lwithers-ca is a really simple CA (certificate authority), using the openssl commandline client, implemented using a few bash scripts. I wrote it one evening because I needed a simple CA, and to be able to generate a few keys and revoke some of them. Using the existing CA we had was painful in the first place, and hacking on it, when it didn't exhibit the correct behaviour, was very hard. This CA is pretty minimal, which means it's easy to see how to fix or otherwise kludge it.


This is an extremely simple commandline certificate authority (CA) that
has support for generating a private key, self-signed root certificate,
and for signing and revoking user keys (and for generating user keys and
certificate signing requests).


Run ./make.sh once. This will create any necessary files. You'll be
asked a bunch of questions by openssl about your new root certificate.
The CommonName should generally match the domain name you're interested

The root certificate is in root/ca.crt .

User keys

You can create a new user key and certificate signing request by
changing to the users/key directory and running ./make.sh "username".
Alternatively, you can create the key elsewhere and drop its CSR
into users/csr/"username".csr .

Then run ./make.sh, which will sign the CSR (resulting in
users/cert/"username".crt) and, if the private key is available, will
create a PKCS#12 file suitable for import into mail clients etc. in
users/pkcs12/"username".p12 .


Run ./revoke.sh username [...]

This will generate root/crl.pem .
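
The sign, revoke and CRL steps described above, reproduced with plain openssl commands as an added example (not lwithers-ca's own scripts; the config file, the temporary directory layout and the user name alice are assumptions). It also shows that a revoked certificate keeps verifying unless the verifier is handed the CRL and told to check it.

```shell
# Added example, not lwithers-ca code: names and layout are assumptions, all in a temp dir.
ca_demo() (
    d=$(mktemp -d) || exit 1
    trap 'rm -rf "$d"' EXIT
    cd "$d" || exit 1
    mkdir root users newcerts
    : > index.txt; echo 01 > serial
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
new_certs_dir = newcerts
serial = serial
certificate = root/ca.crt
private_key = root/ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = pol
[ pol ]
commonName = supplied
EOF
    q() { "$@" >/dev/null 2>&1; }   # run quietly, keep the exit status
    # Root key + self-signed root certificate (the product of the first ./make.sh run).
    q openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Root CA" -keyout root/ca.key -out root/ca.crt || exit 1
    # User key + CSR, then the CA signs the CSR.
    q openssl req -config ca.cnf -new -newkey rsa:2048 -nodes \
        -subj "/CN=alice" -keyout users/alice.key -out users/alice.csr || exit 1
    q openssl ca -config ca.cnf -batch -notext -in users/alice.csr -out users/alice.crt || exit 1
    q openssl verify -CAfile root/ca.crt users/alice.crt && before=valid || before=invalid
    # Revoke the certificate and publish a CRL (the job of ./revoke.sh).
    q openssl ca -config ca.cnf -revoke users/alice.crt || exit 1
    q openssl ca -config ca.cnf -gencrl -out root/crl.pem || exit 1
    # A verifier that never loads the CRL still accepts the revoked certificate.
    q openssl verify -CAfile root/ca.crt users/alice.crt && nocrl=valid || nocrl=invalid
    q openssl verify -CAfile root/ca.crt -CRLfile root/crl.pem -crl_check users/alice.crt \
        && withcrl=valid || withcrl=rejected
    echo "before=$before no_crl=$nocrl with_crl=$withcrl"
)
ca_demo   # expected: before=valid no_crl=valid with_crl=rejected
```

Revocation only takes effect where root/crl.pem is distributed to relying parties and they enable CRL checking; regenerate it before the period set by default_crl_days runs out.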


You can download the latest version by cloning the git repository:

git clone git://git.lwithers.me.uk/lwithers-ca

Released Files

Version  Date      Source    GPG Signature (key)  Dependencies
1.0.0    20061012  .tar.bz2  .tar.bz2.asc

Older releases may be found here.