Alex, OpenSSL 0.9.8b ships with Redhat EL5 and Fedora Core 8. I couldn't get your code to compile with this version, so I downloaded and installed OpenSSL 0.9.8g from source and linked your code against that. As for the diff your right, it doesn't seem to be needed if you have the permissions correctly set on the cakey.pem.
-nate ----- Original Message ----- From: "Alexander Klink" <[EMAIL PROTECTED]> To: [email protected] Sent: Thursday, February 7, 2008 9:46:19 AM (GMT-0600) America/Chicago Subject: Re: [OpenXPKI-users] successful install of OpenXPKI-0.1206 on Redhat EL5! Hi Nathan, On Thu, Feb 07, 2008 at 09:20:53AM -0600, Nathan Yehle wrote: > Thanks Alex and Sergei! You're welcome ... > I had originaly avoided this release as it seems the version of openssl-devel > that comes standard with Redhat EL5 doesn't work with this build. (missing > ec.h) Hmmm, which version is that? > After installing the new version of OpenXPKI it still didn't work but I have > included a patch which seems to solve the problem with issuing certificates. > what follows are my notes on installing, and at the end is the patch. I hope > this helps some people, and perhapse you guys in finishing that documentation > :) One thing I noticed is you seem to have missed Apache::Request and > Config::Std in your perl module dependancy checks. Thanks. These two are a bit tough - I believe you don't need Apache::Request if you run a CGI version (not that I would recommend that, though), so technically it is optional ... As for Config::Std - this is needed by the deployment tools, which do not have their own Makefile.PL ... As for the patch ... > change ENGINE to OPENXPKI in > /usr/lib64/perl5/site_perl/5.8.8/x86_64-linux-thread-multi/OpenXPKI/Crypto/Backend/OpenSSL/Command/issue_cert.pm > - if ( (uc($self->{TOKEN_TYPE}) ne 'CA') or ($key_store ne 'ENGINE')) > + if ( (uc($self->{TOKEN_TYPE}) ne 'CA') or ($key_store ne 'OPENXPKI')) > { > if (not -e $self->{KEYFILE}) ... I still believe that if the keystore is not 'ENGINE' (in which case the key resides in hardware, so no keyfile is needed), OpenXPKI should check for the existence of the key file. > trying again will give permission denied on cakey.pem's location, since it > was created as root, change the permissions to actualy make the key usable by > openxpki: > chown -R openxpki:openxpki /usr/etc/openxpki Did you try to change the permission without the patch? I believe that should already have solved your problem (-e fails if the path to the file is not accessible). > Then signing CSRs worked! All together a fascinating project, Thanks, nice to hear that you like it ... Best regards, Alex -- Dipl.-Math. Alexander Klink | IT-Security Engineer [EMAIL PROTECTED] | working @ urn:oid:1.3.6.1.4.1.11417 ------------------------------------------------------------------------- This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2008. http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/ _______________________________________________ OpenXPKI-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openxpki-users ------------------------------------------------------------------------- This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2008. http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/ _______________________________________________ OpenXPKI-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openxpki-users
