itnifl asked:

Certification Authority Systems on Linux

Are there any Certification Authority or PKI systems based on Linux out there?
I would prefer something that could be easily used with OpenVPN. I know an OpenVPN server comes with a CA, but I was thinking of something alternative. My problem is that I want the clients to create their key pairs on their own, with nobody having to distribute them in any way. I would of course also want the certificate of the client to be authorized by the CA, so that it can be used.

I am also looking for an automatic way to do all this. When creating the clients' key pairs, there are many questions asked. The answers should be put in a configuration file and automatically read, or something like that.

Arty K

Hi.

Try TinyCA (http://tinyca.sm-zone.net/). It requires some additional Perl modules to be installed (or even GTK libraries and some others), but once it is up and running your certificate issuing/signing effort will be minimal.

P.S. I'm using this GUI on CentOS 5.4, though it was not easy to get it running.

Regards,
Arty

itnifl (ASKER)

I guess I still have to manually distribute the certificates to the clients? I also have to have the clients' key pairs to create their certificates?

> I guess I still have to manually distribute the certificates to the clients?

Yes. There is no server in TinyCA.

> I also have to have the clients' key pairs to create their certificates?

I don't understand how clients' key pairs are related to certificates? Please clarify.

You may generate a new key pair and a new certificate request and sign it in TinyCA, then distribute it to the client.
Or you may take an existing client's public key, sign it and send it back to the client.

Anyway, there is no server, you are right. Only a GUI for a standalone CA.

ASKER CERTIFIED SOLUTION
Arty K

This solution is only available to members.

Here is another one, but it seems there is no server there.

http://xca.hohnstaedt.de/?page_id=11

itnifl (ASKER)

> I don't understand how clients' key pairs are related to certificates? Please clarify.
I think you clarified it. I had imprecise knowledge; the public key of the client should be enough.

I was looking for something that was more automatic. Something so that the generation and signing of keys and certificates would happen more automatically for the client.

itnifl (ASKER)

Yes, this looks pretty good (http://odyssipki.sourceforge.net/index.html), a full-fledged PKI would probably give me the service I could get I assume?

Yes, it seems to be pretty good, but its development had stopped in 2006 at revision 0.1.

Just try it; if it works well, stay there...

SOLUTION
This solution is only available to members.

itnifl (ASKER)

Thanks! Great! :)