All certificates from the database are displayed in a tree view reflecting
the chain dependencies.
If there is a CA certificate and several client certificates signed by this CA,
the client certificates can be shown by clicking on the plus sign of the CA certificate.
XCA recognizes a certificate as a CA certificate if the CA flag in its basic constraints extension is set to true.
If there is a corresponding private key, the CA submenu in the context menu will be enabled.
For building the chains the CA flag is disregarded, because some CAs exist
without this flag.
Instead, XCA considers the issuer name and the signature to decide which certificate is the issuer.
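The issuer lookup just described, as an added Python example that is not XCA's own code: the chain is built by matching the issuer name against candidate subjects and checking the signature, while the CA flag is ignored. It uses the third-party cryptography package; the certificates are constructed inline and deliberately carry no basic constraints extension, and the "decoy" certificate with a matching name but wrong key is an assumption made to show why the signature check matters.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def make_cert(cn, key, issuer_cert=None, issuer_key=None):
    """Issue a v3 certificate for cn; self-signed when no issuer is given.
    No basicConstraints extension is added, so no CA flag is present."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    issuer_name = issuer_cert.subject if issuer_cert else subject
    signing_key = issuer_key if issuer_key else key
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer_name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=1))
            .sign(signing_key, hashes.SHA256()))


def signed_by(cert, candidate):
    """True if candidate's public key verifies cert's signature (ECDSA here)."""
    try:
        candidate.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                      ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def find_issuer(cert, store):
    """Issuer lookup as on this page: name match plus signature check, CA flag ignored."""
    for cand in store:
        if cand is not cert and cand.subject == cert.issuer and signed_by(cert, cand):
            return cand
    return None  # corresponds to SIGNER UNKNOWN


def build_chain(cert, store):
    """Return [cert, issuer, ..., root]; a verified self-signed cert ends the chain."""
    chain = [cert]
    while not (chain[-1].subject == chain[-1].issuer and signed_by(chain[-1], chain[-1])):
        issuer = find_issuer(chain[-1], store)
        if issuer is None:
            break
        chain.append(issuer)
    return chain


def demo():
    # Constructed sample: Root -> Sub -> leaf, plus a decoy named "Sub" with another key.
    root_key, sub_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = make_cert("Root", root_key)
    sub = make_cert("Sub", sub_key, root, root_key)
    leaf = make_cert("leaf", leaf_key, sub, sub_key)
    decoy = make_cert("Sub", ec.generate_private_key(ec.SECP256R1()))
    store = [decoy, leaf, sub, root]
    return [c.subject.rfc4514_string() for c in build_chain(leaf, store)]
```

The decoy is skipped because its key does not verify the leaf's signature, even though its subject name matches the leaf's issuer name.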
After clicking the New Certificate button, the Certificate input dialog is started to ask for
all information needed to generate a new certificate. See:
The Certificate input dialog
Certificate creation can also be invoked by the context menu of the certificate list background
or by the context menu of the request.
In this case the Certificate input dialog is preset with the request to be signed.
If a CA certificate is selected in the certificate list, this
certificate will be preselected as the signer certificate.
The signer is the internal name of the issuer's certificate, SELF SIGNED if the certificate is
self-signed, or SIGNER UNKNOWN if the issuer's certificate is not available.
The validity is set to valid if the certificate's dates are valid,
or to Not valid if they are not, compared with the
internal time and date of the OS.
If the certificate is revoked, the revocation date is shown instead.
On the Subject and Issuer tabs the distinguished name is
also displayed in the format defined in RFC 2253 for copy and paste.
The certificate trust can be changed via the context menu of the certificate.
It can be set to:
- Not trusted - never trust this certificate, even if
we trust the issuer. This is the default for imported
- Trust depends on issuer - only trust this certificate
if we trust the issuer. This is the default for imported and
generated non-self-signed certificates.
- Always trust - always trust this certificate, even if
we do not trust the issuer's certificate or if it is absent.
This is the default for generated self-signed certificates.
- Clipboard - Copy to clipboard as a PEM file.
- File - Export to an external file.
The filename can be selected in the export dialog, as can the export format:
- PEM - PEM encoded certificate.
- PEM with Certificate chain - PEM encoded certificate
and all issuers up to the root certificate in one file.
- PEM all trusted Certificates - list of all PEM encoded
certificates that are marked as Always trusted
(usually all self-signed certificates) in one file, e.g. for
use as the trusted certificate store of apache.
- PEM all Certificates - all PEM encoded certificates
in one file.
- DER - DER encoded certificate.
- PKCS#7 - DER encoded PKCS#7 structure containing
- PKCS#7 with Certificate chain - DER encoded
PKCS#7 structure containing the
certificate and all issuers up to the root certificate.
- PKCS#7 all trusted Certificates - DER encoded
PKCS#7 structure containing all
certificates that are marked as Always trusted.
- PKCS#7 all Certificates - DER encoded PKCS#7 structure
containing all certificates.
- PKCS#12 - PKCS#12 structure containing the certificate
and the corresponding private key.
- PKCS#12 - PKCS#12 structure containing the certificate,
the corresponding private key and the chain of all
- PEM cert + key - concatenation of the private key
and the certificate in a format used by apache or the
X509 patch for OpenSSH.
- PEM cert + PKCS8 key - concatenation of the
private key in PKCS#8 format and the certificate.
- Request - Create a PKCS#10 request using the data from the certificate.
- Token - Store the certificate on the security token containing the private key.
- Other token - Store the certificate on any security token.
- Template - Create a template from the content of this certificate.
- OpenSSL config - Create an OpenSSL config file from the contents of this certificate, which can be used to generate a similar certificate with openssl (openssl req -new -x509 -config <file>).
When exporting PKCS#12 structures you are asked later for an encryption
Certificates can only be revoked if the private key of the issuer's certificate
is available. The certificate will be marked as revoked and the revocation date
will be stored with the certificate.
To generate a CRL, revoke the appropriate certificates and select CA -> Generate CRL in the context menu of the signing certificate.
Certificates can only be renewed if the private key of the issuer's certificate
is available. Renewal is done by creating a new certificate as a copy of the original one
with adjusted validity dates.
The context menu of CA certificates contains the CA submenu,
which makes the following functions available:
- Generate CRL - Generate the CRL by collecting all
revoked certificates and their revocation dates.
- Serial - The serial number of the next certificate
signed by this issuer.
- Use random serial number - Use 64-bit random serial numbers for certificates signed by this issuer.
- CRL days - The number of days until the next CRL release.
- Signing Template - The default template for
- Use random serial numbers - Generates an 8-byte (64-bit) unique random serial number for every newly issued certificate.