tag:old.nabble.com,2006:forum-3689Nabble - OpenCA2009-11-28T18:20:48ZThe OpenCA PKI Development Project is a collaborative effort to develop a robust, full-featured and Open Source out-of-the-box Certification Authority implementing the most used protocols with full-strength cryptography world-wide. OpenCA home is <a href="http://sourceforge.net/projects/openca/" target="_top" rel="nofollow">here</a>.tag:old.nabble.com,2006:post-26558851Re: Expired list doesn't show2009-11-28T18:20:48Z2009-11-28T18:20:48ZSamuel Rios Carvalhohello Ralf<br><br>please, don't forget to see the problem in this weekend.<br><br>thanks.<br><br clear="all">Samuel Rios Carvalho<br>
<br><br><div class="gmail_quote">On Thu, Nov 26, 2009 at 2:25 PM, Ralf Hornik Mailings <span dir="ltr"><<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26558851&i=0" target="_top" rel="nofollow">ralf@...</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="im">Samuel Rios Carvalho <<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26558851&i=1" target="_top" rel="nofollow">nhawkbr@...</a>> wrote:<br>
<br>
</div><div class="im"><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
I think that in status like should be REVOKED, but I don't know where I can<br>
change it.<br>
</blockquote>
<br></div>
The database shows EXPIERD in the status field of certificate:<br>
<br>
select status,dn,date(notafter),time(notafter) from certificate where status = 'EXPIRED';<br>
<br>
So cmdlistCerts doesn't seem to do the correct query.<br>
I will try to fix that on this weekend.<br><font color="#888888">
<br>
Ralf<br>
<br>
<br>
</font></blockquote></div><br>
<br />------------------------------------------------------------------------------
<br>Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
<br>trial. Simplify your report design, integration and deployment - and focus on
<br>what you do best, core application coding. Discover what's new with
<br>Crystal Reports now. <a href="http://p.sf.net/sfu/bobj-july" target="_top" rel="nofollow">http://p.sf.net/sfu/bobj-july</a><br />_______________________________________________
<br>Openca-Users mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26558851&i=2" target="_top" rel="nofollow">Openca-Users@...</a>
<br><a href="https://lists.sourceforge.net/lists/listinfo/openca-users" target="_top" rel="nofollow">https://lists.sourceforge.net/lists/listinfo/openca-users</a><br><p>From forum: <a href="http://old.nabble.com/openca-users-f3692.html" embed="fixTarget[3692]" target="_top" >openca-users</a></p>tag:old.nabble.com,2006:post-26532831Re: Expired list doesn't show2009-11-26T09:42:50Z2009-11-26T09:42:50ZSamuel Rios Carvalhoyes,<br><br>sorry, I make a mistake speaking about REVOKED, the correct is EXPIRED.<br><br>I'm waiting your fix.<br><br>thanks<br><br><br clear="all">Samuel Rios Carvalho<br>
<br><br><div class="gmail_quote">On Thu, Nov 26, 2009 at 2:25 PM, Ralf Hornik Mailings <span dir="ltr"><<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26532831&i=0" target="_top" rel="nofollow">ralf@...</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="im">Samuel Rios Carvalho <<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26532831&i=1" target="_top" rel="nofollow">nhawkbr@...</a>> wrote:<br>
<br>
</div><div class="im"><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
I think that in status like should be REVOKED, but I don't know where I can<br>
change it.<br>
</blockquote>
<br></div>
The database shows EXPIERD in the status field of certificate:<br>
<br>
select status,dn,date(notafter),time(notafter) from certificate where status = 'EXPIRED';<br>
<br>
So cmdlistCerts doesn't seem to do the correct query.<br>
I will try to fix that on this weekend.<br><font color="#888888">
<br>
Ralf<br>
<br>
<br>
</font></blockquote></div><br>
<br />------------------------------------------------------------------------------
<br>Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
<br>trial. Simplify your report design, integration and deployment - and focus on
<br>what you do best, core application coding. Discover what's new with
<br>Crystal Reports now. <a href="http://p.sf.net/sfu/bobj-july" target="_top" rel="nofollow">http://p.sf.net/sfu/bobj-july</a><br />_______________________________________________
<br>Openca-Users mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26532831&i=2" target="_top" rel="nofollow">Openca-Users@...</a>
<br><a href="https://lists.sourceforge.net/lists/listinfo/openca-users" target="_top" rel="nofollow">https://lists.sourceforge.net/lists/listinfo/openca-users</a><br><p>From forum: <a href="http://old.nabble.com/openca-users-f3692.html" embed="fixTarget[3692]" target="_top" >openca-users</a></p>tag:old.nabble.com,2006:post-26531803Re: Expired list doesn't show2009-11-26T08:25:05Z2009-11-26T08:25:05ZRalf Hornik MailingsSamuel Rios Carvalho <<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26531803&i=0" target="_top" rel="nofollow">nhawkbr@...</a>> wrote:
<br><br>> I think that in status like should be REVOKED, but I don't know where I can
<br>> change it.
<br><br>The database shows EXPIERD in the status field of certificate:
<br><br>select status,dn,date(notafter),time(notafter) from certificate where
<br>status = 'EXPIRED';
<br><br>So cmdlistCerts doesn't seem to do the correct query.
<br>I will try to fix that on this weekend.
<br><br>Ralf
<br><br><br><br>------------------------------------------------------------------------------
<br>Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
<br>trial. Simplify your report design, integration and deployment - and focus on
<br>what you do best, core application coding. Discover what's new with
<br>Crystal Reports now. <a href="http://p.sf.net/sfu/bobj-july" target="_top" rel="nofollow">http://p.sf.net/sfu/bobj-july</a><br>_______________________________________________
<br>Openca-Users mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26531803&i=1" target="_top" rel="nofollow">Openca-Users@...</a>
<br><a href="https://lists.sourceforge.net/lists/listinfo/openca-users" target="_top" rel="nofollow">https://lists.sourceforge.net/lists/listinfo/openca-users</a><br><p>From forum: <a href="http://old.nabble.com/openca-users-f3692.html" embed="fixTarget[3692]" target="_top" >openca-users</a></p>tag:old.nabble.com,2006:post-26531567Re: Expired list doesn't show2009-11-26T08:08:59Z2009-11-26T08:08:59ZSamuel Rios CarvalhoI found this query in my mysql's log to show REVOKED certificates<br><br>select * from openca.certificate where (cert_key >= '0' ) and (status like 'VALID') and (notafter < '20091126160813' ) order by cert_key LIMIT 25<br>
<br>I think that in status like should be REVOKED, but I don't know where I can change it.<br><br><br clear="all">Samuel Rios Carvalho<br>
<br><br><div class="gmail_quote">On Thu, Nov 26, 2009 at 12:23 PM, Samuel Rios Carvalho <span dir="ltr"><<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26531567&i=0" target="_top" rel="nofollow">nhawkbr@...</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hello,<br><br>exactly 1 year I'm using OpenCA.<br><br>Then, yesterday my first certificate expired. In EXPIRED Certificate List doesn't show.<br><br>I think it a little bug, please confirm.<br><font color="#888888"><br clear="all">
Samuel Rios Carvalho<br>
</font></blockquote></div><br>
<br />------------------------------------------------------------------------------
<br>Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
<br>trial. Simplify your report design, integration and deployment - and focus on
<br>what you do best, core application coding. Discover what's new with
<br>Crystal Reports now. <a href="http://p.sf.net/sfu/bobj-july" target="_top" rel="nofollow">http://p.sf.net/sfu/bobj-july</a><br />_______________________________________________
<br>Openca-Users mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26531567&i=1" target="_top" rel="nofollow">Openca-Users@...</a>
<br><a href="https://lists.sourceforge.net/lists/listinfo/openca-users" target="_top" rel="nofollow">https://lists.sourceforge.net/lists/listinfo/openca-users</a><br><p>From forum: <a href="http://old.nabble.com/openca-users-f3692.html" embed="fixTarget[3692]" target="_top" >openca-users</a></p>tag:old.nabble.com,2006:post-26530153Expired list doesn't show2009-11-26T06:23:14Z2009-11-26T06:23:14ZSamuel Rios CarvalhoHello,<br><br>exactly 1 year I'm using OpenCA.<br><br>Then, yesterday my first certificate expired. In EXPIRED Certificate List doesn't show.<br><br>I think it a little bug, please confirm.<br><br clear="all">Samuel Rios Carvalho<br>
<br />------------------------------------------------------------------------------
<br>Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
<br>trial. Simplify your report design, integration and deployment - and focus on
<br>what you do best, core application coding. Discover what's new with
<br>Crystal Reports now. <a href="http://p.sf.net/sfu/bobj-july" target="_top" rel="nofollow">http://p.sf.net/sfu/bobj-july</a><br />_______________________________________________
<br>Openca-Users mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26530153&i=0" target="_top" rel="nofollow">Openca-Users@...</a>
<br><a href="https://lists.sourceforge.net/lists/listinfo/openca-users" target="_top" rel="nofollow">https://lists.sourceforge.net/lists/listinfo/openca-users</a><br><p>From forum: <a href="http://old.nabble.com/openca-users-f3692.html" embed="fixTarget[3692]" target="_top" >openca-users</a></p>tag:old.nabble.com,2006:post-26519175Fwd: IDtrust peer-reviewed paper deadline extended to Dec 202009-11-25T11:50:26Z2009-11-25T11:50:26ZMassimiliano Pala-3FYI.
