Security and Hardening Guide
Applies to SUSE Linux Enterprise Server 15 SP3

26 Managing a PKI with XCA, X certificate and key manager


Managing your own public key infrastructure (PKI) is traditionally done with the openssl utility. For admins who prefer a graphical tool, SUSE Linux Enterprise Server 15 SP3 includes XCA, the X Certificate and Key management tool (http://hohnstaedt.de/xca).

XCA creates and manages X.509 certificates, certificate requests, RSA, DSA, and EC private keys, smart cards, and certificate revocation lists (CRLs). XCA supports everything you need to create and manage your own certificate authority (CA), and includes customizable templates that can be used for certificate or request generation. This chapter describes a basic setup.

26.1 Installing XCA

XCA is provided by the xca package:

> sudo zypper in xca

26.2 Creating a new PKI

XCA stores all cryptographic data in a database. When you are using XCA for the first time, and creating a new PKI, you must first create a new database by clicking File > New DataBase (Figure 26.1, “Create a new XCA database”).

Figure 26.1: Create a new XCA database

26.2.1 Creating a new root CA

The following steps describe how to create a new root CA.

  1. Click the Certificates tab.

  2. Click the New Certificate button.

  3. Click the Source tab. At the bottom of the window, under Template for the new certificate, select the [default] CA template, then click Apply all.

  4. Click the Subject tab. Create an Internal Name, which identifies your new root CA internally, in XCA only.

    Complete the fields in the Distinguished Name section. Use the Add button to add any additional elements, if you require any.

  5. In the Private key drop-down, select your preferred private key if you have one, or generate a new key.

  6. Click the Extensions tab. Edit any attributes as necessary. The default Time Range is 10 years. The certificate revocation list distribution point becomes part of every issued certificate, so it is good practice to use one common URL for all of your certificates, for example http://www.example.com/crl/crl.der. When you are finished, click the OK button.

26.2.2 Creating a signed host certificate

The next step is to create a host certificate signed by your new certificate authority.

  1. Click the Certificates tab, then click the New Certificate button.

  2. On the Source tab, select the [default] TLS_server template and click the Apply all button. This enters the appropriate values in the Extensions, Key usage, and Netscape tabs. In the Signing section, select the certificate that you created in Section 26.2.1, “Creating a new root CA”.

  3. Click the Subject tab. Create an internal name, which is for display purposes in XCA only. A good practice is to use the host name or the fully qualified domain name. Then fill in the fields in the Distinguished Name section. For host certificates, the common name must be the FQDN that your users will use. This can be the canonical name of the host or an alias. For example, if jupiter.example.com is your web server and it has a DNS CNAME entry of www.example.com, then you probably want the commonName value in the certificate to be www.example.com. To add any additional parts to the distinguished name, use the drop-down box and the Add button. Select the desired private key or generate a new one.

  4. Click the Extensions tab. The default Time range is one year. If you change this, click the Apply button.

  5. It is good practice to designate a certificate revocation list location. The location must be unique for this root certificate. XCA exports CRLs in either PEM or DER format with the matching file suffix, so choose a URL that reflects the format you will publish, for example http://www.example.com/crl/crl.der. On the CRL Distribution points line, click the Edit button. Type in your URI, then click Add. Click Validate and Apply.

    Click the OK button.

26.2.3 Revoking a certificate

  1. Click the Certificates tab.

  2. Right-click on the certificate that you want to revoke, then click Revoke.

  3. Right-click the CA certificate that signed the certificate you want to revoke. Click CA > Generate CRL.

    Click the OK button in the Create CRL dialog.

  4. Click on the Revocation lists tab in the main window. Right-click on the CRL you just generated and select Export. Select the desired format (probably DER) and click OK.

    Copy the exported CRL to the location published in the issued certificates' CRL Distribution Points, otherwise clients that check the CRL cannot learn about the revocation.
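The three procedures above (root CA, signed host certificate with a CRL distribution point, revocation and CRL export) carried out with the openssl utility named in the introduction, as an added example that is not part of the SUSE guide or of XCA. It assumes the openssl command is installed and constructs every value it uses: the CA name, the example.com host names, the CDP URL quoted in the text, and a throw-away working directory.

```shell
# Added example, not from the SUSE guide or XCA: the chapter's three procedures done with the openssl CLI.
# Constructed values: example.com names, a throw-away work directory, 2048-bit RSA keys. Returns 0 on success.
pki_demo() {
  d=${1:-$(mktemp -d)} && cd "$d" || return 1
  mkdir -p ca && : > ca/index.txt && echo 1000 > ca/serial && echo 01 > ca/crlnumber || return 1
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ ca ]
default_ca = root
[ root ]
dir = ca
database = $dir/index.txt
new_certs_dir = $dir
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = root.crt
private_key = root.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = pol
x509_extensions = srv
[ pol ]
commonName = supplied
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ srv ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com,DNS:jupiter.example.com
crlDistributionPoints = URI:http://www.example.com/crl/crl.der
EOF
  # 26.2.1: self-signed root CA with a 10-year lifetime (the [default] CA template's Time Range)
  openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Example Root CA" -keyout root.key -out root.crt 2>/dev/null || return 1
  # 26.2.2: host request with the public FQDN as CN, signed by the CA for one year with TLS server extensions and the CDP
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -subj "/CN=www.example.com" -keyout www.key -out www.csr 2>/dev/null || return 1
  openssl ca -batch -notext -config ca.cnf -in www.csr -out www.crt 2>/dev/null || return 1
  openssl verify -CAfile root.crt www.crt >/dev/null 2>&1 || return 2   # chains to the root before revocation
  openssl x509 -in www.crt -noout -text | grep -q 'URI:http://www.example.com/crl/crl.der' || return 3
  # 26.2.3: revoke, generate the CRL, export it as DER for the URL published in the certificate
  openssl ca -batch -config ca.cnf -revoke www.crt 2>/dev/null || return 1
  openssl ca -batch -config ca.cnf -gencrl -out crl.pem 2>/dev/null || return 1
  openssl crl -in crl.pem -outform DER -out crl.der 2>/dev/null || return 1
  ! openssl verify -crl_check -CAfile root.crt -CRLfile crl.pem www.crt >/dev/null 2>&1 || return 4   # now rejected as revoked
}
pki_demo && echo "OK: root.crt, www.crt and crl.der written to $PWD"
```

The final verify step is the check a client performs once crl.der is published at the CDP URL; if it still succeeds, the CRL was not generated by the CA that signed the certificate.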
