1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
|
[
{ type: install
message: <<EOM
- Universal server building block (OpenXPKI) for arbitrary PKI: installed.
- i18n tools for UI: installed.
- Enable utf8 locale (e.g. en_US.utf8) for the translation staff to operate
(translation is needed even for English language).
- Using database
= Install your favorite database (enable utf8 support), e.g.
databases/postgresql15-server
and perl interface for it, e.g. databases/p5-DBD-Pg
= Examples, demos and tutorials of OpenXPKI traditionally use MariaDB
database. But its use with OpenXPKI on FreeBSD is a bit tricky:
- Install e.g. databases/mariadb106-server
- Add value mysql to file /etc/make.conf like this:
DEFAULT_VERSIONS+= mysql=10.6m
- cd /usr/ports/databases/p5-DBD-mysql && make reinstall
Note that installing of databases/p5-DBD-MariaDB here may hinder
operation of your OpeXPKI setup.
- Install your favorite web server.
Copy FastCGI scripts from %%EXAMPLESDIR%%/cgi-bin to the location
where your web server can use them. Set executable permissions for them.
Copy htdocs files from %%EXAMPLESDIR%%/htdocs to the location
where your web server can use them.
You can see some samples in %%EXAMPLESDIR%%/config/apache.
- If you want your server to act just as the simplest CA,
then the basic deployment procedure is all you need:
copy sample configuration for this case with
cp -pR %%EXAMPLESDIR%%/config/* %%PREFIX%%/etc/openxpki/
and follow advice at:
https://openxpki.readthedocs.org/en/latest/quickstart.html
Without this deployment procedure OpenXPKI server would not start.
- If you want more complex role for your server inside the PKI infrastructure,
then perform further deployment procedure for your server atop
the basic deployment.
- Oversimplified example scripts and configs are provided herewith for
illustration only, and not for production use. All features of OpenXPI in
production should be acquired by setting up an appropriate server with
needed deployment procedure.
- This port has created user:group as openxpki:openxpki, which owns
the OpenXPKI server.
- After first fresh installation, create empty log files as follows
(assuming your web server is owned by user www):
install -m 660 -o openxpki -g openxpki /dev/null /var/log/openxpki/openxpki.log
install -m 660 -o www -g www /dev/null /var/log/openxpki/webui.log
install -m 660 -o www -g www /dev/null /var/log/openxpki/scep.log
install -m 660 -o www -g www /dev/null /var/log/openxpki/soap.log
- It is essential that www and openpki are two different users in your system.
- Start daemons in this order:
1) database server,
2) OpenXPKI server (%%PREFIX%%/etc/rc.d/openxpki start),
3) web server.
- Docs installed (if you opted so) into %%DOCSDIR%%
- Mind FreeBSD specific file structure:
%%PREFIX%%/etc/openxpki: server configuration, logs configuration.
/var/openxpki: pid file, socket file, ...
/var/openxpki/session: session files.
/var/log/openxpki: server log files.
/var/tmp: temporary directory.
- Use of openssl/libressl
= This package comes (from FreeBSD build cluster) bound with
openssl from base system, cf: /usr/ports/Mk/Uses/ssl.mk
If you want to use openssl or libressl from ports instead, then:
1) add the name of respective port
(openssl, openssl30, openssl31, libressl, libressl-devel...)
to /etc/make.conf file e.g. like this:
DEFAULT_VERSIONS+= ssl=openssl31
2) install security/openssl31
3) cd /usr/ports/security/p5-openxpki && make reinstall
you do not need to rebuild dependencies, installed from packages.
= Using versions OpenSSL 1.0 or less can restrict features of the OpenXPI.
= OpenXPKI builds just fine with any available versions of OpenSSL or
LibreSSL. But its operation with LibreSSL, or with OpenSSL 3+ has not
been fully tested. Report your respective story to the list
https://sourceforge.net/p/openxpki/mailman/
or use OpenSSL 1.1.1 instead.
EOM
}
{ type: upgrade
message: <<EOM
If you update existing installation, please check if extra handwork
is needed in your case:
http://openxpki.readthedocs.io/en/latest/upgrading.html
https://sourceforge.net/p/openxpki/mailman/message/37607700/
EOM
}
]
|