After you’ve familiarized yourself with OpenPGP CA’s concepts, let’s get started using it!
First, we install OpenPGP CA (or, alternatively, you can run OpenPGP CA in Docker).
As prerequisites, we need to install:
Rust and Cargo (see https://www.rust-lang.org/tools/install)
The C-dependencies of Sequoia PGP (see “Building Sequoia”)
(e.g. on Debian bookworm, you need at least
apt install rustc cargo clang pkg-config nettle-dev libssl-dev libsqlite3-dev)
libpcsclite to build OpenPGP card support:
apt install libpcsclite-dev(at runtime,
pcscdis used, so if you want to use cards, that service must be running)
Then we build the latest OpenPGP CA version from the crates.io registry:
$ cargo install openpgp-ca
After a successful build, the resulting binary is available in
You might want to add that directory to your
$PATH (or make the
oca binary otherwise easily accessible).
Now, you should be able to run OpenPGP CA as follows:
$ oca --help
OpenPGP CA uses an SQLite database to keep track of its state. This database is stored in a single file in the filesystem. This file is the only element of the filesystem that OpenPGP CA modifies - and it is the only file that you need to backup to have a copy of the full state of your OpenPGP CA instance.
To use OpenPGP CA, you need to specify where the database file is stored (there is no default location). There are two methods to configure the database file:
- You can set the
- Alternatively, the parameter
-dsets the database file explicitly (this overrides the environment variable).
We’re going to use the latter method in our examples.
If the configured database file doesn’t exist, it will be created implicitly.
If you operate multiple instances of OpenPGP CA, you can easily use
separate SQLite files: you just need one file per instance. You can then switch between
instances by setting the
OPENPGP_CA_DB environment variable to
point to the correct database file for each instance, or you can use the
Offline instances, encryption
The OpenPGP CA database contains sensitive data: in particular, it contains information about the users, it can contain revocation certificates - and, most importantly, the private key of OpenPGP CA1.
Because of this, the database file(s) needs to be protected. Depending on the
needs of your organization, this might mean storing the OpenPGP CA database
on encrypted storage, and/or running OpenPGP CA on an airgapped machine (that is,
one that is not connected to a network).
OpenPGP CA’s workflows have not yet been optimized for offline operation. But, we intend to add support for this in the future.
If you’re stuck, then you can use the “–help” option to get information about any command or subcommand, for instance:
$ oca --help
$ oca user --help
$ oca user import --help
The private CA key is only stored in the CA database in “softkey” mode. When using the OpenPGP card backend, the CA private key is not stored in the CA database. ↩︎