xca-7.html

一个跨平台的CA系统 实现了数字证书的制作、SSL安全通讯、加解密操作等功能

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
 <META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.21">
 <TITLE>XCA : Certificates</TITLE>
 <LINK HREF="xca-8.html" REL=next>
 <LINK HREF="xca-6.html" REL=previous>
 <LINK HREF="xca.html#toc7" REL=contents>
</HEAD>
<BODY>
<A HREF="xca-8.html">Next</A>
<A HREF="xca-6.html">Previous</A>
<A HREF="xca.html#toc7">Contents</A>
<HR>
<H2><A NAME="s7">7.</A> <A HREF="xca.html#toc7">Certificates</A></H2>

<P>All Certificates from the database are displayed in a tree view reflecting the chain dependencies.
If there is a CA certificate and several client certificates signed by this CA,
the client certificates can be shown by clicking on the plus sign of the CA certificate.</P>

<H2><A NAME="ca_cert"></A> <A NAME="ss7.1">7.1</A> <A HREF="xca.html#toc7.1">CA certificates </A>
</H2>

<P>XCA recognizes your CA certificates if the CA flag in the <EM>Basic Constraints</EM> is set to true
and if there is a corresponding private key.
In this case the <CODE>CA</CODE> submenu in the context-menu is enabled.</P>

<P>For building the chains the CA flag is disregarded instead it consideres the issuer name and
the signature to decide which certificate is the issuer.</P>

<H2><A NAME="ss7.2">7.2</A> <A HREF="xca.html#toc7.2">Generating certificates</A>
</H2>

<P>After clicking on the <CODE>New Certificate</CODE> button the Certificate Wizard will be started to ask
all needed information for generating a new Certificate. See: 
<A HREF="xca-4.html#wizard">Wizard</A>
Certificate creation can also be invoked by the context menu of the certificate list background
or by the context menu of the request.
In this case the Wizard is preset with the Request to be signed.</P>
<P>If a <EM>CA certificate</EM> is selected in the certificate list, this
certificate is preselected as signer certificate on the second page of the Wizard.</P>

<H2><A NAME="ss7.3">7.3</A> <A HREF="xca.html#toc7.3">Certificate details</A>
</H2>

<P>The signer is the internal name of the issuers certificate, <EM>SELF SIGNED</EM> if it is
self signed or <EM>SIGNER UNKNOWN</EM> if the issuer's certificate is not available.
The validity is set to <EM>valid</EM> if the certificate's dates are valid
or to <EM>Not valid</EM> if they are not, regarding to the internal time and date of the OS.</P>
<P>If the certificate has been revoked, the revocation date is shown instead.</P>

<H2><A NAME="ss7.4">7.4</A> <A HREF="xca.html#toc7.4">Certificate trust</A>
</H2>

<P>The certificate trust can be changed by the context menu of the certificate.
It can be set to:
<UL>
<LI><B>Not trusted</B> - never trust this certificate, even if we trust the issuer. 
This is the default for imported self-signed certificates.</LI>
<LI><B>Trust depends on issuer</B> - only trust this certificate, if we trust the
issuer. This is the default for imported and generated non-self-signed certificates.</LI>
<LI><B>Always trust</B> - always trust this certificate, even if we do not trust
the issuer's certificate or if it is absent. This is the default for generated 
self-signed certificates.</LI>
</UL>
</P>

<H2><A NAME="ss7.5">7.5</A> <A HREF="xca.html#toc7.5">Certificate export</A>
</H2>

<P>The filename can be selected in the export dialog and the Export format:
<UL>
<LI><B>PEM</B> - PEM encoded</LI>
<LI><B>PEM with Certificate chain</B> - PEM encoded certificate and all issuers up to the
root certificate in one file</LI>
<LI><B>PEM all trusted Certificates</B> - List of all PEM encoded certificates
that are marked als <EM>Always trusted</EM> (usually all self-signed certificates)
in one file for e.g. apache as trusted cert store.</LI>
<LI><B>PEM all Certificates</B> - All PEM encoded certificates in one file.</LI>
<LI><B>DER</B> - DER encoded certificate.</LI>
<LI><B>PKCS#7</B> - DER encoded PKCS#7 structure containing the certificate.</LI>
<LI><B>PKCS#7 with Certificate chain</B> - DER encoded PKCS#7 structure containing the
certificate and all issuers up to the root certificate.</LI>
<LI><B>PKCS#7 all trusted Certificates</B> - DER encoded PKCS#7 structure containing all
certificates that are marked als <EM>Always trusted</EM></LI>
<LI><B>PKCS#7 all Certificates</B> - DER encoded PKCS#7 structure containing all certificates.</LI>
<LI><B>PKCS#12</B> - PKCS#12 structure containing the certificate and the corresponding XXX (?)</LI>
<LI><B>PKCS#12</B> - PKCS#12 structure containing the certificate, the corresponding 
private key and the chain of all issuers certificates.</LI>
</UL>
</P>
<P>When exporting PKCS#12 structures you are asked later for an encryption
password.</P>

<H2><A NAME="ss7.6">7.6</A> <A HREF="xca.html#toc7.6">Certificate revocation</A>
</H2>

<P>Certificates can only be revoked, if the private key of the issuer's certificate
is available. The certificate will marked as revoked and the revocation date
will be stored with the certificate.</P>

<H2><A NAME="ss7.7">7.7</A> <A HREF="xca.html#toc7.7">Certificate renewal</A>
</H2>

<P>Certificates can only be renewed, if the private key of the issuer's certificate
is available. Renewal is done by creating a new certificate as a copy of the original one
with adjusted validity dates.</P>

<H2><A NAME="ss7.8">7.8</A> <A HREF="xca.html#toc7.8">PKCS#7</A>
</H2>

<P>PKCS#7 structures can be created by the context menu of the signing certificate.
The PKCS#7 structure can be either signed or encrypted. 
Therefore it will prompt for a file to be either signed or encrypted.
The resulting file has the original filename with ".p7s" suffix.</P>

<H2><A NAME="ss7.9">7.9</A> <A HREF="xca.html#toc7.9">CA special functions</A>
</H2>

<P>The context menu of CA certificates contains the <EM>CA</EM> submenu.
that makes the following functions available:</P>
<P>
<UL>
<LI><B>Serial</B> The serial number of the next certificate
signed by this issuer.</LI>
<LI><B>CRL days</B> The days until the next CRL release.</LI>
<LI><B>Signing Template</B> The default template for signing certificates.</LI>
<LI><B>Generate CRL</B> Generate the CRL by collecting all revoked certificates
and their revocation date.</LI>
</UL>
</P>

<HR>
<A HREF="xca-8.html">Next</A>
<A HREF="xca-6.html">Previous</A>
<A HREF="xca.html#toc7">Contents</A>
</BODY>
</HTML>