Thank you very much Alexei for your comprehensive answer. It really
helps.
Discussions in openca-devel seem quite interesting to get the total
picture on this problem. I should have checked this list as well.

Regards,
Pierre

> On Mon, Apr 25, 2005 at 05:02:13PM +0200, pierre lhostis wrote:
> > Date: Mon, 25 Apr 2005 17:02:13 +0200
> > From: pierre lhostis <[EMAIL PROTECTED]>
> > To: [email protected]
> > Reply-To: [email protected]
> > Subject: [Openca-Users] RA node Interface issues
> > 
> > Me again again,
> > 2 problems on the RA node interface:
> > 
> > 1. 
> > Using Administration/Backup and Recovery/Recovery/Rebuild OpenSSL's
> > database and next serialnumber, I have got the following error message:
> >
> > "Créez des sauvegardes de index.txt et du numéro de série ...
> >     /usr/local/openra921/openca/var/crypto/index.txt
> >     /usr/local/openra921/openca/var/crypto/serial
> > Chargement des Objets ...
> >     CERTIFICAT_AC_VALIDE: 7FFFFFFF
> >     Erreur 700
> >      Erreur Générale The compilation of the command
> > cmdRebuildOpenSSLindexDB failed. panic: array extend
> > at /usr/local/openra921/openca/lib/functions/crypto-utils.lib line 369."
> > 
> > I only got this message with the RA of the Root CA and not with RAs
> > linked with subCAs. This makes me think that there is a problem with the
> > Root CA certificate. I noticed that for the self-signed Root CA
>   The cause is the serial number of the self-signed root CA. The problem is the use
> of sprintf/hex functions, which are overflowed by really big ints.
>  
> > certificate, the serial number is always 0 (first certificate signed by
> > the CA) and this may be the problem because, for a subCA, the serial
> > number of the subCA is never 0 but at least 1. I do not see how to avoid
> > the 0 serial number to prove that it is my problem (except modifying the
> > code but I am not a perl guru to say the least...).
>   As there are no signs of anyone else experiencing the same problem, it makes
> me think that this is Debian related. In short, Debian's openssl
> generates a self-signed certificate with a very long serial (is it random?).
> "Rebuild OpenSSL's database and next serialnumber" searches for the max. serial
> number, increments it and writes it to the file named "serial". The number from "serial"
> will be used for the next signed cert. But, as sprintf is 4 bytes wide, very
> long serials cause errors.
> 
> So you have two options:
> 1. Apply the big-int patch, see openca-devel for more details (want to be a
> beta tester? :)
> 2. Use serial 0 for the self-signed root CA: you need to change the function
> genCert in openca-0.9.2.2/src/modules/openca-openssl/OpenSSL.pm; around
> line 569 change from:
> my $command = "req -x509 ";
> to:
> my $command = "req -x509 -set_serial 0 ";
> 
> 3rd. Leave it alone. Could anybody explain to me what the index.txt file is
> needed for on the CA node?
> 
>   Best wishes
> 
> --
> Alexei Chetroi
> 
> Smile... Tomorrow will be worse. (c) Murphy's Law
> 
> 
> _______________________________________________
> Openca-Users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openca-users
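
The rebuild step discussed in this thread (find the highest serial in index.txt, increment it, write it to "serial") done with arbitrary-precision arithmetic, so a long root CA serial is not pushed through native-integer hex/sprintf. This is an added example, not part of the original messages and not OpenCA's code or the big-int patch mentioned above; the index lines, subject names and the helper names max_serial and next_serial_hex are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Math::BigInt;

# Constructed index.txt lines (tab-separated fields): status, expiry date,
# revocation date (empty unless revoked), serial in hex, file name, subject.
my @index_lines = (
    "V\t150425150213Z\t\t01\tunknown\t/CN=constructed sub CA",
    "V\t150425150213Z\t\tB7A3F09C4D2E11AA55\tunknown\t/CN=constructed root CA",
    "R\t060425150213Z\t050601120000Z\t02\tunknown\t/CN=constructed user",
);

# Return the highest serial found in the index lines as a Math::BigInt.
# Lines without a well-formed hex serial in field 4 are skipped.
sub max_serial {
    my @lines = @_;
    my $max = Math::BigInt->bzero();
    for my $line (@lines) {
        my @f = split /\t/, $line;
        next unless @f >= 4 && $f[3] =~ /^[0-9A-Fa-f]+$/;
        my $serial = Math::BigInt->new("0x$f[3]");
        $max = $serial if $serial->bcmp($max) > 0;
    }
    return $max;
}

# Format max+1 the way the "serial" file stores it:
# uppercase hex with an even number of digits.
sub next_serial_hex {
    my ($max) = @_;
    my $hex = uc $max->copy->binc->as_hex;   # as_hex returns "0x..."
    $hex =~ s/^0X//;
    $hex = "0$hex" if length($hex) % 2;
    return $hex;
}

my $max = max_serial(@index_lines);
printf "max serial:  %s\n", uc substr($max->as_hex, 2);
printf "next serial: %s\n", next_serial_hex($max);
```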
