Creating a custom Public Key Infrastructure (PKI) with OpenSSL

How to create a custom PKI Infrastructure with root ca and intermediate ca with openssl.

Directory structure that holds root ca and intermediate ca PKI files.

mkdir -p ~/ca-tomdus/{certs,crl,newcerts,private}
chmod 700 ~/ca-tomdus/private
touch ~/ca-tomdus/db/index
openssl rand -hex 16 > ~/ca-tomdus/serial

mkdir -p ~/ca-tomdus/intermediate/{certs,crl,newcerts,private}
chmod 700 ~/ca-tomdus/intermediate/private
touch ~/ca-tomdus/intermediate/db/index
openssl rand -hex 16 > ~/ca-tomdus/intermediate/serial

Define ca-tomdus.conf openssl configuration file.

name = tomdus-root-ca
domain_suffix = tomdus.lab
aia_url = http://$name.$domain_suffix/$name.crt
crl_url = http://$name.$domain_suffix/$name.crl
default_ca = ca_default
name_opt = utf8,esc_ctrl,multiline,lname,align

countryName = "DE"
organizationName = "tomdus"
commonName = Common Name (FQDN or YOUR name)
commonName_max = 64

home = ~/ca-tomdus/intermediate
certs = $home/certs
database = $home/db/index
serial = $home/db/serial
crlnumber = $home/db/crlnumber
certificate = $home/$name.crt
private_key = $home/private/$name.key
RANDFILE = $home/private/random
new_certs_dir = $home/certs
unique_subject = no
copy_extensions = copy
default_days = 3650
default_crl_days = 365
default_md = sha256
policy = policy_c_o_match

countryName = match
stateOrProvinceName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

default_bits = 4096
encrypt_key = no
default_md = sha256
utf8 = yes
string_mask = utf8only
prompt = no
distinguished_name = ca_dn

basicConstraints = critical,CA:true
authorityKeyIdentifier = keyid:always,issuer
keyUsage = critical,keyCertSign,cRLSign,digitalSignature
subjectKeyIdentifier = hash

authorityInfoAccess = @issuer_info
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:true,pathlen:0
crlDistributionPoints = @crl_info
extendedKeyUsage = clientAuth,serverAuth
keyUsage = critical,keyCertSign,cRLSign,digitalSignature
nameConstraints = @name_constraints
subjectKeyIdentifier = hash

URI.0 = $crl_url

caIssuers;URI.0 = $aia_url


authorityInfoAccess = @issuer_info
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
crlDistributionPoints = @crl_info
extendedKeyUsage = clientAuth,serverAuth
keyUsage = critical,digitalSignature,keyEncipherment
subjectKeyIdentifier = hash

Generate root CA key and certificate

Change in ca-tomdus.conf  from ~/ca-tomdus/intermediate to ~/ca-tomdus and copy_extensions = copy to copy_extensions = none

openssl genpkey -algorithm RSA -out ~/ca-tomdus/private/tomdus-root-ca.key -aes256
chmod 400 ~/ca-tomdus/private/tomdus-root-ca.key
openssl req -config ~/ca-tomdus/ca-tomdus.conf -key ~/ca-tomdus/private/tomdus-root-ca.key -new -x509 -days 3650 -sha256 -extensions root_ca_ext -out ~/ca-tomdus/certs/tomdus-root-ca.crt
Generate intermediate CA key and certificate
openssl genpkey -algorithm RSA -out ~/ca-tomdus/intermediate/private/tomdus-ca.key -aes256
chmod 400 ~/ca-tomdus/intermediate/private/tomdus-ca.key

Generate CSR

openssl req -config ~/ca-tomdus/ca-tomdus.conf -new -key ~/ca-tomdus/intermediate/private/tomdus-ca.key -out ~/ca-tomdus/intermediate/csr/tomdus-ca.csr

Sign CSR with root CA

openssl ca -config ~/ca-tomdus/ca-tomdus.conf -extensions sub_ca_ext -days 3650 -md sha256 -in ~/ca-tomdus/intermediate/csr/tomdus-ca.csr -out ~/ca-tomdus/intermediate/certs/tomdus-ca.crt

