SimpleAuthority is a fully functional Certification Authority, or Certificate Authority (CA), that is designed to be very easy to use. It generates and manages keys and certificates that provide cryptographic digital identities for people and/or computer servers. These identities are designed to be used in other applications such as for:
SimpleAuthority supports Windows, Mac OS-X and Linux platforms.
Unlike most CA products, SimpleAuthority does not require specialist PKI knowledge or supporting components like an external database. It is built on The Legion of the Bouncy Castle cryptographic library.
SimpleAuthority is free and contains no nag screens when used to manage up to 4 users. If you want to manage more users, or if you require advanced features, then you need to purchase a license.
SimpleAuthority contains no adware or other nasties.
SimpleAuthority generates standards-compliant keys and certificates suitable for use in almost any security application. These applications include, but are not limited to:
Certificates can be used to identify people and/or computer servers. Servers can be identified based on domain name or IP address.
Certificate status is highlighted using colour-coded "traffic light" icons (green, orange, red). This makes it easy to identify certificates that will expire soon or have already expired.
An iCalendar file can be generated and automatically updated containing certificate expiry dates. iCalender files can be read by numerous calendar applications including Apple iCal and Mozilla Sunbird.
Certificates can be published to an LDAP directory. This is an optional way of sharing certificates between users, for encrypting data from one user to another.
Certificate revocation and Certificate Revocation List (CRL) generation is supported, as an option for managing certificates that should no longer be trusted.
Identity files can be automatically and securely backed up. This allows for recovery of keys that may otherwise be lost, so that any data encrypted using these keys can be retrieved.
Keys and certificates can be generated using PKCS#12/DER format (used by most applications), or PEM format, without or without a password. Certificate key lengths, certificate contents and signature algorithms are fully configurable.
Certificate Signing Request (CSR) files from external applications can be processed. This allows keys to be generated by other applications and for the public key to be included in a certificate.
Multi-level CA hierarchies and self-signed certificates are supported.
SimpleAuthority is highly interoperable with security products, corporate directories and legacy CA products.
Data can be imported in formats including:
Data can be exported in formats including:
SimpleAuthority can be run using:
The main window provides an overview of the users in your organisation and the status of their certificates.
To generate keys and certificates:
.cer
) file you also generate a corresponding identity (.p12
) file. The identity file is password protected and includes the private key as well as the certificate..p12
or .pfx
) include both the user certificate and private key, and usually also the CA certificate. These files are protected (encrypted) by a password..cer
or .crt
) include a single certificate only..p7b
or .p7c
) include one or more certificates, often a user and the CA certificate..pem
) contain either a certificate or a private key. These files include printable characters only and most of the file is base-64 encoded. Private key PEM files may or may not be protected by a password.To configure an application for key and certificate use:
When using keys and certificates in a security application:
See Using Certificates for more details.
A Certification Authority (CA) must be generated before you can issue keys and certificates to users. This CA will be used to sign new user certificates.
To generate a new CA:
The CA generated by the above procedure is self-signed. This should meet the needs of most organisations.
Some organisations may require a more complex CA hierarchy. For example, a self-signed CA may be used to generate one or more subordinate CAs, each of which issues certificates to a subgroup of users or to the same user group but for different purposes.
To generate a CA hierarchy, start by first generating the self-signed "Root CA". This Root CA should then be used to generate user identities for all subordinate CAs. Each of these subordinate CA users should be configured with the Certification Authority Certificate Type. These subordinate CAs can then be used to issue user certificates or even other CA certificates by changing the Certification Authority selection in Options/Preferences.
The Select CA dialog provides options for managing any CAs that have been created, and provides a way to easily switch between CAs for signing new certificates. This dialog can also be used to
SimpleAuthority maintains a list of users on the left-hand side of the main window. Each user represents an entity that can be issued certificates. This may be a person or a computer server.
New users can be added by clicking on the New User button, or by selecting File > New User.
Users can be deleted by highlighting the user in the list and selecting File > Delete User. However, it is recommended that users are not deleted until all certificates issued to that user have expired. This is to ensure that an accurate record is maintained of all valid certificates that have been issued.
User details are shown in the top right-hand side of the main window. These details can be changed by clicking on the Edit User button, or by selecting File > Edit User. Changes will be incorporated into any new certificates that are issued for that user.
The user details normally includes fields for Subject Alternative Name (Email Address by default) and Organisational Unit. Multiple values can be specified for these fields by separating values with a semi-colon. You can also prefix values for the Subject Alternative Name with EMAIL:
, DNS:
, IP:
or URI:
to override the default type and specify that the value is an email address, DNS value, IP address or URI, respectively. These values can also be mixed, for example DNS:myserver.priv;IP:192.168.0.1
The user details also includes a notes field that can be used to store comments about the user. These comments are not included in any certificates. The notes field can be shown or hidden by selecting View > Show/Hide User Notes from the menu bar.
The default settings for new user details can be changed in Options/Preferences.
Some of these fields (and the corresponding fields in the main window) have check-boxes next to them. If the check-box is not selected, the associated field will not be included in the certificate.
