Introduction to OpenCA
October 19th, 2010 By shazkhan

Public Key Infrastructures (PKIs) are widely accepted as a must-have for the future. Most applications can be secured with certificates and keys, but setting up a PKI is difficult and expensive, the main reason being that flexible trust-center software (especially for Unix) is expensive. This was the starting point of OpenCA.

OpenCA started in 1999. The first idea consisted of three major parts: a Perl web interface, an OpenSSL backend for the cryptographic operations and a database. The cryptographic backend is still OpenSSL, which is in no way a disadvantage. OpenCA is aimed at building the organizational infrastructure for a PKI. The OpenCA database stores all the needed information about the users' cryptographic objects, such as Certificate Signing Requests (CSRs), Certificates, Certificate Revocation Requests (CRRs) and Certificate Revocation Lists (CRLs).

Some salient features of OpenCA:

  • Public interface
  • LDAP interface
  • RA interface
  • CA interface
  • SCEP
  • OCSP
  • IP-filters for interfaces
  • Passphrase based login
  • Certificate based login (including smartcards)
  • Role Based Access Control
  • Flexible Certificate Subjects
  • Flexible Certificate Extensions
  • PIN based revocation
  • Digital signature based revocation
  • CRL issuing
  • Warnings for soon to expire certificates
  • Support for nearly every (graphical) browser

OpenCA is designed for a distributed infrastructure. It can not only handle an offline CA and an online RA, but also build a whole hierarchy with three or more levels. OpenCA is not just a small solution for small and medium research facilities; the goal is to support maximum flexibility for big organizations like universities, grids and global companies.
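The hierarchy and lifecycle described above (offline root, online issuing CA, certificates, CRL issuing and revocation) can be exercised directly against the OpenSSL backend that OpenCA drives. The script below is an added example, not OpenCA's own code or configuration: it builds a three-level chain (root CA, issuing CA, server certificate) with the `openssl` CLI, issues a CRL from each CA, revokes the server certificate, and verifies the chain with CRL checking before and after. The CA names, the `server.example.test` subject, the `CA_DIR` environment variable and the directory layout are all constructed for this demonstration.

```shell
#!/bin/sh
# Added example, not OpenCA's own code: a three-level X.509 hierarchy built with
# the openssl CLI (the backend OpenCA drives): root CA -> issuing CA -> server
# certificate, plus CRL issuance, revocation and chain verification with CRL
# checks. All names and the directory layout are constructed for this demo.
set -eu

# Minimal openssl.cnf. The CA directory comes from the CA_DIR environment
# variable so one file serves both the root and the issuing CA.
write_config() {
  cat > "$1" <<'EOF'
[ ca ]
default_ca = ca_default
[ ca_default ]
dir              = $ENV::CA_DIR
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any
x509_extensions  = ee_ext
[ policy_any ]
commonName = supplied
[ req ]
prompt             = no
distinguished_name = req_dn
[ req_dn ]
[ root_ext ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
[ sub_ca_ext ]
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
[ ee_ext ]
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF
}
# init_ca_dir DIR: state files `openssl ca` keeps (OpenCA keeps these in its database).
init_ca_dir() {
  mkdir -p "$1/newcerts"; : > "$1/index.txt"
  echo 1000 > "$1/serial"; echo 1000 > "$1/crlnumber"
}
# issue_crls WORKDIR: (re)generate a CRL from each CA and concatenate them.
issue_crls() {
  CA_DIR="$1/root" openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/root.crl"
  CA_DIR="$1/int" openssl ca -config "$1/openssl.cnf" -gencrl -out "$1/int.crl"
  cat "$1/root.crl" "$1/int.crl" > "$1/chain.crl"
}
# build_hierarchy WORKDIR: root CA, issuing CA signed by the root, a server
# certificate signed by the issuing CA, and an initial (empty) CRL from each.
build_hierarchy() {
  w=$1; cfg=$w/openssl.cnf
  write_config "$cfg"; init_ca_dir "$w/root"; init_ca_dir "$w/int"
  export CA_DIR="$w/root"   # config parsing needs the variable defined
  openssl genrsa -out "$w/root/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$w/root/ca.key" -out "$w/root/ca.crt" \
    -config "$cfg" -extensions root_ext -days 3650 -subj "/CN=Example Root CA"
  openssl genrsa -out "$w/int/ca.key" 2048 2>/dev/null
  openssl req -new -key "$w/int/ca.key" -out "$w/int.csr" -config "$cfg" \
    -subj "/CN=Example Issuing CA"
  CA_DIR="$w/root" openssl ca -batch -notext -config "$cfg" -extensions sub_ca_ext \
    -days 1825 -in "$w/int.csr" -out "$w/int/ca.crt"
  openssl genrsa -out "$w/server.key" 2048 2>/dev/null
  openssl req -new -key "$w/server.key" -out "$w/server.csr" -config "$cfg" \
    -subj "/CN=server.example.test"
  CA_DIR="$w/int" openssl ca -batch -notext -config "$cfg" -extensions ee_ext \
    -days 365 -in "$w/server.csr" -out "$w/server.crt"
  issue_crls "$w"
}
# revoke_server WORKDIR: record the revocation in the issuing CA's database
# and publish a fresh CRL that lists the serial number.
revoke_server() {
  CA_DIR="$1/int" openssl ca -config "$1/openssl.cnf" -revoke "$1/server.crt"
  issue_crls "$1"
}
# verify_server WORKDIR: prints valid, revoked or invalid. The relying party trusts
# only the root; -crl_check_all demands a current CRL for every CA in the chain.
verify_server() {
  out=$(openssl verify -crl_check_all -CAfile "$1/root/ca.crt" -CRLfile "$1/chain.crl" \
        -untrusted "$1/int/ca.crt" "$1/server.crt" 2>&1) && { echo valid; return 0; }
  case $out in *revoked*) echo revoked ;; *) echo invalid ;; esac
}

demo=$(mktemp -d)
build_hierarchy "$demo"
echo "before revocation: $(verify_server "$demo")"
revoke_server "$demo"
echo "after revocation: $(verify_server "$demo")"
```

The `pathlen:0` constraint on the issuing CA is the piece that keeps a three-level design honest: a compromised issuing key can mint end-entity certificates but cannot create a further sub-CA that relying parties would accept. Note also that `verify_server` only reports `revoked` because a fresh CRL was published after `-revoke`; updating the CA database alone changes nothing for relying parties, which is why CRL (or OCSP) publication is part of the revocation procedure rather than an afterthought.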

Note: Adapted from OpenCA wiki
