Step 7: Create SSLCA as SubCA in Node A
This section describes how to create the third of the SubCAs which is SSLCA. This CA together with the other SubCAs will be installed in EJBCA Hardware Appliance node A (where ManagementCA and other SubCAs are installed) and will be signed by RootCA.
The following sections describe the actions you have to perform.
Create Crypto Token for SSLCA
Create a Crypto Token and generate the key pairs that SSLCA will use:
- Open the EJBCA Administration GUI and navigate to CA Functions > Crypto Tokens.
- Click Create New...
In the form New Crypto Token, enter the following values:
- Name: Enter SSLCA CryptoToken
- Type: Select PKCS#11
- Authentication Code: Enter foo123
Make sure that you have manually generated a slot password for that slot.
- PKCS#11 Reference Type: Select Slot ID
- PKCS#11 Reference: Enter 4
Click Save.
[Screenshot: Crypto Token creation for SSLCA]
On the settings page, the following message will be visible: CryptoToken created successfully. Continue with creating the following keys.
- Underneath the table, enter defaultKeySSLCA (value for Alias) and RSA 4096 (value for Key Algorithm and Key Specification) and click Generate new key pair.
- Click the Test button in the table. The following message will appear: defaultKeySSLCA tested successfully.
- Underneath the table, enter signKeySSLCA (value for Alias) and RSA 4096 (value for Key Algorithm and Key Specification) and click Generate new key pair.
- Click the Test button in the table. The following message will appear: signKeySSLCA tested successfully.
- Underneath the table, enter testKeySSLCA (value for Alias) and RSA 1024 (value for Key Algorithm and Key Specification) and click Generate new key pair.
- Click the Test button in the table. The following message will appear: testKeySSLCA tested successfully.
[Screenshot: Create keys for SSLCA]
This section describes the actual creation of the SSLCA:
- Open CA Functions > Certification Authorities.
- Enter AuthCA in the field Add CA and click Create...
[Screenshot: Create SSLCA in Certification Authorities]
In the Create CA form, make the following entries:
- Signing Algorithm: Select SHA256WithRSA
- Crypto Token: Select SSLCA CryptoToken
Section 'CA certificate data' (not visible in screenshot)
- Subject DN: Enter CN=SSLCA,O=EJBCA Course,C=SE
- Signed By: Select External CA
Section 'CRL specific data' (not visible in screenshot)
- CRL Expire Period (*d *h *m): Enter 12h
This field defines how long a CRL is valid for. The letter “d” after the number specifies days.
- CRL Issue Interval (*d *h *m): Enter 0
This defines how often the CRLs are to be issued. In this case the CRLs will be issued once every day but will be valid for two days.
- CRL Overlap Time (*d *h *m): Enter 2h
This value defines for how long both CRLs are valid at the same time. For example, with an overlap of thirty minutes, a new CRL is issued thirty minutes before the current one expires.
In the section Externally signed CA creation/renewal click Browse... and upload the RootCA.pem file.
This step is NOT needed if you have imported RootCA as an External CA. RootCA.pem can be downloaded from the Public Web of the EJBCA Hardware Appliance on which RootCA is installed (see Use-Case: Import RootCA as External CA in node A).
Click Make Certificate Request.
[Screenshot: Create CSR for SSLCA]
You will be asked to download or copy the request. Save the .csr file with Save File.
[Screenshot: Generation of CSR]
In the EJBCA Hardware Appliance where RootCA is installed (node B), you have to create an End Entity which will be bound to the SSLCA certificate. Navigate to RA Functions > Add End Entities and provide the following values:
- Username: Enter sslCA
- Password and Confirm Password: Enter foo123
- CN, Common name: Enter SSLCA
- O, Organization: Enter EJBCA Course
- C, Country (ISO 3166): Enter SE
- Certificate Profile: Select SubCACertificateProfile
- CA: Select RootCA
- Token: Select User Generated
Click Add.
[Screenshot: Create an End Entity for SSLCA in EJBCA Hardware Appliance with installed RootCA]
Click Enroll > Create Certificate from CSR and make the following entries:
- Username: Enter sslCA
This is the End Entity you created before.
- Enrollment code: Enter foo123
- Click Browse... and upload the SSLCA_csr.pem
- Result type: Select PEM - full certificate chain
The chain is NOT needed if you have RootCA as an External CA; then it is enough to choose PEM - certificate only (see Use-Case: Import RootCA as External CA in node A).
Click OK.
[Screenshot: Sign CSR request for SSLCA]
Save the AuthCA.pem file.
[Screenshot: Download signed .pem for SSLCA]
In the EJBCA Hardware Appliance where SSLCA is installed (node A), click Certification Authorities, highlight SSLCA (Waiting for Certificate) and press Edit CA.
[Screenshot: Edit SSLCA]
In the section Externally signed CA creation/renewal > Step 2, Browse... and select the file SSLCA.pem.
Click Receive Certificate Response.
[Screenshot: Upload signed CSR for SSLCA]
Navigate to Certification Authorities to see that SSLCA is now active.
[Screenshot: Activated SSLCA]
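The CSR round trip between node A and node B, as an added example that is not part of the EJBCA documentation and not EJBCA's own code: it reproduces the same steps with openssl (a constructed stand-in for RootCA signs a CSR for CN=SSLCA,O=EJBCA Course,C=SE) and then runs the checks worth doing on the returned certificate before uploading it with Receive Certificate Response: that it chains to RootCA.pem, that its public key is the one from the CSR made on node A, and that it really was issued as a CA certificate (CA:TRUE with keyCertSign), which is what choosing SubCACertificateProfile rather than an end-entity profile on node B is supposed to guarantee. The working directory, the file names, the key sizes (RSA 2048 instead of the page's 4096, for speed) and the 30-day validity are assumptions.

```shell
# Added example (not from the EJBCA documentation): the RootCA/SubCA round trip
# reproduced with openssl, plus the checks worth running on the returned
# certificate before uploading it with "Receive Certificate Response".
# Working directory, file names and the stand-in RootCA are assumptions;
# the DNs mirror the page (CN=SSLCA,O=EJBCA Course,C=SE).

WORK=$(mktemp -d)

# Node B stand-in for RootCA: a self-signed CA certificate (constructed, 30 days).
make_root() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$WORK/root.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=RootCA/O=EJBCA Course/C=SE" \
    -keyout "$WORK/RootCA.key" -out "$WORK/RootCA_csr.pem" 2>/dev/null &&
  openssl x509 -req -sha256 -days 30 -in "$WORK/RootCA_csr.pem" \
    -signkey "$WORK/RootCA.key" -extfile "$WORK/root.ext" \
    -out "$WORK/RootCA.pem" 2>/dev/null
}

# Node A side: key pair and request, as "Make Certificate Request" produces for SSLCA.
make_subca_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=SSLCA/O=EJBCA Course/C=SE" \
    -keyout "$WORK/SSLCA.key" -out "$WORK/SSLCA_csr.pem" 2>/dev/null
}

# Node B side: sign the SSLCA CSR with RootCA. $1 = extension file, $2 = output certificate.
sign_csr() {
  openssl x509 -req -sha256 -days 30 -in "$WORK/SSLCA_csr.pem" \
    -CA "$WORK/RootCA.pem" -CAkey "$WORK/RootCA.key" -CAcreateserial \
    -extfile "$1" -out "$2" 2>/dev/null
}

# Extensions a SubCA profile sets: CA:TRUE, keyCertSign and cRLSign.
sign_subca_csr() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid:always\n' > "$WORK/subca.ext"
  sign_csr "$WORK/subca.ext" "$WORK/SSLCA.pem"
}

# The same CSR signed under an end-entity profile by mistake (CA:FALSE); the check must reject it.
sign_csr_wrong_profile() {
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\n' > "$WORK/ee.ext"
  sign_csr "$WORK/ee.ext" "$WORK/SSLCA_ee.pem"
}

# Pre-upload checks on the returned certificate. Return codes:
# 0 = all good, 1 = does not chain to the root, 2 = public key differs from the CSR,
# 3 = not a CA certificate (CA:TRUE missing), 4 = keyCertSign missing.
check_subca_cert() {
  cert="$1"; root="$2"; csr="$3"
  openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1 || return 1
  cert_pub=$(openssl x509 -in "$cert" -pubkey -noout | openssl sha256)
  csr_pub=$(openssl req -in "$csr" -pubkey -noout | openssl sha256)
  [ "$cert_pub" = "$csr_pub" ] || return 2
  text=$(openssl x509 -in "$cert" -noout -text)
  printf '%s\n' "$text" | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE' || return 3
  printf '%s\n' "$text" | grep -A1 'Key Usage' | grep -q 'Certificate Sign' || return 4
  return 0
}

# Whole procedure: root on node B, CSR on node A, signing on node B, checks on node A.
run_round_trip() {
  make_root && make_subca_csr && sign_subca_csr || return 1
  check_subca_cert "$WORK/SSLCA.pem" "$WORK/RootCA.pem" "$WORK/SSLCA_csr.pem"
}

if run_round_trip; then
  echo "SSLCA.pem chains to RootCA.pem, matches the CSR and is a CA certificate"
else
  echo "check failed, rc=$?"
fi
```

Run check_subca_cert against the actual SSLCA.pem, RootCA.pem and SSLCA_csr.pem files from the procedure above to get the same verdict; a non-zero return code tells you which of the four properties is missing, and a 3 is the signature of having picked an end-entity certificate profile instead of SubCACertificateProfile when signing on node B.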