Step 7: Create SSLCA as SubCA in Node A

This section describes how to create the third SubCA, SSLCA. Like the other SubCAs, it is installed on EJBCA Hardware Appliance node A (where ManagementCA and the other SubCAs are installed) and is signed by RootCA.

The following sections describe the actions you have to perform.

Create Crypto Token for SSLCA

Create a Crypto Token and generate the key pairs that SSLCA will use:

  1. Open the EJBCA Administration GUI and navigate to CA Functions > Crypto Tokens.
  2. Click Create New....
  3. In the form New Crypto Token, enter the following values:

    • Name: Enter SSLCA CryptoToken
    • Type: Select PKCS#11
    • Authentication Code: Enter foo123
      Make sure that you have manually generated a slot password for that slot.
    • PKCS#11 Reference Type: Select Slot ID
    • PKCS#11 Reference: Enter 4
  4. Click Save.

    Crypto Token creation for SSLCA


  5. In the settings page, the following message will be visible: CryptoToken created successfully. Continue with creating the following keys.

  6. Underneath the table, enter defaultKeySSLCA (value for Alias) and RSA 4096 (value for Key Algorithm and Key Specification) and click Generate new key pair.
  7. Click the Test button in the table. The following message will appear: defaultKeySSLCA tested successfully.
  8. Underneath the table, enter signKeySSLCA (value for Alias) and RSA 4096 (value for Key Algorithm and Key Specification) and click Generate new key pair.
  9. Click the Test button in the table. The following message will appear: signKeySSLCA tested successfully.
  10. Underneath the table, enter testKeySSLCA (value for Alias) and RSA 1024 (value for Key Algorithm and Key Specification) and click Generate new key pair.
  11. Click the Test button in the table. The following message will appear: testKeySSLCA tested successfully.

    Create keys for SSLCA


Create SSLCA

This section describes the actual creation of the SSLCA:

  1. Open CA Functions > Certification Authorities.
  2. Enter AuthCA in the field Add CA and click Create...:

    Create SSLCA in Certification Authorities
  3. In the Create CA form, make the following entries:

    • Signing Algorithm: Select SHA256WithRSA
    • Crypto Token: Select SSLCA CryptoToken

      Section 'CA certificate data' (not visible in screenshot)
    • Subject DN: Enter CN=SSLCA,O=EJBCA Course,C=SE
    • Signed By: Select External CA

      Section 'CRL specific data' (not visible in screenshot)
    • CRL Expire Period (*d *h *m): Enter 12h
      This field defines how long a CRL is valid for. The letter “d” after the number specifies days.
    • CRL Issue Interval (*d *h *m): Enter 0
      This defines how often the CRLs are to be issued. In this case the CRLs will be issued once every day but will be valid for two days.
    • CRL Overlap Time (*d *h *m): Enter 2h
      This value defines for how long both CRLs are valid at the same time. For example, with an overlap of thirty minutes, a new CRL is issued thirty minutes before the first CRL expires.

    SSLCA settings
  4. In the section Externally signed CA creation/renewal click Browse... and upload the RootCA.pem file.

    This step is NOT needed if you have imported RootCA as an External CA. In that case RootCA.pem can be downloaded from the Public Web of the EJBCA Hardware Appliance on which RootCA is installed (check Use-Case: Import RootCA as External CA in node A).

  5. Click Make Certificate Request:

    Create CSR for SSLCA
  6. You will be asked to download or copy the request. Save the .csr file with Save File:

    Generation of CSR
  7. In the EJBCA Hardware Appliance where RootCA is installed (node B), you have to create an End Entity which will be bound to the SSLCA certificate. Navigate to RA Functions > Add End Entities and provide the following values:

    • Username: Enter sslCA
    • Password and Confirm Password: Enter foo123
    • CN, Common name: Enter SSLCA
    • O, Organization: Enter EJBCA Course
    • C, Country (ISO 3166): Enter SE
    • Certificate Profile: Select SubCACertificateProfile
    • CA: Select RootCA
    • Token: Select User Generated
  8. Click Add.

    Create an End Entity for SSLCA in EJBCA Hardware Appliance with installed RootCA
  9. Click Enroll > Create Certificate from CSR and make the following entries:

    • Username: Enter sslCA
      This is the End Entity you created before.
    • Enrollment code: Enter foo123
    • Click Browse... and upload the SSLCA_csr.pem
    • Result type: Select PEM - full certificate chain
      The chain is NOT needed if you have RootCA as an External CA; in that case it is enough to choose PEM - certificate only.
      Check Use-Case: Import RootCA as External CA in node A
  10. Click OK:

    Sign CSR request for SSLCA
  11. Save AuthCA.pem file:

    Download signed .pem for SSLCA
  12. In the EJBCA Hardware Appliance where SSLCA is installed (node A), click Certification Authorities, highlight SSLCA (Waiting for Certificate) and press Edit CA:

    Edit SSLCA
  13. In the section Externally signed CA creation/renewal > Step 2, click Browse... and select the file SSLCA.pem.

  14. Click Receive Certificate Response:

    Upload signed CSR for SSLCA
  15. Navigate to Certification Authorities to see that SSLCA is now active:

    Activated SSLCA