5If you override the defaults, provide the following information in the next few screens:
ÂÂ A unique serial number for the root certificate
ÂÂ The number of days the CA functions before expiring
ÂÂ The type of user certificate this CA is signing
ÂÂ Whether to create a CA website for users to access for CA certificate distribution
6Click Continue.
7Provide the Certificate Assistant with the requested information and click Continue.
You need the following information to create a CA:
ÂÂ An email address of the responsible party for certificates
ÂÂ The name of the issuing authority (you or your organization) ÂÂ The organization name
ÂÂ The organization unit name
ÂÂ The location of the issuing authority
8Select a key size and an encryption algorithm for the CA certificate and then click
Continue.
A larger key size is more computationally intensive to use, but much more secure. The algorithm you choose depends more on your organizational needs than a technical consideration.
DSA and RSA are strong encryption algorithms. DSA is a United States Federal Government standard for digital signatures.
9Select a key size and an encryption algorithm for the certificates to be signed, and then click Continue.
10Select the Key Usage Extensions you need for the CA certificate and then click
Continue.
At a minimum, you must select Signature and Certificate Signing.
11Select the Key Usage Extensions you need for the certificates to be signed and then click Continue.
Default key use selections are based on the type of key selected earlier in the Assistant.
12Specify other extensions to add the CA certificate and click Continue.
13Select the keychain “System” to store the CA certificate.
14Choose to trust certificates on this computer signed by the created CA.
15Click Continue and authenticate as an administrator to create the certificate and key pair.
16Read and follow the instructions on the last page of the Certificate Assistant. You can now issue certificates to trusted parties.
Chapter 4 Enhancing Security
67
