Hi all,
Can anybody inform me whether the "RedHat Certificate System" or actually a CentOS equivalent is available for CentOS? Just skimmed on a download site through the RPMs for 5.3 and I couldn't find it. According to their press release, the code should be GPL, although I can't find any RPM for RH, FC or CentOS.
It seems that this is one of the few CA packages for large-scale deployment of certificates. Only alternative AFAIK is OpenCA, which seems to be hardly maintained... (binaries on their site are old, and source code yields lots of errors during build).
Defensie/CDC/IVENT/Research en Innovation Centrum Ing J. (Hans) Witvliet Systeembeheer, CAcert-assurer T 0174-539053 mailto:j.witvliet@mindef.nl Coldenhovelaan 1, 3155RC Maasland, kamer A109
J.Witvliet@MINDEF.NL wrote:
> Hi all,
> Can anybody inform me whether the "RedHat Certificate System" or actually a CentOS equivalent is available for CentOS? Just skimmed on a download site through the RPMs for 5.3 and I couldn't find it. According to their press release, the code should be GPL, although I can't find any RPM for RH, FC or CentOS.
> It seems that this is one of the few CA packages for large-scale deployment of certificates. Only alternative AFAIK is OpenCA, which seems to be hardly maintained... (binaries on their site are old, and source code yields lots of errors during build).
You can try ejbca (.sf.net).
In CA-land, few things are plug-and-play.
Rainer
Quoting J.Witvliet@MINDEF.NL:
> Hi all,
> Can anybody inform me whether the "RedHat Certificate System" or actually a CentOS equivalent is available for CentOS? Just skimmed on a download site through the RPMs for 5.3 and I couldn't find it. According to their press release, the code should be GPL, although I can't find any RPM for RH, FC or CentOS.
> It seems that this is one of the few CA packages for large-scale deployment of certificates. Only alternative AFAIK is OpenCA, which seems to be hardly maintained... (binaries on their site are old, and source code yields lots of errors during build).
The Fedora version of RHCS is called Dogtag
http://pki.fedoraproject.org/wiki/PKI_Main_Page
You might have to modify/rebuild their SRPMS.
Barry
a few months ago, Barry Brimer wrote...
> The Fedora version of RHCS is called Dogtag
> http://pki.fedoraproject.org/wiki/PKI_Main_Page
> You might have to modify/rebuild their SRPMS.
has anyone rebuilt this for CentOS5 yet?
it's quite a few packages, and I'd hate to dive into trying to rebuild it all myself and sort out the differences if this has already been done and is parked on a repository.
much like the original poster back in April, I'm interested in prototyping something that may eventually be deployed with RH Certificate Services..
John R Pierce wrote:
> a few months ago, Barry Brimer wrote...
> > The Fedora version of RHCS is called Dogtag
> > http://pki.fedoraproject.org/wiki/PKI_Main_Page
> > You might have to modify/rebuild their SRPMS.
> has anyone rebuilt this for CentOS5 yet?
> it's quite a few packages, and I'd hate to dive into trying to rebuild it all myself and sort out the differences if this has already been done and is parked on a repository.
I spent pretty much all afternoon and think I've got it built correctly from the RHCS sources on ftp.redhat.com using CentOS 5.3 x86_64...
in a nutshell.
1) yum install the following prerequisites...

    yum install nss-devel pcsc-lite-devel
    yum install fontconfig-devel freetype-devel glib2-devel libIDL-devel atk-devel gtk2-devel libjpeg-devel pango-devel libpng-devel
    yum install autoconf213 libX11-devel libXt-devel xulrunner-devel coolkey-devel libnotify-devel dbus-devel
    yum install java-devel java-devel-openjdk httpd-devel apr-devel apr-util-devel
    yum install ant sqlite-devel mozldap-devel svrcore-devel selinux-policy-devel pcre-devel
    yum install ldapjdk xerces-j2 perl-XML-LibXML perl-Crypt-SSLeay perl-XML-SAX mozldap-tools
    yum install eclipse-ecj tomcat5 velocity idm-console-framework
    yum install rhgb perl-XML-Parser perl-XML-Simple
2) download and install all these .src.rpm's from ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/RHCERT/SRPMS/ (32 of them...)

    coolkey-1.1.0-9.el5.src.rpm
    esc-1.1.0-9.el5.src.rpm
    jss-4.2.6-4.el5idm.src.rpm
    mod_nss-1.0.8-1.el5idm.src.rpm
    osutil-1.1.0-30.el5pki.src.rpm
    perl-DBD-SQLite-1.12-6.el5idm.src.rpm
    perl-Parse-RecDescent-1.94-5.3.el5idm.src.rpm
    pki-ca-8.0.0-21.el5pki.src.rpm
    pki-common-8.0.0-16.el5pki.src.rpm
    pki-console-8.0.0-13.el5pki.src.rpm
    pki-java-tools-8.0.0-17.el5pki.src.rpm
    pki-kra-8.0.0-20.el5pki.src.rpm
    pki-migrate-8.0.0-17.el5pki.src.rpm
    pki-native-tools-8.0.0-17.el5pki.src.rpm
    pki-ocsp-8.0.0-20.el5pki.src.rpm
    pki-ra-8.0.0-26.el5pki.src.rpm
    pki-selinux-8.0.0-10.el5pki.src.rpm
    pki-setup-8.0.0-18.el5pki.src.rpm
    pki-silent-8.0.0-13.el5pki.src.rpm
    pki-tks-8.0.0-20.el5pki.src.rpm
    pki-tps-8.0.0-29.el5pki.src.rpm
    pki-util-8.0.0-16.el5pki.src.rpm
    redhat-pki-ca-ui-8.0.0-30.el5pki.src.rpm
    redhat-pki-common-ui-8.0.0-21.el5pki.src.rpm
    redhat-pki-console-ui-8.0.0-14.el5pki.src.rpm
    redhat-pki-kra-ui-8.0.0-15.el5pki.src.rpm
    redhat-pki-ocsp-ui-8.0.0-14.el5pki.src.rpm
    redhat-pki-ra-ui-8.0.0-23.el5pki.src.rpm
    redhat-pki-tks-ui-8.0.0-13.el5pki.src.rpm
    redhat-pki-tps-ui-8.0.0-33.el5pki.src.rpm
    symkey-1.1.0-26.el5pki.src.rpm
    tomcatjss-1.1.0-15.el5idm.src.rpm
I used rpmmacros to force these to install to a user $HOME/rpm

    $ cat ~/.rpmmacros
    %_topdir /home/pierce/rpm
    %dist .el5
    %packager John R Pierce pierce@hogranch.com
3) now, the fun begins. you have to build, then install these in batches.
3.a.1) batch 1. cd ~/rpm/SPECS, then for each of these, rpmbuild -bb $1

    coolkey.spec esc.spec jss.spec mod_nss.spec osutil.spec perl-DBD-SQLite.spec perl-Parse-RecDescent.spec pki-migrate.spec pki-native-tools.spec pki-selinux.spec pki-setup.spec redhat-pki-ca-ui.spec redhat-pki-common-ui.spec

3.a.2) install the first batch.

    cd ../RPMS
    rpm -Uvh noarch/redhat-pki-common-ui-8.0.0-21.el5.noarch.rpm noarch/pki-migrate-8.0.0-17.el5.noarch.rpm \
        noarch/pki-selinux-8.0.0-10.el5.noarch.rpm noarch/perl-Parse-RecDescent-1.94-5.3.el5.noarch.rpm \
        noarch/redhat-pki-ca-ui-8.0.0-30.el5.noarch.rpm noarch/pki-setup-8.0.0-18.el5.noarch.rpm \
        x86_64/mod_nss-1.0.8-1.el5.x86_64.rpm x86_64/mod_nss-debuginfo-1.0.8-1.el5.x86_64.rpm \
        x86_64/coolkey-1.1.0-9.el5.x86_64.rpm x86_64/jss-4.2.6-4.el5.x86_64.rpm \
        x86_64/esc-debuginfo-1.1.0-9.el5.x86_64.rpm x86_64/jss-debuginfo-4.2.6-4.el5.x86_64.rpm \
        x86_64/esc-1.1.0-9.el5.x86_64.rpm x86_64/osutil-1.1.0-30.el5.x86_64.rpm \
        x86_64/jss-javadoc-4.2.6-4.el5.x86_64.rpm x86_64/pki-native-tools-8.0.0-17.el5.x86_64.rpm \
        x86_64/coolkey-devel-1.1.0-9.el5.x86_64.rpm x86_64/coolkey-debuginfo-1.1.0-9.el5.x86_64.rpm

3.b) same as above, for the following specs...

    redhat-pki-console-ui.spec redhat-pki-kra-ui.spec redhat-pki-ocsp-ui.spec redhat-pki-ra-ui.spec redhat-pki-tks-ui.spec redhat-pki-tps-ui.spec symkey.spec tomcatjss.spec pki-util.spec

3.c) same as above again, for these...

    pki-common.spec pki-console.spec pki-java-tools.spec

3.d) finally, same as above, one more time. this time, watch the rpm install output carefully, these are launching services that need to be initialized per the URLs in the output.

    pki-silent.spec pki-ca.spec pki-ra.spec pki-tps.spec pki-tks.spec pki-kra.spec pki-ocsp.spec
now comes the fun part. this thing is a bigass complex monster, and I know you need to configure each of the (ca, ra, tps, tks, kra, and ocsp) but I have yet to even figure this out, or verify if any of it is actually working.
someone might consider wikifying this information, I dunno. It took me just about all day to sort out that build/install/build/install order due to all the various dependencies.
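The build/install order from steps 3.a to 3.d above, written as a shell driver; this is an added example, not part of the original post. It assumes the %_topdir from the ~/.rpmmacros shown above and that sudo is available for the install step; the names TOPDIR, DRY_RUN, batch_specs, build_batch and build_all are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original post): build and install the RHCS
# SRPMs in the four dependency batches listed in steps 3.a-3.d.
TOPDIR="${TOPDIR:-$HOME/rpm}"  # assumption: %_topdir from ~/.rpmmacros
DRY_RUN="${DRY_RUN:-1}"        # 1 = only print the commands (default)

# Spec names (without .spec) for batch $1, in the order given in the post.
batch_specs() {
  case "$1" in
    1) echo "coolkey esc jss mod_nss osutil perl-DBD-SQLite" \
            "perl-Parse-RecDescent pki-migrate pki-native-tools" \
            "pki-selinux pki-setup redhat-pki-ca-ui redhat-pki-common-ui" ;;
    2) echo "redhat-pki-console-ui redhat-pki-kra-ui redhat-pki-ocsp-ui" \
            "redhat-pki-ra-ui redhat-pki-tks-ui redhat-pki-tps-ui" \
            "symkey tomcatjss pki-util" ;;
    3) echo "pki-common pki-console pki-java-tools" ;;
    4) echo "pki-silent pki-ca pki-ra pki-tps pki-tks pki-kra pki-ocsp" ;;
    *) return 1 ;;
  esac
}

# In dry-run mode print the command instead of running it.
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Build every spec of one batch, then install only the RPMs that build made.
build_batch() {
  specs=$(batch_specs "$1") || { echo "unknown batch: $1" >&2; return 2; }
  stamp="$TOPDIR/.batch$1.stamp"
  run touch "$stamp"              # marks the start of this batch
  for s in $specs; do
    # A failed build stops here: later batches depend on these packages.
    run rpmbuild -bb "$TOPDIR/SPECS/$s.spec" || return 1
  done
  if [ "$DRY_RUN" = 1 ]; then
    echo "sudo rpm -Uvh <RPMs under $TOPDIR/RPMS newer than $stamp>"
  else
    # Installing needs root; sudo is an assumption of this example.
    find "$TOPDIR/RPMS" -name '*.rpm' -newer "$stamp" \
      -exec sudo rpm -Uvh {} +
  fi
}

# Batch 4 starts services on install; read the rpm output for setup URLs.
build_all() {
  for b in 1 2 3 4; do build_batch "$b" || return $?; done
}

build_all
```

Run as-is it only prints the plan; set DRY_RUN=0 to execute it, as the unprivileged user that owns the rpm build tree.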
On Thu, 6 Aug 2009, John R Pierce wrote:
> I spent pretty much all afternoon and think I've got it built correctly from the RHCS sources on ftp.redhat.com using CentOS 5.3 x86_64...
... nice work, John -- I know you were dragging earlier today, in IRC, when you mentioned this effort
-- Russ herrold
On Fri, 2009-04-24 at 17:22 +0200, J.Witvliet@MINDEF.NL wrote:
> Hi all,
> Can anybody inform me whether the "RedHat Certificate System" or actually a CentOS equivalent is available for CentOS? Just skimmed on a download site through the RPMs for 5.3 and I couldn't find it. According to their press release, the code should be GPL, although I can't find any RPM for RH, FC or CentOS.
> It seems that this is one of the few CA packages for large-scale deployment of certificates. Only alternative AFAIK is OpenCA, which seems to be hardly maintained... (binaries on their site are old, and source code yields lots of errors during build).
Build? Why build? Check out TinyCA2, for which you can find rpms in rpmforge...
-I