
Editing CA Settings

To configure an existing CA, click the CA name on the CA List page. This will open the Certification Authority page.

On the CA page several CA-specific fields can be set. The first field, CA name, is a short, descriptive name that operators can easily identify. It does not have to match the subject name in the CA certificate. Description is a longer description viewed only by the operators. The CA Status is either Active or Inactive. CAs marked as Inactive cannot be used.

Figure : The Certification Authority page

Certificate Publish Methods

Certificate Publish Methods describe the current publishing methods for certificates issued with the CA. The line shows the current protocol and server address, if applicable. The configuration can be changed on the Edit Certificate Publishing Method page by clicking the Edit Publish button. See Section Publishing Settings.

CRL Update and CRL Publish Methods

CRLs are published to a CRL distribution point. The Update Period, Advance, This Update Offset, and Next Update Offset (given in seconds) can be changed. They are updated in the Database when the Commit Changes button is clicked. Note that the next CRL is still published according to the old update settings.

By setting the Update Period value to zero, the operator can disable CRL updating. After that no new CRLs are automatically generated, but the operator can still request on-the-fly CRL generation by clicking View Distribution Points and then View Current CRL. The system generates the CRL with the validity period starting from the current time and ending after a configurable amount of time. (This is configured with the engine configuration file.)

Advance is the time marginal reserved for CRL generation. For example, if Update Period is 600 (10 minutes) and Advance is 120 (2 minutes), the system will every 8 minutes publish a CRL with a lifetime of 10 minutes. This is to ensure some overlap period, as there may be a delay before the CRL is generated and available for clients.

This Update Offset is the time subtracted from the thisUpdate field of the CRL. For example, if This Update Offset has been set to 1800 (30 minutes) and the publication time of the CRL is 13:00, the thisUpdate field is set to 12:30. The option is useful to accommodate PKI client clocks that are slightly off. PKI clients could, for example, reject a CRL that, from the client's point of view, has been published in the future.

Next Update Offset is the time added to the nextUpdate field of the CRL. For example, if Update Period has been set to 3600 (1 hour) and Next Update Offset to 7200 (2 hours), the system will every hour publish a CRL with a lifetime of 3 hours. The option is useful to allow some overlap of CRL validity periods in case the CA is down or unreachable.
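The following added example (not part of the product documentation) computes the thisUpdate and nextUpdate fields, the next publication time, and the resulting validity overlap from the four settings above, and shows why This Update Offset matters for a client whose clock runs slow. It assumes that nextUpdate is counted from the publication time, so that the CRL lifetime is Update Period plus Next Update Offset, which is how the page's own examples read.

```python
from datetime import datetime, timedelta, timezone


def crl_times(update_period, advance, this_update_offset, next_update_offset, published_at):
    """Derive CRL field values from the CA page settings (all given in seconds).

    Assumption (not stated explicitly on the page): nextUpdate is measured from the
    publication time, so the CRL lifetime is Update Period + Next Update Offset.
    Returns None when Update Period is 0, i.e. automatic CRL updating is disabled.
    """
    if update_period == 0:
        return None
    if advance >= update_period:
        raise ValueError("Advance must be smaller than Update Period")
    this_update = published_at - timedelta(seconds=this_update_offset)
    next_update = published_at + timedelta(seconds=update_period + next_update_offset)
    # Advance moves the next publication earlier so that a fresh CRL exists
    # before the current one expires.
    next_publish = published_at + timedelta(seconds=update_period - advance)
    return {"thisUpdate": this_update, "nextUpdate": next_update, "nextPublish": next_publish}


def overlap_seconds(times):
    """Seconds during which the old CRL is still valid after the new one is published."""
    return int((times["nextUpdate"] - times["nextPublish"]).total_seconds())


def client_accepts(times, client_clock):
    """A PKI client rejects a CRL that is not yet valid or already expired by its own clock."""
    return times["thisUpdate"] <= client_clock <= times["nextUpdate"]


def demo():
    # Constructed sample: CRL published at 13:00 UTC, checked by a client whose
    # clock is five minutes slow.
    published = datetime(2024, 1, 1, 13, 0, tzinfo=timezone.utc)
    slow_client = published - timedelta(minutes=5)
    # Page example 1: Update Period 600, Advance 120 -> publish every 8 minutes
    a = crl_times(600, 120, 0, 0, published)
    # Page example 2: Update Period 3600, This Update Offset 1800, Next Update Offset 7200
    b = crl_times(3600, 0, 1800, 7200, published)
    return {
        "a_overlap": overlap_seconds(a),          # 120: old CRL outlives the new one by 2 min
        "b_overlap": overlap_seconds(b),          # 7200: 3 h lifetime, published hourly
        "a_slow_client_ok": client_accepts(a, slow_client),  # False: thisUpdate is "in the future"
        "b_slow_client_ok": client_accepts(b, slow_client),  # True: thisUpdate backdated to 12:30
    }
```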

The CRL Update Type can be either periodic update only, or update after each revocation. If Update after revocation is selected, a new CRL will be generated each time a certificate is revoked, so the CRL will always be up-to-date. In some situations, this option provides a useful substitute for OCSP. Note, however, that not all clients will necessarily fetch this new CRL if their old CRL is still valid (based on the update period). In environments that require true real-time certificate status information, only OCSP should be used.

By clicking the Edit Publish button on the CRL Publish Methods row the distribution point specific publishing configuration can be changed. See Section Publishing Settings. The active CRL distribution points can be viewed by clicking View Distribution Points.

The CRL Signature Algorithm can be selected from SHA-1, MD5, MD4, and MD2. SHA-1 is the default.

CA Certificate

The CA certificate can be viewed by clicking the View Certificate button on the CA certificate row. The certificate can also be changed with the Change button, but this should be done only after extreme consideration! As all certificates issued by this CA are signed with the old CA certificate's key, all CRLs issued after the CA certificate change might be invalid for old certificates. Changing the CA certificate will in effect revoke all certificates issued by that CA before the change!

Other Options

Changes made to the CA data or to non-publishing related data in CRL distribution points (such as the update period) are written to the Database by clicking the Commit Changes button.

The Edit Policy button will display the separate policy editing page where the policy of the CA can be viewed and modified. See Section Policy Chains.

View Current CRL displays the currently active CRL for this CA. View Log shows all log events related to this CA.

Restarting Publishing

Clicking the Restart publishing unpublished certificates button will search all active certificates issued by this CA that have pending or error as their publishing status. One by one, it tries to republish them. This is useful if many certificates have failed to publish correctly because of a network problem or misconfigured publishing information. The process is only started when this button is clicked and will continue in the background until finished.

The Restart publishing all certificates button is similar, but will instead republish all active certificates of this CA. This can be used, for example, if the LDAP server has changed and all certificates need to be added again.

Both buttons should be used with care, as they generate a lot of Database and network traffic.
