• Step 1 : Machine preparation

- CA Machine or CA Server (offline)

With security measurements that should be defined in CPS, it must be all time not connected to any network.
It's a CA Server which sign certificates.
It can be a simple machine, it doesn't need a lot of resources as CPU or RAM ( a simple machine with 512G of RAM and Pentium 4 can be enough)

It offers 2 access modes :

--> CA interface
--> Node interface

- RA Machine or RA Server (online)

It's the web server machine witch hosting the online services of OpenCA .
It's the RA Server witch allow to users to request certificates and retrieve them, and also offers the RA service for approving requests and handling certificates
It can be a simple machine, it doesn't need a lot of resources as CPU or RAM ( a simple machine with 512G of RAM and Pentium 4 can be enough)

It offers 3 access modes :

--> Pub interface
--> RA interface
--> Node interface

NB : these machines should not hosting any other services, they should be dedicated to only CA services for security measurements.

• Step 2 : OS installation

The installation based on CentOS distribution of Linux (http://www.centos.org)

If your choice is CentOS 5.4 or 5.5, you can check this URL(http://www.centos.org/product.html) for hardware requirements (In our case Morocco we installed the 5.4 version 32bit architecture)

Otherwise you can check this URL(http://www.openca.org/projects/openca/downloads.shtml) and you can choose the OS depending the version of openca you want to install.

The following will be based on CentOS 5.4 / 32bits Architecture

During the installation of OS, it's important to install some packages (graphical mode, PERL package, MySQL server and MySQL-devel, and other ordinary packages of course).
When you configure hostname and IP for RA machine according to your CP/CPS (IP and hostname should be declared in DNS as public IP Ex : ra.magrid.ma), the CA machine must be offline so IP and hostname in really shoud be a local adress, but to avoid some issues in the post configuration, It's it is desirable to do the same installation in the two machines (with the same IP and hostname, and only one machine can be connected to network at the moment of the configuration),

Genarraly we begin with the CA Server, and the OS installation and the configuration is the same of the RA machine.

• Step 3 : OpenCA installation

Create OpenCA user

useradd openca

Prerequisite packages and modules

Now we need to install some prerequisites on both of the installations:
Login as root and type:

yum install gpg ftp links make unzip openssl-devel expat-devel httpd mod_ssl mysql-server

to install required packages. Also we need some Perl modules. I am using the CPAN directory for this. You may be able to find a CentOS repository with the according rpms.

perl -MCPAN -e shell              
install CGI::Session
install Convert::ASN1
install Digest::MD5
install Digest::SHA1
install Encode::Unicode
install IO::Socket::SSL
install IO::Stringy
install MIME::Base64
install MIME::Lite
install MIME::Tools
install MailTool
install Net::Server
install URI
install XML::Twig
install XML::SAX::Base
install Digest::HMAC
install Authen::SASL 
install NET::SSLeay
install G/GU/GUIDO/libintl-perl-1.20.tar.gz      //Maybe changed you have to find the latest one --> tape: install i libintl-perl
install G/GB/GBARR/perl-ldap-0.4001.tar.gz     //Maybe changed you have to find the latest one --> tape: install i perl-ldap
quit

Hosts config

edit /etc/hosts

Change this file and add your machine hostname like this:

# Do not remove following line,or various programs
#that require network Functionality will fail
127.0.0.1    localhost.localdomain    localhost
X.X.X.X     ra.marwan.ma          ra 

Apache config

edit /etc/httpd/conf/httpd.conf

Change this line to your hostname:

ServerName ra.marwan.ma

MySQL config

Init mysql:

mysql_install_db

Fix a CentOS MySQL bug:

edit /etc/my.cnf

In the section mysqld add the following line:

skip-bdb

Start daemon:

service mysqld start

Set root password:

mysqladmin -u root password 'new_password'
mysqladmin -u root -h your_hostname password 'new_password'

Create database and change permissions for openca:

mysql -p
create database openca;
GRANT create,drop,select,delete,insert,update ON openca.* TO 'openca_u'@'localhost' IDENTIFIED by 'database_password';
FLUSH privileges;
exit;

I don't think it's necessary but you can restart MySQL:

service mysqld restart

Install OpenCA package

Now we have to install the openca tools package:

wget ftp://serv1.marwan.ma/pub/packages/openca-tools-1.3.0.tar.gz
tar xvzf openca-tools-1.3.0.tar.gz
cd openca-tools-1.3.0
./configure –-prefix=/opt/openca –-exec-prefix=/opt/openca –-with-openca-prefix=/opt/openca –-with-openca-user=openca –-with-openca-group=openca
make
make install

Now for the OpenCA ! application itself. Download and uncompress package:

wget ftp://serv1.marwan.ma/pub/packages/openca-base-1.1.0.tar.gz
tar xvzf openca-base-1.1.0.tar.gz

Configure and install OpenCA :

We install openca in the directory /opt/openca

cd openca-base-1.1.0
./configure –-prefix=/opt/openca –-exec-prefix=/opt/openca –-with-openca-prefix=/opt/openca –-with-openca-user=openca –-with-openca-group=openca -–with-module-prefix=/opt/openca/modules –with-web-host=ra.marwan.ma --with-httpd-user=apache –-with-httpd-group=apache -–with-openca-tools-prefix=/opt/openca
make

Now, depending on whether you want to install the offline or online service you have to execute

make install-offline

or

make install-online

Now we install a few helper scripts (it seems there is a bug and they are not installed by default):

cd src/scripts
make install

Edit: After installing the above command also does not work anymore. You'll have to copy the scripts in this directory manually to /opt/openca/bin and change owner and permissions.

