Next Previous Contents

9. Certificates

All certificates from the database are displayed in a tree view reflecting the chain dependencies. If there is a CA certificate and several client certificates signed by this CA, the client certificates can be shown by clicking on the plus sign of the CA certificate.

9.1 CA certificates

XCA will recognize CA certificates if the CA flag in the Basic Constraints is set to true. If there is a corresponding private key, the CA submenu in the context-menu will be enabled.

For building the chains the CA flag is disregarded, because there are some CAs without this flag. Instead it consideres the issuer name and the signature to decide which certificate is the issuer.

9.2 Generating certificates

After clicking on the New Certificate button the Certificate input dialog will be started to ask all needed information for generating a new Certificate. See: The Certificate input dialog Certificate creation can also be invoked by the context menu of the certificate list background or by the context menu of the request. In this case the Certificate input dialog is preset with the request to be signed.

If a CA certificate is selected in the certificate list, this certificate will be preselected as signer certificate.

9.3 Certificate details

The signer is the internal name of the issuers certificate, SELF SIGNED if it is self signed or SIGNER UNKNOWN if the issuer's certificate is not available. The validity is set to valid if the certificate's dates are valid or to Not valid if they are not, compared to the internal time and date of the OS.

If the certificate is revoked, the revocation date will be shown instead.

On the Subject and Issuer tab the distinguished name is also displayed in a format defined in RFC2253 for copy&paste.

9.4 Certificate trust

The certificate trust can be changed by the context menu of the certificate. It can be set to:

9.5 Certificate export

When exporting PKCS#12 structures you are asked later for an encryption password.

9.6 Certificate revocation

Certificates can only be revoked, if the private key of the issuer's certificate is available. The certificate will be marked as revoked and the revocation date will be stored with the certificate.

To generate a CRL, revoke the appropriate certificates and select CA->GenerateCRL in the context-menu of the signing certificate.

9.7 Certificate renewal

Certificates can only be renewed, if the private key of the issuer's certificate is available. Renewal is done by creating a new certificate as a copy of the original one with adjusted validity dates.

9.8 CA special functions

The context menu of CA certificates contains the CA submenu, which makes the following functions available:

CA Properties


Next Previous Contents