2. General OpenCA Issues

2.1. Is it possible to revoke a certificate without any user interaction?

Yes, it is possible. Go to an RA interface, go to the certificate which you want to revoke and view it. Click on revoke and fill out the form; you have now created the initial CRR (certificate revocation request) for that certificate.

2.2. I try to add a role and get the message “The role XYZ exists already!”

This message appears if one of the configuration files of the new role already exists. Please check the files in the directories OPENCADIR/etc/openssl/extfiles and OPENCADIR/etc/openssl/openssl.

2.3. All cryptographic operations fail.

Check that the configuration option OPENSSL is set to the correct path. It must point to the OpenSSL binary. You have to verify all files in OPENCADIR/etc/servers/.

2.4. Apache's error_log reports a nonexistent option -subj of openssl req

You are using OpenSSL 0.9.6 but you must use 0.9.7. The use of 0.9.6 can cause inconsistent data. Normally OpenCA cannot be installed if OpenSSL 0.9.7 is not present, so please check the path to the OpenSSL binary in the configuration files. The option is OPENSSL in all files in OPENCADIR/etc/servers/.

2.5. Apache's error_log contains a message from IBM DB2 that the environment is not set

Please check the settings in etc/servers/DBI.conf, because this happens if IBM's software cannot find its libraries and databases.

2.6. What are the new features of 0.9.2?

  • it is now possible to create usable packages

  • you can configure the PKI after the installation

  • docbook based documentation

  • integrated access control

  • secure export of private keys via the public interface

  • several LDAP improvements

  • key sizes can now be chosen by IE users too

  • much better CSR editing

  • additional attributes for requests (e.g. telephone numbers)

  • menu generation via an XML configuration file

  • SCEP support

  • warnings about expiring certificates

  • more (and explicit) download formats for certificates

  • subject verification for PKCS#10 requests

  • logging support

2.7. I try to approve and sign a request with Mozilla and it fails.

Mozilla doesn't implement crypto.signForm until version 1.7. We strongly recommend that you update to a newer version. Some workarounds are described in Section 2.2.2, “Signing Data”.

2.8. I try to approve and sign a request with Konqueror (KDE) and it fails.

KDE doesn't include any functionality to sign HTML forms until now, so this feature is not supported for KDE.

2.9. What is the format of the disk used to import the CA certificate from the root CA?

It is an uncompressed tar file. The name of the file which contains the CA certificate is cacert.pem. The format of the file is PEM (sometimes called CRT or base64 encoded).

2.10. OpenSSL reports entry 1: invalid expiry date

If you try to create a CRL, to issue a certificate or to revoke a certificate and it fails, then you should get an error message from OpenSSL. If the error message includes the string entry 1: invalid expiry date then the database file index.txt is damaged. The easiest solution is to go to the backup and recovery area of the node management interface. There you can use the link which starts the rebuilding of the OpenSSL files. After this operation the OpenSSL files are correct again.

2.11. Outlook cannot encrypt mail with imported certificate

If you imported the certificate of another user and try to send him an encrypted email, it can happen that this doesn't work with Outlook and Outlook Express. The reason is that the person must be present in your contacts. The best way to add the person to your contacts is to take a signed email from him and import the user from this email into your contacts.

2.12. My Outlook freezes after I received a signed email

There are several reasons why Outlook freezes, but one of them is a signed email in combination with an anti-virus program. One user reported some time ago a frozen Outlook in combination with an anti-virus program from Kaspersky. As often with Microsoft programs, it is not clear why Outlook crashes and which vendor made the mistake and shipped the bug in its program.

2.13. General Error 6751 during certificate issuing

If you try to issue a certificate and you use an OpenCA version prior to 0.9.2 then it is possible that you get a general error 6751.

Example E.1. General error 6751 during certificate issuing

Error 6751
General Error. Error while issuing Certificate to CA Services some.host.com
 (filename: /usr/local/openca/var/tmp/04.req). 

OpenCA::OpenSSL returns errocode 7731071
 (OpenCA::OpenSSL->issueCert: OpenSSL fails (256).)..

If you check your Apache's error_log then you should see some lines which include digital envelope routines:EVP_DecryptFinal:bad decrypt.

Example E.2. Bad passphrase error log during certificate issuing

[Mon Dec 29 18:32:59 2003] [error] [client 192.168.1.38]
        unable to load CA private key, referer:
        http://ca.localhosts.com/cgi-bin/ca/ca?cmd=viewCSR;dataType=APPROVED_REQUEST;key=1312
[Mon Dec 29 18:32:59 2003] [error] [client 192.168.1.38]
        18685:error:06065064:digital envelope routines:
                EVP_DecryptFinal:bad decrypt:evp_enc.c:438:, referer:
        http://ca.localhosts.com/cgi-bin/ca/ca?cmd=viewCSR;dataType=APPROVED_REQUEST;key=1312
[Mon Dec 29 18:32:59 2003] [error] [client 192.168.1.38]
        18685:error:0906A065:PEM routines:
                PEM_do_header:bad decrypt:pem_lib.c:421:, referer:
        http://ca.localhosts.com/cgi-bin/ca/ca?cmd=viewCSR;dataType=APPROVED_REQUEST;key=1312

The reason is very simple. The messages unable to load CA private key and EVP_DecryptFinal:bad decrypt come from OpenSSL and signal that the CA's private key cannot be decrypted. This usually happens if you use a wrong passphrase. You can test your passphrase with the command openssl rsa -in /usr/local/openca/var/crypto/keys/cakey.pem -text -noout. If it fails, your passphrase is wrong.

2.14. What do I have to do to create a new release?

This defines all necessary steps for a new release and is mandatory for release candidates too. Steps which are only mandatory for normal releases or only for release candidates are marked.

  1. Go to CVS module directory openca-0.9

  2. Edit Makefile.devel and fix the minor release

  3. Commit Makefile.devel

  4. cd ..

  5. cvs tag -R openca_V_E_R_S_I_O_N openca-0.9

  6. cd openca-0.9

  7. make -f Makefile.devel dist

  8. scp openca-0.9.2*.tar.gz username@ftp.openca.org:ftp/releases/

  9. ftp upload.sf.net

  10. Login: anonymous

  11. Passwd: your email address

  12. cd incoming

  13. put openca-0.9.2*.tar.gz

  14. Go to sourceforge.net and release the file for project openca

  15. Add a release for OpenCA at freshmeat.net

  16. Add news message to news area of OpenCA.org

  17. Send a mail to openca-users, openca-devel, openca-announce

2.15. How can I configure Mozilla for OCSP?

Which string should be filled in the Service URL field of the Mozilla Preferences/Validation dialog, assuming that 10.13.1.13 is the IP of my OCSP responder?

Well, it depends on your configuration (check ocspd.conf). Anyway, by default you should use http://10.13.1.13:2560/.

2.16. Error 7211021: Cannot create request!

Sometimes you get the following error message.

Example E.3. Error 7211021: Cannot create request!

Error 7211021
General Error. Cannot create request!

(OpenCA::REQ->new: Cannot create new request.
 Backend fails with errorcode 7712071.
 OpenCA::OpenSSL->genReq: Cannot execute command (7777067).
     problems making Certificate Request 24649:
     error:0D07A097:
     asn1 encoding routines:
     ASN1_mbstring_copy:
     string too long:
     a_mbstr.c:154:maxsize=2
 error in req
).

The reason is very simple: you entered more than two characters for the ISO country code. Please check your form and the configuration for the country code used. All ISO country codes are exactly two characters long - not one character and not more than two characters.
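The following triage helper is added here as an example and is not part of OpenCA. It parses the OpenSSL error strings quoted in 2.10, 2.13 and 2.16 from an error_log excerpt and maps each to the FAQ entry that explains it; the sample log lines are constructed after the examples above, and the country-code check is an assumed form-side validation that prevents the 2.16 error before the request reaches OpenSSL.

```python
import re

# Constructed sample log lines, modelled on the FAQ's examples above (not real log data).
SAMPLE_LOG = """\
[Mon Dec 29 18:32:59 2003] [error] [client 192.168.1.38] unable to load CA private key
[Mon Dec 29 18:32:59 2003] [error] [client 192.168.1.38] 18685:error:06065064:digital envelope routines:EVP_DecryptFinal:bad decrypt:evp_enc.c:438:
problems making Certificate Request 24649: error:0D07A097:asn1 encoding routines:ASN1_mbstring_copy:string too long:a_mbstr.c:154:maxsize=2
entry 1: invalid expiry date
"""

# Layout of an OpenSSL error string:
# error:<8 hex digits>:<library>:<function>:<reason>:<file>:<line>:<extra data>
OPENSSL_ERR = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):"
    r"(?P<reason>[^:]+):(?P<file>[^:]+):(?P<line>\d+):(?P<extra>[^,]*)"
)

def parse_openssl_error(line):
    """Return the fields of the first OpenSSL error string in line, or None."""
    m = OPENSSL_ERR.search(line)
    return m.groupdict() if m else None

def valid_country_code(value):
    """ISO 3166 country codes are exactly two letters; anything longer triggers 2.16 (assumed check)."""
    return len(value) == 2 and value.isalpha()

def diagnose(line):
    """Map one log line to the FAQ entry that explains it, or None if unknown."""
    err = parse_openssl_error(line)
    if "unable to load CA private key" in line or (
        err and err["func"] == "EVP_DecryptFinal" and err["reason"] == "bad decrypt"
    ):
        return "2.13: CA private key cannot be decrypted, probably a wrong passphrase"
    if err and err["func"] == "ASN1_mbstring_copy" and err["extra"] == "maxsize=2":
        return "2.16: a two-character field (the ISO country code) was given more than two characters"
    if "invalid expiry date" in line:
        return "2.10: index.txt is damaged, rebuild the OpenSSL files via node management"
    return None

def triage(log_text):
    """Collect the distinct diagnoses for an error_log excerpt, in order of first occurrence."""
    findings = []
    for line in log_text.splitlines():
        d = diagnose(line)
        if d and d not in findings:
            findings.append(d)
    return findings
```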