This project doesn't even have a proper name. It's a collection of tools to make the management of a CA with openssl (http://www.openssl.org/) a little easier. There's no database, the configuration file has been reigned in (and is created for you) and all the output files (except for encrypted keys) retain their human-readable headings so there's no need to remember which openssl command parses which binary blob. Features: * No complicated code to read in order to understand and trust what it's doing. * Create the directory and self-signed certificate to operate a CA. * Can also create CAs signed by other CAs (untested). * Can set (but does not do anything else to) a certificate's CRL URL. * Create a key with or without encryption (encrypted by default). * Create a signing request from a key. * Sign a signing request as a CA. Missing features: * I have no idea really which types of certificates need which extensions. Upcoming features: * Create keys and requests independently of the working directory. * Some form of guide to adding sections to pki.conf for different certificate and request extensions. * Less clunky code. Features I ought to work on but probably won't: * Documentation. Usage guide: All commands display usage with -h, --help or an error parsing arguments. Requires a working directory with a pki.conf file (equivalent to openssl.cnf). Create it with: # newpki -p /srv/pki # ls -1F /srv/pki certificates/ keys/ pki.conf requests/ Create a root CA: # newca -p /srv/pki Example # ls -1FR /srv/pki/Example /srv/pki/Example/: CA@ certificates/ index index.attr index.old key serial serial.old /srv/pki/Example/certificates: 01.pem # ls -l /srv/pki/Example/CA lrwxr-xr-x 1 root wheel 19 Feb 23 13:46 /srv/pki/Example/CA -> certificates/01.pem Or with a CRL: # newca -p /srv/pki -d http://example.com/crl Example # ls -1F /srv/pki/Example/crl /srv/pki/Example/crl Create a sub-CA (-d for a (different) CRL URL again): # newca -p /srv/pki -c Example Secondary # ls -1dF /srv/pki/Secondary /srv/pki/Secondary/ Create a key: # newkey -p /srv/pki test # ls -l /srv/pki/keys/test -r-------- 1 root wheel 1751 Feb 23 13:49 /srv/pki/keys/test Create a request (from a key): # newcsr -p /srv/pki test # cat /srv/pki/requests/test Certificate Request: Data: ... -----BEGIN CERTIFICATE REQUEST----- ... -----END CERTIFICATE REQUEST----- Sign a request (from a certificate): # sign -p /srv/pki -c Example test # cat /srv/pki/certificates/test Certificate: Data: ... -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- Certificate is also stored in /srv/pki/Example/certificates/<serial>.pem