Re: [Openca-Users] PIX won't import issued certificate
Hi Jörg!

I see the issued certificate has got some of the X.509 extensions. As I told you on the phone yesterday, there were some recommendations concerning those extensions and Cisco. Now I found the posting again: http://www.mail-archive.com/[EMAIL PROTECTED]/msg04641.html

Regards
T.o.Michael

Jörg Bartz wrote:

Hi there,

I have the following problem: I use OpenCA-9.2RC3 with openssl9.7d(patched)/9.8 (see below). I am able to issue certificates for webservers as well as for users... But when I try to get it running with a Cisco PIX 501 I encounter the following:

I am able to configure and authenticate the CA and can get the CRL. When I try to enroll a certificate, this works as well, I can see, edit and issue it. Whilst this, the request is shown as "pending" on the PIX, but after issuing the certificate, the PIX seems to download it, and afterwards the pending request is gone, but the PIX debug information says "certificate is granted"...

Please find any additional information in the text below, there you will find the CA debug log of the PIX, as well as the CSR before and after editing it and the issued certificate.

This problem is the same issue as Bernd Probst mentioned in March (see this post: http://www.mail-archive.com/[EMAIL PROTECTED]/msg04684.html) - but somehow I lost track or a solution to his problem has never been posted (or found).

Regarding Michael's suggestion in the posting above, I installed the latest snap of openssl 9.8 and compiled & installed it in a different directory than the system's openssl 9.7d (with patch for pkcs7) and changed the paths in token.xml to fit the location of openssl 9.8 - but the problem persists.

Does anyone have this config up and running, and/or is there a solution or hint to the problem? Micheal Portz pointed me towards that it could have something to do with the VPN-Server profile but I didn't find any further information on this!

Thanks in advance!
[Openca-Users] PIX won't import issued certificate
Hi there,

I have the following problem: I use OpenCA-9.2RC3 with openssl9.7d(patched)/9.8 (see below). I am able to issue certificates for webservers as well as for users... But when I try to get it running with a Cisco PIX 501 I encounter the following:

I am able to configure and authenticate the CA and can get the CRL. When I try to enroll a certificate, this works as well, I can see, edit and issue it. Whilst this, the request is shown as "pending" on the PIX, but after issuing the certificate, the PIX seems to download it, and afterwards the pending request is gone, but the PIX debug information says "certificate is granted"...

Please find any additional information in the text below, there you will find the CA debug log of the PIX, as well as the CSR before and after editing it and the issued certificate.

This problem is the same issue as Bernd Probst mentioned in March (see this post: http://www.mail-archive.com/[EMAIL PROTECTED]/msg04684.html) - but somehow I lost track or a solution to his problem has never been posted (or found).

Regarding Michael's suggestion in the posting above, I installed the latest snap of openssl 9.8 and compiled & installed it in a different directory than the system's openssl 9.7d (with patch for pkcs7) and changed the paths in token.xml to fit the location of openssl 9.8 - but the problem persists.

Does anyone have this config up and running, and/or is there a solution or hint to the problem? Micheal Portz pointed me towards that it could have something to do with the VPN-Server profile but I didn't find any further information on this!

Thanks in advance!
Jörg Bartz

Some information that might help:

== PIX "show ca certificate" after enrollment:

RA General purpose Certificate
  Status: Available
  Certificate Serial Number: 03
  Key Usage: General Purpose
    Serial Number = 3
    CN = ComNet RA
    OU = Trustcenter
    O = ComNet GmbH
    C = DE
  Validity Date:
    start date: 12:28:52 CEDT Apr 30 2004
    end date: 12:28:52 CEDT Apr 30 2005

CA Certificate
  Status: Available
  Certificate Serial Number: No serial number avaliable
  Key Usage: Signature
    EA =<16> [EMAIL PROTECTED]
    CN = ComNet Certification Authority
    OU = Trustcenter
    O = ComNet GmbH
    C = DE
  Validity Date:
    start date: 11:58:56 CEDT Apr 30 2004
    end date: 11:58:56 CEDT Apr 30 2006

Certificate
  Subject Name
    Name: pix.*mydomain*.de
  Status: Pending
  Key Usage: General Purpose
  Fingerprint: a519b3d2 3307d005 80ff0e08 ddc14015

== PIX debug Logfile for enrollment / retransmission:

CI thread sleeps!
Crypto CA thread wakes up!
CI thread wakes up!
CRYPTO_PKI: Name: Serial Number = 3, CN = ComNet RA, OU = Trustcenter, O = ComNet GmbH, C = DE
CRYPTO_PKI: Name: EA =<16> [EMAIL PROTECTED], CN = ComNet Certification Authority, OU = Trustcenter, O = ComNet GmbH, C = DE
CRYPTO_PKI: transaction PKCSReq completed
CRYPTO_PKI: status:
Crypto CA thread sleeps!
CRYPTO_PKI: http connection opened
CRYPTO_PKI: received msg of 2462 bytes
CRYPTO_PKI: signed attr: pki-message-type: 13 01 33
CRYPTO_PKI: signed attr: pki-status: 13 01 33
CRYPTO_PKI: signed attr: pki-recipient-nonce: 04 10 a7 70 09 5a 6a e9 90 20 7e 81 f8 31 e3 38 7c 95
CRYPTO_PKI: signed attr: pki-transaction-id: 13 20 33 37 39 32 31 63 30 39 64 35 65 38 33 34 34 36 62 30 39 66 35 32 38 62 34 61 65 62 64 32 30 38
CRYPTO_PKI: status = 102: certificate request pending
CRYPTO_PKI: http connection opened
CRYPTO_PKI: received msg of 4115 bytes
CRYPTO_PKI: signed attr: pki-message-type: 13 01 33
CRYPTO_PKI: signed attr: pki-status: 13 01 30
CRYPTO_PKI: signed attr: pki-recipient-nonce: 04 10 f4 36 78 30 25 92 11 7f 0a 95 60 fc 2b 3c f4 5c
CRYPTO_PKI: signed attr: pki-transaction-id: 13 20 33 37 39 32 31 63 30 39 64 35 65 38 33 34 34 36 62 30 39 66 35 32 38 62 34 61 65 62 64 32 30 38
CRYPTO_PKI: status = 100: certificate is granted
CRYPTO_PKI: All enrollment requests completed.
CRYPTO_PKI: All enrollment requests completed.

== PIX "show ca certificate" after retransmission:

RA General purpose Certificate
  Status: Available
  Certificate Serial Number: 03
  Key Usage: General Purpose
    Serial Number = 3
    CN = ComNet RA
    OU = Trustcenter
    O = ComNet GmbH
    C = DE
  Validity Date:
    start date: 12:28:52 CEDT Apr 30 2004
    end date: 12:28:52 CEDT Apr 30 2005

CA Certificate
  Status: Available
  Certificate Serial Number: No serial number avaliable
  Key Usage: Signature
    EA =<16> [EMAIL PROTECTED]
    CN = ComNet Certification Authority
    OU = Trustcenter
    O = ComNet GmbH
    C = DE
  Validity Date:
    start date: 11:58:56 CEDT Apr 30 2004
    end date: 11:58:56 CEDT Apr 30 2006

== OpenCA ca_token debug:

OpenCA::Token::OpenSSL->new: class instantiated
OpenCA::Token::OpenSSL->new: crypto and name present
OpenCA::Token::OpenSSL->new: NAME CA
OpenCA::Token::OpenSSL->new: PASSWD_PARTS 1
OpenCA::Token::OpenSSL->OpenCA::T
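An added example, not part of the original post and not OpenCA or Cisco code: the "signed attr" lines in the PIX debug log above are DER values (tag, length, content), and decoding them shows what the CA answered in each SCEP response. The function names are hypothetical; the message-type and status names are the ones the SCEP specification assigns to those numeric values.

```python
import re

# Lines copied from the PIX debug log in the post above (two CA responses).
SAMPLE_LOG = """\
CRYPTO_PKI: http connection opened
CRYPTO_PKI: received msg of 2462 bytes
CRYPTO_PKI: signed attr: pki-message-type: 13 01 33
CRYPTO_PKI: signed attr: pki-status: 13 01 33
CRYPTO_PKI: signed attr: pki-recipient-nonce: 04 10 a7 70 09 5a 6a e9 90 20 7e 81 f8 31 e3 38 7c 95
CRYPTO_PKI: signed attr: pki-transaction-id: 13 20 33 37 39 32 31 63 30 39 64 35 65 38 33 34 34 36 62 30 39 66 35 32 38 62 34 61 65 62 64 32 30 38
CRYPTO_PKI: status = 102: certificate request pending
CRYPTO_PKI: http connection opened
CRYPTO_PKI: received msg of 4115 bytes
CRYPTO_PKI: signed attr: pki-message-type: 13 01 33
CRYPTO_PKI: signed attr: pki-status: 13 01 30
CRYPTO_PKI: signed attr: pki-recipient-nonce: 04 10 f4 36 78 30 25 92 11 7f 0a 95 60 fc 2b 3c f4 5c
CRYPTO_PKI: signed attr: pki-transaction-id: 13 20 33 37 39 32 31 63 30 39 64 35 65 38 33 34 34 36 62 30 39 66 35 32 38 62 34 61 65 62 64 32 30 38
CRYPTO_PKI: status = 100: certificate is granted
"""

# SCEP messageType and pkiStatus values (sent as decimal strings).
MESSAGE_TYPES = {"3": "CertRep", "19": "PKCSReq", "20": "GetCertInitial",
                 "21": "GetCert", "22": "GetCRL"}
PKI_STATUS = {"0": "SUCCESS", "2": "FAILURE", "3": "PENDING"}

ATTR_RE = re.compile(r"CRYPTO_PKI: signed attr: ([\w-]+): ((?:[0-9a-fA-F]{2}\s*)+)$")
MSG_RE = re.compile(r"CRYPTO_PKI: received msg of (\d+) bytes")


def decode_der_value(hex_bytes):
    """Decode one DER TLV as printed by the PIX: PrintableString or OCTET STRING."""
    raw = bytes.fromhex("".join(hex_bytes.split()))
    if len(raw) < 2:
        raise ValueError("too short for a DER TLV")
    tag, length, offset = raw[0], raw[1], 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        count = length & 0x7F
        length = int.from_bytes(raw[2:2 + count], "big")
        offset = 2 + count
    value = raw[offset:offset + length]
    if len(value) != length or offset + length != len(raw):
        raise ValueError("length field does not match the bytes present")
    if tag == 0x13:  # PrintableString
        return value.decode("ascii")
    if tag == 0x04:  # OCTET STRING, shown as hex
        return value.hex()
    raise ValueError("unexpected tag 0x%02x" % tag)


def parse_responses(log):
    """Group the signed attributes by received message and give them names."""
    responses = []
    for line in log.splitlines():
        line = line.strip()
        size = MSG_RE.match(line)
        if size:
            responses.append({"bytes": int(size.group(1))})
            continue
        attr = ATTR_RE.match(line)
        if attr and responses:
            name, value = attr.group(1), decode_der_value(attr.group(2))
            if name == "pki-message-type":
                value = MESSAGE_TYPES.get(value, "unknown(%s)" % value)
            elif name == "pki-status":
                value = PKI_STATUS.get(value, "unknown(%s)" % value)
            responses[-1][name] = value
    return responses


def summarise(responses):
    """Report whether all responses belong to one transaction and how it ended."""
    ids = {r.get("pki-transaction-id") for r in responses}
    statuses = [r.get("pki-status") for r in responses]
    return {"same_transaction": len(ids) == 1,
            "statuses": statuses,
            "granted": bool(statuses) and statuses[-1] == "SUCCESS"}


if __name__ == "__main__":
    for response in parse_responses(SAMPLE_LOG):
        print(response)
    print(summarise(parse_responses(SAMPLE_LOG)))
```

Both responses are CertRep messages for the same transaction id, the first with status PENDING and the second with status SUCCESS, which matches the "status = 102" and "status = 100" lines the PIX prints.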
Re: [Openca-Users] Re: scep problem
pug wrote:

Hi, could you provide the steps you did to create a certificate/key for use in SCEP_RA_CERT and SCEP_RA_KEY, please ?

hmm - what have you put into the subject alt sections?
it is usually a good idea to put there DNS and IP of the interface in this order

That mod_ssl compatible certificate works for Apache-ssl, but not for scep :-( I think something in my cert creation process is still wrong. Other applications of OpenCA are running well :-)

is the dns also at the subjectline?

greetings
dalini

---
This SF.Net email is sponsored by: Oracle 10g
Get certified on the hottest thing ever to hit the market... Oracle 10g. Take an Oracle 10g class now, and we'll give you the exam FREE.
http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click
___
Openca-Users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-users
Re: [Openca-Users] Problem sending CRIN-Mail
Kevin Mitcham wrote:

which openssl version is in use?

Are the CRIN-mail messages the only way to revoke certificates? Is there a way for the admin to revoke a certificate without having the CRIN code: [ revocation pin ]? Or to find out the CRIN code?

you can revoke certificate through the ra-interface
no user interaction is needed at all

greetings
dalini
Re: [Openca-Users] SCEP and PIX
Bert Koelewijn wrote:

Yes OK. But is it possible to access /cgi-bin/scep/scep, without even running the openca server?

regards,

this is an interface script - you can't run this just like it is
you have to modify it - to use it as a stand-alone application
just take a look ;o)

greetings
dalini
[Openca-Users] Problem sending CRIN-Mail
To fix this bug, I replaced line 2576 in OpenSSL.pm

  $smime->encrypt(CERTIFICATE => $sign_x509)

with

  $smime->encrypt(CERTIFICATE => $enc_x509)

I was having the same problem with unreadable CRIN-mail, and so I updated the file with this fix and re-installed OpenCA. Unfortunately, now the RA won't send email at all. I have confirmed that send_mail_automatic is set to yes, and that sendmail is configured correctly. I can send the generated crin mails (from var/temp/mail/crins) by hand, but they are still unreadable.

The problem is mostly just an annoyance at this point, as we have another (later) version of OpenCA running, and generating CRIN-mail correctly.

Are the CRIN-mail messages the only way to revoke certificates? Is there a way for the admin to revoke a certificate without having the CRIN code: [ revocation pin ]? Or to find out the CRIN code? For example, to revoke the certificate of a user who is no longer affiliated with the CA organization.

Kevin
[Openca-Users] Problems loading config file
Hi,

I have a problem running OpenCA 0.9.2 RC4 on FreeBSD 4.9 Stable. I used the following configure-script:

  export PREFIX=/opt
  export MAKE=/usr/local/bin/gmake
  ../configure \
    --with-engine=no \
    --with-httpd-user=www \
    --with-httpd-group=www \
    --with-openca-user=openca \
    --with-openca-group=openca \
    --disable-db \
    --enable-dbi \
    --enable-rbac \
    --enable-openscep \
    --with-db-type=mysql \
    --with-db-name=openca \
    --with-db-host=localhost \
    --with-db-port=3306 \
    --with-db-user=openca \
    --with-db-passwd="caconfig" \
    --prefix=${PREFIX} \
    --with-language=de_DE \
    --with-hierarchy-level=ca

If I connect to the webserver, the logfile shows:

  6292010 the xml path to the access control is missing (/opt/openca/etc/access_control/ca.xml: access_control/acl_config/module_id).

and on the console I get the message:

  OpenCA: General error trapped
  Aborting connection - you are using a wrong security protocol (http).: 6251026 at /usr/local/lib/perl5/site_perl/5.6.1/OpenCA/UI/HTML.pm line 175.
  Compilation failed in require at /opt/OpenCA/etc/openca_start line 62.

AccessControlConfiguration is set to "/opt/OpenCA/etc/access_control/ca.xml" in /opt/OpenCA/etc/servers/ca.conf which is a symbolic link to common.conf.

Thanks in advance
Norbert
Re: [Openca-Users] OpenCA and Rainbow ikey1032
Hi,

I didn't mention in my previous email, but yes, I did have CAPICOM.DLL installed (before that I was getting the error telling me that Capicom.dll wasn't present).

Has anybody already managed to create a certificate on a Rainbow ikey with OpenCA?

thanks,
IF

Quoting [EMAIL PROTECTED]:

> Hi,
>
> in order to make it work under IE you might have to install and register
> capicom.dll.
>
> (Crypto API COM interface)
>
> Sebastien Poggi
[Openca-Users] CA initialization
Hi,

I'm using openca-0.9.2-RC4

I have a problem with the issuing of the CA certificate. Everything goes fine, but the certificate has this problem:

  Issuer: C=PT,O=LIPCA,CN=LIP Certification Authority
  X509v3 extensions:
  DirName: CN=LIP Certification Authority,O=LIPCA, C=PT

In the "DirName" field I have the reverse of the Issuer field, and I need these two fields to be the same. When I make the CSR, if I change the position of the attributes of the "Issuer" field, then I get this problem again.

Can someone help me?

Thanks.

ND
--
Nuno Dias <[EMAIL PROTECTED]>
LIP
Re: [Openca-Users] OpenCA and Rainbow ikey1032
Hi,

in order to make it work under IE you might have to install and register capicom.dll.

(Crypto API COM interface)

Sebastien Poggi
[Openca-Users] Problem publishing CRL on the Webserver
Can this be sent off like this?

Hi,

I've four parts of a CA infrastructure: CA, RA, SQL-Server and a Webserver. A CRL generated on the CA is exported to the RA. On the RA the CRL is pushed into the SQL database and pushed to the Web-Server. On the Web-Server I have to import the CRL, but if I want to do so I get the following error message:

  [...]
  Importiere valid CRL ...
  WARNUNG: Das Objekt konnte nicht eingefügt werden, da es bereits in der Datenbank existiert.
  file: /usr/local/OpenCA/var/tmp/ tmp_344/CRL/VALID/0de6517c13.pem

I think the Web-Server wants to export the CRL to the SQL database, but the CRL is already in the SQL database, and this causes the error message. On the other hand it is necessary that the Web-Server is connected to the SQL-Server, because it inserts CSRs and CRRs into the database.

Can I solve this problem through a special configuration, or is it a general problem?

Regards
Jan
Re: [Openca-Users] signature problem... (serial number doesn't match)
Hi Michael,

thanks for your suggestions, I've resolved the signature problem by enrolling the RA Operator certificate before approving and signing the user certificate request. It's all right!

Now I'm facing a new problem in the exportation of approved and signed certificate requests: when I try to "Upload data to a higher level of the hierarchy" (in the ra_node), I receive the following message:

---
Exporting Approved REQUEST...
Exporting Archive...
---

So, when I try to "Receive data from a lower level of the hierarchy" (in the ca_node), I get the following message:

---
Importing Approved REQUEST...
No objects are present.
---

NOTE: I'm still using the OpenSSL 0.9.7d version. I can't check the config.xml file because I think that my openca version doesn't provide it.

Can anyone help me, please?

Thanks in advance
Valeria

Michael Bell wrote:

open_group wrote:

Hi everybody,

I'm new to OpenCA and I have followed the instructions in the OpenCA guide (by M.Bell) and I succeeded in installing the CA, RA and PUB interfaces, but now I'm having some problems in approving and signing the user certificate request. In particular, when the RA authority tries approving and signing a certificate request I get the following error message:

---
Certificate Request Successfully approved.
Signature: Cannot find the certificate with the matching serial in the database!
---

This can be caused by two things - the certificate is not in the database because the CA doesn't enroll it or the usual OpenSSL 0.9.7d bug is in action (then the complete signature stuff does not work).

Moreover, I can't export the request even if it is approved and not signed. Any suggestion?

Check config.xml. Did you activate the correct preconfiguration template for the dataexchange?

NOTE: I'm using the following software:
OpenCA 0.9.1.8
OpenSSL 0.9.7d

Please downgrade to OpenSSL 0.9.7c before continuing. OpenCA does not work with OpenSSL 0.9.7d because of a PKCS#7 bug in OpenSSL.

Best regards
Michael
[Openca-Users] OpenCA and Rainbow ikey1032
hi,

I am trying to generate a certificate request using OpenCA and a USB Rainbow ikey 1032 through the "Internet Explorer request" option.

I can easily reach the interface "Confirm request certificate", then I choose the Cryptographic device "Rainbow iKey 1000 RSA Cryptographic Service Provider" and when I click on "Continue" the following popup messages appear: "You are using a patched Internet Explorer", "The used Cryptographic Service Provider is Rainbow ikey 1000 RSA Cryptographic Provider", "DN is OU=,E=**", and finally an error "The generation of the request failed".

I am using version Openca 0.9.2RC3.

Any idea of what can be happening?

Thanks,
IF
Re: [Openca-Users] SCEP and PIX
Yes OK. But is it possible to access /cgi-bin/scep/scep, without even running the openca server?

regards,
bert

dalini wrote:

Bert Koelewijn wrote:

Hello all,

Is it possible to use SCEP stand-alone, without using openca? Can I get the PIX-request from SCEP, sign it and feed it back to SCEP?

yes, call the scep-tool with --help ;o) - it has an interface similar to the openssl tools like pkcs## or req and so on... so just call the binary and look - how to call it for usual operations you can see in the script "scepPKIOperation"

greetings
dalini
Re: [Openca-Users] gettext error at compilation
Laurent Mesuré wrote:

Hi,

I'm compiling openca-0.9.1-8 with scep (and without oscpd) on a Mandrake 9.2 with some packages updated to 10.0. But when the make reaches the gettext module I get an error:

  no rule to make target "/usr/lib/perl5/5.8.3/i386-linux-thread-multi/CORE/config.h", necessary for "Makefile". Stop.

The module is gettext-1.01, but I have gettext-0.14.1-4mdk and perl-locale-gettext-1.01-9mdk.

Can someone help me?

Laurent

Finally, I'll reply to myself. The problem was that the make and make install didn't work right. It should have set /usr/OpenCA/etc and /usr/OpenCA/var user ownership to the apache user and group but it didn't. It set the group to apache but the user to nobody instead of apache as stated in my configuration options.

Laurent
[Openca-Users] FASD project: Online survey launched
Dear Open Source developer

I am doing a research project on "Fun and Software Development" in which I kindly invite you to participate. You will find the online survey under http://fasd.ethz.ch/qsf/. The questionnaire consists of 53 questions and you will need about 15 minutes to complete it.

With the FASD project (Fun and Software Development) we want to define the motivational significance of fun when software developers decide to engage in Open Source projects. What is special about our research project is that a similar survey is planned with software developers in commercial firms. This procedure allows the immediate comparison between the involved individuals and the conditions of production of these two development models. Thus we hope to obtain substantial new insights to the phenomenon of Open Source Development.

With many thanks for your participation,
Benno Luthiger

PS: The results of the survey will be published under http://www.isu.unizh.ch/fuehrung/blprojects/FASD/. We have set up the mailing list [EMAIL PROTECTED] for this study. Please see http://fasd.ethz.ch/qsf/mailinglist_de.html for registration to this mailing list.

___
Benno Luthiger
Swiss Federal Institute of Technology Zurich
8092 Zurich
Mail: benno.luthiger(at)id.ethz.ch
___
Re: [Openca-Users] Re: scep problem
pug wrote:

  Content-Type: application/x-x509-ca-ra-cert
  Apr 26 16:31:49.924: CRYPTO_PKI: status = 0: failed to select RA encrypt cert

Content type says there is a CA and a RA certificate, but there is a CA certificate only. Later that dump tells it cannot decrypt RA part, which is not enclosed (I think so...)

OpenCA is running with openssl 0.9.7c. Other functions of OpenCA are fully operable, certificates can be requested, approved and issued.

regards

that's exactly what i wrote ;o)
you should issue an extra (webserver) cert from the ca
this you have to assign to the scep-interface through config.xml
then run configure_etc.sh again
then the scep-interface should work - at least - have the right certs for operating - since you usually don't want to use the ca cert and key directly for the scep-interface

greetings
dalini
Re: [Openca-Users] RA CSR upload problesm
lin leon wrote:
>
> Michael wrote:
>
>> Did you correctly choose the appropriate configuration template for
>> the dataexchange in config.xml before you are running configure_etc.sh
>> on the RA and on the CA? OpenCA's dataexchange does not export or
>> import anything if you don't change the used template in config.xml.
>> We must do this for security reasons to avoid impacts into the
>> infrastructure of the CA.
>>
>> Best regards
>>
>> Michael
>
> i want to know what is the mean to change the used template and how to do

you go to: installdir/.../etc
and look into file config.xml
at the end - there is a section for configuring dataexchange
there are 5 or 6 templates - from which the first one is activated, and this stands for - everything is at the same machine...
you have to comment out this section and choose the appropriate one for the right node
so for the ra - choose a template for ra, with ldap,public,scep whatever you have
and for the ca activate the ca only template
then you have to rerun ./configure_etc.sh to get the configfiles updated...

greetings
dalini
Re: [Openca-Users] Problem reading CRIN-Mail
[EMAIL PROTECTED] wrote:

To fix this bug, I replaced line 2576 in OpenSSL.pm

  $smime->encrypt(CERTIFICATE => $sign_x509)

with

  $smime->encrypt(CERTIFICATE => $enc_x509)

ah great - i will put this into cvs - so should be available to all tomorrow (since the public cvs is usually around one day behind)

greetings
dalini