The following procedure creates an issuing (subordinate) Certificate Authority (CA).

If the root CA of the new issuing CA is an external root CA, have at hand the certificate that the root CA issued for the new issuing CA; you upload it in the last step of the procedure.

To create an issuing Certificate Authority

  1. Open the following URL in a Web browser. 

    https://<machine>/management-console

    Where <machine> is the IP address or domain name of the machine hosting Entrust PKI Hub.

  2. Log in to the Management Console as one of the users created in Creating Certificate Authority tenants. This user becomes the tenant of the new issuing Certificate Authority.
  3. In the content pane, click Manage Solution under Certificate Authority (CA).
  4. Click the Operations sidebar command.
  5. In the Organizations list, select an existing organization or select Create Organization to create one, as explained in Creating Certificate Authority organizations.
  6. Click New.
  7. Configure the settings described in the field reference that follows these steps.
  8. Click Submit to create the new Certificate Authority.
  9. Copy the password of the client authentication PKCS #12 created for each new auditor or administrator (if any).

  10. Click Download to download the PKCS #12 files.

    Do not lose the PKCS #12 files or their passwords: they cannot be retrieved later.

  11. If the root CA of the new issuing CA is an external root CA, click Upload certificate and paste a PEM-encoded certificate signing certificate issued by the root CA. 

CA Type

Click Issuing Certificate Authority

Mandatory: Yes.

CA ID

Type a unique identifier for the new Certificate Authority within its organization. This identifier:

  • Must be 3-18 characters long.
  • Can only include lowercase letters, numbers, underscores ("_"), and hyphens ("-").

Do not reuse the identifier of a deleted Certificate Authority for 24 hours after its deletion.

Mandatory: Yes.

CA Key Type

The type of key the new Certificate Authority will use to sign certificates.

Key algorithm    Signature algorithm
ECDSA P-256      ecdsa-with-SHA256
ECDSA P-384      ecdsa-with-SHA384
ECDSA P-521      ecdsa-with-SHA512
RSA 2048         sha256WithRSAEncryption
RSA 3072         sha256WithRSAEncryption
RSA 4096         sha512WithRSAEncryption

NIST will deprecate some algorithms after Dec 31, 2030. See https://nvlpubs.nist.gov/nistpubs/ir/2024/NIST.IR.8547.ipd.pdf

Mandatory: Yes. 

Certificate Profiles

The profiles the Certificate Authority will support for issuing certificates. See the Certificate profiles reference for a description of each profile.

Mandatory: Select at least one profile.

Issuer CA ID

The identifier of the root Certificate Authority.

Mandatory: Yes.

Expiration Date

The expiration date for the certificate signing certificate of the Certificate Authority. 

Mandatory: No. When omitted, the value defaults as follows.

CA Type                          Default expiration date
Root Certificate Authority       20 years after the certificate is issued
Issuing Certificate Authority    10 years after the certificate is issued

Attributes

The value of each attribute in the Distinguished Name (DN) of the Certificate Authority certificate. 

Mandatory: Set at least the CN attribute of the Distinguished Name. 

Auditors

Enter the names of the users who will have auditor permission on the Certificate Authority. For each name, you can:

  • Enter a user name already assigned to another CA so that the user will have permissions on different CAs.
  • Enter a new user. 

Upon CA creation, the Management Console only displays download buttons for the client authentication PKCS #12 of the new users.

Mandatory: No. If you omit this value, no user will have auditor-only permission on the Certificate Authority.

Use the trash icon to remove Auditor fields you do not want to fill out. Otherwise, they will display a Please fill out this field warning when you click Save.

Administrators

Enter the names of the users who will have administration permission on the Certificate Authority. For each name, you can:

  • Enter a user name already assigned to another CA so that the user will have permissions on different CAs.
  • Enter a new user. 

Upon CA creation, the Management Console only displays download buttons for the client authentication PKCS #12 of the new users.

Mandatory: Yes. Add the name of at least one administrator. 

OCSP Key Type

The type of key used to sign OCSP responses served at the following endpoint.

http://{pkihub}/ocsp/{organization}/{caid}

  • {pkihub} is the domain name or IP address of the machine running PKI Hub.
  • {organization} is the identifier of the CA organization.
  • {caid} is the value of the CA ID field.

Mandatory: Yes.
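As an added example, not part of the Entrust documentation, the following Python script checks a planned issuing-CA request against the field rules above before anything is typed into the form: the CA ID format and the 24-hour reuse rule, the key-type to signature-algorithm pairs, the default expiration dates, the mandatory fields, the OCSP endpoint pattern, and a basic paste check on the PEM certificate required for an external root. The request dict layout, the deleted-ID bookkeeping, the sample names and the placeholder certificate are all assumptions made for this example; PKI Hub exposes none of them.

```python
"""Pre-flight checks for an issuing-CA request (added example). Field rules are
the ones stated on the page; the request dict layout is an assumption."""
import base64
import re
from datetime import datetime, timedelta, timezone

# CA Key Type: key algorithm -> signature algorithm the CA will use.
SIGNATURE_FOR_KEY = {
    "ECDSA P-256": "ecdsa-with-SHA256",
    "ECDSA P-384": "ecdsa-with-SHA384",
    "ECDSA P-521": "ecdsa-with-SHA512",
    "RSA 2048": "sha256WithRSAEncryption",
    "RSA 3072": "sha256WithRSAEncryption",
    "RSA 4096": "sha512WithRSAEncryption",
}
CA_ID_RE = re.compile(r"^[a-z0-9_-]{3,18}$")  # 3-18 of lowercase, digits, _ -
REUSE_QUARANTINE = timedelta(hours=24)  # no reuse of a deleted CA ID for 24 h
DEFAULT_LIFETIME_YEARS = {"root": 20, "issuing": 10}  # default Expiration Date
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)


def ca_id_problems(ca_id, deleted_at=None, now=None):
    """Problems with a proposed CA ID (empty list: acceptable). deleted_at maps
    deleted CA IDs to their deletion time: your own bookkeeping, assumed here."""
    problems = []
    if not CA_ID_RE.match(ca_id):
        problems.append(f"CA ID {ca_id!r} must be 3-18 chars of [a-z0-9_-]")
    now = now or datetime.now(timezone.utc)
    deleted = (deleted_at or {}).get(ca_id)
    if deleted is not None and now - deleted < REUSE_QUARANTINE:
        problems.append(f"CA ID {ca_id!r} was deleted less than 24 hours ago")
    return problems


def default_expiration(ca_type, issued_at):
    """Default Expiration Date: 20 years for a root CA, 10 for an issuing CA."""
    target_year = issued_at.year + DEFAULT_LIFETIME_YEARS[ca_type]
    try:
        return issued_at.replace(year=target_year)
    except ValueError:  # issued on 29 Feb and the target year has no 29 Feb
        return issued_at.replace(year=target_year, day=28)


def ocsp_url(pkihub, organization, caid):
    """OCSP endpoint the Hub serves for this CA, from the page's URL pattern."""
    return f"http://{pkihub}/ocsp/{organization}/{caid}"


def looks_like_pem_certificate(text):
    """Paste check for the Upload certificate step: PEM armour present and the
    body is valid base64 of a DER SEQUENCE (0x30). Catches paste errors only."""
    match = PEM_RE.search(text)
    if not match:
        return False
    try:
        der = base64.b64decode("".join(match.group(1).split()), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(der) > 0 and der[0] == 0x30


def check_request(req, deleted_at=None, now=None):
    """All problems with a request dict; an empty list means ready to submit."""
    problems = ca_id_problems(req.get("ca_id", ""), deleted_at, now)
    if req.get("key_type") not in SIGNATURE_FOR_KEY:
        problems.append("CA Key Type must be one of: " + ", ".join(SIGNATURE_FOR_KEY))
    if not req.get("profiles"):
        problems.append("select at least one certificate profile")
    if not req.get("issuer_ca_id"):
        problems.append("Issuer CA ID (the root CA) is required")
    if not req.get("attributes", {}).get("CN"):
        problems.append("set at least the CN attribute of the Distinguished Name")
    if not req.get("administrators"):
        problems.append("add at least one administrator")
    if not req.get("ocsp_key_type"):
        problems.append("OCSP Key Type is required")
    if req.get("external_root") and not looks_like_pem_certificate(
            req.get("ca_certificate_pem", "")):
        problems.append("external root CA: paste its PEM-encoded CA certificate")
    return problems


# Constructed sample input: names are placeholders, SAMPLE_PEM is not a real
# certificate (base64 of a tiny DER SEQUENCE, enough for the paste check).
SAMPLE_ISSUED_AT = datetime(2024, 2, 29, tzinfo=timezone.utc)
SAMPLE_DELETED_AT = {"old-ca": SAMPLE_ISSUED_AT}
SAMPLE_NOW = SAMPLE_ISSUED_AT + timedelta(hours=1)
SAMPLE_LATER = SAMPLE_ISSUED_AT + timedelta(hours=25)
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
              + "\n-----END CERTIFICATE-----\n")
SAMPLE_REQUEST = {"ca_id": "issuing-ca_01", "key_type": "ECDSA P-384",
                  "profiles": ["tls-server"], "issuer_ca_id": "root-ca",
                  "attributes": {"CN": "Example Issuing CA", "O": "Example Corp"},
                  "administrators": ["alice"], "ocsp_key_type": "ECDSA P-384"}

if __name__ == "__main__":
    print(check_request(SAMPLE_REQUEST) or "ready to submit")
    print(ocsp_url("pkihub.example.net", "example-org", SAMPLE_REQUEST["ca_id"]))
```

The PEM check deliberately stops at "is this a base64-encoded DER object": it catches a truncated or mangled paste, which is what the last step of the procedure is exposed to, but it does not prove the certificate was issued by the intended root or carries CA basic constraints; verify that with your PKI tooling before uploading.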