“main” (Installation and Administration) 2004/6/25 13:29 page 624 #650
Proprietary PKI
YaST contains modules for the elementary management of X.509 certificates. This mainly covers creating CAs and sub-CAs and issuing their certificates. Note that the services of a PKI go far beyond simply creating and distributing certificates and CRLs. Operating a PKI is a service that also requires a well-conceived administrative infrastructure: certificates and CRLs must be renewed and reissued continuously, which calls for elaborate management that commercial PKI products provide and can partly automate. The YaST functionality for creating and distributing CAs and certificates cannot provide this infrastructure at present. In general, the PKI products currently available as open source still lag behind the commercial versions. To set up a "small" PKI, you can use the YaST modules described below. To set up an "official" PKI, let alone a commercial one, you should use commercial products.
26.1.2 YaST Modules for CA Management
YaST provides two modules for elementary CA management. Their functionality is explained below along the key activities involved in administering a CA.
Creating a Root CA
The first step when setting up a PKI is to create a root CA. This is done under ‘Security and Users’, ‘CA Management’ in the YaST control center. After the module has started, you first see a list of all existing CAs. ‘Create Root CA’ opens the first of three dialogs for entering the CA data.
Enter the basic data for the CA in the first dialog, shown in Figure 26.1 on the facing page. For ‘Common Name’, enter the name by which the CA is referred to; this becomes the CN in the CA certificate's subject. ‘CA Name’ is the technical name of the CA. Directory names, among other things, are derived from it, which is why only the characters listed in the help can be used. The technical name is also shown in the overview when the module is started. Several e-mail addresses can be entered that are visible to users of the CA; this helps with inquiries. Under ‘Country’, select the country in which the CA is operated.
After clicking ‘Next’, enter a password in the second dialog. This password protects the CA's private key and is required whenever the CA is used, that is, when creating a sub-CA or generating certificates. Choose a strong password and restrict who knows it: anyone who has it can issue certificates that everything trusting this CA will accept. ‘Key Length’ already contains a meaningful default and does not generally need to be changed unless an application cannot handle this key length. The ‘validity period’ of a CA is 3650 days
624 26.1. X.509 Certification with YaST
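The three YaST dialogs described above collect exactly the inputs a self-signed root CA needs. As an added example that is not part of the manual and not YaST's own code, the following POSIX shell script builds the same thing with the openssl command-line tool: a private key encrypted with the CA password, and a self-signed certificate carrying the Common Name, e-mail address and country from the first dialog, marked as a CA certificate and valid for the 3650 days mentioned for the validity period. The directory layout under CA_ROOT, the function names, the 4096-bit key length and the sample values in the demo are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the SUSE manual, not YaST code): create a root CA
# with openssl from the same inputs the YaST dialogs ask for.
# Assumptions: CAs live under $CA_ROOT (default ./YaST-CA), one directory per
# technical CA name; 4096-bit RSA; key encrypted with AES-256 and the CA password.
set -eu

create_root_ca() {
  # $1 technical CA name (directory name, like YaST's 'CA Name')
  # $2 Common Name   $3 e-mail address   $4 two-letter country code
  # $5 CA password   $6 validity in days (3650 for a CA in the text)
  ca_name=$1; cn=$2; email=$3; country=$4; passwd=$5; days=$6
  dir="${CA_ROOT:-./YaST-CA}/$ca_name"
  mkdir -p "$dir"
  chmod 700 "$dir"              # nobody but the CA administrator reads here

  # Private key, encrypted with the CA password. This is the password YaST asks
  # for in the second dialog and needs again for every signing operation.
  openssl genrsa -aes256 -passout "pass:$passwd" -out "$dir/cacert.key" 4096 2>/dev/null
  chmod 600 "$dir/cacert.key"

  # Subject from the first dialog plus the X.509v3 extensions that make this a
  # CA certificate (allowed to sign certificates and CRLs) and nothing else.
  cat > "$dir/openssl.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = ca_ext

[ dn ]
C            = $country
CN           = $cn
emailAddress = $email

[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

  # Self-signed certificate: -x509 signs the request with the CA key itself.
  openssl req -new -x509 -sha256 -days "$days" \
      -config "$dir/openssl.cnf" \
      -key "$dir/cacert.key" -passin "pass:$passwd" \
      -out "$dir/cacert.pem"
  printf '%s\n' "$dir/cacert.pem"
}

# --- checks worth running on any CA certificate before trusting it ---------

ca_subject() {                 # print the subject DN
  openssl x509 -in "$1" -noout -subject
}

ca_is_ca_cert() {              # true if basicConstraints says CA:TRUE
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

ca_key_is_encrypted() {        # true if the PEM key file is password-protected
  grep -q 'ENCRYPTED' "$1"
}

ca_valid_for_days() {          # true if the certificate is still valid in $2 days
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Stand-alone demo with constructed sample values: CA_DEMO=1 sh create_root_ca.sh
if [ "${CA_DEMO:-0}" = 1 ]; then
  cert=$(create_root_ca example-root "Example Root CA" ca@example.com DE 'S3cret!' 3650)
  ca_subject "$cert"
  ca_is_ca_cert "$cert" && echo "CA certificate OK: $cert"
fi
```

Run it with CA_DEMO=1 to create a sample CA under ./YaST-CA. The check functions are independent of how the CA was created: use them on a CA certificate you are handed to confirm that it really carries basicConstraints CA:TRUE and has the expected subject and lifetime before importing it into a trust store.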