XCA, Tool for managing certificates and private/public keys

From the XCA home page:

X Certificate and Key management: This application is intended for creating and managing X.509 certificates, certificate requests, RSA, DSA and EC private keys, Smartcards and CRLs. Everything that is needed for a CA is implemented. It uses the OpenSSL library for the cryptographic operations.

Good:

  • Smart-Cards via PKCS#11 interface

In the figure below, the CA's root private key has been created and used to self-sign the CA root certificate. The keys and certificates are stored in the “test.xdb” database file.

XCA-1

In the figure below, the CA's root private key has been created on the smart card and used to self-sign the CA root certificate. The root key on the smart card is protected by a PIN. The other keys and certificates are stored in the “XCA-aventra.xdb” database file.

XCA-2

Tips

  • Protect your xdb file
  • XCA uses OpenSC to access the smart card via PKCS#11. In the menu File->Options, one can add a vendor-specific PKCS#11 provider. For the Aventra MyEID smart card, one can use “C:\Program Files\Fujitsu Services\ActiveSecurity MyClient\Cryptoki.dll”.
