Ives Steglich wrote:
Kurt Hockenmaier wrote:
Dalini and Martin - Thanks a lot for your patience and your guidance !
OpenCA is a great piece of work and the developers will keep a safe place
in my hall of fame :-)
Maybe you can make a little step by step guide - since I don't have
access to a PIX at the moment and usually take some things for granted...
so we can put a more reliable guide for SCEP usage in router/firewall
environments online, since there are a lot of people who seem to have
difficulties in using OpenCA with Cisco equipment.
thx
greetings
dalini
Hi Dalini,
A little late (I'm busy with other things too ;-), below you can find the
guide which shows how it worked for me.
Best Regards
Kurt
1. General Info
---------------
This setup is based on the Suse Linux 10.0 distribution, mysql, apache2,
OpenCA 0.9.2.5 and PIX OS 6.3(5).
Two OpenCA instances are created, one acts as CA, the other one acts as RA.
2. Installation
---------------
Untar the sources and change directory to the OpenCA-0.9.2.5 dir.
This directory is used for the installation of the CA as well as for the
installation of the RA.
This approach will install a CA in /usr/local/openca/ca and an RA in
/usr/local/openca/ra.
2.1 Installation of the CA
--------------------------
As usual, you have to carry out ./configure and make - I've done it in the
following way:
make distclean
./configure \
--prefix=/usr/local/openca \
--with-httpd-user=wwwrun \
--with-httpd-group=www \
--with-openca-prefix=/usr/local/openca/ca \
--with-etc-prefix=/usr/local/openca/ca/etc \
--with-httpd-fs-prefix=/usr/local/openca/ca/httpd \
--with-module-prefix=/usr/local/openca/modules \
--with-node-prefix=ca-node \
--with-engine=no \
--with-web-host=localhost \
--enable-ocspd \
--enable-dbi \
--enable-rbac
make
make install-offline
2.2 Installation of the RA
--------------------------
It's the same game as installing the CA, but different options for
./configure are needed:
make distclean
./configure \
--prefix=/usr/local/openca \
--with-httpd-user=wwwrun \
--with-httpd-group=www \
--with-openca-prefix=/usr/local/openca/ra \
--with-etc-prefix=/usr/local/openca/ra/etc \
--with-httpd-fs-prefix=/usr/local/openca/ra/httpd \
--with-module-prefix=/usr/local/openca/modules \
--with-node-prefix=ra-node \
--with-engine=no \
--with-web-host=localhost \
--enable-ocspd \
--enable-scep \
--enable-dbi \
--enable-rbac
make
make install-online
2.3 Create the databases
-----------------------
Two different (empty) databases and user IDs are created, one for the CA
and the second one for the RA:
mysql --user=root -p
Enter password:
create database cadb;
create database radb;
grant all privileges on cadb.* to [EMAIL PROTECTED] identified by "change-me";
grant all privileges on radb.* to [EMAIL PROTECTED] identified by "change-me";
2.4 Modify Apache's configuration
-----------------------------------
Insert the following lines in default-server.conf:
# CA related
Alias /ca /usr/local/openca/ca/httpd/htdocs/ca/
Alias /ca-node /usr/local/openca/ca/httpd/htdocs/ca-node/
ScriptAlias /cgi-bin/ca/ /usr/local/openca/ca/httpd/cgi-bin/ca/
ScriptAlias /cgi-bin/ca-node/ /usr/local/openca/ca/httpd/cgi-bin/ca-node/
<Directory "/usr/local/openca/ca/httpd/cgi-bin/">
AllowOverride None
Options ExecCGI
Order allow,deny
Allow from all
</Directory>
<Directory "/usr/local/openca/ca/httpd/htdocs/">
AllowOverride None
Options FollowSymLinks Indexes
Order allow,deny
Allow from all
</Directory>
# RA related
Alias /ra /usr/local/openca/ra/httpd/htdocs/ra/
Alias /pub /usr/local/openca/ra/httpd/htdocs/pub/
Alias /ra-node /usr/local/openca/ra/httpd/htdocs/ra-node/
ScriptAlias /cgi-bin/ra/ /usr/local/openca/ra/httpd/cgi-bin/ra/
ScriptAlias /cgi-bin/pub/ /usr/local/openca/ra/httpd/cgi-bin/pub/
ScriptAlias /cgi-bin/ra-node/ /usr/local/openca/ra/httpd/cgi-bin/ra-node/
ScriptAlias /cgi-bin/scep/ /usr/local/openca/ra/httpd/cgi-bin/scep/
<Directory "/usr/local/openca/ra/httpd/cgi-bin/">
AllowOverride None
Options ExecCGI
Order allow,deny
Allow from all
</Directory>
<Directory "/usr/local/openca/ra/httpd/htdocs/">
AllowOverride None
Options FollowSymLinks Indexes
Order allow,deny
Allow from all
</Directory>
<Directory "/usr/local/openca/ra/httpd/cgi-bin/pub">
AllowOverride None
Options FollowSymLinks Indexes
Order allow,deny
Allow from all
</Directory>
Now restart the apache daemon.
3. Adjust the CA's configuration templates
------------------------------------------
3.1 /usr/local/openca/ca/etc/config.xml
---------------------------------------
Section general options:
<name>ca_organization</name>
<value>Test CA</value>
<name>ca_locality</name>
<value>CA Test Lab</value>
<name>ca_country</name>
<value>DE</value>
<name>service_mail_account</name>
<value>[EMAIL PROTECTED]</value>
Section database configuration:
<option>
<name>dbmodule</name>
<value>DBI</value>
<name>db_type</name>
<value>mysql</value>
<name>db_name</name>
<value>cadb</value>
<name>db_host</name>
<value>localhost</value>
<name>db_port</name>
<value>3306</value>
<name>db_user</name>
<value>causer</value>
<name>db_passwd</name>
<value>change-me</value>
Section dataexchange configuration:
De-activate default mode 0 (no dataexchange configured) by adding comment
brackets <!-- -->.
Activate mode 1 (node acts as CA only) by removing the comment brackets.
<name>dataexchange_device_up</name>
<value>/usr/local/openca/ca/var/tmp/fd0</value>
<name>dataexchange_device_down</name>
<value>/usr/local/openca/ca/var/tmp/fd0</value>
<name>dataexchange_device_local</name>
<value>/usr/local/openca/ca/var/tmp/fd0</value>
3.1.1 /usr/local/openca/ca/etc/servers/ca.conf.template
SET_CERTIFICATE_SERIAL_IN_DN "N"
3.2 /usr/local/openca/ca/etc/access_control/ca-node.xml.template
<type>mod_ssl</type>
<protocol>.*</protocol>
<symmetric_cipher>.*</symmetric_cipher>
<symmetric_keylength>0</symmetric_keylength>
4. Adjust the RA's configuration templates
------------------------------------------
4.1 /usr/local/openca/ra/etc/config.xml
---------------------------------------
Section general options:
<name>ca_organization</name>
<value>Test RA</value>
<name>ca_locality</name>
<value>RA Test Lab</value>
<name>ca_country</name>
<value>DE</value>
<name>service_mail_account</name>
<value>[EMAIL PROTECTED]</value>
Section database configuration:
<option>
<name>dbmodule</name>
<value>DBI</value>
<name>db_type</name>
<value>mysql</value>
<name>db_name</name>
<value>radb</value>
<name>db_host</name>
<value>localhost</value>
<name>db_port</name>
<value>3306</value>
<name>db_user</name>
<value>rauser</value>
<name>db_passwd</name>
<value>change-me</value>
Section configuration of SCEP:
<name>SCEP_RA_CERT</name>
<value>/usr/local/openca/ra/etc/scep/scep-cert.pem</value>
<name>SCEP_RA_KEY</name>
<value>/usr/local/openca/ra/etc/scep/scep-key.pem</value>
Section dataexchange configuration:
De-activate default mode 0 (no dataexchange configured) by adding comment
brackets <!-- -->.
Activate mode 2 (node acts as RA only) by removing the comment brackets.
<name>dataexchange_device_up</name>
<value>/usr/local/openca/ca/var/tmp/fd0</value>
<name>dataexchange_device_down</name>
<value>/usr/local/openca/ca/var/tmp/fd0</value>
<name>dataexchange_device_local</name>
<value>/usr/local/openca/ca/var/tmp/fd0</value>
4.2 Change directory to /usr/local/openca/ra/etc/access-control. In the
files pub.xml.template, ra.xml.template and ra-node.xml.template the
protocol and symmetric_keylength values have to be adjusted:
<type>mod_ssl</type>
<protocol>.*</protocol>
<symmetric_cipher>.*</symmetric_cipher>
<symmetric_keylength>0</symmetric_keylength>
4.3 Adjust etc/servers/scep.conf.template
Change
ScepRenewalRDNMatch "CN"
to
ScepRenewalRDNMatch "unstructuredName"
5. Generate the configuration files and start CA and RA
-------------------------------------------------------
For the CA:
cd /usr/local/openca/ca/etc/
./configure_etc.sh
./openca_start
For the RA:
cd /usr/local/openca/ra/etc/
./configure_etc.sh
./openca_start
6. Initialization of the CA
---------------------------
Point your browser to http://some-host/ca (user root and password root)
and follow the menu General->Initialization->Initialize the Certification
Authority.
Carry out the following tasks from Phase 1:
a) Initialize Database
b) Generate new CA secret key - choose 2048 for the CA key size
c) Generate new CA Certificate Request (use generated secret key)
d) Self Signed CA Certificate (from already generated request)
e) Rebuild CA Chain
Import the CA certificate to your browser.
Then follow the menu General->Initialization->Create the initial
administrator and carry out the following tasks from Phase 2:
a) Create a new request - choose Trustcenter for Certificate Request
Group, choose CA Operator as role and choose High for LOA (for the key
size I've chosen 2048).
b) Edit the request and after editing choose Issue Certificate from the
bottom of the page.
c) Handle the Certificate - download the certificate (PKCS#12) to your
browser (if the browser complains about a wrong key, it can't handle a
key composed with symbols (i.e. $-/) - at least Firefox could not).
Now follow the menu General->Initialization->Create the initial RA
certificate and carry out the following tasks from Phase 3:
a) Create a new request as above: Trustcenter, LOA High, role RA
Operator, keysize 2048.
b) Edit the request and after editing choose Issue Certificate from the
bottom of the page.
c) Handle the Certificate - download the certificate (PKCS#12) to your
browser.
Create the CRL.
6.1 Export the CA's Configuration
---------------------------------
Move to General->Node Management to login to the CA node and choose
Administration->Dataexchange. Under the topic Enroll data to a lower
level of the hierarchy choose All.
7. Initialize the RA
--------------------
Point your browser to http://some-host/ra-node (user root and password
root) and follow the menu Administration->Server Init, choose Initialize
Database and choose Import Configuration from the same page afterwards.
Follow the menu Administration->Dataexchange. Under the topic Download
data from a higher level of the hierarchy choose All.
8. Create the Certificate for the SCEP interface
------------------------------------------------
Point your browser to http://some-host/pub and follow the menu
User->Request a Certificate->Basic Request.
Choose Trustcenter for Certificate Request Group, Web Server as role and
High for LOA, and set the key size to 2048.
Move to the RA, edit the request and approve it without signing.
Go to the RA-Node and upload the request to the CA.
Go to the CA Node, receive data from the ra.
Go to the CA and issue the certificate.
Again go to the CA Node and enroll data to the RA and then go to the RA
and download data from the CA.
Go to the RA and follow the menu Information-> Certificates->Valid.
Click on the SCEP certificate and download it with SSLeay.
Cut the certificate (including -----BEGIN CERTIFICATE and END
CERTIFICATE-----) and save it to the file
/usr/local/openca/ra/etc/scep/scep-cert.pem.
Cut the private key (including -----BEGIN RSA and END RSA PRIVATE
KEY-----) and save it to the file
/usr/local/openca/ra/etc/scep/scep-key.pem.
Chown certificate and key wwwrun.www.
9. Configure the PIX
--------------------
As described in the manuals, create the private key and authenticate the RA:
ca identi xen-ca 172.16.2.249:/cgi-bin/scep/scep
ca configure xen-ca ra 1 50 crloptional
ca authenticate xen-ca
(If you do a 'show ca cert' you should see a CA and a RA certificate now)
ca enroll xen-ca fake ipaddress
Now edit the request at the RA interface.
You can see a line unstructuredAddress 1.1.1.1 +CN some-value +
unstructuredName some-value.
Put all fields following the first + sign at the left above the
unstructuredAddress field.
Add additional attributes in the Subject Alternative Name section: DNS
and IP with the same values as in the request at unstructuredName and
unstructuredAddress.
Then submit the changed request and approve it.
Upload the data to the CA, import it into the CA, issue the certificate,
download it to the RA and finally import it into the RA again.
When the PIX has received its certificate, save it with ca save all,
and as the last step you can retrieve the CRL with ca crl request xen-ca.
10. Mind the time
-----------------
Don't forget to synchronise the time settings on all involved devices
before you start to request certificates.
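Step 8 of the guide has you cut the certificate and the RSA key out of the SSLeay download by hand and save them under etc/scep. As an added example (not part of Kurt's guide or of OpenCA itself), the POSIX shell function below does that split, refuses to leave truncated files behind when one of the two blocks is missing from the download, and restricts the key to the owner only; the bundle path, the optional owner argument and the demo's placeholder PEM text are assumptions.

```shell
#!/bin/sh
# Split an SSLeay-style download (certificate and RSA key in one text file)
# into the two PEM files the SCEP interface reads, as set in config.xml
# (SCEP_RA_CERT / SCEP_RA_KEY). Example code, not OpenCA's own.
split_scep_bundle() {
    bundle="$1"    # file saved from the RA's "download with SSLeay" page
    cert_out="$2"  # e.g. /usr/local/openca/ra/etc/scep/scep-cert.pem
    key_out="$3"   # e.g. /usr/local/openca/ra/etc/scep/scep-key.pem
    owner="$4"     # optional, e.g. wwwrun:www; empty skips the chown

    # Copy each PEM block, BEGIN and END lines included, and nothing else.
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' \
        "$bundle" > "$cert_out"
    sed -n '/^-----BEGIN RSA PRIVATE KEY-----$/,/^-----END RSA PRIVATE KEY-----$/p' \
        "$bundle" > "$key_out"

    # A download without both blocks must not leave partial files behind.
    if ! grep -q '^-----END CERTIFICATE-----$' "$cert_out" ||
       ! grep -q '^-----END RSA PRIVATE KEY-----$' "$key_out"; then
        rm -f "$cert_out" "$key_out"
        echo "split_scep_bundle: certificate or key block missing in $bundle" >&2
        return 1
    fi

    # Only the web server user needs to read the key; the cert is public.
    chmod 0644 "$cert_out"
    chmod 0600 "$key_out"
    [ -n "$owner" ] && chown "$owner" "$cert_out" "$key_out"
    return 0
}

# Demo on a constructed bundle (placeholder text, not real key material);
# returns the line count of the resulting certificate file.
demo_split() {
    dir=$(mktemp -d)
    printf '%s\n' 'Certificate and key for the SCEP interface' \
        '-----BEGIN CERTIFICATE-----' 'MIIBCONSTRUCTEDCERT' '-----END CERTIFICATE-----' \
        'Private key' \
        '-----BEGIN RSA PRIVATE KEY-----' 'MIICCONSTRUCTEDKEY' '-----END RSA PRIVATE KEY-----' \
        > "$dir/bundle.txt"
    split_scep_bundle "$dir/bundle.txt" "$dir/scep-cert.pem" "$dir/scep-key.pem" "" \
        || return 1
    wc -l < "$dir/scep-cert.pem" | tr -d ' '
}
```

On the RA host the call would be `split_scep_bundle download.txt /usr/local/openca/ra/etc/scep/scep-cert.pem /usr/local/openca/ra/etc/scep/scep-key.pem wwwrun:www`, which also covers the chown step of the guide.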
_______________________________________________
Openca-Users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openca-users