# OpenSSL GUI Interface

## diegoaugustomolina

Hi forum, I've got to manage a little CA but every once in a while I've got some big requests of client certificates. I set up a little script which recognizes simple actions like "CreateCSR" and "Sign", but in these bursts of requests it becomes a very time-consuming task and I need some help. I'm using dev-libs/openssl-1.0.0c.

I've seen in portage app-crypt/ { tinyca , xca }, but on the developers' sites I see the last changelog entries dated 2006 and April 2011 (respectively), so I've got my doubts about the maintainability of those packages. Can anyone tell me about them?

Googling around I found other CA manager software for Linux, but I prefer Gentoo-tested... (and a web interface, if it's not too much to ask).

I'm thinking of writing some PHP code to manage the certs with some helper functions documented in PHP's manual under Function Reference -> Cryptography Extensions -> OpenSSL. That would be a little more elaborate than my silly script, of course, and that would require X509 client authentication and maybe user/pass on top. If I actually have to write the code for lack of choices, I'd be happy to share it (and be thanked for comments), of course, though it would be really simple at first because I've got to cover my urgent needs first.

Any help appreciated.

----------

## depontius

Running a CA is such a sensitive function, especially these days.  Last time I messed with being a CA, I did so from a bootable CD and went offline to do so.  I did all I/O through a USB stick.

That was years ago.  You might want to look into a CA LiveCD that includes a GUI.  Beyond that, if you want to do some batching stuff, it would make sense to read the batch requests and turn them into a list of actions written to a USB stick, or even better would be to write a shell script to the USB stick.  Boot the CA LiveCD, insert the USB stick, and run the script, which would move the certs back to the stick when it's done.

The second part of this problem would be private keys and such, which would also have to be stored on the USB stick, preferably in an encrypted container.
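
The batch step described above, sketched as a shell function for the offline CA host. This is an added example, not part of the original post; the directory layout, file names and the client-certificate extension profile are assumptions.

```shell
#!/bin/sh
# Added example; paths and names are assumptions, not from the thread.
# Usage on the CA host: sign_batch ca.crt ca.key /mnt/usb/in /mnt/usb/out 365

# Extensions forced onto every issued cert. Nothing is copied from the CSR,
# so a requester cannot obtain CA:TRUE or extra key usages.
write_client_ext() {
    cat > "$1" <<'EOF'
[client]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# sign_batch CA_CERT CA_KEY IN_DIR OUT_DIR [DAYS]
# Signs each IN_DIR/*.csr to OUT_DIR/NAME.crt and logs one line per request
# in OUT_DIR/batch.log. Exit status is the number of rejected requests.
sign_batch() (  # subshell body keeps variables local
    ca_cert=$1 ca_key=$2 in_dir=$3 out_dir=$4 days=${5:-365}
    rejected=0
    mkdir -p "$out_dir"
    write_client_ext "$out_dir/client.ext"
    for csr in "$in_dir"/*.csr; do
        [ -e "$csr" ] || continue
        name=$(basename "$csr" .csr)
        # Proof of possession: the CSR must verify against its own public key.
        # Match the message text; some openssl versions exit 0 even on failure.
        if ! openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK'; then
            echo "REJECT $name invalid-csr" >> "$out_dir/batch.log"
            rejected=$((rejected + 1))
            continue
        fi
        if openssl x509 -req -in "$csr" -CA "$ca_cert" -CAkey "$ca_key" \
               -CAcreateserial -days "$days" -sha256 \
               -extfile "$out_dir/client.ext" -extensions client \
               -out "$out_dir/$name.crt" 2>/dev/null; then
            # Record serial and subject so the batch can be reviewed later.
            id=$(openssl x509 -in "$out_dir/$name.crt" -noout -serial -subject | tr '\n' ' ')
            echo "SIGNED $name $id" >> "$out_dir/batch.log"
        else
            rm -f "$out_dir/$name.crt"
            echo "REJECT $name signing-failed" >> "$out_dir/batch.log"
            rejected=$((rejected + 1))
        fi
    done
    exit "$rejected"
)
```

The serial file is created next to the CA certificate, so it stays on the CA host rather than on the transfer stick; only `*.crt` and `batch.log` need to travel back.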

----------

## diegoaugustomolina

Well, I use a USB stick formatted with LUKS in a completely isolated machine, and what I'm looking for is a GUI to use from the localhost. Of course, Open Source software for this is a must, and what I'm looking for is a rather small tool which I could track/debug easily. A lot of testing to be done... even so this would be an investment in time for me because this bunch of requests are expected to grow in the future in frequency and in amount.

I ask for a web GUI because I've got more experience programming web interfaces rather than GTK / QT / Java / Other interfaces, so that would help me when checking the code.

The nature of the purpose of the CA and the amount of the certificates needed forced us not to buy the certificates.

Thanks for the comments.

----------

## depontius

I believe I looked at some of the GUIs, including the ones you mentioned, and never got the hang of it.  I had so few certs to generate that I just did it at the command line.

Unfortunately I lost the keys to my container, so next time I do this I have to start all over.  Luckily I generated 10-year certs at the time.  When I start over, I'll revisit the GUI issue, including watching this thread.

----------

## diegoaugustomolina

Has anyone taken a look into EJBCA, SignServer and related projects?

They seem to be a good alternative for the task I'm having. Licensed under LGPL and written in Java, with few requirements like installation by hand of JBoss (or from the overlays, as you wish).

I'm gonna try this soft and expect some reviews probably later on the next week. Code peeping is each one's homework! (but hints are welcome since I-don't-Java).

----------

