Create Root CA Certificate Profile

Certificate Profiles model how our CAs look with regards to the different types of certificates, DN contents, extensions and so on.

To manage Certificate Profiles, open the Manage Certificate Profiles page (CA Functions Certificate Profiles > CA Functions).

The following section describes how to create a Root CA Profile.

Create Root CA Profile

Follow these steps to create a Root CA Profile:

  1. Clone the ROOTCA profile to create your own for the Root CA you are going to create:
    1. Click Clone next to the ROOTCA profile.
    2. Specify Corporate Root CA Certificate Profile and click Create from template in Name of new certificate profile, .
  2. Click Edit on the Corporate Root CA Certificate Profile and specify the following:

    1. Available key algorithms: Select desired key algorithm, for example, RSA.
    2. Available bit lengths: Select desired bit lengths, for example, 2048-4096.
    3. Validity or end date of the certificate: Keep the validity at the default 25y7d.
    4. CRL Distribution Points: Select if desired. CRLs hold the revocation status of certificates.

      NOTE To make your CRL Distribution Point be on an internal server to your network, use an internal DNS name. It is recommended to put the CRL URL behind a CNAME or load balanced VIP. This way it is stamped in the certificate as something that should not ever change, but the system serving the CRL behind the VIP can.

      To make your CRL Distribution Point public, use a public DNS name that points to an IP. If using EJBCA Cloud AWS, using an Elastic IP is not recommended since this IP/URL will change if the node is shut down invalidating the CRL location.

      To allow clients to fetch the CRL from the CA directly and have Apache in front of EJBCA, remove port 8080 from the URL and change the DNS name as required. EJBCA does not know if Apache exists and internally responds to 8080 in most cases.

      Example URLs:
      From EJBCA server directly: http://ip-172-16-0-148.ec2.internal/ejbca/publicweb/webdist/certdist?cmd=crl&issuer=CN=Corporate_Root_CA,O=Corporation,C=US.
      Served from Webserver: http://crl.corporate-dns-url.com/corporate_root_ca.crl (you must setup a script to fetch and copy the file to the URL you choose).

    5. Clear LDAP DN order (to get X509 DN ordering) for greater compatibility with systems that use certificates.
    6. Click Save to save the Root CA Profile.