Adding a root authority
A root authority or “root CA” is an entity that signs, sends and maintains certificates and CRLs (Certificate Revocation Lists).
Once the certification authority has been entered, information entered can no longer be changed.
Creating a root authority
- Click on Add.
- Select Root authority.
- Enter a CN (mandatory).
This is a name that will help you identify your root authority, restricted to 64 characters. It may be the name of an organization, user, server, host, etc.
- Enter an ID (optional).
Here, you can add a shortcut to your CN, which will be useful for command lines.
- Enter the attributes of the authority. All this information will appear in the authority certificate and the certificates that it issues.
- Organization (O): Name of your company (e.g.: Stormshield).
- Organizational unit (OU): "Branch" of your company (e.g.: Documentation).
- Locality (L): City in which your company is located (e.g.: Boston).
- State or province (ST): State or province in which your company is located (e.g.: Massachusetts).
- Country (C): Select from the list the country in which your company is located (e.g.: USA).
- Click on Next.
- Enter the password that will protect the root authority, then confirm it.
A progress bar indicates your password’s strength. Combine uppercase and lowercase letters with numbers and special characters for best results.
- You can enter your E-mail address in this field to receive a message confirming that your authority was created.
- If necessary, change the Key size (in bits).
Even though large keys are more effective, you are advised against using them with entry-level appliances as this will mean the key will take a long time to be generated.
- You can also change your authority's Validity (in days).
This field corresponds to the number of days for which your certification authority, and therefore your PKI, will be valid. This date affects all aspects of your PKI, so once this certificate expires, all user certificates will expire as well. This value cannot be changed later.
The value of this field must not exceed 3650 days.
- Click on Next.
- Where necessary, specify distribution points for certificate revocation lists and click on Add to indicate the URL to the CRL.
All this information will be embedded in the generated CAs and applications that use the certificate will be able to automatically retrieve the CRL in order to check the certificate’s validity.
If there are several distribution points, they will be applied in their order of appearance on the list.
- Click on Next.
You will be shown a summary of the information you entered.
- Click on Finish.
The authority will automatically be added to the tree of authorities, identities and certificates defined on the firewall.
Displaying authority details
Click once on the authority to display its detailed information on the right side of the screen:
Data about the authority is shown in four windows:
- The duration of its Validity: when it was issued and when it expires,
- Its recipient (Issued for),
- Its Issuer: the authority itself,
- Its Fingerprints: serial number of the authority, encryption and signature algorithms used, etc.
"Revocation (CRL)" tab
Rounds up information regarding the CRL: its la validity including the last and next update, the table of distribution points and the table of revoked certificates which should contain a serial number, a revocation date and a reason for the revocation (optional).
The maximum lifetime of certificates has been increased to ten years.
"Certificate profiles" tab
This tab shows the Key size (bits), Validity (days) and Encryption algorithm for the certification authority (including the authority's CRL validity (days), restricted to a maximum of 3650 days), user certificates, smart card certificates and server certificates.
These values can be changed later and are suggested by default when a sub-authority is created or when a certificate signed by the selected authority is added.