For creating certificates, keys are needed. All keys are stored encrypted in the database using the 3DES algorithm. The password can be changed for each key. The password type means:
All keys carry a use counter which counts the times it is used. When creating new requests or certificates the list of available keys is reduced to the keys with a use counter of 0. This can be overridden by the checkbox next to the key list.
When importing an EC key with explicit curve parameters, the corresponding curve OID is searched and set if found.
The dialog asks for the internal name of the key and the keysize in bits. For EC keys, a list of curves is shown. It contains all X9.62 curves and many others.
EC Brainpool curves are also supported when linking with OpenSSL 1.0.2.
Even if the drop-down list only shows the most usual key sizes, any other value may be set here by editing this box. While searching for random prime numbers a progress bar is shown in the bottom of the base application. After the key generation is done the key will be stored in the database.
When checking the
Remember as default box, the settings
(Key-type, key-size or EC curve) will be remembered and preset for the
next key generation dialog. This option is not available
when generating token keys.
For every connected token providing the Key-generate facility an entry in the drop-down menu of the keytypes will be shown. It contains the name of the token and the valid key-sizes.
In case of EC keys generated on a token, the list of possible curves is restricted based on informations provided by the token (Key size and FP/F2M). The token may support even less ECParameters / OIDs. When selecting an EC curve not supported by the token an error will occure. Please consult the documentation of the provider of the PKCS#11 library.
Keys can be exported by either selecting the key and pressing Export or by using the context-menu. It may be chosen to export the key to the clipboard as PEM public, SSH2 public or unencrypted PEM private format. In case of a file export a dialogbox opens where next to the filename one of the following formats may be selected:
The filename is the internal name plus a
When changing the fileformat, the suffix of the filename changes accordingly.
Only PKCS#8 or PEM files can be encrypted, because
the DER format (although it could be encrypted)
does not support a way to supply the encryption algorithm
Of course, encryption does not make sense if the private part is not exported.