Nabble - openca-users

Bug in bpExportPIN

2009-12-10T11:11:18Z

Not sure if this was mentioned before but when exporting PINs after the first time using the batch process I would get a module error (strftime not found).

At the top of bpExportPIN, add to correct this issue:

use POSIX qw(strftime);

Dave
------------------------------------------------------------------------------
Return on Information:
Google Enterprise Search pays you back
Get the facts.
http://p.sf.net/sfu/google-dev2dev

_______________________________________________
Openca-Users mailing list
Openca-Users@...
https://lists.sourceforge.net/lists/listinfo/openca-users

renew certificate

2009-11-30T09:42:04Z

People,

I have some certificates. This certificates are created by smartcard. Work perfeclty, but when I want renew the certificates, I renew this certificate in certificate request and after when I import this certificate to my smartcard, it isn't recognized as a valid certificate.

Samuel Rios Carvalho

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
Openca-Users mailing list
Openca-Users@...
https://lists.sourceforge.net/lists/listinfo/openca-users

Re: FIX: Expired list doesn't show

2009-11-30T09:33:56Z

Ralf,

worked perfectly

thank you very much.

Samuel Rios Carvalho

On Sun, Nov 29, 2009 at 11:07 AM, Ralf Hornik Mailings <ralf@...> wrote:

Hi

Samuel Rios Carvalho schrieb:
>
> select status,dn,date(notafter),time(notafter) from certificate
> where status = 'EXPIRED';
>
> So cmdlistCerts doesn't seem to do the correct query.
> I will try to fix that on this weekend.
>
You can download the fixed version of OpenCA::DBI.pm here:

http://www.ralf-hornik.de/pub/patches/openca/DBI.pm

Please replace it with <openca_prefix>/modules/perl5/OpenCA/DBI.pm

@Max. Since the status of expired certificates is being updated in DB,
there is no need to use "handleExpiredCert" any more.
I think it can be completely removed.

Please test it and give a short feedback
Regards

Ralf

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
Openca-Users mailing list
Openca-Users@...
https://lists.sourceforge.net/lists/listinfo/openca-users

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
Openca-Users mailing list
Openca-Users@...
https://lists.sourceforge.net/lists/listinfo/openca-users

Re: silly question

2009-11-30T05:36:22Z

I always wandered what was with all that files .... :)

It's clear now ... i have modified the wrong file ...

Thank you all for your answers

David O'Callaghan wrote:

Hi,

On 29/11/09 16:53, Ionescu Dan wrote:

I know it's a silly question, but:
I have a problem setting the expiring date of certificates. All the
certificates I create using OpenCa, have a  365 days life span, and i
want to increase that.
I've changed the obvious setting (days)  in openssl.cnf file on the ca
machine , but nothing ...


This might be a silly answer, but are you sure you modified the right file?

For example, on my system (based on OpenCA 1.x) if I want to alter the 
"days" parameter for the Web Server certificate profile I would need to 
edit /opt/openca/etc/openca/openssl/openssl/Web_Server.conf
There is a separate OpenSSL conf file for each profile.

Kind regards,

David

Re: silly question

2009-11-30T04:59:45Z

David O'Callaghan <david.ocallaghan@...> wrote:

> This might be a silly answer, but are you sure you modified the right file?
>
> For example, on my system (based on OpenCA 1.x) if I want to alter the
> "days" parameter for the Web Server certificate profile I would need to
> edit /opt/openca/etc/openca/openssl/openssl/Web_Server.conf
> There is a separate OpenSSL conf file for each profile.

You'd rather want to modify Web_Server.conf.template since
Web_Server.conf would be rewritten on startup.

Also its possible to increase the lifetime by using the days field in
the request form.
Regards

Ralf

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
Openca-Users mailing list
Openca-Users@...
https://lists.sourceforge.net/lists/listinfo/openca-users

Re: silly question

2009-11-30T04:39:12Z

Hi,

On 29/11/09 16:53, Ionescu Dan wrote:
> I know it's a silly question, but:
> I have a problem setting the expiring date of certificates. All the
> certificates I create using OpenCa, have a 365 days life span, and i
> want to increase that.
> I've changed the obvious setting (days) in openssl.cnf file on the ca
> machine , but nothing ...

