I apologize in advance for the length of this, but I don't have access to the
wiki to write something more comprehensive and understandable - this time
including how to initiate the OpenCA services.

Mohammed, I spent 3 full days and countless mistakes trying to install this on
Ubuntu 12.04, Apache, MySQL (all updated to current) using the OpenCA 1.3.0
versions of both the tools and the base.  Here are my notes.

As raw as they are, they may give you some ideas because I know how frustrating
this has been for you.  Note, there is a quick guide to scrape the field and
start over again at the bottom - if I wrote this out, you can guess how many
times I screwed up and had to "green field" over again.

 Jack D. Pond

"State facts, offer opinions; understand and respect the difference." -- Jack
Pond


--------------------------------------------------------------------------------

The build directories used below (relative to my home directory) were:

* [BuildDir] = OpenCa
* [ToolsBuildDir] = [BuildDir]/openca-tools-1.3.0
* [BaseBuildDir] = [BuildDir]/openca-base-1.3.0

<pre>
cd
mkdir [BuildDir]
cd [BuildDir]

wget http://ftp.openca.org/openca/openca-tools/releases/v1.3.0/sources/openca-tools-1.3.0.tar.gz
wget http://ftp.openca.org/openca/openca-tools/releases/v1.3.0/sources/openca-tools-1.3.0.tar.gz.sha1

wget http://ftp.openca.org/openca/openca-base/releases/v1.3.0/sources/openca-base-1.3.0.tar.gz
wget http://ftp.openca.org/openca/openca-base/releases/v1.3.0/sources/openca-base-1.3.0.tar.gz.sha1

# Check the checksums to make sure you have good versions: the hash printed by
# sha1sum must match the one in the .sha1 file
sha1sum openca-tools-1.3.0.tar.gz
more openca-tools-1.3.0.tar.gz.sha1

sha1sum openca-base-1.3.0.tar.gz
more openca-base-1.3.0.tar.gz.sha1

# only unpack once both hashes match
tar -zxvf openca-tools-1.3.0.tar.gz
tar -zxvf openca-base-1.3.0.tar.gz
</pre>
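The step above compares the sha1sum output with the .sha1 side file by eye. As an added example (my code, not part of the original post), here is a small POSIX shell helper that does the comparison automatically and refuses to unpack a tarball whose hash does not match; the function names are mine, the URLs are the ones used above. A .sha1 file served from the same mirror as the tarball only catches truncated or corrupted downloads; it is not a signature and does not protect against an altered mirror.

```shell
#!/bin/sh
# Added example, not from the original post: automate the sha1 check.

# expected_sha1 SUMFILE: print the hash recorded in a .sha1 side file, lower-cased.
# Accepts both the "<hash>  <filename>" layout written by sha1sum and a bare hash.
expected_sha1() {
    awk 'NR == 1 { print tolower($1); exit }' "$1"
}

# verify_sha1 FILE SUMFILE: return 0 if FILE's SHA-1 equals the hash in SUMFILE,
# 1 if it differs, is empty, or either file is unreadable.
verify_sha1() {
    file="$1"; sumfile="$2"
    if [ ! -r "$file" ] || [ ! -r "$sumfile" ]; then
        echo "verify_sha1: cannot read $file or $sumfile" >&2
        return 1
    fi
    want=$(expected_sha1 "$sumfile")
    got=$(sha1sum "$file" | awk '{ print $1 }')
    if [ -n "$want" ] && [ "$got" = "$want" ]; then
        echo "OK   $file"
        return 0
    fi
    echo "FAIL $file: expected '$want', got '$got'" >&2
    return 1
}

# fetch_verify_unpack BASEURL TARBALL (hypothetical helper): download TARBALL and
# TARBALL.sha1 from BASEURL, verify, and only then unpack.
fetch_verify_unpack() {
    base="$1"; name="$2"
    wget -q "$base/$name" "$base/$name.sha1" || return 1
    verify_sha1 "$name" "$name.sha1" || { echo "refusing to unpack $name" >&2; return 1; }
    tar -zxf "$name"
}

# Usage with the two downloads from the post (needs network access):
#   fetch_verify_unpack http://ftp.openca.org/openca/openca-tools/releases/v1.3.0/sources openca-tools-1.3.0.tar.gz
#   fetch_verify_unpack http://ftp.openca.org/openca/openca-base/releases/v1.3.0/sources openca-base-1.3.0.tar.gz
```

Run it from [BuildDir] in place of the wget/sha1sum/more/tar sequence; a mismatch leaves the tarball on disk but unpacked nothing.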

Now make sure you have the tool set needed to build from source and run the result:

<pre>
# build tools and OpenSSL headers, if you haven't already
sudo apt-get -y install build-essential libssl-dev binutils binutils-dev openssl
sudo apt-get -y install libdb-dev libexpat1-dev automake checkinstall

# install apache with perl if you haven't already
sudo apt-get -y install apache2 libapache2-mod-perl2
sudo apt-get -y install libcrypt-ssleay-perl libwww-perl libhtml-parser-perl libwww-mechanize-perl

# install mysql
sudo apt-get -y install mysql-server libmysqld-dev libdb-dev

# then clean up
sudo apt-get -y update; sudo apt-get -y upgrade;
sudo apt-get -y autoremove

# now add the system user/group openca (-r: system account, -U: group of the same name)
sudo useradd -rU openca
sudo usermod -a -G openca root

# install postfix (you'll want this later if you use the notification stuff)
sudo apt-get -y install postfix
</pre>


For the apache configuration, I used a new "site available", then added a
symlink to it.

<pre>
sudo vim /etc/apache2/sites-available/051-PKI-CA

# within the new file, added:

<VirtualHost *:80>
        ServerAdmin support@[yourdomain].com
        ServerName ca.[yourdomain].com
#       ServerAlias pki.[yourdomain].com *.[yourdomain].com
        DocumentRoot "/var/www"

#       <IfModule mpm_itk_module>
#               AssignUserId www-data www-data
#       </IfModule>

        <Directory />
                Options -Indexes FollowSymLinks MultiViews
                AllowOverride None
        </Directory>

        ScriptAlias /cgi-bin/ /var/www/cgi-bin/
        <Directory "/var/www/cgi-bin/">
                AllowOverride None
                Options +ExecCGI -Indexes -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        ErrorLog "${APACHE_LOG_DIR}/openca-error.log"

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog "${APACHE_LOG_DIR}/openca.log" combined
</VirtualHost>
# exit editor

sudo ln -s /etc/apache2/sites-available/051-PKI-CA /etc/apache2/sites-enabled/051-PKI-CA

# test the config before you throw the switch
sudo apache2ctl configtest
sudo service apache2 restart
</pre>

Now start the actual installation.

Database Creation
In order for OpenCA to be able to store data into the database you need to
create a database and a user to manage the database. Following there's an
example for MySQL. Connect to the DBMS:

<pre>
mysql -u root -p -h localhost
</pre>

Then, create the database and its user:

<pre>
mysql> CREATE DATABASE opencadb;
mysql> use opencadb;
mysql> GRANT ALL ON *.* TO 'opencadbuser'@'%' IDENTIFIED BY '[YourSuperSecretPassword]';
mysql> GRANT ALL ON *.* TO 'opencadbuser'@'localhost' IDENTIFIED BY '[YourSuperSecretPassword]';
mysql> flush privileges;
mysql> exit;

# Test it:
sudo mysql -u opencadbuser -p opencadb
</pre>

If you manage to log in to the DB, you have set up the database correctly. NOTE:
you should use names other than the ones in this example for the database and
the user; whatever you pick has to match what is configured in
PREFIX/etc/openca/config.xml.
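The GRANT statements above give opencadbuser rights on every database on the server (`*.*`), and the `'%'` account lets it connect from any host. As an added example (my code, not from the original post or the OpenCA project), here is a shell function that emits the same setup with the grant scoped to the OpenCA database only and, by default, to localhost only; I assume OpenCA needs full rights on its own database because it creates its tables itself, which is why the grant stays ALL PRIVILEGES on `opencadb.*`. Names are the post's, the password is a placeholder, and the function name is mine.

```shell
#!/bin/sh
# Added example, not from the original post: generate the database/user setup
# with the grant limited to one database instead of ON *.*.

# openca_grant_sql DBNAME DBUSER PASSWORD [HOST...]
# Prints the SQL for the given database and user. HOST defaults to localhost
# only, which is all a MySQL server on the same box as OpenCA needs.
openca_grant_sql() {
    db="$1"; user="$2"; pass="$3"
    shift 3
    [ $# -gt 0 ] || set -- localhost
    # Double backslashes and single quotes so the password stays a valid SQL literal.
    pass_esc=$(printf '%s' "$pass" | sed -e 's/\\/\\\\/g' -e "s/'/''/g")
    printf 'CREATE DATABASE IF NOT EXISTS `%s`;\n' "$db"
    for host in "$@"; do
        # Scoped to DBNAME.* : the account cannot read or alter mysql.* or other schemas.
        printf "GRANT ALL PRIVILEGES ON \`%s\`.* TO '%s'@'%s' IDENTIFIED BY '%s';\n" \
            "$db" "$user" "$host" "$pass_esc"
    done
    printf 'FLUSH PRIVILEGES;\n'
}

# Usage (the placeholder password is the post's; pipe the output into the root session):
#   openca_grant_sql opencadb opencadbuser '[YourSuperSecretPassword]' | mysql -u root -p
# Add '%' as an extra HOST argument only if OpenCA runs on a different machine from MySQL.
```

After running it, the same `mysql -u opencadbuser -p opencadb` login test from the post applies; `SHOW GRANTS FOR 'opencadbuser'@'localhost';` should list the one database and nothing else.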


Build and install the OpenCA Tools

<pre>
pushd openca-tools-1.3.0/
./configure \
--with-openca-user="openca" \
--with-openca-group="openca"

# now make them
make

# now install them

sudo make install

popd
</pre>

Make and Install the OpenCA Offline (Certificate Authority, CA Server, Ubuntu) 

<pre>
pushd openca-base-1.3.0/

# now configure the system for ubuntu 12.04
./configure \
--with-openca-user="openca" \
--with-openca-group="openca" \
--with-htdocs-fs-prefix="/var/www/html/pki" \
--with-htdocs-url-prefix="/html/pki" \
--with-cgi-fs-prefix="/var/www/cgi-bin/pki" \
--with-cgi-url-prefix="/cgi-bin/pki" \
--with-service-mail-account="c...@yourdomain.com" \
--with-support-mail-address="supp...@yourdomain.com" \
--with-ca-organization="Your Organization" \
--with-ca-locality="Philadelphia" \
--with-ca-state="Pennsylvania" \
--with-db-type="mysql" \
--with-db-user="opencadbuser" \
--with-db-name="opencadb" \
--with-db-passwd="[YourSuperSecretPassword]"

make

sudo make install-offline
# If you are using a single-node CA/RA, also do the online (RA/PUB) install:
# sudo make install-online

popd
</pre>


Now run the configuration - hopefully you'll get no errors:

<pre>
pushd /usr/local/etc/openca
sudo -s
. configure_etc.sh
/usr/local/etc/init.d/openca restart
exit
popd
</pre>


Finally, to make sure the service comes up at reboot: different systems have
different ways to add scripts to the boot sequence, but in general linking the
openca script into your /etc/init.d/ is a good start. You can do this with:

<pre>
sudo ln -s /usr/local/etc/init.d/openca /etc/init.d/openca
</pre>


Problems Encountered (I did get errors). Don't apply these fixes until you're
sure you need them; if the errors show up while running configure_etc.sh you
shouldn't have to re-run ./configure.

Missing XML::Parser
Missing perl modules. I don't know why they didn't compile (but the following
didn't):
XML::Parser

<pre>
sudo cpan
cpan>install CPAN
cpan>reload cpan
cpan>install XML::Parser
cpan>exit
</pre>

Certificate "fetch" Bombs Out (internal error 500) due to hex serial number
Fix from http://sourceforge.net/mailarchive/message.php?msg_id=28435810

<pre>
# keep a copy of the installed module (it lands in Saved/), then drop in the patched DBI.pm
sudo cp /usr/local/lib/openca/perl_modules/perl5/OpenCA/DBI.pm Saved/DBI.pm.patched
sudo cp DBI.pm.patched /usr/local/lib/openca/perl_modules/perl5/OpenCA/DBI.pm
</pre>



Because I'd updated (using cpan) the DBD and DBI modules, it was necessary to
update the ones used by OpenCA too; otherwise I got a version conflict.  This
may not be necessary.

If You Need the Current DBI Modules

<pre>
# for this version the bundled modules were DBI-1.618 and DBD-mysql-4.020
pushd [BaseBuildDir]/src/ext-modules/
rm DBI-*
rm DBD-mysql-*

wget http://search.cpan.org/CPAN/authors/id/T/TI/TIMB/DBI-1.621.tar.gz
wget http://search.cpan.org/CPAN/authors/id/C/CA/CAPTTOFU/DBD-mysql-4.021.tar.gz
wget http://search.cpan.org/CPAN/authors/id/T/TO/TODDR/XML-Parser-2.41.tar.gz

sed -i 's/DBI-1.618/DBI-1.621/g' Makefile
sed -i 's/DBD-mysql-4.020/DBD-mysql-4.021/g' Makefile

popd
</pre>

To remove an old version, you should execute the following:

<pre>
sudo [PREFIX]/etc/init.d/openca stop
pushd [BaseBuildDir]
sudo make distclean
popd
pushd [ToolsBuildDir]
sudo make distclean
popd

sudo rm -r 

# locate what was installed (check each path before removing anything)
sudo find / -name openca
sudo find / -name pki

# for each directory returned above:
sudo rm -r [dir from 'find' above]

# to remove the bins:
sudo find / -name "openca*"

# for each file (or set of files, you can use wildcards)
sudo rm [file(s) returned from find above]


mysql -uroot -p

mysql> select user, host from mysql.user;
# both accounts granted above (the '%' and 'localhost' ones), or whatever you used before
mysql> DROP USER 'opencadbuser'@'%', 'opencadbuser'@'localhost';
mysql> show databases;
mysql> DROP DATABASE opencadb; # or whatever you used before
mysql> exit;
</pre>




_______________________________________________
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users
