openca.results-security.de

 This is not an official site of openca; the official site is www.openca.org.
This page was created by a newbie to understand the capabilities of openca. I publish my experience with openca to help other newbies start with openca. If you use the information here, think of it as having missed a seminar and getting copies of a colleague's notes. This description is only for testing purposes.
 
I'm working for a small company (about 40 workers) that sells IT solutions for companies with 1-2000 workers. We are also active in firewalls, and clearly we want to move towards more security for small companies.
 In the past I created certificates with openssl on the shell. But now we are thinking of promoting the idea of PKI more extensively to satisfy our customers.
If you are interested in professional help with ERP systems like SAP, Navision, Mesonic or others, or you need help configuring interfaces between different ERP systems (XML, cXBL or something like this) in the German, French or Spanish speaking area, it may be a good choice to look at www.results-hannover.de. Thank you.
 
THINK ABOUT: I'm a newbie and not everything on this site may be correct. If you find something incorrect or you have any comments, especially for me, please mail me at wallus@results-hannover.de. For openca-related things, please mail openca-users@list.sourceforge.net. You have to register at www.sourceforge.net first.
 
Please read Michael Bell's THE OPENCA GUIDE; you can find it at ftp://ftp.openca.org/pub/openca/developers/bell/doc/. Please read this guide, although it is still incomplete.
 One more important source of information is the openca-users mailing list. The searchable archive can be found at
     http://www.mail-archive.com/openca-users%40lists.sourceforge.net/ .
 I like txt files, because they are small and you can copy and paste. Apart from this page, everything else is txt files. Perhaps later I will add some graphics.
 
Everything I describe here is for SuSE 8.1 and openca 0.9.1.


Contents:
 

Overview
--------
Not a real overview, just some information beforehand. Updated 03-01-09.


Install the source for ca
-------------------------
Note: openca has two parts: the really private one, the ca (this one). Here you will really issue certificates. For security reasons this ca must not be in a network. The certificates and the requests must be transported with a floppy. For testing purposes, you can install ca and ra on one server. Updated 03-01-09.


Install the source for ra
-------------------------
The ext interface: here you can create a cert request (look at /pub) and sign a request (as ra operator, at /ra). After this the request must be transported to the ca. Updated 03-01-09.


Initialize ca
-------------
Using netscape 4.79.


Initialize ra
-------------
Using netscape 4.79.


Create Cert for Webserver
------------------------- 
The first action.

Here the different files start. Please remember this is a backup copy from
Google because the original site was broken.

===============================================================================
00overview.txt
===============================================================================

What is what
-------------------

Certificate Authority CA:
  - URL http://ca.intern.results-hannover.de
  - Doesn't need a connection to any network

Registration Authority RA:
  - URL https://ra.results-security.de
  - Needs a connection to the big badness (internet)
  - contains the public interface for requesting certificates
  - contains the ra interface for the pre-tasks of issuing certs

My browser for everything is netscape 4.79. Perhaps later I will test IE 6.0 (capicom.dll).

===============================================================================
01installca.txt
===============================================================================

PRETASK
----------
# If you install SuSE8.1 with the standard selection from Yast you need to install
# apache, make, gcc, autoconf, mod_perl, mod_ssl, gettext,


#Installation of openssl on both computers ra and ca
#Download openssl version 0.9.7.x from http://www.openssl.org (I use openssl-0.9.7-beta5.tar.gz)
#and do
# (you need to install make and gcc)
tar xzf openssl-0.9.7-beta5.tar.gz; cd openssl-0.9.7-beta5
#(previous version: perl Makefile.PL), now
./config
make
make test
make install
# to use this new openssl version you must use the path /usr/local/ssl.

#Prepare Mysql: (I use mysql only on the ra, because then I can easily put the ca into a tar file!)
#(check if mysql is running: /etc/init.d/mysql status;
# make sure that mysql starts at system start:
# yast / system / Runlevel editor / Runlevel properties / set mysql for your default runlevel )
# set the mysql root password (here "mysqladmin"), create the openca database
# and a dedicated db user that only has rights on that database:
mysqladmin password mysqladmin
mysqladmin -pmysqladmin create openca
mysql -pmysqladmin
    grant all privileges on openca.* to openca@localhost identified by "mysqlopencapasswd";
    exit;

# Download the openca software from ftp://ftp.openca.org/pub/openca/v0.9/
# on both computers ra and ca:
# create the directory for the web server files:
mkdir /srv/ca
# In a directory, perhaps /home/openca:
tar xzf openca-0.9.1.tar.gz
cd openca-0.9.1


CONFIGURE THE software
---------------------------------

./configure --prefix=/srv/ca \
  --with-web-host=ca.intern.results-hannover.de \
  --with-httpd-host=ca.intern.results-hannover.de \
  --with-httpd-user=wwwrun \
  --with-httpd-group=nogroup \
  --with-dist-user=wallus \
  --with-dist-group=openca \
  --with-ca-organization=security \
  --with-ca-locality=Hannover \
  --with-ca-country=DE \
  --with-service-mail-account=wallus@results-hannover.de \
  --with-openssl-prefix=/usr/local/ssl \
  --with-sendmail="/usr/sbin/sendmail -t"\
  --with-hierarchy-level=ca\
  --enable-dbi\
  --with-db-type=mysql \
  --with-db-name=openca \
  --with-db-host=localhost \
  --with-db-port=3306 \
  --with-db-user=openca \
  --with-db-passwd=mysqlopencapasswd\
  --with-ldap-host=ra.results-security.de \
  --with-ldap-root="cn=Manager,ou=security,o=results-hannover,c=de"\
  --with-ldap-root-pwd=ldappasswd


Compile and Install CA
-------------------------------
make ca

make install-ca

# If you want to make everything again, don't forget
# to delete the installed files:
# rm -rf O* apache bin man

CONFIGURATION of Revocation URL
--------------------------------
Please edit in
   OpenCA/etc/openssl/ca-openssl.cnf
the following lines to the correct URL that is accessible from the internet:
# CRLs
crlDistributionPoints   = URI:https://ra.results-security.de/pub/crl/cacrl.crl
nsCaRevocationUrl       = https://ra.results-security.de/pub/crl/cacrl.crl
nsRevocationUrl         = https://ra.results-security.de/pub/crl/cacrl.crl

The same for OpenCA/etc/openssl/openssl.cnf and OpenCA/etc/openssl/ra-openssl.cnf
Maybe it is possible to set this with configure.


CONFIGURATION of apache CA Server
---------------------------------
#I use virtual hosting:
#From httpd.conf:
....
BindAddress 192.168.251.202:80
Listen 192.168.251.202:80
.....
include /srv/ca/apache.conf
....
# Clear the other virtual host parts if you don't use them.
#ca.intern.results-hannover.de must be in DNS.

#From /srv/ca/apache.conf

<VirtualHost ca.intern.results-hannover.de:80>
   ServerAdmin wallus@results-hannover.de
   DocumentRoot /srv/ca/apache/htdocs
   ServerName ca.intern.results-hannover.de
   SetEnvIf User-Agent ".*MSIE.*" \
       nokeepalive ssl-unclean-shutdown \
       downgrade-1.0 force-response-1.0
   CustomLog /var/log/httpd/ssl_request_log \
         "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
   # must match the DocumentRoot above
   <Directory "/srv/ca/apache/htdocs">
        Options Indexes FollowSymlinks MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
   </Directory>
   ScriptAlias /cgi-bin/ "/srv/ca/apache/cgi-bin/"
   <Directory "/srv/ca/apache/cgi-bin">
        AllowOverride None
        Options None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>


chown wwwrun:nogroup /srv/ca/apache.conf

===============================================================================
02installra.txt
===============================================================================

PRETASK
----------
#Installation of openssl on both computers ra and ca
#Download openssl version 0.9.7.x from http://www.openssl.org (I use openssl-0.9.7-beta5.tar.gz)
#and do
# (you need to install make and gcc)
tar xzf openssl-0.9.7-beta5.tar.gz; cd openssl-0.9.7-beta5
#(previous version: perl Makefile.PL), now
./config
make
make test
make install
# to use this new openssl version you must use the path /usr/local/ssl.

#Prepare Mysql: (I use mysql only on the ra, because then I can easily put the ca into a tar file!)
#(check if mysql is running: /etc/init.d/mysql status;
# make sure that mysql starts at system start:
# yast / system / Runlevel editor / Runlevel properties / set mysql for your default runlevel )
# set the mysql root password (here "mysqladmin"), create the opencara database
# and a dedicated db user that only has rights on that database:
mysqladmin password mysqladmin
mysqladmin -pmysqladmin create opencara
mysql -pmysqladmin
    grant all privileges on opencara.* to openca@localhost identified by "mysqlopencapasswd";
    exit;


# Download the openca software from ftp://ftp.openca.org/pub/openca/v0.9/
# on both computers ra and ca:
# create the directory for the web server files
# (the ra is configured with --prefix=/srv/ra below):
mkdir /srv/ra
# In a directory, perhaps /home/openca:
tar xzf openca-0.9.1.tar.gz
cd openca-0.9.1


CONFIGURE THE software
---------------------------------

./configure --prefix=/srv/ra \
  --with-web-host=ra.results-security.de \
  --with-httpd-host=ra.results-security.de \
  --with-httpd-user=wwwrun \
  --with-httpd-group=nogroup \
  --with-dist-user=wallus \
  --with-dist-group=openca \
  --with-ca-organization=security \
  --with-ca-locality=Hannover \
  --with-ca-country=DE \
  --with-service-mail-account=mail@results-hannover.de \
  --with-openssl-prefix=/usr/local/ssl \
  --with-sendmail="/usr/sbin/sendmail -t" \
  --with-hierarchy-level=ra \
  --with-ldap-host=ra.results-security.de \
  --with-ldap-root="cn=Manager,ou=security,o=results-hannover,c=de" \
  --with-ldap-root-pwd=ldappasswd \
  --enable-dbi \
  --with-db-type=mysql \
  --with-db-name=opencara \
  --with-db-host=localhost \
  --with-db-port=3306 \
  --with-db-user=openca \
  --with-db-passwd=mysqlopencapasswd



Compile and Install RA
-------------------------------
make ext

make install-ext


CONFIGURATION of Revocation URL
--------------------------------
Please edit in
   OpenCA/etc/openssl/ca-openssl.cnf
the following lines to the correct URL that is accessible from the internet:
# CRLs
crlDistributionPoints   = URI:https://ra.results-security.de/pub/crl/cacrl.crl
nsCaRevocationUrl       = https://ra.results-security.de/pub/crl/cacrl.crl
nsRevocationUrl         = https://ra.results-security.de/pub/crl/cacrl.crl

The same for OpenCA/etc/openssl/openssl.cnf and OpenCA/etc/openssl/ra-openssl.cnf
Maybe it is possible to set this with configure.


CONFIGURATION of apache RA Server
---------------------------------
#I use virtual hosting:
#From httpd.conf:
....
BindAddress 62.48.68.157:443
Listen 62.48.68.157:443
.....
include /srv/ra/apache.conf
....
# Clear the other virtual host parts if you don't use them.
#ra.results-security.de must be in DNS.

#From /srv/ra/apache.conf
<VirtualHost ra.results-security.de:443>
   ServerAdmin wallus@results-hannover.de
   DocumentRoot /srv/ra/apache/htdocs
   ServerName ra.results-security.de
   SetEnvIf User-Agent ".*MSIE.*" \
       nokeepalive ssl-unclean-shutdown \
       downgrade-1.0 force-response-1.0
   SSLEngine on
   SSLCertificateFile /srv/ra/ssl.crt/server.pem
   SSLCertificateKeyFile /srv/ra/ssl.key/key.pem
   <Directory "/srv/ra/apache/htdocs/pub/">
        Options Indexes FollowSymlinks MultiViews
        AllowOverride None
        Order allow,deny
        Allow from all
   </Directory>

   <Directory "/srv/ra/apache/htdocs/ra/">
        Options Indexes FollowSymlinks MultiViews
        AllowOverride None
        Order allow,deny
        Allow from 62.48.68
   </Directory>
   <Directory "/srv/ra/apache/htdocs/ra_node/">
        Options Indexes FollowSymlinks MultiViews
        AllowOverride None
        Order allow,deny
        Allow from 62.48.68
   </Directory>
   <Directory "/srv/ra/apache/htdocs/ldap/">
        Options Indexes FollowSymlinks MultiViews
        AllowOverride None
        Order allow,deny
        Allow from 62.48.68
   </Directory>
   ScriptAlias /cgi-bin/ "/srv/ra/apache/cgi-bin/"
   <Directory "/srv/ra/apache/cgi-bin">
        AllowOverride None
        Options None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

Note: The ra and ldap interfaces should only be accessible from the ra.
I use a simple method of protection here: Allow from <my subnet>.
This is not secure enough and must not be used in a real production
environment. The better way is to give access only to clients with the appropriate
ra operator cert.
But the cgi scripts also need some protection rules.
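An added check for the point just made (my own example, not from the original page or from openca): it walks an apache.conf of the shape shown above and reports every <Directory> block of the ra vhost that is guarded only by an IP filter or is open, treating /pub/ as the intended public interface. The sample config is constructed; the hardened /ra/ block in it, with "SSLVerifyClient require" as the marker for client-cert protection, is my assumption about how such a rule would be written.

```shell
#!/bin/sh
# Added example, not part of the original page: report which <Directory>
# blocks of the RA vhost rely on "Allow from <subnet>" only. Assumes the
# Apache 1.3 syntax used on this page; "SSLVerifyClient require" is taken
# as the marker that a client certificate (ra operator cert) is demanded.

# Constructed sample: the page's RA vhost with the /ra/ block hardened
# and the other interfaces left as on the page.
SAMPLE_CONF=$(cat <<'EOF'
<VirtualHost ra.results-security.de:443>
   SSLEngine on
   <Directory "/srv/ra/apache/htdocs/pub/">
        Order allow,deny
        Allow from all
   </Directory>
   <Directory "/srv/ra/apache/htdocs/ra/">
        Order allow,deny
        Allow from 62.48.68
        SSLVerifyClient require
        SSLVerifyDepth 2
   </Directory>
   <Directory "/srv/ra/apache/htdocs/ra_node/">
        Order allow,deny
        Allow from 62.48.68
   </Directory>
   <Directory "/srv/ra/apache/cgi-bin">
        Order allow,deny
        Allow from all
   </Directory>
</VirtualHost>
EOF
)

# audit_conf CONFIGTEXT
# Prints "<path> <status>" per <Directory> block:
#   PUB  = the public /pub/ interface, meant to be reachable by everybody
#   OK   = a client certificate is required
#   WEAK = only an IP/subnet filter ("Allow from 62.48.68")
#   OPEN = "Allow from all" and no client cert (the cgi-bin case; the page
#          itself notes that the cgi scripts need protection rules too)
audit_conf() {
    printf '%s\n' "$1" | awk '
        /<Directory/ {
            dir = $2; gsub(/["<>]/, "", dir)
            verify = 0; ipfilter = 0; open = 0
            next
        }
        /SSLVerifyClient[ \t]+require/ { verify = 1 }
        /Allow from all/               { open = 1 }
        /Allow from/ && !/from all/    { ipfilter = 1 }
        /<\/Directory>/ {
            if (dir ~ /\/pub\/?$/) status = "PUB"
            else if (verify)       status = "OK"
            else if (ipfilter)     status = "WEAK"
            else                   status = "OPEN"
            print dir, status
        }'
}

# count_findings CONFIGTEXT: number of non-public blocks without a client cert
count_findings() {
    audit_conf "$1" | awk '$2 == "WEAK" || $2 == "OPEN" { n++ } END { print n+0 }'
}

audit_conf "$SAMPLE_CONF"
echo "findings: $(count_findings "$SAMPLE_CONF")"
```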



CONFIGURATION of ldap Server
-----------------------------
# On ra computer:
# From /etc/openldap/slapd.conf:

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema

pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args

allow  bind_v2
database        bdb
suffix          "ou=security,o=results-hannover,c=de"
rootdn          "cn=Manager,ou=security,o=results-hannover,c=de"
rootpw          ldappasswd


# This must be in accord with the lines in
# /srv/ra/OpenCA/etc/servers/ldap.conf:

## Now the LDAP default base dn
basedn "ou=security,o=results-hannover,c=de"

## Let's define the privileged Account Allowed to Modify the LDAP entries
ldaproot "cn=Manager,ou=security,o=results-hannover,c=de"
ldappwd  "ldappasswd"



# Start your slapd: /etc/init.d/ldap start
# With yast / system / Runlevel editor / Runlevel properties / set ldap for your default runlevel

Note: I still have problems with ldap!

===============================================================================
03initca_netscape.txt
===============================================================================

PreTASK
-------
# On SuSE8.1, or if you run an X server, the default permissions on the floppy device
# are not correct. Do this if you get problems
# writing to the floppy (also when you restart your X server):
  chown wwwrun /dev/fd0


Initialize CA Phase 1
----------------------------
On http://ca.intern.results-hannover.de
    Initialize/Initialize the Certification Authority ->
    -Initialize Database
    -create new key -> des3,2048, ca-passwd
    -Generate new CA Certificate Request (use generated secret key)
      -> email:wallus@results-hannover.de
      -> Common name: ca
      -> organizational unit: intern
      -> Organization: results-hannover.de
      -> Country: DE
      Resulting DN= emailAddress=wallus@results-hannover.de, CN=ca, OU=intern, O=results-hannover.de, C=DE
     -Generate Self Signed CA Certificate (from the already generated request)
       -> 730, ca-passwd
     -Rebuild CA Chain
Put in a floppy disk and make sure that wwwrun has the
right to write to /dev/fd0 (chown wwwrun /dev/fd0)
     -Export Configuration


Initialize CA Phase 2
----------------------------
On http://ca.intern.results-hannover.de
    Initialize/Create the initial administrator (user-cert for signing transactions) ->
    -Create a new request
       ->Email: wallus@results-hannover.de
       ->Name:  Harald Wallus
       -> Certificate Request Group: Internet
       -> Role: RA Operator  !Change from default
       -> Registration Authority: Trustcenter itself
       -> PIN: download-passwd
       -> Choose a keysize: 1024  ! Change from default
       ->Continue, ->Continue
      -Edit the request
       -> OK
       -> issue the certificate, ca-passwd
      -Handle the certificate
       ->Certificate and Keypair: change to PKCS#12 -> Download, download-passwd
         store it in ra_datum.p12 (this is for netscape 4.79).
Now it must be loaded:
       -netscape menu/Communicator/tools/security-info/yours
        ->Certificate import, password of your cert storage,
          choose the file above, download-passwd,
          a short name you can remember like raop_datum, OK, close.


Initialize CA Phase 3
----------------------------
On http://ca.intern.results-hannover.de
    Initialize/Create the initial RA certificate (web cert for apache) ->
    -Create a new request
       ->Email: wallus@results-hannover.de (email address of the webmaster)
       ->Name:  Harald Wallus
       -> Certificate Request Group: Internet
       -> Role: Web Server  !Change from default
       -> Registration Authority: Trustcenter itself
       -> PIN: download-passwd
       -> Choose a keysize: 1024  ! Change from default
       ->Continue, ->Continue
      -Edit the request
       -> change Subject alternative Name from
              email:wallus@results-hannover.de
          to
              DNS:ra.intern.results-security.de;email:wallus@results-hannover.de
          (DNS must be written in upper case letters)
       -> OK
       -> issue the certificate, ca-passwd
      -Handle the certificate
       ->Certificate and Keypair:
         Certificate and Keypair: SSLeay (mod_ssl), download, user-passwd
The cert appears in the browser; copy it with your mouse and
store the first, public part (BEGIN CERTIFICATE till END CERTIFICATE)
into /home/ra/ssl.crt/server.pem and the
private part (BEGIN RSA.... till END RSA ....) into /home/ra/ssl.key/key.pem
   mkdir /home/ra/ssl.crt
   vi /home/ra/ssl.crt/server.pem
   mkdir /home/ra/ssl.key
   vi /home/ra/ssl.key/key.pem
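Instead of pasting the two parts by hand with vi, the following added example (mine, not from the original page or from openca) splits the text copied from the browser into the certificate and key files mod_ssl reads, creates the key file unreadable for others, and, when openssl is installed, checks that the pasted key really belongs to the certificate. The file paths are parameters; the apache.conf on this page expects /srv/ra/ssl.crt/server.pem and /srv/ra/ssl.key/key.pem, and the demo input is a constructed dummy, not a real certificate or key.

```shell
#!/bin/sh
# Added example, not part of the original page: split the text pasted
# from the browser (certificate followed by private key) into the two
# files mod_ssl reads, lock down the key and, if openssl is installed,
# check that the key belongs to the certificate.

# split_pem INPUT CERTFILE KEYFILE
# Copies the BEGIN/END CERTIFICATE block to CERTFILE and the
# BEGIN/END (RSA) PRIVATE KEY block to KEYFILE; returns 1 if either is missing.
split_pem() {
    src=$1; crt=$2; key=$3
    mkdir -p "$(dirname "$crt")" "$(dirname "$key")"
    (   # umask 077: the key file is created unreadable for group/others
        umask 077
        awk -v crt="$crt" -v key="$key" '
            /-----BEGIN CERTIFICATE-----/        { out = crt }
            /-----BEGIN (RSA )?PRIVATE KEY-----/ { out = key }
            out != ""                            { print > out }
            /-----END CERTIFICATE-----/ || /-----END (RSA )?PRIVATE KEY-----/ { out = "" }
        ' "$src"
    )
    [ -s "$crt" ] && [ -s "$key" ] || return 1
    chmod 644 "$crt"
    chmod 600 "$key"
}

# key_matches_cert CERTFILE KEYFILE
# Prints "match" if the RSA modulus of both files agrees, "mismatch" if not
# (wrong key pasted, or garbage), "skipped" when openssl is not available.
key_matches_cert() {
    command -v openssl >/dev/null 2>&1 || { echo skipped; return 0; }
    cm=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null)
    km=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)
    if [ -n "$cm" ] && [ "$cm" = "$km" ]; then echo match; else echo mismatch; fi
}

# Constructed demo input standing in for the browser output; the PEM
# bodies are dummies, not a real certificate or key.
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/pasted.txt" <<'EOF'
Certificate and Keypair: SSLeay (mod_ssl)
-----BEGIN CERTIFICATE-----
MIIBconstructedCERTbody
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIBconstructedKEYbody
-----END RSA PRIVATE KEY-----
EOF
split_pem "$DEMO_DIR/pasted.txt" "$DEMO_DIR/ssl.crt/server.pem" "$DEMO_DIR/ssl.key/key.pem" \
    && ls -l "$DEMO_DIR/ssl.crt/server.pem" "$DEMO_DIR/ssl.key/key.pem"
# On the dummy data the check reports "mismatch" (or "skipped"); on real files it must say "match".
echo "key check: $(key_matches_cert "$DEMO_DIR/ssl.crt/server.pem" "$DEMO_DIR/ssl.key/key.pem")"
```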

===============================================================================
04initra_netscape.txt
===============================================================================

INITIALIZE RA using netscape 4.79
---------------------------------

PRETASKS:
#Prepare Mysql: (I use mysql only on the ra, because then I can easily put the ca into a tar file!)
#(check if mysql is running: /etc/init.d/mysql status;
# make sure that mysql starts at system start:
# yast / system / Runlevel editor / Runlevel properties / set mysql for your default runlevel )
# set the mysql root password (here "mysqladmin"), create the opencara database
# and a dedicated db user that only has rights on that database:
mysqladmin password mysqladmin
mysqladmin -pmysqladmin create opencara
mysql -pmysqladmin
    grant all privileges on opencara.* to openca@localhost identified by "mysqlopencapasswd";
    exit;

# Be sure, that your ra computer can send emails.

Export Configuration from CA
----------------------------
Put in a freshly formatted floppy,
make sure that wwwrun has access to /dev/fd0 (chown wwwrun /dev/fd0).
Open within the browser
   http://ca.intern.results-hannover.de/ca_node
   -> Dataexchange -> Enroll data to a lower level of the hierarchy -> Configuration



INITIALIZE Database of RA
-------------------------
Point your browser to
   https://ra.results-security.de/ra_node/
   -> Server init -> Initialize Database
Hint: If you need to initialize the database once again, you must recreate the database.
Now you have to put the floppy from the ca, created above, into the ra computer,
configure your ldap server (look at the txt file ldap configuration),
make sure that wwwrun has access to /dev/fd0 (chown wwwrun /dev/fd0).
   -> Server init -> Import Configuration
Hint: I got an error: Cannot write CA-Certificate cc45eff55b11d9d661a091a43539cc75 to LDAP
     I used the program slapcat: ldap was empty!
     I started this again -> Import Configuration
     Then I got two errors
              Importing valid CA_CERTIFICATE ...
                    WARNING: Cannot update object but object is present in database
                    FILE: /srv/ra/OpenCA/var/tmp/tmp_17570/CA_CERTIFICATE/VALID/cc45eff55b11d9d661a091a43539cc75.pem
              Importing CA-Certificates into ldap ...
                    Cannot write CA-Certificate cc45eff55b11d9d661a091a43539cc75 to LDAP
     The first error is OK I think, because we imported it before.
     Perhaps something I do is not correct.
     To identify the cert I compare .../OpenCA/var/crypto/cacerts/cacert.pem from the CA with
     the output of slapcat.

Hints:
------

If you want to do this procedure again you must
 - shut down slapd
 - remove all files beneath /var/lib/ldap
 - start slapd
 - drop database opencara
 - create the old database anew; the permissions still exist in the db
 - initialize the database of the ra
 - and import from floppy.

===============================================================================
05_create_webserver_cert.txt
===============================================================================

Create a certificate for webserver
-----------------------------------
# PRETASK
# Please check that you have set all three flags on your cert
# netscape 4.79: Communicator/Tools/Security info/
# -> Certificates/Signer
#    beneath:  This Certificate belongs to a Certifying Authority
#    You must set all three flags.
# Also check that you have imported your ra operator cert.
# netscape 4.79: Communicator/Tools/Security info/
# -> Yours


CREATE a BASIC REQUEST
----------------------
Point your browser to
https://ra.results-security.de/pub/
hint: Because we have imported the ca cert before, we don't need that now.
  -> Request a Certificate -> Basic Request
   (wallus@results-hannover.de, rubixml.intern.results-hannover.de,
    Internet, Webserver, Trustcenter itself, pin, pin, 1024)
    -> continue -> continue

APPROVE this Request by ra
--------------------------
Point your browser to
https://ra.results-security.de/ra/
  -> Certificate Requests, Trustcenter itself -> continue
You see one certificate Request.
  -> Click on serial number
  -> Edit request
  change the Subject alternative name: from
     email:wallus@results-hannover.de
  to
    DNS:rubixml.intern.results-hannover.de;email:wallus@results-hannover.de
  -> OK
  -> Approve and Sign Request

EXPORT THE REQUEST from ra to ca
--------------------------------
Put a freshly formatted floppy into the ra.
Point your browser to   https://ra.results-security.de/ra_node/ (Server Management)
  -> Dataexchange
    - Upload data to a higher level of the hierarchy
    - Requests
Your approved request is written onto the floppy.

CREATE WEBSERVER CERTIFICATE
----------------------------

# pretask
# Make sure that you have imported the certificate from the ca and
# that you trust it completely (all three flags):
#

Import The REQUEST into ca
---------------------------------
Put the floppy into the ca computer.
Point your browser to   http://ca.intern.results-hannover.de/ca_node/ (Server Management)
 -> Dataexchange
   - Receive data from a lower level of the hierarchy
   - Requests
   
ISSUE THE Request
-----------------------
Point your browser to  http://ca.intern.results-hannover.de/ca/
   -> Approved Certificate Requests
    - Click on the serial number (not on Op.)
    - Issue the cert (input the CA password).
      If you get an error, make sure you didn't misspell the password.
You can find the new cert if you click on
   -> Certificates
    - Valid Certificates
    - Click on the appropriate serial number
      Here you can download the cert.
To download the cert, I will go via the RA.


EXPORT THE CERT from ca and import it to ra
--------------------------------------------
Point your browser to   http://ca.intern.results-hannover.de/ca_node/ (Server Management)
 -> Dataexchange
    - Enroll data to a lower level of the hierarchy
    - Certs
Now we put this floppy into the ra computer.
Put a freshly formatted floppy into the ra.
Point your browser to   https://ra.results-security.de/ra_node/ (Server Management)
  -> Dataexchange
    - Download data from a higher level of the hierarchy
    - Certs
Email new users
  -> E-mail new users (make sure that your ra can send mails)


DOWNLOAD THE cert
-----------------
#https://ra.results-security.de/pub/
#  -> Get Requested Certificate
#    - Put in the serial number (see your email)

It is not possible to download a web server cert via the pub interface. (Is that right?)
Point your browser to https://ra.results-security.de/ra/
  -> Certificates
    - Valid Certificates
    - Choose the appropriate serial
      put the cert with copy/paste into the appropriate webserver files.

OK?

