Appendix E. FAQ

Table of Contents

1. General PKI Issues
1.1. What is a certificate?
1.2. Which information does a certificate contain?
1.3. What is a request?
1.4. Which information does a CSR contain?
1.5. What is a CA?
1.6. Why should I not place the CA on the same machine as the RA?
1.7. What is an extension?
1.8. I use Windows 2000 and Internet Explorer 6 SP1 and it doesn't show any CSPs.
1.9. How can I setup a sub CA?
2. General OpenCA Issues
2.1. Is it possible to revoke a certificate without any user interaction?
2.2. I try to add a role and get the message The role XYZ exists already!
2.3. All cryptographic operations fail.
2.4. Apache's error_log reports a nonexistent option -subj of openssl req
2.5. Apache's error_log contains a message from IBM DB2 that the environment is not set
2.6. What are the new features of 0.9.2?
2.7. I try to approve and sign a request with Mozilla and it fails.
2.8. I try to approve and sign a request with Konqueror (KDE) and it fails.
2.9. What is the format of the disk used to import the CA certificate from the root CA?
2.10. OpenSSL reports entry 1: invalid expiry date
2.11. Outlook cannot encrypt mail with imported certificate
2.12. My Outlook freezes after I received a signed email
2.13. General Error 6751 during certificate issuing
2.14. What do I have to do to create a new release?
2.15. How can I configure Mozilla for OCSP?
2.16. Error 7211021: Cannot create request!
3. Installation Issues
3.1. FreeBSD, OpenBSD and OpenCA
3.2. Solaris and OpenCA
3.3. What is a hierarchy level?
3.4. Undefined subroutine &main::xyz
3.5. Symbolic link installation failed
3.6. After the installation all common parts are missing
3.7. Conflicting Modules
3.8. The xml path to the access control is missing
3.9. Unknown Login Type
3.10. Type Mismatch during request generation with Internet Explorer
3.11. openca(_rc) start failed
3.12. Missing modules
4. Configuration Issues
4.1. How can I configure my httpd.conf for virtual hosts?
4.2. How can I configure virtual hosts with ./configure?
4.3. I have some users who should not be published in LDAP. Is that possible with OpenCA?
4.4. Is it possible to authenticate users by their certificates in Apache before they are authenticated by OpenCA itself?
4.5. I want to update my 0.9.2 installation. Is this dangerous?
4.6. I want to update to 0.9.2. How can I update my SQL database?
4.7. If I run openca-ocspd then I obtain a segmentation fault.
4.8. I installed a second public interface and ran configure_etc.sh, and now all the paths in the other public interface are wrong.
4.9. I issued a certificate for a mail server, but sendmail doesn't work and reports an error message which includes reason=unsupported certificate purpose
4.10. My (Microsoft) client hangs after it tries to start a secured connection
4.11. Outlook freezes when receiving a signed mail, but it worked fine for some days
4.12. During the request generation OpenCA fails and reports a too short text field
4.13. Can I place my organization's logo on the web interface?
4.14. Cannot create new OpenCA tokenobject
4.15. How can I use a Luna token with OpenCA 0.9.1
4.16. How can I include a complete certificate chain into a PKCS#12 file?
4.17. Unknown login type
4.18. Cannot initialize cryptoshell but OpenSSL path is correct
4.19. Email address in subjectAltName but not in CA subject
4.20. Missing environment variables from SSL
4.21. Problems with the country name during PKCS#10 requests
5. Access Control problems
5.1. Always get a login screen - again and again
5.2. Error 6251023: Aborting connection - you are using a wrong channel
5.3. Error 6251026: Aborting connection - you are using a wrong security protocol
5.4. Error 6251029: Aborting connection - you are using the wrong computer
5.5. Error 6251033: Aborting connection - you are using a wrong asymmetric cipher
5.6. Error 6251036: Aborting connection - you are using a too short asymmetric keylength
5.7. Error 6251039: Aborting connection - you are using a wrong symmetric cipher
5.8. Error 6251043: Aborting connection - you are using a too short symmetric keylength
6. Data exchange
6.1. I try to export something but I get error 512 permission denied for /dev/fd0
6.2. I try to import the CA certificate but it doesn't work.
6.3. I crashed the database of the online server and now I want to import all data again. How can I do it?
6.4. I try to export the requests to the CA but it doesn't work
7. LDAP
7.1. Error message: Connection refused.
7.2. Error message: Bind failed. Error code 49.
7.3. The result code of the node insertion was 65.
7.4. How can I get more debugging messages from OpenCA's LDAP code?
7.5. How can I get more debugging messages from OpenLDAP?
8. Internationalization
8.1. How can I fix a misspelling for a language?
8.2. How can I add a new language?
8.3. The compilation/make fails on the Perl module gettext
8.4. MySQL and SET NAMES error messages

1. General PKI Issues

1.1. What is a certificate?

A certificate is a so-called digital ID card. The correctness of a certificate is guaranteed by a certificate from a higher level of the hierarchy. Such a certificate is called a CA certificate.

1.2. Which information does a certificate contain?

Certificate information

  • serial number of the certificate

  • a subject (name)

  • the corresponding public key to the private key of the certificate owner

  • the name of the issuer

  • the version of the certificate

  • the cryptographic algorithms used to create the certificate

  • the validity period

  • some extensions

  • the digital signature of the certificate

1.3. What is a request?

There are two types of requests: CSRs (certificate signing requests) and CRRs (certificate revocation requests). CSRs are used to ask a trust center for a certificate. CRRs are used to ask a trust center to revoke a certificate if it is compromised. There are two important standards for CSRs, PKCS#10 and SPKAC. OpenCA can handle both standards automatically.

1.4. Which information does a CSR contain?

CSR information

  • a subject (name)

  • the version of the request

  • the corresponding public key to the private key of the certificate owner

  • some attributes
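The two lists in 1.2 and 1.4 can be checked against real objects. The following script is an added example and is not part of the OpenCA documentation; it drives the OpenSSL command line (which OpenCA itself calls) to create a throwaway PKCS#10 request and a self-signed certificate, then reads back each listed field. The file names, subject names and lifetime are constructed for this demo, and an OpenSSL binary on the PATH is assumed.

```shell
#!/bin/sh
# Added example, not part of the OpenCA documentation. It drives the OpenSSL
# CLI (which OpenCA itself calls) to build a throwaway PKCS#10 request and a
# self-signed certificate, then reads back the fields listed in 1.2 and 1.4.
# File names, subject names and lifetimes are constructed for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# A PKCS#10 request carries a subject, the request version, the public key of
# the key pair just generated, and attributes. It has no issuer, serial number
# or validity period: those are set by the CA when it signs.
openssl req -new -newkey rsa:2048 -nodes \
    -subj "/C=XX/O=Example Org/CN=Example CA" \
    -keyout "$WORK/cakey.pem" -out "$WORK/careq.pem" 2>/dev/null

# Turn the request into a self-signed certificate. The extension file supplies
# the extensions; the signer (here the same key) adds serial number, issuer,
# validity period, signature algorithm and signature.
cat > "$WORK/ext.cnf" <<'EOF'
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
openssl x509 -req -sha256 -days 365 -in "$WORK/careq.pem" -signkey "$WORK/cakey.pem" \
    -extfile "$WORK/ext.cnf" -extensions v3_ca -out "$WORK/cacert.pem" 2>/dev/null

# Read single fields back. RFC 2253 name output is stable across OpenSSL versions.
csr_subject()  { openssl req  -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'; }
cert_field()   { openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed "s/^$2= *//"; }
cert_version() { openssl x509 -in "$1" -noout -text | sed -n 's/^ *Version: \([0-9]\).*/\1/p'; }
cert_sig_alg() { openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1; }
cert_has_ext() { openssl x509 -in "$1" -noout -text | grep -q "X509v3 $2"; }
# The public key inside the certificate must be the one belonging to the
# owner's private key; compare the PEM encodings of both public keys.
cert_key_match() {
    if [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]; then
        echo match
    else
        echo mismatch
    fi
}

echo "CSR subject:     $(csr_subject "$WORK/careq.pem")"
echo "Cert subject:    $(cert_field "$WORK/cacert.pem" subject)"
echo "Cert issuer:     $(cert_field "$WORK/cacert.pem" issuer)"
echo "Cert serial:     $(cert_field "$WORK/cacert.pem" serial)"
echo "Cert version:    $(cert_version "$WORK/cacert.pem")"
echo "Signature alg:   $(cert_sig_alg "$WORK/cacert.pem")"
openssl x509 -in "$WORK/cacert.pem" -noout -dates
echo "Key matches:     $(cert_key_match "$WORK/cacert.pem" "$WORK/cakey.pem")"
```

Because the certificate is self-signed, its issuer equals its subject; in a hierarchy the issuer is the subject of the CA certificate one level up. The key comparison is the check a CA should make before trusting a request: the public key in the request must belong to the private key the requester actually holds, which the request's own signature proves.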

1.5. What is a CA?

1.6. Why should I not place the CA on the same machine as the RA?

1.7. What is an extension?

1.8. I use Windows 2000 and Internet Explorer 6 SP1 and it doesn't show any CSPs.

It is fairly well known that there are two versions of Xenroll.dll used by versions of IE to create certificate requests, manage CSPs and so on. Since version 0.9.1 OpenCA has managed them via the ieCSR.vbs scripts.

We have noticed that if a user has Windows 2000 and IE6 SP1, then the version of xenroll.dll does not work and the user sees no CSPs to manage their certificates with. A patch from Microsoft (323172) is required for Windows 2000, or the system needs to be upgraded to SP3. You can host a copy of the latest xenroll.dll on your web site under a CertControl directory and it will be downloaded and installed automatically.

As far as we can tell, the latest xenroll.dll is a different file, but shares the same identifiers as the pre-patched version. We have noticed that ieCSR.vbs (as of 0.9.1) is written in such a way as not to expect a non-working version of xenroll.dll, so there is a bit of a gap.

1.9. How can I setup a sub CA?

  1. Initialize the SubCA (initialize database, generate secret key, generate request)

  2. Export the request.

  3. Untar the export (to get careq.pem). The next steps are only correct if you use OpenCA for your Root CA.

  4. Point to the Root CA public interface -> request a certificate -> server request -> browse for careq.pem and submit the request.

  5. Point to the Root CA RA interface and approve the request, then upload it to the Root CA's CA interface; on the CA interface, issue the certificate.

  6. Download the certificate for the sub CA via the RA or public interface of the Root CA.

  7. Rename the file to cacert.pem and manually make a new tar.

  8. Point your browser to the SubCA CA interface and import the CA certificate approved by the Root CA.
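The same Root CA -> Sub CA -> end-entity flow, reduced to the two files the steps above move around (careq.pem and cacert.pem), as an added example that is not part of the OpenCA documentation. It uses the bare OpenSSL command line instead of the OpenCA web interfaces, so every step is visible; file names, subject names and lifetimes are constructed for this demo, and an OpenSSL binary on the PATH is assumed.

```shell
#!/bin/sh
# Added example, not part of the OpenCA documentation: Root CA signs a Sub CA
# request, the Sub CA issues an end-entity certificate, and OpenSSL verifies
# the chain. File names, subjects and lifetimes are constructed for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extensions for the three kinds of certificate. pathlen:0 stops the Sub CA
# from creating further CAs below itself; keyUsage limits what each key may sign.
cat > "$WORK/ext.cnf" <<'EOF'
[ root_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ sub_ca ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ end_entity ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF

# new_request DIR NAME SUBJECT: generate a key pair and a PKCS#10 request
new_request() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# Root CA: self-signed, the top of the hierarchy (nothing above it vouches for it).
new_request "$WORK" root "/C=XX/O=Example Org/CN=Example Root CA"
openssl x509 -req -sha256 -days 3650 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/ext.cnf" -extensions root_ca -out "$WORK/root.pem" 2>/dev/null

# Sub CA, steps 1-3: initialise and export the request (this is careq.pem).
new_request "$WORK" sub "/C=XX/O=Example Org/CN=Example Sub CA"
cp "$WORK/sub.csr" "$WORK/careq.pem"

# Root CA, steps 4-6: approve and issue. The result, renamed in step 7, is the
# cacert.pem that step 8 imports into the Sub CA.
openssl x509 -req -sha256 -days 1825 -in "$WORK/careq.pem" \
    -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/ext.cnf" -extensions sub_ca -out "$WORK/cacert.pem" 2>/dev/null

# The Sub CA now issues an end-entity certificate with its own key.
new_request "$WORK" leaf "/C=XX/O=Example Org/CN=www.example.test"
openssl x509 -req -sha256 -days 365 -in "$WORK/leaf.csr" \
    -CA "$WORK/cacert.pem" -CAkey "$WORK/sub.key" -CAcreateserial \
    -extfile "$WORK/ext.cnf" -extensions end_entity -out "$WORK/leaf.pem" 2>/dev/null

# verify_cert ROOT CERT [INTERMEDIATE]: prints OK when OpenSSL can build a chain
# from CERT up to ROOT, FAIL otherwise (for example when the Sub CA cert is missing).
verify_cert() {
    if [ $# -ge 3 ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1 && echo OK || echo FAIL
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && echo OK || echo FAIL
    fi
}
issuer_of() { openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//'; }

echo "Sub CA issued by:        $(issuer_of "$WORK/cacert.pem")"
echo "Leaf issued by:          $(issuer_of "$WORK/leaf.pem")"
echo "Sub CA against root:     $(verify_cert "$WORK/root.pem" "$WORK/cacert.pem")"
echo "Leaf with full chain:    $(verify_cert "$WORK/root.pem" "$WORK/leaf.pem" "$WORK/cacert.pem")"
echo "Leaf without Sub CA:     $(verify_cert "$WORK/root.pem" "$WORK/leaf.pem")"
```

The last line is the practical reason for step 8: a relying party that only trusts the Root CA cannot validate an end-entity certificate unless the Sub CA certificate is also available, so the Sub CA must hold its own cacert.pem and hand it out together with the certificates it issues.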