MiniCA X.509 certificate and key manager

The server core can be used, but it is now better to rewrite it in Golang, as it now has all the necessary functionality.

MiniCA is a web application for creating and managing X.509 certificates and private keys.

With MiniCA you can:

  1. Create or import pairs of root certificates and keys.
  2. Create, store (encrypted) and export a large number of user certificates.
  3. Revoke/unrevoke certificates.
  4. Create and export a revocation list.
  5. Use national symbols in certificate names.

The number of managed certificates is limited by your server hardware and your browser. I use this application to manage more than 3,000 corporate certificates.

Currently the application is a beta version; it (maybe) requires some refinement but works well.

Features and capacity

  • Imported and exported certificates and keys are PEM-encoded.
  • The CA private key is stored encrypted using PKCS#5 with the CA password.
  • “End user” private keys are stored AES256-CBC-encrypted with a random secure keyword and encrypted by the CA public key. They can be decrypted only with the CA private key and CA password.
  • Exported private keys are encrypted as PKCS#5 with your password.
  • Command-line tool for mass import of certificates and keys.
  • KISS interface.
  • By default I use SQLite3 for storage of certificates but in theory you can use another DBMS: PostgreSQL or MySQL.
  • The application is written in Perl and you can easily modify it.
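
One reading of the end-user key storage described in the list above, sketched in Go (the language the author names for a rewrite): the key is encrypted with AES-256-CBC under a random key, and that key is wrapped with the CA public key. This is an added example, not MiniCA's code; the `Sealed` record, the `Seal`/`Open` names, RSA-OAEP wrapping and PKCS#7 padding are assumptions, since the page does not specify them.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

type Sealed struct{ WrappedKey, IV, Ciphertext []byte } // hypothetical storage record

// Seal encrypts keyDER under a fresh random AES-256-CBC key and wraps that key
// with the CA public key (RSA-OAEP is an assumption; the page names no padding).
func Seal(caPub *rsa.PublicKey, keyDER []byte) (*Sealed, error) {
	secret := make([]byte, 32+aes.BlockSize) // random AES-256 key, then the IV
	if _, err := rand.Read(secret); err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(keyDER)%aes.BlockSize // PKCS#7 padding
	buf := append(append([]byte{}, keyDER...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	block, _ := aes.NewCipher(secret[:32]) // cannot fail: key is 32 bytes
	cipher.NewCBCEncrypter(block, secret[32:]).CryptBlocks(buf, buf)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, caPub, secret[:32], nil)
	return &Sealed{wrapped, secret[32:], buf}, err
}

// Open needs the CA private key; CBC has no integrity tag, so only padding is checked.
func Open(caPriv *rsa.PrivateKey, s *Sealed) ([]byte, error) {
	pt := make([]byte, len(s.Ciphertext))
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, caPriv, s.WrappedKey, nil)
	if err != nil || len(key) != 32 || len(s.IV) != 16 || len(pt) == 0 || len(pt)%16 != 0 {
		return nil, fmt.Errorf("unwrap failed or malformed record")
	}
	block, _ := aes.NewCipher(key) // cannot fail: key length checked above
	cipher.NewCBCDecrypter(block, s.IV).CryptBlocks(pt, s.Ciphertext)
	if p := int(pt[len(pt)-1]); p >= 1 && p <= 16 {
		return pt[:len(pt)-p], nil
	}
	return nil, fmt.Errorf("bad padding")
}

func main() {
	ca, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed demo CA key
	s, _ := Seal(&ca.PublicKey, []byte("constructed stand-in for user key DER"))
	pt, err := Open(ca, s)
	fmt.Printf("%q %v\n", pt, err)
}
```

With this layout the database holds only `Sealed` records and the CA public key, so reading the database alone does not reveal any end-user key.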

Dear fans of PHP, Ruby, JS and other programming languages, I'm sorry, but Perl is the best choice for such purposes because its cryptographic modules cover the entire life cycle of X.509 certificates.


Login: officer, password: 1234567
Master and CA passwords are also 1234567



To build and run the application you must install these Perl modules:

You can download Perl patches below. FreeBSD ports are here:

Update 2017-Jun-20: patches committed to FreeBSD ports.



Build and start

# wget
# tar xf minica-xxx.tar.xz
# cd minica-xxx
# adduser minica

# ./configure --prefix=/usr/local
# make install

# cd /var/db/minica
# cp minica.db.example  minica.db
# cp
# chown minica minica.db

# cd /usr/local/etc/minica
# cp minica.conx.example minica.conf

# /usr/local/sbin/minica
# more /var/log/minica/minica.log


Crypt::OpenSSL::CA patches

Crypt::OpenSSL::RSA patches

Patched sources

Restrictions for the release

  • Only PEM.
  • Only RSA.
  • Don't know how to make coffee.


  1. It's a personal project for myself, and I don't care to be limited to a single corporate installation.
  2. I'm committed to the obligation to the “open source” community.

With sufficient interest from the community, I will continue to improve and develop this application. I can add scp/sftp transport for CRL distribution, PKCS#12 export of certificates and keys, etc.


  • Application data flow from CA HTML form to certificate storage/database.


  • Application data flow from database to exported certificate-key pair.


  • Generic OOP model of the application.