On 2016-06-24, C. L. Martinez <[email protected]> wrote:
> On Fri 24.Jun'16 at 12:46:48 +0000, Dahlberg, David wrote:
>> On Friday, 24.06.2016 at 11:45 +0000, C. L. Martinez wrote:
>>
>> > I would like to deploy/setup a PKI under OpenBSD for my home lab.
>> > Searching about this topic, I think the best option is to use
>> > customized openssl/libressl scripts, but it could be very hard to keep
>> > for certificate requests, revocations, etc.
>> >
>> > Any suggestion about what can be better option?
>>
>> Have a look at security/xca, else define "better option".
>>
>> Cheers
>
> For "better option", I am speaking about what could be the best tool or
> procedure to manage a PKI under OpenBSD.

It really depends on what your reasons are for doing this.

If you're trying to learn about the nitty-gritty of generating certs, CRLs, revocations, etc., then using the command line tools directly isn't a bad idea.

If you're trying to script things but at a higher level than the libressl/openssl command line tool, you might want to look at something like https://github.com/cloudflare/cfssl.

If you're just trying to manually generate certs for lab machines and are happier with something visual, xca is pretty good.

Or you can look at the tools which are really made for simplifying VPN setup, like "ikectl ca" (though the way it's designed, it really only makes sense if you generate the private key on a central machine, which is a bit non-standard though it makes life easier in some cases).

Or yes, as was already pointed out, easy-rsa (though personally I find that more complex than easy).

If you're more interested in getting certs than investigating how to run PKI, something like letsencrypt might work for you.
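
For the command-line route mentioned in the reply above, here is an added example (not part of the original thread, nor code from any project named in it) of the bookkeeping a hand-run CA involves: state files for `openssl ca`, issuing a host certificate, revoking it, republishing the CRL, and checking a certificate against that CRL. The `lab_ca_*` function names, the file layout and the "Lab Root CA" subject are assumptions made for illustration, and it assumes an `openssl` binary whose `verify` subcommand accepts `-CRLfile`.

```shell
# Added example: throwaway lab CA driven by the openssl(1) command line.
# Names and layout are constructed; -nodes leaves keys unencrypted (lab use only).
lab_ca_init() {    # $1 = empty directory that will hold the CA state
  mkdir -p "$1/newcerts" && : > "$1/index.txt" &&
  echo 1000 > "$1/serial" && echo 1000 > "$1/crlnumber" &&
  cat > "$1/ca.cnf" <<EOF &&
[ ca ]
default_ca = lab
[ lab ]
database = $1/index.txt
new_certs_dir = $1/newcerts
serial = $1/serial
crlnumber = $1/crlnumber
certificate = $1/ca.crt
private_key = $1/ca.key
default_md = sha256
default_days = 90
default_crl_days = 7
policy = pol
x509_extensions = leaf
[ pol ]
commonName = supplied
[ leaf ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = dn
x509_extensions = root
[ dn ]
[ root ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$1/ca.cnf" \
    -subj "/CN=Lab Root CA" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
  openssl ca -config "$1/ca.cnf" -gencrl -out "$1/ca.crl" 2>/dev/null
}
lab_ca_issue() {   # $1 = CA dir, $2 = host; key and CSR are generated in the CA dir
  openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
  openssl ca -batch -config "$1/ca.cnf" -notext -in "$1/$2.csr" -out "$1/$2.crt" 2>/dev/null
}
lab_ca_revoke() {  # marks the index.txt entry R, then publishes a fresh CRL
  openssl ca -config "$1/ca.cnf" -revoke "$1/$2.crt" 2>/dev/null &&
  openssl ca -config "$1/ca.cnf" -gencrl -out "$1/ca.crl" 2>/dev/null
}
lab_ca_check() {   # succeeds only if the cert chains to the CA and is not on the CRL
  openssl verify -crl_check -CAfile "$1/ca.crt" -CRLfile "$1/ca.crl" "$1/$2.crt" >/dev/null 2>&1
}
```

Revocation only takes effect for clients that fetch the regenerated `ca.crl`, so the CRL has to be redistributed after every `lab_ca_revoke` and before `default_crl_days` runs out.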

