OK slight improvement. I had imported the RA operator certificate into Firefox under "People" tab. This is incorrect. I deleted it from there and reimported it under the "Your Certificates" tab. Now the Firefox error matches the previously reported IE error:

Error Code: 700

The PKCS#7-object signals an error.
The signature is not valid.

PKCS#7-Error 7932039:
OpenCA::PKCS7->parseDepth: There is a problem with the verification of the chain. ( error:7:certificate signature failure)

-----------------------------------------------------------------
DAVID BLAINE, GCIA, CISSP
GDLS-C Lead Information Risk Manager (LIRM)
CSC
6000 E. 17 Mile Rd. Sterling Heights MI 48313
GIS | o: 586.825.7650 | c: 810.217.8041 | f: 586.825.8606 | dblai...@csc.com | www.csc.com

This is a PRIVATE message. If you are not the intended recipient, please delete without copying and kindly advise us by e-mail of the mistake in delivery.
NOTE: Regardless of content, this e-mail shall not operate to bind CSC to any order or other contract unless pursuant to explicit written agreement or government initiative expressly permitting the use of e-mail for such purpose.

David W Blaine/GIS/c...@csc
12/30/2008 01:12 PM
Please respond to "Users' Help and Suggestions" <openca-users@lists.sourceforge.net>
To: "Users' Help and Suggestions" <openca-users@lists.sourceforge.net>
cc: "Users' Help and Suggestions" <openca-users@lists.sourceforge.net>
Subject: Re: [Openca-Users] Signing CSR

Hi John,

Thanks for the reply. Yes I did set the 3 options in Firefox for the CA certificate when I imported it. I did have Firefox 3.0.4 installed now trying the latest 3.0.5. EDIT: no go same error with 3.0.5.

I also have all 4 of the updates (plus the mail stuff and DBI.pm) installed that you listed.

"John A. Sullivan III" <jsulli...@opensourcedevel.com>
12/30/2008 12:42 PM
Please respond to "Users' Help and Suggestions" <openca-users@lists.sourceforge.net>
To: "Users' Help and Suggestions" <openca-users@lists.sourceforge.net>
cc:
Subject: Re: [Openca-Users] Signing CSR

On Tue, 2008-12-30 at 11:43 -0500, David W Blaine wrote:
>
> In IE 6, I get the error:
>
> Error Code: 700
>
> The PKCS#7-object signals an error.
> The signature is not valid.
>
> PKCS#7-Error 7932039:
> OpenCA::PKCS7->parseDepth: There is
> a problem with the verification of
> the chain. ( error:7:certificate
> signature failure)
>
> In Firefox 3, I get the error:
>
> Error Code: 6203
>
> The request is not signed!
>
> after a popup that states "sign is needed to proceed"
>
> I have checked both browsers and the RA and Root certificate look
> properly imported.
>
> -----------------------------------------------------------------
<snip><snip>
>
> I have this same problem. I checked the chain directory - and all is
> ok there. It contains the cacert.crt and the chain. Permissions on the
> file are 644 and owned by the web server account. I put in the patch
> for viewCSR that Max posted in another thread. Can anyone else sign
> their CSR's in Openca 1.0.2?
>
<snip>

Hi, David. I can think of two possible issues. If I recall, when one imports the PKCS#12 package for the RA operator into the browser and it installs the CA cert, it does not set it as authorized to do much of anything. I believe I had to go into the CA cert in Firefox and check on the three check boxes for the various CA cert faculties.

Or, it could be some of the bugs we hit which resulted in similar errors. I'm fighting my own deadline so I haven't cleaned this up but here is a cut and paste from our internal documentation:

We need to patch the source code for some bugs in version 1.0.2.

    cd src/common/lib/cmds

Backup the original versions:

    mv approveCSR{,.orig}
    mv viewCRR{,.orig}
    mv viewCert{,.orig}
    mv send_email_cert{,.orig}

Move these backups to the base directory since they MUST not be installed in the cmds directory even as renamed files:

    mv *.orig ../../../../

Download the new versions using wget from the following locations:

    http://ftp.openca.org/openca/openca-base/fixes/v1.0.2/Error_6295020/viewCert
    http://ftp.openca.org/openca/openca-base/fixes/v1.0.2/Error_6295020/send_email_cert
    http://ftp.openca.org/openca/openca-base/fixes/v1.0.2/Error_7221014/approveCSR
    http://ftp.openca.org/openca/openca-base/fixes/v1.0.2/Error_7221014/viewCRR

Next we need to fix some spelling and grammar in the emails by patching the mails directory:

    cd ../mails (i.e., src/common/lib/mails)
    patch -p1 < opencamail-1.0.2.patch

Now we need to patch DBI.pm

    cd ../../../modules/openca-dbi
    cp DBI.pm ../../../

Apply the opencaDBI.pm-1.0.2.patch patch

    patch -p0 < opencaDBI.pm-1.0.2.patch

I'll attach the two patches which are ours. I've submitted them to the OpenCA developers and do not know if they've been accepted. Frankly, I'm a perl ignoramus so they may not be very good patches. Good luck - John

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsulli...@opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society

[attachment "opencaDBI.pm-1.0.2.patch" deleted by David W Blaine/GIS/CSC]
[attachment "opencamail-1.0.2.patch" deleted by David W Blaine/GIS/CSC]

------------------------------------------------------------------------------
_______________________________________________
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users
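
Added example (not part of the original thread and not OpenCA code): a shell check for the "certificate signature failure" chain error quoted above, run with OpenSSL against throwaway certificates that the script constructs itself. The file names, the subject "Example Test CA" and the helper functions are assumptions for illustration; on a real installation the two arguments to verify_code would be the CA file from the chain directory and the exported RA operator certificate.

```bash
#!/usr/bin/env bash
# Added example: all keys and certificates below are constructed test data.
set -u
WORK=$(mktemp -d)

# make_ca <prefix>: self-signed CA. Every CA made here shares one subject
# name, mimicking a CA certificate that was regenerated with a new key.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Example Test CA" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_cert <ca-prefix> <name>: end-entity certificate signed by that CA.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -days 2 \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/$2.crt" 2>/dev/null
}

# verify_code <ca-file> <cert-file>: prints 0 when the chain verifies,
# otherwise the first OpenSSL verify error number.
# 7  = certificate signature failure (issuer name matched, key did not).
# 20 = unable to get local issuer certificate (no candidate issuer accepted,
#      e.g. when key identifier extensions rule the wrong CA out first).
verify_code() {
  out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
  code=$(printf '%s\n' "$out" |
    sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
  if [ -n "$code" ]; then
    echo "$code"
  elif printf '%s\n' "$out" | grep -q ': OK$'; then
    echo 0
  else
    echo unknown
  fi
}

make_ca current          # the CA that actually signed the operator cert
make_ca stale            # same subject, different key
issue_cert current operator
echo "current CA file: $(verify_code "$WORK/current.crt" "$WORK/operator.crt")"
echo "stale CA file:   $(verify_code "$WORK/stale.crt" "$WORK/operator.crt")"
```
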