<br><br> -- Max
<br><br><br>-------- Original Message --------
<br>Subject: IDtrust peer-reviewed paper deadline extended to Dec 20
<br>Date: Wed, 25 Nov 2009 10:53:04 -0700
<br>From: Neal McBurnett <<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26519175&i=0" target="_top" rel="nofollow">neal@...</a>>
<br>To: <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26519175&i=1" target="_top" rel="nofollow">MW-PKIPrgmCommittee@...</a>
<br><br>Thanks to everyone for quick responses and good conversation around
<br>the date extension. Based on overwhelming support I've updated the
<br>web site, extending the deadline for peer-reviewed papers to Dec 20th:
<br><br> <a href="http://middleware.internet2.edu/idtrust/2010/" target="_top" rel="nofollow">http://middleware.internet2.edu/idtrust/2010/</a><br><br>I hope you can take a moment to share that with your colleagues and
<br>encourage them to submit a paper, and also to propose a panel.
<br><br>The panel proposal deadline is Jan 24 but we'd love to hear ideas
<br>earlier. Radia Perlman is the panels chair. At this point we're
<br>looking for folks who will step forward to gather participants and
<br>coordinate an interesting, relevant panel.
<br><br>Cheers, and happy Thanksgiving!
<br><br>Neal McBurnett <a href="http://neal.mcburnett.org/" target="_top" rel="nofollow">http://neal.mcburnett.org/</a><br><br><br><br /> <br />------------------------------------------------------------------------------
<br>Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
<br>trial. Simplify your report design, integration and deployment - and focus on
<br>what you do best, core application coding. Discover what's new with
<br>Crystal Reports now. <a href="http://p.sf.net/sfu/bobj-july" target="_top" rel="nofollow">http://p.sf.net/sfu/bobj-july</a><br />_______________________________________________
<br>OpenCA-Devel mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26519175&i=2" target="_top" rel="nofollow">OpenCA-Devel@...</a>
<br><a href="https://lists.sourceforge.net/lists/listinfo/openca-devel" target="_top" rel="nofollow">https://lists.sourceforge.net/lists/listinfo/openca-devel</a><br><div class="small"><br/><img src="http://old.nabble.com/images/icon_attachment.gif" > <strong>smime.p7s</strong> (4K) <a href="http://old.nabble.com/attachment/26519175/0/smime.p7s" target="_top">Download Attachment</a></div><p>From forum: <a href="http://old.nabble.com/openca-devel-f3691.html" embed="fixTarget[3691]" target="_top" >openca-devel</a></p>tag:old.nabble.com,2006:post-26519171Fwd: IDtrust peer-reviewed paper deadline extended to Dec 202009-11-25T11:50:19Z2009-11-25T11:50:19ZMassimiliano Pala-3FYI.
<br><br> -- Max
<br><br><br>-------- Original Message --------
<br>Subject: IDtrust peer-reviewed paper deadline extended to Dec 20
<br>Date: Wed, 25 Nov 2009 10:53:04 -0700
<br>From: Neal McBurnett <<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26519171&i=0" target="_top" rel="nofollow">neal@...</a>>
<br>To: <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26519171&i=1" target="_top" rel="nofollow">MW-PKIPrgmCommittee@...</a>
<br><br>Thanks to everyone for quick responses and good conversation around
<br>the date extension. Based on overwhelming support I've updated the
<br>web site, extending the deadline for peer-reviewed papers to Dec 20th:
<br><br> <a href="http://middleware.internet2.edu/idtrust/2010/" target="_top" rel="nofollow">http://middleware.internet2.edu/idtrust/2010/</a><br><br>I hope you can take a moment to share that with your colleagues and
<br>encourage them to submit a paper, and also to propose a panel.
<br><br>The panel proposal deadline is Jan 24 but we'd love to hear ideas
<br>earlier. Radia Perlman is the panels chair. At this point we're
<br>looking for folks who will step forward to gather participants and
<br>coordinate an interesting, relevant panel.
<br><br>Cheers, and happy Thanksgiving!
<br><br>Neal McBurnett <a href="http://neal.mcburnett.org/" target="_top" rel="nofollow">http://neal.mcburnett.org/</a><br><br><br><br /> <br />------------------------------------------------------------------------------
<br>Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
<br>trial. Simplify your report design, integration and deployment - and focus on
<br>what you do best, core application coding. Discover what's new with
<br>Crystal Reports now. <a href="http://p.sf.net/sfu/bobj-july" target="_top" rel="nofollow">http://p.sf.net/sfu/bobj-july</a><br />_______________________________________________
<br>Openca-Users mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26519171&i=2" target="_top" rel="nofollow">Openca-Users@...</a>
<br><a href="https://lists.sourceforge.net/lists/listinfo/openca-users" target="_top" rel="nofollow">https://lists.sourceforge.net/lists/listinfo/openca-users</a><br><div class="small"><br/><img src="http://old.nabble.com/images/icon_attachment.gif" > <strong>smime.p7s</strong> (4K) <a href="http://old.nabble.com/attachment/26519171/0/smime.p7s" target="_top">Download Attachment</a></div><p>From forum: <a href="http://old.nabble.com/openca-users-f3692.html" embed="fixTarget[3692]" target="_top" >openca-users</a></p>tag:old.nabble.com,2006:post-26479630Re: OCSP URL - what's it return????2009-11-23T07:05:41Z2009-11-23T07:05:41ZMassimiliano Pala-3Hi,
<br><br>the HTTP GET support is on its way. Actually we are in the process of
<br>porting the OCSP server to LibPKI - it makes it easier to manage HSMs
<br>and it has direct support for PKCS#11 devices.
<br><br>Once we have a stable version (0.4.0) of LibPKI we will finish the work
<br>on the OCSP server and publish the new version.
<br><br>This is the first step toward the extensive use of LibPKI in all of our
<br>servers. Ideally we will have a single server with plugins for the different
<br>services that can be enabled/disabled. By using the PRQP activating and
<br>de-activating a service will enable clients to automatically use (or
<br>stop using) the specific service... that is a very useful feature!!!!
<br><br>Cheers,
<br>Max
<br><br><br>On 11/20/2009 04:29 PM, <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26479630&i=0" target="_top" rel="nofollow">blainedw@...</a> wrote:
<br>>
<br>> Cool. I wasn't sure if the chain should be specified as part of the
<br>> -issuer cert or the -CAcert. Your help confirmed that it is the -CAcert
<br>> that requires the concatenated chain of certs.
<br>>
<br>> Also when will you support HTTP GET method in OCSP?
<br><br><br /> <br />------------------------------------------------------------------------------
<br>Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
<br>trial. Simplify your report design, integration and deployment - and focus on
<br>what you do best, core application coding. Discover what's new with
<br>Crystal Reports now. <a href="http://p.sf.net/sfu/bobj-july" target="_top" rel="nofollow">http://p.sf.net/sfu/bobj-july</a><br />_______________________________________________
<br>Openca-Users mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26479630&i=1" target="_top" rel="nofollow">Openca-Users@...</a>
<br><a href="https://lists.sourceforge.net/lists/listinfo/openca-users" target="_top" rel="nofollow">https://lists.sourceforge.net/lists/listinfo/openca-users</a><br><div class="small"><br/><img src="http://old.nabble.com/images/icon_attachment.gif" > <strong>smime.p7s</strong> (4K) <a href="http://old.nabble.com/attachment/26479630/0/smime.p7s" target="_top">Download Attachment</a></div><p>From forum: <a href="http://old.nabble.com/openca-users-f3692.html" embed="fixTarget[3692]" target="_top" >openca-users</a></p>tag:old.nabble.com,2006:post-26450563Re: OCSP URL - what's it return????2009-11-20T13:29:05Z2009-11-20T13:29:05Zblainedw
<br><font size=2 face="sans-serif">Cool. I wasn't sure if the chain should
be specified as part of the -issuer cert or the -CAcert. Your help confirmed
that it is the -CAcert that requires the concatenated chain of certs.</font>
<br>
<br><font size=2 face="sans-serif">Also when will you support HTTP GET
method in OCSP?</font>
<br>
<br>
<br><font size=2 face="sans-serif">Dave<br>
</font><br />------------------------------------------------------------------------------
<br>Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
<br>trial. Simplify your report design, integration and deployment - and focus on
<br>what you do best, core application coding. Discover what's new with
<br>Crystal Reports now. <a href="http://p.sf.net/sfu/bobj-july" target="_top" rel="nofollow">http://p.sf.net/sfu/bobj-july</a><br />_______________________________________________
<br>Openca-Users mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26450563&i=0" target="_top" rel="nofollow">Openca-Users@...</a>
<br><a href="https://lists.sourceforge.net/lists/listinfo/openca-users" target="_top" rel="nofollow">https://lists.sourceforge.net/lists/listinfo/openca-users</a><br><p>From forum: <a href="http://old.nabble.com/openca-users-f3692.html" embed="fixTarget[3692]" target="_top" >openca-users</a></p>tag:old.nabble.com,2006:post-26447269Re: OCSP URL - what's it return????2009-11-20T09:38:57Z2009-11-20T09:38:57ZMassimiliano Pala-3Yes.
<br><br>OpenSSL needs to have the full chain of certificates. You can use the
<br>-CAfile <file> option for adding trusted certs to the verification
<br>process. You might then get the error for the root CA saying that it
<br>is a self-signed cert :D That will be ok... :D
<br><br>Later,
<br>Max
<br><br><br>On 11/13/2009 07:26 PM, <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26447269&i=0" target="_top" rel="nofollow">blainedw@...</a> wrote:
<br>> Hi max
<br>>
<br>> Getting back to something you said earlier in the thread about the error
<br>> that isn't an error. If you see my openssl command I'm using -issuer
<br>> parameter. So doesn't this tell openssl who the issuer is? This a subca
<br>> so does this -issuer parameter require a concat of ca certs that make up
<br>> the chain?
