All certificates from the database are displayed in a tree view reflecting the chain dependencies. If there is a CA certificate and several client certificates signed by this CA, the client certificates can be shown by clicking on the plus sign of the CA certificate.
XCA will recognize CA certificates if the CA flag in the Basic Constraints is set to true. If there is a corresponding private key, the CA sub-menu in the context menu will be enabled.
For building the chains, the CA flag is disregarded, because there are some CAs without this flag. Instead, XCA considers the issuer name and the signature to decide which certificate is the issuer. If there is more than one possible issuer, the one with the latest expiry date is used as the issuer under which all issued certificates are collected.
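The issuer selection described above, as an added example in Python (not XCA's own code): candidates are matched by issuer name and signature, the CA flag is never consulted, and the latest expiry wins. It assumes the `cryptography` package and ECDSA keys; all function names and sample certificates are constructed for illustration.

```python
from datetime import datetime, timedelta
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def make_cert(cn, key, issuer_cn, issuer_key, days, ca_flag=False):
    """Build a constructed sample certificate; ca_flag=False omits Basic Constraints."""
    name = lambda s: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, s)])
    start = datetime(2024, 1, 1)
    b = (x509.CertificateBuilder().subject_name(name(cn)).issuer_name(name(issuer_cn))
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(start).not_valid_after(start + timedelta(days=days)))
    if ca_flag:
        b = b.add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
    return b.sign(issuer_key, hashes.SHA256())

def expiry(cert):
    # not_valid_after_utc exists in newer cryptography releases; fall back otherwise.
    return getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after

def signed_by(cert, candidate):
    """Name check first, then signature check; the CA flag is deliberately not consulted."""
    if cert.issuer != candidate.subject:
        return False
    try:
        candidate.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                      ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False

def pick_issuer(cert, pool):
    """Return the latest-expiring certificate in pool that issued cert, or None."""
    return max((c for c in pool if signed_by(cert, c)), key=expiry, default=None)

def demo():
    """Constructed pool: an old CA without the flag, its renewal, and a same-name lookalike."""
    k_ca, k_other, k_leaf = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    old = make_cert("Example CA", k_ca, "Example CA", k_ca, 365)             # no CA flag
    renewed = make_cert("Example CA", k_ca, "Example CA", k_ca, 3650, True)  # same key
    lookalike = make_cert("Example CA", k_other, "Example CA", k_other, 7300, True)
    leaf = make_cert("client", k_leaf, "Example CA", k_ca, 90)
    orphan = make_cert("stray", k_leaf, "Missing CA", k_other, 90)
    return [old, lookalike, renewed], leaf, orphan
```

The lookalike shares the CA's name and expires last, but it is rejected because its key does not verify the leaf's signature; a name match alone is never sufficient.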
After clicking on the New Certificate button, the Certificate input dialog is started to ask for all information needed to generate a new certificate. See: The Certificate input dialog
Certificate creation can also be invoked by the context menu of the certificate list background or by the context menu of the request. In this case the Certificate input dialog is preset with the request to be signed.
If a CA certificate is selected in the certificate list, this certificate will be preselected as issuing certificate.
The signer is the internal name of the issuer's certificate, SELF SIGNED if the certificate is self-signed, or SIGNER UNKNOWN if the issuer's certificate is not available. The validity is set to valid if the certificate's dates are valid, or to Not valid if they are not, compared to the internal time and date of the OS.
If the certificate is revoked, the revocation date will be shown instead.
On the Subject and Issuer tab, the distinguished name is also displayed in the format defined in RFC 2253 for copy and paste.
When exporting PKCS#12 structures you are asked later for an encryption password.
A certificate transformation creates a new database entry based on the selected certificate.
Certificates can only be revoked if the private key of the issuer's certificate is available. The certificate will be marked as revoked and the revocation date and reason will be stored with the CA certificate.
If more than one unrevoked certificate of the same issuer is selected, all of them will be revoked at once with the same revocation date and reason. The context menu shows this by adding the number of selected certificates in square brackets.
To generate a CRL, revoke the appropriate certificates and select CA->Generate CRL in the context-menu of the signing certificate.
Certificates can only be renewed if the private key of the issuer's certificate is available. Renewal is done by creating a new certificate as a copy of the original one with adjusted validity dates.
Use the Revoke old certificate check-box to automatically revoke the old certificate.
If more than one certificate of the same issuer is selected, all of them will be renewed at once with the same validity dates. The context menu shows this by adding the number of selected certificates in square brackets.
The context menu of CA certificates contains the CA sub-menu, which makes the following functions available:
Non-existing certificates may be revoked by adding the serial number of the certificate. Since version 1.3.0 it is no longer required to keep revoked certificates in the database, because the revocation information is stored together with the CA certificate.