If you want to leverage PKIaaS issuing CAs while maintaining the root of trust within your organization, PKIaaS allows you to sign an issuing CA using a non-PKIaaS root CA you owned.

For this use case, you must add your external root CA certificate in ECS Enterprise before adding an issuing CA (as explained in Adding an issuing CA under an external root CA).

To add an external root CA

  1. Navigate to Administration > PKIaaS Management.
  2. In the side pane, click Add Private CA.
  3. In Select CA, choose External Root Certificate Authority, and click Next

  4. Click Next to display the CA Information form.

  5. Enter the following information. 
  6. Click Next to review the external root CA information.

  7. Click Submit.
  8. When the CA creation completes, check the CA details in the CA grid view.
  9. Refresh the grid. You will notice that the status changes to Active.

Friendly Name

Enter an informal name for the new CA.

Mandatory: Yes.

Self-Signed Root Certificate

Paste the base64-encoded (PEM) self-signed root CA certificate.

Mandatory: Yes.

Region

Select the region in which the CA will be hosted.

The region of the root CA decides the region of the issuing CA.

Mandatory: Yes.