This might be a silly answer, but are you sure you modified the right file?

For example, on my system (based on OpenCA 1.x) if I want to alter the
"days" parameter for the Web Server certificate profile I would need to
edit /opt/openca/etc/openca/openssl/openssl/Web_Server.conf
There is a separate OpenSSL conf file for each profile.

Kind regards,

David
--
Dr David O'Callaghan
Research Fellow - Grid-Ireland - e-INIS - Computer Architecture & Grid
School of Computer Science & Statistics,
Trinity College, Dublin 2, Ireland Telephone: +353 1 896 1536

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
Openca-Users mailing list
Openca-Users@...
https://lists.sourceforge.net/lists/listinfo/openca-users

Re: silly question

2009-11-29T09:09:46Z

You cannot have a certificate with an expiry date beyond the expiry of the signing (CA) certificate. Is the expiry of the CA certificate less than 365 days?

Si

2009/11/29 Ionescu Dan <dionescux@...>

Hi
I know it's a silly question, but:
I have a problem setting the expiring date of certificates. All the
certificates I create using OpenCa, have a 365 days life span, and i
want to increase that.
I've changed the obvious setting (days) in openssl.cnf file on the ca
machine , but nothing ...

My OpenCa Chain is the following:
- one pub machine
-one ra machine
-one ca machine

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
Openca-Users mailing list
Openca-Users@...
https://lists.sourceforge.net/lists/listinfo/openca-users

silly question

2009-11-29T08:53:49Z

Hi
I know it's a silly question, but:
I have a problem setting the expiring date of certificates. All the
certificates I create using OpenCa, have a 365 days life span, and i
want to increase that.
I've changed the obvious setting (days) in openssl.cnf file on the ca
machine , but nothing ...

My OpenCa Chain is the following:
- one pub machine
-one ra machine
-one ca machine

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
Openca-Users mailing list
Openca-Users@...
https://lists.sourceforge.net/lists/listinfo/openca-users

Generate Requests from CSV Import

2009-11-29T08:31:56Z

Hi,

I want to implement the ability to generate PKCS12 files using CSV based
CSR generation:

Name,email,role,loa,pin
----------------------------------------------
Ralf Hornik,ralf@...,User,1,ba11aba||a
...
-----------------------------------------------

Then generate the requests as advanced_csr "server side key generation"

Can somebody (Max?) give me a pointer, witch would be the shortest (and
less performance killing) way to do it (only short hints)?
I will then do the development.
Regards

Ralf

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
Openca-Users mailing list
Openca-Users@...
https://lists.sourceforge.net/lists/listinfo/openca-users

Re: FIX: Expired list doesn't show

2009-11-29T05:07:06Z

Hi

Samuel Rios Carvalho schrieb:
>
> select status,dn,date(notafter),time(notafter) from certificate
> where status = 'EXPIRED';
>
> So cmdlistCerts doesn't seem to do the correct query.
> I will try to fix that on this weekend.
>
You can download the fixed version of OpenCA::DBI.pm here:

http://www.ralf-hornik.de/pub/patches/openca/DBI.pm

Please replace it with <openca_prefix>/modules/perl5/OpenCA/DBI.pm

@Max. Since the status of expired certificates is being updated in DB,
there is no need to use "handleExpiredCert" any more.
I think it can be completely removed.

Please test it and give a short feedback
Regards

Ralf

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
Openca-Users mailing list
Openca-Users@...
https://lists.sourceforge.net/lists/listinfo/openca-users

Re: Expired list doesn't show

2009-11-28T18:20:48Z

hello Ralf

please, don't forget to see the problem in this weekend.

thanks.

Samuel Rios Carvalho

On Thu, Nov 26, 2009 at 2:25 PM, Ralf Hornik Mailings <ralf@...> wrote:

Samuel Rios Carvalho <nhawkbr@...> wrote:

I think that in status like should be REVOKED, but I don't know where I can
change it.

The database shows EXPIERD in the status field of certificate:

select status,dn,date(notafter),time(notafter) from certificate where status = 'EXPIRED';

So cmdlistCerts doesn't seem to do the correct query.
I will try to fix that on this weekend.

Ralf

Re: Expired list doesn't show

2009-11-26T09:42:50Z

yes,

sorry, I make a mistake speaking about REVOKED, the correct is EXPIRED.

