See below for creating a root Certificate Authority (CA) with a self-signed certificate issued by the Certificate Authority solution.

To create a root Certificate Authority instance 

  1. Open the following URL in a Web browser. 

    https://<machine>/management-console

    Where <machine> is the IP address or domain name of the machine hosting Cryptographic Security Platform.

  2. Log in to the Management Console as one of the users created in Creating Certificate Authority tenants. This user will be the tenant of the new root Certificate Authority.
  3. In the content pane, click Manage Solution under Certificate Authority (CA).
  4. Select Operations in the sidebar.
  5. Select an organization under Organization List

    See Managing organizations for how to create or join an organization.

  6. Click New under Certificate Authority.
  7. Configure the following settings.
  8. Click Submit to create the new Certificate Authority.
  9. Copy the password of the client authentication PKCS #12 created for each new auditor or administrator (if any).

  10. Click Download PKCS12 to download the PKCS #12 files. Each PKCS #12 includes:
    • The certificate of the CA that issues the client certificates. This certificate is also available in the Certificate Authority for CA Gateway Clients tab.
    • A client certificate.
    • The private key of the client certificate.
  11. Save the PKCS #12 files and passwords in a secure place, as you cannot obtain them later. 

CA Type

Click Root Certificate Authority.

Mandatory: Yes.

CA ID

Type a unique identifier for the new Certificate Authority within its organization. This identifier:

  • Must be 3-18 characters long.
  • Can only include lowercase letters, numbers, underscores ("_"), and hyphens ("-").

Do not reuse the identifier of a Certificate Authority for up to 24 hours after it has been deleted.

Mandatory: Yes.

CA Key Type

The type of key the new Certificate Authority will use to sign certificates.

Key algorithm

Signature algorithm

ECDSA P-256

ecdsa-with-SHA256

ECDSA P-384

ecdsa-with-SHA384

ECDSA P-521

ecdsa-with-SHA512

RSA 2048

sha256WithRSAEncryption

RSA 3072

sha256WithRSAEncryption

RSA 4096

sha512WithRSAEncryption

NIST will deprecate some algorithms after Dec 31, 2030. See https://nvlpubs.nist.gov/nistpubs/ir/2024/NIST.IR.8547.ipd.pdf

Mandatory: Yes. 

Certificate Profiles

The profiles the Certificate Authority will support for issuing certificates. See the Certificate profiles reference for a description of each profile.

Mandatory: Select at least one profile.

Expiration Date

The expiration date for the certificate signing certificate of the Certificate Authority. 

Mandatory: No. This value defaults to the following dates. 

CA Type

Default expiration date

Root Certificate Authority

20 years after the certificate is issued

Issuing Certificate Authority

10 years after the certificate is issued

Attributes

The value of each attribute in the Distinguished Name (DN) of the Certificate Authority certificate. 

Mandatory: Set at least the CN attribute of the Distinguished Name. 

Auditors

Enter the names of the users who will have auditor permission on the Certificate Authority. For each name, you can:

  • Enter a user name already assigned to another CA so that the user will have permissions on different CAs.
  • Enter a new user. 

Upon CA creation, the Management Console only displays download buttons for the client authentication PKCS #12 of the new users.

Mandatory: No. When omitting this value, the Certificate Authority will not have users with only auditing permission.

Use the trash icon to remove Auditor fields you do not want to fill out. Otherwise, they will display a Please fill out this field warning when you click Save.

Administrators

Enter the names of the users who will have administration permission on the Certificate Authority. For each name, you can:

  • Enter a user name already assigned to another CA so that the user will have permissions on different CAs.
  • Enter a new user. 

Upon CA creation, the Management Console only displays download buttons for the client authentication PKCS #12 of the new users.

Mandatory: Yes. Add the name of at least one administrator.