µ-CA-Tool for Certificate Management and SmartCards

SektionEins is delighted to announce the release of the open source µ-CA-Tool.

The µ-CA-Tool (pronounced 'micro CA tool') is a high-level CLI frontend for OpenSSL, OpenSC and GnuPG, written in Bash. It has been developed to simplify the handling and management of X.509 certificates with and without private keys stored on hardware tokens.

Overview - Problem/Solution

X.509 certificates are commonly used for

  • encryption, e.g. TLS (the 'S' in HTTPS) and S/MIME email encryption

  • authentication, e.g. TLS client authentication or SSH login

  • signing, e.g. code signing for software distribution or certificate signing.

In each instance the private key belonging to the certificate must stay private. A SmartCard can hold the private key and perform the decryption or signing operation on the card without ever divulging the key. Before this can work, a number of preparatory tasks are common; all of them can be done with the µ-CA-Tool:

  • Create CA as files

  • or Create CA on a SmartCard

  • or Create CA as files and store on SmartCard

  • Create intermediate CA

  • Sign other certificates

  • Back up the CA key with an n-of-m secret-sharing scheme

  • Create client certificates

  • Basic SmartCard functions: Info, Read, Write, Generate keys, Reset
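The CA tasks listed above, carried out by hand with plain OpenSSL so that each step is visible. This is an added example for this page, not the µ-CA-Tool's own commands and not code from the project: it builds a root CA, an intermediate CA and a client certificate as files, then verifies the chain and shows why the intermediate has to be offered alongside the leaf. It assumes an openssl binary on PATH; every subject name, lifetime and file name is made up for the example, and the n-of-m backup of the CA key and the SmartCard steps are not covered.

```shell
#!/bin/sh
# Added example (not part of the µ-CA-Tool or the original post): the CA tasks the
# post lists, done with plain OpenSSL so the individual steps are visible.
#   root CA -> intermediate CA -> client certificate, then chain verification.
# Assumes an openssl binary on PATH; names, subjects and lifetimes are made up.
set -eu
umask 077   # private keys land on disk as 0600; a SmartCard would avoid files entirely

# build_pki DIR: create root.key/root.crt, int.key/int.crt and client.key/client.crt in DIR.
# The body runs in a subshell so the cd does not leak into the caller.
build_pki() (
  mkdir -p "$1" && cd "$1"

  # One config file: a minimal [req] section (so no system openssl.cnf is needed)
  # plus one extension profile per certificate type.
  cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]

[v3_root]
basicConstraints = critical, CA:TRUE, pathlen:1
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[v3_intermediate]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always

[v3_client]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF

  # 1. Root CA: key, CSR, self-signed certificate carrying the CA extensions.
  openssl ecparam -name prime256v1 -genkey -noout -out root.key
  openssl req -new -config pki.cnf -key root.key -subj "/CN=Example Root CA" -out root.csr
  openssl x509 -req -in root.csr -signkey root.key -sha256 -days 3650 \
      -extfile pki.cnf -extensions v3_root -out root.crt

  # 2. Intermediate CA: signed by the root; pathlen:0 means it cannot issue further CAs.
  openssl ecparam -name prime256v1 -genkey -noout -out int.key
  openssl req -new -config pki.cnf -key int.key -subj "/CN=Example Issuing CA" -out int.csr
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial -sha256 -days 1825 \
      -extfile pki.cnf -extensions v3_intermediate -out int.crt

  # 3. Client certificate: signed by the intermediate, restricted to clientAuth.
  openssl ecparam -name prime256v1 -genkey -noout -out client.key
  openssl req -new -config pki.cnf -key client.key -subj "/CN=alice" -out client.csr
  openssl x509 -req -in client.csr -CA int.crt -CAkey int.key -CAcreateserial -sha256 -days 365 \
      -extfile pki.cnf -extensions v3_client -out client.crt
)

# verify_chain DIR: returns 0 iff client.crt chains to the trusted root via the intermediate.
verify_chain() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/int.crt" "$1/client.crt" >/dev/null 2>&1
}

# verify_without_intermediate DIR: the same check with only the root offered.
# Expected to fail: a relying party needs the intermediate (sent in the TLS handshake
# or configured locally) to reach the trust anchor.
verify_without_intermediate() {
  openssl verify -CAfile "$1/root.crt" "$1/client.crt" >/dev/null 2>&1
}

# Demo run when the script is executed directly.
demo_dir=$(mktemp -d)
build_pki "$demo_dir"
verify_chain "$demo_dir" && echo "client -> intermediate -> root: OK"
verify_without_intermediate "$demo_dir" || echo "without intermediate: rejected (expected)"
```

The root key only ever signs the intermediate, which is the property a SmartCard-held or n-of-m-backed-up root key is meant to protect; day-to-day issuance happens with the intermediate key, and the pathlen:0 constraint on it limits the damage if that key is ever exposed.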

SmartCard Support

The µ-CA-Tool was developed with a focus on the Nitrokey Pro and the Crypto Stick. However, other OpenPGP cards and PKCS#11 compliant SmartCards should work as well, e.g. the Nitrokey Storage, the YubiKey NEO or the FSFE Fellowship Smart Card.

Download & Feedback

The source code is available from GitHub, licensed under the Apache License, Version 2.0.

Please send feature requests and bug reports directly to the issue tracker.

Ben Fuhrmannek