FL MGUARD DM UNLIMITED 1.15.x
136
PHOENIX CONTACT 111024_en_01
– cA field of type BOOLEAN and
– pathLenConstraint field (optional) of type INTEGER
For CA certificates the cA field must be set to true. pathLenConstraint is only used if the
cA field is set to true and specifies the number of CA levels allowed below this certifi-
cate. Basic Constraints should be always marked as critical.
Please refer to Chapter 9.2.3 for requirements regarding the Basic Constraints exten-
sion.
– Key Usage
Key Usage controls the intended use of the certificate’s corresponding keys. A key can
be e.g. used to sign Certificate Revocation Lists (CRL), encrypt data or to sign certifi-
cates.
Please refer to Chapter 9.2.3 for requirements regarding the Key Usage extension.
– Subject Alternative Name
The extension Subject Alternative Name can be used to add more identifiers to the cer-
tificate. Subject Alternative Name can contain e.g. e-mail addresses, domain names
etc. It can be used as substitute for the Subject as well, which must be empty in this
case. Please note that the mdm CA is currently not able to handle Subject Alternative
Name extensions.
– CRL Distribution Points (CDP)
Certificates can be revoked, e.g. if a private key was compromised or if it is no longer
valid. Usually an application has to check whether a certificate is still valid, by checking
the validity period and/or by retrieving revocation information from a CRL distribution
point (CDP). To retrieve the information either Certificate Revocation Lists (CRL) can
be used or a dedicated protocol like OCSP. However, the certificate should contain the
information, which CDP should be contacted.
– Authority Information Access
Authority Information Access is not an X.509 standard extension, but an extension de-
fined by the PKIX working group (http://www.ietf.org/html.charters/pkix-charter.html).
Authority Information Access contains information about the issuing CA, e.g. policies,
further root certificates or where to retrieve the higher certificates in the chain, if the
complete chain is not contained in the certificate.
Depending on the settings of these extensions the receiver (not the owner) of a certifi-
cate accepts or denies the communication with the peer, thus preventing any misuse of
certificates and creating a higher level of security.
9.2.1 Create the CA certificates
Depending on your existing infrastructure the mdm CA needs the following certificates:
– A self-signed root certificate (CA
rootCert
) and the matching private key (CA
rootKey
).
If you have another upstream (root) CA in place, there is no need to generate the root
certificate and the matching private key.
The (self-signed) root certificate is distributed to all entities participating in the commu-
nication. It is used by the entities to verify the authenticity of the communication peer
and of any intermediate CAs in the certificate chain. The private key CA
rootKey
is used
to sign the self-signed root certificate.
– A CA certificate (CA
cert
) and the matching private key (CA
key
). This is the certificate
used by the CA to authenticate itself to other entities. This certificate has to be signed
with the root private key, i.e. either with CA
rootKey
or with the key of your existing root
CA. The private key CA
key
is used to sign the certificate request sent by the mdm serv-
er, i.e. it is used to issue certificates for the mGuards.
– A template certificate (CA
templCert
) which is used by the CA as template when issuing
end entity (mGuard) certificates.