Creating an issuing CA under an online root CA
See below for how to create an issuing CA after Creating an online root CA.
To create an issuing CA
Navigate to Administration > PKIaaS Management.
In the side pane, click Add Private CA.
In Select CA, choose Issuing Certificate Authority.
Click Next to display the CA Information screen.
Enter the values described below .
Click Next to review the CA information.
Click Submit.
In the confirmation request, click OK to start the CA creation process.
When the CA creation completes, check the CA details in the CA grid view.
Refresh the grid. You will notice that the status changes to Active.
Friendly Name
Enter an informal name for the new CA.
Mandatory: Yes.
Signing Key Details
Select one of the algorithms described in Certification Authority instantiation.
Mandatory: Yes.
Region
This view-only field displays the region of the root CA.
You cannot change the region for an issuing CA. The region of the issuing CA will be decided by the region of the root CA that signs the issuing CA.
Enable OCSP
Check box if you want to enable OCSP for this issuing CA.
You cannot change this setting after provisioning the CA.
Mandatory: No.
Expiry Date
Select the expiry date for the CA certificate. Use the date picker or enter a date in the following format.
mm/dd/yyyyThe expiry date of an issuing CA must be earlier than the expiry date of the root CA.
Mandatory: No. If you do not assign a specific expiry date, the expiry period defaults to 10 years for issuing CAs.
Services
Select a predefined set of certificate profiles. For example,
Select Intune for Automating Intune enrollment with an Entrust-hosted Enrollment Gateway.
Select Active Directory for Automating enrollment with an on-premises Enrollment Gateway and WSTEP.
Mandatory: No.
Service Profiles
Select the certificate profiles you want to enable in the issuing CA.
Mandatory: No.
Distinguished Name Fields
Enter a value for each field in the Distinguished Name of the CA certificate.
Mandatory: Only the Common Name certificate field.