a) OpenCA Structure:
Unlike some other PKI products, OpenCA is split into a certificate authority server and a registration authority server.
The certificate authority server (CA) is where the certificates are kept, so it is normally planned as a machine with no network connection. It is responsible for storing the user certificates and keeping track of the transactions, using either an LDAP directory server or a database server.
The registration authority server (RA) is responsible for accepting certificate transactions (requests, changes, revocations, etc.) from users interactively, having them approved by the RA operators, and publishing the results on web pages for other users.
b) The Necessary Software for Installing and Operating OpenCA:
For OpenCA to run, a Unix-based operating system, the OpenSSL cryptographic library built on it, a web server (Apache compiled with mod_ssl), OpenLDAP, Perl and a number of Perl modules are required.
c) Installing the OpenCA:
For the installation it is assumed that the latest versions of all the sources have been downloaded from the FTP sites, unpacked, and are to be installed under the /CA directory.
OpenCA can be run with either a directory server or a database server. The OpenCA installation described here is the one running with a database server.
i) Perl Modules Needed
These modules must be installed on the designated machine. They can be downloaded from ftp://ftp.ulak.net.tr/pub/CPAN/modules.
To install them, change into the source directory of each module and enter the commands below:
ii) OpenSSL Installation
The latest version of OpenSSL can be downloaded from ftp://ftp.metu.edu.tr/pub/mirrors/ftp.openssl.org.
To install it, change into the OpenSSL source directory and enter the commands below (both options take a leading double dash):
./config --prefix=/CA --openssldir=/CA/ssl
iii) mod_ssl and Apache 1.3.x Installation
For an SSL-enabled Apache, the mod_ssl package matching the Apache version to be installed can be downloaded from ftp://ftp.metu.edu.tr/pub/mirrors/ftp.modssl.org/source.
The Apache source code itself can be downloaded from ftp://ftp.metu.edu.tr/pub/mirrors/ftp.apache.org/httpd.
To build Apache with mod_ssl, the two source archives must be unpacked side by side under the same parent directory.
The installation starts in the mod_ssl source directory (the option takes a double dash; the path is the directory the Apache source was unpacked into):
./configure --with-apache=../apache.1.3.x \
After the step above, the installation continues by switching to the Apache source directory.
A short note on Apache with mod_ssl: some of the files under the Apache directory /CA/apache are:
*conf/ssl.key/server.key - The private key of the web server. It should be readable by root only; Apache reads it at start-up.
*conf/ssl.crt/server.crt - The web server's certificate, i.e. its public key signed by the CA.
*conf/ssl.csr/server.csr - The certificate signing request to be sent to a valid, known CA.
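The three files above are produced and consumed in a fixed order: generate the key, derive a CSR from it, send the CSR to the CA, and install the certificate that comes back. The shell functions below are an added example, not code from the article or from the OpenCA project; they create the key and CSR in the article's /CA/apache layout with a restrictive umask, and refuse to install a returned certificate unless its RSA modulus matches the key (the classic openssl CLI check). They assume openssl is in PATH; APACHE_ROOT and the subject DN are placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): key, CSR and certificate
# handling for the Apache/mod_ssl files listed above.
# Assumed: openssl in PATH; APACHE_ROOT defaults to the article's /CA/apache;
# the subject DN passed in is a placeholder.

APACHE_ROOT="${APACHE_ROOT:-/CA/apache}"

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 if a private key file is readable by its owner only (0600 or 0400).
key_is_private() {
    [ -f "$1" ] || return 1
    case "$(file_mode "$1")" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Generate an RSA key and a CSR for the web server.
# $1 = key path, $2 = csr path, $3 = subject DN, e.g. "/C=TR/O=Example/CN=ra.example.org"
make_server_key_and_csr() {
    key="$1"; csr="$2"; subject="$3"
    # umask in a subshell so the key is never created group/world-readable
    (umask 077 && openssl genrsa -out "$key" 2048 >/dev/null 2>&1) || return 1
    chmod 600 "$key"
    openssl req -new -key "$key" -out "$csr" -subj "$subject" >/dev/null 2>&1
}

# Return 0 if the certificate's public key is the one in the private key file.
cert_matches_key() {
    crt="$1"; key="$2"
    crt_mod=$(openssl x509 -noout -modulus -in "$crt" 2>/dev/null) || return 1
    key_mod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null) || return 1
    [ -n "$crt_mod" ] && [ "$crt_mod" = "$key_mod" ]
}

# Install a CA-issued certificate as server.crt only if it matches the key.
install_server_cert() {
    crt="$1"; key="$2"; dest="$3"
    cert_matches_key "$crt" "$key" || return 1
    cp "$crt" "$dest" && chmod 644 "$dest"
}

# Usage (not executed when the file is sourced):
#   make_server_key_and_csr "$APACHE_ROOT/conf/ssl.key/server.key" \
#       "$APACHE_ROOT/conf/ssl.csr/server.csr" "/C=TR/O=Example/CN=ra.example.org"
#   key_is_private "$APACHE_ROOT/conf/ssl.key/server.key" || echo "server.key is too open"
#   install_server_cert /tmp/issued.crt "$APACHE_ROOT/conf/ssl.key/server.key" \
#       "$APACHE_ROOT/conf/ssl.crt/server.crt"
```

The modulus comparison catches the common mistake of installing a certificate that was issued for an earlier CSR (and therefore an earlier key); Apache would then fail at start-up with a key/certificate mismatch, or worse, serve a certificate whose key is still lying around on another host.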
iv) Postgresql Installation
The PostgreSQL source code can be downloaded from ftp://ftp.metu.edu.tr/pub/mirrors/ftp.postgresql.org.
The commands below must be entered in the PostgreSQL source directory:
The data directory that the database management system will use for its data must then be defined.
The administrative user of the PostgreSQL database management system is "postgres". This user must be created on the system and made the owner of the data directory:
chown postgres:postgres /CA/pgsql/data
The commands below initialize the database cluster and start the server. Note that -i makes postmaster accept TCP/IP connections as well as Unix-socket connections, so access must then be restricted in pg_hba.conf; leave -i out if only local clients need the database.
su - postgres
/CA/pgsql/bin/initdb -D /CA/pgsql/data
/CA/pgsql/bin/postmaster -i -D /CA/pgsql/data > postgres.log 2>&1 &
Once the PostgreSQL database management system is running, the "openca" database user and the openca database itself must be created.
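The data directory created above has to be mode 0700 and owned by postgres (postmaster refuses to start otherwise), and because the server was started with -i, pg_hba.conf is what keeps the openca database off the network. The following is an added example, not code from the article or from OpenCA: it checks the data directory, emits a pg_hba.conf that admits the openca role only from loopback with a password, flags any TCP rule that still uses "trust", and creates the role and database with the password fed over stdin. It assumes the article's /CA/pgsql paths and the PostgreSQL 7.3-or-later pg_hba.conf format (USER column, md5 method; use "password" on older releases).

```shell
#!/bin/sh
# Added example, not from the original article: lock down the PostgreSQL
# instance behind OpenCA. Assumed: the article's paths (/CA/pgsql), the
# "postgres" superuser, and a PostgreSQL 7.3+ pg_hba.conf format.

PGDATA="${PGDATA:-/CA/pgsql/data}"
PGBIN="${PGBIN:-/CA/pgsql/bin}"

file_mode()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
file_owner() { stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"; }

# postmaster refuses a data directory that is group- or world-accessible,
# so require mode 0700 and the expected owner (default: postgres).
data_dir_ok() {
    dir="$1"; owner="${2:-postgres}"
    [ -d "$dir" ] || return 1
    [ "$(file_mode "$dir")" = 700 ] || return 1
    [ "$(file_owner "$dir")" = "$owner" ]
}

# pg_hba.conf for the OpenCA host: the superuser only over the Unix socket,
# the openca role only to the openca database from loopback with a password,
# everything else rejected. Write it to $PGDATA/pg_hba.conf and restart.
pg_hba_openca() {
    cat <<'EOF'
# TYPE  DATABASE  USER      IP-ADDRESS  IP-MASK          METHOD
local   all       postgres                               trust
host    openca    openca    127.0.0.1   255.255.255.255  md5
host    all       all       0.0.0.0     0.0.0.0          reject
EOF
}

# Return 0 unless some TCP rule ("host", "hostssl", ...) uses "trust", which
# would let anyone who can reach the -i listener log in without a password.
pg_hba_is_tight() {
    open_rules=$(awk '$1 !~ /^#/ && $1 ~ /^host/ && $NF == "trust"' "$1")
    [ -z "$open_rules" ]
}

# Create the openca role and database (run as postgres). The password goes in
# over stdin rather than as a -c argument, so it does not appear in "ps".
# (CREATE DATABASE ... WITH OWNER needs PostgreSQL 7.3 or later.)
create_openca_db() {
    "$PGBIN/psql" -U postgres -d template1 <<EOF
CREATE USER openca WITH PASSWORD '$1';
CREATE DATABASE openca WITH OWNER openca;
EOF
}

# Usage (not run when the file is sourced):
#   data_dir_ok "$PGDATA" postgres || echo "chown postgres:postgres $PGDATA; chmod 700 $PGDATA"
#   pg_hba_openca > "$PGDATA/pg_hba.conf"
#   pg_hba_is_tight "$PGDATA/pg_hba.conf" || echo "pg_hba.conf still has trust rules over TCP"
#   create_openca_db 'choose-a-strong-password'
```

The same password then goes into OpenCA's database configuration on the CA server; nothing else on the network should be able to reach the listener, which is why the final pg_hba.conf line rejects everything the earlier lines did not match.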
v) OpenCA - CA Server Installation
The OpenCA source code is available at http://www.openca.org. As mentioned earlier, OpenCA is public key infrastructure software written in Perl.
To install the OpenCA CA server, enter the commands below in the OpenCA source directory. The dotted values are placeholders to be replaced with your own settings (no space after the equals sign):
./configure --prefix=/CA/srv/ca \
--with-web-host=ca.server.fully.qualified.host.name \
--with-httpd-user=httpd.user.name \
--with-httpd-group=httpd.group.name \
--with-dist-user=name.of.user.responsible.for.the.server \
--with-dist-group=name.of.group.responsible.for.the.server \
--with-ca-organization=name.of.the.organization.operating.the.ca.server \
--with-ca-locality=province.where.the.ca.server.is.located \
--with-ca-country=two.letter.country.code.of.the.ca.server \
--with-sendmail="/usr/sbin/sendmail -t" \
Besides the packages above, the "BerkeleyDB" and "gettext" packages are also required for the installation if they are not already on the system.
The BerkeleyDB source can be obtained from http://www.sleepycat.com/download/index.shtml. With the commands below:
the installation can be completed.
vi) OpenCA - RA Server Installation
The RA server installation follows the same pattern as the CA installation; only the tail of the configure command is shown here, again with dotted placeholders:
--with-dist-user=name.of.responsible.user \
--with-dist-group=name.of.responsible.group \
--with-ca-organization=name.of.the.organization.operating.the.ca.server \
--with-ca-locality=province.where.the.ca.server.is.located \
--with-ca-country=two.letter.country.code.of.the.ca.server \
--with-sendmail="/usr/sbin/sendmail -t" \
After all the installations are complete, some changes must still be made in the configuration directories for OpenCA to work properly with the system set up here. Editing the configuration files of the OpenCA installation and defining the menu actions for users will be covered in our next issue.
Feyza (Taşkazan) Eryol