On 05/05/09 16:01, Lenir Santiago wrote:

> 1) When I try to generate the request as you suggested:
>
> HOSTNAME=ca.mycompany.net
> mkdir $HOSTNAME
> openssl req -config $PREFIX/etc/openca/openssl/openssl/Web_Server.conf -new -key $HOSTNAME/hostkey.pem -out $HOSTNAME/hostcert_request.pem -subj "/C=US/O=My Company/OU=Hosts/CN=$HOSTNAME" -batch
>
> But I get the following error message:
>
> Error opening Private Key ca.mycompany.net/hostkey.pem
> 17161:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('ca.mycompany.net/hostkey.pem','r')
> 17161:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
> unable to load Private Key
>
> So I guess I have to generate the key first. What command do I use to generate the key?
Sorry, I didn't actually try running it... Replace "-key" with "-keyout" and it should work!

> 2) Our setup is very basic, we have Ubuntu servers for LDAP, FreeRadius, WWW, MySQL, Apache2 and Asterisk.
> We will be implementing LDAP/Radius authentication in the entire network including our routers and switches and we want all essential communications between servers to be encrypted. Our current LDAP schema looks like this:
>
> OU=People,DC=mycompany,DC=net
> OU=Groups,DC=mycompany,DC=net
> OU=Hosts,DC=mycompany,DC=net
>
> So to tie everything in to PKI, are we following a correct LDAP design?

It seems like a good idea for your certs to use the same structure as your LDAP schema. You will need to edit various config files (servers/pub.conf(.template), server_req.xml(.template), etc.) to get OpenCA to use the correct base RDNs (DC=mycompany,DC=net) and present only the relevant fields to the users.

> 3) This would be more like a feature request: When requesting a certificate, would it be possible to allow pasting of the request itself instead of or in addition to uploading on the pub interface? This would come in very handy, especially when the administrator has to make a lot of requests for servers. CACert.org has this and I think it would be a great feature to add to openca.

Seems like a reasonable idea. Could one of the developers comment? Should we file feature requests like this on the issue tracker on SourceForge?

Kind regards,
David
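Added example (not from this thread or from OpenCA): the corrected one-step request with -keyout, the two-step alternative (generate the key first, then use -key as in the original command), and the checks worth running before a CSR is uploaded. It assumes only a stock openssl binary and does not use the OpenCA Web_Server.conf config file; the hostnames are constructed sample values.

```shell
#!/bin/sh
set -eu

# One-step: "openssl req" creates the private key itself (-newkey/-keyout).
# -nodes leaves the host key unencrypted so the command runs non-interactively
# (a -batch run would otherwise stall on a passphrase prompt); umask 077 keeps
# the key file readable only by its owner.
make_host_request() {
    hostname="$1"
    umask 077
    mkdir -p "$hostname"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$hostname/hostkey.pem" \
        -out "$hostname/hostcert_request.pem" \
        -subj "/C=US/O=My Company/OU=Hosts/CN=$hostname" -batch 2>/dev/null
}

# Two-step: what the original "-key" invocation was missing is the key file,
# so generate it first with genpkey, then pass it to req with -key.
make_host_request_twostep() {
    hostname="$1"
    umask 077
    mkdir -p "$hostname"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$hostname/hostkey.pem" 2>/dev/null
    openssl req -new -key "$hostname/hostkey.pem" \
        -out "$hostname/hostcert_request.pem" \
        -subj "/C=US/O=My Company/OU=Hosts/CN=$hostname" -batch 2>/dev/null
}

# Sanity checks before the CSR goes to the CA: the request's self-signature
# verifies, the CN is the hostname, and the public key embedded in the CSR is
# the one belonging to the private key that will live on the host.
check_host_request() {
    hostname="$1"
    csr="$hostname/hostcert_request.pem"
    openssl req -noout -verify -in "$csr" >/dev/null 2>&1 || return 1
    openssl req -noout -subject -in "$csr" | grep -q "CN *= *$hostname" || return 1
    csr_pub=$(openssl req -noout -pubkey -in "$csr")
    key_pub=$(openssl pkey -pubout -in "$hostname/hostkey.pem")
    [ "$csr_pub" = "$key_pub" ]
}
```

Both functions leave hostkey.pem and hostcert_request.pem in a directory named after the host, matching the layout in the quoted command.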
_______________________________________________
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users