I'm waiting your fix.

thanks

Samuel Rios Carvalho

On Thu, Nov 26, 2009 at 2:25 PM, Ralf Hornik Mailings <ralf@...> wrote:

Samuel Rios Carvalho <nhawkbr@...> wrote:

I think that in status like should be REVOKED, but I don't know where I can
change it.

The database shows EXPIERD in the status field of certificate:

select status,dn,date(notafter),time(notafter) from certificate where status = 'EXPIRED';

So cmdlistCerts doesn't seem to do the correct query.
I will try to fix that on this weekend.

Ralf

Re: Expired list doesn't show

2009-11-26T08:25:05Z

Samuel Rios Carvalho <nhawkbr@...> wrote:

> I think that in status like should be REVOKED, but I don't know where I can
> change it.

The database shows EXPIERD in the status field of certificate:

select status,dn,date(notafter),time(notafter) from certificate where
status = 'EXPIRED';

So cmdlistCerts doesn't seem to do the correct query.
I will try to fix that on this weekend.

Ralf

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
Openca-Users mailing list
Openca-Users@...
https://lists.sourceforge.net/lists/listinfo/openca-users

Re: Expired list doesn't show

2009-11-26T08:08:59Z

I found this query in my mysql's log to show REVOKED certificates

select * from openca.certificate where (cert_key >= '0' ) and (status like 'VALID') and (notafter < '20091126160813' ) order by cert_key LIMIT 25

I think that in status like should be REVOKED, but I don't know where I can change it.

Samuel Rios Carvalho

On Thu, Nov 26, 2009 at 12:23 PM, Samuel Rios Carvalho <nhawkbr@...> wrote:

Hello,

exactly 1 year I'm using OpenCA.

Then, yesterday my first certificate expired. In EXPIRED Certificate List doesn't show.

I think it a little bug, please confirm.

Samuel Rios Carvalho

Expired list doesn't show

2009-11-26T06:23:14Z

Hello,

exactly 1 year I'm using OpenCA.

Then, yesterday my first certificate expired. In EXPIRED Certificate List doesn't show.

I think it a little bug, please confirm.

Samuel Rios Carvalho

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
Openca-Users mailing list
Openca-Users@...
https://lists.sourceforge.net/lists/listinfo/openca-users

Fwd: IDtrust peer-reviewed paper deadline extended to Dec 20

2009-11-25T11:50:19Z

FYI.

-- Max

-------- Original Message --------
Subject: IDtrust peer-reviewed paper deadline extended to Dec 20
Date: Wed, 25 Nov 2009 10:53:04 -0700
From: Neal McBurnett <neal@...>
To: MW-PKIPrgmCommittee@...

Thanks to everyone for quick responses and good conversation around
the date extension. Based on overwhelming support I've updated the
web site, extending the deadline for peer-reviewed papers to Dec 20th:

http://middleware.internet2.edu/idtrust/2010/

I hope you can take a moment to share that with your colleagues and
encourage them to submit a paper, and also to propose a panel.

The panel proposal deadline is Jan 24 but we'd love to hear ideas
earlier. Radia Perlman is the panels chair. At this point we're
looking for folks who will step forward to gather participants and
coordinate an interesting, relevant panel.

Cheers, and happy Thanksgiving!

Neal McBurnett http://neal.mcburnett.org/

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
Openca-Users mailing list
Openca-Users@...
https://lists.sourceforge.net/lists/listinfo/openca-users

smime.p7s (4K) Download Attachment

Re: OCSP URL - what's it return????

2009-11-23T07:05:41Z

Hi,

the HTTP GET support is on its way. Actually we are in the process of
porting the OCSP server to LibPKI - it makes it easier to manage HSMs
and it has direct support for PKCS#11 devices.

Once we have a stable version (0.4.0) of LibPKI we will finish the work
on the OCSP server and publish the new version.

This is the first step toward the extensive use of LibPKI in all of our
servers. Ideally we will have a single server with plugins for the different
services that can be enabled/disabled. By using the PRQP activating and
de-activating a service will enable clients to automatically use (or
stop using) the specific service... that is a very useful feature!!!!