<br><br>--
<br><br>Best Regards,
<br><br> Massimiliano Pala
<br><br>--o------------------------------------------------------------------------
<br>Massimiliano Pala [OpenCA Project Manager] <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26447269&i=1" target="_top" rel="nofollow">openca@...</a>
<br> <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26447269&i=2" target="_top" rel="nofollow">project.manager@...</a>
<br><br>Dartmouth Computer Science Dept Home Phone: +1 (603) 369-9332
<br>PKI/Trust Laboratory Work Phone: +1 (603) 646-8734
<br>--o------------------------------------------------------------------------
<br>People who think they know everything are a great annoyance to those of us
<br>who do.
<br> -- Isaac Asimov
<br><br><br /> <br />------------------------------------------------------------------------------
<br>Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
<br>trial. Simplify your report design, integration and deployment - and focus on
<br>what you do best, core application coding. Discover what's new with
<br>Crystal Reports now. <a href="http://p.sf.net/sfu/bobj-july" target="_top" rel="nofollow">http://p.sf.net/sfu/bobj-july</a><br />_______________________________________________
<br>Openca-Users mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26447269&i=3" target="_top" rel="nofollow">Openca-Users@...</a>
<br><a href="https://lists.sourceforge.net/lists/listinfo/openca-users" target="_top" rel="nofollow">https://lists.sourceforge.net/lists/listinfo/openca-users</a><br><div class="small"><br/><img src="http://old.nabble.com/images/icon_attachment.gif" > <strong>smime.p7s</strong> (4K) <a href="http://old.nabble.com/attachment/26447269/0/smime.p7s" target="_top">Download Attachment</a></div><p>From forum: <a href="http://old.nabble.com/openca-users-f3692.html" embed="fixTarget[3692]" target="_top" >openca-users</a></p>tag:old.nabble.com,2006:post-26447225Re: cross-site request forgery (XSRF)2009-11-20T09:35:28Z2009-11-20T09:35:28ZMassimiliano Pala-3Hello Leo,
<br><br>I guess you can check the OpenCA::AC module and disable the check for
<br>the xsrf token there. That should do the trick.
<br><br>I am not convinced it is a good idea, though. If you have other security
<br>mechanisms in place.. than it might be ok.. if not, then your PKI could
<br>be subject to the attack.. if the OpenCA pages are accessible via the
<br><iframe> element.. that means I can request them directly if I know the
<br>URL.. and that exposes you to all of the problems...
<br><br>In future versions we could actually think about a configuration option
<br>that allows for the xsrf to be disabled.. but another protection should
<br>be in place...
<br><br>Later,
<br>Max
<br><br><br>On 11/13/2009 11:48 AM, Leo Catalinas wrote:
<div class='shrinkable-quote'><div class='shrinkable-quote'><br>> Hello,
<br>>
<br>> We use OpenCA 0.9.x in a couple of university projects and we are very
<br>> pleased with it, having issued near 700 certificates for students and
<br>> professors for e-learning in the last three years.
<br>>
<br>> We integrate many screens and forms (like the request form) in a public
<br>> web page (our pki portal) made with Joomla an its "wrapper" option
<br>> (allows to embeed an external page within the page body using the html
<br>> "<iframe>" element).
<br>>
<br>> Now, we have tried the 1.0.2 version and we have seen that the "wrapper"
<br>> option doesn't work because the new OpenCA XSRF protection.
<br>>
<br>> We need the "wrapper" option to integrate OpenCA forms with Joomla, but
<br>> tried to disable the XSRF protection and we didn't find how to do it.
<br>>
<br>> How to disable XSRF or how to make work without disabling it? Any
<br>> suggestion, please?
<br>>
<br>> Thank you very much
<br>>
<br>> Regards,
<br>> Leo Catalinas,
</div></div><br /> <br />------------------------------------------------------------------------------
<br>Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
<br>trial. Simplify your report design, integration and deployment - and focus on
<br>what you do best, core application coding. Discover what's new with
<br>Crystal Reports now. <a href="http://p.sf.net/sfu/bobj-july" target="_top" rel="nofollow">http://p.sf.net/sfu/bobj-july</a><br />_______________________________________________
<br>OpenCA-Devel mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26447225&i=0" target="_top" rel="nofollow">OpenCA-Devel@...</a>
<br><a href="https://lists.sourceforge.net/lists/listinfo/openca-devel" target="_top" rel="nofollow">https://lists.sourceforge.net/lists/listinfo/openca-devel</a><br><div class="small"><br/><img src="http://old.nabble.com/images/icon_attachment.gif" > <strong>smime.p7s</strong> (4K) <a href="http://old.nabble.com/attachment/26447225/0/smime.p7s" target="_top">Download Attachment</a></div><p>From forum: <a href="http://old.nabble.com/openca-devel-f3691.html" embed="fixTarget[3691]" target="_top" >openca-devel</a></p>tag:old.nabble.com,2006:post-26397928Batch Process Adjustments Questions2009-11-17T13:22:42Z2009-11-17T13:22:42Zmurphykm
<br><font size=2 face="sans-serif">Hello,</font>
<br>
<br><font size=2 face="sans-serif">I have been tasked with adding additional
fields to our cert creation that is done via batching. I have about 15
fields or so that I need to add to the cert. </font>
<br>
<br><font size=2 face="sans-serif">Looking through the code, it appears
that create_csr.sub is the one I need to alter. The changes I have made
seem to create the field files similar to SUBJECT and such that were created
before. Each field file does have the correct data. However, when the cert
is created, none of my custom fields show up. </font>
<br>
<br><font size=2 face="sans-serif">Here are some of the changes I have
made:</font>
<br>
<br><font size=2 face="sans-serif">At line 26, I define the new variables
and fields I am tracking</font>
<br><font size=2 face="sans-serif"> my @additionalfields =
("EMPLOYEEID","USERID","CITIZENSHIP","EMAIL","DEPTARTMENT",</font>
<br><font size=2 face="sans-serif">
"PHONE","APPLICATION","COMPANY","LOCATION","ADDRESS","MAILZONE","CITY","STATE","ZIP","COUNTRY");</font>
<br><font size=2 face="sans-serif"> my %fields = ();</font>
<br><font size=2 face="sans-serif"> my $field = "";</font>
<br>
<br><font size=2 face="sans-serif">Around line 76 (Right below the load
subject lines)</font>
<br><font size=2 face="sans-serif"> foreach $field (@additionalfields)
{</font>
<br><font size=2 face="sans-serif"> $fields{$field}
= $tools->getFile ($home."/data/".$field);</font>
<br><font size=2 face="sans-serif"> if (not
$fields{$field} ) {</font>
<br><font size=2 face="sans-serif">
my $msg = gettext ("The $field of the request cannot
be loaded.");</font>
<br><font size=2 face="sans-serif">
$journal->{message} .= $msg;</font>
<br><font size=2 face="sans-serif">
$log->addMessage (OpenCA::Log::Message->new (HASHREF
=> $journal));</font>
<br><font size=2 face="sans-serif">
return [ -150, $msg ];</font>
<br><font size=2 face="sans-serif"> }</font>
<br><font size=2 face="sans-serif"> }</font>
<br>
<br><font size=2 face="sans-serif">Then right after line 136 I added
the three lines below:</font>
<br><font size=2 face="sans-serif"> foreach $field (@additionalfields)
{</font>
<br><font size=2 face="sans-serif">
$tmp .= $field." = ".$fields{$field}."\n";</font>
<br><font size=2 face="sans-serif"> }</font>
<br>
<br>
<br><font size=2 face="sans-serif">After all that I my new fields do not
show up in the cert. Do I need to alter OpenCA::REQ or something? I am
not sure where to look next.</font>
<br>
<br><font size=2 face="sans-serif">Thank you,</font>
<br><font size=2 face="sans-serif">K Murphy<br>
Email: <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26397928&i=0" target="_top" rel="nofollow">murphykm@...</a><br>
</font><br />------------------------------------------------------------------------------
<br>Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
<br>trial. Simplify your report design, integration and deployment - and focus on
<br>what you do best, core application coding. Discover what's new with
<br>Crystal Reports now. <a href="http://p.sf.net/sfu/bobj-july" target="_top" rel="nofollow">http://p.sf.net/sfu/bobj-july</a><br />_______________________________________________
<br>OpenCA-Devel mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26397928&i=1" target="_top" rel="nofollow">OpenCA-Devel@...</a>
<br><a href="https://lists.sourceforge.net/lists/listinfo/openca-devel" target="_top" rel="nofollow">https://lists.sourceforge.net/lists/listinfo/openca-devel</a><br><p>From forum: <a href="http://old.nabble.com/openca-devel-f3691.html" embed="fixTarget[3691]" target="_top" >openca-devel</a></p>tag:old.nabble.com,2006:post-26363601Re: Trouble with LDAP and CRL's2009-11-15T13:27:21Z2009-11-15T13:27:21ZblainedwHi ralf
<br><br>Thanks for the response. I've been reading about ldap's alias feature and will probably use that to overcome my shortcomings.
<br><br>Dave
<br>>From David Blaine's blackberry
<br><br><br>----- Original Message -----
<br>From: Ralf Hornik Mailings [<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26363601&i=0" target="_top" rel="nofollow">ralf@...</a>]
<br>Sent: 11/15/2009 07:08 PM CET
<br>To: <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26363601&i=1" target="_top" rel="nofollow">openca-users@...</a>
<br>Subject: Re: [Openca-Users] Trouble with LDAP and CRL's
<br><br><br><br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26363601&i=2" target="_top" rel="nofollow">blainedw@...</a> wrote:
<br><br>> My problem now is my root certificate LDAP CDP does not include the email
<br>> address and I cannot reissue a new one. Any magic within LDAP I can do?
<br><br>It depends on the SSL app. Some apps use subsearch and some not for
<br>retrieving CRLs. Subsearch is also not recommended because of
<br>performance issues.
