Kyle Hamilton wrote:
> I'm going to hop in here and mention that MacOSX has a basic but
> useful X.509 CA app integrated into its Keychain Access application.
>
> -Kyle H
>
> On Mon, Mar 24, 2008 at 12:02 PM, Patrick Patterson
> <[EMAIL PROTECTED]> wrote:
>
>> 3: Your budget. If you are using raw OpenSSL for your CA, you probably don't
>> have a lot of cash to spend on infrastructure (since OpenSSL, while
>> technically very good, is missing some functionality that more capable tools
>> like Entrust, Microsoft CA, or Redhat Certificate Services have - which is
>> understandable, given that it is, first and foremost, a library, and not a
>> CA product). So you may not have the extra funds for an offline root (we
>> usually use a laptop, a dedicated HSM, and a good safe in a secure
>> location), and for its operation (even though it's offline, you still need
>> to, at least periodically, issue CRLs (or, more correctly, an ARL)).

To that point, I like what the OpenXPKI (www.openxpki.org) folks are doing, but their effort is not quite mature enough in my view. It is the case that we are going low budget, but we figure we can roll our own scripts for most of what we need, thanks in large part to the OpenSSL libraries.
As an aside: this is being done for a not-for-profit institution, so we are geared to save money wherever we can.