# Creating a Root Certificate

## **Enroll**

Users with the Officer role can enroll a Root CA from the CA Certificates UI.

The workflow generates an HSM-backed CA key pair and either issues a self-signed root certificate or produces a CSR for external signing, as defined by policy (with M-of-N approvals if enabled

{% hint style="info" %}
Note: CA certificates and OCSP certificates are both generated using this UI.
{% endhint %}

<figure><img src="https://2804668976-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FOwstGDJbR4yGRTr2aEFp%2Fuploads%2FxKVKyAaxT5sFW7reZOKE%2Fimage.png?alt=media&#x26;token=f040c606-0f64-487b-b0f8-79faaa7761e0" alt=""><figcaption></figcaption></figure>

## Generate Key Pair

Click on "Generate Key Pair " to open the following dialog:

<figure><img src="https://2804668976-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FOwstGDJbR4yGRTr2aEFp%2Fuploads%2FRFIm1Wkto5v30qqAV5Ov%2Fimage.png?alt=media&#x26;token=cff2dfc4-17d2-4308-869c-a79dd0f6799e" alt=""><figcaption></figcaption></figure>

Enter the number of keys that you want to generate. In general, you will need 1 key for 1 CA and 1 more key, if that CA will receive an OCSP certificate.

Select the "Key Profile" you want to use from the first dropdown list.

<figure><img src="https://2804668976-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FOwstGDJbR4yGRTr2aEFp%2Fuploads%2Fd8qUwN5iCiZK5Mws5x3X%2Fimage.png?alt=media&#x26;token=94da3767-7ef7-4d85-b220-a7c0bd6e168e" alt=""><figcaption></figcaption></figure>

Choose the "Algorithm" from the drop-down

Select the "Signature algorithm". This will filter the element for the third dropdown list accordingly.

<figure><img src="https://2804668976-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FOwstGDJbR4yGRTr2aEFp%2Fuploads%2FGZvy9I6okw6ej0BzxJRG%2Fimage.png?alt=media&#x26;token=6a50a0a8-ccd1-428c-bbad-e807c180e359" alt=""><figcaption></figcaption></figure>

Select the "Key Algorithm" and "Key Size"

<figure><img src="https://2804668976-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FOwstGDJbR4yGRTr2aEFp%2Fuploads%2FAzDY4En5UBxXsqGMkRTN%2Fimage.png?alt=media&#x26;token=9fad6836-0132-4877-b89e-f9244ae50fb7" alt=""><figcaption></figcaption></figure>

Press "Proceed" to continue and authenticate the action via Username & Password or Hard/ Soft token basis.

<figure><img src="https://2804668976-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FOwstGDJbR4yGRTr2aEFp%2Fuploads%2FhMMczkTagP2gG3XZAFeD%2Fimage.png?alt=media&#x26;token=36a9fcb5-bffd-40a1-8527-e8eeb77d8c6c" alt=""><figcaption></figcaption></figure>

Click on "Generate Key Pair(s)" to generate the keys

<figure><img src="https://2804668976-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FOwstGDJbR4yGRTr2aEFp%2Fuploads%2Fe81o9GsTOSpljcXprY2Z%2Fimage.png?alt=media&#x26;token=0bffdb7f-6937-4a77-b8ee-24743a613949" alt=""><figcaption></figcaption></figure>

After the successful generation of the key pair, click on "View all" or "+ New" to continue with the new Key Pair creation.

## Generate CA Certificate

After creating a key pair, select the "Generate Certificate" or "CSR" option available in the "Action" column of the created key pair.

<figure><img src="https://2804668976-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FOwstGDJbR4yGRTr2aEFp%2Fuploads%2FHXepe9V2zl0ZLIwhS7SB%2Fimage.png?alt=media&#x26;token=be43a5bb-7a65-46ff-ab7e-4409e1e4ab75" alt=""><figcaption></figcaption></figure>

