OpenCA Guides for 0.9.2+
Next
OpenCA Guides for 0.9.2+
Michael
Bell
Chris
Covell
Table of Contents
Introduction
I.
Design Guide
Preface
1.
General Design
1.
Basic Hierarchy
2.
Interfaces
2.1.
Node
2.2.
CA
2.3.
RA
2.4.
LDAP
2.5.
Pub
3.
Configuration
4.
Database
5.
Interface
6.
Lifecycle of the objects
7.
Sub-Ca
7.1.
Example 1
7.2.
Example 2
2.
Recommendations
1.
Hardware Issues
1.1.
Time
1.2.
Failing disks
1.3.
Hardwaremonitoring
2.
Physical Security
2.1.
Safes and Dataorganization
2.2.
Buildings
3.
Network Issues
4.
Certificate Issues
4.1.
CDPs
4.2.
Application specific problems
5.
Organizational Aspects
5.1.
Dual Access Control
5.2.
Privacy vs. Security
5.3.
Enforcement of Access Control
5.4.
Privacy Officer Integration
5.5.
Enterprise Integration
5.6.
Parallel use of several end user PKIs
II.
Installation and Configuration Guide
Preface
3.
Installation
1.
Preparations
1.1.
Software
1.2.
Hardware
2.
Configure
2.1.
Host System Configuration
2.2.
Filesystem paths
2.3.
Webserver specific stuff
2.4.
Email
2.5.
Compiling features
3.
Installation
4.
config.xml (for RPMs and DEBs too)
4.1.
Configuration sections of config.xml
4.2.
How to setup two management interfaces on one server?
4.
Configuration
1.
Access Control
1.1.
Channel verification
1.2.
Login
1.3.
Session management
1.4.
ACLs
2.
Token and keyconfiguration
2.1.
OpenSSL
2.2.
Empty
2.3.
LunaCA3
3.
OpenSSL
3.1.
Certificate Extensions
3.2.
Profiles
4.
CSRs
4.1.
Additional Attributes
4.2.
PKCS#10 Requests
4.3.
Basic CSR
4.4.
SCEP
5.
Subject
5.1.
Common stuff
5.2.
dc style
6.
Subject Alternative Name
7.
LDAP
7.1.
Configuration of the Directory
7.2.
Configuration of the RA components
7.3.
Writing Certifciates to the Directory
8.
SCEP
8.1.
OPENCADIR/etc/servers/scep.conf
8.2.
OPENCADIR/etc/config.xml
9.
Dataexchange
9.1.
Configuration
9.2.
Adding a new node
10.
Databases
10.1.
PostgreSQL
10.2.
DBM Files
III.
User Guide
Preface
5.
Interface Descriptions
1.
Public PKI Server
1.1.
CA
1.2.
User
1.3.
Certificates
1.4.
Requests
2.
Registration Authority
2.1.
Administration
2.2.
Pending Requests
2.3.
Information
2.4.
Utilites
3.
Registration Authority Node
3.1.
Gateways
3.2.
Administration
3.3.
Utilites
4.
LDAP Interface
4.1.
Update LDAP
4.2.
View CA-Certificates
4.3.
View Certificates
4.4.
View CRLs
6.
Functionality Descriptions
1.
CA Initialization
1.1.
Phase I: Initialize the Certification Authority
1.2.
Phase II and III: Create the initial administrator and RA certificate
2.
CSR Handling - a request HOWTO
2.1.
Ways to request a certificate
2.2.
Edit a certificate signing requests
2.3.
Approve certificate signing requests
2.4.
Issue a certificate from a certificate signing request
2.5.
Certificate enrollment
2.6.
Delete certificate signing requests
3.
Certificate Handling
3.1.
Find a certificate
3.2.
Download
3.3.
Start revocation
3.4.
Write an email to the owner
3.5.
Informations and their meaning
4.
SCEP
4.1.
SSCEP
4.2.
NetScreen ScreenOS
4.3.
