Recommendations for a Certificate Management tool for Linux

  • A client is looking to roll out OpenVPN to all its mobile employees and will use certificates on both the server and all clients.

    This creates a new challenge to manage all these certificates and handle certificate revocations and renewals.

    Any recommendations on a Linux GUI tool to manage hundreds of certificates?

    I have done testing using the CLI, but that is going to become a nightmare as the number of certificates increases into the hundreds.

  • You may want to try EJBCA. It is free, open source, graphical, and runs on Linux.

    Note that proper certificate management is 95% procedures; software can only get you so far.

    I had a look at the EJBCA Live CD and it is impressive. Thanks for the link.

    Can you expand on which procedures or types of procedures you believe are critical to proper certificate management?

    A certificate links a physical identity to a cryptographic key. So you must ask yourself how you identify people, who does it, who checks it, who creates keys, how keys are stored, how and when keys are destroyed, who does what in case of key compromise, who is _accountable_ for mishaps, and so on. Software can help you do the actual signing and encoding of certificates, but most of the job is about understanding what happens and planning for security events, and software will not help you for that.

    Major tasks will include (1) revoking certificates of employees who leave the organization (2) revoking certificates used on systems that might be stolen, lost, etc (3) keeping track of certificates that need to be renewed. Regarding the question of identity, these certificates will be used either by employees or contract staff, so the identity issue is handled under normal HR procedures.

  • XCA is a nice little tool, which is also cross-platform. Though I have to add that, in my experience, graphical tools will only get you so far. Especially if you create a lot of certificates, working your way into openssl pays off.

    I find XCA to be the most perfect tool for testing and development; not so sure about using it in production, as it doesn't provide ACLs.
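The lifecycle tasks listed in the comment to the EJBCA answer above (revoking certificates of leavers and of lost or stolen devices, tracking renewals) and the openssl command-line route this answer recommends, worked through as an added example that is not from the original thread and not code from XCA, EJBCA, OpenCA or any other tool named here: a small POSIX shell CA built on `openssl ca`. The directory layout, the configuration file, the `vpn_ca.sh` file name and the client names `alice` and `bob` are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal OpenSSL-driven CA for OpenVPN
# client certificates. The directory layout, config and client names used in
# the demo are assumptions made for this example.
set -eu

CA_DIR="${CA_DIR:-$(mktemp -d)}"   # where index.txt, serial, keys and certs live

# Create the CA: directory layout, openssl config, self-signed CA cert, empty CRL.
ca_init() {
    mkdir -p "$CA_DIR/certs" "$CA_DIR/private"
    chmod 700 "$CA_DIR/private"
    : > "$CA_DIR/index.txt"           # the CA database: one line per issued cert
    echo 1000 > "$CA_DIR/serial"
    echo 1000 > "$CA_DIR/crlnumber"
    cat > "$CA_DIR/ca.cnf" <<EOF
[ ca ]
default_ca = vpn_ca
[ vpn_ca ]
dir = $CA_DIR
database = \$dir/index.txt
new_certs_dir = \$dir/certs
certificate = \$dir/ca.crt
private_key = \$dir/private/ca.key
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
unique_subject = no
policy = policy_cn
[ policy_cn ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -config "$CA_DIR/ca.cnf" \
        -extensions v3_ca -days 3650 -subj "/CN=Example VPN CA" \
        -keyout "$CA_DIR/private/ca.key" -out "$CA_DIR/ca.crt" 2>/dev/null
    openssl ca -config "$CA_DIR/ca.cnf" -gencrl -out "$CA_DIR/crl.pem" 2>/dev/null
}

# Issue a client certificate: $1 = user name (becomes the CN), $2 = validity in days.
issue_client() {
    openssl req -new -newkey rsa:2048 -nodes -config "$CA_DIR/ca.cnf" -subj "/CN=$1" \
        -keyout "$CA_DIR/private/$1.key" -out "$CA_DIR/$1.csr" 2>/dev/null
    openssl ca -batch -config "$CA_DIR/ca.cnf" -extensions v3_client -days "$2" \
        -notext -in "$CA_DIR/$1.csr" -out "$CA_DIR/$1.crt" 2>/dev/null
}

# Revoke a client certificate ($1 = user name, $2 = reason such as keyCompromise
# or cessationOfOperation) and republish the CRL that the OpenVPN server reads.
revoke_client() {
    openssl ca -config "$CA_DIR/ca.cnf" -revoke "$CA_DIR/$1.crt" -crl_reason "$2" 2>/dev/null
    openssl ca -config "$CA_DIR/ca.cnf" -gencrl -out "$CA_DIR/crl.pem" 2>/dev/null
}

# Print "valid" if the certificate chains to the CA, is unexpired and is not on
# the CRL, otherwise "invalid": essentially the check the VPN server makes.
vpn_cert_status() {
    if openssl verify -crl_check -CAfile "$CA_DIR/ca.crt" -CRLfile "$CA_DIR/crl.pem" \
            "$CA_DIR/$1.crt" >/dev/null 2>&1; then
        echo valid
    else
        echo invalid
    fi
}

# Renewal tracking: print the name of every issued client certificate that
# expires within $1 seconds (e.g. 2592000 for 30 days).
expiring_within() {
    for crt in "$CA_DIR"/*.crt; do
        name=$(basename "$crt" .crt)
        if [ "$name" != ca ]; then
            openssl x509 -noout -checkend "$1" -in "$crt" >/dev/null || echo "$name"
        fi
    done
}

# "sh vpn_ca.sh demo" walks through the whole lifecycle end to end.
if [ "${1:-}" = demo ]; then
    ca_init
    issue_client alice 365; issue_client bob 20
    revoke_client alice keyCompromise          # e.g. laptop reported stolen
    echo "alice: $(vpn_cert_status alice)  bob: $(vpn_cert_status bob)"
    echo "renew within 30 days: $(expiring_within 2592000)"
    echo "CRL for the OpenVPN server (crl-verify): $CA_DIR/crl.pem"
fi
```

The script only automates the signing and encoding part that the EJBCA answer says software can help with; deciding when a certificate must be revoked is still a procedure. Three details matter in production: `unique_subject = no` lets you issue a replacement certificate for the same user before the old one expires, which is what a renewal is; `crl.pem` must be regenerated and pushed to the OpenVPN server (its `crl-verify` option) after every revocation, and before `default_crl_days` runs out even when nothing was revoked; and `index.txt` is the record of which serial was revoked when and why, so keep it under backup and access control.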

  • OpenCA has a nice Web UI that gives you full control over a PKI. It has its own OCSP server for revoking certificates. Of course this project also includes LibPKI, which allows you to control it from software.

    Thank you for the link. I worry that the OpenCA project looks like it has lost momentum. The latest Fedora RPMs are for Fedora 13, but Fedora 15 is current, with Fedora 16 out in the next few months.

    @Frank Daley, I didn't know you were using RedHat. Actually RedHat maintains their own CA software stack.

    Thank you for the lead that helped me track down a Fedora project called Dogtag that is the basis for the Red Hat CA software stack.

  • Another little tool with a GUI is TinyCA. It relies on OpenSSL, Perl and GTK.

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM