The certificate authority is used to generate and sign certificate, there is 3 parts:
- web: which contains API to submit certificate signature request and to download signed certificate
- cliweb: which is a command line tool used to quickly generate private key and send certificate signature request, he will
also downlaod automatically the signed certificate as well as ca certificate.
- cli: is used to garbage collect certificate authority, all expired certificate, csr, crl and revocation will be trashed using this tool.
The first csr can be automatically signed, the rest will be signed by the adminitrator, first connection to /admin/ will ask to set password
the admin can see all csr (pending) then sign them. As soon as csr is signed, the client will download (cliweb) the certificate.
client can also renew or revoke his certificate using CA API. Renew and revoke are immediate, there is no admin approval.
on server side, the storage storage.py use sqlite to store all informations (certificat, csr, crl and revocations), there is no use of openssl here.
ca.py will invoke the storage to store or to get certificates.
the client store certificate directly on filesystem, so it can be read by apache, nginx, etc.