7.18.6 PKI Editor Configuration
Select the encryption algorithm and key size
Your selection really depends on your application:
- How long does the data need to be secure?
- How much does it cost and how much is it worth?
Current standards recommend RSA key sizes of 1024 bits for corporate use and 2048 bits for extremely valuable keys such as the root key pair of a certification authority.
Longer keys are more secure, but the added security comes at a cost in performance.
Doubling the RSA modulus length increases processing time by a factor of 4 for public key operations (signature verification, encryption) and by a factor of 8 for private key operations (signature generation, decryption).
Set the encryption algorithm and key size
Edit the project file and modify the algorithm and strength properties.
strength=1024
algorithm=*RSA | *DSA
certificate.signing.algorithm=*MD5RSA | *SHA1RSA | *SHA1DSA
When the algorithm is *RSA, choose certificate signing algorithm *MD5RSA or *SHA1RSA.
When the algorithm is *DSA, choose certificate signing algorithm *SHA1DSA.
The default key algorithm is *RSA.
The default signature algorithm is *SHA1RSA or *SHA1DSA depending on the key algorithm.
Set extended key usage
Additional key usage extensions can be added to the certificate request and client certificate by including numbered 'extended.purpose.N' properties. A maximum of 20 properties can be included, with sequence numbers starting at 1 and ending no higher than 20.
To add the following extended key usages:
- Server Authentication (1.3.6.1.5.5.7.3.1)
- Client Authentication (1.3.6.1.5.5.7.3.2)
- Code Signing (1.3.6.1.5.5.7.3.3)
- Secure Email (1.3.6.1.5.5.7.3.4)
- Time Stamping (1.3.6.1.5.5.7.3.8)
- OCSP Signing (1.3.6.1.5.5.7.3.9)
extended.purpose.1=1.3.6.1.5.5.7.3.1
extended.purpose.2=1.3.6.1.5.5.7.3.2
extended.purpose.3=1.3.6.1.5.5.7.3.3
extended.purpose.4=1.3.6.1.5.5.7.3.4
extended.purpose.5=1.3.6.1.5.5.7.3.8
extended.purpose.6=1.3.6.1.5.5.7.3.9
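As an added example (not PKI Editor code), the Python below shows what the extended.purpose values above become inside the certificate: each dotted OID is encoded as a DER OBJECT IDENTIFIER, the numbered list becomes an ExtKeyUsageSyntax SEQUENCE, and that SEQUENCE is wrapped as the extnValue OCTET STRING of an Extension identified by id-ce-extKeyUsage (2.5.29.37), as X.509 defines it. The page does not say whether PKI Editor marks the extension critical, so the example leaves it non-critical by default; the decoder is included only to round-trip check the encoder.

```python
"""DER encoding of the extended key usage values listed above.  Added
example, not PKI Editor code: it shows what an extended.purpose OID becomes
inside the certificate.  Each OID is an OBJECT IDENTIFIER, the list is an
ExtKeyUsageSyntax SEQUENCE, and that SEQUENCE is wrapped as the extnValue
OCTET STRING of an Extension whose extnID is id-ce-extKeyUsage (2.5.29.37)."""

ID_CE_EXT_KEY_USAGE = "2.5.29.37"   # X.509 extKeyUsage extension OID


def der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    """Tag-length-value triple."""
    return bytes([tag]) + der_length(len(content)) + content


def encode_oid(dotted):
    """Encode a dotted OID such as 1.3.6.1.5.5.7.3.1 as a DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID {dotted!r}")
    content = bytearray()
    # The first two arcs share one sub-identifier: 40 * arc1 + arc2.  Each
    # sub-identifier is base-128, most significant group first, with bit 7
    # set on every group except the last.
    for value in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        groups = [value & 0x7F]
        value >>= 7
        while value:
            groups.append(0x80 | (value & 0x7F))
            value >>= 7
        content.extend(reversed(groups))
    return der_tlv(0x06, bytes(content))


def decode_oid(der):
    """Inverse of encode_oid (short-form lengths suffice for OIDs)."""
    if der[0] != 0x06 or der[1] & 0x80:
        raise ValueError("not a short-form OBJECT IDENTIFIER")
    arcs, value = [], 0
    for b in der[2:2 + der[1]]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)             # arc1 is 0, 1 or 2
    return ".".join(str(a) for a in [first, arcs[0] - 40 * first] + arcs[1:])


def ext_key_usage_extension(oids, critical=False):
    """Build the DER Extension { extnID, critical, extnValue } carrying the
    given extended.purpose OIDs, in the order they were numbered."""
    syntax = der_tlv(0x30, b"".join(encode_oid(o) for o in oids))
    fields = encode_oid(ID_CE_EXT_KEY_USAGE)
    if critical:
        fields += der_tlv(0x01, b"\xff")      # BOOLEAN TRUE (omitted when FALSE)
    fields += der_tlv(0x04, syntax)           # OCTET STRING around the SEQUENCE
    return der_tlv(0x30, fields)


# The six extended.purpose values from the list above, in property order.
PURPOSES = ["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.3",
            "1.3.6.1.5.5.7.3.4", "1.3.6.1.5.5.7.3.8", "1.3.6.1.5.5.7.3.9"]

if __name__ == "__main__":
    print(encode_oid(PURPOSES[0]).hex())           # 06082b06010505070301
    print(ext_key_usage_extension(PURPOSES).hex())
```

Running the block prints the Server Authentication OID as 06082b06010505070301 (tag 06, length 8, then 2b = 40*1+3 followed by the remaining arcs), which is the byte string a certificate viewer shows under the extended key usage extension.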
Set CRL distribution
A CRL distribution extension can be included with each certificate.
crl.distribution=http://www.mycompany.com/CRLList.crl
crl.distribution=http://www.mycompany.com/crllist.html
Set Subject Alternative Names for SSL authentication
A list of Subject Alternative Names used for SSL authentication can be included with each certificate.
As part of SSL trust verification, an SSL client can compare the host name it connected to with the names listed in the Subject Alternative Name extension of the certificate it received.
Use the 'ssl.addresses' property to specify a list of IP addresses.
Use the 'ssl.domains' property to specify a list of host domain names.
ssl.addresses=10.2.0.173,10.2.0.174
ssl.domains=*.mycompany.com,support.mycompany.com,account.mycompany.com
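The following validator is an added example and not PKI Editor code. It parses a project file in the key=value form used on this page and checks the rules stated in the sections above: the key algorithm and its permitted certificate signing algorithms (with the page's defaults), a numeric strength, extended.purpose.N numbering within 1..20 and without gaps, a URL for crl.distribution, IP addresses in ssl.addresses and host names in ssl.domains. The *MD5RSA warning, the RSA cost estimate derived from the page's 4x/8x scaling rule, and the host-name label syntax are this example's own choices; the sample project file at the end is constructed, modelled on the example file on this page.

```python
"""Validator for PKI Editor project files (added example, not PKI Editor
code).  It checks a project file against the rules stated on this page for
algorithm / strength / certificate.signing.algorithm, extended.purpose.N,
crl.distribution, ssl.addresses and ssl.domains."""
import ipaddress
import re
from urllib.parse import urlparse

# Signing algorithms the page allows for each key algorithm, and defaults.
SIGNING_FOR_KEY = {"*RSA": {"*MD5RSA", "*SHA1RSA"}, "*DSA": {"*SHA1DSA"}}
DEFAULT_SIGNING = {"*RSA": "*SHA1RSA", "*DSA": "*SHA1DSA"}
MAX_EKU = 20                                   # extended.purpose.1 .. 20
EKU_KEY = re.compile(r"^extended\.purpose\.(\d+)$")
OID_RE = re.compile(r"^\d+(\.\d+)+$")
# One host-name label: letters, digits, inner hyphens, at most 63 chars.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def parse_properties(text):
    """Parse 'key=value' lines; '#' lines are comments; a later key wins."""
    props = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def rsa_relative_cost(bits, baseline=1024):
    """(public, private) cost relative to the baseline modulus size, using
    the page's rule: doubling the modulus costs 4x public, 8x private."""
    ratio = bits / baseline
    return ratio ** 2, ratio ** 3


def valid_domain(name):
    labels = name.split(".")
    if labels[0] == "*":                       # wildcard, as in *.mycompany.com
        labels = labels[1:]
    return len(labels) >= 2 and all(LABEL_RE.match(l) for l in labels)


def validate(props):
    """Return a list of (severity, message); no 'error' entries means OK."""
    out = []
    algorithm = props.get("algorithm", "*RSA")                # page default
    if algorithm not in SIGNING_FOR_KEY:
        return [("error", f"unknown key algorithm {algorithm!r}")]
    signing = props.get("certificate.signing.algorithm", DEFAULT_SIGNING[algorithm])
    if signing not in SIGNING_FOR_KEY[algorithm]:
        out.append(("error", f"{signing} is not valid for {algorithm}"))
    elif signing == "*MD5RSA":   # this warning is the example's own policy
        out.append(("warning", "*MD5RSA selected; prefer *SHA1RSA"))
    strength = props.get("strength", "")
    if not strength.isdigit():
        out.append(("error", "strength must be a positive integer"))
    elif algorithm == "*RSA":
        pub, priv = rsa_relative_cost(int(strength))
        out.append(("info", f"{strength}-bit RSA: ~{pub:.1f}x public, "
                            f"~{priv:.1f}x private cost vs 1024-bit"))
    # extended.purpose.N: N within 1..20, contiguous from 1, dotted OID values.
    eku = {}
    for key, value in props.items():
        m = EKU_KEY.match(key)
        if m:
            n = int(m.group(1))
            if not 1 <= n <= MAX_EKU:
                out.append(("error", f"{key}: sequence number outside 1..{MAX_EKU}"))
            if not OID_RE.match(value):
                out.append(("error", f"{key}: {value!r} is not a dotted OID"))
            eku[n] = value
    if eku and set(eku) != set(range(1, len(eku) + 1)):
        out.append(("error", "extended.purpose numbers must run from 1 without gaps"))
    crl = props.get("crl.distribution")
    if crl is not None and (urlparse(crl).scheme not in ("http", "https")
                            or not urlparse(crl).netloc):
        out.append(("error", f"crl.distribution {crl!r} is not an http(s) URL"))
    for addr in filter(None, props.get("ssl.addresses", "").split(",")):
        try:
            ipaddress.ip_address(addr.strip())
        except ValueError:
            out.append(("error", f"ssl.addresses: {addr!r} is not an IP address"))
    for dom in filter(None, props.get("ssl.domains", "").split(",")):
        if not valid_domain(dom.strip()):
            out.append(("error", f"ssl.domains: {dom!r} is not a host name"))
    return out


# Constructed sample modelled on the example project file on this page.
SAMPLE = """\
algorithm=*RSA
strength=1024
certificate.signing.algorithm=*SHA1RSA
extended.purpose.1=1.3.6.1.5.5.7.3.2
extended.purpose.2=1.3.6.1.5.5.7.3.1
crl.distribution=http://www.mycompany.com/CRLList.crl
ssl.addresses=10.2.0.173,10.2.0.174
ssl.domains=*.mycompany.com,support.mycompany.com
"""

if __name__ == "__main__":
    for severity, message in validate(parse_properties(SAMPLE)):
        print(f"{severity}: {message}")
```

Run it against a real project file by replacing SAMPLE with the file's contents; an empty error list means the file satisfies every constraint the page states, and the info line makes the cost of a larger strength value visible before the keys are generated.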
Example PKI Editor project file
#JSFPKIEditor last values
#Sun Nov 02 22:34:20 GMT 2003
ca.keystore=ca-key.der
ca.keystore.password=
ca.certificate=ca-cert.der
ca.expiry=1/1/2005
request.keystore=request-key.der
request.keystore.password=
request.certificate=request-cert.der
certificate=certificate.der
blank.password=*yes
algorithm=*RSA
strength=1024
certificate.signing.algorithm=*SHA1RSA
serial=75
days=365
location.organization=ACME Corporation
location.unit=Rocket Powered Systems
location.locality=Nevada Desert
location.state=NV
location.country=US
location.name=Road Runner
extended.purpose.1=1.3.6.1.5.5.7.3.2
extended.purpose.2=1.3.6.1.5.5.7.3.1
You need to use a text editor to set the following properties:
strength=1024
algorithm=*RSA | *DSA
certificate.signing.algorithm=*MD5RSA | *SHA1RSA | *SHA1DSA
blank.password=*YES | *NO