(CATOOL) Re: CATool question

Mike McCauley mikem at open.com.au
Sun Sep 11 18:11:22 CDT 2005


Hello Bon,

Thanks for your note.

There were a number of changes in OpenSSL 0.9.7e that were incompatible with 
earlier versions of CAtool.
There is a faq item covering this, http://www.open.com.au/catool/faq.html#10
which recommends upgrading to OpenSSL 0.9.7g or later and upgrading CAtool to 
1.3.5.

OpenSSL 0.9.7e by default generates certificates with large binary serial 
numbers. You can see that in the certificate you are trying to import below. 
The latest version of CAtool fixes this problem:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            be:0e:06:99:09:cd:f7:2a
        Signature Algorithm: md5WithRSAEncryption


On Sunday 11 September 2005 23:05, Bon sy wrote:
> Mike,
>     	Thanks for the additional information. Would you please take a look at
> the above two attachments and see whether you see anything unusual?

The binary serial number is likely to cause a number of problems.

>
> 	We specify the above two files in the rebuild of catool in SUSE
> and encounter the following error:
>
> Importing existing Root CA certificate ...
> Argument "./cakey.pem" isn't numeric in numeric gt
> (>) at bin/load_ca_cert line 22.
> bin/load_ca_cert: number certs signed (-n) must be non-zero

Not sure what the problem is without seeing your Defs file, but perhaps:

The IMPORT_CA_CERTS_SIGNED in the Defs needs to be an integer.

Cheers.

>
> 	Thanks!
>
> Bon
> P.S. We found your Install script and load_ca_cert in catool-1.3.3 very
> buggy. setup_rootca script in "Install" basically will go ahead to
> generate root cert irrespective to the setting in the $IMPORT_CA_CERT and
> $IMPORT_CA_KEY. We also found load_ca_cert does not work properly in
> generating new root cert using the flag CAserial with -serial_no in
> OpenSSL 0.9.7e environment.
>
> On Wed, 7 Sep 2005, Mike McCauley wrote:
> > Hello Bon,
> >
> > We have confirmed that the latest version of CATool (1.3.4) installs on
> > SuSE 9.2. Here are our notes:
> >
> > 	SuSE does not usually install Apache 2 or MySQL by default,
> > 	but they are available with YaST from SuSE mirrors with
> > 	package names apache2 and mysql.
> >
> > 	suidperl and openssl are installed by default, but you will
> > 	need to enable suidperl by setting the SUID bit with:
> > 	     chmod u+s /usr/bin/suidperl
> > 	You will also need to install the perl-HTML-Parser package.
> >
> > 	With the standard Apache 2 package, you will need to modify
> > 	the following configuration variables in Defs:
> > 		WEBSERVER=your.host.name.com  # Change this
> > 		WEB_DOCROOT=/srv/www/htdocs
> > 		WEB_DOCDIR=catool
> > 		WEB_CGIPATH=/srv/www/cgi-bin/catool
> >
> >
> > Hope that helps.
> >
> > Cheers.
> >
> > On Wednesday 07 September 2005 00:19, Bon sy wrote:
> > > Hello Mike,
> > >
> > > 	I just checked out the URL below about the history revision. I am
> > > not sure how we could benefit from it. There is only one newer revision
> > > than the one we currently installed. But that one is posted in Aug ---
> > > beyond our maintenance expiration according to Joan (I think).
> > > (Besides, we do not have the user/pass to access the src since we
> > > bought the license long time ago. We don't remember whether we ever got
> > > user/pass for the download or just received the src by email.)
> > >
> > > 	In addition, from what we know, there is also a key issue about
> > > the availability of perl suid for SUSE --- which is required by CATool
> > > according to its installation note. It would be great if you could let
> > > us know where we may be able to download the perl suid.
> > >
> > > 	Many thanks!
> > >
> > > Bon
> > > P.S. I will be very interested in possible new feature on root
> > > certificate renewal. If CATool is simply using openssl in a standard
> > > manner, then it will not be possible to renew the root certificate.
> > > It's because openssl will have no way to enforce consistency between
> > > the expiration of the root certificate and that of its
> > > client/server/standard certificates; i.e., a client/server/standard
> > > certificate could have a life time beyond the lifetime of the root
> > > certificate. Yet openssl is just a single command utility and will not
> > > check its consistency between the root and client certs .... unless you
> > > are going to write additional utilities on top of openssl in CATool to
> > > make the root cert renewal possible and to maintain consistency.
> > >
> > > On Tue, 6 Sep 2005, Mike McCauley wrote:
> > > > > the following error during the installation and were not able to
> > > > > go further:
> > > > > 	Catool::X509::CertificateInfo: could not extract serial number
> > > > > from cert listing at bin/load_ca_cert line 31
> > > > >   Did anyone successfully install CATool in SUSE 9.x?
> > > >
> > > > There are a number of recent fixes for various compatibility issues,
> > > > including various versions of Linux and recent versions of OpenSSL.
> > > > Details at:
> > > > http://www.open.com.au/catool/history.html
> >
> > --
> > Mike McCauley                               mikem at open.com.au
> > Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
> > 9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
> > Phone +61 7 5598-7474                       Fax   +61 7 5598-7070
> >
> > Radiator: the most portable, flexible and configurable RADIUS server
> > anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> > Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> > TTLS, PEAP etc on Unix, Windows, MacOS etc.

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.

--
Archive at http://www.open.com.au/archives/catool/
Announcements on catool-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe catool' in the body of the message.
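The failure discussed in this thread ("could not extract serial number from cert listing") comes from parsing the text listing that `openssl x509 -text` prints: older OpenSSL releases print a small serial inline as `Serial Number: 1 (0x1)`, while 0.9.7e's random 64-bit serials are printed as a colon-separated hex run on the following line, exactly as in the certificate quoted above. The parser below is an added example and is not CAtool's own code (CAtool is written in Perl; this is Python chosen so it can be run stand-alone); it handles both listing forms, rejects an inline line whose decimal and hex values disagree, and converts a serial back to the colon-separated form for comparison against what OpenSSL prints. The two sample listings are constructed for the example, the binary one copied from the certificate in the thread.

```python
import re

# Constructed sample listings in the format of `openssl x509 -noout -text`.
# SMALL_SERIAL_LISTING is the form produced for sequential CA counters;
# BINARY_SERIAL_LISTING reproduces the serial shown in the thread.
SMALL_SERIAL_LISTING = """Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5WithRSAEncryption
"""

BINARY_SERIAL_LISTING = """Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            be:0e:06:99:09:cd:f7:2a
        Signature Algorithm: md5WithRSAEncryption
"""

# Inline form: "Serial Number: <decimal> (0x<hex>)"
_INLINE = re.compile(r"^\s*Serial Number:\s*(\d+)\s*\(0x([0-9a-fA-F]+)\)\s*$")
# Header-only form: the value follows on the next line as "aa:bb:cc:..."
_HEADER = re.compile(r"^\s*Serial Number:\s*$")
_HEXRUN = re.compile(r"^\s*((?:[0-9a-fA-F]{2}:)*[0-9a-fA-F]{2})\s*$")


def extract_serial(listing: str) -> int:
    """Return the certificate serial number from a text listing as an int.

    Raises ValueError when no serial line is found or the value is malformed,
    so a caller can fail loudly instead of treating a path or empty string as
    a number (the '-n must be non-zero' symptom in the thread).
    """
    lines = listing.splitlines()
    for i, line in enumerate(lines):
        m = _INLINE.match(line)
        if m:
            decimal, hexval = int(m.group(1)), int(m.group(2), 16)
            if decimal != hexval:
                raise ValueError("inline serial: decimal and hex disagree")
            return decimal
        if _HEADER.match(line):
            if i + 1 >= len(lines):
                raise ValueError("serial header with no value line")
            m2 = _HEXRUN.match(lines[i + 1])
            if not m2:
                raise ValueError("serial header not followed by hex octets")
            return int(m2.group(1).replace(":", ""), 16)
    raise ValueError("could not extract serial number from cert listing")


def is_binary_serial(listing: str) -> bool:
    """True when OpenSSL printed the serial as a multi-line hex run, which is
    how the large random serials from 0.9.7e and later appear."""
    return any(_HEADER.match(line) for line in listing.splitlines())


def format_serial(serial: int) -> str:
    """Render an int serial as OpenSSL's colon-separated, even-length hex."""
    if serial < 0:
        raise ValueError("serial must be non-negative")
    h = format(serial, "x")
    if len(h) % 2:
        h = "0" + h
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


if __name__ == "__main__":
    for name, listing in (("small", SMALL_SERIAL_LISTING),
                          ("binary", BINARY_SERIAL_LISTING)):
        s = extract_serial(listing)
        print(name, s, format_serial(s), "binary form:", is_binary_serial(listing))
```

Feeding the output of `openssl x509 -in cacert.pem -noout -text` into `extract_serial` gives an int regardless of which listing form the installed OpenSSL produces; `is_binary_serial` is the check to run before assuming the serial can be used as a small counter such as the `-n` value `load_ca_cert` expects.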