Adding a root authority or displaying its details
During the creation of a sub-CA, the windows are similar to those for the root CA. The configuration wizard for a sub-CA requires a “parent” reference from which it will copy information.
Adding a sub-authority
- Click on Add.
- Select Sub-authority.
- Enter a CN (mandatory).
This is a name that will help you identify your root authority, restricted to 64 characters. It may be the name of an organization, user, server, host, etc.
- Enter an ID (optional).
Here, you can add a shortcut to your CN, which will be useful for command lines.
- Select the parent authority: a sub-authority can only be used after the identification of its parent authority.
The authority suggested as the parent for the new sub-authority will be the default authority or the last authority selected before clicking on “Add > Sub-authority”.
- Enter the password of the parent authority.
The icon next to the field allows you to view the password in plaintext to check that it is correct.
- Click on Next.
- Enter the password that will protect the sub-authority, then confirm it.
A progress bar indicates your password’s strength. Combine uppercase and lowercase letters with numbers and special characters for best results.
- You can enter your E-mail address in this field to receive a message confirming that your authority was created.
- If necessary, change the Key size (in bits).
Even though larger keys are stronger, you are advised against using them with entry-level appliances, as generating the key will take a long time.
- You can also change your authority's Validity (in days).
This field corresponds to the number of days for which your certification authority, and therefore your PKI, will be valid. The date affects all aspects of your PKI: once this certificate expires, all user certificates will also expire. This value cannot be changed later.
The value of this field must not exceed 3650 days.
- Click on Next.
- Where necessary, specify distribution points for certificate revocation lists and click on Add to indicate the URL to the CRL.
All this information will be embedded in the generated CAs, and applications that use the certificate will be able to automatically retrieve the CRL in order to check the certificate’s validity.
If there are several distribution points, they will be applied in their order of appearance on the list.
- Click on Next.
You will be shown a summary of the information you entered.
- Click on Finish.
The sub-authority will automatically be added to the tree of authorities and identities defined on the firewall.
Displaying sub-authority details
Click once on the sub-authority to display its detailed information on the right side of the screen.
Displaying details of an authority/editing certificate profiles linked to this authority
Click once on an authority to display its detailed information on the right side of the screen:
“Details” tab
Data about the authority is shown in four frames:
- The duration of its Validity: when it was issued and when it expires,
- Its recipient (Issued for): subject and details of the sub-authority certificate,
- Its Issuer: subject and details of the parent authority certificate,
- Its Details: serial number of the sub-authority, version, encryption and signature algorithms used, key type, key size, and Extended Key Usage (EKU).
"Revocation (CRL)" tab
This tab summarizes information regarding the CRL:
- Its validity, including the date of the last and next updates,
- A grid showing certificates signed by this CA that have been revoked. For each of these revoked certificates, the serial number, revocation date and reason for revocation (optional) are specified.
"Certificate profiles" tab
In this tab, you will see:
- Distribution points that provide the CA's CRL. Distribution points can be added or deleted from this grid.
- Suggested default values for the parameters that are involved when a new sub-authority or certificate is signed by the selected certification authority. These values can be changed.
NOTE
Changing the values of these parameters does not affect existing sub-authorities or certificates: recreate them if you wish to use the new values for these items.
These parameters are as follows:
- Key type (signature algorithm): the default value suggested is SECP.
- Key Size (bits): the default value suggested is 256.
- Validity (days): the default value suggested is 365 days for a certificate, and 3650 days for a CA.
- CRL validity duration (only for signing the certificate of a sub-authority): the default value suggested is 30 days (maximum allowed: 3650 days).
- Checksum: the default value used is sha256.
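The following added example (not Stormshield's code, and not part of this documentation) shows in the `cryptography` Python library (assumed version 3.1 or later) what the sub-authority wizard and the Certificate profiles defaults above produce: a root CA, a sub-CA signed by it, a server certificate signed by the sub-CA that carries a CRL distribution point, and a CRL whose nextUpdate follows the 30-day CRL validity. The verifier at the end applies the three rules the text states: a certificate is unusable once any CA above it has expired, the CRL must be fresh, and a revoked serial fails. The CA names, the hostname and the CRL URL are constructed placeholders.

```python
"""Two-level PKI with the wizard defaults: SECP256R1 keys, SHA-256, 3650-day CAs,
365-day leaf, 30-day CRL. Added example, not Stormshield's code."""
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID, ExtendedKeyUsageOID

UTC = dt.timezone.utc
CRL_URL = "http://pki.example.invalid/sub-ca.crl"  # constructed placeholder URL


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _when(obj, attr):
    # cryptography >= 42 exposes aware *_utc properties; older versions return naive UTC
    value = getattr(obj, attr + "_utc", None)
    return value if value is not None else getattr(obj, attr).replace(tzinfo=UTC)


def issue(cn, days, is_ca, issuer=None, issuer_key=None, crl_url=None):
    """Issue a certificate; no issuer means self-signed (root CA)."""
    key = ec.generate_private_key(ec.SECP256R1())  # the "SECP" / 256-bit default
    now = dt.datetime.now(UTC)
    b = (x509.CertificateBuilder()
         .subject_name(_name(cn))
         .issuer_name(issuer.subject if issuer is not None else _name(cn))
         .public_key(key.public_key())
         .serial_number(x509.random_serial_number())
         .not_valid_before(now - dt.timedelta(minutes=1))
         .not_valid_after(now + dt.timedelta(days=days))
         .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    if is_ca:
        b = b.add_extension(x509.KeyUsage(
            digital_signature=True, content_commitment=False, key_encipherment=False,
            data_encipherment=False, key_agreement=False, key_cert_sign=True,
            crl_sign=True, encipher_only=False, decipher_only=False), critical=True)
    else:
        b = b.add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
    if crl_url:  # distribution point taken from the issuing CA's profile
        dp = x509.DistributionPoint([x509.UniformResourceIdentifier(crl_url)], None, None, None)
        b = b.add_extension(x509.CRLDistributionPoints([dp]), critical=False)
    return b.sign(issuer_key if issuer_key is not None else key, hashes.SHA256()), key


def build_crl(ca_cert, ca_key, revoked_serials, crl_days=30):
    """CRL signed by the CA; nextUpdate = now + CRL validity duration."""
    now = dt.datetime.now(UTC)
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
         .last_update(now).next_update(now + dt.timedelta(days=crl_days)))
    for serial in revoked_serials:
        b = b.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(now)
            .add_extension(x509.CRLReason(x509.ReasonFlags.key_compromise), critical=False)
            .build())
    return b.sign(ca_key, hashes.SHA256())


def crl_urls(cert):
    """Distribution points in the order they are embedded in the certificate."""
    try:
        dps = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value
    except x509.ExtensionNotFound:
        return []
    return [name.value for dp in dps for name in (dp.full_name or [])]


def effective_expiry(leaf, chain):
    """Earliest notAfter on the path: once a CA expires, everything below it does too."""
    return min(_when(c, "not_valid_after") for c in [leaf] + chain)


def verify(leaf, chain, crl, now=None):
    """chain = [sub_ca, root_ca]; returns (ok, reason)."""
    now = now or dt.datetime.now(UTC)
    for cert, issuer in zip([leaf] + chain, chain + [chain[-1]]):  # root verifies itself
        if not _when(cert, "not_valid_before") <= now <= _when(cert, "not_valid_after"):
            return False, f"{cert.subject.rfc4514_string()} outside validity window"
        try:
            issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       ec.ECDSA(cert.signature_hash_algorithm))
        except InvalidSignature:
            return False, f"bad signature on {cert.subject.rfc4514_string()}"
    sub_ca = chain[0]
    if crl.issuer != sub_ca.subject or not crl.is_signature_valid(sub_ca.public_key()):
        return False, "CRL not issued by the leaf's CA"
    if now > _when(crl, "next_update"):
        return False, "CRL stale: past nextUpdate"
    if crl.get_revoked_certificate_by_serial_number(leaf.serial_number) is not None:
        return False, "certificate revoked"
    return True, "ok"


def demo():
    root, root_key = issue("Demo Root CA", 3650, True)
    sub, sub_key = issue("Demo Sub CA", 3650, True, root, root_key)
    leaf, _ = issue("vpn.example.invalid", 365, False, sub, sub_key, CRL_URL)
    chain = [sub, root]
    fresh = build_crl(sub, sub_key, [])
    revoking = build_crl(sub, sub_key, [leaf.serial_number])
    later = lambda days: dt.datetime.now(UTC) + dt.timedelta(days=days)
    return {"crl_urls": crl_urls(leaf),
            "valid": verify(leaf, chain, fresh),
            "revoked": verify(leaf, chain, revoking),
            "stale_crl": verify(leaf, chain, fresh, now=later(31)),
            "leaf_expired": verify(leaf, chain, fresh, now=later(400)),
            "expiry_is_leaf": effective_expiry(leaf, chain) == _when(leaf, "not_valid_after")}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The stale-CRL case is the one most often overlooked: 31 days after issuance the server certificate is still well inside its 365-day validity, but a relying party that only has a CRL whose nextUpdate has passed cannot know whether the certificate was revoked in the meantime, which is why the CRL validity duration in the profile should be matched to how often the CRL is actually republished.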
“Details” tab
Data about the sub-authority is shown in four windows:
- The duration of its Validity: when it was issued and when it expires,
- Its recipient (Issued for): the sub-authority itself,
- Its Issuer: its parent authority,
- Its Details: serial number of the sub-authority, version, encryption and signature algorithms used, key type, key size, etc.
"Revocation (CRL)" tab
Summarizes information regarding the CRL: its validity, including the last and next update, the table of distribution points, and the table of revoked certificates, each entry of which contains a serial number, a revocation date and a reason for the revocation (optional).
"Certificate profiles" tab
This tab shows the Key size (bits) and Encryption algorithm for the certification authority (including the authority's CRL validity (days), restricted to a maximum of 3650 days), user certificates, smart card certificates and server certificates.
These values can be changed later and are suggested by default when a sub-authority is created or when a certificate signed by the selected sub-authority is added.