User details can be imported from LDIF or vCard files. This allows an LDAP directory or address book application to be used to populate user details, rather than typing them in manually.
Select Import > Users from LDIF... or Import > Users from vCard... from the menu bar to import user details. Importing from an LDIF file also allows user certificates to be imported.
When importing user details, the user name, email address, organisational unit and organisation fields are retrieved from the import file. The country, certificate type and certificate validity settings are based on the default certificate settings in Options/Preferences.
Each user has a name, which is used to identity the user. The user name is displayed in the list of users and at the top right-hand side of the main window (in large font).
For people, the name should be the person's full name, e.g. Paul Cuthbert
.
For computer servers, the name can be the server domain name or IP address, e.g. simpleauthority.com
or 192.168.0.100
. Both IPv4 and IPv6 addresses are supported. Domain names may also include wild-cards, e.g. *.simpleauthority.com
or server*.simpleauthority.com
.
SimpleAuthority maintains a record of which users are "active" and which are "inactive". Active users need their certificates replaced shortly before they expire. Inactive users may be people that have left the organisation or computer servers that are no longer used.
A user must be active before they can be issued a certificate.
A user must be inactive before they can be deleted.
Users can be toggled between active and inactive states using the check-box in the list of users, or by highlighting the user in the list and selecting File > Make User Active or File > Make User Inactive from the menu bar.
Inactive users can be hidden from view by selecting View > Hide Inactive Users.
The main window displays a list of users and the list of certificates for the selected user. In each case, the certificate status of the selected item is indicated by the coloured circle in the Status column:
Circles that have a red cross over them (e.g. ) represent certificates that have been revoked and can therefore no longer be used. See revoking certificates for details.
Expired certificates can be hidden from view by selecting View > Hide Expired Certificates.
The certificate expiry warning period is configurable in Options/Preferences.
A new certificate can be generated for the selected user by clicking on the New Certificate button or by selecting File > New Certificate. The selected user must be active before a new certificate can be generated.
The new certificate contents will be based on the current settings for the selected user, shown at the top right of the main window. The certificate key length and signature algorithm is controlled from Default Certificate Settings in Options/Preferences.
Generating a new certificate involves generating the corresponding identity file (.p12
for PKCS#12 format). This file includes the private key, protected by a password. It is written to the output directory defined in the Identity Files section of Options/Preferences.
The identity file password can be randomly generated or it can be set manually. When a randomly generated password is used the password is written to a text (.txt
) file alongside the identity file.
The Identity Files section of Options/Preferences also lets you control:
.cer
for DER format) will also be written to the output directory - which can be useful if you need to distribute the certificate such as for encryption purposesOnce a new certificate has been generated, the identity file and corresponding password must be sent to the owner of the keys. For security reasons, these two pieces of information should not be sent together, and preferably not using the same communications channel. A recommended approach is to email the identity file to the user and to tell them or SMS them the password.
SimpleAuthority supports the processing of Certificate Signing Request (CSR) files. CSR files can be generated by applications including IIS, Cisco routers and most Hardware Security Modules (HSMs). They include information for a requested new certificate including the certificate public key.
Select Import > Certificate Signing Request... from the menu bar to process a certificate signing request. You will be prompted to select the resulting certificate type and the certificate validity period. You will also be given the option of using the original CSR request to specify the user certificate details, or overriding these with custom settings.
Some certificate signing requests include certificate extensions that are requested for the final certificate. In these cases, an "Include extension requests from CSR" check box is provided for selecting whether the requested extensions should be included.
When a certificate signing request is processed, a new user entry is automatically created if required to register the new certificate with.
Certificates contain numerous fields, including extensions that provide additional information about a certificate owner and in some cases control what the certificate can and cannot be used for. To avoid having to work out what each extension does and which ones need to be used, SimpleAuthority uses "certificate types". The certificate type is effectively a template for what gets included in the certificate, as recommended by standards such as rfc5280 and as required to maximise interoperability.
The default certificate types are:
(License required) Certificate types can be customised under Certificate Types in Options/Preferences, or by selecting Advanced Settings... when generating a new self-signed CA. The default certificate types (listed above) cannot be deleted or modified, however they can be copied to generate a new certificate type with customised settings.
Select View, Edit or Copy to open a dialog containing certificate type configuration settings.
The first few settings control the name of the certificate type, whether the certificate is self-signed or not, and the cryptographic algorithms to use. Following this are the user details that should be included in the certificate subject distinguished name, for identifying the owner of the certificate. The remaining settings relate to certificate extensions that may be included in the certificate. These control which extensions are used, whether or not an extension is marked as critical, and the extension contents.
From rfc5280, marking an extension as critical has the following effect:
A certificate-using system MUST reject the certificate if it encounters a critical extension it does not recognize or a critical extension that contains information that it cannot process. A non-critical extension MAY be ignored if it is not recognized, but MUST be processed if it is recognized.
A summary of what each of the certificate extensions is used for is shown below. Refer to rfc5280 for further details.