Installing OpenCA

From OpenCA::Wiki

Prerequisites

In order to be able to install OpenCA, you need the following software already installed on your system:

  • PERL
  • OpenSSL 0.9.7+
  • Apache Web Server
  • OpenCA-Tools (download it here (http://www.openca.org/projects/openca/downloads.shtml)).
  • A Database (MySQL, PostgreSQL, DB2, Oracle)
  • PERL DBI (find it here (http://dbi.perl.org/))
 NOTE: many default installations of OpenSSL do not support ECDSA. To support it, you
 will have to compile OpenSSL from sources and then follow the OpenCA installation
 instructions for sources ([Install OpenCA from Sources]).

Database Creation

For OpenCA to store data in the database, you need to create a database and a user that manages it. An example for MySQL follows.

Connect to the DBMS:

  $ mysql -u root -p -h localhost

Then, create the database:

  mysql > CREATE DATABASE openca;

Now select the database:

  mysql > use openca;

Then grant the privileges to a new openca user:

  mysql > GRANT ALL PRIVILEGES ON *.* TO 'openca'@'localhost' IDENTIFIED BY 'password';

The user and the database now exist. To test them, quit the mysql shell and start it again as the openca user:

  $ mysql -u openca -p -h localhost openca

If you can log in to the database this way, it is set up correctly.

  NOTE: You should use different names for the database and the user. Whatever you
  choose, they have to match the ones configured in PREFIX/etc/openca/config.xml
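As an added example (not part of the OpenCA wiki), the same database and account created with the grant scoped to the openca database instead of `*.*`, followed by a check of what the account can actually do. It assumes a MySQL version with the CREATE USER statement (5.0.2 or later); 'password' is a placeholder.

```sql
-- Added example, not from the OpenCA wiki. The GRANT ... ON *.* used above
-- makes the application's database account an administrator of every database
-- on the server, so any compromise of that account extends to all of them.
-- Scoping the grant to the openca database avoids that.
CREATE DATABASE openca;

-- Create the account first (CREATE USER exists since MySQL 5.0.2);
-- 'password' is a placeholder to be replaced.
CREATE USER 'openca'@'localhost' IDENTIFIED BY 'password';

-- Only the openca schema, only from localhost: enough for OpenCA to create
-- and maintain its tables inside that database, and nothing server-wide.
GRANT ALL PRIVILEGES ON openca.* TO 'openca'@'localhost';
FLUSH PRIVILEGES;

-- Verify: the output should show USAGE on *.* (the "can log in" privilege)
-- and ALL PRIVILEGES on `openca`.*, and no other grants.
SHOW GRANTS FOR 'openca'@'localhost';
```

The login test from the section above (`mysql -u openca -p -h localhost openca`) still applies unchanged, because the account keeps full rights inside its own database.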


Installing From Source Packages

... it's really easy! If you are running a UNIX system, you are probably familiar with the ./configure && make && make install process; compiling and installing OpenCA from sources works the same way.

The installation script will try to figure out which OS you are using and configure the defaults for that system automatically. To do so, you can just unpack the sources and then:

   $ ./configure

When the configuration script completes, it prints a brief summary of the configuration. Please check that:

  • the user for the webserver and the openca user exist
  • the directories for the web pages and cgi scripts are correct
  • the database configuration is correct

To get a list of all the possible options, use the following command:

   $ ./configure --help

We suggest that you use the following basic options:

  • prefix: allows you to specify the installation prefix
  • with-ca-organization: name of your organization (eg., University of ... )
  • with-httpd-fs-prefix: main dir of the web environment (web pages will be installed under HTTPD_FS_PREFIX)
  • with-httpd-main-dir: name of the sub directory used for web pages and cgi scripts. For example if you want to install the pages and scripts in HTTPD_FS_PREFIX/html/pki-new/ and HTTPD_FS_PREFIX/cgi-bin/pki-new/ respectively, you can use --with-httpd-main-dir=pki-new
  • with-db-name: name of the database to be used
  • with-db-host: name of the host to be used, in most environments 'localhost' is ok.
  • with-db-user: username to connect to the database
  • with-db-password: password to be used to connect to the database
  • with-db-type: type of database to be used
  • with-service-mail-account: sets the default email support account


Here's an example:

   $ ./configure --prefix=/opt/openca-1.1.0 \
                 --with-ca-organization="OpenCA Labs" \
                 --with-httpd-fs-prefix=/var/www \
                 --with-httpd-main-dir=pki \
                 --with-db-name=openca_db \
                 --with-db-host=localhost \
                 --with-db-user=openca_user \
                 --with-db-password=my_openca_password \
                 --with-db-type=mysql \
                 --with-service-mail-account="support@pki.domain.org"


Check that everything is ok. If so, you are all set to compile the package; if something is wrong, run the ./configure ... command again with the right options. Now compile the source code with the following command:

    $ make

A lot of text and warnings will appear in the shell. This process can take several minutes, but not too many :D If everything is ok, you are now ready to install the package.

If you want to install everything on a single node, use the following command:

    $ make install-offline install-online

If instead you want to install only the CA (i.e., the offline components: ca, node, and batch interfaces), use:

    $ make install-offline

To install the RA/Pub (i.e., the online components: ra, node, ldap, and pub), use:

    $ sudo make install-online

At this point you should be all set, and you need to start configuring the different parts of your PKI to meet your needs.

OpenCA is quite flexible and, if well configured, can meet 99.99% of any possible PKI configuration. The downside is that there are a lot of options, and this may confuse you. Our suggestion is to configure one piece at a time: when you are satisfied with it, move on to the next.

If everything is ok, you might try to start the OpenCA daemon by executing the startup script:

   $ sudo PREFIX/etc/init.d/openca start

You might also consider making a symbolic link from your startup directory so that OpenCA starts automatically when the system reboots. Different systems have different ways to add scripts to the boot sequence; in general, linking the openca script into your /etc/init.d/ is a good start. You can do this with the following commands:

   $ cd /etc/init.d/
   $ ln -s PREFIX/etc/init.d/openca .

Now you can use your system's admin tools to add it to the boot sequence (eg., chkconfig).

Configurations: Where Shall I Start ?

Most of the general options of OpenCA are read when you start or restart the openca daemon. PREFIX/etc/config.xml carries many basic options, so you should start there: go through the whole file and change the values where needed.

After you have finished editing config.xml, look around the directory that contains it. There are many other files that you might need to edit to match your installation.

After that, you may want to proceed to check the configuration options in the template files in:

  PREFIX/etc/openca/servers/

Remember to edit the <name>.template files, as the non-template ones are overwritten each time you restart OpenCA. Also, for any change to take effect, you need to restart OpenCA after changing a configuration option.

Finally, you need to set the options for the certificate profiles. To do that, edit the template files in:

  PREFIX/etc/openca/openssl/extfiles/

These are the certificate profiles (or ROLES) that are used when a new certificate is issued.


Install Options

You can install OpenCA in different modes depending on the type of PKI you are running. In many cases, a simple installation on a single node is fine, provided that the CA part is secure.