RE: [Openca-Users] Chinese vs international

2006-01-19 Thread Kevin Dong
Hi,

Thank you for your answer. I just want to confirm if the menu.xml supports
the other characters. 

For Chinese GB translation, I have sent an email to Michael. We will finish
the translation before 29 Feb. 


-Kevin Dong

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sergei
Vyshenski
Sent: Monday, January 16, 2006 7:34 PM
To: openca-users@lists.sourceforge.net
Subject: [Openca-Users] Chinese vs international

1. If you want to see Chinese among languages supported by OpenCA,
then you have to submit your translation to Michael as i18n suggests.
In this case you have to obey general design approach of the system.

In particular, you have to understand, that if a non-chinese user
accidentally hits some menu and finds himself around Chinese, then he 
SHOULD have possibility to navigate away from Chinese. And this possibility
implies purely English names of languages in some menus.

2. If you want to hack OpenCA to your personal needs neglecting general 
design guidelines, then why do you bother OpenCA mailing list at all?

Sergei

Kejun Dong wrote:
 Hi,
 
 I am so sorry for having not described the problem clearly.
 Now according to i18n file, we can deploy the Chinese in to OpenCA
 correctly. But in the language tab, all the characters are in English and now
 we want to modify the character Chinese into the Chinese character 中文.
 When we add the 中文 (The Chinese character of Chinese) in the
 menu.xml file, it isn't coded right. Do you think about the problem
 before? Thanks a
 lot.
 
 - Kevin Dong  Yihua Zheng
 **
 * Kevin Dong (T-©ф+Э)
 * Tel:+86-10-58812310  Fax:+86-10-58812306
 * Network Technology and Applications Research Laboratory
 * Computer Network Information Center
 * Chinese Academy of Sciences
 **
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Sergei
 Vyshenski
 Sent: Sunday, January 15, 2006 5:18 AM
 To: openca-users@lists.sourceforge.net
 Subject: Re: [Openca-Users] help: A question about use chinese in
menu.xmlfile
 
 Have you read the file i18n from the root of the source distribution?
 
 
 жёрю│L wrote:
 Hi,all
 Yesterday we set up the openca system use openca-0.9.2.5 ,For our
 need,We add the language chinese into this system.we translate the
 openca.po to chinese and add the language chinese item just like below
 shows:
 
 <?xml version="1.0" encoding="UTF-8"?>
 <item>
   <name>中文</name>
   <link>cmd=setLanguage;lang=zh_CN;charset=UTF-8</link>
   <target>top</target>
 </item>
 
 restart the openca daemon,when I want to see the language item 中文,it
 don't encoding right.
 can you give me some advise for this problem.
 thank you very much!
 
 
 
 ---
 This SF.net email is sponsored by: Splunk Inc. Do you grep through log
files
 for problems?  Stop!  Download the new AJAX search engine that makes
 searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
 http://ads.osdn.com/?ad_id=7637alloc_id=16865op=click
 ___
 Openca-Users mailing list
 Openca-Users@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/openca-users





[Openca-Users] Confusion over web form fields and associated cert fields (sorry for length)

2004-09-30 Thread Kevin
Hi List-

I'm finding myself getting confused about which OpenCA web form fields
are associated with which certificate fields as I request a certificate
using OpenCA.

For example, I just finished requesting a new certificate using the
Basic Certificate Request web form (/pub-->User-->Request a
Certificate-->Basic Certificate Request).  Then I approved it, moved it
up to the CA, issued the cert, moved it back down to the RA, then picked
up the new cert and examined the web form fields in the request and
compared them to the cert fields.

Here's what I saw:

When requesting pki-last.crt, the following fields were as follows:
==(initial web form with empty fields)=
Basic Certificate Request
Please enter your data in the following form.
Certificate Data
E-Mail  
Name
Certificate Request Group   
alternative email   
IP address  
DNS name
DNS name
User Data
Name (first and Last name)  
Email   
Department  
Telephone   
Level Of Assurance chose the LOA you would like to be authenticated against.
Role
Registration Authority chose the RA where you will be authenticated.
PIN [used to verify the certification request, min 10 chars (please write it down for later usage)]
Re-type your PIN for confirmation
Choose a keysize

==form filled out and submitted gives


Confirm Certificate Request
Following are listed data received. Please check carefully information here
reported with the ones in your possession.
Certificate Data
E-Mail                      [EMAIL PROTECTED]
Name                        Two Two
Certificate Request Group   Partners
alternative email           [EMAIL PROTECTED]
IP address                  001.002.003.004
DNS name                    five.five.com
DNS name                    six.six.com
User Data
Name (first and Last name)  Seven Seven
Email                       [EMAIL PROTECTED]
Department                  Nine
Telephone                   101.101-1010
Level Of Assurance (LOA)    basic
Role                        Mail Server
Registration Authority      Help Desk 1
Keysize                     1024


finalizing request, I get==


Thank you for requesting your certificate from our organization, your
request with the serial 3360 it's been successfully archived and it is now
waiting for approval by any of our Registration Authorities (if you are
unsure about the receiving of your request by this server, you can check
the list of new requests).
To complete the certification process you have to go to one of our
Registration Authority office with one of the following documents: o ID
card or passport. o Documnetation asserting your role and authorization for
requesting a certificate for your organization. If you still have doubts
about the issuing process, just use the links provided in the Information
section to learn how to complete all the needed steps.

ADDITIONAL_ATTRIBUTE_DEPARTMENT   Nine
ADDITIONAL_ATTRIBUTE_EMAIL        [EMAIL PROTECTED]
ADDITIONAL_ATTRIBUTE_REQUESTERCN  Seven Seven
ADDITIONAL_ATTRIBUTE_TELEPHONE    101.101-1010
LOA                               30
NOTBEFORE                         Thu Sep 30 17:38:43 2004 UTC
PIN                               ef5ceda7b90da75595bb5ec156084140a39d80ef
RA                                Help Desk 1
ROLE                              Mail Server
SERIAL                            3360
SUBJECT_ALT_NAME                  email: [EMAIL PROTECTED],IP: 001.002.003.004,DNS: five.five.com,DNS: six.six.com
TYPE                              PKCS#10



==


And the certificate itself looks like this:


==

bash-2.05b$ openssl x509 -noout -text -in pki-last.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 10 (0xa)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=Folkvang Certification Services,
OU=Certification Services, CN=Kevin Ford/[EMAIL PROTECTED]
Validity
Not Before: Sep 30 17:48:17 2004 GMT
Not After : Sep 30 17:48:17 2005 GMT
Subject: C=US, O=Folkvang Certification Services, OU=Partners,
CN=Two Two/serialNumber=10
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Certificate Policies:
Policy: 1.2.3.3.4
Policy: 1.2.3.3.5
Policy: 1.2.3.3.6
  CPS: http://some.url.org/cps

RE: [Openca-Users] STILL... OpenCA not sending email messages for CSRs

2004-09-28 Thread Kevin
On Mon, 2004-09-27 at 13:52, Til Obes wrote:

 Didn't find new mails. Hmm, I don't know what that means.
 Hmm list, what was changed at the email sending thing?
 How do you know what num of email to send now?
 
 Regards til
 
 Ps: my emails are getting sent. So it's obviously a config fault

At what point in the process are your mails getting sent, Til?  Is it as
a part of the dataexchange process?

With additional troubleshooting, I also see the following noteworthy
output.

When I follow the link in /ra-node:
Utilities-->E-Mail new users
I get:
Sending CRIN-Mail(s) ...
 (Please wait until operation completes)
 
 Sending the Certificate-Information-Mails ...
Didn't find new mails. No mails send!
 Sending the PIN-Mails ...
Didn't find new mails. No mails send!


When I follow the link in /ra-node:
Utilities-->Send a CRIN-mail
You need to enter some additional parameters for the requested
functionality. 

Please enter the number of a mail to send a special mail or enter
nothing to send all new mails.

(I enter nothing to send all)
I get:
Sending CRIN-Mail(s) ...
 (Please wait until operation completes)
 
 Sending the Certificate-Information-Mails ...
Didn't find new mails. No mails send!
 Sending the PIN-Mails ...
Didn't find new mails. No mails send!


When I follow the link in /ra-node:
Utilities-->Send a CRIN-mail
You need to enter some additional parameters for the requested
functionality. 

Please enter the number of a mail to send a special mail or enter
nothing to send all new mails.

(I enter 8 because I see a message 8.msg in the directory
/usr/local/openca/OpenCA/var/mail/crins/)
I get:
Sending CRIN-Mail(s) ...
 (Please wait until operation completes)
 
 Try to send CRIN-mail 8 ...FAILED.
 
Unkown error.



When I look in /usr/local/open[cr]a/OpenCA/var/mail/crins/
I see:


ls /usr/local/openca/OpenCA/var/mail/crins/
1.msg  2.msg  3.msg  4.msg  5.msg  6.msg  7.msg  8.msg  mailcounter

cat /usr/local/openca/OpenCA/var/mail/crins/mailcounter
1

ls /usr/local/openra/OpenCA/var/mail/crins/
mailcounter  serials.dmb

cat /usr/local/openra/OpenCA/var/mail/crins/mailcounter
1

Should the *.msg files in /usr/local/openca/OpenCA/var/mail/crins be
showing up in /usr/local/openra/OpenCA/var/mail/crins  ???

When I use the first link above (Utilities-->E-Mail new users) but doing
so from the /ca-node URL (vice the ra-node URL), I get the following:

Sending CRIN-Mail(s) ...
 (Please wait until operation completes)
 
 Sending the Certificate-Information-Mails ...
send mail /usr/local/openca/OpenCA/var/mail/default/1.msg successful 
send mail /usr/local/openca/OpenCA/var/mail/default/2.msg successful 
send mail /usr/local/openca/OpenCA/var/mail/default/3.msg successful 
send mail /usr/local/openca/OpenCA/var/mail/default/4.msg successful 
send mail /usr/local/openca/OpenCA/var/mail/default/5.msg successful 
send mail /usr/local/openca/OpenCA/var/mail/default/6.msg successful 
send mail /usr/local/openca/OpenCA/var/mail/default/7.msg successful 
send mail /usr/local/openca/OpenCA/var/mail/default/8.msg successful 
 Sending the PIN-Mails ...
send mail /usr/local/openca/OpenCA/var/mail/crins/1.msg successful 
send mail /usr/local/openca/OpenCA/var/mail/crins/2.msg successful 
send mail /usr/local/openca/OpenCA/var/mail/crins/3.msg successful 
send mail /usr/local/openca/OpenCA/var/mail/crins/4.msg successful 
send mail /usr/local/openca/OpenCA/var/mail/crins/5.msg successful 
send mail /usr/local/openca/OpenCA/var/mail/crins/6.msg successful 
send mail /usr/local/openca/OpenCA/var/mail/crins/7.msg successful 
send mail /usr/local/openca/OpenCA/var/mail/crins/8.msg successful 

and I also see postfix/sendmail getting invoked in the /var/log/messages
file, and I see the messages properly delivered to the users inboxes...

However...

Shouldn't the RA be sending these emails (not the CA)?  After all, the
CA is supposedly off-line, right?  And the RA would typically be
on-line?  Is this the way OpenCA is designed to work (CA sending mail
vice RA) or have I mixed up my configuration somehow?  And am I missing
the meaning of the config.xml option:
<option>
  <name>send_mail_automatic</name>
  <value>yes</value>
</option>

With this set as above, should the mails be sent automatically (without
having to follow the Utilities-->E-Mail new users link)?

BTW, this send command initially failed for me because the default
sendmail command in config.xml is:
<option>
  <name>sendmail</name>
  <value>/usr/lib/sendmail -n -t </value>
</option>

and postfix has no -n option.  According to the man page, it is ignored,
but when I tried it, there were many failed attempts to invoke it with
-n and fatal errors logged in /var/log/message so I removed the -n and
then got the above behavior.

-Kevin





RE: [Openca-Users] STILL... OpenCA not sending email messages forCSRs

2004-09-28 Thread Kevin
On Tue, 2004-09-28 at 14:24, Til Obes wrote:
  At what point in the process are your mails getting sent, 
  Til?  Is it as
  a part of the dataexchange process?
  
 
 When i import the data on the ra.

Huh... Wonder why I'm not seeing that...

 After changing the config.xml value, have you run configure_etc.sh?

Yes.

 And restarted the daemon?

Yes.

I even revised config.xml again subsequently (to remove the -n option
on sendmail) and then reran configure_etc.sh and then restarted the
daemons, and I saw the impact of that change (/var/log/messages recorded
fatal errors when running sendmail -n before, and after revising
config.xml and running configure_etc.sh and restarting daemons, sendmail
runs with no -n and no errors).  But still (even after this second
revision of config.xml), I only get mails when I ask for them; not
automatically upon import of the data on the RA.  And then they come
from the CA---not the RA.  This seems backwards.  The CA would normally
be off-line and unable to send mail.

Thanks, Til.

Anyone else have any ideas?

-Kevin



---
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us
Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjournal.com/guidepromo.tmpl
___
Openca-Users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-users


RE: [Openca-Users] OpenCA not sending email messages for CSRs

2004-09-27 Thread Kevin
BTW, how do I read the email message that would (apparently) be sent?

I see from examining the dataexchange import/export messages the
filename of the email message that (apparently) would be sent, and I can
read it with cat or less, but when I decode the mime with munpack, I get
a binary smime.p7m file.  It looks like this must be decoded with the
certificate itself.  Is that true?  I presume the CRIN is encoded in
this message then?  So I have to figure out why the message is not being
mailed, and also must use an S/MIME aware email client once I resolve
the first problem.  True?  Just want to make sure.

-Kevin




---
This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
Project Admins to receive an Apple iPod Mini FREE for your judgement on
who ports your project to Linux PPC the best. Sponsored by IBM.
Deadline: Sept. 24. Go here: http://sf.net/ppc_contest.php
___
Openca-Users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-users


RE: [Openca-Users] OpenCA not sending email messages for CSRs

2004-09-26 Thread Kevin
On Sat, 2004-09-25 at 04:55, Til Obes wrote:
   I have the
  default settings in config.xml for:
  <option>
    <name>sendmail</name>
    <value>/usr/lib/sendmail -n -t </value>
  </option>
  
  I've tested mailing messages from the command line with:
  mail -s testSubject [EMAIL PROTECTED] < filename.txt on the
  computer running openca and it works.
  
  Any ideas?
 
 Some lines later in the config.xml, there are 2 config options.
 Ca mail account and sendmail automatic
 regards til
 

Thanks, Til.

You mean these, right?

<option>
  <name>send_mail_automatic</name>
  <value>no</value>
</option>
<option>
  <name>service_mail_account</name>
  <value>[EMAIL PROTECTED]</value>
</option>


Thanks for mentioning these, Til.  I wasn't sure exactly what the guide
was referring to in Chapter 1, Section 4.1.1 when it said, "The option
send_mail_automatic configures the node interface. If the value is YES
then OpenCA sends all incoming mails during an import automatically.
This can be nice but it is dangerous too if you make a mistake."  Since
the guide mentioned that it can be dangerous, I left it off until I was
sure I understood it.  I didn't realize it was referring to the email
messages that I asked about in this thread.

Thanks.

-Kevin






RE: [Openca-Users] OpenCA not sending email messages for CSRs

2004-09-26 Thread Kevin
On Sat, 2004-09-25 at 04:55, Til Obes wrote:
   I have the
  default settings in config.xml for:
  <option>
    <name>sendmail</name>
    <value>/usr/lib/sendmail -n -t </value>
  </option>
  
  I've tested mailing messages from the command line with:
  mail -s testSubject [EMAIL PROTECTED] < filename.txt on the
  computer running openca and it works.
  
  Any ideas?
 
 Some lines later in the config.xml, there are 2 config options.
 Ca mail account and sendmail automatic
 regards til

I changed these settings from the default to what you see below and
still no email gets sent.  Just to make sure I wasn't missing something,
I also mailed something using this machine's sendmail binary (with the
command-line /bin/mail client) and then I grepped my mail log.  I found
only those messages that were sent from the command-line; none that were
sent in association with OpenCA certificate generation.  I requested a
new cert, approved it, issued it, and picked it up.  No email messages
were sent.

The settings now read:
<option>
  <name>sendmail</name>
  <value>/usr/lib/sendmail -n -t </value>
</option>
<option>
  <name>send_mail_automatic</name>
  <value>yes</value>
</option>
<option>
  <name>service_mail_account</name>
  <value>[EMAIL PROTECTED]</value>
</option>

I made the changes to config.xml, stopped the openca servers in each
directory, then reran configure_etc.sh in OpenCA/open[cr]a/etc after
making these changes to config.xml (in each directory), and then
restarted the openca servers in each directory before requesting the new
certificate.

What am I missing?

-Kevin






Re: [Openca-Users] Root CA certificate is not a signing certificate?

2004-09-24 Thread Kevin
On Fri, 2004-09-24 at 03:22, Michael Bell wrote:
  Shouldn't my first cert have basicConstraints CA:true instead of
  CA:FALSE?
 
 I think you are a little bit confused.

You're right.  I was.  Thanks for clearing that up.  :-)

 
 1. A root CA certificate is the self-signed certificate of the CA. This 
 certificate only signs other certificates and CRLs. CA:FALSE shows me 
 that you try to download a normal certificate. You must import the CA 
 certificate as signer (CA) certificate.
 
 2. The first certificate is the first certificate signed by the CA. this 
 certificate must have CA::FALSE because it is usually not the 
 certificate of sub CA.

Yesterday, I used the /pub page, chose Certificates, and then chose
Valid and downloaded all 6 certificates that I've generated with this
installation of OpenCA going by certificate serial numbers.

After reading your reply, I looked for other methods to get the root CA
certificate as a signer and this time used the CA Infos and Get CA
Certificate links and when I examine this certificate, it does have
CA:TRUE, and I see that the serial number for this root CA certificate
is serial number 0 (which was not present in the list of certificates
that I generated with the previous method---probably by design, I
guess).

I was thinking that the certificate with serial number 1 was the signer,
but now I see that it is serial number 0.

Thanks for clearing that up, Michael.

-Kevin
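
The distinction worked out in this thread (a CA:FALSE certificate is refused as a signer, while the self-signed certificate with CA:TRUE is the one to import), as an added example that is not part of the original messages or of OpenCA's code. It parses `openssl x509 -noout -text` output; the sample dumps are constructed and the file name `cacert.crt` is hypothetical.

```python
import re

# Constructed samples shaped like `openssl x509 -noout -text` output.
# Names are illustrative. The second sample has lost its indentation, as
# happens when the output is pasted into mail.
END_ENTITY_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 10 (0xa)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=Example Certification Services, CN=Example Root CA
        Subject: C=US, O=Example Certification Services, OU=Partners, CN=Two Two
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
"""

ROOT_TEXT = """\
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Issuer: C=US, O=Example Certification Services, CN=Example Root CA
Subject: C=US, O=Example Certification Services, CN=Example Root CA
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
"""


def parse_x509_text(text):
    """Extract serial, issuer, subject and basicConstraints from a text dump."""
    info = {"serial": None, "issuer": None, "subject": None,
            "has_basic_constraints": False, "ca": False, "critical": False}
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if line.startswith("Serial Number:"):
            value = line.split(":", 1)[1].strip()
            if value:                      # short form: "10 (0xa)"
                info["serial"] = int(value.split()[0])
            else:                          # long form: hex bytes on the next line
                info["serial"] = int(nxt.replace(":", ""), 16)
        elif line.startswith("Issuer:") and info["issuer"] is None:
            info["issuer"] = line.split(":", 1)[1].strip()
        elif line.startswith("Subject:") and info["subject"] is None:
            info["subject"] = line.split(":", 1)[1].strip()
        elif line.startswith("X509v3 Basic Constraints:"):
            info["has_basic_constraints"] = True
            info["critical"] = "critical" in line.split(":", 1)[1]
            # The CA flag is printed on the line after the extension name.
            m = re.search(r"\bCA:(TRUE|FALSE)\b", nxt, re.IGNORECASE)
            info["ca"] = bool(m) and m.group(1).upper() == "TRUE"
    return info


def classify(info):
    """Label a parsed certificate by its role in the chain."""
    if not info["has_basic_constraints"]:
        return "no basicConstraints"
    if not info["ca"]:
        return "end-entity"
    # Name comparison only; this does not verify the signature.
    if info["issuer"] == info["subject"]:
        return "self-signed root CA"
    return "subordinate CA"


def signer_candidates(named_texts):
    """Return the names of the dumps that a client could import as a signer."""
    return sorted(name for name, text in named_texts.items()
                  if classify(parse_x509_text(text)).endswith("CA"))


if __name__ == "__main__":
    for name, text in {"1.crt": END_ENTITY_TEXT, "cacert.crt": ROOT_TEXT}.items():
        info = parse_x509_text(text)
        print(name, "serial", info["serial"], "->", classify(info))
```
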






[Openca-Users] OpenCA not sending email messages for CSRs

2004-09-24 Thread Kevin
Hi List-

Chapter 3 of the OpenCA Guide, Section 1.2.1 reads in part:

Once the user has requested their certificate the Certificate Authority
will process the certificate request. This may involve a face to face
identification of the user at the Trust Center. When the certificate has
been created the user will be informed by email. This email will also
include a Certificate Revocation Number (CRIN), this number should be
kept in a safe place as it will be required if the user to needs to
revoke their own certificate in the future.

Using RC6 on Gentoo Linux, I've requested 6 certificates thus far with
my test OpenCA installation and issued them all.  Now I'd like to revoke
one of them.

But the problem is, I never received any emails from the OpenCA server
at any of the (all valid) email addresses that I used in requesting the
certs.

Questions:

1) Is there another way to get this CRIN so I can revoke the cert?

2) Why didn't the OpenCA server send out any email messages to the
addresses given in my CSRs?  How do I fix this?  I have postfix
installed, and /usr/lib/sendmail does exist (from postfix).  I have the
default settings in config.xml for:
<option>
  <name>sendmail</name>
  <value>/usr/lib/sendmail -n -t </value>
</option>

I've tested mailing messages from the command line with:
mail -s testSubject [EMAIL PROTECTED] < filename.txt on the
computer running openca and it works.

Any ideas?

-Kevin






[Openca-Users] Root CA certificate is not a signing certificate?

2004-09-23 Thread Kevin
Hi List-

I recently set up RC6 more or less according to Kevin Mitcham's cookbook
as a two-interface (RA and CA) system on one computer.

I've been generating client certificates and learning more about the
software, but I've tried importing the root CA certificate (the first
cert generated in the cookbook) into a web browser as a signing
certificate and it was refused with the error, "...not a signer..."

When I look at the cert with:
openssl x509 -noout -text -in 1.crt

I see:
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE

However, I read in the OpenCA Guide at 3. OpenSSL; Chapter 2.
Configuration:

You must care about three configurationfiles and -directories
etc/openssl/openssl.cnf, etc/openssl/openssl and etc/openssl/extfiles.
The first file contains the configuration for the CA. This means the
file is used for the generation of the initial CA-CSR, the selfsigned
certificate (if you setup a Root CA) and the CRLs.

and when I look at etc/openssl/openssl.cnf (in both my open[cr]a/etc
directories, I see this:

===
[ req ]
default_bits            = 1024
default_keyfile         = privkey.pem
default_md              = sha1
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions         = v3_ca   # The extentions to
                                  # add to the self signed
...
[ v3_ca ]

# Extensions for a typical CA

# It's a CA certificate
basicConstraints = critical, CA:true
===

Shouldn't my first cert have basicConstraints CA:true instead of
CA:FALSE?

TIA.

-Kevin






Re: [Openca-Users] Building from CVS sources: no config.xml?

2004-09-22 Thread Kevin
On Tue, 2004-09-21 at 13:52, Rosa Suárez wrote:
 Hi list,
I've been trying to install openca-0.9.1-10.tar.gz but it happens
 to me the same.
 I don't get config files at etc. I removed etc and re-installed, but it
 didn't work at all. Any suggestions?
 
 Thanks

I'd suggest that you upgrade to RC6.  I just installed it yesterday
according to the guidance in
http://www.mail-archive.com/[EMAIL PROTECTED]/msg05421.html and although I had a 
couple of problems based on those instructions, I did manage to get it working and RC6 
definitely does not suffer from the problem you describe here.

-Kevin






[Openca-Users] Success! (was: Two-interface setup: problem with Import Configuration step)

2004-09-21 Thread Kevin
Hi Til and Damon-

Many thanks for your replies!

I finally made it all the way through Kevin Mitcham's OpenCA Cookbook at
http://www.mail-archive.com/[EMAIL PROTECTED]/msg05421.html

In doing so, I think I discovered a few mistakes, and in the near
future, I'll be documenting those in some form or another.

What would be the best way to do this?  Should I generate my own
cookbook modeled after his but including the steps that I found to be
necessary which were not included in his cookbook?  Then post this
document to the list?  Would that be best or something different?

It turns out that my original problem as reported in this thread came
about because Kevin apparently left out the step to export the
configuration, and Damon explained how to do this.  Once I did that,
following the rest of Kevin's cookbook worked fine.

With an operational two-interface setup with both CA and RA running in
different directories on one Gentoo Linux box, I think I'll be much
better able to learn all the concepts involved with operating a CA.

It is now my intent to read through the entire guide again with extra
special attention this time to the concepts part and to actually use the
software simultaneously and thus hopefully improve my understanding of
everything in the process.

Ultimately, I plan to set myself up similarly to what Damon described
for himself (two computers, one running the RA functions and connected,
the other running CA functions and disconnected) with OpenBSD as the OS
for both computers.  I tried a two-interface setup on one OpenBSD box
already and was stymied by a couple of things but perhaps with a better
understanding from experimenting with a working OpenCA installation,
I'll have better success next time.

To Michael Bell: many thanks to you for your frequent assistance to me
and for making the changes in the code that were apparently necessary
for proper installation and operation on OpenBSD.

Thank you List!

-Kevin






Re: [Openca-Users] rc6 install. Errors immediately in xml_cache.log

2004-09-21 Thread Kevin
On Tue, 2004-09-21 at 12:29, Ed Eden wrote:
 
 
 I don't get it? Fresh install of RC6 and I get the following in the 
 xml_cache.log

Ed, I just installed RC6 on Gentoo Linux following the guidance at
http://www.mail-archive.com/[EMAIL PROTECTED]/msg05421.html (which I found to be almost 
completely workable), and seem to have everything working.  I just generated my first 
client certificate a couple of hours ago.

Perhaps you could provide more information about exactly what you have
done and about what the problem is.  What exactly is it that you are
trying to do that generates the error?  If you do, then I may be able to
help.

-Kevin






RE: [Openca-Users] Two-interface setup: problem with Import Configuration step

2004-09-20 Thread Kevin
On Mon, 2004-09-20 at 00:32, Til Obes wrote:
  I suppose that some of the initialization steps may have depended upon
  those values being set correctly.  What are the implications if they
  were not set correctly during those first init steps?  Must I redo
  everything?
  
  It looks from the error message in the browser that there should
  already be a /usr/local/openra/OpenCA/var/tmp/ca-down file (or perhaps
  one in /usr/local/openca/OpenCA/var/tmp), but I find no ca-* or ra-*
  files in either /usr/local/open[rc]a/OpenCA/var/tmp.  At what 
  step is this archive
  created during the initialization?
  
  The OpenCA guide doesn't go into very much detail on these issues.
  
  Can anyone offer a bit of configuration help?
  
 
 Normally the backup device is a floppy disc or zip disc.

Thanks for your reply, Til, but I'm not sure that I understand.  Please
pardon my questions (that are probably dumb questions due to my lack of
experience with OpenCA):

What do you mean by backup device?  I was talking about these devices:
  <name>dataexchange_device_up</name>
  <name>dataexchange_device_down</name>
  <name>dataexchange_device_local</name>

Is one of these the backup device?

For a two-interface setup, Kevin Mitcham writes to change the default
settings as follows (in
http://www.mail-archive.com/[EMAIL PROTECTED]/msg05421.html):

=
modify the config.xml for the ra (located in
/usr/local/openra/openca/etc)

Now onto the config.xml, for the ca and the ra.
for the CA:   he's apparently writing about changes to the
   /usr/local/openca/openca/etc/config.xml file
   as opposed to openra/openca/etc/config.xml.
...
<!-- these are the devices for the default dataexchange -->
(these might not be in config.xml; if not, see below)
  <name>dataexchange_device_up</name>
  <value>/usr/local/openca/openca/var/tmp/ca-up</value>
</option>
<option>
  <name>dataexchange_device_down</name>
  <value>/usr/local/openca/openca/var/tmp/ca-down</value>
</option>
<option>
  <name>dataexchange_device_local</name>
  <value>/usr/local/openra/openca/var/tmp/ra-local</value>


if the  dataexchange device section is not in config.xml, go to
/usr/local/openca/openca/servers  and look at ca-node.conf.template and 
ca.conf.template

(/usr/local/openca/openca/etc/servers/ca.conf.template)
line EXPORT_IMPORT_DOWN_DEVICE /dev/fd0
to EXPORT_IMPORT_DOWN_DEVICE /usr/local/openca/openca/var/tmp/ca-down


line EXPORT_IMPORT_LOCAL_DEVICE /dev/fd0
to EXPORT_IMPORT_LOCAL_DEVICE /usr/local/openra/openca/var/tmp/ra-local

ra-node.conf.template needs similar updates, as well
ra IMPORT UP DEVICE should be the exact same file as the CA IMPORT_DOWN_DEVICE
...
=

Is that incorrect?

 So the entry looks like /floppy or /dev/hda4/openca/export

Again, not sure I follow.  Should it be /dev/fd0?  Or the mount point
for /dev/fd0?  Or the mount point of some HDD partition (say,
/mnt/testing mounted at /dev/hda4 in linux) followed by a path on that
partition?

Should the entries be identical for the config.xml files in both
/usr/local/openra/OpenCA/etc and /usr/local/openca/OpenCA/etc?  Or
should they be different?

Kevin seems to be writing about changing
/usr/local/openca/OpenCA/etc/config.xml
   *^
when he says to change the dataexchange_device_local to
/usr/local/openra/openca/var/tmp/ra-local so I figured that this device
should be set identically in both openca and openra config.xml files. 
Is that incorrect?


 For testing you should enter at all entries at your side

I'm sorry.  Again, I'm not sure which entries you're referring to here. 
The three devices above?  Or what you mean by, at your side.

 /tmp/openca/export (must be writeable by web server)

So, for both config.xml files, set all three (total of 6 devices: 2
files each with three devices?) to the same file (in say the /tmp
directory---or wherever the web server user can write to)?

 for example. Then you export the conf of the ca and the import on ra.
 That should work then ;)
 

Kevin's cookbook never says to export the configuration of the ca
(unless I missed it?).  How do I do that?

In the guide, I see this:

1.1.5. Final setup


 The last steps can also be done on the interface for the nodemanagement
but it is a good idea to do it during the initialization to get a
consistent state. The rebuild of the CA chain is necessary to verify
digital signatures correctly. If you want to setup a sub CA then you
must add all CA certificates of the CA chain in PEM format to the
directory OPENCADIR/var/crypto/chain/ before you rebuild the chain. 


The really last step is the export of the configuration to the online
server(s). The most OpenCA users ignore this step and handle all the
communication between the different nodes of the PKI hierarchy via the
interface for the node management. If this is you first

[Openca-Users] Two-interface setup: problem with Import Configuration step

2004-09-19 Thread Kevin
Hi List-

I'm very happy to report that I am farther along in Kevin Mitcham's
cookbook than I've ever been before.  My real goal is to get a
two-interface setup going on an OpenBSD 3.5 box, but I was running into
so many problems (with chroot and accessing syslog device et al.) that
I decided to try with a Linux box first (RC6).  This is a newly built
Gentoo system, and I've worked my way through all of Kevin Mitcham's
cookbook with successful results at each step except for when I get to
here:

==
...initialize the RA database
http://myhost.wherever.edu/ra-node
Admin-Server Init, initialize DB
Admin-Server Init, Import Configuration
==

When I was modifying config.xml in the open[rc]a/OpenCA/etc directories
I wasn't quite sure how to handle this part of the instructions from
Kevin's cookbook:

==
<!-- these are the devices for the default dataexchange -->
(these might not be in config.xml; if not, see below)
  <name>dataexchange_device_up</name>
  <value>/usr/local/openca/openca/var/tmp/ca-up</value>
</option>
<option>
  <name>dataexchange_device_down</name>
  <value>/usr/local/openca/openca/var/tmp/ca-down</value>
</option>
<option>
  <name>dataexchange_device_local</name>
  <value>/usr/local/openra/openca/var/tmp/ra-local</value>


if the  dataexchange device section is not in config.xml, go to
/usr/local/openca/openca/servers  and look at ca-node.conf.template and 
ca.conf.template

(/usr/local/openca/openca/etc/servers/ca.conf.template)
line EXPORT_IMPORT_DOWN_DEVICE /dev/fd0
to EXPORT_IMPORT_DOWN_DEVICE /usr/local/openca/openca/var/tmp/ca-down


line EXPORT_IMPORT_LOCAL_DEVICE /dev/fd0
to EXPORT_IMPORT_LOCAL_DEVICE /usr/local/openra/openca/var/tmp/ra-local

ra-node.conf.template needs similar updates, as well
ra IMPORT UP DEVICE should be the exact same file as the CA IMPORT_DOWN_DEVICE
==

In particular, Kevin goes into detail with modifying only the
openca/OpenCA/etc/config.xml file; not so for
openra/OpenCA/etc/config.xml.

I assumed that this last note that he writes, ra IMPORT UP DEVICE
should be the exact same file as the CA IMPORT_DOWN_DEVICE should apply
equally to the config.xml files (although he is writing in particular
about the template files when he says this).

Could someone tell me how these lines should look in my
open[rc]a/OpenCA/etc/config.xml files?  Or perhaps even better, share
with me a complete copy of working config.xml files for a two-interface
system (ideally based on Kevin's cookbook, but if not that's ok too)?

  <name>dataexchange_device_up</name>
  <value>/usr/local/openca/openca/var/tmp/ca-up</value>
</option>
<option>
  <name>dataexchange_device_down</name>
  <value>/usr/local/openca/openca/var/tmp/ca-down</value>
</option>
<option>
  <name>dataexchange_device_local</name>
  <value>/usr/local/openra/openca/var/tmp/ra-local</value>

The problem that I have encountered at the Import Configuration
step of initializing the RA database seems very likely to be related
to my improper settings for these lines because the error message in
the browser window is:

===
  Importing the configuration from a higher level of the hierarchy ...
(Please wait until operation completes)


Test the archive ...
/bin/tar -tvf /usr/local/openra/OpenCA/var/tmp/ca-down
FAILED


Testing archive failed!

512
===

My initial configuration for these up and down devices was this:

ares etc # cat /usr/local/openca/OpenCA/etc/config.xml|grep -C 2 dataexchange_device
<!-- these are the devices for the default dataexchange -->
<option>
  <name>dataexchange_device_up</name>
  <value>/usr/local/openca/OpenCA/var/tmp/ca-up</value>
</option>
<option>
  <name>dataexchange_device_down</name>
  <value>/usr/local/openca/OpenCA/var/tmp/ca-down</value>
</option>
<option>
  <name>dataexchange_device_local</name>
  <value>/usr/local/openra/OpenCA/var/tmp/ra-local</value>
</option>
ares etc # cat /usr/local/openra/OpenCA/etc/config.xml|grep -C 2 dataexchange_device
<!-- these are the devices for the default dataexchange -->
<option>
  <name>dataexchange_device_up</name>
  <value>/usr/local/openra/OpenCA/var/tmp/ca-up</value>
</option>
<option>
  <name>dataexchange_device_down</name>
  <value>/usr/local/openra/OpenCA/var/tmp/ca-down</value>
</option>
<option>
  <name>dataexchange_device_local</name>
  <value>/usr/local/openra/OpenCA/var/tmp/ra-local</value>
</option>


Then based on Kevin's comment, I changed it to this (and naturally reran the
magic configure_etc.sh scripts and ran the openca_stop/start scripts):
ares etc # cat /usr/local/openra/OpenCA

Re: [Openca-Users] OpenBSD: Unknown host new.host.name

2004-09-17 Thread Kevin
Hi List-

Please ignore this silly question.  I was up late and not thinking
clearly.  I never changed my httpd.conf file's default ServerName
setting in the SSL config section (new.host.name).

Sorry for the wasted bandwidth.

-Kevin




---
This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
Project Admins to receive an Apple iPod Mini FREE for your judgement on
who ports your project to Linux PPC the best. Sponsored by IBM.
Deadline: Sept. 24. Go here: http://sf.net/ppc_contest.php
___
Openca-Users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-users


[Openca-Users] OpenBSD: Cannot write to syslogdevice; Chroot httpd issue?

2004-09-17 Thread Kevin
Hi List-

I'm still working my way through Kevin's cookbook and have succeeded at
these two steps (yeah!):

-use the browser to open a page on http://myhost.wherever.edu/openra
and you should get a page.
-Also check http://myhost.wherever.edu/ra-node


But when I visit this page:

Also check http://myhost.wherever.edu/pub

I get only:

Error addMessage failed for log slot sys_syslog (6511070). Cannot write
to syslogdevice.

General Error. 64510030.

In these tests, I tried running httpd both inside and outside of its
chroot environment (in the normal root environment) so I don't think
that's the problem.  Disk space is not a problem.

Any ideas?

Initially, when I tried running apache in its chroot environment, I got
other problems (after copying over files needed in chroot environment):

OpenCA Error: Server is not online or does not accept requests
(/usr/local/openra/OpenCA/var/tmp/openca_socket -
/usr/local/openra/OpenCA/var/tmp/openca_socket ).

This arises because the socket openca_socket was not copied over to
the chroot environment when I copied over the /usr/local/open[rc]a
directories.  To solve that problem, I modified the openca_start/stop
script in /var/www/usr/local/openra/OpenCA/etc to use directories in the
chroot environment, and that gets me the openca_socket socket, and it
solves the problem with this socket error above, but how do I get the
openca_xml_cache socket in /usr/local/openra/OpenCA/var/tmp?  Has anyone
else done this?



-Kevin






Re: [Openca-Users] OpenBSD and config.xml _directory_!? (-d option to /usr/bin/install)

2004-09-17 Thread Kevin
On Fri, 2004-09-17 at 09:59, Michael Bell wrote:
 Kevin wrote:
  I just installed RC6 on openbsd again, being very careful about
  configure commands, using egcc (gcc 3.3.2), Makefile.global-vars, and
  using gmake vice make.
 
 Ok, good luck :)

I'd rather use CVS sources, but I'm not getting a config.xml file when I
do that (nor many others).  Should I just leave my installed RC6
directory structure in place and install CVS sources over that (thus,
hopefully preserving my config.xml file from RC6)?

 man install is your friend.
 

:-) I did man install... How do you think I learned that OpenBSD install
has no -D option (or an analogue to it).  Just didn't completely
understand the -d option until I saw it in action... :-)

  I'm at a loss here on how to proceed.  Reinstalling with the -d option
  removed from the INSTALL options in Makefile.global-vars doesn't help
  either.
 
 If you look at the fresh CVS HEAD files then you will see that I removed 
 -D -c from Makefile.global-vars(.in).
 

Right, and I'd like to use your changes, but as I said, something's
amiss in the config.xml area.  Apparently some others are seeing it
too.  Did you try installing with no pre-existing directory structure? 
If so, I don't understand why make install-online and make
install-offline are working for you (creating the config.xml file et al.)
and not for me...

Thanks again, Michael.

-Kevin






[Openca-Users] Building from CVS sources: no config.xml?

2004-09-16 Thread Kevin
Hi List-

Since Michael was kind enough to make some changes to improve
installation on OpenBSD systems, I'd like to use the most current
sources in building my test system.

So I rm -rf'd my /usr/local/open[rc]a directories and started over using
the CVS module openca-0.9.

The thing is, after ./configure and make and make install-online, I have
no config.xml file in /usr/local/openra/openca/etc.  Just to make sure
this wasn't an OpenBSD install problem, I tried the same thing with CVS
sources on a Gentoo Linux box and got the same result.  On Linux:

cvs -d:pserver:[EMAIL PROTECTED]:/cvsroot/openca login
cvs -z3 -d:pserver:[EMAIL PROTECTED]:/cvsroot/openca co openca-0.9

./configure  \
 --prefix=/usr/local/openra \
 --with-httpd-user=apache  \
 --with-httpd-group=apache  \
 --with-openca-prefix=/usr/local/openra/openca  \
 --with-etc-prefix=/usr/local/openra/openca/etc  \
 --with-httpd-fs-prefix=/usr/local/openra/httpd  \
 --with-module-prefix=/usr/local/openra/modules  \
 --with-node-prefix=ra-node  \
 --with-engine=no  \
 --with-web-host=ares.folkvang.org  \
 --enable-dbi  \
 --enable-rbac  \
 --with-hierarchy-level=ra\
 --with-openca-user=_openca\
 --with-openca-group=_openca\
 --enable-ocspd  \
 --with-openldap-prefix=/usr/local/lib
make
make install-online

ares openca-0.9 # ls -al /usr/local/openra/openca/etc/
total 20
drwxr-xr-x  5 apache  apache  4096 Sep 16 18:40 .
drwxr-xr-x  5 apache  apache  4096 Sep 16 18:38 ..
drwxr-xr-x  2 _openca _openca 4096 Sep 16 18:40 access_control
drwxr-xr-x  3 apache  apache  4096 Sep 16 12:42 openssl
drwxr-xr-x  2 _openca apache  4096 Sep 16 18:40 servers

On OpenBSD:

./configure \
--with-engine=no \
--with-httpd-user=www \
--with-httpd-group=www \
--with-openca-user=_openca \
--with-openca-group=_openca \
--with-httpd-fs-prefix=/usr/local/openra/httpd \
--with-web-host=mandible.example.com \
--with-ca-organization="Certification Services" \
--with-ca-country=US \
--with-ca-locality="Rhode Island" \
--with-ldap-port=389 \
--with-ldap-root=cn=Manager,dc=example,dc=com \
--with-ldap-root-pwd=secret \
--with-module-prefix=/usr/local/openra/modules \
--with-openssl-prefix=/usr/local/ssl \
--with-openldap-prefix=/usr/local \
--enable-ocspd \
--enable-dbi \
--enable-rbac \
--prefix=/usr/local/openra \
--with-service-mail-account=[EMAIL PROTECTED] \
--with-node-prefix=ra-node \
--with-hierarchy-level=ra
make
make install-online
/usr/local/src/OpenCA/openca-0.9 # ls -al /usr/local/openra/OpenCA/etc/
total 28
drwxr-xr-x  7 root  wheel  512 Sep 16 11:52 .
drwxr-xr-x  5 root  wheel  512 Sep 16 11:46 ..
drwxr-xr-x  7 root  wheel  512 Sep 16 11:48 access_control
drwxr-xr-x  2 www   www    512 Sep 16 11:52 bp
drwxr-xr-x  2 www   www    512 Sep 16 11:52 database
drwxr-xr-x  3 www   www    512 Sep 16 11:43 openssl
drwxr-xr-x  6 root  wheel  512 Sep 16 11:48 servers

When I did an RC6 install on Linux (same configure command), the content
of that directory was:

ares openca-0.9.2-RC6 # ls -al /usr/local/openra/openca/etc
total 180
drwxr-xr-x  10 apache  apache   4096 Sep 16 08:54 .
drwxr-xr-x   5 apache  apache   4096 Sep 16 08:54 ..
drwxr-xr-x   2 apache  apache   4096 Sep 16 08:56 access_control
-rw-r--r--   1 _openca _openca  2665 Sep 16 08:54 backup.xml.template
drwxr-xr-x   3 apache  apache   4096 Sep 16 08:54 bp
-rw-r--r--   1 _openca _openca 29819 Sep 16 08:54 config.xml
-rwxr-xr-x   1 _openca _openca  1224 Sep 16 08:54 configure_etc.sh
drwxr-xr-x   2 apache  apache   4096 Sep 16 08:54 database
drwxr-xr-x   2 apache  apache   4096 Sep 16 08:54 init.d
-rw-r--r--   1 _openca _openca 24459 Sep 16 08:54 ldap.xml.template
-rw-r--r--   1 _openca _openca 10874 Sep 16 08:54 loa.xml
-rw-r--r--   1 _openca _openca   842 Sep 16 08:54 log.xml
-rw-r--r--   1 _openca _openca 31239 Sep 16 08:54 menu.xml.template
-rwxr-xr-x   1 _openca _openca   383 Sep 16 08:54 openca_rc
-rwxr-xr-x   1 _openca _openca  1893 Sep 16 08:54 openca_start.template
-rwxr-xr-x   1 _openca _openca   206 Sep 16 08:54 openca_stop.template
drwxr-xr-x   4 apache  apache   4096 Sep 16 08:54 openssl
drwxr-xr-x   3 apache  apache   4096 Sep 16 08:54 rbac
drwxr-xr-x   2 apache  apache   4096 Sep 16 08:54 scep
drwxr-xr-x   2 apache  apache   4096 Sep 16 08:56 servers
-rw-r--r--   1 _openca _openca 12399 Sep 16 08:54 token.xml

Shouldn't I have a config.xml and a configure_etc.sh (and others) as I
do here?  I do get these when I install RC6 in Linux, but not OpenBSD. 
I am working towards a single computer installation for both the online
and offline components as Kevin Mitcham writes about in his Cookbook.

Do I need to check out another module from CVS in addition to
openca-0.9?  Or has the configuration of OpenCA changed recently so as
not to use a config.xml file?

Thanks for any suggestions.

-Kevin





[Openca-Users] OpenBSD and config.xml _directory_!? (-d option to /usr/bin/install)

2004-09-16 Thread Kevin
I just installed RC6 on openbsd again, being very careful about
configure commands, using egcc (gcc 3.3.2), Makefile.global-vars, and
using gmake vice make.

This time, after the install-online and install-offline commands, I see
the following in the etc files:

/usr/local/openra/OpenCA/etc # ls -al /usr/local/openra/OpenCA/etc
total 84
drwxr-xr-x  21 www  www  512 Sep 16 20:10 .
drwxr-xr-x   5 root wheel    512 Sep 16 20:11 ..
drwxr-xr-x   7 www  www  512 Sep 16 20:13 access_control
drw-r--r--   2 _openca  _openca  512 Sep 16 20:10 backup.xml.template
drwxr-xr-x   6 www  www  512 Sep 16 20:10 bp
drw-r--r--   2 _openca  _openca  512 Sep 16 20:10 config.xml
drwxr-xr-x   2 _openca  _openca  512 Sep 16 20:10 configure_etc.sh
drwxr-xr-x   4 www  www  512 Sep 16 20:10 database
drwxr-xr-x   2 www  www  512 Sep 16 20:10 init.d
drw-r--r--   2 _openca  _openca  512 Sep 16 20:10 ldap.xml.template
drw-r--r--   2 _openca  _openca  512 Sep 16 20:10 loa.xml
drw-r--r--   2 _openca  _openca  512 Sep 16 20:10 log.xml
drw-r--r--   2 _openca  _openca  512 Sep 16 20:10 menu.xml.template
drwxr-xr-x   2 _openca  _openca  512 Sep 16 20:10 openca_rc
drwxr-xr-x   2 _openca  _openca  512 Sep 16 20:10 openca_start.template
drwxr-xr-x   2 _openca  _openca  512 Sep 16 20:10 openca_stop.template
drwxr-xr-x   7 www  www  512 Sep 16 20:10 openssl
drwxr-xr-x   6 www  www  512 Sep 16 20:10 rbac
drwxr-xr-x   2 www  www  512 Sep 16 20:10 scep
drwxr-xr-x   7 www  www  512 Sep 16 20:13 servers
drw-r--r--   2 _openca  _openca  512 Sep 16 20:10 token.xml
/usr/local/openra/OpenCA/etc # ls -al /usr/local/openca/OpenCA/etc
total 84
drwxr-xr-x  21 www  www  512 Sep 16 20:41 .
drwxr-xr-x   5 root wheel    512 Sep 16 20:42 ..
drwxr-xr-x   5 www  www  512 Sep 16 20:43 access_control
drw-r--r--   2 _openca  _openca  512 Sep 16 20:41 backup.xml.template
drwxr-xr-x   6 www  www  512 Sep 16 20:41 bp
drw-r--r--   2 _openca  _openca  512 Sep 16 20:41 config.xml
drwxr-xr-x   2 _openca  _openca  512 Sep 16 20:41 configure_etc.sh
drwxr-xr-x   4 www  www  512 Sep 16 20:41 database
drwxr-xr-x   2 www  www  512 Sep 16 20:41 init.d
drw-r--r--   2 _openca  _openca  512 Sep 16 20:41 ldap.xml.template
drw-r--r--   2 _openca  _openca  512 Sep 16 20:41 loa.xml
drw-r--r--   2 _openca  _openca  512 Sep 16 20:41 log.xml
drw-r--r--   2 _openca  _openca  512 Sep 16 20:41 menu.xml.template
drwxr-xr-x   2 _openca  _openca  512 Sep 16 20:41 openca_rc
drwxr-xr-x   2 _openca  _openca  512 Sep 16 20:41 openca_start.template
drwxr-xr-x   2 _openca  _openca  512 Sep 16 20:41 openca_stop.template
drwxr-xr-x   7 www  www  512 Sep 16 20:41 openssl
drwxr-xr-x   6 www  www  512 Sep 16 20:41 rbac
drwxr-xr-x   2 www  www  512 Sep 16 20:41 scep
drwxr-xr-x   5 www  www  512 Sep 16 20:43 servers
drw-r--r--   2 _openca  _openca  512 Sep 16 20:41 token.xml

Notice that config.xml and configure_etc.sh are directories!  Not
regular files!

In fact, every file in each of those directories is a subdirectory, not
a regular file.

I guess this must have happened because I replaced the -D option to
install in the Makefile.global-vars file with -d.  I did this because
OpenBSD /usr/bin/install has no -D option.  And there is apparently no
analogue of that option at all in OpenBSD install.

Michael, you said that you got OpenCA to install on OpenBSD (apparently
using OpenBSD gcc (2.95) vice egcc (3.3?)), but did you manage to create
the node directory structures from scratch with these installs or did
the install steps just copy files into a directory structure that was
pre-existing?  If the former, how did you do it?  When I try it (without
the -d option to install), I get make install-online and make
install-offline failing with many errors about not being able to copy
files into non-existing directories (this is what -D does for you on
Linux, but as I said, there is no such option for OpenBSD install and -d
apparently just causes all files to be made into directories---also not
what I want).

I'm at a loss here on how to proceed.  Reinstalling with the -d option
removed from the INSTALL options in Makefile.global-vars doesn't help
either.

Anyone?

-Kevin






Re: [Openca-Users] OpenBSD and config.xml _directory_!? (-d option to /usr/bin/install)

2004-09-16 Thread Kevin
Apparent temporary solution:

Remove the -D option from the INSTALL line of Makefile.global-vars
(don't replace it with -d), then you must mkdir the directory prefix to
the one file that install fails on in each of make install-online and
make install-offline and then run those make install-online and make
install-offline commands again, after creating the directory by hand.
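
The workaround above, generalized (an added example, not part of the original post or of OpenCA's build files): a portable stand-in for GNU install -D that creates the parent directory first, plus a check that lists names in an etc directory that an install -d run turned into directories. The function names and the sample file are hypothetical.

```shell
#!/bin/sh
# Added example: portable replacement for GNU "install -D", which
# OpenBSD's /usr/bin/install does not provide.

# install_with_parents MODE SRC DEST
# Creates DEST's parent directories, then installs SRC as a regular file.
install_with_parents() {
    iwp_mode=$1; iwp_src=$2; iwp_dest=$3
    if [ ! -f "$iwp_src" ]; then
        echo "install_with_parents: $iwp_src is not a regular file" >&2
        return 1
    fi
    # A DEST that already is a directory is the leftover of an "install -d"
    # run; installing onto it would silently create DEST/<basename of SRC>.
    if [ -d "$iwp_dest" ]; then
        echo "install_with_parents: $iwp_dest is a directory" >&2
        return 1
    fi
    # mkdir -p leaves the mode of already existing directories untouched.
    mkdir -p "$(dirname "$iwp_dest")" || return 1
    install -m "$iwp_mode" "$iwp_src" "$iwp_dest"
}

# list_dirs_installed_as_files DIR
# Prints entries directly under DIR that are directories although their
# names look like files (*.xml, *.sh, *.template), one path per line.
list_dirs_installed_as_files() {
    for ldf_path in "$1"/*.xml "$1"/*.sh "$1"/*.template; do
        if [ -d "$ldf_path" ]; then
            printf '%s\n' "$ldf_path"
        fi
    done
    return 0
}

# demo: reproduces the failure in a scratch directory, then the fix.
demo() {
    demo_tmp=$(mktemp -d) || return 1
    printf '<openca/>\n' > "$demo_tmp/config.xml.src"   # constructed sample
    # With -d, install treats every operand as a directory to create.
    install -d "$demo_tmp/bad/etc/config.xml"
    echo "directories that should be files:"
    list_dirs_installed_as_files "$demo_tmp/bad/etc"
    # The helper creates good/etc and installs a regular file into it.
    install_with_parents 644 "$demo_tmp/config.xml.src" \
        "$demo_tmp/good/etc/config.xml"
    ls -l "$demo_tmp/good/etc"
    rm -rf "$demo_tmp"
}

# Run the demonstration only when asked to: sh thisfile.sh demo
if [ "${1:-}" = demo ]; then
    demo
fi
```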






Re: [Openca-Users] 0.9.2-RC6 won't install on OpenBSD 3.5

2004-09-14 Thread Kevin
On Mon, 2004-09-13 at 07:12, Michael Bell wrote:
 Hi Kevin,
 
 I don't use ocsp too but I checked the ocspd.
 

Thank you Michael and Ives.  I decided that I don't really need ocsp
either.

However, I'm still having difficulties with installation on OBSD3.5.

The ./configure and make steps worked:

CPP=/usr/local/bin/ecpp CC=/usr/local/bin/egcc ./configure  \
 --prefix=/usr/local/openra \
 --with-httpd-user=www  \
 --with-httpd-group=www  \
 --with-openca-prefix=/usr/local/openra/openca  \
 --with-etc-prefix=/usr/local/openra/openca/etc  \
 --with-httpd-fs-prefix=/usr/local/openra/httpd  \
 --with-module-prefix=/usr/local/openra/modules  \
 --with-node-prefix=ra-node  \
 --with-engine=no  \
 --with-web-host=mandible  \
 --enable-dbi  \
 --enable-rbac  \
 --with-hierarchy-level=ra\
 --with-openca-user=_openca\
 --with-openca-group=_openca\
 --with-openldap-prefix=/usr/local/lib

make

But...

The first problem is that the -D option to install is not supported in
OpenBSD 3.5 /usr/bin/install.  After reading man install on a linux box,
I decided that it probably was not necessary since the -d option was
being called.  So I removed it from the definition of $INSTALL in
Makefile.global-vars (make install-online was failing with a complaint
about -D being unrecognized).

Unfortunately, I still cannot make install-online.

Now the problem is this:

/usr/local/src/OpenCA/openca-0.9.2-RC6 # make install-online
installing common components because it is not a package build
make docssrc SUBTARGET=install-common
cd docs && make install-common
cd src && make install-common
make common SUBTARGET=install
cd common && make install
make etc lib var SUBTARGET=install
cd etc && make install
/usr/local/openra/openca/etc already exists, skipping configuration
cd lib && make install
make: don't know how to make /usr/local/openra/openca/lib/bp. Stop in
/usr/local/src/OpenCA/openca-0.9.2-RC6/src/common/lib.
*** Error code 2

Stop in /usr/local/src/OpenCA/openca-0.9.2-RC6/src/common (line 22 of
Makefile).
*** Error code 1

Stop in /usr/local/src/OpenCA/openca-0.9.2-RC6/src/common (line 25 of
Makefile).
*** Error code 1

Stop in /usr/local/src/OpenCA/openca-0.9.2-RC6/src (line 35 of
Makefile).
*** Error code 1

Stop in /usr/local/src/OpenCA/openca-0.9.2-RC6/src (line 38 of
Makefile).
*** Error code 1

Stop in /usr/local/src/OpenCA/openca-0.9.2-RC6 (line 87 of Makefile).
*** Error code 1

Stop in /usr/local/src/OpenCA/openca-0.9.2-RC6 (line 75 of Makefile).
*** Error code 1

Stop in /usr/local/src/OpenCA/openca-0.9.2-RC6 (line 84 of Makefile).
=

It looks like these Makefiles have not been ported to OpenBSD, but I
thought the manual said that OpenCA had been successfully installed on
OBSD.

Has anyone on the list installed OpenCA on OpenBSD?  If so, have you
done so on release 3.5 of OBSD?  I would greatly appreciate any tips on
tweaking the Makefiles (and if any other tweaks are needed).

Thanks!

-Kevin






Re: [Openca-Users] 0.9.2-RC6 won't make on OpenBSD 3.5

2004-09-12 Thread Kevin
On Sat, 2004-09-11 at 19:02, dalini wrote:
 Kevin wrote:
  Hi All-
  
  I'm not sure if I've found a bug in the code or if there is an
  incompatibility, but can anyone comment on this?
  
  i386/OpenBSD3.5 (most current)
  /usr/local/src/OpenCA/openca-0.9.2-RC6 # gcc -v
  Reading specs from /usr/lib/gcc-lib/i386-unknown-openbsd3.5/2.95.3/specs
  gcc version 2.95.3 20010125 (prerelease, propolice)
^^
 
 that's 'the problem' - it should compile with a newer gcc
 I haven't checked out what is the exact problem with 2.95 and
 apps.c but a newer gcc works with the code
 

Thanks, dalini.  I installed lang/egcs from OBSD ports which gives me
gcc 3.3.2 and tried again.

This time I get a failure with a different message:


...
`openca-xml-cache/Makefile' is up to date.
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LC_ALL = de_AT,
LANG = (unset)
are supported and installed on your system.
perl: warning: Falling back to the standard locale (C).
cd openca-sv && make
Making all in src
Making all in docs
cd scripts && make
cd web-interfaces && make
make batch   ca  ldapnode   
pub ra  scep
cd batch && make
cd ca && make
cd ldap && make
cd node && make
cd pub && make
cd ra && make
cd scep && make
cd ocspd && make
Making all in src
if /usr/local/bin/egcc -DPACKAGE_VERSION=\0.5.1\\x0\
-D_USE_SEMAPHORES=1 -I. -I. -I../include   -g -O2 -MT ocspd.o -MD
-MP -MF .deps/ocspd.Tpo  -c -o ocspd.o `test -f 'ocspd.c' || echo
'./'`ocspd.c;  then mv .deps/ocspd.Tpo .deps/ocspd.Po;  else rm -f
.deps/ocspd.Tpo; exit 1;  fi
In file included from ocspd.c:25:
general.h:38: error: redefinition of `union semun'
*** Error code 1

Stop in /usr/local/src/OpenCA/openca-0.9.2-RC6/src/ocspd/src.
*** Error code 1

Stop in /usr/local/src/OpenCA/openca-0.9.2-RC6/src/ocspd (line 301 of
Makefile).
*** Error code 1

Stop in /usr/local/src/OpenCA/openca-0.9.2-RC6/src (line 35 of
Makefile).
*** Error code 1

Stop in /usr/local/src/OpenCA/openca-0.9.2-RC6 (line 87 of Makefile).


My configure command was:
CPP=/usr/local/bin/ecpp CC=/usr/local/bin/egcc ./configure  \
 --prefix=/usr/local/openra \
 --with-httpd-user=www  \
 --with-httpd-group=www  \
 --with-openca-prefix=/usr/local/openra/openca  \
 --with-etc-prefix=/usr/local/openra/openca/etc  \
 --with-httpd-fs-prefix=/usr/local/openra/httpd  \
 --with-module-prefix=/usr/local/openra/modules  \
 --with-node-prefix=ra-node  \
 --with-engine=no  \
 --with-web-host=mandible  \
 --enable-ocspd  \
 --enable-dbi  \
 --enable-rbac  \
 --with-hierarchy-level=ra\
 --with-openca-user=_openca\
 --with-openca-group=_openca\
 --with-openldap-prefix=/usr/local/lib

and then just a plain 'make'

The newly installed gcc is egcc with version:
/usr/local/src/OpenCA/openca-0.9.2-RC6 # /usr/local/bin/egcc -v
Reading specs from
/usr/local/lib/gcc-lib/i386-unknown-openbsd3.5/3.3.2/specs
Configured with:
/usr/ports/lang/egcs/stable/w-gcc-3.3.2/gcc-3.3.2/configure --verbose
--program-transform-name=s,^,e, --disable-nls --with-system-zlib
--enable-cpp --enable-languages=c,c++,f77,objc,java
--enable-sjlj-exceptions --with-gnu-as --with-gnu-ld --enable-shared
--prefix=/usr/local --sysconfdir=/etc
Thread model: single
gcc version 3.3.2

A newly built updatedb database shows only the following general.h files
on my system:

/usr/local/src/OpenCA/openca-0.9.2-RC6 # locate general.h
/usr/include/dev/raidframe/rf_general.h
/usr/local/src/OpenCA/openca-0.9.2-RC6/src/ocspd/src/general.h
/usr/local/src/OpenCA/openca-0.9.2-RC6/src/openca-sv/include/openca/general.h
/usr/src/sys/dev/raidframe/rf_general.h
/usr/src/usr.bin/tn3270/general/general.h

I see only one definition of union semun in that.  Is it defined
elsewhere in the OpenCA code?

Has anyone else built RC6 on an OBSD3.5 box?

TIA!

-Kevin






[Openca-Users] 0.9.2-RC6 won't make on OpenBSD 3.5

2004-09-11 Thread Kevin
Hi All-

I'm not sure if I've found a bug in the code or if there is an
incompatibility, but can anyone comment on this?

i386/OpenBSD3.5 (most current)
/usr/local/src/OpenCA/openca-0.9.2-RC6 # gcc -v
Reading specs from /usr/lib/gcc-lib/i386-unknown-openbsd3.5/2.95.3/specs
gcc version 2.95.3 20010125 (prerelease, propolice)

Configure line from the Cookbook with a couple of additions:

./configure  \
 --prefix=/usr/local/openra \
 --with-httpd-user=www  \
 --with-httpd-group=www  \
 --with-openca-prefix=/usr/local/openra/openca  \
 --with-etc-prefix=/usr/local/openra/openca/etc  \
 --with-httpd-fs-prefix=/usr/local/openra/httpd  \
 --with-module-prefix=/usr/local/openra/modules  \
 --with-node-prefix=ra-node  \
 --with-engine=no  \
 --with-web-host=mandible  \
 --enable-ocspd  \
 --enable-dbi  \
 --enable-rbac  \
 --with-hierarchy-level=ra\
 --with-openca-user=_openca\
 --with-openca-group=_openca\
 --with-openssl-prefix=/usr/sbin/openssl\
 --with-openldap-prefix=/usr/local/lib

make fails with:
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LC_ALL = de_AT,
LANG = (unset)
are supported and installed on your system.
perl: warning: Falling back to the standard locale (C).
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LC_ALL = de_AT,
LANG = (unset)
are supported and installed on your system.
perl: warning: Falling back to the standard locale (C).
Manifying blib/man3/OpenCA::XML::Cache.3p
Use of uninitialized value in string eq at /usr/libdata/perl5/Pod/Man.pm
line 418.
Use of uninitialized value in string eq at /usr/libdata/perl5/Pod/Man.pm
line 419.
cd openca-sv && make
Making all in src
source='apps.c' object='apps.o' libtool=no  depfile='.deps/apps.Po'
tmpdepfile='.deps/apps.TPo'  depmode=gcc /bin/sh ../build/depcomp  gcc
-DPACKAGE_VERSION=\1.0.1\\x0\ -I. -I. -I../include 
-I/usr/sbin/openssl/include -g -O2 -c `test -f 'apps.c' || echo
'./'`apps.c
apps.c: In function `load_engine':
apps.c:1036: syntax error before `*'
apps.c:1037: `e' undeclared (first use in this function)
apps.c:1037: (Each undeclared identifier is reported only once
apps.c:1037: for each function it appears in.)
*** Error code 1

Stop in /usr/local/src/OpenCA/openca-0.9.2-RC6/src/openca-sv/src.
*** Error code 1

Stop in /usr/local/src/OpenCA/openca-0.9.2-RC6/src/openca-sv (line 293
of Makefile).
*** Error code 1

Stop in /usr/local/src/OpenCA/openca-0.9.2-RC6/src (line 35 of
Makefile).
*** Error code 1

Stop in /usr/local/src/OpenCA/openca-0.9.2-RC6 (line 87 of Makefile).
/usr/local/src/OpenCA/openca-0.9.2-RC6 #

TIA.

-Kevin

PS. My perl is:
/usr/local/src/OpenCA/openca-0.9.2-RC6 # perl -v

This is perl, v5.8.2 built for i386-openbsd

Copyright 1987-2003, Larry Wall

Perl may be copied only under the terms of either the Artistic License
or the
GNU General Public License, which may be found in the Perl 5 source kit.

Complete documentation for Perl, including FAQ lists, should be found on
this system using `man perl' or `perldoc perl'.  If you have access to
the
Internet, point your browser at http://www.perl.com/, the Perl Home
Page.






---
This SF.Net email is sponsored by: YOU BE THE JUDGE. Be one of 170
Project Admins to receive an Apple iPod Mini FREE for your judgement on
who ports your project to Linux PPC the best. Sponsored by IBM. 
Deadline: Sept. 13. Go here: http://sf.net/ppc_contest.php
___
Openca-Users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-users


Re: [Openca-Users] too short symmetric keylength: General Error. 6251043.

2004-08-18 Thread Kevin
On Wed, 2004-08-18 at 02:49, Oliver Welter wrote:
 Hi Kevin,
 
 I had the same problem :)
 It's likely that you have not exported your SSL-Vars to Perl...
 Add
 SSLOptions +StdEnvVars
 to your SSL-Config in apache and it should work
 
 Oliver

Hi Oliver-

Yes, you were right.  This solved my problem.  Thanks very much.  I
think I'll add it to the OpenCA Cookbook thread on the list for other
changes to make to httpd.conf as a part of a first installation.

-Kevin






Re: [Openca-Users] OpenCA cookbook

2004-08-18 Thread Kevin
I know this won't show up in the thread of the same subject because I
don't have the original or any of the follow-ups to that message in my
own email archive, but I just thought I'd try to get this point somehow
associated with the OpenCA Cookbook, thus this message.

Other changes to make to httpd.conf (aside from those already listed in
the OpenCA Cookbook):


SSLOptions +StdEnvVars


Thanks to Oliver Welter for pointing this out to me.

-Kevin






[Openca-Users] problems initializing openca (Error Login failed: 6273120.)

2004-08-18 Thread Kevin
Hi List-

Many thanks to Oliver Welter for helping me resolve my problem with
SSLOptions +StdEnvVars that was causing my too short symmetric
keylength error.

Now that I have that solved, I've encountered another problem in trying
to follow the guidelines in the OpenCA cookbook from Kevin Mitcham.

I do get pages when visiting all of the following:
https://myhost.wherever.edu/ra
https://myhost.wherever.edu/ra-node
https://myhost.wherever.edu/pub
https://myhost.wherever.edu/ca
https://myhost.wherever.edu/ca-node

What I get is as follows:
https://myhost.wherever.edu/ra
A purple login screen

https://myhost.wherever.edu/ra-node
A white login screen

https://myhost.wherever.edu/pub
A series of tabs labeled:
General (Logout)
CA Infos (Policy  Get CA certificate  Certificate Revocation Lists)
User (Request a Certificate  Get Requested Certificate  Test Certificate
Revoke Certificate)
Certificates (Valid  Expired  Suspended  Revoked  Search)
Requests (Certificate Requests  Certificate Revocation Requests)
Language (English  German  Spanish  French  Italian  Japanese  Polish)

https://myhost.wherever.edu/ca
A purple login screen

https://myhost.wherever.edu/ca-node
A white login screen

In the cookbook, Kevin Mitcham says:

connect to the ca: 
http://myhost.wherever.edu/openca

Series of tabs should be visible.  Select General-Initialization
 Phase I
Initialize the Certification Authority
Initialize Database
initialize- initialize DB .(reports success, but a slurry of error messages 
about table not found may appear on the console)

Based upon the changes he recommends for httpd.conf, I assume he
means to connect to http://myhost.wherever.edu/ca because that's what
he makes an Alias for.

With what username/password credentials should I login?

The ones that I set up in my config.xml files?  I assumed
that these were the username/password of the mysql openca database
administrator that I created when creating the databases themselves,
but these aren't working.  When I try it I get a login failed message.
Must I permit access to port 3306 over the network?  I can connect
to the mysql server using the mysql command-line client program
running on the server machine when using these credentials,
but cannot do so through the web interface of OpenCA.

The only place I see a series of tabs is at /pub and while there
is a General tab, there is no Initialization item in it.

Am I missing something?

Any suggestions?  I checked the list archives but didn't see anything
that helped me out.  Someone reported a problem with the cookie
directory being created, but I'm not seeing the same symptoms he was.

The exact error message is:
Error Login failed.
General Error. 6273120.

Thanks again.

-Kevin






Re: [Openca-Users] problems initializing openca (Error Login failed: 6273120.)

2004-08-18 Thread Kevin
On Wed, 2004-08-18 at 10:48, Martin Bartosch wrote:
 Hi Kevin,
 
 just some quick notes:
 
 The initial user/password is root/root. Of course you do not need
 to open the database from the outside.
 The initialization steps can be performed using the /ca/ frontend
 after logging in.
 Public frontend is for issuing requests and picking up certs only.
 
 Please read the docs in the OpenCA guide...

Thanks Martin, Til, and Johannes for pointing this out.

Guess I should've read all of the docs in their entirety before posting
but my lame excuse is that I was misled by the cookbook.  I had the
impression from reading it that it was self-contained and that I could
use it as a shortcut for installation and then read the full docs
afterwards as I experimented with OpenCA.

Sorry for the unnecessary question/time/bandwidth.

-Kevin







Re: [Openca-Users] OpenCA Cookbook

2004-08-18 Thread Kevin Mitcham
I'm sorry if the cookbook misled you, or was incomplete.  I wrote it to 
make the install procedure overall a little easier, providing a worked 
example.  By the time I wrote it down, I had installed OpenCA several 
times, and some of the items were already committed to memory, and 
didn't get written down.  I did try to write out several of the problems 
that came up in my experience, and the solutions to them.

Kevin
Please read the docs in the OpenCA guide...

Thanks Martin, Til, and Johannes for pointing this out.
Guess I should've read all of the docs in their entirety before posting
but my lame excuse is that I was misled by the cookbook.  I had the
impression from reading it that it was self-contained and that I could
use it as a shortcut for installation and then read the full docs
afterwards as I experimented with OpenCA.
Sorry for the unnecessary question/time/bandwidth.
-Kevin





[Openca-Users] Error 700 in attempting to initialize database

2004-08-18 Thread Kevin
At the risk of getting yelled at, I have another question... (sorry...)

This time I've read both the cookbook and the relevant portions of the
guide.  As usual, I've also searched the list archives, searched through
the entire guide for this particular error, and double-checked the steps
I performed in the cookbook.  I'm not finding anything to help me solve
this.  That said, however, it's true that I have not read the guide from
cover to cover.  If I'm wrong for asking a question here in such
circumstances, someone please feel free to correct me.  I promise I
won't take offense.

I'm following the steps exactly in the cookbook:
Series of tabs should be visible.  Select General-Initialization
 Phase I
Initialize the Certification Authority
Initialize Database
 at this point, clicking on Initialize Database gives Error 700
initialize- initialize DB .(reports success, but a slurry of error messages 
about table not found may appear on the console)

Anyway, when I attempt to initialize the database, I get this error:
Error 700
General Error. The compilation of the command cmdGenDB failed. Can't
call method prepare on an undefined value at
/usr/local/openca/modules/perl5/OpenCA/DBI.pm line 2518.

When I look at line 2518 of said file, I see:
   2515   ## prepare
   2516   $self->debug ("doQuery: prepare statement");
   2517   $self->debug ("doQuery: statement nr.: ".(scalar (@{$self->{STH}}) +1));
   2518   $self->{STH}[scalar (@{$self->{STH}})] = $self->{DBH}->prepare ($query);
   2519   if ( (my $h = $self->{STH}[scalar (@{$self->{STH}}) -1]->state) != 0) {
   2520     $self->debug ("doQuery: prepare failed");
   2521     $self->debug ("doQuery: query: $query");
   2522     $self->debug ("doQuery: returned errorcode: $h");
   2523     $self->errno ( $OpenCA::DBI::ERROR->{PREPARE_FAILED} );
   2524     return undef;
   2525   }

Not being very clueful on perl in general, I'm definitely out of my
league trying to interpret perl code.

Can anyone offer suggestions on how to resolve this?  I suppose I must
have screwed up something in my config files.  Should I post those?  If
so, just say so and I will.

Sorry to be such a pain, guys.

Thanks for any help.

-Kevin






Re: [Openca-Users] OpenCA Cookbook

2004-08-18 Thread Kevin
On Wed, 2004-08-18 at 12:03, Kevin Mitcham wrote:
 I'm sorry if the cookbook misled you, or was incomplete.  I wrote it to 
 make the install procedure overall a little easier, providing a worked 
 example.  By the time I wrote it down, I had installed OpenCA several 
 times, and some of the items were already committed to memory, and 
 didn't get written down.  I did try to write out several of the problems 
 that came up in my experience, and the solutions to them.
 
 Kevin

Hi Kevin-

Please don't apologize.  I meant what I said when I said that this was
my _lame_ excuse.  The cookbook was a big help to me; of that I'm quite
certain.  But I should not have relied on it exclusively.  That's a
lesson for me.  Your cookbook was very helpful to me.  Thanks very much
for writing it.  Once I have completed my installation and configuration
of OpenCA, I hope to be able to add my experience to what you've written
and perhaps improve upon it somewhat, but there's certainly no cause to
apologize.  Thanks very kindly for helping me out a great deal by
writing it.

-Kevin






Re: [Openca-Users] Error 700 in attempting to initialize database

2004-08-18 Thread Kevin
On Wed, 2004-08-18 at 16:37, Ives Steglich wrote:
 Tiller, Robert wrote:
  I don't know if this is the same error I had, but some earlier versions of
  openca had a permission error on the db files.  Mainly DBM files not
  SQL.  You might check the file permissions.
 
 but this would not be good - i thought we solved those problems before 
 rc6... could be it was afterwards... but actually it shouldn't happen 
 anymore - at least with cvs ,o)
 
 yes - check file permissions in var/db/ if it's not your 
 apacheuser:apachegroup just delete the files (there should be none 
 before initialization) or change the ownership to the apache stuff
 

I have no files in /usr/local/open[cr]a/openca/var/db, and the ownership
of each directory itself is apacheuser:apachegroup.

Based on the error message, I was thinking that this error would be a
code problem, no?  Perhaps related to configuration?  But I'm really
without a clue.

I had to make some adjustments to the aliases that I used in httpd.conf
because I configured with --with-node-prefix=online-ra-node and
--with-node-prefix=offline-ca-node instead of the cookbook recommended
--with-node-prefix=[cr]a-node.  I just did it to help me keep straight
in my mind which was online and which was offline, but I found that it
threw a couple of small wrenches into my configuration.  I think I
ferreted them all out, but perhaps this problem is another result of
that minor change I made.

Thanks dalani and Robert for your replies though.  Any other thoughts? 
Should I simply start over from scratch?  Perhaps with a new SuSE 9.0 or
9.1 box?  I'm trying to compile OpenCA on Gentoo, but seem to have a
problem with my perl setup (see thread, Problem compiling:
XML::Parser-2.23 important vice 2.34?) so I can't make a comparison
there either---I can't even complete the make step.

Again, thanks for being so patient with an OpenCA newbie.

-Kevin






Re: [Openca-Users] Problem compiling: XML::Parser-2.23 important vice 2.34?

2004-08-17 Thread Kevin
On Fri, 2004-08-13 at 03:11, Michael Bell wrote:
 Kevin wrote:
 
  Or is this the problem?
  Can't locate XML/Parser.pm in @INC (@INC contains:
  ...
  
  I don't see XML/Parser.pm in @INC either.  How do I get it there given
  that I do have this module installed on my system?
 
 You can link it to a directory in your @INC array. Simply run find and 
 then create an appropriate link from one of your directories in @INC to 
 the file or a directory in the path of this file. The path must look 
 exactly like for the original file.
 

Hi again Michael and thanks for your suggestion here.  I tried it with
the following steps:

tombstone root # cat test.perl
#!/usr/bin/perl
print "\@INC is @INC\n";

tombstone root # ./test.perl
@INC is /etc/perl /usr/lib/perl5/site_perl/5.8.4/i686-linux-thread-multi
/usr/lib/perl5/site_perl/5.8.4 /usr/lib/perl5/site_perl/5.8.2
/usr/lib/perl5/site_perl
/usr/lib/perl5/vendor_perl/5.8.4/i686-linux-thread-multi
/usr/lib/perl5/vendor_perl/5.8.4 /usr/lib/perl5/vendor_perl
/usr/lib/perl5/5.8.4/i686-linux-thread-multi /usr/lib/perl5/5.8.4
/usr/local/lib/site_perl /usr/lib/perl5/site_perl/5.8.2 .
tombstone root # cd /usr/local/lib/site_perl
tombstone site_perl # ln -s \
/usr/lib/perl5/vendor_perl/5.8.4/i686-linux/XML XML
tombstone site_perl # ls -l
total 0
lrwxrwxrwx1 root root   47 Aug 17 08:50 XML ->
/usr/lib/perl5/vendor_perl/5.8.4/i686-linux/XML
tombstone site_perl # cd XML
tombstone XML # ls -l
total 156
drwxr-xr-x4 root root 4096 Aug 10 13:41 GDOME
-r--r--r--1 root root12554 Aug 10 13:41 GDOME.pm
-r--r--r--1 root root 2862 Aug 10 13:41 GDOME.pod
drwxr-xr-x3 root root 4096 Aug 10 13:54 LibXML
-r--r--r--1 root root31844 Aug 10 09:29 LibXML.pm
-r--r--r--1 root root 5338 Aug 10 09:29 LibXML.pod
-r--r--r--1 root root11061 Aug 10 09:29 LibXSLT.pm
drwxr-xr-x4 root root 4096 Aug 10 08:25 Parser
-r--r--r--1 root root27103 Aug 10 08:25 Parser.pm
drwxr-xr-x4 root root 4096 Aug 10 09:28 Sablotron
-r--r--r--1 root root29538 Aug 10 09:28 Sablotron.pm
-r--r--r--1 root root 7889 Aug 10 09:29 benchmark.pl
tombstone XML # ls -l Parser
total 48
drwxr-xr-x2 root root 4096 Aug 10 08:25 Encodings
-r--r--r--1 root root33917 Aug 10 08:25 Expat.pm
-r--r--r--1 root root 1571 Aug 10 08:25 LWPExternEnt.pl
drwxr-xr-x2 root root 4096 Aug 10 08:25 Style

So I'm thinking I've successfully linked the perl modules in
/usr/lib/perl5/vendor_perl/5.8.4/i686-linux/XML to a directory that is
in @INC.

However, when I run the ./configure and make commands now, I get a
slightly different error:

XML-Twig-3.09/MANIFEST
make[4]: Entering directory
`/mnt/tmp/working/openca-0.9.2-RC6/src/modules'
Checking if your kit is complete...
Looks good
Warning: prerequisite XML::Parser 2.23 not found.
Writing Makefile for XML::Twig
make[4]: Leaving directory
`/mnt/tmp/working/openca-0.9.2-RC6/src/modules'
make[4]: Entering directory
`/mnt/tmp/working/openca-0.9.2-RC6/src/modules/XML-Twig-3.09'
/usr/bin/perl5.8.4 speedup Twig.pm.slow > Twig.pm
Can't locate loadable object for module XML::Parser::Expat in @INC (@INC
contains: ../Digest-SHA1-2.02/blib/lib ../IO-Socket-SSL-0.92/blib/lib 
snipped for brevity
/usr/lib/perl5/site_perl
/usr/lib/perl5/vendor_perl/5.8.4/i686-linux-thread-multi
/usr/lib/perl5/vendor_perl/5.8.4 /usr/lib/perl5/vendor_perl
/usr/lib/perl5/5.8.4/i686-linux-thread-multi /usr/lib/perl5/5.8.4
/usr/local/lib/site_perl /usr/lib/perl5/site_perl/5.8.2 .) at
/usr/local/lib/site_perl/XML/Parser.pm line 14
Compilation failed in require at /usr/local/lib/site_perl/XML/Parser.pm
line 14.
BEGIN failed--compilation aborted at
/usr/local/lib/site_perl/XML/Parser.pm line 18.
Compilation failed in require at speedup line 5.
BEGIN failed--compilation aborted at speedup line 5.
make[4]: *** [Twig.pm] Fehler 255
make[4]: Leaving directory
`/mnt/tmp/working/openca-0.9.2-RC6/src/modules/XML-Twig-3.09'
make[3]: *** [XML-Twig-3.09] Error 2
make[3]: Leaving directory
`/mnt/tmp/working/openca-0.9.2-RC6/src/modules'
make[2]: *** [modules] Error 2
make[2]: Leaving directory
`/mnt/tmp/working/openca-0.9.2-RC6/src/modules'
make[1]: *** [modules] Error 2
make[1]: Leaving directory `/mnt/tmp/working/openca-0.9.2-RC6/src'
make: *** [src] Error 2

Strangely, when I run make a second time, immediately after getting this
error, it does complete successfully.  I'm not sure if it's skipping
over the portions that caused the failure initially or if it's including
them and getting it right the second time or what, but I'd still like to
resolve the problem with XML::Parser just on general principle---perhaps
this is a symptom of a more general problem with my perl installation
and I'd prefer to resolve it now rather than ignore it and have it cause
other problems later.

When I

Re: [Openca-Users] Problem compiling: XML::Parser-2.23 important vice 2.34?

2004-08-17 Thread Kevin
I think I've found the problem now, but not sure about the best way to
fix it.

I used Tom Phoenix's perl module Inside to discover that, for some
reason, XML::Parser::Expat is installed on my system as:

i686-linux::XML::Parser::Expat (version 2.34) found in
/usr/lib/perl5/vendor_perl/5.8.4

I suppose one very difficult way to resolve the problem would be to
change all instances of XML::Parser::Expat in the OpenCA code to
i686-linux::XML::Parser::Expat, but that seems awfully silly.

Anyone have a suggestion on the best way to resolve this one?

Thanks.

-Kevin
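
The "Can't locate loadable object for module XML::Parser::Expat" error in this thread means perl found the .pm file but not the compiled object, which it looks for under auto/ in each @INC directory. The following is an added example, not code from the posts or from OpenCA: it mimics that two-part lookup over a constructed directory tree modelled on the paths in the messages (the location of Expat.so under i686-linux/auto is an assumption).

```python
import os
import tempfile


def locate_xs_module(inc_dirs, module, dlext="so"):
    """Resolve an XS module the way perl does: Foo/Bar.pm in some @INC
    directory, and auto/Foo/Bar/Bar.<dlext> in some @INC directory."""
    parts = module.split("::")
    pm_rel = os.path.join(*parts) + ".pm"
    obj_rel = os.path.join("auto", *parts, parts[-1] + "." + dlext)
    found = {"pm": None, "object": None}
    for inc in inc_dirs:
        pm_path = os.path.join(inc, pm_rel)
        obj_path = os.path.join(inc, obj_rel)
        if found["pm"] is None and os.path.isfile(pm_path):
            found["pm"] = pm_path
        if found["object"] is None and os.path.isfile(obj_path):
            found["object"] = obj_path
    return found


def classify(found):
    """Name the failure mode for a lookup result."""
    if found["pm"] is None:
        return "missing-module"    # "Can't locate XML/Parser.pm in @INC"
    if found["object"] is None:
        return "missing-object"    # "Can't locate loadable object for module"
    return "ok"


def build_constructed_layout(root):
    """Constructed tree: the module lives under the i686-linux arch directory,
    @INC only lists i686-linux-thread-multi, and site_perl/XML is a symlink
    to the i686-linux copy, as created in the message above."""
    vendor = os.path.join(root, "usr", "lib", "perl5", "vendor_perl", "5.8.4")
    old_arch = os.path.join(vendor, "i686-linux")
    site = os.path.join(root, "usr", "local", "lib", "site_perl")
    os.makedirs(os.path.join(old_arch, "XML", "Parser"))
    os.makedirs(os.path.join(old_arch, "auto", "XML", "Parser", "Expat"))
    os.makedirs(os.path.join(vendor, "i686-linux-thread-multi"))
    os.makedirs(site)
    for rel in (("XML", "Parser.pm"),
                ("XML", "Parser", "Expat.pm"),
                ("auto", "XML", "Parser", "Expat", "Expat.so")):
        open(os.path.join(old_arch, *rel), "w").close()
    os.symlink(os.path.join(old_arch, "XML"), os.path.join(site, "XML"))
    # The part of @INC that matters here, in the order shown in the message.
    return [os.path.join(vendor, "i686-linux-thread-multi"), vendor, site]


def demo():
    """Return (verdict, real location of the .pm relative to the tree root)."""
    with tempfile.TemporaryDirectory() as root:
        inc_dirs = build_constructed_layout(root)
        found = locate_xs_module(inc_dirs, "XML::Parser::Expat")
        origin = os.path.relpath(os.path.realpath(found["pm"]),
                                 os.path.realpath(root))
        return classify(found), origin


if __name__ == "__main__":
    print(demo())
```

The resolved location of the .pm shows which architecture directory the module was built for; when that directory is not the one in the running perl's @INC, rebuilding the module against the running perl is cleaner than adding more links.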






[Openca-Users] too short symmetric keylength: General Error. 6251043.

2004-08-17 Thread Kevin
Hi List-

Many thanks for suggestions relating to my other posts here (some of
which I'm still trying to resolve), but I did get a successful
configure/make/make install of OpenCA according to the OpenCA Cookbook
that Johnny Gonzalez referred me to on a SuSE 9.0 box.  I'm still
struggling with this part on a Gentoo system, but with the SuSE system,
I may be suffering from a configuration problem, and that's what I'm
trying to resolve with this message.

I have the following error upon accessing https://localhost/ra

Error Aborting connection - you are using a too short symmetric
keylength ().
General Error. 6251043.

I saw in the archives in May where someone else had this problem and
Michael pointed out the solution by explaining that the keylength in
etc/access_control/ra.xml file was apparently the problem.

In my etc/access_control/ra.xml, I have the following:

<openca>
<access_control>
<channel>
<type>mod_ssl</type>
<protocol>ssl</protocol>
<source>.*</source>
<asymmetric_cipher>.*</asymmetric_cipher>
<asymmetric_keylength>0</asymmetric_keylength>
<symmetric_cipher>.*</symmetric_cipher>
<symmetric_keylength>128</symmetric_keylength>
</channel>
...

And when I use Mozilla Firefox to view https://localhost/ra and click
the lock, it reports that the connection is encrypted with High-grade
Encryption (AES-256 256 bit).

Perhaps OpenCA doesn't know about the AES cipher?

Or is it this other thing that Michael mentioned in his reply to that
poster: The empty () at the end of the errormessage looks like a 
general problem with your SSL

I have no problems viewing other content over the https protocol.  Only
OpenCA stuff.

Any help here?

-Kevin
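
The empty parentheses in the error are explained by the fix reported in the reply in this thread (SSLOptions +StdEnvVars): without that option mod_ssl does not export its SSL_* variables to CGI programs, so a channel check sees no key length at all and fails closed. The following is an added model of such a check, not OpenCA's own code; that the check reads SSL_CIPHER and SSL_CIPHER_USEKEYSIZE is an assumption, and the environments are constructed.

```python
import re
import xml.etree.ElementTree as ET

# The <channel> policy quoted in the message above, with closing tags added
# so that the fragment parses on its own.
RA_XML = """
<openca>
  <access_control>
    <channel>
      <type>mod_ssl</type>
      <protocol>ssl</protocol>
      <source>.*</source>
      <asymmetric_cipher>.*</asymmetric_cipher>
      <asymmetric_keylength>0</asymmetric_keylength>
      <symmetric_cipher>.*</symmetric_cipher>
      <symmetric_keylength>128</symmetric_keylength>
    </channel>
  </access_control>
</openca>
"""

# Constructed CGI environments (sample values, not captured from a server).
ENV_VARS_EXPORTED = {"SSL_CIPHER": "AES256-SHA", "SSL_CIPHER_USEKEYSIZE": "256"}
ENV_VARS_MISSING = {}  # SSL virtual host without "SSLOptions +StdEnvVars"
ENV_WEAK_CIPHER = {"SSL_CIPHER": "DES-CBC-SHA", "SSL_CIPHER_USEKEYSIZE": "56"}


def load_channel_policy(xml_text):
    """Return the <channel> settings as a dict of tag -> text."""
    channel = ET.fromstring(xml_text).find("./access_control/channel")
    return {child.tag: (child.text or "").strip() for child in channel}


def check_channel(policy, env):
    """Model of the channel check: returns (allowed, message).

    Assumption: the cipher and key length come from the mod_ssl variables
    SSL_CIPHER and SSL_CIPHER_USEKEYSIZE in the CGI environment.
    """
    cipher = env.get("SSL_CIPHER", "")
    keysize = env.get("SSL_CIPHER_USEKEYSIZE", "")
    if not re.fullmatch(policy["symmetric_cipher"], cipher):
        return False, "symmetric cipher not allowed (%s)" % cipher
    minimum = int(policy["symmetric_keylength"])
    # A missing or non-numeric key length is rejected, never treated as "any".
    if not keysize.isdigit() or int(keysize) < minimum:
        return False, "too short symmetric keylength (%s)" % keysize
    return True, "channel accepted"


def diagnose(policy, env):
    """Tell a configuration gap apart from a genuinely weak connection."""
    allowed, _ = check_channel(policy, env)
    if allowed:
        return "ok"
    if "SSL_CIPHER_USEKEYSIZE" not in env:
        return "vars-not-exported"  # fix the web server configuration
    return "weak-channel"           # the policy is doing its job


if __name__ == "__main__":
    policy = load_channel_policy(RA_XML)
    for name, env in (("exported", ENV_VARS_EXPORTED),
                      ("missing", ENV_VARS_MISSING),
                      ("weak", ENV_WEAK_CIPHER)):
        print(name, check_channel(policy, env), diagnose(policy, env))
```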






Re: [Openca-Users] Single computer installation of OpenCA

2004-08-12 Thread Kevin
On Thu, 2004-08-12 at 02:47, Oliver Welter wrote: 
 Hi Kevin,

Hi Oliver.

 have a look at the openca-guide.pdf in the docs directory. There is a 
 chapter about installation and a brief description how to install both 
 interfaces onto one directory

Yes, I studied that pretty thoroughly, and my questions actually
arose from doing so.  Thanks for your reply, Oliver.

 Oliver
 


 
 On Thu, 2004-08-12 at 03:24, Michael Bell wrote:
 Kevin wrote:
  ... and it's becoming clear that a typical test
  installation of the OpenCA software involves two separate server
  computers: one connected to a network (CA?) and the other NOT connected
  to a network (RA?).
 
 Small security warning - the CA is OFFLINE and the RA stuff is online.
 

Ah!  Ok.  Thanks for pointing that out.

  4.2 How to setup two management interfaces on one server?
  
  Exactly what is meant by management interface here?  Probably not
  Network Interface (as in Network Interface Card)... perhaps Web
  Interface? (as in, a different TCP port for each management function)? 
  I'm guessing that if I can learn this part, my first question will be
  moot.
 
 The management interface is the node interface. It is used for 
 dataexchange. Please take a look at the pictures in the Design part of 
 the OpenCA guide. BTW if the images in openca-guide.pdf are still broken 
 then please use the HTML version of the guide. It looks like I have a 
 problem with Apache FOP.
 

Yes, the images are still broken in openca-guide.pdf.  I saw the
references to them, but assumed that they were meant to be added later. 
Thanks for explaining this.

-Kevin






[Openca-Users] Typo in openca-guide?

2004-08-12 Thread Kevin
Hi List-

Really quick question:

Section 1 of the guide Basic Hierarchy reads in part...

The data exchange between such isolated databases can be handled
automatically if you use a distributed database system but in the sense
of OpenCA such a distributed database system is only on database in our
tree.   ^^

Is this word, on supposed to be one?  I can make sense of either
sentence but in my first read of this, I assumed it was supposed to be a
one and also assumed that the images in openca-guide.pdf were missing
because they had yet to be added.  Michael Bell pointed me to the
openca-guide.html and now I see the images, but just thought I would
double-check this typo, if that's what it is.

Thanks.

-Kevin






Re: [Openca-Users] Single computer installation of OpenCA

2004-08-12 Thread Kevin
On Wed, 2004-08-11 at 19:34, Kevin wrote:
 On Wed, 2004-08-11 at 18:52, Ives Steglich wrote:
  Kevin wrote:
   Hi List-
   
   I've been studying the openca-guide.pdf file in the openca-SNAP-20040730
   tarball (Is this the latest non-CVS source?  If not, where's the best
...
   of complexity.  Is there some way to get the full functionality of
   OpenCA in a test environment by installing everything on one computer?
   
  yes you can simply install everything on one system
  just use different directories for ca and pub stuff
  
 
 Sorry if I'm being dense here, but how does this translate into
 ./configure options and/or make targets?
 
 By use different directories do you mean while setting the configure
 options? (ie. --with-ca-prefix=DIR, --with-node-prefix=NODEPREFIX,
 --with-ra-prefix=DIR, etc.) or something else.  It looks like these all
 default to different values anyway...  Am I missing something?
 

I'm reading the guide again with the benefit of the images, and it
occurs to me that my question here may not be clear so I'll try to
clarify.

Section 4.2.1 (How to setup two management interfaces on one
server?---Online Components) of the guide reads as follows:

The first installation uses only the normal steps - ./configure
--with-node-prefix=online_node --with-your-options, make, make test,
make install-online, edit OPENCADIR/etc/config.xml and
OPENCADIR/etc/configure_etc.sh. Please use your options to configure the
software and use the hierarchy level ra.

I have a better understanding of the word node in this context, but
I'm still not sure I have a complete understanding of it.  Michael
explained that management interface and node interface are the same,
and it is used for data exchange, and I see the images depicting the
node in the design part of the guide, but I'd like to ask some questions
to confirm my understanding (or correct it).

The configure options above use the literal string, online_node, and
below in section 4.2.2 (Offline Components) the literal string
offline_node.  If a node is a management interface, can the string be
any arbitrary string in this --with-node-prefix configure option?  Or
must it match the hostname of the computer or some other parameter?  How
are these node-prefixes used later by the software?  If I install
everything on one server computer, is the node-prefix online_node (as
used in the configure step above) associated with a TCP port or a unix
domain socket that is open on the computer (and perhaps another TCP port
or socket for the string offline_node) (this is what I think of when I
read, interface) or is it just a hyperlink by the name of
online_node in a web page generated by the software for doing
management/data exchange tasks with a browser or what?  If the
node-prefix can be any arbitrary string, is there a typical value that
is used for it?  Are the strings online_node and offline-node ok for
that?  Do these strings become part of the certificates issued by
OpenCA?

  you will then have full functionality as if both parts were on separate 
  systems - the only thing that's different - the dataexchange between them 
  would happen at the local filesystem (you have to change the path at 
  config.xml usually set to /dev/fd0)
  
  you can even install ca and pub components to the same directory, then 
  you don't have to do dataexchange for the first testing steps... (so no 
  node interfaces is actually used)
  
 
 Again, how does this translate into ./configure options and/or make
 targets?  Would I just run:
 ./configure (but what options... or are there any special options for a
 single-computer installation?... I realize of course that there are many
 options that relate to my httpd and so forth, but I mean those that are
 specifically for OpenCA related to a single-computer installation... or
 are there any?)
 make
 make test
 make install-ca
 make install-ext
 any others?
 
 What about:
 install-ldap
 install-node
 etc.
 
 And exactly what is meant by node here (a computer?)?
 
  i will send some scripts tomorrow - which can be used
  to setup a simple testing system and also generates the necessary 
  apache.conf entries - which can be simply included then
  
 
 Thank you, dalani!
 
 -Kevin
 

I guess my other questions still stand.  Please pardon me if I'm being
dense here.  At first blush, installing OpenCA looks a bit more
complicated than the typical server software's installation routine of
./configure; make; make install.  The configure options for nodes are
clearly important, and the make targets also look important (and there
are many!).  Again, my apologies if these are stupid questions.  I think
that once I get a good understanding of this part, the rest will come to
me quickly.

Thanks.

-Kevin





Re: [Openca-Users] Single computer installation of OpenCA

2004-08-12 Thread Kevin
On Thu, 2004-08-12 at 08:01, Johnny Gonzalez wrote:
 Hello Kevin,
  
 I suggest you to read a document made by another Kevin, Kevin
 Mitcham, He wrote a document called OpenCA Cookbook, this document
 covers all the steps to configure and install OpenCA versions 0.9.2.X,
 read it and all of your questions, related to the installation
 process, will be solved.
  
 The link to Kevin Mitcham's Posting to the mail archive is:
  
 http://www.mail-archive.com/[EMAIL PROTECTED]/msg05421.html
  
 Hope this will help you,
  
  
 Johnny Gonzalez L.

Hi Johnny-

This looks very helpful!  Thanks, I'll study it in detail before posting
again.

-Kevin






Re: [Openca-Users] Single computer installation of OpenCA

2004-08-12 Thread Kevin Mitcham
At the Dartmouth PKI lab, we spent a good bit of time working on a very 
easy initial setup for single-server OpenCA.
We eventually generated a CD image with a script to help set up the 
initial versions.  It generates a minimal (and not secure) CA that 
should be enough to get people started.

You can learn more at
http://www.dartmouth.edu/%7Edeploypki/CA/InstallOpenCALiveCD.html
Hope this helps.  I've been mostly moved on to other projects, and so 
haven't been following the list as closely as I'd like to.

Kevin


smime.p7s
Description: S/MIME Cryptographic Signature


[Openca-Users] Re: images in openca-guide.pdf (was Re: Typo in openca-guide?)

2004-08-12 Thread Kevin
On Thu, 2004-08-12 at 09:29, Michael Bell wrote:
 Kevin wrote:
 
  The data exchange between such isolated databases can be handled
  automatically if you use a distributed database system but in the sense
  of OpenCA such a distributed database system is only on database in our
  tree.   ^^
  
  Is this word, on supposed to be one?
 
 You are right. one is correct.
 

Thanks.

 BTW if I look at openca-guide.pdf with gv then I see the images. If 
 somebody can explain this then this would help a lot to fix the problems 
 with acrobat reader.
 

I used xpdf and acrobat reader and saw no images (using the guide from
openca-0.9.2-RC6).  When I used gv, I saw the black-and-white line
drawings, but not the color drawing of the life-cycle of objects that I
see in the .html file with a web browser.  Actually, when I turned to
the page for the life-cycle of objects in gv, I saw a very brief (1
second) flash of the color drawing but then it disappeared and the page
was blank.

I'm using the following versions of the pdf viewers:
acroread-5.08
xpdf-2.03
gv-3.5.8-r2

I'm gonna upgrade to the latest available in Gentoo portage right now to
see if that helps:
[ebuild U ] app-text/gv-3.5.8-r4 [3.5.8-r2]  0 kB
[ebuild U ] app-text/xpdf-3.00-r1 [2.03] -cjk +motif  522 kB
[ebuild U ] app-text/acroread-5.09 [5.08] -cjk  9,066 kB

I'll post my results.

-Kevin






[Openca-Users] Re: images in openca-guide.pdf

2004-08-12 Thread Kevin
On Thu, 2004-08-12 at 10:18, Kevin wrote:
 On Thu, 2004-08-12 at 09:29, Michael Bell wrote:
  BTW if I look at openca-guide.pdf with gv then I see the images. If 
  somebody can explain this then this would help a lot to fix the problems 
  with acrobat reader.
  
...
 I'm gonna upgrade to the latest available in Gentoo portage right now to
 see if that helps:
 [ebuild U ] app-text/gv-3.5.8-r4 [3.5.8-r2]  0 kB
 [ebuild U ] app-text/xpdf-3.00-r1 [2.03] -cjk +motif  522 kB
 [ebuild U ] app-text/acroread-5.09 [5.08] -cjk  9,066 kB
 
 I'll post my results.
 

After the upgrades, I get the same results as before.

Not sure what else it could be...

-Kevin






Re: [Openca-Users] Re: images in openca-guide.pdf (was Re: Typo in openca-guide?)

2004-08-12 Thread Kevin
On Thu, 2004-08-12 at 11:32, Michael Bell wrote:
 Hi Kevin,
 
 I finally found a solution. I installed JAI into my Apache FOP and now I 
 can compile working PDF files by using JPEG and PNG. Actually I'm 
 committing new versions of the openca guide.
 
 Michael

Cool!  Thanks for letting me know.

-Kevin






[Openca-Users] Problem compiling: XML::Parser-2.23 important vice 2.34?

2004-08-12 Thread Kevin
Hi List-

Thanks very kindly to Johnny Gonzalez for pointing it out to me, and to
Kevin Mitcham for writing it, I've been using the OpenCA Cookbook to get
myself started.

Unfortunately, I'm having problems already.  Perhaps I need a different
perl module installed.  make gives me the following error message:

==
...
XML-Twig-3.09/MANIFEST
make[4]: Entering directory
`/mnt/tmp/working/openca-0.9.2-RC6/src/modules'
Checking if your kit is complete...
Looks good
Warning: prerequisite XML::Parser 2.23 not found.
Writing Makefile for XML::Twig
make[4]: Leaving directory
`/mnt/tmp/working/openca-0.9.2-RC6/src/modules'
make[4]: Entering directory
`/mnt/tmp/working/openca-0.9.2-RC6/src/modules/XML-Twig-3.09'
/usr/bin/perl5.8.4 speedup Twig.pm.slow  Twig.pm
Can't locate XML/Parser.pm in @INC (@INC contains:
../Digest-SHA1-2.02/blib/lib ../IO-Socket-SSL-0.92/blib/lib
../IO-stringy-2.108/blib/lib ../MIME-tools-5.411/blib/lib
../MailTools-1.58/blib/lib ../Net-Server-0.86/blib/lib
../XML-Twig-3.09/blib/lib ../libintl-perl-1.10/blib/lib
../openca-ac/blib/lib ../openca-configuration/blib/lib
../openca-crl/blib/lib ../openca-crypto/blib/lib ../openca-db/blib/lib
../openca-dbi/blib/lib ../openca-ldap/blib/lib ../openca-log/blib/lib
../openca-openssl/blib/lib ../openca-pkcs7/blib/lib
../openca-req/blib/lib ../openca-session/blib/lib
../openca-statemachine/blib/lib ../openca-tools/blib/lib
../openca-tristatecgi/blib/lib ../openca-ui-html/blib/lib
../openca-x509/blib/lib ../openca-xml-cache/blib/lib
../perl-ldap-0.28/blib/lib ../Digest-SHA1-2.02/blib/arch
../IO-Socket-SSL-0.92/blib/arch ../IO-stringy-2.108/blib/arch
../MIME-tools-5.411/blib/arch ../MailTools-1.58/blib/arch
../Net-Server-0.86/blib/arch ../XML-Twig-3.09/blib/arch
../libintl-perl-1.10/blib/arch ../openca-ac/blib/arch
../openca-configuration/blib/arch ../openca-crl/blib/arch
../openca-crypto/blib/arch ../openca-db/blib/arch
../openca-dbi/blib/arch ../openca-ldap/blib/arch ../openca-log/blib/arch
../openca-openssl/blib/arch ../openca-pkcs7/blib/arch
../openca-req/blib/arch ../openca-session/blib/arch
../openca-statemachine/blib/arch ../openca-tools/blib/arch
../openca-tristatecgi/blib/arch ../openca-ui-html/blib/arch
../openca-x509/blib/arch ../openca-xml-cache/blib/arch
../perl-ldap-0.28/blib/arch /etc/perl
/usr/lib/perl5/site_perl/5.8.4/i686-linux-thread-multi
/usr/lib/perl5/site_perl/5.8.4 /usr/lib/perl5/site_perl/5.8.2
/usr/lib/perl5/site_perl
/usr/lib/perl5/vendor_perl/5.8.4/i686-linux-thread-multi
/usr/lib/perl5/vendor_perl/5.8.4 /usr/lib/perl5/vendor_perl
/usr/lib/perl5/5.8.4/i686-linux-thread-multi /usr/lib/perl5/5.8.4
/usr/local/lib/site_perl /usr/lib/perl5/site_perl/5.8.2 .) at speedup
line 5.
BEGIN failed--compilation aborted at speedup line 5.
make[4]: *** [Twig.pm] Fehler 2
make[4]: Leaving directory
`/mnt/tmp/working/openca-0.9.2-RC6/src/modules/XML-Twig-3.09'
make[3]: *** [XML-Twig-3.09] Error 2
make[3]: Leaving directory
`/mnt/tmp/working/openca-0.9.2-RC6/src/modules'
make[2]: *** [modules] Error 2
make[2]: Leaving directory
`/mnt/tmp/working/openca-0.9.2-RC6/src/modules'
make[1]: *** [modules] Error 2
make[1]: Leaving directory `/mnt/tmp/working/openca-0.9.2-RC6/src'
make: *** [src] Error 2
tombstone openca-0.9.2-RC6 # epm -q XML-Parser
XML-Parser-2.34
==

It looks like make wants XML::Parser 2.23 and I have XML::Parser-2.34. 
Is this an important dependency?  I mean, does 2.34 lose something that
2.23 has?  If not, can someone offer any hints as to how to get around
this?  I configured with Kevin's configure line (or very near to it):

tombstone openca-0.9.2-RC6 # ./configure \
  --prefix=/usr/local/openra \
  --with-httpd-user=apache \
  --with-httpd-group=apache \
  --with-openca-prefix=/usr/local/openra/openca \
  --with-etc-prefix=/usr/local/openra/openca/etc \
  --with-httpd-fs-prefix=/usr/local/openra/httpd \
  --with-module-prefix=/usr/local/openra/modules \
  --with-node-prefix=ra-node \
  --with-engine=no \
  --with-web-host=gnosys.gnosys.us \
  --enable-ocspd \
  --enable-dbi \
  --enable-rbac \
  --with-hierarchy-level=ra

Or is this the problem?
Can't locate XML/Parser.pm in @INC (@INC contains:
...

I don't see XML/Parser.pm in @INC either.  How do I get it there given
that I do have this module installed on my system?

Any thoughts?

Thanks!

-Kevin






[Openca-Users] How to reach Massimiliano Pala

2004-08-11 Thread Kevin
Hi All-

I've been trying to send a non-list-type (ie. personal) email to
Massimiliano Pala (at [EMAIL PROTECTED]), but my MTA is reporting that
the destination MTA is refusing the message.  Here's the error:

Hi. This is the qmail-send program at
smtpout01-04.mesa1.secureserver.net.
I'm afraid I wasn't able to deliver your message to the following
addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

[EMAIL PROTECTED]:
217.133.34.6 does not like recipient.
Remote host said: 550 5.7.1 [EMAIL PROTECTED]... Relaying denied
Giving up on 217.133.34.6.

Does anyone here know how I can reach him via email?

TIA.

-Kevin





[Openca-Users] Single computer installation of OpenCA

2004-08-11 Thread Kevin
Hi List-

I've been studying the openca-guide.pdf file in the openca-SNAP-20040730
tarball (Is this the latest non-CVS source?  If not, where's the best
place to get the tarballs with openca.org down?) and looking at the
README and INSTALL files, and it's becoming clear that a typical test
installation of the OpenCA software involves two separate server
computers: one connected to a network (CA?) and the other NOT connected
to a network (RA?).  Since this will be my first installation and
strictly for my own testing purposes, I don't need (or want) that degree
of complexity.  Is there some way to get the full functionality of
OpenCA in a test environment by installing everything on one computer?

A possibly-related question is about the guide itself.  It reads as
follows:

4.2 How to setup two management interfaces on one server?

Exactly what is meant by management interface here?  Probably not
Network Interface (as in Network Interface Card)... perhaps Web
Interface? (as in, a different TCP port for each management function)? 
I'm guessing that if I can learn this part, my first question will be
moot.

I browsed the list archives for this question but didn't see it. 
Apologies if it's been asked before.

Thanks.

-Kevin






Re: [Openca-Users] Single computer installation of OpenCA

2004-08-11 Thread Kevin
On Wed, 2004-08-11 at 18:52, Ives Steglich wrote:
 Kevin wrote:
  Hi List-
  
  I've been studying the openca-guide.pdf file in the openca-SNAP-20040730
  tarball (Is this the latest non-CVS source?  If not, where's the best
  place to get the tarballs with openca.org down?) and looking at the
  README and INSTALL files, and it's becoming clear that a typical test
  installation of the OpenCA software involves two separate server
  computers: one connected to a network (CA?) and the other NOT connected
  to a network (RA?).  Since this will be my first installation and
  strictly for my own testing purposes, I don't need (or want) that degree
  of complexity.  Is there some way to get the full functionality of
  OpenCA in a test environment by installing everything on one computer?
  
 yes you can simply install everything on one system
 just use different directories for ca and pub stuff
 

Sorry if I'm being dense here, but how does this translate into
./configure options and/or make targets?

By use different directories do you mean while setting the configure
options? (ie. --with-ca-prefix=DIR, --with-node-prefix=NODEPREFIX,
--with-ra-prefix=DIR, etc.) or something else.  It looks like these all
default to different values anyway...  Am I missing something?

 you will then have full functionality as if both parts were on separate 
 systems - the only thing that's different - the dataexchange between them 
 would happen at the local filesystem (you have to change the path at 
 config.xml usually set to /dev/fd0)
 
 you can even install ca and pub components to the same directory, then 
 you don't have to do dataexchange for the first testing steps... (so no 
 node interfaces is actually used)
 

Again, how does this translate into ./configure options and/or make
targets?  Would I just run:
./configure (but what options... or are there any special options for a
single-computer installation?... I realize of course that there are many
options that relate to my httpd and so forth, but I mean those that are
specifically for OpenCA related to a single-computer installation... or
are there any?)
make
make test
make install-ca
make install-ext
any others?

What about:
install-ldap
install-node
etc.

And exactly what is meant by node here (a computer?)?

 i will send some scripts tomorrow - which can be used
 to setup a simple testing system and also generates the necessary 
 apache.conf entries - which can be simply included then
 

Thank you, dalani!

-Kevin





[Openca-Users] OpenCA cookbook

2004-06-24 Thread Kevin Mitcham
I've been working on getting some documents and files together to make 
an easy installation of OpenCA.  Here is what I've got so far.  I 
realize it isn't setting things up in the most secure fashion, but I'm 
hoping to help folks get past the initial steps before getting more 
complicated.

I'd appreciate any comments or pointers about what might be wrong or 
unclear in this document.

Thanks
to install from source
(actual commands marked with a *)
(We ran on Debian unstable)
(assumes an apache install using default options)


download new tarball from 
http://prdownloads.sourceforge.net/openca/openca-0.9.2-RC4.tar.gz?use_mirror=unc
into a source directory
Alternately, get the latest snapshot
We are currently running a snapshot from a couple of weeks ago; RC4 actually gave me 
some problems.

* gunzip openca-0.9.2-RC4.tar.gz 
* tar xvf openca-0.9.2-RC4.tar 

* make distclean 

first install the ra
(may want to update the web-host value)

* ./configure \
  --prefix=/usr/local/openra \
  --with-httpd-user=www-data \
  --with-httpd-group=www-data \
  --with-openca-prefix=/usr/local/openra/openca \
  --with-etc-prefix=/usr/local/openra/openca/etc \
  --with-httpd-fs-prefix=/usr/local/openra/httpd \
  --with-module-prefix=/usr/local/openra/modules \
  --with-node-prefix=ra-node \
  --with-engine=no \
  --with-web-host=localhost \
  --enable-ocspd \
  --enable-dbi \
  --enable-rbac \
  --with-hierarchy-level=ra

* make
* make install-online  


Now for the CA
(may want to update the web-host value)

* make distclean
* ./configure \
  --prefix=/usr/local/openca \
  --with-httpd-user=www-data \
  --with-httpd-group=www-data \
  --with-openca-prefix=/usr/local/openca/openca \
  --with-etc-prefix=/usr/local/openca/openca/etc \
  --with-httpd-fs-prefix=/usr/local/openca/httpd \
  --with-module-prefix=/usr/local/openca/modules \
  --with-node-prefix=ca-node \
  --with-engine=no \
  --with-web-host=localhost \
  --enable-ocspd \
  --enable-dbi \
  --enable-rbac \
  --with-hierarchy-level=ca 
  
* make
* make install-offline

create the DB:
*mysql -uroot -p mysql
password
create database openca;
create database openra;
grant all privileges on openca.* to [EMAIL PROTECTED] identified by 'openca';
grant all privileges on openra.* to [EMAIL PROTECTED] identified by 'openra';

test the DB
* mysql -uopenca -p
use openca
show tables
(should return empty set, as DB is empty)
exit;
* mysql -uopenra -p
use openra
show tables
(should return empty set, as DB is empty)
exit;

edit the apache httpd.conf (location varies, but this is the apache config file)
in the script aliases section, add:
# OpenCA Mods
# CA Aliases
Alias   /ca /usr/local/openca/httpd/htdocs/ca/
Alias   /ca-node /usr/local/openca/httpd/htdocs/ca-node/
ScriptAlias /cgi-bin/ca/ /usr/local/openca/httpd/cgi-bin/ca/ 
ScriptAlias /cgi-bin/ca-node/ /usr/local/openca/httpd/cgi-bin/ca-node/

# OpenCA Mods
# RA Aliases
Alias   /ra /usr/local/openra/httpd/htdocs/ra/
Alias   /pub /usr/local/openra/httpd/htdocs/pub/
Alias   /ra-node /usr/local/openra/httpd/htdocs/ra-node/
ScriptAlias /cgi-bin/ra/ /usr/local/openra/httpd/cgi-bin/ra/
ScriptAlias /cgi-bin/pub/ /usr/local/openra/httpd/cgi-bin/pub/
ScriptAlias /cgi-bin/ra-node/ /usr/local/openra/httpd/cgi-bin/ra-node/

# OpenCA Mods
<Directory /usr/local/openca/httpd/cgi-bin/>
 AllowOverride None
 Options ExecCGI
 Order allow,deny
 Allow from all
</Directory>
<Directory /usr/local/openra/httpd/cgi-bin/>
 AllowOverride None
 Options ExecCGI
 Order allow,deny
 Allow from all
</Directory>
<Directory /usr/local/openca/httpd/htdocs/>
 AllowOverride None
 Options FollowSymLinks Indexes
 Order allow,deny
 Allow from all
</Directory>
<Directory /usr/local/openra/httpd/htdocs/>
 AllowOverride None
 Options FollowSymLinks Indexes
 Order allow,deny
 Allow from all
</Directory>
# OpenCA Mods
# adding dir to symlinks following for cert retrieval
# not totally clear WHY openca puts a symlink here, but it did.
<Directory /usr/local/openra/httpd/cgi-bin/pub>
 AllowOverride None
 Options FollowSymLinks Indexes
 Order allow,deny
 Allow from all
</Directory>

modify the config.xml for the ra (located in /usr/local/openra/openca/etc)

Now onto the config.xml, for the ca and the ra.
for the CA:
general options 
ca_organization
ca_locality
ca_country
service_mail_account (set to [EMAIL PROTECTED])
dbmodule - DBI for the mysql database
db_type- mysql
db_name - openca
db_host - localhost  (or whatever)
db_port - 3306  (the mysql default port)
db_user - openca
db_passwd - XXX
configuration of absolute paths
(as needed.  once again, looks like some of the work is already done)
dataexchange configuration
de-activate default, by adding comment <!-- --> brackets
activate mode 1, node acts as CA only by removing comment brackets
configuration of relative paths
(as 
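
A tighter variant of the httpd.conf access section from the cookbook above, as an added example that is not part of the original post or of OpenCA: the CA, RA and node interfaces answer only on loopback, the pub interface stays open, and directory listings are turned off. It assumes the operator reaches the management interfaces from the server itself; paths and the Order/Allow/Deny syntax are the cookbook's own.

```apache
# Added example (not from the cookbook). Replaces the five <Directory>
# blocks above; the Alias and ScriptAlias lines stay as they are.
# Assumption: operators reach /ca, /ca-node, /ra and /ra-node from the
# server itself; only /pub has to be reachable by certificate users.
# On Apache 2.4 without mod_access_compat, "Require local" and
# "Require all granted" take the place of the Order/Deny/Allow lines.

# CA tree (ca, ca-node): CGI and static pages, loopback only.
<Directory /usr/local/openca/httpd/cgi-bin/>
 AllowOverride None
 Options ExecCGI
 Order deny,allow
 Deny from all
 Allow from 127.0.0.1
</Directory>
<Directory /usr/local/openca/httpd/htdocs/>
 AllowOverride None
 # Indexes removed: no directory listings of the CA document tree.
 Options FollowSymLinks
 Order deny,allow
 Deny from all
 Allow from 127.0.0.1
</Directory>

# RA tree (ra, ra-node, pub): closed by default.
<Directory /usr/local/openra/httpd/cgi-bin/>
 AllowOverride None
 Options ExecCGI
 Order deny,allow
 Deny from all
 Allow from 127.0.0.1
</Directory>
<Directory /usr/local/openra/httpd/htdocs/>
 AllowOverride None
 Options FollowSymLinks
 Order deny,allow
 Deny from all
 Allow from 127.0.0.1
</Directory>

# Only the public interface is opened again. Access directives in a
# deeper <Directory> replace the ones inherited from the parent.
<Directory /usr/local/openra/httpd/cgi-bin/pub>
 AllowOverride None
 # FollowSymLinks kept because the cookbook notes a symlink here.
 Options ExecCGI FollowSymLinks
 Order allow,deny
 Allow from all
</Directory>
<Directory /usr/local/openra/httpd/htdocs/pub>
 AllowOverride None
 Options FollowSymLinks
 Order allow,deny
 Allow from all
</Directory>
```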

[Openca-Users] problem starting openca

2004-05-10 Thread Kevin Mitcham
Using RC4, I'm having the following problem starting up the server:
[EMAIL PROTECTED]:/usr/local/openra/openca/etc# ./openca_start
Content-Type: text/html
?xml version=1.0 encoding=iso-8859-1?
!DOCTYPE html
PUBLIC -//W3C//DTD XHTML 1.0 Transitional//EN
 http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd;
html xmlns=http://www.w3.org/1999/xhtml; lang=C 
xml:lang=CheadtitleConfiguration Error/title
/headbody bgcolor=#FFCENTERBRHR 
WIDTH=80%BR/CENTEROLOLH1FONT COLOR=redError 
690/FONT/H1OL BConfiguration Error/B. Cannot initialize 
OpenCA::DBI class! The database returns errorcode 0. (Success (error 
10070: __OLD__ERRVAL__))./OL/OL/OL

/PRECENTERHR WIDTH=80%/CENTER
FONT SIZE=+0
/BODY
/HTML
OpenCA: Error Trapped: Cannot initialize OpenCA::DBI class! The database 
returns errorcode 0. (Success (error 10070: __OLD__ERRVAL__)) at 
/usr/local/openra/modules/perl5/OpenCA/UI/HTML.pm line 147, SOCK line 88.
Compilation failed in require at 
/usr/local/openra/openca/lib/servers/ra-node/functions/initServer line 
207, SOCK line 88.
Compilation failed in require at ./openca_start line 62, SOCK line 88.

I've checked and re-checked the Database part of the config.xml, and it 
all seems good to me.  Any hints from the more experienced parts of the 
world?

Kevin



[Openca-Users] Problem sending CRIN-Mail

2004-05-04 Thread Kevin Mitcham
To fix this bug, I replaced line 2576 in OpenSSL.pm
$smime->encrypt(CERTIFICATE  => $sign_x509)
with
$smime->encrypt(CERTIFICATE  => $enc_x509)
I was having the same problem with unreadable CRIN-mail, and so I 
updated the file with this fix and re-installed OpenCA.  Unfortunately, 
now the RA won't send email at all.

I have confirmed that send_mail_automatic is set to yes, and that 
sendmail is configured correctly.  I can send the generated crin mails 
(from var/temp/mail/crins) by hand, but they are still unreadable.

The problem is mostly just an annoyance at this point, as we have 
another (later) version of OpenCA running, and generating CRIN-mail 
correctly.

Are the CRIN-mail messages the only way to revoke certificates?  Is 
there a way for the admin to revoke a certificate without having the 
CRIN code: [ revocation pin ]?  Or to find out the CRIN code?

For example, to revoke the certificate of a user who is no longer 
affiliated with the CA organization.

Kevin



Re: [Openca-Users] RA CSR upload problesm

2004-04-23 Thread Kevin Mitcham
The best part about stupid problems is that the solutions are often easy 
and quick.  Fixing the config.xml file solved the problem immediately, 
thank you very much.

Kevin

Michael Bell wrote:
Kevin Mitcham wrote:

I'm having trouble uploading CSRs from my RA to the CA.

I submit the request, and approve it without signing, and everything 
seems to work.  However, when I go to the RA-Node/dataexchange to 
upload data to a higher level the export file is empty (except for 
the directory structure and module.id file)- no certificate requests 
are exported.
I'm trying to run it down in the source code myself, and failing.  Any 
suggestions?

I am running a snapshot from CVS as of April 18th-essentially RC4.


Did you correctly choose the appropriate configuration template for the 
dataexchange in config.xml before you are running configure_etc.sh on 
the RA and on the CA? OpenCA's dataexchange does not export or import 
anything if you don't change the used template in config.xml. We must do 
this for security reasons to avoid impacts into the infrastructure of 
the CA.

Best regards

Michael


smime.p7s
Description: S/MIME Cryptographic Signature


[Openca-Users] RA CSR upload problesm

2004-04-22 Thread Kevin Mitcham
I'm having trouble uploading CSRs from my RA to the CA.

I submit the request, and approve it without signing, and everything 
seems to work.  However, when I go to the RA-Node/dataexchange to 
upload data to a higher level the export file is empty (except for the 
directory structure and module.id file)- no certificate requests are 
exported.
I'm trying to run it down in the source code myself, and failing.  Any 
suggestions?

I am running a snapshot from CVS as of April 18th-essentially RC4.

Kevin


smime.p7s
Description: S/MIME Cryptographic Signature


Re: [Openca-Users] Re: Re: Phase II - Error 'Cannot encrypt PIN-mail' - Issue the certificate

2004-04-19 Thread Kevin Mitcham
Kevin Mitcham wrote:

I've got a complete new CVS snapshot, and I'm still getting the same 
error message.

Error 6794
  General Error. Cannot encrypt PIN-mail! Aborting!
  OpenCA::OpenSSL returns errorcode 8012006 
(OpenCA::OpenSSL::SMIME-encrypt: unknown problem encrypting (11). )..


Michael Bell wrote:

This looks definitely like an OpenSSL crash. Errorcode 11 means crypto 
lib failed. This is a direct errorcode from OpenSSL. Can you downgrade 
to 0.9.7c please and try it with this version?

We reinstalled with 0.9.7c, and seem to have moved past this problem. 
Hopefully we will get a little more along before we need more help. 
Thanks for the advice.

Kevin Mitcham


smime.p7s
Description: S/MIME Cryptographic Signature


Re: [Openca-Users] Re: Re: Phase II - Error 'Cannot encrypt PIN-mail' - Issue the certificate

2004-04-15 Thread Kevin Mitcham
I am getting this same error when I try to generate the initial
administrator certificate.  The Certificate is being generated, but
the error shows up.
   Error 6794
 General Error. Cannot encrypt PIN-mail! Aborting!
OpenCA::OpenSSL returns errorcode 8012006
(OpenCA::OpenSSL::SMIME-encrypt: unknown problem encrypting: )..


Michael Bell wrote:
Can you try CVS versions from OpenSSL.pm and SMIME.pm please? OpenSSL.pm
v1.108 and SMIME.pm v1.7 have a better errordetection. They can detect
installation problems so that we can reduce the number of possible errors.
I think this is the only way to solve your problem.
Is that a simple file replace, or is there more to updating the files 
than that?  Should I get an entirely new snapshot?

I tried the simple file replace, and generated errors when I tried to 
restart openca (output slightly modified to hide path info):

# ./openca_start
OpenCA::OpenSSL object version 0.9.103 does not match bootstrap 
parameter 0.9.108 at /usr/lib/perl/5.8/XSLoader.pm line 91.
Compilation failed in require at /modules/perl5/OpenCA/AC.pm line 557.
BEGIN failed--compilation aborted at /modules/perl5/OpenCA/AC.pm line 557.
Compilation failed in require at 
/openca/lib/servers/node/functions/initServer line 23.
BEGIN failed--compilation aborted at 
/openca/lib/servers/node/functions/initServer line 23.
Compilation failed in require at ./openca_start line 49.




smime.p7s
Description: S/MIME Cryptographic Signature


Re: [Openca-Users] Re: Re: Phase II - Error Cannot encrypt PIN-mail - Issue the certificate

2004-04-13 Thread Kevin Mitcham
Kevin Mitcham wrote:

I am getting this same error when I try to generate the initial 
administrator certificate.  The Certificate is being generated, but 
the error shows up.

Error 6794
  General Error. Cannot encrypt PIN-mail! Aborting!
  OpenCA::OpenSSL returns errorcode 8012006 
(OpenCA::OpenSSL::SMIME-encrypt: unknown problem encrypting: )..

I can't seem to find the correct place to add the suggested debug lines.


Michael Bell wrote:

Perhaps you have this problem too because of an installation bug. The 
tool openca-sv was installed to exec_prefix but the path in token.xml 
was set to prefix. Please check that the path to openca-sv is correct in 
token.xml. We updated OpenSSL.pm and SMIME.pm to return better 
errormessages. RC4 will report a wrong path correctly.

Michael
We have updated/patched the local OpenSSL (0.9.7d 17 Mar 2004) as per 
the earlier note, and I checked the token.xml path to openca-sv.  So far 
as I can tell, it is correct.  The values point to the actual location 
of openca-sv.

-rwxr-xr-x1 root root   321762 Apr  8 14:30 
/usr/local/openca.0.9.2/bin/openca-sv

Restarting the server, apache and the entire machine after the patch 
didn't resolve the issue either.

Kevin


smime.p7s
Description: S/MIME Cryptographic Signature


Re: [Openca-Users] Re: Re: Phase II - Error Cannot encrypt PIN-mail - Issue the certificate

2004-04-12 Thread Kevin Mitcham
I am getting this same error when I try to generate the initial 
administrator certificate.  The Certificate is being generated, but the 
error shows up.

Error 6794
  General Error. Cannot encrypt PIN-mail! Aborting!
  OpenCA::OpenSSL returns errorcode 8012006 
(OpenCA::OpenSSL::SMIME-encrypt: unknown problem encrypting: )..

I can't seem to find the correct place to add the suggested debug lines.

I am running openca-0.9.2-RC3:
Module          Version
OpenSSL         0.9.103
Tools           0.4.3
DB              0.9.99
Configuration   1.5.3
TRIStateCGI     1.5.5
REQ             0.9.54
X509            0.9.52
CRL             0.9.22
PKCS7           0.9.17
and the config is as follows:
./configure \
  --prefix=${PREFIX} \
  --with-httpd-user=www-data \
  --with-httpd-group=www-data \
  --with-openca-prefix=${PREFIX}/openca \
  --with-etc-prefix=${PREFIX}/openca/etc \
  --with-httpd-fs-prefix=${PREFIX}/httpd \
  --with-module-prefix=${PREFIX}/modules \
  --with-engine=no \
  --with-web-host=openca.dartmouth.edu \
  --with-ca-organization=Dartmouth \
  --with-ca-country=US \
  --with-ca-locality=Hanover \
  --enable-ocspd \
  --enable-dbi \
  --with-db-host=openca.dartmouth.edu \
  --with-db-port=3306 \
  --with-db-user=openca \
  --with-db-passwd=Wah7Eegh \
  --disable-rbac \
  --with-hierarchy-level=ra \
  --with-service-mail-account=[EMAIL PROTECTED] \
  --enable-update-ldap-automatic
Any hints/clues?

Thanks.

Kevin Mitcham
Dartmouth PKI Lab


smime.p7s
Description: S/MIME Cryptographic Signature


[Openca-Users] online.conf file

2004-02-18 Thread Kevin Mitcham
I'm having trouble finding the online.conf file, which is referenced in 
several of the documents as part of the configuration of the ldap.

I'm looking in the servers/ directory, and the online.conf file is not 
present.  Do I need to create it manually, or should it have been 
generated by the install?

Kevin Mitcham
Dartmouth PKI Lab


Re: [Openca-Users] RedHat Installation Issue

2003-10-10 Thread Kevin Blanchard

I have been doing some work with openca on RH9, my first recommendation is to download a version of apache from their site and recompile it before going any further. My exp. with RH is that many of the compiled binaries are incomplete. Try downloading it, recompile and then try it again, and let me know if you still get the same error, and make sure you install apache in a NEW directory, not the same :)

Kevin Blanchard
President / CEO
Nykon Systems
http://www.nykon-systems.net
"Making Linux a little less scary since 2001"

Re: [Openca-Users] RedHat Installation Issue

2003-10-10 Thread Kevin Blanchard
out of curiosity... what is the output of your "perl -V" ?

Christopher Harrington [EMAIL PROTECTED] wrote:

On Fri, 2003-10-10 at 10:43, Kevin Blanchard wrote:
 I have been doing some work with openca on RH9, my first recommendation is
 to download a version of apache from their site and recompile it before
 going any further. My exp. with RH is that many of the compiled binaries
 are incomplete. Try downloading it, recompile and then try it again, and
 let me know if you still get the same error, and make sure you install
 apache in a NEW directory, not the same :)

I removed the RH9 Apache install and compiled from source. I get the
same error in the logs:

[Fri Oct 10 15:55:08 2003] [error] [client 127.0.0.1] Undefined subroutine main::configError called at /usr/local/apache2/cgi-bin/ca/ca line 86., referer: http://localhost/ca/index.html

configError is not defined somewhere. My guess is it is defined in a
package or module that I don't have or have the wrong version of.

Is there a way to find out where this file is defined?

--Chris

[Openca-Users] OpenCA-0.9.1, Windows XP, IE 6, svc pack 1

2003-02-23 Thread Kevin Metz

I looked in the archives and found something close but not
my exact problem.

When I go and try to request a certificate and click on the auto-detect, I
go through the first step of putting in all the information. And then I get
the confirmation page, and I get the Default cryptographic device (I've
selected 1024 as the key size). When I click on the Continue button at the
bottom of the page, I get nothing. I can't find anything in the error logs
either. Now, I'm able to request a certificate using Netscape and it works.
But I'm really hoping to get it working with Internet Explorer as well.

Any information or suggestions would be greatly appreciated!

Kevin








[Openca-Users] Invalid expiry date

2002-09-08 Thread Kevin Metz

I'm getting closer!! I was finally able to reverse engineer the backup 
process and import all my old certs, along with my old cacert. And they 
all list now in the database. So I'm VERY happy. However, it seems I 
keep running into stops, and this is my latest. I'm trying to sign a 
certificate, and at the very last step, where I'm trying to issue the 
certificate, I get this error

Using configuration from /usr/local/OpenCA/etc/openssl/openssl/User.conf
entry 2: invalid expiry date
unable to write 'random state'
General Error Trapped 6757: Error while storing the request's serial in 
cert-object at /usr/local/OpenCA/lib/functions/misc-utils.lib line 38.
Compilation failed in require at /usr/local/OpenCA/apache/cgi-bin/ca/ca 
line 194.


My cacert is valid until 2007 (I think I picked like 5 years or 
something). Is it possible that's getting picked up as being invalid? And 
so therefore it won't issue any other certs?

Thanks again for your help and patience.

Kevin





[Openca-Users] Upgrading

2002-09-06 Thread Kevin Metz

I ran an old version of OpenCA and am now forced to upgrade. I downloaded 
the RC2 candidate, and after much puzzling and tweaking I've got the 
basics working. Now, what I REALLY need is to be able to import all my 
old certificates. I never backed them up to disk, so I don't have a tar 
file or anything. However, I've got the old OpenCA directory with all 
the files. I already got the certificate keys over and all, and can sign 
new certificates with no problem. However, I've tried copying over the 
old certificates, with no success. I've tried the openca-importcerts 
several times with no success. Since this version uses a database, I 
really need to get these imported since there seems to be no other 
alternative. Any assistance would be GREATLY appreciated

Thanks

Kevin





RE: [Openca-Users] Upgrading

2002-09-06 Thread Kevin Metz

Let me first just say thanks for the feedback! My problem was a little 
less complicated than that. I was using a much earlier version, like 
0.2.0 I think. All I really needed was to import the old certs, not the 
old database or anything like that.

The fix was, to go to the Registration Authority server, then the 
Registration Authority Admin page. Next click on Input and Output. From 
there I clicked on Export All. I then found the tar file in 
/tmp/openca-outca.tar. I untarred it, went to the CERTIFICATE directory, 
then the VALID directory. I copied all of my valid certificates into 
there. Once that was done, went to the Import all screen. Once I did 
that, it then loaded up all my old certificates into the current 
database. Kinda kludgy, but I think it works.

Again, THANKS! Just thought I'd post my follow-up in case anyone else 
has the same kind of problem.

Kevin






[Openca-Users] Newer Versions

2001-08-01 Thread Kevin Elliott

Greetings,

Just like to let everyone know that OpenCA 0.8.0 branch is working _MUCH_
better for me. Congrats! Much cleaner install using configure too. I'm
having problems generating the CA request though. I have no problem using
the interface to create the Key, which I confirmed is at
/usr/local/OpenCA/private/cakey.pem. But, when I generate the CA request, I
get a blank screen, and view source shows that the html was completed, just
no content in the middle of the source. The file careq.pem is not created.

Any ideas?

Also, maybe it's time to put the PRE-0.8.0 stuff at the top of the distro
pages so people don't get confused, like I did ;]

-Kevin Elliott






RE: [Openca-Users] ie_enroll.scp

2001-07-31 Thread Kevin Elliott

Robert,

Sorry for my confusion, but are you developing an IE interface to
the CAPI with Javascript or VBScript in order to successfully
generate a certificate request and install the cert using CryptoAPI
in Windows?

Best Regards,

Kevin Elliott

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Robert
Hannemann
Sent: Tuesday, July 31, 2001 6:30 AM
To: [EMAIL PROTECTED]
Subject: [Openca-Users] ie_enroll.scp


Hello, 

in the ie_enroll.scp there are the following lines

  if( checkField( myForm.locality, "Organization" )) {
  szName += ", L=" + myForm.locality.value; 

and 

  if( checkField( myForm.state, "Organization" )) {
  szName += ", S=" + myForm.organization.value; 

Is it o.k. to check against Organization and in the second part to
append the organization value ?

Also I get an error (in the browser bottom-line ) when I confirm the
ie-cert request with an IE - nothing happens when I press continue .
How can I watch those errors ( any log files ) ?

Thanks for your help,

Robert
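
The question above is about the S= component being filled from the organization field. As an added example (not OpenCA's ie_enroll.scp; SUBJECT_FIELDS, checkValue() and buildSubject() are hypothetical names, and the "Locality" and "State" labels are assumed), a table-driven builder keeps each attribute's label, key and source field in one row so they cannot drift apart, and is compared with the quoted logic on constructed input:

```javascript
"use strict";

// One row per subject attribute: form field, label for error text, DN key.
const SUBJECT_FIELDS = [
  { field: "organization", label: "Organization", key: "O" },
  { field: "locality",     label: "Locality",     key: "L" },  // label assumed
  { field: "state",        label: "State",        key: "S" },  // label assumed
];

// Conservative check: characters that would change the structure of a
// comma-separated subject string are refused rather than escaped.
const DN_SPECIAL = /[,+="\\<>;#\r\n]/;

// Hypothetical stand-in for checkField(): returns an error string or null.
function checkValue(value, label) {
  if (typeof value !== "string" || value.trim() === "") return label + " is empty";
  if (DN_SPECIAL.test(value)) return label + " contains a DN special character";
  return null;
}

// Build "O=..., L=..., S=..." from a form-like object ({ name: { value } }).
function buildSubject(form) {
  const parts = [];
  const errors = [];
  for (const { field, label, key } of SUBJECT_FIELDS) {
    const input = form[field];
    if (!input || input.value === "") continue;   // optional field left blank
    const err = checkValue(input.value, label);
    if (err) { errors.push(err); continue; }
    parts.push(key + "=" + input.value.trim());   // value comes from the same row
  }
  return { subject: parts.join(", "), errors };
}

// The two quoted fragments reproduced as-is: S= receives the organization value.
function buildSubjectAsQuoted(form) {
  let szName = "";
  if (form.locality.value) szName += ", L=" + form.locality.value;
  if (form.state.value)    szName += ", S=" + form.organization.value;
  return szName;
}

// Constructed sample input, not taken from the thread.
const sampleForm = {
  organization: { value: "Example Org" },
  locality:     { value: "Springfield" },
  state:        { value: "Oregon" },
};
```

With the sample form, the quoted logic puts "Example Org" into S=, while the table-driven version puts "Oregon" there.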




RE: [Openca-Users] Net::LDAPapi Module compile fails

2001-07-30 Thread Kevin Elliott

To all regarding this issue, that perl problem was solved 20 minutes after
I faced the problem by simply relinking /usr/local/bin/perl to a 5.003
version as I stated before. The na problem went away. There were still
pointer dereferencing issues that showed up everywhere. It was finally
solved by using OpenLDAP 1.2.2 instead of 2.0.1. I'm guessing there are some
changes in 2.0.1 from 1.2.2, more specifically, things like void pointers
in front of integer definitions, and the like, instead of raw integers.

So, I thankfully got that part working. Only thing now, is I can't get a
certificate approved now. I click the approve, and then it shows me the
same page with no fields, and just text for the cert details, and has
the approve button. Very odd.

-Kevin

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of root
Sent: Monday, July 30, 2001 3:31 AM
To: [EMAIL PROTECTED]
Subject: Re: [Openca-Users] Net::LDAPapi Module compile fails


Kevin Elliott wrote:

 Robert,

 Thanks for the assistance. Unfortunately, that post did not help and was
 slightly unrelated. In that post, a variable na was not defined. In my
 particular case, it's very different. I've tried 1.42 and 1.43 of
 Net::LDAPapi as well. Both with the same results. I have also tried using
 just Perl 5.003, and 5.6.

 Anyone else know what's wrong?

 -Kevin Elliott

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]]On Behalf Of Robert
 Hannemann
 Sent: Friday, July 27, 2001 3:03 AM
 To: [EMAIL PROTECTED]
 Subject: Re: [Openca-Users] Net::LDAPapi Module compile fails

 Hi Kevin,

 I've found a mail in the openssl mailinglist - hope this will help ...

 http://www.openldap.org/cgi-bin/wilma_hiliter/openldap-software/28/msg00377.html

 Regards,

 Robert

 Kevin Elliott wrote:
 
  Greetings,
 
  I've been attempting to install the Net::LDAPapi perl module, but there
  are some conflicts and problems with the libs and includes for OpenLDAP
  2.0.1. Any ideas? I'm including the compile log.
 
  Thanks,
 
  Kevin
 
  Net::LDAPapi Perl5 Module - by Clayton Donley [EMAIL PROTECTED]
 
  Enter How I Should Run Perl5 (ex. /usr/bin/perl, c:\perl\bin\perl),
   (default: /usr/local/bin/perl)?
 
  Select your Development Kit:
1.  Netscape (default)
2.  University of Michigan
3.  ISODE (compiled with LDAP)
  Choose: 2
  Location of LDAP Include Files (default: /usr/include):
  Location of LDAP Library Files (default: /usr/lib):
  Using Kerberos for Authentication (default: n)?
  Checking if your kit is complete...
  Looks good
  Writing Makefile for Net::LDAPapi
  mkdir blib
  mkdir blib/lib
  mkdir blib/lib/Net
  mkdir blib/arch
  mkdir blib/arch/auto
  mkdir blib/arch/auto/Net
  mkdir blib/arch/auto/Net/LDAPapi
  mkdir blib/lib/auto
  mkdir blib/lib/auto/Net
  mkdir blib/lib/auto/Net/LDAPapi
  mkdir blib/man3
  cp LDAPapi.pm blib/lib/Net/LDAPapi.pm
  AutoSplitting blib/lib/Net/LDAPapi.pm (blib/lib/auto/Net/LDAPapi)
  /usr/local/bin/perl constant.gen constant.h
 

/usr/bin/perl -I/usr/local/lib/perl5/5.6.0/i686-linux -I/usr/local/lib/perl5
  /5.6.0 /usr/local/lib/perl5/5.6.0/ExtUtils/xsubpp  -typemap
  /usr/local/lib/perl5/5.6.0/ExtUtils/typemap -typemap typemap LDAPapi.xs

  LDAPapi.xsc  mv LDAPapi.xsc LDAPapi.c
 
cc -c  -fno-strict-aliasing -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -O2

-DVERSION=\1.42\ -DXS_VERSION=\1.42\ -fpic -I/usr/local/lib/perl5/5
 .6
  .0/i686-linux/CORE -Dbool=char -DHAS_BOOL LDAPapi.c
  In file included from LDAPapi.xs:21:
  ldap_compat.h:14: warning: `LDAP_OPT_DEREF' redefined
  /usr/include/ldap.h:88: warning: this is the location of the previous
  definition
  ldap_compat.h:15: warning: `LDAP_OPT_SIZELIMIT' redefined
  /usr/include/ldap.h:89: warning: this is the location of the previous
  definition
  ldap_compat.h:16: warning: `LDAP_OPT_TIMELIMIT' redefined
  /usr/include/ldap.h:90: warning: this is the location of the previous
  definition
  ldap_compat.h:17: warning: `LDAP_OPT_REFERRALS' redefined
  /usr/include/ldap.h:92: warning: this is the location of the previous
  definition
  ldap_compat.h:19: warning: `LDAP_OPT_ON' redefined
  /usr/include/ldap.h:151: warning: this is the location of the previous
  definition
  ldap_compat.h:20: warning: `LDAP_OPT_OFF' redefined
  /usr/include/ldap.h:152: warning: this is the location of the previous
  definition
  LDAPapi.xs: In function `av2modvals':
  LDAPapi.xs:95: `na' undeclared (first use in this function)
  LDAPapi.xs:95: (Each undeclared identifier is reported only once
  LDAPapi.xs:95: for each function it appears in.)
  LDAPapi.xs: In function `parse1mod':
  LDAPapi.xs:197: `na' undeclared (first use in this function)
  LDAPapi.xs: In function `XS_Net__LDAPapi_ldap_set_option':
  LDAPapi.xs:385: dereferencing pointer to incomplete type
  LDAPapi.xs:386: dereferencing pointer to incomplete type
  LDAPapi.xs:387: dereferencing pointer to incomplete type
  LDAPapi.xs:389: dereferencing

RE: [Openca-Users] No Net::LDAPapi necessary

2001-07-30 Thread Kevin Elliott

Michael,

Thanks for the clarification. Although, the cgi still requires Net::LDAPapi
so I'm assuming you have sub/includes still?

-Kevin Elliott

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Michael
Bell
Sent: Monday, July 30, 2001 5:31 AM
To: [EMAIL PROTECTED]
Subject: [Openca-Users] No Net::LDAPapi necessary


Hi,

I have to apologize to all the people who asked for Net::LDAPapi for the
completely wrong answers.

There is a big difference between Net::LDAP and Net::LDAPapi. OpenCA uses
Net::LDAP and NOT Net::LDAPapi. So please install Net::LDAP (=v0.22)
and all should work fine. (I realized my mistake only when I saw the
version numbers of Net::LDAPapi.)

Sorry for wasting your time :-(

Cheers,

Michael
--

Michael Bell                    Email: [EMAIL PROTECTED]
Rechenzentrum - Datacenter      Email (work): [EMAIL PROTECTED]
Humboldt-University of Berlin   Tel.(work): +49 (0)30-2093 2482
Unter den Linden 6              Fax.(work): +49 (0)30-2093 2959
10099 Berlin
Germany                         [OpenCA Core Developer]

http://openca.sourceforge.net

