Public key infrastructures are widely accepted as a must for the future. The problem is that while more and more applications can be secured with basic building blocks like certificates and keys, setting up a PKI is difficult and expensive, because flexible trust center software for Unix is expensive. This was the starting point of OpenCA. Our goal is to produce an open source trust center system that gives the community a good, inexpensive and future-proof solution for this base infrastructure.
OpenCA started in 1999. The first design consisted of three major parts: a Perl web interface, an OpenSSL backend for the cryptographic operations, and a database. This simple concept is still the basis today. Nearly all operations can be performed via a web interface; the only difference is that we now ship six preconfigured interfaces and you can create as many interfaces as you want. The cryptographic backend is still OpenSSL, and this is no disadvantage: we want to build the organizational infrastructure for a PKI. That is our major job, and the OpenSSL developers have much more experience with cryptography than we do. Our databases store all the information needed about the users' cryptographic objects, such as certificate signing requests, certificates, certificate revocation requests and CRLs.
Public interface
LDAP interface
RA interface
CA interface
SCEP
OCSP
IP-filters for interfaces
Passphrase based login
Certificate based login (incl. smartcards)
Role Based Access Control
flexible certificate subjects
flexible certificate extensions
PIN based revocation
digital signature based revocation
CRL issuing
Warnings for expiring certificates
support for nearly every (graphical) browser
OpenCA is designed for a distributed infrastructure. It can handle not only an offline CA and an online RA; you can build a hierarchy with three or more levels. The goal is maximum flexibility to support big organizations like universities, grids and global companies. OpenCA is not only a small solution for small and medium research facilities.
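To make the hierarchy idea concrete, here is an added example that is not OpenCA's own code: it uses the OpenSSL command line (the backend OpenCA builds on) to create a self-signed root, an intermediate CA, an online issuing CA limited to signing end entities, and one end-entity certificate, then verifies the chain, revokes the end-entity certificate, issues a CRL and shows that CRL-checked verification now rejects it. All names, directory layout, validity periods and extension choices are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not OpenCA's own code: offline root -> intermediate -> online
# issuing CA -> end entity, built with the OpenSSL CLI, followed by CRL revocation.
set -eu

# Create the files "openssl ca" needs plus a config whose $dir points at the CA.
init_ca_dir() {   # $1 = CA directory (absolute path)
  mkdir -p "$1/newcerts"
  : > "$1/index.txt"
  echo 1000 > "$1/serial"
  echo 1000 > "$1/crlnumber"
  cat > "$1/ca.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = req_dn
[ req_dn ]
commonName = placeholder
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_cn_only
[ policy_cn_only ]
commonName = supplied
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ v3_issuing_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

gen_key() { openssl ecparam -name prime256v1 -genkey -noout -out "$1"; }

build_hierarchy() {   # $1 = working directory; builds all four levels
  for ca in root intermediate issuing; do init_ca_dir "$1/$ca"; done
  # Level 1: self-signed root. Its key belongs on an offline machine.
  gen_key "$1/root/ca.key"
  openssl req -x509 -new -key "$1/root/ca.key" -config "$1/root/ca.cnf" \
    -extensions v3_ca -subj "/CN=Example Root CA" -days 3650 -out "$1/root/ca.crt"
  # Level 2: intermediate, signed by the root.
  gen_key "$1/intermediate/ca.key"
  openssl req -new -key "$1/intermediate/ca.key" -config "$1/intermediate/ca.cnf" \
    -subj "/CN=Example Intermediate CA" -out "$1/intermediate/ca.csr"
  openssl ca -batch -notext -config "$1/root/ca.cnf" -extensions v3_ca -days 1825 \
    -in "$1/intermediate/ca.csr" -out "$1/intermediate/ca.crt"
  # Level 3: online issuing CA with pathlen:0, so it can only sign end entities.
  gen_key "$1/issuing/ca.key"
  openssl req -new -key "$1/issuing/ca.key" -config "$1/issuing/ca.cnf" \
    -subj "/CN=Example Issuing CA" -out "$1/issuing/ca.csr"
  openssl ca -batch -notext -config "$1/intermediate/ca.cnf" -extensions v3_issuing_ca \
    -days 730 -in "$1/issuing/ca.csr" -out "$1/issuing/ca.crt"
  # End entity (the request an RA would forward to the CA for signing).
  gen_key "$1/leaf.key"
  openssl req -new -key "$1/leaf.key" -config "$1/issuing/ca.cnf" \
    -subj "/CN=www.example.test" -out "$1/leaf.csr"
  openssl ca -batch -notext -config "$1/issuing/ca.cnf" -extensions v3_leaf \
    -in "$1/leaf.csr" -out "$1/leaf.crt"
  # Chain presented with the leaf: everything except the trust anchor.
  cat "$1/issuing/ca.crt" "$1/intermediate/ca.crt" > "$1/chain.pem"
}

chain_verifies() {   # 0 if the leaf chains to the root through both sub-CAs
  openssl verify -CAfile "$1/root/ca.crt" -untrusted "$1/chain.pem" "$1/leaf.crt" >/dev/null 2>&1
}

revoke_leaf() {   # record the revocation in the issuing CA's database, then issue a CRL
  openssl ca -batch -config "$1/issuing/ca.cnf" -revoke "$1/leaf.crt" -crl_reason keyCompromise
  openssl ca -batch -config "$1/issuing/ca.cnf" -gencrl -out "$1/issuing/issuing.crl"
}

leaf_is_revoked() {   # 0 only if CRL-checked verification rejects the leaf as revoked
  out=$(openssl verify -crl_check -CAfile "$1/root/ca.crt" -CRLfile "$1/issuing/issuing.crl" \
        -untrusted "$1/chain.pem" "$1/leaf.crt" 2>&1) && return 1
  case "$out" in *revoked*) return 0 ;; esac
  return 1
}

WORK="${PKI_DEMO_DIR:-$(mktemp -d)}"
build_hierarchy "$WORK"
chain_verifies "$WORK"
echo "chain verifies before revocation"
revoke_leaf "$WORK"
leaf_is_revoked "$WORK"
echo "leaf rejected as revoked once the issuing CA's CRL is consulted; files in $WORK"
```

Two details matter in practice. The pathlen:0 constraint on the issuing CA means a compromise of that online key cannot be used to mint further CAs that chain to the root, which is exactly why the root and intermediate keys are kept offline. And the plain `openssl verify` still accepts the leaf after revocation; only a verifier that actually consults the CRL (or an OCSP responder) rejects it, so publishing CRLs is only half of revocation.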
The OpenCA guides consist of four parts. The first part is a design guide which should help you set up a good infrastructure. The second part describes all the activities which must be performed offline by the administrators. The third part is the user guide, which describes all the available features. The last part is the technology guide, which documents the ideas behind OpenCA; this documentation is only for developers and hardcore administrators who want to understand what's going on.
Finally we wish to thank everybody who helped us with programming, testing and documenting OpenCA. This includes of course all the universities and companies which finance the work of our developers.