diff options
author | Yuuta Liang <yuutaw@students.cs.ubc.ca> | 2023-09-30 00:55:17 +0800 |
---|---|---|
committer | Yuuta Liang <yuutaw@students.cs.ubc.ca> | 2023-09-30 00:55:17 +0800 |
commit | 3731ab346255eea5b3a6723ddf906648a037f0af (patch) | |
tree | 728c7e27557c902a1442cab79b4728111864d5e4 | |
parent | c94aa747593191c40ce0b2bc21639bc45877c68e (diff) | |
download | jca-3731ab346255eea5b3a6723ddf906648a037f0af.tar jca-3731ab346255eea5b3a6723ddf906648a037f0af.tar.gz jca-3731ab346255eea5b3a6723ddf906648a037f0af.tar.bz2 jca-3731ab346255eea5b3a6723ddf906648a037f0af.zip |
Start the project
-rw-r--r-- | README.md | 59 |
1 files changed, 52 insertions, 7 deletions
@@ -1,10 +1,55 @@ -# My Personal Project +# JCAMgr (Java Certification Authority Manager) -## A subtitle +A simple but powerful X.509 certification authority written in Java. +It manages a X.509 CA (certification authority) and allows administrators to +submit a PKCS#10 CSR (certification signing request), apply CA policies, and +get the signed X.509 certificate back, using a GUI. It also has a GUI that +allows administrators to list, view, and revoke issued certificates and +sign X.509 CRLs (certificate revocation list). -A *bulleted* list: -- item 1 -- item 2 -- item 3 +Almost all organizations today are maintaining internal PKIs that allow +organization members (either users or servers) to easily trust other users +or computers through digital signature and X.509 certification by trusting a +single internal root certification authority (Root CA). A common deployment +of internal PKI is to have an online server or a GUI to fully manage that CA +and allow administrators to easily sign certificates and manage them, often +automatically through some Internet protocols (e.g., RFC8894 SCEP). Although +existing solutions exist, many are proprietary (e.g., Microsoft Active +Directory Certification Services, ADCS), paid (e.g., the AWS managed private +CA service costs about $300 a month), implemented in alternative languages +(e.g., Step CA), or lack of a GUI (e.g., Step CA). This project is extremely +useful for organization system administrators who would like to graphically +manage their certification authorities with an open-source solution. I am +also very eager to build such a project because I am very familiar with PKI +technologies, and I am also running two internal PKIs at my home, using raw +OpenSSL command line (honestly, not very user friendly) and ADCS (absolutely +proprietary). -An example of text with **bold** and *italic* fonts.
\ No newline at end of file +## User Stories + +As a user, I want to be able to: + +1. Import a CA cryptography key-pair and its corresponding X.509 certificate +into the program and view it. The private key must not be displayed or exported +in any format under any circumstances for security purposes. +2. Input CSRs, edit the certificate properties (e.g., subject, not before, +not after, serial, key usage, extended key usage, X.509v3 extensions, etc.), +sign it using the CA private key, and get the signed certificate in DER or +PEM-encoded-DER formats; then add that certificate to the signed-certs list. +3. List all the certificates this CA had signed, view their properties, and +optionally revoke any of them with a corresponding PKCS#10 reason. The +certificates must not be deleted from the list under any circumstances but +only revoked because some future administrators or the legal team may need +to audit it. +4. Publish base and optionally delta CRLs. +5. Add, enable, disable, or remove custom certificate templates (also called +policies) that constraints what each type of certificates can and cannot have +and their properties (e.g., TLS server certificates vs user logon certificates +must be different in many ways), and the user will be able to choose which +template they use after CSR input. +6. View audit logs like who did what at what time for legal audit uses. Audit +log entries must never be deleted. + +## Author + +Yuuta Liang <yuutaw@student.ubc.ca> |