openWebPKI  |  open source PKI Web GUI project
Overview
Welcome!

openWebPKI is a free and open source PKI solution which can be used to generate X.509 certificates based on French e-Government standard profiles (according to the RGS v2.3 recommendation - formerly known as the PRIS - published by the DGME & the ANSSI) and manage their life cycle using a web-based interface. Moreover, openWebPKI generates certificates whose profiles are compliant with RFC 3739 (qualified certificates profile) published by the IETF. openWebPKI was designed to be a user-friendly, turnkey solution (as opposed to other pieces of software). openWebPKI is fully based on open source software, including Apache, PHP and OpenSSL.

Caveat: openWebPKI uses plain text and XML files to store data (as opposed to an RDBMS or an LDAP directory); as a consequence, the management of concurrent accesses is limited.

Disclaimer: the author provides absolutely no warranty whatsoever regarding the use of openWebPKI. This solution should not be used in a production environment without carrying out a proper risk analysis beforehand, and the operational use of the solution should take into consideration the security stakes at hand, as prescribed and endorsed by e.g. the Certificate Authority's Certification Policy, a full-scale audit of the assets that are to be protected by the delivered certificates. The author shall not be liable for any indirect, special, incidental, punitive, cover or consequential damages (including, but not limited to, damages for the inability to use equipment or access data, loss of business, loss of profits, business interruption or the like), arising out of the use of, or inability to use, openWebPKI and based on any theory of liability including breach of contract, breach of warranty, tort (including negligence), product liability or otherwise, even if the author has been advised of the possibility of such damages and even if a remedy set forth herein is found to have failed of its essential purpose.
Hierarchy definition example
                                           _________
                                          /         \
                                          +---------+
                                          | CA Root |
                                          +----+----+
                                               |
                           +-------------------+-------------------+
                           |                   |                   |
                      +----+----+         +----+-----+        +----+----+
                      | Servers |         | End user |        |  Usage  |
                      +----+----+         +----+-----+        +---------+
                           |                   |
                          TSA          +-------+---------+
                         https         |                 |
                          ...    +-----+-----+     +-----+-----+
                                 | Profile 1 |     | Profile 2 |
                                 +-----------+     +-----------+

Features
  • Open source architecture & multiple Web browser compliance
  • CA hierarchy customization (infinite leaves derivation)
  • Safe authentication & operations logging option
  • Certificate generation (CSR, PKCS#12 & CAPICOM)
  • Operations mass processing via XML database
  • Multiple certificate profiles & usage (authentication, signature...)
  • Certificates life cycle management (expiration detection & renewal)
  • SmartCard support (CAPICOM) or PKCS#12 password strength test
  • Certificate revocation & status checking (CRL & OCSP)
  • OCSP server availability for each Certification Authority
  • Certificate Revocation Lists publication (CRL distribution point)
  • Time Stamping Authority availability (RFC 3161)
  • Conformity with the French e-Government (RGS v2.2)
  • Conformity with the qualified certificates profile (RFC 3739)
See [ ChangeLog ] to get more details

Technical specifications
  • Web server: Apache
  • Shell scripts: PHP & batch
  • Compression tool: 7-Zip
  • Cryptographic libraries: OpenSSL, SHA-256 JavaScript implementation & MCrypt

Apache modules
mod_auth_digest
mod_authz_host
mod_actions
mod_alias
mod_cgi
mod_dir
mod_env
mod_log_config
mod_mime
mod_mime_magic
mod_negotiation
mod_setenvif
mod_ssl

PHP extensions
php_mbstring
php_mcrypt
php_openssl

See [ installation notice ] to get more details

News
May, 5th 2009: openWebPKI version 3.0 - Validation & Time Stamping Authority version - is available!
  • [ Evolution ] Time-stamping service availability
  • [ Evolution ] OCSP responder availability for each authority
  • [ Evolution ] Generated certificates qualified profile compliance
  • [ Evolution ] Key usage choice in forms before certificate generation
  • [ Improvement ] Single OpenSSL configuration file (openwebpki.cnf)
  • [ Improvement ] SHA-256 message digest algorithm usage generalization
  • [ Improvement ] OpenSSL v0.9.8k | 7-Zip v4.65 | Apache v2.2.11 | PHP v5.2.9
See [ ChangeLog ] to get more details

Development roadmap (evolutions)

  • PHP v6.0 & OpenSSL v1.0.0 releases integration
  • If possible: complete conversion of script calls from batch to native PHP
    (some limitations remain with several OU fields during CSR generation)
Download & installation

Resource                             Type    Size      SHA-256 hash value
Full package                         Win32   4.2 MB    e7967c2b157314ae40fd080144c6079da31f2a45d6c84ab9bd5851a2f1fea7e9
Stand alone PHP scripts                      149 KB    6a2c5ba6a83fbbf378888b4a814c983d4ee87f7f9b746b08af1b96b50843198d
Visual C++ Redistributable Package           2.6 MB    3453e87aa523e54f07337abe75c047b1e827c02b105a92028dc55dede9f97ffb

1st option - Step-by-step installation

Install every required component (see the links heading for details) and adjust the default paths if you are installing openWebPKI on a Linux operating system.

2nd option - Automated installation

Currently, this installation is only available on Microsoft Windows operating systems. The archive bundles every required component.
  1. Get the full distribution: download the archive & uncompress it into the folder [ C:\Program Files\ ]
  2. Launch the script [ C:\Program Files\Apache\bin\install.bat ] and follow the procedure.
  3. Finally, connect to the openWebPKI Web user interface (default access options example):
URL [ https://127.0.0.1/ ] => Login [ operator ] => Password [ openWebPKI ]

See [ installation notice ] to get more details

openWebPKI - ChangeLog
----------------------

General note
~~~~~~~~~~~~
# Encoding format    UTF-8 / PC
# File contents      Improvements, new features, migrations, corrections, security patches...
# Official Web site  http://www.pki.online.fr/
# Author's Web site  http://www.cymc.online.fr/
# Downloading sites  See the links heading on the Web site
# Development        Cedric CLEMENT - cedric.clement@gmail.com
                     Thanks to Sebastien PUJADAS for keeping the OpenSSL compilation always up-to-date
                     Thanks to Pierre LAGNIER for his help debugging the time-stamping service
                     Thanks to Thomas ROHDE for the German translation

openWebPKI features
~~~~~~~~~~~~~~~~~~~
# Secured cryptographic module & interface
  - Architecture based exclusively on open source tools
  - Safe authentication (login / password) or strong authentication (user certificate & LDAP connection)
  - Automated Key Ceremony script with CA hierarchy customization (infinite derivation)
  - Web user interface multi-browser compliance (browser detection for specific abilities)
  - Operations logging option & store archiving

# Certificate generation
  - 3 forms modes: CSR post (PKCS#10), PKCS#12 & CAPICOM (MS IE only via CSP)
  - Multiple certificate profiles (authentication, signature, encipherment usage...)
  - Operations mass processing via XML database with XML schema validation for posted files
  - SmartCard support through the Microsoft CAPICOM (xenroll.cab) or PKCS#12 with password strength test
  - Conformity with the RGS v1.0 recommendation (French e-Government) for generated certificates & CRL profiles
  - Conformity with the Qualified Certificates Profile (RFC 3739)
   
# Validation & certificates life cycle management
  - Certificate expiration date detection & renewal
  - Certificate revocation & status checking (CRL & OCSP)
  - OCSP server availability for each Certification Authority
  - Certificate Revocation Lists publication (CRL distribution point)

# Time Stamping Authority
  - Time-stamping service availability over HTTPS (in conformity with the RFC 3161)
  - Time-stamp request & time-stamp token generation & visualisation
  - Request or token ASN.1 parsing display (dump visualisation)
   
Implemented standards
~~~~~~~~~~~~~~~~~~~~~
# Cryptography
  - PKCS#1  RSA key pair generation           http://www.ietf.org/rfc/rfc3447.txt
  - PKCS#7  Signed certificate file format    http://www.ietf.org/rfc/rfc2315.txt
  - PKCS#8  Private key file format           http://www.ietf.org/rfc/rfc5208.txt
  - PKCS#10 CSR file format                   http://www.ietf.org/rfc/rfc2986.txt
  - PKCS#11 SmartCard dialog                  http://www.rsa.com/rsalabs/node.asp?id=2133
  - PKCS#12 Certificate & private key file    http://www.rsa.com/rsalabs/node.asp?id=2138
  - X.509v3 Certificate & CRL profile         http://www.ietf.org/rfc/rfc5280.txt
  - X.509QC Qualified Certificates Profile    http://www.ietf.org/rfc/rfc3739.txt
  - OCSP    Online certificate validation     http://www.ietf.org/rfc/rfc2560.txt
  - TSP     Time-Stamp Protocol               http://www.ietf.org/rfc/rfc3161.txt
  - ASN.1   Generic string encoding rules     http://www.ietf.org/rfc/rfc3641.txt
  - Base64  Base64 file encoding              http://www.ietf.org/rfc/rfc4648.txt
  - AES     Standardized Rijndael             http://www.ietf.org/rfc/rfc3268.txt
  - 3-DES   Triple-DES encryption             http://www.ietf.org/rfc/rfc3217.txt
  - SHA-256 Secure Hash Algorithm             http://www.ietf.org/rfc/rfc4634.txt
  - HTTPS   HTTP Over SSL (TLS)               http://www.ietf.org/rfc/rfc2818.txt
  - SSLv3   Secure Sockets Layer              http://tools.ietf.org/id/draft-ietf-tls-ssl-version3-00.txt

# Presentation
  - XHTML      v1.1   http://www.w3.org/TR/xhtml11/
  - CSS        v3.0   http://www.w3.org/Style/CSS/
  - XML        v1.1   http://www.w3.org/XML/
  - XML Schema v1.1   http://www.w3.org/XML/Schema/
  - XPath      v2.0   http://www.w3.org/TR/xpath20/
  - JavaScript v1.6   http://www.ecmascript.org/docs.php
  - RegEx      vN/A   http://www.regular-expressions.info/

openWebPKI v3.2
~~~~~~~~~~~~~~~
# [Release]     [Standard]      Happy new year version - January, 7th 2010
# [Improvement] [Configuration] Minor CA certificate profiles correction regarding the RGS compliance
# [Improvement] [Interface]     Useless Locality <L> field deletion in each profile
# [Improvement] [Mass process]  <subjectAltName> CSR extension preservation (<copy_extensions> option)
# [Improvement] [Mass process]  <SAN> field consideration ability in CSR mass signature module
# [Improvement] [Software]      7-Zip compression tool v9.10 release integration
# [Improvement] [Software]      PHP v5.3.1 release integration
# [Improvement] [Software]      cURL v7.20.0 release integration

openWebPKI v3.1
~~~~~~~~~~~~~~~
# [Release]     [Standard]      Security improvement version - No official publication date (Q3 2009)
# [Evolution]   [Security]      Maximum attempts lock mechanism during operator login (<Lock*> tags)
# [Evolution]   [Validation]    <email> moved from <DN> to <subjectAltName> when the field is activated
# [Evolution]   [Validation]    <SAN> & <keyUsage> extensions addition in CSR (not considered anyway)
# [Evolution]   [Configuration] Page encoding charset option (<Charset> tag)
# [Improvement] [Software]      OpenSSL v1.0.0 beta 3 integration (library & executable)
# [Improvement] [Software]      PHP v5.3 release integration
# [Improvement] [Software]      cURL v7.19.5 release integration
# [Improvement] [Software]      7-Zip compression tool v9.06 release integration
# [Improvement] [Security]      Shell command calls limitation in KC & reset script increasing Linux compliance
# [Improvement] [Security]      Deprecated <ereg> functions replacement by <preg> functions (PHP v5.3)
# [Improvement] [Security]      Native password strength test PHP function (no more call to CrackLib)
# [Improvement] [Security]      <php.ini> configuration file hardening (default options deletion)
# [Improvement] [Interface]     German translation addition in configuration file (thanks to Thomas ROHDE)
# [Improvement] [Interface]     <CRLdp>, <OCSP>, <SAN> & <qcStatements> X.509 structure display
# [Improvement] [Interface]     <CRLdp>, <OCSP> & <SAN> dynamic HTTP testing link in X.509 structure display
# [Improvement] [Interface]     Minor code optimization & bugs corrections
# [Improvement] [Interface]     Accents & special latin characters (ISO 8859-1) allowed in form fields
# [Improvement] [Interface]     Character <*> now allowed for Server CN (<*.example.com>)
# [Improvement] [Interface]     Google Chrome & Apple Safari browsers detections
# [Improvement] [Validation]    <printableString> to <UTF8String> encoding in certificates & CRL profiles
# [Improvement] [Validation]    <QcCompliance> & <QcSSCD> ASN.1 encoding addition in <qcStatements>
# [Improvement] [Mass process]  Dedicated PKCS#12 password option for each certificate (<PKCS12Password> tag)

openWebPKI v3.0
~~~~~~~~~~~~~~~
# [Release]     [Standard]      Complete compliance with RGS v2.2 version - May, 5th 2009
# [Improvement] [Configuration] <certificatePolicies> extension indication option addition (<PolicyOID=none> tag)
# [Improvement] [Configuration] Single OpenSSL configuration file (<openwebpki.cnf>)
# [Improvement] [Time Stamping] Generated time-stamp tokens in conformity with the RGS v2.2
# [Improvement] [Time Stamping] <tsr.bat> script customization in <kc.php> in order to test the TSA service 
# [Improvement] [Mass process]  PKCS#12 chain export option & default option (configuration)
# [Improvement] [Validation]    <crlNumber> extension addition in generated CRL v2.0 (full RGS v2.2 compliance)
# [Improvement] [Validation]    <qcStatements> extension addition for <keyUsage=nonRepudiation> (RFC 3739)
# [Improvement] [Validation]    Database parsing enhancement to allow <unique_subject> OpenSSL option consideration
# [Improvement] [Security]      SHA-256 algorithm usage generalization (including signature: sha256RSA)
# [Improvement] [Security]      <basicConstraints> extension marked as critical in end entities certificates
# [Correction]  [Validation]    Certificate revocation troubleshooting (<-name> OpenSSL ca option)

openWebPKI v2.9
~~~~~~~~~~~~~~~
# [Release]     [Major]         Time Stamping Authority version - April, 16th 2009
# [Evolution]   [Time Stamping] TSA abilities due to new <ts> command in OpenSSL v1.0.0 (beta 2)
# [Evolution]   [Time Stamping] TSA certificate generation during Key Ceremony (<extendedKeyUsage=timeStamping>)
# [Evolution]   [Time Stamping] Time-stamping service availability (URL: https://[FQDN]/ts.php)
# [Evolution]   [Time Stamping] Time-stamp request & token generation forms
# [Evolution]   [Time Stamping] Request or token ASN.1 parsing display form
# [Evolution]   [Time Stamping] <tsr.bat> script addition in order to test TSA service availability
# [Improvement] [Interface]     CAPICOM functions calls Visual Basic script externalization (<capicom.vbs>)
# [Improvement] [Software]      cURL v7.19.4 release integration
# [Improvement] [Security]      Signature algorithm parameter in CSR generation (default <sha256WithRSAEncryption>)
# [Improvement] [Security]      CRL distribution points & TSA service information display during Key Ceremony
# [Improvement] [Security]      <SSLCADNRequestPath> directive addition in strong authentication (mod_SSL module)

openWebPKI v2.8
~~~~~~~~~~~~~~~
# [Release]     [Standard]      Key usage high customization version - No official publication date (Q2 2009)
# [Evolution]   [Store]         Dynamic table row deletion & Ajax XMLHTTPRequest for file deletion
# [Evolution]   [Validation]    CRL distribution point automatic indication in certificates profiles
# [Evolution]   [Validation]    <certificatePolicies> indication (conformity with qualified certificate profile)
# [Evolution]   [Interface]     Key usage choice in forms before certificate generation (fields form & CSR post)
# [Evolution]   [Mass process]  Key usage tag for each generation (<KU> tag in mass XML file)
# [Evolution]   [Configuration] Key usage options for each defined Authority (<KeyUsage> tag) 
# [Evolution]   [Configuration] <certs.bat> script addition in order to auto-enroll generated certificates
# [Improvement] [Configuration] Forced issued certificate subject uniqueness per CA via <unique_subject> option
# [Improvement] [Configuration] Browser default language autodetection: [auto] option addition in <Locale> tag
# [Improvement] [Interface]     Key usage display for submitted certificate
# [Improvement] [Interface]     Accents & special latin characters (ISO 8859-1) replacement in posted filename
# [Improvement] [Software]      OpenSSL v0.9.8k release integration (library & executable)
# [Improvement] [Software]      7-Zip compression tool v4.65 release integration
# [Improvement] [Software]      Apache v2.2.11 HTTP server integration
# [Improvement] [Software]      PHP v5.2.9 release integration
# [Improvement] [Security]      SHA-256 message digest algorithm usage for authentication (login/password couple)
# [Correction]  [Security]      Default form method Google Chrome behavior login correction (thanks to SPU)
# [Correction]  [Interface]     Real-time time display Ajax request timeout under Microsoft Internet Explorer

openWebPKI v2.7
~~~~~~~~~~~~~~~
# [Release]     [Major]         Validation abilities version - No official publication date (Q1 2009)
# [Evolution]   [Store]         Table sorting ability for columns [Item] & [Size] ([sortable.js] library)
# [Evolution]   [Validation]    OCSP responder availability for each authority (<FQDN> & <OCSPPort> tags)
# [Evolution]   [Validation]    OCSP responders launching script dynamic generation (</private/oscp.bat>)
# [Evolution]   [Validation]    OCSP certificate generation during Key Ceremony (<extendedKeyUsage=OCSPSigning>)
# [Evolution]   [Validation]    OCSP server indication in certificates profiles (<authorityInfoAccess>)
# [Evolution]   [Validation]    3 certificate status checking methods: CRL update | OCSP request | CA database 
# [Evolution]   [Validation]    First CRL generations & publications during Key Ceremony
# [Evolution]   [Validation]    OpenSSL <x509> replacement by <ca> command in order to constitute the OCSP DB
# [Evolution]   [Validation]    Expired certificates database automatic update (<openssl ca -updatedb ...>)
# [Evolution]   [Validation]    Duplicated DN detection (<ExistingDN> tag - Certification Policy rules respect)
# [Evolution]   [Validation]    Database file parsing with revoked certificates only (lines beginning with <V>)
# [Evolution]   [Interface]     Server time real-time display via Ajax XMLHTTPRequest (<UpdateTimeDelay> tag)
# [Evolution]   [Security]      Cipher & digest algorithms configuration checking (else default: aes256 | sha1)
# [Evolution]   [Security]      PKCS#12 3-DES certificate forced encryption (<openssl pkcs12 -descert> option)
# [Evolution]   [Security]      PKCS#12 private key encryption choice: aes256 | des3 (<PKCS12Algorithm> tag)
# [Evolution]   [Security]      Symmetric encryption choice: Rijndael-256 | 3-DES (<CipherAlgorithm> tag)
# [Improvement] [Security]      DN construction policy checking ([policy_match] section in <ca-*.cnf> files)
# [Improvement] [Security]      Key Ceremony script actions logging
# [Improvement] [Security]      Default Apache HTTP server configuration file hardening
# [Improvement] [Security]      OpenSSL mandatory configuration file hardening
# [Improvement] [Security]      Implemented standards exhaustive list in documentation (I hope...)
# [Improvement] [Security]      Cryptographic module & Web server information display during Key Ceremony
# [Improvement] [Security]      OpenSSL random seed file (<RANDFILE>) always hosted in the </private/> section
# [Improvement] [Security]      OpenSSL default configuration file deletion (/usr/local/ssl/openssl.cnf)
# [Improvement] [Software]      OpenSSL v0.9.8j release integration (library & executable)
# [Improvement] [Software]      7-Zip compression tool v4.64 release integration
# [Improvement] [Scripts]       Integration in native PHP code in order to improve Linux compliance
# [Improvement] [Scripts]       Whole scripts & directory deletion </scripts/*.bat> (PHP direct calls)
# [Improvement] [Mass process]  CSR & certificate mass generation table display
# [Improvement] [Configuration] Single OpenSSL configuration file per Authority (<ca-name.cnf>)
# [Improvement] [Configuration] Extensions & configuration file merging (<ca-name.cnf> & <ca-name-ext.cnf>)

openWebPKI v2.6
~~~~~~~~~~~~~~~
# [Release]     [Major]         First internationalized version - October, 22nd 2008
# [Evolution]   [Interface]     Module activation/deactivation option for each section (<Activation> tag)
# [Evolution]   [Interface]     Localization (L10n) & Internationalization compliance (I18n) (<I18n> node)
# [Evolution]   [Interface]     French language translation availability (<Site lang="fr"> tag)
# [Evolution]   [Mass process]  Random password generation & logging for each certificate or CSR generated
# [Evolution]   [Mass process]  XML schema validation status display
# [Improvement] [Configuration] Certificate status validation messages customization
# [Improvement] [Configuration] Dates format display depending on locale definition
# [Improvement] [Configuration] Invalid XML database & X.509 format messages customization
# [Improvement] [Configuration] CAPICOM VBScript messages customization
# [Improvement] [Configuration] CRL signature algorithm customization
# [Improvement] [Interface]     Border color customization (<Color> tag)
# [Improvement] [Interface]     Table width definitions (<Width> & <STRFileChars> tags)
# [Improvement] [Interface]     Browser detection for CAPICOM functions calls (IE only)
# [Improvement] [Interface]     Enhanced errors management in each form
# [Improvement] [Software]      OpenSSL v0.9.8i release integration (library & executable)
# [Improvement] [Store]         Forced download for all files in order to avoid browser Base64 ASCII display
# [Improvement] [Store]         Archiving process customization (<ArchivesExt> & <ArchivesUsersExt> tags)
# [Improvement] [Store]         Item deletion option also available for archive repository
# [Improvement] [Store]         Archives repository management enhancement
# [Improvement] [Security]      File download hardening (only available in the public or archives repository)
# [Correction]  [Interface]     Filename truncation during download due to URL encoding (RFC 1738)
# [Correction]  [Mass process]  Error catch when decompressing archive without any CSR (empty directory)

openWebPKI v2.5
~~~~~~~~~~~~~~~
# [Release]     [Major]         First customizable hierarchy version - February, 11th 2008
# [Evolution]   [Store]         Certificate Revocation Lists expiration date display
# [Evolution]   [Store]         Users-data-only archiving function addition
# [Evolution]   [Store]         Archive folder display
# [Evolution]   [Security]      Operator account safe storage (3-DES encryption & Base64 encoding)
# [Evolution]   [Configuration] Infinite Certification Authorities leaves derivation (<Authority> nodes)
# [Evolution]   [Configuration] Parameterization modernization (using XPath instead of exploding array)
# [Evolution]   [Configuration] Authorities Certificates common configuration (<CACommonCNF> tag)
# [Evolution]   [Configuration] Certificates DN common construction customization (OpenSSL options)
# [Evolution]   [Configuration] Independent CRL validity period for each certification authority
# [Evolution]   [Configuration] Independent authorities certificates validity period (<CACRTValidity> tag)
# [Evolution]   [Configuration] SSL certificate CA signature customization (<SSLCertIssuer> tag)
# [Evolution]   [Configuration] Form fields JavaScript errors customization (<ErrorEmail> & <ErrorOU1> tags)
# [Improvement] [Configuration] High factorization & code compression (15 % due to variables instantiations)
# [Improvement] [Interface]     Minor corrections (field content JavaScript checking...)

openWebPKI v2.4
~~~~~~~~~~~~~~~
# [Release]     [Major]         Security improvement version - January, 31st 2008
# [Evolution]   [Security]      Password safety enhancement (3-DES encryption & Base64 encoding storage)
# [Evolution]   [Configuration] CAPICOM user protection default option
# [Evolution]   [Configuration] CAPICOM private key exportable default option
# [Evolution]   [Configuration] PKCS#12 random password generation default option
# [Evolution]   [Configuration] PKCS#12 chain export default option
# [Evolution]   [Configuration] Key length options list customization
# [Evolution]   [Configuration] Certificate validity options list customization
# [Evolution]   [Software]      License merging to Creative Commons (by-nc-nd)
# [Evolution]   [Software]      Strong cryptography use restriction warning addition
# [Improvement] [Software]      OpenSSL v0.9.8g release integration (library)
# [Improvement] [Scripts]       Reset script migration from batch to PHP
# [Improvement] [Interface]     Certificate forms fields factorization
# [Improvement] [Interface]     Server date & time addition in page title
# [Correction]  [Interface]     Minor corrections (CSS font color...)
# [Correction]  [Security]      String buffer overflow vulnerability

openWebPKI v2.3
~~~~~~~~~~~~~~~
# [Release]     [Major]         Certificates life cycle management version - January, 23rd 2008
# [Evolution]   [Store]         Certificates expiration date detection & renewal
# [Evolution]   [Store]         Files name nomenclature simplification
# [Evolution]   [Store]         File by file archiving option
# [Evolution]   [Mass process]  XML Schema validation and errors notifications for submitted files
# [Improvement] [Security]      Posted data regular expressions server-side validation
# [Improvement] [Interface]     OU format checking JavaScript function
# [Improvement] [Interface]     Progressive migration to Web 2.0 technologies
# [Improvement] [Configuration] PHP & BAT files names nomenclature renaming
# [Improvement] [CRL module]    ARL & CRL update choice dissociation
# [Improvement] [CRL module]    ARL & CRL update date & time display
# [Improvement] [Scripts]       File renaming scripts merging (CRL & certificate DN hash)

openWebPKI v2.2
~~~~~~~~~~~~~~~
# [Release]     [Major]         Improved code version - January, 16th 2008
# [Evolution]   [Scripts]       Full Key Ceremony scripts factorization
# [Improvement] [Software]      OpenSSL v0.9.8g release integration (command line only)
# [Improvement] [Software]      7-Zip v4.57 compression tool
# [Improvement] [Interface]     Full code optimization & pages factorization
# [Improvement] [Interface]     Full code XHTML validation (Tidy parsing)
# [Improvement] [Interface]     CSS optimization & validation warning deletion
# [Improvement] [Store]         Nuvola icons theme integration (Copyright (c) David Vignoni)

openWebPKI v2.1
~~~~~~~~~~~~~~~
# [Release]     [Standard]      Improved GUI version - October, 16th 2007
# [Improvement] [Interface]     e-mail format checking JavaScript function
# [Improvement] [Interface]     e-mail format validation submit condition
# [Improvement] [Interface]     Minor code corrections & optimizations
# [Improvement] [Interface]     User key validation for OU, O & L fields
# [Correction]  [Security]      HTTP header location redirection (instead of JavaScript)

openWebPKI v2.0
~~~~~~~~~~~~~~~
# [Release]     [Standard]      Software version upgrade - June, 21st 2007
# [Improvement] [Security]      CSR parsing & key length scripts deletion (thanks to PHP v5.2)
# [Evolution]   [Configuration] Default CRL outform option (configuration file: DER|PEM)
# [Improvement] [Configuration] Installation & reset scripts optimizations
# [Improvement] [Mass process]  XML parsing mistakes management
# [Improvement] [Interface]     Progressive merging to strict XHTML syntax
# [Improvement] [Interface]     Graphical validation pictures
# [Improvement] [Interface]     Mozilla Firefox v3.0 browser detection
# [Improvement] [Software]      OpenSSL v0.9.8e release integration
# [Improvement] [Software]      PHP v5.2.3 release integration
# [Correction]  [Interface]     JS getElementById omission in frmcrt.php
# [Correction]  [Interface]     XHTML NameSpace declaration omission in html tag

openWebPKI v1.9
~~~~~~~~~~~~~~~
# [Release]     [Standard]      Software version upgrade - May, 22nd 2006
# [Evolution]   [Store]         Entity ICD number addition in filenames
# [Improvement] [Interface]     HTML v4.01 to XHTML v1.0 code conversion
# [Improvement] [Interface]     Certificate status graphical display
# [Improvement] [Interface]     Certificate associated key length display
# [Improvement] [Interface]     Minor code corrections & optimizations
# [Improvement] [Software]      OpenSSL v0.9.8b release integration
# [Improvement] [Software]      Apache v2.2.2 HTTP server integration
# [Improvement] [Software]      7-Zip v4.42 compression tool integration
# [Improvement] [Software]      PHP v5.1.4 release integration

openWebPKI v1.8
~~~~~~~~~~~~~~~
# [Release]     [Standard]      Improved GUI version - March, 27th 2006
# [Evolution]   [Configuration] Digest algorithm strength (SHA-1|SHA-256|SHA-512|...)
# [Evolution]   [Store]         Item deletion option
# [Evolution]   [Store]         PHP graphic presentation (no more auto-indexation)
# [Improvement] [Store]         Links URL encoding compliance with RFC 1738
# [Improvement] [Software]      Apache auto-indexation module suppression
# [Improvement] [Configuration] Apache configuration file simplification
# [Improvement] [Interface]     CSS styles consolidation (JavaScript limitation)
# [Improvement] [Interface]     Status bar customization
# [Correction]  [Security]      Downloaded files filter
# [Correction]  [Interface]     Minor mistakes corrections

openWebPKI v1.7
~~~~~~~~~~~~~~~
# [Release]     [Major]         Mass processing abilities version - January, 24th 2006
# [Evolution]   [CSR module]    Automated issuer suggestion in validation form
# [Evolution]   [Configuration] Useless LDAP modules suppression
# [Evolution]   [Configuration] Fields default values
# [Evolution]   [Configuration] Default password
# [Evolution]   [Configuration] Error messages
# [Evolution]   [Mass process]  CSR generation (via XML database export)
# [Evolution]   [Mass process]  CSR signature  (via Zip or 7-Zip archive file)
# [Improvement] [Mass process]  XML parsing optimization
# [Improvement] [Mass process]  Errors management (empty or incorrect XML post)
# [Improvement] [Mass process]  One line Base64 encoding option (without Begin & End tags)
# [Improvement] [Interface]     CSS v2.1 compliance
# [Improvement] [Publication]   Issuer CN addition in signed CRT filenames
# [Improvement] [Publication]   Store archiving filters
# [Improvement] [Log module]    Nicer log file
# [Improvement] [CSR module]    Errors management
# [Improvement] [CSR module]    Visualisation
# [Improvement] [CSR module]    ASN.1 parsing optimization (through OpenSSL text output)
# [Improvement] [Software]      Apache v2.2 HTTP server integration
# [Improvement] [Software]      7-Zip v4.32 compression tool integration
# [Improvement] [Software]      PHP v5.1.2 release integration
# [Correction]  [Publication]   Store archiving failure when file already exists
# [Correction]  [Configuration] Boolean parameters misunderstanding
# [Correction]  [Security]      CAPICOM key exportation flag
# [Correction]  [Security]      HTTP post method & SSL v3.0 mutual authentication conjunction
# [Correction]  [Interface]     JavaScript onclick event management

openWebPKI v1.6
~~~~~~~~~~~~~~~
# [Release]     Major release - December, 3rd 2005
# [Evolution]   Certificates mass generation (via XML database export)
# [Evolution]   Smartcard support for each certificate profile (end user & application)
# [Evolution]   Full store contents download ability into compressed archive (7-zip file format)
# [Evolution]   Operator client certificate DN logging when mutual authentication SSL v3.0 is activated
# [Evolution]   serverAuth attribute extended Key Usage addition into Application Signature certificate profile
# [Improvement] Operations & passwords logging common modules
# [Improvement] Certificate store: sorting options, description, display optimization (icons & filters)
# [Improvement] Customized configuration file included in reset batch & initial config file restoration
# [Improvement] Certificate generation common code optimization
# [Improvement] Page title customization (title HTML tag)
# [Improvement] PHP v5.1.1 release integration
# [Improvement] CSR & XML database archiving
# [Correction]  Chain export trouble due to the Key Ceremony script avoiding CA certificates overwriting
# [Security]    No CA certificates download from the private container

openWebPKI v1.5
~~~~~~~~~~~~~~~
# [Release]     Standard release - Important corrective version
# [Evolution]   Generated certificate Base64 display
# [Evolution]   Logout functionality (better late than never...)
# [Evolution]   Smartcard support through the CAPICOM cryptographic API (xenroll.cab ActiveX)
# [Improvement] Full compliance with HTML v4.01 and CSS v2.0 (checked)
# [Improvement] Lighter and nicer graphical interface (CSS optimization)
# [Improvement] Apache v2.0.55 & LDAP abilities integration in order to operate LDAP authentication
# [Correction]  OpenSSL configuration file sometimes not found (I still don't know why)
# [Correction]  Return key wrong authentication submission in login form

openWebPKI v1.4
~~~~~~~~~~~~~~~
# [Release]     Major release
# [Evolution]   Two certificate generation modes (PKCS#12 & through the Microsoft CAPICOM cryptographic API)
# [Evolution]   Optional authentication (in order to be able to operate another stronger authentication way)
# [Evolution]   Unique certificate generation form (end user & application) 
# [Evolution]   Stored certificates & CRL archiving ability
# [Evolution]   Operations logging option (certificates life cycle & CRL update audit)
# [Evolution]   Certification chain export option into PKCS#12 file
# [Evolution]   Key size & validity period choice before certificate generation
# [Improvement] Session management
# [Improvement] Authentication form return key submission & default login field focus
# [Improvement] Certificate validity period dates display
# [Improvement] Lighter 7-Zip package size (around 10 per cent) due to openSSL executable dynamic compilation
# [Improvement] CRL update page-setting
# [Improvement] CRL distribution point access (https://[FQDN]/[PUBLIC]/ca-*-last.crl)
# [Improvement] Reset & Key Ceremony batch scripts optimization
# [Improvement] Certificate status checking optimization
# [Improvement] E-mail format checking JavaScript event addition
# [Correction]  Several various but non critical mistakes
# [Correction]  Version number incoherence in auto-indexing head
# [Correction]  Stupid (bool) variable type conversion function behavior in configuration logging option
# [Correction]  CA Root temporary files suppression omitted during the Key Ceremony script
# [Security]    Read only config file display

openWebPKI v1.3
~~~~~~~~~~~~~~~
# [Release]     Major release
# [Evolution]   End user specific CA and dedicated associated profile
# [Evolution]   Consolidated & stand alone XML configuration file (Web module & kc)
# [Evolution]   Generated password length option
# [Evolution]   Extraction of the CA names into the XML configuration file
# [Improvement] Strong certificate generation code rationalization & translation
# [Improvement] Script conversion from batch to native PHP (kc.php & SSL server certificate generation)
# [Improvement] Validity period & key pair length configuration for generated certificates
# [Improvement] Validity period configuration for generated CRL & ARL
# [Improvement] CA Certificates validity according to the CA hierarchy (default values: 9 & 10 years)
# [Improvement] Installation simplification (3 steps only against 4 before, no openssl.cnf folder restriction)
# [Correction]  Version number incoherence in comments
# [Correction]  Password container configuration forgotten in session management
# [Correction]  English forgotten translations (CRL update...)
# [Security]    3-DES ciphered private key storage before cleaning (no cleartext transit)
# [Security]    Key Ceremony script calling from browser

openWebPKI v1.2
~~~~~~~~~~~~~~~
# [Release]     Standard release
# [Evolution]   Timestamp addition in CRL filenames in order to avoid overwriting
# [Improvement] Dynamic password field hiding
# [Improvement] Common forms code simplification
# [Correction]  English translation mistakes corrections
# [Security]    Random PKCS#12 password generation

openWebPKI v1.1
~~~~~~~~~~~~~~~
# [Release]     Major release - English translation
# [Evolution]   Translation: site & module - not hard but unpleasant job - the longer, the better...
# [Evolution]   CSR management of both CA Signature & CA Encipherment
# [Improvement] Errors management
# [Improvement] Timestamp addition in certificates and PKCS#12 filenames in order to avoid overwriting
# [Improvement] Hardening & 7-Zip compression package (BZip2 & Tar archiving format forsaken)
# [Correction]  User typing coherence checking (pattern matching)

openWebPKI v1.0
~~~~~~~~~~~~~~~
# [Release]     First version widely diffused (still in French language)
# [Evolution]   Posted external CSR Signature
# [Evolution]   PKCS#12 password logging option
# [Evolution]   Multiple [OU] elements display in [Subject] certificate field (thanks to PHP v5.1)
# [Improvement] User typing coherence checking (allowed characters in CN, e-mail address & SIREN fields)
# [Improvement] Error management in abnormal cases
# [Improvement] Migration to PHP v5.1 & package hardening
# [Improvement] Batch scripts factorization (Linux compliance)
# [Improvement] Dynamic [key usage] options for application certificates
# [Improvement] Certificates profiles conformity with the PRIS v2.1 recommendation (French e-Government)
# [Improvement] Copyright deletion & migration to Creative Commons licence
# [Improvement] JavaScript forms codes rationalization & CSS v2.0 style sheet validity

openWebPKI v0.9
~~~~~~~~~~~~~~~
# [Release]     First version published (in French language)

---------------
End of document
   
Installation notice
-------------------

General note
~~~~~~~~~~~~
# Encoding format    UTF-8 / PC
# File contents      Installation howto
# Official Web site  http://www.pki.online.fr/
# Author's Web site  http://www.cymc.online.fr/
# Downloading sites  See the links heading on the Web site
# Development        Cedric CLEMENT - cedric.clement@gmail.com
                     Thanks to Sebastien PUJADAS for always up-to-date OpenSSL compilation
                     Thanks to Pierre LAGNIER for Time-stamping service debugging help
                     Thanks to Thomas ROHDE for the German translation

Presentation
~~~~~~~~~~~~
openWebPKI is a free and open source PKI solution which can be used to generate X.509 certificates based on
French e-Government standard profiles (the RGS v2.2 recommendation published by the DGME, formerly known as
the ADAE), and manage their life-cycle using a web-based interface. openWebPKI was designed to be a user-
friendly, turnkey solution (as opposed to other pieces of software). openWebPKI is fully based on open source
software, including Apache, PHP and OpenSSL.

openWebPKI uses plain text files to store data (as opposed to an RDBMS or LDAP directory); as such, the
management of concurrent accesses is limited.

License for use and distribution
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This package is free open source software. You can redistribute it under the terms of the by-nc-nd
license published by the Creative Commons corporation, either version 3.0 or any later version.
Online license availability: http://creativecommons.org/licenses/by-nc-nd/3.0/legalcode

This program is distributed in the hope that it will be useful, but without any warranty, without
even the implied warranty of merchantability or fitness for a particular purpose. See the Creative
Commons by-nc-nd License for more details.

This software package uses strong cryptography, so even if it is created, maintained and distributed
from liberal countries in Europe (where it is legal to do this), it falls under certain export/import
and/or use restrictions in some other parts of the world. 

Please remember that export/import and/or use of strong cryptography software, providing cryptography
hooks or even just communicating technical details about cryptography software is illegal in some parts
of the world. So, when you import this package to your country, re-distribute it from there or even just
email technical suggestions or even source patches to the author or other people you are strongly advised
to pay close attention to any export/import and/or use laws which apply to you. The author of openWebPKI
and OpenSSL are not liable for any violations you make here. So be careful, it is your responsibility.

Disclaimer
~~~~~~~~~~
The author provides absolutely no warranty whatsoever regarding the use of openWebPKI. This solution should
not be used in a production environment without carrying out a proper risk analysis beforehand, and the
operational use of the solution should take into consideration the security stakes at hand, as prescribed
and endorsed by e.g. the Certificate Authority's Certification Policy, a full-scale audit of the assets that
are to be protected by the delivered certificates. The author shall not be liable for any indirect, special,
incidental, punitive, cover or consequential damages (including, but not limited to, damages for the inability
to use equipment or access data, loss of business, loss of profits, business interruption or the like),
arising out of the use of, or inability to use, openWebPKI and based on any theory of liability including
breach of contract, breach of warranty, tort (including negligence), product liability or otherwise, even if
the author has been advised of the possibility of such damages and even if a remedy set forth herein is found
to have failed of its essential purpose.

Technical requirements
~~~~~~~~~~~~~~~~~~~~~~
In order to run, the openWebPKI module needs at minimum the following configuration:

  # Web server:

    - Apache v2.x or higher
    - Scripts interpreter: PHP v5.x or higher
    - Compression tool: 7-Zip v4.x or higher

  # Cryptographic tools:

    - OpenSSL v0.9.x or higher: executable, libraries, Apache module & PHP extension
    - Message digest algorithms JavaScript implementation: SHA-256 v0.3 by Angel Marin & Paul Johnston
    - MCrypt & CrackLib: libraries & PHP extensions
    - Encryption: Rijndael (~ AES) or 3-DES (data encipherment)
 
  # Apache modules:

    - mod_authz_host
    - mod_actions
    - mod_alias
    - mod_auth_digest
    - mod_cgi
    - mod_dir
    - mod_ssl
    - mod_env
    - mod_log_config
    - mod_mime
    - mod_mime_magic
    - mod_negotiation
    - mod_setenvif

  # PHP extensions:

    - php_mbstring
    - php_openssl

  # Client browser abilities:

    - Scripting: Javascript v1.6 & VBscript v5.6 (optional)
    - Presentation layer: XHTML v1.1, CSS v3.0 & DHTML
    - Databases & configuration: XML v1.1 & XML Schema v1.1
    - Communication: SSL v3.0 128 bits (HTTPs) & XMLHTTPRequest compliance (Ajax)
    - Encryption: SHA-256 availability (FF & IE with Windows XP SP3 or Vista)

Automated installation
~~~~~~~~~~~~~~~~~~~~~~
Currently, this installation is only available under Microsoft Operating Systems.
The archive gathers every required component. 

1. Get the full distribution:
   - Download the archive
   - Uncompress it into the folder [ C:\Program Files\ ]

2. Launch the script [ C:\Program Files\Apache\bin\install.bat ] and follow the procedure:
   - 7-Zip, OpenSSL & dependencies installation
   - Key Ceremony script launching ([ \openWebPKI\private\kc.php ])
   - SSL server certificate generation
   - Apache service installation & launching

3. Finally, connect to the openWebPKI Web user interface:
   - Access:   defined URL      (default [ https://127.0.0.1/ ])
   - Login:    defined user     (default [ operator ]   - /!\ case sensitive)
   - Password: defined password (default [ openWebPKI ] - /!\ case sensitive)

Important notes
~~~~~~~~~~~~~~~
# The XML file [ C:\Program Files\Apache\openWebPKI\private\config.xml ] allows you to configure and
  customize the default user, paths, passwords logging, certificates profiles & Authorities hierarchy...

# The shell script [ C:\Program Files\Apache\bin\install.bat ] has currently only been validated under
  Windows XP. On line number [ 6 ], the first argument [ operator ] indicates the operator user account,
  the second one [ openWebPKI ] indicates the CA unique password used for cryptographic operations. Change
  these arguments before launching the Key Ceremony script in order to modify these default parameters!

# The previous shell script calls the PHP script [ C:\Program Files\Apache\openwebpki\private\kc.php ]
  which allows you to replay the Key Ceremony (all previous data will be overwritten).

# The PHP script [ C:\Program Files\Apache\openwebpki\private\reset.php ]
  allows you to reset the whole module in case of misuse.

# The time-stamping service is available at the following URL: [ https://[FQDN]/ts.php ]

# The CRL distribution points are available at the following URL: [https://[FQDN]/[PUBLIC]/[ca-id]-last.crl]

# The shell script [ C:\Progra~1\Apache\openWebPKI\private\ocsp.bat ]
  allows you to launch the OCSP responder service for each authority.

# A basic OCSP testing request can be found here: [ C:\Progra~1\Apache\openWebPKI\private\ocspreq.bat ]

# A basic TSA service testing request can be found here: [ C:\Progra~1\Apache\openWebPKI\private\tsr.bat ]

# The shell script [ C:\Program Files\Apache\bin\certs.bat ] allows you to auto-enroll generated certificates

# In order to allow multi-user authentication, you should activate Apache SSL client certificate authentication
  (<SSLVerifyClient> directive) and check user authorizations through the LDAP protocol.

# In order to check the conformity of the generated certificate, CRL or token profiles, the French
  e-Government (DGME & ANSSI) toolbox is available at the following URL: http://bao.dgme.fr/

# In order to use SHA-256 under Microsoft Windows XP, you will need to install the Service Pack 3.

# An OpenSSL <ocsp> application limitation is explained here: http://www.nabble.com/OCSP-problems-td23650525.html

# The extensions presented in the request are considered during the certificate profile generation.

---------------
End of document
   
Notice: some of the following screenshots may not be up-to-date anymore.
I did not completely refresh this page since version 2.9.

Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=FR, O=openWebPKI, OU=0002 123456789, CN=END USER
Validity
    Not Before: Jan  8 15:50:22 2010 GMT
    Not After : Jan  7 15:50:22 2013 GMT
Subject: C=FR, O=Entity designation, OU=0002 123456789, CN=Firstname SURNAME
Subject Public Key Info:
 Public Key Algorithm: rsaEncryption
  RSA Public Key: (2048 bit)
  Modulus (2048 bit): [...]
  Exponent: 65537 (0x10001)
X509v3 extensions:
 X509v3 Subject Key Identifier: [...]
 X509v3 Authority Key Identifier: keyid:[...]
 X509v3 Basic Constraints: critical CA:FALSE
 X509v3 Key Usage: critical Non Repudiation
 X509v3 CRL Distribution Points: URI:http://fqdn/end-user.crl
 X509v3 Subject Alternative Name:email:surname.name@entity.com
 X509v3 Certificate Policies:
  Policy: X509v3 Any Policy
   CPS: http://fqdn/end-user-policy.pdf
 Authority Information Access: OCSP - URI:http://fqdn/ocsp-end-user/
 qcStatements: QcCompliance, QcSSCD
Signature Algorithm: sha256WithRSAEncryption [...]
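openWebPKI itself derives its view of a certificate from OpenSSL's text output (see the v1.7 ASN.1 parsing note in the ChangeLog). The following added example, which is not part of openWebPKI, does the same for the end-user profile above: it parses the extensions block of an `openssl x509 -text` dump and reports any deviation from that profile (critical CA:FALSE, critical nonRepudiation only, CRL distribution point, e-mail SAN, OCSP access, qualified statements). The embedded dump is a constructed copy of the one shown above.

```python
# Constructed sample: an end-user certificate as printed by `openssl x509 -text`, abbreviated as on this page.
SAMPLE_TEXT = """\
Version: 3 (0x2)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=FR, O=openWebPKI, OU=0002 123456789, CN=END USER
Subject: C=FR, O=Entity designation, OU=0002 123456789, CN=Firstname SURNAME
X509v3 extensions:
 X509v3 Basic Constraints: critical CA:FALSE
 X509v3 Key Usage: critical Non Repudiation
 X509v3 CRL Distribution Points: URI:http://fqdn/end-user.crl
 X509v3 Subject Alternative Name:email:surname.name@entity.com
 X509v3 Certificate Policies:
  Policy: X509v3 Any Policy
   CPS: http://fqdn/end-user-policy.pdf
 Authority Information Access: OCSP - URI:http://fqdn/ocsp-end-user/
 qcStatements: QcCompliance, QcSSCD
Signature Algorithm: sha256WithRSAEncryption [...]
"""

def parse_extensions(text):
    """Return {name: {"critical": bool, "value": str}} for the X509v3 extensions block.
    A one-space indent starts an extension; deeper lines continue the current one."""
    exts, in_block, name = {}, False, None
    for line in text.splitlines():
        if line.strip() == "X509v3 extensions:":
            in_block = True
            continue
        if not in_block:
            continue
        if not line.startswith(" "):          # back at top level: the block is over
            break
        indent = len(line) - len(line.lstrip(" "))
        if indent == 1:
            head, _, value = line.strip().partition(":")
            name = head.replace("X509v3 ", "")
            value = value.strip()
            critical = value.startswith("critical")
            value = value[len("critical"):].strip() if critical else value
            exts[name] = {"critical": critical, "value": value}
        elif name is not None:                # e.g. Policy / CPS lines under Certificate Policies
            exts[name]["value"] = (exts[name]["value"] + " " + line.strip()).strip()
    return exts

def check_end_user_profile(text):
    """Compare a dump with the end-user signature profile: critical CA:FALSE, critical
    nonRepudiation only, CDP, e-mail SAN, OCSP AIA, qualified statements. Empty list = match."""
    exts, findings = parse_extensions(text), []
    def want(name, critical=None, contains=None):
        ext = exts.get(name)
        if ext is None:
            findings.append(f"missing extension: {name}")
        else:
            if critical is not None and ext["critical"] != critical:
                findings.append(f"{name}: expected critical={critical}")
            if contains is not None and contains not in ext["value"]:
                findings.append(f"{name}: expected '{contains}', got '{ext['value']}'")
    want("Basic Constraints", critical=True, contains="CA:FALSE")
    want("Key Usage", critical=True)
    want("CRL Distribution Points", contains="URI:")
    want("Subject Alternative Name", contains="email:")
    want("Authority Information Access", contains="OCSP")
    want("qcStatements", contains="QcCompliance")
    ku = exts.get("Key Usage", {}).get("value", "")
    if ku and ku != "Non Repudiation":        # signature profile: no encipherment or CA bits
        findings.append(f"Key Usage: only 'Non Repudiation' expected, got '{ku}'")
    return findings
```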

--------------------------------------------------
Key Ceremony initialisation        openWebPKI v3.1
--------------------------------------------------
7-Zip compression utility installation:   [ done ]
OpenSSL and dependencies installation:    [ done ]
Unique configuration file generation:     [ done ]
Revocation & serial databases creation:   [ done ]
CA key pairs generation for hierarchy:    [ done ]
Certificate Signing Requests generation:  [ done ]
CA <ca-root> certificate self-signature:  [ done ]
CA <ca-user> CRT signature by <ca-root>:  [ done ]
CA <ca-serv> CRT signature by <ca-root>:  [ done ]
HTTPS server CRT signature by <ca-serv>:  [ done ]
TS Authority CRT signature by <ca-serv>:  [ done ]
OCSP respnd. CRT signature by <ca-serv>:  [ done ]
OCSP responders launching script writing: [ done ]
First CRLs generation & publication:      [ done ]
Apache Web server service installation:   [ done ]
Apache Web server service starting:       [ done ]
--------------------------------------------------
End of the Key Ceremony  http://www.pki.online.fr/
--------------------------------------------------
The Time Stamping Authority service is available:
[ https://127.0.0.1/ts.php ]
--------------------------------------------------
The OCSP responders launching script is available:
[ C:/Progra~1/Apache/openWebPKI/private/ocsp.bat ]
--------------------------------------------------
The ARL / CRL distribution points are available:
[ https://127.0.0.1/public/ca-root-last.crl ]
[ https://127.0.0.1/public/ca-user-last.crl ]
[ https://127.0.0.1/public/ca-serv-last.crl ]
--------------------------------------------------
Cryptographic module:  OpenSSL v0.9.8k 25 Mar 2009
Time-stamping module:  OpenSSL v1.0.0 beta version
Web server & scripts:  Apache v2.2.11 / PHP v5.3.0
--------------------------------------------------

Screenshots: Authentication, Administration, Pkcs12, Generation, Capicom, Revocation, Status, Store

Update: 05/16/2012 10:09 - Cédric CLEMENT - cedric.clement@gmail.com