OwnCA is a self-hosted web panel that does what your pile of EasyRSA shell scripts does — stand up roots and intermediates, issue and revoke X.509 certificates, keep CRLs fresh — only from a UI instead of a terminal. It runs on stock OpenSSL with RSA, ECDSA and Ed25519; GOST R 34.10-2012 is strictly opt-in, and with it switched off you're on a clean, unpatched OpenSSL build with no engine to install.
One form replaces the build-server-full / build-client-full / sign-req incantations: pick a CA, optionally a profile, fill the Subject DN and SANs. Bring your own CSR or have the panel generate the key. GOST paramset selection only appears when GOST is enabled.
Stock .p12 (PBES2 / AES / SHA-256) works on any vanilla OpenSSL — the same bundle easyrsa export-p12 would hand you. The optional .gost.p12 (RFC 9337 + 9548, read by CryptoPro) is the only piece that wants a patched gost-engine; turn GOST off and you never touch it.
Profiles: server, client, server_client, vpn, user, user_login, smartcard_logon, smime_sign, code_signing, timestamping — all with KU/EKU and OID-field bindings you can edit or clone.
The init-pki / build-ca step, made clickable: spin up root and intermediate CAs with any supported key family. Each CA carries its own distribution points — CRL, AIA, OCSP, SIA, freshestCRL, issuerAltName — embedded in every leaf it signs.
The bundled nginx serves the regular RSA/ECDHE suites out of the box. Enable GOST and it also terminates GOST2012-KUZNYECHIK-KUZNYECHIKOMAC on the same socket; leave it off and it's an ordinary TLS endpoint on stock OpenSSL.
CA material, issued certs and CRLs are flat files under OWNCA_STORAGE_DIR/. Postgres is only the metadata index — you can tar the storage dir and move a CA between hosts.
The pages below are the actual dashboard templates, rendered with hand-crafted mock data. Sidebar, panels, tables, lang switch — all live. Forms are intercepted (this is a static mirror), but every link goes somewhere.
Auth screen on the deep-navy demo background. Click Sign In to enter the panel.
Sign in →

KPIs, your CAs, expiring-soon table, recently-issued feed.
Open dashboard →

Stand up root and intermediate CAs across all four key families.
View CAs →

Filterable list with per-column filters, status badges, paginator.
Browse certs →

Pick CA → profile → fill Subject DN & SAN → issue or import CSR.
Run the wizard →

KU / EKU registry, OID-field bindings, the Copy clone affordance.
Open profiles →

X.509 subject, issuer, extensions, raw PEM, downloads — including .gost.p12.

Issuance-mode toggles plus the env-var matrix the dashboard reads at boot.
Open config →

openssl version, gost-engine status, manual metadata refresh.
Open maintenance →

dev_env mounts the source into the dashboard container with auto-reload — good for hacking on the panel. demo ships prebuilt images and can be sneakernet'd onto an air-gapped host as a single tarball.