Re: [Openca-Users] Some Questions about OpenCA Batch Processor
Okay, I figured out some things by myself. First, my own PIN is correctly imported by using the name purePIN instead of importedPIN. Second, regarding the breaking workflow, the certificate is indeed created and stored, but after the break no further PKCS#12 can be enrolled. stderr.log does not have any valuable entries regarding this, except that everything has worked fine... Then, when I set the actual state to NEW_CERT, it continues to ENROLLED_PIN, but then it breaks while performing enroll_pkcs12 because "The certificate cannot be determined". However, all works fine when I use one key for CA, BP, Key_Backup and LOG, so I think there is a problem when using different keys. Can somebody reproduce this, or give me a hint what I should try next?

Ralf

Ralf Hornik Mailings r...@best.homeunix.org wrote:

Dear list,

I want to learn something about the BP module, so I read the (a little too) short explanation in the OpenCA Documentation. I found some more information via Google, but I cannot put it together usefully...

1. I created a separate bp/log/backup key since my CA key is located on an eToken.
2. I created a certificate for this key (bp_cert.pem) and changed all corresponding symlinks (key and certs) for log and key_backup.
3. I created a file batch_process_data.txt with this content:

USER ralf
PROCESS gen_cert_ralf
set_state new_process
ROLE User
SUBJECT_ALT_NAME_1 email:r...@xxx
SUBJECT emailaddress=r...@xxx, CN=Ralf Hornik, O=Daheim, C=DE
LOA_MODE USE_IT
LOA 10
imported...@private
-BEGIN MYPIN-
-BEGIN PKCS7-
MIICBwYJKoZIhvcNAQcDoIIB+DCCAfQCAQAxggGvMIIBqwIBADCBkjCBjDELMAkG
A1UEBhMCREUxGDAWBgNVBAoTD05hdGl2ZSBTZWN1cml0eTESMBAGA1UECxMJTmFz
ZWMgUEtJMSAwHgYDVQQDExdOYXRpdmUgU2VjdXJpdHkgUm9vdCBDQTEtMCsGCSqG
SIb3DQEJARYedHJ1c3RjZW50ZXJAbmF0aXZlLXNlY3VyaXR5LmRlAgEtMA0GCSqG
SIb3DQEBAQUABIIBAGap19ueBhm5TOWrAupP7d6z6ZdcwaaGWbC39WYjK69geSJo
Br3PdhTy4JwygXdevcBlsNVNadt1SHIzosc110B6dWY+y/DdnrVyV9JrxA5YdEsr
XqoJ8u/kNN15GLEDvyjZuBba98kFY6MqHup+Sco/VwtCkKxo0CCRWj3FqvsRzPz6
l2nhURSCZ3jZYOPFPfWsmF6HGc3QQjPPnF2c2bjlCMKzNpIHOwtIwOmRZ8M5ZTt3
WRbEVz7/we/t90cCf2HWFpPBIR2PXYw8ej8JOb4PfDtlzFPKJAshK5MbK20M8n29
ik9ESuraIBlQ82nq0k+HHBcGScqL7U+HigxGbB8wPAYJKoZIhvcNAQcBMB0GCWCG
SAFlAwQBKgQQgebx01xrdMjKCXFMQQy7UoAQFFRAITpt2hamg9H2mgYZww==
-END PKCS7-
-END MYPIN-

(The PKCS7 was created using openca-sv.)

4. I imported it into the batch interface using Quick Import. Now I can see the new user and process, but at first the PIN is not shown because the web interface says (Unknown File: importedPIN).
5. Anyway, next I start a new workflow using "Do one step for all workflows", choose 16 steps and activate the CA key AND the BP key for the operation. But the batch process stops with this error:

Cannot issue the certificate (6794). Cannot encrypt PIN-mail! Aborting! OpenCA::OpenSSL returns errorcode 0 (). -130

and the actual state of the process is CHECKED_CSR. In stderr.log I see my newly issued certificate, but it doesn't seem to be stored anywhere.

So my questions are:

1. How can I import the PIN from the PKCS7 file so that I can use it later?
2. Why are the issued certificates not stored? What's wrong?
3. Does the batch process run in the background once activated using "Do one step for all workflows", or do I have to configure something more?

Thank you very much for any help.

Ralf

-- everything stays different...

Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users
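As an added example (not OpenCA's own code and not part of the post above): a parser for a batch import file of the shape Ralf lists, plus the check a practitioner would want before importing one, namely that the PIN block is PKCS#7 EnvelopedData (encrypted to a recipient key) and not SignedData or plain Data that would carry the PIN in clear. The line layout, the nesting of the MYPIN/PKCS7 armour, the attribute name purePIN and the example address are assumptions modelled on the listing; the PKCS#7 blob is the one pasted in the post.

```python
"""Added example, not OpenCA code: parse a batch import file shaped like the one
in the post above and check that its PIN block is PKCS#7 EnvelopedData (really
encrypted), not SignedData or plain Data that would carry the PIN in clear."""
import base64
import re

MARK_RE = re.compile(r"^-+(BEGIN|END) (\w+)-+$")
# Constructed sample: Ralf's listing with masked addresses replaced by
# ralf@example.org and the PIN attribute named purePIN (the name he reports
# works); the PKCS#7 blob is the one pasted in the post.
SAMPLE = """\
USER ralf
PROCESS gen_cert_ralf
set_state new_process
ROLE User
SUBJECT_ALT_NAME_1 email:ralf@example.org
SUBJECT emailaddress=ralf@example.org, CN=Ralf Hornik, O=Daheim, C=DE
purePIN
-----BEGIN MYPIN-----
-----BEGIN PKCS7-----
MIICBwYJKoZIhvcNAQcDoIIB+DCCAfQCAQAxggGvMIIBqwIBADCBkjCBjDELMAkG
A1UEBhMCREUxGDAWBgNVBAoTD05hdGl2ZSBTZWN1cml0eTESMBAGA1UECxMJTmFz
ZWMgUEtJMSAwHgYDVQQDExdOYXRpdmUgU2VjdXJpdHkgUm9vdCBDQTEtMCsGCSqG
SIb3DQEJARYedHJ1c3RjZW50ZXJAbmF0aXZlLXNlY3VyaXR5LmRlAgEtMA0GCSqG
SIb3DQEBAQUABIIBAGap19ueBhm5TOWrAupP7d6z6ZdcwaaGWbC39WYjK69geSJo
Br3PdhTy4JwygXdevcBlsNVNadt1SHIzosc110B6dWY+y/DdnrVyV9JrxA5YdEsr
XqoJ8u/kNN15GLEDvyjZuBba98kFY6MqHup+Sco/VwtCkKxo0CCRWj3FqvsRzPz6
l2nhURSCZ3jZYOPFPfWsmF6HGc3QQjPPnF2c2bjlCMKzNpIHOwtIwOmRZ8M5ZTt3
WRbEVz7/we/t90cCf2HWFpPBIR2PXYw8ej8JOb4PfDtlzFPKJAshK5MbK20M8n29
ik9ESuraIBlQ82nq0k+HHBcGScqL7U+HigxGbB8wPAYJKoZIhvcNAQcBMB0GCWCG
SAFlAwQBKgQQgebx01xrdMjKCXFMQQy7UoAQFFRAITpt2hamg9H2mgYZww==
-----END PKCS7-----
-----END MYPIN-----
"""

PKCS7_OID = bytes.fromhex("2a864886f70d0107")   # 1.2.840.113549.1.7, DER octets
PKCS7_TYPES = {1: "data", 2: "signedData", 3: "envelopedData", 6: "encryptedData"}

def parse_batch_file(text):
    """One dict per USER record.  Assumed layout (OpenCA's grammar may differ):
    "NAME value" per line; a bare NAME is followed by a nested BEGIN/END block
    whose inner lines become its value verbatim."""
    records, current, attr, block, depth, body = [], None, None, None, 0, []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = MARK_RE.match(line)
        if m and block is None:                     # outermost BEGIN
            block, depth, body = m.group(2), 1, []
        elif block is not None:                     # inside a block
            depth += {"BEGIN": 1, "END": -1}[m.group(1)] if m else 0
            if depth:
                body.append(line)
            else:                                   # outermost END: store value
                current[attr or block], attr, block = "\n".join(body), None, None
        else:
            name, _, value = line.partition(" ")
            if name == "USER":
                records.append(current := {"USER": value})
            elif value:
                current[name] = value               # TypeError before any USER
            else:
                attr = name                         # bare name: block follows
    return records

def pem_body(armored, label):
    """Base64-decode the lines between the BEGIN/END markers named `label`."""
    b64, inside = [], False
    for line in map(str.strip, armored.splitlines()):
        m = MARK_RE.match(line)
        if m and m.group(2) == label:
            inside = m.group(1) == "BEGIN"
        elif inside:
            b64.append(line)
    if not b64:
        raise ValueError("no %s block" % label)
    return base64.b64decode("".join(b64), validate=True)

def der_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long form: next n bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def pkcs7_content_type(der):
    """Name of the ContentInfo contentType of a DER-encoded PKCS#7 object."""
    tag, start, end = der_tlv(der, 0)
    otag, ostart, oend = der_tlv(der, start)
    oid = der[ostart:oend]
    if tag != 0x30 or end != len(der) or otag != 0x06:
        raise ValueError("not a DER SEQUENCE starting with an OID")
    if len(oid) != len(PKCS7_OID) + 1 or not oid.startswith(PKCS7_OID):
        raise ValueError("contentType is not a PKCS#7 type: " + oid.hex())
    return PKCS7_TYPES.get(oid[-1], "pkcs7-type-%d" % oid[-1])

def check_pins(records, attr="purePIN"):
    """Map USER -> PKCS#7 content type of its PIN block ('missing' if absent)."""
    return {r["USER"]: pkcs7_content_type(pem_body(r[attr], "PKCS7"))
            if attr in r else "missing" for r in records}
```

For the sample above, check_pins(parse_batch_file(SAMPLE)) reports the single record as envelopedData, which is what an openca-sv encrypted PIN should look like; a block that comes back as data or signedData means the PIN would be imported in clear text, and a record without the attribute is reported as missing rather than silently accepted.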
Re: [Openca-Users] Some questions about OpenCA
Hi Juan,

You can find a brief overview of the batch system here: http://www.openca.info/docs/ws20041012/5_BatchSystem.pdf and some docs here: http://www.openca.info/docs/guide/html_chunked/ch18.html

If you need a way to create requests from a third-party data source, you should use the real batch system. This will create certificates from a plain text file with some data.

1. How could I do this?

The operation is really simple:
* create the text files with the certificate data
* call the batch interface - Workflows
* import the text file
* call the workflow engine
* enroll your data (no default implementation - you must do this yourself!)
* enjoy :)

2. What format do the plain text files have to be in?

It's in the guide above.

3. What kind of modifications do I have to perform to the batch processor to be able to issue certificates without RA approval? And if the approval is needed, how can I sign all requests in only one step?

The batch requests go directly into the Batch/CA system; there is no RA step on this data. Further modifications depend on your use case. There is a standard workflow shipped with the distribution that takes DN, mail and name from the import file; I can provide a modified version that also reads the PIN from the import file. If you need more/other stuff, you must edit the workflows; how this works is in the guide too.

4. Could you please tell me all the steps for the generation of the approval and signing of the requests? To see if we can develop something out of OpenCA to do this.

See above.

You need the cert/public key - this is accessible outside the HSM. Have you created a CA certificate?

Yes I did.

No more ideas on this... please check:
* is the CA cert correctly in the CA database?
* is the CA certificate file in var/crypto/cacert?
* is the CA cert file included in the data exchange file?
* is the var/crypto/cacerts directory on the RA side writable?
Oliver

-- This message was digitally signed. oliwel's public key: http://www.oliwel.de/oliwel.crt Base certificate: http://www.ldv.ei.tum.de/page72
Re: [Openca-Users] Some questions about OpenCA
Hello Juan,

Actually we have the OpenCA environment mounted on one machine, and we tried to migrate it to a configuration with two machines, one for the CA and one for the RA, but we have found some problems and OpenCA doesn't want to work on two separate machines.

What exactly have you done, and what version are you using?

1. We configured the RA machine with "make install-online", but this didn't create the batch interface, which our project requires in order to sign all received requests with only a few mouse clicks.

You can't sign on the RA! The batch system needs the private key of the CA and so is located on the CA.

2. After having configured the CA on my CA machine, I tried to export the configuration to the RA machine. After importing, everything was good, but when I tried to view a request made using the User Public Interface I got this error message:

Error 700 *General Error* The compilation of the command cmdViewCSR failed. Can't use an undefined value as a HASH reference at /usr/local/OpenCA/lib/functions/crypto-utils.lib line 1149.

I tried looking in the database to see if the configuration worked well, but I can see there's nothing in the ca_certificate table.

Questions:

1. What should I do to install the batch interface within the normal steps of the configuration/installation?

See above - you can't.

2. What should I do to export the configuration (including ca_certificate) from CA to RA? I did it, in the CA, using node -- Administration -- Dataexchange -- Enroll data to a lower level of the hierarchy -- Configuration, and in the RA, node -- Administration -- Dataexchange -- Download data from a higher level of the hierarchy -- Configuration.

This should work normally; I guess you screwed something up. Is the CA certificate correctly installed in the CA?

Oliver
Re: [Openca-Users] Some questions about OpenCA
Hello Oliver,

I'm using openca-0.9.2.1.

You can't sign on the RA! The batch system needs the private key of the CA and so is located on the CA.

So, how do I approve requests in the RA using the batch system?

I did it, in the CA, using node -- Administration -- Dataexchange -- Enroll data to a lower level of the hierarchy -- Configuration, and in the RA, node -- Administration -- Dataexchange -- Download data from a higher level of the hierarchy -- Configuration.

This should work normally; I guess you screwed something up. Is the CA certificate correctly installed in the CA?

I'm using an HSM, so the private key cannot be exported. So what should I do in that case?

Juan David
Re: [Openca-Users] Some questions about OpenCA
Hello Oliver,

If you need a way to create requests from a third-party data source, you should use the real batch system. This will create certificates from a plain text file with some data.

1. How could I do this?
2. What format do the plain text files have to be in?
3. What kind of modifications do I have to perform to the batch processor to be able to issue certificates without RA approval? And if the approval is needed, how can I sign all requests in only one step?
4. Could you please tell me all the steps for the generation of the approval and signing of the requests? To see if we can develop something out of OpenCA to do this.

You need the cert/public key - this is accessible outside the HSM. Have you created a CA certificate?

Yes I did.

Thanks,
Juan David Gutierrez
Re: [Openca-Users] Some questions about OpenCA
Hi Juan,

I'm using openca-0.9.2.1.

You can't sign on the RA! The batch system needs the private key of the CA and so is located on the CA.

So, how do I approve requests in the RA using the batch system?

I think you are talking about the automatic issue, i.e. the leftmost item in the batch menu? You can't approve requests en bloc; you can only issue certificates on manually approved requests with this. If you need a way to create requests from a third-party data source, you should use the real batch system. This will create certificates from a plain text file with some data.

I did it, in the CA, using node -- Administration -- Dataexchange -- Enroll data to a lower level of the hierarchy -- Configuration, and in the RA, node -- Administration -- Dataexchange -- Download data from a higher level of the hierarchy -- Configuration.

This should work normally; I guess you screwed something up. Is the CA certificate correctly installed in the CA?

I'm using an HSM, so the private key cannot be exported. So what should I do in that case?

You need the cert/public key - this is accessible outside the HSM. Have you created a CA certificate?

Oliver
Re: [Openca-Users] Some questions
On Mon, 14 Jun 2004, Til Obes wrote:

1. I have some errors with the mail counter. How is it organized? For example: the mail counter was 2, but I now have my 8th cert. Node management wanted to send mail 2, and now the counter is 3. Should that depend on the real cert serial? Can this maybe depend on disabling sendmail_automatic? I had it disabled for some time. Now it's activated again.

*** I think (from my tests) the mail counter contains the ID of the next mail which should be sent. When you have sent no emails, it will be 1 (mail number 1 should be sent). After you send 5 mails (1,2,3,4,5), it will be 6 (mail number 6 should be sent). You can have 10 certificates but only 5 emails sent. But you should send all emails, because there is the CRIN (PID for certificate revocation) for the certificate. Probably the mail number should be the same as the certificate serial number, but I'm not sure about this (the email can be sent in other situations; I don't know this).

2. I had a signature error on the CA interface when viewing a signed request. What is necessary so that there isn't an error?

*** More details? I don't know what you mean; maybe someone else will know.

Robert Wolf.
RE: [Openca-Users] Some questions
On Mon, 14 Jun 2004, Til Obes wrote:

1. I have some errors with the mail counter. How is it organized? For example: the mail counter was 2, but I now have my 8th cert. Node management wanted to send mail 2, and now the counter is 3. Should that depend on the real cert serial? Can this maybe depend on disabling sendmail_automatic? I had it disabled for some time. Now it's activated again.

*** I think (from my tests) the mail counter contains the ID of the next mail which should be sent. When you have sent no emails, it will be 1 (mail number 1 should be sent). After you send 5 mails (1,2,3,4,5), it will be 6 (mail number 6 should be sent). You can have 10 certificates but only 5 emails sent. But you should send all emails, because there is the CRIN (PID for certificate revocation) for the certificate. Probably the mail number should be the same as the certificate serial number, but I'm not sure about this (the email can be sent in other situations; I don't know this).

The problem is that the node interface wanted to send mail number 2, but the mail 8.msg was imported from the CA. This is a bug, I think.

2. I had a signature error on the CA interface when viewing a signed request. What is necessary so that there isn't an error?

*** More details? I don't know what you mean; maybe someone else will know.

When I sign a request at the RA interface with a user cert of the CA, I get an error at the CA interface. It's a red lock (don't know the English word ;) ) (Schloss) right beside the message that there is a sign error.

Regards,
Til
RE: [Openca-Users] Some questions
On Mon, 14 Jun 2004, Til Obes wrote:

The problem is that the node interface wanted to send mail number 2, but the mail 8.msg was imported from the CA. This is a bug, I think.

*** Hmmm, I'm not sure about this. I think when you create a certificate, OpenCA creates an email for the user. So you can create 5 certificates and OpenCA creates 5 emails (1,2,3,4,5). The mail counter is 1 (to send email number 1). When you exchange this data to the lower hierarchy, it should be the same as on the CA. So for example, on the RA the mail counter is 1 and there are 5 emails (1,2,3,4,5). The other day you create another certificate (number 6) and OpenCA creates a new email (6). When you exchange data, you will see that email number 6 was imported (or downloaded, or however it is called :)). So you got mail number 6 in the RA, but you still haven't sent emails number 1,2,3,4,5, so now you should send email number 1.

In openca 0.9.1-8 there are two versions of "Send email". The first one sends all unsent emails (the emails with a number equal to or greater than the value from the mail counter). The second version reads the number of the email you want to send/resend.

I hope I understood this functionality correctly.

Bye.
Robert Wolf.
Re: [Openca-Users] Some questions
Til Obes wrote:

On Mon, 14 Jun 2004, Til Obes wrote:

1. I have some errors with the mail counter. How is it organized? For example: the mail counter was 2, but I now have my 8th cert. Node management wanted to send mail 2, and now the counter is 3. Should that depend on the real cert serial? Can this maybe depend on disabling sendmail_automatic? I had it disabled for some time. Now it's activated again.

*** I think (from my tests) the mail counter contains the ID of the next mail which should be sent. When you have sent no emails, it will be 1 (mail number 1 should be sent). After you send 5 mails (1,2,3,4,5), it will be 6 (mail number 6 should be sent). You can have 10 certificates but only 5 emails sent. But you should send all emails, because there is the CRIN (PID for certificate revocation) for the certificate. Probably the mail number should be the same as the certificate serial number, but I'm not sure about this (the email can be sent in other situations; I don't know this).

The problem is that the node interface wanted to send mail number 2, but the mail 8.msg was imported from the CA. This is a bug, I think.

Yes, this is a bug - so please file it at SourceForge in the bug tracker. Thanks.

When I sign a request at the RA interface with a user cert of the CA, I get an error at the CA interface. It's a red lock (don't know the English word ;) ) (Schloss) right beside the message that there is a sign error.

You can click this red lock, and it will show you more information on the signature detected. Basically, if it's red, that means there is something wrong with the signature. Which certificate did you use to sign the request? One issued by this PKI, or something different?

Greetings,
dalini
RE: [Openca-Users] Some questions
The problem is that the node interface wanted to send mail number 2, but the mail 8.msg was imported from the CA. This is a bug, I think.

Yes, this is a bug - so please file it at SourceForge in the bug tracker. Thanks.

Done.

When I sign a request at the RA interface with a user cert of the CA, I get an error at the CA interface. It's a red lock (don't know the English word ;) ) (Schloss) right beside the message that there is a sign error.

You can click this red lock, and it will show you more information on the signature detected. Basically, if it's red, that means there is something wrong with the signature. Which certificate did you use to sign the request? One issued by this PKI, or something different?

I have a user CA. I use a cert issued by this user CA. I signed it with my cert. When I click on the red lock, I get an empty page. Does it have something to do with the correct CA chain? Do I need to have the correct chain in my browser?

Regards,
Til