Click on  !\[A black flag on a white background

AI-generated content may be incorrect.]\(data:image/jpeg;base64,/9j/4AAQSkZJRgABAQEAkACQAAD/2wBDAAoHBwkHBgoJCAkLCwoMDxkQDw4ODx4WFxIZJCAmJSMgIyIoLTkwKCo2KyIjMkQyNjs9QEBAJjBGS0U+Sjk/QD3/2wBDAQsLCw8NDx0QEB09KSMpPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT3/wAARCAA0ADgDASIAAhEBAxEB/8QAHwAAAQUBAQEBAQEAAAAAAAAAAAECAwQFBgcICQoL/8QAtRAAAgEDAwIEAwUFBAQAAAF9AQIDAAQRBRIhMUEGE1FhByJxFDKBkaEII0KxwRVS0fAkM2JyggkKFhcYGRolJicoKSo0NTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqDhIWGh4iJipKTlJWWl5iZmqKjpKWmp6ipqrKztLW2t7i5usLDxMXGx8jJytLT1NXW19jZ2uHi4+Tl5ufo6erx8vP09fb3+Pn6/8QAHwEAAwEBAQEBAQEBAQAAAAAAAAECAwQFBgcICQoL/8QAtREAAgECBAQDBAcFBAQAAQJ3AAECAxEEBSExBhJBUQdhcRMiMoEIFEKRobHBCSMzUvAVYnLRChYkNOEl8RcYGRomJygpKjU2Nzg5OkNERUZHSElKU1RVVldYWVpjZGVmZ2hpanN0dXZ3eHl6goOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4uPk5ebn6Onq8vP09fb3+Pn6/9oADAMBAAIRAxEAPwD1yLzpYwwcDNP8uf8A56Ci0/491ovLuOxtJLiX7kYyaTdtwSuHlz/89B+VHlz/APPQVi6F4ysNemeO33Iy/wB7vW+rq/3WB+hqrCIvLn/56Cjy5/8AnoKnpAwJ4IOKQytL50UZYuDiin3f/Hu1FABaf8e61HqkSTabOkgypQ8VJaf8e60l/wD8eM3+4amfwsqO6PCZZ5dP1GYWkhiwxAxU8PiPVoGzHeyCquo/8hKf/eqvketEG+VCkveZ0M3jjV5YdgnZTj7wrqPhxqN3etN9qnaX615tXoPwv+9NWsFuZz6HoN3/AMe7UUXf/Hu1FQWFp/x7rSX/APx4zf7hpbT/AI91qSSMSxsjdGGDSkrpoadnc8u8M+F7PxDe3kl5uwj4AWujm+GmjtERGJFbsc1u6RoVvo7zNASfNbcc1qU7KySFrds80Pwun+0cXKeVnp3rsvD/AIatPD8BS3yWb7xNbNFNNpWE1cgu/wDj3aii7/492opDC0/491qeiigAooooAKKKKAILv/j3aiiigD//2Q==) to start generating a CA certificate.

<figure><img src="https://2804668976-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FOwstGDJbR4yGRTr2aEFp%2Fuploads%2FPLTQaKA8lzzqw07K1NWK%2Fimage.png?alt=media&#x26;token=68516875-6cbc-469a-93b7-56bb448aa963" alt=""><figcaption></figcaption></figure>

The above window opens after clicking on “Action”.

There are two different options available for generation:

* Certificate – use the key to generate a new CA certificate directly.
* CSR – use the key to generate a Certificate Signing Request (CSR).

Choose "Certificate" if you want to directly generate a new CA certificate. This option is applicable if the CA is "self-signed" or the "issuing CA" is in the same instance

Choose "CSR" if the issuing CA is not on the same instance. This is the case if ROOT and SUB CAs are not operated on the same system.

{% hint style="info" %}
Note: You can operate CAs using the appliance functionalities that have their trust anchored outside the Appliance using the option CSR.
{% endhint %}

<figure><img src="https://2804668976-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FOwstGDJbR4yGRTr2aEFp%2Fuploads%2FQRMHK9ifbx8spzJVTCN2%2Fimage.png?alt=media&#x26;token=04de7980-b02a-4963-bda7-3a53c629802e" alt=""><figcaption></figcaption></figure>

CA Administrator created certificate profiles will be available under “Certificate profile” dropdown.

<figure><img src="https://2804668976-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FOwstGDJbR4yGRTr2aEFp%2Fuploads%2FiRqf7Rrenyh2RuFuaBDS%2Fimage.png?alt=media&#x26;token=71c2ac97-6c89-45ec-a7e3-79426c3f5c08" alt=""><figcaption></figcaption></figure>

For "Subject DN Details", enter all Subject Distinguished Name (Subject DN) information for the CA as per the certificate profile selection.

Press "Proceed" to continue. You will be prompted to authenticate the action using your officer token/ username & password. Press "Authenticate" to proceed.

<figure><img src="https://2804668976-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FOwstGDJbR4yGRTr2aEFp%2Fuploads%2F65r0qbpEWjnTaB9vXVid%2Fimage.png?alt=media&#x26;token=4da0bd89-9a93-48f3-b925-b184936308c8" alt=""><figcaption></figcaption></figure>

Officer is required to successfully authenticate and continue with “Create”.

<figure><img src="https://2804668976-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FOwstGDJbR4yGRTr2aEFp%2Fuploads%2F9f2O21z348l182L5aS0S%2Fimage.png?alt=media&#x26;token=7dc8d48c-f5c6-447a-a772-0f97c9da6ae5" alt=""><figcaption></figcaption></figure>

The "Certificate" will be created and downloadable.