Cheers,
Max

On 11/20/2009 04:29 PM, blainedw@... wrote:
>
> Cool. I wasn't sure if the chain should be specified as part of the
> -issuer cert or the -CAcert. Your help confirmed that it is the -CAcert
> that requires the concatenated chain of certs.
>
> Also when will you support HTTP GET method in OCSP?

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
Openca-Users mailing list
Openca-Users@...
https://lists.sourceforge.net/lists/listinfo/openca-users

smime.p7s (4K) Download Attachment

Re: OCSP URL - what's it return????

2009-11-20T13:29:05Z

Cool. I wasn't sure if the chain should be specified as part of the -issuer cert or the -CAcert. Your help confirmed that it is the -CAcert that requires the concatenated chain of certs.

Also when will you support HTTP GET method in OCSP?

Dave

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
Openca-Users mailing list
Openca-Users@...
https://lists.sourceforge.net/lists/listinfo/openca-users

Re: OCSP URL - what's it return????

2009-11-20T09:38:57Z

Yes.

OpenSSL needs to have the full chain of certificates. You can use the
-CAfile <file> option for adding trusted certs to the verification
process. You might then get the error for the root CA saying that it
is a self-signed cert :D That will be ok... :D

Later,
Max

On 11/13/2009 07:26 PM, blainedw@... wrote:
> Hi max
>
> Getting back to something you said earlier in the thread about the error
> that isn't an error. If you see my openssl command I'm using -issuer
> parameter. So doesn't this tell openssl who the issuer is? This a subca
> so does this -issuer parameter require a concat of ca certs that make up
> the chain?

--

Best Regards,

Massimiliano Pala

--o------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager] openca@...
project.manager@...

Dartmouth Computer Science Dept Home Phone: +1 (603) 369-9332
PKI/Trust Laboratory Work Phone: +1 (603) 646-8734
--o------------------------------------------------------------------------
People who think they know everything are a great annoyance to those of us
who do.
-- Isaac Asimov

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
Openca-Users mailing list
Openca-Users@...
https://lists.sourceforge.net/lists/listinfo/openca-users

smime.p7s (4K) Download Attachment

Re: Trouble with LDAP and CRL's

2009-11-15T13:27:21Z

Hi ralf

Thanks for the response. I've been reading about ldap's alias feature and will probably use that to overcome my shortcomings.

Dave
>From David Blaine's blackberry

----- Original Message -----
From: Ralf Hornik Mailings [ralf@...]
Sent: 11/15/2009 07:08 PM CET
To: openca-users@...
Subject: Re: [Openca-Users] Trouble with LDAP and CRL's

blainedw@... wrote:

> My problem now is my root certificate LDAP CDP does not include the email
> address and I cannot reissue a new one. Any magic within LDAP I can do?

It depends on the SSL app. Some apps use subsearch and some not for
retrieving CRLs. Subsearch is also not recommended because of
performance issues.

The easiest way would be to move the crl to the CDP-DN of your
certificates by hand and "patch" your OpenCA installation to enroll
any new CRL there in future.
Regards

Ralf

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
Openca-Users mailing list
Openca-Users@...
https://lists.sourceforge.net/lists/listinfo/openca-users

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
Openca-Users mailing list
Openca-Users@...
https://lists.sourceforge.net/lists/listinfo/openca-users

Re: Trouble with LDAP and CRL's

2009-11-15T10:08:11Z

blainedw@... wrote:

> My problem now is my root certificate LDAP CDP does not include the email
> address and I cannot reissue a new one. Any magic within LDAP I can do?

It depends on the SSL app. Some apps use subsearch and some not for
retrieving CRLs. Subsearch is also not recommended because of
performance issues.

The easiest way would be to move the crl to the CDP-DN of your
certificates by hand and "patch" your OpenCA installation to enroll
any new CRL there in future.
Regards

Ralf

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
Openca-Users mailing list
Openca-Users@...
https://lists.sourceforge.net/lists/listinfo/openca-users

Re: OCSP URL - what's it return????

2009-11-13T16:26:20Z

Hi max

Getting back to something you said earlier in the thread about the error that isn't an error. If you see my openssl command I'm using -issuer parameter. So doesn't this tell openssl who the issuer is? This a subca so does this -issuer parameter require a concat of ca certs that make up the chain?

