pyca(8) System Manager's Manual pyca(8)
NAME
pyca - CA written in python
DESCRIPTION
The scripts in this suite are basically wrappers around openssl(1). Additionally, the scripts integrate the generic CA functionality with
the mail system and Apache for handling certificate requests; with LDAP for distributing certificates and revocation lists; and with
cron for maintenance tasks.
PROGRAMMES
pickle-cnf.py
Create a pickled copy of the OpenSSL configuration object for faster reading of the configuration. The pickle file name is the name of
the OpenSSL configuration file plus .pickle.
ca-make.py
Generate a CA hierarchy, all necessary files and directories, and all initial CRLs (see also the signedby extension in the OpenSSL
configuration file). This is intended to be run as user root since it sets the ownership and permissions.
ca-certreq-mail.py
Handles the mail dialogue after a certificate request. The SPKAC certificate request and LDIF data are moved from the directory
pend_reqs_dir to new_reqs_dir. Set this script in your /etc/aliases, procmailrc or similar to receive mails for the address
specified in caCertReqMailAdr.
ca-cycle-pub.py
This script is typically run by the CA admin user via cron or a similar task manager on a networked system holding the public
certificate data. It does several jobs:
* Publish new certificates and inform the user via e-mail where to download their certificate
* Remove stale certificate requests from pend_reqs_dir.
* Spool certificate requests and certificate revocation requests to the system holding the CA's private keys. (not implemented yet)
* Spool certificates and certificate revocation lists from the system holding the CA's private keys. (not implemented yet)
ca-cycle-priv.py
This script is run on the system where the private keys of the CA are stored. It does several jobs:
* Mark expired certificates in OpenSSL certificate database
* Generate new CRLs, move old CRLs to archive (not implemented yet)
* Process certificate requests and certificate revocation requests (not implemented yet)
* Spool certificate database, issued certificates and CRLs to public WWW and LDAP server (not implemented yet)
SEE ALSO
pyca(1)
The programs are documented fully by the HTML documents in /usr/share/doc/pyca/htdocs/
COPYRIGHT
Copyright (C) 2001 - 2003 Michael Stroeder <michael@stroeder.com>
This software including all modules is Open Source and given away under: GPL (GNU GENERAL PUBLIC LICENSE) Version 2.
The author refuses to give any warranty of any kind.
AUTHOR
Michael Stroeder <michael@stroeder.com>
This manual page was written by Lars Bahner <bahner@debian.org>, for the Debian GNU/Linux system (but may be used by others).
June 30, 2002 pyca(8)
PKI(1) strongSwan PKI(1)
NAME
pki - Simple public key infrastructure (PKI) management tool
SYNOPSIS
pki command [option ...]
pki -h | --help
DESCRIPTION
pki is a suite of commands that allow you to manage a simple public key infrastructure (PKI).
Generate RSA and ECDSA key pairs, create PKCS#10 certificate requests containing subjectAltNames, create X.509 self-signed end-entity and
root CA certificates, issue end-entity and intermediate CA certificates signed by the private key of a CA and containing subjectAltNames,
CRL distribution points and URIs of OCSP servers. You can also extract raw public keys from private keys, certificate requests and
certificates and compute two kinds of SHA-1-based key IDs.
COMMANDS
-h, --help
Prints usage information and a short summary of the available commands.
-g, --gen
Generate a new private key.
-s, --self
Create a self-signed certificate.
-i, --issue
Issue a certificate using a CA certificate and key.
-c, --signcrl
Issue a CRL using a CA certificate and key.
-r, --req
Create a PKCS#10 certificate request.
-7, --pkcs7
Provides PKCS#7 wrap/unwrap functions.
-k, --keyid
Calculate key identifiers of a key or certificate.
-a, --print
Print a credential (key, certificate etc.) in human readable form.
-p, --pub
Extract a public key from a private key or certificate.
-v, --verify
Verify a certificate using a CA certificate.
EXAMPLES
Generating a CA Certificate
The first step is to generate a private key using the --gen command. By default this generates a 2048-bit RSA key.
pki --gen > ca_key.der
This key is used to create the self-signed CA certificate, using the --self command. The distinguished name should be adjusted to your
needs.
pki --self --ca --in ca_key.der
--dn "C=CH, O=strongSwan, CN=strongSwan CA" > ca_cert.der
Generating End-Entity Certificates
With the root CA certificate and key at hand, end-entity certificates for clients and servers can be issued. Similarly, intermediate CA
certificates can be issued, which in turn can issue other certificates. To generate a certificate for a server, we start by generating a
private key.
pki --gen > server_key.der
The public key will be included in the certificate, so let's extract it from the private key.
pki --pub --in server_key.der > server_pub.der
The following command will use the CA certificate and private key to issue the certificate for this server. Adjust the distinguished name,
subjectAltName(s) and flags as needed (check pki --issue(8) for more options).
pki --issue --in server_pub.der --cacert ca_cert.der
--cakey ca_key.der --dn "C=CH, O=strongSwan, CN=VPN Server"
--san vpn.strongswan.org --flag serverAuth > server_cert.der
Instead of storing the public key in a separate file, the output of --pub may also be piped directly into the above command.
Generating Certificate Revocation Lists (CRL)
If end-entity certificates have to be revoked, CRLs may be generated using the --signcrl command.
pki --signcrl --cacert ca_cert.der --cakey ca_key.der
--reason superseded --cert server_cert.der > crl.der
The certificate given with --cacert must be either a CA certificate or a certificate with the crlSign extended key usage (--flag crlSign).
URIs to CRLs may be included in issued certificates with the --crl option.
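The whole flow from the EXAMPLES section, as an added script that is not part of the strongSwan man page: it builds the CA, issues the server certificate, checks it with --verify, revokes it into a CRL and confirms the CRL records the revocation. It assumes the strongSwan pki binary is on PATH; the scratch directory name is an argument chosen by the caller.

```shell
#!/bin/sh
# Added example, not part of the strongSwan man page: runs the EXAMPLES flow
# (CA key -> self-signed CA -> server key -> issued cert -> CRL) end to end
# and checks the outcome. Assumes the strongSwan "pki" binary is on PATH.
set -eu

# build_demo_pki DIR: create the demo PKI inside DIR (assumed writable).
# Returns 0 if the server certificate verifies against the CA and the CRL
# records its revocation, 1 on any pki failure, 2 if pki is not installed.
build_demo_pki() {
    command -v pki >/dev/null 2>&1 || return 2
    mkdir -p "$1" || return 1
    ( cd "$1" &&
      # 1. CA key (2048-bit RSA by default) and self-signed CA certificate
      pki --gen > ca_key.der &&
      pki --self --ca --in ca_key.der \
          --dn "C=CH, O=strongSwan, CN=strongSwan CA" > ca_cert.der &&
      # 2. server key; its public key is piped straight into --issue
      pki --gen > server_key.der &&
      pki --pub --in server_key.der | pki --issue --cacert ca_cert.der \
          --cakey ca_key.der --dn "C=CH, O=strongSwan, CN=VPN Server" \
          --san vpn.strongswan.org --flag serverAuth > server_cert.der &&
      # 3. chain check: --verify exits non-zero unless CA signature and chain hold
      pki --verify --in server_cert.der --cacert ca_cert.der &&
      # 4. revoke the server cert (reason superseded) and confirm the CRL lists it
      pki --signcrl --cacert ca_cert.der --cakey ca_key.der \
          --reason superseded --cert server_cert.der > crl.der &&
      pki --print --type crl --in crl.der | grep -q superseded
    ) || return 1
}

# Usage: sh demo_pki.sh /tmp/demo-pki  (without an argument only the function is defined)
[ $# -ge 1 ] && build_demo_pki "$1"
```

The files left in the directory (ca_cert.der, server_cert.der, crl.der) are the same artefacts the man page's commands produce, so they can be inspected with pki --print afterwards.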
SEE ALSO
pki --gen(1), pki --self(1), pki --issue(1), pki --signcrl(1), pki --req(1), pki --pkcs7(1), pki --keyid(1), pki --print(1), pki --pub(1),
pki --verify(1)
5.1.1 2013-07-31 PKI(1)