Nikolay Sturm wrote:
>
> Hi!
Hi,
> I have installed OpenCA-20000916 and want to comment on some
> problems I had.
:-D
> First you assume the user to install openssl as an addon, well I
> use OpenBSD and this OS has integrated OpenSSL into the
> system, so asking for an OpenSSL installation directory does not
> make sense, I just took /usr/local and changed all calls for openssl
> to /usr/sbin/openssl by hand since configfile parsing did not seem
> to be enough (maybe this was not really necessary).
This should now be correct in the new upcoming SNAP - to be checked.
> Second you often use /bin/sh in your shell scripts, while
> programming in bash. On some systems /bin/sh is really just
> Bourne shell compatible, so you might want to really call /bin/bash
> or just program in sh.
>
> Has anyone successfully generated a CA keypair with the
> webinterface? IMHO this is not possible, because the key
> generation code of OpenCA::OpenSSL did not work for me.
Probably this was due to the wrong openssl path lookup.
> Have you considered using POST rather than GET? This way you don't log
> passwords to your webserver's logfile, AFAIK.
This is a good point, I'll check it.
> The verify program does not work for me. Where it is used in the
> scripts, it is called as "verify signaturefile -d textfile -cf cacert" while
> "verify -h" suggests something like "verify -in signaturefile ...". Well
> that told me the signature was not valid. Might be because you
> have to use the certificate of the user that signed your data?
You should use the tool like this:
verify -in TEXT.sig -data TEXT -cf cacert.pem -verbose
or if you want to verify just the signature and not the whole chain of
certificates, use something like:
verify -in TEXT.sig -data TEXT -no_chain -verbose
> When creating a certificate for an RA Admin, do I need a special
> type of certificate or could I just use a normal User Cert?
Just use a normal user_cert, you obviously have to limit the access
to the RAServer pages to the right OU/CN combination in the httpd.conf
file ( i.e. by limiting the access to certificates with OU=RA Operator,
this is up to you and your organization's policy).
C'you,
Massimiliano Pala ([EMAIL PROTECTED])