Chapter 6. OpenCA Installation details

As described in Figure 4-1, OpenCA normally needs three separate servers to be installed. However, this would make the software less accessible. Thus, we shall describe how one can install all the components on a single server.

We shall assume the character of Woody Allen in the movie Bananas, where, while on trial in court, he plays both the defendant and the lawyer by quickly switching places.

First, we should see what software components we are going to install and on which server we should install them.

Table 6-1. Software installation matrix

Software              CAServer   RAServer   RAOperator
Perl Generic modules
OpenCA Perl modules
WWW Server
SSL/TLS module
LDAP Server
OpenSSL

Note: We must say that the above table is not final and is subject to change as the project evolves.

Using the above table, you may proceed with the installation, as described in the following chapters. Keep in mind that if you are doing an all–in–one installation, that is, all the servers on a single workstation, then you do not need to install the same software component multiple times or in different directories. If a special configuration setting has to be made in regard to this issue, it will be noted.

Software installation sequence

It is recommended that the software components be installed in the suggested sequence.

Installation of Perl modules

Information about how to find the latest version of a Perl module can be found at Appendix A.

Note: These Perl modules have to be installed in the sequence shown because of certain dependencies. However, if you make a mistake with the sequence, you will get an informative error that will indicate which module was skipped.

  1. Convert::BER is a perl object class implementation to encode and decode objects as described by ITU-T standard X.209 (ASN.1) using Basic Encoding Rules (BER). The filename is Convert-BER-1.26.tar.gz

  2. MIME::Base64 and MIME::QuotedPrint provide a base64 encoder/decoder and a quoted-printable encoder/decoder. These encoding methods are specified in RFC 2045 – MIME (Multipurpose Internet Mail Extensions). The filename is MIME-Base64-2.11.tar.gz

  3. The URI perl object class provides functionality regarding the Uniform Resource Identifier, as specified in RFC 2396. The filename is URI-1.04.tar.gz

  4. The Digest::* perl object class provides implementations for the MD5 (RFC 1321), MD2 (RFC 1319) and SHA-1 (FIPS PUB 180-1) hash functions. Also, an implementation of the HMAC (RFC 2104) MAC function is provided. The filename is Digest-MD5-2.09.tar.gz

  5. perl-ldap provides access to LDAP servers. A requirement to install it is to already have Convert::BER installed on your system. The filename is perl-ldap-0.13.tar.gz

  6. I have the idea that this and the above have overlapping functionality. The filename is Net-LDAPapi-1.42.tar.gz
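A pre-flight check for the module list above, added here as an example and not part of the OpenCA distribution: it loads each module in the chapter's install order and reports the first ones missing, so a skipped module shows up before the OpenCA build does. It assumes `perl` is on PATH and that Net::LDAPapi is the module name shipped in Net-LDAPapi-1.42.tar.gz.

```shell
#!/bin/sh
# Added example, not from the OpenCA distribution: verify that the Perl modules
# listed in this chapter load, in the same order they are to be installed.

# Module names in the chapter's install order. Net::LDAPapi is assumed to be
# the module shipped in Net-LDAPapi-1.42.tar.gz; perl-ldap provides Net::LDAP.
OPENCA_PERL_MODULES="Convert::BER MIME::Base64 URI Digest::MD5 Net::LDAP Net::LDAPapi"

# Return 0 if the named module can be loaded by the perl on PATH, 1 otherwise.
perl_module_present() {
    perl -M"$1" -e 1 >/dev/null 2>&1
}

# Print each missing module on its own line, in install order; the return value
# is the number of missing modules (0 means every prerequisite is present).
missing_perl_modules() {
    _missing=0
    for _m in $OPENCA_PERL_MODULES; do
        if ! perl_module_present "$_m"; then
            echo "$_m"
            _missing=$((_missing + 1))
        fi
    done
    return $_missing
}

# Convert::BER must be present before perl-ldap is built (see item 5), so point
# that dependency out explicitly when it is among the missing modules.
check_openca_perl_prereqs() {
    if _list=$(missing_perl_modules); then
        echo "All OpenCA Perl prerequisites are installed."
        return 0
    fi
    echo "Missing Perl modules (install in this order):"
    echo "$_list"
    case "$_list" in
        *Convert::BER*) echo "Note: perl-ldap (Net::LDAP) requires Convert::BER first." ;;
    esac
    return 1
}

check_openca_perl_prereqs || echo "Install the missing modules before building OpenCA."
```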

Installation of OpenCA–specific modules

The OpenCA–specific modules can be found either at CPAN or at the OpenCA WWW site.

The functionality of these perl modules is not entirely OpenCA–specific. In general, they help to parse configuration files.

  1. This perl module is used in order to access the configuration files of OpenCA. Currently, the configuration files are

    • ca.conf

    • raserver.conf

    • secure.cnf

    The filename is OpenCA-Configuration-1.2.tar.gz

  2. This perl module provides access to configuration variables that can have three states. It is used to ease the access to the OpenCA configuration files. The filename is OpenCA-TRIStateCGI-1.02.tar.gz

Installation of OpenCA

This is described in three major sections: the installation of the CAServer, the RAServer and the RAOperator(s).

The installation procedure involves setting up the configuration files, copying the HTML pages to the appropriate directories and finally adding the CGI scripts in the corresponding directories.

CAServer Installation

This is the installation of the Certification Authority. Please refer to Figure 4-1 for more information.

It is assumed that you have uncompressed and untarred the OpenCA software with the following command.

        root# tar xvfz OpenCA-0.2.0.tar.gz

To install the software, enter the directory created (OpenCA-0.2.0) and type

        root# make install-ca

Use the following parameters when installing the OpenCA component for the CAServer.

Table 6-2. CAServer installation parameters

Parameter                       Value
OpenSSL installation directory  /usr/local/ssl
Base directory for CAServer     /usr/local/RAServer
Webserver user                  nobody.nobody
Use found OpenSSL command       Y
Continue installation           yes
Edit openssl.cnf                Check the section called "openssl.cnf configuration for OpenCA" in Appendix C

Subsequently, to install the WWW pages that accompany the CAServer do

        root# make install-ca-web

Use the following parameters when installing the WWW pages of the OpenCA component for the CAServer.

Table 6-3. RAServer WWW Server installation parameters

Parameter               Value
HTML pages directory    /usr/local/apache/htdocs/ca
CGI directory           /usr/local/apache/cgi-bin
Continue installation   yes

Finally, follow the instructions from the WWW pages to initialise the CAServer by creating the CA private key and certificate.

RAServer Installation

This is the installation of the Registration Authority. Please refer to Figure 4-1 for more information.

Note: The RAServer is supposed to be installed on a separate system from the CAServer. Furthermore, it is assumed that the steps that led to the installation of the CAServer will have to be duplicated to create the RAServer. However, for limited testing purposes, all of them could be installed on the same system.

It is assumed that you have uncompressed and untarred the OpenCA software with the following command.

        root# tar xvfz OpenCA-0.2.0.tar.gz

To install the RAServer software, enter the directory created (OpenCA-0.2.0) and type

        root# make install-raserver
        root# make install-raserver-web

You can use the following parameters when installing the OpenCA component for the RAServer.

Table 6-4. RAServer installation parameters

Parameter                       Value
OpenSSL installation directory  /usr/local/ssl
Base directory for RAServer     /usr/local/RAServer
Webserver user                  nobody.nobody
Use found OpenSSL command       Y
Continue installation           yes

Table 6-5. RAServer WWW Server installation parameters

Parameter               Value
HTML pages directory    /usr/local/apache/htdocs/ra
CGI directory           /usr/local/apache/cgi-bin
Continue installation   yes

RAOperator Installation

This is the installation of the RA Operator. Please refer to Figure 4-1 for more information.

It is assumed that you have uncompressed and untarred the OpenCA software with the following command.

        root# tar xvfz OpenCA-0.2.0.tar.gz

To install the software, enter the directory created (OpenCA-0.2.0) and type

        root# make install-secure

Note: Again, the RAOperator is supposed to be installed on a system separate from the CAServer and the RAServer. Furthermore, it is assumed that the steps that led to the installation of the CAServer and the RAServer will have to be duplicated to create the RAOperator. However, for limited testing purposes, all of them could be installed on the same system. We must say that installing the CAServer, the RAServer and the RAOperators on the same system will make it rather difficult to use and probably error-prone in testing.

Table 6-6. RAOperator WWW Server installation parameters

Parameter               Value
HTML pages directory    /usr/local/apache/htdocs/rao
CGI directory           /usr/local/apache/cgi-bin
Continue installation   yes

WWW Server installation

This step covers the installation of the WWW server and of its SSL/TLS component. It will be a rather lengthy procedure, unless you manage to find RPM files. This software can be found in the section called Software packages in Chapter 5. Support information can be found in Chapter 7.

LDAP installation

A fairly independent step is the installation of the LDAP software. This is usually installed on an RAOperator. Recommended LDAP software can be found in the section called Software packages in Chapter 5. For support information, please see Chapter 7.