Hi Martin,

Sorry for the late answer.

> Hello,
>
> I have Pub and RA interfaces on the same machine.
> I've generated the Certificate Signing Request (CSR),
> using "Request a certificate with automatic browserdetection"
> (My browser is Mozilla)
> link on Pub interface. After switching to RA interface I can see
> the CSR among "active CSRs". But when I am trying to view the
> request (clicking on its Serial), I am getting the following error:
>
> ===============================================
>
> Error 700
>
> General Error The compilation of the command cmdViewCSR failed.
> Can't use an undefined value as a HASH reference at
> /opt/openca/ra/lib/functions/crypto-utils.lib line 1186.
>
> ===============================================
>
> The same appears if I use "Netscape's Request" link for generating
> the request.
>
> Now I have the following questions:
>
> 1) When Mozilla generates keys and request for me, where
> does it store them?
>
> 2) What does the error above mean?
>
> Arsen.
>
>
> Hi,
>
> > I've generated the Certificate Signing Request (CSR),
> > using "Request a certificate with automatic browserdetection"
> > (My browser is Mozilla)
> > link on Pub interface. After switching to RA interface I can see
> > the CSR among "active CSRs". But when I am trying to view the
> > request (clicking on its Serial), I am getting the following error:
> >
> > ===============================================
> >
> > Error 700
> >
> > General Error The compilation of the command cmdViewCSR failed.
> > Can't use an undefined value as a HASH reference at
> > /opt/openca/ra/lib/functions/crypto-utils.lib line 1186.
>
> OpenCA version?

It is 0.9.2.5.

>
> Did you perform the CA initialization, in particular import or
> generation of the CA certificate?
>
> > Now I have the following questions:
> >
> > 1) When Mozilla generates keys and request for me, where
> > does it store them?
>
> In the browser's local keystore.
>
> > 2) What does the error above mean?
>
> I am quite sure that you did not initialize the node properly. OpenCA
> should generate a more user friendly error, of course.

You are right, the problem is the proper initialisation on the RA side.
Let me remind you that the error is coming out on the RA side, when I am
trying to approve the CSR.

I've found out that the reason the RA initialisation procedure fails is
the strange thing which happens during the data exchange between CA and RA.
I've configured the dataexchange to be done via scp (actually my CA
'machine' is running under Xen (it is a Xen guest) and the RA machine is
the Xen0 host). Here is what I have in the files
OPENCADIR/etc/servers/node.cnf and OPENCADIR/etc/servers/ca.dir on the CA side:

====================================================================
EXPORT_IMPORT_DOWN_EXPORT "/bin/tar -cvfp @__DEVICE__@ -C @__SRC__@ . "\
  "scp @__DEVICE__@ 192.168.0.3:/opt/openca/ra/var/tmp/dataexchange.tar"\
  "rm -rf @__DEVICE__@"
====================================================================

Appropriately, on the RA side I have the following in the
OPENCADIR/etc/servers/node.cnf side:

=====================================================================
EXPORT_IMPORT_UP_DEVICE "/opt/openca/ra/var/tmp/dataexchange.tar"
EXPORT_IMPORT_UP_IMPORT "/bin/tar -xvf @__DEVICE__@ -C @__DEST__@"\
  "rm -rf @__DEVICE__@"
=====================================================================

Now when I am doing (on the CA side):

Node->Administration->Dataexchange->Enroll data to a lower level of hierarchy->All

it isn't giving any errors, BUT!!!...
in the file, in the dataexchange.tar file, which is supposed to contain
all the data which can later be imported by RA, I can see that the
directory CA_CERTIFICATE/VALID is empty! I've checked the database - there
IS a valid ca certificate. So, it seems that openca fails to include the
ca certificate into the dataexchange.tar. This results in empty files
(of size 0) in the OPENCADIR/var/crypto/cacerts directory and the empty table
"ca_certificates" on the RA side.

I tried to copy the CA certificates manually to the RA machine, and the
previous error disappeared. But when I am trying to approve the request on
the RA side, it seems to be looking for the CA certificate in its database,
and, finding nothing there, generates the following error:

"General Error: Cannot find the certificate with the matching serial in
the database!"

So, my question is: what is going wrong with the export of the CA
certificate and its inclusion in the exchange archive? Should I change
any files other than OPENCADIR/etc/servers/node.cnf and
OPENCADIR/etc/servers/ca.cnf on the CA side to get it to work?

And you don't know where mozilla stores the private key generated for the
user, do you? I mean, if the user wants to use his/her private key in an
application other than Mozilla, where can he/she find it?

Arsen.

_______________________________________________
Openca-Users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openca-users
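
The failure described in the message above (an export archive whose CA_CERTIFICATE/VALID directory is empty, later surfacing as zero-length files and an empty "ca_certificates" table on the RA) can be caught before the import runs. The following is an added example, not part of the original post and not OpenCA code; it assumes the archive layout produced by `tar -C @__SRC__@ .`, and the function names and demo files are hypothetical.

```shell
#!/bin/sh
# Added example, not OpenCA code. CA_CERTIFICATE/VALID is the directory
# named in the post; function names and demo file names are hypothetical.

# Print how many non-empty files the archive holds under CA_CERTIFICATE/VALID.
count_valid_ca_certs() {
    archive=$1
    [ -r "$archive" ] || { echo "cannot read $archive" >&2; return 2; }
    scratch=$(mktemp -d) || return 2
    if ! tar -xf "$archive" -C "$scratch" 2>/dev/null; then
        rm -rf "$scratch"
        echo "$archive is not a readable tar archive" >&2
        return 2
    fi
    count=0
    if [ -d "$scratch/CA_CERTIFICATE/VALID" ]; then
        # -size +0 skips zero-length files like those described in the post
        count=$(find "$scratch/CA_CERTIFICATE/VALID" -type f -size +0 | wc -l | tr -d ' ')
    fi
    rm -rf "$scratch"
    echo "$count"
}

# Gate for the import step: 0 = safe to import, 1 = no CA cert, 2 = bad archive.
check_export() {
    found=$(count_valid_ca_certs "$1") || return 2
    if [ "$found" -eq 0 ]; then
        echo "REFUSE: no CA certificate in $1; re-run the export on the CA" >&2
        return 1
    fi
    echo "OK: $found CA certificate file(s) in $1"
}

# Build a constructed sample export under DIR; with_cert=yes adds a dummy cert.
make_demo_archive() {
    dir=$1; with_cert=$2
    mkdir -p "$dir/src/CA_CERTIFICATE/VALID" "$dir/src/CERTIFICATE/VALID"
    if [ "$with_cert" = yes ]; then
        echo "constructed placeholder, not a real certificate" \
            > "$dir/src/CA_CERTIFICATE/VALID/1.pem"
    fi
    tar -cf "$dir/dataexchange.tar" -C "$dir/src" .
    echo "$dir/dataexchange.tar"
}

demo=$(mktemp -d)
check_export "$(make_demo_archive "$demo/good" yes)"
check_export "$(make_demo_archive "$demo/empty" no)" || echo "exit status $?"
rm -rf "$demo"
```

Running `check_export` on the RA before the EXPORT_IMPORT_UP_IMPORT command keeps an incomplete export from being unpacked and then deleted by the trailing `rm -rf`.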
