# OpenCA installation on Gentoo?

## swimgeek

Hi,

Does anyone have a successful OpenCA installation running on Gentoo? If yes, which ebuilds did you use? When I do

```
emerge -s openca
```

all I get is a list of perl modules. Does this mean that there are no ebuilds for an openca release? Or if anyone else has built openca on gentoo, can you please list what ebuilds you used from gentoo and which parts you compiled from the openca release?

thanks!

----------

## dionysios

Did you ever receive an answer for this?  I'm wondering the same thing myself.

Thanks!

----------

## swimgeek

Actually no. Right now X on my system is borked so I can't go about installing it. Once I have X fixed, I'll report back about my exploits :)

----------

## dionysios

Ahh well. I may take a stab at it - I'm not sure that it'll do what I'm looking for.

Thanks anyways!

----------

## johabba

I'm going to tackle this one sometime this weekend. I'll report back with my success or failure... not that I intend to fail :) Basically, I want to use _client certificates_ with my web server. My web server has an SSL cert, but I want to allow access to certain parts of my web site only if you have the correct _client cert_.

Anyways, here are a few links I have found while gathering information. Perhaps someone else will try and will have some input:

1. http://cacert.org/ - FREE root CA. FREE certs for web, email, whatever. I don't want to use this because I don't want to give my personal info. Also part of the reason I want to use certs this way is to protect MY anonymity. For most normal cert usage, I could just use this as my CA and not have to worry about setting up my own.

2. http://tldp.org/HOWTO/SSL-Certificates-HOWTO/index.html - good starting point. No discussion about RA's tho (Registration Authority)

3. http://www.openca.org/openca/docs/ - OpenCA documentation. Seems kinda incomplete to me. Definition of RA, tho...some other good definitions in the glossary.

4. http://openca.results-security.de/ - Notes/rough outline for setting up a CA and an RA. Here I found that the RA should be connected to the 'net to handle certificate requests and the CA SHOULD NOT be connected to the 'net. The CA and RA should be on different machines.

------

I've only been researching this for a couple of days, so I'll throw some ideas/questions to you all.

- The CA only creates the root cert and signs cert requests. Could the CA be just a file kept on a floppy or usb-stick? I don't have enough machines to do this the right way.

- Looks like I'll need a working LDAP for the RA

- OpenCA seems to be a wrapper or interface to openssl commands. Can I accomplish all of this with just openssl commands? I would like to remove the LDAP dependency.

- Can I just make self-signed certs and send them to the users that need to connect? It would be nice to have just one or two certs that many (5 - 10 for my application) users can use, instead of a cert for each user. Easier to revoke just one cert.

Stay tuned...

EDIT: 10/12/04 - I kinda gave up on this and used http://cacert.org/.

----------
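The post above asks whether plain openssl commands are enough and whether the CA could be just a file on removable media. The sketch below is an added example, not part of any post in this thread and not OpenCA code: the CA is only the files `ca.key` and `ca.crt`, it signs one client request, and a certificate it never signed fails verification. The names `demo-ca`, `alice`, `mallory`, the file names, the key size and the validity periods are all assumptions chosen for illustration.

```shell
# Added example: a file-based CA driven by plain openssl commands (all names constructed).

# make_ca DIR: create the root key and self-signed root cert in DIR.
make_ca() {
    mkdir -p "$1"
    # Own minimal config, so nothing depends on the system openssl.cnf.
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = demo-ca
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[client]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$1/ca.cnf" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# issue_client DIR NAME: key + CSR for NAME, then sign the CSR with the CA key.
issue_client() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 90 -extfile "$1/ca.cnf" -extensions client \
        -out "$1/$2.crt" 2>/dev/null
}

# self_signed DIR NAME: a certificate the CA never signed.
self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 -config "$1/ca.cnf" \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# verify_client DIR CERT: true only if CERT chains to DIR/ca.crt as a TLS client cert.
verify_client() {
    openssl verify -CAfile "$1/ca.crt" -purpose sslclient "$2" 2>/dev/null |
        grep -q ': OK$'
}

d=$(mktemp -d) && make_ca "$d" && issue_client "$d" alice && self_signed "$d" mallory
verify_client "$d" "$d/alice.crt" && echo "alice: accepted"
verify_client "$d" "$d/mallory.crt" || echo "mallory: rejected"
rm -rf "$d"
```

Only `ca.crt` has to be present on the web server to check client certificates; `ca.key` is needed only at signing time, which is why it can be kept offline.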

## zephirus

OpenSSH has an example perl script that comes with it and can automate most CA functions (CA.pl)... If you know how, you can even do it all through the command line with openssh... just annoying as hell...

I have set up several CAs in the past couple of years and will be more than happy to discuss this further, and provide assistance to any who need it, but it will have to wait until tomorrow, as I am dog tired...

If there is sufficient interest to warrant it, I would even be happy to write a simple how to for basic CA/CRL functionality as soon as I can find the spare time... (Probably within the next week...)

----------

## itsmarty

*zephirus wrote:*

> If there is sufficient interest to warrant it, I would even be happy to write a simple how to for basic CA/CRL functionality as soon as I can find the spare time... (Probably within the next week...)

I'd definitely like to see anything you have to say on the subject.  I've been muddling through creating a CA (the O'Reilly OpenSSL book has been a big help), but would be very interested in how other people are making it work.

Martin

----------

## jsa

Hello Zephirus, would you find some time and put together a basic OpenCA howto for Gentoo? That would be a big help.

----------

## gtfx123

http://www.disciplina.net/howto/HOWTO-openca.html

Anyone used the instructions @ the above location to set up OpenCA?

----------

