Hello guys,

Has any of you succeeded in setting up OpenCA on Debian? I am not getting it to work.

Thank you for your help,
Evariste

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, 25 September 2006 21:08
To: [email protected]
Subject: Openca-Users Digest, Vol 4, Issue 25

Send Openca-Users mailing list submissions to
        [email protected]

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.sourceforge.net/lists/listinfo/openca-users
or, via email, send a message with subject or body 'help' to
        [EMAIL PROTECTED]

You can reach the person managing the list at
        [EMAIL PROTECTED]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Openca-Users digest..."

Today's Topics:

   1. Re: make test failed (Matthias Alsmann)
   2. Re: Linking to OCSP service in certificates (Dmitrij Mironov)
   3. Basic questions before launch (Francois Pernet)
   4. Re: Basic questions before launch (Siva)
   5. OCSPD doesn't start and writes no log ([EMAIL PROTECTED])

----------------------------------------------------------------------

Message: 1
Date: Mon, 25 Sep 2006 07:49:33 +0100
From: "Matthias Alsmann" <[EMAIL PROTECTED]>
Subject: Re: [Openca-Users] make test failed
To: "Ideas, tips and discussions about OpenCA installation and management." <[email protected]>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Hi Jose,

I had a similar problem. When I called

./configure [your options] --disable-external-modules

everything worked fine.

Kind regards,
Matthias

On 9/21/06, Jose Dragone <[EMAIL PROTECTED]> wrote:
>
> Hi mates, while trying to compile OpenCA 0.9.2.5 I'm getting this error
> message.
>
> ........................................................
> Message Error Follows:
>
> ./test/03language_xs.t
> Failed 1/160 test scripts, 99.38% okay, 2/1555 subtests failed, 99.78% okay
> make[6]: ***[test_dynamic] Error 255
> make[6]: Leaving directory
> `/usr/local/src/OpenCa-0.9.2.5/src/modules/libintl-perl-1.10'
> make[5]: *** [libintl-perl-1.10] Error 2
> ...........................................................
>
> I've replaced line 38 on file : 03language_xs.t
> Locale::Messages::nl_putenv ("LANG=whatever");
> with .....("LANG=POSIX");
> ...........................................
>
> But the error message goes on unchanged.
>
> I think I'm having problems with "locale" (or charset or language) while
> installing OpenCA.
>
> Any help will be appreciated!
> Thanks in advance
>
> Jose Dragone
> IT Engineer
> Buenos Aires
>

------------------------------

Message: 2
Date: Mon, 25 Sep 2006 10:35:24 +0300
From: "Dmitrij Mironov" <[EMAIL PROTECTED]>
Subject: Re: [Openca-Users] Linking to OCSP service in certificates
To: "'Ideas, tips and discussions about OpenCA installation and management.'" <[email protected]>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="us-ascii"

Hello Julian,

You need to edit ../openca/etc/openssl/extfiles/xxxxxxxx.ext.template and
insert this line (edit it to satisfy your needs):

authorityInfoAccess = OCSP;URI:http://HOST.DOMAIN.COM:2560

2560 - port

Regards,
Dmitrij

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf
> Of Julian Pawlowski (lists)
> Sent: Sunday, September 24, 2006 9:26 PM
> To: [email protected]
> Subject: [Openca-Users] Linking to OCSP service in certificates
>
> Hello,
>
> I'd like to set the link to the OCSP service in all my
> certificates and I found out that I have to use AIA
> (authorityInformationAccess) for this. Unfortunately I could
> not find out the correct format to set this in the
> openssl/extfiles. Can somebody help me out? Thanks!
>
>
> Greetz
> Julian
>
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash.
> Influence the Future of IT Join
> SourceForge.net's Techsay panel and you'll get the chance to
> share your opinions on IT & business topics through brief
> surveys -- and earn cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> _______________________________________________
> Openca-Users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openca-users
>

------------------------------

Message: 3
Date: Mon, 25 Sep 2006 11:45:10 +0200
From: "Francois Pernet" <[EMAIL PROTECTED]>
Subject: [Openca-Users] Basic questions before launch
To: <[email protected]>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=US-ASCII

Hi everyone,

Sorry to bother you with a basic question, but I succeeded in implementing an
all-in-one OpenCA install in a lab and I now want to set up a fully
functional real-world install in my company.

I thought about the following:
- one CA connected to RA with cross over cable
- one RA on the network (and linked to the CA with this private link)
- eventually some RA-Operator's nodes
- apache2 instead of apache 1.3 + mod_ssl

Before going ahead, I would like to know if any of you has some clues for the following:
- how exactly do the RA operators' nodes and the RA node talk (protocol, ...)? How is database synchronization done?
- experience in apache2 install versus apache 1.3?
- what could be the advantage of setting up a SubCA? Can it be done later on?

Many thanks for your ideas

Francois

------------------------------

Message: 4
Date: Mon, 25 Sep 2006 16:13:00 +0530
From: "Siva" <[EMAIL PROTECTED]>
Subject: Re: [Openca-Users] Basic questions before launch
To: "'Ideas, tips and discussions about OpenCA installation and management.'" <[email protected]>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="us-ascii"

Thank you all very much

I installed OpenSSL on linux by my first attempt

Regards,
Sivakumar.S

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Francois Pernet
Sent: Monday, September 25, 2006 3:15 PM
To: [email protected]
Subject: [Openca-Users] Basic questions before launch

Hi everyone,

Sorry to bother you with a basic question, but I succeeded in implementing an
all-in-one OpenCA install in a lab and I now want to set up a fully
functional real-world install in my company.

I thought about the following:
- one CA connected to RA with cross over cable
- one RA on the network (and linked to the CA with this private link)
- eventually some RA-Operator's nodes
- apache2 instead of apache 1.3 + mod_ssl

Before going ahead, I would like to know if any of you has some clues for the following:
- how exactly do the RA operators' nodes and the RA node talk (protocol, ...)? How is database synchronization done?
- experience in apache2 install versus apache 1.3?
- what could be the advantage of setting up a SubCA? Can it be done later on?

Many thanks for your ideas

Francois

------------------------------

Message: 5
Date: Mon, 25 Sep 2006 16:33:08 +0200 (MEST)
From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
Subject: [Openca-Users] OCSPD doesn't start and writes no log
To: [email protected]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="utf-8"

Hello to all of you,

I've been reading all of your contributions to this mailing list for a while
(I've got an openca CA running and everything was done with your help).

Now, there's an issue that has not been covered (or I haven't seen it).

I'm trying to start the ocspd responder with the script and also using the
command line as shown in manpages... and got no response, it just quits after
launching it, getting no log at /var/log/messages...

It seems that there are no user conflicts, I mean, user has permission to
write and read where the certificates, pid file, crl's and keys are kept.

I've seen some related mails but never ended up with the clue for solving it...

It seems to be something similar to this thread:
http://sourceforge.net/mailarchive/message.php?msg_id=35611620

config file used is the following:

[ ocspd ]
default_ocspd = OCSPD_default           # The default ocspd section

####################################################################
[ OCSPD_default ]

dir = /usr/local/etc/ocspd              # Where everything is kept
#db = $dir/index.txt                    # database index file.
md = sha1

ca_certificate = $dir/certs/ca.pem              # The CA certificate
ocspd_certificate = $dir/certs/ocspd_cert.pem   # The OCSP server cert
ocspd_key = $dir/private/ocspd_key.pem          # The OCSP server key
pidfile = $dir/ocspd.pid                        # Main process pid

# User and Group the server will run as. It is a good idea
# not having servers running as root: in case of errors in
# the code providing an 'illegal' access method for an attacker
# it is better not to give him additional advantages.
user = root
group = staff

# Bind to a specific address. This option is useful if you need
# to listen only on one IP among the available ones.
bind = *

# Port where the server will listen for incoming requests.
port = 2560

# Max size of accepted requests. Data connection will be closed
# in case this size will be reached.
max_req_size = 8192

# Auto Reload interval of CRL (if set to 0 or not present, to
# reload the CRL you'll need to send a SIGHUP (kill -1 )
# to the parent process (seconds)
crl_auto_reload = 3600

# Check CRL validity period. If this parameter is set to #n
# then the CRL is checked every #n secs and if the CRL's validity
# period is expired then all the responses will be set to
# 'unknown'.
# If 'crl_check_validity' is set to '0' or it is absent, all
# responses will be based on the loaded CRL, no matter if it
# is expired or not.
crl_check_validity = 600

# Reload CRL if the one loaded is expired. Set this parameter
# only if you are sure that the new CRL will be issued and put
# in the crl_url.
crl_reload_expired = yes

# Specifies the response section to load the server options
# from
response = ocsp_response

# It specifies the section to be used where options about where
# CRL and certificates are kept.
# Example section using FILES for data retrieval
dbms = dbms_file

####################################################################
[ ocsp_response ]

# Set this option if you want to include the KeyID. If you are
# unsure about this setting, use 'yes'.
ocsp_add_response_keyid = yes

# next_update_days and next_update_mins allows to specify in
# each response when new revocation data will be available.
# If the two options are both set to '0' the 'nextUpdate' field
# in the OCSP response will be left NULL indicating new data
# can be made available anytime (this is true if you are issuing
# new CRLs every time a revocation takes place)
#
# NOTE: Firefox/Mozilla do not parse correctly the OCSP answer in
# case the nextUpdate field is missing. It is therefore suggested
# to use the next_update_mins set (e.g. 5 minutes) to have mozilla's
# software correctly work with OCSP enabled.
next_update_days = 0
next_update_mins = 5

####################################################################
[ dbms_file ]

# We can have as many CAs supported as we want, each CRL will be
# loaded and stored upon server starting
0.ca = @first_ca

####################################################################
[ first_ca ]

# You can have the CRL on a simple file in PEM format
crl_url = file:///usr/local/etc/ocspd/certs/cacrl.pem

# We need the CA certificate for every supported CRL
ca_url = file:///usr/local/etc/ocspd/certs/ca.pem

thank you for your time, hope not being annoying anyone with this simple question.

see you.

TERRA

End of Openca-Users Digest, Vol 4, Issue 25
*******************************************
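
Added example, not part of the digest and not code from the OpenCA project: a preflight check for a configuration laid out like the one posted in Message 5. It parses the [ section ] / key = value layout, expands $dir, and reports files the configured account cannot read, a pid directory it cannot write, and user = root, which the file's own comment advises against. The names parse_conf and preflight and the sample path are assumptions made for this example.

```python
import os
import re
from urllib.parse import urlparse

FILE_KEYS = ("ca_certificate", "ocspd_certificate", "ocspd_key")  # must be readable
URL_KEYS = ("crl_url", "ca_url")                                  # file:// URLs per CA

def parse_conf(text):
    """Parse [ section ] / key = value lines; drop '#' comments; expand $name
    from keys set earlier in the same section (as $dir is used in the post)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # assumes no '#' inside values
        head = re.fullmatch(r"\[\s*(\w+)\s*\]", line)
        if head:
            current = sections.setdefault(head.group(1), {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = re.sub(
                r"\$(\w+)", lambda m: current.get(m.group(1), m.group(0)), value)
    return sections

def preflight(text):
    """Return findings: unreadable files, unwritable pid directory, root user."""
    conf, findings = parse_conf(text), []
    main = conf.get(conf.get("ocspd", {}).get("default_ocspd", ""), {})
    if not main:
        return ["default_ocspd does not name an existing section"]
    paths = [(key, main.get(key)) for key in FILE_KEYS]
    for ref in conf.get(main.get("dbms", ""), {}).values():  # 0.ca = @first_ca
        ca = conf.get(ref.lstrip("@"), {})
        paths += [(f"{ref}:{key}", urlparse(ca[key]).path) for key in URL_KEYS
                  if ca.get(key, "").startswith("file://")]
    for key, path in paths:
        if not path or not os.access(path, os.R_OK):
            findings.append(f"{key}: cannot read {path or '(not set)'}")
    pid_dir = os.path.dirname(main.get("pidfile", "")) or "."
    if not os.access(pid_dir, os.W_OK):
        findings.append(f"pidfile: directory {pid_dir} is not writable")
    if main.get("user") == "root":
        findings.append("user: responder is configured to run as root")
    return findings

# Constructed sample in the layout of the posted file (the path is a placeholder).
SAMPLE = ("[ ocspd ]\ndefault_ocspd = OCSPD_default\n[ OCSPD_default ]\n"
          "dir = /nonexistent/ocspd  # constructed path\n"
          "ca_certificate = $dir/certs/ca.pem\nuser = root\n")

if __name__ == "__main__":
    print("\n".join(preflight(SAMPLE)))
```

Run it as the account named by user and group in the config, because os.access answers for the calling user.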
