Create a certificate
Via this page, a self-signed certificate can be created.
Name: This value is shown on the certificates page to identify a certificate in the database. It has no meaning for the created certificate itself.
Days valid: Specify for how many days the certificate is valid.
IP Name or IP Address: This is the hostname for which the certificate will be valid. It will be used for the Common Name in the subject of the certificate.
The following optional properties can also be added to the subject of the certificate.
- Country Code
- State or Province name
- Locality or City
- Organization
- Organizational unit
- E-Mail address
Additionally, multiple subject alternative names for the host can be specified. These are alternative names for which the certificate is valid. Currently three different types of subject alternative names can be added via the web interface:
- DNS: Specifies a DNS domain name. If the Apresa has multiple different IP names, they can all be specified as a DNS name.
- IP: Specifies an IP address. Adding an IP address will also make the certificate valid if the Apresa is approached directly via its IP address.
- URI: Specifies a uniform resource identifier, like a SIP URI.
Empty alternative names will not be included in the certificate.
The option "Copy common name to subject alternative name" is on by default and will copy the Common Name (filled in as IP Name or IP Address) to the subject alternative names. If this is not desired, this option may be unchecked.
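Why the copy option matters, as an added sketch that is not Apresa code: current browsers match the requested host only against the subject alternative names, by type, and do not fall back to the Common Name. The function names, the sample names and the rule that a copied IP literal becomes an IP entry are assumptions of this example.

```python
import ipaddress

def as_ip(text):
    """Return an ip_address object, or None if text is not an IP literal."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def build_san(common_name, alt_names, copy_cn=True):
    """Model the form: skip empty names, optionally copy the CN into the list."""
    san = [(kind, value.strip()) for kind, value in alt_names if value.strip()]
    if copy_cn and common_name:
        # Assumption: a copied IP literal becomes an IP entry, anything else DNS.
        kind = "IP" if as_ip(common_name) is not None else "DNS"
        if (kind, common_name) not in san:
            san.append((kind, common_name))
    return san

def dns_match(pattern, host):
    """Exact match, or a wildcard that covers exactly one leftmost label."""
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def host_matches(host, san):
    """True if a client connecting to `host` finds a SAN entry of the right type."""
    ip = as_ip(host)
    for kind, value in san:
        if ip is not None:
            # IP connections only match IP entries, never DNS entries.
            if kind == "IP" and as_ip(value) == ip:
                return True
        elif kind == "DNS" and dns_match(value.lower(), host.lower()):
            return True
    return False  # URI entries are not used for HTTPS host checks

# Constructed sample values (documentation ranges, not from the Apresa manual).
FORM_NAMES = [("DNS", "recorder.example.com"), ("IP", "192.0.2.10"),
              ("URI", "sip:recorder@example.com"), ("DNS", "")]

if __name__ == "__main__":
    for copy_cn in (True, False):
        san = build_san("apresa.example.com", FORM_NAMES, copy_cn)
        for host in ("apresa.example.com", "recorder.example.com", "192.0.2.10"):
            print(copy_cn, host, host_matches(host, san))
```

With the option unchecked, a client that connects to the Common Name host finds no matching entry, even though that name is in the certificate subject.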
Note that when a self-signed certificate is used, warnings may be generated or the certificate may be rejected entirely. For example, if a self-signed certificate is used for an HTTPS connection, browsers will warn about this. To get around these issues, the certificate would have to be imported by the clients that are connecting to the Apresa. Alternatively, a certificate issued by a trusted certificate authority can be uploaded to the Apresa instead.
Note: If you have manually configured lighttpd on the command line to use a custom certificate, that configuration might be overwritten, or a conflict might arise, when HTTPS certificates are configured in the web interface.
Advanced settings
Enabling this checkbox will show more options for including certificate extensions. The default selection should suffice for most applications, but if desired, adjustments to these extensions can be made here. Note that for a certificate signing request, the extensions may be included in the request, but it is up to the certificate authority to decide whether these extensions are copied into the signed certificate.
Common to all extensions
Critical: Marks the extension as critical. If an extension is marked as critical and an application does not understand the extension, the certificate must be rejected. If the extension is not marked as critical, it can be ignored.
Basic Constraints
Include: Include this extension in the certificate.
CA certificate: Enable if the certificate is a certificate authority certificate.
Path length: If the certificate is a CA certificate, the path length indicates the maximum number of CAs that can appear below this one in a certificate chain.
Key usage
Indicates for what purposes the public key contained in the certificate may be used. If no key usage is selected, this extension will be omitted.
Extended key usage
Further refines the key usage extension. If no extended key usage is selected, this extension will be omitted.
Secret Key:
Key type: This setting controls which type of keypair is generated for the certificate. By default, a keypair based on the RSA algorithm is generated. On Debian 10, elliptic curve keypairs can also be generated.
RSA bits: The length of the RSA key. The default length is 2048 and should be sufficient. The key length can be increased if desired, but this will require a higher computational cost.
Curve type: Which elliptic curve should be used to generate an elliptic curve keypair.