
Certificate Authority

From Adapt

Revision as of 17:51, 11 September 2008 by Toaster (talk | contribs)

The Adapt CA is designed to help create keystores (PKCS#12) for use in various Adapt projects.

Features

  • create new ca certificates, or import openssl keys
  • maintain a list of certificates to include in pkcs12 keystores
  • create pkcs12 keystores
  • sign and optionally store certificate requests

Setup

You will need to have Jakarta/Apache Tomcat installed. The CA has been tested on 5.5.7 and higher. After you have Tomcat installed, download the adapt-ca.xml and adapt-ca.war files listed below. Place the war file in your tomcat/webapps directory and the adapt-ca.xml in your tomcat/conf/Catalina/localhost directory. You will need to edit adapt-ca.xml before starting Tomcat.

Edit the 'value' attribute of the following line so that it points to a directory the CA can use for storing keys and certificates. Tomcat must be able to write to this directory; since the CA's private key is kept there, it should not be readable by other users on the host.

  <Parameter name="ca.directory" value="/export/tomcat/adapt-ca"/>

You can now start Tomcat. When you browse to adapt-ca, you'll be presented with a configuration screen to either import existing certificates or create a new pair.

  1. To use an existing pair, upload the private and public key files for the CA. You will also need to enter the password to unlock the private key. This is not stored on the server, but rather used to ensure the public and private keys are a valid pair.
  2. To create a new certificate, fill in the certificate information in the second part of the form.

[Image: Adapt-ca-config-web.png]

Now you are ready to start signing keys and creating keystores. To sign keys, you need to log in (upper right) using the CA's key password.

[Image: Adapt-ca-index-web.png]

Stored Keys

The CA is able to store keys that will be included in any created keystores. These keys can be imported by clicking on 'Modify Included public keys'. You can add new keys (PEM format) or remove previously registered keys. Also, when you sign keys or create a keystore, you have the option to add the resulting certificate to the list of included keys.

Using 'download ca certificate' or 'download public keys' you can view and download the PEM-formatted certificates that are stored on the CA. This is available to anyone, without logging in.

Sign Keys

The CA can sign certificate signing requests (CSRs) generated with openssl, for example:

  openssl req -new -nodes -out client-req.pem -keyout private/client-key.pem -days 365 -config ./openssl.cnf

From the 'sign certificate' item, paste the CSR into the text box and optionally enter an alias if the signed certificate is to be stored. After clicking 'Sign Certificate' you will be able to download the signed certificate.

Create Keystores

Creating a keystore will let you create a new key pair, sign it, and include any registered public keys from the CA in the resulting keystore. Keystores are returned in PKCS#12 format. OpenSSL can read and convert these (see openssl pkcs12).

Click on 'Create new keystore'. You will need to fill in the information for creating this certificate. The alias listed will be the alias in the created keystore and is also used to register it on the CA if desired. When you have entered all the information, click 'Create keystore' and you will be able to download the new keystore.
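The following script is an added example and is not part of the Adapt CA or this page; it reproduces the same steps the web application performs, using only the openssl command line, so that each artifact can be inspected on disk: creating a CA pair, the "valid pair" check the import form runs against a private key and certificate, generating a client CSR in the same shape as the command above, signing it under the CA, and packing the signed certificate together with an included CA certificate into a PKCS#12 keystore under an alias. All file names, subject names and the keystore password are constructed for the example and written to a throwaway directory.

```shell
#!/bin/sh
# Added example (not the Adapt CA's own code): the CA workflow done locally
# with the openssl CLI. Names, subjects and the password are constructed.
set -e

WORK="${WORK:-$(mktemp -d)}"

# 1. A CA key pair, equivalent to filling in the "create a new certificate" form.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Adapt Test CA" \
    -keyout "$WORK/ca-key.pem" -out "$WORK/ca-cert.pem" 2>/dev/null
}

# 2. The pair check the import form performs: the public key embedded in the
#    certificate ($1) must equal the public key derived from the private key ($2).
keys_match() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  [ "$cert_pub" = "$key_pub" ]
}

# 3. A client CSR, the same request the page's openssl command produces
#    (an explicit key size and subject replace the custom openssl.cnf).
make_csr() {
  openssl req -new -nodes -newkey rsa:2048 -subj "/CN=client1" \
    -keyout "$WORK/client-key.pem" -out "$WORK/client-req.pem" 2>/dev/null
}

# 4. What "Sign Certificate" does: issue a certificate from the CSR under the CA.
sign_csr() {
  openssl x509 -req -in "$WORK/client-req.pem" \
    -CA "$WORK/ca-cert.pem" -CAkey "$WORK/ca-key.pem" -CAcreateserial \
    -days 365 -out "$WORK/client-cert.pem" 2>/dev/null
}

# 5. What "Create keystore" does: private key + signed certificate + the
#    included CA certificate, stored under the alias "client1" in PKCS#12.
make_p12() {
  openssl pkcs12 -export -name client1 \
    -inkey "$WORK/client-key.pem" -in "$WORK/client-cert.pem" \
    -certfile "$WORK/ca-cert.pem" -passout pass:changeit \
    -out "$WORK/client.p12"
}

# 6. Checks a recipient can run on the downloaded files: the issued
#    certificate chains to the CA, and the keystore opens and carries both
#    certificates (the client's own and the included CA certificate).
cert_verifies() {
  openssl verify -CAfile "$WORK/ca-cert.pem" "$WORK/client-cert.pem" >/dev/null 2>&1
}

p12_cert_count() {
  openssl pkcs12 -in "$WORK/client.p12" -passin pass:changeit -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

run_all() {
  make_ca
  keys_match "$WORK/ca-cert.pem" "$WORK/ca-key.pem"
  make_csr
  sign_csr
  make_p12
  cert_verifies
}

run_all
printf 'CA, signed client certificate and PKCS#12 keystore written to %s\n' "$WORK"
```

Running the script leaves ca-cert.pem, client-cert.pem and client.p12 in the working directory; `openssl pkcs12 -in client.p12 -info -nokeys` shows the alias as the friendlyName of the first certificate bag, which is what the CA means by the alias "in the created keystore". The pair check in step 2 is deliberately a comparison of the two public keys rather than an attempt to use the private key, which is all the import form needs to establish before it accepts the upload.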