Requesting a Cross or Bridge certificate

If you have set up your own CA, you can request another CA to cross-certify your CA, or you can get certified by a Bridge CA such as the Federal Bridge. This is done in the following way:

  1. In the 'Edit CA' page, choose the CA that you intend to get cross-certified by another CA and click on 'Edit'.
  2. In the lower part of the screen, click on 'Make Certificate Request' and skip upload of the signing certificate chain.
  3. Save the created PKCS#10 certificate request to disk and send it to the other CA.

Now you have a certificate request to send to the other CA or Bridge CA. When the other CA has issued a certificate for you, everything is completed. You don't need to (and usually should not) import the cross-certificate or bridge-certificate in EJBCA. What you need to do is make sure that the clients using the certificates issued by your CA have access to the correct certificate chain. If you are cross-certified with several other CAs, multiple possible certificate chains exist.

Handling the certificate chains on clients is out of scope for EJBCA.
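
As an added illustration (not part of EJBCA or its documentation), the sketch below enumerates the chains a client can build for a certificate issued by a cross-certified CA, depending on which trust anchors that client holds. The CA names and certificate records are constructed, and certificates are matched by name only.

```python
from collections import namedtuple

# Constructed sample data, not taken from EJBCA. Each record stands for one
# certificate, reduced to subject and issuer names. Real path validation
# (RFC 5280) also verifies signatures, validity and constraints.
Cert = namedtuple("Cert", "subject issuer")

CERTS = [
    Cert("MyCA", "MyCA"),              # self-signed certificate of our own CA
    Cert("MyCA", "PartnerCA"),         # cross-certificate from a hypothetical partner
    Cert("MyCA", "BridgeCA"),          # certificate issued by a hypothetical bridge
    Cert("PartnerCA", "PartnerCA"),
    Cert("BridgeCA", "AgencyRoot"),    # bridge certified by another domain's root
    Cert("AgencyRoot", "AgencyRoot"),
]
LEAF = Cert("server.example", "MyCA")  # end-entity certificate issued by MyCA


def build_chains(leaf, certs, trust_anchors):
    """Return every leaf-to-anchor chain the client can build."""
    chains = []

    def walk(cert, path, seen):
        path = path + [cert]
        if cert.subject == cert.issuer:          # reached a self-signed certificate
            if cert.subject in trust_anchors:    # usable only if the client trusts it
                chains.append(path)
            return
        for cand in certs:
            # Follow issuer -> subject links; 'seen' stops cross-certification loops.
            if cand.subject == cert.issuer and cand.subject not in seen:
                walk(cand, path, seen | {cand.subject})

    walk(leaf, [], {leaf.subject})
    return chains


def describe(chain):
    """Render a chain as 'subject <- issuer' hops for display."""
    return [f"{c.subject} <- {c.issuer}" for c in chain]


if __name__ == "__main__":
    for anchors in ({"MyCA"}, {"PartnerCA"}, {"AgencyRoot"}, {"MyCA", "AgencyRoot"}):
        print(sorted(anchors))
        for chain in build_chains(LEAF, CERTS, anchors):
            print("   ", describe(chain))
```

A client that trusts only the partner or the other domain's root needs the matching cross-certificate in the chain it is given; the self-signed certificate of your own CA does not help it.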

If you choose to upload the resulting certificate chain, this will convert your CA from an internal CA to an externally signed CA.