<br><br>The easiest way would be to move the crl to the CDP-DN of your
<br>certificates by hand and "patch" your OpenCA installation to enroll
<br>any new CRL there in future.
<br>Regards
<br><br>Ralf
<br><br><br><br>------------------------------------------------------------------------------
<br>Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
<br>trial. Simplify your report design, integration and deployment - and focus on
<br>what you do best, core application coding. Discover what's new with
<br>Crystal Reports now. <a href="http://p.sf.net/sfu/bobj-july" target="_top" rel="nofollow">http://p.sf.net/sfu/bobj-july</a><br>_______________________________________________
<br>Openca-Users mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26363601&i=3" target="_top" rel="nofollow">Openca-Users@...</a>
<br><a href="https://lists.sourceforge.net/lists/listinfo/openca-users" target="_top" rel="nofollow">https://lists.sourceforge.net/lists/listinfo/openca-users</a><br><br>------------------------------------------------------------------------------
<br>Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
<br>trial. Simplify your report design, integration and deployment - and focus on
<br>what you do best, core application coding. Discover what's new with
<br>Crystal Reports now. <a href="http://p.sf.net/sfu/bobj-july" target="_top" rel="nofollow">http://p.sf.net/sfu/bobj-july</a><br>_______________________________________________
<br>Openca-Users mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26363601&i=4" target="_top" rel="nofollow">Openca-Users@...</a>
<br><a href="https://lists.sourceforge.net/lists/listinfo/openca-users" target="_top" rel="nofollow">https://lists.sourceforge.net/lists/listinfo/openca-users</a><br><p>From forum: <a href="http://old.nabble.com/openca-users-f3692.html" embed="fixTarget[3692]" target="_top" >openca-users</a></p>tag:old.nabble.com,2006:post-26361585Re: Trouble with LDAP and CRL's2009-11-15T10:08:11Z2009-11-15T10:08:11ZRalf Hornik Mailings<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26361585&i=0" target="_top" rel="nofollow">blainedw@...</a> wrote:
<br><br>> My problem now is my root certificate LDAP CDP does not include the email
<br>> address and I cannot reissue a new one. Any magic within LDAP I can do?
<br><br>It depends on the SSL app. Some apps use subsearch and some not for
<br>retrieving CRLs. Subsearch is also not recommended because of
<br>performance issues.
<br><br>The easiest way would be to move the crl to the CDP-DN of your
<br>certificates by hand and "patch" your OpenCA installation to enroll
<br>any new CRL there in future.
<br>Regards
<br><br>Ralf
<br><br><br><br>------------------------------------------------------------------------------
<br>Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
<br>trial. Simplify your report design, integration and deployment - and focus on
<br>what you do best, core application coding. Discover what's new with
<br>Crystal Reports now. <a href="http://p.sf.net/sfu/bobj-july" target="_top" rel="nofollow">http://p.sf.net/sfu/bobj-july</a><br>_______________________________________________
<br>Openca-Users mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26361585&i=1" target="_top" rel="nofollow">Openca-Users@...</a>
<br><a href="https://lists.sourceforge.net/lists/listinfo/openca-users" target="_top" rel="nofollow">https://lists.sourceforge.net/lists/listinfo/openca-users</a><br><p>From forum: <a href="http://old.nabble.com/openca-users-f3692.html" embed="fixTarget[3692]" target="_top" >openca-users</a></p>tag:old.nabble.com,2006:post-26345777Re: OCSP URL - what's it return????2009-11-13T16:26:20Z2009-11-13T16:26:20Zblainedw<font size="2"><p>Hi max<br><br>Getting back to something you said earlier in the thread about the error that isn't an error. If you see my openssl command I'm using -issuer parameter. So doesn't this tell openssl who the issuer is? This a subca so does this -issuer parameter require a concat of ca certs that make up the chain? <br><br>Just trying to understand<br><br>Dave<br>From David Blaine's blackberry<br></p></font><hr><font size="2"><p><b> From: </b>blainedw<br><b> Sent: </b>11/13/2009 04:53 PM EST<br><b> To: </b><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26345777&i=0" target="_top" rel="nofollow">openca@...</a>; "Users' Help and Suggestions" <<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26345777&i=1" target="_top" rel="nofollow">openca-users@...</a>><br><b> Subject: </b>Re: [Openca-Users] OCSP URL - what's it return????<br></p></font><br>
<br><font size=2 face="sans-serif">The OCSP is defined as an AIA location</font>
<br><font size=2 face="sans-serif"><br>
I'll check the logs when I get a chance.</font>
<br>
<br>
<br><font size=2 face="sans-serif">Dave</font><br />------------------------------------------------------------------------------
<br>Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
<br>trial. Simplify your report design, integration and deployment - and focus on
<br>what you do best, core application coding. Discover what's new with
<br>Crystal Reports now. <a href="http://p.sf.net/sfu/bobj-july" target="_top" rel="nofollow">http://p.sf.net/sfu/bobj-july</a><br />_______________________________________________
<br>Openca-Users mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26345777&i=2" target="_top" rel="nofollow">Openca-Users@...</a>
<br><a href="https://lists.sourceforge.net/lists/listinfo/openca-users" target="_top" rel="nofollow">https://lists.sourceforge.net/lists/listinfo/openca-users</a><br><br />------------------------------------------------------------------------------
<br>Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
<br>trial. Simplify your report design, integration and deployment - and focus on
<br>what you do best, core application coding. Discover what's new with
<br>Crystal Reports now. <a href="http://p.sf.net/sfu/bobj-july" target="_top" rel="nofollow">http://p.sf.net/sfu/bobj-july</a><br />_______________________________________________
<br>Openca-Users mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26345777&i=3" target="_top" rel="nofollow">Openca-Users@...</a>
<br><a href="https://lists.sourceforge.net/lists/listinfo/openca-users" target="_top" rel="nofollow">https://lists.sourceforge.net/lists/listinfo/openca-users</a><br><p>From forum: <a href="http://old.nabble.com/openca-users-f3692.html" embed="fixTarget[3692]" target="_top" >openca-users</a></p>tag:old.nabble.com,2006:post-26344158Re: OCSP URL - what's it return????2009-11-13T13:53:45Z2009-11-13T13:53:45Zblainedw
<br><font size=2 face="sans-serif">The OCSP is defined as an AIA location</font>
<br><font size=2 face="sans-serif"><br>
I'll check the logs when I get a chance.</font>
<br>
<br>
<br><font size=2 face="sans-serif">Dave</font><br />------------------------------------------------------------------------------
<br>Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
<br>trial. Simplify your report design, integration and deployment - and focus on
<br>what you do best, core application coding. Discover what's new with
<br>Crystal Reports now. <a href="http://p.sf.net/sfu/bobj-july" target="_top" rel="nofollow">http://p.sf.net/sfu/bobj-july</a><br />_______________________________________________
<br>Openca-Users mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26344158&i=0" target="_top" rel="nofollow">Openca-Users@...</a>
<br><a href="https://lists.sourceforge.net/lists/listinfo/openca-users" target="_top" rel="nofollow">https://lists.sourceforge.net/lists/listinfo/openca-users</a><br><p>From forum: <a href="http://old.nabble.com/openca-users-f3692.html" embed="fixTarget[3692]" target="_top" >openca-users</a></p>tag:old.nabble.com,2006:post-26344107Re: Trouble with LDAP and CRL's2009-11-13T13:50:01Z2009-11-13T13:50:01Zblainedw
<br><font size=2 face="sans-serif">I checked ldapsearch and thanks to Ralf
the DN does have the email address in it... OK, I downloaded and installed
libpki. Using that tool and having the email address in the DN, I was able
to retrieve something (lots of garbled characters). </font>
<br>
<br><font size=2 face="sans-serif">My problem now is my root certificate
LDAP CDP does not include the email address and I cannot reissue a new
one. Any magic within LDAP I can do?</font>
<br><font size=2 face="sans-serif"><br>
Dave</font><br />------------------------------------------------------------------------------
<br>Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
<br>trial. Simplify your report design, integration and deployment - and focus on
<br>what you do best, core application coding. Discover what's new with
<br>Crystal Reports now. <a href="http://p.sf.net/sfu/bobj-july" target="_top" rel="nofollow">http://p.sf.net/sfu/bobj-july</a><br />_______________________________________________
<br>Openca-Users mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26344107&i=0" target="_top" rel="nofollow">Openca-Users@...</a>
<br><a href="https://lists.sourceforge.net/lists/listinfo/openca-users" target="_top" rel="nofollow">https://lists.sourceforge.net/lists/listinfo/openca-users</a><br><p>From forum: <a href="http://old.nabble.com/openca-users-f3692.html" embed="fixTarget[3692]" target="_top" >openca-users</a></p>tag:old.nabble.com,2006:post-26344011Re: OCSP URL - what's it return????2009-11-13T13:43:20Z2009-11-13T13:43:20ZMassimiliano Pala-3I guess we have 2 separate issues here. The CDP is the CRL Distribution
<br>Point - not the OCSP responder address. That should point to your CRL
<br>http location.
<br><br>I have not used the PKIVIEW on Winz... but have you checked the logs on
<br>the OCSP server (should be /var/log/messages).. what do they report ? It
<br>might be that the PKIVIEW uses the HTTP GET instead of the HTTP POST for
<br>the OCSP.. this is just a wild guess.. :D But since the current version
<br>of the software does not support GET.. you'll have to wait for the new
<br>version (which will support GET as well..).
<br><br>Let us know...
<br><br>Later,
<br>Max
<br><br><br>On 11/13/2009 04:10 PM, <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26344011&i=0" target="_top" rel="nofollow">blainedw@...</a> wrote:
<br>>
<br>> When I look in PKIVIEW (windows utility) to verify my AIA and CDP
<br>> locations. It states unable to download for both my LDAP CDP and my OCSP
<br>> location.
