Chapter 10. Managing Certs with tinyca

Revision History
Revision 0.12005-11-18AB
Initial document

Table of Contents

Getting started
Create a Certificate
Exporting everything


Managing your certificates on your router is possible, but might be not a good idea regarding security. You also might want to have a graphical frontend for easy creating and managing your keys and certs. In this chapter you will find information on how to do this all with tinyca.

Tinyca is a GTK based Frontend for creating and maintaining certificates with openssl. It is written in perl, to be able to use it, you need a Unix Machine. If you don't have one, download yourself a Linux Live CD (e.g. Knoppix) and use a USB Stick to save your certs and keys.

This Documentation assumes that you already have a copy of tinyca installed. If your distribution does not contain a version of tinyca, get it from the tinyca homepage.

Getting started

After starting tinyca you should get a screen like this:

We now start creating a new CA for ourself

Press the New CA button and enter the needed information (an example follows), please note that choosing a key length of 2048 should be enough.

After that you will be presented a window showing the possible CA options. You should not need to change anything.

When the program has finished creating the CA, the main window will look like this. You are now ready to create the needed certificates.

Create a Certificate

change to the certificates View in the main window.

Start creation by pressing the New button, a new window will open. The screens hot should give you an example.

After the certificate request has been created, you need to sign it with the CA certificate. Please note that the Valid for (Days) value means that after this period of time you are not able to use it anymore. If you don't plan to change your certs often, 365 days is rather short, you better choose 730 or 1095 (which will be 3 years). Not adding the email Address to the Subject might prevent you from running into trouble with some software that has problem with the @ in the email address. It is not needed, anyway.

After creating your cert, the main window looks like this:

Create as much certificates as you need, for a 2 host VPN you normally need 2.

Exporting everything

To be able to use the certs for open vpn or openswan, you need to export them in the correct format. This is normally PEM. Now choose the certificate you want to export and press Export. You will get a window asking for some options:

After you exported all required certs, change to the key view of the main window.

Choose the key, press Export and you will get a similar window as before. With one difference, you will be asked if you want to export the key with or without a passphrase. Choose no, so you will export it with a passphrase securing the private key.

After exporting all your keys, go to the CA view of the main window and choose Export Ca which will get you another export window. Choose PEM Format, too.

The Last thing to export is the CRL (Certificate revocation list), to do this, choose Export CRL from the CA view. You might set the value of how long this list is valid to a value greater than 30 days. If this matters at all changes with the software you want to use this cert with. You can , for example, configure openswan to reject connections when the crl is not up to date. Choosing a value of 90 days means that you have to export a new crl in the next 90 days regardless whether you revoke a cert or not...