Sample Code:

Create custom SELinux Policy

Problem: The apche httpd cannot connect to tomcat running on port 8009 with AJP protocol.


curl localhost returns 503

curl localhost
<title>503 Service Unavailable</title>
<h1>Service Unavailable</h1>
<p>The server is temporarily unable to service your
request due to maintenance downtime or capacity
problems. Please try again later.</p>

There is Permission denied: AH00957 in apache httpd (ssl)_error_log

sudo cat /var/log/httpd/error_log
[Wed Feb 15 16:24:38.140421 2023] [proxy:error] [pid 10679:tid 10824] (13)Permission denied: AH00957: AJP: attempt to connect to ( failed[Wed Feb 15 16:24:38.140455 2023] [proxy:error] [pid 10679:tid 10824] AH00959: ap_proxy_connect_backend disabling worker for ( for 60s[Wed Feb 15 16:24:38.140458 2023] [proxy_ajp:error] [pid 10679:tid 10824] [client] AH00896: failed to make connection to backend:

Remedy (1)

sudo setsebool -P httpd_can_network_connect 1

Remedy (2)

Create custom SELinux policy, let generate type enforcement file

sudo grep http /var/log/audit/audit.log | grep denied | audit2allow -m httplocalconf > httplocalconf.te

Edit generated type enforcement httplocalconf.te file

module httplocalconf 1.0;

require {
        type httpd_t;
        type http_port_t;
        class tcp_socket name_connect;
        class file read;

#============= httpd_t ==============

#!!!! This avc can be allowed using one of the these booleans:
#     httpd_can_network_connect, httpd_graceful_shutdown, httpd_can_network_relay, nis_enabled
allow httpd_t http_port_t:tcp_socket name_connect;

Convert it to policy module

checkmodule -M -m -o httplocalconf.mod httplocalconf.te

Compile new  policy

semodule_package -o httplocalconf.pp -m httplocalconf.mod

Install new policy

sudo semodule -i httplocalconf.pp


How to create its own custom SELinux policy module wisely

How to read and correct SELinux denial messages

Chapter 5. Troubleshooting problems related to SELinux

Install / Setup Active Directory

Ziel ist die Installation zum Testzwecken von MS Active Directory in einer virtual box

Setup Windows Server 2022

Download ISO from

Install Windows Active Directory

  1. Server Manager > Manage > Add Roles and Features
  2. Opens the Add Roles and Features Wizard
  3. Wähle Role-based or feature-based installation
  4. Wähle Select a server from the server pool
  5. Wähle Active Directory Domain Services aus Roles
  6. Bestätige Add Features
  7. Bestätige Select Features
  8. Bestätige Active Directory Somain Services
  9. Übersicht Confirmation installation sections

Promote Server to Domain Controller

  1. Klick Promote this Server to Domain Controller
  2. Enter new Root domain name (e.g. winlab.tomdus.lab)
  3. Setzte Directory Service Restore Mode Password
  4. Ignore DNS Options
  5. Bestätige NetBIOS Domain Name (Immer in Großbuchstaben)
  6. Installations Pfade
  7. Review Options
  8. Prerequisites Checks – Klick Install

Install IPA Server and replicas (cluster)

IPA Server can be installed standalone or as master – master cluster

Create Master – Master cluster (simple option)

  1. Install and create stand alone IPA Server (@ipa1)
  2. Install client on IPA Client (@ipa3)
  3. Promote ipa client on @ipa3 to server a master
  4. Install ca certificates on ipa3

1. Install and create standalone IPA Sever

For simplicty all password are 123456798; dns forwarder (acces to internet)

sudo dnf module enable idm:DL1/server -y
sudo dnf module enable idm:DL1/dns -y
sudo dnf distro-sync
sudo dnf module install idm:DL1/server -y
sudo dnf module install idm:DL1/dns -y
sudo dnf install ipa-server -y
sudo dnf install ipa-server-dns -y
sudo ipa-server-install --domain=ipa.tomdus.lab --realm=IPA.TOMDUS.LAB --ds-password=123456798 --admin-password=123456798 --mkhomedir --ssh-trust-dns --idstart=100000 --no-ntp --setup-dns --forwarder= --auto-reverse --allow-zone-overlap


sudo firewall-cmd --add-service={http,https,ldap,ldaps,kerberos,kpasswd,dns} --permanent
sudo firewall-cmd --reload

