Step 1: Create the RootCA

Instructions below will guide you on how to create a ROOT Certification Authority with the name RootCA in node B EJBCA Hardware Appliance.

Create a Certificate Profile for the RootCA

The first step is the creation of a certificate profile for the RootCA using Administration web-pages of EJBCA. We will use a template (ROOTCA) for that which we’ll clone.

When the CA is renewed it will look in the profile for the default values, simplifying the renewal process.

  1. Click Certificate Profiles in the section CAFunctions.
  2. Click Clone for ROOTCA:

    Certificate Profiles
  3. Set Name of new certificate profile to RootCACertificateProfile:

    Clone a certificate profile
  4. Click Create from template. The new profile is now displayed in the List of Certificate Profiles:

    Certificate Profiles
  5. Click Edit for the newly created profile and make the following changes:

    • Available bit lengths: Set to 4096
    • Validity: Set to 3650d
    • Path Length ConstraintEnable and set Value to 1
    • Available CAs: Select Any CA
  6. Click Save.

Create Crypto Token for RootCA

Create a CryptoToken and generate public keys which will be used from RootCA.

  1. Access the EJBCA Administration GUI.

  2. Navigate to CA Functions > CryptoTokens.

  3. Click Create New...

    Crypto Tokens
  4. In the form New Crypto Token, enter the following values and then click Save:

    • Name: Set to RootCA CryptoToken
    • Type: Set to PKCS#11
    • Authentication Code: Set to foo123
      (which was the password previously set)
      Make sure that you have manually generated slot password for that slot!
    • PKCS#11 Reference Type: Set to Slot ID
    • PKCS#11 Reference: Set to 2
      The index numbers will be different, depending on the installation
    • Auto-activation: Leave the box unchecked.
  5. In the Settings page the following message will be visible : Crypto Token created successfully..

To create the keys proceed as follows:

  1. Enter default Key as the key Alias.
  2. Click RSA 4096 and then the Generate new key pair button.
  3. Click the Test button.
  4. You should see the message "default Key tested successfully".
  5. Enter sign Key with RSA 4096 and click the Generate new key pair  button.
  6. Click the Test button. You should see the message "sign Key  tested successfully".
  7. Enter test Key with RSA 1024 and click the Generate new key pair button. The following message should be visible "test Key tested successfully".

    Keypair creation

Create a RootCA

This section involves the actual creation of the RootCA.

  1. Click Certification Authorities.

  2. Enter RootCA in the field AddCA and click Create:

    Certification Authorities
  3. In the Create CA form, make the following settings:

    • Signing Algorithm: Set to SHA256WithRSA
    • CryptoToken: Set to RootCA Crypto Token
    • Validity(*y *mo *d): Set to 10y
    • Subject DN: Set to CN=RootCA, O=EJBCA Course,C=SE
    • Certificate Profile: Select RootCACertificateProfile
    • CRL Expire Period (*d *h *m): Set to 2d. The value defines how long a CRL is valid for. The letter d specifies days.
    • CRL Issue Interval (*d*h*m): Set to 0d. The value defines how often the CRLs are to be issued. In this case the CRLs will be issued once everyday but will be valid for two days.
    • CRL Overlap Time (*d*h*m): Set to 6h. The value defines the number of minutes both CRLs are valid for. For example, thirty minutes before the first CRL will expire it will issue a new CRL.

    The values in this profile are for renewal.

  4. Click Create.