Creating a certificate authority (CA) allows you to issue
certificates using your own private key. The corresponding CA public
key is itself contained within a certificate, called a CA Certificate.
You must distribute this certificate to clients in order for them
to access your server. A browser must contain this CA Certificate
in its "trusted root library" in order to trust certificates signed
by the CA's private key.
To create a certificate authority, perform the following steps:
Enter the information required to create a certificate
authority. You must complete all fields to create a valid CA certificate.
The certificate request is generated after you respond to the last
question.
PEM Passphrase
Encryption Bits The largest recommended size is 1024 bits. Encryption strength
is often described in terms of the size of the keys used to perform
the encryption; in general, longer keys provide stronger encryption.
Key length is measured in bits. Private key sizes larger than 1024
bits are incompatible with some versions of Netscape Navigator and
Microsoft Internet Explorer.
Default Days The default number of days until expiration for certificates
issued by the CA. A large number, such as 1825 (5 years) is usually
appropriate so that certificates signed with this key do not expire
too soon.
Certificate Key File Use OpenVMS syntax (defaults to SSL$KEY:SERVER_CA.KEY).
CA Certificate File Use OpenVMS syntax (defaults to SSL$CRT:SERVER_CA.CRT).
Country Name A certificate authority can define a policy that specifies
which distinguished names are optional and which are required. The
distinguished name is defined in the config file (.cnf), and is
usually made up of more than one field. The number and makeup of
the fields are defined by the certificate authority, and are found
in the config file under the [req_distinguished_name] field. A certificate
authority can also place requirements on the field contents, as
can users of certificates. As an example, a Netscape browser requires
that the common name for a certificate representing a server has
a name that matches a wildcard pattern for the domain name of that
server, such as *.xyz.com.
State or Province Name
City Name
Organization Name
Organization Unit Name
Common Name This can be any text string that you want to use to identify
the authority. The name can be generic, such as CA Authority, or
more specific, such as nodenameCA.
Email Address
Require Unique Subject Names If you accept the default or answer YES, then certificates
must have unique subject names. If you answer NO, then certificates
can have duplicate subject names, and are distinguished from one another
by the serial number that is assigned to them. Answering NO allows
you to have two certificates with the same subject name in the database.
This makes it easier to issue new certificates when the old certificates
are about to expire.
The UNIQUE_SUBJECT variable in the OPENSSL-VMS.CNF configuration
file is set to YES or NO, depending on the answer to the Require
Unique Subject Names question. After a CA and its database is created,
the UNIQUE_SUBJECT variable should not be changed. If at a later
time you want to change the setting, you must recreate the entire
database.
Display the Certificate
View the details of the certificate authority (if
you chose to display the certificate).
Version (SSL 3.0 protocol)
Serial number (Certificates issued by a CA have
a serial number that is unique to the certificates issued by that
CA.)
HP Open Source Security for OpenVMS Volume 2:... 
Using the Certificate Tool
