PHPki
Ruby Shoes Certificate Authority







WHY PHPki

PHPki is an Open Source Web based application for managing a "Public Key Infrastructure" within a small organization. PHPki may be used to create and manage digital certificates for use with S/MIME enabled e-mail clients, SSL servers, and VPN applications.

Most commercial certificate authorities (CA) require that certificates be issued to individual workstations, one at a time. The transaction required to obtain a commercial certificate must usually take place at the workstation on which the certificate is to be installed, and can be complicated, confusing, and time consuming. Such a process does not allow for easy centralized administration of groups of certificates, where a single person within an organization or department must request, create, and install certificates on a number of workstations.

PHPki creates standard X.509 digital certificates which should work with most e-mail clients. It packages private certificates in the PKCS #12 format accepted by Microsoft e-mail clients and in the PEM format used by certain web servers. PKCS #12 certificates usually have a .P12 filename extension. Since most PKCS #12 certificates include the certificate's private key, they should never be distributed to the general public. PHPki's publicly distributable certificates are packaged in standard DER format.
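The split between private bundles and publicly distributable certificates can be checked with the openssl command-line tool before a file is handed out. This is an added example, not part of PHPki; the function names, file names and the P12_PASS environment variable are assumptions.

```sh
#!/bin/sh
# Added example (not PHPki code). Assumed usage:
#   P12_PASS='bundle password'; export P12_PASS
#   p12_has_key user.p12 && p12_to_public_der user.p12 user.der
#   is_public_der user.der && echo "user.der may be published"
# The password is read from the environment (env:P12_PASS) so it does
# not show up in the process list.

# Succeeds if the PKCS #12 bundle $1 carries a private key.
# A wrong password also yields "no key", so check P12_PASS first.
p12_has_key() {
    openssl pkcs12 -in "$1" -nocerts -nodes -passin env:P12_PASS \
        2>/dev/null </dev/null | grep -q 'PRIVATE KEY'
}

# Write only the user certificate from bundle $1 to $2 in DER format.
p12_to_public_der() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin env:P12_PASS \
        2>/dev/null </dev/null | openssl x509 -outform DER -out "$2"
}

# Succeeds only if file $1 is exactly one DER certificate and nothing
# else: the certificate is re-encoded and compared byte for byte with
# the file, so PEM bundles, key files and PKCS #12 files are rejected.
is_public_der() {
    [ -s "$1" ] || return 1
    openssl x509 -inform DER -in "$1" -outform DER 2>/dev/null </dev/null |
        cmp -s - "$1"
}

# SHA-256 fingerprint of certificate $1; $2 is its format (PEM or DER).
# Use it to confirm the published DER file matches the issued certificate.
cert_fp() {
    openssl x509 -inform "$2" -in "$1" -noout -fingerprint -sha256
}
```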


OVERVIEW

The process of creating and using digital certificates with PHPki is fairly easy.

THE MAIN MENU

All of the PHPki primary functions can be accessed from the Main Menu. It is possible to navigate back to the Main Menu from any screen by clicking the "Menu" link in the upper right corner of each page. Clicking the Public link will open a new browser window to the public content menu where the general public may search for certificates and download the Root Certificate and Certificate Revocation List.

REQUESTING A NEW CERTIFICATE

When you select "Request a New Certificate" from the Main Menu, you will be presented with the Certificate Request Form.

This form is used to collect the minimum necessary information required to issue a new digital certificate. All fields must be completed.

When you have completed filling in the form, click the "Submit Request" button. The information you submitted will be checked for errors, and a confirmation screen will be displayed.

Clicking the "Yes! Create and Download" button will cause a file download window to open in your browser, allowing you to save the certificate on your computer under whatever name you choose. The default name for each certificate is derived from the e-mail address provided in the certificate request form. You may download the certificate as many times as you wish as long as your browser remains on this page. If you navigate from this page, you will have to use the Certificate Management Control Panel to download the certificate again. Be sure to save all of your certificates in a safe and secure place. Doing so will make it easier for you to re-install a certificate on a user's workstation should the need arise.

After the download window closes, you may click the "Back" button to return to the form and request another certificate. All of the data you previously entered will be retained. This is to allow you to issue a large number of certificates without having to re-enter much of the form. As well, your form input will be saved as your default values for future sessions.

MANAGING YOUR CERTIFICATES WITH THE CONTROL PANEL

PHPki provides one convenient place to manage your certificates. It is called the Certificate Management Control Panel.

With the Control Panel you can display, download, revoke, and renew your certificates by simply clicking on the appropriate button to the right of each certificate entry. Your certificates are listed in columnar format, with the left-most color coded "Status" column showing whether a certificate is "Valid" or "Revoked". The listing can be sorted in any order by clicking on the column headings. An arrow graphic beside a column heading indicates which column is being used to sort the listing. Clicking on the arrow graphic will cause the listing to alternate between ascending and descending sort order. You may find these sort features particularly useful if you are careful to plan and utilize the Department/Unit and Locality fields to categorize your certificates according to your particular organizational needs.

REVOKING A CERTIFICATE

At times it may become necessary to revoke or invalidate a certificate. This usually happens when an e-mail address is no longer valid, or the certificate's private key has been lost or compromised.

To revoke a certificate, click on the icon next to the certificate entry in the Control Panel.

You will then be asked to confirm or cancel the revocation. Be absolutely sure of what you wish to do before clicking the "Yes" button. Once a certificate is revoked, it cannot be un-revoked. Well, this isn't completely true, as a revoked certificate can be renewed. Renewing a revoked certificate results in a new certificate being issued. Certificate renewal is covered later.

If you click the "Yes" button, the certificate is revoked with no further interaction. The certificate's status in the Control Panel will change to Revoked.

DISPLAYING CERTIFICATE DETAILS

Certificates may be displayed in full detail by clicking the icon next to a certificate's entry in the Control Panel. Although some users may find this feature useful, many will not find anything of interest in it.

RENEWING A CERTIFICATE

Certificates expire periodically. The usual length of time for which a certificate is valid is one year. With PHPki, you have the option to issue certificates with a more extended life span. Regardless, sooner or later your certificates will begin to expire.

To renew a certificate which has expired or is near expiration, simply click the icon next to the certificate's Control Panel entry. You will then be presented with a certificate renewal form.

The certificate renewal form takes the values for Common Name, E-mail Address, Organization, etc. from the original certificate. Those fields are disabled in the form, and cannot be changed. You are required to enter the original certificate's password and select a life span for the new certificate. If you do not enter the correct password that was assigned to the original certificate when it was created, you will not be able to renew the certificate. You may cancel this operation by clicking the "Back" button, which will take you back to the Control Panel.

If you click the "Submit Request" button to renew the certificate, it is renewed with no further interaction, and you will be returned to the Control Panel. You will notice a new Valid certificate in the Control Panel, and the old expired certificate is marked Revoked.

DOWNLOADING A CERTIFICATE

If you lose the original file you downloaded when you first created a certificate, you may download another copy of a certificate at any time by clicking the icon next to the certificate's entry in the Control Panel. When downloading a certificate, you will be reminded that the certificate is a PRIVATE certificate, which SHOULD NEVER BE DISTRIBUTED TO THE PUBLIC. You may choose to download PKCS #12 or PEM formatted bundles.

GLOSSARY

Click here to view the complete PHPki glossary of terms.

GETTING ADDITIONAL HELP

Contact:
First-Name Last-Name
Company/Organization Name
Address Line #1
Address Line #2
City, State, ZipCode

Phone: (000) 000-0000
E-mail: someone@somewhere.com   E-mail is preferred.



PHPki v0.82 - Copyright 2003 - William E. Roadcap