Step 6: Create AuthCA as SubCA in Node A

Here we will create the second of the SubCAs which is AuthCA. This CA together with the other SubCAs will be installed in EJBCA Hardware Appliance node A (where ManagementCA is installed) and will be signed by RootCA.

The following sections describe the actions you have to perform.

Create Crypto Token for AuthCA

At that point we will create a Crypto Token and generate public keys which will be used from AuthCA.

  1. In the EJBCA Administration GUI, navigate to CA Functions > Crypto Tokens.
  2. Click Create New....
  3. In the New Crypto Token form specify the following:

    • Name: Auth CryptoToken
    • Type: PKCS#11
    • Authentication Code : foo123
      (STOP) Make sure that you have manually generated slot password for that slot.
    • PKCS#11 Reference Type:    Slot ID
    • PKCS#11 Reference: 3 - The index numbers will be different depending on the installation
    • Click the Auto-activation box
  4. Click  Save

    Crypto Token creation for AuthCA
  5. In the settings page, the message CryptoToken created successfully will be displayed. Continue with creating the following keys.

  6. Underneath the table, enter defaultKeyAuthCA (value for Alias) and RSA 4096 (value for Key Algorithm and Key Specification) and click Generate new key pair.

  7. Click the Test button in the table. The following message will appear: defaultKeyAuth tested successfully.

    Create keys for AuthCA
  8. Underneath the table, enter signKeyAuthCA (value for Alias) and RSA 4096 (value for Key Algorithm and Key Specification) and click Generate new key pair.

  9. Click the Test button in the table. The following message will appear: signKeyAuthCA tested successfully.

  10. Underneath the table, enter testKeyAuthCA (value for Alias) and RSA 1024 (value for Key Algorithm and Key Specification) and click Generate new key pair.

  11. Click the Test button in the table. The following message will appear: testKeyAuthCA tested successfully.

Create AuthCA

This section describes the actual creation of the AuthCA.

  1. Click Certification Authorities.
  2. Enter AuthCA in the Add CA field.
  3. Click Create...

    Create AuthCA in Certification Authorities
  4. In the Create CA form, make the following entries:

    • Signing Algorithm: Select SHA256WithRSA
    • Crypto Token: Select Auth CryptoToken

      Section 'Ca certificate data' (not visible in screenshot):
    • Subject DN: Enter CN=AuthCA,O=EJBCA Course,C=SE
    • Signed By: Select External CA

      Section 'CRL specific data' (not visible in screenshot):
    • CRL Expire Period (*d *h *m): Enter 12h
      This field defines how long a CRL is valid for. The letter d specifies days.
    • CRL Issue Interval (*d *h *m): Enter 0
      This field defines how often the CRLs are to be issued. In this case the CRLs will be issued once every day but will be valid for two days.
    • CRL Overlap Time (*d *h *m): Enter 2h
      This value defines the number of minutes both CRLs are valid for. For example, thirty minutes before the first CRL will expire it will issue a new CRL.

    Create CA settings
  5. In the section Externally signed CA creation/renewal click Browse... and upload the RootCA.pem file.

    This step is NOT needed in the case that you have imported RootCA as an External CA. Otherwise, RootCA.pem can be downloaded from the Public Web of the EJBCA Hardware Appliance which is installed the RootCA (check Use-Case: Import RootCA as External CA in node A).

  6. Click Make Certificate Request:

    Create CSR for AuthCA
  7. You will be asked to download or copy the request. Save the .csr file with Save File:

    Generation of CSR
  8. Check the status of the CAs: Click Certification Authorities in the section CA Functions. The status for AuthCA is Waiting for Certificate Response:

    Certification Authorities status
  9. In the EJBCA Hardware Appliance where RootCA is installed (node B), you need to create an End Entity which will be binded with AuthCA certificate. Navigate to RA Functions > Add End Entities and provide the following values:

    • Username: Enter authCA
    • Password and Confirm Password: Enter foo123
    • CN, Common name: Enter AuthCA
    • O, Organization: Enter EJBCA Course
    • C, Country (ISO 3166): Enter SE
    • Certificate Profile: Enter SubCACertificateProfile
    • CA: Select RootCA
    • Token: Select User Generated
  10. Click Add:

    Create an End Entity for AuthCA in the PKI Appliance where RootCA is installed
  11. Click Enroll > Create Certificate from CSR and enter the following:

    • Username: Enter authCA
      This is the End Entity you created before.
    • Enrollment code: Enter foo123
    • Click Browse... and upload the AuthCA_csr.pem
    • Result type: Select PEM - full certificate chain
      The chain is NOT needed if you have RootCA as External CA. Then it is enough to choose PEM - certificate only
      Check Use-Case: Import RootCA as External CA in node A
  12. Click OK.

    Sign CSR request for AuthCA
  13. Save the AuthCA.pem file:

    Download signed .pem for AuthCA
  14. In the EJBCA Hardware Appliance where AuthCA is installed (node A), click Certification Authorities, highlight AuthCA, (Waiting for Certificate) and press Edit CA:

    EditAuthCA
  15. In the section Externally signed CA creation/renewal > Step 2, click Browse... and select the file AuthCA.pem.

  16. Click for Receive Certificate Response:

    Upload signed CSR for AuthCA
  17. Navigate to Certification Authorities to see that AuthCA is now active:

    Activated AuthCA