I'm working on an automated CA for internal infrastructure that runs on Twisted Web and M2Crypto. The CA has its key. Other machines can send GET requests with the CSR as the body. Assuming things validate, the Helios server should respond in the body with the corresponding certificate.
The complete source and test files for the application are here:
http://bazaar.launchpad.net/~davidstrauss/helios-ca/trunk/files
Everything currently works (CSR request through certificate reply) except for validating the certificate:
root@helios:~/helios-ca# openssl verify -CAfile ca.crt test.pem
test.pem: /C=US/ST=California/L=San Francisco/O=Pantheon Systems, Inc./OU=Infrastructure/CN=one.com/[email protected]
error 7 at 0 depth lookup:certificate signature failure
4280:error:04077068:rsa routines:RSA_verify:bad signature:rsa_sign.c:255:
4280:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:a_verify.c:173:
If I use openssl to sign the test certificate from the shell, things validate correctly. There must be something wrong with the signing code in Helios.
This is a related question:
http://stackoverflow.com/questions/2643903/how-to-generate-ca-signed-x509-certificate-by-m2crypto
Unfortunately, the resources linked from that previous question both use the same key pair for the CA and final certificate. This is silly for obvious reasons, and it makes those examples quite unhelpful for real-world PKI.
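As an added example (not part of the question and not code from Helios), here is the same CA-to-leaf flow done with openssl from the shell, with one key pair for the CA and a separate key pair for the end-entity certificate, ending in the same `openssl verify -CAfile` call the question uses. It also includes the check a practitioner reaches for when verify reports "certificate signature failure": confirm that the public key inside the CA certificate matches the private key the signing code actually used, since a mismatch there produces exactly that error. File names, subjects and the working directory are constructed for this demo.

```shell
#!/bin/sh
# Added example: CA and leaf with separate key pairs, signed and verified with openssl.
# All file names below are constructed for the demo and live in a temp directory.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

make_ca() {
  # CA key pair plus a self-signed CA certificate (the equivalent of ca.key / ca.crt)
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORKDIR/ca.key" 2>/dev/null
  openssl req -new -x509 -key "$WORKDIR/ca.key" -subj "/CN=Internal Test CA" \
    -days 1 -out "$WORKDIR/ca.crt" 2>/dev/null
}

make_csr() {
  # A distinct leaf key pair and the CSR a client machine would send to the CA
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORKDIR/leaf.key" 2>/dev/null
  openssl req -new -key "$WORKDIR/leaf.key" -subj "/CN=one.com" \
    -out "$WORKDIR/leaf.csr" 2>/dev/null
}

sign_csr() {
  # The CA signs the CSR with its own private key; the leaf key is never needed here
  openssl x509 -req -in "$WORKDIR/leaf.csr" -CA "$WORKDIR/ca.crt" \
    -CAkey "$WORKDIR/ca.key" -CAcreateserial -days 1 \
    -out "$WORKDIR/leaf.crt" 2>/dev/null
}

verify_leaf() {
  # Prints "<path>/leaf.crt: OK" on success; non-zero exit on a signature failure
  openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/leaf.crt" 2>/dev/null
}

ca_key_matches_cert() {
  # "certificate signature failure" at depth 0 usually means the key that signed
  # the leaf is not the key behind the CA certificate. Compare the two public keys.
  from_key=$(openssl pkey -in "$WORKDIR/ca.key" -pubout 2>/dev/null)
  from_cert=$(openssl x509 -in "$WORKDIR/ca.crt" -pubkey -noout 2>/dev/null)
  [ "$from_key" = "$from_cert" ]
}

leaf_key_differs_from_ca_key() {
  # Sanity check that the demo really uses two key pairs, unlike the linked examples
  ca_pub=$(openssl pkey -in "$WORKDIR/ca.key" -pubout 2>/dev/null)
  leaf_pub=$(openssl pkey -in "$WORKDIR/leaf.key" -pubout 2>/dev/null)
  [ "$ca_pub" != "$leaf_pub" ]
}

# Stand-alone run: build the CA, issue the leaf, then verify and print the result
make_ca
make_csr
sign_csr
verify_leaf
ca_key_matches_cert && echo "CA key and CA certificate agree"
leaf_key_differs_from_ca_key && echo "leaf key pair is distinct from the CA key pair"
```

If `verify_leaf` fails while `ca_key_matches_cert` succeeds, the leaf was signed with something other than `ca.key`; if `ca_key_matches_cert` itself fails, the CA certificate being handed to `-CAfile` was not issued from the key the signing code loads. Running those two checks against the real `ca.crt` and the key Helios loads narrows the bug down before touching the M2Crypto code.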