Hi, there are two open source CA systems I am aware of, although I haven't tried them out.
I think they can be a good starting point instead of doing everything from scratch :-)

http://pki.fedoraproject.org/wiki/PKI_Main_Page
http://openca.org/projects.shtml

marco

PS: Adding a Subject line helps...

On Jul 25, 2012, at 19:49 , Ted Byers wrote:

> Hi All
>
> I just subscribed to this list.
>
> I have some familiarity with openssl having used it to generate self
> signed keys for testing secured web applications (on Apache 2.2),
> prior to deployment, at which time my colleagues would buy a server
> certificate from one of the usual CAs, such as GoDaddy.
>
> Now, I am looking to do something a little different.
>
> First, I set up several Linux virtual machines using Oracle's
> VirtualBox (nice product BTW), and installed Suse on some and Ubuntu
> on others. On all, I made sure that openssl was installed and up to
> date (at least as far as the repositories for Suse and Ubuntu are
> concerned). I then went exploring, and in /etc/ssl/ I found a
> configuration file for openssl. I tried reading it, but the comments
> relied heavily on jargon that most of you take for granted. But since
> I am just beginning to study this, it might as well have been in
> Swahili for all the good it did me; and the available documentation is
> a bit too terse for me to be able to use it to fill in the gaps.
>
> I am hoping that one of you kind souls would direct me to a few good
> web resources on which all your jargon is explained/defined, ideally
> in standard English.
>
> I am also hoping that in describing what I want to do, one or more of
> you would point me to good documentation on how to get it done.
>
> Note, although I am a programmer (using C++, Perl and Javascript -
> mostly Perl and C++), I am content to use openssl as installed on the
> Linux distros, and don't really want to recompile it unless absolutely
> necessary.
>
> Here is the objective (mostly dealing with client certificates).
> As I
> understand it, one can have a CA that handles issuing certificates and
> an RA, or registration authority, that is responsible for verifying the
> identity of the person or corporation that is receiving a certificate;
> and I understand that most commercial 'CA's combine the two functions
> into a single corporate entity. But, I want to set up a CA for a
> company, and then set up an RA for each department (so that the
> department managers can worry about verifying the identities of their
> own staff, perhaps in collaboration with their human resources
> department, and selected outsiders (such as preferred customers,
> contractors, suppliers, &c.)). I want to set up a simple, secure
> website that users (intended recipients) access using credentials I
> provide, including a single user password. After login, the user
> would be presented with a series of challenges and the responses would
> be checked against what the user had presented to the RA that passed
> the credentials I created to the user (each RA would access the DB
> containing user data through a separate website, in order to enter the
> required data for each person to whom he wants a client certificate
> issued). Once the identity of the user is verified, the web site
> would take the user through the process of creating the client
> certificate and key. I am unclear as to how this can happen on the
> client side and the resulting certificate still be signed on the server
> by my CA. Also, it is unclear to me how I can configure these
> certificates so that they can a) authenticate the user to a secure
> server, b) encrypt documents passed between the client and server, and
> c) sign encrypted documents. Also, I understand that the different
> browsers support different methods for creating client certificates,
> so I'd appreciate a pointer to Javascript code that automagically uses
> the right procedure for whatever browser the client is using.
> I do
> not want to be dictating to the user where or when he gets his client
> certificate or what browser he should use. If there is a repository
> of javascript code that can run once the certificate has been created
> and installed in the browser that handles installing it also in
> whatever email client the user is using, as well as making a proper
> backup (e.g. to a USB memory stick, so that if anything happens to his
> computer, he can restore it all once his computer issues are resolved).
> In brief, I want to make things as easy as possible for the end
> users.
>
> Now, I envision a website for each department, to which only those
> users who have certificates authorized by the RA in that department
> can access, and another that provides access as long as he, or rather
> his browser, presents a certificate authorized by any of the RAs in
> the company (i.e. a company wide site along with departmental sites).
> Having worked with Apache 2.2 for quite a while, and on quite a number
> of secure websites, I am reasonably familiar with configuring Apache
> to use server certificates, but I am a little unclear on how to tell
> it to require certificates from a given pair of CA and RA, or a given
> CA in conjunction with any of a given set of RAs.
>
> I am sure there must be lots of companies that have done something
> like this. What I need is a pointer to documentation on how to do it,
> along with any accounts of the experiences of those who have done it
> and what gotchas to watch out for.
>
> I have been googling all this for a while, now, but it seems I must
> have the wrong search query as the signal to noise ratio is
> vanishingly small (i.e. I get plenty of noise, but little useful
> info).
>
> Any help you can provide would be greatly appreciated.
>
> Thanks
>
> Ted
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org

--
Marco Molteni
Technical Leader - Cisco Media Services Interface
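The issuance flow Ted asks about (key generated on the client, only a CSR sent to the server-side CA) and the Apache side of "a given CA with a given RA", as an added example that is not part of either message in the thread. It models each departmental RA as an intermediate CA signed by the company root, which is an assumption about the design rather than something the thread specifies; the Apache fragment uses mod_ssl's SSL_CLIENT_I_DN_OU (issuer DN organizational unit), and all names, paths and files (Example Corp, Engineering, alice, /etc/ssl/certs/root.crt) are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread: the poster's two-tier PKI built
# with openssl(1) alone. Company root CA -> one intermediate CA per department
# (the issuer its RA controls) -> user cert from a CSR; the user's key never
# leaves the client. Names (Example Corp, Engineering, alice) are placeholders.
set -eu
cd "${WORK:-$(mktemp -d)}"
# Extension profile the CA stamps onto CA certificates (root and departmental).
cat > ca.ext <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
# End entity: (a) TLS client auth, (b) key encipherment for encrypted
# documents/mail, (c) digital signature, with S/MIME via emailProtection.
cat > user.ext <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
EOF
# issue SUBJECT KEY ISSUER_CRT ISSUER_KEY EXTFILE OUT: CSR from KEY (this step
# runs wherever the private key lives), then signed by the issuer.
issue() {
  openssl req -new -key "$2" -subj "$1" -out "$6.csr" 2>/dev/null
  openssl x509 -req -in "$6.csr" -CA "$3" -CAkey "$4" -CAcreateserial \
    -days 365 -sha256 -extfile "$5" -out "$6" 2>/dev/null
}
# Company root CA, self-signed.
openssl genrsa -out root.key 2048 2>/dev/null
openssl req -new -key root.key -subj "/O=Example Corp/CN=Example Corp Root CA" -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 3650 -sha256 -extfile ca.ext -out root.crt 2>/dev/null
# Engineering department CA; its RA decides which CSRs get signed with eng.key.
openssl genrsa -out eng.key 2048 2>/dev/null
issue "/O=Example Corp/OU=Engineering/CN=Engineering Dept CA" eng.key root.crt root.key ca.ext eng.crt
# Client side: alice makes her key and CSR; the CA only ever sees alice.crt.csr.
openssl genrsa -out alice.key 2048 2>/dev/null
issue "/O=Example Corp/OU=Engineering/CN=alice/emailAddress=alice@example.com" alice.key eng.crt eng.key user.ext alice.crt
# Chain check root -> Engineering Dept CA -> alice; exit status 0 when valid.
verify_chain() { openssl verify -CAfile root.crt -untrusted eng.crt alice.crt >/dev/null 2>&1; }
# Apache 2.2 mod_ssl fragment: the company-wide site accepts any cert chaining
# to the root (depth 2); the departmental location also pins the issuer's OU.
cat > httpd-clientcert.conf <<'EOF'
SSLCACertificateFile /etc/ssl/certs/root.crt
SSLVerifyClient      require
SSLVerifyDepth       2
<Location /engineering>
    SSLRequire %{SSL_CLIENT_I_DN_OU} eq "Engineering"
</Location>
EOF
verify_chain && echo "chain OK; Apache fragment written to $PWD/httpd-clientcert.conf"
```

The browser-side key generation Ted mentions (per-browser enrollment code) is a separate client matter; whatever produces the key, the CA only needs the CSR, exactly as the `issue` step shows.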