Just trying to understand

Dave
From David Blaine's blackberry

From: blainedw
Sent: 11/13/2009 04:53 PM EST
To: openca@...; "Users' Help and Suggestions" <openca-users@...>
Subject: Re: [Openca-Users] OCSP URL - what's it return????

The OCSP is defined as an AIA location

I'll check the logs when I get a chance.

Dave
------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
Openca-Users mailing list
Openca-Users@...
https://lists.sourceforge.net/lists/listinfo/openca-users

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
Openca-Users mailing list
Openca-Users@...
https://lists.sourceforge.net/lists/listinfo/openca-users

Re: OCSP URL - what's it return????

2009-11-13T13:53:45Z

Re: Trouble with LDAP and CRL's

2009-11-13T13:50:01Z

I checked ldapsearch and thanks to Ralf the DN does have the email address in it... OK, I downloaded and installed libpki. Using that tool and having the email address in the DN, I was able to retrieve something (lots of garbled characters).

My problem now is my root certificate LDAP CDP does not include the email address and I cannot reissue a new one. Any magic within LDAP I can do?

Dave
------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
Openca-Users mailing list
Openca-Users@...
https://lists.sourceforge.net/lists/listinfo/openca-users

Re: OCSP URL - what's it return????

2009-11-13T13:43:20Z

I guess we have 2 separate issues here. The CDP is the CRL Distribution
Point - not the OCSP responder address. That should point to your CRL
http location.

I have not used the PKIVIEW on Winz... but have you checked the logs on
the OCSP server (should be /var/log/messages).. what do they report ? It
might be that the PKIVIEW uses the HTTP GET instead of the HTTP POST for
the OCSP.. this is just a wild guess.. :D But since the current version
of the software does not support GET.. you'll have to wait for the new
version (which will support GET as well..).

Let us know...

Later,
Max

On 11/13/2009 04:10 PM, blainedw@... wrote:
>
> When I look in PKIVIEW (windows utility) to verify my AIA and CDP
> locations. It states unable to download for both my LDAP CDP and my OCSP
> location.

--

Best Regards,

Massimiliano Pala

--o------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager] openca@...
project.manager@...

Dartmouth Computer Science Dept Home Phone: +1 (603) 369-9332
PKI/Trust Laboratory Work Phone: +1 (603) 646-8734
--o------------------------------------------------------------------------
People who think they know everything are a great annoyance to those of us
who do.
-- Isaac Asimov

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
Openca-Users mailing list
Openca-Users@...
https://lists.sourceforge.net/lists/listinfo/openca-users

smime.p7s (4K) Download Attachment

Re: OCSP URL - what's it return????

2009-11-13T13:10:17Z

When I look in PKIVIEW (windows utility) to verify my AIA and CDP locations. It states unable to download for both my LDAP CDP and my OCSP location.

Dave

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
Openca-Users mailing list
Openca-Users@...
https://lists.sourceforge.net/lists/listinfo/openca-users

Re: OCSP URL - what's it return????

2009-11-13T12:00:51Z

Hi Dave,

actually that seem to work fine. The error in OpenSSL is not really an error,
it just does not have the issuer certificate of the OCSP server's certificate
but the response is correctly parsed (status good).

I do not really understand, what is the issue you are having ?

Later,
Max

On 11/13/2009 01:17 PM, blainedw@... wrote:

>
> Well, I hope I do ;)
>
> I guess the URL threw me because it had /ca/ca.html on it so I was
> expecting a response.
>
> openssl ocsp -issuer /appl/openca-ocspd-1.5.1/etc/ocspd/certs/cacert.pem
> -cert /appl/openca/openca/var/openca/crypto/certs/01.pem -url
> http://host:2560/ -resp_text -respout /tmp/ocspResp.der -CAfile
> /appl/openca-ocspd-1.5.1/etc/ocspd/certs/cacert.pem <http://host:2560/>
>
> ....
>
> Response Verify Failure
> 19659:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify
> error:ocsp_vfy.c:122:Verify error:unable to get issuer certificate
> /appl/openca/openca/var/openca/crypto/certs/15.pem: good
> This Update: Nov 12 18:12:01 2009 GMT
> Next Update: Nov 13 16:46:03 2009 GMT
>
> I can eliminate this error by adding -VAoption

smime.p7s (4K) Download Attachment

Re: OCSP URL - what's it return????