F-Secure VPN+
IV.
Technology Guide
Preface
7.
Introduction
1.
Slotechnology
8.
XML
9.
Cryptolayer
10.
Accesscontrol
11.
Logging
12.
Webinterfaces
1.
Interfacebuilding
1.1.
Technology overview
1.2.
Customization capabilities
2.
CSS
3.
Configuration after installation
13.
Hierarchy
1.
Nodemanagement
2.
Dataexchange
14.
LDAP
1.
supported options
2.
LDAP schema specification
2.1.
Used objectclasses
2.2.
Supported attributes
2.3.
Common definitions for distinguished names
2.4.
Special definitions for user certificates
3.
Sourcecodeorganization
3.1.
Structure of the code
3.2.
The relevant commands
3.3.
export-import.lib
3.4.
ldap-utils.lib
15.
Software Design (legacy from design guide)
1.
Database(s)
2.
Interface construction
3.
openca.cgi
4.
libraries
5.
modules
6.
commands
7.
Dataexchange and Node management
A.
History
1.
PKI Scenario before OpenCA
2.
PKI and eGovernment
3.
Internet Standards
4.
The Project's Purposes
5.
The Project's Achievements
6.
The OpenCA Project
6.1.
The project start
6.2.
Offering Help to Other Projects: OpenSSL
6.3.
CVS and Mailing Lists
6.4.
The Open Source Choice
6.5.
Migrating to SourceForge
B.
Authors and Contributors
1.
Michael Bell
2.
Chris Covell
3.
Massimiliano Pala
4.
FAQ
C.
FAQ
1.
General PKI Issues
1.1.
What is a certificate?
1.2.
Which informations does a certificate contain?
1.3.
What is a request?
1.4.
Which information does a CSR contain?
1.5.
What is a CA?
1.6.
Why should I not place the CA on the same machine like the RA?
1.7.
What is an extensions?
1.8.
I use Windows 2000 and Internet Explorer 6 SP1 and it don't show any CSPs.
1.9.
How can I setup a sub CA?
2.
General OpenCA Issues
2.1.
Does it be possible to revoke a certificate without any user interaction?
2.2.
I try to add a role and get the message The role XYZ exists already!
2.3.
All cryptographic operations fail.
2.4.
Apache's error_log reports a nonexistent option -subj of openssl req
2.5.
Apache's error_log contains a message from IBM DB2 that the environment is not setted
2.6.
What do the new features of 0.9.2 be?
2.7.
I try to approve and sign a request with Mozilla and it fails.
2.8.
I try to approve and sign a request with Konqueror (KDE) and it fails.
2.9.
How is the format of the disc to import the CA certificate from the root CA?
2.10.
OpenSSL reports entry 1: invalid expiry date
2.11.
Outlook cannot encrypt mail with imported certificate
2.12.
My Outlook freezes after I received a signed email
2.13.
General Error 6751 during certificate issuing
3.
Installation Issues
3.1.
FreeBSD and OpenCA
3.2.
What is a hierarchy level?
3.3.
Undefined subroutine &main::xyz
3.4.
Symbolic link installaton failed
3.5.
After the installation all common parts are missing
4.
Configuration Issues
4.1.
How can I configure my httpd.conf for virtual hosts?
4.2.
How can I configure virtual hosts with ./configure?
4.3.
I have some users which should not be published in LDAP. Does it be possible with OpenCA?
4.4.
Does it be possible to authenticate users by their certificates at the apache before they will be authenticated by OpenCA itself?
4.5.
I want to update my 0.9.2 installation. Is this dangerous?
4.6.
I want update to 0.9.2. How can I update my sql database?
4.7.
If I run openca-ocspd then I obtain a segmentation fault.
4.8.
I installed a second public interface, run configure_etc.sh and now are all the paths in the other public interface wrong.
4.9.
I issue a certificate for a mailserver but sendmail doesn't work and reports an errormessage which includes reason=unsupported certificate purpose
4.10.
