Hi again,

Thanks for the quick replies. Pardon me for some lame queries. I am just curious why my mails are not visible on the mailing list [openxpki-users]. Secondly, please tell me, is there any standard way of replying to a mailing list other than the one I am currently following, i.e. replying from my mailbox, e.g. yahoo/gmail etc.? Sorry for this lame question, but this is the first time I am using a mailing list.

Now coming to the problems:

Martin wrote:
unless you have configured OpenXPKI to accept digitally signed approvals (which is a bit overkill for a demo) you need to choose approval without digital signature.

But on my side the response from the server is the same even when I click approve without signing: the workflow details are shown, and pressing the approve CSR button on the right leads to the same starting screen.

Summary: The two buttons are acting the same for me, with the difference that the Approve CSR with digital signatures button displays a message dialog and the other button doesn't.

Martin wrote:
(Your browser complains that it does not have a certificate for signing the challenge presented by OpenXPKI, hence an approval cannot be performed.)

I have generated a private key RSA:2048:aes256 and then a certificate from the conf file posted earlier, imported the certificate into openxpki and verified it from the openxpkiadm certificate list command. I can even download the certificate from the web interface into both internet explorer and mozilla firefox.

Martin wrote:
> The directories at "/usr/etc/openxpki" and "/usr/var/openxpki" have
> openxpki:openxpki permissions as well as 777 permissions.
Best bet is to fix this via chmod 755 or 750...

Done the chmod 755 but no change in the behavior.

---------------------------------------------------------------------

Sergei wrote:
Really it should go this way. Most probably you have neither private key of ra/ca operator, nor his matching cert installed on your client host. So you have no tools to digitally sign this request. This is what your _browser_ tries to tell you. Do not ask me where you get this key-cert pair. Think yourself after big PKI related reading.

As I have expressed above, I have generated the key and certificate as described on the wiki.openxpki.org page. If there is something wrong with my xxxx.cnf file which is used during the certificate generation process, please help.
I have tried a generic yyyy.cnf file following directions from the openssl.org site for making a CA certificate, but the response from the browser is the same. I have imported the certificate into the trusted root certificate authorities section and then tried to sign the request, but it did not help.

I guess there is something wrong, because as you have mentioned, signing the request with the without-digital-signature option should work even when there is no proper certificate available, but in my case it also does not work. Please tell me, is there anything special to be done for the certificate, like some extra extensions to include in the cnf file....?

========================================================================
Here is the procedure I followed
========================================================================
This procedure is from here:
http://sourceforge.net/mailarchive/message.php?msg_id=20080710143224.GA22748%40b109m.uvt.tuke.sk
It is for debian etch, but I used it on debian lenny.
So some packages and package versions are different from what I used.
========================================================================

aptitude update
aptitude upgrade

apt-get install perl-modules openssl libssl-dev build-essential \
    dh-make-perl unzip lynx ftp gnupg less ncftp bzip2 subversion \
    mysql-server perl-doc debconf-utils apache2 apache-ssl \
    apache2-mod-perl2

apt-get install liblog-log4perl-perl libcgi-session-perl libdbi-perl \
    libtimedate-perl libdatetime-perl libdigest-sha1-perl \
    libipc-sharelite-perl libmail-rfc822-address-perl libnet-ip-perl \
    libnet-server-perl libnet-ldap-server-perl libtest-pod-perl \
    libtest-pod-coverage-perl libtest-exception-perl libxml-sax-perl \
    libxml-sax-writer-perl libxml-parser-perl libxml-simple-perl \
    libversion-perl libtext-csv-perl libtree-dagnode-perl \
    libclass-factory-perl libdatetime-format-strptime-perl \
    libtest-exception-perl libio-prompt-perl libdata-page-perl \
    libmath-round-perl libcache-cache-perl libclass-container-perl \
    libhtml-mason-perl libtest-www-mechanize-perl libapache-mod-perl \
    libio-socket-ssl-perl libapache-request-perl libtest-simple-perl \
    libnetaddr-ip-perl libclass-dbi-sqlite-perl libclass-dbi-mysql-perl \
    libintl-perl

apt-get build-dep libclass-std-perl
apt-get -b source libclass-std-perl
dpkg -i libclass-std-perl_0.0.9-2_all.deb

apt-get build-dep libconfig-std-perl
apt-get -b source libconfig-std-perl
dpkg -i libconfig-std-perl_0.0.4-3_all.deb

apt-get build-dep libtemplate-perl
apt-get -b source libtemplate-perl
dpkg -i libtemplate-perl_2.19-1_i386.deb

apt-get build-dep libexception-class-perl
apt-get -b source libexception-class-perl
dpkg -i libexception-class-perl_1.24-1_all.deb

apt-get -y build-dep libhook-lexwrap-perl
apt-get -t testing -b source libhook-lexwrap-perl
dpkg -i libhook-lexwrap-perl_0.20-2_all.deb

dh-make-perl --build --cpan Devel::StackTrace
dpkg -i libdevel-stacktrace-perl_1.1901-1_all.deb

dh-make-perl --build --cpan Data::Password
dpkg -i libdata-password-perl_1.07-1_all.deb

dh-make-perl --build --cpan Locale::TextDomain
dpkg -i libintl-perl_1.16-1_i386.deb

dh-make-perl --build --cpan Proc::ProcessTable
dpkg -i libproc-processtable-perl_0.42-1_i386.deb

dh-make-perl --build --cpan Sys::SigAction
dpkg -i libsys-sigaction-perl_0.10-1_all.deb

dh-make-perl --build --cpan Class::Observable
dpkg -i libclass-observable-perl_1.04-1_all.deb

dh-make-perl --build --cpan DBD::Mock
dpkg -i libdbd-mock-perl_1.37-1_all.deb

dh-make-perl --build --cpan Workflow
dpkg -i libworkflow-perl_0.31-1_all.deb

dh-make-perl --build --cpan XML::Filter::XInclude
dpkg -i libxml-filter-xinclude-perl_1.0-1_all.deb

dh-make-perl --build --cpan XML::Validator::Schema
dpkg -i libxml-validator-schema-perl_1.10-1_all.deb

dh-make-perl --build --cpan Data::Serializer
dpkg -i libdata-serializer-perl_0.46-1_all.deb

dh-make-perl --build --cpan DateTime::Format::DateParse
dpkg -i libdatetime-format-dateparse-perl_0.04-1_all.deb

dh-make-perl --build --cpan Regexp::Common
dpkg -i libregexp-common-perl_2.122-1_all.deb

dh-make-perl --build --cpan Data::SpreadPagination
dpkg -i libdata-spreadpagination-perl_0.1.2-1_all.deb

dh-make-perl --build --cpan HTTP::Server::Simple::Mason
dpkg -i libhttp-server-simple-mason-perl_0.09-1_all.deb

dh-make-perl --build --cpan Test::HTTP::Server::Simple
dpkg -i libtest-http-server-simple-perl_0.09-1_all.deb

###########################
# checkout the source
cd /usr/src/
svn co https://openxpki.svn.sourceforge.net/svnroot/openxpki svn-openxpki

# OpenXPKI Core
cd /usr/src/svn-openxpki/trunk/perl-modules/core/trunk
perl Makefile.PL
# Installed Crypt::CBC and Crypt::OpenSSL::AES as the requirements came up with this command.
make
make install

# OpenXPKI Client
cd ../../../clients/perl/OpenXPKI-Client
perl Makefile.PL
make
make install

# OpenXPKI Internationalization files
cd i18n/
mv en_US en_US-old
cp -av en_GB en_US
make scan
make
make install

cd ../OpenXPKI-Client-HTML-Mason/
perl Makefile.PL
make
make install

cd ../OpenXPKI-Client-SCEP/
perl Makefile.PL
make
make install

cd ../deployment/
./configure
make
make install

adduser --system --group openxpki

mysql -u root -p
Enter password: freiheit
mysql> CREATE USER 'openxpki'@'localhost' IDENTIFIED BY 'openxpki';
mysql> CREATE DATABASE IF NOT EXISTS openxpki;
mysql> GRANT ALL PRIVILEGES ON openxpki.* TO 'openxpki'@'localhost';
mysql> FLUSH PRIVILEGES;
mysql> quit

# test that openxpki user can access mysql and the openxpki db
mysql -u openxpki -p openxpki
Enter password: openxpki
mysql> use openxpki
mysql> quit

openxpkiadm deploy --template quickstart
openxpki-configure --createdirs
#* Checking directories
#openxpkistatedir: /usr/var/openxpki: CREATED
#openxpkisessiondir: /usr/var/openxpki/session: CREATED
#dataexchange: /usr/var/openxpki/dataexchange: CREATED
#tmpdir: /usr/var/tmp: CREATED
#
#OpenXPKI instance configured successfully.

openxpkiadm initdb
DONE...

openxpkictl start
... Not done
then degraded from Workflow 1.32 to Workflow 0.31-1
openxpkictl start
... Done
openxpkictl stop

#webfrontend
cd /usr/src/svn-openxpki/trunk/clients/perl/OpenXPKI-Client-HTML-Mason/
cp -r htdocs /var/www
cp -av eg/openxpki-mason-mod_perl.conf /etc/apache/conf.d/
vi /etc/apache/conf.d/openxpki-mason-mod_perl.conf

================= openxpki-mason-mod_perl.conf ============================
PerlAddVar MasonDataDir "/usr/var/openxpki"
PerlAddVar MasonCompRoot "/var/www/htdocs"
PerlAddVar MasonAllowGlobals "$context"
PerlAddVar MasonAllowGlobals "%session_cache"

# Serve these requests through Mason.
<LocationMatch "\.html$">
    SetHandler perl-script
    PerlHandler OpenXPKI::Client::HTML::Mason::ApacheHandler
</LocationMatch>

# this is necessary to make internet explorer happy because it does not understand content types
<LocationMatch "\.crt$">
    SetHandler perl-script
    PerlHandler OpenXPKI::Client::HTML::Mason::ApacheHandler
</LocationMatch>

# Hide private components from users.
<LocationMatch "(handler|mhtml)$">
    Order allow,deny
    Deny from all
</LocationMatch>

SetEnv OPENXPKI_SOCKET_FILE "/usr/var/openxpki/openxpki.socket"
SetEnv OPENXPKI_LOCALE_PREFIX /usr/share/locale
SetEnv OPENXPKI_MASON_SESSION_DIR "/usr/var/openxpki/session"

addgroup www-data openxpki
mkdir /usr/var/openxpki/mason_sessions
chown -R openxpki:openxpki /usr/etc/openxpki/
chown -R openxpki:openxpki /usr/var/openxpki/
/etc/init.d/apache restart

openxpkictl start
... DONE
openxpkictl stop
... DONE

========================================================================

openxpkiadm key generate --realm I18N_OPENXPPKI_DEPLOYMENT_TEST_DUMMY_CA --group default
0. Entered passphrase
1. RSA
2. 2048
3. aes256

openxpkiadm key list --realm I18N_OPENXPPKI_DEPLOYMENT_TEST_DUMMY_CA

This command displays the key with a '+' sign, which means it is OK.
But at the end of the execution this error/warning is also displayed:

I18N_OPENXPKI_XML_CACHE_GET_XPATH_COUNT_NOTHING_FOUND; __XPATH__ => pki_realm/0/

======== then I created this xxxx.cnf file ============
[ ext ]
keyUsage = critical, cRLSign, keyCertSign
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash

[ req ]
distinguished_name = ca_dn

[ ca_dn ]
countryName = "Country code"
organizationName = "Organization"
organizationalUnitName = "Organizational Unit"
commonName = "Common name"
=============================================

openssl req -config /etc/ssl/xxxx.cnf -extensions ext -days 3650 -new -x509 \
    -key /usr/etc/openxpki/ca/testdummyca1/cakey.pem -out cacert.pem

openxpkiadm certificate import --file /path/to/your/cacert.pem

openxpkiadm certificate alias --realm I18N_OPENXPPKI_DEPLOYMENT_TEST_DUMMY_CA \
    --alias testdummyca1 --identifier "placed identifier from the previous command here"

openxpkiadm certificate list
--> shows this certificate, as well as the browser.

openxpkictl stop; openxpkictl start

-------------------------------------------------------------------------

After logging in as a CA and unlocking the key with the passphrase and then generating a CSR from a User, I am still not able to sign a certificate signing request, neither with digital signatures nor without digital signatures.

Anxiously waiting for help like before ...

Regards,
John Daniel

_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
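
A check for the key and certificate pair discussed in this message, as an added example that is not part of the original post or of the OpenXPKI project: it rebuilds a certificate from the posted [ ext ] section and confirms both the CA extensions and that the private key and certificate belong together. The throwaway unencrypted key, the constructed subject and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: rebuild a CA cert from the message's [ ext ] section with a
# throwaway key, then check the extensions and the key/cert pairing.

# write_cnf FILE: the xxxx.cnf contents as posted in the message.
write_cnf() {
cat > "$1" <<'EOF'
[ ext ]
keyUsage = critical, cRLSign, keyCertSign
basicConstraints = critical,CA:true
subjectKeyIdentifier = hash
[ req ]
distinguished_name = ca_dn
[ ca_dn ]
countryName = "Country code"
organizationName = "Organization"
organizationalUnitName = "Organizational Unit"
commonName = "Common name"
EOF
}

# make_test_ca DIR: unencrypted throwaway key plus self-signed cert.
# The subject below is constructed sample data, not taken from the message.
make_test_ca() {
    write_cnf "$1/xxxx.cnf" &&
    openssl genrsa -out "$1/cakey.pem" 2048 2>/dev/null &&
    openssl req -config "$1/xxxx.cnf" -extensions ext -days 3650 -new -x509 \
        -subj "/C=XX/O=Example Org/OU=Test/CN=Test Dummy CA" \
        -key "$1/cakey.pem" -out "$1/cacert.pem"
}

# cert_is_ca CERT: succeeds if CA:TRUE and Certificate Sign usage are present.
cert_is_ca() {
    text=$(openssl x509 -in "$1" -noout -text) || return 1
    echo "$text" | grep -q "CA:TRUE" &&
    echo "$text" | grep -q "Certificate Sign"
}

# key_matches_cert KEY CERT: succeeds only if both carry the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}
```

Source the file, run make_test_ca on an empty directory, then call cert_is_ca and key_matches_cert on the results; for a passphrase-protected key, openssl pkey will need the passphrase supplied.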
