Asymmetric encryption and signing need keys. XCA only supports RSA keys, not DSA keys. All keys are stored encrypted in the database using the 3DES algorithm.
Every key carries a use counter that counts how often it is used. For new requests or certificates, the list of available keys is reduced to the keys with a use counter of 0.
The dialog asks for the internal name of the key and the key size in bits. Although the drop-down list only shows the most usual values, any other value can be entered by editing this box.
While random prime numbers are being searched for, a progress bar is shown. Although the progress bar carries a Cancel button, clicking it has no effect, since the underlying OpenSSL routine does not support aborting the search. So think twice before generating a 4096 bit key on an 80 MHz i486 PC ....
After the key generation is done, the key is stored in the database.
Keys can be exported either by selecting the key and pressing Export or by using the context menu. This opens a dialog box where the following settings can be adjusted:
The filename is the internal name plus a pem, der or pk8 suffix. When changing the file format, the suffix of the filename changes accordingly.
Only PKCS#8 or PEM files can be encrypted, because the DER format (although it could be encrypted) has no way to supply the encryption algorithm, e.g. DES.
Of course the encryption is pointless if the private part is not exported.
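The three export formats and the encryption rule described above, reproduced with the openssl CLI as an added example (this is not XCA's own code; the file names and the passphrase are constructed for the demonstration):

```shell
#!/bin/sh
# Added example, not part of the XCA manual: the same three export formats
# (pem, der, pk8) produced with the openssl CLI, plus a check showing which
# of them is protected by a passphrase. File names and passphrase are constructed.
set -eu

# export_key FORMAT IN OUT [PASS]
# Writes the RSA key IN to OUT as pem, der or pk8. A non-empty PASS encrypts
# the pem export (traditional PEM, cipher announced in the DEK-Info header)
# and the pk8 export (PKCS#8, algorithm identifier inside the structure).
# The traditional DER form has no header to record a cipher, so it is
# always written unencrypted, as the manual says.
export_key() {
  fmt=$1; in=$2; out=$3; pass=${4:-}
  case $fmt in
    pem) if [ -n "$pass" ]; then
           openssl pkey -in "$in" -traditional -des3 -passout "pass:$pass" -out "$out"
         else
           openssl pkey -in "$in" -traditional -out "$out"
         fi ;;
    der) openssl pkey -in "$in" -traditional -outform DER -out "$out" ;;
    pk8) if [ -n "$pass" ]; then
           openssl pkcs8 -topk8 -in "$in" -v2 des3 -passout "pass:$pass" -out "$out"
         else
           openssl pkcs8 -topk8 -in "$in" -nocrypt -out "$out"
         fi ;;
    *)   echo "unknown format: $fmt" >&2; return 2 ;;
  esac
}

# needs_passphrase FILE FORMAT: succeeds when FILE cannot be loaded without a
# passphrase (an empty one is offered and must be rejected).
needs_passphrase() {
  inform=PEM; [ "$2" = der ] && inform=DER
  ! openssl pkey -in "$1" -inform "$inform" -passin pass: -noout 2>/dev/null
}

# demo_exports: generate a 2048 bit key and export it in all three formats;
# prints the directory holding the exports.
demo_exports() {
  dir=$(mktemp -d)
  openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null
  export_key pem "$dir/key.pem" "$dir/export.pem" 'example-pass'
  export_key pk8 "$dir/key.pem" "$dir/export.pk8" 'example-pass'
  export_key der "$dir/key.pem" "$dir/export.der"
  echo "$dir"
}
```

Inspecting `export.pem` shows the `DEK-Info: DES-EDE3-CBC` header that names the cipher, which is exactly what the bare DER file has no room for.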