Start OpenCA at boottime

Add/Edit the file /etc/init.d/openca and put the following in it:

#!/bin/sh
#
# chkconfig: 345 75 55
# description: OpenCA Server

cd /opt/openca/etc/openca  || exit 1
case "$1" in
    start)
        echo -n "Starting OpenCA ... "
        ./openca_start
        echo OK
    ;;
    stop)
        echo "Shutting down OpenCA ... "
        ./openca_stop
    ;;
    restart)
        $0 stop
        $0 start
    ;;
    *)
    echo "Usage: $0 {start|stop|restart}"
    exit 1
esac

Other stuff

Fix log file permission:

chown -R apache:apache /opt/openca/var/openca/log/

Now the install part of the OpenCA package is finished. Now we have to go to the configuration step.

• Step 4 : OpenCA configuration (for both offline and online machines)

Edit config.xml (You can downlaod the files andthen changes the values)

We have to edit the file /opt/openca/etc/openca/config.xml in order to make changes to the default OpenCA configuration. These are the parts I edited (the complete config file is attached on this page):

First we set the name of the organization the CA is set up for:

<name>ca_organization</name>
   <value>MARWAN CA</value>

And the country the CA is located in:

<name>ca_country</name>
 <value>MA</value>

These two values are the first two tokens of the DN a certificate of this CA is going to have.
Now we change the way the mail server is invoked:

<name>sendmail</name>
<value>/usr/lib/sendmail -t </value>

What is the ca email address?

<name>service_mail_account</name>
<value>ca@marwan.ma</value>

A link to your CA's policy:

<name>policy_link</name>
<value>http://ca.marwan.ma/pki/pub/policy.html</value>

The value must be the same as indicated in the CP/CPS, be careful!!
Here is the database configuration:

        <option>
            <name>dbmodule</name>
            <!-- you can use DB or DBI -->
            <value>DBI</value>
        </option>
        <option>
            <name>db_type</name>
            <value>mysql</value>
        </option>
        <option>
            <name>db_name</name>
            <value>openca</value>
        </option>
        <option>
            <name>db_host</name>
            <value>ra.marwan.ma</value>
        </option>
        <option>
            <name>db_port</name>
            <value>3306</value>
        </option>
        <option>
            <name>db_user</name>
            <value>openca_u</value>
        </option>
        <option>
            <name>db_passwd</name>
            <value>database_password</value>
        </option>
        <option>
            <name>db_namespace</name>
            <!--
               a namespace is prefix in front of every table
               Example: table user1
                        ==>
                        select * from user1.certificate;
               This is not required for MySQL, PostgreSQL and IBM DB2.
               Nevertheless all supported database can use such namespaces
               and it is the default behaviour of Oracle. Oracle uses as
               namespace usually the name of the database.
              -->
            <value>openca</value>
        </option>

We need activate LOAS (Levels of Authentication):

 <option>
      <name>USE_LOAS</name>
      <value>yes</value>
</option>

Now for a very important part, the dataexchange. For the Ofline machine comment the "no dataexchange configuration" and uncomment the "acts as CA only" section. For the Online machine also comment the "no dataexchange configuration" but uncomment the "acts as RA only" section.

We also have to configure the way we exchage data between Offline and Online machine (will add details later).

  <option>
      <name>dataexchange_device_up</name>
      <value>/tmp/fd0</value>
    </option>
    <option>
       <name>dataexchange_device_down</name>
       <value>/tmp/fd0</value>
    </option>
    <option>
       <name>dataexchange_device_local</name>
       <value>/tmp/openca_local</value>
     </option>

You can dowmlaod the config.xml for the 2 machine (they will be availaibles as soon as possible) :

in CA Machine
wget ftp://serv1.marwan.ma/pub/packages/config_CA.xml
mv /opt/openca/etc/openca/config.xml /opt/openca/etc/openca/config_back.xml 
mv config_CA.xml /opt/openca/etc/openca/config.xml

in RA Machine
wget ftp://serv1.marwan.ma/pub/packages/config_RA.xml
mv /opt/openca/etc/openca/config.xml /opt/openca/etc/openca/config_back.xml 
mv config_RA.xml /opt/openca/etc/openca/config.xml

When you are finished editing config.xml you have to apply the content of config.xml to the appropriate templates to create the "real" config files:

cd /opt/openca/etc/openca
./configure_etc.sh

Configure the Offline machine

OK. Now is the time to start the openca service for the first time and use the web interface:

service openca start

Point your browser to https://your_hostname/ca. You will be prompted to trust a server certificate. This certificate was created when installing the apache package and it is self-signed. We will exchange it later. Trust it for now.

Login with the default login/password root/root.

At this stage if every think is Ok you shoud access the CA interface of OpenCA

Next configuration will be availaible as soon as possible !!!

• config.xml: config.xml