Mirror of the Rel4tion website/wiki source, view at <http://rel4tion.org>
Creating_a_Certificate.mdwn
Now it’s time to create a certificate for a web service you run. The examples below assume it’s a website certificate, but it could be for anything else, such as a mail server or a Jabber server. The process involves two steps: first, the service operator generates a request and sends it to the CA. Then the CA signs the request, “approving” the service as trusted as long as it holds the private key of the new certificate.
In TinyCA, select the Requests tab. Right-click inside the window and select “New request”. A request creation dialog will open:
[[!img 4.1-create-request-empty.png class="center"]]
- Common Name: Must be the name users use to access your server, e.g. it would be www.gnu.org for the GNU website.
- E-mail Address: Address of the person/organization who will be running the service in which the certificate will be used. If you are your own CA this may be the same address as the CA’s. Otherwise, e.g. if a community member operates a CA for the community and you want to send them a request, they may be different.
- Password: Long, hard to guess, not the same password you used for the CA.
- Country, Organization, etc.: the defaults are copied from the CA. If they aren’t the right values for you, change them.
- KeyLength, Digest, Algorithm: Leave the default values. You can see them in the screenshot below.
Here’s an example:
[[!img 4.2-create-request-filled.png class="center"]]
The new request will be listed in the Requests tab. As the CA, you are going to sign it. Right-click on the request and select “Sign request”.
[[!img 5.1-sign-request-menu.png class="center"]]
You will need to choose between a server and a client request. In this case, select server (I guess the client option is for client certificates). You should now see a small dialog.
- CA password: The password you entered for the CA :-)
- Valid for: I’m not an expert, but my personal impression is that when looking at certificates’ expiration dates, they seem to have roughly 1-3 years left. So the default 1-year time sounds reasonable. Again, I’m not an expert - if you want to understand the security concerns of expiration dates, you are welcome to go read about it. You’re also welcome to share your knowledge here and replace this “I’m not an expert” paragraph ;-)
Example:
[[!img 5.2-sign-request-filled.png class="center"]]
Click OK. The certificate will be signed and upon success you’ll see something like this:
[[!img 5.3-sign-request-done.png class="center"]]
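
The same two steps done with the `openssl` command line, followed by the checks worth running on any freshly signed certificate. This is an added example, not part of the original wiki page; it goes beyond the TinyCA dialogs by verifying the result. The function names `issue_cert` and `check_cert`, the throwaway demo CA and the host name `www.example.org` are assumptions made for illustration.

```shell
#!/bin/sh
# issue_cert DIR CN: the two steps from the text, done with the openssl CLI.
issue_cert() {
    dir=$1 cn=$2
    # Throwaway CA (constructed), standing in for the CA made earlier in TinyCA.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Demo CA (constructed)" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    # Step 1, service operator: private key plus certificate request.
    # -nodes leaves the key unencrypted so the demo runs unattended;
    # TinyCA protects it with the request password instead.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
    # Step 2, CA: sign the request as a server certificate valid for 365 days.
    # The subjectAltName entry is an addition: current browsers match the
    # host name against it and ignore the Common Name.
    printf '%s\n' 'basicConstraints=CA:FALSE' 'extendedKeyUsage=serverAuth' \
        "subjectAltName=DNS:$cn" > "$dir/ext.cnf"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -sha256 -days 365 \
        -extfile "$dir/ext.cnf" -out "$dir/server.crt" 2>/dev/null
}

# check_cert DIR HOST: returns 0 only if every check passes.
check_cert() {
    dir=$1 host=$2
    # Chains to the CA, is usable as a TLS server, and names HOST.
    openssl verify -CAfile "$dir/ca.crt" -purpose sslserver \
        -verify_hostname "$host" "$dir/server.crt" >/dev/null 2>&1 || return 1
    # The certificate's public key belongs to the operator's private key.
    cert_pub=$(openssl x509 -in "$dir/server.crt" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$dir/server.key" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ] || return 1
    # Still valid 300 days from now (a 365-day certificate should be).
    openssl x509 -in "$dir/server.crt" -noout -checkend $((300 * 86400)) >/dev/null
}

# Demo run in a temporary directory that is removed afterwards.
demo=$(mktemp -d)
issue_cert "$demo" www.example.org && check_cert "$demo" www.example.org \
    && echo "certificate OK"
rm -rf "$demo"
```

`check_cert` works just as well on a certificate exported from TinyCA, given the CA certificate, the server certificate and the server key under the file names used here.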