Secure Sockets Layer

Has anyone set up their own Certificate Authority using OpenCA? I'm looking for something that makes it easy for Windows XP/2000 systems to generate private keys and certificate requests. In particular, this is to make deployment of OpenVPN to multiple (20-100) remote systems as easy as possible, while keeping things as secure as possible.

ElyCA *Note: Link appears down (1/27/2005)

This is another Python-based CA, but simpler than OpenCA. It's the easiest to install, and the easiest to use as well. Works fine in an OpenVPN environment with a Linux server and Windows clients.


This one appears to be very mature and robust. However, since it's fairly sophisticated and designed for a clustered server environment servicing thousands of certificates, it seems a bit overkill. So far I haven't been able to find good Debian packages for it.

Here's a cookbook for setting it up in a single-server environment, but beware, since it makes assumptions and has some mistakes:

It requires LDAP and MySQL, which is a bit heavy for a VPN/firewall environment.


Python web-based CA management. Has a Debian package and is pretty easy to get going. It's pretty easy to use; however, after several hours of going through its code trying to figure out how to sign a request, it appears that portion of the code was never started.

EJBCA Enterprise Java Beans Certificate Authority

EJBCA is a fully functional Certificate Authority (CA), written entirely in Java and based on J2EE technology.


Written in C++ and based on the OpenSSL low-level API; all the data is handled through a database. It uses a client/server architecture with a nice GTK GUI. Runs on Linux and Windows. It's promising but still immature.


An Open Source implementation of the IETF PKIX recommendations. It is maintained by IDEALX, a software engineering company. Based on OpenLDAP.


Limited but very easy to use, it is one of the rare PKI implementations that use Peter Gutmann's excellent cryptlib toolkit instead of OpenSSL. Available for Linux, FreeBSD and Windows.


TinyCA is a simple graphical user interface written in Perl/Gtk to manage a small CA (Certification Authority). TinyCA works as a frontend for OpenSSL.

See also Apache, NetworkSecurity