
A client is looking to roll out OpenVPN to all its mobile employees and will use certificates on both the server and all clients.

This creates a new challenge to manage all these certificates and handle certificate revocations and renewals.

Any recommendations on a Linux GUI tool to manage hundreds of certificates?

I have done testing using the CLI, but that is going to become a nightmare as the number of certificates increases into the hundreds.

Thomas Pornin
Frank Daley

4 Answers


XCA is a nice little tool, which is also cross-platform. Though I have to add, that in my experience, graphical tools will only get you so far. Especially if you create a lot of certificates, working your way into openssl pays off.

mat
  • I find XCA to be the most perfect tool for testing and development, not so sure about using it in production, it doesn't provide ACLs – Jaime Hablutzel Mar 27 '15 at 19:57

You may want to try EJBCA. It is free, opensource, graphical, and runs on Linux.

Note that proper certificate management is 95% procedures; software can only get you so far.

Thomas Pornin
  • I had a look at the EJBCA Live CD and it is impressive. Thanks for the link. – Frank Daley Sep 11 '11 at 01:23
  • Can you expand on which procedures or types of procedures you believe are critical to proper certificate management? – this.josh Sep 12 '11 at 06:26
  • A certificate links a physical identity to a cryptographic key. So you must ask yourself how you identify people, who does it, who checks it, who creates keys, how keys are stored, how and when keys are destroyed, who does what in case of key compromise, who is _accountable_ for mishaps, and so on. Software can help you do the actual signing and encoding of certificates, but most of the job is about understanding what happens and planning for security events, and software will not help you for that. – Thomas Pornin Sep 12 '11 at 16:13
  • Major tasks will include (1) revoking certificates of employees who leave the organization, (2) revoking certificates used on systems that might be stolen, lost, etc., and (3) keeping track of certificates that need to be renewed. Regarding the question of identity, these certificates will be used either by employees or contract staff, so the identity issue is handled under normal HR procedures. – Frank Daley Sep 13 '11 at 00:04
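As an added example (not code from any of the answers above), the following script reads the `index.txt` database that `openssl ca` maintains and reports the two things the last comment asks for: which certificates are revoked and which are due for renewal. The database rows are constructed for illustration.

```python
"""Scan an OpenSSL ``ca`` database (index.txt) for revoked and soon-to-expire client certificates."""
from datetime import datetime, timedelta, timezone

# Constructed sample of the tab-separated index.txt kept by ``openssl ca``:
# status (V=valid, R=revoked, E=expired), expiry, revocation date[,reason],
# serial, certificate filename, subject DN.
SAMPLE_INDEX = "\n".join([
    "V\t260101120000Z\t\t01\tunknown\t/CN=alice.laptop",
    "R\t260101120000Z\t250901090000Z,keyCompromise\t02\tunknown\t/CN=bob.phone",
    "V\t250920000000Z\t\t03\tunknown\t/CN=carol.laptop",
    "R\t270101120000Z\t250815101500Z\t04\tunknown\t/CN=dave.tablet",
])


def parse_openssl_time(value):
    """Parse the YYMMDDHHMMSSZ (or YYYYMMDDHHMMSSZ) timestamps used in index.txt."""
    fmt = "%y%m%d%H%M%SZ" if len(value) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def parse_index(text):
    """Return one dict per database row; revocation date and reason are None unless revoked."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        status, expiry, revoked, serial, _filename, subject = line.split("\t")
        rev_time, reason = None, None
        if revoked:
            rev_part, _, reason = revoked.partition(",")
            rev_time = parse_openssl_time(rev_part)
            reason = reason or None
        entries.append({"status": status, "serial": serial, "subject": subject,
                        "expires": parse_openssl_time(expiry),
                        "revoked": rev_time, "reason": reason})
    return entries


def expiring_soon(entries, now, days=30):
    """Valid certificates that expire within ``days`` of ``now``: the renewal work list."""
    cutoff = now + timedelta(days=days)
    return [e for e in entries if e["status"] == "V" and now <= e["expires"] <= cutoff]


def revoked_entries(entries):
    """Revoked certificates; this is the set ``openssl ca -gencrl`` publishes in the CRL."""
    return [e for e in entries if e["status"] == "R"]


if __name__ == "__main__":
    now = datetime(2025, 9, 1, tzinfo=timezone.utc)
    db = parse_index(SAMPLE_INDEX)
    for e in expiring_soon(db, now):
        print("RENEW  ", e["serial"], e["subject"], e["expires"].date())
    for e in revoked_entries(db):
        print("REVOKED", e["serial"], e["subject"], e["reason"] or "unspecified")
```

Pointing the script at a real CA's `index.txt` gives the same report; the revoked list is what the CRL that OpenVPN checks with `crl-verify` must contain.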

OpenCA has a nice Web UI that gives you full control over a PKI. It has its own OCSP server for revoking certificates. Of course this project also includes LibPKI which allows you control it from software.

rook
  • Thank you for the link. I worry that the OpenCA project looks like it has lost momentum. Latest Fedora RPMs are for Fedora 13, but Fedora 15 is the current with Fedora 16 out in the next few months. – Frank Daley Sep 11 '11 at 01:26
  • @Frank Daley, I didn't know you were using RedHat. Actually RedHat maintains [their own CA software stack](http://docs.redhat.com/docs/en-US/Red_Hat_Certificate_System/8.0/html/Deployment_Guide/SubsystemOverview.html). – rook Sep 11 '11 at 02:10
  • Thank you for the lead that helped me track down a Fedora project called Dogtag that is the basis for the Red Hat CA software stack. – Frank Daley Sep 18 '11 at 00:07

Another little tool with a GUI is TinyCA. It relies on OpenSSL, Perl and GTK.

Bruno