[openssl-users] Developing CA with Openssl library

Bear Giles bgiles at coyotesong.com
Thu Mar 3 17:17:45 UTC 2016


I've written big chunks of a CA in both OpenSSL and Java (BouncyCastle). It
has definite benefits since it can be tightly integrated into an existing
infrastructure but does require a fairly deep understanding of both
concepts and implementation details. The actual key management is not that
hard to write once you have that basic knowledge.

However, a CA is a lot more than just signing keys, and that can be a lot of
work, but I think that will be true regardless of whether you're doing new
development with the libraries or using scripts with the command line
program. The command line is fine for small needs, but I would definitely
rather use the libraries (C or Java) if I had it sitting behind a web or
microservice.

Finally, I should point out that Amazon has just released an X.509 key
management system as part of Amazon Web Services. I haven't had a chance to
look at it but it might be easier to implement a front end to it.

Bear

On Wed, Mar 2, 2016 at 11:24 PM, lists <lists at rustichelli.net> wrote:

> On 03/02/2016 09:36 AM, thirumalkumarkanakurthi at bel.co.in wrote:
>
>>
>> Dear users,
>> I want to develop my own CA with the openssl library with all the CA
>> functionalities like key generation, certificate creation, Certificate
>> Revocation List creation, certificate revocation and certificate
>> verification. In order to do so, I am stuck with the following questions:
>>
>> 1. Currently I am using the openssl_1_0_1 stable version. With this version,
>> is it possible to perform the above operations?
>>
>
> Yes, but it's a lot of code to write if you plan to use the library.
>
>> 2. Will the above-mentioned version provide full CA CRL functionalities?
>> Please help me with your valuable suggestions and solutions. Thanks in
>> advance.
>>
>>
> From what I know, all of it is there, too.
> But really consider using OpenSSL-based open source products or at least
> openssl command line tools where possible, otherwise it is just as answer
> (1): there is a lot to do!
>
>
>> Regards
>> Thirumal Kumar Kanakurthi
>> Member (Research Staff)/NWS Group
>> Central Research Laboratory(BEL).
>> Bangalore.
>> Mobile:+918050469976
>>
>