On Sat 25.Jun'16 at 13:56:38 +0000, Stuart Henderson wrote:
> On 2016-06-24, C. L. Martinez <[email protected]> wrote:
> > On Fri 24.Jun'16 at 12:46:48 +0000, Dahlberg, David wrote:
> >> On Friday, 24.06.2016, 11:45 +0000, C. L. Martinez wrote:
> >>
> >> > I would like to deploy/set up a PKI under OpenBSD for my home lab.
> >> > Searching about this topic, I think the best option is to use
> >> > customized openssl/libressl scripts, but it could be very hard to keep
> >> > up with certificate requests, revocations, etc.
> >> >
> >> > Any suggestion about what could be a better option?
> >>
> >> Have a look at security/xca, else define "better option".
> >>
> >> Cheers
> >
> > For "better option", I am speaking about what could be the best tool or
> > procedure to manage a PKI under OpenBSD.
>
> It really depends on what your reasons are for doing this.
>
> If you're trying to learn about the nitty gritty of generating certs,
> CRLs, revocations, etc, then using the command line tools directly
> isn't a bad idea.
>
> If you're trying to script things but at a higher level than the
> libressl/openssl command line tool, you might want to look at something
> like https://github.com/cloudflare/cfssl.
>
> If you're just trying to manually generate certs for lab machines
> and are happier with something visual, xca is pretty good.
>
> Or you can look at the tools which are really made for simplifying vpn
> setup like "ikectl ca" (though the way it's designed, it really only
> makes sense if you generate the private key on a central machine, which
> is a bit non-standard though makes life easier in some cases). Or yes,
> as was already pointed out, easy-rsa (though personally I find that more
> complex than easy).
>
> If you're more interested in getting certs than investigating how to
> run pki, something like letsencrypt might work for you.
Many thanks Stuart. I have configured a PKI using openssl tools, and it is
working ok ... Now, I would like to install an OCSP instance to check when a
certificate is revoked ... But I have some doubts:

- When a certificate is revoked, can the .csr and .crt files (the request and
  the cert signed by the CA) be removed without problems?

- I am trying to set up a startup script for OCSP using openssl; can this be
  accomplished in OpenBSD's way?

Thanks.

-- 
Greetings,
C. L. Martinez
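The OCSP flow asked about in the last message, as an added example that is not part of the thread and not code from any of its participants: a throwaway lab CA built with the openssl(1) command-line tools, one issued server certificate, a delegated OCSP signing certificate, an OCSP request, a signed response produced from the CA database, and the client-side verification of that response, run once before and once after revocation. Everything is constructed for the demo: the directory layout, the config sections (`lab_ca`, `v3_ca`, `v3_leaf`, `v3_ocsp`), the CN values and the function names are assumptions, and the exchange goes through files (`-reqin`/`-respout`/`-respin`) rather than a listening responder so that it runs offline without opening a port. It also illustrates which artifacts the two operations actually read: `openssl ca -revoke` takes the signed `.crt` (it needs the serial number), while `openssl ocsp -index` answers from `index.txt` alone and never opens the per-certificate files.

```shell
#!/bin/sh
# Added example, not code from the thread: a throwaway lab CA built with the
# openssl(1) command-line tools, one issued certificate, an OCSP signing
# certificate, and an OCSP request/response exchange answered from the CA
# database (index.txt). All paths and names are constructed for this demo;
# the exchange goes through files (-reqin/-respout) instead of a listening
# responder so it runs without opening a port.
set -eu

# Minimal ca(1)/req(1) configuration for a CA rooted at directory $1.
write_cnf() {
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca         = lab_ca
[ lab_ca ]
dir                = $1
database           = \$dir/index.txt
new_certs_dir      = \$dir/newcerts
serial             = \$dir/serial
crlnumber          = \$dir/crlnumber
certificate        = \$dir/ca.crt
private_key        = \$dir/ca.key
default_md         = sha256
default_days       = 365
default_crl_days   = 30
policy             = lab_policy
[ lab_policy ]
commonName         = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints   = critical, CA:TRUE
keyUsage           = critical, keyCertSign, cRLSign
[ v3_leaf ]
basicConstraints   = CA:FALSE
[ v3_ocsp ]
basicConstraints   = CA:FALSE
keyUsage           = critical, digitalSignature
extendedKeyUsage   = OCSPSigning
EOF
}

# Create the CA, the OCSP responder certificate and one server certificate
# under lab directory $1 (constructed layout: $1/ca holds the CA state).
make_lab() {
    ca="$1/ca"; cnf="$ca/openssl.cnf"
    mkdir -p "$ca/newcerts"
    : > "$ca/index.txt"
    echo 1000 > "$ca/serial"
    echo 1000 > "$ca/crlnumber"
    write_cnf "$ca"
    # Self-signed CA certificate.
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -config "$cnf" \
        -extensions v3_ca -subj /CN=lab-ca \
        -keyout "$ca/ca.key" -out "$ca/ca.crt" 2>/dev/null
    # Delegated OCSP signer: issued by the CA with the OCSPSigning EKU.
    openssl req -new -newkey rsa:2048 -nodes -config "$cnf" -subj /CN=lab-ocsp \
        -keyout "$ca/ocsp.key" -out "$ca/ocsp.csr" 2>/dev/null
    openssl ca -batch -config "$cnf" -extensions v3_ocsp -notext \
        -in "$ca/ocsp.csr" -out "$ca/ocsp.crt" 2>/dev/null
    # An ordinary end-entity certificate, the one revoked later.
    openssl req -new -newkey rsa:2048 -nodes -config "$cnf" -subj /CN=srv.lab \
        -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null
    openssl ca -batch -config "$cnf" -extensions v3_leaf -notext \
        -in "$1/srv.csr" -out "$1/srv.crt" 2>/dev/null
}

# Mark certificate $2 revoked in the database of lab $1 and regenerate the CRL.
# -revoke reads the serial from the .crt; the result is an "R" line in index.txt.
revoke_cert() {
    cnf="$1/ca/openssl.cnf"
    openssl ca -batch -config "$cnf" -revoke "$2" 2>/dev/null
    openssl ca -batch -config "$cnf" -gencrl -out "$1/ca/ca.crl" 2>/dev/null
}

# Ask the (file-based) responder of lab $1 about certificate $2 and print the
# status word openssl reports for it: good, revoked or unknown.
ocsp_status() {
    ca="$1/ca"; req="$1/req.der"; resp="$1/resp.der"
    # 1. Client side: build a DER OCSP request (with a nonce) for the cert.
    #    Older openssl/libressl exit non-zero here because no server was
    #    given, but the request file is still written, so check for that.
    openssl ocsp -issuer "$ca/ca.crt" -cert "$2" -reqout "$req" >/dev/null 2>&1 || true
    [ -s "$req" ]
    # 2. Responder side: answer from index.txt only, signed with the OCSP cert.
    openssl ocsp -index "$ca/index.txt" -CA "$ca/ca.crt" \
        -rsigner "$ca/ocsp.crt" -rkey "$ca/ocsp.key" -CAfile "$ca/ca.crt" \
        -reqin "$req" -respout "$resp" >/dev/null 2>&1
    # 3. Client side: verify the signed response against the CA and read the
    #    status line ("<cert path>: good|revoked"). -no_nonce because this
    #    offline check builds no fresh request whose nonce could be compared.
    openssl ocsp -issuer "$ca/ca.crt" -cert "$2" -no_nonce -respin "$resp" \
        -CAfile "$ca/ca.crt" 2>/dev/null | awk -v c="$2:" '$1 == c { print $2 }'
}

# End-to-end: issue, check (good), revoke, check again (revoked).
run_demo() {
    lab=$(mktemp -d)
    make_lab "$lab"
    before=$(ocsp_status "$lab" "$lab/srv.crt")
    revoke_cert "$lab" "$lab/srv.crt"
    after=$(ocsp_status "$lab" "$lab/srv.crt")
    rm -rf "$lab"
    echo "before=$before after=$after"
}

run_demo
```

Running the script prints `before=good after=revoked`. The long-running form that a startup script would launch is the same responder invocation with `-port` instead of `-reqin`/`-respout`; since `openssl ocsp` stays in the foreground, an OpenBSD rc.d(8) script for it would rely on rc.subr(8) with `rc_bg=YES` (an assumption about how one would wire it, not shown here).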

