xca.sgml

一个跨平台的CA系统 实现了数字证书的制作、SSL安全通讯、加解密操作等功能

<!doctype linuxdoc system>


<article>

<title>XCA <!-- insert your title here -->
<author>Christian Hohnst&auml;dt, <tt/christian@hohnstaedt.de/ <!-- insert your name here -->
<date>$Date: 2004/06/20 17:46:15 $            <!-- always have a version number and a date -->
<abstract>                          <!-- the abstract: a short and precise description -->
<nidx>(your index root)</nidx>    <!-- add indexing keywords as you go along -->
                         <!-- nidx means the indexed word is not in output of main text, only in the index -->

This application is intended for creating and managing X.509 certificates
and RSA keys (DSA keys maybe supported in a later release
since they are not wideley used in PKI cryptography).
Everything that is needed for a CA is implemented.
All CAs can sign sub-CAs recursively. These certificate chains are shown clearly in a list-view.
For an easy company-wide use there are customiseable templates that can be used for certificate or request generation.
All crypto data is stored in a local Berkeley database. 
</abstract>



<!-- Table of contents -->
<toc>

<!-- Begin the document -->


<sect>Introduction

<p>
This application is intended as Certificate- and Key-store and as
signing application issuing certificates.

<p>
All data structures (Keys, Certificate signing requests, Certificates and Templates)
can be imported and exported in several formats like DER or PEM.
Import means reading a file from the filesystem and storing the data structure
into the database file, while exporting means to write the data structure
from the database file to the filesystem to be e.g imported into an other application.

<p>
When starting the application the first time, it needs a password to encrypt the
private keys in the database.
After starting the application all RSA keys are hold <bf>unencrypted</bf> in the RAM of the computer.
This is a security issue to be aware of.

<p>
The different parts are divided over 5 Tabs: Keys, Requests, Certificates, Templates and Revocation lists.
All items can be manipulated either by a context menu available by
right-clicking on the item, or by using the buttons at the right border.
Every item is identified by an internal name which is unique in one tab-view and is
always shown in the first column.

<sect1>File formats
<p>
There are several default file-formats to exchange cryptographic data with
other applications.
<itemize>
<item><bf>DER</bf> <bf>D</bf>istinguished <bf>E</bf>ncoding <bf>R</bf>ules is the binary ASN.1 encoding of the data.
<item><bf>PEM</bf> <bf>P</bf>rivacy-<bf>E</bf>nhanced <bf>M</bf>ail is the base64 encoded version of the 
	<bf>DER</bf> formated data with additional header and footer lines to be transported via e.g. E-mail
<item><bf>PKCS&num;X</bf> <bf>P</bf>ublic <bf>K</bf>ey <bf>C</bf>ryptography <bf>S</bf>tandards 
published by <url url="http://www.rsasecurity.com" name="RSA Laboratories">
	
</itemize>

<sect1>Further reading <label id="otherdoc">
<p>
<enum>
<item><url url="http://tldp.org/HOWTO/SSL-Certificates-HOWTO/" name="SSL Certificates HOWTO">
<item><url url="http://ospkibook.sourceforge.net/" name="OS-PKI book">
</enum>

<sect1>Copyright
<p>
<tscreen><verb>
/*
 * Copyright (C) 2001 Christian Hohnstaedt.
 *
 *  All rights reserved.
 *
 *
 *  Redistribution and use in source and binary forms, with or without 
 *  modification, are permitted provided that the following conditions are met:
 *
 *  - Redistributions of source code must retain the above copyright notice,
 *    this list of conditions and the following disclaimer.
 *  - Redistributions in binary form must reproduce the above copyright notice,
 *    this list of conditions and the following disclaimer in the documentation
 *    and/or other materials provided with the distribution.
 *  - Neither the name of the author nor the names of its contributors may be 
 *    used to endorse or promote products derived from this software without
 *    specific prior written permission.
 *
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
 * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
 * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *
 *
 * This program links to software with different licenses from:
 *
 *	http://www.openssl.org which includes cryptographic software
 * 	written by Eric Young (eay@cryptsoft.com)"
 *
 *	http://www.sleepycat.com
 *
 *	http://www.trolltech.com
 * 
 *
 *
 * http://www.hohnstaedt.de/xca
 * email: christian@hohnstaedt.de
 *
 */                           

</verb></tscreen>

<sect1>Credits
<p>

<tscreen><verb>
Kerstin Steinhauff &lt;tine (at) kerstine.de&gt;
        Arts and graphics

Ilya Kozhevnikov &lt;ilya (at) ef.unn.ru&gt;
        Compiling and testing the WIN32-port

Paul Kirner &lt;kirner (at) fhwgt.de&gt;
	Providing compile and test hardware

Wolfgang Glas &lt;wolfgang.glas (at) ev-i.at&gt;
	Implementation of SPKAC and UTF8 support

Bugreports and feature input:
	Frank Werner &lt;Frank (at) WeSoft.de&gt;
	Peter Bieringer &lt;pb (at) bieringer.de&gt;

</verb></tscreen>

Thank you very much.

