-★出爺;3 posted on 2018-10-16 13:45:04

Setting up OpenCA on Ubuntu-Server-10.04

Setting up an OpenCA platform on Ubuntu-Server-10.04
1. Preparation
*) Refresh the apt sources.
shell> apt-get update
*) Install gcc/g++; the version I installed did not come with gcc by default.
shell> apt-get install g++
*) Root privileges are required.
*) This walkthrough uses OpenCA-1.1.1, which needs a patch before it will start successfully. The patch is described in detail in step 8.

2. Installing MySQL
Install it directly from the package repository.
shell> apt-get install mysql-server
Create the database and the account:
mysql> create database openca;
mysql> grant all on openca.* to 'opencaadmin'@'localhost' identified by 'opencasecret';
mysql> exit
The grant needs an identified by clause carrying the same password that ./configure is given as --with-db-passwd in step 6; without it the account is created with an empty password. The host part should be localhost rather than the wildcard '%': OpenCA is configured with --with-db-host=localhost, so a wildcard would only serve to let this account be used from other machines.

3. Installing the Apache server
mod_ssl must be enabled, so pass --enable-ssl to configure. That requires libssl, so install libssl and libssl-dev first:
shell> apt-get install libssl0.9.8 libssl-dev
shell> tar -xf httpd-2.2.23.tar.gz
shell> cd httpd-2.2.23
shell> ./configure --prefix=/usr/local/httpd --enable-ssl
shell> make
shell> make install

4. Installing OpenSSL
(This step is actually unnecessary, since OpenSSL is already present by default; only install it if OpenSSL is missing.)
shell> tar -xf openssl-1.0.1c.tar.gz
shell> cd openssl-1.0.1c
shell> ./config --prefix=/usr/local/openssl
shell> make
shell> make install
Next, copy the directories and files under /usr/local/openssl into the corresponding system directories, e.g. etc -> /etc and lib -> /usr/lib. The commands are not listed here. Be aware that copying lib into /usr/lib mixes a self-built OpenSSL with the distribution's libssl packages (which the Apache built in step 3 links against) and makes later apt security updates unreliable; since the step is unnecessary when OpenSSL is already present, prefer to skip it.

5. Installing OpenCA-tools
shell> tar -xf openca-tools-1.3.0.tar.gz
shell> cd openca-tools-1.3.0
shell> ./configure --prefix=/usr/local/openca-tools
shell> make
shell> make install
Link the command-line tools into /usr/bin. They were installed under the --prefix given above, so the links must point at /usr/local/openca-tools/bin (not at the OpenSSL prefix):
shell> ln -s /usr/local/openca-tools/bin/openca-sv /usr/bin/openca-sv
shell> ln -s /usr/local/openca-tools/bin/openca-crmf /usr/bin/openca-crmf
shell> ln -s /usr/local/openca-tools/bin/openca-scep /usr/bin/openca-scep

6. Installing OpenCA-base
shell> tar -xf openca-base-1.1.1.tar.gz
shell> cd openca-base-1.1.1
shell> ./configure --prefix=/usr/local/openca-base \
  --with-httpd-user=daemon \
  --with-httpd-group=daemon \
  --with-httpd-fs-prefix=/usr/local/httpd \
  --with-htdocs-fs-prefix=/usr/local/httpd/htdocs/pki \
  --with-db-type=mysql \
  --with-db-host=localhost \
  --with-db-port=3306 \
  --with-db-name=openca \
  --with-db-user=opencaadmin \
  --with-db-passwd=opencasecret
shell> make
Notes on the configure parameters: httpd-fs-prefix is the Apache installation directory; htdocs-fs-prefix is Apache's static document directory (it can be pointed at a directory other than Apache's default, in which case httpd.conf has to be configured accordingly). db-host is the MySQL server host, db-port the port, db-name the OpenCA database name, db-user the MySQL user name and db-passwd the MySQL password. Passing the password on the command line leaves it in the shell history and in the generated config.status and config.log, so clear it from those on a real CA host.

Once make has finished, look at the installation targets first:
shell> make help
Targets:
  [default]        make everything
                   make everything CA server
                   make everything RA and public server
                   make everything documentation
Install targets (bundles):
  install-offline  install all offline components (common, modules, ca, batch and node)
  install-online   install all online components (common, modules, ra, pub, ldap and node)
  (ext)            install RA and public server components
Install targets (individual components):
                   install batch system components
                   install CA components
                   install all common components (for package builds)
                   install all perl modules (for package builds)
                   install LDAP components
                   install administration components
                   install public server components
                   install RA server components
                   install scep server components
                   install documentation
                   remove everything created by make
                   like clean, plus remove everything created by ./configure
Development:
                   build distribution package
                   build rpm
(Only the descriptions are reproduced here; the two bundle targets used below are install-offline and install-online, and the third bundle is ext.)
As shown above, the installation targets come at two levels: the coarse online/offline/ext bundles, and the individual components. The test here runs on a single machine, so both online and offline are installed. On a production deployment the offline components (the CA and its signing key) belong on a separate machine from the online RA and public servers; installing both on one host is only for this test.
shell> make install-online
shell> make install-offline

7. [Configuration 01] OpenCA
shell> cd /usr/local/openca-base/etc/openca
shell> ./configure_etc.sh
shell> cd /usr/local/openca-base/var/openca/log/
shell> chown -R daemon:daemon /usr/local/openca-base/var
shell> chown -R daemon:daemon /usr/local/openca-base/etc
Note: daemon:daemon is the User and Group specified in the Apache configuration file. The two chown operations above are there to make sure the var and etc directories belong to daemon:daemon; during my test installs I occasionally found that var and etc were not owned by daemon:daemon after the installation had completed.

8. [Configuration 02] OpenCA patch
If you start OpenCA at this point, the following error occurs:
shell> /usr/local/openca-base/etc/init.d/openca start
[error message]
Bareword "ERR_USER_STATUS_UNKNOWN" not allowed while "strict subs" in use at /usr/local/openca-base/lib/openca/perl_modules/perl5/OpenCA/User.pm line 372, line 275.
Compilation failed in require at /usr/local/openca-base/lib/openca/functions/initServer line 44, line 275.
BEGIN failed--compilation aborted at /usr/local/openca-base/lib/openca/functions/initServer line 44, line 275.
Compilation failed in require at /usr/local/openca-base/etc/openca/openca_start line 65, line 275.
This is a bug in version 1.1.1; the project published a fix, available via http://www.openca.org/mirrors.shtml
Pick a mirror on that page, go to openca-base/fixes/v1.1.1/err_user_unknown and download the two files User.pm and initServer. Replace the existing files with them; their locations are:
shell> cp User.pm /usr/local/openca-base/lib/openca/perl_modules/perl5/OpenCA/User.pm
shell> cp initServer /usr/local/openca-base/lib/openca/functions/initServer
The mirror download is plain HTTP and both files are Perl that will run as the CA, so diff each one against the installed copy before overwriting it and confirm that the only change is the fix for the error above.

9. [Start-up test]
shell> cd /usr/local/httpd/
shell> bin/apachectl start
shell> cd /usr/local/openca-base/etc/
shell> init.d/openca start
Note: the first time openca is started you have to set a password, which is required from then on to access the web management pages (the user name defaults to admin and can be set in /usr/local/openca-base/etc/openca/config.xml).
For testing, visit http://localhost/pki/ca
This is plain http: --enable-ssl only built mod_ssl, and an SSL virtual host covering /pki still has to be configured in httpd.conf before the admin password and the RA/CA pages are served over https, which they should be for anything beyond a local test.
(Further configuration and use of OpenCA will be discussed next.)