Author: Kevin Mitcham
(C)opyright 2004 Dartmouth College (see www.dartmouth.edu)
(C) OpenCA Projekt 2005

This document can be modified and redistributed along the terms 
of the GNU Free Documentation License 1.2 (or newer) 
You can obtain a copy at http://www.gnu.org/licenses/fdl.txt

Please notice that there is a live CD too at:
http://www.dartmouth.edu/%7Edeploypki/CA/InstallOpenCALiveCD.html

This page was created by the Dartmouth PKI Lab Outreach.
=======================================================================
Note: The HowTo was edited by the OpenCA Team Jun 2005 to reflect 
latest changes on URLs and Options

to install from source
(actual commands marked with a "*")
(We ran on Debian "unstable")
(assumes an apache install using default options)


download new tarball from 
http://www.openca.info/download/
into a source directory
Alternately, get a snapshot or cvs via sourceforge
http://sourceforge.net/projects/openca
We are currently running a snapshot from a couple of weeks ago; RC4 actually gave me 
some problems.

* gunzip openca-0.9.2xxx.tar.gz 
* tar xvf openca-0.9.2xxx.tar 

* make distclean 

first install the ra
(may want to update the web-host value)

* ./configure \
  --prefix=/usr/local/openra \
  --with-httpd-user=www-data \
  --with-httpd-group=www-data \
  --with-openca-prefix=/usr/local/openra/openca \
  --with-etc-prefix=/usr/local/openra/openca/etc \
  --with-httpd-fs-prefix=/usr/local/openra/httpd \
  --with-module-prefix=/usr/local/openra/modules \
  --with-node-prefix=ra-node \
  --with-engine=no \
  --with-web-host=localhost \
  --enable-ocspd \
  --enable-dbi \
  --enable-rbac \

* make
* make install-online  


Now for the CA
(may want to update the web-host value)

* make distclean
* ./configure \
  --prefix=/usr/local/openca \
  --with-httpd-user=www-data \
  --with-httpd-group=www-data \
  --with-openca-prefix=/usr/local/openca/openca \
  --with-etc-prefix=/usr/local/openca/openca/etc \
  --with-httpd-fs-prefix=/usr/local/openca/httpd \
  --with-module-prefix=/usr/local/openca/modules \
  --with-node-prefix=ca-node \
  --with-engine=no \
  --with-web-host=localhost \
  --enable-ocspd \
  --enable-dbi \
  --enable-rbac \
  
* make
* make install-offline

Note: If you build a "all on one" Installation, you can omit the second configure/make step

create the DB:
*mysql -uroot -p mysql
<password>
create database openca;
create database openra;
grant all privileges on openca.* to openca@localhost identified by "openca";
grant all privileges on openra.* to openra@localhost identified by "openra";

test the DB
* mysql -uopenca -p
use openca
show tables
(should return empty set, as DB is empty)
exit;
* mysql -uopenra -p
use openra
show tables
(should return empty set, as DB is empty)
exit;

edit the apache httpd.conf (location varies, but this is the apache config file)
in the script aliases section, add:
# OpenCA Mods
# CA Aliases
Alias       /ca /usr/local/openca/httpd/htdocs/ca/
Alias       /ca-node /usr/local/openca/httpd/htdocs/ca-node/
ScriptAlias /cgi-bin/ca/ /usr/local/openca/httpd/cgi-bin/ca/ 
ScriptAlias /cgi-bin/ca-node/ /usr/local/openca/httpd/cgi-bin/ca-node/

# OpenCA Mods
# RA Aliases
Alias       /ra /usr/local/openra/httpd/htdocs/ra/
Alias       /pub /usr/local/openra/httpd/htdocs/pub/
Alias       /ra-node /usr/local/openra/httpd/htdocs/ra-node/
ScriptAlias /cgi-bin/ra/ /usr/local/openra/httpd/cgi-bin/ra/
ScriptAlias /cgi-bin/pub/ /usr/local/openra/httpd/cgi-bin/pub/
ScriptAlias /cgi-bin/ra-node/ /usr/local/openra/httpd/cgi-bin/ra-node/

# OpenCA Mods
<Directory "/usr/local/openca/httpd/cgi-bin/">
     AllowOverride None
     Options ExecCGI
     Order allow,deny
     Allow from all
</Directory>
<Directory "/usr/local/openra/httpd/cgi-bin/">
     AllowOverride None
     Options ExecCGI
     Order allow,deny
     Allow from all
</Directory>
<Directory "/usr/local/openca/httpd/htdocs/">
     AllowOverride None
     Options FollowSymLinks Indexes
     Order allow,deny
     Allow from all
</Directory>
<Directory "/usr/local/openra/httpd/htdocs/">
     AllowOverride None
     Options FollowSymLinks Indexes
     Order allow,deny
     Allow from all
</Directory>
# OpenCA Mods
# adding dir to symlinks following for cert retrieval
# not totally clear WHY openca puts a symlink here, but it did.
<Directory "/usr/local/openra/httpd/cgi-bin/pub">
     AllowOverride None
     Options FollowSymLinks Indexes
     Order allow,deny
     Allow from all
</Directory>

modify the config.xml for the ra (located in /usr/local/openra/openca/etc)

Now onto the config.xml, for the ca and the ra.
for the CA:
general options 
        ca_organization
        ca_locality
        ca_country
        service_mail_account (set to [EMAIL PROTECTED])
        dbmodule -> DBI for the mysql database
        db_type-> mysql
        db_name -> openca
        db_host -> localhost  (or whatever)
        db_port -> 3306  (the mysql default port)
        db_user -> openca
        db_passwd -> XXX
configuration of absolute paths
        (as needed.  once again, looks like some of the work is already done)
dataexchange configuration
        de-activate dfault, by adding comment <!-- --> brackets
        activate mode 1, node acts as CA only by removing comment brackets
configuration of relative paths
        (as needed.  Not done first time through due to error)  

