MiniCA X.509 certificate and key manager

MiniCA is a web application for creating and managing X.509 certificates and private keys.

With MiniCA you can:

  1. Create or import pairs of root certificates and keys.
  2. Create, store (with encrypted private keys) and export large numbers of user certificates.
  3. Revoke/unrevoke certificates.
  4. Create and export a revocation list.
  5. Use national (non-ASCII) characters in certificate names.

The number of managed certificates is limited only by your server hardware and your browser. I use this application to manage more than 3,000 corporate certificates.

The application is currently a beta release: it may need some refinement, but it works well.

Features and capabilities

  • Certificates and keys are imported and exported in PEM encoding.
  • The CA private key is stored encrypted with PKCS#5 password-based encryption under the CA password.
  • An "end user" private key is stored encrypted with AES-256-CBC under a random, securely generated keyword; that keyword is in turn encrypted with the CA public key. The stored key can therefore be decrypted only with the CA private key, which itself requires the CA password.
  • Private keys are exported encrypted with PKCS#5 under a password of your choice.
  • A command-line tool is provided for mass import of certificates and keys.
  • KISS interface.
  • Certificates are stored in SQLite3 by default, but in theory another DBMS such as PostgreSQL or MySQL can be used.
  • The application is written in Perl and is easy to modify.

Dear fans of PHP, Ruby, JS and other programming languages: I'm sorry, but Perl is the best choice for this purpose because its cryptographic modules cover the entire life cycle of X.509 certificates.
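The key-storage scheme from the feature list, reproduced as an added example with the openssl command-line tool. This is not MiniCA's own code (MiniCA does this through Perl modules and keeps the blobs in its database, not in files); it assumes OpenSSL 1.1.0 or later (for -pbkdf2), uses RSA-OAEP for wrapping the keyword (the page does not say which RSA padding MiniCA uses), and places everything under a scratch directory. The CA password is the demo value from this page.

```shell
#!/bin/sh
# Added example, not MiniCA's code: the hybrid "end user" key storage the feature list describes.
#   - CA private key: PKCS#5 password-based encryption (AES-256-CBC) under the CA password
#   - user private key: AES-256-CBC under a random keyword
#   - keyword: RSA-encrypted to the CA public key, so recovery needs the CA key AND its password
# Assumed: OpenSSL >= 1.1.0, RSA-OAEP padding for the keyword wrap, file storage under $WORK.

WORK="${MINICA_DEMO_DIR:-$(mktemp -d)}"   # scratch directory (assumption; MiniCA uses a database)
CA_PASS='1234567'                          # the page's demo CA password; never reuse it for real
umask 077                                  # every file created below is owner-readable only

# Create the password-encrypted CA key and extract its public half.
make_ca() {
    printf '%s\n' "$CA_PASS" > "$WORK/ca.pw"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -aes-256-cbc -pass file:"$WORK/ca.pw" -out "$WORK/ca.key" 2>/dev/null &&
    openssl pkey -in "$WORK/ca.key" -passin file:"$WORK/ca.pw" -pubout -out "$WORK/ca.pub"
}

# Store a plaintext PEM key ($1) under storage name ($2). Only the AES-encrypted key and the
# RSA-wrapped keyword are kept; the plaintext keyword is destroyed after use.
# Passwords are passed as files, not on the command line, so they do not show up in `ps`.
store_user_key() {
    kw="$WORK/$2.kw"
    openssl rand -hex 32 > "$kw" &&
    openssl enc -aes-256-cbc -pbkdf2 -salt -pass file:"$kw" -in "$1" -out "$WORK/$2.key.enc" &&
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/ca.pub" -pkeyopt rsa_padding_mode:oaep \
        -in "$kw" -out "$WORK/$2.kw.enc"
    rc=$?
    rm -f "$kw"
    return $rc
}

# Export stored key ($1) to file ($3); $2 is a file holding the CA password. Returns non-zero
# with a wrong CA password, because the CA private key cannot be loaded to unwrap the keyword.
export_user_key() {
    tmpkw="$WORK/$1.kw.dec"
    openssl pkeyutl -decrypt -inkey "$WORK/ca.key" -passin file:"$2" -pkeyopt rsa_padding_mode:oaep \
        -in "$WORK/$1.kw.enc" -out "$tmpkw" 2>/dev/null &&
    openssl enc -d -aes-256-cbc -pbkdf2 -pass file:"$tmpkw" \
        -in "$WORK/$1.key.enc" -out "$3" 2>/dev/null
    rc=$?
    rm -f "$tmpkw"
    return $rc
}

sha256_of() { openssl dgst -sha256 -r < "$1"; }

# Full round trip: succeeds only when the exported key is byte-identical to the original.
demo_roundtrip() {
    make_ca &&
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/alice.key" 2>/dev/null &&
    store_user_key "$WORK/alice.key" alice &&
    export_user_key alice "$WORK/ca.pw" "$WORK/alice.key.exported" &&
    [ "$(sha256_of "$WORK/alice.key")" = "$(sha256_of "$WORK/alice.key.exported")" ]
}

# The same export with a wrong CA password must fail: the keyword cannot be unwrapped.
demo_wrong_password() {
    printf '%s\n' 'not-the-ca-password' > "$WORK/wrong.pw"
    ! export_user_key alice "$WORK/wrong.pw" "$WORK/alice.key.leak"
}

if demo_roundtrip && demo_wrong_password; then
    echo "round trip OK: exported key matches, wrong CA password rejected (work dir: $WORK)"
else
    echo "demo failed (work dir: $WORK)" >&2
fi
```

Run the script with `sh`; it leaves the encrypted artifacts in the scratch directory so you can inspect them (`alice.key.enc`, `alice.kw.enc`, and no plaintext `alice.kw`). The point to take from it is the trust structure: compromising the database alone yields only AES ciphertext and RSA-wrapped keywords, and the CA password is the one secret that unlocks everything, which is why its handling on the server matters more than anything else in the deployment.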

Demo

https://minica.unix7.org:5100

Login: officer, password: 1234567
The master and CA passwords are also 1234567.

License

Dependencies

To build and run the application you must install these Perl modules:

You can download the Perl patches below. FreeBSD ports are here:

Update 2017-Jun-20: the patches have been committed to FreeBSD ports.

Download

Build and start

# wget https://minica.unix7.org/_media/minica-xxx.tar.xz
# tar xf minica-xxx.tar.xz
# cd minica-xxx
# adduser minica

# ./configure --prefix=/usr/local
# make install

# cd /var/db/minica
# cp minica.db.example minica.db
# cp minica.pw.example minica.pw
# chown minica minica.db minica.pw

# cd /usr/local/etc/minica
# cp minica.conf.example minica.conf

# /usr/local/sbin/minica
# more /var/log/minica/minica.log

Patches

Crypt::OpenSSL::CA patches

Crypt::OpenSSL::RSA patches

Patched sources

Restrictions for the release

  • Only PEM.
  • Only RSA.
  • Don't know how to make coffee.

Motivation

  1. It's a personal project for myself, and I don't care to be limited to a single corporate installation.
  2. I'm committed to my obligation to the “open source” community.

With sufficient interest from the community, I will continue to improve and develop this application. I could add scp/sftp transport for CRL distribution, PKCS#12 export of certificate and key pairs, etc.

Author

With thanks to my wife Anna and my friends.

Drafts


  • Application data flow from CA HTML form to certificate storage/database.

  • Application data flow from database to exported certificate-key pair.

  • Generic OOP model of the application.