PKIaaS provides the following CA instantiation capabilities.
CA types
Each customer may have one or more subordinate issuing CAs. You can:
- Create an online root CA and add issuing CAs subordinate to this root CA.
- Add an issuing CA signed by an external root CA – for example, your on-premise Microsoft root CA.
CA key and signature algorithms
The following CA key and signature algorithm pairs are supported.
Key algorithm | Signature algorithm |
|---|---|
ECDSA P-256 | ecdsa-with-SHA256 |
ECDSA P-384 | ecdsa-with-SHA384 |
ECDSA P-521 | ecdsa-with-SHA512 |
RSA 2048 | sha256WithRSAEncryption |
RSA 3072 | sha256WithRSAEncryption |
RSA 4096 | sha512WithRSAEncryption |
The NIST will deprecate some algorithms after Dec 31, 2030. See https://nvlpubs.nist.gov/nistpubs/ir/2024/NIST.IR.8547.ipd.pdf
Secure CA key management
All CA private keys are stored in Entrust nShield Connect XC high HSMs FIPS140-2 level 3.
CA creation time
CAs are automatically provisioned in ~60 seconds after submitting your request.
CA validity period
CA certificates have a default validity period of 20 years for root CAs and 10 years for subordinate issuing CAs. You can select a different period when creating each CA.
An issuing CA should have a minimum lifespan of 3 years to support some features. For example, to automate Intune/MDM enrollment using an Entrust Hosted Certificate Enrollment Gateway, an issuing CA must have at least 3 years of remaining lifespan when the Enrollment Gateway is created.