OpenCA

Developer(s): OpenCA Labs
Type: PKI Software
Operating system: Multi-platform
Stable release: v1.5.2 / May 10, 2014
License: GNU General Public License

OpenCA, officially the OpenCA PKI Research Labs and formerly the OpenCA Project, is a PKI collaborative effort to develop a robust, full-featured and open-source out-of-the-box certification authority implementing the most used protocols with full-strength cryptography. OpenCA is based on many open-source projects; among these are OpenLDAP, OpenSSL and Apache projects.


Project development is divided into two main tasks: studying and refining the security model to be used in a certificate authority, and developing software to easily set up and manage a CA.

The software development side of the project is further divided into the following sub-projects:

  • OpenCA PKI, a full-featured PKI package.
  • LibPKI, a library for PKI application development.
  • OpenCA OCSPD, a small, robust Online Certificate Status Protocol daemon.
  • PRQPD Server, a PKI Resource Query Protocol daemon for use in conjunction with the PKI package.
  • OpenCA-ng, a next-generation project planned to implement new features and overcome limitations of the current project.

OpenCA PKI

The problem with Public Key Infrastructures (PKIs) is that, although most applications can be secured with certificates and keys, setting up a PKI is difficult and sometimes costly, because flexible trust-center software is expensive.

OpenCA started in 1999. The first idea consisted of three major parts: a Perl web interface, an OpenSSL backend for the cryptographic operations, and a database. This simple concept is still the developers' motto today. Nearly all operations can be performed via a web interface; six interfaces are preconfigured, and many more can be created from them as needed. The cryptographic backend is OpenSSL, which is in no way a disadvantage. OpenCA aims to build the organizational infrastructure for a PKI. OpenCA's databases store all the needed information about the users' cryptographic objects, such as Certificate Signing Requests (CSRs), certificates, Certificate Revocation Requests (CRRs) and Certificate Revocation Lists (CRLs).

OpenCA PKI Features

Today OpenCA supports the following elements (an incomplete list, intended just to give an impression of how complex the subject matter is):

  • Public interface
  • LDAP interface
  • RA interface
  • CA interface
  • SCEP
  • OCSP
  • IP-filters for interfaces
  • Passphrase based login
  • Certificate based login (including smartcards)
  • Role Based Access Control
  • Flexible Certificate Subjects
  • Flexible Certificate Extensions
  • PIN based revocation
  • Digital signature based revocation
  • CRL issuing
  • Warnings for soon to expire certificates
  • Support for nearly every (graphical) browser

OpenCA is designed for a distributed infrastructure. It can not only handle an offline CA and an online RA, but can also be used to build a whole hierarchy with three or more levels. OpenCA is not just a small solution for small and medium research facilities; the goal is to support maximum flexibility for big organizations like universities, grids and global companies.
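The objects the previous paragraphs describe (a multi-level CA hierarchy, CRL issuing, and warnings for soon-to-expire certificates) are easier to grasp with a minimal working model. The following is an added example and not code from OpenCA: it uses Go's standard-library crypto/x509 instead of OpenCA's Perl-plus-OpenSSL stack, and the names "Demo Root CA", "Demo Issuing CA", "alice" and "bob", the serial numbers and the 30-day warning window are all constructed for the demonstration. It builds a three-level chain (offline root, issuing CA, end-entity certificates), has the issuing CA sign a CRL that revokes one user, and then reports chain validity, revocation status and expiry warnings the way a CA operator's interface would.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Entity is one node of the hierarchy: a certificate plus the key that signs with it.
// In a real deployment the root's key would live only on the offline CA machine.
type Entity struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// issue creates a certificate for cn signed by parent; a nil parent means a
// self-signed root. CA certificates get keyCertSign/cRLSign, leaves get clientAuth.
func issue(cn string, isCA bool, parent *Entity, validFor time.Duration, serial int64) (*Entity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(validFor),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	signerCert, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signerCert, signerKey = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Entity{Cert: cert, Key: key}, nil
}

// issueCRL has issuer sign a CRL listing the given serials, valid for one day.
func issueCRL(issuer *Entity, revoked []int64, number int64) ([]byte, error) {
	now := time.Now()
	var entries []pkix.RevokedCertificate
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: now})
	}
	tmpl := &x509.RevocationList{
		Number: big.NewInt(number), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: entries,
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, issuer.Cert, issuer.Key)
}

// Status is what an operator wants to know about one end-entity certificate.
type Status struct {
	ChainValid bool          // chains to the root through the issuing CA
	Revoked    bool          // serial appears on a fresh, correctly signed CRL
	ExpiresIn  time.Duration // time left before NotAfter
	ExpiryWarn bool          // expires within the warning window
}

// check validates leaf against the hierarchy and the issuing CA's CRL.
func check(leaf *x509.Certificate, root, inter *Entity, crlDER []byte, warnWindow time.Duration) (Status, error) {
	var st Status
	now := time.Now()
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root.Cert)
	inters.AddCert(inter.Cert)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	st.ChainValid = err == nil

	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return st, err
	}
	// A CRL is only usable if the issuing CA signed it and it is not stale.
	if err := crl.CheckSignatureFrom(inter.Cert); err != nil {
		return st, fmt.Errorf("CRL signature: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return st, fmt.Errorf("CRL stale since %s", crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			st.Revoked = true
		}
	}
	st.ExpiresIn = leaf.NotAfter.Sub(now)
	st.ExpiryWarn = st.ExpiresIn < warnWindow
	return st, nil
}

// Demo builds root -> issuing CA -> two users, revokes the second and reports both.
func Demo() (alice, bob Status, err error) {
	root, err := issue("Demo Root CA", true, nil, 10*365*24*time.Hour, 1)
	if err != nil {
		return
	}
	inter, err := issue("Demo Issuing CA", true, root, 5*365*24*time.Hour, 2)
	if err != nil {
		return
	}
	a, err := issue("alice", false, inter, 365*24*time.Hour, 1001)
	if err != nil {
		return
	}
	b, err := issue("bob", false, inter, 20*24*time.Hour, 1002) // expires in 20 days
	if err != nil {
		return
	}
	crl, err := issueCRL(inter, []int64{1002}, 1) // revoke bob's certificate
	if err != nil {
		return
	}
	if alice, err = check(a.Cert, root, inter, crl, 30*24*time.Hour); err != nil {
		return
	}
	bob, err = check(b.Cert, root, inter, crl, 30*24*time.Hour)
	return
}

func main() {
	alice, bob, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("alice: %+v\nbob:   %+v\n", alice, bob)
}
```

The design point worth noticing is that revocation is checked against a CRL whose signature and freshness are verified first; an unsigned or stale CRL would otherwise let a revoked certificate pass. The expiry warning is a policy threshold applied at check time, which is how a CA front end can flag certificates before they lapse without touching the certificates themselves.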

References

OpenCA Wikipedia