Chapter 7. eAIP Security - How to set up an x509 signing environment

Introduction

This chapter describes the steps to:

  1. Set up a CA (Certification Authority)

  2. Create a signing certificate

  3. Distribute the certificate to the end-users

Setting up an x509 CA is a complex operation. It is recommended that the user become familiar with x509 and public key cryptography in general by reading the links provided in the Technical and procedural choices chapter. See also the eAIP Security Risks and Mitigation Strategies in the eAIP Specification.

Necessary software

Please download and install the following software. You might need administrative privileges or ask your system administrator to perform the installation.

  • XCA: graphical interface to OpenSSL for management of x509 certificates. This tutorial covers version 0.4.4.

Description of the steps required

Overview

The steps to set up a Certification Authority for an organisation are the following:

  1. Generate a private key / public key pair used by the CA

  2. Generate a self-signed CA certificate

The CA is then able to sign certificates.

To create a certificate for the person or entity signing the eAIP package:

  1. The signing person generates a private key / public key pair

  2. The signing person generates a certificate signing request

  3. The signing person sends the CSR to the CA

  4. The CA signs the request, creates a certificate, and sends it back to the person or entity

  5. The signing person imports the certificate and verifies it

The person or entity signing the eAIP package now has a certificate and is able to sign eAIP packages, as described in How to sign an eAIP with x509.

Setting up a CA

Initial software configuration

Run the installer package, leaving the default options.

After installation, run the XCA program from the Start Menu. You might be notified with the following messages which you may safely ignore.

You will be asked to enter a password to protect your keys and your configuration:

Enter a strong password twice and click OK. Please remember this password, as there is no way to retrieve it.

You are presented with the main interface of the application.

Creation of CA public and private key pair

Click on the Certificate tab on top, then on the New certificate button. A wizard opens; click Next.

Leave the values at their defaults. Click Next.

Enter the CA key name you wish, and choose the key strength you need (at least 2048 is recommended). Click Create to start the key generation.

Creation of CA certificate

Enter the information relative to your organisation:

  • Internal name: A name by which you will recognise this certificate in the XCA software.

  • Organisation: The full name of your organisation.

  • Country Code: The ISO country code of your organisation.

  • Organ. Unit: The unit of the organisation which is responsible for the management of the certificates.

  • Country: The country of your organisation.

  • Common Name: The name by which this certificate will be known.

  • Locality: The city of your organisation.

  • E-Mail address: The email address at which the unit responsible for the management of certificates can be contacted.

At the bottom, in Private Key, make sure the name of the key you just generated is selected. Click Next.

Enter the following:

  • CA: Choose Yes, as this is a CA certificate.

  • Path Length: Enter 0 unless you wish to create sub CAs.

  • Key Identifier: Select both options to uniquely identify this key and certificate.

  • Validity: Enter the start and end dates of the validity of this certificate. Keep it long enough, as all certificates issued by this CA will no longer be considered valid after the expiration of the CA certificate.

  • CRL distribution point: Enter the URL, preceded by URI:, at which you will post the Certificate Revocation List (list of certificates which are cancelled).

Click Next.

Specify in the Key Usage:

  • Critical

  • Certificate Sign: Enable this certificate to sign other certificates (primary purpose of a CA certificate).

  • CRL Sign: Enable this certificate to sign the Certificate Revocation List, defining the cancelled certificates.

Click Next.

Select in the Netscape Extensions:

  • SSL CA: If you want to use the same CA certificate to generate other certificates used for SSL communication.

  • S/MIME CA: Select this to enable this certificate to sign S/MIME certificates.

  • Object Signing CA: Select this to enable this certificate to sign mobile code (e.g. Java applets).

You may leave the rest blank, or fill the entries depending on your security policy. Click Next.

Review the information you have entered. If there are any mistakes, you may use the Back button to correct them. Click Finish.

You have created a CA certificate capable of signing Certificate Signing Requests and creating certificates for people in your organisation.

Export of CA certificate

You need to export the CA certificate in order for other people to use it. Click on the certificate, and click on the Export button on the right. You are presented with the export interface. Enter:

  • Destination directory and name of the exported certificate file.

  • Export format: choose PEM.

You also need the associated key fingerprint for end-users to be able to check the validity of the certificate.

Right-click on the CA certificate and select Show details.

Note down the MD5 fingerprint.

Send the exported CA certificate to the person creating the signing key. You now have to wait for that person to send their Certificate Signing Request. This file, together with its associated fingerprint, will also be sent to all end-users so that they can validate the signed eAIP packages sent by your organisation.

Creating a Certificate Signing Request

Introduction

Creating a Certificate Signing Request is done by the actual person doing the signing of the eAIP packages. The steps are:

Install necessary software

The steps are similar to those for the security administrator.

Import CA certificate

On the main window, click on the Certificate tab at the top, then on the Import button.

Navigate to the location where the certificate file sent to you is stored. Click Open.

The certificate appears in the list. Notice that its trust state is Not Trusted.

Right-click on the certificate, and select the Trust option.

The trust setting dialogue appears. Select Always trust this certificate. Click OK.

You notice that the trust setting of the certificate has changed.

Generate Certificate Signing Request

Click on the Certificate signing request tab on top, then on New Request. The Certificate request wizard opens up. Click Next.

Leave the default values. Click Next.

Enter the key name you wish, and choose the key strength you need (at least 2048 recommended). Click Create to start the key generation.

Enter the information relative to your organisation:

  • Internal name: A name by which you will recognise this certificate in the XCA software.

  • Organisation: The full name of your organisation.

  • Country Code: The ISO country code of your organisation.

  • Organ. Unit: The unit of the organisation which is responsible for the management of the certificates.

  • Country: The country of your organisation.

  • Common Name: Your name, or the organisation unit if this certificate will be shared.

  • Locality: The city of your organisation.

  • E-Mail address: Your email address.

At the bottom, in Private Key, make sure the name of the key you just generated is selected. Click Next.

Carefully review the information you have entered. If there are any mistakes, use the Back button to correct them. Click Finish.

Export Certificate Signing Request, send to CA

You can see the Signing request you just generated in your list. Right-click on it and select Export, and PEM as format.

Navigate to the location where you want to save this file. Click Save. Send this file to the person responsible for the CA.

Signing the Certificate Signing Request to create Certificate

Introduction

Signing the Certificate Signing Request to create the certificate is done by the CA. The steps are:

Import the Certificate Signing Request

In the main interface, click on the Certificate signing request tab on the top, then on the Import button on the right. You will be presented with a file dialogue. Navigate to the file that the signing party sent to you.

The Signing Request appears in the list. Right-click on it and select Show Details.

Double-check that the information entered is valid. If there are any errors, have the person submit a new Signing Request. Click OK when satisfied.

Sign the Certificate Signing Request to create Certificate

Right-click on the signing request, select Sign. You are presented with the signing wizard. Click Next.

Have the following selected:

  • Sign this certificate request: Leave the selected request in the drop-down menu

  • Use this certificate for signing: Select the CA certificate which is used for signing

Click on Next.

Fill in the Key identifier and the validity period. Please note that after a certificate has expired, a new one must be generated. Click Next.

Select in the Key Usage Critical and Digital Signature. Click Next.

If you wish to allow the use of this certificate for other purposes (e.g. SSL or secured email using S/MIME) you may select other options, depending on your security policy. Click Next.

Check the validity of the information again. When satisfied, click Finish.

Export the signing certificate

Export the signing certificate from XCA by saving it to a file:

Select the Certificate tab on top. Right-click on the signing certificate and select the Export / File option.

In the Filename box, enter the path where you want to store the certificate, followed by the filename. For example: A:\Synclude eAIP Publisher.crt will save it on a floppy disk.

You can now send this file to the person signing the eAIP packages.

Import the Certificate

Introduction

This step is done by the person signing the eAIP.

Import certificate

Open the XCA application.

Click on the Certificate tab on top. Click on the Import button on the right.

Navigate to the location of the certificate received from the CA. For example, if received on a floppy, navigate to A:\Synclude eAIP Publisher.crt.

You will see the signing certificate under the CA certificate. To verify the import stage was done properly, right-click on the signing certificate and select Show Details.

Verify that the Signed by field is correct and that the status is trusted. Check that the Private Key field matches your private key.
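
The whole procedure above (CA key and self-signed certificate, signing request, signing by the CA, and the final checks) expressed as OpenSSL commands, as an added example that is not part of the original chapter. XCA is a front end to OpenSSL, but the subject names, file names, CRL URL and validity periods used here are assumptions, and the private keys are left unencrypted only because the script works in a throwaway directory.

```shell
# Added example: names, paths, URL and validity periods are assumptions.
# Keys are left unencrypted (-nodes) in a throwaway directory for the demo only.
build_chain() {            # prints the directory holding the generated files
  d=$(mktemp -d) || return 1
  cat > "$d/pki.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = ca_dn
[ca_dn]
C = XX
O = Example ANSP
OU = AIS
CN = Example eAIP CA
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
crlDistributionPoints = URI:http://crl.example.invalid/ca.crl
[v3_signer]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
  # CA: key pair and self-signed CA certificate
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$d/pki.cnf" \
    -extensions v3_ca -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
  # Signer: key pair and Certificate Signing Request
  openssl req -new -newkey rsa:2048 -nodes -config "$d/pki.cnf" \
    -subj "/C=XX/O=Example ANSP/OU=AIS/CN=Example eAIP Publisher" \
    -keyout "$d/signer.key" -out "$d/signer.csr" 2>/dev/null || return 1
  # CA: sign the CSR; extensions come from the CA's own section, not from the CSR
  openssl x509 -req -in "$d/signer.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 365 -extfile "$d/pki.cnf" -extensions v3_signer \
    -out "$d/signer.crt" 2>/dev/null || return 1
  echo "$d"
}
# Checks corresponding to the final "Show Details" step ($1 = directory)
signed_by_ca() { openssl verify -CAfile "$1/ca.crt" "$1/signer.crt" >/dev/null 2>&1; }
key_matches() {
  [ "$(openssl x509 -in "$1/signer.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$1/signer.key" -pubout)" ]
}
# CA fingerprint for end-users; $2 is the digest name (md5 or sha256)
ca_fingerprint() { openssl x509 -in "$1/ca.crt" -noout -fingerprint "-$2" | cut -d= -f2; }
```

ca_fingerprint prints the value to give end-users over a separate channel; md5 is the digest this chapter notes down from XCA, and sha256 is offered here as an assumption for tools that display it.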