Certificate authority

Ken Robinson wrote:

I am in the market for an open source CA turnkey solution. I don't see anything published in the TKL. Anyone interested in a TKL CA? If so, what open source CA would be easy to use, easy to configure and automate with the TKL tool chain?

I know EJBCA (https://www.ejbca.org) needs JBOSS/WildFly (I did not see a JBOSS/WildFly in the TKL, I thought there was one at one point); that is the one I have been looking at. Is there a reason that a JBOSS/WildFly appliance does not exist, other than someone having to make it work?

Another one I just glanced at was http://www.openxpki.org; it looks like it was forked from OpenCA.


Jeremy Davis wrote:

But then I realised I had missed your point and you are not talking about the certs themselves, but a fully independent CA! The subject should have been the giveaway! Doh! :)

I am unaware of any others (actually I was unaware of that one too), although surely there should be some?! Also, you are correct that we do not have a JBOSS appliance. In my experience Java web apps are often resource intensive and a bit sluggish. That doesn't necessarily rule it out, it just wouldn't be my first preference...

A quick search of the Debian repos suggests that there isn't a lot pre-packaged other than desktop type software. I did find a couple: pyca appears to be fairly bare bones, but it does say that it requires CGI, so I assume that it has some sort of web UI? The other is pki-ca, which appears to be a quite powerful and modular tool, although it too uses Java. I know nothing about it, although it appears to be more the building blocks you might use, rather than a polished end product. Besides, it only has packages for Debian Sid (unstable), so not a lot of help...

The only other ones that I found were OpenCA (appears to be abandonware) and Dogtag. From what I can gather, Dogtag is actually built on top of the PKI packages that I noted above (in Debian Sid) but provides the UI around them. Unfortunately that appears to be aimed at Fedora rather than Debian, so not really helpful at all... Oops, looks like I spoke too soon; it's also in Sid.

So, digging a little deeper into the Dogtag on Debian thing, it appears that there are issues with the package, which is why it isn't in Stretch (testing). According to the package tracker it made it into Stretch but was removed relatively recently due to build issues (these bugs; here and here).

So the short answer is I have no idea and am not much help! :p

Ken Robinson wrote:

It seems to be easier to use the other, as you have said. My goal is to have an offline CA for my root certs, then subCAs using OpenXPKI.

I have already started to build an offline CA. The folks at OpenXPKI have some offline CA scripts to create a LIVE deb CD (https://github.com/openxpki/clca); I have already started looking into that. They use a build script to create a LIVE CD, almost like what TKL does with the LIVE. That got me thinking that maybe I can do something like that with TKL, but I need to enable a persistence drive of some sort to keep the CAs on. The idea is you LIVE boot with the CD/thumb drive, with a USB key that has the persistence img file on it to keep the CA on.

Just a thought: as building the LIVE CD is not very TKL at the moment, it would not be hard at all to create one for TKL that just does what the current script does. Maybe that would be v1, and v2 could have some nice menus for some things and create a persistence drive for you.

Regards,

Ken
":0)

http://www.github.com/DocCyblade

Jeremy Davis wrote:

Also, as an aside, apparently OpenSSL itself can act as a CA, although I'm not too sure how good it is or what's involved...

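Ken's plan above (an offline root that only certifies subordinate CAs, with the subCAs doing the day-to-day issuing) and Jeremy's aside about OpenSSL acting as a CA can both be tried out with nothing but openssl(1). The script below is an added example written for this thread; it is not code from OpenXPKI, clca or TurnKey. It builds a root CA, has the root certify one issuing CA with pathlen:0, issues a server certificate from the issuing CA, and then checks that the issuing CA cannot in turn mint a usable CA of its own. The directory, subject names, lifetimes and key sizes are placeholders chosen for the demo, and it assumes OpenSSL 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Two-tier PKI with openssl(1) only: an offline root CA certifies one
# subordinate (issuing) CA, which certifies end-entity certificates.
# Added example for this thread, not code from OpenXPKI, clca or TurnKey.
# Assumes openssl 1.1.1+ on PATH; DIR and subject names are placeholders.
set -eu

write_config() {   # self-contained openssl.cnf so the host default is not used
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_root]
basicConstraints       = critical, CA:TRUE, pathlen:1
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
[v3_sub]
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer
[v3_leaf]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid, issuer
subjectAltName         = DNS:www.example.test
EOF
}

# build_pki DIR: root -> issuing CA -> leaf under DIR. Returns 0 iff the leaf
# verifies against the root with the issuing CA as an untrusted intermediate.
build_pki() {
  d=$1; cfg=$d/ca.cnf
  mkdir -p "$d" && chmod 700 "$d"
  write_config "$cfg"

  # 1. Root key + self-signed cert. This key lives only on the offline box.
  openssl req -x509 -config "$cfg" -extensions v3_root -newkey rsa:3072 -nodes \
    -sha256 -days 3650 -subj "/CN=Example Offline Root CA" \
    -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  chmod 600 "$d/root.key"

  # 2. Issuing CA: CSR made on the online host, carried to the offline root,
  #    signed there with v3_sub (CA:TRUE, pathlen:0), and carried back.
  openssl req -new -config "$cfg" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Example Issuing CA" -keyout "$d/sub.key" -out "$d/sub.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 1825 -in "$d/sub.csr" -CA "$d/root.crt" \
    -CAkey "$d/root.key" -CAcreateserial -extfile "$cfg" -extensions v3_sub \
    -out "$d/sub.crt" 2>/dev/null

  # 3. Server cert issued by the issuing CA; the root key is not touched again.
  openssl req -new -config "$cfg" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=www.example.test" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 397 -in "$d/leaf.csr" -CA "$d/sub.crt" \
    -CAkey "$d/sub.key" -CAcreateserial -extfile "$cfg" -extensions v3_leaf \
    -out "$d/leaf.crt" 2>/dev/null

  # Only the root is trusted; the issuing CA is supplied as an untrusted intermediate.
  openssl verify -CAfile "$d/root.crt" -untrusted "$d/sub.crt" "$d/leaf.crt" >/dev/null
}

# rogue_subca_is_rejected DIR: the issuing CA's key will happily sign a further
# CA certificate, but pathlen:0 makes any chain through it fail validation.
# Returns 0 iff a leaf under such a rogue CA is rejected.
rogue_subca_is_rejected() {
  d=$1; cfg=$d/ca.cnf
  openssl req -new -config "$cfg" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Rogue CA" -keyout "$d/rogue.key" -out "$d/rogue.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in "$d/rogue.csr" -CA "$d/sub.crt" \
    -CAkey "$d/sub.key" -CAcreateserial -extfile "$cfg" -extensions v3_sub \
    -out "$d/rogue.crt" 2>/dev/null
  openssl req -new -config "$cfg" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=deep.example.test" -keyout "$d/deep.key" -out "$d/deep.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in "$d/deep.csr" -CA "$d/rogue.crt" \
    -CAkey "$d/rogue.key" -CAcreateserial -extfile "$cfg" -extensions v3_leaf \
    -out "$d/deep.crt" 2>/dev/null
  cat "$d/sub.crt" "$d/rogue.crt" > "$d/chain.pem"
  if openssl verify -CAfile "$d/root.crt" -untrusted "$d/chain.pem" "$d/deep.crt" >/dev/null 2>&1; then
    return 1   # would mean the path length constraints were not enforced
  fi
  return 0
}

# Stand-alone run: sh offline-ca.sh ./pki-demo
if [ $# -gt 0 ]; then
  build_pki "$1" && rogue_subca_is_rejected "$1" && echo "ok: $1"
fi
```

In a real deployment, step 1 and the signing half of step 2 happen on the offline machine (the clca live CD in Ken's plan), only root.crt, sub.csr and sub.crt cross the air gap, and root.key never leaves it. The last function is the check worth keeping around: signing a CA certificate with the issuing CA's key succeeds, because a private key will sign anything, so what actually limits the damage from a compromised issuing CA is that relying parties enforce the root's pathlen:1 and the issuing CA's pathlen:0 during chain validation.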
Ken Robinson wrote:

Just thought I would share: I'll be posting some build scripts. I have played around with OpenXPKI and got it to work (sort of). I have set up a git repo (https://github.com/DocCyblade/tkl-openxpki) and will be pushing some stuff in the next week or so. :-)

Regards,

Ken
":0)

http://www.github.com/DocCyblade

Daniel C wrote:

I just wanted to follow up to see if you would be willing to post your scripts! Thank you.
