Creating a New Certification Authority

New CAs can be created on the CA Hierarchy page. To start creating a new CA, click the Create New CA button on the bottom of the CA list.

Figure: Creating a new certification authority

The main attributes of a CA are its name, description, status, and the CA certificate.

The CA name is a short internal name used mainly to identify the CA to the operators. It should be easily distinguishable and unique as it will be displayed in drop-down lists in several different displays in the system. SCEP enrollment clients may sometimes require this name to be formatted like a domain name.

Description should be a longer text that more precisely identifies the intended use of this CA. The CA Status is either Active or Inactive. CAs marked as Inactive cannot be used.

Preliminary Policy Settings

Preliminary decisions about the CA policy and the CA's publishing methods can also be made on the Create New CA page. They can be configured more thoroughly later; the defaults offered on this page exist only to make the operator's life easier, so that publishing and policy editing do not have to be started from scratch.

The Default policy list offers three basic policy options: Deny all, Manual request approval, and Automatic request approval. When Deny all is selected, the CA will not issue any certificates until the policy is specifically activated. When Manual request approval is selected, the initial policy does not allow automatic issuance at all; instead, all requests are left pending operator approval. When Automatic request approval is employed, the CA automatically issues the certificate if the request contains a valid shared key that can be associated with an entity.

Default validity period length defines the validity period included in the issued certificates.
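The following model of the three default policy options and the default validity period is an added illustration, not code from the CA product or its documentation. The names `CAConfig`, `Request`, `evaluate_request` and `match_entity` are hypothetical, the entity-to-shared-key table is constructed sample data, and the choice to leave a request pending (rather than rejecting it) when the shared key matches no entity under Automatic request approval is an assumption made here, since the page does not say what happens in that case. The shared-key comparison uses a constant-time compare so that an invalid key cannot be probed character by character through response timing.

```python
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class DefaultPolicy(Enum):
    """The three default policy options offered on the Create New CA page."""
    DENY_ALL = "Deny all"
    MANUAL = "Manual request approval"
    AUTOMATIC = "Automatic request approval"


class Decision(Enum):
    DENIED = "denied"
    PENDING = "pending operator approval"
    ISSUED = "issued"


@dataclass
class CAConfig:
    name: str                      # short internal CA name
    active: bool                   # CA Status: Active / Inactive
    default_policy: DefaultPolicy
    validity_days: int             # Default validity period length
    # Hypothetical: entity name -> pre-shared enrollment key (constructed sample data)
    entity_keys: dict = field(default_factory=dict)


@dataclass
class Request:
    subject: str
    shared_key: Optional[str] = None


def match_entity(ca: CAConfig, presented: Optional[str]) -> Optional[str]:
    """Return the entity whose shared key equals the presented key, else None.

    hmac.compare_digest is constant-time for equal-length inputs; the loop
    deliberately checks every entity rather than returning on first match.
    """
    if not presented:
        return None
    matched = None
    for entity, key in ca.entity_keys.items():
        if hmac.compare_digest(key.encode(), presented.encode()):
            matched = entity
    return matched


def evaluate_request(ca: CAConfig, req: Request, now: Optional[datetime] = None):
    """Apply the CA's default policy to a request.

    Returns (decision, entity, validity) where validity is a
    (not_before, not_after) pair for issued certificates and None otherwise.
    """
    now = now or datetime.now(timezone.utc)
    if not ca.active:                                   # Inactive CAs cannot be used
        return Decision.DENIED, None, None
    if ca.default_policy is DefaultPolicy.DENY_ALL:     # nothing issued until policy is activated
        return Decision.DENIED, None, None
    if ca.default_policy is DefaultPolicy.MANUAL:       # every request waits for an operator
        return Decision.PENDING, None, None
    # Automatic request approval: issue only for a valid shared key tied to an entity
    entity = match_entity(ca, req.shared_key)
    if entity is None:
        return Decision.PENDING, None, None             # assumption: fall back to manual approval
    validity = (now, now + timedelta(days=ca.validity_days))
    return Decision.ISSUED, entity, validity


if __name__ == "__main__":
    ca = CAConfig("devices-ca", True, DefaultPolicy.AUTOMATIC, 365,
                  {"router-01": "example-psk-1", "switch-07": "example-psk-2"})
    for r in (Request("CN=router-01", "example-psk-1"), Request("CN=rogue", "guess")):
        print(r.subject, evaluate_request(ca, r))
```

The `validity` pair is what would become the notBefore/notAfter of the issued certificate; the model only records the decision and never produces a certificate itself.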

Preliminary Publishing Settings

Preliminary publishing settings can also be chosen on the Create New Certification Authority page. The Default publish setting defines the publishing schema to be used. If an LDAP Publishing Service has already been added and configured, it can be selected in the LDAP Server Connection drop-down menu. The LDAP Publishing Service defines the directory access, including the server address and the directory administrator login name and password.

All of the above choices can be edited later, so setting them correctly is not critical at this stage.

CA Certificate

If a CA certificate is already in the Database (previously created, or added by an external utility), it can be searched for by typing a free-text search string in the text box and clicking the Search button. The search results are displayed in a drop-down list. Note that if the result list is too long, it will be truncated, so it is advisable to use precise search texts.

If there is no ready-made certificate in the Database, one must be created by clicking the Create New CA Certificate button. This will open the Make New Certificate page. See Section Creating Certificates for options available on this page. When the Proceed button is clicked, a certificate is created and the operator is returned to the CA creation page.

The CA certificate box is automatically updated with the newly created certificate. Note that if long key lengths are used, key generation can take a long time and the browser connection may time out, producing an error message. If this happens, the user should wait until the key generation process is complete and then restart the CA creation; the new certificate in the Database can then be found, for example, by searching for its subject name.

The new CA is created by clicking the Proceed button.

