FAQ
0. What's an X.509 certificate/certification authority/PKI?
1. How does ElyCA work?
2. How can I start using ElyCA?
3. How can I clean the database and erase all certificates I created?
4. Why don't you generate request files (PKCS#10) in the Registration Authority?
5. How does the Registration Authority work?
6. I read the INSTALL file and I'm not able to get ElyCA working.
7. How can I get ElyCA running? Root CA versus sub-CA's
8. Does ElyCA work with Boa, Apache 2.x, Cherokee,... my favorite web server?
9. Does ElyCA support a different SQL database than MySQL?
0. What's an X.509 certificate/certification authority/PKI?
Hmm, it seems you have no idea what all these things are for. I wrote something for you; have a look at the INFO file.
1. How does this work?
After installing, go to http://localhost/~elyca/gui/ using your favorite web browser. You'll see two frames; on the left bar there are seven buttons. I'll explain each one.
1) New certificate:
After clicking this button you'll see more buttons:
+ email (S/MIME)
+ server
+ client
+ object signing
You can generate certificates for email protection, servers, clients
and object signing. After you fill in the form and click on DONE, a
private key, a certificate and a PKCS#12 are generated for that
entity. How can you get the certificate you generated? It's easy:
/home/elyca/public_html/cgi-bin/
email/
|--- certs (x509 certificates)
|--- crl (certificate revocation list)
|--- key (private keys)
|--- pkcs12 (pkcs#12)
client/
|... (the same thing)
Every certificate/key/pkcs12 is named following this pattern:
[Who_signed_it]_[serial_in_hex].[type]
For example:
root_0x3.crt: the Root CA key signed it, its serial number is 0x3
and the file contains a certificate (public key).
email_0x4.key: the Email sub-CA key signed it, its serial number
is 0x4 and the file contains a private key.
How can you get the password for the private key and the PKCS#12?
Just click on that little icon which looks like an identity card. See
sections Database, Revoke and Renew.
And how can you see a certificate in human-readable text? Click on the
serial of the certificate (the first column).
How can I save the certificate/private key/PKCS#12 to a disk file or
any kind of removable media? Just click on the icons labelled
something like "key", "cert" and "pkcs#12".
2) Database:
+ Show certificates. There's an option bar in the upper right corner
which you can use to set up configurable filters.
+ Search for a certificate: look for a certificate.
3) Revoke:
+ Revoke certificate: select one or more certificates and revoke them.
If you want to use a revocation reason, go to the Settings section.
+ Generate a CRL: generate a certificate revocation list.
4) Renew:
+ Renew certificate: renew all selected certificates.
5) CA:
+ Generate a CA: generate a Certification Authority which will sign
the other certificates we generate. Only one CA certificate at the moment.
There's no support for sub-CA's :(
+ Generate sub-CA's.
6) Settings:
+ Set Root CA and general settings. This section lets you configure
your CA without editing the openssl.cnf file; ElyCA will generate
one for you.
+ Set Sub-CA's.
+ Restart CA. Be CAREFUL using this section because you could drop
your CA into hell. It's a nice section if you decide to play
with ElyCA.
7) About:
Some things you may not care about.
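The directory layout and file naming pattern described under "New certificate" above can be checked from a script. The following is an added example, not part of ElyCA: it parses names of the form [Who_signed_it]_[serial_in_hex].[type] and reports files in the key and pkcs12 subdirectories that group or other users can read, as well as files that do not follow the pattern. The function names and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import stat
import tempfile

# [Who_signed_it]_[serial_in_hex].[type], e.g. root_0x3.crt or email_0x4.key
NAME_RE = re.compile(r"^(?P<signer>.+)_(?P<serial>0x[0-9A-Fa-f]+)\.(?P<type>[^.]+)$")
SENSITIVE_DIRS = {"key", "pkcs12"}  # subdirectories that hold secrets

def parse_name(filename):
    """Split a file name into (signer, serial, type), or None if it does not fit."""
    m = NAME_RE.match(filename)
    return (m.group("signer"), int(m.group("serial"), 16), m.group("type")) if m else None

def audit(base):
    """Return sorted findings: secret files that group/other can access,
    plus any file whose name does not follow the pattern."""
    findings = []
    for root, _dirs, files in os.walk(base):
        kind = os.path.basename(root)
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, base)
            parsed = parse_name(name)
            if parsed is None:
                findings.append((rel, "unexpected file name"))
                continue
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if kind in SENSITIVE_DIRS and mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append((rel, "mode %04o, signer=%s serial=0x%x" % ((mode,) + parsed[:2])))
    return sorted(findings)

def demo():
    """Build a constructed sample tree (not real ElyCA output) and audit it."""
    with tempfile.TemporaryDirectory() as base:
        sample = {"email/certs/root_0x3.crt": 0o644,   # public, fine
                  "email/key/email_0x4.key": 0o644,    # secret, too open
                  "email/key/email_0x5.key": 0o600,    # secret, owner only
                  "email/key/backup.old": 0o600}       # breaks the pattern
        for rel, mode in sample.items():
            path = os.path.join(base, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
            os.chmod(path, mode)
        return audit(base)

if __name__ == "__main__":
    for rel, why in demo():
        print(rel, "->", why)
```

To check a real installation, call audit() on the cgi-bin directory shown above instead of the sample tree.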
2. How can I start using ElyCA?
First off, go to the Settings section, set your preferences and click on the Save Settings button. After that, generate a CA (click on the CA button on the left bar, fill in the form and go ahead). After this you can generate certificates for email, server, client, object signing, and renew, revoke...
3. How can I clean the database and erase all certificates I created?
Have a look at the Settings section -> Restart CA.
4. Why don't you generate request files (PKCS#10) in the Registration Authority?
Because the RA is connected to the Internet or some other kind of network, and I don't like the idea of putting private keys in danger. I mean, when I generate a request (PKCS#10), I also need to generate a private key for that request, which will be stored in the RA, maybe temporarily; but if someone picks up that private key, he only has to wait for the certificate to be issued to do nasty things with it. That's why I decided to keep a database of every request made in the RA but nothing else. And of course, silly users using OpenSSL won't generate their own requests (PKCS#10) and clever ones won't care about it :-).
5. How does the Registration Authority work?
Actually, there was an RA, but I decided not to keep working on it because it was mainly based on the source code of the CA side, and this was a big problem because ElyCA 0.1 has nothing to do with 0.34. I think ElyCA is taking small steps forward towards the stability of a well-developed program.
Be patient, there will be one, I promise.
6. I read the INSTALL file and I'm not able to get ElyCA working.
Common problems:
1) Did you set the directories /home/elyca/ and /home/elyra/ to 755 permissions? If not, chmod 755 /home/elyca.
2) Are you using Python 2.2? Make sure by doing this:
    $ python -V
    Python 2.2.1
3) Did you install the MySQLdb module for Python?
    $ python
    Python 2.2.1 (#1, Sep 7 2002, 14:34:30)
    [GCC 2.95.4 20011002 (Debian prerelease)] on linux2
    Type "help", "copyright", "credits" or "license" for more information.
    >>> import MySQLdb
    >>>
If you get the prompt (>>>) and don't see any error message, the MySQLdb module is working fine. By the way, press Ctrl+D to leave python ;-).
4) Check mysqld: is it running fine? Check the config.py file too. Did you install python-mysqldb correctly?
5) Did you restart Apache with no problems?
Still doesn't work? Have a look at Apache's error.log file. See something?
7. How can I get ElyCA running? Root-CA versus sub-CA's
Step by step to keep it simple. Two choices:
a) You decided to generate a small CA, because:
    - your knowledge of the subject is not so mature.
    - you need it running as quickly as possible.
    - your organization is small.
   Steps:
    - Go to http://localhost/~elyca/gui/
    - Go to the "settings" section and click on "set root CA and general settings".
    - Set your preferences. If in any doubt: come on, read, read, read! Or don't edit anything. Either way, don't forget to click on the "save settings" button.
    - Go to the "CA" section.
    - Click on "Generate Root CA". Fill in the form and go ahead.
    - At this point you are able to generate certificates signed by the Root CA.
b) You know something about this matter and want to install a medium/big CA with a nice structure.
   Steps:
    - Go to http://localhost/~elyca/gui/
    - Go to the "settings" section and click on "set root CA and general settings".
    - Set your preferences. If in any doubt: come on, read, read, read! Or don't edit anything. Either way, don't forget to click on the "save settings" button.
    - Go to the "CA" section.
    - Click on "Generate Root CA". Fill in the form and go ahead.
    - Click on "Generate Sub-CA". Generate as many sub-CA's as you like.
    - At this point you are able to generate certificates signed by the Root CA or the sub-CA's, whichever you prefer.
Note: Of course, you could choose an intermediate level between choice a) and choice b).
8. Does ElyCA work with Boa, Apache 2.x, Cherokee,... my favorite web server?
Yes, it works, but I don't know the settings for the config file. If you use ElyCA with a web server other than Apache, please let me know.
9. Does ElyCA support a different SQL database than MySQL?
Not yet, but it will.
