Novell LINUX ENTERPRISE SERVER 11 - SECURITY Manual page 218

5 Review the summary. YaST displays the current settings for confirmation. Click
TIP
In general, it is best not to allow user certificates to be issued by the root CA.
It is better to create at least one sub-CA and create the user certificates from
there. This has the advantage that the root CA can be kept isolated and secure,
for example, on an isolated computer on secure premises. This makes it very
difficult to attack the root CA.
17.2.2 Changing Password
If you need to change your password for your CA, proceed as follows:
1 Start YaST and open the CA module.
2 Select the required root CA and click Enter CA.
3 Enter the password if you entered a CA the first time. YaST displays the CA key
4 Click Advanced and select Change CA Password. A dialog box opens.
5 Enter the old and the new password.
6 Finish with OK
17.2.3 Creating or Revoking a Sub-CA
A sub-CA is created in exactly the same way as a root CA.
NOTE
The validity period for a sub-CA must be fully within the validity period of the
"parent" CA. A sub-CA is always created after the "parent" CA, therefore, the
204 Security Guide
Create. The root CA is created then appears in the overview.
information in the Description tab (see Figure 17.2 ).