Adding a sub-authority
During the creation of a sub-CA, the windows are similar to those for the root CA. The configuration wizard for a sub-CA requires a “parent” reference from which it will copy information.
- Click on Add.
- Select Sub-authority.
- Enter a CN (mandatory).
This is a name that will help you identify your root authority, restricted to 64 characters. It may be the name of an organization, user, server, host, etc.
- Enter an ID (optional).
Here, you can add a shortcut to your CN, which will be useful for command lines.
- Select the parent authority: a sub-authority can only be used after the identification of its parent authority.
The authority suggested as the parent for the new sub-authority will be the default authority or the last authority selected before clicking on “Add > Sub-authority”.
Enter the password of the parent authority.
The icon allows you to view the password in plaintext to check that it is correct.
- Click on Next.
- Enter the password that will protect the sub-authority, then confirm it.
A progress bar indicates your password’s strength. Combine uppercase and lowercase letters with numbers and special characters for best results.
- You can enter your E-mail address in this field to receive a message confirming that your authority was created.
- If necessary, change the Key size (in bits).
Even though large keys are more effective, you are advised against using them with entry-level appliances as this will mean the key will take a long time to be generated.
- You can also change your authority's Validity (in days).
This field corresponds to the number of days for which your certification authority, and therefore your PKI, will be valid. The date affects all aspects of your PKI as indeed, once this certificate expires, all user certificates will also expire. This value cannot be changed later.
The value of this field must not exceed 3650 days.
- Click on Next.
- Where necessary, specify distribution points for certificate revocation lists and click on Add to indicate the URL to the CRL.
All this information will be embedded in the generated CAs and applications that use the certificate will be able to automatically retrieve the CRL in order to check the certificate’s validity.
If there are several distribution points, they will be applied in their order of appearance on the list.
- Click on Next.
You will be shown a summary of the information you entered.
- Click on Finish.
The sub-authority will automatically be added to the tree of authorities and identities defined on the firewall.
Displaying sub-authority details
Click once on the sub-authority to display its detailed information on the right side of the screen:
Data about the sub-authority is shown in four windows:
- The duration of its Validity: when it was issued and when it expires,
- Its recipient (Issued for): the sub-authority itself,
- Its Issuer: its parent authority,
- Its Fingerprints: serial number of the sub-authority, encryption and signature algorithms used, etc.
"Revocation (CRL)" tab
Rounds up information regarding the CRL: its la validity including the last and next update, the table of distribution points and the table of revoked certificates which should contain a serial number, a revocation date and a reason for the revocation (optional).
"Certificate profiles" tab
This tab shows the Key size (bits) and Encryption algorithm for the certification authority (including the authority's CRL validity (days), restricted to a maximum of 3650 days), user certificates, smart card certificates and server certificates.
These values can be changed later and are suggested by default when a sub-authority is created or when a certificate signed by the selected sub-authority is added.