Well, I think I need to jump in here....

It is correct that CA is not PKI and vice versa and both need to be
split into technical and organizational parts. Most people say "CA" or
even "PKI" but just want to "get some certificates" without all the
organizational stuff around. This is pretty fine if you just need to get
the technical things solved ;)

I disagree that you must understand OpenSSL to operate a CA - yes, you
should have an idea of what keyUsage means and what is contained in a
certificate, but there are plenty of tools around that make all this
technical stuff a "black box". OpenXPKI is one of the tools that hides
this complexity behind a quite easy configuration system, but it brings
the burden of caring about some other things.

If you need something in between, I suggest you have a look at "clca"
https://github.com/openxpki/clca which is basically a shell script that
hides a lot of the OpenSSL magic in a more understandable manner and
also brings some commodity features with it. To use clca you indeed must
understand the basic OpenSSL config layout, but it comes with the most
common use cases preconfigured, so it should be easy. (Side note - there is
a commercial add-on available that will bootstrap a CA from a YAML
config just as it is done in OpenXPKI.)

Oliver

On 26.02.21 at 18:53, Alejandro Imass wrote:
> Yes, if you are familiar with Perl it should be no issue.
>
> I got the Docker version working with the demo script and started
> understanding how it works. I would recommend to start that route.
> Also, you need pretty good knowledge of setting up multi-level CAs
> with OpenSSL first if you really want to set up a system like this more
> formally. You will most likely want an off-line root CA that issues
> the first few components you need to initialize OpenXPKI.
>
> If you want a CA, on the other hand I would recommend you use the
> methods described in this book:
>
> https://www.feistyduck.com/books/openssl-cookbook/
>
> Read the complete book and you will have a recipe to create your own
> command line CA which is pretty decent. A PKI like OpenXPKI builds on
> top of that to make it on-line and easier to manage, but essentially
> you could use OpenSSL and run your CA off a secure SD card if you
> wanted to.
>
> In any case even before attempting to get a PKI running you need solid
> OpenSSL concepts and the use of templates to understand if you need or
> want to separate things like signing certificates from encryption
> certificates or server certs for TLS and HTTPS. There are many
> applications for asymmetric cryptography and you need to have all the
> concepts pretty well mastered, and justify a need for a PKI.
>
> Generally, a full featured CA like the ones you can create with
> OpenSSL will be sufficient for most needs. When you want a PKI is for
> example if you want an on-line and automated certificate signing
> entity via SCEP and well defined workflows, then you probably want
> something like OpenXPKI.
>
> Best,
>
> -- 
> Alex
>
> On Fri, Feb 26, 2021 at 12:18 PM Carlos Velasco
> <carlos.vela...@nimastelecom.com> wrote:
>
>     Hello,
>
>     I'm working on my final graduate project and I was thinking of
>     incorporating a CA into it for some things, and then I saw OpenXPKI.
>
>     Question: Can it be installed from source?
>     I see Debian packages in the docs, but currently the server is not
>     Debian and adding another server (physical/virtual) to the project
>     is not an option at this point.
>
>     Regards,
>     Carlos Velasco
>
>     _______________________________________________
>     OpenXPKI-users mailing list
>     OpenXPKI-users@lists.sourceforge.net
>     <mailto:OpenXPKI-users@lists.sourceforge.net>
>     https://lists.sourceforge.net/lists/listinfo/openxpki-users
>     <https://lists.sourceforge.net/lists/listinfo/openxpki-users>


-- 
Protect your environment -  close windows and adopt a penguin! 