<!-- these are the devices for the default dataexchange --> 
(these might not be in config.xml; if not, see below)
          <name>dataexchange_device_up</name>
          <value>/usr/local/openca/openca/var/tmp/ca-up</value>
        </option>
        <option>
          <name>dataexchange_device_down</name>
          <value>/usr/local/openca/openca/var/tmp/ca-down</value>
        </option>
        <option>
          <name>dataexchange_device_local</name>
          <value>/usr/local/openra/openca/var/tmp/ra-local</value>
        
        
if the  dataexchange device section is not in config.xml, go to
/usr/local/openca/openca/servers  and look at ca-node.conf.template and 
ca.conf.template

(/usr/local/openca/openca/etc/servers/ca.conf.template)
line EXPORT_IMPORT_DOWN_DEVICE "/dev/fd0"
to EXPORT_IMPORT_DOWN_DEVICE "/usr/local/openca/openca/var/tmp/ca-down"


line EXPORT_IMPORT_LOCAL_DEVICE "/dev/fd0"
to EXPORT_IMPORT_LOCAL_DEVICE "/usr/local/openra/openca/var/tmp/ra-local"

ra-node.conf.template needs similar updates, as well
ra IMPORT UP DEVICE should be the exact same file as the CA IMPORT_DOWN_DEVICE




also update items in /usr/local/openca/openca/etc/access_control
(similar for RA)

ca-node.xml.template
<protocol> set to .*
<symmetric> keylength 0

ca.xml.template
<protocol> set to .*
<symmetric> keylength 0


now return to the ra etc dir /usr/local/openra/openca/etc
run the "magic script" configure_etc.sh
that script makes configuration files from the template(s)
then openca_start  
(the script to start the server is the same for the ra as the ca, hence openca_start 
rather than openra_start)
use the browser to open a page on http://myhost.wherever.edu/openra
and you should get a page.
Also check http://myhost.wherever.edu/ra-node
Also check http://myhost.wherever.edu/pub

switch dir to 
/usr/local/openca/openca/etc
run the "magic script" configure_etc.sh
that script makes configuration files from the template(s)

use the browser to open a page on http://myhost.wherever.edu/openca
and you should get a page.
Also check http://myhost.wherever.edu/ca-node

if the pages work, you have installed openca.  Now you need to initialize it.


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++  The intialization of an Installed CA ++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Configure an installed/compiled OpenCA installation

connect to the ca: 
http://myhost.wherever.edu/openca

Series of tabs should be visible.  Select General->Initialization
 Phase I
Initialize the Certification Authority
        Initialize Database
        initialize-> intialize DB .(reports sucess, but a slurry of error messages 
about table not found may appear on the console)

initalize -> initalize phase 1 -> generate new secret key: des3 rsa 1024 (enter the 
pwd to protect the key)
initalize -> initalize phase 1 -> generate new cert request (args as appropriate)(I 
think you need to set the email to match the sender from the config file, but am not 
sure)
initalize -> initalize phase 1 -> Self Signed CA Certificate (from altready generated 
request): 730 days
initalize -> initalize phase 1 -> Rebuild CA Chain
        
initalize -> initalize phase 2 -> new request: 
        fields as appropriate.  This is the cert for the ca admin
initalize -> initalize phase 2 -> edit request: (submit)(issue)
initalize -> initalize phase 2 -> handle request: export as p12 (pwd the PIN entered 
during request)
 save to disk, import into browser

initalize -> initalize phase 3 -> new request:  (RAOperator as role)
initalize -> initalize phase 3 -> edit request: (submit)(issue)
initalize -> initalize phase 3 -> handle request: export as p12 (pwd the PIN entered 
during request)
 save to disk, import into browser

Now initialize the RA database
http://myhost.wherever.edu/ra-node
Admin->Server Init, initialize DB
Admin->Server Init, Import Configuration


Now move the Certs down to the RA
http://myhost.wherever.edu/openca
Now export info to the RA:
General -> Node Management  (brings you to CA-NODE urls)
Administration->Dataexchange
 Enroll data to a lower level of the hierarchy->all
 
 General-> Registration Authority (to the ra)
 General-> node management (to the ra-node)
Administration->Dataexchange
         Download data from a higher level of the hierarchy->All 
         
         (errors getting CA certificate are ok and expected; it came from the import 
config above)

Now to issue the first client certificate:
http://myhost.wherever.edu/pub
User->Request a Certificate->Request a certificate with automatic browserdetection 
(fill out fields as desired)(note the request serial number generated; use it to pick 
it up below)

Now approve the request:
http://myhost.wherever.edu/ra
Active CSRs->New->(search)  click on submit name/serial number (color link)
(Approve Request without signing)  

Export the request from the RA
http://myhost.wherever.edu/ra-node
Admin->dataexchange->Upload data to a higher level of the hierarchy ->requests

Import into CA
http://myhost.wherever.edu/ca-node
Admin->dataexchange->Receive data from a lower level of the hierarchy ->requests

Approve the Cert
http://myhost.wherever.edu/ca
Usual Operations->Approved Certificate Requests -> click on serial number , issue the 
certificate button

Export the cert from the CA
http://myhost.wherever.edu/ca-node
Admin->dataexchange->Enroll data to a lower level of the hierarchy  ->Certificates

Import the cert to the RA
http://myhost.wherever.edu/ra-node
Admin->dataexchange->Download data from a higher level of the hierarchy ->Certificates

Pick up the certificate
http://myhost.wherever.edu/pub
User->Get Requested Certificate  
   use the install button.  If that fails, 
Certificates->valid has an install option, and download options that should get the 
certificate.