James B. Byrne
2008-Jun-24 17:08 UTC
[CentOS] Suggestions for a plug and play CA certificate manager?
I have played with self-signed end-use PKI certificates for about a decade
now and would really like to set up a proper, albeit private, PKI using
some sort of OFS CA management software. I have looked at OpenCA and found
a few packages on sourceforge but they all seem to fall short of my
desires in one form or another (rpm install, multiple subordinate CAs,
certificate revocation and extension management, web-based or
linux/microsoft GUI) . I have even tried to use the scripts that come
with OpenSSL with very limited success.
What I would like to do is to set up a self-signed root CA certificate,
then use that to issue one or more signing CA's, each possibly limited as
to what type of certificate that they can sign. These issuing CAs would
then sign certificate requests for end-use certificates for hosts, email
accounts, document provenance, objects, etc.
| -- root_CA
|
| -- issuer_hosts_a_CA
| | -- certs
| | | -- cert_issued_index
| | ` -- cert_revoked_list
| | -- csrs
| ` -- private
| ` -- issuer_hosts_a_CA+key.pem
|
| -- issuer_services_a_CA
| | -- certs
| | | -- cert_issued_index
| | ` -- cert_revoked_list
| | -- csrs
| ` -- private
| ` -- issuer_services_a_CA+key.pem
|
` -- issuer_email_a_CA
| -- certs
| | -- cert_issued_index
| ` -- cert_revoked_list
| -- csrs
` -- private
` -- issuer_email_a_CA+key.pem
What software do people use to manage a PKI on CentOS5?
Regards,
--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
Patrick
2008-Jun-24 19:27 UTC
[CentOS] Suggestions for a plug and play CA certificate manager?
On Tue, 2008-06-24 at 13:08 -0400, James B. Byrne wrote:> I have played with self-signed end-use PKI certificates for about a decade > now and would really like to set up a proper, albeit private, PKI using > some sort of OFS CA management software.Have you looked at the Open Source'd Red Hat Certificate Manager? http://pki.fedoraproject.org/wiki/PKI_Main_Page Regards, Patrick
Robert Moskowitz
2008-Jun-24 22:50 UTC
[CentOS] Suggestions for a plug and play CA certificate manager?
James B. Byrne wrote:> I have played with self-signed end-use PKI certificates for about a decade > now and would really like to set up a proper, albeit private, PKI using > some sort of OFS CA management software. I have looked at OpenCA and found > a few packages on sourceforge but they all seem to fall short of my > desires in one form or another (rpm install, multiple subordinate CAs, > certificate revocation and extension management, web-based or > linux/microsoft GUI) . I have even tried to use the scripts that come > with OpenSSL with very limited success. > > What I would like to do is to set up a self-signed root CA certificate, > then use that to issue one or more signing CA's, each possibly limited as > to what type of certificate that they can sign. These issuing CAs would > then sign certificate requests for end-use certificates for hosts, email > accounts, document provenance, objects, etc.Perhaps more than what you want, but Spyrus just released their PocketCA(tm). A complete CA on a USB dongle. I know a lot of people at Spyrus and they are among the best you will find in the PKI arena. So it is worth a look. Otherwise, try TinyCA2. It will do what you want too.
Reasonably Related Threads
- [LLVMdev] Fwd: can i avoid saving CSRs for functions with noreturn
- Less aggressive on the first allocation of CSR if detecting an early exit
- Less aggressive on the first allocation of CSR if detecting an early exit
- Less aggressive on the first allocation of CSR if detecting an early exit
- Less aggressive on the first allocation of CSR if detecting an early exit