Ken Robinson - Mon, 2016/09/05 - 04:14
I am in the market for an open source CA turnkey solution. I don't see anything published in the TKL. Anyone interested in a TKL CA? If so, what open source CA would be easy to use, easy to configure and automate with the TKL tool chain?
I know EJBCA (https://www.ejbca.org) needs JBOSS/WildFly (I did not see a JBOSS/WildFly in the TKL, I thought there was at one point); that is the one I have been looking at. Is there a reason that a JBOSS/WildFly does not exist other than someone making it work?
Another one I just glanced at was http://www.openxpki.org, looks like it forked from OpenCA.
I was about to suggest "Let's Encrypt"...
I am unaware of any others (actually I was unaware of that one too), although surely there should be?! Also you are correct that we do not have a JBOSS appliance. Also in my experience Java web apps are often resource intensive and a bit sluggish. But that doesn't necessarily rule it out, just wouldn't be my first preference...
A quick search of the Debian repos and it seems that there isn't a lot pre-packaged other than desktop type software. I did find a couple: pyca appears to be fairly bare bones, but it does say that it requires CGI so I assume that it has some sort of web UI? The other is pki-ca which appears to be a quite powerful and modular tool, although it too uses Java. I know nothing about it although it appears to be more the building blocks you might use, rather than a polished end product. Besides it only has packages for Debian Sid (unstable) so not a lot of help...
The only other ones that I found were OpenCA (appears to be abandonware) and Dogtag. From what I can gather Dogtag is actually built on top of the PKI packages that I noted above (in Debian Sid) but provides the UI around it. Unfortunately that appears to be aimed at Fedora rather than Debian so not really helpful at all... Oops, looks like I spoke too soon; it's also in Sid.
So digging a little deeper into the Dogtag on Debian thing, it appears that there are issues with the package, hence why it isn't in Stretch (testing). According to the package tracker it made it into Stretch but was removed relatively recently due to build issues (these bugs; here and here).
So short answer is I have no idea and am not much help! :p
My sights are on OpenXPKI
It seems to be easier than the other, as you have said. My goal is to have an offline CA for my root certs, then subCAs using OpenXPKI.
I have already started to build an offline CA. The folks of OpenXPKI have some offline CA scripts to create a LIVE deb CD (https://github.com/openxpki/clca). I have already started looking into that. They use a build script to create a LIVE CD, almost like what TKL does with the LIVE. Got me thinking that maybe I can do something like that with TKL, but I need to enable a persistence drive of some sort to keep the CAs on. The idea is you LIVE boot with the CD/thumb drive, with the USB key that has the persistence img file on it to keep the CA on.
Just a thought: as building the LIVE CD is not very TKL at the moment, it would not be hard at all creating one for TKL that just does what the current script does. Maybe that would be v1, and the v2 could have some nice menus for some things, and create a persistence drive for you.
Regards,
Ken
":0)
http://www.github.com/DocCyblade
Sounds cool
Playing around with TKL-Dev and OpenXPKI
Just thought I would share, I'll be posting some build scripts. I have played around with OpenXPKI and got it to work (sort of). I have set up a git repo (https://github.com/DocCyblade/tkl-openxpki) and will be pushing some stuff in the next week or so. :-)
Regards,
Ken
":0)
http://www.github.com/DocCyblade