Certification Authority instantiation
PKIaaS provides the following CA instantiation capabilities.
CA types
Each customer may have one or more subordinate issuing CAs. You can:
Create an online root CA and add issuing CAs subordinate to this root CA.
Add an issuing CA signed by an external root CA – for example, your on-premise Microsoft root CA.
CA key and signature algorithms
The following CA key and signature algorithm pairs are supported.
|
Key algorithm |
Signature algorithm |
|
ECDSA P-256 |
ecdsa-with-SHA256 |
|
ECDSA P-384 |
ecdsa-with-SHA384 |
|
ECDSA P-521 |
ecdsa-with-SHA512 |
|
RSA 2048 |
sha256WithRSAEncryption |
|
RSA 3072 |
sha256WithRSAEncryption |
|
RSA 4096 |
sha512WithRSAEncryption |
The NIST recommends not using RSA2048 after Dec 31, 2030. See https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r5.pdf
Secure CA key management
All CA private keys are stored in Entrust nShield Connect XC high HSMs FIPS140-2 level 3.
CA creation time
CAs are automatically provisioned in ~60 seconds after submitting your request.
CA validity period
CA certificates have a default validity period of 20 years for root CAs and 10 years for subordinate issuing CAs. You can select a different period when creating each CA.
An issuing CA should have a minimum lifespan of 3 years to support some features. For example, to automate Intune/MDM enrollment using an Entrust Hosted Certificate Enrollment Gateway, an issuing CA must have at least 3 years of remaining lifespan when the Enrollment Gateway is created.