Certificate Authority

From ConShell
Jump to: navigation, search


So you want to run a Certificate Authority to manage your Public Key Infrastructure (PKI)?

Mostly that just means a way to generate and sign certificate signing requests (CSR). Here are some tips that may help get you going.


First, you'll need to choose what software package you will use to manage all this. Here are a few choices...

As for myself, I choose Xca almost always because it is easy to work with and supports a wide-range of functionality. It does have drawbacks, namely that it does not provide self-service fulfillment like some of the heftier certificate authorities. There is no support for LDAP and a fancy web interface.

Create the CA

Here are some tips on creating the CA, some learned the hard way.

1. Choose SHA1 digest algorithm. MD5 is deprecated and SHA256 is not widely supported.

2. Specify good descriptions for Organization Name, Organizational Unit Name and Common Name. Example...

  • organzationName: Company Name, LLC.
  • organizationalUnitName: Company Name Certificate Services
  • commonName: Company Name Certificate Authority #N

Here is how it will look when branded into the certificate.

issuer=/O=CompanyName, LLC./OU=CompanyName Certificate Services/CN=CompanyName Certificate Authority #3

which leads me to...

3. Assign numbers to your CA certificates, starting with 1. This can be the same as the serial # if you want, it doesn't matter. Put the # in your commonName so it will "pop" when seen in customers/clients certificate store. It will also help simplify things when troubleshooting who a given Issuer was.

4. Choose a strong key for the CA - 2048 bits at least

5. Choose a nice, long validity term, 10 years at least, or 15 or 20.

6. If you are brave, choose to implement an intermediate CA scheme. This let's you delegate signing authority to other groups or divisions in your enterprise, all leading back to a single central trusted CA. However this invites operational complexity as the use of chaining is required by the users of certificates issued by the intermediary CA.

7. Setup a shared "escrow" folder where users can drop their certificate requests (CSR) and you (the signer) can put the signed certificates for pickup.

8. Decide in advance whether you plan to support revocation lists. These can take the form of a Certificate Revocation List (CRL) or Online Certificate Status Protocol (OCSP). Not all applications support these things, so don't sweat this much... but if you do choose it, you'll want to indicate the URL of either the CRL or OSCP in your CA certificate I believe (or it may be in the signed certificates instead).

Steps to create a certificate authority in Xca

Here are the steps I use to create a CA in Xca.

  1. Start Xca
  2. create a new database
  3. click on "Certificates" tab
  4. click on "New Certificate" button
  5. Create a self signed certificate with the serial 1 (or whatever # this ca is)
  6. choose SHA1 as signature algorithm
  7. choose [default] CA template and click "Apply" button
  8. click on "Subject" tab
  9. specify Internal name: xyzca1
  10. specify Organisation: Company Name
  11. specify Organ. unit: Company Name Certificate Services
  12. specify Common name: Company Name Certificate Authority #1
  13. click "Generate a new key" button
  14. specify Name: xyzca1
  15. specify Keysize: 2048 bit
  16. click "Create" button
  17. the new key will be automatically chosen as the Private key
  18. click "OK" button and the certificate is created
  19. click on Certificates tab
  20. right-click on the new CA certificate labeled xyzca1, choose Export
  21. save xyzca1.crt on your filesystem. This can be put on the company website for distribution.


--fostermarkd 10:59, 5 September 2008 (PDT)