Provide a new tool to easily manage a public-key infrastructure, for use with server packages shipped in Ubuntu.

Release Note

The new upki tool allows to easily create and deploy certificates and public/private keypairs for use with various server stacks in Ubuntu Server, including openvpn.


Several packages make use of SSL certificates and public/private keys. They all tend to ship their own tools (apache2-ssl-certificate for apache2) which sometimes are not packaged in a usable way (easy-rsa for openvpn). Those tools are all different, sometimes only produce self-signed certificates, can be complex and don't handle deployment. So, rather than packaging and shipping a separate tool for each stack, it makes sense to provide a single CLI tool to manage a simple CA that can support all the different package needs.

User stories

  • As a openvpn user, I want to generate certificates and keys for my VPN setup. I use upki (with its openvpn plugin) and it creates and deploys the required items for me.
  • As an apache2 sysadmin, I want to generate a certificate for my HTTPS website. I use upki (with its apache2 plugin) and it generates a certificate signed by my own local CA.
  • As the same apache2 sysadmin, I want to get a certificate for my website that is recognized by default on browsers. I use upki to generate a CSR and send it to the external CA of my choice.



  • Python-based
  • upki core handles key generation
  • service-specific "plugins" expose commands meaningful to that specific service



Test/Demo Plan


Unresolved issues


BoF agenda and discussion

UDS discussion notes


  • User-friendly interface to certificate generation
  • Service-oriented plugins for deployment and service-specific needs


  • Package easy-rsa
    • Low-cost, but non-extensible
    • Not suitable for all use cases (i.e. it has some bias towards OpenVPN use)
    • Potentially a worthy goal simply for OpenVPN users, since the current packaging is not ideal
    • Upstream designed it from a "run script in CA directory" perspective, will need a delta with upstream to be FHS-compliant
  • upki: rewrite easy-rsa in python, same feature set, extensible for, say, publication
  • openca
    • more complete solution
    • upstream not very active but CAcert still contributing to it


  • easy-rsa for Lucid (or basic upki)
  • upki for the next LTS cycle


  • Wizard mode, that could help in generating a CSR, showing some snippets of config file, etc
  • Is there an official group to chown certs to? ie: same cert for Postfix + Apache (yes, ssl-cert)
  • How to deal with ssl certs for Apache virtual hosting
  • OpenLDAP: need to work with self-signed (add tls_checkpeer and TLS_REQCERT in the ldap.conf file?)
  • some kind of notification that certificate will expire in X days
    • motd entry, email, nagios/nrpe check
  • install easy-pki with openssl (it should be small, so it won't take precious resources)


EasyPKISpec (last edited 2009-12-03 08:47:18 by lns-bzn-48f-81-56-218-246)