Appendix D. OpenCA Installation details

Table of Contents
Software installation sequence
openssl.cnf configuration for OpenCA

As described in Figure 7-1, OpenCA requires three distinct servers. However, this makes the software less accessible. We describe how to install all the components on a single computer.

We take on the role of Woody Allen's character in the movie "Bananas", who, while on trial in court, played both the defendant and the lawyer by switching places quickly.

First, we determine the software components to install and the server on which we install them.

Table D-1. Software installation matrix

Software                CAServer    RAServer    RAOperator
Perl Generic modules
OpenCA Perl modules
WWW Server
SSL/TLS module
LDAP Server
OpenSSL

Note

The above table is not yet final and is subject to changes as the project evolves.

Using the above table, you may proceed with the installation, as described in the following chapters. Keep in mind that if you are doing an all-in-one installation (all servers on a single workstation), then you do not need to install the same software component multiple times or in different directories. We will note any special configuration setting to be made in regard to this issue.

Software installation sequence

It is recommended that the software components be installed in this sequence:

Installation of Perl modules

Information about how to find the latest version of a Perl module can be found at Appendix A.

Note

These Perl modules must be installed in the sequence shown because of dependencies. However, if you get the sequence wrong, you receive an informative error indicating which module was skipped.

  1. Convert::BER is a perl object class implementation to encode and decode objects as described by ITU-T standard X.209 (ASN.1) using Basic Encoding Rules (BER). The filename is Convert-BER-1.26.tar.gz

  2. MIME::Base64 and MIME::QuotedPrint provide a base64 encoder/decoder and a quoted-printable encoder/decoder. These encoding methods are specified in RFC 2045 – MIME (Multipurpose Internet Mail Extensions). The filename is MIME-Base64-2.11.tar.gz

  3. The URI perl object class provides functionality regarding the Uniform Resource Identifier, as specified in RFC 2396. The filename is URI-1.04.tar.gz

  4. The Digest::* perl object class provides implementations for the MD5 (RFC 1321), MD2 (RFC 1319) and SHA-1 (FIPS PUB 180-1) hash functions. Also, an implementation of the HMAC (RFC 2104) MAC function is provided. The filename is Digest-MD5-2.09.tar.gz

  5. perl-ldap provides access to LDAP servers. It requires Convert::BER to be installed on your system first. The filename is perl-ldap-0.13.tar.gz

  6. I have the idea that this and the above have overlapping functionality. The filename is Net-LDAPapi-1.42.tar.gz
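As an added example (not a script from the OpenCA distribution), the following POSIX sh script builds and installs the six modules above in the listed order, checks the Convert::BER prerequisite before perl-ldap, and stops at the first module that fails to build or to load; the SRC_DIR location is an assumption.

```shell
#!/bin/sh
# Builds and installs the Perl modules in the order the text prescribes,
# verifying after each one that the module actually loads.
# Assumed: the tarballs were downloaded into SRC_DIR (hypothetical path).
SRC_DIR="${SRC_DIR:-/usr/local/src/openca-perl}"

# One line per tarball: "archive|module to load-test with perl -M".
# The order is the dependency order given in the text.
MODULES="Convert-BER-1.26.tar.gz|Convert::BER
MIME-Base64-2.11.tar.gz|MIME::Base64
URI-1.04.tar.gz|URI
Digest-MD5-2.09.tar.gz|Digest::MD5
perl-ldap-0.13.tar.gz|Net::LDAP
Net-LDAPapi-1.42.tar.gz|Net::LDAPapi"

# Name of the directory a tarball unpacks into (archive suffix removed).
dist_dir() { printf '%s\n' "${1%.tar.gz}"; }

# Archive name at position $1 (1-based) of the install sequence.
nth_tarball() { printf '%s\n' "$MODULES" | sed -n "${1}p" | cut -d'|' -f1; }

# Succeeds only if Perl can load the named module.
module_present() { perl -M"$1" -e 1 >/dev/null 2>&1; }

# The one hard prerequisite the text names: perl-ldap needs Convert::BER.
prereqs_met() {
    case "$1" in
        perl-ldap-*) module_present Convert::BER ;;
        *)           return 0 ;;
    esac
}

# Unpack, build, test and install one module, then confirm it loads.
install_one() {
    tarball=$1 module=$2
    prereqs_met "$tarball" || { echo "skipping $tarball: prerequisite missing" >&2; return 1; }
    (cd "$SRC_DIR" && tar xzf "$tarball" && cd "$(dist_dir "$tarball")" \
        && perl Makefile.PL && make && make test && make install) || return 1
    module_present "$module" || { echo "$module does not load after install" >&2; return 1; }
}

# Walk the whole sequence, stopping at the first failure.
install_all() {
    printf '%s\n' "$MODULES" | while IFS='|' read -r tarball module; do
        install_one "$tarball" "$module" || exit 1
    done
}

if [ "${1:-}" = "--run" ]; then install_all; fi
```

Run it as root with `--run` once the tarballs are in place; without the flag it only defines the functions.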

Installation of OpenCA–specific modules

The OpenCA-specific modules can be found either at CPAN or at the OpenCA WWW site.

The functionality of these perl modules is not entirely OpenCA–specific. In general, they help to parse configuration files.

  1. This perl module is used in order to access the configuration files of OpenCA. Currently, the configuration files are

    • ca.conf

    • raserver.conf

    • secure.cnf

    The filename is OpenCA-Configuration-1.2.tar.gz

  2. This perl module provides access to configuration variables that can have three states. It is used to ease the access to the OpenCA configuration files. The filename is OpenCA-TRIStateCGI-1.02.tar.gz

Installation of OpenCA

This is described in three major sections: the installation of the CAServer, the RAServer and the RAOperator(s).

The installation procedure involves setting up the configuration files, copying the HTML pages to the appropriate directories and finally adding the CGI scripts in the corresponding directories.

CAServer Installation

This is the installation of the Certification Authority. Please refer to Figure 7-1 for more information.

It is assumed that you have uncompressed and untarred the OpenCA software with the following command.

        root# tar xvfz OpenCA-0.2.0.tar.gz

To install the software, enter the directory created (OpenCA-0.2.0) and type

        root# make install-ca

Use the following parameters when installing the OpenCA component for the CAServer.

Table D-2. CAServer installation parameters

Parameter                         Value
OpenSSL installation directory    /usr/local/ssl
Base directory for CAServer       /usr/local/RAServer
Webserver user                    nobody.nobody
Use found OpenSSL command         Y
Continue installation             yes
Edit openssl.cnf                  Check the section called openssl.cnf configuration for OpenCA

Subsequently, to install the WWW pages that accompany the CAServer do

        root# make install-ca-web

Use the following parameters when installing the WWW pages of the OpenCA component for the CAServer.

Table D-3. RAServer WWW Server installation parameters

Parameter                 Value
HTML pages directory      /usr/local/apache/htdocs/ca
CGI directory             /usr/local/apache/cgi-bin
Continue installation     yes

Finally, follow the instructions from the WWW pages to initialise the CAServer by creating the CA private key and certificate.

RAServer Installation

This is the installation of the Registration Authority. Please refer to Figure 7-1 for more information.

Note

The RAServer is supposed to be installed on a separate system from the CAServer. Furthermore, it is assumed that the steps that led to the installation of the CAServer will have to be duplicated to create the RAServer. However, for limited testing purposes, all of them could be installed on the same system.

It is assumed that you have uncompressed and untarred the OpenCA software with the following command.

        root# tar xvfz OpenCA-0.2.0.tar.gz

To install the RAServer software, enter the directory created (OpenCA-0.2.0) and type

        root# make install-raserver
        root# make install-raserver-web

You can use the following parameters when installing the OpenCA component for the RAServer.

Table D-4. RAServer installation parameters

Parameter                         Value
OpenSSL installation directory    /usr/local/ssl
Base directory for RAServer       /usr/local/RAServer
Webserver user                    nobody.nobody
Use found OpenSSL command         Y
Continue installation             yes

Table D-5. RAServer WWW Server installation parameters

Parameter                 Value
HTML pages directory      /usr/local/apache/htdocs/ra
CGI directory             /usr/local/apache/cgi-bin
Continue installation     yes

RAOperator Installation

This is the installation of the RA Operator. Please refer to Figure 7-1 for more information.

It is assumed that you have uncompressed and untarred the OpenCA software with the following command.

        root# tar xvfz OpenCA-0.2.0.tar.gz

To install the software, enter the directory created (OpenCA-0.2.0) and type

        root# make install-secure

Note

Again, the RAOperator is supposed to be installed on a system separate from both the CAServer and the RAServer. Furthermore, it is assumed that the steps that led to the installation of the CAServer and the RAServer will have to be duplicated to create the RAOperator. However, for limited testing purposes, they could all be installed on the same system. We must say that installing the CAServer, the RAServer and the RAOperators on the same system will make the setup rather difficult to use and probably error-prone during testing.

Table D-6. RAOperator WWW Server installation parameters

Parameter                 Value
HTML pages directory      /usr/local/apache/htdocs/rao
CGI directory             /usr/local/apache/cgi-bin
Continue installation     yes

WWW Server installation

This step covers the installation of the WWW server and of its SSL/TLS component. It is a rather lengthy procedure, unless you use RPM files. This software can be found at the section called Software packages in Chapter 7. Support information is at Chapter 8.

LDAP installation

An independent step is the installation of the LDAP software. This is usually installed on the RAOperator. Recommended LDAP software is listed at the section called Software packages in Chapter 7. For support information, please see Chapter 8.