--
DavidBannon - 11 Dec 2007
Install OpenCA version 0.93
Migrated here from the old APACGrid Twiki 11/12/2007
Prepare and install the Offline and Online boxes
Xen
Since we are using Xen virtual machines on both the CA and the RA/pub server, we need to install Xen and two CentOS images; see the XenInstall page for that.
Create OpenCA user
useradd openca
Prerequisite packages and modules
Now we need to install some prerequisites on both of the installations:
Login as root and type:
yum install gpg ftp links make unzip openssl-devel expat-devel httpd mod_ssl mysql-server
to install the required packages. We also need some Perl modules. I am using the CPAN shell for this; you may be able to find a CentOS repository with the corresponding RPMs instead.
perl -MCPAN -e shell   (originally written here as perl -MCAPN -e shell; reported by Samuel Rios Carvalho to actually be perl -MCPAN -e shell; DRB, 30/5/2008)
install CGI::Session
install Convert::ASN1
install Digest::MD5
install Digest::SHA1
install Encode::Unicode
install IO::Socket::SSL
install IO::Stringy
install MIME::Base64
install MIME::Lite
install MIME::Tools
install MailTool
install Net::Server
install URI
install XML::Twig
install XML::SAX::Base
quit
We also need the libintl module, which I could not find in CPAN, so we download and install it manually:
wget http://search.cpan.org/CPAN/authors/id/G/GU/GUIDO/libintl-perl-1.16.tar.gz
tar xvzf libintl-perl-1.16.tar.gz
cd libintl-perl-1.16
perl Makefile.PL
make
make test
make install
Apache config
Edit /etc/httpd/httpd.conf and change this line to your hostname:
ServerName cabox.vpac.org
MySQL config
Init mysql:
mysql_install_db
Fix a CentOS MySQL bug:
Edit /etc/my.cnf and add the following line in the [mysqld] section:
skip-bdb
Start daemon:
service mysqld start
Set root password:
mysqladmin -u root password 'new_password'
mysqladmin -u root -h your_hostname password 'new_password'
Create database and change permissions for openca:
mysql -p
create database openca;
GRANT create,drop,select,delete,insert,update ON openca.* TO 'openca_u'@'localhost' IDENTIFIED by 'database_password';
FLUSH privileges;
exit;
I don't think it's necessary but you can restart MySQL:
service mysqld restart
Install OpenCA package
Because of a bug in the openssl version that comes with CentOS 4.4 we need to build openssl from source. I decided to install a version that is not too different from the one already installed. Here we go:
wget http://www.openssl.org/source/openssl-0.9.7e.tar.gz
tar xvzf openssl-0.9.7e.tar.gz
cd openssl-0.9.7e
./config
make
make install
This installs openssl into /usr/local/ssl/.
Now we have to install the openca tools package:
wget http://www.openca.org/alby/download?target=openca-tools-1.0.0.tar.gz
tar xvzf openca-tools-1.0.0.tar.gz
cd openca-tools-1.0.0
./configure --prefix=/opt/openca93 --exec-prefix=/opt/openca93 \
--with-openca-prefix=/opt/openca93 --with-openca-user=openca --with-openca-group=openca --with-openssl-prefix=/usr/local/ssl
make
make install
Now for the OpenCA application itself. Download and uncompress the package:
wget http://www.openca.org/alby/download?target=openca-0.9.3-rc1.tar.gz
tar xvzf openca-0.9.3-rc1.tar.gz
Configure and install OpenCA:
We install OpenCA in the directory /opt/openca93.
cd openca-0.9.3-rc1
./configure --prefix=/opt/openca93 --exec-prefix=/opt/openca93 --with-openca-prefix=/opt/openca93 \
--with-module-prefix=/opt/openca93/modules --with-openssl-prefix=/usr/local/ssl \
--with-openca-user=openca --with-openca-group=openca --with-web-host=localhost --with-httpd-user=apache \
--with-httpd-group=apache --with-cgi-fs-prefix=/var/www/cgi-bin --with-htdocs-fs-prefix=/var/www/html
make
make test is broken (at least on the version I used) so we skip that.
Now, depending on whether you want to install the offline or online service you have to execute
make install-offline
or
make install-online
Now we install a few helper scripts (it seems there is a bug and they are not installed by default):
cd src/scripts
make install
Edit: after installation the above command does not work either. You will have to copy the scripts in this directory manually to /opt/openca93/bin and fix their owner and permissions.
Start OpenCA at boot time
Add or edit the file /etc/init.d/openca and put the following in it:
#!/bin/sh
#
# chkconfig: 345 75 55
# description: OpenCA Server
cd /opt/openca93/etc || exit 1
case "$1" in
start)
echo -n "Starting OpenCA ... "
./openca_start
echo OK
;;
stop)
echo "Shutting down OpenCA ... "
./openca_stop
;;
restart)
$0 stop
$0 start
;;
*)
echo "Usage: $0 {start|stop|restart}"
exit 1
esac
Other stuff
Fix log file permission:
chown -R apache:apache /opt/openca93/var/log/
The installation of the OpenCA package is now finished. Next we have to
Configure the Offline and Online machine
Edit config.xml
We have to edit the file /opt/openca93/etc/config.xml in order to make changes to the default OpenCA configuration. These are the parts I edited (the complete config file is attached on this page):
First we set the name of the organization the CA is set up for:
<name>ca_organization</name>
<value>APACGrid</value>
And the country the CA is located in:
<name>ca_country</name>
<value>AU</value>
These two values are the first two tokens of the DN a certificate of this CA is going to have.
Now we change the way the mail program is invoked (because we use Postfix by default):
<name>sendmail</name>
<value>/usr/lib/sendmail -t </value>
The CA's email address:
<name>service_mail_account</name>
<value>ca@apac.edu.au</value>
A link to your CA's policy:
<name>policy_link</name>
<value>http://www.vpac.org/twiki/bin/view/APACgrid/CaPolicy_1_3</value>
Here is the database configuration:
<option>
<name>dbmodule</name>
<!-- you can use DB or DBI -->
<value>DBI</value>
</option>
<option>
<name>db_type</name>
<value>mysql</value>
</option>
<option>
<name>db_name</name>
<value>openca</value>
</option>
<option>
<name>db_host</name>
<value>localhost</value>
</option>
<option>
<name>db_port</name>
<value>3306</value>
</option>
<option>
<name>db_user</name>
<value>openca_u</value>
</option>
<option>
<name>db_passwd</name>
<value>database_password</value>
</option>
<option>
<name>db_namespace</name>
<!--
a namespace is prefix in front of every table
Example: table user1
==>
select * from user1.certificate;
This is not required for MySQL, PostgreSQL and IBM DB2.
Nevertheless all supported database can use such namespaces
and it is the default behaviour of Oracle. Oracle uses as
namespace usually the name of the database.
-->
<value>openca</value>
</option>
We don't need LOAS (Levels of Authentication):
<option>
<name>USE_LOAS</name>
<value>no</value>
</option>
Now for a very important part, the dataexchange. For the Offline machine, comment out the "no dataexchange configuration" section and uncomment the "acts as CA only" section. For the Online machine, also comment out the "no dataexchange configuration" section but uncomment the "acts as RA only" section.
We also have to configure the way we exchange data between the Offline and Online machine (details to be added later):
<option>
<name>dataexchange_device_up</name>
<value>/tmp/fd0</value>
</option>
<option>
<name>dataexchange_device_down</name>
<value>/tmp/fd0</value>
</option>
<option>
<name>dataexchange_device_local</name>
<value>/tmp/openca_local</value>
</option>
When you are finished editing config.xml you have to apply its content to the appropriate templates to create the "real" config files:
cd /opt/openca93/etc
./configure_etc.sh
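Before running configure_etc.sh it is worth checking that no placeholder from this write-up (database_password, new_password) survived into config.xml, since those values are copied verbatim into the generated config files. The helpers below are an added example, not part of the page or of OpenCA: get_option reads the <option><name>/<value> layout shown above with awk, lint_config flags the page's placeholders and empty dataexchange paths, and write_demo_config builds a small constructed config.xml in that layout so the helpers can be tried without an OpenCA install (the root element name and the helper names are assumptions of this example).

```shell
#!/bin/sh
# Added example (not from the page or OpenCA): read and sanity-check the
# <option><name>..</name><value>..</value></option> entries of config.xml.

# get_option FILE NAME -> prints the <value> of the option called NAME
# (first match wins; whitespace around the value is dropped, as for the
# "sendmail" entry on the page which has a trailing blank).
get_option() {
    awk -v want="$2" '
        /<name>/ {
            n = $0; sub(/.*<name>[ \t]*/, "", n); sub(/[ \t]*<\/name>.*/, "", n)
        }
        /<value>/ && n == want {
            v = $0; sub(/.*<value>[ \t]*/, "", v); sub(/[ \t]*<\/value>.*/, "", v)
            print v; exit
        }' "$1"
}

# lint_config FILE: prints one line per option that is empty or still holds a
# placeholder used in this write-up; returns 1 if anything was flagged.
lint_config() {
    f="$1"; bad=0
    for name in db_passwd service_mail_account ca_organization ca_country \
                dataexchange_device_up dataexchange_device_down dataexchange_device_local; do
        v=$(get_option "$f" "$name")
        case "$v" in
            ""|database_password|new_password)   # placeholders from this page
                echo "$name: not set or still a placeholder ('$v')"; bad=1 ;;
        esac
    done
    return $bad
}

# write_demo_config FILE DBPASSWORD: constructed sample in the page's layout, used
# only to exercise the helpers. Not the real config.xml; root element is made up.
write_demo_config() {
    cat > "$1" <<EOF
<config>
<option>
<name>ca_organization</name>
<value>APACGrid</value>
</option>
<option>
<name>ca_country</name>
<value>AU</value>
</option>
<option>
<name>sendmail</name>
<value>/usr/lib/sendmail -t </value>
</option>
<option>
<name>service_mail_account</name>
<value>ca@apac.edu.au</value>
</option>
<option>
<name>db_type</name>
<value>mysql</value>
</option>
<option>
<name>db_passwd</name>
<value>$2</value>
</option>
<option>
<name>db_namespace</name>
<!-- a namespace is a prefix in front of every table -->
<value>openca</value>
</option>
<option>
<name>dataexchange_device_up</name>
<value>/tmp/fd0</value>
</option>
<option>
<name>dataexchange_device_down</name>
<value>/tmp/fd0</value>
</option>
<option>
<name>dataexchange_device_local</name>
<value>/tmp/openca_local</value>
</option>
</config>
EOF
}

# Run "sh this_script.sh /opt/openca93/etc/config.xml" to lint a real file.
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    lint_config "$1" && echo "no placeholders left in $1"
fi
```

On a real install call lint_config on /opt/openca93/etc/config.xml before ./configure_etc.sh; a non-zero exit means at least one value was left as the page shows it.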
Edit separate config files
A separate page describes additional configuration options.
Configure the Offline machine
OK. Now is the time to start the openca service for the first time and use the web interface:
service openca start
Point your browser to https://your_hostname/ca. You will be prompted to trust a server certificate. This certificate was created when installing the apache package and it is self-signed. We will exchange it later. Trust it for now.
Login with the default login/password root/root.
General -> Initialization -> Initialize the Certification Authority
Show SQL statements for database initialization
Check if everything is ok there.
Initialize Database
You should see: "The database was successfully initialized."
Generate new CA secret key -> choose your settings -> OK
Now choose and type in the passphrase for the CA secret key. After that the PEM encoded private key should be displayed.
Generate new CA Certificate Request (use generated secret key) -> edit the fields -> OK -> confirm the next page with OK -> type in your CA secret key passphrase again.
Self Signed CA Certificate (from already generated request) -> choose the validity -> The CA certificate details should be displayed.
Rebuild CA Chain
General -> Initialization -> Create the initial administrator
Create a new request -> fill in your details (choose CA Operator as role) -> Continue -> Continue -> Your request details are displayed.
Now you can Edit the request but that should not be necessary.
Issue the certificate -> click the "Issue certificate" button -> type in the CA secret key passphrase -> The certificate details are displayed.
Handle the certificate -> Certificate and Keypair - PKCS#12 -> click "Download" -> input the passphrase you entered when requesting that certificate (PIN) -> save & import into your browser.
General -> Initialization -> Create the initial RA certificate
Create a new request -> fill in your details (choose web server as role & hostname as Name) -> Continue -> Continue -> Your request details are displayed.
Now you can Edit the request but that should not be necessary.
Issue the certificate -> click the "Issue certificate" button -> type in the CA secret key passphrase -> The certificate details are displayed.
Handle the certificate -> Certificate and Keypair - PKCS#12 -> click "Download" -> input the passphrase you entered when requesting that certificate (PIN) -> save & import as racert.p12
Now we have to export the configuration and certificate data to the ra machine:
General -> Node management -> login (root/root again) -> Administration -> Dataexchange -> Enroll data to a lower level of the hierarchy (All) -> click "OK" -> Check log messages for errors but hopefully everything is all right and the export file is in the location you specified in /opt/openca93/etc/config.xml.
Configure the Online machine
First we exchange the self-signed server certificate on the Online machine with the one we just created. Copy racert.p12 to your Online machine and convert it to a pem encoded key&cert pair:
openssl pkcs12 -in racert.p12 -clcerts -nokeys -out hostcert.pem
openssl pkcs12 -in racert.p12 -nocerts -nodes -out hostkey.pem
cp /root/hostkey.pem /etc/httpd/conf/ssl.key/server.key
cp: overwrite `/etc/httpd/conf/ssl.key/server.key'? y
cp /root/hostcert.pem /etc/httpd/conf/ssl.crt/server.crt
cp: overwrite `/etc/httpd/conf/ssl.crt/server.crt'? y
service httpd restart
service openca start
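The two openssl pkcs12 calls above write the key and certificate to separate files, and nothing on the page checks that they actually belong together or that the certificate names the RA host before they overwrite server.key and server.crt. The script below is an added example, not part of the page or OpenCA: pkcs12_to_pem performs the same conversion (passphrase taken from an environment variable rather than a prompt, key file restricted to mode 600), key_matches_cert compares the public key in the extracted key with the one in the certificate, and cert_has_cn checks the subject CN. make_demo_p12 builds a throw-away self-signed certificate so the checks can be run without a real racert.p12; the helper names, the env-var handling and the demo subject are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the page or OpenCA): convert racert.p12 to the PEM pair
# httpd expects and verify the pair before copying it over the live server files.

# pkcs12_to_pem P12 PASSPHRASE OUTDIR
# Same two openssl pkcs12 calls as on the page; the PKCS#12 passphrase (the PIN
# chosen at request time) is passed via an environment variable, not on the
# command line, so it does not show up in the process list.
pkcs12_to_pem() {
    p12="$1"; pass="$2"; out="$3"
    mkdir -p "$out" || return 1
    P12PASS="$pass" openssl pkcs12 -in "$p12" -clcerts -nokeys \
        -passin env:P12PASS -out "$out/hostcert.pem" 2>/dev/null || return 1
    # -nodes: the private key is written unencrypted because httpd reads it at boot
    P12PASS="$pass" openssl pkcs12 -in "$p12" -nocerts -nodes \
        -passin env:P12PASS -out "$out/hostkey.pem" 2>/dev/null || return 1
    chmod 600 "$out/hostkey.pem"
}

# key_matches_cert KEY CERT: succeeds only if the SubjectPublicKeyInfo in CERT is
# the public half of KEY (both are compared as PEM text).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# cert_has_cn CERT NAME: succeeds if the subject CN equals NAME (the RA hostname).
# RFC2253 ordering makes the output format the same across openssl versions.
cert_has_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null \
        | grep -Eq "CN=$2"'(,|$)'
}

# make_demo_p12 DIR PASSPHRASE: constructed, self-signed stand-in for the
# racert.p12 OpenCA would issue; only for exercising the checks above.
make_demo_p12() {
    d="$1"; pass="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/demo.key" \
        -out "$d/demo.crt" -days 1 \
        -subj "/C=AU/O=APACGrid/CN=ra.example.test" 2>/dev/null || return 1
    P12PASS="$pass" openssl pkcs12 -export -inkey "$d/demo.key" -in "$d/demo.crt" \
        -passout env:P12PASS -out "$d/racert.p12" 2>/dev/null
}

# Run "sh this_script.sh demo" to exercise the helpers on the constructed certificate.
if [ "${1:-}" = "demo" ]; then
    D=$(mktemp -d)
    make_demo_p12 "$D" "demo-pin" \
        && pkcs12_to_pem "$D/racert.p12" "demo-pin" "$D/out" \
        && key_matches_cert "$D/out/hostkey.pem" "$D/out/hostcert.pem" \
        && cert_has_cn "$D/out/hostcert.pem" ra.example.test \
        && echo "key/cert pair checks out; safe to copy into /etc/httpd/conf"
    rm -rf "$D"
fi
```

For the real file, run pkcs12_to_pem on racert.p12, then key_matches_cert and cert_has_cn with the Online machine's hostname, and only copy hostkey.pem and hostcert.pem over server.key and server.crt when both succeed.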
Now point your browser to https://nsa2.vpac.org/ra and login with root/root.
General -> Server management -> login with root/root
Administration -> Server Init -> Show SQL statements for database initialization -> Check statements
Administration -> Server Init -> Initialize Database -> You should see: "The database was successfully initialized."
For the next step to work you have to copy the exported data from above (in our case a file /tmp/fd0 from the Offline machine) to the Online machine (again in our case to the file /tmp/fd0).
Administration -> Server Init -> Import Configuration -> click "OK" -> you should see a log file - check for errors
Requesting the first certificate
For test purposes we request the first certificate via the public interface.
Go to https://your_online_machine/pub.
User -> Request a certificate -> ...automatic browser detection -> fill in your details -> Continue -> Continue -> a page with your request details should appear; remember the serial of your request.
Now go to https://your_online_machine/ra and log in again.
Active CSRs ->
New -> choose "All" on the Registry Authority combobox & click "Search" -> click the Serial of the certificate you just requested -> click "Approve Request without Signing" (with signing does not work for me - have to investigate) -> check whether successful
General -> Server management -> login -> Administration -> Dataexchange -> Upload data to a higher level of the hierarchy (Requests) -> click "OK" -> check log output
Now copy the data over to your offline machine and point your browser to https://your_offline_machine/ca:
General -> Node management -> login -> Administration -> Dataexchange -> Receive data from a lower level of the hierarchy (Requests) -> click "OK" -> check log output
Go to https://your_offline_machine/ca and login, then:
Usual Operations -> Approved Certificate Requests -> click the Serial of the appropriate certificate request -> click "Issue Certificate" -> provide your CA secret key passphrase -> check log.
General -> Node management -> login -> Administration -> Dataexchange -> Enroll data to a lower level of the hierarchy (Certificates) -> click "OK" -> check log output
Copy the exported data back to your Online machine and go to https://your_online_machine/ra, then:
General -> Server management -> login -> Administration -> Dataexchange -> Download data from a higher level of the hierarchy (Certificates) -> click "OK" -> check log output
Go to the public interface at https://your_online_machine/pub:
User -> Get Requested Certificate -> provide the Request serial -> click "OK" -> check certificate in browser keystore
--
MarkusBinsteiner - 19 Feb 2007