<br><br><br>--
<br><br>Best Regards,
<br><br> Massimiliano Pala
<br><br>--o------------------------------------------------------------------------
<br>Massimiliano Pala [OpenCA Project Manager] <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26344011&i=1" target="_top" rel="nofollow">openca@...</a>
<br> <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26344011&i=2" target="_top" rel="nofollow">project.manager@...</a>
<br><br>Dartmouth Computer Science Dept Home Phone: +1 (603) 369-9332
<br>PKI/Trust Laboratory Work Phone: +1 (603) 646-8734
<br>--o------------------------------------------------------------------------
<br>People who think they know everything are a great annoyance to those of us
<br>who do.
<br> -- Isaac Asimov
<br><br><br /> <br />------------------------------------------------------------------------------
<br>Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
<br>trial. Simplify your report design, integration and deployment - and focus on
<br>what you do best, core application coding. Discover what's new with
<br>Crystal Reports now. <a href="http://p.sf.net/sfu/bobj-july" target="_top" rel="nofollow">http://p.sf.net/sfu/bobj-july</a><br />_______________________________________________
<br>Openca-Users mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26344011&i=3" target="_top" rel="nofollow">Openca-Users@...</a>
<br><a href="https://lists.sourceforge.net/lists/listinfo/openca-users" target="_top" rel="nofollow">https://lists.sourceforge.net/lists/listinfo/openca-users</a><br><div class="small"><br/><img src="http://old.nabble.com/images/icon_attachment.gif" > <strong>smime.p7s</strong> (4K) <a href="http://old.nabble.com/attachment/26344011/0/smime.p7s" target="_top">Download Attachment</a></div><p>From forum: <a href="http://old.nabble.com/openca-users-f3692.html" embed="fixTarget[3692]" target="_top" >openca-users</a></p>tag:old.nabble.com,2006:post-26343631Re: OCSP URL - what's it return????2009-11-13T13:10:17Z2009-11-13T13:10:17Zblainedw
<br><font size=2 face="sans-serif">When I look in PKIVIEW (windows utility)
to verify my AIA and CDP locations. It states unable to download for both
my LDAP CDP and my OCSP location.</font>
<br><font size=2 face="sans-serif"><br>
Dave<br>
</font><br />------------------------------------------------------------------------------
<br>Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
<br>trial. Simplify your report design, integration and deployment - and focus on
<br>what you do best, core application coding. Discover what's new with
<br>Crystal Reports now. <a href="http://p.sf.net/sfu/bobj-july" target="_top" rel="nofollow">http://p.sf.net/sfu/bobj-july</a><br />_______________________________________________
<br>Openca-Users mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26343631&i=0" target="_top" rel="nofollow">Openca-Users@...</a>
<br><a href="https://lists.sourceforge.net/lists/listinfo/openca-users" target="_top" rel="nofollow">https://lists.sourceforge.net/lists/listinfo/openca-users</a><br><p>From forum: <a href="http://old.nabble.com/openca-users-f3692.html" embed="fixTarget[3692]" target="_top" >openca-users</a></p>tag:old.nabble.com,2006:post-26342618Re: OCSP URL - what's it return????2009-11-13T12:00:51Z2009-11-13T12:00:51ZMassimiliano Pala-3Hi Dave,
<br><br>actually that seem to work fine. The error in OpenSSL is not really an error,
<br>it just does not have the issuer certificate of the OCSP server's certificate
<br>but the response is correctly parsed (status good).
<br><br>I do not really understand, what is the issue you are having ?
<br><br>Later,
<br>Max
<br><br><br><br>On 11/13/2009 01:17 PM, <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26342618&i=0" target="_top" rel="nofollow">blainedw@...</a> wrote:
<div class='shrinkable-quote'><div class='shrinkable-quote'><br>>
<br>> Well, I hope I do ;)
<br>>
<br>> I guess the URL threw me because it had /ca/ca.html on it so I was
<br>> expecting a response.
<br>>
<br>> openssl ocsp -issuer /appl/openca-ocspd-1.5.1/etc/ocspd/certs/cacert.pem
<br>> -cert /appl/openca/openca/var/openca/crypto/certs/01.pem -url
<br>> <a href="http://host:2560/" target="_top" rel="nofollow">http://host:2560/</a> -resp_text -respout /tmp/ocspResp.der -CAfile
<br>> /appl/openca-ocspd-1.5.1/etc/ocspd/certs/cacert.pem <<a href="http://host:2560/" target="_top" rel="nofollow">http://host:2560/</a>>
<br>>
<br>> ....
<br>>
<br>> Response Verify Failure
<br>> 19659:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify
<br>> error:ocsp_vfy.c:122:Verify error:unable to get issuer certificate
<br>> /appl/openca/openca/var/openca/crypto/certs/15.pem: good
<br>> This Update: Nov 12 18:12:01 2009 GMT
<br>> Next Update: Nov 13 16:46:03 2009 GMT
<br>>
<br>> I can eliminate this error by adding -VAoption
</div></div><br /> <br />------------------------------------------------------------------------------
<br>Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
<br>trial. Simplify your report design, integration and deployment - and focus on
<br>what you do best, core application coding. Discover what's new with
<br>Crystal Reports now. <a href="http://p.sf.net/sfu/bobj-july" target="_top" rel="nofollow">http://p.sf.net/sfu/bobj-july</a><br />_______________________________________________
<br>Openca-Users mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26342618&i=1" target="_top" rel="nofollow">Openca-Users@...</a>
<br><a href="https://lists.sourceforge.net/lists/listinfo/openca-users" target="_top" rel="nofollow">https://lists.sourceforge.net/lists/listinfo/openca-users</a><br><div class="small"><br/><img src="http://old.nabble.com/images/icon_attachment.gif" > <strong>smime.p7s</strong> (4K) <a href="http://old.nabble.com/attachment/26342618/0/smime.p7s" target="_top">Download Attachment</a></div><p>From forum: <a href="http://old.nabble.com/openca-users-f3692.html" embed="fixTarget[3692]" target="_top" >openca-users</a></p>tag:old.nabble.com,2006:post-26341001Re: OCSP URL - what's it return????2009-11-13T10:17:11Z2009-11-13T10:17:11Zblainedw
<br><font size=2 face="sans-serif">Well, I hope I do ;)</font>
<br>
<br><font size=2 face="sans-serif">I guess the URL threw me because it
had /ca/ca.html on it so I was expecting a response.</font>
<br>
<br><font size=2 face="sans-serif">openssl ocsp -issuer /appl/openca-ocspd-1.5.1/etc/ocspd/certs/cacert.pem
-cert /appl/openca/openca/var/openca/crypto/certs/01.pem -url </font><a href=http://host:2560 target="_top" rel="nofollow" /><font size=2 face="sans-serif">http://host:2560/
-resp_text -respout /tmp/ocspResp.der -CAfile /appl/openca-ocspd-1.5.1/etc/ocspd/certs/cacert.pem</font></a>
<br>
<br><font size=2 face="sans-serif">....</font>
<br>
<br><font size=2 face="sans-serif">Response Verify Failure</font>
<br><font size=2 face="sans-serif">19659:error:27069065:OCSP routines:OCSP_basic_verify:certificate
verify error:ocsp_vfy.c:122:Verify error:unable to get issuer certificate</font>
<br><font size=2 face="sans-serif">/appl/openca/openca/var/openca/crypto/certs/15.pem:
good</font>
<br><font size=2 face="sans-serif"> This Update:
Nov 12 18:12:01 2009 GMT</font>
<br><font size=2 face="sans-serif"> Next Update:
Nov 13 16:46:03 2009 GMT</font>
<br>
<br><font size=2 face="sans-serif">I can eliminate this error by adding
-VAoption</font>
<br>
<br><font size=2 face="sans-serif">Any help would be appreciated</font>
<br>
<br><font size=2 face="sans-serif">Dave</font>
<br><font size=2 face="sans-serif"><br>
Dave</font><br />------------------------------------------------------------------------------
<br>Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
<br>trial. Simplify your report design, integration and deployment - and focus on
<br>what you do best, core application coding. Discover what's new with
<br>Crystal Reports now. <a href="http://p.sf.net/sfu/bobj-july" target="_top" rel="nofollow">http://p.sf.net/sfu/bobj-july</a><br />_______________________________________________
<br>Openca-Users mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26341001&i=0" target="_top" rel="nofollow">Openca-Users@...</a>
<br><a href="https://lists.sourceforge.net/lists/listinfo/openca-users" target="_top" rel="nofollow">https://lists.sourceforge.net/lists/listinfo/openca-users</a><br><p>From forum: <a href="http://old.nabble.com/openca-users-f3692.html" embed="fixTarget[3692]" target="_top" >openca-users</a></p>tag:old.nabble.com,2006:post-26339844cross-site request forgery (XSRF)2009-11-13T08:48:04Z2009-11-13T08:48:04ZLeo CatalinasHello,
<br><br>We use OpenCA 0.9.x in a couple of university projects and we are very
<br>pleased with it, having issued near 700 certificates for students and
<br>professors for e-learning in the last three years.
<br><br>We integrate many screens and forms (like the request form) in a public
<br>web page (our pki portal) made with Joomla an its "wrapper" option
<br>(allows to embeed an external page within the page body using the html
<br>"<iframe>" element).
<br><br>Now, we have tried the 1.0.2 version and we have seen that the "wrapper"
<br>option doesn't work because the new OpenCA XSRF protection.
<br><br>We need the "wrapper" option to integrate OpenCA forms with Joomla, but
<br>tried to disable the XSRF protection and we didn't find how to do it.
<br><br>How to disable XSRF or how to make work without disabling it? Any
<br>suggestion, please?
