Email encryption and signing now works with the certificates created by this application in Thunderbird and Outlook. The Thunderbird team has finally fixed the bug.
There was little improvement on the scripts themselves. The main work was done on improving the integration with The Address Book Reloaded http://sourceforge.net/projects/tab-2 as certificate-managing database and intranet address book. There is still lots of work to do to make issuing certificates more convenient than pasting commands into a shell. What prevents this until now is that the address book usually runs on an unsecured server, while the certificate authority must run on a secure computer, so a means to sync databases between instances of the address book would be needed.
Anyway feel free to post your ideas.
I almost solved how to use these certificates for email encryption with S/MIME and Thunderbird. Unfortunately Thunderbird wants to use the certificates also for the SSL/TLS connection to the mail server, which does not work because the certs are self-signed! If you switch off SSL encryption for the server connection, S/MIME signing and encryption work fine. I suppose this is a bug in Thunderbird, maybe Outlook works better.
For signing email one only needs one's own certificate installed. The CA's public certificate is what verifies the signatures of others.
To encrypt email to another person, one needs that person's public key certificate (the .crt file) installed.
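The two rules above (signing needs your own certificate and key, verifying needs only the CA certificate, encrypting needs the recipient's .crt) can be exercised with openssl's smime command. The following is an added example and not code from the project: it builds a throw-away CA and one user certificate (constructed subjects and file names, issued with "openssl x509 -req" instead of the README's genusercert script), then signs, verifies, encrypts and decrypts a constructed message.

```shell
#!/bin/sh
# Added example, not part of the README. Throw-away CA + user cert (constructed),
# then the four S/MIME operations the notes above describe.
set -e
cd "$(mktemp -d)"
printf '[req]\ndistinguished_name=dn\n[dn]\n' > req.cnf   # minimal config so -subj works

# Constructed root CA (self-signed) and a user certificate signed by it
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config req.cnf \
  -subj "/CN=Example Root CA" -addext "basicConstraints=critical,CA:TRUE" \
  -addext "keyUsage=critical,keyCertSign,cRLSign" -keyout ca.key -out ca.crt 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -config req.cnf \
  -subj "/CN=Joe Sample/emailAddress=joe@example.com" -keyout joe.key -out joe.csr 2>/dev/null
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=emailProtection\n' > user.ext
openssl x509 -req -in joe.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 1 \
  -extfile user.ext -out joe.crt 2>/dev/null

# Signing: the sender's own certificate and private key (what the .p12 import installs)
sign_message() { openssl smime -sign -in "$1" -signer joe.crt -inkey joe.key -nodetach -binary -out "$2"; }

# Verifying: only the CA certificate is needed; the signer's cert travels inside the message.
# verify_message IN OUT CAFILE -> 0 when the signature chains to CAFILE
verify_message() { openssl smime -verify -in "$1" -CAfile "$3" -out "$2" 2>/dev/null; }

# Encrypting: the recipient's public certificate (the .crt the README mails out), no key
encrypt_message() { openssl smime -encrypt -aes256 -binary -in "$1" -out "$2" joe.crt; }

# Decrypting: only the recipient, who holds the matching private key, can do this
decrypt_message() { openssl smime -decrypt -in "$1" -recip joe.crt -inkey joe.key -out "$2"; }

printf 'Subject: test\n\nhello from joe\n' > msg.txt   # constructed message
sign_message msg.txt signed.eml
verify_message signed.eml verified.txt ca.crt
encrypt_message msg.txt encrypted.eml
decrypt_message encrypted.eml decrypted.txt
```

Running the verify step with -no-CAfile -no-CApath (or against a mail client without ca.crt imported) fails with "unable to get local issuer certificate", which is exactly why the CA certificate has to be distributed alongside the user certificates.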
The integration with TAB-2 has matured, although it is not an instant CA solution yet. It works as follows: The Address Book Reloaded (TAB-2) is a PHP address book web application (see below). An administrator or a contacts manager enters contacts into the address book. These contacts are flagged as 'added', and the CA administrator can generate shell commands via the web browser, which he copies into a script to issue the certificates on a secure machine with the commands openssl-ca provides. If an administrator/manager deletes a contact, the contact is included in the generated commands as revokecert.
I have integrated the openssl-CA into http://sourceforge.net/projects/tab-2 (currently as a beta extension). It works great. Users can retrieve their reissued cert passwords from their own address card. (Re)issue, revocation, export password management, password retrieval with PIN. I am running an intranet server with 500 contacts with openssl-ca and tab-2. Unfortunately the features are still undocumented, but an SSL-CA button should appear for administrators logged into tab-2 on the main address list beside PDF printing.
The Address Book Reloaded (tab-2) is a PHP address book web application that stores contact details (with pictures) of employees/customers in utf8 format on an intranet. Users or address managers can enter records. It features Google Maps, Maporama, distributed management and PDF address books (standard fonts only). Try the Address Book Reloaded DEMO (sorry, no CA features demo as admin privileges are required. I will add a screen shot later.)
This readme contains step-by-step instructions to create a (self-signed) Certificate Authority for your web-server.
The scripts simplify the following work with openssl ca:
1. Create a root CA
2. Issue server certificates
3. Issue client certificates
4. Revoke client certificates
5. Mail them to users
[0. TO START OVER]
a) ca directory
b) dated user directories
HINT: Copy these scripts to an encrypted volume on a secure computer. Do not run them on your web-server.
For Windows/cygwin check out: http://www.truecrypt.org/
[Optional: edit the defaults in genrootca - you may need to start over a few times until your CA sticks]
Enter public certificate data [Or accept the defaults].
RESULT: ca (directory) ; ca/ca.crt ; ca/ca.key
genservercert -C "myserver.example.com" -e "firstname.lastname@example.org" -p "secret-CA-password" -o "My Company" -u "My Department" -c US -s "1 Company Lane" -l "Sunnyvale, CA 12345"
$ ll ca
-rw-r--r-- 1 joe Domain Users 1143 Jan 19 18:01 ca.crt
drwxr-xr-x 2 joe Domain Users    0 Jan 19 18:10 ca.db.certs
-rw-r--r-- 1 joe Domain Users  151 Jan 19 18:10 ca.db.index
-rw-r--r-- 1 joe Domain Users   21 Jan 19 18:10 ca.db.index.attr
-rw-r--r-- 1 joe Domain Users    3 Jan 19 18:10 ca.db.serial
-rw-r--r-- 1 joe Domain Users  963 Jan 19 18:00 ca.key
---- possible errors: ----
unable to load CA private key
3064:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:ev
3064:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:425:
>>>>>>>>>>>>>> SOLUTION >>>>>>>>>>>>>>>>>>
===> -p is the wrong password !!! Make sure you use the right password.
Copy:
cp ca/ca.crt /etc/apache2/ssl.crt/
cp example.com.crt /etc/apache2/ssl.crt/
cd /etc/apache2/ssl.crt/ ; make
cp example.com.key /etc/apache2/ssl.key

vhost or http.conf:
SSLEngine on
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!NULL:!aNULL:!eNULL:!ADH:!EXPORT56:!LOW:!SSLv2:!EXP:RC4+RSA:+HIGH:+MEDIUM
SSLCertificateFile /etc/apache2/ssl.crt/myserver.example.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/myserver.example.key
SSLCertificateChainFile /etc/apache2/ssl.crt/ca.crt
SSLCACertificatePath /etc/apache2/ssl.crt
# enable if needed
SSLCARevocationPath /etc/apache2/ssl.crl
#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
SSLVerifyClient require
SSLVerifyDepth 1

Configure:
Open port on firewall (if needed)
Add ports to listen.conf/vhost
rcapache2 restart
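Two checks worth running before the copy-and-restart above, as an added example that is not part of the README: that SSLCertificateFile and SSLCertificateKeyFile really belong together, and what file name the "make" in ssl.crt (c_rehash) will create for SSLCACertificatePath. The self-signed pair and the unrelated second key are constructed only for the demonstration; function names are my own.

```shell
#!/bin/sh
# Added example, not part of the README: pre-flight checks for the Apache step.
set -e
cd "$(mktemp -d)"
printf '[req]\ndistinguished_name=dn\n[dn]\n' > req.cnf   # minimal config so -subj works
# constructed throw-away pair, plus an unrelated key for the negative case
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config req.cnf \
  -subj "/CN=myserver.example.com" -keyout server.key -out server.crt 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out other.key 2>/dev/null

# cert_matches_key CRT KEY: 0 if KEY is the private half of the public key in CRT.
# Apache refuses to start with "key values mismatch" when the two files do not
# belong together; comparing the public keys catches that before the restart.
cert_matches_key() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# hash_link_name CRT: the <subject-hash>.0 name that "make" in ssl.crt (c_rehash)
# creates so SSLCACertificatePath can locate ca.crt during client verification
hash_link_name() { echo "$(openssl x509 -in "$1" -noout -hash).0"; }

cert_matches_key server.crt server.key && echo "server.crt and server.key match"
echo "hash link for SSLCACertificatePath: $(hash_link_name server.crt)"
```

The SSLProtocol line above still enables SSLv3, which current Apache and OpenSSL builds no longer support; a deployment made today allows TLSv1.2 or later only, and these checks are independent of that setting.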
genusercert -C "Joe Sample" -e email@example.com -o "Acme Inc." -u "Sales" -l "Nashville" -s "TN" -c US -d "730" -x "joes-import-password" -p secret-CA-password
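What genrootca, genservercert, genusercert and the revoke step do underneath is plain "openssl ca" bookkeeping, and the "bad decrypt" error above is the CA key refusing the -p password. The following is an added example, not the project's scripts: it recreates the ca/ layout shown in the listing above (ca.crt, ca.key, ca.db.certs, ca.db.index, ca.db.serial) with a minimal openssl config, issues a server and a user certificate, exports the user certificate as a PKCS#12 file locked with the export (-x) password, and can revoke it and publish a CRL. Subjects, passwords and file names are constructed; ca.db.crlnumber is an addition "openssl ca -gencrl" needs; the function names are my own.

```shell
#!/bin/sh
# Added example, not the project's genrootca/genservercert/genusercert scripts:
# the openssl calls they wrap, using the ca/ layout from the listing above.
set -e
CA_PASS="secret-CA-password"   # constructed; what the scripts take as -p
CA_CNF="ca.cnf"
write_ca_config() {   # minimal openssl.cnf for "openssl ca"; $dir is expanded by openssl
  cat > "$CA_CNF" <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./ca
new_certs_dir = $dir/ca.db.certs
database = $dir/ca.db.index
serial = $dir/ca.db.serial
crlnumber = $dir/ca.db.crlnumber
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
unique_subject = no
[ policy_any ]
organizationName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ user_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
EOF
}
init_ca() {   # step 1: CA database files plus an encrypted root key and self-signed cert
  mkdir -p ca/ca.db.certs
  : > ca/ca.db.index
  echo 01 > ca/ca.db.serial
  echo 01 > ca/ca.db.crlnumber
  write_ca_config
  openssl req -x509 -new -newkey rsa:2048 -days 3650 -config "$CA_CNF" -extensions ca_ext \
    -subj "/O=Example Corp/CN=Example Root CA" -passout "pass:$CA_PASS" \
    -keyout ca/ca.key -out ca/ca.crt 2>/dev/null
}
sign_csr() {   # sign_csr CSR OUT EXT_SECTION: the "openssl ca" call behind every issue
  openssl ca -batch -config "$CA_CNF" -extensions "$3" -notext \
    -passin "pass:$CA_PASS" -in "$1" -out "$2" 2>/dev/null
}
issue_server_cert() {   # step 2: issue_server_cert HOSTNAME -> HOSTNAME.key / HOSTNAME.crt
  openssl req -new -newkey rsa:2048 -nodes -config "$CA_CNF" \
    -subj "/O=Example Corp/CN=$1" -keyout "$1.key" -out "$1.csr" 2>/dev/null
  sign_csr "$1.csr" "$1.crt" server_ext
}
issue_user_cert() {   # step 3: issue_user_cert NAME EMAIL EXPORT_PASS -> EMAIL.key/.crt/.p12
  openssl req -new -newkey rsa:2048 -nodes -config "$CA_CNF" \
    -subj "/O=Example Corp/CN=$1/emailAddress=$2" -keyout "$2.key" -out "$2.csr" 2>/dev/null
  sign_csr "$2.csr" "$2.crt" user_ext
  # PKCS#12 bundle for Thunderbird/Outlook import, locked with the export (-x) password
  openssl pkcs12 -export -inkey "$2.key" -in "$2.crt" -certfile ca/ca.crt \
    -name "$1" -passout "pass:$3" -out "$2.p12"
}
revoke_cert() {   # step 4: mark CRT revoked in ca.db.index and publish ca/ca.crl
  openssl ca -config "$CA_CNF" -passin "pass:$CA_PASS" -revoke "$1" 2>/dev/null
  openssl ca -config "$CA_CNF" -passin "pass:$CA_PASS" -gencrl -out ca/ca.crl 2>/dev/null
}
verify_cert() {   # 0 if CRT chains to ca/ca.crt and, once a CRL exists, is not on it
  crl=""; [ -f ca/ca.crl ] && crl="-CRLfile ca/ca.crl -crl_check"
  openssl verify -CAfile ca/ca.crt $crl "$1" >/dev/null 2>&1
}
check_ca_password() {   # 0 if PASS decrypts ca/ca.key; the "bad decrypt" error above is this failing
  openssl pkey -in ca/ca.key -passin "pass:$1" -noout 2>/dev/null
}
cd "$(mktemp -d)"
init_ca
issue_server_cert myserver.example.com
issue_user_cert "Joe Sample" joe@example.com joes-import-password
```

Anything not named in the policy section is dropped from the issued subject, so a real config lists every DN attribute the scripts' -o/-u/-l/-s/-c options set; and as the README says, all of this belongs on the secure machine, with only the .crt and .p12 files leaving it.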
[Edit the xls and]
Save/Generate a CSV-file [No field separators and " characters allowed!].
[make sure it uses commas to separate fields - Germany uses ; instead!!]
[If so change the FS=';' in csv2usercerts script to whatever you use!]
Check runme.sh to verify the generated commands are right.
Batch create the certificates:
./runme.sh -p "very secret CA root password"
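The CSV-to-runme.sh step, as an added example and not the project's csv2usercerts script: the column order, the FS variable (';' for a German spreadsheet, ',' otherwise) and passing runme.sh's own arguments through as "$@" (so that ./runme.sh -p reaches every genusercert call) are assumptions. It enforces the two rules above by refusing rows that contain a " character or that split into the wrong number of fields, which is what an embedded separator looks like after splitting.

```shell
#!/bin/sh
# Added example, not the project's csv2usercerts: CSV rows -> runme.sh of genusercert calls
set -e
cd "$(mktemp -d)"
FS=';'   # the separator your spreadsheet writes; Germany uses ';', US/UK ','

# Constructed sample export: name;email;org;unit;locality;state;country;days;export password
SAMPLE_CSV='Joe Sample;joe@example.com;Acme Inc.;Sales;Nashville;TN;US;730;joes-import-password
Jane Roe;jane@example.com;Acme Inc.;Support;Nashville;TN;US;730;janes-import-password'

# csv2usercerts CSVFILE OUTFILE: one genusercert line per row. Rows with a " character
# or with a field count other than 9 (a stray separator inside a field) are rejected
# and the function returns 1, so nothing half-right is ever run against the CA.
csv2usercerts() {
  awk -v FS="$FS" '
    BEGIN   { print "#!/bin/sh"; print "set -e" }
    /"/     { print "line " NR ": \" not allowed" > "/dev/stderr"; bad = 1; next }
    NF != 9 { print "line " NR ": expected 9 fields, got " NF > "/dev/stderr"; bad = 1; next }
    {
      printf "genusercert -C \"%s\" -e %s -o \"%s\" -u \"%s\" -l \"%s\" -s \"%s\" -c %s -d \"%s\" -x \"%s\" \"$@\"\n",
             $1, $2, $3, $4, $5, $6, $7, $8, $9
    }
    END     { exit bad }
  ' "$1" > "$2"
}

# count_commands FILE: number of genusercert lines, the figure to compare with your row count
count_commands() { grep -c '^genusercert ' "$1"; }

printf '%s\n' "$SAMPLE_CSV" > contacts.csv
csv2usercerts contacts.csv runme.sh
chmod +x runme.sh
echo "generated $(count_commands runme.sh) genusercert commands in runme.sh"
```

Read runme.sh once before running it, as the README says: the commands carry the export passwords in clear text, so the file belongs on the secure machine and nowhere else.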
Double click on the file and follow the instructions.
Provide the export-password that you used to generate the certificate.