[Openca-Users] openca cookbook

2004-11-08 Thread Darin Perusich
there was a post about an updated cookbook using suse 9.1, is this 
available?

--
Darin Perusich
Unix Systems Administrator
Cognigen Corp.
[EMAIL PROTECTED]
___
Openca-Users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-users


Re: [Openca-Users] OpenCA cookbook

2004-08-18 Thread Kevin
I know this won't show up in the thread of the same subject because I
don't have the original or any of the follow-ups to that message in my
own email archive, but I just thought I'd try to get this point somehow
associated with the OpenCA Cookbook, thus this message.

Other changes to make to httpd.conf (aside from those already listed in
the OpenCA Cookbook):


SSLOptions +StdEnvVars


Thanks to Oliver Welter for pointing this out to me.

-Kevin
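
What the directive changes for a CGI program, as an added example that is not part of the original message or of OpenCA: mod_ssl always sets HTTPS=on for TLS requests, but it exports the SSL_* variables (protocol, cipher, client certificate fields) to CGI only when StdEnvVars is enabled. The function name, the labels it returns and the sample environments are constructed for illustration.

```python
# Added illustration, not OpenCA code. The variable names are the standard
# mod_ssl CGI variables; the labels returned here are made up for the example.

def classify_request(environ):
    """Describe the TLS state a CGI program can see in its environment."""
    if environ.get("HTTPS", "").lower() != "on":
        return "plain-http"
    # SSL_PROTOCOL belongs to the StdEnvVars set. If it is missing on an
    # HTTPS request, the SSL_* variables were not exported to this script,
    # so nothing can be said about the client certificate.
    if "SSL_PROTOCOL" not in environ:
        return "https-without-stdenvvars"
    verify = environ.get("SSL_CLIENT_VERIFY", "NONE")
    if verify == "NONE":
        return "no-client-cert"
    if verify == "SUCCESS":
        return "client-cert-verified: " + environ.get("SSL_CLIENT_S_DN", "")
    # Remaining values are GENEROUS (accepted without verification) and
    # FAILED:<reason>. Neither should be treated as an authenticated user.
    return "client-cert-not-verified"


# Constructed sample environments (not captured from a real server).
PLAIN = {"REQUEST_METHOD": "GET"}
WITHOUT_STDENVVARS = {"HTTPS": "on", "REQUEST_METHOD": "GET"}
NO_CERT = {"HTTPS": "on", "SSL_PROTOCOL": "TLSv1",
           "SSL_CIPHER": "AES256-SHA", "SSL_CLIENT_VERIFY": "NONE"}
VERIFIED = {"HTTPS": "on", "SSL_PROTOCOL": "TLSv1",
            "SSL_CIPHER": "AES256-SHA", "SSL_CLIENT_VERIFY": "SUCCESS",
            "SSL_CLIENT_S_DN": "/C=US/O=Example/CN=RA Operator"}
UNVERIFIED = {"HTTPS": "on", "SSL_PROTOCOL": "TLSv1",
              "SSL_CIPHER": "AES256-SHA",
              "SSL_CLIENT_VERIFY": "FAILED:certificate has expired",
              "SSL_CLIENT_S_DN": "/C=US/O=Example/CN=RA Operator"}

if __name__ == "__main__":
    for name, env in [("plain", PLAIN),
                      ("https, no StdEnvVars", WITHOUT_STDENVVARS),
                      ("https, no client cert", NO_CERT),
                      ("https, verified cert", VERIFIED),
                      ("https, failed cert", UNVERIFIED)]:
        print(f"{name:24} -> {classify_request(env)}")
```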






Re: [Openca-Users] OpenCA Cookbook

2004-08-18 Thread Kevin Mitcham
I'm sorry if the cookbook misled you, or was incomplete.  I wrote it to 
make the install procedure overall a little easier, providing a worked 
example.  By the time I wrote it down, I had installed OpenCA several 
times, and some of the items were already committed to memory, and 
didn't get written down.  I did try to write out several of the problems 
that came up in my experience, and the solutions to them.

Kevin
Please read the docs in the OpenCA guide...

Thanks Martin, Til, and Johannes for pointing this out.
Guess I should've read all of the docs in their entirety before posting
but my lame excuse is that I was misled by the cookbook.  I had the
impression from reading it that it was self-contained and that I could
use it as a shortcut for installation and then read the full docs
afterwards as I experimented with OpenCA.
Sorry for the unnecessary question/time/bandwidth.
-Kevin





Re: [Openca-Users] OpenCA Cookbook

2004-08-18 Thread Kevin
On Wed, 2004-08-18 at 12:03, Kevin Mitcham wrote:
> I'm sorry if the cookbook misled you, or was incomplete.  I wrote it to 
> make the install procedure overall a little easier, providing a worked 
> example.  By the time I wrote it down, I had installed OpenCA several 
> times, and some of the items were already committed to memory, and 
> didn't get written down.  I did try to write out several of the problems 
> that came up in my experience, and the solutions to them.
> 
> Kevin

Hi Kevin-

Please don't apologize.  I meant what I said when I said that this was
my _lame_ excuse.  The cookbook was a big help to me; of that I'm quite
certain.  But I should not have relied on it exclusively.  That's a
lesson for me.  Your cookbook was very helpful to me.  Thanks very much
for writing it.  Once I have completed my installation and configuration
of OpenCA, I hope to be able to add my experience to what you've written
and perhaps improve upon it somewhat, but there's certainly no cause to
apologize.  Thanks very kindly for helping me out a great deal by
writing it.

-Kevin






RE: [Openca-Users] OpenCA Cookbook

2004-08-18 Thread Tiller, Robert

Hi,
  The first cookbook I found is still in the doc directory called
wallus(?) built for Suse 8.1.  A few errors here and there.
  Kevin's book was great in that it showed how to do it on one box.
Some hurried spots but still good when used with the docs and the wallus.
  I've written a new one for Suse 9.1 based on the two combined
above and will release it real soon now.  

thanks for all the great work everyone!
Robert


Re: [Openca-Users] OpenCA cookbook

2004-06-25 Thread openca
On Thu, 24 Jun 2004, Kevin Mitcham wrote:
> I've been working on getting some documents and files together to make an 
> easy installation of OpenCA.  Here is what I've got so far.  I realize it 
> isn't setting things up in the most secure fashion, but I'm hoping to help 
> folks get past the initial steps before getting more complicated.
> 
> I'd appreciate any comments or pointers about what might be wrong or unclear 
> in this document.
*** Hi,
It looks like installation all nodes on one machine in one web server. 
I think it would be better to make installation steps for installing some 
nodes on separate machines (or at least separate virtual hosts to emulate 
different machines).

I tried to make all nodes (CA, RA, pub and LDAP) in different location 
(/data/openca-ca, /data/openca-ra etc) and use different hostnames and 
virtual hosts in apache. In 0.9.1-8 this is a little problem because 
sometimes there are absolute links on the same machine for different node 
(eg. on node in navbar.html there are links to /ca/, /ra/, /pub/, /ldap/ 
without hostname, but if CA, RA and PUB are on different machines, this 
doesn't work) and sometimes full URL (in confirm_cert_sign.msg.in link to 
https://@httpd_host@@httpd_port@). The only web server hostname I can enter 
in --with-web-host= configure switch, but is it web host of CA, RA or PUB 
node? Maybe there should be more switches for each possible node (CA, RA, 
PUB, LDAP) and in source HTML and TXT sheets there should be full URL 
links.

I hope I understood every switch correct. I made some mod_rewrite rules in 
apache virtual hosts to run it correctly (https://openca-ra/ca/ -> 
https://openca-ca/ca/ etc.) and it looks fine, only many click about 
receiving certificates from apache.

I have tested openca-0.9.2 for a while - is there any chance to solve this 
inside of installation process or have I to do the same URL rewriting?

Bye.
Robert Wolf.


Re: [Openca-Users] OpenCA cookbook

2004-06-25 Thread Roberto Hoyle
[EMAIL PROTECTED] wrote:
> It looks like installation all nodes on one machine in one web server. I 
> think it would be better to make installation steps for installing some 
> nodes on separate machines (or at least separate virtual hosts to 
> emulate different machines).
Our idea with that document was to make it as simple for the user as 
possible.  This isn't meant to be a production CA, just one that can be 
installed quickly so that the user can get their feet wet with the 
software and start learning it.

> The 
> only web server hostname I can enter in --with-web-host= configure 
> switch, but is it web host of CA, RA or PUB node? Maybe there should be 
> more switches for each possible node (CA, RA, PUB, LDAP) and in source 
> HTML and TXT sheets there should be full URL links.
We got everything to work by manipulating the values at the end of 
config.xml.  There's places where you can specify all of the paths that 
you need.

Hell, we got 2 different CAs and RAs, with pubs and nodes, running on 
the same box with the same Apache server.  Yeah, not optimal, but as I 
said, our objective was to have something that people could play with 
just to get started.

This was with RC4 of 0.9.2, by the way.
r.


[Openca-Users] OpenCA cookbook

2004-06-24 Thread Kevin Mitcham
I've been working on getting some documents and files together to make 
an easy installation of OpenCA.  Here is what I've got so far.  I 
realize it isn't setting things up in the most secure fashion, but I'm 
hoping to help folks get past the initial steps before getting more 
complicated.

I'd appreciate any comments or pointers about what might be wrong or 
unclear in this document.

Thanks
to install from source
(actual commands marked with a *)
(We ran on Debian unstable)
(assumes an apache install using default options)


download new tarball from 
http://prdownloads.sourceforge.net/openca/openca-0.9.2-RC4.tar.gz?use_mirror=unc
into a source directory
Alternately, get the latest snapshot
We are currently running a snapshot from a couple of weeks ago; RC4 actually gave me 
some problems.

* gunzip openca-0.9.2-RC4.tar.gz 
* tar xvf openca-0.9.2-RC4.tar 

* make distclean 

first install the ra
(may want to update the web-host value)

* ./configure \
  --prefix=/usr/local/openra \
  --with-httpd-user=www-data \
  --with-httpd-group=www-data \
  --with-openca-prefix=/usr/local/openra/openca \
  --with-etc-prefix=/usr/local/openra/openca/etc \
  --with-httpd-fs-prefix=/usr/local/openra/httpd \
  --with-module-prefix=/usr/local/openra/modules \
  --with-node-prefix=ra-node \
  --with-engine=no \
  --with-web-host=localhost \
  --enable-ocspd \
  --enable-dbi \
  --enable-rbac \
  --with-hierarchy-level=ra

* make
* make install-online  


Now for the CA
(may want to update the web-host value)

* make distclean
* ./configure \
  --prefix=/usr/local/openca \
  --with-httpd-user=www-data \
  --with-httpd-group=www-data \
  --with-openca-prefix=/usr/local/openca/openca \
  --with-etc-prefix=/usr/local/openca/openca/etc \
  --with-httpd-fs-prefix=/usr/local/openca/httpd \
  --with-module-prefix=/usr/local/openca/modules \
  --with-node-prefix=ca-node \
  --with-engine=no \
  --with-web-host=localhost \
  --enable-ocspd \
  --enable-dbi \
  --enable-rbac \
  --with-hierarchy-level=ca 
  
* make
* make install-offline

create the DB:
* mysql -uroot -p mysql
password
create database openca;
create database openra;
grant all privileges on openca.* to [EMAIL PROTECTED] identified by 'openca';
grant all privileges on openra.* to [EMAIL PROTECTED] identified by 'openra';

test the DB
* mysql -uopenca -p
use openca;
show tables;
(should return empty set, as DB is empty)
exit;
* mysql -uopenra -p
use openra;
show tables;
(should return empty set, as DB is empty)
exit;

edit the apache httpd.conf (location varies, but this is the apache config file)
in the script aliases section, add:
# OpenCA Mods
# CA Aliases
Alias   /ca /usr/local/openca/httpd/htdocs/ca/
Alias   /ca-node /usr/local/openca/httpd/htdocs/ca-node/
ScriptAlias /cgi-bin/ca/ /usr/local/openca/httpd/cgi-bin/ca/ 
ScriptAlias /cgi-bin/ca-node/ /usr/local/openca/httpd/cgi-bin/ca-node/

# OpenCA Mods
# RA Aliases
Alias   /ra /usr/local/openra/httpd/htdocs/ra/
Alias   /pub /usr/local/openra/httpd/htdocs/pub/
Alias   /ra-node /usr/local/openra/httpd/htdocs/ra-node/
ScriptAlias /cgi-bin/ra/ /usr/local/openra/httpd/cgi-bin/ra/
ScriptAlias /cgi-bin/pub/ /usr/local/openra/httpd/cgi-bin/pub/
ScriptAlias /cgi-bin/ra-node/ /usr/local/openra/httpd/cgi-bin/ra-node/

# OpenCA Mods
<Directory /usr/local/openca/httpd/cgi-bin/>
 AllowOverride None
 Options ExecCGI
 Order allow,deny
 Allow from all
</Directory>
<Directory /usr/local/openra/httpd/cgi-bin/>
 AllowOverride None
 Options ExecCGI
 Order allow,deny
 Allow from all
</Directory>
<Directory /usr/local/openca/httpd/htdocs/>
 AllowOverride None
 Options FollowSymLinks Indexes
 Order allow,deny
 Allow from all
</Directory>
<Directory /usr/local/openra/httpd/htdocs/>
 AllowOverride None
 Options FollowSymLinks Indexes
 Order allow,deny
 Allow from all
</Directory>
# OpenCA Mods
# adding dir to symlinks following for cert retrieval
# not totally clear WHY openca puts a symlink here, but it did.
<Directory /usr/local/openra/httpd/cgi-bin/pub>
 AllowOverride None
 Options FollowSymLinks Indexes
 Order allow,deny
 Allow from all
</Directory>

modify the config.xml for the ra (located in /usr/local/openra/openca/etc)

Now onto the config.xml, for the ca and the ra.
for the CA:
general options 
ca_organization
ca_locality
ca_country
service_mail_account (set to [EMAIL PROTECTED])
dbmodule - DBI for the mysql database
db_type - mysql
db_name - openca
db_host - localhost  (or whatever)
db_port - 3306  (the mysql default port)
db_user - openca
db_passwd - XXX
configuration of absolute paths
(as needed.  once again, looks like some of the work is already done)
dataexchange configuration
de-activate default, by adding comment <!-- --> brackets
activate mode 1, node acts as CA only by removing comment brackets
configuration of relative paths
(as