Discussion:
[Openca-Users] SCEP + Cisco PIX: certificate request is rejected
Kurt Hockenmaier
2006-03-06 18:06:01 UTC
Hi all,

I've been searching for hours, but I can't find the problem so you are
my last chance...

Here is my setup:
openca-0.9.2.4, RA and CA on one machine
PIX OS Rel. 6.3 configured with
ca identity xen-ca 172.16.2.249:/cgi-bin/scep/scep
ca configure xen-ca ra 1 20 crlopt

I'm trying to get a certificate for the Pix, ca authenticate seems to
work well:

home-pix(config)# ca authen xen-ca

CI thread sleeps!
Crypto CA thread wakes up!
home-pix(config)# onnection opened
CI thread wakes up!
CRYPTO_PKI: WARNING: A certificate chain could not be constructed while
selecting certificate status

CRYPTO_PKI: Name: Serial Number = 4, CN = SCEP, OU = Trustcenter, O =
XEN Test RA, C = DE
CRYPTO_PKI: transaction GetCACert completed
CRYPTO_PKI: Name: Serial Number = 4, CN = SCEP, OU = Trustcenter, O =
XEN Test RA, C = DE
Crypto CA thread
sleeps!

home-pix(config)# sh ca cer
CA Certificate
Status: Available
Certificate Serial Number: 81f4e601e028cef6
Key Usage: General Purpose
EA = ***@xen-ca
CN = CA selfsig Cert
OU = Home Lab
O = XEN-CA
C = DE
Validity Date:
start date: 22:40:59 UTC Mar 3 2006
end date: 22:40:59 UTC Feb 26 2026

RA General purpose Certificate
Status: Available
Certificate Serial Number: 04
Key Usage: General Purpose
Serial Number = 4
CN = SCEP
OU = Trustcenter
O = XEN Test RA
C = DE
Validity Date:
start date: 23:21:15 UTC Mar 3 2006
end date: 23:21:15 UTC Nov 18 2025


But as you can see below, the enrollment is failing with the PIX message
'CRYPTO_PKI: status = 101: certificate request is rejected'
and no CSR can be found within the RA.


home-pix(config)# ca enroll xen-ca ipaddress
%
% Start certificate enrollment ..

% The subject name in the certificate will be: home-pix.home.de
CI thread sleeps!
Crypto CA thread wakes up!
% Certificate request sent to Certificate Authority
% The certificate request fingerprint will be displayed.
home-pix(config)#
111008: User 'enable_15' executed the 'ca enroll xen-ca *' command.

CRYPTO_PKI: transaction PKCSReq completed
CRYPTO_PKI: status:
Crypto CA thread sleeps!
CRYPTO_PKI: http connection opened
CRYPTO_PKI: received msg of 3818 bytes
CRYPTO_PKI: WARNING: Certificate, private key or CRL was not found while
selecting CRL
CRYPTO_PKI: WARNING: Certificate, private key or CRL was not found while
selecting CRL

CRYPTO_PKI: signed attr: pki-message-type:
13 01 33
CRYPTO_PKI: signed attr: pki-status:
13 01 32
CRYPTO_PKI: signed attr: pki-recipient-nonce:
04 10 2d 40 d5 7e 8c 13 dc 6e 5b ac bc b3 cf df 25 39
CRYPTO_PKI: signed attr: pki-transaction-id:
13 20 32 32 61 34 38 30 38 64 31 30 63 31 37 32 62 33 38 35
36 66 66 33 32 63 35 34 32 61 61 36 39 32
CRYPTO_PKI: status = 101: certificate request is rejected
CRYPTO_PKI: All enrollment requests completed.


Any hints ?

Best Regards
Kurt
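
An added example (not part of the original posts): a small Python decoder for the `signed attr` hex dumps in the PIX debug output above. The values are DER-encoded; the SCEP code tables come from the SCEP specification (RFC 8894), the function names are this example's own, and the label the PIX would print for a failInfo attribute is an assumption because the post shows none.

```python
import re

# SCEP codes per the SCEP specification (RFC 8894); sent as PrintableStrings.
MESSAGE_TYPES = {"3": "CertRep", "19": "PKCSReq", "20": "GetCertInitial/CertPoll",
                 "21": "GetCert", "22": "GetCRL"}
PKI_STATUS = {"0": "SUCCESS", "2": "FAILURE", "3": "PENDING"}
FAIL_INFO = {"0": "badAlg", "1": "badMessageCheck", "2": "badRequest",
             "3": "badTime", "4": "badCertId"}

# Debug lines copied from the enrollment output in the post above.
PIX_DEBUG = """\
CRYPTO_PKI: signed attr: pki-message-type:
13 01 33
CRYPTO_PKI: signed attr: pki-status:
13 01 32
CRYPTO_PKI: signed attr: pki-recipient-nonce:
04 10 2d 40 d5 7e 8c 13 dc 6e 5b ac bc b3 cf df 25 39
CRYPTO_PKI: signed attr: pki-transaction-id:
13 20 32 32 61 34 38 30 38 64 31 30 63 31 37 32 62 33 38 35
36 66 66 33 32 63 35 34 32 61 61 36 39 32
CRYPTO_PKI: status = 101: certificate request is rejected
"""

ATTR_RE = re.compile(r"^CRYPTO_PKI: signed attr: ([\w-]+):$")
HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2}\s*)+$")


def parse_der_tlv(data):
    """Decode exactly one DER TLV and return (tag, value)."""
    if len(data) < 2:
        raise ValueError("truncated TLV")
    tag, first = data[0], data[1]
    offset = 2
    if first & 0x80:                      # long-form length
        n = first & 0x7F
        if n == 0 or len(data) < 2 + n:
            raise ValueError("bad long-form length")
        length = int.from_bytes(data[2:2 + n], "big")
        offset += n
    else:                                 # short-form length
        length = first
    value = data[offset:offset + length]
    if len(value) != length or offset + length != len(data):
        raise ValueError("length does not match the bytes present")
    return tag, value


def extract_signed_attrs(text):
    """Collect the hex bytes that follow each 'signed attr' header line."""
    attrs, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        header = ATTR_RE.match(line)
        if header:
            current = header.group(1)
            attrs[current] = bytearray()
        elif current and HEX_RE.match(line):
            attrs[current] += bytes.fromhex("".join(line.split()))
        else:
            current = None                # any other line ends the hex run
    return attrs


def decode_signed_attrs(text):
    """Return {attribute name: decoded value} for the dumped attributes."""
    decoded = {}
    for name, raw in extract_signed_attrs(text).items():
        tag, value = parse_der_tlv(bytes(raw))
        if tag == 0x13:                   # PrintableString
            decoded[name] = value.decode("ascii")
        elif tag == 0x04:                 # OCTET STRING (nonces)
            decoded[name] = value.hex()
        else:
            raise ValueError(f"{name}: unexpected DER tag 0x{tag:02x}")
    return decoded


def summarize(text):
    """Map the decoded attributes to SCEP names."""
    attrs = decode_signed_attrs(text)
    msg = attrs.get("pki-message-type")
    status = attrs.get("pki-status")
    # Assumption: a failInfo attribute, if printed, has "fail" in its label.
    fail = next((v for k, v in attrs.items() if "fail" in k), None)
    return {
        "message_type": MESSAGE_TYPES.get(msg, f"unknown ({msg})"),
        "status": PKI_STATUS.get(status, f"unknown ({status})"),
        "fail_info": FAIL_INFO.get(fail, fail) if fail is not None else None,
        "transaction_id": attrs.get("pki-transaction-id"),
        "recipient_nonce": attrs.get("pki-recipient-nonce"),
    }


if __name__ == "__main__":
    for key, value in summarize(PIX_DEBUG).items():
        print(f"{key}: {value}")
```

The reply decodes as a CertRep with pkiStatus FAILURE, and the debug output shows no failInfo attribute, so the reason for the rejection has to be read from the RA-side log.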
Ives Steglich
2006-03-07 07:22:01 UTC
Post by Kurt Hockenmaier
13 01 33
13 01 32
04 10 2d 40 d5 7e 8c 13 dc 6e 5b ac bc b3 cf df 25 39
13 20 32 32 61 34 38 30 38 64 31 30 63 31 37 32 62 33 38 35
36 66 66 33 32 63 35 34 32 61 61 36 39 32
CRYPTO_PKI: status = 101: certificate request is rejected
CRYPTO_PKI: All enrollment requests completed.
hmm, at least all seems to be set up fine, since you receive correct
scep-replies...

please have a look in var/log/stderr.log (in your install path)
and check for lines which have an error-number that starts with: 7237##

this may help to find out, what is going on at the backend


greetings
dalini
Kurt Hockenmaier
2006-03-07 19:22:05 UTC
Post by Ives Steglich
hmm, at least all seems to be set up fine, since you receive correct
scep-replies...
please have a look in var/log/stderr.log (in your install path)
and check for lines which have an error-number that starts with: 7237##
this may help to find out, what is going on at the backend
greetings
dalini
Hi dalini,

now I found the debug switch in log.xml, but I'm not sure whether this
is enough - I couldn't find any error-number.

After the failing enrollment, all existing certificates are listed in
stderr.log and I found the line:
cmds->cmdScepPKIOperation: scepCheckRequest: more than two valid
certificates matched this request, rejected for policy reasons

Below you can find the log of the enrollment.

Greets
Kurt




cmds->cmdScepPKIOperation: execute5: /usr/local/openra/bin/openca-scep -in /usr/local/openra/openca/var/tmp/scep_pkiOp_9195.p7 -noout -print_transid
cmds->cmdScepPKIOperation: Pipe returned error code 0
cmds->cmdScepPKIOperation: execute_bt: /usr/local/openra/bin/openca-scep -in /usr/local/openra/openca/var/tmp/scep_pkiOp_9195.p7 -keyfile /usr/local/openra/openca/etc/scep/scep-key.pem -passin env:pwd -noout -print_scert > /usr/local/openra/openca/var/tmp/scep_client_9195.crt
cmds->cmdScepPKIOperation: Backtick expansion returned error code 0
cmds->cmdScepPKIOperation: execute1: /usr/local/openra/bin/openca-scep -in /usr/local/openra/openca/var/tmp/scep_pkiOp_9195.p7 -noout -print_msgtype
cmds->cmdScepPKIOperation: Pipe returned error code 0
cmds->cmdScepPKIOperation: execute6: /usr/local/openra/bin/openca-scep -in /usr/local/openra/openca/var/tmp/scep_pkiOp_9195.p7 -keyfile /usr/local/openra/openca/etc/scep/scep-key.pem -passin env:pwd -noout -print_req
cmds->cmdScepPKIOperation: Pipe returned error code 0
cmds->cmdScepPKIOperation: scepCheckRequest() requester DN: unstructuredName=home-pix.home.de+unstructuredAddress=10.254.254.1+CN=home-pix.home.de
cmds->cmdScepPKIOperation: scepCheckRequest() DB search expression DN: %%
DEBUG: OpenCA::DBI->Entering set_error ...
DEBUG: OpenCA::DBI->errno: gettext is defined
DEBUG: OpenCA::DBI->errno: new errorcode is 0
DEBUG: OpenCA::DBI->searchItems: Entering function searchItems
DEBUG: OpenCA::DBI->searchItems: OpenCA::DBI::errno: 0
DEBUG: OpenCA::DBI->getArguments: entering function
DEBUG: OpenCA::DBI->getArguments: check: DATATYPE=VALID_CERTIFICATE
DEBUG: OpenCA::DBI->getArguments: check: DN=%%
DEBUG: OpenCA::DBI->getArguments: TABLE:CERTIFICATE
DEBUG: OpenCA::DBI->getArguments: MODE:
DEBUG: OpenCA::DBI->Entering set_error ...
DEBUG: OpenCA::DBI->errno: gettext is defined
DEBUG: OpenCA::DBI->errno: new errorcode is 0
DEBUG: OpenCA::DBI->Entering set_error ...
DEBUG: OpenCA::DBI->errno: gettext is defined
DEBUG: OpenCA::DBI->errno: old errno 11111 is present
DEBUG: OpenCA::DBI->errno: new errorcode is 11111
DEBUG: OpenCA::DBI->getArguments: attribute: KEY
DEBUG: OpenCA::DBI->getArguments: value:
DEBUG: OpenCA::DBI->getArguments: attribute: STATUS
DEBUG: OpenCA::DBI->getArguments: value:
DEBUG: OpenCA::DBI->getArguments: attribute: DN
DEBUG: OpenCA::DBI->getArguments: value: %%
DEBUG: OpenCA::DBI->getArguments: attribute: CN
DEBUG: OpenCA::DBI->getArguments: value:
DEBUG: OpenCA::DBI->getArguments: attribute: EMAIL
DEBUG: OpenCA::DBI->getArguments: value:
DEBUG: OpenCA::DBI->getArguments: attribute: ROLE
DEBUG: OpenCA::DBI->getArguments: value:
DEBUG: OpenCA::DBI->getArguments: attribute: PUBKEY
DEBUG: OpenCA::DBI->getArguments: value:
DEBUG: OpenCA::DBI->getArguments: attribute: CSR_SERIAL
DEBUG: OpenCA::DBI->getArguments: value:
DEBUG: OpenCA::DBI->getArguments: attribute: LOA
DEBUG: OpenCA::DBI->getArguments: value:
DEBUG: OpenCA::DBI->Entering set_error ...
DEBUG: OpenCA::DBI->errno: gettext is defined
DEBUG: OpenCA::DBI->errno: new errorcode is 0
DEBUG: OpenCA::DBI->getStatus: Entering function
DEBUG: OpenCA::DBI->getStatus: no status given using datatype:
VALID_CERTIFICATE
DEBUG: OpenCA::DBI->getStatus: given mode is now: VALID
DEBUG: OpenCA::DBI->getStatus: legal status (leaving function)
DEBUG: OpenCA::DBI->Entering set_error ...
DEBUG: OpenCA::DBI->errno: gettext is defined
DEBUG: OpenCA::DBI->errno: old errno 11111 is present
DEBUG: OpenCA::DBI->errno: new errorcode is 11111
DEBUG: OpenCA::DBI->getArguments: handling VALID_CERTIFICATE
DEBUG: OpenCA::DBI->getArguments: calling getNumericDate(Tue Mar 7
20:50:39 2006) on backend
DEBUG: OpenCA::DBI->getArguments: status: VALID
DEBUG: OpenCA::DBI->getArguments: completed successful
DEBUG: OpenCA::DBI->searchItems: OpenCA::DBI::errno: 0
DEBUG: OpenCA::DBI->searchItems: dbi-status:VALID
DEBUG: OpenCA::DBI->searchItems: query now: select * from certificate
DEBUG: OpenCA::DBI->Entering set_error ...
DEBUG: OpenCA::DBI->errno: gettext is defined
DEBUG: OpenCA::DBI->errno: new errorcode is 0
DEBUG: OpenCA::DBI->Entering set_error ...
DEBUG: OpenCA::DBI->errno: gettext is defined
DEBUG: OpenCA::DBI->errno: old errno 11111 is present
DEBUG: OpenCA::DBI->errno: new errorcode is 11111
DEBUG: OpenCA::DBI->searchItems: scan attribute: KEY
DEBUG: OpenCA::DBI->searchItems: scan attribute: STATUS
DEBUG: OpenCA::DBI->searchItems: attribute's content: VALID
DEBUG: OpenCA::DBI->searchItems: TEXT: STATUS --> TEXT
DEBUG: OpenCA::DBI->searchItems: scan attribute: DN
DEBUG: OpenCA::DBI->searchItems: attribute's content: %%
DEBUG: OpenCA::DBI->searchItems: TEXT: DN --> TEXT
DEBUG: OpenCA::DBI->searchItems: scan attribute: CN
DEBUG: OpenCA::DBI->searchItems: scan attribute: EMAIL
DEBUG: OpenCA::DBI->searchItems: scan attribute: ROLE
DEBUG: OpenCA::DBI->searchItems: scan attribute: PUBKEY
DEBUG: OpenCA::DBI->searchItems: scan attribute: CSR_SERIAL
DEBUG: OpenCA::DBI->searchItems: scan attribute: LOA
DEBUG: OpenCA::DBI->searchItems: query: select * from certificate where (status like ?) and (notafter > 20060307205039) and (dn like ?) order by cert_key
DEBUG: OpenCA::DBI->Entering set_error ...
DEBUG: OpenCA::DBI->errno: gettext is defined
DEBUG: OpenCA::DBI->errno: new errorcode is 0
DEBUG: OpenCA::DBI->doQuery: entering function
DEBUG: OpenCA::DBI->doQuery: query: select * from certificate where (status like ?) and (notafter > 20060307205039) and (dn like ?) order by cert_key
DEBUG: OpenCA::DBI->doQuery: bind_values: VALID
DEBUG: OpenCA::DBI->doQuery: bind_values: %%
DEBUG: OpenCA::DBI->doQuery: prepare statement
DEBUG: OpenCA::DBI->doQuery: execute statement
DEBUG: OpenCA::DBI->doQuery: execute succeeded (leaving function - 5)
DEBUG: OpenCA::DBI->Entering set_error ...
DEBUG: OpenCA::DBI->errno: gettext is defined
DEBUG: OpenCA::DBI->errno: old errno 11111 is present
DEBUG: OpenCA::DBI->errno: new errorcode is 11111
DEBUG: OpenCA::DBI->searchItems: errstr(undef is OK):
DEBUG: OpenCA::DBI->searchItems: rows (this is buggy in DBD::DB2 and
DBD::Oracle)): 5
DEBUG: OpenCA::DBI->searchItems: item: 1
DEBUG: OpenCA::DBI->searchItems: item: 2
DEBUG: OpenCA::DBI->searchItems: item: 3
DEBUG: OpenCA::DBI->searchItems: item: 4
DEBUG: OpenCA::DBI->searchItems: item: 5
DEBUG: OpenCA::DBI->getItem: Entering sub getItem
DEBUG: OpenCA::DBI->Entering set_error ...
DEBUG: OpenCA::DBI->errno: gettext is defined
DEBUG: OpenCA::DBI->errno: new errorcode is 0
DEBUG: OpenCA::DBI->getArguments: entering function
DEBUG: OpenCA::DBI->getArguments: check: KEY=1
DEBUG: OpenCA::DBI->getArguments: check: DATATYPE=CERTIFICATE
DEBUG: OpenCA::DBI->getArguments: check: STATUS=
DEBUG: OpenCA::DBI->getArguments: TABLE:CERTIFICATE
DEBUG: OpenCA::DBI->getArguments: MODE:
DEBUG: OpenCA::DBI->Entering set_error ...
DEBUG: OpenCA::DBI->errno: gettext is defined
DEBUG: OpenCA::DBI->errno: old errno 11111 is present
DEBUG: OpenCA::DBI->errno: new errorcode is 11111
DEBUG: OpenCA::DBI->Entering set_error ...
DEBUG: OpenCA::DBI->errno: gettext is defined
DEBUG: OpenCA::DBI->errno: old errno 11111 is present
DEBUG: OpenCA::DBI->errno: new errorcode is 11111
DEBUG: OpenCA::DBI->getArguments: attribute: KEY
DEBUG: OpenCA::DBI->getArguments: value: 1
DEBUG: OpenCA::DBI->getArguments: attribute: STATUS
DEBUG: OpenCA::DBI->getArguments: value:
DEBUG: OpenCA::DBI->getArguments: attribute: DN
DEBUG: OpenCA::DBI->getArguments: value:
DEBUG: OpenCA::DBI->getArguments: attribute: CN
DEBUG: OpenCA::DBI->getArguments: value:
DEBUG: OpenCA::DBI->getArguments: attribute: EMAIL
DEBUG: OpenCA::DBI->getArguments: value:
DEBUG: OpenCA::DBI->getArguments: attribute: ROLE
DEBUG: OpenCA::DBI->getArguments: value:
DEBUG: OpenCA::DBI->getArguments: attribute: PUBKEY
DEBUG: OpenCA::DBI->getArguments: value:
DEBUG: OpenCA::DBI->getArguments: attribute: CSR_SERIAL
DEBUG: OpenCA::DBI->getArguments: value:
DEBUG: OpenCA::DBI->getArguments: attribute: LOA
DEBUG: OpenCA::DBI->getArguments: value:
DEBUG: OpenCA::DBI->Entering set_error ...
DEBUG: OpenCA::DBI->errno: gettext is defined
DEBUG: OpenCA::DBI->errno: new errorcode is 0
DEBUG: OpenCA::DBI->getStatus: Entering function
DEBUG: OpenCA::DBI->getStatus: no status given using datatype: CERTIFICATE
DEBUG: OpenCA::DBI->getStatus: given mode is now:
DEBUG: OpenCA::DBI->getStatus: no status (leaving function)
DEBUG: OpenCA::DBI->Entering set_error ...
DEBUG: OpenCA::DBI->errno: gettext is defined
DEBUG: OpenCA::DBI->errno: old errno 11111 is present
DEBUG: OpenCA::DBI->errno: new errorcode is 11111
DEBUG: OpenCA::DBI->getArguments: no STATUS present
DEBUG: OpenCA::DBI->getArguments: completed successful
DEBUG: OpenCA::DBI->getItem: data complete
DEBUG: OpenCA::DBI->getItem: query: select * from certificate where
(cert_key=?)
DEBUG: OpenCA::DBI->Entering set_error ...
DEBUG: OpenCA::DBI->errno: gettext is defined
DEBUG: OpenCA::DBI->errno: new errorcode is 0
DEBUG: OpenCA::DBI->doQuery: entering function
DEBUG: OpenCA::DBI->doQuery: query: select * from certificate where
(cert_key=?)
DEBUG: OpenCA::DBI->doQuery: bind_values: 1
DEBUG: OpenCA::DBI->doQuery: prepare statement
DEBUG: OpenCA::DBI->doQuery: execute statement
DEBUG: OpenCA::DBI->doQuery: execute succeeded (leaving function - 1)
DEBUG: OpenCA::DBI->Entering set_error ...
DEBUG: OpenCA::DBI->errno: gettext is defined
DEBUG: OpenCA::DBI->errno: old errno 11111 is present
DEBUG: OpenCA::DBI->errno: new errorcode is 11111
DEBUG: OpenCA::DBI->getItem: check that there is a non-empty result
DEBUG: OpenCA::DBI->getResultItem: entering function
DEBUG: OpenCA::DBI->getResultItem: all params present
DEBUG: OpenCA::DBI->getResultHash: entring function
DEBUG: OpenCA::DBI->getResultHash: column: CERTIFICATE_SERIAL
DEBUG: OpenCA::DBI->getResultHash: value: 1
DEBUG: OpenCA::DBI->getResultHash: column: FORMAT
DEBUG: OpenCA::DBI->getResultHash: value: PEM
DEBUG: OpenCA::DBI->getResultHash: column: DATA
DEBUG: OpenCA::DBI->getResultHash: value: -----BEGIN HEADER-----
PIN=e906c08ffe4e12cc246dfd22c53154b504260222
CSR_SERIAL=256
ROLE=CA Operator
-----END HEADER-----

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN ENCRYPTED PRIVATE KEY-----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-----END ENCRYPTED PRIVATE KEY-----
DEBUG: OpenCA::DBI->getResultHash: column: DN
DEBUG: OpenCA::DBI->getResultHash: value: serialNumber=1,CN=ca
admin,OU=Trustcenter,O=XEN Test CA,C=DE
DEBUG: OpenCA::DBI->getResultHash: column: CN
DEBUG: OpenCA::DBI->getResultHash: value: ca admin
DEBUG: OpenCA::DBI->getResultHash: column: EMAIL
DEBUG: OpenCA::DBI->getResultHash: value: ca-***@xen-ca
DEBUG: OpenCA::DBI->getResultHash: column: STATUS
DEBUG: OpenCA::DBI->getResultHash: value: VALID
DEBUG: OpenCA::DBI->getResultHash: column: ROLE
DEBUG: OpenCA::DBI->getResultHash: value: CA Operator
DEBUG: OpenCA::DBI->getResultHash: column: PUBKEY
DEBUG: OpenCA::DBI->getResultHash: value: Modulus (1024 bit):
00:cb:3f:bd:39:20:be:71:01:61:18:d7:bf:5b:b9:
0e:f2:96:eb:a8:6c:a4:82:f2:33:97:08:5c:79:cf:
3b:90:b2:f0:9f:1e:1d:4c:45:24:45:85:10:b2:ad:
b3:ee:eb:4e:ca:b0:fd:0a:4f:da:8b:79:75:1e:bb:
bd:94:b9:11:58:ad:c0:63:b9:d4:a3:be:5b:ab:23:
02:8b:bf:e4:65:0b:fc:45:52:19:16:4d:12:9d:17:
90:30:54:ef:9d:69:5e:b2:0e:b2:8f:58:f4:90:54:
55:6e:64:97:03:08:92:f7:bf:30:3f:a9:80:63:a5:
09:53:da:d2:15:01:19:c9:e3
Exponent: 65537 (0x10001)

DEBUG: OpenCA::DBI->getResultHash: column: NOTAFTER
DEBUG: OpenCA::DBI->getResultHash: value: 20251118224240
DEBUG: OpenCA::DBI->getResultHash: column: CSR_SERIAL
DEBUG: OpenCA::DBI->getResultHash: value: 256
DEBUG: OpenCA::DBI->getResultHash: column: LOA
DEBUG: OpenCA::DBI->getResultHash: value:
DEBUG: OpenCA::DBI->getResultHash: leaving function
DEBUG: OpenCA::DBI->getResultItem: data: -----BEGIN HEADER-----
PIN=e906c08ffe4e12cc246dfd22c53154b504260222
CSR_SERIAL=256
ROLE=CA Operator
-----END HEADER-----

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN ENCRYPTED PRIVATE KEY-----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-----END ENCRYPTED PRIVATE KEY-----
DEBUG: OpenCA::DBI->getResultItem: format: PEM
DEBUG: OpenCA::DBI->getResultItem: have all data
DEBUG: OpenCA::DBI->getResultItem: return item
DEBUG: OpenCA::DBI->Entering set_error ...
DEBUG: OpenCA::DBI->errno: gettext is defined
DEBUG: OpenCA::DBI->errno: new errorcode is 0
DEBUG: OpenCA::DBI->searchItems: add an object to the returnlist
DEBUG: OpenCA::DBI->getItem: Entering sub getItem
DEBUG: OpenCA::DBI->Entering set_error ...
DEBUG: OpenCA::DBI->errno: gettext is defined
DEBUG: OpenCA::DBI->errno: new errorcode is 0
DEBUG: OpenCA::DBI->getArguments: entering function
DEBUG: OpenCA::DBI->getArguments: check: KEY=2
DEBUG: OpenCA::DBI->getArguments: check: DATATYPE=CERTIFICATE
DEBUG: OpenCA::DBI->getArguments: check: STATUS=
DEBUG: OpenCA::DBI->getArguments: TABLE:CERTIFICATE
DEBUG: OpenCA::DBI->getArguments: MODE:
DEBUG: OpenCA::DBI->Entering set_error ...
DEBUG: OpenCA::DBI->errno: gettext is defined
DEBUG: OpenCA::DBI->errno: old errno 11111 is present
DEBUG: OpenCA::DBI->errno: new errorcode is 11111
DEBUG: OpenCA::DBI->Entering set_error ...
DEBUG: OpenCA::DBI->errno: gettext is defined
DEBUG: OpenCA::DBI->errno: old errno 11111 is present
DEBUG: OpenCA::DBI->errno: new errorcode is 11111
DEBUG: OpenCA::DBI->getArguments: attribute: KEY
DEBUG: OpenCA::DBI->getArguments: value: 2
DEBUG: OpenCA::DBI->getArguments: attribute: STATUS
DEBUG: OpenCA::DBI->getArguments: value:
DEBUG: OpenCA::DBI->getArguments: attribute: DN
DEBUG: OpenCA::DBI->getArguments: value:
DEBUG: OpenCA::DBI->getArguments: attribute: CN
DEBUG: OpenCA::DBI->getArguments: value:
DEBUG: OpenCA::DBI->getArguments: attribute: EMAIL
DEBUG: OpenCA::DBI->getArguments: value:
DEBUG: OpenCA::DBI->getArguments: attribute: ROLE
DEBUG: OpenCA::DBI->getArguments: value:
DEBUG: OpenCA::DBI->getArguments: attribute: PUBKEY
DEBUG: OpenCA::DBI->getArguments: value:
DEBUG: OpenCA::DBI->getArguments: attribute: CSR_SERIAL
DEBUG: OpenCA::DBI->getArguments: value:
DEBUG: OpenCA::DBI->getArguments: attribute: LOA
DEBUG: OpenCA::DBI->getArguments: value:
DEBUG: OpenCA::DBI->Entering set_error ...
DEBUG: OpenCA::DBI->errno: gettext is defined
DEBUG: OpenCA::DBI->errno: new errorcode is 0
DEBUG: OpenCA::DBI->getStatus: Entering function
DEBUG: OpenCA::DBI->getStatus: no status given using datatype: CERTIFICATE
DEBUG: OpenCA::DBI->getStatus: given mode is now:
DEBUG: OpenCA::DBI->getStatus: no status (leaving function)
DEBUG: OpenCA::DBI->Entering set_error ...
DEBUG: OpenCA::DBI->errno: gettext is defined
DEBUG: OpenCA::DBI->errno: old errno 11111 is present
DEBUG: OpenCA::DBI->errno: new errorcode is 11111
DEBUG: OpenCA::DBI->getArguments: no STATUS present
DEBUG: OpenCA::DBI->getArguments: completed successful
DEBUG: OpenCA::DBI->getItem: data complete
DEBUG: OpenCA::DBI->getItem: query: select * from certificate where
(cert_key=?)
DEBUG: OpenCA::DBI->Entering set_error ...
DEBUG: OpenCA::DBI->errno: gettext is defined
DEBUG: OpenCA::DBI->errno: new errorcode is 0
DEBUG: OpenCA::DBI->doQuery: entering function
DEBUG: OpenCA::DBI->doQuery: query: select * from certificate where
(cert_key=?)
DEBUG: OpenCA::DBI->doQuery: bind_values: 2
DEBUG: OpenCA::DBI->doQuery: prepare statement
DEBUG: OpenCA::DBI->doQuery: execute statement
DEBUG: OpenCA::DBI->doQuery: execute succeeded (leaving function - 1)
DEBUG: OpenCA::DBI->Entering set_error ...
DEBUG: OpenCA::DBI->errno: gettext is defined
DEBUG: OpenCA::DBI->errno: old errno 11111 is present
DEBUG: OpenCA::DBI->errno: new errorcode is 11111
DEBUG: OpenCA::DBI->getItem: check that there is a non-empty result
DEBUG: OpenCA::DBI->getResultItem: entering function
DEBUG: OpenCA::DBI->getResultItem: all params present
DEBUG: OpenCA::DBI->getResultHash: entring function
DEBUG: OpenCA::DBI->getResultHash: column: CERTIFICATE_SERIAL
DEBUG: OpenCA::DBI->getResultHash: value: 2
DEBUG: OpenCA::DBI->getResultHash: column: FORMAT
DEBUG: OpenCA::DBI->getResultHash: value: PEM
DEBUG: OpenCA::DBI->getResultHash: column: DATA
DEBUG: OpenCA::DBI->getResultHash: value: -----BEGIN HEADER-----
PIN=8a96edede147c9d46da2ce1cc1903cb707aba4f9
CSR_SERIAL=512
ROLE=RA Operator
-----END HEADER-----

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN ENCRYPTED PRIVATE KEY-----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-----END ENCRYPTED PRIVATE KEY-----
DEBUG: OpenCA::DBI->getResultHash: column: DN
DEBUG: OpenCA::DBI->getResultHash: value: serialNumber=2,CN=RA
Cert,OU=Trustcenter,O=XEN Test CA,C=DE
DEBUG: OpenCA::DBI->getResultHash: column: CN
DEBUG: OpenCA::DBI->getResultHash: value: RA Cert
DEBUG: OpenCA::DBI->getResultHash: column: EMAIL
DEBUG: OpenCA::DBI->getResultHash: value: ***@xen-ca
DEBUG: OpenCA::DBI->getResultHash: column: STATUS
DEBUG: OpenCA::DBI->getResultHash: value: VALID
DEBUG: OpenCA::DBI->getResultHash: column: ROLE
DEBUG: OpenCA::DBI->getResultHash: value: RA Operator
DEBUG: OpenCA::DBI->getResultHash: column: PUBKEY
DEBUG: OpenCA::DBI->getResultHash: value: Modulus (1024 bit):
00:d1:ba:10:d8:f4:7a:2f:29:2a:de:c2:9c:a2:00:
20:ed:9e:59:2e:10:f0:35:70:75:1e:3b:e6:a5:a5:
35:bb:fb:02:09:2d:4a:ba:07:4c:b0:67:d3:db:82:
0f:84:44:96:10:88:42:af:02:3b:e6:2c:52:7b:9a:
08:4d:f0:6b:d1:4f:d2:d7:0f:73:cb:d1:4d:9d:77:
3c:53:fa:17:dc:f4:47:4d:0a:96:d4:5a:4d:9a:51:
3d:4d:d5:79:14:03:95:41:49:76:91:d1:08:26:85:
72:7d:39:00:e1:3d:1b:2f:7f:a4:4a:ba:20:2c:a5:
f5:e0:ac:59:d5:ea:48:f9:95
Exponent: 65537 (0x10001)

DEBUG: OpenCA::DBI->getResultHash: column: NOTAFTER
DEBUG: OpenCA::DBI->getResultHash: value: 20251118230035
DEBUG: OpenCA::DBI->getResultHash: column: CSR_SERIAL
DEBUG: OpenCA::DBI->getResultHash: value: 512
DEBUG: OpenCA::DBI->getResultHash: column: LOA
DEBUG: OpenCA::DBI->getResultHash: value:
DEBUG: OpenCA::DBI->getResultHash: leaving function
DEBUG: OpenCA::DBI->getResultItem: data: -----BEGIN HEADER-----
PIN=8a96edede147c9d46da2ce1cc1903cb707aba4f9
CSR_SERIAL=512
ROLE=RA Operator
-----END HEADER-----

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN ENCRYPTED PRIVATE KEY-----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-----END ENCRYPTED PRIVATE KEY-----
DEBUG: OpenCA::DBI->getResultItem: format: PEM
DEBUG: OpenCA::DBI->getResultItem: have all data
DEBUG: OpenCA::DBI->getResultItem: return item
DEBUG: OpenCA::DBI->Entering set_error ...
DEBUG: OpenCA::DBI->errno: gettext is defined
DEBUG: OpenCA::DBI->errno: new errorcode is 0
DEBUG: OpenCA::DBI->searchItems: add an object to the returnlist
DEBUG: OpenCA::DBI->getItem: Entering sub getItem
DEBUG: OpenCA::DBI->Entering set_error ...
DEBUG: OpenCA::DBI->errno: gettext is defined
DEBUG: OpenCA::DBI->errno: new errorcode is 0
DEBUG: OpenCA::DBI->getArguments: entering function
DEBUG: OpenCA::DBI->getArguments: check: KEY=3
DEBUG: OpenCA::DBI->getArguments: check: DATATYPE=CERTIFICATE
DEBUG: OpenCA::DBI->getArguments: check: STATUS=
DEBUG: OpenCA::DBI->getArguments: TABLE:CERTIFICATE
DEBUG: OpenCA::DBI->getArguments: MODE:
DEBUG: OpenCA::DBI->Entering set_error ...
DEBUG: OpenCA::DBI->errno: gettext is defined
DEBUG: OpenCA::DBI->errno: old errno 11111 is present
DEBUG: OpenCA::DBI->errno: new errorcode is 11111
DEBUG: OpenCA::DBI->Entering set_error ...
DEBUG: OpenCA::DBI->errno: gettext is defined
DEBUG: OpenCA::DBI->errno: old errno 11111 is present
DEBUG: OpenCA::DBI->errno: new errorcode is 11111
DEBUG: OpenCA::DBI->getArguments: attribute: KEY
DEBUG: OpenCA::DBI->getArguments: value: 3
DEBUG: OpenCA::DBI->getArguments: attribute: STATUS
DEBUG: OpenCA::DBI->getArguments: value:
DEBUG: OpenCA::DBI->getArguments: attribute: DN
DEBUG: OpenCA::DBI->getArguments: value:
DEBUG: OpenCA::DBI->getArguments: attribute: CN
DEBUG: OpenCA::DBI->getArguments: value:
DEBUG: OpenCA::DBI->getArguments: attribute: EMAIL
DEBUG: OpenCA::DBI->getArguments: value:
DEBUG: OpenCA::DBI->getArguments: attribute: ROLE
DEBUG: OpenCA::DBI->getArguments: value:
DEBUG: OpenCA::DBI->getArguments: attribute: PUBKEY
DEBUG: OpenCA::DBI->getArguments: value:
DEBUG: OpenCA::DBI->getArguments: attribute: CSR_SERIAL
DEBUG: OpenCA::DBI->getArguments: value:
DEBUG: OpenCA::DBI->getArguments: attribute: LOA
DEBUG: OpenCA::DBI->getArguments: value:
DEBUG: OpenCA::DBI->Entering set_error ...
DEBUG: OpenCA::DBI->errno: gettext is defined
DEBUG: OpenCA::DBI->errno: new errorcode is 0
DEBUG: OpenCA::DBI->getStatus: Entering function
DEBUG: OpenCA::DBI->getStatus: no status given using datatype: CERTIFICATE
DEBUG: OpenCA::DBI->getStatus: given mode is now:
DEBUG: OpenCA::DBI->getStatus: no status (leaving function)
DEBUG: OpenCA::DBI->Entering set_error ...
DEBUG: OpenCA::DBI->errno: gettext is defined
DEBUG: OpenCA::DBI->errno: old errno 11111 is present
DEBUG: OpenCA::DBI->errno: new errorcode is 11111
DEBUG: OpenCA::DBI->getArguments: no STATUS present
DEBUG: OpenCA::DBI->getArguments: completed successful
DEBUG: OpenCA::DBI->getItem: data complete
DEBUG: OpenCA::DBI->getItem: query: select * from certificate where
(cert_key=?)
DEBUG: OpenCA::DBI->Entering set_error ...
DEBUG: OpenCA::DBI->errno: gettext is defined
DEBUG: OpenCA::DBI->errno: new errorcode is 0
DEBUG: OpenCA::DBI->doQuery: entering function
DEBUG: OpenCA::DBI->doQuery: query: select * from certificate where
(cert_key=?)
DEBUG: OpenCA::DBI->doQuery: bind_values: 3
DEBUG: OpenCA::DBI->doQuery: prepare statement
DEBUG: OpenCA::DBI->doQuery: execute statement
DEBUG: OpenCA::DBI->doQuery: execute succeeded (leaving function - 1)
DEBUG: OpenCA::DBI->Entering set_error ...
DEBUG: OpenCA::DBI->errno: gettext is defined
DEBUG: OpenCA::DBI->errno: old errno 11111 is present
DEBUG: OpenCA::DBI->errno: new errorcode is 11111
DEBUG: OpenCA::DBI->getItem: check that there is a non-empty result
DEBUG: OpenCA::DBI->getResultItem: entering function
DEBUG: OpenCA::DBI->getResultItem: all params present
DEBUG: OpenCA::DBI->getResultHash: entring function
DEBUG: OpenCA::DBI->getResultHash: column: CERTIFICATE_SERIAL
DEBUG: OpenCA::DBI->getResultHash: value: 3
DEBUG: OpenCA::DBI->getResultHash: column: FORMAT
DEBUG: OpenCA::DBI->getResultHash: value: PEM
DEBUG: OpenCA::DBI->getResultHash: column: DATA
DEBUG: OpenCA::DBI->getResultHash: value: -----BEGIN HEADER-----
PIN=759cc7a66998ae2dc0815d518c32a5c5d46fb4a0
CSR_SERIAL=288
ROLE=RA Operator
-----END HEADER-----

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

DEBUG: OpenCA::DBI->getResultHash: column: DN
DEBUG: OpenCA::DBI->getResultHash: value: serialNumber=3,CN=K
H,OU=Trustcenter,O=XEN Test RA,C=DE
DEBUG: OpenCA::DBI->getResultHash: column: CN
DEBUG: OpenCA::DBI->getResultHash: value: K H
DEBUG: OpenCA::DBI->getResultHash: column: EMAIL
DEBUG: OpenCA::DBI->getResultHash: value: ***@workbox
DEBUG: OpenCA::DBI->getResultHash: column: STATUS
DEBUG: OpenCA::DBI->getResultHash: value: VALID
DEBUG: OpenCA::DBI->getResultHash: column: ROLE
DEBUG: OpenCA::DBI->getResultHash: value: RA Operator
DEBUG: OpenCA::DBI->getResultHash: column: PUBKEY
DEBUG: OpenCA::DBI->getResultHash: value: Modulus (1024 bit):
00:c9:44:c8:4d:89:cb:82:fe:0c:e8:b6:58:c5:48:
ad:7e:e2:7d:61:8e:46:b2:85:31:0e:7f:e9:d1:67:
05:5b:9a:ab:73:9a:f0:2b:d8:06:8e:d3:33:cf:84:
2f:d7:72:4d:5f:08:bc:51:5e:1e:f7:df:f6:72:d0:
65:92:d6:3c:60:8e:bb:ff:9b:9c:01:c2:52:7d:bc:
3f:3b:cf:07:ed:16:96:9f:66:80:1e:0a:b1:54:48:
bf:70:cd:26:e2:d4:08:79:8e:93:fc:d2:69:bb:b4:
09:a7:b3:c1:d3:60:d5:50:89:1a:72:ee:41:68:02:
15:34:6c:86:2b:73:43:43:25
Exponent: 65537 (0x10001)

DEBUG: OpenCA::DBI->getResultHash: column: NOTAFTER
DEBUG: OpenCA::DBI->getResultHash: value: 20251118230949
DEBUG: OpenCA::DBI->getResultHash: column: CSR_SERIAL
DEBUG: OpenCA::DBI->getResultHash: value: 288
DEBUG: OpenCA::DBI->getResultHash: column: LOA
DEBUG: OpenCA::DBI->getResultHash: value:
DEBUG: OpenCA::DBI->getResultHash: leaving function
DEBUG: OpenCA::DBI->getResultItem: data: -----BEGIN HEADER-----
PIN=759cc7a66998ae2dc0815d518c32a5c5d46fb4a0
CSR_SERIAL=288
ROLE=RA Operator
-----END HEADER-----

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

DEBUG: OpenCA::DBI->getResultItem: format: PEM
DEBUG: OpenCA::DBI->getResultItem: have all data
DEBUG: OpenCA::DBI->getResultItem: return item
DEBUG: OpenCA::DBI->Entering set_error ...
DEBUG: OpenCA::DBI->errno: gettext is defined
DEBUG: OpenCA::DBI->errno: new errorcode is 0
DEBUG: OpenCA::DBI->searchItems: add an object to the returnlist
DEBUG: OpenCA::DBI->getItem: Entering sub getItem
DEBUG: OpenCA::DBI->Entering set_error ...
DEBUG: OpenCA::DBI->errno: gettext is defined
DEBUG: OpenCA::DBI->errno: new errorcode is 0
DEBUG: OpenCA::DBI->getArguments: entering function
DEBUG: OpenCA::DBI->getArguments: check: KEY=4
DEBUG: OpenCA::DBI->getArguments: check: DATATYPE=CERTIFICATE
DEBUG: OpenCA::DBI->getArguments: check: STATUS=
DEBUG: OpenCA::DBI->getArguments: TABLE:CERTIFICATE
DEBUG: OpenCA::DBI->getArguments: MODE:
DEBUG: OpenCA::DBI->Entering set_error ...
DEBUG: OpenCA::DBI->errno: gettext is defined
DEBUG: OpenCA::DBI->errno: old errno 11111 is present
DEBUG: OpenCA::DBI->errno: new errorcode is 11111
DEBUG: OpenCA::DBI->Entering set_error ...
DEBUG: OpenCA::DBI->errno: gettext is defined
DEBUG: OpenCA::DBI->errno: old errno 11111 is present
DEBUG: OpenCA::DBI->errno: new errorcode is 11111
DEBUG: OpenCA::DBI->getArguments: attribute: KEY
DEBUG: OpenCA::DBI->getArguments: value: 4
DEBUG: OpenCA::DBI->getArguments: attribute: STATUS
DEBUG: OpenCA::DBI->getArguments: value:
DEBUG: OpenCA::DBI->getArguments: attribute: DN
DEBUG: OpenCA::DBI->getArguments: value:
DEBUG: OpenCA::DBI->getArguments: attribute: CN
DEBUG: OpenCA::DBI->getArguments: value:
DEBUG: OpenCA::DBI->getArguments: attribute: EMAIL
DEBUG: OpenCA::DBI->getArguments: value:
DEBUG: OpenCA::DBI->getArguments: attribute: ROLE
DEBUG: OpenCA::DBI->getArguments: value:
DEBUG: OpenCA::DBI->getArguments: attribute: PUBKEY
DEBUG: OpenCA::DBI->getArguments: value:
DEBUG: OpenCA::DBI->getArguments: attribute: CSR_SERIAL
DEBUG: OpenCA::DBI->getArguments: value:
DEBUG: OpenCA::DBI->getArguments: attribute: LOA
DEBUG: OpenCA::DBI->getArguments: value:
DEBUG: OpenCA::DBI->Entering set_error ...
DEBUG: OpenCA::DBI->errno: gettext is defined
DEBUG: OpenCA::DBI->errno: new errorcode is 0
DEBUG: OpenCA::DBI->getStatus: Entering function
DEBUG: OpenCA::DBI->getStatus: no status given using datatype: CERTIFICATE
DEBUG: OpenCA::DBI->getStatus: given mode is now:
DEBUG: OpenCA::DBI->getStatus: no status (leaving function)
DEBUG: OpenCA::DBI->Entering set_error ...
DEBUG: OpenCA::DBI->errno: gettext is defined
DEBUG: OpenCA::DBI->errno: old errno 11111 is present
DEBUG: OpenCA::DBI->errno: new errorcode is 11111
DEBUG: OpenCA::DBI->getArguments: no STATUS present
DEBUG: OpenCA::DBI->getArguments: completed successful
DEBUG: OpenCA::DBI->getItem: data complete
DEBUG: OpenCA::DBI->getItem: query: select * from certificate where
(cert_key=?)
DEBUG: OpenCA::DBI->Entering set_error ...
DEBUG: OpenCA::DBI->errno: gettext is defined
DEBUG: OpenCA::DBI->errno: new errorcode is 0
DEBUG: OpenCA::DBI->doQuery: entering function
DEBUG: OpenCA::DBI->doQuery: query: select * from certificate where
(cert_key=?)
DEBUG: OpenCA::DBI->doQuery: bind_values: 4
DEBUG: OpenCA::DBI->doQuery: prepare statement
DEBUG: OpenCA::DBI->doQuery: execute statement
DEBUG: OpenCA::DBI->doQuery: execute succeeded (leaving function - 1)
DEBUG: OpenCA::DBI->Entering set_error ...
DEBUG: OpenCA::DBI->errno: gettext is defined
DEBUG: OpenCA::DBI->errno: old errno 11111 is present
DEBUG: OpenCA::DBI->errno: new errorcode is 11111
DEBUG: OpenCA::DBI->getItem: check that there is a non-empty result
DEBUG: OpenCA::DBI->getResultItem: entering function
DEBUG: OpenCA::DBI->getResultItem: all params present
DEBUG: OpenCA::DBI->getResultHash: entring function
DEBUG: OpenCA::DBI->getResultHash: column: CERTIFICATE_SERIAL
DEBUG: OpenCA::DBI->getResultHash: value: 4
DEBUG: OpenCA::DBI->getResultHash: column: FORMAT
DEBUG: OpenCA::DBI->getResultHash: value: PEM
DEBUG: OpenCA::DBI->getResultHash: column: DATA
DEBUG: OpenCA::DBI->getResultHash: value: -----BEGIN HEADER-----
PIN=ec7a856d628a7155c69410c58536abb3001009b1
CSR_SERIAL=800
ROLE=Web Server
-----END HEADER-----

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----
DEBUG: OpenCA::DBI->getResultHash: column: DN
DEBUG: OpenCA::DBI->getResultHash: value:
serialNumber=4,CN=SCEP,OU=Trustcenter,O=XEN Test RA,C=DE
DEBUG: OpenCA::DBI->getResultHash: column: CN
DEBUG: OpenCA::DBI->getResultHash: value: SCEP
DEBUG: OpenCA::DBI->getResultHash: column: EMAIL
DEBUG: OpenCA::DBI->getResultHash: value: ***@xen-ca
DEBUG: OpenCA::DBI->getResultHash: column: STATUS
DEBUG: OpenCA::DBI->getResultHash: value: VALID
DEBUG: OpenCA::DBI->getResultHash: column: ROLE
DEBUG: OpenCA::DBI->getResultHash: value: Web Server
DEBUG: OpenCA::DBI->getResultHash: column: PUBKEY
DEBUG: OpenCA::DBI->getResultHash: value: Modulus (1024 bit):
Exponent: 65537 (0x10001)

DEBUG: OpenCA::DBI->getResultHash: column: NOTAFTER
DEBUG: OpenCA::DBI->getResultHash: value: 20251118232115
DEBUG: OpenCA::DBI->getResultHash: column: CSR_SERIAL
DEBUG: OpenCA::DBI->getResultHash: value: 800
DEBUG: OpenCA::DBI->getResultHash: column: LOA
DEBUG: OpenCA::DBI->getResultHash: value:
DEBUG: OpenCA::DBI->getResultHash: leaving function
DEBUG: OpenCA::DBI->getResultItem: data: -----BEGIN HEADER-----
PIN=ec7a856d628a7155c69410c58536abb3001009b1
CSR_SERIAL=800
ROLE=Web Server
-----END HEADER-----

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----
DEBUG: OpenCA::DBI->getResultItem: format: PEM
DEBUG: OpenCA::DBI->getResultItem: have all data
DEBUG: OpenCA::DBI->getResultItem: return item
DEBUG: OpenCA::DBI->Entering set_error ...
DEBUG: OpenCA::DBI->errno: gettext is defined
DEBUG: OpenCA::DBI->errno: new errorcode is 0
DEBUG: OpenCA::DBI->searchItems: add an object to the returnlist
DEBUG: OpenCA::DBI->getItem: Entering sub getItem
DEBUG: OpenCA::DBI->Entering set_error ...
DEBUG: OpenCA::DBI->errno: gettext is defined
DEBUG: OpenCA::DBI->errno: new errorcode is 0
DEBUG: OpenCA::DBI->getArguments: entering function
DEBUG: OpenCA::DBI->getArguments: check: KEY=5
DEBUG: OpenCA::DBI->getArguments: check: DATATYPE=CERTIFICATE
DEBUG: OpenCA::DBI->getArguments: check: STATUS=
DEBUG: OpenCA::DBI->getArguments: TABLE:CERTIFICATE
DEBUG: OpenCA::DBI->getArguments: MODE:
DEBUG: OpenCA::DBI->Entering set_error ...
DEBUG: OpenCA::DBI->errno: gettext is defined
DEBUG: OpenCA::DBI->errno: old errno 11111 is present
DEBUG: OpenCA::DBI->errno: new errorcode is 11111
DEBUG: OpenCA::DBI->Entering set_error ...
DEBUG: OpenCA::DBI->errno: gettext is defined
DEBUG: OpenCA::DBI->errno: old errno 11111 is present
DEBUG: OpenCA::DBI->errno: new errorcode is 11111
DEBUG: OpenCA::DBI->getArguments: attribute: KEY
DEBUG: OpenCA::DBI->getArguments: value: 5
DEBUG: OpenCA::DBI->getArguments: attribute: STATUS
DEBUG: OpenCA::DBI->getArguments: value:
DEBUG: OpenCA::DBI->getArguments: attribute: DN
DEBUG: OpenCA::DBI->getArguments: value:
DEBUG: OpenCA::DBI->getArguments: attribute: CN
DEBUG: OpenCA::DBI->getArguments: value:
DEBUG: OpenCA::DBI->getArguments: attribute: EMAIL
DEBUG: OpenCA::DBI->getArguments: value:
DEBUG: OpenCA::DBI->getArguments: attribute: ROLE
DEBUG: OpenCA::DBI->getArguments: value:
DEBUG: OpenCA::DBI->getArguments: attribute: PUBKEY
DEBUG: OpenCA::DBI->getArguments: value:
DEBUG: OpenCA::DBI->getArguments: attribute: CSR_SERIAL
DEBUG: OpenCA::DBI->getArguments: value:
DEBUG: OpenCA::DBI->getArguments: attribute: LOA
DEBUG: OpenCA::DBI->getArguments: value:
DEBUG: OpenCA::DBI->Entering set_error ...
DEBUG: OpenCA::DBI->errno: gettext is defined
DEBUG: OpenCA::DBI->errno: new errorcode is 0
DEBUG: OpenCA::DBI->getStatus: Entering function
DEBUG: OpenCA::DBI->getStatus: no status given using datatype: CERTIFICATE
DEBUG: OpenCA::DBI->getStatus: given mode is now:
DEBUG: OpenCA::DBI->getStatus: no status (leaving function)
DEBUG: OpenCA::DBI->Entering set_error ...
DEBUG: OpenCA::DBI->errno: gettext is defined
DEBUG: OpenCA::DBI->errno: old errno 11111 is present
DEBUG: OpenCA::DBI->errno: new errorcode is 11111
DEBUG: OpenCA::DBI->getArguments: no STATUS present
DEBUG: OpenCA::DBI->getArguments: completed successful
DEBUG: OpenCA::DBI->getItem: data complete
DEBUG: OpenCA::DBI->getItem: query: select * from certificate where
(cert_key=?)
DEBUG: OpenCA::DBI->Entering set_error ...
DEBUG: OpenCA::DBI->errno: gettext is defined
DEBUG: OpenCA::DBI->errno: new errorcode is 0
DEBUG: OpenCA::DBI->doQuery: entering function
DEBUG: OpenCA::DBI->doQuery: query: select * from certificate where
(cert_key=?)
DEBUG: OpenCA::DBI->doQuery: bind_values: 5
DEBUG: OpenCA::DBI->doQuery: prepare statement
DEBUG: OpenCA::DBI->doQuery: execute statement
DEBUG: OpenCA::DBI->doQuery: execute succeeded (leaving function - 1)
DEBUG: OpenCA::DBI->Entering set_error ...
DEBUG: OpenCA::DBI->errno: gettext is defined
DEBUG: OpenCA::DBI->errno: old errno 11111 is present
DEBUG: OpenCA::DBI->errno: new errorcode is 11111
DEBUG: OpenCA::DBI->getItem: check that there is a non-empty result
DEBUG: OpenCA::DBI->getResultItem: entering function
DEBUG: OpenCA::DBI->getResultItem: all params present
DEBUG: OpenCA::DBI->getResultHash: entring function
DEBUG: OpenCA::DBI->getResultHash: column: CERTIFICATE_SERIAL
DEBUG: OpenCA::DBI->getResultHash: value: 5
DEBUG: OpenCA::DBI->getResultHash: column: FORMAT
DEBUG: OpenCA::DBI->getResultHash: value: PEM
DEBUG: OpenCA::DBI->getResultHash: column: DATA
DEBUG: OpenCA::DBI->getResultHash: value: -----BEGIN HEADER-----
PIN=b9fc990f6fc0efd0a5eb9ce8c43c95d25381b346
CSR_SERIAL=1056
ROLE=Web Server
-----END HEADER-----

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----
DEBUG: OpenCA::DBI->getResultHash: column: DN
DEBUG: OpenCA::DBI->getResultHash: value:
serialNumber=5,CN=apache,OU=Trustcenter,O=XEN Test RA,C=DE
DEBUG: OpenCA::DBI->getResultHash: column: CN
DEBUG: OpenCA::DBI->getResultHash: value: apache
DEBUG: OpenCA::DBI->getResultHash: column: EMAIL
DEBUG: OpenCA::DBI->getResultHash: value: ***@xenca.site
DEBUG: OpenCA::DBI->getResultHash: column: STATUS
DEBUG: OpenCA::DBI->getResultHash: value: VALID
DEBUG: OpenCA::DBI->getResultHash: column: ROLE
DEBUG: OpenCA::DBI->getResultHash: value: Web Server
DEBUG: OpenCA::DBI->getResultHash: column: PUBKEY
DEBUG: OpenCA::DBI->getResultHash: value: Modulus (1024 bit):
Exponent: 65537 (0x10001)

DEBUG: OpenCA::DBI->getResultHash: column: NOTAFTER
DEBUG: OpenCA::DBI->getResultHash: value: 20251120215915
DEBUG: OpenCA::DBI->getResultHash: column: CSR_SERIAL
DEBUG: OpenCA::DBI->getResultHash: value: 1056
DEBUG: OpenCA::DBI->getResultHash: column: LOA
DEBUG: OpenCA::DBI->getResultHash: value:
DEBUG: OpenCA::DBI->getResultHash: leaving function
DEBUG: OpenCA::DBI->getResultItem: data: -----BEGIN HEADER-----
PIN=b9fc990f6fc0efd0a5eb9ce8c43c95d25381b346
CSR_SERIAL=1056
ROLE=Web Server
-----END HEADER-----

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----
DEBUG: OpenCA::DBI->getResultItem: format: PEM
DEBUG: OpenCA::DBI->getResultItem: have all data
DEBUG: OpenCA::DBI->getResultItem: return item
DEBUG: OpenCA::DBI->Entering set_error ...
DEBUG: OpenCA::DBI->errno: gettext is defined
DEBUG: OpenCA::DBI->errno: new errorcode is 0
DEBUG: OpenCA::DBI->searchItems: add an object to the returnlist
DEBUG: OpenCA::DBI->searchItems: leaving function successfully
DEBUG: OpenCA::DBI->Entering set_error ...
DEBUG: OpenCA::DBI->errno: gettext is defined
DEBUG: OpenCA::DBI->errno: new errorcode is 0
cmds->cmdScepPKIOperation: scepCheckRequest: renewal allowed
cmds->cmdScepPKIOperation: scepCheckRequest: more than two valid certificates matched this request, rejected for policy reasons
cmds->cmdScepPKIOperation: execute8: /usr/local/openra/bin/openca-scep -new -signcert /usr/local/openra/openca/etc/scep/scep-cert.pem -msgtype CertRep -status FAILURE -failinfo badRequest -keyfile /usr/local/openra/openca/etc/scep/scep-key.pem -passin env:pwd -in /usr/local/openra/openca/var/tmp/scep_pkiOp_9195.p7 -reccert /usr/local/openra/openca/var/tmp/scep_client_9195.crt -outform DER
cmds->cmdScepPKIOperation: Pipe returned error code 0
cmds->cmdScepPKIOperation: execute4: /usr/local/openra/bin/openca-scep -new -signcert /usr/local/openra/openca/etc/scep/scep-cert.pem -msgtype CertRep -status FAILURE -failinfo badRequest -keyfile /usr/local/openra/openca/etc/scep/scep-key.pem -passin env:pwd -in /usr/local/openra/openca/var/tmp/scep_pkiOp_9195.p7 -reccert /usr/local/openra/openca/var/tmp/scep_client_9195.crt -outform DER
cmds->cmdScepPKIOperation: Pipe returned error code 0
DEBUG: OpenCA::DBI->commit: entering function
DEBUG: OpenCA::DBI->errno: returning local errorcode 0
DEBUG: OpenCA::DBI->Entering set_error ...
DEBUG: OpenCA::DBI->errno: gettext is defined
DEBUG: OpenCA::DBI->errno: new errorcode is 0
OpenCA::OpenSSL->_stop_shell: try to stop shell
OpenCA::OpenSSL->_stop_shell: try to stop shell
DEBUG: OpenCA::DBI->DESTROY: automatic commit by destructor DESTROY
DEBUG: OpenCA::DBI->commit: entering function
DEBUG: OpenCA::DBI->errno: returning local errorcode 0
DEBUG: OpenCA::DBI->Entering set_error ...
DEBUG: OpenCA::DBI->errno: gettext is defined
DEBUG: OpenCA::DBI->errno: new errorcode is 0
DEBUG: OpenCA::DBI->DESTROY: call finish on all statement handles to
avoid warnings by DBI
Martin Bartosch
2006-03-08 05:26:00 UTC
Hi Kurt,
Post by Kurt Hockenmaier
After the failing enrollment, all existing certificates are listed
cmds->cmdScepPKIOperation: scepCheckRequest: more than two valid
certificates matched this request, rejected for policy reasons
Below you can find the log of the enrollment.
the SCEP server rejects the request because it *seems* to find an
already existing certificate with the same requested DN in the database.

First (to be sure) please check if there is already a certificate
with CN=home-pix.home.de, if there is, please revoke the existing one
(s).

Next please change ScepRenewalRDNMatch in the SCEP server
configuration. Try setting it to
"unstructuredName" for your setup.

If it still does not work, set this value to the empty string "".

Remember to run configure_etc.sh and to restart OpenCA after changing
the configuration.

cheers,

Martin
Kurt Hockenmaier
2006-03-08 15:53:02 UTC
Post by Martin Bartosch
the SCEP server rejects the request because it *seems* to find an
already existing certificate with the same requested DN in the database.
First (to be sure) please check if there is already a certificate
with CN=home-pix.home.de, if there is, please revoke the existing one
(s).
Next please change ScepRenewalRDNMatch in the SCEP server
configuration. Try setting it to
"unstructuredName" for your setup.
If it still does not work, set this value to the empty string "".
Remember to run configure_etc.sh and to restart OpenCA after changing
the configuration.
Hi Martin,

I'm sure there is no certificate with CN=home-pix.home.de within the
database, so I used "unstructuredName".

The RA is working fine with this, but now the CA is complaining:

OpenCA Allgemeiner Fehler 700: The compilation of the command
cmdIssueCertificate failed. openssl syntax for multi-valued RDNs is
unknown at /usr/lib/perl5/vendor_perl/5.8.7/X500/DN.pm line 104

It is not possible to issue the certificate, I only can delete the request.

Best Regards
Kurt
Ives Steglich
2006-03-08 23:51:05 UTC
Post by Kurt Hockenmaier
Hi Martin,
I'm sure there is no certificate with CN=home-pix.home.de within the
database, so I used "unstructuredName".
but then the code shouldn't complain about an already existing
certificate in the database... maybe there is more than one pending
request with the same dn/subject in the db?
Post by Kurt Hockenmaier
OpenCA Allgemeiner Fehler 700: The compilation of the command
cmdIssueCertificate failed. openssl syntax for multi-valued RDNs is
unknown at /usr/lib/perl5/vendor_perl/5.8.7/X500/DN.pm line 104
If you edit the request, you should NOT use the available + connected
fields in the subject name:

this is what the request may look like:
name value
name value
name1 value1 + name1 value2 + namex value x

you should transform it into

name value
name value
name1 value1
name2 value2
namex valuex

and make sure that the + connected fields from the request are empty!

as i just saw, your certificates have the form:
Subject: C=DE, O=XEN Test RA, OU=Trustcenter, CN=apache/serialNumber=5

usually cisco-devices don't like it to get a certificate back with a
changed cn, you are not at this stage yet but if the device rejects the
certificate you should disable this automatic attachment of the serial
number in the cn... this can be changed in etc/servers/##.conf.template
(## = ra, ca, etc. Value: SET_CERTIFICATE_SERIAL_IN_DN) to enable or
disable it


greetings
dalini
Kurt Hockenmaier
2006-03-09 19:28:05 UTC
Post by Ives Steglich
If you edit the request, you should NOT use the available + connected
name value
name value
name1 value1 + name1 value2 + namex value x
you should transform it into
name value
name value
name1 value1
name2 value2
namex valuex
and make sure that the + connected fields from the request are empty!
Subject: C=DE, O=XEN Test RA, OU=Trustcenter, CN=apache/serialNumber=5
usually cisco-devices don't like it to get a certificate back with a
changed cn, you are not at this stage yet but if the device rejects the
certificate you should disable this automatic attachment of the serial
number in the cn... this can be changed in etc/servers/##.conf.template
(## = ra, ca, etc. Value: SET_CERTIFICATE_SERIAL_IN_DN) to enable or
disable it
Dalini,

I've also checked the pending requests, nothing in the database. I've
also changed the host+domain name of the pix
to create different requests - same result.

But to be sure I've set up a completely new CA and RA installation.
The request of the pix was still rejected without ScepRenewalRDNMatch
"unstructuredName".
After configuring ScepRenewalRDNMatch "unstructuredName" the request was
accepted and following your
recommendations for editing the request (also setting up
SET_CERTIFICATE_SERIAL_IN_DN),
the PIX received its certificate.

Dalini and Martin - Thanks a lot for your patience and your guidance !
OpenCA is a great piece of work and the developers will keep a safe place
in my hall of fame :-)

Cheers
Kurt
Ives Steglich
2006-03-09 19:36:04 UTC
Post by Kurt Hockenmaier
Dalini and Martin - Thanks a lot for your patience and your guidance !
OpenCA is a great piece of work and the developers will keep a safe place
in my hall of fame :-)
maybe you can make a little step by step guide - since i don't have
access to a pix at the moment and usually take some things for granted...

so we can put a more reliable guide for scep-usage in router/firewall
environments online, since there are a lot of people which seem to have
difficulties in using openca with cisco equipment

thx

greetings
dalini
Kurt Hockenmaier
2006-03-10 18:21:02 UTC
Post by Ives Steglich
maybe you can make a little step by step guide - since i don't have
access to a pix at the moment and usually take some things for granted...
so we can put a more reliable guide for scep-usage in router/firewall
environments online, since there are a lot of people which seem to have
difficulties in using openca with cisco equipment
Dalini,

I strongly agree with you that a guide for the SCEP setup is needed ;-)
It was really a pain to walk through the mailing list, collecting
the bits and pieces out of the various mails...

Since I'm into it now, I'll write the guide.

Best Regards
Kurt
Kurt Hockenmaier
2006-05-11 19:16:01 UTC
Post by Ives Steglich
Post by Kurt Hockenmaier
Dalini and Martin - Thanks a lot for your patience and your guidance !
OpenCA is a great piece of work and the developers will keep a safe place
in my hall of fame :-)
maybe you can make a little step by step guide - since i don't have
access to a pix at the moment and usually take some things for granted...
so we can put a more reliable guide for scep-usage in router/firewall
environments online, since there are a lot of people which seem to have
difficulties in using openca with cisco equipment
thx
greetings
dalini
Hi Dalini,

a little late (I'm busy with other too ;-) below you can find the
guide which shows how it worked
for me.

Best Regards
Kurt

1. General Info
---------------

This setup is based on the Suse Linux 10.0 distribution, mysql, apache2,
OpenCA 0.9.2.5 and PIX OS 6.3(5).
Two OpenCA instances are created, one acts as CA, the other one acts as RA.

2. Installation
---------------

Untar the sources and change directory to the OpenCA-0.9.2.5 dir.
This directory is used for the installation of the CA as well as for the
installation of the RA.
This approach will install a CA in /usr/local/openca/ca and a RA in
/usr/local/openca/ra.


2.1 Installation of the CA
--------------------------

As usual, you have to carry out ./configure and make - I've done it in the
following way:

make distclean
./configure \
--prefix=/usr/local/openca \
--with-httpd-user=wwwrun \
--with-httpd-group=www \
--with-openca-prefix=/usr/local/openca/ca \
--with-etc-prefix=/usr/local/openca/ca/etc \
--with-httpd-fs-prefix=/usr/local/openca/ca/httpd \
--with-module-prefix=/usr/local/openca/modules \
--with-node-prefix=ca-node \
--with-engine=no \
--with-web-host=localhost \
--enable-ocspd \
--enable-dbi \
--enable-rbac
make
make install-offline



2.2 Installation of the RA
--------------------------

It's the same game as installing the CA, but different options for
./configure
are needed:

make distclean
./configure \
--prefix=/usr/local/openca \
--with-httpd-user=wwwrun \
--with-httpd-group=www \
--with-openca-prefix=/usr/local/openca/ra \
--with-etc-prefix=/usr/local/openca/ra/etc \
--with-httpd-fs-prefix=/usr/local/openca/ra/httpd \
--with-module-prefix=/usr/local/openca/modules \
--with-node-prefix=ra-node \
--with-engine=no \
--with-web-host=localhost \
--enable-ocspd \
--enable-scep \
--enable-dbi \
--enable-rbac
make
make install-online


2.3 Create the databases
-----------------------

Two different (empty) databases and user IDs are created, one for the CA
and the second
one for the RA:

mysql --user=root -p
Enter password:

create database cadb;
create database radb;
grant all privileges on cadb.* to ***@localhost identified by
"change-me";
grant all privileges on radb.* to ***@localhost identified by
"change-me";


2.4 Modify Apache's configuration
-----------------------------------

Insert the following lines in default-server.conf:

# CA related
Alias /ca /usr/local/openca/ca/httpd/htdocs/ca/
Alias /ca-node /usr/local/openca/ca/httpd/htdocs/ca-node/
ScriptAlias /cgi-bin/ca/ /usr/local/openca/ca/httpd/cgi-bin/ca/
ScriptAlias /cgi-bin/ca-node/ /usr/local/openca/ca/httpd/cgi-bin/ca-node/

<Directory "/usr/local/openca/ca/httpd/cgi-bin/">
AllowOverride None
Options ExecCGI
Order allow,deny
Allow from all
</Directory>

<Directory "/usr/local/openca/ca/httpd/htdocs/">
AllowOverride None
Options FollowSymLinks Indexes
Order allow,deny
Allow from all
</Directory>

# RA related
Alias /ra /usr/local/openca/ra/httpd/htdocs/ra/
Alias /pub /usr/local/openca/ra/httpd/htdocs/pub/
Alias /ra-node /usr/local/openca/ra/httpd/htdocs/ra-node/
ScriptAlias /cgi-bin/ra/ /usr/local/openca/ra/httpd/cgi-bin/ra/
ScriptAlias /cgi-bin/pub/ /usr/local/openca/ra/httpd/cgi-bin/pub/
ScriptAlias /cgi-bin/ra-node/ /usr/local/openca/ra/httpd/cgi-bin/ra-node/
ScriptAlias /cgi-bin/scep/ /usr/local/openca/ra/httpd/cgi-bin/scep/

<Directory "/usr/local/openca/ra/httpd/cgi-bin/">
AllowOverride None
Options ExecCGI
Order allow,deny
Allow from all
</Directory>

<Directory "/usr/local/openca/ra/httpd/htdocs/">
AllowOverride None
Options FollowSymLinks Indexes
Order allow,deny
Allow from all
</Directory>

<Directory "/usr/local/openca/ra/httpd/cgi-bin/pub">
AllowOverride None
Options FollowSymLinks Indexes
Order allow,deny
Allow from all
</Directory>

Now restart the apache daemon.

3. Adjust the CA's configuration templates
------------------------------------------


3.1 /usr/local/openca/ca/etc/config.xml
----------------------------------------

Section general options:

<name>ca_organization</name>
<value>Test CA</value>

<name>ca_locality</name>
<value>CA Test Lab</value>

<name>ca_country</name>
<value>DE</value>

<name>service_mail_account</name>
<value>***@localhost</value>


Section database configuration:

<option>
<name>dbmodule</name>
<value>DBI</value>

<name>db_type</name>
<value>mysql</value>

<name>db_name</name>
<value>cadb</value>

<name>db_host</name>
<value>localhost</value>

<name>db_port</name>
<value>3306</value>

<name>db_user</name>
<value>causer</value>

<name>db_passwd</name>
<value>change-me</value>

Section dataexchange configuration:

De-activate default mode 0 (no dataexchange configure) by adding comment
<!-- --> brackets.
Activate mode 1, node acts as CA only by removing comment brackets.


<name>dataexchange_device_up</name>
<value>/usr/local/openca/ca/var/tmp/fd0</value>

<name>dataexchange_device_down</name>
<value>/usr/local/openca/ca/var/tmp/fd0</value>

<name>dataexchange_device_local</name>
<value>/usr/local/openca/ca/var/tmp/fd0</value>

3.1.1 /usr/local/openca/ca/etc/servers/ca.conf.template

SET_CERTIFICATE_SERIAL_IN_DN "N"

3.2 /usr/local/openca/ca/etc/access_control/ca-node.xml.template

<type>mod_ssl</type>
<protocol>.*</protocol>

<symmetric_cipher>.*</symmetric_cipher>
<symmetric_keylength>0</symmetric_keylength>


4. Adjust the RA's configuration templates
------------------------------------------


4.1 /usr/local/openca/ra/etc/config.xml
----------------------------------------

Section general options:

<name>ca_organization</name>
<value>Test RA</value>

<name>ca_locality</name>
<value>RA Test Lab</value>

<name>ca_country</name>
<value>DE</value>

<name>service_mail_account</name>
<value>***@localhost</value>


Section database configuration:

<option>
<name>dbmodule</name>
<value>DBI</value>

<name>db_type</name>
<value>mysql</value>

<name>db_name</name>
<value>radb</value>

<name>db_host</name>
<value>localhost</value>

<name>db_port</name>
<value>3306</value>

<name>db_user</name>
<value>rauser</value>

<name>db_passwd</name>
<value>change-me</value>


Section configuration of SCEP:

<name>SCEP_RA_CERT</name>
<value>/usr/local/openca/ra/etc/scep/scep-cert.pem</value>

<name>SCEP_RA_KEY</name>
<value>/usr/local/openca/ra/etc/scep/scep-key.pem</value>


Section dataexchange configuration:

De-activate default mode 0 (no dataexchange configure) by adding comment
<!-- --> brackets.
Activate mode 2, node acts as RA only by removing comment brackets.

<name>dataexchange_device_up</name>
<value>/usr/local/openca/ca/var/tmp/fd0</value>

<name>dataexchange_device_down</name>
<value>/usr/local/openca/ca/var/tmp/fd0</value>

<name>dataexchange_device_local</name>
<value>/usr/local/openca/ca/var/tmp/fd0</value>


4.2 Change directory to /usr/local/openca/ra/etc/access-control. In the
files pub.xml.template, ra.xml.template and ra-node.xml.template the
protocol and symmetric_keylength values have to be adjusted:

<type>mod_ssl</type>
<protocol>.*</protocol>

<symmetric_cipher>.*</symmetric_cipher>
<symmetric_keylength>0</symmetric_keylength>

4.3 Adjust etc/servers/scep.conf.template
Change
ScepRenewalRDNMatch "CN"
to
ScepRenewalRDNMatch "unstructuredName"



5. Generate the configuration files and start CA and RA
-------------------------------------------------------

For the CA:
cd /usr/local/openca/ca/etc/
./configure_etc.sh
./openca_start

For the RA:
cd /usr/local/openca/ra/etc/
./configure_etc.sh
./openca_start


6. Initialization of the CA
---------------------------

Point your browser to http://some-host/ca (user root and password root)
and follow
the menu General->Initialization->Initialize the Certification Authority

Carry out the following tasks from Phase 1:
a) Initialize Database
b) Generate new CA secret key - choose 2048 for the CA key size
c) Generate new CA Certificate Request (use generated secret key)
d) Self Signed CA Certificate (from already generated request)
e) Rebuild CA Chain

Import the CA certificate to your browser.

Then follow the menu General->Initialization->Create the initial
administrator and
carry out the following tasks from Phase 2:
a) Create a new request - choose Trustcenter for Certificate Request
Group, choose
CA Operator as role and choose High for LOA (for the key size I've
chosen 2048).
b) Edit the request and after editing choose Issue Certificate from the
bottom of the page.
c) Handle the Certificate - download the certificate (PKCS#12) to your
browser (if the browser
complains about a wrong key, it can't handle a key composed with symbols
(i.e. $-/) -
at least Firefox could not)

Follow now the menu General->Initialization->Create the initial RA
certificate and
carry out the following tasks from Phase 3:
a) Create a new request as above Trustcenter, LOA High, role RA
Operator, keysize 2048
b) Edit the request and after editing choose Issue Certificate from the
bottom of the page.
c) Handle the Certificate - download the certificate (PKCS#12) to your
browser

Create the CRL.

6.1 Export the CA's Configuration
---------------------------------

Move to General->Node Management to login to the CA node and choose
Administration->Dataexchange. Under the topic Enroll data to a lower
level of the hierarchy
choose All.


7. Initialize the RA
--------------------
Point your browser to http://some-host/ra-node (user root and password
root) and follow
the menu Administration->Server Init, choose Initialize Database and
choose Import Configuration from the same page afterwards.

Follow the menu Administration->Dataexchange. Under the topic Download
data from a higher level of the hierarchy choose All.



8. Create the Certificate for the SCEP interface
------------------------------------------------

Point your browser to http://some-host/pub and follow the menu User->
Request a Certificate
->Basic Request
Choose Trustcenter for Certificate Request Group, Web Server as role and
High for LOA set the key size to 2048.

Move to the RA, edit the request and approve it without signing.
Go to the RA-Node and upload the request to the CA.
Go to the CA Node, receive data from the ra.
Go to the CA and issue the certificate.
Again go to the CA Node and enroll data to the RA and then go to the RA
and download data from the CA.
Go to the RA and follow the menu Information-> Certificates->Valid.
Click on the SCEP certificate and download it with SSLeay.
Cut the certificate (including -----BEGIN CERTIFICATE and END
CERTIFICATE-----) and save it to the file
/usr/local/openca/ra/etc/scep/scep-cert.pem.
Cut the private key (including -----BEGIN RSA and END RSA PRIVATE
KEY-----) and save it to the file
/usr/local/openca/ra/etc/scep/scep-key.pem.
Chown certificate and key wwwrun.www.

9. Configure the PIX
--------------------

As described in the manuals, create the private key and authenticate the RA
ca identi xen-ca 172.16.2.249:/cgi-bin/scep/scep
ca configure xen-ca ra 1 50 crloptional
ca authenticate xen-ca

(If you do a 'show ca cert' you should see a CA and a RA certificate now)

ca enroll xen-ca fake ipaddress


Now edit the request at the RA interface.
You can see a line unstructuredAddress 1.1.1.1 + CN some-value +
unstructuredName some-value
Put all fields following the first + sign at the left above the
unstructuredAddress field.
Add additional attributes in the Subject Alternative Name section: DNS
and IP with the same
values as in the request at unstructuredName and unstructuredAddress.
Then submit the changed request and approve it.
Upload the data to the CA, import it into the CA, issue certificate,
download it to the RA
and finally import it into the ra again.

When the pix has received its certificate, save it with ca save all,
and as the last step you can retrieve the CRL with ca crl request xen-ca.

10. Mind the time
-----------------

Don't forget to synchronise the time settings on all involved devices
before you
start to request certificates.
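
The request edit described in Ives Steglich's reply and in step 9 of the guide above, as an added Python sketch that is not part of the thread and not OpenCA code. It assumes the subject is written as comma-separated RDNs with `+` joining the attributes of a multi-valued RDN; the function names are hypothetical and the sample subject is constructed from values shown in the thread.

```python
import ipaddress


def _split_unescaped(text, sep):
    """Split text on sep, ignoring separators escaped with a backslash."""
    parts, current, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            current.append(text[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if ch == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


def parse_subject(subject):
    """Return a list of RDNs; each RDN is a list of (attribute, value) pairs."""
    rdns = []
    for rdn_text in _split_unescaped(subject, ","):
        avas = []
        for ava_text in _split_unescaped(rdn_text, "+"):
            attr, sep, value = ava_text.partition("=")
            if not sep or not attr.strip():
                raise ValueError(f"malformed attribute: {ava_text!r}")
            avas.append((attr.strip(), value.strip()))
        rdns.append(avas)
    return rdns


def multi_valued(rdns):
    """RDNs holding more than one attribute, the form the CA refused to issue."""
    return [rdn for rdn in rdns if len(rdn) > 1]


def flatten(rdns):
    """One attribute per RDN.

    Inside a '+' group the attributes after the first '+' are placed before
    the group's first attribute, which is the order step 9 of the guide gives.
    """
    flat = []
    for rdn in rdns:
        flat.extend(rdn[1:] + rdn[:1])
    return flat


def subject_alt_names(rdns):
    """DNS and IP entries taken from unstructuredName / unstructuredAddress."""
    sans = []
    for attr, value in (ava for rdn in rdns for ava in rdn):
        key = attr.lower()
        if key == "unstructuredname":
            sans.append(("DNS", value))
        elif key == "unstructuredaddress":
            # ip_address() raises ValueError if the request carries a bad address
            sans.append(("IP", str(ipaddress.ip_address(value))))
    return sans


# Constructed sample in the shape the guide describes for a PIX request.
SAMPLE_SUBJECT = (
    "unstructuredAddress=1.1.1.1"
    "+CN=home-pix.home.de"
    "+unstructuredName=home-pix.home.de"
)

if __name__ == "__main__":
    parsed = parse_subject(SAMPLE_SUBJECT)
    print("multi-valued RDNs:", len(multi_valued(parsed)))
    for attr, value in flatten(parsed):
        print(f"  {attr} = {value}")
    for kind, value in subject_alt_names(parsed):
        print(f"  subjectAltName {kind}: {value}")
```
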
Casey rayback
2006-05-16 05:31:00 UTC
Hello guys,

I am quite new to OpenWorld and want to use OpenCA now but I am much confused on the configuration.
Can you please help me with the choice of the OS ?

I have Redhat 9.0 and FreeBSD 5.4 at hand now, so which one am I to choose for the minimum trouble installation ?

Sincerely
Ray
David Bannon
2006-05-17 01:48:03 UTC
I've used centos with no OS type issues. I don't think you need worry
too much about the OS.

Spend more time deciding about database to use and modules to install.

David
Post by Casey rayback
Hello guys,
I am quite new to OpenWorld and want to use OpenCA now but I am much
confused on the configuration.
Can you please help me with the choice of the OS ?
I have Redhat 9.0 and FreeBSD 5.4 at hand now, so which one am I to
choose for the minimum trouble installation ?
Sincerely
Ray