skipca: Setting Up Trusted CAs

Certificates are the digital documents that testify to the binding of a public key to an individual or other entity for the purpose of preventing someone else from impersonating you. In order for two hosts running a security package to communicate, they must exchange certificates. The skipca command-line interface is used to designate a CA as trusted and to manage that database. skipca options are add, extract, init, list, delete, create, and revoke CA certificates.

You must either reboot the system or restart the key manager with skipd_restart before any changes will take effect.

This command has broad security implications. By designating a CA, you are trusting the identity of all certificates signed by that CA. Since root CA certificates are self-signed, there is no automated way to verify that a CA certificate actually comes from that CA. Before adding a CA certificate, you must be absolutely certain that the certificate is valid. Validity may be checked by having the CA publish the hash of its certificate publicly and comparing that hash with the hash obtained from the certificate.