<!-- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -->

<sect>Command line options
<p>
Usage: <em>xca dbname.db &lt;options&gt;</em>
Next to the usual X command line options. There are the following
<itemize>
<item>-v show version information and exit
<item>-k expect all following non-option arguments to be RSA keys
<item>-r expect all following non-option arguments to be 
	Certificate signing requests or SPKAC requests
<item>-c expect all following non-option arguments to be Certificates
<item>-p expect all following non-option arguments to be PKCS#12 files
<item>-7 expect all following non-option arguments to be PKCS#7 files
<item>-l expect all following non-option arguments to be Revocation lists
<item>-t expect all following non-option arguments to be Xca templates
<item>-b set the database base-directory
<item>-d set the database filename
<item>-x Exit after processing all command line options
</itemize>

<p>
when invoked with one of the -k -r -c -p -7 -l -t options, the application 
will show the details of the items and import them into the database if 
desired.
If the application should exit afterwards, just supply the -x option. 
This behaviour enables xca to be used as default application for viewing
PKI items.

<!-- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -->

<sect>Common actions
<p>
Many actions are common to all crypto parts and are mentioned here once for all.
The goal of this application is to provide an easy to use signing-tool and 
also a common place for all selected PKI items like requests or Certificates.
<sect1>Importing items
<p>
The import of an item can be done by either clicking the import button on the right
or via the context menu available by right clicking on the list background.
The import function is smart enough to probe all known formats there are:
<itemize>
<item><em>Keys:</em>  PEM private key, PEM public key, DER private key, DER public key, PKCS#8 private key.
<item><em>Requests</em> DER request, PEM request, Netscape SPKAC request.
<item><em>Certificates</em> DER certificate, PEM certificate 
(PKCS#12 and PKCS#7 certificates must be imported with an extra button,
 because they can contain more than one certificate)
</itemize>
After selecting the filename XCA will probe for the known formats of that item
and in case of an error it prompts the <em>last</em> OpenSSL error message.
It is possible to select more than one file by selecting them with SHIFT click.

<p>
When importing more than one Key, CRL, Certificate or Request
all items are shown in a Multi-import dialog.
When importing a PKCS#7 or PKCS#12 item, the contained Keys and Certificates are shown in the Multi-import dialog.
By using the Multi-import dialog the items can be examined, imported or dropped.

<p>
After reading the item it searches for this item in the database and if it is unique the item
is stored in the database, otherwise it shows a message containing the internal name of this item in the database.

<sect1>Details of an item
<p>
The details dialog can be accessed by double clicking the item, by the context menu or by
the button on the right.
The names of the issuers certificate and the corresponding key are "clickable" and their
content will be shown on "double-click"

<sect1>Renaming an item
<p>
An Item can be renamed via the context menu by right-clicking on the item
or by the <tt>Rename</tt> button on the right border.
If the new name of the item already exists in the database a <em>_01</em>
will be appended to keep the internal name unique.

<sect1>Deleting Items
<p>
Items can be deleted by the button on the right or via the context menu.
If a certificate signed by this application is going to be removed
the application will warn you once more, because you can not revoke a
deleted certificate. Thus only delete a certificate signed by you
if you never exported it. Certificate signing requests can be deleted
when they get signed, because they are not needed anymore. 
The request can be recovered from the resulting certificate by 
exporting the certificate to a request. 
This is however only possible if you own the private key of the 
certificate.


<!-- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -->

<sect>The Wizard <label id="wizard">
<p>
The Wizard is the central part for collecting all data regarding Certificates,
Requests and Templates. It will be invoked whenever such an item is going 
to be created or, in case of a Template, is altered.

<sect1>Template selection
<p>
On this page the template to be used can be selected. All following pages will be 
preset to the appropriate values of the selected template. If you don't want to 
use a template just select the <tt>Empty Template</tt>.
If the checkbox labeled: <tt>Change the default extensions of the template</tt>
is checked the Wizard will show 3 more pages containing all certificate extensions.
The lazy people leave this checkbox unchecked.

<p>
For generating Certificates there is a drop-down list of all Requests that are available. 
If you don't want to sign a request but generate a certificate from scratch
or template, uncheck the checkbox to the left of the request list.
Also only for creating certificates the signer of the new certificate
can be selected wether it shall become a <em>self-signed</em> certificate
or get signed by one of the <ref id="ca_cert" name="CA certificates"> in the 
drop-down list.
<p>
This page is not shown when creating or changing templates.

<sect1>Personal settings
<p>
On this Page all personal data like country, name and Email address
can be filled in. Only the <tt>Internal name</tt> is mandatory.
The <tt>Country code</tt> field must either be empty or exactly contain
two letters representing your country code; e.g. <em>DE</em> for Germany.
If you want to create an SSL-server certificate the <tt>Common name</tt>
must contain the <em>DNS</em> name of the server.
<p>
Other rarely used <tt>name-entries</tt> can be selected in the dialog
below. Only items that were added using the <tt>add</tt>
button are recognized. All items can be added more than once, even those from above.
This is not very usual but allowed.

<p>
Keys can be generated here <em>on the fly</em> by pressing the button.
If there is no usable key and you need one, 
the key generation process will be invoked automatically.
The newly generated key will be stored in the database and stay there, 
even if you cancel the Wizard later. The drop-down list of the keys
does only contain keys that were not used by any other certificate or
request. The keylist is not available for creating or changing templates.
<p>
This page does not appear when signing a request, because the request does
contain all needed data from this page.

<sect1>X509v3 Extensions
<p>
The following 3 pages contain all fields for adjusting the certificate extensions.
It is not in the focus of this document to explain them in detail.
The most important are the <tt>Basic Constraints</tt> and the <tt>Validity</tt> range.
<p>
For more information consult the documents in <ref id="otherdoc">.
If you don't know what this is all about please read those documents before
creating any certificates.

<sect2>Basic Constraints
<p>
If the <tt>CA</tt> flag is set to true the certificate is recognized by XCA and other
instances as issuer for other certificates. Server-certificates or E-Mail certificates