Step 5: Create SignCA as SubCA in Node A

You will create the first of the SubCAs, that is, SignCA. Like the other SubCAs, it will be installed on EJBCA Hardware Appliance node A (where Management CA is installed) and will be signed by RootCA.

The following sections describe the actions you have to perform.

Create Crypto Token for SignCA

Proceed as follows to create a Crypto Token and generate the key pairs that SignCA will use.

  1. In the EJBCA Administration GUI, open CA Functions > Crypto Tokens
  2. Click Create New... to open the New Crypto Token form:

    Crypto Token creation for SignCA
  3. Specify the following values:

    • Name: Enter SignCA Crypto Token
    • Type: Select PKCS#11
    • Authentication Code: Enter foo123
      Make sure that you have manually generated the slot password for that slot.
    • Auto-activation: Activate this option.
    • PKCS#11 Reference Type: Select Slot ID
    • PKCS#11 Reference: Enter 2
      The index numbers will be different depending on the installation.
  4. Click Save. In the settings page the following message will appear: Crypto Token created successfully.  Continue with creating the following keys.
  5. Underneath the table, enter defaultKeySignCA (value for Alias) and RSA 4096 (value for Key Algorithm and Key Specification) and click Generate new key pair.
  6. Click the Test button in the table. The following message will appear: defaultKeySignCA tested successfully.
  7. Underneath the table, enter signKeySignCA with RSA 4096 and click Generate new key pair.
  8. Click the Test button in the table. The following message will appear: signKeySignCA tested successfully.
  9. Underneath the table, enter testKeySignCA with RSA 1024 and click Generate new key pair.
     The test key is only used for testing the crypto token (the Test button and the health check), never for signing, which is why a shorter key is acceptable here.

  10. Click the Test button in the table. The following message will appear: testKeySignCA tested successfully.

    Create keys for SignCA

Create SignCA

Proceed as follows to actually create the SignCA:

  1. Open CA Functions > Certification Authorities.
  2. Enter SignCA in the field Add CA and click Create:

    Create SignCA in Certification Authorities
  3. In the Create CA form, specify the following:

    • Signing Algorithm: Select the option SHA256WithRSA
    • Crypto Token: Select the option SignCA CryptoToken
    • Subject DN: Enter the values CN=SignCA,O=EJBCA Course,C=SE
    • Signed by: Select the option External CA
      When this option is selected, some fields will become read-only.
    • CRL Expire Period (*d *h *m): Enter the value 12h
      This option defines how long a CRL is valid for.
    • CRL Issue Interval (*d *h *m): Enter the value 0
      This option defines how often CRLs are issued. The value 0 means that a new CRL is issued only when the current one is about to expire, that is, when it enters its overlap time. With the values used here, a new CRL valid for 12h is issued about 10h after the previous one, so a valid CRL is always available.
    • CRL Overlap Time (*d *h *m): Enter the value 2h
      This option defines how long before its expiry a CRL is replaced by a new one.

      Note that only some options are visible in the screenshot below.

    SignCA settings
  4. In the section Externally signed CA creation/renewal click Browse... and upload the RootCA.pem file.

    This step is NOT needed if you have imported RootCA as an External CA. Otherwise, RootCA.pem can be downloaded from the Public Web of the EJBCA Hardware Appliance on which RootCA is installed.

  5. Click Make Certificate Request:

    Create CSR for SignCA
  6. Save the .csr file with Save File.
  7. To check the status of the CAs, click Certification Authorities in the section CA Functions. Status for SignCA is Waiting for Certificate Response.

  8. In the EJBCA Hardware Appliance where RootCA is installed (node B), you have to create an end entity to which the SignCA certificate will be bound. Navigate to RA Functions > Add End Entities and provide the following values:

    • End Entity Profile: Select the option SubCAEndEntityProfile
    • Username: Enter the value signCA
    • Password and Confirm Password: Enter the value foo123
    • CN, Common name: Enter the value SignCA
    • O, Organization: Enter the value EJBCA Course
    • C, Country (ISO 3166): Enter the value SE
    • Certificate Profile: Select the option SubCACertificateProfile
    • CA: Select the option RootCA
    • Token: Select the option User Generated

    Create an End Entity for SignCA in EJBCA Hardware Appliance with installed RootCA
  9. Click Add

  10. Open Enroll > Create Certificate from CSR and enter the following values:

    • Username: Enter the value signCA
      This is the end entity you just created.
    • Enrollment code: Enter the value foo123
    • Request file: Click Browse and upload SignCA_csr.pem
    • Result type: Select the option PEM - full certificate chain
      The chain is NOT needed if you have RootCA as External CA. Then it is enough to select PEM - certificate only.

    Sign CSR request for SignCA
  11. Click OK

  12. Save the SignCA.pem file:

    Download signed .pem for SignCA
  13. In the EJBCA Hardware Appliance where SignCA is installed (node A), click Certification Authorities, select SignCA (status Waiting for Certificate Response) and press Edit CA.
  14. In the section Externally signed CA creation/renewal > Step 2, click Browse and select the SignCA.pem file.

  15. Click Receive Certificate Response:

    Upload signed CSR for SignCA
  16. In the section CA Functions > Certification Authorities you will see that SignCA is now active:

    Activated SignCA
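Before uploading the response in step 15, it is worth checking that the SignCA.pem you downloaded from node B is really what node A expects. The script below is an added example; it is not part of the course material or of EJBCA. It uses the openssl CLI and, because the real signKeySignCA never leaves the appliance HSM, constructs a stand-in RootCA, SignCA key and CSR locally (the file names and the extension file are assumptions) to show the checks on the certificate issued through the signCA end entity: the certified public key is identical to the one in the CSR, the certificate chains to RootCA.pem, it carries CA:TRUE with keyCertSign and cRLSign, and it uses SHA256WithRSA with a 4096-bit key.

```shell
#!/bin/sh
# Added example, not from the EJBCA course or EJBCA itself: checks to run on the
# signed SignCA.pem before clicking Receive Certificate Response. Needs the openssl CLI.
# The real signKeySignCA lives in the appliance HSM, so a stand-in root, key and CSR
# are constructed here (file names and the extension file are assumptions).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_fixture_pki() {
  # Stand-in for RootCA.pem downloaded from node B (self-signed here).
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=RootCA/O=EJBCA Course/C=SE" \
    -keyout "$WORK/root.key" -out "$WORK/RootCA.pem" 2>/dev/null

  # Stand-in for the CSR that Make Certificate Request produces for signKeySignCA.
  openssl req -new -newkey rsa:4096 -nodes -sha256 \
    -subj "/CN=SignCA/O=EJBCA Course/C=SE" \
    -keyout "$WORK/signca.key" -out "$WORK/SignCA_csr.pem" 2>/dev/null

  # Extensions a SubCA certificate profile is expected to put in the certificate.
  cat > "$WORK/subca.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF

  # Equivalent of signing the CSR through the signCA end entity on RootCA.
  openssl x509 -req -in "$WORK/SignCA_csr.pem" -CA "$WORK/RootCA.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -sha256 -days 1825 \
    -extfile "$WORK/subca.ext" -out "$WORK/SignCA.pem" 2>/dev/null

  # What "PEM - full certificate chain" returns: SignCA first, then RootCA.
  cat "$WORK/SignCA.pem" "$WORK/RootCA.pem" > "$WORK/SignCA_chain.pem"

  # A certificate issued for a different key, to show the check failing.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=SignCA/O=EJBCA Course/C=SE" \
    -keyout "$WORK/other.key" -out "$WORK/other_csr.pem" 2>/dev/null
  openssl x509 -req -in "$WORK/other_csr.pem" -CA "$WORK/RootCA.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -sha256 -days 1825 \
    -extfile "$WORK/subca.ext" -out "$WORK/SignCA_wrongkey.pem" 2>/dev/null
}

# Keep only the first certificate of a full-chain PEM file (the SubCA itself).
first_cert_of_chain() {
  awk '/-----BEGIN CERTIFICATE-----/ { n++ } n == 1 { print }' "$1"
}

# check_subca_response CERT CSR ROOT: returns 0 only if CERT is acceptable for the
# CSR node A generated and chains to ROOT; every failed check prints its reason.
check_subca_response() {
  cert=$1; csr=$2; root=$3; ok=0

  # 1. The certified public key must be the one from the CSR, i.e. the HSM key.
  csr_pub=$(openssl req -in "$csr" -noout -pubkey)
  crt_pub=$(openssl x509 -in "$cert" -noout -pubkey)
  [ "$csr_pub" = "$crt_pub" ] || { echo "public key differs from the CSR"; ok=1; }

  # 2. The certificate must verify against RootCA.pem.
  openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1 \
    || { echo "does not chain to RootCA"; ok=1; }

  # 3. It must be a CA certificate allowed to sign certificates and CRLs.
  text=$(openssl x509 -in "$cert" -noout -text)
  echo "$text" | grep -q 'CA:TRUE'          || { echo "basicConstraints CA:TRUE missing"; ok=1; }
  echo "$text" | grep -q 'Certificate Sign' || { echo "keyCertSign missing"; ok=1; }
  echo "$text" | grep -q 'CRL Sign'         || { echo "cRLSign missing"; ok=1; }

  # 4. Algorithm and key size as configured for the SignCA crypto token.
  echo "$text" | grep -q 'sha256WithRSAEncryption' || { echo "not SHA256WithRSA"; ok=1; }
  echo "$text" | grep -q 'Public-Key: (4096 bit)'  || { echo "key is not RSA 4096"; ok=1; }

  return $ok
}

make_fixture_pki
if check_subca_response "$WORK/SignCA.pem" "$WORK/SignCA_csr.pem" "$WORK/RootCA.pem"; then
  echo "SignCA.pem is acceptable: upload it with Receive Certificate Response"
else
  echo "SignCA.pem rejected: do not upload it"
fi
```

On a real installation, call check_subca_response with the SignCA.pem downloaded in step 12, the .csr file saved in step 6 and the RootCA.pem from the Public Web of node B. If you selected PEM - full certificate chain in step 10, pass the output of first_cert_of_chain through a temporary file so that only the SignCA certificate, not the RootCA certificate behind it, is checked.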