Use the plus button above the list of elements to create new certificates and signing requests. You can configure the following elements:
Input box | Description |
---|---|
Certificate Type | Choose between the options Certificate, to create a certificate or a certification authority (CA), and Certificate Signing Request. With the latter, you create a certification request for a certificate or for a subordinate CA, which then has to be signed by a higher-level CA to become valid. Note: When selecting the option Certificate Signing Request, neither the Validity nor the Signing CA can be selected, as these are specified when the certificate is signed. The created request appears under the certificates in a separate branch of the certificate tree, Outstanding Certificate Signing Requests. |
Common Name (CN) | Specify a name for this certificate. |
Private Key Password | Required: Enter a password to secure the private key. |
Show Password | Optional: Set a check mark in the check box to view the password. |
Validity | Set the starting time for the certificate’s validity period. The input boxes are already filled out with the current date as the creation date and the expiry date set to the same day one year later in the case of a certificate or 5 years later in the case of a certificate authority. To specify a different period, select one of the options provided or select the start and end date in the calendar that is displayed. The start and end dates are displayed in the following format: MM/DD/YYYY – MM/DD/YYYY (e.g. 04/18/2021 - 04/18/2031). |
Template | Optional: Choose one of the Templates to fill out the boxes in the sections "Options" and "Subject and SAN" with values from the template. Important: If you select a template, any settings you made previously are overwritten! |
Signing CA | Select the signing CA. |
CA Password | When a CA is selected, this field is mandatory, unless it is one of the LCOS FX CAs listed in Table 1. Enter a password for the private key of the signing certification authority. The password is required because the public key of the new certificate is signed with the private key of the signing CA. |
Show CA Password | Optional: Set a check mark in the check box to view the password. |
Certificate Authority | This option determines whether or not the certificate being created can also be used as a certification authority to sign other certificates. Important: There are different default periods of validity for certificates (1 year) and Certificate Authorities (5 years). Changing this property causes the validity period to be adjusted. |
Path Length | Only available if Certificate Authority is selected. Here you determine how many sub-CA levels can be created with this CA. With a value of 0, no sub-CAs can be signed with this CA, i.e. only "normal" certificates can be signed with this CA. If the field is left blank, there is no limit. |
Key Usage | Click in the box for a choice of preset property values, e.g. data encryption. |
Encryption algorithm | Select the algorithm you require from the list of results. Note: If you select the option "NIST curves", you have to select the type of NIST curve from the Curve field. Note: The new algorithms NIST Curves, ed448 and ed25519 are only partially supported or not yet supported at all by some services, e.g. in the reverse proxy. |
Curve | If you selected the option "NIST curves" under Encryption algorithm, you select the type of NIST curve here. |
Key Size | If you selected the option "RSA" under Encryption algorithm, you select the key size here. Important: Note that key sizes below 2048 are no longer accepted by some services on the firewall, such as mail and HTTPS proxy. |
Hash Algorithm | Select one of the available hash algorithms. |
Extended Key Usage | Here you can click in the box to add further predefined property values from a list, such as the timestamp, for example. |
Subject | Optional: From the drop-down list you can choose any number of subjects, such as Country (C), State (ST), Organization (O), or Organizational Unit (OU), and enter the content in the input box to the right. Click on the icon on the right-hand side to add an entry to the list. You can edit or delete any entry in the lists by clicking on the appropriate icon. Please refer to Icons and buttons for further information. Important: When you edit a Subject, a checkmark will appear to the right of the entry. You first have to confirm your change with this checkmark before you can save the certificate settings. |
Subject Alternative Name (SAN) | Optional: You can enter any number of custom names for different uses and select the appropriate types from the drop-down list. The following types are available: E‑Mail, DNS, DirName, URI, IP and RegID. Click on the icon on the right-hand side to add a Subject Alternative Name (SAN) to the list. You can edit or delete any entry in the lists by clicking on the appropriate icon. Please refer to Icons and buttons for further information. Important: When you edit a Subject Alternative Name (SAN), a checkmark will appear to the right of the entry. You first have to confirm your change with this checkmark before you can save the certificate settings. |
With the buttons in the lower right corner of the editing field, you can create a new certificate and add it to the list of available certificates, or cancel the creation of a new certificate (Cancel).
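
The Certificate Signing Request workflow and the Path Length setting from the table above, reproduced with the OpenSSL command line as an added example (not part of the product or its documentation; all names, subjects and keys are constructed throwaway values, and OpenSSL 1.1.0 or later is assumed). A root CA with Path Length 0 signs one sub-CA request and one server request, and a verifier is then asked to validate a certificate issued directly by the root and one issued through the sub-CA.

```sh
# Added example, not vendor code. Names and keys are constructed, throwaway values.
# Assumes OpenSSL 1.1.0 or later on PATH.
# new_cert <name> <CN> <ext-section> <issuer> <serial>: key + CSR, then the issuer
# signs the request. The validity (-days) is chosen at signing time, not in the CSR.
new_cert() {
  openssl req -new -newkey rsa:2048 -nodes -config ext.cnf -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null &&
  openssl x509 -req -sha256 -in "$1.csr" -CA "$4.crt" -CAkey "$4.key" -set_serial "$5" \
    -days 365 -extfile ext.cnf -extensions "$3" -out "$1.crt" 2>/dev/null
}

# build_chain <dir>: root (Path Length 0) signs "sub" and "direct"; "sub" signs "deep".
build_chain() (
  cd "$1" || exit 1
  cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = replaced-by-subj
[ca_len0]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[ca_nolimit]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf]
basicConstraints = critical, CA:FALSE
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -config ext.cnf -extensions ca_len0 \
    -subj "/CN=Example Root CA" -days 1825 -keyout root.key -out root.crt 2>/dev/null &&
  new_cert sub "Example Sub CA" ca_nolimit root 2 &&
  new_cert direct "direct.example.test" leaf root 3 &&
  new_cert deep "deep.example.test" leaf sub 4
)

# check_chain <dir> <cert> [intermediate]: prints "valid" or the reason for rejection.
check_chain() (
  cd "$1" || exit 1
  out=$(openssl verify -CAfile root.crt ${3:+-untrusted "$3"} "$2" 2>&1) && { echo valid; exit 0; }
  case $out in
    *"path length constraint exceeded"*) echo "path length constraint exceeded" ;;
    *) echo "rejected: $out" ;;
  esac
)

d=$(mktemp -d) && build_chain "$d" &&
  echo "direct: $(check_chain "$d" direct.crt)" &&
  echo "deep:   $(check_chain "$d" deep.crt sub.crt)"
```

The certificate signed directly by the root validates, while the one issued through `sub` is rejected because `sub` is an intermediate CA below a root whose Path Length is 0.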