2. Install IPA client

In order to install ipa client it is sufficient to enable only idl:DL1/client module, thus as this server will be promoted to IPA Replica muss enable idl:DL1/server and idl:DL1/dns (required by DNS Server)
[tomas@ipa3 ~]$ sudo dnf module list idm:DL1
Last metadata expiration check: 0:00:17 ago on Wed 08 Jun 2022 01:45:55 PM CEST.
CentOS Stream 8 - AppStream
Name Stream Profiles Summary
idm DL1 adtrust, client, common [d], dns, server The Red Hat Enterprise Linux Identity Management system module
Hint: [d]efault, [e]nabled, [x]disabled, [i]nstalled

sudo dnf module enable idm:DL1/server -y
sudo dnf module enable idm:DL1/dns -y
sudo dnf distro-sync -y

sudo dnf module install idm:DL1/server -y
sudo dnf module install idm:DL1/dns -y

Verify network connection on ipa3

[tomas@ipa3 ~]$ ping  (IP Address of IPA1)[tomas@ipa3 ~]$ cat /etc/resolv.conf 
# Generated by NetworkManager
search ipa.tomdus.lab
[tomas@ipa3 ~]$ dig ipa1.ipa.tomdus.lab
; <<>> DiG 9.11.36-RedHat-9.11.36-3.el8 <<>> ipa1.ipa.tomdus.lab
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10689
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available

; EDNS: version: 0, flags:; udp: 1232
; COOKIE: b6dd4e79f5137f6a795623dc62a096d3ae0ca70d1d10c863 (good)
;ipa1.ipa.tomdus.lab. IN A

ipa1.ipa.tomdus.lab. 1200 IN A

ipa.tomdus.lab. 86400 IN NS ipa1.ipa.tomdus.lab.

;; Query time: 1 msec
;; WHEN: Wed Jun 08 14:32:17 CEST 2022
;; MSG SIZE rcvd: 141

Install client

[tomas@ipa3 ~]$ sudo dnf install ipa-server -y[tomas@ipa3 ~]$ sudo ipa-client-install --mkhomedir --domain=ipa.tomdus.lab --realm IPA.TOMDUS.LAB --principal admin --password 123456798 --no-ntp
This program will set up IPA client.
Version 4.9.8

Discovery was successful!
Client hostname: ipa3.ipa.tomdus.lab
DNS Domain: ipa.tomdus.lab
IPA Server: ipa1.ipa.tomdus.lab
BaseDN: dc=ipa,dc=tomdus,dc=lab

Continue to configure the system with these values? [no]: yes
Skipping chrony configuration
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=IPA.TOMDUS.LAB
Issuer: CN=Certificate Authority,O=IPA.TOMDUS.LAB
Valid From: 2022-06-02 06:40:56
Valid Until: 2042-06-02 06:40:56

Enrolled in IPA realm IPA.TOMDUS.LAB
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm IPA.TOMDUS.LAB
Systemwide CA database updated.
Hostname (ipa3.ipa.tomdus.lab) does not have A/AAAA record.
Missing reverse record(s) for address(es):
Adding SSH public key from /etc/ssh/
Adding SSH public key from /etc/ssh/
Adding SSH public key from /etc/ssh/
SSSD enabled
Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring ipa.tomdus.lab as NIS domain.
Client configuration complete.
The ipa-client-install command was successful

Client has been succesfully registered and visible inside IPA server

3. Promote client ipa3 to replica

In order to promote client as a replica the client muss be assigned to host group ipaservers

Check DNS entries for ipa3

[tomas@ipa3 ~]$ dig +short ipa3.ipa.tomdus.lab[tomas@ipa3 ~]$ host -r
Host not found: 3(NXDOMAIN)

Common problem that can be solved inside DNS

Check – OK

[tomas@ipa3 ~]$ dig +short ipa3.ipa.tomdus.lab[tomas@ipa3 ~]$ host -r domain name pointer ipa3.ipa.tomdus.lab.

