11.2.3.1. Procedure – Creating a certificate

  1. Generate a private-public keypair.

    Tip

    The secure storage of private keys has to be solved.

  2. Prepare a certificate signing request (CSR). For filling the request form, the information contained in the distinguished name has to be provided (for example, common name, organization, and so on).

  3. The CSR is bundled together with the public key of the generated keypair.

  4. The organization selects a CA to sign the certificate request. The CSR has to be submitted to a special department of the CA, called Registration Authority (RA).

  5. The RA verifies the identity of the requestor.

    Note

    Submission of the CSR to the RA and the identity verification involves physically visiting the RA with all the papers it requires for verifying the identity of the organization and its representative (for example, documents of incorporation, ID cards, and so on).

  6. If the RA confirms the identity of the requestor, the CA signs the request using its private key, and issues the certificate.

    Tip

    If the certificate is to be used only internally (as in the case of Zorp components), an own CA with a self-signed certificate can be set up to sign the certificates.

  7. The requestor can now import and use the certificate on his machines.

  8. If a certificate loses its validity or becomes obsolete, it should not be accepted anymore and is to be revoked or refreshed.