xca.sgml

一个小型证书管理系统

<!doctype linuxdoc system>


<article>

<title>XCA <!-- insert your title here -->
<author>Christian Hohnst鋎t, <tt/christian@hohnstaedt.de/ <!-- insert your name here -->
<date>$Date: 2002/12/17 21:56:29 $            <!-- always have a version number and a date -->
<abstract>                          <!-- the abstract: a short and precise description -->
<nidx>(your index root)</nidx>    <!-- add indexing keywords as you go along -->
                         <!-- nidx means the indexed word is not in output of main text, only in the index -->

This application is intended for creating and managing X.509 certificates
and RSA keys (DSA keys maybe supported in a later release
since they are not wideley used in PKI cryptography).
Everything that is needed for a CA is implemented.
All CAs can sign sub-CAs rekursively. These certificate chains are shown clearly in a list-view.
For an easy company-wide use there are customiseable templates that can be used for certificate or request generation.
All crypto data is stored in a local Berkeley database. 
</abstract>



<!-- Table of contents -->
<toc>

<!-- Begin the document -->


<sect>Introduction

<p>
<nidx>(your index root)!introduction</nidx>   <!-- here introduction is a sub entry of template, exclamationmark is separator -->
This application is intended as Certificate and Keystore and as 
signing application issuing certificates.

<p>
All datastructures (Keys, Certificate signing requests, Certificates and Templates) can be imported
and exported in several formats like DER or PEM.
Import means reading a file from the filesystem and storing the datastructure
into the databasefile, while exporting means to write the datastructure
from the databasefile to the filesystem to be e.g imported to an other application.

<p>
When starting the application the first time, it needs a password to encrypt the
private keys in the database.
After starting the application all RSA keys are hold <bf>unencrypted</bf> in the RAM of the computer.
This is a security issue to be aware of.

<p>
The different parts are divided over 4 Tabs: Keys, Requests, Certificates and Templates.
All items can be manipulated either by a context menu available by
right-clicking on the item, or by using the buttons at the right border.
Every item gets an internal name which is unique in one tab-view and is
always shown in the first column.

<sect1>File formats
<p>
There are several default file-formats to exchange cryptographic the data with
other applications.
<itemize>
<item><bf>DER</bf> is the ASN.1 encoding of the data.
<item><bf>PEM</bf> is the base64 encoded version of the <bf>DER</bf> formatted data 
	with additional header and footer lines to be transported via e.g. E-mail
<item><bf>PKCS&num;X</bf> <bf>P</bf>ublic <bf>K</bf>ey <bf>C</bf>ryptography <bf>S</bf>tandards 
	published by <url url="http://www.rsasecurity.com" name="RSA Laboratories">
	
</itemize>

<sect1>Further reading <label id="otherdoc">
<p>
<enum>
<item><url url="http://tldp.org/HOWTO/SSL-Certificates-HOWTO/" name="SSL Certificates HOWTO">
<item><url url="http://ospkibook.sourceforge.net/" name="OS-PKI book">
</enum>

<sect1>Copyright
<p>
<tscreen><verb>
/*
 * Copyright (C) 2001 Christian Hohnstaedt.
 *
 *  All rights reserved.
 *
 *
 *  Redistribution and use in source and binary forms, with or without 
 *  modification, are permitted provided that the following conditions are met:
 *
 *  - Redistributions of source code must retain the above copyright notice,
 *    this list of conditions and the following disclaimer.
 *  - Redistributions in binary form must reproduce the above copyright notice,
 *    this list of conditions and the following disclaimer in the documentation
 *    and/or other materials provided with the distribution.
 *  - Neither the name of the author nor the names of its contributors may be 
 *    used to endorse or promote products derived from this software without
 *    specific prior written permission.
 *
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
 * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
 * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *
 *
 * This program links to software with different licenses from:
 *
 *	http://www.openssl.org which includes cryptographic software
 * 	written by Eric Young (eay@cryptsoft.com)"
 *
 *	http://www.sleepycat.com
 *
 *	http://www.trolltech.com
 * 
 *
 *
 * http://www.hohnstaedt.de/xca
 * email: christian@hohnstaedt.de
 *
 */                           

</verb></tscreen>

<sect1>Credits
<p>

In this version I have the pleasure of acknowledging
<tscreen><verb>
Kerstin Steinhauff &lt;tine (at) kerstine.de&gt;
        Arts, graphics, testing, SuSE rpm building

Ilya Kozhevnikov &lt;ilya (at) ef.unn.ru&gt;
        Compiling and testing the WIN32-port
</verb></tscreen>

Thank you very much.

<!-- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -->

<sect>Common actions
<p>
Many actions are common to all crypto parts.
<sect1>Importing items
<p>
The import of an item can be done by either clicking the import button on the right
or via the context menu available by right clicking on the list background.
The import function is smart enough to probe all known formats as there are:
<itemize>
<item><em>Keys:</em>  PEM private key, PEM public key, DER private key, DER public key, PKCS8 private key.
<item><em>Requests</em> DER request, PEM request.
<item><em>Certificates</em> DER certificate, PEM certificate (PKCS#12 and in future PKCS#7 certificates
	must be imported with an extra button, because they can contain more than one certificate)
</itemize>
After selecting the filename XCA will probe for the known formats of that item
and in case of an error it prompts the <em>last</em> OpenSSL error message.

<p>
After reading the item it searches for this item in the database and if it is unique the item
is stored in the database, otherwise it shows a message containing the internal name of the item
in the database.

<sect1>Details of an item
<p>
The details dialog can be accessed by double clicking the item, by the context menu or by
the button on the right.
The details dialog shows the internal name of the item, 
which can be changed here and will be accepted when clicking <tt>Ok</tt>.

the keysize and the modulus which is effectively the public part of the key and showing it to others is no security risk.
The private part is not shown, only the availibility is mentioned.

<sect1>Renaming an item
<p>
The Key can also be renamed via the context menu by right-clicking on the item
or by the <tt>Rename</tt> button on the right border.
If the new name of the item already exists in the database a <em>_01</em> will be appended to keep
the internal name unique.

<sect1>Deleting Items
<p>
Items can be deleted by the button on the right or via the context menu.

<!-- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -->

<sect>The Wizard <label id="wizard">
<p>
The Wizard is the central part for collecting all data regarding Certificates,
Requests and Templates. It will be invoked for generating Requests, Certificates
and Templates and for changing Templates.

<sect1>Template selection
<p>
On this page the template to be used can be selected. All following pages will be 
preset to the appropriate values of the selected template. If you don't want to 
use a template just select the <tt>Empty Template</tt>.
If the checkbox labeled: <tt>Change the default extensions of the template</tt>
is checked the Wizard will show 3 more pages containing all certificate extensions.
The lazy people leave this checkbox unchecked.

<p>
For generating Certificates there is a drop-down list of all Requests that are available. 
If you don't want to sign a request but generate a certificate from scratch
or template, uncheck the checkbox to the left of the request list.
Also only for creating certificates the signer of the new certificate
can be selected wether it shall become a <em>self-signed</em> certificate
or get signed by one of the <ref id="ca_cert" name="CA certificates"> in the 
drop-down list.
<p>
This page is not shown when creating or changing templates.

<sect1>Personal settings
<p>
On this Page all personal data like country, name and Email address
can be filled in. Only the <tt>Internal name</tt> is mandatory.