pyCA is a collection of scripts and CGI-BIN programs written in Python for setting up and maintaining a certification authority.
However these standards require setting up a working X.509-based PKI (public key infrastructure). Although there is quite a lot of documentation and some example software for setting up a primitive PKI with your own certificate authority using the free package OpenSSL, it seems that this task is not easy for most people. There is a lot of discussion on various mailing lists, e.g. how to generate self-signed CA certificates, how to generate certificate requests with the popular WWW browsers, and how to provide client certificates and certificate revocation lists for download. Additionally, as soon as the certification business of an organization gets only a little bit more serious, one has to take care of critical security issues.
pyCA tries to make it easier for people to set up and run an organizational certificate authority which fulfills the need for fairly secure certificate processing. The package also tries to reduce administrative tasks and users' frustration by providing a comfortable web interface for users contacting the certificate authority.
The following tasks will be provided by this package:
This software, including all modules, is Open Source and released under the GPL (GNU General Public License) Version 2. The author refuses to give any warranty of any kind.
The files (see list) are provided as a gzipped tar ball:
| Topic | Status |
|---|---|
| Clean up the code and remove all special features to make it usable in a more common way. | released (0.4.1) |
| Consistent use of the openssl.cnf throughout the whole package. | released (0.4.1) |
| Make the certificate enrollment process more comfortable for users, e.g. check parameters against openssl.cnf and give more detailed feedback about input errors. | released (0.4.2) |
| Show clickable structure of openssl.cnf for downloading CA certificates and CRLs. | released (0.4.2) |
| Documentation of configuration parameters | released (0.4.3) |
| Script for generating CA certificate hierarchies and initial CRLs | released (0.4.5) |
| Speed up certificate loading by handling DER certificates | released (0.4.5) |
| Documentation of all configuration parameters | released (0.5.0) |
| Script ca-cycle-pub.py for cyclic CA tasks on the public server | mostly done and released (0.5.0) |
| Update cnf parsing to reflect the recent changes made in OpenSSL (complete rewrite). | released (0.5.1) |
| Script ca-cycle-priv.py for daily/hourly CA tasks on the system holding the private keys | to do |
| English help texts. | to do |
| Enrollment script server-enroll.py for server certificate requests. | to do |
| Speed up access to bigger certificate databases by using the GDBM package for holding a copy of the certificate database | to do |
| PKIX compliance (e.g. keyUsage etc.) | to do |
| Flexible logging support for CGI-BINs | to do |
| Improve LDAP support. | to do |
| Support for Microsoft Internet Explorer (ugly work) | to do |
| Documentation of the certification process | to do |
| Script ns-renewal.py for certificate renewal requests | to do |
| Script ns-revoke.py for certificate revocation requests | to do |
| Instant certificate issuing (what some CAs call "Class 0") without admin interaction | to do |
| Support for anonymized certificates for better privacy | to do |
| Signing stored data and e-mails if possible (depends on further S/MIME support in OpenSSL) | to do |
| Better localization, multiple languages. | to do |