<br><br>Thank you very much
<br><br>Regards,
<br>Leo Catalinas,
<br><br><br>------------------------------------------------------------------------------
<br>Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
<br>trial. Simplify your report design, integration and deployment - and focus on
<br>what you do best, core application coding. Discover what's new with
<br>Crystal Reports now. <a href="http://p.sf.net/sfu/bobj-july" target="_top" rel="nofollow">http://p.sf.net/sfu/bobj-july</a><br>_______________________________________________
<br>OpenCA-Devel mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26339844&i=0" target="_top" rel="nofollow">OpenCA-Devel@...</a>
<br><a href="https://lists.sourceforge.net/lists/listinfo/openca-devel" target="_top" rel="nofollow">https://lists.sourceforge.net/lists/listinfo/openca-devel</a><br><p>From forum: <a href="http://old.nabble.com/openca-devel-f3691.html" embed="fixTarget[3691]" target="_top" >openca-devel</a></p>tag:old.nabble.com,2006:post-26339830cross-site request forgery (XSRF)2009-11-13T08:47:09Z2009-11-13T08:47:09ZLeo CatalinasHello,
<br><br>We use OpenCA 0.9.x in a couple of university projects and we are very
<br>pleased with it, having issued near 700 certificates for students and
<br>professors for e-learning in the last three years.
<br><br>We integrate many screens and forms (like the request form) in a public
<br>web page (our pki portal) made with Joomla an its "wrapper" option
<br>(allows to embeed an external page within the page body using the html
<br>"<iframe>" element).
<br><br>Now, we have tried the 1.0.2 version and we have seen that the "wrapper"
<br>option doesn't work because the new OpenCA XSRF protection.
<br><br>We need the "wrapper" option to integrate OpenCA forms with Joomla, but
<br>tried to disable the XSRF protection and we didn't find how to do it.
<br><br>How to disable XSRF or how to make work without disabling it? Any
<br>suggestion, please?
<br><br>Thank you very much
<br><br>Regards,
<br>Leo Catalinas,
<br><br><br>------------------------------------------------------------------------------
<br>Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
<br>trial. Simplify your report design, integration and deployment - and focus on
<br>what you do best, core application coding. Discover what's new with
<br>Crystal Reports now. <a href="http://p.sf.net/sfu/bobj-july" target="_top" rel="nofollow">http://p.sf.net/sfu/bobj-july</a><br>_______________________________________________
<br>Openca-Users mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26339830&i=0" target="_top" rel="nofollow">Openca-Users@...</a>
<br><a href="https://lists.sourceforge.net/lists/listinfo/openca-users" target="_top" rel="nofollow">https://lists.sourceforge.net/lists/listinfo/openca-users</a><br><p>From forum: <a href="http://old.nabble.com/openca-users-f3692.html" embed="fixTarget[3692]" target="_top" >openca-users</a></p>tag:old.nabble.com,2006:post-26339116Re: How to make OpenCA use OpenSSL engine?2009-11-13T08:15:03Z2009-11-13T08:15:03ZMassimiliano Pala-3Hi Allen,
<br><br>as Ralf said, check the OpenSC token in the tokens.xml configuration - it is
<br>quite easy to setup the Engine.
<br><br>One small warning: if you are using the engine for accessing a P11 device, be
<br>careful that when you generate keys with that, the key is actually generated
<br>in software and then stored on the device (instead of using the PKCS11 key
<br>generation on hardware directly...).
<br><br>Later,
<br>Max
<br><br><br>On 09/03/2009 08:39 PM, Allen Liu wrote:
<br>> No, it's not.
<br>>
<br>> OpenSSL ENGINE is a loadable module for talking to HSM (hardware Secure
<br>> Module) or smart card through PKCS 11 in order to utilize keys stored inside
<br>> as well as hardware-implementated algorithms.
<br>>
<br>> I know how to use OpenSSL ENGINE to talk to HSM but don't know to make
<br>> OpenCA use ENGINE.
<br><br><br>--
<br><br>Best Regards,
<br><br> Massimiliano Pala
<br><br>--o------------------------------------------------------------------------
<br>Massimiliano Pala [OpenCA Project Manager] <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26339116&i=0" target="_top" rel="nofollow">openca@...</a>
<br> <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26339116&i=1" target="_top" rel="nofollow">project.manager@...</a>
<br><br>Dartmouth Computer Science Dept Home Phone: +1 (603) 369-9332
<br>PKI/Trust Laboratory Work Phone: +1 (603) 646-8734
<br>--o------------------------------------------------------------------------
<br>People who think they know everything are a great annoyance to those of us
<br>who do.
<br> -- Isaac Asimov
<br><br><br /> <br />------------------------------------------------------------------------------
<br>Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
<br>trial. Simplify your report design, integration and deployment - and focus on
<br>what you do best, core application coding. Discover what's new with
<br>Crystal Reports now. <a href="http://p.sf.net/sfu/bobj-july" target="_top" rel="nofollow">http://p.sf.net/sfu/bobj-july</a><br />_______________________________________________
<br>Openca-Users mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26339116&i=2" target="_top" rel="nofollow">Openca-Users@...</a>
<br><a href="https://lists.sourceforge.net/lists/listinfo/openca-users" target="_top" rel="nofollow">https://lists.sourceforge.net/lists/listinfo/openca-users</a><br><div class="small"><br/><img src="http://old.nabble.com/images/icon_attachment.gif" > <strong>smime.p7s</strong> (4K) <a href="http://old.nabble.com/attachment/26339116/0/smime.p7s" target="_top">Download Attachment</a></div><p>From forum: <a href="http://old.nabble.com/openca-users-f3692.html" embed="fixTarget[3692]" target="_top" >openca-users</a></p>tag:old.nabble.com,2006:post-26339070Re: Trouble with LDAP and CRL's2009-11-13T08:12:30Z2009-11-13T08:12:30ZMassimiliano Pala-3Hi Dave,
<br><br>LDAP can be tricky, especially because if the DNs are not precise, you
<br>will not find what you are looking for. You might want to use one LDAP
<br>browsers (some time ago Mozilla had one built in.. now I don't think
<br>Firefox supports ldap:// urls anymore..). If you can find it for your
<br>system I usually use 'gq' - last version I checked was from 2006. The
<br>url on the 'About' is this:
<br><br> <a href="http://www.gq-project.org/" target="_top" rel="nofollow">http://www.gq-project.org/</a><br><br>but that points just to an empty page.. a very simple google search
<br>gave me back this:
<br><br> <a href="http://linux.softpedia.com/get/Utilities/GQ-LDAP-Client-11212.shtml" target="_top" rel="nofollow">http://linux.softpedia.com/get/Utilities/GQ-LDAP-Client-11212.shtml</a><br><br>there are many others out there (most of them are Java, though...).
<br><br>Also, another thing: check that the certificate CDP (CRL Distribution
<br>Point) is correct.
<br><br>Another possibility is to download the new LibPKI - there is a tool
<br>there that allows you to download data from different URLs, and in
<br>particular from LDAP by using something like:
<br><br> $ url-tool "ldap://ldap.dartmouth.edu:389/cn=Dartmouth CertAuth1, o=Dartmouth College,
<br>C=US, dc=dartmouth, dc=edu?cACertificate;binary"
<br><br>You can find the libpki here:
<br><br> <a href="http://ftp.openca.org/libpki/releases/" target="_top" rel="nofollow">http://ftp.openca.org/libpki/releases/</a><br><br>The version 0.4.0 is on its way...
<br><br>Later,
<br>Max
<br><br><br>On 11/13/2009 09:41 AM, <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26339070&i=0" target="_top" rel="nofollow">blainedw@...</a> wrote:
<div class='shrinkable-quote'><div class='shrinkable-quote'><br>>
<br>> Hi all,
<br>>
<br>> Unlike most folks, I was able to publish my certificates and CRL's in
<br>> LDAP using Openca 1.0.2. My problem exists with check for it in LDAP.
<br>> Using PKIVIEW in Windows it mentions that it is "Unable to download" the
<br>> CRL from the LDAP CDP. It reports "OK" for the http one.
<br>>
<br>> I used an ldap search command to check the existance of the CRL in LDAP
<br>> and that it was not expired. Here is the command I used:
<br>>
<br>> ./ldapsearch -x -h host -b "cn=Root CA,ou=Trustcenter,dc=domain,dc=com"
<br>> certificateRevocationList
<br>>
<br>> I am also able to use IE to at least contact the LDAP server via this
<br>> method (unsure how to download CRL using this method):
<br>>
<br>> ldap://host/cn=Root CA,ou=Trustcenter,dc=domain,dc=com
<br>>
<br>> Any help appreciated!!!!
<br>>
<br>> Dave
</div></div><br>--
<br><br>Best Regards,
<br><br> Massimiliano Pala
<br><br>--o------------------------------------------------------------------------
<br>Massimiliano Pala [OpenCA Project Manager] <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26339070&i=1" target="_top" rel="nofollow">openca@...</a>
<br> <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26339070&i=2" target="_top" rel="nofollow">project.manager@...</a>
<br><br>Dartmouth Computer Science Dept Home Phone: +1 (603) 369-9332
<br>PKI/Trust Laboratory Work Phone: +1 (603) 646-8734
<br>--o------------------------------------------------------------------------
<br>People who think they know everything are a great annoyance to those of us
<br>who do.
