Generate Self-Signed Certificate window

This window defines the important information required to create a certificate. You use this window to create your own certificates along with a key pair (public and private).
Figure 41.   Default view of the Generate Self-Signed Certificate window

This window opens when you click New at the bottom of the User Key Store tab.

A self-signed certificate provides encryption of data in transit only. Because it is not signed by a CA (Certificate Authority), it cannot prove the server's identity to a client: any party can produce a self-signed certificate bearing the same name. Generating a self-signed certificate should be a temporary measure until a CA-signed certificate is installed and its issuing CA is present in the browser's and station's trust stores. After installing the signed certificate, delete any self-signed certificates.

Each of the following properties is limited to 64 characters. Blank properties are permitted, but you should fill in all of them correctly: leaving them blank may produce errors or cause a third-party CA to reject your certificate. Spaces and periods are allowed. Enter full legal names.

Properties (name, value type and description)

Alias (text, required)
A short name used to distinguish certificates from one another in the Key Store. It may identify the type of certificate (root, intermediate, server), its location or its function. The alias is local to the store: it does not have to match anything when a client compares the server certificate with the CA certificate in its Trust Store.

Common Name (CN) (text, required, alphanumeric; do not use "*" or "?" as part of the name)
The most specific component of the certificate's Distinguished Name (DN). The DN as a whole is made up of the CN, OU, O, L, ST and C values below. The CN should be the fully qualified host name that clients use to reach the station, and it appears as the Subject in the User Key Store. Note that current browsers and TLS libraries match the host name against the Subject Alternative Name extension rather than the CN, so also enter the host name as an Alternate Server Name.

Organizational Unit (OU) (text)
The name of a department within the organization, or a Doing-Business-As (DBA) entry. This entry is frequently "IT", "Web Security" or "Secure Services Department", or left blank.

Organization (O) (text, required)
The legally registered name of your company or organization. Do not abbreviate it.

Locality (L) (text)
The city in which the organization for which you are creating the certificate is located. Required only for organizations registered at the local level. If you use it, do not abbreviate.

State/Province (ST) (text, optional)
The complete name of the state or province in which your organization is located.

Country Code (C) (two-character ISO country code, required)
If you do not know your country's two-character code, check www.countrycode.org.

Not Before (date)
The date before which the certificate is not valid. On a server certificate, this date should not be earlier than the Not Before date of the CA certificate that will sign it.

Not After (date; defaults to one year after the Not Before date)
The expiration date of the certificate. On a server certificate, this date should not be later than the Not After date of the CA certificate that will sign it.

Limiting validity to a year or less forces regular certificate renewal. That makes it more likely that the certificate and its key reflect current cryptographic standards, and it reduces the number of old, neglected certificates whose private keys can be stolen and reused for phishing and drive-by malware attacks. Rotating certificates more frequently is better still.

Key Size (number)
The size of the key pair in bits. Four sizes are allowed: 1024, 2048 (the default), 3072 and 4096. Larger keys take longer to generate but offer greater security. A 1024-bit key is below the 2048-bit minimum that public CAs accept and that current guidance requires; choose 2048 or larger for anything other than a throwaway test.

Certificate Usage (text)
The purpose of the certificate: server, client or CA. Other certificate management utilities may allow other usages.

Alternate Server Name (text)
One or more names, other than the Subject's Common Name, that clients may use to connect to the server. They populate the certificate's Subject Alternative Name (SAN) extension. Like the Common Name, the SAN is used to validate the server certificate, which makes it possible to list both an IP (Internet Protocol) address and an FQDN (Fully Qualified Domain Name).

Email Address (email address)
The contact address for this certificate. It may also be the address to which your signed certificate (.pem file) will be sent.

Key Usage (radio buttons; defaults to Digital signature)
Indicates the business scenario that requires authentication, encryption or digital signing; the public and private keys associated with the certificate may be used to provide these features. For a description of each option, refer to Key Usage options.
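The following Go program is an added worked example, not code from the product or from this guide. It builds a self-signed certificate from the same properties the window collects, using only the Go standard library, so you can see where each field lands in the certificate: the six name fields become the subject DN (blank optional fields are omitted), Alternate Server Name entries become DNS or IP entries in the SAN extension, and Certificate Usage selects a CA or server profile. The validation mirrors the rules stated above (64-character limit, required CN/O/C, no "*" or "?" in the CN, validity of at most a year) with one deliberate tightening: it rejects 1024-bit keys, which the window allows but public CAs do not. The type CertFields, its field names, the function names and the sample values station1.example.com / Example Controls Inc are this example's own assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// CertFields mirrors the properties of the Generate Self-Signed Certificate window.
// The type and its field names are this example's own, not the product's API.
type CertFields struct {
	CommonName, OrgUnit, Org, Locality, State, Country string
	NotBefore, NotAfter                                time.Time
	KeyBits                                            int
	IsCA                                               bool     // Certificate Usage: CA rather than server
	AltNames                                           []string // Alternate Server Name: DNS names or IP literals
	KeyUsage                                           x509.KeyUsage
}

// Validate applies the rules stated in the property table before any key is generated.
func (f CertFields) Validate() error {
	for _, v := range []string{f.CommonName, f.OrgUnit, f.Org, f.Locality, f.State, f.Country} {
		if len(v) > 64 {
			return fmt.Errorf("DN component %q exceeds 64 characters", v)
		}
	}
	switch {
	case f.CommonName == "" || f.Org == "" || len(f.Country) != 2:
		return fmt.Errorf("CN, O and a two-letter C are required")
	case strings.ContainsAny(f.CommonName, "*?"):
		return fmt.Errorf("CN must not contain * or ?")
	case f.KeyBits < 2048: // 1024-bit RSA is below the minimum public CAs accept
		return fmt.Errorf("key size %d is too small; use at least 2048 bits", f.KeyBits)
	case !f.NotAfter.After(f.NotBefore) || f.NotAfter.Sub(f.NotBefore) > 366*24*time.Hour:
		return fmt.Errorf("Not After must be later than Not Before and at most one year after it")
	}
	return nil
}

// one wraps a filled-in property in a slice; blank properties are omitted from the DN.
func one(v string) []string {
	if v == "" {
		return nil
	}
	return []string{v}
}

// GenerateSelfSigned produces the certificate the window would: the subject DN from the
// name fields, the SAN extension from AltNames, and a CA or server profile.
func GenerateSelfSigned(f CertFields) (*x509.Certificate, *rsa.PrivateKey, error) {
	if err := f.Validate(); err != nil {
		return nil, nil, err
	}
	key, err := rsa.GenerateKey(rand.Reader, f.KeyBits)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject: pkix.Name{CommonName: f.CommonName, OrganizationalUnit: one(f.OrgUnit), Organization: []string{f.Org},
			Locality: one(f.Locality), Province: one(f.State), Country: []string{f.Country}},
		NotBefore: f.NotBefore, NotAfter: f.NotAfter,
		KeyUsage: f.KeyUsage, BasicConstraintsValid: true, IsCA: f.IsCA,
	}
	for _, n := range f.AltNames { // an IP address and an FQDN may both be listed
		if ip := net.ParseIP(n); ip != nil {
			tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
		} else {
			tmpl.DNSNames = append(tmpl.DNSNames, n)
		}
	}
	if f.IsCA { // a CA certificate needs the certificate- and CRL-signing usages
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else { // a server certificate is restricted to TLS server authentication
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	// Self-signed: the template is its own parent and the new private key signs it.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// WithinIssuerValidity checks the Not Before / Not After rule from the table: a server
// certificate must not be valid before the signing CA's certificate is, nor after it expires.
func WithinIssuerValidity(cert, ca *x509.Certificate) bool {
	return !cert.NotBefore.Before(ca.NotBefore) && !cert.NotAfter.After(ca.NotAfter)
}
```

GenerateSelfSigned returns the parsed certificate together with its private key; cert.Raw holds the DER that a PEM encoder would wrap for import into the trust stores discussed above. Run WithinIssuerValidity against the CA certificate that will eventually sign the station's certificate before submitting a request, since a CA cannot validly issue a certificate that outlives its own.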

Key Usage options

Select this Key Usage option when...

Digital signature: the key is to be used to sign data so that peers can verify the authenticity of the server. This is the usage a TLS server certificate normally needs.

Non-repudiation: you need to ensure that a transferred message was sent and received by the parties claiming to have sent and received it. This guarantees that the sender cannot later deny having sent the message and that the recipient cannot deny having received it.

Key encipherment: you need a protocol that encrypts keys. S/MIME, for example, encrypts a fast symmetric key under the public key from the certificate. TLS with RSA key exchange (TLS 1.2 and earlier) also performs key encipherment; TLS 1.3 does not, since there the certificate key is used only for digital signatures.

Data encipherment: your application uses the public key to encrypt user data directly, not only cryptographic keys.

Key agreement: the key is to be used in a key-agreement protocol such as Diffie-Hellman, in which the two parties derive a shared secret from each other's public values without ever transmitting the secret itself. The derived key then protects the messages between them.

Certificate signing: the subject public key is used to verify signatures on certificates. Only CA certificates may use this option.

CRL signing: the subject public key is used to verify signatures on revocation information, such as a CRL (Certificate Revocation List, the list of certificates a certificate authority has revoked before their expiry).

Encipher only: Key agreement is also enabled, and the public key should be used only for enciphering data while performing key agreement. This option has no meaning without Key agreement.

Decipher only: Key agreement is also enabled, and the public key should be used only for deciphering data while performing key agreement. This option has no meaning without Key agreement.
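The options above are stored in the certificate as a single keyUsage extension: an ASN.1 BIT STRING in which bit 0 is Digital signature and bit 8 is Decipher only, in the order of the table. The following Go code is an added example, not code from the product or this guide. It encodes a selection into that DER value and decodes it back (the way a certificate viewer would display it), and it enforces the constraints stated above: Encipher only and Decipher only require Key agreement, and Certificate signing belongs only on a CA certificate. The option names are the window's; the function names and the isCA flag are this example's own assumptions.

```go
package main

import (
	"encoding/asn1"
	"fmt"
)

// keyUsageNames lists the window's options in the bit order RFC 5280 assigns to the
// KeyUsage BIT STRING: bit 0 is digitalSignature and bit 8 is decipherOnly.
var keyUsageNames = []string{
	"Digital signature", "Non-repudiation", "Key encipherment", "Data encipherment",
	"Key agreement", "Certificate signing", "CRL signing", "Encipher only", "Decipher only",
}

// bitOf maps an option name to its bit index, rejecting names the window does not offer.
func bitOf(option string) (int, error) {
	for i, n := range keyUsageNames {
		if n == option {
			return i, nil
		}
	}
	return 0, fmt.Errorf("unknown Key Usage option %q", option)
}

// CheckKeyUsage enforces the constraints stated in the table: Encipher only and
// Decipher only require Key agreement, and Certificate signing is only for CA certificates.
func CheckKeyUsage(selected []string, isCA bool) error {
	set := map[string]bool{}
	for _, s := range selected {
		if _, err := bitOf(s); err != nil {
			return err
		}
		set[s] = true
	}
	switch {
	case len(set) == 0:
		return fmt.Errorf("at least one Key Usage option is required")
	case (set["Encipher only"] || set["Decipher only"]) && !set["Key agreement"]:
		return fmt.Errorf("Encipher only and Decipher only are meaningful only with Key agreement")
	case set["Certificate signing"] && !isCA:
		return fmt.Errorf("Certificate signing is allowed only on a CA certificate")
	}
	return nil
}

// EncodeKeyUsage turns a selection into the DER value of the keyUsage extension.
// DER requires a named-bit list to drop trailing zero bits, so the BIT STRING length
// is the index of the highest selected bit plus one, not a fixed 9.
func EncodeKeyUsage(selected []string, isCA bool) ([]byte, error) {
	if err := CheckKeyUsage(selected, isCA); err != nil {
		return nil, err
	}
	bits := make([]byte, 2) // nine named bits fit in two bytes
	highest := -1
	for _, s := range selected {
		i, _ := bitOf(s) // already validated by CheckKeyUsage
		bits[i/8] |= 0x80 >> uint(i%8)
		if i > highest {
			highest = i
		}
	}
	return asn1.Marshal(asn1.BitString{Bytes: bits[:highest/8+1], BitLength: highest + 1})
}

// DecodeKeyUsage parses the extension value back into option names, as a certificate
// viewer would display them, and refuses trailing bytes after the BIT STRING.
func DecodeKeyUsage(der []byte) ([]string, error) {
	var bs asn1.BitString
	rest, err := asn1.Unmarshal(der, &bs)
	if err != nil {
		return nil, err
	}
	if len(rest) != 0 {
		return nil, fmt.Errorf("%d trailing bytes after keyUsage BIT STRING", len(rest))
	}
	var names []string
	for i, n := range keyUsageNames { // At returns 0 for bits beyond BitLength
		if bs.At(i) == 1 {
			names = append(names, n)
		}
	}
	return names, nil
}
```

A server certificate selecting Digital signature and Key encipherment encodes to the four bytes 03 02 05 A0, which is the value you will see in the keyUsage extension of most RSA server certificates; a CA's Certificate signing plus CRL signing encodes to 03 02 01 06. Because the trailing zero bits are dropped, the encoded length varies with the highest bit chosen, which is why decoders must treat missing high bits as unset rather than as an error.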