This is an overview of all Python programs in pyCA and is intended to give you an idea of what the package does.
The scripts in this section are simple helper scripts for copying public certificate data (mainly the CA certs).
Use [scriptname].py --help to find out more about the usage of each script.
- ca2ldif.py
- Write CA certificates and CRLs to an LDIF file. This is intended for initially setting up the CA entries, not for daily CRL updates. The entries are of objectclass certificationAuthority and contain the attributes cACertificate;binary, authorityRevocationList;binary and certificateRevocationList;binary. This might require extending schemas on LDAPv2 servers. Have a look at your LDAP server's configuration documentation.
- certs2ldap.py
- Send all certs and CRLs to an LDAP repository.
- copy-cacerts.py
- Copy all CA certificates defined in an OpenSSL configuration to a bundled PEM file or a directory with hash-named symbolic links. This is quite handy in conjunction with ApacheSSL or Apache with mod_ssl for copying the files for SSLCACertificateFile or SSLCACertificatePath.
- ns-jsconfig.py
- Create Javascript code containing all CA certificates defined in an OpenSSL configuration for use with the Netscape admin tool (creating netscape.cfg).
- print-cacerts.py
- This simple script prints all CA certs on stdout. It is intended to generate authentic printouts (on paper!) of the CA certs' fingerprints and is typically run on the private CA system.
Choose the option --html to generate more nicely formatted HTML output instead of the default textual output in ISO-8859-1.
- ns-jsconfig.py
- Create a Javascript file to be included in a Netscape configuration file (netscape.cfg).
The scripts in this section handle administrative tasks.
- pickle-cnf.py
- Create a pickled copy of the OpenSSL configuration object for faster reading of the configuration. The pickle file name is the name of the OpenSSL configuration file plus .pickle.
- ca-make.py
- Generate a CA hierarchy, all necessary files and directories and all initial CRLs (see also the signedby extension in the OpenSSL configuration file). This is intended to be run as user root since it sets the ownership and permissions.
- ca-certreq-mail.py
- Handles the mail dialogue after a certificate request. The SPKAC certificate request and LDIF data are moved from the directory pend_reqs_dir to new_reqs_dir. Set this script in your /etc/aliases, procmailrc or similar to receive mails for the address specified in caCertReqMailAdr.
- ca-cycle-pub.py
- This script is typically run by the CA admin user via CRON or a similar task manager on a networked system holding the public certificate data. It does several jobs:
- Publish new certificates and inform the user via e-mail where to download the certificate.
- Remove stale certificate requests from pend_reqs_dir.
- Spool certificate requests and certificate revocation requests to the system holding the CA's private keys. (not implemented yet)
- Spool certificates and certificate revocation lists from the system holding the CA's private keys. (not implemented yet)
- ca-cycle-priv.py
- This script is run on the system where the private keys of the CA are stored. It does several jobs:
- Mark expired certificates in the OpenSSL certificate database
- Generate new CRLs, move old CRLs to archive (not implemented yet)
- Process certificate requests and certificate revocation requests (not implemented yet)
- Spool certificate database, issued certificates and CRLs to public WWW and LDAP server (not implemented yet)
Several CGI-BIN programs provide comfortable user access to the PKI.
- browser-check.py
- Checks the SSL and key generation capabilities of a browser. This is very handy for finding out whether a certain web client has sufficient capabilities for the certification process or your policy.
So far, this CGI-BIN program only makes sense when invoked on a server running ApacheSSL or Apache with mod_ssl with "SSLOptions +CompatEnvVars" set in httpd.conf.
- ca-index.py
- Show a clickable table of CA data in the OpenSSL configuration file openssl.cnf.
- client-enroll.py
- Generate a certification request with your favourite web browser.
- cert-query.py
- Query the OpenSSL certificate database to search for e-mail certificates.
- view-cert.py
- Display a certificate or CRL.
- get-cert.py
- Load a certificate or CRL.
- ns-check-rev.py
- On-line verification of a certificate
- ns-revoke.py
- Revoke a certificate, checking the client certificate.
- scep.py
- Experimental support for Cisco's Simple Certificate Enrollment Protocol (SCEP)
misc. modules
Page last modified: Saturday, 20-Jan-2001 16:43:40 CET