Yes, it is possible. Go to an RA interface. Go to the certificate which you want to revoke. View the certificate. Click on revoke and fill out the form. You have now created the initial CRR to revoke the certificate.
This message appears if one of the configuration files of the new role already exists. Please check the files in the directories OPENCADIR/etc/openssl/extfiles and OPENCADIR/etc/openssl/openssl.
Check that the configuration option OPENSSL is set to the correct path. It must be the binary of OpenSSL. You have to verify all files in OPENCADIR/etc/servers/.
You are using OpenSSL 0.9.6 but you must use 0.9.7. The use of 0.9.6 can cause inconsistent data. Normally OpenCA cannot be installed if OpenSSL 0.9.7 is not present. So please check the path to the OpenSSL binary in the configuration files. The option is OPENSSL in all files in OPENCADIR/etc/servers/.
Please check the settings in etc/servers/DBI.conf because this happens if IBM's software cannot find the libraries and databases.
it is now possible to create usable packages
you can configure the PKI after the installation
docbook based documentation
integrated access control
secure export of private keys via the public interface
several LDAP improvements
key sizes are now selectable for IE users too
much better CSR editing
additional attributes for requests (e.g. telephone numbers)
menu generation via XML configuration file
SCEP support
warnings for expiring certificates
more (and explicit) download formats for certificates
subject verification for PKCS#10 requests
logging support
Mozilla doesn't implement crypto.signForm or anything else to sign HTML forms. There is a really good patch, or rather bugfix, for Mozilla, but it is not included in the releases. You can find a patched Mozilla at WaMCom.org. The patch can be viewed at Mozilla. The bug ID is 29152. We don't know why it takes so long to fix such a small security problem, but until now we can only recommend using the Mozilla version from WaMCom.org.
There is a second fix for this problem: secclab. This is a plugin which is available from mozdev.org, but until now it is not stable enough to be supported by us. If it is stable and Mozilla still doesn't support crypto.signForm then we will support secclab.
KDE doesn't include any functionality to sign HTML forms until now. So this feature is not supported for KDE.
It is an uncompressed tar file. The name of the file which contains the CA certificate is cacert.pem. The format of the file is PEM (sometimes called CRT or base64 encoded).
If you try to create a CRL, to issue a certificate or to revoke a certificate and it fails, then you should get an error message from OpenSSL. If the error message includes the string entry 1: invalid expiry date then the database file index.txt is damaged. The easiest solution is to go to the backup and recovery area of the node management interface. There you can use the link which starts the rebuilding of the OpenSSL files. After this operation the OpenSSL files are correct again.
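A read-only check that locates damaged entries in a copy of index.txt before the rebuild is started, as an added example that is not part of OpenCA. It assumes the usual layout of OpenSSL's text database (six tab-separated fields per entry); the function names and the sample entries are constructed, and the entry numbers it reports count from 1 like the number in OpenSSL's message.

```python
import re
from datetime import datetime

# Assumed layout (OpenSSL "ca" text database): six TAB-separated fields:
# status, expiry date, revocation date, serial (hex), file name, subject DN.
FORMATS = {13: "%y%m%d%H%M%SZ", 15: "%Y%m%d%H%M%SZ"}  # UTCTime, GeneralizedTime

def valid_time(value):
    """True if value is a well-formed UTCTime or GeneralizedTime string."""
    fmt = FORMATS.get(len(value))
    if fmt is None or not re.fullmatch(r"\d+Z", value):
        return False
    try:
        datetime.strptime(value, fmt)
        return True
    except ValueError:
        return False

def check_index(text):
    """Return (entry_number, problem) pairs; entries are numbered from 1."""
    problems = []
    for n, line in enumerate(text.splitlines(), start=1):
        fields = line.split("\t")
        if len(fields) != 6:
            problems.append((n, "expected 6 fields, found %d" % len(fields)))
            continue
        status, expiry, revoked, serial = fields[:4]
        if status not in ("V", "R", "E"):
            problems.append((n, "unknown status %r" % status))
        if not valid_time(expiry):
            problems.append((n, "invalid expiry date %r" % expiry))
        # A revoked entry carries a revocation time, optionally ",reason".
        if status == "R" and not valid_time(revoked.split(",", 1)[0]):
            problems.append((n, "invalid revocation date %r" % revoked))
        if not re.fullmatch(r"[0-9A-Fa-f]+", serial):
            problems.append((n, "serial is not hexadecimal: %r" % serial))
    return problems

# Constructed sample entries; entry 3 has a truncated expiry date.
SAMPLE = (
    "V\t041229183259Z\t\t01\tunknown\t/O=Example/CN=Constructed User 1\n"
    "R\t041229183259Z\t040101120000Z\t02\tunknown\t/O=Example/CN=Constructed User 2\n"
    "V\t0412291832\t\t03\tunknown\t/O=Example/CN=Constructed User 3\n"
)

if __name__ == "__main__":
    for number, problem in check_index(SAMPLE):
        print("entry %d: %s" % (number, problem))
```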
If you imported the certificate of another user and try to send him an encrypted email then it can happen that this doesn't work with Outlook and Outlook Express. The reason is that the person must be present in your contacts. The best way to add the person to your contacts is to take a signed email and import the user from this email to your contacts.
There are several reasons why Outlook freezes, but one of them is a signed email in combination with an antivirus program. Some time ago one user reported a frozen Outlook in combination with an antivirus program from Kaspersky. As is often the case with Microsoft programs, it is not clear why Outlook crashes and who made the mistake and introduced a bug into their program.
Example E.1. General error 6751 during certificate issuing
Error 6751 General Error. Error while issuing Certificate to CA Services some.host.com (filename: /usr/local/openca/var/tmp/04.req). OpenCA::OpenSSL returns errocode 7731071 (OpenCA::OpenSSL->issueCert: OpenSSL fails (256).)..
Example E.2. Bad passphrase error log during certificate issuing
[Mon Dec 29 18:32:59 2003] [error] [client 192.168.1.38] unable to load CA private key, referer: http://ca.localhosts.com/cgi-bin/ca/ca?cmd=viewCSR;dataType=APPROVED_REQUEST;key=1312
[Mon Dec 29 18:32:59 2003] [error] [client 192.168.1.38] 18685:error:06065064:digital envelope routines: EVP_DecryptFinal:bad decrypt:evp_enc.c:438:, referer: http://ca.localhosts.com/cgi-bin/ca/ca?cmd=viewCSR;dataType=APPROVED_REQUEST;key=1312
[Mon Dec 29 18:32:59 2003] [error] [client 192.168.1.38] 18685:error:0906A065:PEM routines: PEM_do_header:bad decrypt:pem_lib.c:421:, referer: http://ca.localhosts.com/cgi-bin/ca/ca?cmd=viewCSR;dataType=APPROVED_REQUEST;key=1312
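The pattern in Example E.2, a key-loading failure accompanied by OpenSSL "bad decrypt" errors, can be picked out of the web server error log automatically. The following is an added example, not part of OpenCA: it parses the Apache prefix and the OpenSSL error-queue fields, and the function name and the fourth sample entry are constructed.

```python
import re

# Apache error_log line: [time] [error] [client ip] message[, referer: url]
APACHE = re.compile(r"^\[(?P<time>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] "
                    r"(?P<msg>.*?)(?:, referer: \S+)?$")
# OpenSSL error queue entry: pid:error:code:library:function:reason:file:line:
OSSL = re.compile(r"^\d+:error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):\s*"
                  r"(?P<func>[^:]+):(?P<reason>[^:]+):[^:]+:\d+:")

def triage(log_text):
    """Group key-loading failures per (time, client) and name the likely cause."""
    events = {}
    for raw in log_text.splitlines():
        line = APACHE.match(raw.strip())
        if not line:
            continue
        ossl = OSSL.match(line["msg"])
        key_failed = "unable to load CA private key" in line["msg"]
        if not (ossl or key_failed):
            continue  # unrelated error_log entry
        event = events.setdefault((line["time"], line["client"]),
                                  {"key_failed": False, "errors": []})
        event["key_failed"] = event["key_failed"] or key_failed
        if ossl:
            event["errors"].append((ossl["func"], ossl["reason"]))
    report = []
    for (time, client), event in events.items():
        reasons = {reason for _, reason in event["errors"]}
        # The page labels key-load failure plus "bad decrypt" as a bad passphrase.
        if event["key_failed"] and "bad decrypt" in reasons:
            cause = "bad CA passphrase"
        else:
            cause = "unclassified OpenSSL failure"
        report.append((time, client, cause, [f for f, _ in event["errors"]]))
    return report

# The three entries of Example E.2 plus one constructed, unrelated entry.
PREFIX = "[Mon Dec 29 18:32:59 2003] [error] [client 192.168.1.38] "
REFERER = (", referer: http://ca.localhosts.com/cgi-bin/ca/ca"
           "?cmd=viewCSR;dataType=APPROVED_REQUEST;key=1312")
SAMPLE = "\n".join([
    PREFIX + "unable to load CA private key" + REFERER,
    PREFIX + "18685:error:06065064:digital envelope routines: "
             "EVP_DecryptFinal:bad decrypt:evp_enc.c:438:" + REFERER,
    PREFIX + "18685:error:0906A065:PEM routines: PEM_do_header:"
             "bad decrypt:pem_lib.c:421:" + REFERER,
    "[Mon Dec 29 18:40:00 2003] [error] [client 192.0.2.7] constructed unrelated entry",
])
```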
This defines all necessary steps for a new release and is mandatory for release candidates too. Steps which are only mandatory for normal releases or release candidates are marked.
Go to CVS module directory openca-0.9
Edit Makefile.devel and fix the minor release
Commit Makefile.devel
cd ..
cvs tag -R openca_V_E_R_S_I_O_N openca-0.9
cd openca-0.9
make -f Makefile.devel dist
scp openca-0.9.2*.tar.gz username@ftp.openca.org:ftp/releases/
ftp upload.sf.net
Login: anonymous
Passwd: your email address
cd incoming
put openca-0.9.2*.tar.gz
Go to sourceforge.net and release the file for project openca
Add a release for OpenCA at freshmeat.net
Add news message to news area of OpenCA.org
Send a mail to openca-users, openca-devel, openca-announce