X Certificate and Key Management

XCA supports MySQL, MariaDB and PostgreSQL as database servers. This article shows briefly how to set up a database for XCA. Generally it is as easy as:

  1. Create a database
  2. Create a user with full access to this database
  3. Set up network access permissions if required

The following examples assume:

  1. The database username as 'youruser'
  2. The database name as 'yourdbname'
  3. The password as 'yourpass'
  4. The Server IP as 10.1.0.1/16

PostgreSQL

Connect to your database server as the postgres superuser:

$ sudo -u postgres psql
CREATE DATABASE yourdbname;
CREATE USER youruser WITH ENCRYPTED PASSWORD 'yourpass';
GRANT ALL PRIVILEGES ON DATABASE yourdbname TO youruser;

For remote access:

  1. Add the required "listen_addresses=localhost,10.1.0.1" in /etc/postgresql/9.1/main/postgresql.conf
  2. Enable the new user for remote access:
       $ sudo sh -c 'echo "host yourdbname youruser 10.1.0.0/16 md5" >> /etc/postgresql/9.1/main/pg_hba.conf'
  3. Reload the server:
       $ sudo /etc/init.d/postgresql reload
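As an added example (not part of XCA or of this article), here is a small Python audit of the pg_hba.conf rule added in step 2: it parses the file, finds the rule PostgreSQL would apply to a given client (first match wins) and flags entries a defender would not want on a server that holds XCA key material. The sample file content is constructed; the parser deliberately ignores @file includes, +group names and comma-separated lists.

```python
import ipaddress

# Constructed sample pg_hba.conf (not taken from the XCA project); the third
# rule is the one this article appends in step 2, the last one is a bad example.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE    USER      ADDRESS          METHOD
local   all         postgres                   peer
host    all         all       127.0.0.1/32     md5
host    yourdbname  youruser  10.1.0.0/16      md5
host    all         all       0.0.0.0/0        trust
"""

def parse_pg_hba(text):
    """Parse pg_hba.conf records; comments and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4:
            continue
        if fields[0] == "local":  # local records carry no address column
            rules.append({"type": "local", "database": fields[1], "user": fields[2],
                          "address": None, "method": fields[3]})
            continue
        address, rest = fields[3], fields[4:]
        if "/" not in address and rest and rest[0][:1].isdigit():  # "addr mask" form
            address, rest = address + "/" + rest[0], rest[1:]
        if rest:
            rules.append({"type": fields[0], "database": fields[1], "user": fields[2],
                          "address": address, "method": rest[0]})
    return rules

def matching_rule(rules, database, user, client_ip):
    """Return the first network rule PostgreSQL would apply, or None (rejected)."""
    ip = ipaddress.ip_address(client_ip)
    for r in rules:
        if r["type"] == "local" or r["database"] not in ("all", database):
            continue
        if r["user"] not in ("all", user):
            continue
        try:
            net = ipaddress.ip_network(r["address"], strict=False)
        except ValueError:  # hostnames, samehost/samenet are not handled here
            continue
        if ip in net:
            return r
    return None

def audit(rules):
    """Flag rules with no or cleartext authentication, or reachable from anywhere."""
    findings = []
    for n, r in enumerate(rules, 1):
        if r["method"] == "trust":
            findings.append((n, "no authentication (trust)"))
        elif r["method"] == "password":
            findings.append((n, "cleartext password method"))
        if r["address"] in ("0.0.0.0/0", "::/0"):
            findings.append((n, "rule reachable from any address"))
    return findings
```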

MySQL / MariaDB

Connect to your database as root:

$ mysql -u root -p
CREATE DATABASE yourdbname;
GRANT ALL PRIVILEGES ON yourdbname.* to 'youruser'@'localhost' IDENTIFIED BY "yourpass";
GRANT ALL PRIVILEGES ON yourdbname.* to 'youruser'@'10.1.%' IDENTIFIED BY "yourpass"; -- For network access only
FLUSH PRIVILEGES;

XCA Connection dialog

More than one XCA database in one remote database

The Table Prefix setting can be used to store more than one XCA database in the same remote database: each XCA database is given a different table prefix.

Database passwords

When handling remote databases, there are two passwords. The first is for the database user 'youruser' (in these examples 'yourpass') and grants access to the database server itself. XCA asks for it with:

"Please enter the password to access the database server 10.1.0.1 as user 'youruser'."

The second one is the encryption/decryption password for the private keys stored inside the database. This is the same password XCA also manages for SQLite databases:

"Please enter the password for unlocking the database: youruser@10.1.0.1/QMYSQL3:yourdbname"

This password is never transmitted un-hashed over the network to the database server. When more than one XCA database is stored in one server database, differing only in the Table Prefix described above, the database server password for 'youruser' (in these examples 'yourpass') is the same for all of them, while the password for encrypting and decrypting the private keys may differ for each.