A certificate is a so-called digital ID card. The correctness of a certificate is guaranteed by a certificate from a higher level of the hierarchy; such a certificate is called a CA certificate.
Certificate Information
serial number of the certificate
a subject (name)
the public key corresponding to the private key of the certificate owner
the name of the issuer
the version of the certificate
the cryptographic algorithms used to create the certificate
the validity period
some extensions
the digital signature of the certificate
There are two types of requests: CSRs and CRRs. CSRs are used to ask a trustcenter for a certificate. CRRs are used to ask a trustcenter to revoke a certificate if it is compromised. There are two important standards for CSRs, PKCS#10 and SPKAC. OpenCA can handle both standards automatically.
CSR Information
a subject (name)
the version of the request
the public key corresponding to the private key of the certificate owner
some attributes
It is fairly well known that there are two versions of xenroll.dll used by different versions of IE to create certificate requests, manage CSPs and so on. Since version 0.9.1, OpenCA has handled them via the ieCSR.vbs scripts.
We have noticed that if a user has Windows 2000 with IE6 SP1, the installed version of xenroll.dll does not work: users see no CSPs with which to manage their certificates. Windows 2000 needs the Microsoft patch (323172), or it needs to go up to SP3. You can host a copy of the latest xenroll.dll on your web site under a CertControl directory, and it will be downloaded and installed automatically.
As far as we can tell, the latest xenroll.dll is a different file but shares the same identifiers as the pre-patch version. We have noticed that ieCSR.vbs (as of 0.9.1) is written in such a way as not to expect a non-working version of xenroll.dll, so there is a bit of a gap.
Initialize the SubCA (initialize the database, generate the secret key, generate the request)
Export the request
Untar the export to get careq.pem. The following steps are only correct if you use OpenCA for your Root CA as well.
Point your browser to the Root CA public interface -> Request a certificate -> Server request -> browse for careq.pem and submit the request
Point to the Root CA RA interface and approve the request, then upload it to the Root CA CA; point to the CA interface and issue the certificate
Download the certificate for the SubCA via the RA or public interface of the Root CA
Rename the file to cacert.pem and manually create a new tar
Point your browser to the SubCA CA interface and import the CA certificate approved by the Root CA
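The same SubCA issuance carried out in memory with Go's standard crypto/x509 package, as an added example that is not OpenCA code: the sub CA produces a PKCS#10 request (the careq.pem of the procedure), the root CA verifies it and issues a CA certificate (cacert.pem), and checkBeforeImport shows what an operator should verify on the downloaded certificate before renaming and importing it. Names, serial numbers and validity periods are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// caTemplate fills the fields listed above (serial, subject, validity, extensions) for a v3 CA certificate.
func caTemplate(serial int64, cn string, years int) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(years, 0, 0),
		IsCA: true, BasicConstraintsValid: true, // CA:TRUE extension
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// issueSubCA runs the procedure above in memory: sub CA builds a PKCS#10 request (careq.pem), root CA signs it (cacert.pem).
func issueSubCA() (root, sub *x509.Certificate, req *x509.CertificateRequest, err error) {
	_, rootKey, _ := ed25519.GenerateKey(rand.Reader) // fails only if the RNG does
	_, subKey, _ := ed25519.GenerateKey(rand.Reader)
	rootTpl := caTemplate(1, "Example Root CA", 10) // constructed names
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTpl, rootTpl, rootKey.Public(), rootKey)
	if err != nil { return }
	root, _ = x509.ParseCertificate(rootDER)
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: "Example Sub CA"}}, subKey)
	if err != nil { return }
	req, _ = x509.ParseCertificateRequest(csrDER)
	if err = req.CheckSignature(); err != nil { return } // proof of possession of the sub CA key
	subTpl := caTemplate(2, req.Subject.CommonName, 5)
	subDER, err := x509.CreateCertificate(rand.Reader, subTpl, root, req.PublicKey, rootKey)
	if err != nil { return }
	sub, _ = x509.ParseCertificate(subDER)
	return
}

// checkBeforeImport: before renaming the download to cacert.pem, confirm it chains to the root, is a CA, and carries the careq.pem key.
func checkBeforeImport(root, sub *x509.Certificate, req *x509.CertificateRequest) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := sub.Verify(x509.VerifyOptions{Roots: roots}); err != nil { return err }
	if !sub.IsCA { return errors.New("cacert.pem is not a CA certificate") }
	if !sub.PublicKey.(ed25519.PublicKey).Equal(req.PublicKey) { return errors.New("public key does not match careq.pem") }
	return nil
}
```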