Certificate Authority Idea

Here’s a (challenging) idea for all the GNOME-lovers out there: a GUI for administering your own Certificate Authority. There are a few of these out there, pyCA, ElyCA, OpenCA, but quite frankly, they all suck. pyCA doesn’t have an interface to create a new server certificate, ElyCA has the nicest UI, but isn’t maintained anymore, and OpenCA is insanely complicated. Further, all of these are web-UIs for something that shouldn’t be done from a website. According to everything I’ve read, you should keep your CA on a non-networked machine, and manually copy things back/forth to your website with floppies or whatnot. So a web UI to admin a CA is just begging for people to put their CA admin stuff on a networked machine.

The basic idea is a little GTK+ app that runs on that non-networked machine, sets things up using a CA/Sub-CA framework (so you have a “Root” CA, and then some sub-CAs for client certs [web browsers, vpn, etc.], e-mail [S/MIME], servers [https, ldaps, etc.], and code [ActiveX, Java, etc.]), and can store both the CA and the certs on removable disks in a nice interface. OpenSSL stores it’s configs in the same ini-style format as .desktop, so glib provides the niceties needed to make both the openssl configuration and the exec’ing reasonably easy. The hard part is divining all this stuff well enough to actually do it (which is why a little GUI tool would rock).

Another important thing (which is missing from all the other CA UIs) is to have an initial setup wizard that prompts for things like “what URL will you publish this stuff from,” “what is your organization’s name” and such. Finally, it’d be really nice to have this be a “duh duh” obvious UI, where after the initial setup you can just browse existing certs, create new ones (using the sub-CAs), revoke old ones, and export the distrib/revocation lists to a directory that’s copyable to a website.

The use-case is a small organization/business that wants to provide a VPN, SSL-protected services, and S/MIME e-mail to their members/employees, without doing insecure stuff or having to spend a month figuring out the openssl command.

4 thoughts on “Certificate Authority Idea

  1. Just one comment regarding “something that shouldn’t be done from a website”:
    OpenCA is really complex – but architecturally-wise it is mostly correct IMHO. There is a part for standalone web-less machine (holding the base certificate) – and there are parts for web-enabled machines (not so security-sensitive operations)
    PS. There is also TinyCA – which I used for some while and it did the things I needed.

  2. I have been considering the same thing here recently. I am working on a tool (EDSRealmAssistant) to sanely auto-configure some standard services (kerberos, ldap, sasl, postfix, etc.) and as part of that, plan to build a very simple CA to SSL/TLS enable each of those services. At the moment, it’s only TUI but my plan is to make a simple GTK UI. I agree that PyCA is overly complex, my goal will be to make something that normal humans can use easily enough, even if it sacrifices a small bit of tinfoilhatlyness. I should really do some mockups…

  3. It sounds like what you need is TinyCA. Its perl/GTK+ based. The description from their homepage is “TinyCA is a simple graphical userinterface written in Perl/Gtk to manage a small CA (Certification Authority). TinyCA works as a frontend for openssl”.

  4. Hey James.

    Same problem. Trying to create a wide-scale VPN. TinyCA is lame I’m looking at OpenCA now . . .

    I’m about ready to code this thing myself. This sucks.

Comments are closed.