Massimiliano Pala wrote:
Evariste AKOUEGNON wrote:
Hello Guys,
Has one of you succeeded in setting up OpenCA on Debian?
I cannot get it to work.
Thank you for your help,
I attach a txt which is a bit old, but maybe it can help you with where you are stuck... :-D
--- Max
Author: Kevin Mitcham
(C)opyright 2004 Dartmouth College (see www.dartmouth.edu)
Please notice that there is a live CD too at:
http://www.dartmouth.edu/%7Edeploypki/CA/InstallOpenCALiveCD.html
This page was created by the Dartmouth PKI Lab Outreach.
=======================================================================
To install from source
(actual commands are marked with a "*")
(we ran on Debian "unstable")
(assumes an Apache install using default options)
download the new tarball from
http://prdownloads.sourceforge.net/openca/openca-0.9.2-RC4.tar.gz?use_mirror=unc
into a source directory.
Alternately, get the latest snapshot.
We are currently running a snapshot from a couple of weeks ago; RC4 actually gave me some problems.
* gunzip openca-0.9.2-RC4.tar.gz
* tar xvf openca-0.9.2-RC4.tar
* cd openca-0.9.2-RC4
* make distclean
First install the RA
(you may want to update the web-host value)
* ./configure \
--prefix=/usr/local/openra \
--with-httpd-user=www-data \
--with-httpd-group=www-data \
--with-openca-prefix=/usr/local/openra/openca \
--with-etc-prefix=/usr/local/openra/openca/etc \
--with-httpd-fs-prefix=/usr/local/openra/httpd \
--with-module-prefix=/usr/local/openra/modules \
--with-node-prefix=ra-node \
--with-engine=no \
--with-web-host=localhost \
--enable-ocspd \
--enable-dbi \
--enable-rbac \
--with-hierarchy-level=ra
* make
* make install-online
Now for the CA
(may want to update the web-host value)
* make distclean
* ./configure \
--prefix=/usr/local/openca \
--with-httpd-user=www-data \
--with-httpd-group=www-data \
--with-openca-prefix=/usr/local/openca/openca \
--with-etc-prefix=/usr/local/openca/openca/etc \
--with-httpd-fs-prefix=/usr/local/openca/httpd \
--with-module-prefix=/usr/local/openca/modules \
--with-node-prefix=ca-node \
--with-engine=no \
--with-web-host=localhost \
--enable-ocspd \
--enable-dbi \
--enable-rbac \
--with-hierarchy-level=ca
* make
* make install-offline
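The two configure runs above differ only in the install prefix, the node prefix, the hierarchy level and the install target, so it is easy to let a stale RA configuration leak into the CA build. The script below is an added example, not part of the original how-to: it derives both argument lists from the level, cleans the tree between runs, and maps ra to install-online and ca to install-offline as the how-to does. It assumes you run it from inside the unpacked source tree, that the web server runs as www-data, and that ./configure, make and the two install targets behave as shown above.

```shell
#!/bin/sh
# Added example (not from the original how-to): build the RA and the CA from
# one OpenCA 0.9.2 source tree with the configure flags shown above.
# Assumptions: you are inside the unpacked tree; Apache runs as www-data;
# ./configure, make, install-online and install-offline exist as the how-to shows.

set -eu

# Print the configure arguments for one hierarchy level, one per line.
# $1 = level (ra|ca), $2 = install prefix, $3 = web host (default localhost)
openca_configure_args() {
    level=$1; prefix=$2; webhost=${3:-localhost}
    case "$level" in
        ra|ca) ;;
        *) echo "unknown hierarchy level: $level" >&2; return 1 ;;
    esac
    printf '%s\n' \
        "--prefix=$prefix" \
        "--with-httpd-user=www-data" \
        "--with-httpd-group=www-data" \
        "--with-openca-prefix=$prefix/openca" \
        "--with-etc-prefix=$prefix/openca/etc" \
        "--with-httpd-fs-prefix=$prefix/httpd" \
        "--with-module-prefix=$prefix/modules" \
        "--with-node-prefix=${level}-node" \
        "--with-engine=no" \
        "--with-web-host=$webhost" \
        "--enable-ocspd" \
        "--enable-dbi" \
        "--enable-rbac" \
        "--with-hierarchy-level=$level"
}

# The CA is the offline half of the hierarchy, the RA the online half;
# that is the only difference in the install step.
openca_install_target() {
    case "$1" in
        ra) echo install-online ;;
        ca) echo install-offline ;;
        *)  return 1 ;;
    esac
}

# Configure, build and install one level. The tree left behind by the
# previous level must be cleaned first, or its paths end up in this build.
openca_build() {
    level=$1; prefix=$2
    target=$(openca_install_target "$level")
    if [ -f Makefile ]; then
        make distclean
    fi
    # The argument list contains no spaces, so word-splitting it is intended.
    ./configure $(openca_configure_args "$level" "$prefix")
    make
    make "$target"
}

# Run as:  OPENCA_BUILD_RUN=1 sh build-openca.sh   (from inside the source tree)
if [ "${OPENCA_BUILD_RUN:-0}" = 1 ]; then
    openca_build ra /usr/local/openra
    openca_build ca /usr/local/openca
fi
```

Nothing runs unless OPENCA_BUILD_RUN=1 is set, so the script can be sourced to inspect the argument lists before committing to a build.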
create the DB:
* mysql -u root -p mysql
<password>
create database openca;
create database openra;
grant all privileges on openca.* to [EMAIL PROTECTED] identified by "openca";
grant all privileges on openra.* to [EMAIL PROTECTED] identified by "openra";
(the user@host grantee in the two grant lines was mangled by the list archive)
test the DB:
* mysql -u openca -p
use openca;
show tables;
(should return "Empty set", as the DB is empty)
exit;
* mysql -u openra -p
use openra;
show tables;
(should return "Empty set", as the DB is empty)
exit;
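The grants above give each half of the hierarchy its own database account, which is the right shape, but the passwords are the account names. The script below is an added example, not from the original how-to: it generates the same two databases and accounts with random passwords, uses CREATE USER plus GRANT (accepted by MySQL 5.x, MariaDB and MySQL 8, unlike the GRANT ... IDENTIFIED BY form above) and then logs in as each account to confirm it sees an empty table list. It assumes a mysql client on the PATH, a root account that logs in with -p, and that both OpenCA halves connect from localhost, so the accounts are 'openca'@'localhost' and 'openra'@'localhost'; the host part is not readable in the archived how-to.

```shell
#!/bin/sh
# Added example (not from the original how-to): create the openca/openra
# databases with one dedicated account each and a random password per account.
# Assumptions: mysql client on PATH; root logs in with -p; the web tier connects
# from localhost; /dev/urandom exists.

set -eu

# Emit the SQL for one database and its owner account.
# $1 = database and account name, $2 = password
openca_db_sql() {
    db=$1; pw=$2
    # The name is interpolated into SQL unquoted, so restrict it to identifier
    # characters; reject quotes in the password instead of trying to escape them.
    case "$db" in
        ""|*[!A-Za-z0-9_]*) echo "bad database name: $db" >&2; return 1 ;;
    esac
    case "$pw" in
        *"'"*|*'"'*|*'\'*) echo "password for $db contains a quote" >&2; return 1 ;;
    esac
    cat <<EOF
CREATE DATABASE IF NOT EXISTS $db;
CREATE USER '$db'@'localhost' IDENTIFIED BY '$pw';
GRANT ALL PRIVILEGES ON $db.* TO '$db'@'localhost';
FLUSH PRIVILEGES;
EOF
}

# 24 alphanumeric characters from the kernel RNG.
openca_random_pw() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 24
    echo
}

# Create both databases, then log in as each account and check that
# SHOW TABLES is empty, the expected state before initialization.
openca_db_setup() {
    ca_pw=$(openca_random_pw); ra_pw=$(openca_random_pw)
    { openca_db_sql openca "$ca_pw"; openca_db_sql openra "$ra_pw"; } | mysql -u root -p mysql
    for db in openca openra; do
        if [ "$db" = openca ]; then pw=$ca_pw; else pw=$ra_pw; fi
        # MYSQL_PWD keeps the password off the command line and out of ps output.
        n=$(MYSQL_PWD="$pw" mysql -u "$db" -N -e 'SHOW TABLES' "$db" | wc -l | tr -d ' ')
        [ "$n" -eq 0 ] || { echo "$db is not empty ($n tables)" >&2; return 1; }
    done
    printf 'openca db_passwd: %s\nopenra db_passwd: %s\n' "$ca_pw" "$ra_pw"
    echo "copy these into db_passwd in each config.xml, then clear your terminal scrollback"
}

# Run as:  OPENCA_DB_RUN=1 sh setup-openca-db.sh
if [ "${OPENCA_DB_RUN:-0}" = 1 ]; then
    openca_db_setup
fi
```

The printed passwords are the values that go into db_passwd for the CA and RA config.xml later on; the files under each etc directory are readable by the www-data account, so they should not be readable by anyone else.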
edit the Apache httpd.conf (its location varies by distribution)
in the script aliases section, add:
# OpenCA Mods
# CA Aliases
Alias /ca /usr/local/openca/httpd/htdocs/ca/
Alias /ca-node /usr/local/openca/httpd/htdocs/ca-node/
ScriptAlias /cgi-bin/ca/ /usr/local/openca/httpd/cgi-bin/ca/
ScriptAlias /cgi-bin/ca-node/ /usr/local/openca/httpd/cgi-bin/ca-node/
# OpenCA Mods
# RA Aliases
Alias /ra /usr/local/openra/httpd/htdocs/ra/
Alias /pub /usr/local/openra/httpd/htdocs/pub/
Alias /ra-node /usr/local/openra/httpd/htdocs/ra-node/
ScriptAlias /cgi-bin/ra/ /usr/local/openra/httpd/cgi-bin/ra/
ScriptAlias /cgi-bin/pub/ /usr/local/openra/httpd/cgi-bin/pub/
ScriptAlias /cgi-bin/ra-node/ /usr/local/openra/httpd/cgi-bin/ra-node/
# OpenCA Mods
<Directory "/usr/local/openca/httpd/cgi-bin/">
AllowOverride None
Options ExecCGI
Order allow,deny
Allow from all
</Directory>
<Directory "/usr/local/openra/httpd/cgi-bin/">
AllowOverride None
Options ExecCGI
Order allow,deny
Allow from all
</Directory>
<Directory "/usr/local/openca/httpd/htdocs/">
AllowOverride None
Options FollowSymLinks Indexes
Order allow,deny
Allow from all
</Directory>
<Directory "/usr/local/openra/httpd/htdocs/">
AllowOverride None
Options FollowSymLinks Indexes
Order allow,deny
Allow from all
</Directory>
# OpenCA Mods
# adding dir to symlinks following for cert retrieval
# not totally clear WHY openca puts a symlink here, but it did.
<Directory "/usr/local/openra/httpd/cgi-bin/pub">
AllowOverride None
Options FollowSymLinks Indexes
Order allow,deny
Allow from all
</Directory>
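Every Directory block above ends in "Allow from all", including the two under /usr/local/openca, even though the CA half was built with --with-web-host=localhost and installed with install-offline. The script below is an added example, not from the original how-to: it generates the same alias and Directory fragment from the two install prefixes, but limits the CA's htdocs and cgi-bin to 127.0.0.1 while leaving the RA and pub trees open. It assumes Apache 2.2-style Order/Allow directives (the ones the how-to uses; Apache 2.4 needs mod_access_compat or Require), the prefixes /usr/local/openca and /usr/local/openra, a Debian conf.d directory to drop the fragment into, and that the CA is administered from a browser on the CA host itself; if you administer it from another workstation, put that address in place of 127.0.0.1.

```shell
#!/bin/sh
# Added example (not from the original how-to): emit the OpenCA httpd.conf
# fragment with the CA's URLs restricted to the local machine.
# Assumptions: Apache 2.2 access directives; prefixes /usr/local/openca and
# /usr/local/openra; apachectl, if present, is the server's control script.

set -eu

# $1 = URL name (ca, ca-node, ra, pub, ra-node), $2 = filesystem prefix
alias_pair() {
    printf 'Alias /%s %s/httpd/htdocs/%s/\n' "$1" "$2" "$1"
    printf 'ScriptAlias /cgi-bin/%s/ %s/httpd/cgi-bin/%s/\n' "$1" "$2" "$1"
}

# $1 = directory, $2 = Options value, $3 = allowed source ("all" or an address)
dir_block() {
    cat <<EOF
<Directory "$1">
    AllowOverride None
    Options $2
    Order allow,deny
    Allow from $3
</Directory>
EOF
}

# $1 = CA prefix, $2 = RA prefix
openca_httpd_conf() {
    ca=$1; ra=$2
    echo "# OpenCA: CA (offline half), reachable from the local browser only"
    alias_pair ca "$ca"
    alias_pair ca-node "$ca"
    echo "# OpenCA: RA and public interface (online half)"
    for n in ra pub ra-node; do alias_pair "$n" "$ra"; done
    dir_block "$ca/httpd/cgi-bin/" "ExecCGI" 127.0.0.1
    dir_block "$ca/httpd/htdocs/" "FollowSymLinks Indexes" 127.0.0.1
    dir_block "$ra/httpd/cgi-bin/" "ExecCGI" all
    dir_block "$ra/httpd/htdocs/" "FollowSymLinks Indexes" all
    # pub's cgi-bin needs FollowSymLinks for certificate retrieval (see above);
    # ScriptAlias already marks it as a CGI directory, so ExecCGI is not repeated.
    dir_block "$ra/httpd/cgi-bin/pub" "FollowSymLinks Indexes" all
}

# Write the fragment and, if apachectl is available, syntax-check the whole
# server configuration with it included.
openca_httpd_write() {
    out=$1
    openca_httpd_conf /usr/local/openca /usr/local/openra >"$out"
    if command -v apachectl >/dev/null 2>&1; then
        apachectl -t
    else
        echo "apachectl not found; $out written but not syntax-checked" >&2
    fi
}

# Run as:  OPENCA_HTTPD_RUN=1 sh openca-httpd.sh   (then reload Apache)
if [ "${OPENCA_HTTPD_RUN:-0}" = 1 ]; then
    openca_httpd_write /etc/apache2/conf.d/openca.conf
fi
```

Restricting the source address is a stopgap for a test box; the access_control files edited further down are where OpenCA itself decides which protocol and cipher strength it will accept.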
Now edit config.xml for both the RA (in /usr/local/openra/openca/etc) and the CA (in /usr/local/openca/openca/etc).
for the CA:
general options
ca_organization
ca_locality
ca_country
service_mail_account (set to [EMAIL PROTECTED])
dbmodule -> DBI for the mysql database
db_type-> mysql
db_name -> openca
db_host -> localhost (or whatever)
db_port -> 3306 (the mysql default port)
db_user -> openca
db_passwd -> XXX
configuration of absolute paths
(as needed; once again, it looks like some of the work is already done)
dataexchange configuration
de-activate the default by wrapping it in comment brackets <!-- -->
activate mode 1 (node acts as CA only) by removing its comment brackets
configuration of relative paths
(as needed; not done the first time through due to an error)
<!-- these are the devices for the default dataexchange -->
(these might not be in config.xml; if not, see below)
<option>
<name>dataexchange_device_up</name>
<value>/usr/local/openca/openca/var/tmp/ca-up</value>
</option>
<option>
<name>dataexchange_device_down</name>
<value>/usr/local/openca/openca/var/tmp/ca-down</value>
</option>
<option>
<name>dataexchange_device_local</name>
<value>/usr/local/openra/openca/var/tmp/ra-local</value>
</option>
if the dataexchange device section is not in config.xml, go to
/usr/local/openca/openca/etc/servers and edit ca-node.conf.template and
ca.conf.template:
change the line EXPORT_IMPORT_DOWN_DEVICE "/dev/fd0"
to EXPORT_IMPORT_DOWN_DEVICE "/usr/local/openca/openca/var/tmp/ca-down"
and the line EXPORT_IMPORT_LOCAL_DEVICE "/dev/fd0"
to EXPORT_IMPORT_LOCAL_DEVICE "/usr/local/openra/openca/var/tmp/ra-local"
ra-node.conf.template needs similar updates as well:
the RA's up device (EXPORT_IMPORT_UP_DEVICE) must be the exact same file as the CA's EXPORT_IMPORT_DOWN_DEVICE, because that file is what stands in for the floppy carried between the two nodes.
also update the matching items in /usr/local/openca/openca/etc/access_control
(and similarly for the RA):
ca-node.xml.template
<protocol> set to .*
<symmetric> keylength 0
ca.xml.template
<protocol> set to .*
<symmetric> keylength 0
(a protocol pattern of .* accepts any protocol, plain http included, and a symmetric key length of 0 sets no minimum; that is what the http:// URLs below rely on, so tighten both once the virtual host has TLS)
now return to the RA etc dir /usr/local/openra/openca/etc
run the "magic script" configure_etc.sh
(that script makes the configuration files from the templates)
then run openca_start
(the script that starts the server is the same for the RA as for the CA, hence openca_start rather than openra_start)
use the browser to open http://myhost.wherever.edu/ra
and you should get a page.
Also check http://myhost.wherever.edu/ra-node
Also check http://myhost.wherever.edu/pub
switch dir to /usr/local/openca/openca/etc
run the "magic script" configure_etc.sh
(that script makes the configuration files from the templates)
use the browser to open http://myhost.wherever.edu/ca
and you should get a page.
Also check http://myhost.wherever.edu/ca-node
if the pages work, you have installed OpenCA. Now you need to initialize it.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++ The initialization of an installed CA ++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Configure an installed/compiled OpenCA installation
connect to the CA:
http://myhost.wherever.edu/ca
A series of tabs should be visible. Select General->Initialization
Phase I
Initialize the Certification Authority
Initialize Database
initialize -> initialize DB (reports success, but a slurry of error messages about tables not being found may appear on the console)
initialize -> initialize phase 1 -> generate new secret key: des3 rsa 1024 (enter the password to protect the key; 1024-bit RSA is below today's minimums, so pick a larger size on anything but a test box)
initialize -> initialize phase 1 -> generate new cert request (args as appropriate) (I think you need to set the email to match the sender from the config file, but am not sure)
initialize -> initialize phase 1 -> Self Signed CA Certificate (from the already generated request): 730 days
initialize -> initialize phase 1 -> Rebuild CA Chain
initialize -> initialize phase 2 -> new request: fields as appropriate. This is the cert for the CA admin
initialize -> initialize phase 2 -> edit request: (submit)(issue)
initialize -> initialize phase 2 -> handle request: export as p12 (the password is the PIN entered during the request)
save to disk, import into browser
initialize -> initialize phase 3 -> new request: (RAOperator as role)
initialize -> initialize phase 3 -> edit request: (submit)(issue)
initialize -> initialize phase 3 -> handle request: export as p12 (the password is the PIN entered during the request)
save to disk, import into browser
Now initialize the RA database
http://myhost.wherever.edu/ra-node
Admin->Server Init, initialize DB
Admin->Server Init, Import Configuration
Now move the certs down to the RA
http://myhost.wherever.edu/ca
Export the info to the RA:
General -> Node Management (brings you to the CA-NODE URLs)
Administration->Dataexchange
Enroll data to a lower level of the hierarchy->all
General-> Registration Authority (to the RA)
General-> Node Management (to the RA-node)
Administration->Dataexchange
Download data from a higher level of the hierarchy->All
(errors getting the CA certificate are ok and expected; it already came from the Import Configuration step above)
Now to issue the first client certificate:
http://myhost.wherever.edu/pub
User->Request a Certificate->Request a certificate with automatic browser detection
(fill out the fields as desired)(note the request serial number generated; use it to pick the certificate up below)
Now approve the request:
http://myhost.wherever.edu/ra
Active CSRs->New->(search) click on the submitted name/serial number (coloured link)
(Approve Request without signing)
Export the request from the RA
http://myhost.wherever.edu/ra-node
Admin->dataexchange->Upload data to a higher level of the hierarchy ->requests
Import into the CA
http://myhost.wherever.edu/ca-node
Admin->dataexchange->Receive data from a lower level of the hierarchy ->requests
Issue the cert
http://myhost.wherever.edu/ca
Usual Operations->Approved Certificate Requests -> click on the serial number, then the "issue the certificate" button
Export the cert from the CA
http://myhost.wherever.edu/ca-node
Admin->dataexchange->Enroll data to a lower level of the hierarchy ->Certificates
Import the cert to the RA
http://myhost.wherever.edu/ra-node
Admin->dataexchange->Download data from a higher level of the hierarchy ->Certificates
Pick up the certificate
http://myhost.wherever.edu/pub
User->Get Requested Certificate
use the install button. If that fails, Certificates->Valid has an install option and download options that should get you the certificate.
_______________________________________________
Openca-Users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openca-users