What is YetiPKI
YetiPKI is open-source, cross-platform software for managing X.509 certificates.
You can easily create your own Certificate Authority (or several CAs) and sign certificates with it, so there is no need to use a self-signed SSL certificate for every server.
YetiPKI is designed to organize your certificates in a tree structure with certificate chains of any length, but it could be extended to support a mesh structure in the future.
With YetiPKI you can generate CA or ordinary certificates, and sign, revoke and prolong certificates. Of course, you can also list and view the current certificates. YetiPKI includes CGI scripts for an OCSP responder and for serving CA chains, so your certificates can be checked via OCSP.
It can store certificates in encrypted form to minimize the impact of a compromise of the PKI server.
YetiPKI is currently a beta version and must not be used in a production environment.
Before you start
Before using YetiPKI, please get to know how X.509 certificates work.
Downloading and installation
You can get YetiPKI from SVN.
YetiPKI is written in Ruby and uses OpenSSL, so you need Ruby with the openssl module (in the stdlib since 1.9) and the OpenSSL library. Some storage drivers may need additional modules.
To install, run "make install" in the source code directory. For Debian you can build a package.
- The format of yetipki.conf is YAML.
- There are two kinds of config values:
  - storage parameters
  - certificate parameters
- Storage parameters are placed in the special section "storage":
  - type - type of storage (only "file" so far)
  - path - directory in which the data is stored (for the "file" storage driver)
- Certificate parameters are more complex:
  - Global parameters
    - placed in the global namespace
    - these are the "default" values
  - Any section
    - parameters in a section overwrite the global values (but extensions are merged with the global ones)
    - section values are used if the --section flag is specified
  - There is a special section "ocsp" with the parameters of the certificate used to sign OCSP responses
  - responseValidTime -
  - subject -
  - type -
  - keylength -
  - days -
  - mergeissuersubject -
  - mergeconfigsubject -
  - extensions -
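As an added example (not YetiPKI's own code), the following Ruby snippet shows how the rules above fit together: a constructed yetipki.conf with a "storage" section, global defaults, an "ocsp" section and a named section, plus a resolver that applies the "section overwrites globals, but extensions are merged" rule. The sample values, the shape of the extensions value and the precedence when a section and the globals set the same extension key are assumptions.

```ruby
require 'yaml'

# Constructed yetipki.conf-style document (sample values, not from the project).
SAMPLE_CONF = <<~YAML
  storage:
    type: file
    path: /var/lib/yetipki
  type: server              # global (default) certificate parameters
  keylength: 2048
  days: 365
  mergeissuersubject: true
  extensions:
    keyUsage: digitalSignature
    basicConstraints: "CA:FALSE"
  ocsp:                     # certificate that signs OCSP responses
    responseValidTime: 3600
    keylength: 4096
    days: 30
    extensions:
      extendedKeyUsage: OCSPSigning
  intranet:                 # selected with --section intranet
    days: 730
    extensions:
      subjectAltName: "DNS:*.intranet.example"
YAML

# Storage parameters live only in the special "storage" section.
def storage_params(conf)
  conf.fetch('storage')
end

# Global certificate parameters: everything outside "storage" that is not a
# section of its own. "extensions" is a hash but a parameter, not a section.
def global_params(conf)
  conf.reject { |k, v| k == 'storage' || (v.is_a?(Hash) && k != 'extensions') }
end

# Effective parameters for --section NAME: section values overwrite the globals,
# while "extensions" is merged with the global ones (assumed: section keys win).
def effective_params(conf, section = nil)
  base = global_params(conf)
  return base if section.nil?
  overrides = conf.fetch(section) { raise ArgumentError, "no section #{section}" }
  merged_ext = (base['extensions'] || {}).merge(overrides['extensions'] || {})
  base.merge(overrides).merge('extensions' => merged_ext)
end
```

Running `effective_params(YAML.safe_load(SAMPLE_CONF), 'intranet')` yields the global type and keylength, the section's 730 days, and all three extensions combined.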
- Global parameters
- Create a CA
- Sign certificates
- Create the OCSP certificate
- Configure the OCSP responder