I manage multiple certificate authorities – two are for my company, three are for customers, one is my personal and so on. I run certificate authorities because I do not like feeling dependant on companies with stupid security policies like commercial certificate companies. It my sound like I hate these companies but I only consider them as pure security evil (yet, I still must use them). :)
If you are asking, why you should manage your own certificate authority consider things like very own VPN server (based on OpenVPN or IPSEC), securing your sites and applications like OwnCloud or SOGo, signing emails (yes, you can do it with GPG) and so on. x509 standard is good – implementation and realisation is really bad.
So, if I do not want go usual way I need to manage CA on my own. I just to use TinyCA2 which seems to be dead, and I’m on OS X now so TinyCA2 did not fit to my system and workflow. Thank you for your service, but it is time to move to new home dear TinyCA2.
I found few other options like OpenVPN easy-rsa, some shell-hacked-ultimate-wrappers on Github, huge projects like OpenCA and so on. I even tried to use certificate helper integrated in Keychain Access on OS X.
Results:
* Keychain Access is good for generating certificate request for user, but sucks on CA management;
* OpenCA is way to big for me;
* easy-rsa and shell-hacked-ultimate-wrappers seemed to be solution, yet I do not like it;
Bummer.
Then I started to google around again and I realised I totally missed XCA project. After installation I really did not liked user interface, but it is just about habit. TinyCA2 UI was just different, you have to get used to new software (and is good if you know how certificates work – it will help :) ).
I did not made migration of old CA’s to new system as I’m waiting ’till certificates will expire and then I will migrate users to new standard with 4096 bit long keys.
What else you should know about this software?
* XCA stores whole CA in single file with suffix xdb;
* has pretty decent UI with glitches but I can survive them;
* supports whole subset of formats like DER, PEM, PFX and so on;
* allows you to sign external requests – I needed this;
* supports revocation lists – with little bit scripting you can automate it;
* has templates – I hate to fill forms again and again with same informations;
* has pretty good documentation;
Hope this software will stay with me as long as TinyCA2.