xca.sgml

一个跨平台的CA系统 实现了数字证书的制作、SSL安全通讯、加解密操作等功能

must have set this flag to <tt>false</tt>
<sect2>Validity Range
<p>
The <em>not Before</em> field is set to the current date and time of the
operating system and the <em>not After</em> field is set to the current date and time
plus the specified time range.
<p>
For templates the specified times are not saved, because it does not make much sense.
Rather the time range is stored and automatically applied when selecting this 
template. Applying the time range means to set notBefore to "now" and notAfter
to "now + time range"

<!-- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -->

<sect>RSA Keys <label id="keys">
<p>
For asynchronous encryption and signing keys are needed. XCA only supports RSA keys
but not DSA keys. All keys are stored encrypted in the database using the 3DES algorithm.

<p>
All keys carry a use counter which counts the times it is used. For new
requests or certificates the list of available keys is reduced to
the keys with a use counter of 0.


<sect1>Generating Keys
<p>
The dialog asks for the internal name of the key and the keysize in bits.
Even if the drop-down list only shows the most usual values, any other value
can be added here by editing this box.
While searching for random prime numbers a progress bar is shown. Although the
Progressbar carries a <tt>Cancel</tt> button it has no effect clicking on it
since the underlaying <em>OpenSSL</em> routine does not support an abort.
So think twice before generating a 4096 bit key on a 80Mhz i486 PC ....
After the key generation is done the key will be stored in the database.

<sect1>Key export
<p>
Keys can be exported by either selecting the key and pressing <em>Export</em> or by
using the context-menu. This opens a Dialogbox where the following settings cn be adjusted:
<itemize>
<item>filename
<item>Outputformat (DER, PEM, PKCS#8)
<item>Public or Private Key
<item>Encryption of the exported file (yes/no)
</itemize>

The filename is the internal name plus a <tt>pem</tt>, <tt>der</tt> or <tt>pk8</tt> suffix.
When changing the fileformat, the suffix of the filename changes accordingly
Only PKCS&num;8 or PEM files can be encrypted, because
the DER format (although it could be encrypted)
does not support a way to supply the encryption algorithm
like e.g. <em>DES</em>.
Of course, encryption does not make sense if the private part is not exported.


<!-- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -->

<sect>Certificate Signing Requests <label id="csr">
<p>
Certificate signing requests are described in PKCS&num;10 standard.
They are used to supply a Certification Authority with the 
needed information to issue a valid certificate for you 
without knowing your private key. This
includes your personal information and your public key.
<p>
Netscape SPKAC files can not be created or exported, but they can be imported and signed.
This requests are marked in the Signature field as SPKAC and a Netscape icon is
shown.

<sect1>Generating a new Request
<p>
After clicking on the <tt>New Request</tt> button the Certificate Wizard will be started to ask
all needed information for generating a new Request. See: <ref id="wizard" name="Wizard">
The request generation can also be invoked by the context menu of a certificate (Export->Request).
This menu point is only available if the private key of the certificate is available.
In this case all needed data is copied from the certificate and the Wizard is not invoked.

<sect1>Request export
<p>
Requests can be exported only by the context-menu. There is a sub-menu to select PEM or DER format.
The filename can be selected in the next dialog.

<sect1>Request details
<p>
All information contained in the request are shown. If the Keystore does contain
the private key corresponding to the request the keys internal name is shown in the
<tt>Key</tt> field.

<!-- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -->

<sect>Certificates
<p>
All Certificates from the database are displayed in a tree view reflecting the chain dependencies.
If there is a CA certificate and several client certificates signed by this CA,
the client certificates can be shown by clicking on the plus sign of the CA certificate.

<sect1>CA certificates <label id="ca_cert">
<p>
XCA recognizes your CA certificates if the CA flag in the <em>Basic Constraints</em> is set to true
and if there is a corresponding private key.
In this case the <tt>CA</tt> submenu in the context-menu is enabled.

<p>
For building the chains the CA flag is disregarded instead it consideres the issuer name and
the signature to decide which certificate is the issuer.

<sect1>Generating certificates
<p>
After clicking on the <tt>New Certificate</tt> button the Certificate Wizard will be started to ask
all needed information for generating a new Certificate. See: <ref id="wizard" name="Wizard">
Certificate creation can also be invoked by the context menu of the certificate list background
or by the context menu of the request.
In this case the Wizard is preset with the Request to be signed.
<p>
If a <em>CA certificate</em> is selected in the certificate list, this
certificate is preselected as signer certificate on the second page of the Wizard.

<sect1>Certificate details
<p>
The signer is the internal name of the issuers certificate, <em>SELF SIGNED</em> if it is
self signed or <em>SIGNER UNKNOWN</em> if the issuer's certificate is not available.
The validity is set to <em>valid</em> if the certificate's dates are valid
or to <em>Not valid</em> if they are not, regarding to the internal time and date of the OS.
<p>
If the certificate has been revoked, the revocation date is shown instead.

