This is an overview of all Python programs in pyCA and is intended
to give you an idea of what the package does.
The scripts in this section handle are simple helper scripts for
copying public certificate data (mainly the CA certs).
Use [scriptname].py --help to find out more about the usage of each script.
-
ca2ldif.py
-
Write CA certificates and CRLs to a LDIF file. This is intended for
initially setting up the CA entries not for daily
CRL update. The entries are of objectclass certificationAuthority
and contain the attributes cACertificate;binary,
authorityRevocationList;binary and
certificateRevocationList;binary. This might require extending
schemas on LDAPv2 servers. Have a look at your LDAP servers configuration
documentation.
-
certs2ldap.py
-
Send all certs and CRLs to a LDAP repository.
-
copy-cacerts.py
-
Copy all CA certificates defined in an OpenSSL configuration to
a bundled PEM file or a directory with hash-named symbolic links.
This is quite handy in conjunction with ApacheSSL or Apache with
mod_ssl for copying the files for SSLCACertificateFile or
SSLCACertificatePath.
-
ns-jsconfig.py
-
Create Javascript code containing all CA certificates defined in
an OpenSSL configuration for use with the Netscape admin tool
(creating netscape.cfg).
-
print-cacerts.py
-
This simple script prints all CA certs on stdout.
It is intended to generate authentic printouts (on paper!) of the
CA certs fingerprints and is typically run on the private CA system.
Choose the option --html to generate nicer formatted HTML-output
instead of the default textual output in ISO-8859-1.
-
ns-jsconfig.py
-
Create a Javascript file to be included in a Netscape configuration
file (netscape.cfg).
The scripts in this section handle administrative tasks.
-
pickle-cnf.py
-
Create a pickled copy the OpenSSL configuration object for faster
reading of the configuration. The pickle-file name is the name of the
OpenSSL configuration file plus .pickle.
-
ca-make.py
-
Generate a CA hierarchy, all necessary files and directories
and all initial CRLs (see also signedby
extension in OpenSSL configuration file). This is intended to be run
under user root since it sets the ownership and permissions.
-
ca-certreq-mail.py
-
Handles the mail dialogue after certificate request.
The SPKAC certificate request and LDIF data is moved from the
directory pend_reqs_dir
to new_reqs_dir.
Set this script in your /etc/aliases, procmailrc or similar to receive
mails for the address specified in
caCertReqMailAdr.
-
ca-cycle-pub.py
-
This script is typically run by the CA admin user via CRON or
a similar task manager on a networked system holding the public
certificate data. It does several jobs:
-
Publish new certificates and inform user via e-mail
where to download his certificate
-
Remove stale certificate requests from
pend_reqs_dir.
-
Spool certificate requests and certificate revocation requests
to the system holding the CA's private keys. (not implemented yet)
-
Spool certificates and certificate revocation lists
from the system holding the CA's private keys. (not implemented yet)
- ca-cycle-priv.py
-
This script is run on the system where the private keys
of the CA are stored.
It does several jobs:
-
Mark expired certificates in OpenSSL certificate database
-
Generate new CRLs, move old CRLs to archive (not implemented yet)
-
Process certificate requests and certificate revocation requests (not implemented yet)
-
Spool certificate database, issued certificates and
CRLs to public WWW and LDAP server (not implemented yet)
Several CGI-BIN programs provide comfortable user access to the PKI.
-
browser-check.py
-
Checks the SSL and key generation capabilities of a browser.
This is very handy to find out if a certain web client
has sufficient capabilities for the certification process or your policy.
Up to now this CGI-BIN does only make sense when being invoked on a server
running
ApacheSSL or
Apache with mod_ssl with
"SSLOptions +CompatEnvVars" set in httpd.conf.
-
ca-index.py
- Show a clickable table of CA data in the OpenSSL configuration file openssl.cnf.
-
client-enroll.py
-
Generate a certification request with your favourite
web browser.
-
cert-query.py
-
Query the OpenSSL certificate database for searching e-mail
certificates.
-
view-cert.py
-
Display a certificate or CRL.
-
get-cert.py
-
Load a certificate or CRL.
-
ns-check-rev.py
-
On-line verification of a certificate
-
ns-revoke.py
-
Revoke a certificate with checking of client certificate.
-
scep.py
-
Experimental support for Cisco's
Simple Certificate Enrollment Protocol (SCEP)
misc. modules