duksta.org

adventures in electronics, infosec and life

CSP: DIY Certificate Authority

Are you in need of X.509 certificates for your systems? Are you outraged by the expense of commercial CAs? You can be your own certificate authority.

I’ve tried out a bunch of different Open Source CA packages and found most of them to either be too rudimentary (e.g. the CA.sh script that comes with the OpenSSL distribution) or way too complex (OpenCA). However, I’ve finally managed to find a reasonable middle ground for a low volume CA. That package is Stockholm University’s Certificate Service Provider (CSP).

CSP is a Perl class and script for running multiple CAs. It uses OpenSSL for all operations and has a very simple command line interface. One place it is lacking is in error handling. I have found that if you mis-type the password for the private key of the root certificate when you are signing a cert, you don't get any error message telling you that it couldn't complete the operation. So check the result after each signing, for instance by running `openssl verify -CAfile` with your CA certificate against the newly issued cert, rather than assuming the operation succeeded.

Installation is a breeze as it uses the standard Perl-style make structure (perl Makefile.PL; make; make install). I would recommend setting aside a standalone machine to be the CA host. An old Pentium-class laptop should suffice, giving you the added bonus of being able to lock it up in a safe or desk drawer for safekeeping. Be sure to keep backups of the root CA cert and key on a floppy, CD-R or some other medium, and keep the key passphrase-protected on the backup copy as well: whoever holds that key can issue certificates every one of your systems will trust.
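Because CSP drives OpenSSL underneath, the same operations can be exercised with OpenSSL alone. The script below is an added example written for this page, not code from CSP or from the original post: it builds a root CA with a passphrase-protected key (the file you would back up), signs one server certificate, and then runs the check that the error-handling paragraph above calls for, verifying the issued certificate against the CA certificate, including what happens when the wrong passphrase is supplied. The scratch directory `$WORK`, the passphrase in `$CA_PASS`, the CA name and the host name `www.example.org` are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of CSP or of this post): a minimal root CA in plain
# OpenSSL, plus the post-signing check that CSP does not perform for you.
# Assumptions: $WORK is a scratch directory, $CA_PASS is a constructed
# passphrase, www.example.org is the host receiving a certificate.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_PASS="${CA_PASS:-constructed demo passphrase}"
HOST="www.example.org"

# Minimal OpenSSL config: one extension profile for the root, one for servers.
# The [dn] section is a placeholder; -subj overrides it on every call.
write_config() {
  cat > "$WORK/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST
subjectKeyIdentifier = hash
EOF
}

# Root CA: AES-256 passphrase-protected private key plus a self-signed CA cert.
# The encrypted ca.key is what goes onto the offline backup medium.
make_root_ca() {
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -config "$WORK/ca.cnf" -extensions v3_ca \
    -key "$WORK/ca.key" -passin "pass:$CA_PASS" \
    -subj "/CN=duksta.org demo root CA" -days 3650 -sha256 \
    -out "$WORK/ca.crt"
}

# Server key (unencrypted, it lives on the server) and a CSR for it.
make_server_csr() {
  openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
  openssl req -new -config "$WORK/ca.cnf" -key "$WORK/server.key" \
    -subj "/CN=$HOST" -out "$WORK/server.csr"
}

# Sign the CSR with the root. $1 = CA passphrase, $2 = output certificate.
# Unlike CSP, openssl itself exits non-zero when the passphrase is wrong.
sign_server_cert() {
  openssl x509 -req -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -passin "pass:$1" \
    -CAcreateserial -days 825 -sha256 \
    -extfile "$WORK/ca.cnf" -extensions v3_server -out "$2" 2>/dev/null
}

# The check to run after every signing, whatever tool did the signing:
# does the issued certificate chain to the CA? Prints OK or FAIL.
verify_against_ca() {
  if openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
    return 1
  fi
}

# Second check: did the certificate get the name we asked for?
# Prints the SAN list, e.g. "DNS:www.example.org".
cert_sans() {
  openssl x509 -in "$1" -noout -ext subjectAltName | tail -n 1 | tr -d ' '
}

main() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }
  write_config
  make_root_ca
  make_server_csr
  sign_server_cert "$CA_PASS" "$WORK/server.crt"
  result=$(verify_against_ca "$WORK/server.crt")
  echo "signed with the right passphrase, verify: $result, SAN: $(cert_sans "$WORK/server.crt")"
  # Wrong passphrase: openssl refuses, and the verify check catches the result.
  if sign_server_cert "not the passphrase" "$WORK/bad.crt"; then
    echo "unexpected: signing succeeded with a wrong passphrase"
  else
    echo "wrong passphrase: openssl refused to sign, verify: $(verify_against_ca "$WORK/bad.crt" || true)"
  fi
  echo "CA files are in $WORK"
}
main
```

The function to keep from this is `verify_against_ca`: run it (or the underlying `openssl verify -CAfile`) after every signing, because a CA that fails silently is only dangerous if nobody checks the output.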

The best part about CSP is the excellent documentation available. There is a 21-page user manual available in PDF and SGML formats that walks you all the way from installation to initialization of your CA to issuing and revoking certs. None of the other CA projects I've tried have had documentation even a quarter as good as this.

All in all, it's a great package for a low volume CA. I definitely wouldn't try using it to outfit a large enterprise with certificates for all the users, but if all you need is a few certs for your servers, then this is definitely the tool for you.