Redwax Project

The Redwax Project provides a number of small and modular security tools to make it easy to build security services on the web.

The aim of the project is keep the security footprint and the number of dependencies as low as possible. The code is released as open source under the Apache License v2.

Recent Changes and other News


Redwax SignText v0.9.0 released for GTK and Adwaita, along with the crypto.signText() addon for Firefox.


Redwax SignText is added, an implementation of crypto.signText() allowing signing on the web.


Release v0.9.4 of the Redwax Tool. Read certificates and keys from a MacOS Keychain file. Explicit import of trusted PEM certificates.


Release v0.9.3 of the Redwax Tool. Output certificate expiry as ICAL calendar or reminder entries. Allow ordering of certificates and keys to cater for Postfix order as opposed to Httpd order. Allow control over the verification date, and allow expired certificates to be verified.


Release v0.9.2 of the Redwax Tool. Add ability to read and write certificates as given users or groups. Output SSH public keys, and DER certificates..


Release v0.9.1 of the Redwax Tool. Simplify the default behaviour of filters on the command line.


First release v0.9.0 of the Redwax Tool. Download available here.


Redwax Tool is added, the universal certificate conversion tool. Convert PEM to PEM, PKCS12, PKCS11 or NSS. Working towards the first release.


Experimental module added, mod_cms_verify, which can be used as a read through POST handler that verifies if the inbound data for the POST is digitally signed (CMS/PKCS#7 or with a defacto industry JSON pacakge).


Experimental module added, mod_cms_sign, which allows for on the fly creation of a PKCS#7 or CMS signed package of the data.


Experimental module added, mod_sign, which supports unmanaged keys, as used in DNSSec, DMARC and for the Google/Apple GAEN keys. It has a very simple REST api -- see the README.


All modules updated - no major change.s


RedWax is now in MacPorts for Apple macOS 10.9 and newer -- see mod_ca, mod_crl, mod_ocsp, mod_csr, mod_pkcs12, mod_scep, mod_timestamp and so on.


Not quite ready for primetime; but with support for AJP becoming scarce, there has been a need to get information from an Apache httpd (such as the certificate used to authenticate) to a backend server (Tomcat, etc) in a secure way.

These two new modules: mod_auth_bearer and mod_autht_jwt can handle the authenticaiton on bearer tokens (as used in JWT and OAuth2) and the passing/populating of those in a proxy. Still work in progress; and it does depend on the newly fangled apr-util 1.7 its secure json, jose and crypto sypport.

Depending on how things work out - it will either become part of the normal apache-httpd mainline distributions - or continued separately at (to be continued...).


RedWax Interoperability testsite for CSR (Microsoft/RFC2986/PKCS10 style) now open for business.


NixOS packages for redwax updated to latest versions (that also makes all NixOS tests pass).


Two new modules: mod_cert and mod_pkcs7 -- making it easier to publish the chain/intermediate certificates automatically.


Interoperability test site available; with timestamping and SCEP. To facilitate cross industry testing and standards development.


Update to 0.2.3 for mod_scep (release notes), mod_crl (release notes) and mod_csr (release notes). No security updates, minor improvements to autoconf, RPM improvements for Redhat, SUSE and europe oriented Mageia.


Update to 0.2.2 for mod_ocsp (release notes), mod_timestamp (release notes), mod_pkcs12 (release notes) and mod_spkac (release notes). No security updates, openssl workaround for missing APIs (0.9->1.x), minor improvements to autoconf, RPM improvements for Redhat, SUSE and europe oriented Mageia.


Update to 0.2.1 for all modules.

Redwax Server

The Redwax server consists of a series of modules for the Apache HTTP Server that can be combined together to form various types of certificate authorities.


Modules to support issuing certificates with SPKAC and SCEP, servicing certificate revocation with CRLs and OCSP, and creating timestamps.


Read the manual.


Find the latest and archived releases.

Getting Involved

Get access to the source code, issue tracker and mailing lists.

Redwax SignText

Web extension and native application to allow secure signing on the web.


Sign text from a webpage using a digital certificate. Implements crypto.signText() that was developed for Netscape and Firefox.


Find the latest and archived releases.

Getting Involved

Get access to the source code, issue tracker and mailing lists.

Redwax Tool

The universal certificate conversion tool.


Read certificates and keys from your chosen sources, filter the certificates and keys you're interested in, write those certificates and keys to the destinations of your choice.


Find the latest and archived releases.

Getting Involved

Get access to the source code, issue tracker and mailing lists.


The projects within Redwax follow a set of rules for the build and ongoing maintenance of the code.


Redwax projects meet a set of architecture requirements.

Release Process

For code to be considered a release of a the Redwax Project, a specific set of requirements must be met.

Code of Conduct

To facilitate communication between people from many different countries and cultures, and between individuals with very different backgrounds, Redwax has a code of conduct that those that particpate abide by.


All Redwax code is distrubuted under the Apache Software License (v2).

Contributor License Agreement

In order to make sure that Redwax can continue to distribute its code under the Apache License it needs to make sure that it also gets that permission from any volunteer (or company) that contributes. This Contributor License Agreements sets out the terms and conditions.