My (Microsoft) client hangs after it tries to start a secured connection
4.11.
Outlook freezes when receiving a signed Mail but worked already fine for some days
4.12.
During the request generation OpenCA fails and reports a too short textfield
4.13.
Can I place my organization's logo on the web interface?
4.14.
Microsoft Smartcard Logon
4.15.
Cannot create new OpenCA tokenobject
4.16.
How can I use a Luna token with OpenCA 0.9.1
4.17.
How can I include a complete certificate chain into a PKCS#12 file?
5.
Access Control problems
5.1.
Always get a login screen - again and again
5.2.
Error 6251023: Aborting connection - you are using a wrong channel
5.3.
Error 6251026: Aborting connection - you are using a wrong security protocol
5.4.
Error 6251029: Aborting connection - you are using the wrong computer
5.5.
Error 6251033: Aborting connection - you are using a wrong asymmetric cipher
5.6.
Error 6251036: Aborting connection - you are using a too short asymmetric keylength
5.7.
Error 6251039: Aborting connection - you are using a wrong symmetric cipher
5.8.
Error 6251043: Aborting connection - you are using a too short symmetric keylength
6.
Dataexchange
6.1.
I try to export something but I get error 512 permission denied for /dev/fd0
6.2.
I try to import the CA certificate but it doesn't work.
6.3.
I crashed the database of the online server and now I want to import all data again. How can I do it?
6.4.
I try to export the requests to the CA but it doesn't work
7.
LDAP
7.1.
Errormessage: Connection refused.
7.2.
Errormessage: Bind failed. Errorcode 49.
7.3.
The resultcode of the nodeinsertion was 65.
7.4.
How can I get more debugging messages from OpenCA's LDAP code?
7.5.
How can I get more debugging messages from OpenLDAP?
8.
Internationalization
8.1.
How can I fix a misspelling for a language?
8.2.
How can I add a new langiage?
8.3.
The compilation/make fails on the Perl module gettext
Bibliography
Glossary
List of Figures
1.1.
Database oriented view
1.2.
Logical data view
1.3.
Complete technical overview
1.4.
Lifecycle of objects
4.1.
Passes of the accesscontrol
4.2.
Passphrase based login
4.3.
Tokenconcept
6.1.
Phases of the CA initialization
6.2.
Phase I of the CA initialization
6.3.
Phase II of the CA initialization
6.4.
Phase III of the CA initialization
9.1.
Example cryptolayer with tokens
10.1.
Passes of the accesscontrol
10.2.
Channel verification
10.3.
Identification of the user
10.4.
Access control list
14.1.
LDAP source schema
List of Tables
14.1.
Schema usage
14.2.
Schema usage for user certificates
C.1.
Texttypes for different databases
List of Examples
4.1.
channel configuration
4.2.
Login and Passphrase configuration
4.3.
Authentication with certificates
4.4.
Session configuration
4.5.
Basic ACL configuration
4.6.
Permission for serverInfo
4.7.
Allow all
4.8.
OpenSSL configuration - Authority Key Identifier
4.9.
Minimal SSL client extensions
4.10.
Minimal SSL server extensions
4.11.
Minimal SMTP extensions for a single certificate
4.12.
Additional attributes configuration
4.13.
PKCS#10 configuration
4.14.
Basic CSR configuration
4.15.
Configuration example for a XML file based HTML-select
4.16.
Download configuration
4.17.
Export configuration
4.18.
Local export configuration
6.1.
SSCEP configuration
C.1.
General error 6751 during certificate issueing
C.2.
Bad passphrase error log during certificate issueing
C.3.
Full errormessage for missing functions
C.4.
Already present symbolic link
C.5.
virtual host configuration
C.6.
./configure and virtual hosts
C.7.
Client authentication with mod_ssl
C.8.
OCSP configuration for LDAP
C.9.
OCSP configuration for http
C.10.
Failed request upload