Setting up an OpenCA platform on Ubuntu Server 10.04

 

1. Preparation

  *) Refresh the apt package lists.
shell> apt-get update
  *) Install gcc/g++; the release I installed did not ship gcc by default.
shell> apt-get install g++
  *) Root privileges are required throughout.
  *) This walkthrough uses OpenCA 1.1.1, which will not start until a patch is applied. The patch is covered in step 8.
 

2. Install MySQL

  Install straight from the repositories.
  shell> apt-get install mysql-server
  Create the database and the account OpenCA will use:
mysql> create database openca;
mysql> grant all on openca.* to 'opencaadmin'@'%' identified by 'opencasecret';
mysql> exit
  The '%' host part lets this account connect from any host. Since OpenCA is configured below with db-host=localhost, granting to 'opencaadmin'@'localhost' instead is the tighter choice. Use a real password rather than the placeholder shown here; configure writes it into the OpenCA configuration files.
 

3. Install the Apache server

  mod_ssl must be enabled with the configure option --enable-ssl. That requires libssl, so install libssl and libssl-dev first:
shell> apt-get install libssl0.9.8 libssl-dev
shell> tar -xf httpd-2.2.23.tar.gz
shell> cd httpd-2.2.23
shell> ./configure --prefix=/usr/local/httpd --enable-ssl
shell> make
shell> make install
 

4. Install OpenSSL

        (This step is normally unnecessary: Ubuntu already ships OpenSSL. Only build it if it is missing.)

  shell> tar -xf openssl-1.0.1c.tar.gz
shell> cd openssl-1.0.1c
shell> ./config --prefix=/usr/local/openssl
shell> make
shell> make install

        Then copy the directories and files under /usr/local/openssl into the corresponding system directories, e.g. etc -> /etc and lib -> /usr/lib.
        The commands are not listed here. Be aware that overwriting the distribution's libssl in /usr/lib replaces a library that every other package on the system links against, and the copied files will no longer receive security updates through apt. If you do build OpenSSL yourself, it is safer to leave it under /usr/local/openssl and build the other components against that prefix.
 

5. Install OpenCA-tools

shell> tar -xf openca-tools-1.3.0.tar.gz
shell> cd openca-tools-1.3.0
shell> ./configure --prefix=/usr/local/openca-tools
shell> make
shell> make install

  Link the command-line tools into /usr/bin. They were installed under the --prefix given above, so link from there (symbolic links, so it also works when /usr/local is a separate filesystem):
shell> cd /usr/bin
shell> ln -s /usr/local/openca-tools/bin/openca-sv
shell> ln -s /usr/local/openca-tools/bin/openca-crmf
shell> ln -s /usr/local/openca-tools/bin/openca-scep
 

6. Install OpenCA-base

shell> tar -xf openca-base-1.1.1.tar.gz
shell> cd openca-base-1.1.1
shell> ./configure --prefix=/usr/local/openca-base \
--with-httpd-user=daemon \
--with-httpd-group=daemon \
--with-httpd-fs-prefix=/usr/local/httpd \
--with-htdocs-fs-prefix=/usr/local/httpd/htdocs/pki \
--with-db-type=mysql \
--with-db-host=localhost \
--with-db-port=3306 \
--with-db-name=openca \
--with-db-user=opencaadmin \
--with-db-passwd=opencasecret
shell> make

  Notes on the configure options: httpd-fs-prefix is the Apache installation directory, and htdocs-fs-prefix is the directory the OpenCA web interfaces are installed into (here a pki/ subdirectory of Apache's default document root; any other directory works as long as httpd.conf is configured to serve it). httpd-user and httpd-group must match the User and Group directives in httpd.conf. db-host is the MySQL server host, db-port its port, db-name the OpenCA database name, db-user the MySQL user name and db-passwd that user's password. Note that a password passed on the configure command line is visible to other local users in the process list and is kept in the shell history.
 
  After make finishes, list the install targets first:
shell> make help
Targets:
 
 []                make everything
 [ca]              make everything CA server related
 [ext]             make everything RA and public server related
 [doc]             make everything documentation related
 
Install Target:
 
 [install-offline] install all offline components (common, modules, ca, batch and node)
 [install-online]  install all online components (common, modules, ra, pub, ldap and node)
 [install-ext]     install RA and public server components
 
Install Target:
 
 [install-batch]   install batch system components
 [install-ca]      install CA components
 [install-common]  install all common components (for package builds)
 [install-modules] install all perl modules (for package builds)
 [install-ldap]    install LDAP components
 [install-node]    install aministration components
 [install-pub]     install public server components
 [install-ra]      install RA server components
 [install-scep]    install scep server components
 [install-doc]     install documentation
 [clean]           remove everything created by make
 [distclean]       like clean, plus remove everything created by ./configure
 
Development:
 
 [dist]            build distribution package
 [rpm]             build rpm
  
  As shown above, the install targets come at two levels: the coarse online/offline/ext profiles, and the individual components.
  Since this test runs on a single machine, install both the online and the offline profiles:
shell> make install-online
shell> make install-offline
  The split exists for a reason: the offline profile is the CA itself, the component that holds the CA signing key, while the online profile is the RA and public interfaces that face users. Putting both on one host is fine for a test bed, but in a production deployment the CA belongs on an isolated machine and only the online components should be reachable over the network.
 

7. [Configuration 01] OpenCA

shell> cd /usr/local/openca-base/etc/openca
shell> ./configure_etc.sh
shell> cd /usr/local/openca-base/var/openca/log/
shell> chown -R daemon:daemon /usr/local/openca-base/var
shell> chown -R daemon:daemon /usr/local/openca-base/etc
Note: daemon:daemon are the User and Group set in the Apache configuration file. The two chown commands make sure that the var and etc directories belong to daemon:daemon; during my test installs I occasionally found that var and etc were not owned by daemon:daemon after the installation finished.
This also means that the account running the web server owns the OpenCA configuration and everything under var, including the CA key material once it has been generated. That is acceptable on a throwaway test machine; on a real CA the signing key must not be readable by the web server account, and the file modes should be checked after the chown rather than assumed.
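A small audit script for the step above, added here as an example (it is not part of the original article or of OpenCA). It checks that the etc and var trees really belong to the web server account and that no PEM private key under var is readable by group or others. The PEM header is matched instead of a fixed path, so nothing is assumed about where OpenCA keeps its keys; the prefix /usr/local/openca-base and the user daemon are the defaults from this walkthrough and are the only assumptions.

```shell
#!/bin/sh
# Added example, not part of the original article or of OpenCA itself:
# audit the install tree after the chown step. The default prefix is the
# --prefix given to openca-base's configure above and the default user is the
# User from httpd.conf; pass different values if your layout differs.

# Print every file or directory under $1 that is not owned by user $2.
# Returns 1 if any were found, 0 if the tree is clean.
audit_owner() {
    dir=$1; user=$2
    bad=$(find "$dir" ! -user "$user")
    if [ -n "$bad" ]; then
        printf 'not owned by %s:\n%s\n' "$user" "$bad"
        return 1
    fi
    return 0
}

# Print every PEM private key under $1 that is readable by group or others.
# Encrypted keys are flagged too, deliberately: the passphrase is then the
# only thing protecting them from anyone who can read the file.
audit_keys() {
    dir=$1
    bad=$(find "$dir" -type f \( -perm -040 -o -perm -004 \) \
          -exec grep -l -e '-----BEGIN .*PRIVATE KEY-----' {} \;)
    if [ -n "$bad" ]; then
        printf 'private keys readable by group/others:\n%s\n' "$bad"
        return 1
    fi
    return 0
}

# Run both checks over the etc and var trees of an OpenCA install.
# Returns non-zero if either check found something.
audit_openca() {
    prefix=${1:-/usr/local/openca-base}
    user=${2:-daemon}
    rc=0
    audit_owner "$prefix/etc" "$user" || rc=1
    audit_owner "$prefix/var" "$user" || rc=1
    audit_keys "$prefix/var" || rc=1
    return $rc
}

# Usage: sh audit_openca.sh [prefix] [httpd-user]; exits non-zero on findings.
if [ $# -gt 0 ]; then
    audit_openca "$@"
fi
```

Run it as root once after the chown and again after the CA key has been generated; a clean run prints nothing and exits 0.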
 

8. [Configuration 02] OpenCA patch

  Starting OpenCA at this point fails with the following error:
shell> /usr/local/openca-base/etc/init.d/openca start

[error messages]
Bareword "ERR_USER_STATUS_UNKNOWN" not allowed while "strict subs" in use at /usr/local/openca-base/lib/openca/perl_modules/perl5/OpenCA/User.pm line 372, <DATA> line 275.
Compilation failed in require at /usr/local/openca-base/lib/openca/functions/initServer line 44, <DATA> line 275.
BEGIN failed--compilation aborted at /usr/local/openca-base/lib/openca/functions/initServer line 44, <DATA> line 275.
Compilation failed in require at /usr/local/openca-base/etc/openca/openca_start line 65, <DATA> line 275.

  This is a bug in version 1.1.1. The project has published a fix, available from:
http://www.openca.org/mirrors.shtml
  Pick a mirror on that page, go to openca-base/fixes/v1.1.1/err_user_unknown, and download the two files User.pm and initServer.
  Replace the installed copies with these two files; their locations are:
shell> cp User.pm /usr/local/openca-base/lib/openca/perl_modules/perl5/OpenCA/User.pm
shell> cp initServer /usr/local/openca-base/lib/openca/functions/initServer
  Nothing in the steps above verifies what was downloaded, so keep the original files and diff the new ones against them before overwriting; the change should be limited to the error reported above. Copying over the existing files (rather than moving the new ones into place) also keeps the daemon:daemon ownership set in step 7.
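The same replacement with a backup and a compile check, added here as an example (not from the original article or from the OpenCA project). The error above is a Perl compile-time error, so `perl -c` with OpenCA's module directory on @INC reproduces it without starting the server, and the script refuses to install an empty file, which is what a failed download typically leaves behind. It assumes the --prefix from step 6 and that User.pm and initServer are in the current directory.

```shell
#!/bin/sh
# Added example, not part of the original article or of the OpenCA project:
# install the two fix files with a backup of what they replace, then verify
# that the patched module compiles before OpenCA is restarted. PREFIX is
# assumed to be the --prefix used in step 6; the fix files are assumed to be
# in the current directory, as downloaded from the mirror.

PREFIX=${PREFIX:-/usr/local/openca-base}
PERL5=$PREFIX/lib/openca/perl_modules/perl5

# Copy fix file $1 over $2, keeping the previous $2 as $2.orig.
# Refuses a missing or empty $1 so that a failed download never wipes a
# working file. Copying over the existing file keeps its owner and mode.
install_fix() {
    src=$1; dst=$2
    if [ ! -s "$src" ]; then
        echo "missing or empty fix file: $src" >&2
        return 1
    fi
    if [ -f "$dst" ]; then
        cp -p "$dst" "$dst.orig"
    fi
    cp "$src" "$dst"
}

# Compile-check Perl file $2 with module directory $1 on @INC. A bareword
# under "use strict" fails here exactly as it does when the init script
# loads the module, but nothing is started.
perl_compiles() {
    libdir=$1; file=$2
    perl -I "$libdir" -c "$file" >/dev/null 2>&1
}

# Apply the err_user_unknown fix; returns 0 only if User.pm compiles afterwards.
apply_err_user_fix() {
    install_fix User.pm "$PERL5/OpenCA/User.pm" || return 1
    install_fix initServer "$PREFIX/lib/openca/functions/initServer" || return 1
    perl_compiles "$PERL5" "$PERL5/OpenCA/User.pm"
}

# Usage: cd to the directory holding User.pm and initServer, then
#   sh apply_fix.sh apply
if [ "${1:-}" = apply ]; then
    apply_err_user_fix
fi
```

If the compile check fails after the copy, the .orig files restore the previous state; check the mirror path and the file contents before trying again.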
 
 

9. [Start-up test]

  shell> cd /usr/local/httpd/
shell> bin/apachectl start
shell> cd /usr/local/openca-base/etc/
shell> init.d/openca start

Note: the first time openca is started you are asked to set a password; it is required from then on to access the web administration pages (the user name defaults to admin and can be set in /usr/local/openca-base/etc/openca/config.xml).
        Test by visiting http://localhost/pki/ca
        This is plain HTTP, which is fine for a local smoke test only: the CA interface, and the admin password it asks for, should be served through the mod_ssl-enabled Apache built in step 3 before the host is reachable from anywhere but localhost.

        (Further configuration and use of OpenCA will be covered next.)