Step-by-step guides

Beginners may follow these steps to easily create their first certificates. This guide shows the minimal requirements for various tasks. For more advanced use of XCA, users are encouraged to familiarize themselves with the applicable standards.

Create a new Database

If the New Certificate button is greyed out, you first need to create a new database. If you already have a database, you may need to open it instead.

  1. Click the File menu.

  2. Click New Database.

  3. Type the name of the new database into the file selector box.

  4. Enter a password into the New Password dialog.

  5. Click the OK button at the bottom.

Setting up a Root CA Certificate

  1. Click the Certificates tab.

  2. Click the New Certificate button.

  3. Make sure the Source tab is showing, clicking it if necessary.

    • At the bottom of the panel, ensure that the default CA template is showing, and click the Apply all button. This will fill in appropriate values under the Extensions, Key Usage, and Netscape tabs.

  4. Click the Subject tab.

    • Type in the internal name; this is for display purposes in the tool, only.

    • Fill in the required fields in the upper Distinguished Name section (Country name, State/Province, Locality, Organization, Common name, E-Mail address). The common name can be something like “ACME Certificate Authority”.

    • If you want to add in any additional parts to the distinguished name, use the Add button.

    • Select the desired private key or generate a new one.

  5. Click the Extensions tab.

    • The Time Range is probably fine (10 years). If you want to change the duration, then change it and click Apply.

  6. The CRL distribution point will be part of the issued certificates. You should, however, settle on a common URL for all of them, such as http://www.example.com/crl/crl.der

  7. Click the OK button at the bottom.

You may wish to now issue an (initially) empty CRL. Follow the instructions given for issuing CRLs below, except that you do not actually revoke any certificate.

Creating a CA-Signed Host Certificate

  1. Click the Certificates tab.

  2. Click the New Certificate button.

  3. Make sure the Source tab is showing, clicking it if necessary.

    • At the bottom of the panel, select the template “(default) TLS_server” (or another suitable template, if you have created your own) and click the Apply button. This will fill in appropriate values under the Extensions, Key Usage, and Netscape tabs.

    • In the Signing section, select the certificate that will be used to sign the new certificate.

  4. Click the Subject tab.

    • Type in the internal name; this is for display purposes in the tool, only. For host certificates, the host FQDN (fully qualified domain name) is not a bad choice.

    • Fill in the required fields in the upper “Distinguished Name” section (Country code, State/Province, Locality, Organization, Common name, E-Mail address). For host certificates, the common name must be the FQDN to which you wish users to connect. This need not be the canonical name of the host, but can also be an alias. For example, if pluto.example.com is your web server and it has a DNS CNAME entry of www.example.com, then you probably want the Common Name value in the certificate to be www.example.com.

    • If you want to add in any additional parts to the distinguished name, use the drop-down box and Add button.

    • Select the desired private key or generate a new one.

  5. Click the Extensions tab.

    • Change the Time Range if desired and click Apply.

    • In the event that you need to revoke any certificates in the future, you should designate a certificate revocation list location. The location must be unique for this root certificate. XCA exports CRLs in either PEM or DER format with the appropriate suffixes, so keep this in mind when selecting the URL. A URI such as http://www.example.com/crl/crl.der is suitable.

      On the “CRL distribution point” line, click the Edit button. Type in the desired URI, then click Add. Add in any additional desired URIs in the same fashion. Click Validate and Apply. (Alternate mechanisms such as OCSP are beyond the scope of this guide.)

    • Click the OK button at the bottom.

Creating a Self-Signed Host Certificate

This procedure is almost identical to that of creating a CA-Signed certificate with the following exceptions:

  1. When creating the certificate, select “Create a self signed certificate” under the Source tab.

  2. Self-signed certificates cannot be revoked, so the CRL URI should be blank.

Setting Up A Template

If you have, or expect to have, multiple hosts under one domain and signed by the same root certificate, then setting up a template for your hosts can simplify host certificate creation and improve consistency.

The values of a template are applied on the first tab of the certificate-generation dialog. You can choose whether the subject part, the extensions part, or both parts of the template are applied. This way a subject-only template can be defined and later applied together with the TLS_client or TLS_server template.

  1. Click on the Templates tab.

  2. Click on the New Template button.

  3. Select an appropriate value for the Preset Template Values, then click OK.

  4. Under the Subject tab, specify an internal name for the template.

  5. Fill in (or modify) any values that you wish to be populated when using the template. Leave the rest blank (notably the “Common Name” field).

  6. When all desired fields are filled in, click the OK button at the bottom of the window.

Your template is now ready for use when creating new certificates.

Alternatively, you can export an existing certificate or certificate signing request to a template via the item's Export context menu.

Revoking a Certificate issued by a CA

  1. Click the Certificates tab.

  2. Right-click on the certificate that you want to revoke and select Revoke.

  3. Right-click the CA certificate that was used to sign the certificate being revoked. Select CA -> Generate CRL.

  4. Click the OK button in the Create CRL dialog.

  5. Click on the Revocation lists tab in the main window.

  6. Right-click on the CRL you just generated and select Export. Select the desired format (probably DER) and click OK.

  7. Copy the exported CRL to the location published in the issued certificate’s CRL Distribution Points.

  8. Optionally, delete older CRLs for the same CA certificate.
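As an added example (not part of the XCA documentation and not XCA's own code), the following Python script, which assumes the `cryptography` package is installed, reproduces the procedures of this guide end to end: a self-signed root CA with a 10-year range, a CA-signed host certificate whose common name is the FQDN and which carries the CRL distribution point, and a CRL that is first empty and then lists a revoked serial. `relying_party_check` is the check a client performs against the published CA certificate and CRL; the names and the key type (ECDSA P-256) are constructed here, not taken from the guide.

```python
import datetime as dt
from cryptography import x509
from cryptography.x509.oid import NameOID, ExtensionOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

CDP_URL = "http://www.example.com/crl/crl.der"  # the URL used in this guide
NOW = dt.datetime.now(dt.timezone.utc)
def cn(name):  # a subject consisting only of a Common Name (constructed names)
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])

def make_root_ca():
    """Self-signed CA, as in 'Setting up a Root CA Certificate' (10-year range)."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder().subject_name(cn("ACME Certificate Authority"))
            .issuer_name(cn("ACME Certificate Authority")).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + dt.timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def issue_host_cert(ca_key, ca_cert, fqdn):
    """CA-signed host certificate: CN is the FQDN and it carries the CRL distribution point."""
    key = ec.generate_private_key(ec.SECP256R1())
    dp = x509.DistributionPoint([x509.UniformResourceIdentifier(CDP_URL)], None, None, None)
    return (x509.CertificateBuilder().subject_name(cn(fqdn)).issuer_name(ca_cert.subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + dt.timedelta(days=365))
            .add_extension(x509.CRLDistributionPoints([dp]), critical=False)
            .sign(ca_key, hashes.SHA256()))

def generate_crl(ca_key, ca_cert, revoked_serials):
    """The CRL the CA publishes at CDP_URL; an empty list gives the 'initially empty CRL'."""
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
         .last_update(NOW).next_update(NOW + dt.timedelta(days=30)))
    for serial in revoked_serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder()
                                      .serial_number(serial).revocation_date(NOW).build())
    return b.sign(ca_key, hashes.SHA256())

def relying_party_check(cert, ca_cert, crl):
    """What a client does with the published files: chain, CRL signature, CDP URL, status."""
    ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                ec.ECDSA(cert.signature_hash_algorithm))  # raises on failure
    cdp = cert.extensions.get_extension_for_oid(ExtensionOID.CRL_DISTRIBUTION_POINTS).value
    urls = [n.value for point in cdp for n in point.full_name]
    if not crl.is_signature_valid(ca_cert.public_key()) or crl.issuer != cert.issuer:
        raise ValueError("CRL was not issued by the certificate's CA")
    revoked = crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None
    return {"cdp_urls": urls, "revoked": revoked}
```

Run the checks once against the empty CRL and again after revoking the host serial; a certificate signed by a different root fails the chain step before revocation is even consulted.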