xca-4.html

一个小型证书管理系统

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
 <META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.21">
 <TITLE>XCA : RSA Keys </TITLE>
 <LINK HREF="xca-5.html" REL=next>
 <LINK HREF="xca-3.html" REL=previous>
 <LINK HREF="xca.html#toc4" REL=contents>
</HEAD>
<BODY>
<A HREF="xca-5.html">Next</A>
<A HREF="xca-3.html">Previous</A>
<A HREF="xca.html#toc4">Contents</A>
<HR>
<H2><A NAME="keys"></A> <A NAME="s4">4.</A> <A HREF="xca.html#toc4">RSA Keys </A></H2>

<P>For asynchronous encryption and signing there are keys needed. XCA only supports RSA keys
and no DSA keys. All keys are stored encrypted in the database using the 3DES algorithm.</P>

<P>All keys do carry a use counter which counts the times it is used. For new
requests or certificates the list of available keys is reduced to
the keys with a use counter of 0.</P>


<H2><A NAME="ss4.1">4.1</A> <A HREF="xca.html#toc4.1">Generating Keys</A>
</H2>

<P>The dialog asks for the internal name of the key and the keysize in bits.
While searching for random prime numbers a progress bar is shown. Although the
Progressbar carries a <CODE>Cancel</CODE> button it has no effect clicking on it
since the underlaying <EM>OpenSSL</EM> routine does not support an abort.
So think twice before generating a 4096 bit key on a 80Mhz i486 PC ....
After the key generation is done the key will be stored in the database.</P>

<H2><A NAME="ss4.2">4.2</A> <A HREF="xca.html#toc4.2">Key export</A>
</H2>

<P>Keys can be exported by either selecting the key and pressing <EM>Export</EM> or by
using the context-menu. This opens a Dialogbox where you can change the following settings:
<UL>
<LI>filename</LI>
<LI>Outputformat (DER, PEM, PKCS#8)</LI>
<LI>Public or Private Key</LI>
<LI>Encryption of the exported file (yes/no)</LI>
</UL>
</P>
<P>The filename is the internal name plus a <CODE>pem</CODE> suffix.
If the desired fileformat is not PEM it is your responsibility
to change the suffix to <CODE>der</CODE> or <CODE>pk8</CODE>.
Only PKCS#8 or PEM files can be encrypted, because
the DER format (although it could be encrypted)
does not support a way to supply the encryption algorithm
like e.g. <EM>DES</EM>.
Of course the encryption is senseless if the private part is not exported.</P>



<HR>
<A HREF="xca-5.html">Next</A>
<A HREF="xca-3.html">Previous</A>
<A HREF="xca.html#toc4">Contents</A>
</BODY>
</HTML>