“main” (Installation and Administration) — 2004/6/25 — 13:29 — page 627 — #653
26
Security in the Network
After selecting ‘Certificates’, the dialog for administering CA certificates and sub-CAs appears. Revoke compromised or otherwise unwanted sub-CAs here with ‘Revoke’. Revocation on its own is not enough to take a sub-CA out of service: relying parties only learn of it once the revoked sub-CA has been published in a CRL, so create one as well. The creation of CRLs is described in Section 26.1.2 on page 629.
Creating or Revoking User Certificates
To create client and server certificates, first enter a CA, as described in Section 26.1.2 on the facing page. User certificates should only be created in sub-CAs, so that the root CA itself is never exposed to day-to-day signing. After clicking ‘Certificates...’, the dialog for administering certificates appears, shown in Figure 26.3 on the next page. The upper part lists the existing certificates; the data of the currently selected certificate is shown below.
With ‘Add’, create new client and server certificates and add them to the list of certificates. The dialog for entering the data is very similar to the one for creating CAs, and the same principles apply. Some additional remarks concern the e-mail addresses in certificates intended for signing and encrypting e-mail. For signing, the certificate must contain the e-mail address of the sender (the owner of the private key), so that the recipient's mail client can match the signature to the sender's address. For encryption, the certificate must contain the e-mail address of the recipient (the owner of the public key), so that the sender's mail client can select the correct certificate for that address. For server certificates, the host name of the server must be entered in the ‘Common Name’ field. The default validity period for certificates is 365 days.
Note
If certificates for IPsec with Windows XP are to be created, use client certificates: their “KeyUsage” extension contains the values Windows expects.
Note
‘Revoke’ withdraws compromised or otherwise unwanted certificates. Revocation alone does not deactivate a certificate, however: the revoked certificate must also be published in a CRL, because that is the only way relying parties find out about it. Section 26.1.2 on page 629 explains how to create CRLs. Once published in a CRL, revoked certificates can be removed completely with ‘Delete’.
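The whole workflow above, carried out with the openssl command line instead of YaST, as an added example that is not part of the SUSE manual: a root CA signs a sub-CA, the sub-CA issues a server certificate with the host name in the Common Name and an e-mail certificate carrying the owner's address, and the server certificate is then revoked and a CRL generated. The CA names, file names, www.example.com and alice@example.com are assumptions, and the extension profiles are ordinary choices for these certificate types, not values taken from the manual. The two verify functions make the manual's point concrete: a relying party that does not consult the CRL still accepts the revoked certificate, and only a check against the published CRL rejects it.

```shell
#!/bin/sh
# Added example, not from the SUSE manual: the YaST workflow above, done with
# the openssl CLI in a throw-away directory. CA names, file names and the
# host name/address (www.example.com, alice@example.com) are assumptions.
set -e
# Directory layout and configuration that "openssl ca" expects. $1: CA dir.
setup_ca_dir() {
    mkdir -p "$1/newcerts"
    : > "$1/index.txt"          # database of issued and revoked certificates
    echo 1000 > "$1/serial"
    echo 1000 > "$1/crlnumber"
    cat > "$1/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3_root
[ dn ]
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = this_ca
[ this_ca ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = any_dn
[ any_dn ]
commonName = supplied
emailAddress = optional
EOF
}
# Extension profiles (one "name = value" per line), passed to "openssl ca -extfile".
SUB_CA_EXT="basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign"
SERVER_EXT="basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com"
EMAIL_EXT="basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:copy"
# Create a key and CSR, then sign it with the CA in directory $1.
# $2 file base name, $3 subject DN, $4 extension profile, $5 validity in days.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1/openssl.cnf" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" -subj "$3" 2>/dev/null
    printf '%s\n' "$4" > "$WORK/$2.ext"
    openssl ca -batch -notext -config "$1/openssl.cnf" -days "${5:-365}" \
        -extfile "$WORK/$2.ext" -in "$WORK/$2.csr" -out "$WORK/$2.crt" 2>/dev/null
}
# Chain check as a relying party that has no CRL does it; exit 0 = accepted.
verify_without_crl() {
    openssl verify -CAfile "$ROOT/ca.crt" -untrusted "$SUB/ca.crt" "$1" >/dev/null 2>&1
}
# The same check, but with the sub-CA's published CRL consulted.
verify_with_crl() {
    openssl verify -crl_check -CRLfile "$SUB/ca.crl" -CAfile "$ROOT/ca.crt" \
        -untrusted "$SUB/ca.crt" "$1" >/dev/null 2>&1
}
# Subject Alternative Name line of a certificate, for inspection.
san_of() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1
}
run_demo() {
    WORK=$(mktemp -d); ROOT="$WORK/root"; SUB="$WORK/sub"
    setup_ca_dir "$ROOT"; setup_ca_dir "$SUB"
    # Root CA, self-signed; it signs nothing but the sub-CA.
    openssl req -x509 -new -newkey rsa:2048 -nodes -config "$ROOT/openssl.cnf" \
        -keyout "$ROOT/ca.key" -out "$ROOT/ca.crt" -subj "/CN=Example Root CA" \
        -days 3650 2>/dev/null
    # Sub-CA; all end-entity certificates are issued from here.
    issue_cert "$ROOT" sub "/CN=Example Sub CA" "$SUB_CA_EXT" 1825
    cp "$WORK/sub.crt" "$SUB/ca.crt"; cp "$WORK/sub.key" "$SUB/ca.key"
    # Server certificate: host name in the Common Name (and as a DNS SAN).
    issue_cert "$SUB" www "/CN=www.example.com" "$SERVER_EXT"
    # E-mail certificate: owner's address in the subject, copied into the SAN.
    issue_cert "$SUB" alice "/CN=Alice Example/emailAddress=alice@example.com" "$EMAIL_EXT"
    # Revoke the server certificate, then publish the CRL: two separate steps.
    openssl ca -config "$SUB/openssl.cnf" -revoke "$WORK/www.crt" 2>/dev/null
    openssl ca -config "$SUB/openssl.cnf" -gencrl -out "$SUB/ca.crl" 2>/dev/null
}
run_demo
verify_without_crl "$WORK/www.crt" && echo "revoked, CRL not consulted: accepted"
verify_with_crl "$WORK/www.crt" || echo "revoked, CRL consulted:     rejected"
rm -rf "$WORK"
```

Run it as a script; it needs the openssl binary and creates everything under a mktemp directory that it deletes at the end. The two commands in run_demo that correspond to YaST's ‘Revoke’ and to CRL creation are openssl ca -revoke and openssl ca -gencrl; without the second, or without the checker actually loading the CRL (-crl_check), the revocation has no effect outside the CA's own index.txt.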
SUSE LINUX Enterprise Server