xca-5.html

一个跨平台的CA系统 实现了数字证书的制作、SSL安全通讯、加解密操作等功能

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
 <META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.21">
 <TITLE>XCA : RSA Keys </TITLE>
 <LINK HREF="xca-6.html" REL=next>
 <LINK HREF="xca-4.html" REL=previous>
 <LINK HREF="xca.html#toc5" REL=contents>
</HEAD>
<BODY>
<A HREF="xca-6.html">Next</A>
<A HREF="xca-4.html">Previous</A>
<A HREF="xca.html#toc5">Contents</A>
<HR>
<H2><A NAME="keys"></A> <A NAME="s5">5.</A> <A HREF="xca.html#toc5">RSA Keys </A></H2>

<P>For asynchronous encryption and signing keys are needed. XCA only supports RSA keys
but not DSA keys. All keys are stored encrypted in the database using the 3DES algorithm.</P>

<P>All keys carry a use counter which counts the times it is used. For new
requests or certificates the list of available keys is reduced to
the keys with a use counter of 0.</P>


<H2><A NAME="ss5.1">5.1</A> <A HREF="xca.html#toc5.1">Generating Keys</A>
</H2>

<P>The dialog asks for the internal name of the key and the keysize in bits.
Even if the drop-down list only shows the most usual values, any other value
can be added here by editing this box.
While searching for random prime numbers a progress bar is shown. Although the
Progressbar carries a <CODE>Cancel</CODE> button it has no effect clicking on it
since the underlaying <EM>OpenSSL</EM> routine does not support an abort.
So think twice before generating a 4096 bit key on a 80Mhz i486 PC ....
After the key generation is done the key will be stored in the database.</P>

<H2><A NAME="ss5.2">5.2</A> <A HREF="xca.html#toc5.2">Key export</A>
</H2>

<P>Keys can be exported by either selecting the key and pressing <EM>Export</EM> or by
using the context-menu. This opens a Dialogbox where the following settings cn be adjusted:
<UL>
<LI>filename</LI>
<LI>Outputformat (DER, PEM, PKCS#8)</LI>
<LI>Public or Private Key</LI>
<LI>Encryption of the exported file (yes/no)</LI>
</UL>
</P>
<P>The filename is the internal name plus a <CODE>pem</CODE>, <CODE>der</CODE> or <CODE>pk8</CODE> suffix.
When changing the fileformat, the suffix of the filename changes accordingly
Only PKCS#8 or PEM files can be encrypted, because
the DER format (although it could be encrypted)
does not support a way to supply the encryption algorithm
like e.g. <EM>DES</EM>.
Of course, encryption does not make sense if the private part is not exported.</P>



<HR>
<A HREF="xca-6.html">Next</A>
<A HREF="xca-4.html">Previous</A>
<A HREF="xca.html#toc5">Contents</A>
</BODY>
</HTML>