11.3.8.2. Procedure – Creating certificates

To create a certificate, complete the following steps.

  1. From the menu, select PKI > Edit Certificates and click Certificates.

  2. Click Generate, and fill the Generate CSR form.

    Figure 11.16. Creating a certificate

    1. Enter a Unique name that will identify the object containing the certificate and the key in MS.

    2. Select the host that will be the owner of the certificate from the combobox.

    3. If you want the certificate to be available on every site that is managed in MS, select Certificate available on all sites.

    4. Fill in the Subject section of the request as appropriate. In the Country field, enter only the two-letter country code (for example, US). In the Common name field, enter the name the certificate is issued for (for a server certificate, this is normally the host name that clients connect to).

    5. Select the length of the key (1024, 2048, or 4096 bit).

      Note

      Longer keys are more secure, but the time needed for the signing and verification operations (required for using encrypted connections) grows quickly with key length: for RSA, private-key operations scale roughly with the cube of the key length, so signing with a 4096-bit key is about eight times slower than with a 2048-bit key. By default, 2048 bit is used.

      MC 1.0 can create only RSA keys; generating DSA keys is not supported.

      Warning

      If the certificates/keys have to be used on machines running older versions of the Windows operating system, using only 1024 bit long keys might be required, since these Windows versions typically do not support longer keys. Note, however, that 1024-bit RSA keys are no longer considered secure and current TLS implementations may reject them; use them only where such legacy compatibility is unavoidable.

    6. Select the method (SHA256 or SHA512) to be used for generating the Signature digest (hash).

    7. By clicking on Extensions ..., the various purposes of the certificate can be specified. For details on X.509v3 extensions, see Appendix C, Further readings.

      Figure 11.17. Specifying extensions

    8. After specifying all the required options, click OK.

  3. Navigate to the PKI management tab, and in the navigation window select the local CA to be used to sign the request (for example, MS_Agent_CA for transfer agents, and so on).

    Figure 11.18. Signing a certificate

  4. Click Sign. A window is displayed listing the submitted but not yet signed CSRs. The list shows the distinguished name of each CSR, which consists of the Subject fields (Country, Locality, Common name, and so on) specified when the request was generated.

    Figure 11.19. Selecting the certificate to be signed

  5. Set the validity period (Valid after/Valid before dates) of the certificate. A pop-up calendar is available through the ... button. Alternatively, after setting the Valid after date, the Length field can be used to specify the length of the validity in days, automatically updating the Valid before field.

  6. By clicking on Extensions ..., various X.509v3 extensions (for example, Key Usage and Extended Key Usage) can be added to the issued certificate. Set them to match the role the certificate is actually meant for: filters that check these extensions can then accept only certificates presented for their intended purpose, and reject, for example, a client certificate that is offered as a server certificate.

  7. Enter the CA password, which is required for issuing new certificates, and click OK.
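The same workflow (generate an RSA key and CSR with a chosen length and digest, list the pending request's distinguished name, sign it with a local CA for a given number of days with purpose extensions, and then check that the result is accepted only for that purpose) can be reproduced with the openssl command line. The script below is an added example and is not code from the manual or from the MS/MC product. The CA it creates is a locally generated, self-signed stand-in named after the MS_Agent_CA mentioned above; the subject fields, the agent1.example.com host name, the 365-day validity and the working directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the manual: the certificate workflow above done
# with the openssl CLI.  The CA is a self-signed stand-in named after the
# manual's MS_Agent_CA; subject fields and file names are assumptions.
set -eu

# All generated files go here (override with WORKDIR=... in the environment).
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Step 2: generate a key and a CSR.  Key length and signature digest mirror
# the GUI choices (default 2048-bit RSA, SHA-256).  -nodes leaves the key
# unencrypted so that a daemon can load it without a passphrase.
make_csr() {
    name="$1"; subj="$2"; bits="${3:-2048}"; digest="${4:-sha256}"
    openssl req -new -newkey "rsa:$bits" -nodes "-$digest" \
        -subj "$subj" \
        -keyout "$WORKDIR/$name.key" -out "$WORKDIR/$name.csr" 2>/dev/null
    echo "$WORKDIR/$name.csr"
}

# Key length recorded in a CSR (prints e.g. 2048), for checking step 5.
csr_key_bits() {
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# Step 4: the distinguished name of a submitted CSR, as the Sign window lists it.
csr_subject() {
    openssl req -in "$1" -noout -subject
}

# Step 3: a local signing CA (assumption: self-signed, 10 years).  The
# basicConstraints and keyUsage extensions are what make it acceptable as an
# issuer to "openssl verify".
make_ca() {
    openssl genrsa -out "$WORKDIR/ca.key" 2048 2>/dev/null
    openssl req -new -key "$WORKDIR/ca.key" -sha256 \
        -subj "/C=US/O=Example/CN=MS_Agent_CA" -out "$WORKDIR/ca.csr" 2>/dev/null
    cat > "$WORKDIR/ca.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
    openssl x509 -req -in "$WORKDIR/ca.csr" -signkey "$WORKDIR/ca.key" -sha256 \
        -days 3650 -extfile "$WORKDIR/ca.ext" -out "$WORKDIR/ca.crt" 2>/dev/null
}

# Steps 5-7: sign a CSR with the CA.  -days is the GUI's Length field
# (Valid after is "now" with openssl x509 -req); the extension file stands in
# for the Extensions... dialog.  purpose is serverAuth or clientAuth.
sign_csr() {
    csr="$1"; days="$2"; purpose="$3"
    out="${csr%.csr}.crt"
    cat > "$WORKDIR/leaf.ext" <<EOF
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=$purpose
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF
    openssl x509 -req -in "$csr" -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" \
        -CAcreateserial -sha256 -days "$days" -extfile "$WORKDIR/leaf.ext" \
        -out "$out" 2>/dev/null
    echo "$out"
}

# The check behind the remark in step 6: accept a certificate only if it
# chains to the CA AND its extensions allow the purpose it is used for
# (purpose is sslserver or sslclient).  Returns 0 when accepted.
check_cert() {
    openssl verify -CAfile "$WORKDIR/ca.crt" -purpose "$2" "$1" >/dev/null 2>&1
}

# Stand-alone run: CA, one agent CSR, signed for 365 days as a server cert.
make_ca
CSR=$(make_csr agent1 "/C=US/O=Example/CN=agent1.example.com")
csr_subject "$CSR"
CRT=$(sign_csr "$CSR" 365 serverAuth)
check_cert "$CRT" sslserver && echo "accepted as a server certificate"
check_cert "$CRT" sslclient || echo "rejected as a client certificate (wrong purpose)"
```

Running the script prints the CSR's subject line and then the two verdicts: the certificate passes as a server certificate and is refused as a client certificate, because its Extended Key Usage names only serverAuth. That is the behaviour a filter relying on extensions depends on, so the extensions chosen in step 6 should be no wider than the certificate's real role.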