(hx509.info.gz) Creating a CA certificate

 3.1 Creating a CA certificate
 =============================
 
 This section describes how to create a CA certificate and what to think
 about.
 
 3.1.1 Lifetime of a CA certificate
 ----------------------------------
 
 You probably want to create a CA certificate with a long lifetime, 10
 years at the shortest. This is because you don't want to push the
 certificate (as a trust anchor) out to all your users again just because
 the old one expired. A trust anchor can't really expire, but not all
 software treats it that way.
 
 Keep in mind that the security requirements might be different 10-20
 years into the future. For example, SHA1 is going to be withdrawn in
 2010, so make sure you have enough margin in your choice of digest/hash
 algorithms, signature algorithms and key lengths.
 
 3.1.2 Create a CA certificate
 -----------------------------
 
 The command below creates a CA certificate in the file ca.pem.
 
      hxtool issue-certificate \
          --self-signed \
          --issue-ca \
          --generate-key=rsa \
          --subject="CN=CertificateAuthority,DC=test,DC=h5l,DC=se" \
          --lifetime=10years \
          --certificate="FILE:ca.pem"
 
 3.1.3 Extending lifetime of a CA certificate
 --------------------------------------------
 
 If you realise that your CA certificate is going to expire soon and that
 you need to replace it with something else, the easiest way to do that
 is to extend the lifetime of your CA certificate.
 
 The example below extends the CA certificate 10 years into the future.
 Compare the new certificate with the old one to verify that it still
 contains all the special tweaks the old certificate had.
 
      hxtool issue-certificate \
          --self-signed \
          --issue-ca \
          --lifetime="10years" \
          --template-certificate="FILE:ca.pem" \
          --template-fields="serialNumber,notBefore,subject,SPKI" \
          --ca-private-key=FILE:ca.pem \
          --certificate="FILE:new-ca.pem"
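 
 To make that comparison concrete, here is an added example (plain
 stdlib Python, not hxtool's or hx509's own code) that walks two
 DER-encoded certificates and reports whether the renewed one kept the
 serialNumber, notBefore, subject and SPKI that --template-fields asks
 hxtool to copy, actually extended notAfter, and retained every extension
 of the old certificate with an unchanged value. The sample certificates
 are constructed inside the block with a small DER encoder and carry dummy
 keys and signatures; the OIDs, field names and the check_renewal function
 are the example's own.

```python
"""Check a renewed CA certificate against the one it replaces (stdlib only)."""
import datetime

# ---- minimal DER helpers: enough to build and walk a certificate ----
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def seq(*items):
    return tlv(0x30, b"".join(items))

def oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        enc = [p & 0x7F]
        p >>= 7
        while p:
            enc.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(enc))
    return tlv(0x06, bytes(out))

def oid_str(body):
    parts, acc = [body[0] // 40, body[0] % 40], 0
    for byte in body[1:]:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))

def read_tlv(buf, i):
    """Return (tag, body, index_after) for the DER element starting at buf[i]."""
    tag, n, i = buf[i], buf[i + 1], i + 2
    if n & 0x80:                                     # long-form length
        k = n & 0x7F
        n, i = int.from_bytes(buf[i:i + k], "big"), i + k
    return tag, buf[i:i + n], i + n

def children(body):
    out, i = [], 0
    while i < len(body):
        tag, b, i = read_tlv(body, i)
        out.append((tag, b))
    return out

# ---- the actual check ----
def parse_cert(der):
    """Extract the fields a CA renewal must preserve from a DER X.509 certificate."""
    tbs = children(read_tlv(der, 0)[1])[0][1]        # Certificate -> tbsCertificate
    fields = children(tbs)
    if fields[0][0] == 0xA0:                         # optional [0] EXPLICIT version
        fields = fields[1:]
    serial, _sigalg, _issuer, validity, subject, spki = fields[:6]
    times = []
    for tag, b in children(validity[1]):             # UTCTime (0x17) or GeneralizedTime (0x18)
        fmt = "%Y%m%d%H%M%SZ" if tag == 0x18 else "%y%m%d%H%M%SZ"
        times.append(datetime.datetime.strptime(b.decode(), fmt))
    exts = {}
    for tag, body in fields[6:]:
        if tag == 0xA3:                              # [3] EXPLICIT Extensions
            for _, ext in children(children(body)[0][1]):
                parts = children(ext)                # extnID, [critical], extnValue
                exts[oid_str(parts[0][1])] = parts[-1][1]
    return {"serial": serial[1], "subject": subject[1], "spki": spki[1],
            "not_before": times[0], "not_after": times[1], "extensions": exts}

def check_renewal(old_der, new_der):
    """Return a list of problems; empty means the new CA cert is a faithful extension."""
    old, new = parse_cert(old_der), parse_cert(new_der)
    problems = [f"{f} changed" for f in ("serial", "subject", "spki") if old[f] != new[f]]
    if new["not_before"] != old["not_before"]:
        problems.append("notBefore changed")
    if new["not_after"] <= old["not_after"]:
        problems.append("lifetime not extended")
    for o, value in old["extensions"].items():
        if o not in new["extensions"]:
            problems.append(f"extension {o} dropped")
        elif new["extensions"][o] != value:
            problems.append(f"extension {o} value changed")
    return problems

# ---- constructed sample certificates (dummy key and signature, not real crypto) ----
def make_cert(not_before, not_after, ext_oids):
    name = seq(tlv(0x31, seq(oid("2.5.4.3"), tlv(0x0C, b"CertificateAuthority"))))
    alg = seq(oid("1.2.840.113549.1.1.11"), tlv(0x05, b""))          # sha256WithRSAEncryption
    spki = seq(seq(oid("1.2.840.113549.1.1.1"), tlv(0x05, b"")), tlv(0x03, b"\x00dummy"))
    exts = seq(*[seq(oid(o), tlv(0x01, b"\xff"), tlv(0x04, b"\x30\x00")) for o in ext_oids])
    utc = lambda d: tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = seq(tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"), alg, name,
              seq(utc(not_before), utc(not_after)), name, spki, tlv(0xA3, exts))
    return seq(tbs, alg, tlv(0x03, b"\x00dummy-signature"))

BASIC_CONSTRAINTS, KEY_USAGE, SUBJECT_KEY_ID = "2.5.29.19", "2.5.29.15", "2.5.29.14"
T0, T1, T2 = (datetime.datetime(y, 1, 1) for y in (2015, 2025, 2035))
OLD_CA = make_cert(T0, T1, [BASIC_CONSTRAINTS, KEY_USAGE, SUBJECT_KEY_ID])
RENEWED_CA = make_cert(T0, T2, [BASIC_CONSTRAINTS, KEY_USAGE, SUBJECT_KEY_ID])  # faithful renewal
SLOPPY_CA = make_cert(T0, T2, [BASIC_CONSTRAINTS])                              # lost two extensions

if __name__ == "__main__":
    for label, cert in (("renewed", RENEWED_CA), ("sloppy", SLOPPY_CA)):
        print(label, check_renewal(OLD_CA, cert) or "OK")
```

 To run the check against ca.pem and new-ca.pem produced by the hxtool
 command above, read each file, base64-decode the text between the BEGIN
 and END CERTIFICATE lines to get DER, and pass the two byte strings to
 check_renewal; an empty list means the renewed CA kept everything the
 template was meant to carry over.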
 
 3.1.4 Subordinate CA
 --------------------
 
 This example creates a new subordinate certificate authority.
 
      hxtool issue-certificate \
          --ca-certificate=FILE:ca.pem \
          --issue-ca \
          --generate-key=rsa \
          --subject="CN=CertificateAuthority,DC=dev,DC=test,DC=h5l,DC=se" \
          --certificate="FILE:dev-ca.pem"
 