
5. RSA Keys

For asymmetric encryption and signing, keys are needed. XCA only supports RSA keys, not DSA keys. All keys are stored encrypted in the database using the 3DES algorithm.

Every key carries a use counter that records how often it has been used. When creating a new request or certificate, the list of available keys is reduced to those with a use counter of 0.

5.1 Generating Keys

The dialog asks for the internal name of the key and the key size in bits. While random prime numbers are being searched for, a progress bar is shown. Although the progress bar has a Cancel button, clicking it has no effect, since the underlying OpenSSL routine does not support aborting the generation. So think twice before generating a 4096 bit key on an 80 MHz i486 PC .... After the key generation is done, the key is stored in the database.

5.2 Key export

Keys can be exported either by selecting the key and pressing Export or by using the context menu. This opens a dialog box where you can change the following settings:

The filename is the internal name plus a pem suffix. If the desired file format is not PEM, it is your responsibility to change the suffix to der or pk8. Only PKCS#8 or PEM files can be encrypted, because the DER format (although it could be encrypted) provides no way to record which encryption algorithm, e.g. DES, was used. Of course, encryption is pointless if the private part is not exported.
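As an added example that is not part of the XCA manual, the following shell script reproduces the key generation of section 5.1 and the export variants of section 5.2 with the openssl command-line tool that XCA builds on. It assumes `openssl` (1.1 or 3.x) is on PATH; the directory `$WORK`, the file names in it and the passphrase are constructed for this example.

```sh
#!/bin/sh
# Added example, not part of the XCA manual: the manual's key generation
# (5.1) and export options (5.2) reproduced with the openssl CLI that XCA
# builds on. Assumes `openssl` (1.1 or 3.x) is on PATH. The work directory,
# file names and passphrase below are constructed for this example.
set -e

WORK="${WORK:-${TMPDIR:-/tmp}/xca-example.$$}"
PASS="${PASS:-constructed-passphrase}"   # sample value, not a real secret

# 5.1: generate an RSA private key of the requested size (PEM output).
gen_key() {                # gen_key <bits> <outfile>
    mkdir -p "$(dirname "$2")"
    openssl genrsa -out "$2" "$1" 2>/dev/null
}

# Report the modulus size in bits of a PEM or PKCS#8 key (encrypted or not).
key_bits() {               # key_bits <keyfile> [passphrase]
    mod=$(openssl rsa -in "$1" -passin "pass:${2:-}" -noout -modulus | cut -d= -f2)
    # An RSA modulus has its top bit set, so each hex digit is exactly 4 bits.
    echo $(( ${#mod} * 4 ))
}

# 5.2a: traditional PEM export, encrypted with 3DES. PEM can carry an
# encrypted key because the cipher is named in its DEK-Info header.
export_pem_encrypted() {   # export_pem_encrypted <keyfile> <outfile>
    openssl rsa -in "$1" -des3 -passout "pass:$PASS" -out "$2" 2>/dev/null
}

# 5.2b: PKCS#8 export, encrypted; the PBE algorithm is stored inside the file.
export_pkcs8_encrypted() { # export_pkcs8_encrypted <keyfile> <outfile>
    openssl pkcs8 -topk8 -in "$1" -v2 des3 -passout "pass:$PASS" -out "$2" 2>/dev/null
}

# 5.2c: raw DER export. The plain PKCS#1 structure has no field that names a
# cipher, so it is written unencrypted, as the manual describes.
export_der() {             # export_der <keyfile> <outfile>
    openssl rsa -in "$1" -outform DER -out "$2" 2>/dev/null
}

# 5.2d: public part only; there is nothing secret here to encrypt.
export_public() {          # export_public <keyfile> <outfile>
    openssl rsa -in "$1" -pubout -out "$2" 2>/dev/null
}

# True if a PEM file carries an encryption marker ("Proc-Type: 4,ENCRYPTED"
# for traditional PEM, "BEGIN ENCRYPTED PRIVATE KEY" for PKCS#8).
is_encrypted_pem() {       # is_encrypted_pem <file>
    grep -q ENCRYPTED "$1"
}

# Run the whole 5.1 -> 5.2 flow once and leave the files under $WORK.
run_example() {
    gen_key 2048 "$WORK/key.pem"
    export_pem_encrypted   "$WORK/key.pem" "$WORK/key.enc.pem"
    export_pkcs8_encrypted "$WORK/key.pem" "$WORK/key.pk8"
    export_der             "$WORK/key.pem" "$WORK/key.der"
    export_public          "$WORK/key.pem" "$WORK/pub.pem"
}

if [ "${1:-}" = "run" ]; then
    run_example
    echo "generated $(key_bits "$WORK/key.pem")-bit key; exports are in $WORK"
    ls -l "$WORK"
fi
```

Run it as `sh example.sh run`. Afterwards `key_bits "$WORK/key.enc.pem" "$PASS"` and `key_bits "$WORK/key.pk8" "$PASS"` both report 2048, showing that the encrypted PEM and PKCS#8 files can be opened again with the passphrase, while `key.der` and `pub.pem` are written in the clear: the first because DER has nowhere to record the cipher, the second because it contains no private material.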
