Alternative for openSSL

Question

I have academical project to build communicator with Public Key Infrastructure. For communication between server and clients I'll use SSL/TLS and I need for them certificates. I have to build Certificate Authority with CRL and I can do this with openSSL but this tool is only good for manual administrative not for making certificates automatically in remote CA.

To be clear: Clients must register and login to communicator using certificates but it should be made invisible for them. I've tried running openSSL as process in Java but it's not working properly - my previous problem.

Have you any good advice for making simple PKI?

they said "simple pki". heh. heh. – andrew cooke Nov 28 '13 at 20:49 — andrew cooke, Nov 28 '13 at 20:49

score 1 · Answer 1 · answered Nov 28 '13 at 21:05

1

You can use and extend EJBCA. It takes some getting used to but it has support for some HSM's, and it should not be hard to create a small PKI with it. Open source.

answered Nov 28 '13 at 21:05

Maarten Bodewes

90,524
13
150
263

Would this solve your problem, mydew, please accept or indicate what is missing. – Maarten Bodewes Dec 06 '13 at 15:53

score 0 · Answer 2 · edited May 23 '17 at 12:28

A replacement for simple operations of OpenSSL, would be Bouncy castle. To have better CA support you should also use the EJBCA. To create certificates automatically in the client (I assume you use a client web browser) is a bit trickier. Some browser can generate private client keys and then get them signed by the CA server. Generating client side certificates in browser and signing on server In that case, I would also use the EJBCA to make it manageable.

Alternative for openSSL

2 Answers2