See below for how to create root or subordinate Certificate Authority instances.
To create a Certificate Authority instance
- Log in to the Management Console as one of the users created in Creating Certificate Authority tenants. This user will be the tenant of the new Certificate Authority.
- In the content pane, click Manage Solution under Certificate Authority (CA).
- Click the Operations sidebar command.
- Click Organizations and select the organization to which the new CA will belong. You can also select Create Organization and create a new organization.
Do not use organization names such as 'test' and 'testuser' because they are used for testing operations.
- Click New.
- Configure the following settings.
- Click Submit to create the new Certificate Authority.
- Copy the password of the client PKCS #12 credential, which is needed to consume the Certificate Authority services.
Click Download to download a PKCS #12 credential file for each of the selected Administrators.
Do not lose the PKCS #12 files or passwords, as you cannot obtain them later.
CA Type
The type of Certificate Authority.
Type | Description |
---|---|
Root Certificate Authority | A top-level Certificate Authority. |
Issuing Certificate Authority | An intermediate CA that is signed by a Root CA or another Subordinate CA. |
External Root Certificate Authority | A Root Certificate Authority that was not created with the Certificate Authorities solution. |
Mandatory: Yes.
CA ID
A unique identifier for the new Certificate Authority within its organization.
Identifier length | Supported characters |
---|---|
3-18 characters | Lowercase letters, numbers, dashes ("-"), and underscores ("_"). |
Do not reuse the identifier of a Certificate Authority for up to 24 hours after it has been deleted.
Mandatory: Yes.
CA Key Type
The type of key the new Certificate Authority will use to sign certificates.
Key algorithm | Signature algorithm |
---|---|
ECDSA P-256 | ecdsa-with-SHA256 |
ECDSA P-384 | ecdsa-with-SHA384 |
ECDSA P-521 | ecdsa-with-SHA512 |
RSA 2048 | sha256WithRSAEncryption |
RSA 3072 | sha256WithRSAEncryption |
RSA 4096 | sha512WithRSAEncryption |
NIST plans to deprecate some of these algorithms after December 31, 2030. See https://nvlpubs.nist.gov/nistpubs/ir/2024/NIST.IR.8547.ipd.pdf
Mandatory: Yes.
Certificate Profiles
The profiles the Certificate Authority will support for issuing certificates. See the Certificate profiles reference for a description of each profile.
Mandatory: Select at least one profile.
Issuer CA ID
The identifier of the root Certificate Authority.
Mandatory: When CA Type is Issuing Certificate Authority.
Expiration Date
The expiration date of the Certificate Authority's own signing certificate.
Mandatory: No. If omitted, the value defaults to the following dates.
CA Type | Default expiration date |
---|---|
Root Certificate Authority | 20 years after the certificate is issued |
Issuing Certificate Authority | 10 years after the certificate is issued |
Attributes
The value of each attribute in the Distinguished Name (DN) of the Certificate Authority certificate.
Mandatory: Set at least the CN attribute of the Distinguished Name.
Auditors
The names of the users who will have auditing permission on the Certificate Authority.
On Certificate Authority creation, the Certificate Authorities solution will automatically generate client PKCS #12 files to authenticate these users.
Mandatory: No. If omitted, the Certificate Authority will have no users with auditor permission.
Administrators
The names of the users who will have administrative permissions on the new Certificate Authority. A CA can have multiple administrators and an administrator can be assigned to different CAs.
On Certificate Authority creation, the Certificate Authorities solution will automatically generate client PKCS #12 files to authenticate these users.
Mandatory: Add the name of at least one administrator.
OCSP Key Type
The type of key used to sign OCSP responses served at the following endpoint:
http://{pkihub}/ocsp/{organization}/{caid}
- {pkihub} is the domain name or IP address of the machine running PKI Hub.
- {organization} is the identifier of the CA organization.
- {caid} is the value of the CA ID field.
Mandatory: When CA Type is Issuing Certificate Authority.
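Once the CA certificate has been downloaded, the CA Key Type and Expiration Date settings above can be checked against the certificate that was actually produced. The Go program below is an added example, not part of the Certificate Authorities solution: it encodes the key-type-to-signature-algorithm table and the 20-year root / 10-year issuing defaults, and stands in a constructed self-signed sample root for a downloaded certificate (a real one would be parsed with x509.ParseCertificate after PEM decoding).

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Signature algorithm each CA Key Type implies, as listed in the CA creation form.
var expectedSigAlg = map[string]x509.SignatureAlgorithm{
	"ECDSA P-256": x509.ECDSAWithSHA256, "ECDSA P-384": x509.ECDSAWithSHA384, "ECDSA P-521": x509.ECDSAWithSHA512,
	"RSA 2048": x509.SHA256WithRSA, "RSA 3072": x509.SHA256WithRSA, "RSA 4096": x509.SHA512WithRSA,
}
// KeyTypeOf names the certificate's public key in the form's CA Key Type vocabulary.
func KeyTypeOf(cert *x509.Certificate) string {
	switch k := cert.PublicKey.(type) {
	case *ecdsa.PublicKey: return "ECDSA " + k.Curve.Params().Name
	case *rsa.PublicKey: return fmt.Sprintf("RSA %d", k.N.BitLen())
	default: return "unknown"
	}
}

// CheckCACert checks a downloaded CA certificate against its creation settings: CA flag, key type, default lifetime (20 years root, 10 years issuing) and, for a self-signed root, the signature algorithm the key type implies.
func CheckCACert(cert *x509.Certificate, keyType string, isRoot bool) error {
	maxYears := map[bool]int{true: 20, false: 10}[isRoot]
	switch got := KeyTypeOf(cert); {
	case !cert.IsCA: return fmt.Errorf("basicConstraints CA flag not set")
	case got != keyType: return fmt.Errorf("key type %s, expected %s", got, keyType)
	case cert.NotAfter.After(cert.NotBefore.AddDate(maxYears, 0, 0)): return fmt.Errorf("validity exceeds the %d-year default", maxYears)
	case isRoot && cert.SignatureAlgorithm != expectedSigAlg[keyType]: return fmt.Errorf("signature algorithm %v, expected %v", cert.SignatureAlgorithm, expectedSigAlg[keyType])
	}
	return nil
}

// NewSampleRoot builds a constructed self-signed ECDSA root that stands in for a downloaded CA certificate.
func NewSampleRoot(curve elliptic.Curve, years int) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(curve, rand.Reader)
	now := time.Now().UTC()
	tpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "sample-root"},
		NotBefore: now, NotAfter: now.AddDate(years, 0, 0), IsCA: true, BasicConstraintsValid: true}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, tpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}
func main() { fmt.Println(CheckCACert(NewSampleRoot(elliptic.P256(), 20), "ECDSA P-256", true)) }
```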