Key Management Infrastructure
In English: Public Key Infrastructure (PKI).
See:
Software
PKIF & Webcullis
The PKI Framework
http://pkif.sourceforge.net
Webcullis, Simple PKI-based access control for the Web. Webcullis
is a security plug-in for multiple https servers. It is designed to strengthen
the web server's ability to limit access to files based on certificate policy or name
constraints when the server implements X.509 PKI-based authorization schemes.
http://pkif.sourceforge.net/webcullis.html
EJBCA
OpenCA
OpenSSL
XCA
http://xca.hohnstaedt.de
a short doc
XCA is a graphical user interface for creating RSA/DSA/ECC keys, certificates, signing requests and revocation lists.
With XCA certificate signing and managing becomes an easy task.
It supports keys on SmartCards via the PKCS#11 library interface. Usually the manufacturer of your card provides an appropriate PKCS#11 library. By default it uses the OpenSC library.
Supported Operating systems:
Linux
Windows
Mac OS X
other Unix variants
Time Stamping
OpenTSA
http://www.opentsa.org
The aim of the OpenTSA project is to develop an RFC 3161 compliant, stable, secure, open source and free time stamping authority client and server application. The following deliverables have already been produced:
Time Stamp patch for OpenSSL: The time stamp request creation, response generation and response verification functionality is implemented as an extension to the latest stable version of OpenSSL. This patch adds a new ts command to OpenSSL with which the time stamping operations can be carried out. This patch and the time stamp client have been merged into the official version of OpenSSL and will be available from openssl-0.9.9 onwards.
Time Stamp client: A simple command-line driven TSA client that can be used for creating and sending time stamp requests over HTTP or HTTPS to a TSA and for receiving and verifying the responses. The utility is distributed with the OpenSSL Time Stamp patch.
Time Stamp module for Apache: This package is an extension module for the latest stable version of the Apache HTTP server. Using the functionality of the OpenSSL Time Stamp patch, this module functions as an RFC 3161 compliant time stamp server over the HTTP and HTTPS transport protocols; issued time stamp tokens can be stored in a MySQL or a FireBird database.
With the Microsoft SDK
Create the X.509 certificate with makecert.exe. Specify that the private key is to be exported (*.pvk) and, above all, mark the X.509 certificate as exportable, which lets the next step include the private key.
Then use the pvk2pfx.exe tool, which bundles the private key with the certificate, to generate the .pfx or .p12 file (they are the same thing nowadays).
D:\projs> makecert.exe -r -pe -n "CN=TOTO-SSO" -b 01/04/2010 -e 01/04/2020 -sky signature -sv TOTO-SSO.Private.pvk TOTO-SSO.cer
Succeeded
D:\projs> pvk2pfx.exe -pvk TOTO-SSO.Private.pvk -spc TOTO-SSO.cer -pfx TOTO-SSO.pfx
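The same two steps done with OpenSSL (listed above among the tools), as an added example that is not part of the original page: a self-signed certificate with its private key, then the PKCS#12 bundle, followed by a check that the bundle really carries a private key matching the certificate. It assumes an openssl binary (1.1.1 or later) in PATH; the passphrase is a constructed value and TOTO-SSO is the name from the page.

```shell
#!/bin/sh
# Added example (not from the page): makecert.exe / pvk2pfx.exe equivalents with OpenSSL.
set -eu

# Step 1 (makecert -r -pe -sky signature -b/-e): self-signed certificate for CN=$1,
# signature-only key usage, ~10 years validity. The key is written unencrypted,
# which corresponds to the exportable .pvk on the page.
make_cert() {
  name=$1
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3652 \
    -subj "/CN=$name" -addext "keyUsage=critical,digitalSignature" \
    -keyout "$name.key" -out "$name.cer" 2>/dev/null
}

# Step 2 (pvk2pfx -pvk ... -spc ... -pfx ...): bundle key + certificate into PKCS#12.
# The .pfx now holds the private key, so it is protected with a passphrase.
make_pfx() {
  name=$1; pass=$2
  openssl pkcs12 -export -inkey "$name.key" -in "$name.cer" \
    -name "$name" -out "$name.pfx" -passout "pass:$pass"
}

# Check: pull the private key back out of the bundle and compare its public half
# (DER, hashed) with the certificate's public key. Prints "match" or "mismatch".
# A wrong passphrase yields no key and therefore "mismatch".
check_pfx() {
  name=$1; pass=$2
  key_pub=$(openssl pkcs12 -in "$name.pfx" -nocerts -nodes -passin "pass:$pass" 2>/dev/null \
            | openssl pkey -pubout -outform DER 2>/dev/null | openssl sha256)
  cert_pub=$(openssl x509 -in "$name.cer" -pubkey -noout \
            | openssl pkey -pubin -pubout -outform DER | openssl sha256)
  if [ "$key_pub" = "$cert_pub" ]; then echo match; else echo mismatch; fi
}

# Stand-alone run: work in a scratch directory so no files land in the caller's tree.
cd "$(mktemp -d)"
make_cert TOTO-SSO
make_pfx TOTO-SSO constructed-passphrase        # constructed passphrase, not from the page
echo "TOTO-SSO.pfx: $(check_pfx TOTO-SSO constructed-passphrase)"
```

`openssl pkcs12 -in TOTO-SSO.pfx -info -nokeys` lists the bundle's contents if you want to inspect it by hand.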
With the JDK (Java SDK)