Promote client to replica

[tomas@ipa3 ~]$ sudo ipa-replica-install --admin-password=123456798 --mkhomedir --ssh-trust-dns --setup-dns --forwarder= --auto-reverse --allow-zone-overlap
Lookup failed: Preferred host ipa3.ipa.tomdus.lab does not provide DNS.
Checking DNS forwarders, please wait ...
Reverse record for IP address already exists OK as we corrected is manually above
Run connection check to master
Connection check OK
Disabled p11-kit-proxy
Configuring directory server (dirsrv). Estimated time: 30 seconds[1/38]: creating directory server instance
Validate installation settings ...
Create file system structures ...
Perform SELinux labeling ...
Create database backend: dc=ipa,dc=tomdus,dc=lab ...
Perform post-installation tasks ...[2/38]: tune ldbm plugin[3/38]: adding default schema[4/38]: enabling memberof plugin[5/38]: enabling winsync plugin[6/38]: configure password logging[7/38]: configuring replication version plugin[8/38]: enabling IPA enrollment plugin[9/38]: configuring uniqueness plugin[10/38]: configuring uuid plugin[11/38]: configuring modrdn plugin[12/38]: configuring DNS plugin[13/38]: enabling entryUSN plugin[14/38]: configuring lockout plugin[15/38]: configuring topology plugin[16/38]: creating indices[17/38]: enabling referential integrity plugin[18/38]: configuring certmap.conf[19/38]: configure new location for managed entries[20/38]: configure dirsrv ccache and keytab[21/38]: enabling SASL mapping fallback[22/38]: restarting directory server[23/38]: creating DS keytab[24/38]: ignore time skew for initial replication[25/38]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 4 seconds elapsed
Update succeeded
[26/38]: prevent time skew after initial replication[27/38]: adding sasl mappings to the directory[28/38]: updating schema[29/38]: setting Auto Member configuration[30/38]: enabling S4U2Proxy delegation[31/38]: initializing group membership[32/38]: adding master entry[33/38]: initializing domain level[34/38]: configuring Posix uid/gid generation[35/38]: adding replication acis[36/38]: activating sidgen plugin[37/38]: activating extdom plugin[38/38]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Replica DNS records could not be added on master: Insufficient access: Insufficient 'add' privilege to add the entry 'idnsname=ipa3,idnsname=ipa.tomdus.lab.,cn=dns,dc=ipa,dc=tomdus,dc=lab'.
Configuring Kerberos KDC (krb5kdc)[1/5]: configuring KDC[2/5]: adding the password extension to the directory[3/5]: creating anonymous principal[4/5]: starting the KDC[5/5]: configuring KDC to start on boot
Done configuring Kerberos KDC (krb5kdc).
Configuring kadmin[1/2]: starting kadmin [2/2]: configuring kadmin to start on boot
Done configuring kadmin.
Configuring directory server (dirsrv)[1/3]: configuring TLS for DS instance[2/3]: importing CA certificates from LDAP[3/3]: restarting directory server
Done configuring directory server (dirsrv).
Configuring the web interface (httpd)[1/22]: stopping httpd[2/22]: backing up ssl.conf[3/22]: disabling nss.conf[4/22]: configuring mod_ssl certificate paths[5/22]: setting mod_ssl protocol list[6/22]: configuring mod_ssl log directory[7/22]: disabling mod_ssl OCSP[8/22]: adding URL rewriting rules[9/22]: configuring httpd
Nothing to do for configure_httpd_wsgi_conf[10/22]: setting up httpd keytab[11/22]: configuring Gssproxy[12/22]: setting up ssl[13/22]: configure certmonger for renewals[14/22]: publish CA cert[15/22]: clean up any existing httpd ccaches[16/22]: enable ccache sweep[17/22]: configuring SELinux for httpd[18/22]: create KDC proxy config[19/22]: enable KDC proxy[20/22]: starting httpd[21/22]: configuring httpd to start on boot[22/22]: enabling oddjobd
Done configuring the web interface (httpd).
Configuring ipa-otpd[1/2]: starting ipa-otpd [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Custodia uses 'ipa1.ipa.tomdus.lab' as master peer.
Configuring ipa-custodia[1/4]: Generating ipa-custodia config file[2/4]: Generating ipa-custodia keys[3/4]: starting ipa-custodia [4/4]: configuring ipa-custodia to start on boot
Done configuring ipa-custodia.
Configuring certificate server (pki-tomcatd)[1/2]: configure certmonger for renewals[2/2]: Importing RA key
Done configuring certificate server (pki-tomcatd).
Configuring Kerberos KDC (krb5kdc)[1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds[1/10]: stopping directory server[2/10]: saving configuration[3/10]: disabling listeners[4/10]: enabling DS global lock[5/10]: disabling Schema Compat[6/10]: starting directory server[7/10]: upgrading server[8/10]: stopping directory server[9/10]: restoring configuration[10/10]: starting directory server
Finalize replication settings
Restarting the KDC
dnssec-validation yes
Configuring DNS (named)[1/8]: generating rndc key file[2/8]: setting up our own record[3/8]: adding NS record to the zones[4/8]: setting up kerberos principal[5/8]: setting up named.conf
created new /etc/named.conf
created named user config '/etc/named/ipa-ext.conf'
created named user config '/etc/named/ipa-options-ext.conf'
created named user config '/etc/named/ipa-logging-ext.conf'[6/8]: setting up server configuration[7/8]: configuring named to start on boot[8/8]: changing resolv.conf to point to ourselves
Done configuring DNS (named).
Restarting the web server to pick up resolv.conf changes
Configuring DNS key synchronization service (ipa-dnskeysyncd)[1/7]: checking status[2/7]: setting up bind-dyndb-ldap working directory[3/7]: setting up kerberos principal[4/7]: setting up SoftHSM[5/7]: adding DNSSEC containers
DNSSEC container exists (step skipped)[6/7]: creating replica keys[7/7]: configuring ipa-dnskeysyncd to start on boot
Done configuring DNS key synchronization service (ipa-dnskeysyncd).
Restarting ipa-dnskeysyncd
Restarting named
Updating DNS system records

