Saturday, March 28, 2009

EJBCA 3.8.2 released

"This is a minor release adding improvements and bugfixes
- Add street and pseudonym DN attributes.
- OCSP improvements, RFC 5019, nextUpdate, support for requests using GET, improved configuration and error handling.
- Correct coding of optional Issuing Distribution Point in CRLs.
- Possible to publish userPassword in LDAP.
- A few minor fixes."
Check out the change-log for all the details.

A pretty cool feature that hides behind the "RFC 5019" improvement is that OCSP responses can now be cached. The RFC 5019 profile puts the whole OCSP request in the URL of an HTTP GET (a POST body is never cached by a proxy) and omits the nonce extension, since a nonce makes every request unique and defeats the cache, while the responder fills in nextUpdate and the matching HTTP caching headers. That lets a plain HTTP/1.1 cache (an Apache httpd config is included in the docs) serve repeated status requests for the same certificate and load-balance between your responders. I'd love to see someone try this out on a massive scale and report back to me with some statistics.. =)
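Added example for this post, not code from EJBCA or its docs: a small script that builds an RFC 5019 style GET URL from a DER OCSP request and shows the HTTP headers a cache keys on. It assumes openssl and curl are installed, that the responder URL, issuer.pem and cert.pem are given on the command line, and that the responder is EJBCA's or any other one that follows the profile.

```shell
#!/bin/sh
# Added example for this post; not code from EJBCA or its docs.
# Build an RFC 5019 style OCSP GET URL from a DER request and look at the HTTP
# headers a cache would key on. Assumes openssl and curl are installed; the
# responder URL, issuer.pem and cert.pem are supplied on the command line.
set -eu

# RFC 5019: the GET path is base64(DER OCSPRequest) with the base64 characters
# that are not URL-safe ("+", "/", "=") percent-encoded.
b64_urlencode() {
    printf '%s' "$1" | sed -e 's/+/%2B/g' -e 's,/,%2F,g' -e 's/=/%3D/g'
}

# Print the full GET URL for a DER encoded OCSPRequest file.
# base64|tr is used instead of base64 -w0 so it also works on non-GNU systems.
ocsp_get_url() {
    responder=$1
    der=$2
    b64=$(base64 "$der" | tr -d '\n')
    printf '%s/%s\n' "${responder%/}" "$(b64_urlencode "$b64")"
}

# Create the request with openssl. -no_nonce matters: a nonce makes every
# request unique, so a cache can never serve a stored response for it.
make_request() {
    openssl ocsp -issuer "$1" -cert "$2" -no_nonce -reqout "$3" >/dev/null
}

# RFC 5019 limits GET to encoded requests of at most 255 bytes; longer ones go
# by POST. Arguments: responder URL, full GET URL.
fits_in_get() {
    base=${1%/}
    encoded=${2#"$base"/}
    [ "${#encoded}" -le 255 ]
}

# Fetch only the headers: max-age/Expires are derived from nextUpdate in the
# response, and Last-Modified/ETag let the cache revalidate cheaply.
check_cache_headers() {
    curl -sS -D - -o /dev/null "$1" |
        grep -iE '^(HTTP/|Cache-Control|Expires|Last-Modified|ETag|Date)'
}

# usage: ocsp-get.sh http://ocsp.example.com issuer.pem cert.pem
if [ $# -eq 3 ]; then
    req=$(mktemp)
    trap 'rm -f "$req"' EXIT
    make_request "$2" "$3" "$req"
    url=$(ocsp_get_url "$1" "$req")
    fits_in_get "$1" "$url" || echo "warning: encoded request longer than 255 bytes, use POST" >&2
    echo "$url"
    check_cache_headers "$url"
fi
```

Run it twice against the same responder: with a cache in front, the second answer should come back with the same Last-Modified/ETag and a Cache-Control max-age that shrinks as nextUpdate approaches. If you see a fresh Date and full max-age each time, either the request carries a nonce or the responder is not setting nextUpdate.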

Tuesday, February 3, 2009

Using smart card browser authentication in Ubuntu

To use smart card authentication in Firefox on Ubuntu 8.10 you have to install pcscd, a working card reader driver (if the built-in CCID driver does not work for you) and a PKCS#11 module.

This example works for Ubuntu 8.10. In my case I have an OmniKey CardMan 3021 USB card reader and a smart card with 2048-bit RSA keys. To be able to use 2048-bit keys with the OmniKey reader I have to use their driver.

- Download driver from omnikey.com and put in /tmp

# sudo su -
# apt-get install pcscd
# cd /tmp
# tar -zxvf ifdokccid_lnx_x64-3.5.1.tar.gz
# cd /usr/lib/pcsc/drivers
# cp -r /tmp/ifdokccid_lnx_x64-3.5.1/ifdokccid_lnx_x64-3.5.1.bundle .
# rm -rf ifd-ccid.bundle/
# /etc/init.d/pcscd restart
# apt-get install mozilla-opensc

Finally open pkcs11.html (below) in Firefox and click "Install opensc in Linux". The page uses the Firefox-only window.pkcs11 API, which was removed in Firefox 3.5; on later versions load the module by hand under Preferences → Advanced → Security Devices → Load, pointing it at opensc-pkcs11.so.

--- pkcs11.html ---
<HTML>
<HEAD>
<TITLE>opensc</TITLE>
</HEAD>
<BODY>
<SCRIPT>
PKCS11_PUBLIC_READ_CERT = 0x1<<28;
function doInstallPkcs11Windows()
{
pkcs11.addmodule("opensc", "opensc-pkcs11.dll", PKCS11_PUBLIC_READ_CERT, 0);
}
function doInstallPkcs11Linux()
{
pkcs11.addmodule("opensc", "opensc-pkcs11.so", PKCS11_PUBLIC_READ_CERT, 0);
}
function doUninstallPkcs11()
{
pkcs11.deletemodule("opensc");
}
</SCRIPT>
<a href="javascript:doInstallPkcs11Linux();">Install opensc in Linux</a><br>
<a href="javascript:doInstallPkcs11Windows();">Install opensc in Windows</a><br>
<a href="javascript:doUninstallPkcs11();">Uninstall opensc</a><br>
</BODY>
</HTML>
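As an added example, not part of the original post, the same registration done from the command line with NSS's modutil (package libnss3-tools), after checking that the reader and the PKCS#11 module actually work outside the browser. The module path OPENSC_MODULE and the profile root MOZ_ROOT are assumptions for this example; adjust them to your system.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check the smart card
# stack and register the OpenSC PKCS#11 module in a Firefox profile with NSS's
# modutil (package libnss3-tools) instead of the window.pkcs11 page.
# Assumed paths: OPENSC_MODULE and MOZ_ROOT below; adjust to your system.
set -eu

OPENSC_MODULE=${OPENSC_MODULE:-/usr/lib/opensc-pkcs11.so}
MOZ_ROOT=${MOZ_ROOT:-${HOME:-}/.mozilla/firefox}

# Resolve the profile directory from profiles.ini: the section with Default=1,
# otherwise the first one. Relative paths are joined to the root. Returns 1 if
# no profile is listed.
find_profile() {
    root=$1
    [ -r "$root/profiles.ini" ] || return 1
    awk -F= -v root="$root" '
        function flush() {
            if (path != "") {
                full = (rel == "0") ? path : root "/" path
                if (first == "") first = full
                if (def) chosen = full
            }
            path = ""; rel = ""; def = 0
        }
        { sub(/\r$/, "") }
        /^\[/ { flush() }
        $1 == "Path" { path = $2 }
        $1 == "IsRelative" { rel = $2 }
        $1 == "Default" && $2 == "1" { def = 1 }
        END {
            flush()
            if (chosen != "") print chosen
            else if (first != "") print first
            else exit 1
        }' "$root/profiles.ini"
}

# Is the reader visible to pcscd? (opensc-tool comes with the opensc package)
check_reader() {
    opensc-tool --list-readers
}

# Does the module load and see a token? Proves the PKCS#11 side works before
# Firefox is involved.
check_module() {
    pkcs11-tool --module "$OPENSC_MODULE" --list-slots
}

# Register the module in the profile's NSS database. Firefox must be closed,
# otherwise it overwrites the database on exit. -force skips the prompt.
register_module() {
    profile=$1
    if modutil -dbdir "$profile" -list 2>/dev/null | grep -q '\. opensc$'; then
        echo "opensc already registered in $profile"
    else
        modutil -dbdir "$profile" -add opensc -libfile "$OPENSC_MODULE" -force
    fi
}

# usage: smartcard-firefox.sh install
if [ "${1:-}" = "install" ]; then
    check_reader
    check_module
    register_module "$(find_profile "$MOZ_ROOT")"
fi
```

Newer Firefox versions keep the NSS database in SQLite format; there the directory is given to modutil as sql:/path/to/profile. Running the two check functions first saves a lot of guessing: if pkcs11-tool cannot list a slot with a token, Firefox will not either.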

Thursday, January 29, 2009

EJBCA 3.8.1 released

This is a minor release, targeted at adding support for JBoss 5 and fixing a mistake that caused installation on Glassfish to fail.
It also adds a few minor improvements and bugfixes.
- Add support for JBoss 5.
- Fix support for Glassfish caused by a forgotten commit in 3.8.0.
- Improve support for Weblogic 10.3.
- Fix support for IPv6 subject alternative names.
- A few minor CMP, OCSP and CVC fixes.

See the full changelog at ejbca.org for details.

Saturday, December 20, 2008

HTC G1 android phone and tele2

Hardly surprisingly, the G1 also works perfectly in Sweden. To configure it for Tele2 I only had to set five items in the APN configuration.
- Name: Tele2
- APN: internet.tele2.se
- MMSC: http://mmsc.tele2.se
- MMS proxy: 130.244.202.30
- MMS port: 8080
After this the phone works like a charm. Buying the phone from Google was easy and delivery was fast, only a week.
Now all we have to do is run EJBCA on the phone :-)

To re-encode movies to show on the phone (using cinema app for example) do this on Ubuntu:
- apt-get install avidemux, and start avidemux. Avidemux works great as a mobile media encoder.
- Open the file you want to convert.
- In the Video dropdown select MPEG-4 ASP (lavc).
- Click Configure->Encoding Mode->Single pass - bitrate, enter 384 kb/s and click ok.
- Click Filters, double click MPlayer resize, width 480, height 320, click OK then close.
- In Audio dropdown select AAC (FAAC).
- Click Configure and select bitrate 96.
- In Format dropdown select MP4.
- Finally click Save and enter the new filename with .mp4 ending.

Now just make sure you copy the file to sdcard intact.

Tuesday, December 16, 2008

Zepto Nox A15 and Ubuntu 8.10

On my new Zepto Nox A15 most things work out of the box, except suspend to RAM (hibernate works) and screen brightness. I blame the nvidia proprietary driver for this...

This is what I did to get the screen brightness settings to work:
-----
First check out the latest nvclock source code:
> cvs -d:pserver:anonymous@nvclock.cvs.sourceforge.net:/cvsroot/nvclock login
> cvs -z3 -d:pserver:anonymous@nvclock.cvs.sourceforge.net:/cvsroot/nvclock co -P nvclock
> cd nvclock
> gedit src/backend/nv50.c
change line 331 from:
if((nv_card->subvendor_id == PCI_VENDOR_ID_SONY) && nv_card->gpu == MOBILE)
to
if(nv_card->gpu == MOBILE)
> ./configure --prefix=/usr
> make
> sudo make install
> sudo cp src/smartdimmer /usr/bin/smartdimmer

Now we have the command, so fix up HAL so that it calls nvclock when the brightness keys on the keyboard are pressed. Add the nvclock call to the sysfs branch of the HAL brightness script, so it looks like this:
> sudo gedit /usr/lib/hal/scripts/linux/hal-system-lcd-set-brightness-linux

if [ -w "$HAL_PROP_LINUX_SYSFS_PATH/brightness" ]; then
    echo "$value" > "$HAL_PROP_LINUX_SYSFS_PATH/brightness"
    if [ "$HAL_PROP_LAPTOP_PANEL_ACCESS_METHOD" = "general" ]; then
        # if the nvidia nvclock command exists, try to use it
        if command -v nvclock &>/dev/null
        then
            #echo " Yes, command :nvclock: was found."
            # scale HAL's brightness level to the value nvclock -S expects
            foo="$(((($value +1)*10)+5))"
            nvclock -S $foo
        fi
    fi
    exit 0
fi
-----

Done. Now if only suspend would work it would be perfect.
I also have some slight problems with sound settings (volume up/down) that worked at first but not anymore...

Oh, I forgot to say... EJBCA works perfectly!

EJBCA 3.8.0 released

EJBCA 3.8.0 has a whole range of fixes. One of the most interesting is the improvements in the authorization module, which make it much easier to configure administrators and allow you to use externally issued certificates as administrator certificates (for example from a national ID card).
This will hopefully get rid of most of the questions posted about problems configuring new administrators.

See http://ejbca.org/ for the download and full changelog.

News was published on Serverside.com.

Wednesday, November 19, 2008

Simple Certificate Archival solution

Introduction

From syscheck 1.2 and on there is a script-based archival solution.

New and revoked certificates (and CRLs) are stored on local disk in a file tree and optionally on a remote SSH server.

syscheck svn: https://ejbca.svn.sourceforge.net/svnroot/ejbca/trunk/syscheck/

Setup of publisher

Go to: EJBCA Adminweb → ”Edit Publishers” → Add new, name: ”Archival publisher”

Select/enter the following:

Publisher Type: ”Custom Publisher”
Class Path: ”org.ejbca.core.model.ca.publisher.GeneralPurposeCustomPublisher”

Properties of Custom Publisher:

crl.application /path/to/syscheck/related-enabled/902_export_crl.sh
crl.failOnStandardError true
crl.failOnErrorCode true
cert.application /path/to/syscheck/related-enabled/900_export_cert.sh
cert.failOnStandardError true
cert.failOnErrorCode true
revoke.application /path/to/syscheck/related-enabled/901_export_revocation.sh
revoke.failOnStandardError true
revoke.failOnErrorCode true

With the failOn* properties set to true, a script that writes to standard error or exits with a non-zero code makes the publish operation fail, so a broken archive is reported instead of passing silently. The scripts run as the application server user, so that user needs write access to the archive directory and, for the remote copy, an SSH key for the archive server.

Use the publisher on CAs

Go to: EJBCA Adminweb → ”Edit Certificate Authorities”

Select the CA you want CRL archival for, then click Edit CA.

At ”CRL Publishers”: select ”Archival publisher”.

Do this for all CAs you want CRL archival for.

Use the publisher on certificate profiles

Go to: EJBCA Adminweb → ”Edit Certificate Profiles”

At ”Publishers”: select ”Archival publisher”.

Do this for all certificate profiles you want certificate archival for.
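To show what a cert.application hook has to do, here is an added example of a minimal certificate export script. It is not the syscheck 900_export_cert.sh from the svn tree above, and it assumes the calling convention that EJBCA writes the DER certificate to a temporary file and runs the application with that path as the only argument (check the documentation of your EJBCA version). ARCHIVE_DIR and ARCHIVE_REMOTE are names chosen for this example.

```shell
#!/bin/sh
# Added example, not the syscheck 900_export_cert.sh from the svn tree above.
# A minimal cert.application hook for GeneralPurposeCustomPublisher.
# Assumed calling convention: EJBCA writes the DER certificate to a temporary
# file and runs this script with that path as the only argument (check the
# documentation of your EJBCA version). ARCHIVE_DIR and ARCHIVE_REMOTE are
# names chosen for this example.
set -eu
umask 077                                   # archive files readable by the owner only

ARCHIVE_DIR=${ARCHIVE_DIR:-/var/lib/ejbca-archive}
ARCHIVE_REMOTE=${ARCHIVE_REMOTE:-}          # e.g. archive@backup.example.com:/srv/certs; empty = local only

# Print "<issuer_hash> <serial>" for a DER certificate (needs openssl).
# issuer_hash is openssl's 8 hex digit hash of the issuer name, serial is the
# upper-case hex openssl prints. Works whichever order openssl prints them in.
cert_ids() {
    openssl x509 -inform DER -in "$1" -noout -issuer_hash -serial |
        awk '/^serial=/ { sub(/^serial=/, ""); s = $0; next }
             /^[0-9a-f]+$/ { h = $0 }
             END { if (h == "" || s == "") exit 1; print h, s }'
}

# Store src as <archive>/<issuer_hash>/<serial>.der, written atomically (temp
# file plus rename). Storing the same certificate twice is fine; a different
# certificate under the same issuer and serial is refused, because serial
# reuse by a CA is exactly the kind of event an archive must not paper over.
store_cert() {
    dir="$1/$2"
    dst="$dir/$3.der"
    src=$4
    mkdir -p "$dir"
    if [ -e "$dst" ]; then
        if ! cmp -s "$src" "$dst"; then
            echo "refusing to overwrite $dst with different content" >&2
            return 1
        fi
    else
        tmp=$(mktemp "$dir/.tmp.XXXXXX")
        cp "$src" "$tmp"
        mv "$tmp" "$dst"
    fi
    printf '%s\n' "$dst"
}

# Mirror one archived file to the remote SSH server, keeping the
# <issuer_hash>/<serial>.der layout (rsync -R creates the directory).
# Use a dedicated key for this and restrict it on the server to rsync only.
push_remote() {
    [ -n "$ARCHIVE_REMOTE" ] || return 0
    rel=${1#"$ARCHIVE_DIR"/}
    (cd "$ARCHIVE_DIR" && rsync -aR "$rel" "$ARCHIVE_REMOTE/")
}

# Any failure exits non-zero; with cert.failOnErrorCode true EJBCA then
# treats the publish as failed instead of silently skipping the archive.
if [ $# -eq 1 ]; then
    src=$1
    ids=$(cert_ids "$src")
    set -- $ids                              # $1 = issuer hash, $2 = serial
    stored=$(store_cert "$ARCHIVE_DIR" "$1" "$2" "$src")
    push_remote "$stored"
fi
```

The atomic write and the refuse-to-overwrite check are the two properties worth keeping in any archive hook: a half-written .der after a crash must never look like a valid archived certificate, and two different certificates with the same issuer and serial must stop the publish rather than quietly replace each other.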