(hx509.info.gz) Creating a CA certificate
3.1 Creating a CA certificate
=============================
This section describes how to create a CA certificate and what to think
about.
3.1.1 Lifetime CA certificate
-----------------------------
You probably want to create a CA certificate with a long lifetime, 10
years at the shortest. This is because you don't want to push out the
certificate (as a trust anchor) to all your users once again when the old
one has just expired. A trust anchor can't really expire, but not all
software works that way.
Keep in mind that the security requirements might be different 10-20 years
into the future. For example, SHA1 is going to be withdrawn in 2010, so
make sure you have enough buffering in your choice of digest/hash
algorithms, signature algorithms and key lengths.
3.1.2 Create a CA certificate
-----------------------------
The command below will create a CA certificate in the file ca.pem.
hxtool issue-certificate \
--self-signed \
--issue-ca \
--generate-key=rsa \
--subject="CN=CertificateAuthority,DC=test,DC=h5l,DC=se" \
--lifetime=10years \
--certificate="FILE:ca.pem"
3.1.3 Extending lifetime of a CA certificate
--------------------------------------------
If you realise that your CA certificate is going to expire soon and
that you need to replace it with something else, the easiest way to do
that is to extend the lifetime of your existing CA certificate.
The example below will extend the CA certificate 10 years into the
future. You should compare the new certificate with the old one to make
sure it still contains all the special tweaks the old certificate had.
hxtool issue-certificate \
--self-signed \
--issue-ca \
--lifetime="10years" \
--template-certificate="FILE:ca.pem" \
--template-fields="serialNumber,notBefore,subject,SPKI" \
--ca-private-key=FILE:ca.pem \
--certificate="FILE:new-ca.pem"
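The comparison the text asks for, as an added example that is not part of the hx509 manual: a shell check that the re-issued CA kept the copied fields, the same key and the old extensions, and that it meets the lifetime and digest advice from 3.1.1. It assumes the openssl command-line tool is installed; check_extended_ca and the file names are this example's own.

```sh
# Added example, not part of the hx509 manual: sanity-check a re-issued CA
# certificate (new-ca.pem) against the original (ca.pem) before distributing it.
# Assumes the openssl command-line tool is installed; hxtool is not needed here.

spki_fingerprint() {   # SHA-256 over the DER SubjectPublicKeyInfo of a PEM certificate
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

ext_names() {          # names of the X509v3 extensions present, sorted, one per line
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *\(X509v3 [A-Za-z ]*\):.*/\1/p' | LC_ALL=C sort -u
}

# check_extended_ca OLD NEW: prints one line per problem found, returns 0 only if clean
check_extended_ca() {
    old=$1 new=$2 rc=0
    # Fields copied by --template-fields (subject, serialNumber) must be unchanged.
    for opt in -subject -serial; do
        if [ "$(openssl x509 -in "$old" -noout $opt)" != "$(openssl x509 -in "$new" -noout $opt)" ]; then
            echo "mismatch in $opt"; rc=1
        fi
    done
    # Same key (SPKI); with a new key, certificates the old CA issued no longer verify.
    if [ "$(spki_fingerprint "$old")" != "$(spki_fingerprint "$new")" ]; then
        echo "public key (SPKI) differs"; rc=1
    fi
    # Every extension ("special tweak") of the old CA must survive in the new one.
    tmp=$(mktemp -d)
    ext_names "$old" > "$tmp/old"; ext_names "$new" > "$tmp/new"
    missing=$(LC_ALL=C comm -23 "$tmp/old" "$tmp/new"); rm -rf "$tmp"
    if [ -n "$missing" ]; then
        echo "extensions missing from new CA: $missing"; rc=1
    fi
    # Lifetime: the text recommends 10 years at the shortest (-checkend takes seconds).
    if ! openssl x509 -in "$new" -noout -checkend $((10 * 365 * 86400)) >/dev/null; then
        echo "new CA expires in less than 10 years"; rc=1
    fi
    # Digest: a trust anchor signed with SHA-1 or MD5 will not age well.
    case $(openssl x509 -in "$new" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -1) in
        *sha1*|*SHA1*|*md5*|*MD5*) echo "weak signature digest"; rc=1 ;;
    esac
    return $rc
}
```

Run it as `check_extended_ca ca.pem new-ca.pem` and only distribute new-ca.pem when it prints nothing and exits 0.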
3.1.4 Subordinate CA
--------------------
This example creates a new subordinate certificate authority.
hxtool issue-certificate \
--ca-certificate=FILE:ca.pem \
--issue-ca \
--generate-key=rsa \
--subject="CN=CertificateAuthority,DC=dev,DC=test,DC=h5l,DC=se" \
--certificate="FILE:dev-ca.pem"