Creating a SubCA Signed by an External CA

Some CA hierarchies have the requirement of being signed by an external Certificate Authority and sometimes other external CAs need to be signed by your CA.

When creating a CA that is signed by an external CA, you create a PKCS10 certificate request that is sent to the external CA. When the external CA returns your CAs certificate, this is processed, and the CA becomes activated.

The following describes how to create a CA signed by an external CA, either using the GUI or the CLI.

Creating a CA Signed by an External CA Using the GUI

To have your CA signed by an external CA, perform the following steps:

  1. Select Admin GUI > Certificate Authorities.
  2. Create a new CA in the same way as internal CAs, but when selecting signing CA, instead select External CA. The fields Certificate Profile, Validity, Subject Alternative Name and Policy Id will become unavailable.
  3. Specify the Description and CRL Specific data.
  4. Make sure that the certificate chain is available, in one of the following ways:
    • Select a (PEM encoded) file containing the CA certificate chain of the signing CA. If there is more than one top CA certificate, all their certificates should be appended into one single file in plain PEM format without blank lines before or after (see PEM File Example).
    • Append the chain to the signed certificate file in the same way as when receiving the request (see below).
    • Import the complete certificate chain beforehand as External CAs (under Certificate Authorities->Import CA Certificate).
  5. Click Make Certificate Request to display the generated PKCS10 certificate request. You can copy and paste it to the signing CA or download the PEM file.
  6. The external CA should sign the certificate request and return a certificate. Note that the newly created CA meanwhile will have the status Waiting for Certificate Response and only appear on the Edit CA page.
  7. When the Certificate Response has arrived, activate the new CA by selecting the waiting CA and click Edit on the Edit CA page.
  8. Click Receive Certificate Response (optionally specifying a password), upload the received certificate, and again click Receive Certificate Response.
  9. If the received certificate forms a valid certificate chain with the previously uploaded chain or contained a full chain, the status of the CA is set to Active.
  10. To optionally activate OCSP functionality for this new CA, edit it again and mark the OCSP functionality as active.
  11. The new externally signed CA is ready to use.

When uploading a chain, the certificates must be converted to PEM format if not already. To convert at file in DER encoding (.cer) using the following OpenSLL command:

openssl x509 -inform DER -in filename.cer -outform PEM -out filename.pem 

PEM File Example

The following displays an example of a plain PEM file for uploading as a certificate chain:

