15.1 Creating a Locally Signed Certificate

By default, the Access Manager installation process creates the local CA that can issue and sign certificates and installs a certificate server that generates certificates, keys, and CSRs (certificate signing requests) and imports certificates and keys.

  1. Click Security > Certificates > New.

  2. Select Use local certificate authority.

    This option creates a certificate signed by the local CA (or Organizational CA), and creates the private key. For information about creating a CSR, see Generating a Certificate Signing Request.

  3. Specify a unique, system-wide name for the certificate that you can easily associate with the certificate’s purpose. The name must contain only alphanumeric characters and no spaces.

  4. For Subject, click Edit to display a dialog box that lets you add the appropriate attributes for the subject name.

    The subject is an X.500 formatted distinguished name that identifies the entity that is bound to the public key in an X.509 certificate. Choose the subject name that the browser expects to find in the certificate. The name you enter must be fully distinguished. Completing all the fields creates a fully distinguished name that includes the appropriate attribute types (such as C for country, ST for state or province, L for locality, O for organization, OU for organizational unit, and CN for common name). For example, cn=AcmeWebServer.ou=Sales.o=Acme.c=US.

    Common name: If you are creating a certificate for an Identity Server, specify the DNS name of Identity Server. If you are creating a certificate for an Access Gateway, specify the published DNS name of the proxy service. Specifying values for the other attributes is optional.

    For more information about the other attributes, see Editing the Subject Name.

  5. Click OK and specify the following details:

    Signature algorithm: The algorithm you want to use (SHA-256 or SHA-512).

    Valid from: The date from which the certificate is valid. For externally signed certificates, the external certificate authority sets the validity period.

    Months valid: The number of months that the certificate is valid.

    Key size: The size of the RSA key. Select 512, 1024, 2048, or 4096. Choose 2048 or 4096: 512-bit and 1024-bit RSA keys are considered insecure, and current browsers and TLS libraries reject certificates with keys that short.

  6. (Optional) To configure advanced options, click Advanced Options.

  7. Configure the following options as necessary for your organization:

    Critical: Marks the key usage extension as critical, so that an application that does not understand the extension must reject the certificate, and an application that does understand it must enforce the selected usages.

    Encrypt other keys (keyEncipherment): Specifies that the public key is used to encrypt keys, for example the pre-master secret in an RSA key exchange.

    Encrypt data directly (dataEncipherment): Specifies that the public key is used to encrypt data for private transmission to the key pair owner. Only the holder of the private key can read the data.

    Create digital signatures (digitalSignature): Specifies that the key is used to create digital signatures.

    Non-repudiation (nonRepudiation, also called contentCommitment): Links a digital signature to the signer and the data. Because only the signer holds the private key, nobody else can produce the signature, and the signer cannot later deny having signed the data.

    A TLS server certificate for an Identity Server or an Access Gateway normally needs Create digital signatures and Encrypt other keys: RSA key exchange uses key encipherment, and ECDHE cipher suites use the digital signature.

  8. (Conditional) If you are creating a key for a certificate authority, configure the following options:

    This key is for a Certificate Authority: Specifies that this certificate is for the local configuration (eDirectory) certificate authority.

    If you create a new CA to replace an existing one, every certificate signed by the old CA no longer chains to a trusted CA and must be reissued. You might also need to add the new CA to all the trust stores that contained the old CA.

    Critical: Marks the basic constraints extension as critical, so that applications must enforce the path length restriction you specify. Select one of the following:

    • Unlimited: Specifies no path length constraint. There is no limit on the number of subordinate CA certificates that can appear below this CA in a certificate chain.

    • Do not allow intermediate signing certificates in certificate chain: Sets a path length of 0. The CA can issue server or user certificates, but no subordinate CA it signs can issue certificates that validate.

    • Number of allowable intermediate signing certificates in signing chain: Specifies how many subordinate CA certificates are allowed between this CA and an end-entity certificate in the chain. Values must be 1 or more. Entering 0 has the same effect as the previous option: the CA can issue only end-entity certificates.

  9. (Optional) To create subject alternative names used by the certificate, click Edit Subject Alternate Names, then click New.

    Alternate names are additional identities of the entity identified by the certificate. The certificate can identify the subject CN=www.OU=novell.O=com, but the subject can also be known by an IP address, such as 222.111.100.101, or a DNS name, such as www.novell.com, for example. Modern browsers and TLS libraries match the server’s host name against the subject alternative name extension rather than the common name, so always add the DNS name you entered as the common name in Step 4 as a DNS alternate name here. For more information, see Section 15.3, Assigning Alternate Subject Names.

  10. Click OK.

  11. (Conditional) If you assigned alternate names, determine how you want applications to handle the alternate names. Select Critical if you want an application that does not understand the alternate name extensions to reject the certificate.

  12. Click OK.
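The following script is an added example and is not part of Access Manager or this guide. It reproduces the wizard's decisions with the OpenSSL command line so that you can see what each step writes into the certificate and check the result before importing it: a local CA with the "Do not allow intermediate signing certificates" basic constraint (Step 8), a server certificate with the subject DN of Step 4, the SHA-256 signature, 2048-bit key and 12-month validity of Step 5, the key usages of Step 7, and the alternate names of Step 9. The organization and host names (Acme, www.acme.example, 192.0.2.10) and the requirement for OpenSSL 1.1.1 or later are assumptions. The last function shows the path length constraint doing its job: a sub-CA signed by the local CA cannot produce a certificate that validates.

```shell
#!/bin/sh
# Added example, not Access Manager's own tooling. Assumes OpenSSL >= 1.1.1.
# Names (Acme, www.acme.example, 192.0.2.10) are constructed for illustration.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Step 8: local CA whose basic constraints forbid intermediate signing CAs
# (pathlen:0). Marked critical so validators must enforce it.
write_ca_config() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
C = US
O = Acme
CN = Acme Local CA
[ca_ext]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Steps 4, 7, 9: subject DN, key usages for a TLS server, alternate names.
# Prefix subjectAltName with "critical," to mirror checking the box in Step 11.
write_server_config() {
  cat > "$WORK/server.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
req_extensions = server_ext
[dn]
C = US
O = Acme
OU = Sales
CN = www.acme.example
[server_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.acme.example, IP:192.0.2.10
subjectKeyIdentifier = hash
EOF
}

# Step 5: SHA-256 signature, 2048-bit RSA key, 12 months (365 days) validity.
make_certs() {
  write_ca_config
  write_server_config
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/server.cnf" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/server.cnf" -extensions server_ext -out "$WORK/server.crt" 2>/dev/null
}

# Checks to run before importing: the chain validates against the local CA ...
verify_chain() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1
}

# ... the key is not one of the weak sizes the wizard still offers ...
key_bits() {
  openssl x509 -in "$WORK/server.crt" -noout -text \
    | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# ... and the DNS name from the CN is present as an alternate name.
san_has() {
  openssl x509 -in "$WORK/server.crt" -noout -text | grep -q "$1"
}

# Step 8 in action: sign a sub-CA with the local CA, sign a leaf with the
# sub-CA, and confirm that the leaf fails validation because pathlen:0 allows
# no intermediate signing certificate in the chain.
sub_ca_is_rejected() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/ca.cnf" \
    -subj "/C=US/O=Acme/CN=Acme Sub CA" -keyout "$WORK/sub.key" -out "$WORK/sub.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in "$WORK/sub.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/ca.cnf" -extensions ca_ext \
    -out "$WORK/sub.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/server.cnf" \
    -subj "/C=US/O=Acme/CN=leaf.acme.example" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in "$WORK/leaf.csr" -CA "$WORK/sub.crt" \
    -CAkey "$WORK/sub.key" -CAcreateserial -extfile "$WORK/server.cnf" -extensions server_ext \
    -out "$WORK/leaf.crt" 2>/dev/null
  ! openssl verify -CAfile "$WORK/ca.crt" -untrusted "$WORK/sub.crt" "$WORK/leaf.crt" >/dev/null 2>&1
}

make_certs
verify_chain && echo "server certificate chains to the local CA"
echo "key size: $(key_bits) bits"
san_has "DNS:www.acme.example" && echo "CN is also present as a DNS alternate name"
sub_ca_is_rejected && echo "leaf signed via a sub-CA is rejected (pathlen:0)"
```

The wizard takes the validity in months while OpenSSL takes days, so the 365 days here stand for the 12 months you would type in Step 5. If the "Critical" box of Step 11 is meant, add `critical,` in front of the `subjectAltName` value; the server certificate then carries the same flag the wizard sets.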