Category: System Operations
2005-03-23 23:58:24
OpenLDAP can be installed if necessary. Documentation is found here.
Apache-SSL can be found here, and Apache and mod_ssl can be found here.
##############
### Installation of OpenLDAP (NOT NECESSARY, but useful)
##############
All this is done as root on the LDAP server. This was the same machine
as the CA server but, for security, should probably be different.
(See OpenLDAP installation notes.)
##############
### Configuration of OpenLDAP (only if using LDAP)
##############
You will need to add a new root/base into the LDAP for the CA certificate
(at least) and for certificates signed in that subject domain. You will also
need to add new root/base entries into LDAP for each subject domain you wish
to sign certificates for.
eg. Your CA certificate distinguished name (DN) will be:
emailAddress=ra@epp-ca.ph.unimelb.edu.au,
CN=epp-ca.ph.unimelb.edu.au,
OU=Experimental Particle Physics, O=University of Melbourne, c=AU
You wish to sign certificates in the subject domains:
*,OU=Experimental Particle Physics, O=University of Melbourne, c=AU
*,ou=People,o=Belle,o=Grid
*,ou=Hosts,o=Belle,o=Grid
*,ou=Services,o=Belle,o=Grid
*,o=BelleTestbed,o=Grid
Therefore you can create LDAP base DNs of:
OU=Experimental Particle Physics, O=University of Melbourne, c=AU
o=Belle,o=Grid
o=BelleTestbed,o=Grid
Or alternatively more readily distributable base DNs of:
OU=Experimental Particle Physics, O=University of Melbourne, c=AU
ou=People,o=Belle,o=Grid
ou=Hosts,o=Belle,o=Grid
ou=Services,o=Belle,o=Grid
o=BelleTestbed,o=Grid
Check out the existing base DN (base subjects) on the LDAP server.
You may not need to add any additional base entries if your CA certificate can
fit underneath the existing structure...
> ldapsearch -x -P 3 -h lem.ph.unimelb.edu.au -b '' -s base '*' namingContexts
Add new root suffixes into the LDAP server config as root...
> vi /etc/openldap/slapd.conf
>>>>> add allowed root suffix...
suffix "ou=Experimental Particle Physics,o=University of Melbourne,c=AU"
suffix "ou=People,o=Belle,o=Grid"
suffix "ou=Hosts,o=Belle,o=Grid"
suffix "ou=Services,o=Belle,o=Grid"
suffix "o=BelleTestbed,o=Grid"
> /etc/init.d/slapd stop
> /etc/init.d/slapd start
> ldapsearch -x -P 3 -h lem.ph.unimelb.edu.au -b '' -s base '*' namingContexts
Add new entries for each of these into the LDAP database. Be sure to use
the correct LDAP manager/root account and password with the -D option...
> vi /tmp/root.ldif
>>>>> new file (be sure to leave last line of file blank)...
dn: ou=Experimental Particle Physics,o=University of Melbourne,c=AU
objectClass: top
objectClass: organizationalUnit
ou: Experimental Particle Physics
street: School of Physics, University of Melbourne
l: Melbourne
st: VIC
postalCode: 3010
telephoneNumber: 61 3 8344 5075
description: Melbourne EPP Certificate Authority
dn: ou=People,o=Belle,o=Grid
objectClass: top
objectClass: organizationalUnit
ou: People
description: Belle Collaboration Grid users
dn: ou=Hosts,o=Belle,o=Grid
objectClass: top
objectClass: organizationalUnit
ou: Hosts
description: Belle Collaboration Grid hosts
dn: ou=Services,o=Belle,o=Grid
objectClass: top
objectClass: organizationalUnit
ou: Services
description: Belle Collaboration Grid services
dn: o=BelleTestbed,o=Grid
objectClass: top
objectClass: organization
o: BelleTestbed
description: BelleTestbed users, hosts, and services
> ldapadd -x -v -h lem.ph.unimelb.edu.au -D "cn=Manager,ou=People,o=Belle,o=Grid" -W -f /tmp/root.ldif
> ldapsearch -x -h lem.ph.unimelb.edu.au -b "ou=Experimental Particle Physics,o=University of Melbourne,c=AU"
> ldapsearch -x -h lem.ph.unimelb.edu.au -b "ou=People,o=Belle,o=Grid"
> ldapsearch -x -h lem.ph.unimelb.edu.au -b "ou=Hosts,o=Belle,o=Grid"
> ldapsearch -x -h lem.ph.unimelb.edu.au -b "ou=Services,o=Belle,o=Grid"
> ldapsearch -x -h lem.ph.unimelb.edu.au -b "o=BelleTestbed,o=Grid"
> /bin/rm /tmp/root.ldif
**** ERRORS:
ldap_add: No such object
You must make sure the new base suffix is in LDAP config slapd.conf .
ldap_add: Already exists
The entry probably exists already. Try the appropriate ldapsearch
to see what's there, then either an ldapdelete to delete the existing
entry, or remove the entry from the ldapadd ldif file.
****
NOTE: To delete an entry that you do not want, run the following with
the entry's DN as the last ldapdelete argument:
> ldapsearch -x -h lem.ph.unimelb.edu.au -b "ou=Experimental Particle Physics,o=University of Melbourne,c=AU"
> ldapsearch -x -h lem.ph.unimelb.edu.au -b "ou=People,o=Belle,o=Grid"
> ldapdelete -x -v -h lem.ph.unimelb.edu.au -D "cn=Manager,ou=People,o=Belle,o=Grid" -W "ou=Experimental Particle Physics,o=University of Melbourne,c=AU"
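The "ldap_add: No such object" error above comes from adding an entry whose DN is not under any suffix that slapd serves. The following Python script is an added example (not part of the original notes and not OpenCA or OpenLDAP code) that parses an LDIF file and reports, for every entry, which configured suffix would hold it, so the check can be done before running ldapadd. The LDIF text and suffix list are constructed for the example, with o=BelleTestbed,o=Grid deliberately left out of the suffix list to show a failing entry.

```python
import re

# Constructed sample LDIF, modelled on the root.ldif above (added example, not the page's file).
# The last entry sits under a suffix that is deliberately NOT configured below.
SAMPLE_LDIF = """dn: ou=Experimental Particle Physics,o=University of Melbourne,c=AU
objectClass: top
objectClass: organizationalUnit
ou: Experimental Particle Physics

dn: ou=People,o=Belle,o=Grid
objectClass: top
objectClass: organizationalUnit
ou: People

dn: cn=Alice Example,ou=People,o=Belle,o=Grid
objectClass: top
objectClass: person
cn: Alice Example
sn: Example

dn: ou=Staff,o=BelleTestbed,o=Grid
objectClass: top
objectClass: organizationalUnit
ou: Staff
"""

# Suffixes as they would appear on "suffix" lines in slapd.conf (constructed; o=BelleTestbed,o=Grid omitted on purpose).
CONFIGURED_SUFFIXES = [
    "ou=Experimental Particle Physics,o=University of Melbourne,c=AU",
    "ou=People,o=Belle,o=Grid",
]


def split_rdns(dn):
    """Split a comma-separated DN into its RDN strings, leaving backslash-escaped commas alone."""
    return re.split(r'(?<!\\),', dn)


def normalise_dn(dn):
    """Lower-case the attribute types and trim whitespace so 'OU=People, O=Belle' and
    'ou=People,o=Belle' compare equal; attribute values are kept as written."""
    rdns = []
    for rdn in split_rdns(dn):
        attr, _, value = rdn.partition('=')
        rdns.append(f"{attr.strip().lower()}={value.strip()}")
    return ','.join(rdns)


def parse_ldif_dns(text):
    """Return the DN of every entry in an LDIF text.  Folded lines (leading space) are
    re-joined first; base64 'dn::' lines are not handled in this example."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(' ') and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    return [line[3:].strip() for line in logical
            if line.lower().startswith('dn:') and not line.startswith('dn::')]


def is_under(dn, suffix):
    """True when dn equals suffix or ends with ',suffix', compared RDN by RDN."""
    d = split_rdns(normalise_dn(dn))
    s = split_rdns(normalise_dn(suffix))
    return len(d) >= len(s) and d[-len(s):] == s


def check_ldif(text, suffixes):
    """Map each DN in the LDIF to the configured suffix that holds it, or to None when no
    suffix does: that is the entry slapd would refuse with 'ldap_add: No such object'."""
    return {dn: next((s for s in suffixes if is_under(dn, s)), None)
            for dn in parse_ldif_dns(text)}


if __name__ == "__main__":
    for dn, suffix in check_ldif(SAMPLE_LDIF, CONFIGURED_SUFFIXES).items():
        print(f"{'OK  ' if suffix else 'FAIL'} {dn}  ->  {suffix or 'no matching suffix in slapd.conf'}")
```

Run it against the real root.ldif and the suffix lines from slapd.conf before the ldapadd; any entry reported as FAIL needs either a new suffix line (and a slapd restart) or a different DN.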
##############
### Backing Up previous OLD OpenCA installations...
##############
You should backup any previous OpenCA installations before continuing.
NOTE: The following will backup OpenCA 0.8.1
> mv /usr/local/OpenCA /usr/local/OpenCA.OLD
> mv /usr/local/RAServer /usr/local/RAServer.OLD
> mv /var/www/openca /var/www/openca.OLD
> mv /usr/local/share/perl/5.6.1/OpenCA /usr/local/share/perl/5.6.1/OpenCA.OLD
> mv /usr/local/share/perl/5.6.1/auto/OpenCA /usr/local/share/perl/5.6.1/auto/OpenCA.OLD
> mv /usr/local/lib/perl/5.6.1/auto/OpenCA /usr/local/lib/perl/5.6.1/auto/OpenCA.OLD
> mv /usr/local/share/openca /usr/local/share/openca.OLD
> mkdir /usr/local/bin/openca.OLD
> mv /usr/local/bin/openca* /usr/local/bin/openca.OLD
> mkdir /var/openldap.OLD
> mv /var/openldap* /var/openldap.OLD
##############
### Installation of OpenCA
##############
All this is done as root on the CA server. This was different to the
Grid gateway machine.
Downloaded
openca-0.9.0-2.tar.gz
openssl-0.9.8-1.src.rpm
Installed Debian packages:
apache-ssl Secure HTTP functionality.
libconvert-ber-perl For perl - Convert::BER [cpan Convert-BER]
libmime-perl For perl - MIME::* [cpan MIME-Base64]
liburi-perl For perl - URI [cpan URI]
libdigest-md5-perl For perl - Digest::* [cpan Digest-MD5]
libnet-ldap-perl For perl - [cpan perl-ldap]
Installed Debian packages needed for compilation:
libxml-sax-expat-perl For perl - XML::Parser [Expat@sourceforge]
libexpat1-dev Expat development libraries libs & incs [Expat@sourceforge]
## Must install OpenSSL 0.9.8+ from the OpenCA site to run this software.
## I will install 0.9.8-1 in parallel with the system installed OpenSSL.
## Downloaded openssl-0.9.8-1.src.rpm from OpenCA site.
> su
> mkdir -p ~/OpenCA
> cd ~/OpenCA
> mkdir OpenSSL
> cd OpenSSL
> rpm2cpio openssl-0.9.8-1.src.rpm | cpio -vi -d
> gunzip -c openssl-0.9.8.tar.gz | tar xvf -
> cd openssl-0.9.8
> mkdir -p /usr/local/openca/openssl
> ./config --prefix=/usr/local/openca/openssl --openssldir=/usr/local/openca/openssl/openssl
> make
> make test
> make install
Unpacked OpenCA-0.9.0
> cd ~/OpenCA
> cp .../openca-0.9.0-2.tar.gz .
> gunzip -c openca-0.9.0-2.tar.gz | tar xvf -
> cd openca-0.9.0
> gmake clean
> ./configure --prefix=/usr/local/openca --exec-prefix=/usr/local/openca --with-openssl-prefix=/usr/local/openca/openssl --with-web-host=epp-ca.ph.unimelb.edu.au --with-httpd-host=epp-ca.ph.unimelb.edu.au --with-httpd-user=www-data --with-httpd-group=www-data --with-httpd-fs-prefix=/var/www/openca --with-htdocs-fs-prefix=/var/www/openca --with-ca-organization="University of Melbourne" --with-ca-locality=Melbourne --with-ca-country=AU --with-ldap-host=epp-grid.ph.unimelb.edu.au --with-ldap-root=cn=Manager,ou=People,o=Belle,o=Grid --with-ldap-root-pwd=XXXXXXX --enable-sendmail --with-sendmail=/usr/lib/sendmail --with-service-mail-account=ra@epp-ca.ph.unimelb.edu.au
> gmake install-ca
> gmake clean
> ./configure --prefix=/usr/local/openca-ra --exec-prefix=/usr/local/openca-ra --with-openssl-prefix=/usr/local/openca/openssl --with-web-host=epp-ca.ph.unimelb.edu.au --with-httpd-host=epp-ca.ph.unimelb.edu.au --with-httpd-user=www-data --with-httpd-group=www-data --with-httpd-fs-prefix=/var/www/openca --with-htdocs-fs-prefix=/var/www/openca --with-ca-organization="University of Melbourne" --with-ca-locality=Melbourne --with-ca-country=AU --with-ldap-host=epp-grid.ph.unimelb.edu.au --with-ldap-root=cn=Manager,ou=People,o=Belle,o=Grid --with-ldap-root-pwd=XXXXXXX --enable-sendmail --with-sendmail=/usr/lib/sendmail --with-service-mail-account=ra@epp-ca.ph.unimelb.edu.au
> gmake install-ext
*****
Create a temporary certificate for HTTPS access:
> cd /usr/local/openca/openssl
> ./bin/openssl req -new -x509 -nodes -out epp-ca- -keyout epp-ca-
### Country Name (2 letter code) [AU]:
### State or Province Name (full name) [Some-State]:Victoria
### Locality Name (eg, city) []:Melbourne
### Organization Name (eg, company) [Internet Widgits Pty Ltd]:University of Melbourne
### Organizational Unit Name (eg, section) []:Experimental Particle Physics
### Common Name (eg, YOUR name) []:epp-ca.ph.unimelb.edu.au
### Email Address []:ra@epp-ca.ph.unimelb.edu.au
> cp epp-ca- /etc/apache-ssl
*****
Create a crypt(3) password "passwd" with salt GH for HTTP access.
> perl -e 'print crypt("passwd","GH")."\n"'
> vi /var/www/openca/.htpasswd
>>> ca:XXXXXXXXXXXXX
>>> ra:XXXXXXXXXXXXX
> vi /var/www/openca/ca/.htaccess
>>> AuthType Basic
>>> AuthName "EPP CA Server"
>>> AuthUserFile /var/www/openca/.htpasswd
>>> require user ca
> cp /var/www/openca/ca/.htaccess /var/www/openca/cgi-bin/ca/
> vi /var/www/openca/ra/.htaccess
>>> AuthType Basic
>>> AuthName "EPP RA Server"
>>> AuthUserFile /var/www/openca/.htpasswd
>>> require user ra
> cp /var/www/openca/ra/.htaccess /var/www/openca/cgi-bin/ra/
> cp /var/www/openca/ra/.htaccess /var/www/openca/online/
> cp /var/www/openca/ra/.htaccess /var/www/openca/cgi-bin/online/
> cp /var/www/openca/ra/.htaccess /var/www/openca/ldap/
> cp /var/www/openca/ra/.htaccess /var/www/openca/cgi-bin/ldap/
*****
Modified HTTP configuration file /etc/apache-ssl/httpd.conf, added lines:
> vi /etc/apache-ssl/httpd.conf
>>>>> make sure HTTPS enabled and access allowed from certain machines...
####
#### Open CA host access
####
SSLEnable
SSLCertificateFile /etc/apache-ssl/epp-ca-
DocumentRoot /var/www/openca
ScriptAlias /cgi-bin /var/www/openca/cgi-bin
<Directory /var/www/openca>
Options Indexes Includes FollowSymLinks MultiViews
AllowOverride FileInfo AuthConfig Limit
order deny,allow
deny from all
allow from 127.0.0.0/255.0.0.0 .unimelb.edu.au
allow from 210.50.216.0/255.255.255.0
</Directory>
<Directory /var/www/openca/cgi-bin>
AllowOverride FileInfo AuthConfig Limit
Options ExecCGI
order deny,allow
deny from all
allow from 127.0.0.0/255.0.0.0 .unimelb.edu.au
allow from 210.50.216.0/255.255.255.0
</Directory>
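The order/deny/allow directives above restrict the CA and RA pages to the loopback network, one subnet, and hosts whose reverse DNS name ends in .unimelb.edu.au. The following Python script is an added example (not from the original notes and not Apache code) that evaluates those rules the way Apache's mod_access does, so the effect of a rule change can be checked without reloading the server. The rule set and client addresses are constructed; the hostname argument stands for the name Apache obtains from a double reverse lookup, which is the only thing a domain-suffix rule is compared against.

```python
import ipaddress

# The access rules from the httpd.conf fragment above, restated as data (constructed for this example).
OPENCA_ACCESS = {
    "order": "deny,allow",
    "deny": ["all"],
    "allow": ["127.0.0.0/255.0.0.0", ".unimelb.edu.au", "210.50.216.0/255.255.255.0"],
}


def rule_matches(rule, ip, hostname):
    """Does one 'allow from' / 'deny from' argument match this client?
    hostname is the client's double-reverse-resolved name (None when the PTR lookup failed
    or did not resolve back to ip), which is all Apache consults for domain rules."""
    if rule == "all":
        return True
    if rule.startswith("."):
        # Domain-suffix rule: compared against the resolved hostname only, never the IP,
        # so a client without a consistent PTR record can never satisfy it.
        return hostname is not None and hostname.lower().endswith(rule.lower())
    if "/" in rule:
        # Apache accepts dotted-quad netmasks; ipaddress understands "net/mask" directly.
        return ipaddress.ip_address(ip) in ipaddress.ip_network(rule, strict=False)
    return ipaddress.ip_address(ip) == ipaddress.ip_address(rule)


def is_allowed(rules, ip, hostname=None):
    """Evaluate Apache 1.3 / 2.0 'order' semantics.
    deny,allow: deny rules are applied first, allow rules second, an allow match overrides
                a deny, and a client matching neither list is permitted.
    allow,deny: at least one allow must match and no deny may match; the default is denied."""
    denied = any(rule_matches(r, ip, hostname) for r in rules["deny"])
    allowed = any(rule_matches(r, ip, hostname) for r in rules["allow"])
    if rules["order"] == "deny,allow":
        return allowed or not denied
    if rules["order"] == "allow,deny":
        return allowed and not denied
    raise ValueError(f"unsupported order: {rules['order']}")


if __name__ == "__main__":
    # Constructed clients: loopback, the allowed subnet, an outside address with and without
    # a matching reverse name, and a name that merely contains the domain in the middle.
    for ip, name in [("127.0.0.1", None), ("210.50.216.42", None), ("192.0.2.7", None),
                     ("192.0.2.7", "lem.ph.unimelb.edu.au"),
                     ("192.0.2.7", "www.unimelb.edu.au.example.net")]:
        print(ip, name, "->", "allowed" if is_allowed(OPENCA_ACCESS, ip, name) else "denied")
```

The domain-suffix rule makes access control depend on DNS: a legitimate client without a PTR record is denied, and the rule is only as trustworthy as the reverse zone it resolves against. The two address-based rules carry no such dependency, which is an argument for listing the RA operators' networks by address where possible.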
*****
Edit the CA/RA import/export config (this example assumes we don't use a floppy):
> vi /usr/local/openca/OpenCA/etc/servers/ca.conf
>>>>> change RegistrationAuthority entry...
## RegistrationAuthority "Trustcenter itself" "Help Desk 1" "Help Desk 2"
RegistrationAuthority "Melbourne EPP RA"
>>>>> change ExportDev and ImportDev entries...
## ExportDev "/dev/fd0"
## ImportDev "/dev/fd0"
ExportDev "/tmp/openca-outca.tar"
ImportDev "/tmp/openca-inca.tar"
>>>>> ensure SET_REQUEST_SERIAL_IN_DN is set to "N"...
SET_REQUEST_SERIAL_IN_DN "N"
>>>>> change SET_CERTIFICATE_SERIAL_IN_DN to N to prevent subject changes...
>>>>> this is essential for Grid certificates...
#SET_CERTIFICATE_SERIAL_IN_DN "Y"
SET_CERTIFICATE_SERIAL_IN_DN "N"
>>>>> check the SERVICE_MAIL_ACCOUNT entry...
SERVICE_MAIL_ACCOUNT "ra@epp-ca.ph.unimelb.edu.au"
> vi /usr/local/openca-ra/OpenCA/etc/servers/online.conf
>>>>> change mailsender entries...
mailsendername "Melbourne EPP Registration Authority"
mailsenderaddress "ra@epp-ca.ph.unimelb.edu.au"
>>>>> change ExportDev and ImportDev entries... (NOTE: reverse of ca.conf)
## ImportDev "/dev/fd0"
## ExportDev "/dev/fd0"
ImportDev "/tmp/openca-outca.tar"
ExportDev "/tmp/openca-inca.tar"
>>>>> make sure basedn represents the LDAP base subject DNs
basedn "ou=Experimental Particle Physics,o=University of Melbourne,c=AU"
> vi /usr/local/openca-ra/OpenCA/etc/servers/ra.conf
>>>>> change RA entry...
## RA "Trustcenter itself" "Help Desk 1" "Help Desk 2"
RA "Melbourne EPP RA"
>>>>> change OU entries...
1.OU "People" "Experimental Particle Physics"
>>>>> change RegistrationAuthority entry...
## RegistrationAuthority "Trustcenter itself" "Help Desk 1" "Help Desk 2"
RegistrationAuthority "Melbourne EPP RA"
>>>>> change mailsender entries...
mailsendername "Melbourne EPP Registration Authority"
mailsenderaddress "ra@epp-ca.ph.unimelb.edu.au"
>>>>> ensure SET_REQUEST_SERIAL_IN_DN is set to "N"...
SET_REQUEST_SERIAL_IN_DN "N"
>>>>> change SET_CERTIFICATE_SERIAL_IN_DN to N to prevent subject changes...
>>>>> this is essential for Grid certificates...
#SET_CERTIFICATE_SERIAL_IN_DN "Y"
SET_CERTIFICATE_SERIAL_IN_DN "N"
> vi /usr/local/openca-ra/OpenCA/etc/servers/pub.conf
>>>>> change RegistrationAuthority entry...
## RegistrationAuthority "Trustcenter itself" "Help Desk 1" "Help Desk 2"
RegistrationAuthority "Melbourne EPP RA"
>>>>> change OU entries...
1.OU "People" "Experimental Particle Physics"
> vi /usr/local/openca-ra/OpenCA/etc/servers/ldap.conf
>>>>> make sure basedn represents the LDAP base subject DNs
basedn "ou=Experimental Particle Physics,o=University of Melbourne,c=AU"
>>>>> Make sure LDAP ?/bin ?/sbin location is correct...
##ldapbasedir "/usr/local/ldap"
ldapbasedir "/usr/local"
> vi /usr/local/openca-ra/OpenCA/lib/servers/ra/certsMail.txt
>>>>> Check LDAP address etc.
> vi /usr/local/openca/OpenCA/lib/servers/ca/sheets/request_pin_mail.msg
> vi /usr/local/openca/OpenCA/lib/servers/ca/sheets/secure_pin_mail.msg
>>>>> Modify and suggest a download location for the file???
*****
NOTE: This section is optional.
You may wish to enable insecure HTTP (ie. not HTTPS) access for downloading
certificates. This will allow non-HTTPS tools such as wget to be used.
> cp /var/www/openca/cgi-bin/pub/pki /var/www/insecuredir/cgi-bin/pki
##############
## Modifications to OpenCA Code (errors)
##############
Notes about file locations:
/usr/local/openca All OpenCA libraries and config
/usr/local/openca-ra All OpenCA RA libs and config
/usr/local/openca/openssl Specific OpenSSL version
/var/www/openca All OpenCA web pages
/var/www/openca/cgi-bin All OpenCA CGI directories
/usr/local/share/perl/5.6.1/OpenCA
/usr/local/lib/perl/5.6.1/auto/OpenCA
*** General problems signing certificates? Then try the following...
> vi /usr/local/openca/OpenCA/lib/functions/crypto-utils.lib
>>>> Lookup the "libIssueCertificate" function insert before line 781
>>>> to display debug statements...
$cryptoShell->{DEBUG} = 1;
>>>> then comment out the "unlink" of the request file...
>>>> modify line 801...
#unlink( "$tmpdir/${ser}.req" );
> vi /usr/local/share/perl/5.6.1/OpenCA/OpenSSL.pm
>>>> Lookup the "issueCert" function for reference.
Look out for the "OpenCA::OpenSSL->issueCert: openssl=" debug statement that
displays the actual OpenSSL command that is run. Run this by hand.
Be sure to take out the "-passin env:pwd" bit so you can type a password!
If you find the problem and succeed in issuing a certificate via the command
line you will have to delete this certificate then do it again through the web
browser...
> vi /usr/local/openca/OpenCA/var/crypto/index.txt
>>>> delete the last entry corresponding to the issued cert
> vi /usr/local/openca/OpenCA/var/crypto/serial
>>>> decrement the counter or serial number
Delete the certificate and request (use the correct serial number!)...
> rm /usr/local/openca/OpenCA/var/crypto/certs/05.pem
> rm /usr/local/openca/OpenCA/var/tmp/05.req
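Undoing a hand-issued certificate means editing OpenSSL's CA database by hand, and a slip (deleting the wrong index line, or decrementing the serial file twice) makes the next certificate reuse a serial number that is already in use. The following Python functions are an added example (not OpenCA code) that perform the index.txt and serial edits described above on the file contents and refuse to act unless the last index entry's serial is exactly one less than the value in the serial file. The index.txt and serial contents are constructed; var_dir is assumed to be /usr/local/openca/OpenCA/var, as in the rm commands above.

```python
# index.txt is tab-separated: status (V/R/E), expiry, revocation date, hex serial, filename, subject.
INDEX_FIELDS = ("status", "expiry", "revoked", "serial", "filename", "subject")

# A constructed index.txt with two valid certificates; the second is the one issued by hand.
SAMPLE_INDEX = (
    "V\t060323120000Z\t\t04\tunknown\t/C=AU/O=University of Melbourne/OU=Experimental Particle Physics/CN=alice\n"
    "V\t060323120500Z\t\t05\tunknown\t/C=AU/O=University of Melbourne/OU=Experimental Particle Physics/CN=test by hand\n"
)
SAMPLE_SERIAL = "06\n"   # the serial file always holds the NEXT serial to be used, in hex


def parse_index_line(line):
    """One index.txt record as a dict; anything other than six tab-separated fields is rejected."""
    fields = line.split("\t")
    if len(fields) != len(INDEX_FIELDS):
        raise ValueError(f"malformed index.txt line: {line!r}")
    return dict(zip(INDEX_FIELDS, fields))


def rollback_last_issue(index_text, serial_text):
    """Drop the last index.txt record and decrement the serial file.
    Refuses unless the record's serial is exactly serial-1 and its status is 'V', because a
    blind decrement in any other state would hand the next certificate a serial already in use.
    Returns (new_index_text, new_serial_text, removed_serial)."""
    lines = [l for l in index_text.splitlines() if l.strip()]
    if not lines:
        raise ValueError("index.txt is empty; nothing to roll back")
    last = parse_index_line(lines[-1])
    next_serial = int(serial_text.strip(), 16)
    if int(last["serial"], 16) != next_serial - 1:
        raise ValueError(f"serial file says next={next_serial:X} but last index entry is {last['serial']}")
    if last["status"] != "V":
        raise ValueError(f"last entry is not a valid certificate (status {last['status']!r})")
    width = len(serial_text.strip())           # keep OpenSSL's even-width hex formatting
    new_serial = format(next_serial - 1, f"0{width}X") + "\n"
    new_index = "".join(l + "\n" for l in lines[:-1])
    return new_index, new_serial, last["serial"]


def files_to_remove(var_dir, serial):
    """Paths of the certificate and request for a serial, laid out as in the rm commands above."""
    return [f"{var_dir}/crypto/certs/{serial}.pem", f"{var_dir}/tmp/{serial}.req"]


if __name__ == "__main__":
    new_index, new_serial, removed = rollback_last_issue(SAMPLE_INDEX, SAMPLE_SERIAL)
    print("removed serial", removed, "- next serial is now", new_serial.strip())
    print("index.txt now:\n" + new_index, end="")
    print("delete:", *files_to_remove("/usr/local/openca/OpenCA/var", removed))
```

Read index.txt and serial, pass their contents through rollback_last_issue, and only then write the results back and remove the two files it names; the consistency check is what protects against running the rollback a second time by mistake.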
*** To prevent infinite mail loop on upload into RA...
> vi /usr/local/openca/OpenCA/lib/functions/mail-utils.lib
>>>>> modified: line 218 of 287
#last if ((scalar @files) >= ($counter+1));
last if ((scalar @files) < ($counter+1));
> vi /usr/local/openca-ra/OpenCA/lib/functions/mail-utils.lib
>>>>> modified: line 218 of 287
#last if ((scalar @files) >= ($counter+1));
last if ((scalar @files) < ($counter+1));
*** To prevent the resending of mail on every import into the RA...
> vi /usr/local/openca-ra/OpenCA/lib/functions/export-import.lib
>>>>> add the backup and restore of the "mailcounter" file in importMails() ...
>>>>> add "system" command lines after line 1714
print addLogSection("Importing the Mails ... ");
system('/bin/cp -f '.getRequired('SENT_MAIL_CRIN_COUNTER').' '.$mail_dir.'/../mailcounter ');
my $ret = `cd $dir; tar -c * | tar -x -C $mail_dir 2>&1`;
if( $? != 0 ) {
print addErrorLog("Cannot copy $dir to $mail_dir!");
print addLogLine( "cd $dir; tar -c * | tar -x -C $mail_dir" );
print closeLogSection ();
return 0;
}
print addLogLine( "Ok." );
system('/bin/mv -f '.$mail_dir.'/../mailcounter '.getRequired('SENT_MAIL_CRIN_COUNTER').' ');
print closeLogSection ();
*** You may need to enable the signing of certificates whose subjects are outside
the specified LDAP root. This enables signing outside of the LDAP BaseDN
specification, and allows such certificates to be entered into the LDAP
directory if their DN falls within a specified list of extra BaseDN entries.
> vi /usr/local/openca-ra/OpenCA/etc/servers/online.conf
> vi /usr/local/openca-ra/OpenCA/etc/servers/ldap.conf
>>>>> Add line after "basedn" line
extrabasedn "ou=People,o=Belle,o=Grid" "ou=Hosts,o=Belle,o=Grid" "ou=Services,o=Belle,o=Grid" "o=BelleTestbed,o=Grid"
> vi /usr/local/openca-ra/OpenCA/lib/functions/ldap-utils.lib
>>>>> added a loop over extraBaseDN entries: line 202
my $basedn = getRequired ('basedn');
my @basednlist = getRequiredList ('extrabasedn');
unshift( @basednlist, $basedn ); my $warning="";
BASEDNLOOP: foreach $basedn (@basednlist) {
### START LOOP OVER BaseDN ###
my $basedn_keep = $basedn;
$ou_counter = 0;
@ou_array = ();
>>>>> modified: lines 278 etc
#print "dn conflicts with basedn\n" if ($DEBUG);
#LDAP_disconnect ( $ldap );
#return { STATUS => 0 ,
# DESC => "Error ( dn conflicts with basedn )",
# CODE => -1 };
$warning .= "WARNING: DN conflicts with basedn '$basedn_keep'\n";
next BASEDNLOOP;
}
>>>>> then modified: modified: line 293 etc
#LDAP_disconnect ( $ldap );
#return { STATUS => 0 ,
# DESC => "Error ( dn is shorter then basedn )",
# CODE => -2 };
$warning .= "WARNING: DN is shorter than basedn '$basedn_keep'\n";
next BASEDNLOOP;
>>>>> then modified: line 302 etc
#return { STATUS => 1, CODE => 0, DESC => "Success" }
# if (!scalar (@dn_array));
if (!scalar (@dn_array)) {
$warning .= "WARNING: DN is same length as basedn '$basedn_keep'\n";
next BASEDNLOOP;
}
>>>>> then modified: line 312
#my $add_dn = getRequired ('basedn');
my $add_dn = $basedn_keep;
>>>>> then add lines at 457, or just before final LDAP_disconnect and return.
$warning=""; last BASEDNLOOP;
### END LOOP OVER BaseDN ###
}
print "Importing '".$cert_dn."' ...".$warning if ($warning);
# If no BaseDN entries match, we still return success to sign cert anyway.
*** To allow the signing/archiving of certs/revs with slash in the DN...
> vi /usr/local/share/perl/5.6.1/OpenCA/X509.pm
>>>>> modified: line 324 so that only slashes preceding attribute names change
# $ret->{DN} =~ s/\/([^=]+)=/, $1=/g;
$ret->{DN} =~ s/\/([A-Za-z0-9-]+)=/, $1=/g;
>>>>> modified: line 327
# $ret->{ISSUER} =~ s/\/([^=]+)=/, $1=/g;
$ret->{ISSUER} =~ s/\/([A-Za-z0-9-]+)=/, $1=/g;
> vi /usr/local/share/perl/5.6.1/OpenCA/REQ.pm
>>>>> modified: line 511
#$ret->{REVOKE_CERTIFICATE_DN} =~ s/\/([^=]+)=/, $1=/g;
$ret->{REVOKE_CERTIFICATE_DN} =~ s/\/([A-Za-z0-9-]+)=/, $1=/g;
> vi /usr/local/openca-ra/OpenCA/lib/functions/ldap-utils.lib
>>>>> modified line (now) 242 [in addLDAPobject]
>>>>> only "NAME=VALUE" followed by "/NAME=" or ",NAME=" is removed
# $h_dn =~ s/^[^\/,]*[\/,]//;
$h_dn =~ s/^ *[A-Za-z0-9-]+=.*?[\/,] *(?=[A-Za-z0-9-]+=)//;
>>>>> and also lines 251 and 252
>>>>> only trailing / or , are removed
# $h_attribute =~ s/\///;
# $h_attribute =~ s/,//;
$h_attribute =~ s/\/$//;
$h_attribute =~ s/,$//;
>>>>> modified line (now) 526 [in addLDAPattribute]
>>>>> only slashes preceding attribute names change to commas "/NAME="
# $dn =~ s/\//,/g;
$dn =~ s/\/(?=[A-Za-z0-9-]+=)/,/g; $dn =~ s/\/ *$//g;
>>>>> modified line (now) 674 [in deleteLDAPattribute]
# $dn =~ s/\//,/g;
$dn =~ s/\/(?=[A-Za-z0-9-]+=)/,/g; $dn =~ s/\/ *$//g;
NOTE: This would probably work without modification on OpenSSL versions that
return slash "/" separators. However, many OpenSSL versions return comma ","
separators. This modification should allow all OpenSSL versions to work!
NOTE2: This will probably come up often and you should check all scripts
for the above sort of substitution. eg. grep 's/\/' *
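The changes to ldap-utils.lib and X509.pm above do two things: they try each extrabasedn in turn before giving up on a certificate DN, and they swap the DN separator only where a slash precedes an attribute name. The following Python functions are an added example (not OpenCA's code, and not a drop-in for it) that implement both pieces of logic with the same regular expressions, so they can be tried on sample DNs outside the web interface; the original first-RDN regex is included for comparison. One point the separator swap alone does not cover: OpenSSL's default one-line subject lists RDNs root-first, while an LDAP DN (RFC 2253) is leaf-first, so the example also reverses the RDN order for slash-separated input. All DNs are constructed; the base DNs mirror those used earlier in these notes.

```python
import re

ATTR = r"[A-Za-z0-9-]+"          # attribute type name, as in the patched OpenCA regexes
MESSAGES = {"conflict": "conflicts with", "shorter": "is shorter than", "same": "is same length as"}


def swap_separators(dn):
    """Turn '/' into ',' only where the '/' is immediately followed by 'NAME=' (the lookahead
    the patches above use), so a '/' inside a value such as CN=host/ldap.example.org survives.
    A trailing '/' and a leading separator are dropped.  Limitation: a value that itself
    contains '/NAME=' is still split."""
    s = re.sub(rf"/(?={ATTR}=)", ",", dn)
    s = re.sub(r"/ *$", "", s)
    return s.lstrip(", ")


def openssl_to_ldap_dn(dn):
    """Slash input ('/C=AU/O=.../CN=x') is root-first: swap separators AND reverse it.
    Comma-separated input is assumed to be leaf-first already and is only tidied."""
    rdns = [r.strip() for r in swap_separators(dn).split(",")]
    if dn.lstrip().startswith("/"):
        rdns.reverse()
    return ",".join(rdns)


def strip_first_rdn(dn):
    """The addLDAPobject change: remove the leading 'NAME=VALUE' up to the next ',NAME=' or
    '/NAME=' separator, rather than up to the first ',' or '/' wherever it appears."""
    return re.sub(rf"^ *{ATTR}=.*?[/,] *(?={ATTR}=)", "", dn, count=1)


def strip_first_rdn_old(dn):
    """The original OpenCA line, for comparison: cuts at the first '/' or ',' regardless of what follows."""
    return re.sub(r"^[^/,]*[/,]", "", dn, count=1)


def classify_against_base(dn, basedn):
    """Mirror the per-basedn checks in ldap-utils.lib: 'shorter', 'conflict', 'same' or 'ok',
    with the RDNs that sit below the base on success."""
    d = openssl_to_ldap_dn(dn).split(",")
    b = openssl_to_ldap_dn(basedn).split(",")
    if len(d) < len(b):
        return "shorter", []
    if [x.lower() for x in d[-len(b):]] != [x.lower() for x in b]:
        return "conflict", []
    below = d[:-len(b)]
    return ("ok", below) if below else ("same", [])


def choose_basedn(dn, basedn, extrabasedn):
    """The BASEDNLOOP added above: try basedn, then each extrabasedn, and stop at the first
    that holds the DN (warnings discarded, as $warning="" on success); otherwise return them."""
    warnings = []
    for base in [basedn, *extrabasedn]:
        status, below = classify_against_base(dn, base)
        if status == "ok":
            return base, below, []
        warnings.append(f"WARNING: DN {MESSAGES[status]} basedn '{base}'")
    return None, [], warnings


if __name__ == "__main__":
    # Constructed inputs mirroring the base DNs used in these notes.
    EPP = "ou=Experimental Particle Physics,o=University of Melbourne,c=AU"
    EXTRA = ["ou=People,o=Belle,o=Grid", "ou=Hosts,o=Belle,o=Grid", "ou=Services,o=Belle,o=Grid"]
    for subj in ["/O=Grid/O=Belle/OU=Services/CN=host/ldap.example.org",
                 "CN=Alice,OU=People,O=Belle,O=Grid",
                 "/O=Grid/O=BelleTestbed/CN=bob"]:
        print(openssl_to_ldap_dn(subj), "->", choose_basedn(subj, EPP, EXTRA))
```

The host-certificate DN in the sample is the case the page's regex change is for: the old first-RDN regex cuts it at the slash inside the CN value and leaves "ldap.example.org,OU=Services,..." behind, while the lookahead form removes exactly one RDN. The last sample DN matches none of the bases and comes back with one warning per base, which is the situation where the patched code still signs the certificate but does not publish it to LDAP.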
##############
## Initialise OpenCA and RAServer
##############
*****
From a web browser now access the CA site:
user=ca password=???
Click CA-Management:Initialization and then work through the options:
* Initialize the Certificate Authority
* Initialize Database (then Back)
* Generate new CA secret key (use defaults) (then Back)
* Generate new CA Certificate Request (then Back)
Email=ra@epp-ca.ph.unimelb.edu.au
CN=epp-ca.ph.unimelb.edu.au
OU=Experimental Particle Physics
O=University of Melbourne
C=AU
* Generate Self Signed CA Certificate (1825 days = 5 years)
[Of course, you could export your request and get it signed.]
NOTE: At this point you can copy your original backed up certificates
over the existing ones, if you are reinstalling.
> cp cakey.pem /usr/local/openca/OpenCA/var/crypto/keys
> cp careq.pem /usr/local/openca/OpenCA/var/crypto/reqs
> cp cacert.der /usr/local/openca/OpenCA/var/crypto/cacerts
> cp cacert.pem /usr/local/openca/OpenCA/var/crypto/cacerts
> cp cacert.pem /usr/local/openca/OpenCA/var/crypto/chain/cacert.crt
* Rebuild CA Chain
* Export Configuration
Click CA-Management:Initialization and then work through the options:
* Create the initial administrator
* Create a new request
Make sure Role is "CA Operator".
Click CA-Management:Initialization and then work through the options:
* Create the initial administrator
* Issue the certificate
Click CA-Management:Initialization and then work through the options:
* Create the initial administrator
* Handle the Certificate
-> Certificate and Keypair: PKCS#12 -> Download
Save as "caadmin.p12" or something. Import into your Browser.
Click CA-Management:Initialization and then work through the options:
* Create the initial RA certificate
* Create a new request
Make sure Role is "RA Operator".
Click CA-Management:Initialization and then work through the options:
* Create the initial RA certificate
* Issue the certificate
Click CA-Management:Initialization and then work through the options:
* Create the initial RA certificate
* Handle the Certificate
-> Certificate and Keypair: PKCS#12 -> Download
Save as "raadmin.p12" or something. Import into your Browser.
*****
From a web browser now access the RA site:
user=ra password=???
Click Administration:RAServer Admin
Click Administration:RAServer Init then the following
* Initialize Database
* Import Configuration
*****
From a web browser now access the Public site:
Click Init: Get CA certificate. Import into your Browser.
*****
From a web browser now access the CA site:
Click CA-Management:Input and Output
* Export Certs
*****
From a web browser now access the RA site:
Click Administration:RAServer Admin
Click Administration:Input and Output then the following
* Import Certs
* Delete Temp Files
*****
ERRORS:
Error 700
General Error. Cannot convert PEM-certificate and PKCS#8-key to
PKCS#12-formatted file!
This is caused by a mistyped password. When downloading a
certificate you will be prompted for the "User Password".
This is the password on the request, not the admin password!
##############
## Adding a new Role or Certificate Type (such as Grid Cert)
##############
From a web browser now access the CA site:
Click CA-Management:Configuration
* Roles
* Add a role
* Type "Grid Cert" or the name of the new role
On the CA host tailor the Role to suit your needs...
> vi /usr/local/openca/OpenCA/etc/openssl/openssl/Grid_Cert.conf
>>>>> change "countryName" to optional under policy_match
[ policy_match ]
countryName = optional
>>>>> comment out "subjectAltName" entry to ignore missing email address
# Include email address in subject alt name: another PKIX recommendation
###subjectAltName=email:copy
> vi /usr/local/openca/OpenCA/etc/openssl/extfiles/Grid_Cert.ext
>>>>> comment out "subjectAltName" entry to ignore missing email address
###subjectAltName=${ENV::subjectAltName}
From a web browser now access the CA site:
Click CA-Management:Input and Output
* Export Configuration
From a web browser now access the RA site:
Click Administration:RAServer Admin
Click Administration:Input and Output then the following
* Import Configuration
#############
### How to Sign a Certificate
#############
Public interface
* Request a Certificate
* Server Request ? (for PKCS#10 PEM formatted certs)
* Select a role of 'User' or 'Grid Cert'
RAServer interface
* Requests -> Pending Requests
* Choose RA 'Melbourne EPP RA' and Continue...
* (select certificate)
* Edit Request? (check for type 'Grid Cert' or 'User')
* Approve and Sign Request
* Sign Request (with RA Server user certificate)
* RAServer Admin -> Input and Output
* EXPORT All
CAServer interface
* Input and Output
* IMPORT All
* Certificate Requests -> Approved Requests
* (select certificate)
* Issue Certificate
* Input and Output
* EXPORT Certs
RAServer interface
* RAServer Admin -> Input and Output
* IMPORT Certs
* Delete Temp Files
* Registration Authority -> (get out of "RAServer Admin")
* Certificates -> Valid Certs (see if the certificate is there)
Public interface
* Valid Certificates List (select the certificate)
* Download the certificate (right click then Save As...)
OR (to download the PEM file)
cgi-bin/pub/pki?cmd=send_email_cert;type=other;key=
*****
ERRORS:
Problem with request!
- Try deleting any double-quoted data within the request file. ***
Request must be signed. (Then forwards on to error page.)
Did you remember to import the CA certificate into your browser?
Error 6757: General Error. Error while storing the request's serial in cert-object.
- The openssl command is failing for some reason and is not producing
an output certificate. This could possibly be because you are signing
a Grid certificate (or one without email address) and the requested
role of the certificate still has "subjectAltName" entries in the
ROLE.conf and ROLE.ext OpenSSL config files. See the section on
adding new roles.
##############
### Creating a custom CA homepage.
##############
You can create a custom CA homepage in the root directory of the CA
web site. This can then link into the requests page like so...
Click here to fill in a Grid certificate request form!
##############
### Standard User/Host certificate request
##############
This is how to generate a standard user/host certificate request...
> openssl genrsa -des3 -out user.key 2048
> openssl req -new -key user.key -out user.csr
Send user.csr to the certificate authority.
The CA should then follow the "How to Sign a Certificate" section above.
Type the following URL to download the certificate in PEM format
(with correct serial no.):
>> cgi-bin/pub/pki?cmd=send_email_cert;type=other;key=
##############
### Globus User Certificate
##############
This is the same as a user certificate with the difference that the
role must be "Grid Cert" or a role that does not require a country and
email address in the certificate! See the section on adding a new Role.
Following the globus instruction to create a user request...
> source /data/1/grid/cshrc_general
**OR**
> . /data/1/grid/shrc_general
> grid-cert-request
Submit the request file ~/.globus/usercert_request.pem to the CA as
a "server" generated request (ie. not Netscape or IE).
Specify a "Grid Cert" as the role or type.
Type the following URL to download the certificate in PEM format
(with correct serial no.):
>> cgi-bin/pub/pki?cmd=send_email_cert;type=other;key=
To verify the certificate with the CA public key (on the certificate auth):
> openssl verify -CAfile /usr/local/OpenCA/cacert.pem usercert.pem
NOTE: This file should eventually be located in ~/.globus/usercert.pem
##############
### Revoking a Certificate
##############
In some cases you may need to revoke a certificate, for example if a user loses
their password or believes their certificate is insecure.
RAServer interface
* Certificates -> Valid Certs (see if the certificate is there)
* (select certificate)
* Revoke button
* Type reason for revocation. (eg. key compromise)
* RAServer Admin -> Input and Output
* EXPORT All
CAServer interface
* Input and Output
* IMPORT All
* Approved Revocation Requests
* (select certificate)
* Revoke Certificate
* Issue new CRL (Validity period 90 days)
* Input and Output
* EXPORT CRLs
RAServer interface
* RAServer Admin -> Input and Output
* IMPORT CRLs
* Registration Authority -> (get out of "RAServer Admin")
* CRLs
* (select latest version)
* (see if your certificate serial is there)
Public interface
* Certificate Revocation Lists
* OpenCA's CRL (you can download PEM format)
crl/cacrl.pem
##############
### Renewing a Certificate
##############
Unfortunately you cannot renew a certificate with the current version of
OpenCA. There is a bit of a work around however...
*** Submit the renewal request as a normal request...
Public interface
* Request a Certificate
* Server Request ? (for PKCS#10 PEM formatted certs)
* Select a role of 'User' or 'Grid Cert'
*** Revoke the existing certificate with the same subject
RAServer interface
* Certificates -> Valid Certs (see if the certificate is there)
* (select certificate)
* Revoke button
* Type reason for revocation. (eg. key compromise)
*** Modify the certificate request making sure the Role and Distinguished names
are correct. Often the DN will have a prefix/postfix which can be removed
by hand. (eg. Grid certs attach a CN=proxy)
RAServer interface
* Requests -> Pending Requests
* Choose RA 'Melbourne EPP RA' and Continue...
* (select certificate)
* Edit Request
* check for type 'Grid Cert' or 'User'
* check that DN matches original certificate
* RAServer Admin -> Input and Output
* EXPORT All
*** From this point on carry out the revocation then the approval of the
certificate within the CA system (as normal). Remember to revoke first!
CAServer interface
* Input and Output
* Approved Revocation Requests
* (select certificate)
* Revoke Certificate
* Issue new CRL (Validity period 90 days)
* Certificate Requests -> Approved Requests
* (select certificate)
* Issue Certificate
* Input and Output
* EXPORT CRLs
RAServer interface
* RAServer Admin -> Input and Output
* IMPORT CRLs
CAServer interface
* Input and Output
* EXPORT Certs
RAServer interface
* RAServer Admin -> Input and Output
* IMPORT Certs
*** The user should then download this as a file "newcert.pem" and replace their old
cert with this file, and their old key with the new key file "newkey.pem".
Public interface
* Valid Certificates List (select the certificate)
* Download the certificate (right click then Save As...)
OR (to download the PEM file)
cgi-bin/pub/pki?cmd=send_email_cert;type=other;key=
#############
### To Reinstall OpenCA
#############
To preserve the existing server certificate keep a copy of the following
files somewhere safe:
> cp -a /usr/local/openca/OpenCA/var var-ca
> cp -a /usr/local/openca-ra/OpenCA/var var-ra
You may also want to preserve these files to put back after install if
installing the same version again (these have been modified by above steps)...
> cp /var/www/openca/.htpasswd htpasswd
> cp /var/www/openca/ca/.htaccess htaccess-ca
> cp /var/www/openca/ra/.htaccess htaccess-ra
> cp /usr/local/openca/OpenCA/etc/servers/ca.conf .
> cp /usr/local/openca-ra/OpenCA/etc/servers/online.conf .
> cp /usr/local/openca-ra/OpenCA/etc/servers/ra.conf .
> cp /usr/local/openca-ra/OpenCA/etc/servers/pub.conf .
> cp /usr/local/openca-ra/OpenCA/etc/servers/ldap.conf .
> cp /usr/local/openca-ra/OpenCA/lib/servers/ra/certsMail.txt .
> cp /usr/local/openca-ra/OpenCA/lib/functions/mail-utils.lib .
> cp /usr/local/openca-ra/OpenCA/lib/functions/export-import.lib .
> cp /usr/local/openca-ra/OpenCA/lib/functions/ldap-utils.lib .
> cp /usr/local/share/perl/5.6.1/OpenCA/X509.pm .
For added safety, back up the original installation...
> mv /usr/local/openca /usr/local/openca.OLD90
> mv /usr/local/openca-ra /usr/local/openca-ra.OLD90
> mv /var/www/openca /var/www/openca.OLD90
> mv /usr/local/share/perl/5.6.1/OpenCA /usr/local/share/perl/5.6.1/OpenCA.OLD90
> mv /usr/local/lib/perl/5.6.1/auto/OpenCA /usr/local/lib/perl/5.6.1/auto/OpenCA.OLD90
To reinstall OpenCA from scratch you need to do the following first:
> rm -R /usr/local/openca
> rm -R /usr/local/openca-ra
> rm -R /var/www/openca/*
> rm /tmp/openca-*
You can then go back to the build steps...
> cd openssl-0.9.8
> make clean
> mkdir -p /usr/local/openca/openssl
> make install
> cd openca-0.9.0
> gmake clean
Then redo the make and installation procedure.
To reinstate the modified code...
NOTE: This is only recommended if you are installing the same version.
> cp mail-utils.lib /usr/local/openca/OpenCA/lib/functions/
> cp mail-utils.lib /usr/local/openca-ra/OpenCA/lib/functions/
> cp export-import.lib /usr/local/openca-ra/OpenCA/lib/functions/
> cp ldap-utils.lib /usr/local/openca-ra/OpenCA/lib/functions/
> cp X509.pm /usr/local/share/perl/5.6.1/OpenCA/
To reinstate the modified configuration files...
NOTE: This is only recommended if you are installing the same version.
> cp ca.conf /usr/local/openca/OpenCA/etc/servers/
> cp online.conf /usr/local/openca-ra/OpenCA/etc/servers/
> cp ra.conf /usr/local/openca-ra/OpenCA/etc/servers/
> cp pub.conf /usr/local/openca-ra/OpenCA/etc/servers/
> cp ldap.conf /usr/local/openca-ra/OpenCA/etc/servers/
> cp certsMail.txt /usr/local/openca-ra/OpenCA/lib/servers/ra/
> cp htpasswd /var/www/openca/.htpasswd
> cp htaccess-ca /var/www/openca/ca/.htaccess
> cp htaccess-ca /var/www/openca/cgi-bin/ca/.htaccess
> cp htaccess-ra /var/www/openca/ra/.htaccess
> cp htaccess-ra /var/www/openca/cgi-bin/ra/.htaccess
> cp htaccess-ra /var/www/openca/ldap/.htaccess
> cp htaccess-ra /var/www/openca/cgi-bin/ldap/.htaccess
To reinstate the configuration, databases, and certificates...
NOTE: This is only recommended if you are installing the same version.
> mv /usr/local/openca/OpenCA/var /usr/local/openca/OpenCA/var.OLD
> cp -a var-ca /usr/local/openca/OpenCA/var
> mv /usr/local/openca-ra/OpenCA/var /usr/local/openca-ra/OpenCA/var.OLD
> cp -a var-ra /usr/local/openca-ra/OpenCA/var
############################
### OpenSSL Example Commands
############################
Create a self signed certificate for apache HTTPS access:
> openssl req -new -x509 -nodes -out epp-ca.pem -keyout epp-ca.pem
To create a key and certificate request file in one step (-config might not be required)
(.csr and .key files are in PEM format)
> openssl req -new -keyout user.key -out user.csr -days 360 -config /usr/local/OpenCA/conf/openssl/openssl.cnf
To create the key and the certificate request file separately (this way you can
specify the size of the key):
> openssl genrsa -des3 -out user.key 2048
> openssl req -new -key user.key -out user.csr
Create a certificate request from an existing key:
> openssl req -new -key somekey.pem -out somereq.pem
To sign a certificate request file as a CA (-config might not be required)
(.crt and .csr files are in PEM format)
> /usr/local/OpenCA/openssl ca -out user.crt -days 360 -config /usr/local/OpenCA/conf/openssl/openssl.cnf -infiles user.csr
To sign a certificate request file as a CA with a specified config, CA key,
extensions file and PEM cert request, preserving the Distinguished Name (required
if there are unusual chars in the DN):
> /usr/local/OpenCA/openssl ca -batch -config /usr/local/OpenCA/conf/openssl/openssl.cnf -keyfile /usr/local/OpenCA/private/cakey.pem -extfile /usr/local/OpenCA/conf/openssl/extfiles/Server_Certificate.ext -preserveDN -in /usr/local/OpenCA/tmp/07.req
To convert a certificate from PEM to PKCS12 (Netscape format)
(.crt and .key files are in PEM format)
> /usr/local/OpenCA/openssl pkcs12 -export -in user.crt -inkey user.key -out user.p12
To get the key and certificate and CA certificate from a PKCS12 file
> openssl pkcs12 -in RAServerUser.p12 -out RAServerUser.key.pem -nocerts
> openssl pkcs12 -in RAServerUser.p12 -out RAServerUser.crt.pem -nokeys -clcerts
> openssl pkcs12 -in RAServerUser.p12 -out CA.crt.pem -nokeys -cacerts
To create a PKCS12 file from your key and certificate and CA certificate files
> openssl pkcs12 -export -out LyleWinton-Grid.p12 -inkey ~/.globus/userkey.pem -certfile /etc/grid-security/certificates/42864e48.0 < ~/.globus/usercert.pem
> openssl pkcs12 -in LyleWinton-Grid.p12 -noout -info
To get the text description of a certificate
> openssl x509 -text -in RAServerUser.crt.pem -noout
To get the hash of a certificate (sometimes needed for CA certificate filenames)
> openssl x509 -in /usr/local/OpenCA/cacert.pem -hash -noout
To verify that a certificate was signed by a given CA:
> openssl verify -CAfile /usr/local/OpenCA/cacert.pem usercert.crt
To verify that a key/certificate pair match, print the modulus of each; the two
values printed must be identical:
For RSA keys (check the first line of the key file to see which type it is)...
> openssl rsa -in mykey.pem -noout -modulus
For DSA keys...
> openssl dsa -in mykey.pem -noout -modulus
> openssl x509 -in mycert.pem -noout -modulus
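A small POSIX-sh wrapper around the modulus comparison and the -CAfile verification above, added here as an example and not part of the original notes: it picks openssl rsa or openssl dsa from the key file's first line, refuses to report a match when either file fails to parse (an empty modulus would otherwise compare equal to another empty modulus), and wraps openssl verify. The function and file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes): does this private key belong to
# this certificate, and does the certificate chain to the given CA file?
# Usage: keycert_match KEYFILE CERTFILE ; verify_chain CAFILE CERTFILE
# Both return 0 on success and 1 otherwise.

key_modulus() {
    # The first line of a PEM key file names its type, so choose the matching
    # openssl subcommand (as the notes above do by hand).
    case "$(head -n 1 "$1")" in
        *"DSA PRIVATE KEY"*) openssl dsa -in "$1" -noout -modulus 2>/dev/null ;;
        *)                   openssl rsa -in "$1" -noout -modulus 2>/dev/null ;;
    esac
}

cert_modulus() {
    openssl x509 -in "$1" -noout -modulus 2>/dev/null
}

keycert_match() {
    k=$(key_modulus "$1") || return 1
    c=$(cert_modulus "$2") || return 1
    # Empty output means openssl could not parse the file: never call that a match.
    [ -n "$k" ] && [ -n "$c" ] && [ "$k" = "$c" ]
}

verify_chain() {
    # Same check as "openssl verify -CAfile CAFILE CERT"; quiet, exit status only.
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```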