Jump to contentJump to page navigation: previous page [access key p]/next page [access key n]
ContentsContents
Security and Hardening Guide
  1. Preface
  2. 1 Security and confidentiality
  3. I Authentication
    1. 2 Authentication with PAM
    2. 3 Using NIS
    3. 4 Setting up authentication clients using YaST
    4. 5 LDAP with 389 Directory Server
    5. 6 Network authentication with Kerberos
    6. 7 Active Directory support
    7. 8 Setting up a freeRADIUS server
  4. II Local security
    1. 9 Physical security
    2. 10 Software management
    3. 11 File management
    4. 12 Encrypting partitions and files
    5. 13 Storage encryption for hosted applications with cryptctl
    6. 14 User management
    7. 15 Restricting cron and at
    8. 16 Spectre/Meltdown checker
    9. 17 Configuring security settings with YaST
    10. 18 The Polkit authentication framework
    11. 19 Access control lists in Linux
    12. 20 Intrusion detection with AIDE
  5. III Network security
    1. 21 X Window System and X authentication
    2. 22 Securing network operations with OpenSSH
    3. 23 Masquerading and firewalls
    4. 24 Configuring a VPN server
    5. 25 Managing a PKI with XCA, X certificate and key manager
    6. 26 Improving network security with sysctl variables
  6. IV Confining privileges with AppArmor
    1. 27 Introducing AppArmor
    2. 28 Getting started
    3. 29 Immunizing programs
    4. 30 Profile components and syntax
    5. 31 AppArmor profile repositories
    6. 32 Building and managing profiles with YaST
    7. 33 Building profiles from the command line
    8. 34 Profiling your Web applications using ChangeHat
    9. 35 Confining users with pam_apparmor
    10. 36 Managing profiled applications
    11. 37 Support
    12. 38 AppArmor glossary
  7. V SELinux
    1. 39 Configuring SELinux
  8. VI The Linux Audit Framework
    1. 40 Understanding Linux audit
    2. 41 Setting up the Linux audit framework
    3. 42 Introducing an audit rule set
    4. 43 Useful resources
  9. A GNU licenses
Navigation
Applies to openSUSE Leap 15.6

25 Managing a PKI with XCA, X certificate and key manager Edit source

Abstract

Managing your own public key infrastructure (PKI) is traditionally done with the openssl utility. For admins who prefer a graphical tool, openSUSE Leap 15.6 includes XCA, the X Certificate and Key management tool (https://hohnstaedt.de/xca).

XCA creates and manages X.509 certificates, certificate requests, RSA, DSA and EC private keys, Smartcards and certificate revocation lists (CRLs). XCA supports everything you need to create and manage your own certificate authority (CA). XCA includes customizable templates that can be used for certificate or request generation. This chapter describes a basic setup.

25.1 Installing XCA Edit source

XCA is provided by the xca package:

> sudo zypper in xca

25.2 Creating a new PKI Edit source

XCA stores all cryptographic data in a database. When you are using XCA for the first time, and creating a new PKI, you must first create a new database by clicking File > New DataBase (Figure 25.1, “Create a new XCA database”).

Create a new XCA database
Figure 25.1: Create a new XCA database

25.2.1 Creating a new root CA Edit source

The following steps describe how to create a new root CA.

  1. Click the Certificates tab.

  2. Click the New Certificate button.

  3. Click the Source tab. At the bottom of the window, under Template for the new certificate, select the [default] CA template, then click Apply all.

  4. Click the Subject tab. Create an Internal Name, which identifies your new root CA internally, in XCA only.

    Complete the fields in the Distinguished Name section. Use the Add button to add any additional elements, if you require any.

  5. In the Private key drop-down, select your preferred private key if you have one, or generate a new key.

  6. Click the Extensions tab. Edit any attributes as necessary. The default Time Range is 10 years. The certificate revocation list distribution point is part of the issued certificates, and it is a good practice to use a common URL for all your certificates, for example, http://www.example.com/crl/crl.der. When you are finished click the OK button.

25.2.2 Creating a signed host certificate Edit source

The next step is to create a host certificate signed by your new certificate authority.

  1. Click the Certificates tab, then click the New Certificate button.

  2. On the Source tab, select the [default] TLS_server and click the Apply all button. This enters the appropriate values in the Extensions, Key usage, and Netscape tabs. In the Signing section, select the certificate that you created in Section 25.2.1, “Creating a new root CA”.

  3. Click the Subject tab. Create an internal name, which is for display purposes in XCA. A good practice is to use the host name, or the fully qualified domain name. Then fill in the fields in the Distinguished Name section. For host certificates, the common name must be the FQDN that your users use. This can be the canonical name of the host, or an alias. For example, if jupiter.example.com is your web server and it has a DNS CNAME entry of www.example.com, then you want the commonName value in the certificate to be www.example.com. To add any additional parts to the distinguished name, use the drop-down box and Add button. Select the desired private key or generate a new one.

  4. Click the Extensions tab. The default Time range is one year. If you change this, click the Apply button.

  5. It is a good practice to designate a certificate revocation list location. The location must be unique for this root certificate. XCA exports CRLs in either PEM or DER format with appropriate suffixes, so this should be considered when selecting the URL, for example something like http://www.example.com/crl/crl.der. On the CRL Distribution points line click the Edit button. Type in your URI, then click Add. Click Validate and Apply.

    Click the OK button.

25.2.3 Revoking a Certificate Edit source

  1. Click the Certificates tab.

  2. Right-click the certificate that you want to revoke, then click Revoke.

  3. Right-click the CA certificate that signed the certificate you want to revoke. Click CA > Generate CRL.

    Click the OK button in the Create CRL dialog.

  4. Click the Revocation lists tab in the main window. Right-click the CRL you just generated and select Export. Select the desired format (DER) and click OK.

    Copy the exported CRL to the location published in the issued certificate's CRL Distribution Points.

Print this page