pyCA - Software for running a certificate authority

pyCA is a collection of scripts and CGI-BIN programs written in Python for setting up and maintaining a certification authority.

Table of Contents

Abstract
Requirements
Download
Documentation
Demo
Roadmap
Related work

Abstract

Cryptographic techniques promise secure use of Internet services: authentication of clients and servers, and authorized access to sensitive data. During the last two years it has turned out that X.509 certificates, SSL and S/MIME are the relevant, widely adopted cryptographic standards for securing Internet services such as WWW and mail.

However, these standards require setting up a working X.509-based PKI (public key infrastructure). Although there is quite a lot of documentation and some example software for setting up a primitive PKI with its own certificate authority using the free package OpenSSL, this task does not seem to be easy for most people. There is a lot of discussion on various mailing lists, e.g. about how to generate self-signed CA certificates, how to generate certificate requests with the well-known WWW browsers, and how to provide client certificates and certificate revocation lists for download.
Additionally, as soon as the certification business of an organization gets only a little bit more serious, one has to take care of critical security issues.

pyCA tries to make it easier for people to set up and run an organizational certificate authority which fulfils the need for fairly secure certification processing. The package also tries to reduce administrative tasks and users' frustration by providing a comfortable web interface for users contacting the certificate authority.

The following tasks will be provided by this package:

See the roadmap for a detailed list of what is still to be done.

Requirements

For running these scripts you need:

For running the CGI-BIN programs you need:

For using LDAP as a certificates repository you need:

Download

© by Michael Ströder, michael.stroeder@inka.de

This software, including all modules, is Open Source and distributed under the GPL (GNU General Public License) Version 2. The author disclaims any warranty of any kind.

The files (see list) are provided as a gzipped tar ball:

Documentation

Some rudimentary documentation is available now:

Installing

Demo

Roadmap

Topic | Status
Clean up the code and remove all special features to make it usable in a more common way. | released (0.4.1)
Consistent use of the openssl.cnf throughout the whole package. | released (0.4.1)
Make the certificate enrollment process more comfortable for users, e.g. check parameters against openssl.cnf and give more detailed feedback about input errors. | released (0.4.2)
Show clickable structure of openssl.cnf for downloading CA certificates and CRLs. | released (0.4.2)
Documentation of configuration parameters | released (0.4.3)
Script for generating CA certificate hierarchies and initial CRLs | released (0.4.5)
Speed up certificate loading by handling DER certificates | released (0.4.5)
Documentation of all configuration parameters | released (0.5.0)
Script ca-cycle-pub.py for cyclic CA tasks on the public server | mostly done and released (0.5.0)
Update cnf parsing to reflect the recent changes made in OpenSSL (complete rewrite). | released (0.5.1)
Script ca-cycle-priv.py for daily/hourly CA tasks on the system holding the private keys | to do
English help texts. | to do
Enrollment script server-enroll.py for server certificate requests. | to do
Speed up access to bigger certificate databases by using the GDBM package for holding a copy of the certificate database | to do
PKIX compliance (e.g. keyUsage etc.) | to do
Flexible logging support for CGI-BINs | to do
Improve LDAP support. | to do
Support for Microsoft Internet Explorer (ugly work) | to do
Documentation of the certification process | to do
Script ns-renewal.py for certificate renewal requests | to do
Script ns-revoke.py for certificate revocation requests | to do
Instant certificate issuing (what some CAs call "Class 0") without admin interaction | to do
Support for anonymized certificates for better privacy | to do
Signing stored data and e-mails if possible (depends on further S/MIME support in OpenSSL) | to do
Better localizing, multiple languages. | to do
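As an added illustration of the openssl.cnf handling the roadmap refers to (consistent use of openssl.cnf throughout the package, checking enrollment parameters against it, the cnf-parsing rewrite), here is a small parser for the OpenSSL configuration format written for this page; it is not pyCA's own code, and the sample configuration and its paths are constructed.

```python
import os
import re

# Constructed sample (not pyCA's own openssl.cnf): default section, $name / ${name}
# references, ${section::name} cross references, and [ ca ] -> default_ca indirection.
SAMPLE_CNF = """
HOME = /var/lib/pyca          # constructed path
[ ca ]
default_ca = pyca_ca
[ pyca_ca ]
dir          = $HOME/ca
certs        = $dir/certs
crl_dir      = ${dir}/crl
[ req ]
default_keyfile = ${pyca_ca::dir}/private/cakey.pem
"""
# Matches $name, ${name}, $sect::name and ${sect::name}: group 1 = section, 2 = name.
_REF = re.compile(r"\$\{?(?:([A-Za-z0-9_]+)::)?([A-Za-z0-9_]+)\}?")

def _expand(value, section, cfg):
    """Substitute references like OpenSSL's CONF loader: plain $name is looked up in
    the current section, then the default section; ENV::name reads the environment."""
    def lookup(m):
        sect, name = m.groups()
        if sect == "ENV":
            return os.environ[name]
        scope = cfg[sect] if sect else {**cfg["default"], **cfg[section]}
        if name not in scope:   # OpenSSL rejects undefined names; do the same
            raise ValueError(f"undefined variable {name!r} in [{section}]")
        return scope[name]
    return _REF.sub(lookup, value)

def parse_openssl_cnf(text):
    """Return {section: {key: expanded value}}; keys before the first header land
    in 'default'. Not handled: backslash continuation, '#' inside quoted values."""
    cfg, section = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[] ")
            cfg.setdefault(section, {})
            continue
        key, _, value = line.partition("=")
        cfg[section][key.strip()] = _expand(value.strip().strip("\"'"), section, cfg)
    return cfg

def ca_section(cfg):
    """Follow [ca] default_ca as `openssl ca` does and return the CA's own section."""
    return cfg[cfg["ca"]["default_ca"]]
```

Because values are expanded at parse time in definition order, a script can check a request's parameters against the resolved section (for example the certs and crl_dir paths) without re-implementing OpenSSL's variable rules elsewhere.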

Related work