This section describes how to create a CA certificate and what to think about.
You probably want to create a CA certificate with a long lifetime, 10 years at the very minimum. This is because you don't want to push out the certificate (as a trust anchor) to all your users again when the old CA certificate expires. Although a trust anchor can't really expire, not all software works in accordance with published standards.
Keep in mind that the security requirements might be different 10-20 years into the future. For example, SHA1 is going to be withdrawn in 2010, so make sure you leave enough margin in your choice of digest/hash algorithms, signature algorithms and key lengths.
The command below can be used to generate a self-signed CA certificate.
hxtool issue-certificate \
    --self-signed \
    --issue-ca \
    --generate-key=rsa \
    --subject="CN=CertificateAuthority,DC=test,DC=h5l,DC=se" \
    --lifetime=10years \
    --certificate="FILE:ca.pem"
You just realised that your CA certificate is going to expire soon and that you need to replace it with a new CA. The easiest way to do that is to extend the lifetime of your existing CA certificate.
The example below will extend the CA certificate's lifetime by 10 years. You should compare the new certificate with the old one to verify that it contains all the special tweaks the old certificate had.
hxtool issue-certificate \
    --self-signed \
    --issue-ca \
    --lifetime="10years" \
    --template-certificate="FILE:ca.pem" \
    --template-fields="serialNumber,notBefore,subject,SPKI" \
    --ca-private-key=FILE:ca.pem \
    --certificate="FILE:new-ca.pem"
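The comparison asked for above, as an added example in Go (not part of hxtool or Heimdal): a short-lived CA is self-signed, then re-issued with the same serialNumber, notBefore, subject and key (hence the same SPKI) and a notAfter pushed out by ten years, and the old and new certificates are compared field by field. The function names and the keepTweaks flag are assumptions; the example only models the check that nothing but the lifetime changed, not what hxtool itself does with extensions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue self-signs tmpl with key and returns the parsed certificate (hypothetical helper, not hxtool).
func issue(tmpl *x509.Certificate, key *rsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newCA makes a key and a self-signed CA with the usual tweaks: basicConstraints CA:TRUE, keyCertSign|cRLSign.
func newCA(lifetime time.Duration) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now().UTC().Truncate(time.Second) // X.509 validity times carry whole seconds
	ca, err := issue(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "CertificateAuthority"},
		NotBefore: now, NotAfter: now.Add(lifetime), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}, key)
	return ca, key, err
}

// extendCA re-issues old keeping serialNumber, notBefore, subject and SPKI (same key) with notAfter
// pushed out by extra; with keepTweaks false the CA extensions are lost, which compareCA must catch.
func extendCA(old *x509.Certificate, key *rsa.PrivateKey, extra time.Duration, keepTweaks bool) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{SerialNumber: old.SerialNumber, Subject: old.Subject,
		NotBefore: old.NotBefore, NotAfter: old.NotAfter.Add(extra)}
	if keepTweaks {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = old.IsCA, old.BasicConstraintsValid, old.KeyUsage
	}
	return issue(tmpl, key)
}

// compareCA reports, field by field, whether the old and the re-issued CA certificate agree.
func compareCA(old, cur *x509.Certificate) map[string]bool {
	return map[string]bool{
		"serialNumber":  old.SerialNumber.Cmp(cur.SerialNumber) == 0,
		"notBefore":     old.NotBefore.Equal(cur.NotBefore),
		"subject":       old.Subject.String() == cur.Subject.String(),
		"SPKI":          string(old.RawSubjectPublicKeyInfo) == string(cur.RawSubjectPublicKeyInfo),
		"CA extensions": old.IsCA == cur.IsCA && old.KeyUsage == cur.KeyUsage,
	}
}
```

The notAfter is deliberately left out of the comparison because it is the one field that is supposed to change.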
The example below creates a new subordinate certificate authority.
hxtool issue-certificate \
    --ca-certificate=FILE:ca.pem \
    --issue-ca \
    --generate-key=rsa \
    --subject="CN=CertificateAuthority,DC=dev,DC=test,DC=h5l,DC=se" \
    --certificate="FILE:dev-ca.pem"