Home Explore Help
Sign In
fr33domlover
/
Rel4tion-Wiki
mirror of git://seek-together.space/wiki.git
Watch 1
Star 0
Fork 0
Files Issues 0 Wiki
Tree: 8b3b2bbab2
Branches Tags
Rel4tion-Wiki
/
maint
/
admin
/
ca
/
tinyca
/
Creating_a_Certificate.mdwn

Creating_a_Certificate.mdwn 2.5 KB
History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556 
  1. Now it's time to create a certificate for a web service you run. The examples
    2. 

  2. below assume it's a website certificate, but it could be anything else: A
    3. 

  3. certificate for a mail server or for a Jabber server etc. The process involves
    4. 

  4. two steps: First, the service operator generates a *request* and sends it to
    5. 

  5. the CA. Then, the CA signs the request, "approving" the service as trusted as
    6. 

  6. long as it holds the private key of the new certificate.
    7. 

  7. 

  8. In TinyCA, select the Requests tab. Right-click inside the window and select
    9. 

  9. "New request". A request creation dialog will open:
    10. 

  10. 

  11. [[!img 4.1-create-request-empty.png class="center"]]
    12. 

  12. 

  13. - __Common Name__: Must be the name users use to access your server, e.g. it
    14. 

  14.   would be *www.gnu.org* for the GNU website.
    15. 

  15. - __E-mail Address__: Address of the person/organization who will be running the
    16. 

  16.   service in which the certificate will be used. If you are your own CA this may
    17. 

  17.   be the same address as the CA's. Otherwise, e.g. if a community member
    18. 

  18.   operates a CA for the community and you want to send them a request, they may
    19. 

  19.   be different.
    20. 

  20. - __Password__: Long, hard to guess, *not* the same password you used for the
    21. 

  21.   CA.
    22. 

  22. - __Country, Organization, etc.__: the defaults are copied from the CA. If they
    23. 

  23.   aren't the right values for you, change them.
    24. 

  24. - __KeyLength, Digest, Algorithm__: Leave the default values. You can see them
    25. 

  25.   in the screenshot below.
    26. 

  26. 

  27. Here's an example:
    28. 

  28. 

  29. [[!img 4.2-create-request-filled.png class="center"]]
    30. 

  30. 

  31. The new certificate will be listed in the Requests tab. As the CA, you are going
    32. 

  32. to sign it. Right-click on the request and select "Sign request".
    33. 

  33. 

  34. [[!img 5.1-sign-request-menu.png class="center"]]
    35. 

  35. 

  36. You will need to choose between server and client request. In this case, select
    37. 

  37. server (I guess the client option is for client certificates). You should now
    38. 

  38. see a small dialog.
    39. 

  39. 

  40. - __CA password__: The password you entered for the CA :-)
    41. 

  41. - __Valid for__: I'm not an expert, but my personaly impression is that when
    42. 

  42.   looking at certificates' expiration dates, they seem to have roughly 1-3 years
    43. 

  43.   left. So the default 1-year time sounds reasonable. Again, I'm not an expert -
    44. 

  44.   if you want to understand the security concerns of expiration dates, you are
    45. 

  45.   welcome to go read about it. You're also welcome to share your knowledge here
    46. 

  46.   and replace this "I'm not an expert" paragraph ;-)
    47. 

  47. 

  48. Example:
    49. 

  49. 

  50. [[!img 5.2-sign-request-filled.png class="center"]]
    51. 

  51. 

  52. Click OK. The certificate will be signed and upon success you'll see something
    53. 

  53. like this:
    54. 

  54. 

  55. [[!img 5.3-sign-request-done.png class="center"]]
    56. 

  56.