pyCA - Software for running a certificate authority

Page last modified:

pyCA is a collection of scripts and CGI-BIN programs written in Python for setting up and maintaining a certification authority.

Abstract
Requirements
Download
Documentation
Demo
Roadmap
Related work

Abstract

The usage of cryptographic techniques promises secure usage of Internet services concerning authentication of clients and servers and authorized access to sensitive data. During the last two years it turned out that X.509 certificates, SSL and S/MIME are the relevant, widely adopted cryptographic standards for securing various Internet services like WWW, Mail, etc.

However these standards require setting up a working X.509-based PKI (pulic key infrastructure). Although there is a quite lot of documentation and some example software for setting up a primitive PKI with an own certificate authority with the free package OpenSSL it seems that this task is not easy for most people. There is a lot of discussion on various mailing-lists, e.g. how to generate self-signed CA certificates, generate certificate requests with the famous WWW browsers and how to provide client certificates / certificate revocation lists for download, etc.
Additionally if the certification business of an organization gets only a little bit more serious one has to take care about critical security issues.

pyCA tries to make it easier for people to set up and run a organizational certificate authority which fulfills the need for a fairly secure certification processing. The package also tries to reduce administrative tasks and user's frustration by providing a comfortable web interface to users contacting the certificate authority.

The following tasks will be provided by this package:

Generate CA certificate hierarchy and initials CRLs
Generate certificate requests with widely used web browsers
Search tool for client certificates in the OpenSSL certificate database
Download of client certificates / certificate revocation lists with appropriate MIME types
Storing all certificate data in LDAP repositories
Scripts for the handling of the certification process on a non-networked system holding the CA's private key(s)
Fairly easy configuration based on the OpenSSL configuration file (most times called openssl.cnf).

See the roadmap for a detailed list of what is still to be done.

Requirements

For running these scripts you need:

A Unix-like operating system (e.g. Linux, I would like to hear reports of pyCA running on other systems).
OpenSSL 0.9.3a+
Python 1.5.2+
If you have difficulties convincing your server admin to install Python you might want to have a look at mxCGIPython - One-file easy-to-install Python interpreter.

For running the CGI-BIN programs you need:

Web server with CGI-BIN support, e.g. Apache or preferrably a web server with SSL support like ApacheSSL or Apache with mod_ssl.
The web browser has to be aware of <TABLE>-tags for presentation of the dialogues and the <KEYGEN>-tag for the asymmetric key generation (e.g. Netscape Navigator, Opera).

For using LDAP as a certificates repository you need:

The UMich ldap server or Open LDAP (recommended)
ldapmodule for Python

Download

This software including all modules is Open Source and given away under the GPL (GNU GENERAL PUBLIC LICENSE) Version 2. The author refuses to give any warranty of any kind.

The files (see list) are provided as gzipped tar ball:

pyca-0.5.3.tar.gz

Documentation

Some rudimental documentation is available now:

Installing

Install all required software.
Put the Python programs under cgi-bin/ anywhere in the CGI-BIN directory of your web server.
Put the Python modules under pylib/ anywhere in your Python path or adjust the list variable pylib in pycacnf.py.
You have to set up a reasonable OpenSSL configuration file openssl.cnf (see documentation, see example) and adjust variable cnf_filename in pycacnf.py.
You might want to create a CA hierarchy with ca-make.py.
call the CGI-BIN program ca-index to show some of the relevant data in your OpenSSL configuration file.

Demo

ca-index.py shows CA index of the example configuration file. You can download CA certificates and CRLs of my TestCA and call the application form for generating certificate requests.
Please make backup copies of your certificate database and key files (e.g. cert7.db and key3.db in your Netscape's profile directory) before playing around with the CA certificates and CRLs.
To all hacker wanna-be's: There are no private keys on this server!
browser-check.py trys to show the cryptographic capabilities of your web browser.

Roadmap

Topic	Status
Clean up the code and remove all special features to make it usable in a more common way.	released (0.4.1)
Consequent use of the openssl.cnf throughout the whole package.	released (0.4.1)
Make certificate enrollment process more comfortable to users, e.g. check parameters against openssl.cnf and give more detailed feedback about input errors.	released (0.4.2)
Show clickable structure of openssl.cnf for downloading CA certificates and CRLs.	released (0.4.2)
Documentation of configuration parameters	released (0.4.3)
Script for generating of CA certificate hierarchies and initial CRLs	released (0.4.5)
Speed up certificate loading by handling DER certificates	released (0.4.5)
Documentation of all configuration parameters	released (0.5.0)
Scripts ca-cycle-pub.py for cyclic CA tasks on the public server	most done and released (0.5.0)
Update cnf-parsing to reflect the recent changes which were made in OpenSSL (complete rewrite).	released (0.5.1)
Scripts ca-cycle-priv.py for daily/hourly CA tasks on the system holding the private keys	to do
English help texts.	to do
Enrollment script server-enroll.py for server certificate requests.	to do
Speed up access to bigger certificate databases by using the GDBM package for holding a copy of the certificate database	to do
PKIX compliance (e.g. keyUsage etc.)	to do
Flexible logging support for CGI-BINs	to do
Improve LDAP support.	to do
Support for Microsoft Internet Explorer (ugly work)	to do
Documentation of the certification process	to do
Script ns-renewal.py for certificate renewal requests	to do
Script ns-revoke.py for certificate revocation requests	to do
Instant certificate issueing (what some CAs call "Class 0") without admin interaction	to do
Support for anonymized certificates for better privacy	to do
Signing stored data and e-mails if possible (depends on further S/MIME support in OpenSSL)	to do
Better localizing, multiple languages.	to do

Related work

This work was started during my diploma thesis which might be helpful for german readers to understand the architecture and goals of pyCA.
If you're eager using LDAP as certificate repository you might also consider using ldap-client-cgi/ for accessing your LDAP data via WWW.