Global DNS configuration in LDAP server is not empty
The following configuration options override local settings in named.conf:

API Version number was not sent, forward compatibility not guaranteed. Assuming server's API version, 2.245
Forward policy: first
IPA DNS servers: ipa1.ipa.tomdus.lab, ipa2.ipa.tomdus.lab

Configuring SID generation[1/7]: creating samba domain object
Samba domain object already exists[2/7]: adding admin(group) SIDs
Admin SID already set, nothing to do
Admin group SID already set, nothing to do[3/7]: adding RID bases
RID bases already set, nothing to do[4/7]: updating Kerberos config
'dns_lookup_kdc' already set to 'true', nothing to do.[5/7]: activating sidgen task[6/7]: restarting Directory Server to take MS PAC and LDAP plugins changes into account[7/7]: adding fallback group
Fallback group already set, nothing to do

WARNING: The CA service is only installed on one server (ipa1.ipa.tomdus.lab).
It is strongly recommended to install it on another server.
Run ipa-ca-install(1) on another master to accomplish this.

The ipa-replica-install command was successful

Enable firewall

sudo firewall-cmd --add-service={http,https,ldap,ldaps,kerberos,kpasswd,dns} --permanent
sudo firewall-cmd --reload

4. Install ca certificates on ipa3

[tomas@ipa3 ~]$ sudo ipa-ca-install
Directory Manager (existing master) password:

Run connection check to master
Connection check OK
Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes[1/28]: creating certificate server db[2/28]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 5 seconds elapsed
Update succeeded
[3/28]: creating ACIs for admin
...[26/28]: importing IPA certificate profiles[27/28]: configuring certmonger renewal for lightweight CAs[28/28]: deploying ACME service
Done configuring certificate server (pki-tomcatd).
Updating DNS system records

VirtualBox and two separates NATs

Aim is to create two networks (10.0.2.x and 10.0.3.x) in VirtualBox and be enable ip routing between them. At first there is no default routing (AFAIK) implemented in VirtualBox for such a scenario, thus the creation of a separate router is required.

