µ-CA-Tool for Certificate Management and SmartCards
SektionEins is delighted to announce the release of the open source µ-CA-Tool.
The µ-CA-Tool (pronounced 'micro CA tool') is a high-level CLI frontend for OpenSSL, OpenSC and GnuPG, written in Bash. It has been developed to simplify the handling and management of X.509 certificates, whether the private keys live in files or on hardware tokens.
Overview - Problem/Solution
X.509 certificates are commonly used for
encryption, e.g. the 'S' in HTTPS and S/MIME email encryption
authentication, e.g. TLS client authentication or SSH login
signing, e.g. code signing for software distribution or certificate signing.
In each case the private key that belongs to the certificate must stay private. A SmartCard can hold the private key and perform the decryption or signing operation on the card itself, so the key never leaves it. Before this can be used, a number of preparatory tasks are usually required, all of which can be done with the µ-CA-Tool:
Create CA as files
or Create CA on a SmartCard
or Create CA as files and store on SmartCard
Create intermediate CA
Sign other certificates
Backup CA key with n-of-m scheme key sharing
Create client certificates
Basic SmartCard functions: Info, Read, Write, Generate keys, Reset
SmartCard Support
The µ-CA-Tool was developed with a focus on the Nitrokey Pro and the Crypto Stick. However, other OpenPGP cards and PKCS#11-compliant SmartCards should work as well, e.g. Nitrokey Storage, Yubikey Neo or the FSFE Fellowship Smart Card.
Download & Feedback
The source code is available from GitHub, licensed under the Apache License, Version 2.0.
Please send feature requests and bug reports directly to the issue tracker.
Ben Fuhrmannek