<sect1>Certificate trust
<p>
The certificate trust can be changed by the context menu of the certificate.
It can be set to:
<itemize>
<item><bf>Not trusted</bf> - never trust this certificate, even if we trust the issuer. 
This is the default for imported self-signed certificates.
<item><bf>Trust depends on issuer</bf> - only trust this certificate, if we trust the
issuer. This is the default for imported and generated non-self-signed certificates.
<item><bf>Always trust</bf> - always trust this certificate, even if we do not trust
the issuer's certificate or if it is absent. This is the default for generated 
self-signed certificates.
</itemize>

<sect1>Certificate export
<p>
The filename can be selected in the export dialog and the Export format:
<itemize>
<item><bf>PEM</bf> - PEM encoded
<item><bf>PEM with Certificate chain</bf> - PEM encoded certificate and all issuers up to the
root certificate in one file
<item><bf>PEM all trusted Certificates</bf> - List of all PEM encoded certificates
that are marked als <em>Always trusted</em> (usually all self-signed certificates)
in one file for e.g. apache as trusted cert store.
<item><bf>PEM all Certificates</bf> - All PEM encoded certificates in one file.
<item><bf>DER</bf> - DER encoded certificate.
<item><bf>PKCS#7</bf> - DER encoded PKCS#7 structure containing the certificate.
<item><bf>PKCS#7 with Certificate chain</bf> - DER encoded PKCS#7 structure containing the
	certificate and all issuers up to the root certificate.
<item><bf>PKCS#7 all trusted Certificates</bf> - DER encoded PKCS#7 structure containing all
	 certificates that are marked als <em>Always trusted</em>
<item><bf>PKCS#7 all Certificates</bf> - DER encoded PKCS#7 structure containing all certificates.
<item><bf>PKCS#12</bf> - PKCS#12 structure containing the certificate and the corresponding XXX (?)
<item><bf>PKCS#12</bf> - PKCS#12 structure containing the certificate, the corresponding 
private key and the chain of all issuers certificates.
</itemize>
<p>
When exporting PKCS#12 structures you are asked later for an encryption
password.

<sect1>Certificate revocation
<p>
Certificates can only be revoked, if the private key of the issuer's certificate
is available. The certificate will marked as revoked and the revocation date
will be stored with the certificate.

<sect1>Certificate renewal
<p>
Certificates can only be renewed, if the private key of the issuer's certificate
is available. Renewal is done by creating a new certificate as a copy of the original one
with adjusted validity dates.

<sect1>PKCS#7
<p>
PKCS#7 structures can be created by the context menu of the signing certificate.
The PKCS#7 structure can be either signed or encrypted. 
Therefore it will prompt for a file to be either signed or encrypted.
The resulting file has the original filename with ".p7s" suffix.

<sect1>CA special functions
<p>
The context menu of CA certificates contains the <em>CA</em> submenu.
that makes the following functions available:

<itemize>
<item><bf>Serial</bf> The serial number of the next certificate
signed by this issuer.
<item><bf>CRL days</bf> The days until the next CRL release.
<item><bf>Signing Template</bf> The default template for signing certificates.
<item><bf>Generate CRL</bf> Generate the CRL by collecting all revoked certificates
and their revocation date.
</itemize>

<sect>Certificate Revocation Lists
<p>
All certificates are issued for a restricted timeperiod of validity.
However it can happen that a certificate shoud not be used / becomes invalid
before the "not after" time in the certificate is reached. In this case
the issuing CA should revoke this certificate by putting it on the list of 
revoked certificates, signing it and publishing it.

<sect1>Generation of Certificate revocation lists
<p>
In XCA this can be done by the context-menu of the CA and the 
"revoke" entry in the context-menu of the issued certificate.
First all invalid certificates are marked as revoked and 
then a Certificate Revocation List should be created and will be stored in the
database. 
<p>

<!-- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -->
<sect>Object IDs
<p>
Private Object IDs and OID lists for the distinguished name or extended key
usage can be added in files listed below.
The files are:
<itemize>
<item><bf>oids.txt</bf> addidtional Object IDs
<item><bf>eku.txt</bf> Content of <tt>ExtendedKeyUsage</tt>
<item><bf>dn.txt</bf> Content of <tt>DistinguishedName</tt>
<item><bf>aia.txt</bf> Content of <tt>AuthorityInformationAccess</tt>
</itemize>
The search path for all the files is listed below.
<p>
<bf>Unix</bf>
<itemize>
<item>PREFIX/share/xca/ <newline>PREFIX is usually /usr or /usr/local
<item>/etc/xca/
<item>$HOME/xca/
</itemize>
<bf>Windows</bf>
<itemize>
<item>HKEY_LOCAL_MACHINE->Software->xca->Install_Dir <newline>e.g.: C:\Program Files\xca
<item>HKEY_CURRENT_USER->Software->xca->data_path <newline>e.g.: C:\Documents and Settings\%USER%\Application Data\xca
</itemize>
All Object IDs that are not official, but belong to your company
or organisation can be added in the file <tt>oids.txt</tt>.
All possilbe locations for this file are searched and all <tt>oids.txt</tt> files
found are loaded. This way the application-installer adds
some in /usr/share/xca, the Administrator in /etc/xca and the user in
$HOME/xca. The format of this file is:<newline>
<bf>OID</bf>:<bf>shortname</bf>:<bf>longname</bf><newline>
Leading and trailing spaces between the colons and the text are ignored.
Lines starting with a <bf>#</bf> are ignored.

