Jump to: navigation, search


Last version: 0.1.2
License: GPL
Languages: Bash
Status: Active

pca (Personal Certificate Authority) is a bash wrapper shell script for OpenSSL cryptography suite intended to make it easy to manage a TLS/SSL Certificate Authority for personal use. It provides a much more complete, cleaner and user-friendly interface than the script provided with the OpenSSL distribution.



  • CA operations:
    • Support for certificate signing for different purposes (server, client).
    • Support for certificate revocation and CRLs.
    • Simple backup, with optional GnuPG encryption.
    • No need to deal directly with the CA repository.
  • Non-CA operations:
    • Key and certificate signing request (CSR) generation.
    • Removal of key pass phrase (for unattended web servers).
    • Export to PKCS #12 format (for importing into clients).
  • Easy help access, all subcommands support the --help option.
  • XDG Base Directory compliant.


People like to see screenshots. Since this is a text tool, an output of the pca command itself shows an overview of all its functions.

~$ pca
Personal Certificate Authority 0.1.1 (2008-05-28)
Copyright (C) 2008 - Juliano F. Ravasi

This is free software.  You may redistribute copies of it under the terms
of the GNU General Public License <>.
There is NO WARRANTY, to the extent permitted by law.

Basic commands:
  help                  Displays help about pca usage.
  setup                 Setups initial files and parameters.

Certificate Authority (CA) commands:
  init                  Initializes your personal CA.
  update                Updates your CA database.
  crl                   Manages your CA Certificate Revocation List.
  backup                Makes a backup of your CA to the given file.
  purge                 Purges your personal CA files.

Certificate management commands:
  sign                  Signs a certificate request.
  revoke                Revokes a previously-signed certificate.
  list                  Lists certificates signed by your CA.
  show                  Displays information about a certificate.
  export                Exports a certificate.
  verify                Verifies trust chains of certificates.

Key management commands:
  genkey                Generates a new key and certificate request.
  genreq                Generates a new certificate request for a key.
  unlock                Exports a key without its pass phrase.
  pkcs12                Exports a key-certificate pair to a PKCS#12 file.

Crash course

There is no documentation yet, so, here is a crash course to get started with pca. If you get lost, use the --help option to get an idea of how to use any subcommand.

~$ pca setup
~$ pca init --rsa=1024 --key-cipher=aes256
~$ pca genkey your-key.key
~$ pca sign your-key.csr