What Certificate Authority Software is Available? [closed]

7

12

I am running a number of SSL-encrypted websites, and need to generate certificates to run on these. They are all internal applications, so I don't need to purchase a certificate, I can create my own.

I have found it quite tedious to do everything using openssl all the time, and figure this is the kind of thing that has probably been done before and software exists for it.

My preference is for linux-based systems, and I would prefer a command-line system rather than a GUI.

Does anyone have some suggestions?

Turki answered 20/8, 2008 at 11:36 Comment(0)
A
8

An option that doesn't require your own CA is to get certificates from CAcert (they're free).

I find it convenient to add the two CAcert root certificates to my client machines, then I can manage all the SSL certificates through CAcert.

Acescent answered 20/8, 2008 at 15:34 Comment(1)
+1 to CACert. I have used them in the past, and found the service simple to use, and very effective. The self-certification route is also possible, but I found the difference between CACert and the learning curve required to set up a CA to be too great. - Rochelle
M
6

It's likely that self-signing will give you what you need; here is a page (link resurrected by web.archive.org) that provides a decent guide to self-signing if you would like to know the ins and outs of how it's done and how to create your own script.

The original script link from this response is unfortunately dead and I was unable to find an archive of it, but there are many alternatives for pre-rolled shell scripts out there.

If you're looking for something to support fairly full-featured self-signing, then this guide for 802.1x authentication from tldp.org recommends using the helper scripts for self-signing from FreeRADIUS. Or, if you just need quick-and-dirty, then Ron Bieber offers up his "brain-dead script" for self-signing on his blog at bieberlabs.com.

Of course there are many alternative scripts out there but this seems to give a good range of choices, and with a little additional info from the guide you should be able to tailor these to do whatever you need.

It's also worth checking the SSL Certificates HOWTO. It's quite old now (last updated 2002) but its content is still relevant: it explains how to use the CA Perl / Bash script provided with OpenSSL software.

Mcchesney answered 20/8, 2008 at 11:37 Comment(4)
Maybe this answer should be unaccepted, now that the links no longer resolve. - Amatol
Good idea. I will have a look through the other answers and see if any of them should be the new accepted answer. - Turki
I updated the dead link to the guide with an internet archive link and since I was unable to find paan's original website I have found a couple of other alternatives and put them in (as WebCites, except to the download page of FreeRADIUS, so they won't go dead); in the process I modified the answer quite a bit since it was short and since a chunk was no longer relevant. Hope this is helpful to someone. - Caught
Nice work, @shelleybutterfly. I found those links to be useful so I upvoted this answer. Since this is now a Community Wiki, I also added a link to the SSL Certificates HOWTO. - Juanjuana
R
6

I know you said you prefer the command line, but for others who are interested in this, TinyCA is a very easy to use GUI CA software. I have used this both in Linux, and also in OSX.

Ruination answered 7/9, 2008 at 16:3 Comment(1)
Yeah, I like TinyCA, but found the need to run in a GUI limiting as I sometimes only have shell access to some machines. - Turki
S
5

The XCA software appears reasonably well maintained (copyright 2012, uses Qt4), with a well-documented and simple enough user interface and has packages on debian, ubuntu and fedora.

Don't judge the website at first sight: http://xca.sourceforge.net/

Rather, check this nice walkthrough to add a new CA: http://xca.sourceforge.net/xca-14.html#ss14.1

You can see a screenshot of the application there: http://sourceforge.net/projects/xca/

It is GUI-based though, not command-line.

Starfish answered 26/4, 2013 at 8:1 Comment(1)
XCA is really nice if you need a quick and simple GUI-based CA. There is a lot to learn about certificates just through playing with XCA. - Arc
F
2

There's a simple webpage solution: https://www.ibm.com/developerworks/mydeveloperworks/blogs/soma/entry/a_pki_in_a_web_page10

Fortuitous answered 13/9, 2009 at 1:9 Comment(1)
This link does not work. But here's another web-based solution: mCertAuth methodica.ch Note: It is not freeware, and I am the author. But, we could discuss a special discount for stackoverflow members. - Bezel
C
2

I like to use the easy-rsa scripts provided with OpenVPN. This is a collection of command line tools used to create the PKI environment required for OpenVPN. But with a slight change of the (also provided) openssl.cnf file you can create pretty much anything you want with it. I use that for self-signing SSL server certificates as well as with Bacula backup and for creating private keys/CSRs for "real" certificates. Just download the OpenVPN community edition source tarball and copy the easy-rsa folder to your Linux machine. You'll find lots of documentation on the OpenVPN community pages.

I used to use CAcert, it's also nice, but you have to create the CSR yourself, so you have to use openssl again and the certs are only valid for half a year. This is annoying.

Currin answered 13/2, 2012 at 10:15 Comment(0)
D
1

I created a wrapper script, written in Bash, for OpenSSL that might be useful to you here. To me, the easiest sources of user error when using OpenSSL were:

  1. Keeping a consistent and logical naming scheme for configuration/certs/keys so that I can see how every artifact fits into the entire PKI by just looking at the file name/extension
  2. Enforcing a folder structure that's consistent across all CA machines that use the script.
  3. Specifying too many configuration options via CLI and losing track of some of the details

The strategy is to push all configuration into their own files, saving only execution of a particular action for the CLI. The script also strongly enforces the use of a particular naming scheme for folders/files here which is helpful when looking at any single file.

Use/Fork/PR away! Hope it helps.

Deterrence answered 22/1, 2015 at 17:58 Comment(0)
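
The file-driven approach described in the answer above (one configuration file per certificate, a fixed folder layout, predictable file names), as an added example that is not the answer author's script or the easy-rsa code. The `ca/`, `certs/`, `conf/` layout, the `*.key.pem` / `*.csr.pem` / `*.cert.pem` naming and the `ca_*` function names are assumptions made here; it needs only the `openssl` CLI.

```shell
# Added example (not the answer's script); layout and file names are assumptions.
set -eu
umask 077   # private keys and CA material are created owner-only

# ca_init DIR: create the folder layout, the CA config file, CA key and root cert.
ca_init() {
  local d="$1"
  mkdir -p "$d/ca" "$d/certs" "$d/conf"
  cat > "$d/conf/root.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Example Internal Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$d/conf/root.cnf" \
    -keyout "$d/ca/root.key.pem" -out "$d/ca/root.cert.pem" 2>/dev/null
}
# ca_issue DIR HOST: write conf/HOST.cnf, then create key, CSR and signed cert.
ca_issue() {
  local d="$1" h="$2"
  cat > "$d/conf/$h.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = $h
[v3_server]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$h
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$d/conf/$h.cnf" \
    -keyout "$d/certs/$h.key.pem" -out "$d/certs/$h.csr.pem" 2>/dev/null
  openssl x509 -req -in "$d/certs/$h.csr.pem" -sha256 -days 365 \
    -CA "$d/ca/root.cert.pem" -CAkey "$d/ca/root.key.pem" -CAcreateserial \
    -extfile "$d/conf/$h.cnf" -extensions v3_server \
    -out "$d/certs/$h.cert.pem" 2>/dev/null
}
# ca_check DIR HOST: verify the chain to the root and that the SAN covers HOST.
ca_check() {
  openssl verify -CAfile "$1/ca/root.cert.pem" -verify_hostname "$2" \
    "$1/certs/$2.cert.pem" >/dev/null 2>&1
}
```

Only `ca/root.cert.pem` is distributed to client trust stores; `ca/root.key.pem` stays on the CA machine.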
