
Setting up a Simple Certificate Authority (CA)

This How-to applies to: Any version.
This How-to is intended for: Site Administrators

Setting up a secure certificate authority and its associated policies is beyond the scope of this document. However, these instructions may be followed if you wish to set up a simple test authority.

Setting up a test Certificate Authority

Note: The following documentation covers XCA version 0.5.1.

  1. Download and install the XCA program.
  2. Run XCA.
  3. Click on the Certificates tab.
  4. Click on New Certificate.
  5. Select Create a self signed certificate. This is for the CA key, which is not signed by any higher authority.
  6. Select CA Template. This sets defaults useful for CAs.
  7. Click Next. You will be prompted to create a keypair (private key and corresponding public key). Name the key CA. The default Keysize of 1024 is fine.
  8. On the next page, enter details for the CA. Common name is something like MyCompany Test Certificate Authority. The other fields are your organisation's details. The internal name can be CA; this is the name XCA will use internally for the certificate.
  9. On the next page, ensure that the type is Certificate Authority and that Subject Key Identifier is turned on (this is needed for .NET interoperability).
  10. Accept the offered details on this and the following pages, which should be correct for a CA since you selected the CA template.
  11. Click Finish to create the CA certificate.

Signing certificates

You can now use your new Certificate Authority to sign other people's certificates. Other people will create certificates (for example, by using KeyToolGUI or the Keystore web administration page) and will send you a Certificate Signing Request (.csr file).

To sign a request:

  1. Click on the Certificate signing requests tab.
  2. Click on Import.
  3. Open the .csr file you have been sent.
  4. Right-click on the signing request that now appears in the main list and choose Show Details from the menu.
  5. MAKE SURE that the details are correct, and perform checks to make sure that the request really comes from its claimed owner. People are trusting you to sign only genuine certificates.
  6. Right-click on the signing request and choose Sign from the menu.
  7. Choose Use this Certificate for signing and select your CA certificate.
  8. Select Server Template when signing service provider certificates, and Client Template when signing users' personal certificates.
  9. Ensure that Subject Key Identifier is turned on (this is needed for .NET interoperability).
  10. Click Next and then Next again to reach the Netscape extensions page.
  11. Because a service provider must invoke methods on other service providers, a service provider certificate must be signed for use as both an SSL Server and an SSL Client, so select both here.
  12. Click Next and then Finish to sign the certificate.

You should now send the signed certificate back to its owner, along with your CA certificate. To do this:

  1. Click on the Certificates tab.
  2. Right-click on the signed certificate and choose Export/File from the menu.
  3. Select PEM format and save the .crt file.
  4. Right-click on your CA certificate and export that in the same way, as CA.crt.
  5. Send both .crt files to the originator of the signing request.
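The whole workflow above (test CA, CSR check, signing for both SSL Server and SSL Client use, and the recipient's verification of the returned .crt files) as an added example in Go's standard crypto/x509 package; this is not part of the How-to or of XCA, and the function name IssueServiceProviderCert and the subject names are assumptions.

```go
package main
import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// IssueServiceProviderCert replays the XCA workflow: self-signed CA, CSR from a service
// provider, check on that CSR, cert for both SSL Server and SSL Client use, then verification.
func IssueServiceProviderCert() (ca, leaf *x509.Certificate, err error) {
	now := time.Now()
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048) // 2048 bits, not the How-to's 1024-bit default
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), NotBefore: now, NotAfter: now.AddDate(10, 0, 0),
		Subject:      pkix.Name{CommonName: "MyCompany Test Certificate Authority"},
		IsCA:         true, BasicConstraintsValid: true, // XCA's "Certificate Authority" type
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // Go adds the CA's SKI itself
	}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	ca, _ = x509.ParseCertificate(caDER)
	spKey, _ := rsa.GenerateKey(rand.Reader, 2048) // stays with the service provider; only the CSR travels
	csrDER, _ := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: "sp1.example.test"}}, spKey)
	csr, _ := x509.ParseCertificateRequest(csrDER)
	// Step 5 of "Signing certificates": a CSR with a bad self-signature is rejected
	// before any out-of-band check that the requester is who the subject claims.
	if err = csr.CheckSignature(); err != nil {
		return nil, nil, err
	}
	skid := sha1.Sum(csr.RawSubjectPublicKeyInfo) // Subject Key Identifier, RFC 5280 method 1
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), NotBefore: now, NotAfter: now.AddDate(1, 0, 0),
		Subject:      csr.Subject, SubjectKeyId: skid[:], KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		// "SSL Server" and "SSL Client" from the Netscape extensions page.
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, ca, csr.PublicKey, caKey)
	leaf, _ = x509.ParseCertificate(leafDER)
	// Recipient's check on the two .crt files: chains to CA.crt and is accepted in both
	// TLS roles (VerifyOptions.KeyUsages means "any of these", so each role is tried alone).
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	for _, eku := range []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth} {
		if _, err = leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{eku}}); err != nil {
			return nil, nil, err
		}
	}
	return ca, leaf, nil
}
```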