Generating, signing and exporting keys and certificates ...evardsson.github.io/s3c3/Generating,...

Post on 05-Oct-2020

Generating, signing and exporting keys and certificates with XCA

Start XCA

Create a new database

Name and save your database

Select a password - you will need this every time you reopen this database

Generate a new private key for the root CA

Name it something like s3c3_root - we are using 4098 bits for the example

Your shiny new key

Create a new self-signed certificate

Make sure the selected template is CA and click on Apply extensions

Fill out the subject fields

In extensions, make sure the type is "Certification Authority" and that "Critical" and "Subject Key Identifier" are checked. Set the lifetime to 10 years.

Make sure Certificate Sign and CRL Sign are selected under Key usage and click OK

You should have a new CA Certificate now

Create a new client certificate - start with a new Certificate signing request

Set the template to HTTPS_client and click Apply extensions

Fill out the subject and click on Generate a new key

Set the name of the server (server1 in this example) and add _client to the name - use a 2048 bit key or larger

Make sure to also select Non Repudiation in the Key usage pane and click OK

In the Certificates pane, click on New Certificate

Check Sign this request, uncheck copy extensions, make sure to check "Use this Certificate for signing" and use your root, select HTTPS_client in templates and click Apply all

Make sure Non Repudiation is also selected and click on OK

Generating a server certificate is the same as a client, except you will use the HTTPS_server template.

Note that you WILL need to choose "Use this Certificate for signing" and select your root key. I forgot to while building the screenshots and had to rebuild this certificate.

X Certificate and Key management

Export the keys for server 1, the private server key ...

... which should be named servername.pem (server1.pem for our example server1)

Export the client private key (servername_client.pem - or server1_client.pem for our example server1)

Export the certificates - same naming scheme as the keys, but with the crt extension

... client certificate the same

And don't forget the root CA certificate
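
Once the files are exported they can be checked from a shell. The script below is an added example, not part of the original slides: it confirms that the root is a CA certificate, that a certificate was really signed by the root (a certificate created without "Use this Certificate for signing" fails here), and that each .pem key belongs to its .crt. It assumes unencrypted PEM exports and a root file named s3c3_root.crt; `make_demo` builds constructed throwaway files with openssl so the checks can be tried without an XCA database.

```shell
#!/bin/sh
# Added example: sanity checks for files exported from XCA.
# Assumes unencrypted PEM keys; the root file name s3c3_root.crt is an assumption.

# Private key and certificate belong together when their public keys are equal.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# check_export ROOT.crt NAME: checks NAME.pem / NAME.crt against the root CA.
check_export() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE' ||
        { echo "$1: not a CA certificate"; return 1; }
    openssl verify -CAfile "$1" "$2.crt" >/dev/null 2>&1 ||
        { echo "$2.crt: not signed by $1"; return 1; }
    key_matches_cert "$2.pem" "$2.crt" ||
        { echo "$2.pem does not match $2.crt"; return 1; }
    echo "$2: ok"
}

# make_demo DIR: constructed throwaway root, server1 and server1_client files,
# built with openssl (not XCA) so the checks can run offline.
make_demo() {
    d=$1
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = constructed demo root
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
        -keyout "$d/root.key" -out "$d/s3c3_root.crt" 2>/dev/null || return 1
    for n in server1 server1_client; do
        openssl req -new -config "$d/ca.cnf" -subj "/CN=$n" -newkey rsa:2048 \
            -nodes -keyout "$d/$n.pem" -out "$d/$n.csr" 2>/dev/null || return 1
        openssl x509 -req -in "$d/$n.csr" -CA "$d/s3c3_root.crt" -days 1 \
            -CAkey "$d/root.key" -CAcreateserial -out "$d/$n.crt" 2>/dev/null || return 1
    done
}
```

In the export directory, run `check_export s3c3_root.crt server1` and `check_export s3c3_root.crt server1_client`; each prints `ok` or names the first check that failed.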
