Creating Certificates

The Create Certificate option allows creating a new certificate in the system. Clicking the button will open the Make New Certificate page, which is very similar to the regular request editing page. The buttons at the bottom of the page are different, as only the Proceed and Cancel buttons are available.

This option can be used to create CA certificates, for example. See Section Creating a New Certification Authority.

Most fields on this page correspond to those on the Certification Request page. See Processing Requests. Fill in data as necessary.

Figure: The Make New Certificate page (CA certificate)

The validity period fields default to the current time. At least the Not after value should be changed to a later date.

Key generation parameters can be adjusted by clicking Set Key Generation Parameters. This opens the Key Generation / Import page. On this page, Key Provider Type, Key type, and Key size can be selected. If a hardware security module (HSM) is used, additional settings are available. See Section CA Private Key Options. Clicking Continue will return to the Make New Certificate page.

After this, the selected key type and length are shown in the Public key field on the Make New Certificate page.

The CRL distribution point extension is usually added to the certificate in the policy processing stage by the issuing CA. However, certificate creation through the Create Certificate option bypasses all CA policies. Thus, the CRL distribution point needs to be explicitly added when creating the certificate. Selecting From Issuing CA Configuration adds the CRL distribution extension to the certificate. Selecting Static URI allows a URI to be entered in the text box.

Clicking the Proceed button will start the key and certificate creation.

Creating a CA Certificate

When the page is accessed from CA creation, some of the certificate attributes are pre-filled with usable default values. Also, two extensions are selected by default.

Basic Constraints must be set on all CA certificates with the CA flag set. The path length can be used to control whether this CA can issue other CA certificates. Path length is the maximum number of CA certificates that can be located under this certificate in path validation. Setting this value to zero means that this CA can issue only end-user certificates.

Key usage is also defined with a few default bits. CRL Sign and Key Cert Sign must be defined in the CA certificate because it must be able to sign the certificates and CRLs it issues.
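The three items above (an explicit CRL distribution point, Basic Constraints with the CA flag and a path length, and the Key Cert Sign / CRL Sign key usage bits) are exactly what a CA certificate built outside the CA's policy stage has to carry. The following is an added example, not part of this manual or the product's own tooling: it creates a self-signed CA certificate with OpenSSL that sets those extensions, and a check that fails if any of them is missing. The function names `make_ca_cert`, `check_ca_cert` and `path_length`, the `WORKDIR` variable and the CRL URI are assumptions of this example; the URI is a constructed placeholder. It assumes `openssl` 1.1.1 or later (for `-addext`) and a POSIX shell.

```shell
#!/bin/sh
# Added example (not the product's own code): build a self-signed CA
# certificate carrying the extensions the page requires on a CA certificate,
# then verify that they are present.
# Assumptions: openssl >= 1.1.1 (-addext), POSIX sh. The CRL URI below is a
# constructed placeholder, not a real distribution point.

CDP_URI="http://crl.example.test/root.crl"      # constructed placeholder
WORKDIR="${WORKDIR:-$(mktemp -d)}"              # where key and cert are written

# make_ca_cert PATHLEN: writes $WORKDIR/ca.key and $WORKDIR/ca.crt.
# Basic Constraints: CA:TRUE with the given path length (0 = this CA may issue
# only end-entity certificates). Key usage: Certificate Sign and CRL Sign.
# CRL distribution point: added explicitly, since no CA policy adds it here.
make_ca_cert() {
    pathlen="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Root CA" \
        -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" \
        -addext "basicConstraints=critical,CA:TRUE,pathlen:$pathlen" \
        -addext "keyUsage=critical,keyCertSign,cRLSign" \
        -addext "subjectKeyIdentifier=hash" \
        -addext "crlDistributionPoints=URI:$CDP_URI" \
        >/dev/null 2>&1
}

# check_ca_cert CERTFILE: returns 0 only if the certificate has the CA flag,
# both signing key-usage bits, and a CRL distribution point URI.
check_ca_cert() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 1
    printf '%s\n' "$text" | grep -q 'CA:TRUE'           || return 1
    printf '%s\n' "$text" | grep -q 'Certificate Sign'  || return 1
    printf '%s\n' "$text" | grep -q 'CRL Sign'          || return 1
    printf '%s\n' "$text" | grep -q 'URI:'              || return 1
    return 0
}

# path_length CERTFILE: prints the pathlen constraint, or nothing if none is set.
path_length() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*pathlen:\([0-9][0-9]*\).*/\1/p'
}

# Usage: create a CA that may issue only end-entity certificates and check it.
if make_ca_cert 0 && check_ca_cert "$WORKDIR/ca.crt"; then
    echo "CA certificate OK, path length $(path_length "$WORKDIR/ca.crt")"
fi
```

The check deliberately looks at the decoded certificate rather than trusting the command that produced it; the same three greps are what an operator would run against a certificate exported from the Make New Certificate page to confirm that Basic Constraints, Key usage and the CRL distribution point ended up in the certificate.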

If the Make New Certificate page was accessed from CA creation, clicking Proceed will return the operator to the CA creation page. Note, however, that key generation may take some time depending on key size.