The options dialog can be found in the file menu. All options are saved in the database and do not depend on the operating system's registry or configuration files.
This option applies to all strings converted to ASN.1 strings. The string type is automatically set to the smallest possible allowed type that covers all contained characters.
The list of allowed string types can be selected:
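The selection rule described above, sketched as an added example (this is not XCA's own code). The preference order, the treatment of T61String as Latin-1, and the allow-list names `ALL_TYPES`, `NO_BMP` and `UTF8_ONLY` are assumptions made for illustration.

```python
# Added example: pick the smallest allowed ASN.1 string type for a value.
# The preference order and the T61String-as-Latin-1 rule are assumptions.

PRINTABLE_CHARS = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?"
)

# (type name, predicate telling whether the type can hold a character),
# ordered from the most restricted type to the most general one.
STRING_TYPES = [
    ("PrintableString", lambda c: c in PRINTABLE_CHARS),
    ("IA5String", lambda c: ord(c) < 0x80),      # 7-bit ASCII
    ("T61String", lambda c: ord(c) < 0x100),     # treated as Latin-1 (assumption)
    ("BMPString", lambda c: ord(c) < 0x10000),   # Basic Multilingual Plane only
    ("UTF8String", lambda c: True),              # any Unicode character
]

# Hypothetical allow-lists standing in for the choices of the option.
ALL_TYPES = [name for name, _ in STRING_TYPES]
NO_BMP = [name for name in ALL_TYPES if name != "BMPString"]
UTF8_ONLY = ["UTF8String"]


def pick_string_type(value, allowed):
    """Return the first type in preference order that is allowed and covers value."""
    for name, can_hold in STRING_TYPES:
        if name in allowed and all(can_hold(c) for c in value):
            return name
    raise ValueError(f"no allowed ASN.1 string type can encode {value!r}")


if __name__ == "__main__":
    # Constructed sample values, not taken from any real certificate.
    samples = ["Example CA", "admin@example.test", "Müller GmbH", "Łódź", "\U0001F600"]
    for allowed in (ALL_TYPES, NO_BMP, UTF8_ONLY):
        print(allowed)
        for s in samples:
            print(f"  {s!r:24} -> {pick_string_type(s, allowed)}")
```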
Older Windows versions and OpenSSL versions cannot handle SHA256 and SHA512. This option allows setting the hash algorithm to SHA1, for instance.
After importing and generating new items, a success message is shown. This switch disables the messages.
Since version 0.9.2, the expiration dates of certificates are colorized. Red means expired or not yet valid. Yellow indicates certificates that only have 4/5 of their lifetime until expiration. The CRL expiration date will be marked red 2 days before expiration.
It is usually clearer to read "commonName" than, e.g., the German "Allgemeine Bezeichnung". The same is true for "Extended key usage" or "Basic constraints". With this setting, the translated terms are shown and the ToolTip of the entry shows the established term. If not set, the established term will be displayed and the ToolTip contains the translation.
A PKCS#11 token probably does not support all possible hashes for a signature operation. For instance, the EC and DSA signing algorithms are currently only defined with SHA1 in the PKCS#11 specification.
XCA does the hashing part of the digital signature in software outside the token and uses the token to sign the hash. That's why XCA may use additional hashing algorithms like ecdsaWithSha256.
If the token is also to be used by other applications, which probably use the token's hashing algorithms, this option should be set.
With this option set, the input and use of the legacy Netscape extensions will be suppressed. The certificate input dialog has no Netscape tab, the request and certificate columns don't show the Netscape extensions, and when applying a template or converting certificates, the Netscape extensions are removed. However, the details of certificates and requests still show the Netscape extensions if they exist.
A list of mandatory distinguished name entries may be specified to get a warning whenever a certificate is issued that lacks one or more of the listed entries. This requirement is not checked when editing templates, because templates may have empty entries that will be filled during the rollout of the certificate.
This list may be used to change the list of the usual 7 distinguished name entries shown in the subject tab of the Certificate / Request / Template generation dialog to better fit one's needs.
Here you can select the path to one or more PKCS#11 libraries on your system.
If the list is empty, the Token menu will be unavailable.