Yes, it is possible. Go to an RA interface. Go to the certificate which you want to revoke. View the certificate. Click on revoke and fill out the form. This creates the initial CRR (certificate revocation request) to revoke the certificate.
This message appears if one of the configuration files of the new role already exists. Please check the files in the directories OPENCADIR/etc/openssl/extfiles and OPENCADIR/etc/openssl/openssl.
Check that the configuration option OPENSSL is set to the correct path. It must be the binary of OpenSSL. You have to verify all files in OPENCADIR/etc/servers/.
You are using OpenSSL 0.9.6 but you must use 0.9.7. The use of 0.9.6 can cause inconsistent data. Normally OpenCA cannot be installed if OpenSSL 0.9.7 is not present. So please check the path to the OpenSSL binary in the configuration files. The option is OPENSSL in all files in OPENCADIR/etc/servers/.
Please check the settings in etc/servers/DBI.conf because this happens if IBM's software cannot find the libraries and databases.
it is now possible to create usable packages
you can configure the PKI after the installation
docbook based documentation
integrated access control
secure export of private keys via the public interface
several LDAP improvements
key sizes are now selectable for IE users too
much better CSR editing
additional attributes for requests (e.g. telephone numbers)
menu generation via XML configuration file
SCEP support
warnings about expiring certificates
more (and explicit) download formats for certificates
subject verification for PKCS#10 requests
logging support
Mozilla doesn't implement crypto.signForm until version 1.7. We strongly recommend that you update to a newer version. Some workarounds are described at Section 2.2.2, “Signing Data”.
KDE doesn't include any functionality to sign HTML forms until now. So this feature is not supported for KDE.
It is an uncompressed tar file. The name of the file which contains the CA certificate is cacert.pem. The format of the file is PEM (sometimes called CRT or base64 encoded).
If you try to create a CRL, to issue a certificate or to revoke a certificate and it fails, then you should get an error message from OpenSSL. If the error message includes the string entry 1: invalid expiry date then the database file index.txt is damaged. The easiest solution is to go to the backup and recovery area of the node management interface. There you can use the link which starts the rebuilding of the OpenSSL files. After this operation the OpenSSL files are correct again.
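To find out which entries of index.txt are damaged before rebuilding, the file can be checked line by line. The following is an added example, not part of OpenCA; it assumes the usual tab-separated OpenSSL index.txt layout (status, expiry date, revocation date, serial, file name, subject), and the sample data is constructed.

```python
import re
from datetime import datetime

# Constructed sample index.txt; entry 2 has a truncated expiry date,
# entry 4 is marked valid but carries a revocation date and a non-hex serial.
SAMPLE_INDEX = (
    "V\t251229183259Z\t\t01\tunknown\t/C=DE/O=Example/CN=alice\n"
    "V\t2512291832\t\t02\tunknown\t/C=DE/O=Example/CN=bob\n"
    "R\t251229183259Z\t240101120000Z,keyCompromise\t03\tunknown\t/C=DE/O=Example/CN=carol\n"
    "V\t251229183259Z\t240101120000Z\t0G\tunknown\t/C=DE/O=Example/CN=dave\n"
)

def valid_time(value):
    """Accept UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    if not re.fullmatch(r"\d{12}Z|\d{14}Z", value):
        return False
    fmt = "%y%m%d%H%M%SZ" if len(value) == 13 else "%Y%m%d%H%M%SZ"
    try:
        datetime.strptime(value, fmt)  # rejects month 13, day 32, ...
        return True
    except ValueError:
        return False

def check_index(text):
    """Return (entry_number, problem) for every damaged field found."""
    problems = []
    for n, line in enumerate(text.splitlines(), start=1):
        fields = line.split("\t")
        if len(fields) != 6:
            problems.append((n, "wrong number of fields"))
            continue
        status, expiry, revoked, serial = fields[:4]
        if status not in ("V", "R", "E"):
            problems.append((n, "unknown status flag"))
        if not valid_time(expiry):
            problems.append((n, "invalid expiry date"))
        # A revocation date may be followed by ",reason".
        if status == "R" and not valid_time(revoked.split(",", 1)[0]):
            problems.append((n, "invalid revocation date"))
        if status != "R" and revoked:
            problems.append((n, "revocation date on non-revoked entry"))
        # Assumption: serials are hex strings with an even number of digits.
        if not re.fullmatch(r"[0-9A-Fa-f]+", serial) or len(serial) % 2:
            problems.append((n, "bad serial number"))
    return problems

if __name__ == "__main__":
    for entry, problem in check_index(SAMPLE_INDEX):
        print(f"entry {entry}: {problem}")
```

Run it against a copy of the real index.txt by passing the file's contents to check_index().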
If you imported the certificate of another user and try to send him an encrypted email then it can happen that this doesn't work with Outlook and Outlook Express. The reason is that the person must be present in your contacts. The best way to add the person to your contacts is to take a signed email and import the user from this email to your contacts.
Outlook can freeze for several reasons, but one of them is a signed email in combination with an antivirus program. Some time ago one user reported a frozen Outlook in combination with an antivirus program from Kaspersky. As often with Microsoft programs, it is not clear why Outlook crashes, or which of the programs contains the bug.
If you try to issue a certificate and you use an OpenCA version prior to 0.9.2 then it is possible that you get a general error 6751.
Example E.1. General error 6751 during certificate issuing
Error 6751 General Error. Error while issuing Certificate to CA Services some.host.com (filename: /usr/local/openca/var/tmp/04.req). OpenCA::OpenSSL returns errocode 7731071 (OpenCA::OpenSSL->issueCert: OpenSSL fails (256).)..
If you check your Apache's error_log then you should see some lines which include digital envelope routines:EVP_DecryptFinal:bad.
Example E.2. Bad passphrase error log during certificate issuing
[Mon Dec 29 18:32:59 2003] [error] [client 192.168.1.38] unable to load CA private key, referer: http://ca.localhosts.com/cgi-bin/ca/ca?cmd=viewCSR;dataType=APPROVED_REQUEST;key=1312
[Mon Dec 29 18:32:59 2003] [error] [client 192.168.1.38] 18685:error:06065064:digital envelope routines: EVP_DecryptFinal:bad decrypt:evp_enc.c:438:, referer: http://ca.localhosts.com/cgi-bin/ca/ca?cmd=viewCSR;dataType=APPROVED_REQUEST;key=1312
[Mon Dec 29 18:32:59 2003] [error] [client 192.168.1.38] 18685:error:0906A065:PEM routines: PEM_do_header:bad decrypt:pem_lib.c:421:, referer: http://ca.localhosts.com/cgi-bin/ca/ca?cmd=viewCSR;dataType=APPROVED_REQUEST;key=1312
The reason is very simple. The messages unable to load CA private key and EVP_DecryptFinal:bad decrypt are from OpenSSL and signal that the CA's private key cannot be decrypted. This usually happens if you use a wrong passphrase. You can test your passphrase with the command openssl rsa -in /usr/local/openca/var/crypto/keys/cakey.pem -text -noout. If it fails then your passphrase is wrong.
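Failed attempts to unlock the CA key are worth watching for in the error_log. The following added example (not part of OpenCA) parses log lines in the format of Example E.2, extracts the OpenSSL error entries and counts bad-decrypt failures per client; the sample lines, host names and regular expressions are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the format of Example E.2 (referer host is made up).
SAMPLE_LOG = """\
[Mon Dec 29 18:32:59 2003] [error] [client 192.168.1.38] unable to load CA private key, referer: http://ca.example.test/cgi-bin/ca/ca
[Mon Dec 29 18:32:59 2003] [error] [client 192.168.1.38] 18685:error:06065064:digital envelope routines:EVP_DecryptFinal:bad decrypt:evp_enc.c:438:, referer: http://ca.example.test/cgi-bin/ca/ca
[Mon Dec 29 18:32:59 2003] [error] [client 192.168.1.38] 18685:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:421:, referer: http://ca.example.test/cgi-bin/ca/ca
[Mon Dec 29 18:40:02 2003] [error] [client 192.168.1.40] File does not exist: /var/www/favicon.ico
"""

# Apache error_log line: [timestamp] [error] [client address] message
LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] (?P<msg>.*)$")
# OpenSSL error queue entry: pid:error:code:library:function:reason:file:line:
SSL_ERR = re.compile(
    r"(?P<pid>\d+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):"
    r"(?P<func>[^:]+):(?P<reason>[^:]+):(?P<file>[^:]+):(?P<line>\d+):"
)

def openssl_errors(log_text):
    """Return one dict per log line that carries an OpenSSL error entry."""
    found = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        e = SSL_ERR.search(m["msg"])
        if e:
            found.append({"ts": m["ts"], "client": m["client"], **e.groupdict()})
    return found

def failed_key_unlocks(log_text):
    """Count, per client, the requests where the CA key could not be decrypted."""
    hits = Counter()
    for e in openssl_errors(log_text):
        # EVP_DecryptFinal/bad decrypt is the wrong-passphrase signature;
        # the PEM_do_header line repeats the same failure, so it is not counted twice.
        if e["func"].strip() == "EVP_DecryptFinal" and e["reason"] == "bad decrypt":
            hits[e["client"]] += 1
    return dict(hits)

if __name__ == "__main__":
    for client, count in failed_key_unlocks(SAMPLE_LOG).items():
        print(f"{client}: {count} failed CA key unlock(s)")
```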
This defines all necessary steps for a new release and is mandatory for release candidates too. Steps which are only mandatory for normal releases or release candidates are marked.
Go to CVS module directory openca-0.9
Edit Makefile.devel and fix the minor release
Commit Makefile.devel
cd ..
cvs tag -R openca_V_E_R_S_I_O_N openca-0.9
cd openca-0.9
make -f Makefile.devel dist
scp openca-0.9.2*.tar.gz username@ftp.openca.org:ftp/releases/
ftp upload.sf.net
Login: anonymous
Passwd: your email address
cd incoming
put openca-0.9.2*.tar.gz
Go to sourceforge.net and release the file for project openca
Add a release for OpenCA at freshmeat.net
Add news message to news area of OpenCA.org
Send a mail to openca-users, openca-devel, openca-announce
Which string should be filled in the Service URL field of the Mozilla Preferences/Validation assuming that 10.13.1.13 is my CRL IP?
Well, it depends on your configuration (check the ocspd.conf). Anyway by default you should use http://10.13.1.13:2560/.
Sometimes you get the following error message.
Example E.3. Error 7211021: Cannot create request!
Error 7211021 General Error. Cannot create request! (OpenCA::REQ->new: Cannot create new request. Backend fails with errorcode 7712071. OpenCA::OpenSSL->genReq: Cannot execute command (7777067). problems making Certificate Request 24649: error:0D07A097: asn1 encoding routines: ASN1_mbstring_copy: string too long: a_mbstr.c:154:maxsize=2 error in req ).
The reason is very simple: you entered more than two characters for the ISO country code. Please check your form and the configuration for the country code used. All ISO country codes are two characters long, not one character and not more than two characters.