James B. Byrne wrote:
> I have played with self-signed end-use PKI certificates for about a decade
> now and would really like to set up a proper, albeit private, PKI using
> some sort of OFS CA management software. I have looked at OpenCA and found
> a few packages on sourceforge but they all seem to fall short of my
> desires in one form or another (rpm install, multiple subordinate CAs,
> certificate revocation and extension management, web-based or
> linux/microsoft GUI). I have even tried to use the scripts that come
> with OpenSSL with very limited success.
>
> What I would like to do is to set up a self-signed root CA certificate,
> then use that to issue one or more signing CA's, each possibly limited as
> to what type of certificate that they can sign. These issuing CAs would
> then sign certificate requests for end-use certificates for hosts, email
> accounts, document provenance, objects, etc.

Perhaps more than what you want, but Spyrus just released their PocketCA(tm). A complete CA on a USB dongle.

I know a lot of people at Spyrus and they are among the best you will find in the PKI arena. So it is worth a look.

Otherwise, try TinyCA2. It will do what you want too.