OpenCA 1.1.1 works with RHEL 5.x / CentOS 5.x / Fedora 12.
Fedora 16 & OpenCA 1.3 & SCEP
* modify /etc/hosts
* modify /etc/sysconfig/network
For my test environment: the domain name is hpne.com and the server's name is openca02.hpne.com. The hostname must resolve consistently, because it ends up in the CA's AIA and CRL URLs and in the router's enrollment URL.
A. How to log in to X Windows as the root user
Log in as another user, switch to a text console with Ctrl+Alt+F3 (Ctrl+Alt+F2 switches back), and comment out the line that rejects root in both GDM PAM files:
vi /etc/pam.d/gdm
#auth required pam_succeed_if.so user != root quiet
vi /etc/pam.d/gdm-password
#auth required pam_succeed_if.so user != root quiet
reboot
This removes GDM's refusal to start a graphical session as uid 0. It is a convenience for a throwaway lab VM, not something to carry onto a CA host, where every desktop process would then run as root.
B. VMware Tools
http://mytricks.in/2011/09/guide-how-to-install-vmware-tools-on.html
1. Install all required prerequisites as shown below.
From a terminal session run the following commands:
su -
yum distribution-synchronization
yum install @gnome-desktop
yum -y update
yum -y install gcc make kernel-headers kernel-devel
shutdown -r now
2. After the reboot (so that the running kernel matches the kernel-devel package the tools' modules are built against), unpack the VMware Tools tarball from the mounted ISO and run the installer:
tar zxvf VM....
cd vm...
./vmware-install.pl
C. FTP (vsftpd)
Note: vsftpd is a plain FTP server, not SFTP; logins and file contents cross the wire unencrypted, so use it only on an isolated lab network (scp/sftp over sshd needs no extra service).
1. yum install vsftpd
2. configure
vim /etc/vsftpd/vsftpd.conf
3. systemctl start vsftpd.service
systemctl enable vsftpd.service
4. SELinux
vim /etc/selinux/config
SELINUX=disabled
5. stop the firewall and keep it off after the reboot
service iptables stop
systemctl disable iptables.service
reboot
Disabling SELinux and iptables is a lab shortcut that removes two of the protections a CA host should keep; on a real deployment set the vsftpd/httpd SELinux booleans and open only the needed ports instead.
D. HTTP & MySQL
su
groupadd openca
useradd madwolf -G openca
yum install -y gcc-c++
yum install -y openssl-devel db4 db4-devel mysql-server mysql-devel perl-XML-Parser httpd
yum install -y perl-ExtUtils*
yum install -y gcc make db4-devel expat-devel perl-Authen-SASL perl-CGI-Session
service httpd start
service mysqld start
mysqladmin -u root password openca
# mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 7
Server version: 5.0.77 Source distribution
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> create database openca;
Query OK, 1 row affected (0.00 sec)
mysql> GRANT ALL PRIVILEGES ON *.* TO 'openca'@'localhost' IDENTIFIED BY 'openca';
Query OK, 0 rows affected (0.00 sec)
# mysql -u openca -p
password: openca
mysql> show databases;
The grant above on *.* makes the openca account an administrator of every database on the server, including the mysql grant tables. OpenCA only needs rights on its own schema, so outside a throwaway lab grant on openca.* instead, and pick a password that is not the user name, because ./configure writes it into the OpenCA configuration files in clear text (--with-db-passwd below).
E. OpenCA
1. download software
http://sourceforge.net/projects/openca/files/?source=navbar
openca-base-common-1.3.0-1.rhfc16.x86_64.rpm
openca-base-online-1.3.0-1.rhfc16.x86_64.rpm
openca-base-offline-1.3.0-1.rhfc16.x86_64.rpm
openca-tools-1.3.0-1.rhfc13.x86_64.rpm
Install order: 1. tools, 2. common, 3. offline, 4. online
configuration example:
https://personaltelco.net/~russell/ptp/system/trunk/core/pki/
If you use 1.3, just rpm -Uvh * (one transaction lets rpm order the four packages by dependency).
The steps below are for building from source on other OSes, which is what the 1.1.1 install on RHEL/CentOS 5 needs:
# cd openca-base-xxx
./configure --prefix=/opt/openca \
--with-ca-organization="hpne" \
--with-httpd-fs-prefix=/var/www \
--with-httpd-main-dir=pki \
--with-db-name=openca \
--with-db-host=localhost \
--with-db-user=openca \
--with-db-passwd=openca \
--with-db-type=mysql \
--with-service-mail-account="[email protected]"
make
make install-offline install-online
(Installing both the offline CA side and the online RA/SCEP side on one host, as here, is fine for a lab; OpenCA's design expects the CA part to live on a machine without network exposure, with the online node exchanging data with it through export/import batches. The database password given on the ./configure line also lands in the shell history.)
# service httpd restart
# cd /opt/openca/etc/openca
# vim access_control/node.xml.template
# vim access_control/ca.xml.template
# vim access_control/ra.xml.template
# vim config.xml
./configure_etc.sh
# cd /usr/sbin/
# ln -s /opt/openca/etc/init.d/openca openca
For 1.1.1 you must patch two files:
1. /opt/openca/lib/openca/perl_modules/perl5/OpenCA/User.pm
ERROR: Bareword "ERR_USER_STATUS_UNKNOWN" not allowed while "strict subs" in use at /opt/openca/lib/openca/perl_modules/perl5/OpenCA/User.pm line 373, line 275.
Added:
+ use constantERR_USER_STATUS_UNKNOWN => [ 3100, "Could not determine userstatus" ];
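Review bot: the added `use constant ERR_USER_STATUS_UNKNOWN => [ 3100, "Could not determine user status" ]` introduces a new error code without the neighbouring ERR_* definitions being shown, so confirm that 3100 is not already used by another constant in User.pm and that the declaration is placed above line 373 where the bareword is used: `use constant` takes effect at compile time in file order, so a declaration below the use site would leave the "strict subs" error in place, and a second declaration of an existing name would only produce a "Constant subroutine redefined" warning.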
2. /opt/openca/lib/openca/functions/initServer
ERROR: Global symbol "$curr_user" requires explicit package name at /opt/openca/lib/openca/functions/initServer line 269, line 275.
Added: variable declaration:
- our (%AUTOCONF, $common_libs, $config,$users, $loginUser);
+ our (%AUTOCONF,$common_libs, $config, $curr_user, $users, $loginUser);
ERROR: syntax error at /opt/openca/lib/openca/functions/initServer line 753, near ");"
Changed:
- i18nGettext ( "OpenCA::User initerror!" );
+ i18nGettext ("OpenCA::User init error!" )
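Review bot: dropping the `;` from `i18nGettext ( "OpenCA::User init error!" );` is only a correct fix if this call is an argument inside a larger expression (for instance the last element of a list passed to another function, whose `);` follows on the next line); the two lines shown do not include the enclosing statement, so quote it, because on a standalone statement removing the semicolon would introduce a syntax error rather than cure the one reported at line 753. The `-` and `+` lines also differ in the message text ("initerror" vs "init error"); if that change is intended, the msgid used for the gettext lookup changes with it and the translation catalogues need the new string.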
Or download the already patched files from http://ftp.openca.org/openca-base/fixes/v1.1.1/err_user_unknown and copy them into place:
cp User.pm /opt/openca/lib/openca/perl_modules/perl5/OpenCA/User.pm
cp initServer /opt/openca/lib/openca/functions/initServer
# openca start
***** !!!!! Modify the SCEP configuration file:
/opt/openca/etc/openca/servers/scep.conf
ScepRACert "/opt/openca/var/openca/crypto/certs/546767817FE867072963.pem"
ScepRAKey "/opt/openca/var/openca/crypto/certs/546767817FE867072963.pem"
ScepRAPasswd "openca"
ScepRACert is the RA certificate the SCEP responder signs and decrypts SCEP messages with, ScepRAKey is its private key and ScepRAPasswd is the passphrase on that key. Here both settings point at the same PEM file (named after the RA certificate's serial number, so the file name is specific to this installation), which means that file must hold the private key as well as the certificate. Whichever file carries the key, together with scep.conf and its clear-text passphrase, must be readable only by the account httpd runs the OpenCA CGIs as.
================
Cisco router configuration, same as before:
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.05.16 00:31:20 =~=~=~=~=~=~=~=~=~=~=~=
show run
Building configuration...
Current configuration : 6061 bytes
!
! Last configuration change at 00:30:43 UTC Thu May 16 2013
!
upgrade fpd auto
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
!
ip source-route
ip cef
!
!
!
!
ip domain name hpne.com
ip host openca02.hpne.com 16.187.145.4
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
crypto pki trustpoint openca02
enrollment mode ra
enrollment url http://openca02.hpne.com:80/cgi-bin/pki/scep/scep
revocation-check crl
!
!
crypto pki certificate chain openca02
certificate 00FE6CAE704C444669A462
308203B0 30820298 A0030201 02020B00 FE6CAE70 4C444669 A462300D 06092A86
4886F70D 01010B05 00303E31 0B300906 03550406 1302434E 310D300B 06035504
0A0C0468 706E6531 0D300B06 0355040B 0C046870 6E653111 300F0603 5504030C
086F7065 6E636130 32301E17 0D313330 35313531 36333031 375A170D 31343035
31353136 33303137 5A301C31 1A301806 092A8648 86F70D01 09020C0B 72312E68
706E652E 636F6D30 5C300D06 092A8648 86F70D01 01010500 034B0030 48024100
EF088BAA C7C299C8 ACD388F5 A10486E5 E2DE3A0F 7C1CB62D DC65AA07 A236CBB3
73ECBF6E 9F1E85BD 3A6A27E9 070D5464 0CA3C479 CD4E9D79 A893258A 1E93532B
02030100 01A38201 97308201 93300906 03551D13 04023000 30110609 60864801
86F84201 01040403 02064030 0B060355 1D0F0404 030205E0 30210609 60864801
86F84201 0D041416 1256504E 20536572 76657220 6F662068 706E6530 1D060355
1D0E0416 0414EBAE 38B4BF58 7ADD7CE8 67928BDD FC289BC5 4115301F 0603551D
23041830 168014E8 F63274AE A1267712 77479424 CAB39250 4B98DE30 18060355
1D120411 300F810D 726F6F74 4068706E 652E636F 6D3081A7 06082B06 01050507
01010481 9A308197 303E0608 2B060105 05073002 86326874 74703A2F 2F6F7065
6E636130 322E6870 6E652E63 6F6D2F70 6B692F70 75622F63 61636572 742F6361
63657274 2E637274 302A0608 2B060105 05073001 861E6874 74703A2F 2F6F7065
6E636130 322E6870 6E652E63 6F6D3A32 3536302F 30290608 2B060105 0507300C
861D6874 74703A2F 2F6F7065 6E636130 322E6870 6E652E63 6F6D3A38 33302F30
3F060355 1D1F0438 30363034 A032A030 862E6874 74703A2F 2F6F7065 6E636130
322E6870 6E652E63 6F6D2F70 6B692F70 75622F63 726C2F63 6163726C 2E63726C
300D0609 2A864886 F70D0101 0B050003 82010100 802CC64B C418A936 E213FFE5
AEF7D0DD 655FEB75 E4F17433 2C9A4FCB 7D840227 B6ED14D7 876E24C0 0E8FC113
B89D50B9 E4C6B798 D945A5CE 908BB3F0 7D20856B 0A5BE450 08E62103 526F3E8A
B4E3EB2F 29AD50CA 24AB781D 88943449 81E65485 E08E2A1C 35E4D073 99565F5D
7B7365D4 2D9336A5 FF0D401D 03BE9400 A7CE1436 CC6348FD F166D961 47767780
D769C1D5 D9DF39D7 88332DF7 1C84C7DD 3D1F6422 35D51642 7D119D66 93CFDC10
CFC2B75B 6BA32CD4 BD077BB9 572BCACC B0E69C27 A278E9BF DDB3D53B D1391599
17FE4D77 56BA5689 E7EF5618 65E51DB0 BF77A7B2 846D95EC C3D5152D 1DF280C4
947856EB 2714386B CFE40CCF F4A56B09 27D07D7F
quit
certificate ca 00
3082047A 30820362 A0030201 02020100 300D0609 2A864886 F70D0101 0B050030
3E310B30 09060355 04061302 434E310D 300B0603 55040A0C 0468706E 65310D30
0B060355 040B0C04 68706E65 3111300F 06035504 030C086F 70656E63 61303230
1E170D31 33303531 35313630 3331335A 170D3135 30353135 31363033 31335A30
3E310B30 09060355 04061302 434E310D 300B0603 55040A0C 0468706E 65310D30
0B060355 040B0C04 68706E65 3111300F 06035504 030C086F 70656E63 61303230
82012230 0D06092A 864886F7 0D010101 05000382 010F0030 82010A02 82010100
DBA8FAE1 50C479E8 E45BC183 C9D496D3 EC5F6476 B1B69115 19AD806E 4FE6C06A
8370A493 20E27284 458255BB F01E1485 DD318286 4FD6E7FB FABD9F5B 56DDEC78
7E4E4B8B 26D98EB2 E81A4079 A82BA9F8 CAC1029D DEACF0C0 9445CD2E 1ADEBCD9
E8F919BC E0B79ECA 37900F91 8AD19E32 C258F060 9890CFA1 6525DAB5 B680A0DF
6C233F51 672DB4BA 1A322469 8A7206FF D8D68485 A65C8FB6 42CF1885 35C63523
C23D7518 C0C3B895 D28553AD D6400C1A 5706862E D598A82C 2DD05310 27897642
43AD6CC3 8404CB56 E8B711DA 50B2048A 353BBC32 17AE16AE A0383321 841208F4
63A3F655 4D21D9FD FD51B40D 8C390BB5 139DBF71 427B1577 B3641D83 1B8F31B7
02030100 01A38201 81308201 7D300F06 03551D13 0101FF04 05300301 01FF300B
0603551D 0F040403 02010630 1D060355 1D0E0416 0414E8F6 3274AEA1 26771277
479424CA B392504B 98DE301F 0603551D 23041830 168014E8 F63274AE A1267712
77479424 CAB39250 4B98DE30 18060355 1D110411 300F810D 726F6F74 4068706E
652E636F 6D301806 03551D12 0411300F 810D726F 6F744068 706E652E 636F6D30
81A70608 2B060105 05070101 04819A30 8197303E 06082B06 01050507 30028632
68747470 3A2F2F6F 70656E63 6130322E 68706E65 2E636F6D 2F706B69 2F707562
2F636163 6572742F 63616365 72742E63 7274302A 06082B06 01050507 3001861E
68747470 3A2F2F6F 70656E63 6130322E 68706E65 2E636F6D 3A323536 302F3029
06082B06 01050507 300C861D 68747470 3A2F2F6F 70656E63 6130322E 68706E65
2E636F6D 3A383330 2F303F06 03551D1F 04383036 3034A032 A030862E 68747470
3A2F2F6F 70656E63 6130322E 68706E65 2E636F6D 2F706B69 2F707562 2F63726C
2F636163 726C2E63 726C300D 06092A86 4886F70D 01010B05 00038201 010085FB
5F5D3393 555B2EC1 15CE93CD 12D4CB03 4DC88635 80BCD790 2D64519A F3A75DB0
2F2B8B2B 28DAE3D9 D31C5096 F983259A DDFAD896 799FE9C1 40EB48F5 EADAC416
31A31E22 C77878B2 2ADB9FB6 8FB67066 EB81C250 965D5B79 0D52D2E6 C0934EC3
FC00BDF3 5B8EC329 C89DF592 0DFCBEAD 5661201F 5186DBE4 AF1623B7 F9E9E6F1
8CCD2E5C CD11F75F 3FE7D0CA 958628E4 FB569967 87D2E797 26D9F72A 0014B3DF
12D73E44 77A4957E 356BBBCF 9083C435 3BA9DC8E 3FCD1B00 7B11990E B062335E
937B2AD6 B6272A12 B5E49DDE 61371A0B FFC0B9A7 EDFBD751 48EAD2C1 E6C2C727
B8CC3A3C 052E7D56 EDD7913D FC6C974E D9673917 299FAF16 CE55F0B0 8E98
quit
!
redundancy
!
!
ip ssh version 1
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.6.15 255.255.255.0
duplex half
!
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 192.168.6.2
!
!
!
!
!
!
!
control-plane
!
!
!
mgcp fax t38 ecm
mgcp behavior g729-variants static-pt
!
!
!
gatekeeper
shutdown
!
!
line con 0
logging synchronous
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login
!
end
r1#
r1#show pki cer
r1#show pki cer ?
% Unrecognized command
r1#show pki cry c pki cer
r1#show cry pki certificates ?
WORD Trustpoint Name
storage show certificate storage location
verbose Display in verbose mode
| Output modifiers
r1#show cry pki certificates openca02
Certificate
Status: Available
Certificate Serial Number (hex): 00FE6CAE704C444669A462
Certificate Usage: General Purpose
Issuer:
cn=openca02
ou=hpne
o=hpne
c=CN
Subject:
Name: r1.hpne.com
hostname=r1.hpne.com
CRL Distribution Points:
http://openca02.hpne.com/pki/pub/crl/cacrl.crl
Validity Date:
start date: 16:30:17 UTC May 15 2013
end date: 16:30:17 UTC May 15 2014
Associated Trustpoints: openca02
CA Certificate
Status: Available
Certificate Serial Number (hex): 00
Certificate Usage: Signature
Issuer:
cn=openca02
ou=hpne
o=hpne
c=CN
Subject:
cn=openca02
ou=hpne
o=hpne
c=CN
CRL Distribution Points:
http://openca02.hpne.com/pki/pub/crl/cacrl.crl
Validity Date:
start date: 16:03:13 UTC May 15 2013
end date: 16:03:13 UTC May 15 2015
Associated Trustpoints: openca02
r1#
r1#show cry pki certificates openca02 ?
| Output modifiers
r1#show cry pki certificates openca02 ?
WORD Trustpoint Name
storage show certificate storage location
verbose Display in verbose mode
| Output modifiers
r1#show cry pki certificates ver
r1#show cry pki certificates verbose ?
WORD Trustpoint Name
| Output modifiers
r1#show cry pki certificates verbose openca02
Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 00FE6CAE704C444669A462
Certificate Usage: General Purpose
Issuer:
cn=openca02
ou=hpne
o=hpne
c=CN
Subject:
Name: r1.hpne.com
hostname=r1.hpne.com
CRL Distribution Points:
http://openca02.hpne.com/pki/pub/crl/cacrl.crl
Validity Date:
start date: 16:30:17 UTC May 15 2013
end date: 16:30:17 UTC May 15 2014
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (512 bit)
Signature Algorithm: SHA256 with RSA Encryption
Fingerprint MD5: 249F3F1A F9836BE1 7FB33692 B48190F9
Fingerprint SHA1: D0234534 6A3AA746 E21D3D6B DC2A495E A65100C6
X509v3 extensions:
X509v3 Key Usage: E0000000
Digital Signature
Non Repudiation
Key Encipherment
X509v3 Subject Key ID: EBAE38B4 BF587ADD 7CE86792 8BDDFC28 9BC54115
X509v3 Basic Constraints:
CA: FALSE
X509v3 Authority Key ID: E8F63274 AEA12677 12774794 24CAB392 504B98DE
Authority Info Access:
Associated Trustpoints: openca02
Key Label: r1.hpne.com
CA Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 00
Certificate Usage: Signature
Issuer:
cn=openca02
ou=hpne
o=hpne
c=CN
Subject:
cn=openca02
ou=hpne
o=hpne
c=CN
CRL Distribution Points:
http://openca02.hpne.com/pki/pub/crl/cacrl.crl
Validity Date:
start date: 16:03:13 UTC May 15 2013
end date: 16:03:13 UTC May 15 2015
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Signature Algorithm: SHA256 with RSA Encryption
Fingerprint MD5: 05A2A93C 62C15372 A6066C91 99C94D8C
Fingerprint SHA1: D027DD83 70D42493 E6A53CA8 61529A57 3379C06E
X509v3 extensions:
X509v3 Key Usage: 6000000
Key Cert Sign
CRL Signature
X509v3 Subject Key ID: E8F63274 AEA12677 12774794 24CAB392 504B98DE
X509v3 Basic Constraints:
CA: TRUE
X509v3 Subject Alternative Name:
X509v3 Authority Key ID: E8F63274 AEA12677 12774794 24CAB392 504B98DE
Authority Info Access:
Associated Trustpoints: openca02
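The verbose output above reports `RSA Public Key: (512 bit)` for the router certificate while the CA key is 2048 bits: the router enrolled with whatever key pair IOS had, and on older IOS the default modulus when the trustpoint names no larger rsakeypair is 512 bits, a size that has been practically factorable for years. OpenCA issued the certificate anyway, so the check has to happen on the RA side before a request is approved. (The same capture also shows `ip ssh version 1` and enrollment over plain HTTP; SCEP wraps its enrollment messages in PKCS#7, but the CA certificate the router fetches with GetCACert is unauthenticated and has to be compared with the CA fingerprint out of band.) The Python below is an example added for this page, not code from OpenCA, Cisco or the original notes: it takes the certificate hex that IOS stores under `crypto pki certificate chain` in the show run above (copied into the script as constructed input), walks the DER with a small TLV reader using only the standard library, and returns the serial, subject, RSA modulus size and SHA1 fingerprint, flagging a modulus below 2048 bits. It also accepts a PEM file, so the same function can be pointed at the ScepRACert file from scep.conf or at cacert.crt from the CA's AIA URL. The 2048-bit threshold and all function and variable names are this example's own assumptions.

```python
import base64
import hashlib
import re

# Constructed input: the router certificate copied from the "certificate 00FE6CAE704C444669A462"
# block under "crypto pki certificate chain openca02" in the show run above (IOS hex dump of the DER).
ROUTER_CERT_IOS_HEX = """
308203B0 30820298 A0030201 02020B00 FE6CAE70 4C444669 A462300D 06092A86
4886F70D 01010B05 00303E31 0B300906 03550406 1302434E 310D300B 06035504
0A0C0468 706E6531 0D300B06 0355040B 0C046870 6E653111 300F0603 5504030C
086F7065 6E636130 32301E17 0D313330 35313531 36333031 375A170D 31343035
31353136 33303137 5A301C31 1A301806 092A8648 86F70D01 09020C0B 72312E68
706E652E 636F6D30 5C300D06 092A8648 86F70D01 01010500 034B0030 48024100
EF088BAA C7C299C8 ACD388F5 A10486E5 E2DE3A0F 7C1CB62D DC65AA07 A236CBB3
73ECBF6E 9F1E85BD 3A6A27E9 070D5464 0CA3C479 CD4E9D79 A893258A 1E93532B
02030100 01A38201 97308201 93300906 03551D13 04023000 30110609 60864801
86F84201 01040403 02064030 0B060355 1D0F0404 030205E0 30210609 60864801
86F84201 0D041416 1256504E 20536572 76657220 6F662068 706E6530 1D060355
1D0E0416 0414EBAE 38B4BF58 7ADD7CE8 67928BDD FC289BC5 4115301F 0603551D
23041830 168014E8 F63274AE A1267712 77479424 CAB39250 4B98DE30 18060355
1D120411 300F810D 726F6F74 4068706E 652E636F 6D3081A7 06082B06 01050507
01010481 9A308197 303E0608 2B060105 05073002 86326874 74703A2F 2F6F7065
6E636130 322E6870 6E652E63 6F6D2F70 6B692F70 75622F63 61636572 742F6361
63657274 2E637274 302A0608 2B060105 05073001 861E6874 74703A2F 2F6F7065
6E636130 322E6870 6E652E63 6F6D3A32 3536302F 30290608 2B060105 0507300C
861D6874 74703A2F 2F6F7065 6E636130 322E6870 6E652E63 6F6D3A38 33302F30
3F060355 1D1F0438 30363034 A032A030 862E6874 74703A2F 2F6F7065 6E636130
322E6870 6E652E63 6F6D2F70 6B692F70 75622F63 726C2F63 6163726C 2E63726C
300D0609 2A864886 F70D0101 0B050003 82010100 802CC64B C418A936 E213FFE5
AEF7D0DD 655FEB75 E4F17433 2C9A4FCB 7D840227 B6ED14D7 876E24C0 0E8FC113
B89D50B9 E4C6B798 D945A5CE 908BB3F0 7D20856B 0A5BE450 08E62103 526F3E8A
B4E3EB2F 29AD50CA 24AB781D 88943449 81E65485 E08E2A1C 35E4D073 99565F5D
7B7365D4 2D9336A5 FF0D401D 03BE9400 A7CE1436 CC6348FD F166D961 47767780
D769C1D5 D9DF39D7 88332DF7 1C84C7DD 3D1F6422 35D51642 7D119D66 93CFDC10
CFC2B75B 6BA32CD4 BD077BB9 572BCACC B0E69C27 A278E9BF DDB3D53B D1391599
17FE4D77 56BA5689 E7EF5618 65E51DB0 BF77A7B2 846D95EC C3D5152D 1DF280C4
947856EB 2714386B CFE40CCF F4A56B09 27D07D7F
"""

WEAK_RSA_BELOW_BITS = 2048  # policy threshold assumed by this example; the page sets no minimum

def der_from_ios_hex(text: str) -> bytes:
    return bytes.fromhex("".join(text.split()))  # hex octets as IOS prints them in show run

def der_from_pem(text: str) -> bytes:
    """First CERTIFICATE block of a PEM file, e.g. the ScepRACert file or cacert.crt."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))

def read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length header at pos; return (tag, value_start, value_end)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:  # long form: low 7 bits give the number of length octets that follow
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("DER length runs past the end of the buffer")
    return tag, pos, pos + length

def children(buf: bytes, start: int, end: int):
    pos = start  # yield the TLVs directly inside a constructed value spanning [start, end)
    while pos < end:
        tlv = read_tlv(buf, pos)
        yield tlv
        pos = tlv[2]

def name_strings(buf: bytes, start: int, end: int) -> list:
    """String values of an X.501 Name: SEQUENCE OF SET OF SEQUENCE { OID, value }."""
    out = []
    for _, rdn_s, rdn_e in children(buf, start, end):
        for _, atv_s, atv_e in children(buf, rdn_s, rdn_e):
            _oid, (tag, vs, ve) = list(children(buf, atv_s, atv_e))
            if tag in (0x0C, 0x13, 0x16):  # UTF8String, PrintableString, IA5String
                out.append(buf[vs:ve].decode("utf-8", "replace"))
    return out

def inspect_certificate(der: bytes) -> dict:
    tag, cert_s, cert_e = read_tlv(der, 0)
    if tag != 0x30 or cert_e != len(der):
        raise ValueError("input is not exactly one DER Certificate")
    _, tbs_s, tbs_e = read_tlv(der, cert_s)  # tbsCertificate
    fields = list(children(der, tbs_s, tbs_e))
    fields = fields[1:] if fields[0][0] == 0xA0 else fields  # skip optional [0] EXPLICIT version
    serial, _sig_alg, _issuer, _validity, subject, spki = fields[:6]
    # SubjectPublicKeyInfo = SEQUENCE { AlgorithmIdentifier, BIT STRING subjectPublicKey }
    _alg, (_, bits_s, _bits_e) = list(children(der, spki[1], spki[2]))
    # BIT STRING payload: one 'unused bits' octet, then RSAPublicKey = SEQUENCE { modulus, exponent }
    _, rsa_s, rsa_e = read_tlv(der, bits_s + 1)
    (_, mod_s, mod_e), _exp = list(children(der, rsa_s, rsa_e))
    return {
        "serial_hex": der[serial[1]:serial[2]].hex().upper(),
        "subject": name_strings(der, subject[1], subject[2]),
        "rsa_bits": int.from_bytes(der[mod_s:mod_e], "big").bit_length(),
        "sha1": hashlib.sha1(der).hexdigest().upper(),  # same value IOS shows as Fingerprint SHA1
    }

def weak_rsa_key(info: dict) -> bool:
    return info["rsa_bits"] < WEAK_RSA_BELOW_BITS

if __name__ == "__main__":
    info = inspect_certificate(der_from_ios_hex(ROUTER_CERT_IOS_HEX))
    print(info, "WEAK KEY: reject or re-enroll" if weak_rsa_key(info) else "key size acceptable")
```

The SHA1 the script returns is computed over the DER, which is what IOS displays as Fingerprint SHA1 under show crypto pki certificates verbose; compare it with that output and with openssl x509 -noout -fingerprint -sha1 on the RA host's copy to confirm both ends hold the same certificate. For the router in this capture the fix is to generate a proper key (crypto key generate rsa modulus 2048, referenced from the trustpoint with rsakeypair) and re-enroll before relying on the certificate.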
===================
Thanks to ZZ-Xiao.