<p>
The files containing OID lists (<tt>eku.txt, dn.txt, aia.txt</tt>) 
are handled in a different way, only the first one found is used. 
The format of this files is one entry per line. The entry can be either the
numerical OID like <tt>1.3.6.1.5.5.8.2.2</tt>, the short name like 
<tt>iKEIntermediate</tt> or the long name <tt>IP security end entity</tt>.
Lines starting with a <bf>#</bf> are ignored.
If this files shall contain new inofficial OIDs, they must be also mentioned 
in one of the <tt>oids.txt</tt> files.


<!-- %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -->
<sect>Appendix
<p>
Here one can find several examples for file formats:
<sect1>PEM 
<p>
<tscreen><verb>
-----BEGIN CERTIFICATE-----
MIIC0zCCAjygAwIBAgIQKNOqLomUfJxugwU5FHGCSjANBgkqhkiG9w0BAQQFADBf
MQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsT
LkNsYXNzIDIgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkw
HhcNOTcxMDEzMDAwMDAwWhcNMDQwMTA1MjM1OTU5WjBDMREwDwYDVQQKEwhWZXJp
U2lnbjEuMCwGA1UECxMlVmVyaVNpZ24gQ2xhc3MgMiBPblNpdGUgSW5kaXZpZHVh
bCBDQTCBnTANBgkqhkiG9w0BAQEFAAOBiwAwgYcCgYEA3CqZnW4z/LtBdsQ5Ho33
dueQD3RVYWFyPPg3SxsfCOkwHXDFFolgM0ZIf8bQmj12mMOhwaxS0Re5FARphlxh
T7NlZYtjou4hfEGvrXJAw02Rs0m+mPtXx1ousEun7wkk84GdOMWS2kqnmFGp2DB2
LWrWry9+2xEqhftlYFpF6BsCAQOjga0wgaowDwYDVR0TBAgwBgEB/wIBADBEBgNV
HSAEPTA7MDkGC2CGSAGG+EUBBwEBMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3
LnZlcmlzaWduLmNvbS9ycGEwMQYDVR0fBCowKDAmoCSgIoYgaHR0cDovL2NybC52
ZXJpc2lnbi5jb20vcGNhMi5jcmwwCwYDVR0PBAQDAgEGMBEGCWCGSAGG+EIBAQQE
AwIBBjANBgkqhkiG9w0BAQQFAAOBgQCeTebTWFTbJFzaxCsD3432QbAsiAng0VcA
OzlDYn1BMIRT0NsrJbeTjQ8cOmvCkgesEPYsm+SniOktibXDJT+n87Can4+0CQBx
qUUsBUoG0PtMGjH4Vr/QD5sG8cMecG3FJR4CWwKitoz47h7sxM50B6RB9je1eIvS
1NMPRGO1nQ==
-----END CERTIFICATE-----
</verb></tscreen>

<sect1>SPKAC
<p>
<tscreen><verb>
SPKAC=MIIBPzCBqTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAw9eRsqOS9k
gd5Wk5Z2OWLCB8TuYlhRKpvfdIh6dZBERIQ/7xojDhOeg235Y/iWR0Jj9pXLOz2Q
dL7ppUwsGCnXXQGCdTG4OXAziBZTcLoMIxHzIvJ9pgX3APsuEWospGJzDPQv0sup
GCEiQK6qzAFa5BISQpIczHufBFGtLbGesCAwEAARYFaGVsbG8wDQYJKoZIhvcNAQ
EEBQADgYEAZOCMay68W5629GI/fj0R7AGJBQBCu79KtAxcnmiDhI4ELWIoB04wJg
GqlcdCY6eo1CHZN9LNVltzSUghVl/zPwaBFodhI6CbSnMfk+nkPa2psXQXoQs2+1
7QPXfOlqDvqyOhwGFnPDMYSLeYVwQjh/Miov+vPV5+8Qhc2owuh9A=
CN=Fred vom Jupiter
O=Jupiter Gas Ltd.
OU=CRM inner planets
L=Jupiter
</verb></tscreen>

</article>