<br> -- Isaac Asimov
<br><br><br /> <br />------------------------------------------------------------------------------
<br>Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
<br>trial. Simplify your report design, integration and deployment - and focus on
<br>what you do best, core application coding. Discover what's new with
<br>Crystal Reports now. <a href="http://p.sf.net/sfu/bobj-july" target="_top" rel="nofollow">http://p.sf.net/sfu/bobj-july</a><br />_______________________________________________
<br>Openca-Users mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26339070&i=3" target="_top" rel="nofollow">Openca-Users@...</a>
<br><a href="https://lists.sourceforge.net/lists/listinfo/openca-users" target="_top" rel="nofollow">https://lists.sourceforge.net/lists/listinfo/openca-users</a><br><div class="small"><br/><img src="http://old.nabble.com/images/icon_attachment.gif" > <strong>smime.p7s</strong> (4K) <a href="http://old.nabble.com/attachment/26339070/0/smime.p7s" target="_top">Download Attachment</a></div><p>From forum: <a href="http://old.nabble.com/openca-users-f3692.html" embed="fixTarget[3692]" target="_top" >openca-users</a></p>tag:old.nabble.com,2006:post-26338861Re: OCSP URL - what's it return????2009-11-13T07:59:21Z2009-11-13T07:59:21ZMassimiliano Pala-3Hi Dave,
<br><br>I assume you have installed and configured the OCSP server ... :D If not,
<br>you have to download it as it is a separate package (that I am going to
<br>update quite soon... :D).
<br><br>The OCSP server returns an OCSP response.. so it is not viewable with the
<br>browser. You can use the `openssl ocsp' to view the response (check the
<br>command line syntax by using `openssl ocsp -'.
<br><br>Or you can just use wget (`wget <a href="http://...'" target="_top" rel="nofollow">http://...'</a>) and then parse the contents
<br>of the saved data with `openssl asn1parse -inform DER -in <filename>'. Or,
<br>last but not least, just use the telnet command:
<br><br> $ telnet host 2560
<br><br>then hit a couple of returns.. you'll see the response.. with the full
<br>headers.
<br><br>I hope this helps,
<br><br>Cheers,
<br>Max
<br><br><br>On 11/13/2009 09:49 AM, <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26338861&i=0" target="_top" rel="nofollow">blainedw@...</a> wrote:
<br>>
<br>> I have a OCSP URL similar to the default one as an AIA location
<br>>
<br>> <a href="http://host:2560/ca/ca.html" target="_top" rel="nofollow">http://host:2560/ca/ca.html</a><br>>
<br>> If I copy and paste into a browser, it returns a 0
<br>>
<br>> What is that supposed to return????
<br><br><br>--
<br><br>Best Regards,
<br><br> Massimiliano Pala
<br><br>--o------------------------------------------------------------------------
<br>Massimiliano Pala [OpenCA Project Manager] <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26338861&i=1" target="_top" rel="nofollow">openca@...</a>
<br> <a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26338861&i=2" target="_top" rel="nofollow">project.manager@...</a>
<br><br>Dartmouth Computer Science Dept Home Phone: +1 (603) 369-9332
<br>PKI/Trust Laboratory Work Phone: +1 (603) 646-8734
<br>--o------------------------------------------------------------------------
<br>People who think they know everything are a great annoyance to those of us
<br>who do.
<br> -- Isaac Asimov
<br><br><br /> <br />------------------------------------------------------------------------------
<br>Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
<br>trial. Simplify your report design, integration and deployment - and focus on
<br>what you do best, core application coding. Discover what's new with
<br>Crystal Reports now. <a href="http://p.sf.net/sfu/bobj-july" target="_top" rel="nofollow">http://p.sf.net/sfu/bobj-july</a><br />_______________________________________________
<br>Openca-Users mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26338861&i=3" target="_top" rel="nofollow">Openca-Users@...</a>
<br><a href="https://lists.sourceforge.net/lists/listinfo/openca-users" target="_top" rel="nofollow">https://lists.sourceforge.net/lists/listinfo/openca-users</a><br><div class="small"><br/><img src="http://old.nabble.com/images/icon_attachment.gif" > <strong>smime.p7s</strong> (4K) <a href="http://old.nabble.com/attachment/26338861/0/smime.p7s" target="_top">Download Attachment</a></div><p>From forum: <a href="http://old.nabble.com/openca-users-f3692.html" embed="fixTarget[3692]" target="_top" >openca-users</a></p>tag:old.nabble.com,2006:post-26337743OCSP URL - what's it return????2009-11-13T06:49:11Z2009-11-13T06:49:11Zblainedw
<br><font size=2 face="sans-serif">I have a OCSP URL similar to the default
one as an AIA location</font>
<br>
<br><a href=http://host:2560/ca/ca.html target="_top" rel="nofollow"><font size=2 face="sans-serif">http://host:2560/ca/ca.html</font></a>
<br>
<br><font size=2 face="sans-serif">If I copy and paste into a browser,
it returns a 0</font>
<br>
<br><font size=2 face="sans-serif">What is that supposed to return????</font>
<br>
<br>
<br><font size=2 face="sans-serif">Dave<br>
</font><br />------------------------------------------------------------------------------
<br>Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
<br>trial. Simplify your report design, integration and deployment - and focus on
<br>what you do best, core application coding. Discover what's new with
<br>Crystal Reports now. <a href="http://p.sf.net/sfu/bobj-july" target="_top" rel="nofollow">http://p.sf.net/sfu/bobj-july</a><br />_______________________________________________
<br>Openca-Users mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26337743&i=0" target="_top" rel="nofollow">Openca-Users@...</a>
<br><a href="https://lists.sourceforge.net/lists/listinfo/openca-users" target="_top" rel="nofollow">https://lists.sourceforge.net/lists/listinfo/openca-users</a><br><p>From forum: <a href="http://old.nabble.com/openca-users-f3692.html" embed="fixTarget[3692]" target="_top" >openca-users</a></p>tag:old.nabble.com,2006:post-26337715Re: Trouble with LDAP and CRL's2009-11-13T06:47:59Z2009-11-13T06:47:59ZRalf Hornik Mailings<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26337715&i=0" target="_top" rel="nofollow">blainedw@...</a> wrote:
<br><br>>
<br>> ldap://host/cn=Root CA,ou=Trustcenter,dc=domain,dc=com
<br><br>Is this the full DN or is there an emailAddess too?
<br><br>Some Applications need the full DN to find the CRL:
<br><br>ldap://<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26337715&i=1" target="_top" rel="nofollow">host/emailAdress=root@...</a>, cn=Root
<br>CA,ou=Trustcenter,dc=domain,dc=com
<br><br><br>--
<br>alles bleibt anders...
<br><br><br><br>------------------------------------------------------------------------------
<br>Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
<br>trial. Simplify your report design, integration and deployment - and focus on
<br>what you do best, core application coding. Discover what's new with
<br>Crystal Reports now. <a href="http://p.sf.net/sfu/bobj-july" target="_top" rel="nofollow">http://p.sf.net/sfu/bobj-july</a><br>_______________________________________________
<br>Openca-Users mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26337715&i=2" target="_top" rel="nofollow">Openca-Users@...</a>
<br><a href="https://lists.sourceforge.net/lists/listinfo/openca-users" target="_top" rel="nofollow">https://lists.sourceforge.net/lists/listinfo/openca-users</a><br><p>From forum: <a href="http://old.nabble.com/openca-users-f3692.html" embed="fixTarget[3692]" target="_top" >openca-users</a></p>tag:old.nabble.com,2006:post-26337641Trouble with LDAP and CRL's2009-11-13T06:41:21Z2009-11-13T06:41:21Zblainedw
<br><font size=2 face="sans-serif">Hi all,</font>
<br>
<br><font size=2 face="sans-serif">Unlike most folks, I was able to publish
my certificates and CRL's in LDAP using Openca 1.0.2. My problem exists
with check for it in LDAP. Using PKIVIEW in Windows it mentions that it
is "Unable to download" the CRL from the LDAP CDP. It reports
"OK" for the http one.</font>
<br>
<br><font size=2 face="sans-serif">I used an ldap search command to check
the existance of the CRL in LDAP and that it was not expired. Here is the
command I used:</font>
<br>
<br><font size=2 face="sans-serif">./ldapsearch -x -h host -b "cn=Root
CA,ou=Trustcenter,dc=domain,dc=com" certificateRevocationList</font>
<br>
<br><font size=2 face="sans-serif">I am also able to use IE to at least
contact the LDAP server via this method (unsure how to download CRL using
this method):</font>
<br>
<br><font size=2 face="sans-serif">ldap://host/cn=Root CA,ou=Trustcenter,dc=domain,dc=com</font>
<br><font size=2 face="sans-serif"><br>
Any help appreciated!!!!</font>
<br>
<br><font size=2 face="sans-serif">Dave</font><br />------------------------------------------------------------------------------
<br>Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
<br>trial. Simplify your report design, integration and deployment - and focus on
<br>what you do best, core application coding. Discover what's new with
<br>Crystal Reports now. <a href="http://p.sf.net/sfu/bobj-july" target="_top" rel="nofollow">http://p.sf.net/sfu/bobj-july</a><br />_______________________________________________
<br>Openca-Users mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26337641&i=0" target="_top" rel="nofollow">Openca-Users@...</a>
<br><a href="https://lists.sourceforge.net/lists/listinfo/openca-users" target="_top" rel="nofollow">https://lists.sourceforge.net/lists/listinfo/openca-users</a><br><p>From forum: <a href="http://old.nabble.com/openca-users-f3692.html" embed="fixTarget[3692]" target="_top" >openca-users</a></p>tag:old.nabble.com,2006:post-26326883Smartcard and Trust Chain2009-11-12T13:22:44Z2009-11-12T13:22:44Zblainedw
<br><font size=2 face="sans-serif"><br>
<br>
Hi all,</font>
<br>
<br><font size=2 face="sans-serif">I am having a problem with Windows
2003 authentication using a Smartcard with a certificate generated from
OpenCA. It won't allow logon saying "the smartcard used for authentication
