>The CA is online of course (in the IP-sense), how else can I sign certificates?
>It is not a pre-known CA (like VeriSign and Netscape, for example).
In a real setup, your CA should be closed in a room without any
connection, for security purposes; you can exchange data through floppy or
other removable media. In fact, you should, even if you have all
components on the same machine. Just for a trial, simply leave a floppy
always in the drive, but you need such a step. Remember to have it
writable by the right user.
>I have no certificate for the RAserver yet. Can this be the problem? I also
>don't use a secure webserver (yet).
I do not know if your specific problem is due to this, but surely
these are real problems.
To generate the certificate for the RAserver (and also the
RAOperator, which is the person signing the requests), you should use
the bin/issue_certs.bin command in the OpenCA dir (but after having
generated the CA certificate using the web tool). Just follow the
instructions: the RAserver certificate is of "server_cert" type,
while the RA Operator certificate is of default type. The former
should contain the name of the server, the latter should have OU = RA
Operator. The RAserver certificate should be copied into the
configuration dir of the secure web server (some info appears
at the end of the procedure), together with the key. The RA Operator
certificate should be exported in .p12 format with
bin/browser_export.bin and then imported into the browser of the
operator. That certificate will be used to sign the requests.
Warning: I'm having problems with RA operator signature, thus there
could be some failure in my description (although I'm confident the
problem is elsewhere).
Hope this helps,
Vincenzo Della Mea
_________________________________________________________________
OpenCA - Users Support Mailing List [EMAIL PROTECTED]
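
An added example, not part of the message above and not OpenCA code: a check, using the plain openssl command line, that an RA server certificate carries the server name and matches the key copied with it, and that an RA Operator certificate has OU = RA Operator. The file names, host name and subjects are constructed, and self-signed certificates stand in for ones issued by the CA.

```shell
#!/bin/sh
# Added example: sanity checks for an RA server certificate and an
# RA Operator certificate before installing or exporting them.
# All names, paths and subjects below are constructed for illustration.

# Print the value of one subject attribute (CN, OU, ...) of a PEM certificate.
# Assumption: attribute values contain no commas.
subject_attr() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//' | tr ',' '\n' | sed -n "s/^$2=//p"
}

# Succeed only if the private key file belongs to the certificate,
# by comparing the public key derived from each.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Usage: check_ra_server CERT KEY EXPECTED_SERVER_NAME
check_ra_server() {
    [ "$(subject_attr "$1" CN)" = "$3" ] && key_matches_cert "$1" "$2"
}

# Usage: check_ra_operator CERT
check_ra_operator() {
    [ "$(subject_attr "$1" OU)" = "RA Operator" ]
}

# Constructed sample material: throwaway self-signed certificates.
WORK=$(mktemp -d)
make_cert() {   # Usage: make_cert NAME SUBJECT
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}
make_cert raserver "/O=Example Org/CN=ra.example.test"
make_cert operator "/O=Example Org/OU=RA Operator/CN=Constructed Operator"

check_ra_server "$WORK/raserver.pem" "$WORK/raserver.key" ra.example.test &&
    echo "RA server certificate: ok"
check_ra_operator "$WORK/operator.pem" &&
    echo "RA Operator certificate: ok"
```

A mismatched key or a missing OU makes the corresponding function return non-zero, so the checks can gate a deployment script.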