Novell LINUX ENTERPRISE SERVER 10 - INSTALLATION AND ADMINISTRATION 11-05-2007 Installation Manual page 826

TIP
In general, it is best not to allow user certificates to be issued by the root CA.
It is better to create at least one sub-CA and create the user certificates from
there. This has the advantage that the root CA can be kept isolated and secure,
for example, on an isolated computer on secure premises. This makes it very
difficult to attack the root CA.
42.2.2 Creating or Revoking a Sub-CA
A sub-CA is created in exactly the same way as a root CA. Do the following:
1 Start YaST and open the CA module.
2 Select the required CA and click Enter CA.
3 Enter the password if you entered a CA the first time. YaST displays the CA key
808 Installation and Administration
NOTE
The validity period for a sub-CA must be fully within the validity period
of the "parent" CA. Because a sub-CA is always created after the "parent"
CA, the default value leads to an error message. To avoid this, enter a
permissible value for the period of validity.
information in the tab Description (see Figure 42.2 ).