was not trusted". I am using a HID global card and with their utilities
I double checked the chain and verified the certificate ok. The CRL's on
both the offline and online CA are current and good.</font>
<br>
<br><font size=2 face="sans-serif">This setup worked beautifully in development
but in my dev lab their is just the online root CA. </font>
<br>
<br><font size=2 face="sans-serif">In production, however, their is a offline
and an online root CA so a little more complicated. Using OpenCA 1.0.2
with patches.</font>
<br>
<br><font size=2 face="sans-serif">Any information you need to assist with
this dilemna just let me know.</font>
<br>
<br><font size=2 face="sans-serif">Dave</font>
<br>
<br>
<br><font size=2 face="sans-serif">Dave </font>
<br><br />------------------------------------------------------------------------------
<br>Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
<br>trial. Simplify your report design, integration and deployment - and focus on
<br>what you do best, core application coding. Discover what's new with
<br>Crystal Reports now. <a href="http://p.sf.net/sfu/bobj-july" target="_top" rel="nofollow">http://p.sf.net/sfu/bobj-july</a><br />_______________________________________________
<br>Openca-Users mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26326883&i=0" target="_top" rel="nofollow">Openca-Users@...</a>
<br><a href="https://lists.sourceforge.net/lists/listinfo/openca-users" target="_top" rel="nofollow">https://lists.sourceforge.net/lists/listinfo/openca-users</a><br><p>From forum: <a href="http://old.nabble.com/openca-users-f3692.html" embed="fixTarget[3692]" target="_top" >openca-users</a></p>tag:old.nabble.com,2006:post-26259032Openca-sv docs2009-11-08T15:05:14Z2009-11-08T15:05:14ZJavier Sarmiento-3Hello,<br><br><div id="result_box" dir="ltr">where can I get the documentation of OpenCA-sv (README-SV)?, I don't know where to find it, <br><br> thanks for your attention</div><br>
<br />------------------------------------------------------------------------------
<br>Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
<br>trial. Simplify your report design, integration and deployment - and focus on
<br>what you do best, core application coding. Discover what's new with
<br>Crystal Reports now. <a href="http://p.sf.net/sfu/bobj-july" target="_top" rel="nofollow">http://p.sf.net/sfu/bobj-july</a><br />_______________________________________________
<br>Openca-Users mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26259032&i=0" target="_top" rel="nofollow">Openca-Users@...</a>
<br><a href="https://lists.sourceforge.net/lists/listinfo/openca-users" target="_top" rel="nofollow">https://lists.sourceforge.net/lists/listinfo/openca-users</a><br><p>From forum: <a href="http://old.nabble.com/openca-users-f3692.html" embed="fixTarget[3692]" target="_top" >openca-users</a></p>tag:old.nabble.com,2006:post-26207348Re: Better docs for Batch system and examples needed2009-11-04T14:59:37Z2009-11-04T14:59:37Zblainedw
<br><font size=2 face="sans-serif">OK I learned some things on my own.</font>
<br>
<br><font size=2 face="sans-serif">I created the following batch_data_process.txt</font>
<br>
<br><font size=2 face="sans-serif">USER user1</font>
<br><font size=2 face="sans-serif">PROCESS gen_certs_2</font>
<br><font size=2 face="sans-serif">SET_STATE new_process</font>
<br><font size=2 face="sans-serif">ROLE Smartcard</font>
<br><font size=2 face="sans-serif">SUBJECT_ALT_NAME_1 email:<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26207348&i=0" target="_top" rel="nofollow">user1@...</a>,otherName:1.3.6.1.4.311.20.2.3;UTF8:<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26207348&i=1" target="_top" rel="nofollow">user1@...</a></font>
<br><font size=2 face="sans-serif">SUBJECT UID=user1,CN=Joe Blow,OU=Employees,DC=gdls,DC=com</font>
<br><font size=2 face="sans-serif">LOA_MODE NORMAL</font>
<br><font size=2 face="sans-serif">LOA 4</font>
<br>
<br><font size=2 face="sans-serif">and added it to my dataexchange tar
file</font>
<br>
<br><font size=2 face="sans-serif">Then selected "QuickImport"
which slurped up the dataexchange file. At this point, if I tried to reimport
the same user I would get an error so I found that I could reset things
by deleting the contents of file $OPENCADIR/var/openca/bp/users.txt and
delete the contents of directory $OPENCADIR/var/openca/bp/users. Of course,
this only works if your just in test dealing with one user ;)</font>
<br>
<br><font size=2 face="sans-serif">And then I selected "Do one step
for all workflows" Yes for both CA and BP key certificates. It then
asked for the CA key twice (since I didn't create a seperate BP certificate).</font>
<br>
<br><font size=2 face="sans-serif">I noticed that in the RA interface that
it doesn't have any options to download the PKCS#12 file. Is this normal
for the UI? Never fear, though, these files are located in $OPENCADIR/var/openca/bp/dataexchange
directory. </font>
<br>
<br><font size=2 face="sans-serif">My next problem was to determine the
PIN assigned. This can be done in the Batch UI by selecting Export PIN.
I found that if you want to issue Export PIN more than once you will get
an error. To clear the error, you have to delete the file $OPENCADIR/var/openca/bp/dataexchange/pin_list
(BTW, this is the list of PINs exported).</font>
<br>
<br><font size=2 face="sans-serif">My remaining issue is that our normal
requests have extra fields like phone number, etc that aren't in the DN
of the certificate. They are just additional request attributes. How can
those be accomodated????</font>
<br>
<br><font size=2 face="sans-serif">Dave</font>
This is an e-mail from General Dynamics Land Systems. It is for the intended recipient only and may contain confidential and privileged information. No one else may read, print, store, copy, forward or act in reliance on it or its attachments. If you are not the intended recipient, please return this message to the sender and delete the message and any attachments from your computer. Your cooperation is appreciated.
<br />------------------------------------------------------------------------------
<br>Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
<br>trial. Simplify your report design, integration and deployment - and focus on
<br>what you do best, core application coding. Discover what's new with
<br>Crystal Reports now. <a href="http://p.sf.net/sfu/bobj-july" target="_top" rel="nofollow">http://p.sf.net/sfu/bobj-july</a><br />_______________________________________________
<br>Openca-Users mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26207348&i=2" target="_top" rel="nofollow">Openca-Users@...</a>
<br><a href="https://lists.sourceforge.net/lists/listinfo/openca-users" target="_top" rel="nofollow">https://lists.sourceforge.net/lists/listinfo/openca-users</a><br><p>From forum: <a href="http://old.nabble.com/openca-users-f3692.html" embed="fixTarget[3692]" target="_top" >openca-users</a></p>tag:old.nabble.com,2006:post-26201568Better docs for Batch system and examples needed2009-11-04T09:59:13Z2009-11-04T09:59:13Zblainedw
<br><font size=2 face="sans-serif">I have several 1000 certs to create
and was looking at the batch system to do this. But there is so little
documentation on it (will the 0.9.2+ docs work for 1.0.2?) and I am very
confused.</font>
<br>
<br><font size=2 face="sans-serif">To test it out, I can just use the CA
cert or am I required to create a BP cert?</font>
<br>
<br><font size=2 face="sans-serif">Then I create a batch_process_data.txt
file that contains the info and tar it up into a dataexchange file.</font>
<br>
<br><font size=2 face="sans-serif">I think I can use QuickImport... So
if that is the case, can someone give me examples of their batch_process_data.txt?</font>
<br>
<br><font size=2 face="sans-serif">Dave<br>
</font><br />------------------------------------------------------------------------------
<br>Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
<br>trial. Simplify your report design, integration and deployment - and focus on
<br>what you do best, core application coding. Discover what's new with
<br>Crystal Reports now. <a href="http://p.sf.net/sfu/bobj-july" target="_top" rel="nofollow">http://p.sf.net/sfu/bobj-july</a><br />_______________________________________________
<br>Openca-Users mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26201568&i=0" target="_top" rel="nofollow">Openca-Users@...</a>
<br><a href="https://lists.sourceforge.net/lists/listinfo/openca-users" target="_top" rel="nofollow">https://lists.sourceforge.net/lists/listinfo/openca-users</a><br><p>From forum: <a href="http://old.nabble.com/openca-users-f3692.html" embed="fixTarget[3692]" target="_top" >openca-users</a></p>tag:old.nabble.com,2006:post-26199386Re: Upgrade from OpenCA 0.8x to 1.022009-11-04T08:16:42Z2009-11-04T08:16:42ZRalf Hornik MailingsHi Max,
<br><br>Massimiliano Pala <<a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26199386&i=0" target="_top" rel="nofollow">Massimiliano.Pala@...</a>> wrote:
<br><br>> AFAIK, the upgrade should work.
<br><br>Thank you for the quick answer. So I will try that and give a short
<br>conclusion if necsessary.
<br>Regards
<br><br>Ralf
<br><br><br><br>------------------------------------------------------------------------------
<br>Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
<br>trial. Simplify your report design, integration and deployment - and focus on
<br>what you do best, core application coding. Discover what's new with
<br>Crystal Reports now. <a href="http://p.sf.net/sfu/bobj-july" target="_top" rel="nofollow">http://p.sf.net/sfu/bobj-july</a><br>_______________________________________________
<br>Openca-Users mailing list
<br><a href="http://old.nabble.com/user/SendEmail.jtp?type=post&post=26199386&i=1" target="_top" rel="nofollow">Openca-Users@...</a>
<br><a href="https://lists.sourceforge.net/lists/listinfo/openca-users" target="_top" rel="nofollow">https://lists.sourceforge.net/lists/listinfo/openca-users</a><br><p>From forum: <a href="http://old.nabble.com/openca-users-f3692.html" embed="fixTarget[3692]" target="_top" >openca-users</a></p>