HP Open Source Security for OpenVMS Volume 2: HP SSL for OpenVMS > Chapter 3 Using the Certificate Tool

Create a Certificate Authority

  Table of Contents


Creating a certificate authority (CA) allows you to issue certificates using your own private key. The corresponding CA public key is itself contained within a certificate, called a CA Certificate. You must distribute this certificate to clients in order for them to access your server. A browser must contain this CA Certificate in its "trusted root library" in order to trust certificates signed by the CA's private key.

To create a certificate authority, perform the following steps:

  1. Enter the information required to create a certificate authority. You must complete all fields to create a valid CA certificate. The certificate request is generated after you respond to the last question.

    • PEM Passphrase

    • Encryption Bits

      The largest recommended size is 1024 bits. Encryption strength is often described in terms of the size of the keys used to perform the encryption; in general, longer keys provide stronger encryption. Key length is measured in bits. Private key sizes larger than 1024 bits are incompatible with some versions of Netscape Navigator and Microsoft Internet Explorer.

    • Default Days

      The default number of days until expiration for certificates issued by the CA. A large number, such as 1825 (5 years) is usually appropriate so that certificates signed with this key do not expire too soon.

    • Certificate Key File

      Use OpenVMS syntax (defaults to SSL$KEY:SERVER_CA.KEY).

    • CA Certificate File

      Use OpenVMS syntax (defaults to SSL$CRT:SERVER_CA.CRT).

    • Country Name

      A certificate authority can define a policy that specifies which distinguished names are optional and which are required. The distinguished name is defined in the config file (.cnf), and is usually made up of more than one field. The number and makeup of the fields are defined by the certificate authority, and are found in the config file under the [req_distinguished_name] field. A certificate authority can also place requirements on the field contents, as can users of certificates. As an example, a Netscape browser requires that the common name for a certificate representing a server has a name that matches a wildcard pattern for the domain name of that server, such as *.xyz.com.

    • State or Province Name

    • City Name

    • Organization Name

    • Organization Unit Name

    • Common Name

      This can be any text string that you want to use to identify the authority. The name can be generic, such as CA Authority, or more specific, such as nodenameCA.

    • Email Address

    • Require Unique Subject Names

      If you accept the default or answer YES, then certificates must have unique subject names. If you answer NO, then certificates can have duplicate subject names, and are distinguished from one another by the serial number that is assigned to them. Answering NO allows you to have two certificates with the same subject name in the database. This makes it easier to issue new certificates when the old certificates are about to expire.

      NOTE: The UNIQUE_SUBJECT variable in the OPENSSL-VMS.CNF configuration file is set to YES or NO, depending on the answer to the Require Unique Subject Names question. After a CA and its database is created, the UNIQUE_SUBJECT variable should not be changed. If at a later time you want to change the setting, you must recreate the entire database.
    • Display the Certificate

  2. View the details of the certificate authority (if you chose to display the certificate).

    • Version (SSL 3.0 protocol)

    • Serial number (Certificates issued by a CA have a serial number that is unique to the certificates issued by that CA.)

    • Signature algorithm

    • Issuer (your distinguished name)

    • Validity (inception and expiration dates)

    • Public key information