Re: Looking for a simple SSL-CA package
----- Original Message -----
From: "Tarjei Huse" <firstname.lastname@example.org>
To: "Noah L. Meyerhans" <email@example.com>;
Sent: Sunday, August 24, 2003 1:51 PM
Subject: Re: Looking for a simple SSL-CA package
> I think I'll end up with pyca (www.pyca.org) as it seems to have most of
> these features in place. The other possibilities are openca which is
> IMHO to complicated for my needs and tinyca (that many on this list
> suggested) that doesn't (please correct me if I'm wrong) give me the
> finished scripts for importing certs in outlook, IE, Mozilla and other
> If there are other alternatives out there, please let me know. Again, I
> thank you for your contributions.
Apologies if I am repeating someone else's points, I haven't followed the
thread in depth.
It sounds kind of kooky, but we have operated a CA for about 2 years, having
about 400 users, using just openssl and a few hand turned scripts and a
dynamic webpage. User info is maintained in MySQL, though we let openssl
maintain the CA history in text files.
The CA doesn't do any of the Outlook, IE, Mozilla etc importing - those
programs do that, you just have to know what sort of certs to generate, and
how to trigger the import processing on the client.
We use a webpage and several variants of the XEnroll object for IE v
5.01-6.0 where IE generates the keypairs, and creates a CSR which gets
posted to the webserver. We then sign the request and create a
x-pkcs7-certificates [.p7b file] which is returned to the webserver for the
user to download (they hit the Refresh button on the request page).
There are some busted Office XP upgrade paths, for which we have to generate
the keypair on our server in a PKCS12 format [.pfx file] - which we then
make available to the user via the webpage.
NS/Mozilla is easy - as per IE, we get the client to generate a CSR which
gets posted to our webserver. We sign the certificate, x-x509-user-cert
[.cct file] and copy it back to the webserver for the user to install. The
only bugbear is that Mozilla succeeds silently, so you can't easily throw up
a warning if the import failed for some reason [failure is rare].
Outlook will recognise your CA as an authority for secure pop and imap
connections, if you import your self-signed CA cert in IE - just get your
users to download your CA cert x-x509-ca-cert [.crt file] from a website,
and click on Install Cert.