OpenCA 1.1.1 works with RHEL 5.x / CentOS 5.x / Fedora 12.


Fedora 16 & OpenCA 1.3 & SCEP


* Modify /etc/hosts and /etc/sysconfig/network so the host name and domain used below resolve.

For my test environment: the domain name is hpne.com and the server's name is openca02.hpne.com.


A. How to log in to X Windows as root

Log in as another user, then press Ctrl+Alt+F3 for a text console (Ctrl+Alt+F2 returns to the desktop).

vi /etc/pam.d/gdm

Comment out the line that rejects root:

#auth required pam_succeed_if.so user != root quiet

vi /etc/pam.d/gdm-password

#auth required pam_succeed_if.so user != root quiet

reboot



B. VMware Tools

http://mytricks.in/2011/09/guide-how-to-install-vmware-tools-on.html

1. Install all required prerequisites as shown below. From a terminal session run the following commands:

su -

yum distribution-synchronization

yum install @gnome-desktop

yum -y update

yum -y install gcc make kernel-headers kernel-devel

shutdown -r now

2. After the reboot, unpack the VMware Tools tarball and run the installer:

tar zxvf VM....

cd vm...

./vmware-install.pl


C. FTP (vsftpd)

1. yum install vsftpd

2. Configure:

vim /etc/vsftpd/vsftpd.conf

3. systemctl start vsftpd.service

systemctl enable vsftpd.service

4. SELinux

vim /etc/selinux/config

SELINUX=disabled

(This turns SELinux off for the whole host from the next boot, not only for vsftpd.)

5. service iptables stop

systemctl disable iptables.service

reboot


D. HTTP & MYSQL

su

groupadd openca

useradd -G openca madwolf

# yum install -y gcc-c++

# yum install -y openssl-devel db4 db4-devel mysql-server mysql-devel perl-XML-Parser httpd

# yum install -y perl-ExtUtils*

# yum install -y gcc make db4-devel expat-devel perl-Authen-SASL perl-CGI-Session

service httpd start

service mysqld start

mysqladmin -u root password openca


# mysql -u root -p

Enter password:

Welcome to the MySQL monitor.  Commands end with ; or \g.

Your MySQL connection id is 7

Server version: 5.0.77 Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> create database openca;

Query OK, 1 row affected (0.00 sec)

mysql> GRANT ALL PRIVILEGES ON *.* TO 'openca'@'localhost' IDENTIFIED BY 'openca';

Query OK, 0 rows affected (0.00 sec)

(OpenCA only needs the openca database configured below, so ON openca.* is the tighter grant; ON *.* gives this account every privilege on every database of the server.)

# mysql -u openca -p

password: openca

mysql> show databases;


E. OPENCA

1. Download the software:

http://sourceforge.net/projects/openca/files/?source=navbar

openca-base-common-1.3.0-1.rhfc16.x86_64.rpm

openca-base-online-1.3.0-1.rhfc16.x86_64.rpm

openca-base-offline-1.3.0-1.rhfc16.x86_64.rpm

openca-tools-1.3.0-1.rhfc13.x86_64.rpm

Install order: 1. tools, 2. common, 3. offline, 4. online

Configuration example:

https://personaltelco.net/~russell/ptp/system/trunk/core/pki/

If you use 1.3, just run rpm -Uvh * on these packages. The steps below are for building from source on other operating systems.

# cd openca-base-xxx

./configure --prefix=/opt/openca \
               --with-ca-organization="hpne" \
               --with-httpd-fs-prefix=/var/www \
               --with-httpd-main-dir=pki \
               --with-db-name=openca \
               --with-db-host=localhost \
               --with-db-user=openca \
               --with-db-passwd=openca \
               --with-db-type=mysql \
               --with-service-mail-account="root@hpne.com"

make

make install-offline install-online

# service httpd restart



# cd /opt/openca/etc/openca

# vim access_control/node.xml.template

# vim access_control/ca.xml.template

# vim access_control/ra.xml.template

In each file, set the channel section to:

 <channel>
   <type>mod_ssl</type>
   <protocol>.*</protocol>
   <source>.*</source>
   <asymmetric_cipher>.*</asymmetric_cipher>
   <asymmetric_keylength>0</asymmetric_keylength>
   <symmetric_cipher>.*</symmetric_cipher>
   <symmetric_keylength>0</symmetric_keylength>
 </channel>

This loosens the channel filter: protocol .* accepts plain HTTP as well as SSL (the SCEP enrollment URL used later is http://openca02.hpne.com:80/cgi-bin/pki/scep/scep), and the .* cipher patterns with key length 0 impose no cipher or key-size requirement on the connection.

# vim config.xml

       <option>
        <name>dataexchange_device_up</name>
        <value>/tmp/openca_up</value>
       </option>
       <option>
        <name>dataexchange_device_down</name>
        <value>/tmp/openca_down</value>
       </option>
       <option>
        <name>dataexchange_device_local</name>
        <value>/tmp/openca_local</value>
       </option>

./configure_etc.sh


# cd /usr/sbin/

# ln -s /opt/openca/etc/init.d/openca openca




For 1.1.1 you must patch two files.

1. /opt/openca/lib/openca/perl_modules/perl5/OpenCA/User.pm

ERROR: Bareword "ERR_USER_STATUS_UNKNOWN" not allowed while "strict subs" in use at /opt/openca/lib/openca/perl_modules/perl5/OpenCA/User.pm line 373, <DATA> line 275.


Added:


+ use constantERR_USER_STATUS_UNKNOWN => [ 3100, "Could not determine userstatus" ];
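Review bot: as rendered here the added line has no space between `use constant` and `ERR_USER_STATUS_UNKNOWN`; the file must read `use constant ERR_USER_STATUS_UNKNOWN => [ 3100, "Could not determine user status" ];`, and the code 3100 should be checked against the other ERR_* constants defined in User.pm so the number is not already taken.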


2. /opt/openca/lib/openca/functions/initServer

ERROR: Global symbol "$curr_user" requires explicit package name at /opt/openca/lib/openca/functions/initServer line 269, <DATA> line 275.

Added the variable declaration:


- our (%AUTOCONF, $common_libs, $config,$users, $loginUser);


+ our (%AUTOCONF,$common_libs, $config, $curr_user, $users, $loginUser);
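Review bot: adding $curr_user to the `our` list only satisfies `use strict`; it does not give the variable a value, so confirm that initServer line 269 assigns $curr_user before it is read, otherwise later code will operate on undef.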



ERROR: syntax error at /opt/openca/lib/openca/functions/initServer line 753, near ");"

Changed:


-  i18nGettext ( "OpenCA::User initerror!" );


+ i18nGettext ("OpenCA::User init error!" )
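Review bot: the fix removes the trailing semicolon after `i18nGettext ( "OpenCA::User init error!" )`, which resolves the error near ");" only if the call is an argument inside an enclosing expression at line 753; that enclosing statement is not shown here, so confirm it still ends with its own terminator after the change.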


Or download the fixed files from: http://ftp.openca.org/openca-base/fixes/v1.1.1/err_user_unknown

cp User.pm /opt/openca/lib/openca/perl_modules/perl5/OpenCA/User.pm

cp initServer /opt/openca/lib/openca/functions/initServer

# cd /usr/sbin/

# ln -s /opt/openca/etc/init.d/openca openca

# openca start


Important: modify the SCEP configuration file

/opt/openca/etc/openca/servers/scep.conf

ScepRACert      "/opt/openca/var/openca/crypto/certs/546767817FE867072963.pem"
ScepRAKey       "/opt/openca/var/openca/crypto/certs/546767817FE867072963.pem"
ScepRAPasswd    "openca"

================

The Cisco router configuration is the same as before:


=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.05.16 00:31:20 =~=~=~=~=~=~=~=~=~=~=~=

show run

Building configuration...


Current configuration : 6061 bytes

!

! Last configuration change at 00:30:43 UTC Thu May 16 2013

!

upgrade fpd auto

version 15.0

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname r1

!

boot-start-marker

boot-end-marker

!

!

no aaa new-model

!

!

!

ip source-route

ip cef

!

!

!

!

ip domain name hpne.com

ip host openca02.hpne.com 16.187.145.4

no ipv6 cef

!

multilink bundle-name authenticated

!

!

!

!

!

!

!

crypto pki trustpoint openca02

enrollment mode ra

enrollment url http://openca02.hpne.com:80/cgi-bin/pki/scep/scep

revocation-check crl

!

!

crypto pki certificate chain openca02

certificate 00FE6CAE704C444669A462

(certificate hex data omitted)
quit

certificate ca 00

(certificate hex data omitted)
quit

!

redundancy

!

!

ip ssh version 1

!

!

!

!

!

!

!

!

interface FastEthernet0/0

ip address 192.168.6.15 255.255.255.0

duplex half

!

!

ip forward-protocol nd

no ip http server

no ip http secure-server

!

!

ip route 0.0.0.0 0.0.0.0 192.168.6.2

!

!

!

!

!

!

!

control-plane

!

!

!

mgcp fax t38 ecm

mgcp behavior g729-variants static-pt

!

!

!

gatekeeper

shutdown

!

!

line con 0

logging synchronous

stopbits 1

line aux 0

stopbits 1

line vty 0 4

login

!

end


r1#show pki cer ?

% Unrecognized command

r1#show cry pki certificates ?

 WORD     Trustpoint Name

 storage  show certificate storage location

 verbose  Display in verbose mode

 |        Output modifiers

 <cr>


r1#show cry pki certificates openca02

Certificate

 Status: Available

 Certificate Serial Number (hex): 00FE6CAE704C444669A462

 Certificate Usage: General Purpose

 Issuer:

   cn=openca02

   ou=hpne

   o=hpne

   c=CN

 Subject:

   Name: r1.hpne.com

   hostname=r1.hpne.com

 CRL Distribution Points:

   http://openca02.hpne.com/pki/pub/crl/cacrl.crl

 Validity Date:

   start date: 16:30:17 UTC May 15 2013

   end   date: 16:30:17 UTC May 15 2014

 Associated Trustpoints: openca02


CA Certificate

 Status: Available

 Certificate Serial Number (hex): 00

 Certificate Usage: Signature

 Issuer:

   cn=openca02

   ou=hpne

   o=hpne

   c=CN

 Subject:

   cn=openca02

   ou=hpne

   o=hpne

   c=CN

 CRL Distribution Points:

   http://openca02.hpne.com/pki/pub/crl/cacrl.crl

 Validity Date:

   start date: 16:03:13 UTC May 15 2013

   end   date: 16:03:13 UTC May 15 2015

 Associated Trustpoints: openca02



r1#

r1#show cry pki certificates openca02 ?

 |  Output modifiers

 <cr>



r1#show cry pki certificates ver

r1#show cry pki certificates verbose ?

 WORD  Trustpoint Name

 |     Output modifiers

 <cr>


r1#show cry pki certificates verbose openca02

Certificate

 Status: Available

 Version: 3

 Certificate Serial Number (hex): 00FE6CAE704C444669A462

 Certificate Usage: General Purpose

 Issuer:

   cn=openca02

   ou=hpne

   o=hpne

   c=CN

 Subject:

   Name: r1.hpne.com

   hostname=r1.hpne.com

 CRL Distribution Points:

   http://openca02.hpne.com/pki/pub/crl/cacrl.crl

 Validity Date:

   start date: 16:30:17 UTC May 15 2013

   end   date: 16:30:17 UTC May 15 2014

 Subject Key Info:

   Public Key Algorithm: rsaEncryption

   RSA Public Key: (512 bit)

 Signature Algorithm: SHA256 with RSA Encryption

 Fingerprint MD5: 249F3F1A F9836BE1 7FB33692 B48190F9

 Fingerprint SHA1: D0234534 6A3AA746 E21D3D6B DC2A495E A65100C6

 X509v3 extensions:

   X509v3 Key Usage: E0000000

     Digital Signature

     Non Repudiation

     Key Encipherment

   X509v3 Subject Key ID: EBAE38B4 BF587ADD 7CE86792 8BDDFC28 9BC54115

   X509v3 Basic Constraints:

       CA: FALSE

   X509v3 Authority Key ID: E8F63274 AEA12677 12774794 24CAB392 504B98DE

   Authority Info Access:

 Associated Trustpoints: openca02

 Key Label: r1.hpne.com


CA Certificate

 Status: Available

 Version: 3

 Certificate Serial Number (hex): 00

 Certificate Usage: Signature

 Issuer:

   cn=openca02

   ou=hpne

   o=hpne

   c=CN

 Subject:

   cn=openca02

   ou=hpne

   o=hpne

   c=CN

 CRL Distribution Points:

   http://openca02.hpne.com/pki/pub/crl/cacrl.crl

 Validity Date:

   start date: 16:03:13 UTC May 15 2013

   end   date: 16:03:13 UTC May 15 2015

 Subject Key Info:

   Public Key Algorithm: rsaEncryption

   RSA Public Key: (2048 bit)

 Signature Algorithm: SHA256 with RSA Encryption

 Fingerprint MD5: 05A2A93C 62C15372 A6066C91 99C94D8C

 Fingerprint SHA1: D027DD83 70D42493 E6A53CA8 61529A57 3379C06E

 X509v3 extensions:

   X509v3 Key Usage: 6000000

     Key Cert Sign

     CRL Signature

   X509v3 Subject Key ID: E8F63274 AEA12677 12774794 24CAB392 504B98DE

   X509v3 Basic Constraints:

       CA: TRUE

   X509v3 Subject Alternative Name:

       root@hpne.com

   X509v3 Authority Key ID: E8F63274 AEA12677 12774794 24CAB392 504B98DE

   Authority Info Access:

 Associated Trustpoints: openca02
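As an added example (not part of the original notes), a small Python parser over the `show crypto pki certificates verbose` output above that flags what an operator should check after SCEP enrollment: the router certificate's 512-bit RSA key, expiry, and that its Authority Key ID matches the CA's Subject Key ID. MIN_RSA_BITS is an assumed local threshold, and the sample text is an abridged copy of the router output shown on this page.

```python
import re
from datetime import datetime
# Constructed sample: abridged from the router's verbose output shown above.
SAMPLE = """Certificate
 Certificate Serial Number (hex): 00FE6CAE704C444669A462
   end   date: 16:30:17 UTC May 15 2014
   RSA Public Key: (512 bit)
   X509v3 Subject Key ID: EBAE38B4 BF587ADD 7CE86792 8BDDFC28 9BC54115
       CA: FALSE
   X509v3 Authority Key ID: E8F63274 AEA12677 12774794 24CAB392 504B98DE

CA Certificate
 Certificate Serial Number (hex): 00
   end   date: 16:03:13 UTC May 15 2015
   RSA Public Key: (2048 bit)
   X509v3 Subject Key ID: E8F63274 AEA12677 12774794 24CAB392 504B98DE
       CA: TRUE
   X509v3 Authority Key ID: E8F63274 AEA12677 12774794 24CAB392 504B98DE
"""
FIELDS = {  # one regex per field of interest; key IDs are compacted afterwards
    "serial": r"Serial Number \(hex\): (\S+)", "bits": r"RSA Public Key: \((\d+) bit\)",
    "end": r"end\s+date: (.+)", "ca": r"CA: (TRUE|FALSE)",
    "ski": r"Subject Key ID: ([0-9A-F ]+)", "aki": r"Authority Key ID: ([0-9A-F ]+)",
}
MIN_RSA_BITS = 2048  # assumed local policy threshold, not a value from the page

def parse(output):
    """One dict per certificate block; blocks are separated by a blank line."""
    certs = []
    for block in output.strip().split("\n\n"):
        cert = {k: (m.group(1).strip() if (m := re.search(p, block)) else None) for k, p in FIELDS.items()}
        for k in ("ski", "aki"):  # "E8F63274 AEA12677 ..." -> "E8F63274AEA12677..."
            cert[k] = cert[k].replace(" ", "") if cert[k] else None
        certs.append(cert)
    return certs

def check(certs, today):
    """Flag weak keys, expiry (today as 'YYYY-MM-DD') and a broken issuer link."""
    now, findings = datetime.strptime(today, "%Y-%m-%d"), []
    ca = next((c for c in certs if c["ca"] == "TRUE"), None)
    if ca is None:
        return ["no CA certificate in the trustpoint"]
    for c in certs:
        if int(c["bits"]) < MIN_RSA_BITS:
            findings.append(f"{c['serial']}: RSA key is only {c['bits']} bits")
        if datetime.strptime(c["end"], "%H:%M:%S UTC %b %d %Y") <= now:
            findings.append(f"{c['serial']}: expired on {c['end']}")
        if c is not ca and c["aki"] != ca["ski"]:
            findings.append(f"{c['serial']}: Authority Key ID does not match the CA Subject Key ID")
    return findings
```

On the sample the only finding before May 2014 is the 512-bit router key; after that date the router certificate is also reported as expired.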



===================



Thanks to ZZ-Xiao.