Thanks David for your help. I took all your suggestions below and you were right about the Error 690: it does not happen on the pki/pub interface, it works correctly from there.

I have a few additional questions:

1) When I try to generate the request as you suggested:

   HOSTNAME=ca.mycompany.net
   mkdir $HOSTNAME
   openssl req -config $PREFIX/etc/openca/openssl/openssl/Web_Server.conf \
       -new -key $HOSTNAME/hostkey.pem -out $HOSTNAME/hostcert_request.pem \
       -subj "/C=US/O=My Company/OU=Hosts/CN=$HOSTNAME" -batch

   I get the following error message:

   Error opening Private Key ca.mycompany.net/hostkey.pem
   17161:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('ca.mycompany.net/hostkey.pem','r')
   17161:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
   unable to load Private Key

   So I guess I have to generate the key first. What command do I use to generate the key?

2) Our setup is very basic: we have Ubuntu servers for LDAP, FreeRadius, WWW, MySQL, Apache2 and Asterisk. We will be implementing LDAP/Radius authentication in the entire network, including our routers and switches, and we want all essential communications between servers to be encrypted. Our current LDAP schema looks like this:

   OU=People,DC=mycompany,DC=net
   OU=Groups,DC=mycompany,DC=net
   OU=Hosts,DC=mycompany,DC=net

   So, to tie everything into PKI, are we following a correct LDAP design?

3) This would be more like a feature request: when requesting a certificate, would it be possible to allow pasting of the request itself instead of, or in addition to, uploading it on the pub interface? This would come in very handy, especially when the administrator has to make a lot of requests for servers. CACert.org has this and I think it would be a great feature to add to OpenCA.

Thanks again for your help.

Lenir

-----Original Message-----
From: David O'Callaghan [mailto:david.ocallag...@cs.tcd.ie]
Sent: Tuesday, May 05, 2009 4:59 AM
To: Users' Help and Suggestions
Subject: Re: [Openca-Users] OpenCA Post Install Questions

Hi Lenir,

Looks fine to me up to step 7.

On 01/05/09 19:33, Lenir Santiago wrote:
> Question: Does Common Name (e.g. Name Surname) need to be the hostname
> of the openca server? Or is it the same as the company name?

I would suggest the CN should be a name for the CA itself, so "My Company CA" or "My Company Certification Authority" or "My Company CA 2009" might be appropriate. Have a look at the CNs of CA certs in your browser for example. Neither the hostname nor the company name (on its own) is really appropriate.

> This is what I filled in:
>
> E-mail address (PKIX deprecated)              supp...@mycompany.com
> Common Name (e.g. Name Surname)               hostname.mycompany.com
> Organizational Unit Name (e.g. MyUnit)        My Company
> Organization (e.g. OpenCA)                    My Company
> Locality (e.g., Modena)                       Miami
> State/Province (e.g., NY)                     FL
> ISO 3166 Country Code (e.g. IT, DE, US, ...)  US

Note that you don't have to fill all the fields. So you could have:

   C=US, O=My Company, OU=CA, CN=My Company CA 2009

or, if you don't want to specify the country and you want to guarantee uniqueness, you could use a name rooted with domainComponent RDNs, i.e. based on your company's domain name:

   DC=com, DC=mycompany, O=My Company, OU=CA, CN=My Company CA 2009

...

> Were my steps correct up to this point? If my steps were correct and I'm
> ok up to this point.

Yes, unless you decide you want to change your CA distinguished name.

> At this point, on all of the interfaces (ca, ra, node, pub) the
> following links don't work:
>
> 1) From the home page, when I click "Get CA Certificate", none of the
> certificate links work, I get this error message for all the certificate
> types:
>
> The requested URL /pki/ca/cacert/cacert.crt was not found on this server.

I found I had to copy these manually too, from $PREFIX/var/openca/crypto/cacert to $PREFIX/var/www/pki/ca/cacert (the paths are from memory so you may need to correct them!)

> 2) From the home page, when I click "Request a Certificate", I get the
> following error message:
>
> Error 690
>
> Configuration Error. Missing Configuration Keyword(s)
> : SupportedRequests.

Which home page? http://host/pki/ca/ or http://host/pki/pub/ ? You should probably request it from the "pub" homepage.

> 3) From the home page, when I click "Certification Policies", I get the
> following error message:
>
> The requested URL /pki/ca/policy.html was not found on this server.

Try from the "pub" home page, but this may be a file you need to write yourself.

> Now here comes the confusing part for me because it is not specific in the
> online manual. According to Ch. 6, it is highly recommended that the
> first certificates to be issued should be CA Operator and RA Operator.
> So my questions are about what I should input on the "Certificate
> Details" page:
>
> Certificate Request Group: Which request group should I use for the CA
> and RA operator?

I think this corresponds to the OU (organizational unit) field. I accept "Hosts" and "Users" here.

> E-Mail: Normally I fill in our supp...@mycompany.com
> <mailto:supp...@mycompany.com> email, is this recommended?

This depends on your certification policy. If you're doing this for internal use in your company and you're in charge of the CA then it's up to you. Some policies might require that it's an individual email address rather than a group email address.

> User ID (if any): normally I leave it blank. Should I use a user id?

I've disabled this field because it's not appropriate for our policy.

> Certificate Template: Here I choose CA Operator and RA Operator
>
> Selected Registration Authority: Here I always choose TrustCenter Itself

If you set up multiple RAs (say in different company branches) you can modify the list of RAs (e.g. FL, CA, NY, or whatever is appropriate).

> Level of Assurance: I always choose Very High for CA and RA operators
>
> Key Generation Mode: I always choose "Browser (Your Computer)". When
> should I use "Server (Our Server)" as an option?

Depends on policy. In my policy the CA can never generate keys for the users. For a company, it might make sense that the CA generates and stores keys for all the company's employees so that the company will always be able to decrypt documents, etc.

> So after I create the certificates, I guess I'm supposed to install them
> in Firefox and IE on my PC? If that's the case, then no problem. The
> next thing is how do I request a certificate for the openca webserver?
> If the certificate is for a web server, do I still have to specify my
> name, email, etc. just like a certificate for a user? All of our servers
> are Ubuntu 8.04 running apache2, so how do I do this?

You can generate the request using OpenSSL, e.g.:

   HOSTNAME=ca.mycompany.com
   mkdir $HOSTNAME
   openssl req -config $PREFIX/etc/openca/openssl/openssl/Web_Server.conf \
       -new -key $HOSTNAME/hostkey.pem -out $HOSTNAME/hostcert_request.pem \
       -subj "/C=US/O=My Company/OU=Hosts/CN=$HOSTNAME" -batch

This will generate ca.mycompany.com/hostkey.pem and ca.mycompany.com/hostcert_request.pem

You should be able to upload the hostcert_request.pem via the Server Certificate Request on the /pki/pub/ interface, then approve it on the /pki/ra/ interface...

Good luck,

David

_______________________________________________
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users
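As an added example (not part of the thread above), the key-generation step that the quoted `openssl req -key` command needs first, followed by the same request command and a check of the resulting request before it is uploaded to the pub interface. It assumes openssl is on PATH and a 2048-bit RSA key (an assumption, not from the thread); the OpenCA Web_Server.conf path is optional so the function also runs on a machine without OpenCA installed.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Usage on an OpenCA host (config path as in the thread):
#   make_host_csr ca.mycompany.net "$PREFIX/etc/openca/openssl/openssl/Web_Server.conf"

# make_host_csr HOSTNAME [OPENSSL_CONFIG]
# Creates HOSTNAME/hostkey.pem (only if it does not exist yet) and
# HOSTNAME/hostcert_request.pem, then prints the request's subject.
make_host_csr() {
    host="$1"
    config="$2"
    mkdir -p "$host"
    # The step the quoted command skipped: 'openssl req -key' reads an
    # existing key, so generate it first. umask 077 keeps it mode 0600.
    if [ ! -f "$host/hostkey.pem" ]; then
        (umask 077 && openssl genrsa -out "$host/hostkey.pem" 2048 2>/dev/null) || return 1
    fi
    # Pass -config only when a config file was supplied and exists.
    if [ -n "$config" ] && [ -f "$config" ]; then
        set -- -config "$config"
    else
        set --
    fi
    openssl req "$@" -new -key "$host/hostkey.pem" \
        -out "$host/hostcert_request.pem" \
        -subj "/C=US/O=My Company/OU=Hosts/CN=$host" -batch 2>/dev/null || return 1
    # Show the subject as OpenSSL parsed it: what the RA operator will see.
    openssl req -in "$host/hostcert_request.pem" -noout -subject
}

# verify_host_csr HOSTNAME
# Checks the request's self-signature, i.e. that it matches the key
# in the same directory and was not altered before upload.
verify_host_csr() {
    openssl req -in "$1/hostcert_request.pem" -noout -verify >/dev/null 2>&1
}
```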