The following describes how to create a Root CA and an Issuing CA.

Create Root CA

To create a Root CA:

  1. Click Certification Authorities under CA Functions.
  2. In the Add CA field, enter the CA name Corporate Root CA – G1 and click Create.
  3. On the Create CA page, select Corporate Root CA Crypto Token in the Crypto Token list.
  4. Check the key mapping. The keys defaultKey, certSignKey, and testKey created in section Create Crypto Tokens should already be selected for their purposes; the remaining purposes show "- Default key", meaning they fall back to defaultKey. Confirm that certSignKey is the certificate signing key before continuing, since that is the key pair the Root CA certificate will be created for.

  5. In the CA Certificate Data section, specify the following:
    1. Subject DN: Enter CN=Corporate Root CA - G1,O=Corporation,C=US.
    2. Signed by: Select Self Signed since this is the Root CA.
    3. Certificate Profile: Select Corporate Root CA Certificate Profile.
    4. Validity: Specify 25y. This is the lifetime of the Root CA certificate; every subordinate CA it signs must expire before it does.
    5. LDAP DN order: Clear Use. The DN is then encoded in the certificate in the order written above, with CN as the first component, rather than reversed into LDAP order.
  6. In the CRL Specific Data section, specify the following:
    1. Default CRL Dist. Point: Change the URL to the location where this CA's CRL will be published. Use an HTTP URL that relying parties can reach; certificate profiles that use the CA-defined CRL distribution point copy it into the certificates this CA issues, so settle on it before any certificate is issued.
    2. CRL Expire Period: Specify how long a CRL issued by this CA remains valid, that is, the time from issuance to its nextUpdate. The default 1 day (1d) can be changed to, for example, 3 days (3d). A new CRL must be issued before the current one expires, otherwise relying parties that check revocation will reject certificates from this CA, so keep the period longer than the interval at which CRLs are regenerated.
  7. Click Create to create the Root CA.

Create Issuing CA

To create an Issuing CA:

  1. Under CA Functions, click Certification Authorities.
  2. In the Add CA field, enter the CA name Corporate Issuing CA – G1 and click Create.
  3. On the Create CA page, select Corporate Issuing CA Crypto Token in the Crypto Token list.
  4. Check the key mapping. The keys defaultKey, certSignKey, and testKey created in section Create Crypto Tokens should already be selected for their purposes; the remaining purposes show "- Default key", meaning they fall back to defaultKey.
  5. In the CA Certificate Data section, specify the following:
    1. Subject DN: Enter CN=Corporate Issuing CA - G1,O=Corporation,C=US.
    2. Signed by: Select Corporate Root CA – G1. Because the Root CA created in section Create Root CA lives in the same EJBCA instance and its crypto token is active, the Issuing CA certificate is signed by it immediately when you click Create; no certificate request needs to be exported.
    3. Certificate Profile: Select Corporate Issuing CA Certificate Profile.
    4. Validity: Specify 15y. The Issuing CA certificate must expire before the Root CA certificate; with the 25y Root CA created above this holds as long as the Issuing CA is created within 10 years of the Root CA.
    5. LDAP DN order: Clear Use, so the DN is encoded as written (CN first) and matches the encoding chosen for the Root CA.

  6. In the CRL Specific Data section, specify the following:
    1. Default CRL Dist. Point: Change the URL to the location where this CA's CRL will be published. This CA issues the end-entity certificates, so this is the URL most relying parties will fetch; it must be reachable over HTTP from everywhere those certificates are validated.
    2. CRL Expire Period: Specify how long a CRL issued by this CA remains valid (time from issuance to nextUpdate). The default 1 day (1d) can be changed to, for example, 3 days (3d). Keep it longer than the CRL regeneration interval so that a fresh CRL is always published before the previous one expires.
  7. In the Other Data section, under Monitor if CA active (healthcheck), select Activate. This CA issues certificates continuously and must stay online, so it should be included in the EJBCA health check so that an inactive CA or crypto token is detected.
  8. Click Create to create the Issuing CA.
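To verify the resulting hierarchy, the following script (an added example, not part of the EJBCA documentation or product) builds stand-in Root and Issuing CA certificates and a Root CA CRL with openssl, using the DNs, validity periods, DN order and 3-day CRL expire period from the steps above, and then runs the checks you would run on the CA certificates and CRL downloaded from EJBCA: the root is self-signed, both certificates carry CA:TRUE, the Issuing CA chains to the root, the root outlives the Issuing CA, the Issuing CA carries the CRL distribution point, and the CRL is signed by the root and accepted in a revocation check. The work directory, CRL URL, key size, pathlen and the day counts used for 25y and 15y are assumptions.

```shell
#!/bin/sh
# Added example, not from the EJBCA documentation or product: model the two-tier
# hierarchy above with openssl and run the checks you would run on the real CA
# certificates and CRL downloaded from EJBCA. WORK, CRL_URL, key size, pathlen
# and the day counts are assumptions; EJBCA output differs in serials and dates.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CRL_URL="http://pki.example.com/crl/corporate-root-ca-g1.crl"   # assumed CRL DP URL
ROOT_DAYS=9131      # "25y" on the page, about 25 * 365.25 days
ISSUING_DAYS=5479   # "15y" on the page, about 15 * 365.25 days

# Stand-in certificates. The -subj order CN,O,C mirrors what EJBCA encodes when
# "Use LDAP DN order" is cleared: the DN is written CN first, as typed.
build_hierarchy() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
    > "$WORK/root.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Corporate Root CA - G1/O=Corporation/C=US" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -sha256 \
    -days "$ROOT_DAYS" -extfile "$WORK/root.ext" -out "$WORK/root.pem" 2>/dev/null

  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\ncrlDistributionPoints=URI:%s\n' \
    "$CRL_URL" > "$WORK/issuing.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Corporate Issuing CA - G1/O=Corporation/C=US" \
    -keyout "$WORK/issuing.key" -out "$WORK/issuing.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/issuing.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -sha256 -days "$ISSUING_DAYS" -extfile "$WORK/issuing.ext" \
    -out "$WORK/issuing.pem" 2>/dev/null

  # Root CRL with the page's 3 day expire period (nextUpdate = now + 3d).
  : > "$WORK/index.txt"
  echo 01 > "$WORK/crlnumber"
  printf '[ca]\ndefault_ca = root\n[root]\ndatabase = %s/index.txt\ncrlnumber = %s/crlnumber\n' \
    "$WORK" "$WORK" > "$WORK/ca.cnf"
  openssl ca -config "$WORK/ca.cnf" -gencrl -cert "$WORK/root.pem" -keyfile "$WORK/root.key" \
    -crldays 3 -md sha256 -out "$WORK/root.crl" 2>/dev/null
}

# Checks. Each returns 0 on success so it can be used from a shell or a test.
dn_of() {  # $1 = subject|issuer, $2 = cert file; RFC 2253 string form
  openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed 's/^[a-z]*= *//'
}
is_self_signed() { [ "$(dn_of subject "$1")" = "$(dn_of issuer "$1")" ]; }
is_ca() { openssl x509 -in "$1" -noout -text | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'; }
crl_dp_of() { openssl x509 -in "$1" -noout -text | sed -n 's/.*URI:\([^[:space:]]*\).*/\1/p'; }
chain_ok() { openssl verify -CAfile "$WORK/root.pem" "$WORK/issuing.pem" >/dev/null 2>&1; }
# The issuing CA must expire before the root: the root has to be valid
# ISSUING_DAYS from now, since the issuing certificate was created just now.
root_outlives_issuing() {
  openssl x509 -in "$WORK/root.pem" -noout -checkend "$((ISSUING_DAYS * 86400))" >/dev/null
}
crl_ok() {  # CRL signed by the root, and the issuing cert passes a CRL check against it
  openssl crl -in "$WORK/root.crl" -CAfile "$WORK/root.pem" -noout 2>&1 | grep -q 'verify OK' &&
    openssl verify -crl_check -CAfile "$WORK/root.pem" -CRLfile "$WORK/root.crl" \
      "$WORK/issuing.pem" >/dev/null 2>&1
}
crl_next_update() { openssl crl -in "$WORK/root.crl" -noout -nextupdate | sed 's/^nextUpdate=//'; }

report() {  # one PASS/FAIL line per check; returns 1 if any check failed
  rc=0
  run() { if "$@" >/dev/null 2>&1; then echo "PASS: $*"; else echo "FAIL: $*"; rc=1; fi; }
  run is_self_signed "$WORK/root.pem"
  run is_ca "$WORK/root.pem"
  run is_ca "$WORK/issuing.pem"
  run chain_ok
  run root_outlives_issuing
  run crl_ok
  run [ "$(crl_dp_of "$WORK/issuing.pem")" = "$CRL_URL" ]
  echo "root CRL nextUpdate: $(crl_next_update)"
  return $rc
}

build_hierarchy
report
```

Run it with sh; the generated files stay in WORK for inspection. To check real EJBCA output instead, skip build_hierarchy and point WORK at a directory holding the downloaded root.pem, issuing.pem and root.crl. With the checks passing, `dn_of subject` on the Issuing CA prints C=US,O=Corporation,CN=Corporate Issuing CA - G1, which is the RFC 2253 rendering of a DN encoded CN first, the effect of clearing LDAP DN order.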