The scope would be:
1. SME 7 server manager panel to generate a CSR.
Sure, although this is more of a client function. The server primarily should just accept and sign/reject CSRs, but this change would be simple enough.
2. SME 7 server manager panel to upload a signed certificate.
Done, in raw form. I focused primarily on a REST web service to do this programmatically for my own purposes, but I can expand on my little test form and turn it into a proper upload form.
3. SME 7 server manager panel to generate a self signed certificate*
(*Anyone who decided not to renew a trial or purchased certificate would need a way to move back to a self signed cert that was at least as easy as moving to a trusted cert.)
Currently what I have looks for a custom plug-in package that can be built to provide a purchased Cert or intermediate CA to make a CA on the box. If neither of these is present then the plan is to make a self-signed cert for the CA. I had no plans to move back, but simply generate a new self-signed cert on such a change. I don't see a problem invalidating all of the Certs in the field at this point.
4. Support for 'chained root certificates' when required to build a proper chain of trust.
Currently provided in the REST interface when one's cert is downloaded. There is support for any additional certs that the admin wishes to export, although at most usually 2 are assumed, being the CA cert and the intermediate CA cert.
Optional features I would like:
5. Cron job to do a countdown nag that the certificate will expire in 21 days
Hardly the job of the CA, although it's easy to do.
6. Support for the cacert.org certificates (I don't know that this is necessarily any different to steps 1 and 2 above).
I don't think there's anything unique about cacert.org.
7. Affiliated certificate purchase partner to enable contribs to benefit directly from certificates sold.
Certainly not a big priority on my list. I think this can be done out of band by the admin.
I primarily want an easy way to 'try out' a purchased or third party cert (which are generally only good for a month) which doesn't need a visit to the command line. Hence no.3, the easy way back to a self signed cert at the touch of a button.
Personally, I'd visit the command-line. Tar up old CA. Regen CA with new cert. If you don't like it, blow away the CA and untar the old one. Again, it's doable but it's pretty specialized.
The renewal process needs to be able to retain the 'key' because CAcert do not require the key to be submitted to them again when they renew the certificate. (This may be common behaviour, I've always bought a new cert from someone else rather than renewed an existing cert with the same authority).
Ideally everything needs to work in a way that doesn't interfere with the built in methods of doing it.
No.7 was a money generating thought - it needs more input from others to shape/direct/reject it.
Looking through the thread the current bounty looks to me to be:
dhardy $250
madadam $100
xjjk16x $100
Including the $50 I offered to NickCritten to buy the books
If you need a tighter brief I'm sure that we can arrange one...
Cheers,
David.
I'll be exporting what I have soon. It won't satisfy these requirements but it may in time. Once it does I'm happy to take the bounty as a bonus for my work.
Mike
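
The key-retaining renewal and the 21-day expiry nag discussed in this thread, as an added sketch using the `openssl` command line; it is not code from either poster or from SME Server. The host name, file names and scratch directory are constructed for the example, and it assumes `openssl` is installed.

```shell
#!/usr/bin/env bash
# Added example: constructed host name, throwaway files in a temp directory.
set -eu

WORK=$(mktemp -d)          # scratch directory; the real server cert is never touched
CN="sme.example.test"      # constructed host name

# Create the private key once; every later step reuses it.
new_key() {
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    chmod 600 "$WORK/server.key"
}

# Item 1: CSR from the existing key (also what a same-key renewal would submit).
make_csr() {
    openssl req -new -key "$WORK/server.key" -subj "/CN=$CN" -out "$WORK/server.csr"
}

# Item 3: fall back to a self-signed certificate from the same key, valid $1 days.
self_sign() {
    openssl req -x509 -new -key "$WORK/server.key" -subj "/CN=$CN" \
        -days "$1" -out "$WORK/server.crt"
}

# SHA-256 of the public key carried by a key, CSR or certificate file.
# Equal hashes prove the renewal or fallback kept the original key.
pubkey_hash() {
    case "$1" in
        *.key) openssl pkey -in "$1" -pubout ;;
        *.csr) openssl req  -in "$1" -noout -pubkey ;;
        *.crt) openssl x509 -in "$1" -noout -pubkey ;;
    esac | openssl sha256 | awk '{print $NF}'
}

# Item 5: return success (0) when the certificate expires within $2 days.
# openssl's -checkend exits non-zero if the cert expires inside the window.
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

new_key
make_csr
self_sign 10               # short-lived cert so the nag below fires
if expires_within "$WORK/server.crt" 21; then
    echo "NAG: $CN certificate expires in under 21 days"
fi
```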