OpenCA LiveCD

You can download the OpenCA LiveCD image from http://media.dartmouth.edu/~deploypki/openca-livecd.iso.
The purpose of this KNOPPIX remaster is to provide an easy way to test or use OpenCA. We recommend at least 256M of memory to run smoothly.

Please read this document through before starting. There are some caveats you need to be aware of.


On boot, you will be asked to provide your Organization, Location (state), and the email address of the OpenCA administrator. Default values will be used if no answers are provided.

Administer OpenCA, the initialization of an Installed CA


Note: the administration URLs are only available to a browser running on the LiveCD machine. Console-only URLs are indicated as "localhost"; network accessible URLs are indicated as openca-livecd.dhcp-subdomain.your.domain

The OpenCA interface uses frames organized as tabs, with menus leading to pages within the tabs. Below, we will mark Tabs in bold, and Menu Items with emphasis. After executing a given operation, it may be necessary to reselect the Menu Item to advance to the next step. Several of the URLs referenced are available in the bookmarks pane to the left in the Mozilla installed on the CD.

Configure an installed/compiled OpenCA installation

  1. Connect to the ca: http://localhost/ca/ A series of tabs will be visible. Select General tab, and the Initialization item within it. That will bring up the "OpenCA Init" page with several links on it, organized into 3 phases (click the link for each phase to get to its operations).
  2. Phase I:Initialize the Certification Authority

  3. Click on Initialize the Certification Authority. This brings up the "Init Certification Authority" page.
  4. Click on Initialize Database This step should report sucess. Return to the "Init Certification Authority" using the Back button.
  5. Click on Generate new CA secret key. This brings up the "Get Additional Parameters" page. The default values are Click "OK"
  6. Enter the CA Certificate Private Key password on the CA Token Login page. This password will protect the CA private key, and must be entered to operate the CA. After entering your password, click "OK". The server will create a key pair based on the parameters you entered; this may take a few moments. When key generation is complete, a screen will display the key. Click "OK". Return to "Init Certification Authority" page.
  7. Click on Generate new CA Certificate Request (use generated secret key). Fill in the parameters as needed for your installation. Click "OK", and confirm the DN generated from the parameters. The OpenSSL configuration for in the LiveCD install matches these items. You will be prompted to enter your credentials, meaning the private key password you generated in the previous step. Return to "Init Certification Authority" page.
  8. Click on Self Signed CA Certificate (from already generated request). You will be prompted to confirm the validity period for the CA, as well as to confirm you credentials (the private key password). Return to "Init Certification Authority" page.
  9. Click on Rebuild CA Chain. You should get a response confirming success.
  10. Click on Export Configuration. Click "OK" to the prompt about providing a support; this install of OpenCA needs no additional support. You should get a response confirming success.
  11. Phase II:Create the initial administrator

  12. Click on Create the initial CA certificate This brings up the "Init First User" page. This step creates a certificate (and key pair) to identify the CA Administrator.
  13. Click on Create a new request. Fill in the Certificate/User data as desired. The Role should be "CA Operator". The PIN will be used to protect the private key of this certificate on the server. Confirm the data has been entered. There is no need to print the information. Return to the "Init First User" page
  14. Click on Edit the request. Click on "Submit the changed request" at the bottom (even though you didn't change the request). Click on "Issue Certificate" at the bottom. You will be prompted to confirm you credentials (the private key password). Return to the "Init First User" page
  15. Click on Handle the request. Select the "Certificate and Keypair" as p12 in the "Operations" section, and click on "Download". You will be prompted for the private key password for this certificate, which was generated as the PIN above. The p12 will be saved, and can be imported into the browser for use later.
  16. Phase III:Create the initial RA certificate

  17. Click on Create the initial RA certificate This brings up the "Init First User" page. This step creates a certificate (and key pair) to identify the RA Administrator.
  18. Click on Create a new request. Fill in the Certificate/User data as desired. The Role should be "RA Operator". The PIN will be used to protect the private key of this certificate on the server. Confirm the data has been entered. There is no need to print the information. Return to the "Init First User" page
  19. Click on Edit the request. Click on "Submit the changed request" at the bottom (even though you didn't change the request). Click on "Issue Certificate" at the bottom. You will be prompted to confirm you credentials (the private key password). Return to the "Init First User" page
  20. Click on Handle the request. Select the "Certificate and Keypair" as p12 in the "Operations" section, and click on "Download". You will be prompted for the private key password for this certificate, which was generated as the PIN above. The p12 will be saved, and can be imported into the browser for use later.
  21. Initialize the RA

  22. Connect to the ra-node: http://localhost/ra-node/ A series of tabs will be visible. Select Administration tab, and the Server Init item within it. That will bring up the "Init New Node" page with two links on it.
  23. Click on Import Configuration under "PKI Setup". This step should report sucess after prompting for confirmation. An error message about being unable to insert object, but object is already present is expected and acceptable. This step makes the CA certificate available to the RA and public users.

Issue a User Certificate

Submit a Certificate Request

The OpenCA-LiveCD tries to register itself on the network as "openca-livecd.dhcp-subdomain.your.domain". If this fails, you may need to target it via IP address. The ifconfig command in a shell window is helpful to determine the ip address.
  1. Connect to openca-livecd.dhcp-subdomain.your.domain/pub
  2. Select the User tab, and the Request a Certificate item. This brings up the "Request a certificate" page.
  3. Click on Request a certificate with automatic browserdetection. This brings up the "Basic Certificate Request" page
  4. Fill out the "Basic Certificate Request" page as needed, selecting the Role "User". Click "Continue". Confirm the Request. The keysize must be re-selected. What happens next is browser-dependent. Mozilla will ask you to confirm the keysize and prompt you for the master keystore password- this is the password that protects the user's private keys. IE will ask you to select the Cryptographic device, possibly leading you through some decisions about the key. Make note of the Serial number of the request; you will use it to retrieve the certificate.