-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIIEvabM2CgLZcwDQYJKoZIhvcNAQEFBQAwMzETMBEGA1UE
AxMKV2FsdGVyIENBMTEPMA0GA1UEChMGV2FsdGVyMQswCQYDVQQGEwJTRTAeFw0w
MzA5MjkwOTI2MzRaFw0wNDA5MjgwOTM2MzRaMDMxEzARBgNVBAMTCldhbHRlciBD
QTExDzANBgNVBAoTBldhbHRlcjELMAkGA1UEBhMCU0UwggEgMA0GCSqGSIb3DQEB
AQUAA4IBDQAwggEIAoIBAQC3hXksEud68WwPWWHLJQQkTCuX/K32KHPPn/uPUzab
Cpc/FnaTmF9yEHmpFdAUr0v5ZPnxVQpcuwrDZc4YfaTLfyUHicQbkftsPAj/2hE4
UukS2j+nQQcJEnIY0vSZOAOLU3j4bf/RlS6Jl7TPFFfWTxuQF8AruQ+YhaE52JFi
SapGGXKQJxhsvKT91rLaWSFWNMTTLSDPaBXYEYFuFhLNclDJWf4whfxHSHHkARB/
3Z0XlT4sFj0fmqEQ6yQb6/WqMFK+1XAIBXZO2MXe26IigWkXw1GfkIx1+fbUPrzu
8EI2jb0TWl21j1+Mvh3APZtVj5FJNuZN9bgdbrq88hLXAgERo2QwYjAPBgNVHRMB
Af8EBTADAQH/MA8GA1UdDwEB/wQFAwMHBgAwHQYDVR0OBBYEFNhHOtAwo8MOE/nI
zzg9KFxCYs8YMB8GA1UdIwQYMBaAFNhHOtAwo8MOE/nIzzg9KFxCYs8YMA0GCSqG
Sib3DQEBBQUAA4IBAQBHpvicbuJTACtpdwe6cF1nQ57FHnnYr+aAe+ZpH43R6R9d
eMps02nFAMSs5o8sbPokrpwAtk2yYwCohEFDkZ5JPzIBkgNlNnVHNNRHQTRJ6v6Q
F2MWUEPc1u5kxSjXEVMmZerG9oknMwpYFmkOnKF46vP3Njt/ExOeRAvCEQq2b8pz
2QGg8/IK6Omfi7IwxtVYUpgvhdcWekbFIlxkXZiEdlHNBIV1GzzPK1VEzg5kugD/
h6jeykrsKASx+55AkkBPt2kI+ZikVtp3SVhfZQMGY86c5QMQGlPWYNsr4ociyhfX
I52Qby+/HNG1ijpx66Z30lUMmXTtWtL4Cu8s7UvC
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIICxzCCAa+gAwIBAgIIBfqGjbQu14swDQYJKoZIhvcNAQEFBQAwMzETMBEGA1UE
AxMKV2FsdGVyIENBMTEPMA0GA1UEChMGV2FsdGVyMQswCQYDVQQGEwJTRTAeFw0w
MzA5MjkwOTMzMDFaFw0wNDAxMDcwOTQzMDFaMDQxETAPBgNVBAMTCER1ZGUgQ0Ex
MRIwEAYDVQQKEwlEdWRlIEluYy4xCzAJBgNVBAYTAlNFMIGdMA0GCSqGSIb3DQEB
AQUAA4GLADCBhwKBgQCM1hR/DYPXfKDa3oVJbppV4OcYtn2XP9W5Kc1d0+U4qLOm
JsqIFHDWR07o1QFiPhc9z0UGtwYeE3CpQ8fG8zeur5e286PYptZIST77B9vOdQdl
PA+dFKFIaEwdzcS7H3Lf38WTE4D1OnyRX5jsiUe+YIQRtjv/Bmem+kSR84G9TwIB
EaNkMGIwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwYAMB0GA1UdDgQW
BBTDrXZGYXS9GyIUBOZrglhwNjjcnTAfBgNVHSMEGDAWgBTYRzrQMKPDDhP5yM84
PshcQmLPGDANBgkqhkiG9w0BAQUFAAOCAQEAdmTP1qVUcAKOf+/zvb2lcLKvFwKT
6KqDlO5NofjqCIfNgCjO2mO176cslnFIbEZQqgGIUnJ3AwfHKHj+U3kM3n5T29kF
xiLKxIDfjsY6qC03KHeGAgxI92XZyPsO1is6Y6qUnAmiwhIp5HS6E0+xIP1shmtJ
ZvqU8bueKUWSjx3JDzq+UNLX5pFkK0P0R90TCUEkBx1FNWqoWwb8zfAuO5zcNTEj
5E9esLjwxJQnIVPiA2l3FfZN9yomK+q7kTZJkX2kMx7G850lPR8CneXZT6bIOfck
Dw3PqQiroMNx2+gzC/f/wTXsF92aujyG+IZx1FIcNg/MoHXBWG7T8YrjnQ==
-----END CERTIFICATE-----

You can treat an internal CA (a CA residing on the same EJBCA instance as another CA) as an external CA. From the SubCA this works just like the normal case, but on the RootCA you will issue the SubCA as an end entity. 

This can be useful if you have an HSM setup where only one set of keys can be active at one time, for example using nCipher with two different, non-persistence, operator cards sets for the RootCA and the SubCA. Using the SubCA as an external CA you can still create the PKI but with only one CA active at a time.

Creating a CA Signed by an External CA Using the CLI

To create a CA signed by an external CA using the CLI, follow the steps below:

  • Create the CA generating a CSR. Note that the Crypto token password is set to foo123:
bin/ejbca.sh ca init CaSignedByExteral "CN=This CA is Signed by an external CA" soft foo123 secp256r1 ECDSA 365 null SHA256withECDSA --signedby External -externalcachain chain.pem

The file chain.pem contains the certificate chain of the external CA, as described above. Running the above command, a CSR named CaSignedByExteral_csr.der is saved to your disk, containing a PKCS#10 CSR in binary format. Send the CSR to the external CA and get the signed sub CA certificate returned back.

  • Import the sub CA certificate, activating your CA:
bin/ejbca.sh ca importcacert CaSignedByExteral subcacertificate.pem

The file subcacertificate.pem contains the received sub CA certificate.