Applies to SUSE Linux Enterprise Server 15 SP3

25 Managing a PKI with XCA, X certificate and key manager

Managing your own public key infrastructure (PKI) is traditionally done with the openssl utility. For admins who prefer a graphical tool, SUSE Linux Enterprise Server 15 SP3 includes XCA, the X Certificate and Key management tool (http://hohnstaedt.de/xca).

XCA creates and manages X.509 certificates, certificate requests, RSA, DSA, and EC private keys, smart cards, and certificate revocation lists (CRLs). XCA supports everything you need to create and manage your own certificate authority (CA). XCA includes customizable templates that can be used for certificate or request generation. This chapter describes a basic setup.

25.1 Installing XCA

XCA is provided by the xca package:

> sudo zypper in xca

25.2 Creating a new PKI

XCA stores all cryptographic data in a database. The first time you use XCA to create a new PKI, you must first create a new database by clicking File > New DataBase (Figure 25.1, “Create a new XCA database”).

Figure 25.1: Create a new XCA database

25.2.1 Creating a new root CA

The following steps describe how to create a new root CA.

  1. Click the Certificates tab.

  2. Click the New Certificate button.

  3. Click the Source tab. At the bottom of the window, under Template for the new certificate, select the [default] CA template, then click Apply all.

  4. Click the Subject tab. Create an Internal Name, which identifies your new root CA internally, in XCA only.

    Complete the fields in the Distinguished Name section. Use the Add button to add any additional elements, if you require any.

  5. In the Private key drop-down, select your preferred private key if you have one, or generate a new key.

  6. Click the Extensions tab. Edit any attributes as necessary. The default Time Range is 10 years. The certificate revocation list distribution point will be part of the issued certificates, and it is a good practice to use a common URL for all of your certificates, for example http://www.example.com/crl/crl.der. When you are finished, click the OK button.

25.2.2 Creating a signed host certificate

The next step is to create a host certificate signed by your new certificate authority.

  1. Click the Certificates tab, then click the New Certificate button.

  2. On the Source tab, select the [default] TLS_server and click the Apply all button. This enters the appropriate values in the Extensions, Key usage, and Netscape tabs. In the Signing section, select the certificate that you created in Section 25.2.1, “Creating a new root CA”.

  3. Click the Subject tab. Create an internal name, which is for display purposes in XCA. A good practice is to use the host name, or the fully-qualified domain name. Then fill in the fields in the Distinguished Name section. For host certificates, the common name must be the FQDN that your users will use. This can be the canonical name of the host, or an alias. For example, if jupiter.example.com is your web server and it has a DNS CNAME entry of www.example.com, then you probably want the commonName value in the certificate to be www.example.com. To add any additional parts to the distinguished name, use the drop-down box and the Add button. Select the desired private key or generate a new one.

  4. Click the Extensions tab. The default Time range is one year. If you change this, click the Apply button.

  5. It is a good practice to designate a certificate revocation list location. The location must be unique for this root certificate. XCA exports CRLs in either PEM or DER format with appropriate suffixes, so take this into account when choosing the URL, for example http://www.example.com/crl/crl.der. On the CRL Distribution points line, click the Edit button. Type in your URI, then click Add. Click Validate and Apply.

    Click the OK button.

25.2.3 Revoking a certificate

  1. Click the Certificates tab.

  2. Right-click on the certificate that you want to revoke, then click Revoke.

  3. Right-click the CA certificate that signed the certificate you want to revoke. Click CA > Generate CRL.

    Click the OK button in the Create CRL dialog.

  4. Click on the Revocation lists tab in the main window. Right-click on the CRL you just generated and select Export. Select the desired format (probably DER) and click OK.

    Copy the exported CRL to the location published in the issued certificate's CRL Distribution Points.
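
A revocation only takes effect for clients that load the CRL and check it. The following added example is not part of the SUSE guide and does not use XCA: it builds a throwaway root CA, host certificate and CRL with the openssl utility mentioned at the start of this chapter, then shows the same host certificate verifying before revocation and failing afterward. All file names, subject names, lifetimes and the SAN entry are constructed for the demo.

```shell
# Added example (not from the SUSE guide): throwaway openssl PKI for testing a CRL.
# All names, paths and lifetimes below are constructed for the demo.
build_demo_pki() {            # $1 = empty working directory
  ( cd "$1" || exit 1
    mkdir newcerts; : > index.txt; echo 01 > serial
    cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
default_ca = demo
[demo]
database = index.txt
new_certs_dir = newcerts
serial = serial
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = pol
[pol]
commonName = supplied
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[srv]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.example.com
crlDistributionPoints = URI:http://www.example.com/crl/crl.der
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf -extensions v3_ca \
      -subj "/CN=Demo Root CA" -days 3650 -keyout ca.key -out ca.pem &&
    openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
      -subj "/CN=www.example.com" -keyout host.key -out host.csr &&
    openssl ca -batch -config ca.cnf -extensions srv -in host.csr -out host.pem &&
    openssl ca -config ca.cnf -gencrl -out crl.pem
  ) >/dev/null 2>&1
}
revoke_host() {               # revoke host.pem, then issue a fresh CRL
  ( cd "$1" && openssl ca -config ca.cnf -revoke host.pem &&
    openssl ca -config ca.cnf -gencrl -out crl.pem ) >/dev/null 2>&1
}
crl_verdict() {               # prints valid, revoked or error for $1/host.pem
  out=$(openssl verify -CAfile "$1/ca.pem" -CRLfile "$1/crl.pem" \
        -crl_check "$1/host.pem" 2>&1)
  case $out in *"certificate revoked"*) echo revoked ;;
    *": OK"*) echo valid ;; *) echo error ;; esac
}
d=$(mktemp -d) && build_demo_pki "$d" && crl_verdict "$d" && revoke_host "$d" && crl_verdict "$d"; rm -rf "$d"
```

To run the same check on files exported from XCA, export the CA certificate, host certificate and CRL in PEM format into one directory under the names assumed here (ca.pem, host.pem, crl.pem) and call crl_verdict on that directory.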