Adding a root authority or displaying its details

A root authority, or “root CA”, is an entity that issues, signs and maintains certificates and CRLs (Certificate Revocation Lists). Its own certificate is self-signed and sits at the top of the chain of trust for every certificate it issues.

NOTE
Once the certification authority has been created, the information entered can no longer be changed.

Adding a root authority

  1. Click on Add.
  2. Select Root authority.
  3. Enter a CN (mandatory).
    This is a name that will help you identify your root authority, restricted to 64 characters. It may be the name of an organization, user, server, host, etc.
  4. Enter an ID (optional).
    A short alias for the CN, useful when referring to the authority on the command line.
  5. Enter the attributes of the authority. These attributes form the subject of the authority certificate and appear as the issuer in every certificate that it signs.
  • Organization (O): Name of your company (e.g.: Stormshield).
  • Organizational unit (OU): "Branch" of your company (e.g.: Documentation).
  • Locality (L): City in which your company is located (e.g.: Boston).
  • State or province (ST): State or province in which your company is located (e.g.: Massachusetts).
  • Country (C): Select from the list the country in which your company is located (e.g.: USA).
  6. Click on Next.
  7. Enter the password that will protect the root authority's private key, then confirm it.
    A progress bar indicates your password’s strength. Combine uppercase and lowercase letters with numbers and special characters for best results.
  8. You can enter your E-mail address in this field to receive a message confirming that your authority was created.
  9. If necessary, change the Key size (in bits).
    Larger keys give a greater security margin, but you are advised against using them on entry-level appliances because key generation will take a long time.
  10. You can also change your authority's Validity (in days).
    This field corresponds to the number of days for which your certification authority, and therefore your PKI, will be valid. This date affects all aspects of your PKI: once the authority certificate expires, every certificate it issued fails chain validation, even if that certificate's own expiry date is later. This value cannot be changed later.
    The value of this field must not exceed 3650 days.
  11. Click on Next.
  12. Where necessary, specify distribution points for certificate revocation lists and click on Add to indicate the URL to the CRL.
    These URLs are embedded in the certificates that this authority issues, so applications that use a certificate can automatically retrieve the CRL in order to check whether the certificate has been revoked.
    If there are several distribution points, they are tried in their order of appearance on the list.
  13. Click on Next.
    You will be shown a summary of the information you entered.
  14. Click on Finish.

The authority will automatically be added to the tree of authorities, identities and certificates defined on the firewall.

Displaying details of an authority/editing certificate profiles linked to this authority

Click once on an authority to display its detailed information on the right side of the screen:

“Details” tab

Data about the authority is shown in four frames:

  • The duration of its Validity: when it was issued and when it expires,
  • Its recipient (Issued for): subject and details of the authority certificate,
  • Its Issuer: subject and details of the certificate that signed it; for a root authority, which is self-signed, this is the same as Issued for,
  • Its Details: serial number of the authority, version, encryption and signature algorithms used, key type, key size, and Extended Key Usage (EKU).

"Revocation (CRL)" tab

This tab summarizes information regarding the CRL:

  • Its validity, including the date of the last and next updates,
  • A grid showing certificates signed by this CA that have been revoked. For each of these revoked certificates, the serial number, revocation date and reason for revocation (optional) are specified.

"Certificate profiles" tab

In this tab, you will see:

  • Distribution points that provide the CA's CRL. Distribution points can be added or deleted from this grid.
  • Suggested default values for the parameters that are involved when a new sub-authority or certificate is signed by the selected certification authority. These values can be changed.

NOTE
Changing the values of these parameters does not affect existing sub-authorities or certificates: recreate them if you wish to use the new values for these items.

These parameters are as follows:

  • Key type (signature algorithm): the default value suggested is SECP (an elliptic-curve key).
  • Key Size (bits): the default value suggested is 256.
  • Validity (days): the default value suggested is 365 days for a certificate, and 3650 days for a CA.
  • CRL validity duration (only for signing the certificate of a sub-authority): the default value suggested is 30 days (maximum allowed: 3650 days),
  • Checksum: the default value used is sha256,