Here’s a (challenging) idea for all the GNOME-lovers out there: a GUI for administering your own Certificate Authority. There are a few of these out there (pyCA, ElyCA, OpenCA), but quite frankly, they all suck. pyCA doesn’t have an interface to create a new server certificate, ElyCA has the nicest UI but isn’t maintained anymore, and OpenCA is insanely complicated. Further, all of these are web UIs for something that shouldn’t be done from a website. According to everything I’ve read, you should keep your CA on a non-networked machine, and manually copy things back and forth to your website with floppies or whatnot. So a web UI to admin a CA is just begging for people to put their CA admin stuff on a networked machine.
The basic idea is a little GTK+ app that runs on that non-networked machine, sets things up using a CA/Sub-CA framework (so you have a “Root” CA, and then some sub-CAs for client certs [web browsers, VPN, etc.], e-mail [S/MIME], servers [https, ldaps, etc.], and code [ActiveX, Java, etc.]), and can store both the CA and the certs on removable disks in a nice interface. OpenSSL stores its configuration in the same ini-style format as .desktop files, so GLib provides the niceties needed to make both writing the OpenSSL configuration and exec’ing openssl reasonably easy. The hard part is divining all this stuff well enough to actually do it (which is why a little GUI tool would rock).
Another important thing (which is missing from all the other CA UIs) is to have an initial setup wizard that prompts for things like “what URL will you publish this stuff from,” “what is your organization’s name” and such. Finally, it’d be really nice to have this be a “duh duh” obvious UI, where after the initial setup you can just browse existing certs, create new ones (using the sub-CAs), revoke old ones, and export the certificate distribution/revocation lists to a directory that’s copyable to a website.
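What the tool would have to drive under the hood, as an added example that is not the post’s code or any of the tools it mentions: an offline root CA, a purpose-limited “servers” sub-CA, one issued server certificate, and the revoke-and-export step, all expressed in OpenSSL’s ini-style config and run through the openssl CLI. The organization, file names, subjects and directory are assumptions made up for the example.

```shell
#!/bin/sh
# Added example, not code from the post: root CA (the one key that stays offline) ->
# pathlen:0 "servers" sub-CA -> one server cert, all from OpenSSL's ini-style config;
# then a revocation and a CRL export. Names, paths and the organization are constructed.
set -eu; cd "${CA_DIR:-$(mktemp -d)}"; mkdir -p newcerts; : > index.txt; echo 1000 > serial
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ root_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ sub_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[ server_cert ]
basicConstraints = critical, CA:FALSE
extendedKeyUsage = serverAuth
[ ca ]
default_ca = servers_ca
[ servers_ca ]
database = index.txt
new_certs_dir = newcerts
serial = serial
private_key = sub.key
certificate = sub.crt
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_cn
[ policy_cn ]
commonName = supplied
EOF
openssl req -x509 -config ca.cnf -extensions root_ca -newkey rsa:2048 -nodes \
  -keyout root.key -out root.crt -days 3650 -subj "/O=Example Org/CN=Example Root CA"
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -keyout sub.key -out sub.csr \
  -subj "/O=Example Org/CN=Example Servers CA"
openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial -days 1825 \
  -extfile ca.cnf -extensions sub_ca -out sub.crt   # pathlen:0: it cannot mint further CAs
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -keyout www.key -out www.csr \
  -subj "/CN=www.example.org"
openssl ca -batch -notext -config ca.cnf -extensions server_cert -in www.csr -out www.crt
openssl ca -config ca.cnf -revoke www.crt            # marked revoked in index.txt
openssl ca -config ca.cnf -gencrl -out servers.crl   # the CRL to copy to the web host
revocation_status() {  # "revoked" when the chain validates but the CRL rejects www.crt
  openssl verify -CAfile root.crt -untrusted sub.crt www.crt >/dev/null 2>&1 || { echo broken; return 0; }
  openssl verify -crl_check -CAfile root.crt -untrusted sub.crt -CRLfile servers.crl \
    www.crt >/dev/null 2>&1 && echo valid || echo revoked
}
revocation_status
```

Everything lives in one throwaway directory, so the whole run can be copied to removable media or discarded; the root key never has to leave that directory.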
The use-case is a small organization/business that wants to provide a VPN, SSL-protected services, and S/MIME e-mail to their members/employees, without doing insecure stuff or having to spend a month figuring out the openssl command.