2009-11-13T10:17:11Z

Well, I hope I do ;)

I guess the URL threw me because it had /ca/ca.html on it so I was expecting a response.

openssl ocsp -issuer /appl/openca-ocspd-1.5.1/etc/ocspd/certs/cacert.pem -cert /appl/openca/openca/var/openca/crypto/certs/01.pem -url http://host:2560/ -resp_text -respout /tmp/ocspResp.der -CAfile /appl/openca-ocspd-1.5.1/etc/ocspd/certs/cacert.pem

....

Response Verify Failure
19659:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:ocsp_vfy.c:122:Verify error:unable to get issuer certificate
/appl/openca/openca/var/openca/crypto/certs/15.pem: good
This Update: Nov 12 18:12:01 2009 GMT
Next Update: Nov 13 16:46:03 2009 GMT

I can eliminate this error by adding -VAoption

Any help would be appreciated

Dave

Dave
------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
Openca-Users mailing list
Openca-Users@...
https://lists.sourceforge.net/lists/listinfo/openca-users

cross-site request forgery (XSRF)

2009-11-13T08:47:09Z

Hello,

We use OpenCA 0.9.x in a couple of university projects and we are very
pleased with it, having issued near 700 certificates for students and
professors for e-learning in the last three years.

We integrate many screens and forms (like the request form) in a public
web page (our pki portal) made with Joomla an its "wrapper" option
(allows to embeed an external page within the page body using the html
"<iframe>" element).

Now, we have tried the 1.0.2 version and we have seen that the "wrapper"
option doesn't work because the new OpenCA XSRF protection.

We need the "wrapper" option to integrate OpenCA forms with Joomla, but
tried to disable the XSRF protection and we didn't find how to do it.

How to disable XSRF or how to make work without disabling it? Any
suggestion, please?

Thank you very much

Regards,
Leo Catalinas,

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
Openca-Users mailing list
Openca-Users@...
https://lists.sourceforge.net/lists/listinfo/openca-users

Re: How to make OpenCA use OpenSSL engine?

2009-11-13T08:15:03Z

Hi Allen,

as Ralf said, check the OpenSC token in the tokens.xml configuration - it is
quite easy to setup the Engine.

One small warning: if you are using the engine for accessing a P11 device, be
careful that when you generate keys with that, the key is actually generated
in software and then stored on the device (instead of using the PKCS11 key
generation on hardware directly...).

Later,
Max

On 09/03/2009 08:39 PM, Allen Liu wrote:
> No, it's not.
>
> OpenSSL ENGINE is a loadable module for talking to HSM (hardware Secure
> Module) or smart card through PKCS 11 in order to utilize keys stored inside
> as well as hardware-implementated algorithms.
>
> I know how to use OpenSSL ENGINE to talk to HSM but don't know to make
> OpenCA use ENGINE.

--

Best Regards,

Massimiliano Pala

--o------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager] openca@...
project.manager@...

Dartmouth Computer Science Dept Home Phone: +1 (603) 369-9332
PKI/Trust Laboratory Work Phone: +1 (603) 646-8734
--o------------------------------------------------------------------------
People who think they know everything are a great annoyance to those of us
who do.
-- Isaac Asimov

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
Openca-Users mailing list
Openca-Users@...
https://lists.sourceforge.net/lists/listinfo/openca-users

smime.p7s (4K) Download Attachment

Re: Trouble with LDAP and CRL's

2009-11-13T08:12:30Z

Hi Dave,

LDAP can be tricky, especially because if the DNs are not precise, you
will not find what you are looking for. You might want to use one LDAP
browsers (some time ago Mozilla had one built in.. now I don't think
Firefox supports ldap:// urls anymore..). If you can find it for your
system I usually use 'gq' - last version I checked was from 2006. The
url on the 'About' is this:

http://www.gq-project.org/

but that points just to an empty page.. a very simple google search
gave me back this:

http://linux.softpedia.com/get/Utilities/GQ-LDAP-Client-11212.shtml

there are many others out there (most of them are Java, though...).

Also, another thing: check that the certificate CDP (CRL Distribution
Point) is correct.

