13 CERTIFICATE AUTHORITY (CA)
Revoked certificate: Add a new certificate to the list of certificates to be revoked by entering the serial number of the certificate (in hex form) in the “Revoked certificate” edit box and clicking the “Add” button.
Next update: The “next update” is the date at which the CA claims it will issue a new CRL. If the CA contains a CRL distribution point (see section 13.1) make sure that a new CRL is available and downloadable from the CRL distribution point before the CRL expires. The next update is specified in days from the date of the CRL creation.
Update existing CRL: If “update existing CRL” is selected, an existing CRL is updated with the new serial numbers. The new CRL will contain the serial numbers of the old CRL and the new serial numbers. If “update existing CRL” is not selected, a completely new CRL will be created with only the new serial numbers. It is best to always update an existing CRL because certificates that were previously revoked should remain revoked.
The CRL will be signed by the issuing CA. A CRL should be signed to make it possible for external parties to check whether the CRL is a valid CRL and is issued by the CA. Windows versions prior to “XP-sp3” do not support “SHA256WithRSA” or better. If older Windows versions should be supported you are advised to use “SHA1WithRSA”. If support for older Windows versions is not required you are advised to select “SHA256 With RSA”.
Clicking the “Create CRL” button will create the new CRL. The new CRL will be automatically added to the CRL store (see section 11). If the CA specifies a CRL distribution point the CRL should be published. Download the CRL from the CRL store and upload it to the CRL distribution point URL.
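The three choices above (hex serial numbers, “next update” counted in days from creation, and whether an existing CRL is updated) can be checked with a small model of the procedure. This is an added example, not code from the product or its documentation; the function and class names are assumed, and the dates and serials are constructed sample values.

```python
"""Model of the CRL-creation choices described above (added example, not the
product's code): serials are typed in hex, 'next update' is given in days from
creation, and 'update existing CRL' carries the old serial numbers over."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta


def parse_hex_serial(text: str) -> int:
    """Normalise a serial entered in hex: accepts a '0x' prefix, colon or space
    separators and either case; rejects anything that is not hexadecimal."""
    cleaned = text.strip().lower().replace(":", "").replace(" ", "")
    if cleaned.startswith("0x"):
        cleaned = cleaned[2:]
    if not cleaned or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError(f"not a hex serial number: {text!r}")
    return int(cleaned, 16)


@dataclass
class Crl:
    this_update: datetime
    next_update: datetime
    revoked: frozenset[int] = field(default_factory=frozenset)


def build_crl(new_serials, days_valid, created, existing=None, update_existing=True):
    """Create a CRL the way the dialog does. 'created' is an ISO date string.
    With update_existing the old serials are kept; without it only the new
    serials are listed. Returns the CRL plus the set of serials that would
    silently become un-revoked (non-empty only when update_existing is False)."""
    new = {parse_hex_serial(s) for s in new_serials}
    old = existing.revoked if existing else frozenset()
    revoked = frozenset(old | new) if update_existing else frozenset(new)
    dropped = old - revoked
    now = datetime.fromisoformat(created)
    return Crl(now, now + timedelta(days=days_valid), revoked), dropped


def republish_before(crl: Crl, today, lead_days: int = 2) -> bool:
    """True when the CRL at the distribution point must be replaced soon:
    'today' (ISO date) is already past nextUpdate or within lead_days of it."""
    return datetime.fromisoformat(today) + timedelta(days=lead_days) >= crl.next_update
```

The `dropped` set is the reason the text recommends always updating an existing CRL: with `update_existing=False`, every serial on the old list disappears from the new one.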
13.9 Send certiﬁcates
Sometimes end-users require a copy of their certificates (and private keys). For example, they experienced a system crash and had to completely reinstall the system (and forgot to make a backup).
The “Send certificates” page can be used to send a new copy of the certificate and private key to an external user. This is also known as “key escrow”. Clicking “Send certificates” opens the “Send selected certificates to recipient” page (see figure 51). Sending CA certificates by email is not allowed. This is done to prevent accidental leakage of CA certificates.
Password: This has already been explained. See section 13.4.
SMS password: This has already been explained. See section 13.4.