11.3.8.2. Procedure – Creating certificates

To create a certificate, complete the following steps.

  1. Select PKI > Edit Certificates from the menu and click Certificates.

  2. Click Generate, and fill the Generate CSR form.

    Creating a certificate

    Figure 11.18. Creating a certificate

    1. Enter a Unique Name that will identify the object containing the certificate and the key in MS. Note, that in case after filling in the Unique Name field, the Enter button is used, the value of the Unique Name field is also added to the Common Name field.

    2. Select the host from the combobox, who will be the owner of the certificate.

    3. If you want the certificate to be available on every site that is managed in MS, select Certificate available on all sites.

    4. Fill the Subject section of the request as appropriate. Into the Country field, enter only a two-letter ID (for example, US). Enter a name for the certificate into the Common name field. Note that in case the fields have been filled in at Site preferences, those values will automatically be offered here.

    5. Select the length of the key (1024, 2048, or 4096 bit).

      Note

      Longer keys are more secure, but the time needed to process key signing and verification operations (required for using encrypted connections) increases exponentially with the length of the key used. By default, 2048 bit is used.

      MC 2 can create only RSA keys, generating DSA keys is not supported.

      Warning

      If the certificates/keys have to be used on machines running older versions of the Windows operating system, using only 1024 bit long keys might be required, since these Windows versions typically do not support longer keys.

    6. Select the method (SHA256 or SHA512) to be used for generating the Signature digest (hash).

    7. By clicking on Extensions ..., the various purposes of the certificate can be specified. For details on X.509v3 extensions, see Appendix B, Further readings.

      Specifying extensions

      Figure 11.19. Specifying extensions

    8. After specifying all the required options, click OK.

  3. Navigate to the PKI management tab, and in the navigation window select the local CA to be used to sign the request (for example, MS_Agent_CA for transfer agents, and so on).

    Signing a certificate

    Figure 11.20. Signing a certificate

  4. Click on Sign. A window will be displayed listing the submitted but not yet signed certificate signing requests (CSRs). Note, that it is possible to use multi-select here. The list displays the distinguished name of the CSRs, this includes the various Subject fields (Country, locality, common name, and so on) specified when generating the request.

    Selecting the certificate to be signed

    Figure 11.21. Selecting the certificate to be signed

  5. Set the validity period (Valid after/Valid before dates) of the certificate. A pop-up calendar is available through the ... button. Alternatively, after setting the Valid after date, the Length field can be used to specify the length of the validity in days, automatically updating the Valid before field.

  6. By clicking on Extensions ..., various X.509 extensions can be specified. These extensions can be used to ensure in filters that only certificates used for their intended purpose are accepted.

    Note

    Note that although similar configration details can be defined when creating a certificate - and also different settings can be defined for each certificate, the settings defined here will overwrite any other configuration settings and only these settings will be applicable.

  7. Enter the password of the CA required for issuing new certificates, and click OK.