Openxpki

Openxpki implementation on med1

Setting up a PKI implementation and web interface on med1. Openxpki was selected because it seemed to fit the openssl-based setup already used on med1 and provides a good enough interface. The major issue seems to be stability: similar projects (open-ca, for example) suffer from limited long-term enthusiasm to keep the code up to date with the supporting software.

Installation

MySQL

As expected, hiccups were encountered. The first was a stale installation of mysql-server, already present on med1, whose root password had been lost. The old installation was removed via

apt-get purge mysql-*

and generic binaries were installed in /usr/share/mysql, which also serves as the home directory of the mysql user. A new mysql cluster was initialised via

$>sudo su mysql
$>cd
$>bin/mysqld --defaults-file=etc/my.cnf --initialize

where the content of etc/my.cnf is roughly:

[mysqld]
basedir=/usr/share/mysql
datadir=/data0/mysql/data
socket=/var/run/mysqld/mysqld.sock
port=3306

The trick is to redirect the default database location to /data0/mysql, which in this case keeps it off the system drive and on the raided disk cluster. Using the temporary root password reported by the --initialize run, I logged in and changed the password.

Openxpki

Perform the dependency installation. I omitted mysql-server (the cluster above is used instead) but installed everything else. Running openxpkiadm reports:

$>openxpkiadm version
Version (core): 2.0.3

Setup

Initial setup

Execute the commands from the instructions in the mysql client:

CREATE DATABASE openxpki CHARSET utf8;
CREATE USER 'openxpki'@'localhost' IDENTIFIED BY 'openxpki';
ALTER USER 'openxpki'@'localhost' IDENTIFIED WITH mysql_native_password BY 'openxpki';
GRANT ALL ON openxpki.* TO 'openxpki'@'localhost';
FLUSH PRIVILEGES;

Verify the settings in the database yaml (where has the xml gone?):

main:
   debug: 0
   type: MySQL
   name: openxpki
   host: localhost
   port: 3306
   user: openxpki
   passwd: openxpki

More setup in mysql, loading the schema packed with openxpki:

zcat /usr/share/doc/libopenxpki-perl/examples/schema-mysql.sql.gz | \
     mysql -u root --password --database openxpki
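The grant statements above and the yaml stanza above both carry the password as a literal, and the two have to agree. Below is an added example (my own Go, not from this page or from the openxpki project): it draws one random secret from crypto/rand, renders both the SQL sequence and the database.yaml stanza from it, and audits a stanza for the weaknesses a reviewer would flag (password equal to the user name, debug left on, host not local while the grant is restricted to @'localhost'). The function names and the 16-character minimum are my own choices.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// dbCreds holds the values that must agree between the SQL grant statements
// and the database.yaml stanza; both are rendered from this one struct.
type dbCreds struct {
	Name, Host, User, Passwd string
	Port                     int
}

// newPassword draws 24 random bytes from crypto/rand and returns them as a
// 32-character URL-safe base64 string (no quotes, no YAML-significant chars).
func newPassword() (string, error) {
	b := make([]byte, 24)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// renderSQL emits the CREATE USER / GRANT sequence from the page, with the
// generated secret in place of the literal 'openxpki'.
func renderSQL(c dbCreds) string {
	pw := strings.ReplaceAll(c.Passwd, "'", "''") // defensive: never break the SQL literal
	return fmt.Sprintf(
		"CREATE DATABASE %[1]s CHARSET utf8;\n"+
			"CREATE USER '%[2]s'@'%[3]s' IDENTIFIED BY '%[4]s';\n"+
			"ALTER USER '%[2]s'@'%[3]s' IDENTIFIED WITH mysql_native_password BY '%[4]s';\n"+
			"GRANT ALL ON %[1]s.* TO '%[2]s'@'%[3]s';\n"+
			"FLUSH PRIVILEGES;\n",
		c.Name, c.User, c.Host, pw)
}

// renderYAML emits the database stanza in the layout shown on the page.
func renderYAML(c dbCreds) string {
	return fmt.Sprintf(
		"main:\n   debug: 0\n   type: MySQL\n   name: %s\n   host: %s\n   port: %d\n   user: %s\n   passwd: %s\n",
		c.Name, c.Host, c.Port, c.User, c.Passwd)
}

// auditYAML reads the flat "key: value" stanza (the shape on the page, so no
// YAML library is needed) and returns the findings a reviewer would raise.
func auditYAML(text string) []string {
	kv := map[string]string{}
	for _, line := range strings.Split(text, "\n") {
		parts := strings.SplitN(strings.TrimSpace(line), ":", 2)
		if len(parts) != 2 {
			continue
		}
		kv[strings.TrimSpace(parts[0])] = strings.TrimSpace(parts[1])
	}
	var findings []string
	if pw := kv["passwd"]; pw == "" || pw == kv["user"] || len(pw) < 16 {
		findings = append(findings, "passwd is empty, equals the user name, or is shorter than 16 characters")
	}
	if kv["debug"] != "0" {
		findings = append(findings, "debug is not 0; leave it off outside troubleshooting")
	}
	if h := kv["host"]; h != "localhost" && h != "127.0.0.1" {
		findings = append(findings, "host is remote, but the grant is limited to 'openxpki'@'localhost'")
	}
	return findings
}

func main() {
	pw, err := newPassword()
	if err != nil {
		panic(err)
	}
	c := dbCreds{Name: "openxpki", Host: "localhost", Port: 3306, User: "openxpki", Passwd: pw}
	fmt.Print(renderSQL(c))
	fmt.Print(renderYAML(c))
	// The page's own stanza, constructed inline, trips the password check.
	page := "main:\n   debug: 0\n   type: MySQL\n   name: openxpki\n   host: localhost\n   port: 3306\n   user: openxpki\n   passwd: openxpki\n"
	fmt.Println("findings for the page's stanza:", auditYAML(page))
}
```

Run it once, paste the SQL into the mysql client and the stanza into the database yaml, and the two cannot drift apart; rerun auditYAML on the file after any later hand edit.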

Set the certificates

To allow for a smooth transition I am keeping the tomcat8CA root certificate in place. This corresponds to ca-root-1.crt in the openxpki instructions.

Following the instructions, I generate a signing certificate under the CA, which will be inserted into the openxpki scheme. It is just a standard user certificate with two distinctions:
- no email
- as the subject, I put: tomcat8A Openxpki signing 1

~andrej/scripts/generate_openxpkiCert_selfsigned.sh openxpki-scep-generic-1 \
    '/DC=net/DC=openxpki/DC=ca-generic/CN=OpenXPKI-SCEP-Generic-1'
~andrej/scripts/generate_openxpkiCert_selfsigned.sh openxpki-dataVault-generic-1 \
    '/DC=net/DC=openxpki/DC=ca-generic/DC=OpenXPKI-Internal/CN=OpenXPKI-DataVault-Generic-1'

Starting to import the certificates. Root first, then the signing certificate into its realm as the certsign token:

openxpkiadm certificate import --file /etc/ssl/tomcat8CA/signing-ca-1.crt
openxpkiadm certificate import --file /home/pkiadm/cert/tomcat8A-signing-1.crt --realm ca-one --token certsign
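Before the second import, the signing certificate should actually chain to the root imported first and be a CA that is allowed to sign (basicConstraints CA:TRUE, keyUsage keyCertSign); a certificate that does not will not work as the certsign token. Below is an added example in Go (standard library only; my own code, not from this page or from the openxpki project): it constructs a throwaway root and a signing CA under it, runs those checks as checkSigningCert, and also shows that a self-signed signing certificate, which a script named generate_openxpkiCert_selfsigned.sh might produce, fails the chain check. The names, serials and lifetimes are made up; point checkSigningCert at the real signing-ca-1.crt and tomcat8A-signing-1.crt files instead.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// makeCA issues a CA certificate for cn. With parent == nil it is self-signed
// (the root); otherwise it is signed by parent (the signing CA). pathLen 1
// lets the root issue one CA below it, pathLen 0 restricts the signing CA to
// end-entity certificates. Constructed test material, not the med1 CA.
func makeCA(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, serial int64, pathLen int) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(5 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		MaxPathLen:            pathLen,
		MaxPathLenZero:        pathLen == 0,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	signer, signKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), key, nil
}

// parsePEM returns the first CERTIFICATE block of a PEM file as a parsed cert.
func parsePEM(b []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(b)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block in PEM input")
	}
	return x509.ParseCertificate(block.Bytes)
}

// checkSigningCert is the pre-import check: both files parse, the signing
// certificate is a CA permitted to sign certificates, and it chains to the
// given root (and only to that root, since the pool contains nothing else).
func checkSigningCert(rootPEM, signPEM []byte) error {
	root, err := parsePEM(rootPEM)
	if err != nil {
		return fmt.Errorf("root: %w", err)
	}
	sign, err := parsePEM(signPEM)
	if err != nil {
		return fmt.Errorf("signing cert: %w", err)
	}
	if !sign.BasicConstraintsValid || !sign.IsCA {
		return errors.New("signing cert lacks basicConstraints CA:TRUE")
	}
	if sign.KeyUsage&x509.KeyUsageCertSign == 0 {
		return errors.New("signing cert keyUsage lacks keyCertSign")
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err = sign.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

func main() {
	rootPEM, rootKey, err := makeCA("ca-root-1 (constructed)", nil, nil, 1, 1)
	if err != nil {
		panic(err)
	}
	root, _ := parsePEM(rootPEM)
	signPEM, _, err := makeCA("tomcat8A Openxpki signing 1 (constructed)", root, rootKey, 2, 0)
	if err != nil {
		panic(err)
	}
	fmt.Println("signing cert issued by root:", checkSigningCert(rootPEM, signPEM))
	selfPEM, _, _ := makeCA("tomcat8A Openxpki signing 1 (constructed)", nil, nil, 3, 0)
	fmt.Println("self-signed signing cert:", checkSigningCert(rootPEM, selfPEM))
}
```

The first line prints nil, the second a "certificate signed by unknown authority" error; only a certificate that passes this check belongs in the --realm ca-one --token certsign import.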

Tried to follow the documentation on realms handling and on how to integrate openxpki with the ssl base. And failed. Probably the best way is to somehow use labkey to store issued certificates and think of a delivery service where the root-ca signer doesn't have privileges to manipulate the generated certificate.
