Creating a Root Certificate

Enroll

Users with the Officer role can enroll a Root CA from the CA Certificates UI.

The workflow generates an HSM-backed CA key pair and, as defined by policy, either issues a self-signed root certificate or produces a CSR for external signing (with M-of-N approvals if enabled).

Note: CA certificates and OCSP certificates are both generated using this UI.

Generate Key Pair

Click on "Generate Key Pair" to open the following dialog:

Enter the number of keys that you want to generate. In general, you need one key per CA, plus one more key if that CA will also receive an OCSP certificate.

Select the "Key Profile" you want to use from the first dropdown list.

Choose the "Algorithm" from the second dropdown list.

Select the "Signature algorithm". This filters the entries available in the third dropdown list accordingly.

Select the "Key Algorithm" and "Key Size".

Press "Proceed" to continue and authenticate the action with your username and password or with a hard or soft token.

Click on "Generate Key Pair(s)" to generate the keys.

After the key pair has been generated successfully, click on "View all" to list the keys, or on "+ New" to create another key pair.

Generate CA Certificate

After creating a key pair, select the "Generate Certificate" or "CSR" option available in the "Action" column of the created key pair.

Click on to start generating a CA certificate.

The above window opens after clicking on “Action”.

There are two different options available for generation:

  • Certificate – use the key to generate a new CA certificate directly.

  • CSR – use the key to generate a Certificate Signing Request (CSR).

Choose "Certificate" if you want to generate a new CA certificate directly. This option applies if the CA is self-signed or the issuing CA is on the same instance.

Choose "CSR" if the issuing CA is not on the same instance. This is the case if the Root and Sub CAs are not operated on the same system.

Note: The CSR option lets you operate CAs with the appliance functionality while their trust is anchored outside the appliance.

Certificate profiles created by the CA Administrator are available in the “Certificate profile” dropdown.

For "Subject DN Details", enter all Subject Distinguished Name (Subject DN) information for the CA as required by the selected certificate profile.

Press "Proceed" to continue. You will be prompted to authenticate the action using your officer token or your username and password. Press "Authenticate" to proceed.

After successful authentication, the Officer continues with “Create”.

The certificate is created and can be downloaded.
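As an added example, not part of this documentation or the appliance, a POSIX shell check (using the openssl command line; the file name root.pem is an assumption) that a practitioner can run on the downloaded certificate to confirm it is a self-signed CA certificate whose key usage permits certificate signing, before distributing it as a trust anchor:

```shell
#!/bin/sh
# Added example (not the appliance's own code): sanity-check a downloaded
# root CA certificate before distributing it as a trust anchor.
# Usage: check_root_cert /path/to/root.pem   (the file name is an assumption)
# Returns 0 if every check passes, 1 on the first failure.
check_root_cert() {
    f="$1"
    [ -r "$f" ] || { printf 'FAIL: cannot read %s\n' "$f"; return 1; }

    # 1. A root is self-issued: subject and issuer must be identical.
    subj=$(openssl x509 -in "$f" -noout -subject) || return 1
    iss=$(openssl x509 -in "$f" -noout -issuer) || return 1
    [ "${subj#subject=}" = "${iss#issuer=}" ] \
        || { printf 'FAIL: subject and issuer differ\n'; return 1; }

    # 2. The signature must verify against the certificate's own key,
    #    i.e. the file is valid when used as its own trust anchor.
    openssl verify -CAfile "$f" "$f" >/dev/null 2>&1 \
        || { printf 'FAIL: self-signature does not verify\n'; return 1; }

    # 3. basicConstraints must assert CA:TRUE ...
    text=$(openssl x509 -in "$f" -noout -text) || return 1
    printf '%s\n' "$text" | grep -q 'CA:TRUE' \
        || { printf 'FAIL: basicConstraints is not CA:TRUE\n'; return 1; }

    # 4. ... and keyUsage must permit signing certificates (keyCertSign).
    printf '%s\n' "$text" | grep -q 'Certificate Sign' \
        || { printf 'FAIL: keyUsage lacks keyCertSign\n'; return 1; }

    # Report the signature algorithm and validity window for the record.
    printf 'OK: %s\n' "${subj#subject=}"
    printf '%s\n' "$text" | grep 'Signature Algorithm' | head -n 1
    openssl x509 -in "$f" -noout -dates
    return 0
}

# Stand-alone use: check the file given on the command line.
if [ "$#" -gt 0 ]; then
    check_root_cert "$1"
fi
```

A certificate produced with the "CSR" option and signed by an external root will fail check 1 by design; for such a subordinate CA, verify the chain against the external root instead.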