There are two separates networks 10.0.2.x and 10.0.3.x defined in VirtualBox

Further more we need for such an example 3 virtual machines:
• router with two networks (10.0.2.x and 10.0.3.x)
• ipa2 network
• ipa3 network
Both ipa2 and ipa3 have virbr0 for internet connection (i.e. package updates)

Network on “router”

[tomas@router ~]$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 08:00:27:a7:20:28 brd ff:ff:ff:ff:ff:ff
inet brd scope global noprefixroute enp0s3
valid_lft forever preferred_lft forever
3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 08:00:27:ea:77:c4 brd ff:ff:ff:ff:ff:ff
inet brd scope global noprefixroute enp0s8
valid_lft forever preferred_lft forever
[tomas@router ~]$ ip r
default via dev enp0s8 proto static metric 101 dev enp0s3 proto kernel scope link src metric 100 dev enp0s8 proto kernel scope link src metric 101

Enable ipv4 forwarding in kernel

[tomas@router ~]$ sudo sysctl net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1[tomas@router ~]$ sudo sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

Network Connection on ipa2 (ipa3 is similar)

[tomas@ipa2 ~]$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 08:00:27:e5:0e:7b brd ff:ff:ff:ff:ff:ff
inet brd scope global noprefixroute enp0s3
valid_lft forever preferred_lft forever
3: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
link/ether 52:54:00:e1:ad:57 brd ff:ff:ff:ff:ff:ff
inet brd scope global virbr0
valid_lft forever preferred_lft forever

Additional routing for 10.0.3.x network:

[tomas@ipa2 ~]$ sudo nmcli connection modify enp0s3 +ipv4.routes ""[tomas@ipa2 ~]$ sudo nmcli connection down enp0s3 [tomas@ipa2 ~]$ sudo nmcli connection up enp0s3 
[tomas@ipa2 ~]$ ip r
default via dev enp0s3 proto static metric 100 dev enp0s3 proto kernel scope link src metric 100 via dev enp0s3 proto static metric 100 dev virbr0 proto kernel scope link src linkdown


[tomas@ipa2 ~]$ ping
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=63 time=1.94 ms
[tomas@ipa3 ~]$ ping
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=63 time=0.899 ms

Create Toolchain with ptxdist

This is a small introduction to create a toolchain with ptxdist (Version ptxdist-2019.08.0.tar.bz2)


sudo apt install libncurses5-dev python-dev

mkdir ptxdist
cd ptxdist
tar -xjf ptxdist-2019.08.0.tar.bz2
cd ptxdist-2019.08.0
./configure --prefix /home/tomas/ptxdist/install
make install
cd /home/tomas/ptxdist/install/bin/
./ptxdist setup

Create your own toolchain

sudo apt install python3-dev
cd /home/tomas/ptxdist
tar -xjf OSELAS.Toolchain-2018.12.0.tar.bz2
cd OSELAS.Toolchain-2018.12.0/
/home/tomas/ptxdist/install/bin/ptxdist-2019.08.0 select ptxconfigs/i686-atom-linux-gnu_gcc-8.2.1_glibc-2.28_binutils-2.31.1_kernel-4.19-sanitized.ptxconfig
/home/tomas/ptxdist/install/bin/ptxdist-2019.08.0 migrate
/home/tomas/ptxdist/install/bin/ptxdist-2019.08.0 go

change in selected_ptxconfig from PTXCONF_PREFIX=“/opt“ to PTXCONF_PREFIX=“/home/tomas/ptxdist/toolchain“

How To Setup and Orange PI One

This is a small introduction to setup orange pi one

Format and prepare SD Card

Prepare 32GB SD Card, thus Orange Pi One can boot from up to 32GB SD Card. I am using SDCard Formatter,

Install Linux image on SD Card

Download image, e.g Debian Buster based version from

Use e.g. Etcher to flash linux image to SD Card:

First time boot

Insert an SD Card into Orange Pi One and connect power supply