Another possibility is to download the new LibPKI - there is a tool
there that allows you to download data from different URLs, and in
particular from LDAP by using something like:

$ url-tool "ldap://ldap.dartmouth.edu:389/cn=Dartmouth CertAuth1, o=Dartmouth College,
C=US, dc=dartmouth, dc=edu?cACertificate;binary"

You can find the libpki here:

http://ftp.openca.org/libpki/releases/

The version 0.4.0 is on its way...

Later,
Max

On 11/13/2009 09:41 AM, blainedw@... wrote:

>
> Hi all,
>
> Unlike most folks, I was able to publish my certificates and CRL's in
> LDAP using Openca 1.0.2. My problem exists with check for it in LDAP.
> Using PKIVIEW in Windows it mentions that it is "Unable to download" the
> CRL from the LDAP CDP. It reports "OK" for the http one.
>
> I used an ldap search command to check the existance of the CRL in LDAP
> and that it was not expired. Here is the command I used:
>
> ./ldapsearch -x -h host -b "cn=Root CA,ou=Trustcenter,dc=domain,dc=com"
> certificateRevocationList
>
> I am also able to use IE to at least contact the LDAP server via this
> method (unsure how to download CRL using this method):
>
> ldap://host/cn=Root CA,ou=Trustcenter,dc=domain,dc=com
>
> Any help appreciated!!!!
>
> Dave

--

Best Regards,

Massimiliano Pala

--o------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager] openca@...
project.manager@...

Dartmouth Computer Science Dept Home Phone: +1 (603) 369-9332
PKI/Trust Laboratory Work Phone: +1 (603) 646-8734
--o------------------------------------------------------------------------
People who think they know everything are a great annoyance to those of us
who do.
-- Isaac Asimov

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
Openca-Users mailing list
Openca-Users@...
https://lists.sourceforge.net/lists/listinfo/openca-users

smime.p7s (4K) Download Attachment

Re: OCSP URL - what's it return????

2009-11-13T07:59:21Z

Hi Dave,

I assume you have installed and configured the OCSP server ... :D If not,
you have to download it as it is a separate package (that I am going to
update quite soon... :D).

The OCSP server returns an OCSP response.. so it is not viewable with the
browser. You can use the `openssl ocsp' to view the response (check the
command line syntax by using `openssl ocsp -'.

Or you can just use wget (`wget http://...') and then parse the contents
of the saved data with `openssl asn1parse -inform DER -in <filename>'. Or,
last but not least, just use the telnet command:

$ telnet host 2560

then hit a couple of returns.. you'll see the response.. with the full
headers.

I hope this helps,

Cheers,
Max

On 11/13/2009 09:49 AM, blainedw@... wrote:
>
> I have a OCSP URL similar to the default one as an AIA location
>
> http://host:2560/ca/ca.html
>
> If I copy and paste into a browser, it returns a 0
>
> What is that supposed to return????

--

Best Regards,

Massimiliano Pala

--o------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager] openca@...
project.manager@...

Dartmouth Computer Science Dept Home Phone: +1 (603) 369-9332
PKI/Trust Laboratory Work Phone: +1 (603) 646-8734
--o------------------------------------------------------------------------
People who think they know everything are a great annoyance to those of us
who do.
-- Isaac Asimov

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
Openca-Users mailing list
Openca-Users@...
https://lists.sourceforge.net/lists/listinfo/openca-users

smime.p7s (4K) Download Attachment

OCSP URL - what's it return????

2009-11-13T06:49:11Z

I have a OCSP URL similar to the default one as an AIA location

http://host:2560/ca/ca.html

If I copy and paste into a browser, it returns a 0

What is that supposed to return????

Dave

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
Openca-Users mailing list
Openca-Users@...
https://lists.sourceforge.net/lists/listinfo/openca-users

Re: Trouble with LDAP and CRL's

2009-11-13T06:47:59Z

blainedw@... wrote:

>
> ldap://host/cn=Root CA,ou=Trustcenter,dc=domain,dc=com

Is this the full DN or is there an emailAddess too?

Some Applications need the full DN to find the CRL:

ldap://host/emailAdress=root@..., cn=Root
CA,ou=Trustcenter,dc=domain,dc=com

--
alles bleibt anders...

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
Openca-Users mailing list
Openca-Users@...
https://lists.sourceforge.net/lists/listinfo/openca-users