Novell LINUX ENTERPRISE DESKTOP 11 - SECURITY GUIDE 17-03-2009 Manual page 177

Country
Select the country where the CA is operated.
Organisation, Organisational Unit, Locality, State
Optional values
Proceed with Next.
4 Enter a password in the second dialog. This password is always required when
using the CA—when creating a sub-CA or generating certificates. The text fields
have the following meaning:
Key Length
Key Length contains a meaningful default and does not generally need to be
changed unless an application cannot deal with this key length. The higher
the number, the more secure your password is.
Valid Period (days)
The Valid Period in the case of a CA defaults to 3650 days (roughly ten
years). This long period makes sense because the replacement of a deleted
CA involves an enormous administrative effort.
Clicking Advanced Options opens a dialog for setting different attributes from
the X.509 extensions (Figure 17.4, "YaST CA Module—Extended Settings"
(page 170)). These values have rational default settings and should only be changed
if you are really sure of what you are doing. Proceed with Next.
5 Review the summary. YaST displays the current settings for confirmation. Click
Create. The root CA is created and then appears in the overview.
TIP
In general, it is best not to allow user certificates to be issued by the root CA.
It is better to create at least one sub-CA and create the user certificates from
there. This has the advantage that the root CA can be kept isolated and secure,
for example, on an isolated computer on secure premises. This makes it very
difficult to attack the root CA.
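The layout recommended in the TIP, built with the openssl command line as an added example (it is not part of the original manual and is not what YaST runs internally): a passphrase-protected root CA valid for 3650 days signs a sub-CA, and only the sub-CA issues the user certificate. Subjects, file names, the passphrase, the 2048-bit key length and the sub-CA and user lifetimes are assumptions.

```shell
#!/bin/sh
# Added example: root CA -> sub-CA -> user certificate with the openssl CLI.
# Subjects, file names, passphrase, 2048-bit keys and the sub-CA/user
# lifetimes are constructed; 3650 days is the root CA default quoted above.
CA_PW=${CA_PW:-constructed-passphrase}; export CA_PW

new_csr() {   # new_csr NAME SUBJECT: passphrase-protected key plus CSR
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -aes-256-cbc -pass env:CA_PW -out "$1.key" 2>/dev/null &&
    openssl req -new -config ext.cnf -key "$1.key" -passin env:CA_PW \
        -subj "$2" -out "$1.csr"
}

build_chain() (   # build_chain DIR: runs in a subshell, writes all files to DIR
    mkdir -p "$1" && cd "$1" || exit 1
    cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[subca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[user]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
EOF
    new_csr root "/C=DE/O=Example/CN=Example Root CA" &&
    openssl x509 -req -in root.csr -signkey root.key -passin env:CA_PW \
        -days 3650 -extfile ext.cnf -extensions ca -out root.crt &&
    new_csr sub "/C=DE/O=Example/CN=Example Sub CA" &&
    openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key \
        -passin env:CA_PW -CAcreateserial -days 1825 \
        -extfile ext.cnf -extensions subca -out sub.crt &&
    new_csr user "/C=DE/O=Example/CN=Example User" &&
    openssl x509 -req -in user.csr -CA sub.crt -CAkey sub.key \
        -passin env:CA_PW -CAcreateserial -days 365 \
        -extfile ext.cnf -extensions user -out user.crt
)

# Succeeds only when the user certificate chains through the sub-CA to the root.
verify_user() { openssl verify -CAfile "$1/root.crt" -untrusted "$1/sub.crt" "$1/user.crt"; }
# outlives_days CERT DAYS: true if CERT is still valid DAYS days from now.
outlives_days() { openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; }
```

After `build_chain ./demo-ca`, only `sub.key` is needed for day-to-day issuing, so `root.key` can be moved to the isolated machine the TIP describes.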
Managing X.509 Certification