Adding a sub-authority
The windows shown when creating a sub-CA are similar to those for the root CA. The configuration wizard for a sub-CA additionally requires a “parent” authority, from which it copies information and whose private key signs the new sub-authority's certificate.
- Click on Add.
- Select Sub-authority.
- Enter a CN (mandatory).
This is a name that will help you identify your sub-authority, restricted to 64 characters. It may be the name of an organization, user, server, host, etc.
- Enter an ID (optional).
Here, you can add a shortcut to your CN, which will be useful for command lines.
- Select the parent authority: a sub-authority can only be used after the identification of its parent authority.
The authority suggested as the parent for the new sub-authority will be the default authority or the last authority selected before clicking on “Add > Sub-authority”.
- Enter the password of the parent authority.
This password protects the parent's private key, which is needed to sign the certificate of the new sub-authority. The icon next to the field allows you to view the password in plaintext to check that it is correct.
- Click on Next.
- Enter the password that will protect the sub-authority, then confirm it.
A progress bar indicates your password’s strength. Combine uppercase and lowercase letters with numbers and special characters for best results. This password protects the sub-authority's private key and will be requested in the same way whenever this authority is itself used as a parent.
- You can enter your E-mail address in this field to receive a message confirming that your authority was created.
- If necessary, change the Key size (in bits).
Larger keys give a greater security margin, but you are advised against using the largest sizes on entry-level appliances, where generating the key will take a long time.
- You can also change your authority's Validity (in days).
This field corresponds to the number of days for which your certification authority, and therefore your PKI, will be valid. The date affects every aspect of your PKI: once this certificate expires, the certificates signed by the authority can no longer be validated, so they effectively expire with it, whatever their own validity period says. This value cannot be changed later.
The value of this field must not exceed 3650 days.
- Click on Next.
- Where necessary, specify distribution points for certificate revocation lists: click on Add and enter the URL from which the CRL can be downloaded.
These URLs are embedded in the certificates generated by the authority, so applications that use a certificate can automatically retrieve the CRL in order to check whether the certificate has been revoked. Use URLs that will be reachable by every client that has to validate these certificates.
If there are several distribution points, they will be applied in their order of appearance on the list.
- Click on Next.
You will be shown a summary of the information you entered.
- Click on Finish.
The sub-authority will automatically be added to the tree of authorities and identities defined on the firewall.
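The wizard above is a graphical procedure. The shell script below is an added example, not part of the Stormshield documentation: it reproduces the same steps with OpenSSL (a root authority, a sub-authority signed by its parent with a CRL distribution point embedded, one end-entity certificate) and then checks two points made above, namely that the CRL URL really is carried in the generated certificates, and that a certificate signed by the sub-authority stops validating the day the sub-authority's own certificate expires, however long its own validity is. The names, the CRL URL and the validity periods are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not part of the Stormshield documentation): build a root CA,
# a sub-authority signed by it and one end-entity certificate with OpenSSL,
# then check what the wizard text says about CRL distribution points and
# about the expiry of the authority. All names and periods are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Hypothetical distribution point; use whatever URL you entered in the wizard.
CRL_URL="http://pki.example.internal/sub-ca.crl"

# Minimal OpenSSL config so the example does not depend on the system openssl.cnf.
cat > openssl.cnf <<EOF
[ req ]
distinguished_name = dn
prompt             = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
export OPENSSL_CONF="$WORK/openssl.cnf"

# Root authority: self-signed, 3650 days (the maximum the wizard accepts).
openssl req -x509 -config openssl.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
  -sha256 -days 3650 -subj "/CN=Example Root CA" -keyout root.key -out root.crt 2>/dev/null

# Sub-authority: its own key and CSR, signed by the parent for 1825 days.
# The CRL distribution point is embedded here; pathlen:0 stops this CA from
# issuing further sub-authorities.
openssl req -new -config openssl.cnf -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=Example Sub CA" -keyout sub.key -out sub.csr 2>/dev/null
cat > sub.ext <<EOF
basicConstraints       = critical,CA:TRUE,pathlen:0
keyUsage               = critical,keyCertSign,cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
crlDistributionPoints  = URI:$CRL_URL
EOF
openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 1825 -sha256 -extfile sub.ext -out sub.crt 2>/dev/null

# End-entity certificate signed by the sub-authority. It is deliberately given
# 3650 days, longer than its issuer, to show that this buys nothing.
openssl req -new -config openssl.cnf -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=vpn.example.internal" -keyout leaf.key -out leaf.csr 2>/dev/null
cat > leaf.ext <<EOF
basicConstraints       = CA:FALSE
keyUsage               = critical,digitalSignature,keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:vpn.example.internal
authorityKeyIdentifier = keyid:always
crlDistributionPoints  = URI:$CRL_URL
EOF
openssl x509 -req -in leaf.csr -CA sub.crt -CAkey sub.key -CAcreateserial \
  -days 3650 -sha256 -extfile leaf.ext -out leaf.crt 2>/dev/null

# First CRL distribution point URI carried by the certificate in $1 (empty if none).
crl_url_of() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^[[:space:]]*URI:\(.*\)$/\1/p' | head -n 1
}

# Exit 0 if the chain root -> sub -> leaf verifies at the epoch time given in $1.
chain_valid_at() {
  openssl verify -CAfile root.crt -untrusted sub.crt -attime "$1" leaf.crt >/dev/null 2>&1
}

# Exit 0 if the certificate in $1 is still within its own validity $2 days from now.
still_valid_in_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

NOW=$(date +%s)
LATER=$(( NOW + 1900 * 86400 ))   # after the sub-CA expires, before the leaf does
echo "sub-CA CRL DP : $(crl_url_of sub.crt)"
echo "leaf CRL DP   : $(crl_url_of leaf.crt)"
chain_valid_at "$NOW"   && echo "chain valid today"
chain_valid_at "$LATER" || echo "chain invalid once the sub-CA has expired"
still_valid_in_days leaf.crt 1900 && echo "...even though the leaf itself has not expired"
```

The 1825/3650-day split is what makes the last check meaningful: `openssl x509 -checkend` looks only at the leaf's own dates and still reports it valid, while `openssl verify -attime` walks the chain and rejects it because the issuer has expired. This is the situation the Validity field creates for every certificate below the authority, and the reason that value cannot be extended afterwards.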
Displaying sub-authority details
Click once on the sub-authority to display its detailed information on the right side of the screen:
“Details” tab
Data about the sub-authority is shown in four windows:
- The duration of its Validity: when it was issued and when it expires,
- Its recipient (Issued for): subject and details of the sub-authority certificate,
- Its Issuer: subject and details of the parent authority certificate,
- Its Hashes: serial number of the sub-authority certificate, version, public key and signature algorithms used, etc.
"Revocation (CRL)" tab
This tab summarizes information regarding the CRL:
- Its validity, including the date of the last and next updates,
- A grid showing certificates signed by this CA that have been revoked. For each of these revoked certificates, the serial number, revocation date and reason for revocation (optional) are specified.
"Certificate profiles" tab
In this tab, you will see:
- Distribution points that provide the CA's CRL. Distribution points can be added or deleted from this grid.
- Suggested default values for the parameters that are involved when a new sub-authority or certificate is signed by the selected certification authority. These values can be changed.
NOTE
Changing the values of these parameters does not affect existing sub-authorities or certificates: recreate them if you wish to use the new values for these items.
These parameters are as follows:
- Key type (signature algorithm): the default value suggested is RSA.
- Key Size (bits): the default value suggested is 256. A 256-bit key is only meaningful for an elliptic-curve key type; if the key type is RSA, use at least 2048 bits.
- Validity (days): the default value suggested is 365 days for a certificate, and 3650 days for a CA.
- CRL validity duration (only for signing the certificate of a certification authority): the default value suggested is 30 days (maximum allowed: 3650 days).
- Checksum: the default value used is sha256.