Sākums Izpētīt Palīdzība
Pierakstīties
fr33domlover
/
Rel4tion-Wiki
spogulis no git://seek-together.space/wiki.git
Vērot 1
Pievienot zvaigznīti 0
Atdalīts 0
Faili Problēmas 0 Vikivietne
Koks: 8b3b2bbab2
Atzari Tagi
Rel4tion-Wiki
/
maint
/
admin
/
ca
/
tinyca
/
Creating_a_CA.mdwn

Creating_a_CA.mdwn 4.8 KB
Vēsture Neapstrādāts

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192 
  1. A Certificate Authority (CA) signs certificates, marking them as authenticated.
    2. 

  2. In other words, a CA signature on a certificate says "you can trust the owner of
    3. 

  3. this certificate". If you're used to visiting a certain website which your
    4. 

  4. browser trusts, and one day you visit and get a security warning, there's a
    5. 

  5. chance you're viewing a clone of the real website, made by a scammer, maybe in
    6. 

  6. hope to get your private account details. Without server authentication, you
    7. 

  7. wouldn't notice.
    8. 

  8. 

  9. I'm not saying SSL is the perfect solution to the problem, or a solution I would
    10. 

  10. design or spread if it was up to me, but I assume you have your reasons to use
    11. 

  11. it (and so do I).
    12. 

  12. 

  13. For large-scale use of certificates, i.e. large CAs, it is a good idea to create
    14. 

  14. sub-CAs. These sub-CAs manage their own certificates. It allows responsibility
    15. 

  15. to be delegated to other people and teams, each managing the certificates
    16. 

  16. related to its area/domain. With TinyCA, setting up sub-CAs is quite easy, and
    17. 

  17. the tutorials listed in [[Useful Links]] can help.
    18. 

  18. 

  19. However, for small-scale use it is not necessary. This guide is based on home
    20. 

  20. server experience and is focused on small home/community servers. For those,
    21. 

  21. it's easier to have a single CA which signs one certificate per service. One for
    22. 

  22. the website, one for Jabber server and so on. The number of users and services
    23. 

  23. will probably be small enough to make this approach work well.
    24. 

  24. 

  25. When running TinyCA for the first time (or any other time, until you create a
    26. 

  26. CA), it will automatically open the *Create CA* dialog:
    27. 

  27. 

  28. [[!img 1.1-create-ca-blank.png class="center"]]
    29. 

  29. 

  30. Now fill in the details.
    31. 

  31. 

  32. - __Name__: You can make this the same as data (I'm not sure it has to me the
    33. 

  33.   same, but some sources say it does and I didn't test to see whether it's
    34. 

  34.   true).
    35. 

  35. - __Data__: Choose a name which refers to yourself, or to your community, or to
    36. 

  36.   your organization - whoever is going to be represented digitally by the CA. I
    37. 

  37.   think it's better not to mention a specific website/resource in this field,
    38. 

  38.   because it should represent an entity (person, community, etc.) and not a
    39. 

  39.   specific resource (server, location, URL, etc.).
    40. 

  40. - __Password__: Make it long and hard to guess. You'll need it only when
    41. 

  41.   creating new certificates, which won't happen very often. You can write down
    42. 

  42.   the password and keep it somewhere safe - then you don't need to worry about
    43. 

  43.   forgetting it, and it can be longer.
    44. 

  44. - __Country, organization, etc.__: Fill if you want to. It's not critical. A CA
    45. 

  45.   can be managed by people from different countries, so the location you specify
    46. 

  46.   there isn't something people should rely on anyway.
    47. 

  47. - __E-mail address__: People will probably find a way to contact you through
    48. 

  48.   your website or service etc., but it doesn't hurt to have a real e-mail
    49. 

  49.   address in the certificate.
    50. 

  50. - __Valid for__: I'm not an expert, but I suppose having a long validity is
    51. 

  51.   okay. I saw the number 7300 (20 years) in other places. You can keep the
    52. 

  52.   default (10 years) if you want.
    53. 

  53. - __Keylength, digest__: Use the default values.
    54. 

  54. 

  55. Here's an example:
    56. 

  56. 

  57. [[!img 1.2-create-ca-filled.png class="center"]]
    58. 

  58. 

  59. When you're done, click OK. The CA Configuration window will appear.
    60. 

  60. 

  61. - __Key Usage__: Leave the default value.
    62. 

  62. - __Non/critical__: I read about it a bit. I'm still not sure I understant what
    63. 

  63.   it does, but it seems that __critical__ is the recommended common value used.
    64. 

  64.   If you know more, please share the knowledge :-)
    65. 

  65. - __nsCertType__: Change to "SSL CA, S/MIME CA, Object Signing CA".
    66. 

  66. - __subjectAltName__: Leave the default value.
    67. 

  67. - __authorityKeyIdentifier__: Leave the default value.
    68. 

  68. - __basicConstraints__: Leave the default value.
    69. 

  69. - __issuerAltName__: Leave the default value.
    70. 

  70. - __nsComment__: I'm not an expert, but it seems to be just a comment and its
    71. 

  71.   value isn't significant. Enter anything you wish, or leave the default.
    72. 

  72. - __nsCaRevocationUrl, nsRevocationUrl__: Address on the web where the
    73. 

  73.   certificate revocation list is accessible to clients. To determine if a
    74. 

  74.   certificate is valid, this list will be consulted to check if a certificate
    75. 

  75.   has been revoked. This cannot be changed after the creation of the CA, so you
    76. 

  76.   need to choose the location now. You can put the revocation list there later,
    77. 

  77.   but make sure the URL is valid and that you'll really be able to make the list
    78. 

  78.   accessible through it.
    79. 

  79. - __nsCaPolicyUrl, nsPolicyUrl__: A webpage where people read about the policy
    80. 

  80.   of the CA, and any certificate use policy you may have. You can write the
    81. 

  81.   actual document later, but you must set the web address now. Make sure you'll
    82. 

  82.   really be able to put the webpage on that address.
    83. 

  83. 

  84. Here's an example:
    85. 

  85. 

  86. [[!img 2-ca-config.png class="center"]]
    87. 

  87. 

  88. When you're done, click OK. The CA will be created you will be presented with
    89. 

  89. the main TinyCA window, containing the CA details. It will look like this:
    90. 

  90. 

  91. [[!img 3-ca-created.png class="center"]]
    92. 

  92.