CATool Frequently Asked Questions

  • 1. Do you accept patches for CATool
  • 2. When I try to download CATool I get rubbish in my browser
  • 3. Is there a mailing list archive?
  • 4. Can I use CATool certificates to encrypt email?
  • 5. When I try to run catool on RedHat EL, I get an error about "Can't do setuid"
  • 6. How do I update an existing CATool installation from version 1.2.x to 1.3?
  • 7. How do I import certificates generated by other systems into CATool?
  • 8. I have installed CATool on Fedora Core 3 (FC3) with SELinux and it doesn't work
  • 9. How do I tell CATool not to use sendmail to send notifications?
  • 10. I get X509 errors during the Install in CATool version 1.3.4 and earlier

    1. Do you accept patches for CATool

    Yes, we are always happy to receive and evaluate patches, fixes, enhancements and suggestions.

    We evaluate them and possibly include them in the base product according to the following criteria:

    1. General usefulness for a significant number of users
    2. Backwards compatibility
    3. Impact on performance
    4. Ease of understanding and configuration for administrators.

    Unfortunately, not all patches will meet these criteria, and so not all will be included in the base product. If we decide not to include a patch in the base product, we will often put it in the goodies directory of the distribution for use by others.

    2. When I try to download CATool I get rubbish in my browser

    Some versions of Netscape try to display the CATool distribution file instead of saving it to your disk. Try doing a shift-click on the file instead.

    Some people have reported problems when trying to download with Netscape Communicator, but report that Internet Explorer works.

    3. Is there a mailing list archive?

    Yes, here.

    4. Can I use CATool certificates to encrypt email?

    Yes. Here's how one of our correspondents did it:

    I created a certificate for "Demo User" with email address "demo@xyz.com".

    I generated a Demo_User-cert.pem and a Demo_User.p12 file.

    I imported the Demo_User.p12 into Outlook Express 6 on a system set up to be an email client for demo@xyz.com, and instructed Outlook Express to use this certificate for signing and encrypting email.

    Then I built up a small shell script on a Linux machine to construct an email message, feed it through openssl smime -encrypt, then into /usr/sbin/sendmail.

    The email was sent by the Linux machine, received encrypted by Outlook Express, successfully decrypted, and the original message content displayed.

    What I wanted this for: I have a number of websites which collect information from site visitors, including credit card information. We don't store that information on the web server, but do send the information encrypted to the web site owner. To date we've been using PGP to implement this, but it's messy to implement, and to explain to users.

    CATool permits the use of S/MIME for this, and it works really well.

    I expect the certificates would work just as well for sending email between users of S/MIME capable mail programs (Outlook, Outlook Express, Netscape, Mozilla).

    My very simple script for testing from Linux is below. It assumes the source email is in ml.txt.

    
    #!/bin/bash
    
    openssl smime -in ml.txt -encrypt  \
          -from someuser@somewhere.com -to demo@xyz.com \
          -subject "Signed and Encrypted message" -des3 Demo_User-cert.pem | \
          /usr/sbin/sendmail demo@xyz.com
    
    
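    The script above encrypts only, even though its subject line says "Signed and Encrypted". The following added example (not part of the FAQ or of CATool) signs the message with the sender's key before encrypting it to the recipient's certificate, then plays the recipient's role locally (decrypt, then verify) so the whole exchange can be checked without sendmail. It assumes only that openssl is installed; the key pair and certificate are generated as throwaways in place of a CATool-issued Demo_User-cert.pem / Demo_User.p12, and the message text is constructed.

```shell
#!/bin/sh
# Added example, not from the CATool FAQ: sign-then-encrypt with openssl smime
# and prove the recipient can decrypt and verify, without touching sendmail.
set -eu

smime_roundtrip() {
    work=$(mktemp -d)
    # Constructed sample message standing in for ml.txt
    printf 'Order 1234: card details follow\n' > "$work/ml.txt"

    # Throwaway RSA key + self-signed cert carrying the demo address. In the real
    # workflow this pair is what CATool issues (Demo_User-cert.pem + Demo_User.p12).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo User/emailAddress=demo@xyz.com" \
        -keyout "$work/demo.key" -out "$work/Demo_User-cert.pem" >/dev/null 2>&1

    # Sender side: sign so the recipient can check origin, then encrypt to the
    # recipient's public certificate (AES-256 here instead of the FAQ's -des3).
    openssl smime -sign -in "$work/ml.txt" -signer "$work/Demo_User-cert.pem" \
        -inkey "$work/demo.key" > "$work/signed.txt"
    openssl smime -encrypt -aes256 -in "$work/signed.txt" \
        -from someuser@somewhere.com -to demo@xyz.com \
        -subject "Signed and Encrypted message" \
        "$work/Demo_User-cert.pem" > "$work/encrypted.eml"

    # Recipient side (what Outlook Express does with the imported .p12): decrypt
    # with the private key, then verify the signature against the trusted cert.
    openssl smime -decrypt -in "$work/encrypted.eml" \
        -recip "$work/Demo_User-cert.pem" -inkey "$work/demo.key" > "$work/decrypted.txt"
    openssl smime -verify -in "$work/decrypted.txt" \
        -CAfile "$work/Demo_User-cert.pem" -out "$work/plain.txt" 2>/dev/null

    # The ciphertext must not contain the plaintext, and the plaintext must
    # survive the round trip.
    if grep -q 'card details' "$work/encrypted.eml"; then
        rm -rf "$work"; return 1
    fi
    grep -q 'card details' "$work/plain.txt"
    rm -rf "$work"
}
```

Piping the contents of encrypted.eml into /usr/sbin/sendmail demo@xyz.com, as in the script above, is all that remains to deliver it.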

    5. When I try to run catool on RedHat EL, I get an error about "Can't do setuid"

    Some versions of Linux are shipped without the suidperl support package, which allows catool to run as setuid.

    This will result in a browser error when you try to access the catool program, and an error in the web server log, something like this:

    Can't do setuid
    [Mon Oct  6 05:18:30 2003] [error] [client 210.49.153.39] 
     Premature end of script headers: /var/www/cgi-bin/catool
    

    You should install suidperl. RPM binaries of perl-suidperl are available.

    6. How do I update an existing CATool installation from version 1.2.x to 1.3?

    See the README-updates file in your distribution.

    7. How do I import certificates generated by other systems into CATool?

    Use the import tool in /usr/local/catool/bin/import_cert. For documentation, run
    perldoc /usr/local/catool/bin/import_cert
    

    8. I have installed CATool on Fedora Core 3 (FC3) with SELinux and it doesn't work

    The usual symptom of this is that when you attempt to access localhost/cgi-bin/catool, the web page results in an error, the httpd error log contains 'Can't do setegid' and 'Premature end of script headers: catool', and /var/log/messages gets a kernel audit error line: 'avc: denied: { setgid } for pid=nnnn exe=/usr/bin/sperl ......'

    This is caused by SELinux (Security Enhanced Linux), which is installed by default with FC3. You can fix this by disabling SELinux with Applications->System Settings->Security Level, SELinux, Enabled checkbox. Note that this turns SELinux off for every service on the host, not only for catool.
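    Before switching SELinux off, it is worth confirming that it really is the cause rather than the missing suidperl package from item 5, since both produce a "Premature end of script headers" error. The following added check (not part of the FAQ or of CATool) pairs httpd's "Can't do setegid" line with a matching avc denial for sperl in the audit log. The log paths are parameters, and the two log excerpts inside the demo function are constructed samples modelled on the symptom described above.

```shell
#!/bin/sh
# Added example, not from the CATool FAQ: confirm the SELinux diagnosis from
# item 8 by matching httpd's error against an avc denial for sperl.

# Print "pid exe permission" for every avc denial in the given log whose
# exe is the suidperl binary (/usr/bin/sperl... as in the FAQ's audit line).
avc_denials() {
    awk '/avc: +denied/ {
        perm = ""; pid = ""; exe = "";
        if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4);
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^pid=/) pid = substr($i, 5);
            if ($i ~ /^exe=/) exe = substr($i, 5);
        }
        if (exe ~ /sperl/) print pid, exe, perm;
    }' "$1"
}

# Return 0 only when httpd logged the setegid failure ($1) AND SELinux recorded
# a matching denial for sperl ($2); otherwise look elsewhere (e.g. item 5).
selinux_is_blocking_catool() {
    grep -q "Can't do setegid" "$1" || return 1
    [ -n "$(avc_denials "$2")" ]
}

# Demo on constructed log excerpts (not real logs) mirroring the FAQ symptom.
demo_selinux_check() {
    work=$(mktemp -d)
    cat > "$work/error_log" <<'EOF'
Can't do setegid
[Mon Nov 15 10:02:11 2004] [error] [client 127.0.0.1] Premature end of script headers: catool
EOF
    cat > "$work/messages" <<'EOF'
Nov 15 10:02:11 fc3 kernel: audit(1100512931.101:0): avc:  denied  { setgid } for  pid=4211 exe=/usr/bin/sperl5.8.5 capability=6 tclass=capability
EOF
    if selinux_is_blocking_catool "$work/error_log" "$work/messages"; then rc=0; else rc=1; fi
    rm -rf "$work"
    return $rc
}
```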

    9. How do I tell CATool not to use sendmail to send notifications?

    By default, CATool will try to use the sendmail mail agent program to send notification email to the CATool administrator and certificate requesters.

    Some hosts do not have sendmail available, and some (FreeBSD 3.5 etc) restrict the availability of sendmail to certain users and groups.

    You can configure CATool version 1.3.3 or later to use an alternate mail server to send email to directly, using Net::SMTP. Edit the CATool site configuration file (typically /usr/local/catool/etc/catool.cf) and add a line:

    mailserver: mail.server.host.name.com
    
    where mail.server.host.name.com is the name or address of a suitable SMTP mail server.

    10. I get X509 errors during the Install in CATool version 1.3.4 and earlier

    With OpenSSL 0.9.7e you may see this error during Install:
    
    Catool::X509::CertificateInfo: could not extract serial number 
     from cert listing at bin/load_ca_cert line 31
    
    
    This is due to changes in OpenSSL in 0.9.7e. Upgrade to OpenSSL 0.9.7g or later and CATool 1.3.5 or later. Ensure the path to the new openssl executable is in your PATH during the install.
