What is roCA?

roCA is a software distribution for operating an X.509 certificate authority. It uses the software TinyCA to create and revoke certificates for CAs, users and SSL servers. The main focus of this software is security. The software is written to a CD-ROM, so it cannot be altered by anyone. Whenever certificates have to be created or revoked, the host is booted from the CD-ROM. This makes it close to impossible for an attacker to gain access to the certificate authority. The keys and certificates of the CA are stored on a USB memory stick, which can usually be kept in a secure place. This way it is easy to operate a certificate authority without the need for special CA hardware and software.
Where to get it?

You can find an ISO image of the roCA CD here; the MD5 checksum of the image is 50b41f5451c40fe3db1d799852b74c6c. You can use this detached signature to verify the authenticity of the image. The signature is made with my PGP key, user ID 0x4403EB31. Please be aware that the image is about 460MB. This image has to be burned directly to a CD-ROM. The resulting CD-ROM is bootable, so you should then be able to start roCA by restarting your computer.
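The verification step described above, written out as an added POSIX shell example that is not part of the roCA page: it checks a downloaded image against the MD5 digest printed above and then checks the detached signature with GnuPG. The file names `roCA.iso` and `roCA.iso.sig` are assumed; the key ID 4403EB31 is the one the page names.

```shell
#!/bin/sh
# Added example (not from the roCA page): check a downloaded roCA image
# against the MD5 digest published on the page, then against the detached
# PGP signature. The file names and the key id argument are assumptions.

# Hex MD5 digest of a file; md5sum on Linux, openssl as a fallback.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 "$1" | sed 's/^.*= //'
    fi
}

# Returns 0 when the file's MD5 matches the expected digest, 1 otherwise.
# This only catches a corrupt or truncated download; it says nothing about
# who produced the image, which is what the signature check is for.
verify_md5() {
    file="$1"
    expected="$2"
    actual=$(md5_of "$file")
    [ "$actual" = "$expected" ]
}

# Returns 0 only if gpg reports a VALIDSIG made by a key whose fingerprint
# ends in the expected key id. The key must already be in the keyring and its
# fingerprint confirmed out of band; a bare "gpg --verify" succeeds for any
# key in the keyring, so the key id is matched explicitly here.
verify_sig() {
    iso="$1"
    sig="$2"
    keyid="$3"
    gpg --status-fd 1 --verify "$sig" "$iso" 2>/dev/null \
        | grep -q "^\[GNUPG:\] VALIDSIG [0-9A-Fa-f]*$keyid "
}

# Example usage with the values from the page (file names assumed):
#   verify_md5 roCA.iso 50b41f5451c40fe3db1d799852b74c6c && \
#   verify_sig roCA.iso roCA.iso.sig 4403EB31 && echo "image OK, safe to burn"
```

The MD5 comparison only tells you the download is intact; because MD5 collisions are practical, it is the signature, checked against a key whose fingerprint you confirmed through another channel, that establishes the image is the one the author published.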
How to start?

After the first start from this CD-ROM you have to create a permanent home directory on a USB memory stick. Afterwards the CA software will be installed on it. The generated certificates and revocation lists as well as the CA configuration will be kept on this memory stick. Here are the necessary first steps:

- If you have just started roCA for the first time, you have to create a permanent home directory on a USB stick first. Plug the USB medium into one of your USB ports.
- From the menu at the bottom of the screen choose the KNOPPIX menu (the second button from the left), then "Configure" and then "Create a persistent KNOPPIX home directory". Select the correct device (usually /dev/sda1), choose to create an image on the device and choose AES encryption for the device. This way all files on the USB stick are encrypted, so the whole certification authority is stored on it securely. You have to remember the password you have chosen for the encrypted image.
- Reboot your computer from the CD-ROM again. On startup you will be asked for the password of your encrypted home directory.
- Click on the "Signature" button at the bottom of the screen (the one with a pen writing on paper). This button starts TinyCA, which allows you to create and run your own CAs. When you start it for the first time, the CA software from the CD-ROM is installed to the USB stick. This way you can update to more recent versions of the software without getting a new roCA version (though this may be a security risk).
Caveats:

Please do not use the function "Save KNOPPIX configuration". It also saves the CA directory. When you restore the saved configuration, your current CA directory is overwritten. This may result in the loss of all certificates and keys that were created after the configuration was saved.
When booting with kernel 2.6, USB sticks were not recognized. The default is to use kernel 2.4, which works fine.
How to proceed?

Here are a few links to further documentation on the net (though usually you should not connect your roCA host to the internet for security reasons).
The software TinyCA can be found at http://tinyca.sm-zone.net/.
A good starting point for information about X.509 certificates is the X.509 style guide by Peter Gutmann.
Detailed information about the X.509 extensions and their usage can be found in the corresponding RFCs (Requests for Comments) of the IETF. At this time the most recent document is RFC 3647.
There are some good German documents that provide detailed knowledge about creating and operating a certificate authority. These can be found at the DFN-PCA, which operates the PKI of the German research network (DFN). The reports and the manuals in particular may be of interest.
If you have further questions regarding this software, or if you have problems getting it started, you can send me a mail.
DISCLAIMER:

This is experimental software. Use at your own risk. Under no circumstances may knopper.net or any of the authors or distributors of this software be held liable for damage to hardware or software, lost data or other damage, either direct or indirect, caused by using this software. In some countries, cryptographic software may be subject to import/export restrictions or subject to software patents. This software may not be used or disseminated in those countries. Otherwise, it is subject to the usual rules of the GPL license. If you do not wish to abide by these rules, you may not use or disseminate this software.
History

Changelog of roCA.
0.2.1 (2005-01-10)

Second release. Fixed a bug in the calculation of free space on USB media. Based on the English version of Knoppix 3.7.
0.1.9 (2004-08-18)

Initial version of roCA. Based on Knoppix 3.4.