Approve the Certificate

All of the Approval and Issuance steps must be done from the console. This is why we list the URL as "localhost"
  1. Connect to the ra: http://localhost/ra/ There is a bookmark for the ra in the collection of bookmarks on the left. Select Active CSRs tab, and the New item within it. This brings up a search page. If you did not modify the trust center or security levels for the request, you can use the default search parameters. Click "Search".
  2. A list of requests should display. Click on the Serial Number of the request you wish to process.
  3. Confirm that the displayed request is the desired one, and click on "Approve Without Signing". (Approval with signing requires Mozialla 1.7, or the SecCLAB plugin, not currently installed on the liveCD).

Issue the Certificate

  1. Connect to the ca: http://localhost/ca/
  2. Select Usual Operations tab, and the Approved Certificate Requests item within it.
  3. A list of requests should display. Click on the Serial Number of the request you wish to process.
  4. Confirm that the displayed request is the desired one, and click on "Issue the Certificate". Confirm the request with the CA private key password.
  5. This completes the console operations.

Get the Certificate

  1. Connect to openca-livecd.dhcp-subdomain.your.domain/pub
  2. Select the User tab, and the Get Requested Certificate item. Enter the Request Serial number, and select "Request's Serial" from the "Type of Serial" selection box. Click "OK". There is no feedback if the operation was successful.
  3. Confirm the certificate is present:

Get the Root Certificate

  1. Connect to openca-livecd.dhcp-subdomain.your.domain/pub
  2. Select the CA Infos tab, and the Get CA Certificate item.
  3. Select "CA-certificate in format CRT "
  4. Mozilla/Netscape users need to follow these steps:
    1. On the dialog box that appears, check all three boxes:
      • Trust this CA to identify web sites.
      • Trust this CA to identify email users.
      • Trust this CA to identify software developers
    2. Click the "OK" button.

    Internet Explorer users on Windows need to follow these steps:
    1. On the dialog box that appears, click on the "Open" button. (Windows XP will save the certificate file to disk first).
    2. Click on the 'Install Certificate...' button in the window that opens.
    3. Accept the Certificate Installation Wizard's defaults.


How do I...

Get the CD to boot: consult your computer's documentation about BIOS boot order. You need to tell it to boot off the CD before it boots off the hard drive.

Find this document from the LiveCD: open Mozilla (red dinosaur in the bottom toolbar), click "OpenCA LiveCD" in the sidebar.

Access the CA from another machine: by default the LiveCD will get an IP address via DHCP and will try to register the hostname openca-livecd, so if you have DHCP and DNS tied together, the hostname will be openca-livecd.your.domain, or openca-livecd.dhcp-subdomain.your.domain. In order to request a certificate you go to http://openca-livecd/pub/.

Format or partition a disk: run sudo qtparted from a terminal. ext3 is a safe choice for the partition type.
You will need to reboot (click the K at the bottom left and select Logout) if you partition a device, so do this step before your initialize OpenCA.

Create a permanent home directory: run sudo mkpersistenthome from a terminal. When you reboot, you will need to tell KNOPPIX at the initial boot prompt to reuse the saved home. If you used a full partition you have to type knoppix home=/dev/????. If you used an image you can type knoppix home=scan. You should make the persistent root at least 100M (although you may be able to get away with as little as 40M). A USB keychain type device is perfect for a persistent home.

If you are planning on installing to hard drive at any point in the future, be aware that you cannot install to the same partition you use for the permanent home. A full install requires about 1.5G.

Because of some of the voodoo that happens to enable servers to run from a read only media, we recommend you stop the MySQL server (sudo /etc/init.d/mysql stop) before you run this command, and reboot (click the K at the bottom left and select Logout) immediately after.

Install to a hard drive: run sudo knoppix-installer from a terminal. After you install to a hard drive you might want to undo some of the customizations of the LiveCD required to run services with a read only media. You can run sudo /usr/local/sbin/openca-undo.sh to do this for you.

Note that you cannot install Knoppix to the same place you used for the persistent home. Please plan accordingly by making two partitions when you partition your hard drive. A full install requires about 1.5G.

There is an Enforcer enabled kernel supplied if you have a computer with a TPM and wish to use it to your advantage. You can use this kernel by selecting 'Linux(2.6)-3' from the initial boot menu. Note that this kernel is compiled with the Enforcer's debug support on, which is good for testing, but not good for security. Please recompile if you are using this in a production environment. You can find the Enforcer enabled kernel source in /usr/src/linux-2.6.5-enforcer.tar.bz2.

Find out more about KNOPPIX: http://www.knoppix.net/docs/

Open up more ports through the firewall: after installing to the hard drive, edit /etc/firewall/config. Look for the variable SERVICES around line 53. You can add any services/ports you wish to the list. If you wish to open a port to a limited set of IPs you can add something like dport=ssh;source=192.168.0.0/16.

Enable wireless networking: short answer, you can't. Wireless networking support was removed as a strategic decision that a Certificate Authority should not be run over a wireless connection.

Revoke a Certificate: You will need to install Openca onto a hard drive and install an upgraded version of mozilla (or download the SecCLAB plugin for the current version) before the revocation path will function for adminstrators.

Find the error output of the custom OpenCA stuff: in /var/tmp/ you will find logs for the start and stop of openca as well as verbose output from openca-setup.sh which allows daemons to run with a read only media.






Kevin Mitcham
Last modified: Sun Jul 11