What is PKI? - 3 (Open Source Coded PKI Software: OpenCA)

a) OpenCA Structure:

Unlike other PKI software, OpenCA is split into two servers: a certificate authority server and a registration authority server.

The certificate authority server (CA) is where the certificates are kept, so it is generally planned as a machine with no network connection. It is responsible for storing the user certificates and keeping track of the transactions, using either a directory server (LDAP) or a database server.

The registration authority server (RA) is responsible for accepting certificate transactions (requests, changes, revocations, etc.) from users interactively, having them approved by registration authority operators, and publishing the results to other users on its web pages.

b) Software Required to Install and Operate OpenCA:

OpenCA requires a Unix-based operating system, the OpenSSL cryptographic library built on that system, a web server (Apache compiled with mod_ssl), OpenLDAP, Perl and a set of Perl modules.

c) Installing OpenCA:

The installation below assumes that the latest versions of all source packages have been downloaded from the FTP sites, unpacked, and placed under the /CA directory.

OpenCA can run with either a directory server or a database server; the installation described here uses a database server.

i) Perl Modules Needed

These modules need to be installed on the designated machine. They can be downloaded from ftp://ftp.ulak.net.tr/pub/CPAN/modules.

To install a module, change into its source directory and run the following commands (the Makefile is generated from Makefile.PL, and the build step must precede the tests):

perl Makefile.PL
make
make test
make install

ii) OpenSSL Installation

The latest version of OpenSSL can be downloaded from ftp://ftp.metu.edu.tr/pub/mirrors/ftp.openssl.org.

To install it, change into the OpenSSL source directory and run the following commands (note that the OpenSSL directory option is spelled --openssldir):

./config --prefix=/CA --openssldir=/CA/ssl
make
make test
make install

iii) mod_ssl and Apache 1.3.x Installation

To build Apache with SSL support, download the mod_ssl package matching the Apache version to be installed from ftp://ftp.metu.edu.tr/pub/mirrors/ftp.modssl.org/source.

The Apache source code itself can be downloaded from ftp://ftp.metu.edu.tr/pub/mirrors/ftp.apache.org/httpd.

To build Apache with mod_ssl, unpack both source trees under the same parent directory.

Start the build in the mod_ssl source directory (the version placeholders apache_1.3.x and openssl-x.x.x stand for the unpacked source directories):

./configure --with-apache=../apache_1.3.x \
--with-ssl=../openssl-x.x.x \
--prefix=/CA/apache

After this step, switch to the Apache source directory and build, generate the server certificate and install:

cd ../apache_1.3.x
make
make certificate
make install

A short note on Apache with mod_ssl: some of the files created under the Apache directory /CA/apache are:

*conf/ssl.key/server.key - the private key of the web server.
*conf/ssl.crt/server.crt - the certificate of the web server (which carries its public key).
*conf/ssl.csr/server.csr - the certificate signing request to be sent to a valid and recognised CA.
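The three files above must belong to the same key pair, and the private key must not be readable by other users on the web server. The following check is an added example, not part of the original article or of OpenCA; it assumes the openssl command-line tool and defaults to the /CA/apache/conf layout described above, and it includes a constructed fixture so it can be tried offline.

```shell
#!/bin/sh
# Added example (not from the original article or from OpenCA): verifies that
# server.key, server.crt and server.csr share one RSA modulus and that the
# private key is mode 600 or 400. Assumes the openssl CLI is installed.

# Print the MD5 fingerprint of the RSA modulus in a key, certificate or CSR.
modulus_of() {
    case "$1" in
        key) cmd="rsa" ;; crt) cmd="x509" ;; csr) cmd="req" ;;
    esac
    mod=$(openssl "$cmd" -in "$2" -noout -modulus 2>/dev/null) || return 1
    printf '%s' "$mod" | openssl md5 | awk '{print $NF}'
}

# Return 0 when all three files match and the key is private; 1 if a file is
# missing/unreadable, 2 on modulus mismatch, 3 if the key mode is too open.
check_ssl_files() {
    dir="${1:-/CA/apache/conf}"          # assumed default layout
    key="$dir/ssl.key/server.key"; crt="$dir/ssl.crt/server.crt"; csr="$dir/ssl.csr/server.csr"
    for f in "$key" "$crt" "$csr"; do
        [ -r "$f" ] || { echo "missing: $f" >&2; return 1; }
    done
    k=$(modulus_of key "$key"); c=$(modulus_of crt "$crt"); r=$(modulus_of csr "$csr")
    if [ -z "$k" ] || [ "$k" != "$c" ] || [ "$k" != "$r" ]; then
        echo "modulus mismatch: key=$k crt=$c csr=$r" >&2; return 2
    fi
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")   # GNU, then BSD stat
    case "$mode" in
        600|400) echo "ok: files in $dir match, key mode $mode" ;;
        *) echo "private key $key has mode $mode, expected 600" >&2; return 3 ;;
    esac
}

# Constructed fixture (throwaway key, CSR and self-signed certificate) laid
# out like /CA/apache/conf, so the check can be exercised without a real CA.
make_fixture() {
    d="$1"; mkdir -p "$d/ssl.key" "$d/ssl.crt" "$d/ssl.csr"
    openssl genrsa -out "$d/ssl.key/server.key" 2048 2>/dev/null
    openssl req -new -key "$d/ssl.key/server.key" -subj "/CN=ca.example.test" \
        -out "$d/ssl.csr/server.csr" 2>/dev/null
    openssl x509 -req -in "$d/ssl.csr/server.csr" -signkey "$d/ssl.key/server.key" \
        -days 1 -out "$d/ssl.crt/server.crt" 2>/dev/null
    chmod 600 "$d/ssl.key/server.key"
}
```

Run check_ssl_files with no argument on the real server after make install, or with a directory created by make_fixture to see the pass and fail paths.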

iv) PostgreSQL Installation

The PostgreSQL source code can be downloaded from ftp://ftp.metu.edu.tr/pub/mirrors/ftp.postgresql.org.

Run the following commands in the PostgreSQL source directory:

./configure --prefix=/CA/pgsql
make
make install

The database server needs a data directory for its storage area; create it with:

mkdir /CA/pgsql/data

The administrative user of the PostgreSQL database server is "postgres". This user must be created on the system and made the owner of the data directory:

adduser postgres
chown postgres:postgres /CA/pgsql/data

The following commands initialise the database cluster and start the server (the -i option enables TCP/IP connections, which the OpenCA configuration below uses to reach localhost; the server is started in the background with its output in postgres.log):

su - postgres
/CA/pgsql/bin/initdb -D /CA/pgsql/data
/CA/pgsql/bin/postmaster -i -D /CA/pgsql/data > postgres.log 2>&1 &

Once the PostgreSQL server is running, the "openca" database user and the openca database must be created (the RA server configured below uses a separate database named opencara, which is created the same way):

/CA/pgsql/bin/createuser openca
/CA/pgsql/bin/createdb openca
/CA/pgsql/bin/createdb opencara

v) OpenCA - CA Server Installation

The OpenCA source code is available at http://www.openca.org. As mentioned earlier, OpenCA is public key infrastructure software written in Perl.

To install the OpenCA CA server, run the following commands in the OpenCA source directory. The dotted values after each option are placeholders for your own site's settings (there must be no space between "=" and the value); xxxx stands for the database port and xxxxxx for the database password:

./configure --prefix=/CA/srv/ca \
--with-web-host=ca.server.domain.name \
--with-httpd-host=ca.httpd.server.domain.name \
--with-httpd-user=httpd.user.name \
--with-httpd-group=httpd.group.name \
--with-dist-user=user.responsible.for.the.server \
--with-dist-group=group.responsible.for.the.server \
--with-ca-organization=name.of.the.organization.using.the.ca.server \
--with-ca-locality=city.where.the.ca.server.is.located \
--with-ca-country=country.code.of.the.ca.server \
--with-service-mail-account=ca.service@domain.name \
--with-openssl-prefix=/CA \
--with-sendmail="/usr/sbin/sendmail -t" \
--with-hierarchy-level=ca \
--enable-dbi \
--with-db-type=Pg \
--with-db-name=openca \
--with-db-host=localhost \
--with-db-port=xxxx \
--with-db-user=openca \
--with-db-passwd="xxxxxx"
make install-ca

Besides the packages above, the "BerkeleyDB" and "gettext" packages are also required for the installation, if they are not already on the system.

BerkeleyDB Installation:

The source can be obtained from http://www.sleepycat.com/download/index.shtml. The installation is completed with the following commands, run from the unpacked source directory:

cd build_unix
../dist/configure --prefix=/CA
make
make install

vi) OpenCA - RA Server Installation

The RA server is installed in the same way as the CA server; the options use the same placeholders as above, with the hierarchy level set to ra and a separate database:

./configure \
--prefix=/CA/srv/ra \
--with-web-host=ra.server.domain.name \
--with-httpd-host=ra.httpd.server.name \
--with-httpd-user=httpd.user.name \
--with-httpd-group=httpd.group.name \
--with-dist-user=responsible.user.name \
--with-dist-group=responsible.group.name \
--with-ca-organization=name.of.the.organization.where.the.ca.server.is.located \
--with-ca-locality=city.where.the.ca.server.is.located \
--with-ca-country=country.code.of.the.ca.server \
--with-service-mail-account=ca.service@domain.name \
--enable-dbi \
--with-openssl-prefix=/CA \
--with-sendmail="/usr/sbin/sendmail -t" \
--with-hierarchy-level=ra \
--with-db-type=Pg \
--with-db-name=opencara \
--with-db-host=localhost \
--with-db-port=xxxx \
--with-db-user=openca
make install-ext

Once all of the installations are complete, OpenCA will still need some changes in its configuration directories to match the system set up here. Editing the configuration files of this OpenCA installation and defining the menu actions for users will be covered in our next issue.

Feyza (Taşkazan) Eryol
