NAME
     crca - create and initialize organization's Root CA key package and
     certificate

SYNOPSIS
     crca [-v] [-e exponent] [-k keypkg_owner] [-l length]

AVAILABILITY
     SUNWskica

DESCRIPTION
     The crca utility creates and initializes a key package and self-signed
     certificate for an organization's Root Certification Authority (CA).
     The generated key package contains (among other information) an RSA key
     pair and a distinguished name identifying the Root CA. The generated
     key package and certificate are stored in the configured naming service
     (see fns(5)).

     The Root CA for which the key package and certificate credentials are
     generated is identified by keypkg_owner, which is an X.500 distinguished
     name in string representation. If no keypkg_owner is provided, the user
     who is running crca will be prompted for one.

     The user is prompted to enter a password. This password is used to
     generate an encryption key, under which the private key in the key
     package is encrypted (using triple-DES encryption).

     The length and exponent arguments can be used to specify the length of
     the key and the value of the public exponent of the RSA key pair being
     generated.

  Criteria for choosing your key length
     The security of RSA depends on the difficulty of factoring large numbers
     that are the product of two large primes. The larger the key size, the
     greater the security, but also the slower the RSA operations. To
     determine how long your key should be, you have to consider both the
     intended security and lifetime of the key, and the current
     state-of-the-art factoring techniques.

     Currently, the following RSA key sizes are supported by SKI: 512, 768,
     and 1024 bits. CAs should choose the highest available key size when
     generating their own key pair, since the validity of so many other key
     pairs depends on the security of the one central key.
     Note that a larger key size has some performance impact: doubling the
     key size would, on average, increase the time required for public-key
     operations (encryption and signature verification) by a factor of 4,
     and increase the time taken by private-key operations (decryption and
     signing) by a factor of 8. Key generation time would increase by a
     factor of 16 upon doubling the key size, but this is a relatively
     infrequent operation.

     The default key length for a Root CA is 1024 bits.

  Criteria for choosing the exponent of your public key
     The RSA public key is composed of the public exponent and the modulus.
     The two most commonly used values for the public key exponent are:
     F0=3 and F4=65537 (which is hex 01 00 01). F4 stands for Fermat 4. The
     RSA algorithm calls for a public key exponent that has no common
     divisor with (p-1)(q-1), where p, q are the two primes. With F0 and F4,
     it is easier to find a p and q for which that criterion is met. F4 is a
     good choice for a public exponent because it is large, prime, and of
     low weight, where weight refers to the number of 1's in the binary
     representation.

     The default value for the public exponent is F4.

     Once the Root CA has been created, the ccreds(1) command can be called
     to create credentials for other users, machines or subordinate CAs.

  Root Certification Authority Operations
     Operations performed by a Root CA, including the execution of crca, are
     sensitive operations and should be performed on a standalone machine
     without any network access. Security is important because of the
     sensitivity of the Root CA's private key. A compromised Root CA's
     private key allows others to impersonate that CA.

OPTIONS
     The following options are supported:

     -v               Give verbose output.

     -e exponent      Public exponent for RSA key generation. Either F0
                      (numeric value 3) or F4 (Fermat 4). By default, the
                      public exponent is F4.

     -k keypkg_owner  CA identity. This is a Distinguished Name in printable
                      representation, e.g. "o=SUN, c=US".
     -l length        This is the key length. Supported key sizes are 512,
                      768, and 1024. Defaults to 1024.

SEE ALSO
     keypkg(1), ccreds(1)

NOTES
     For software shipped outside North America, only 512 bit RSA key sizes
     are supported (default).
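The key-length and public-exponent rules described above, worked through in an added example that is not part of the crca man page or of SKI itself: the function names, the toy primes and the policy table are constructed here, and the primes are deliberately tiny so that the gcd(e, (p-1)(q-1)) criterion can be seen to fail for F0 while F4 passes.

```python
# Added example, not SKI code: mirrors the crca rules for key length and
# public exponent, and models why a low-weight exponent such as F4 is cheap.
from math import gcd

SUPPORTED_LENGTHS = {512, 768, 1024}   # key sizes the man page lists for SKI
EXPONENTS = {"F0": 3, "F4": 65537}     # the two exponents crca accepts


def is_prime(n):
    """Trial division; adequate for the small constructed values used here."""
    if n < 2:
        return False
    return all(n % d for d in range(2, int(n ** 0.5) + 1))


def hamming_weight(n):
    """Number of 1 bits, i.e. 'weight' in the man page's sense."""
    return bin(n).count("1")


def modexp_cost(e):
    """Square-and-multiply work for exponent e: (squarings, multiplications)."""
    return e.bit_length() - 1, hamming_weight(e) - 1


def exponent_usable(e, p, q):
    """RSA needs gcd(e, (p-1)(q-1)) == 1, else no private exponent d exists."""
    return gcd(e, (p - 1) * (q - 1)) == 1


def check_params(length, exponent_name, p, q):
    """Return the list of problems with the requested parameters (empty = OK)."""
    problems = []
    if length not in SUPPORTED_LENGTHS:
        problems.append(f"unsupported key length {length}")
    e = EXPONENTS.get(exponent_name)
    if e is None:
        problems.append(f"unknown exponent {exponent_name}")
    elif not exponent_usable(e, p, q):
        problems.append(f"{exponent_name}={e} shares a factor with (p-1)(q-1)")
    return problems


if __name__ == "__main__":
    # Constructed toy primes, far too small for real use, chosen so that
    # p-1 = 6 is divisible by 3: F0 is rejected, F4 is accepted.
    p, q = 7, 11
    print(check_params(1024, "F0", p, q))  # ['F0=3 shares a factor with (p-1)(q-1)']
    print(check_params(1024, "F4", p, q))  # []
    print(modexp_cost(65537))              # (16, 1): 16 squarings, 1 multiply
```

With a 1024-bit modulus the same exponent check is what key generation must repeat for each candidate prime, and the (16, 1) cost of F4 is why verification and encryption stay cheap regardless of modulus size.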
Created 1996-2024 by Maxim Chirkov