Over time, you may be required to migrate your CA from your original signing algorithm to a more complex one, such as migrating from SHA1 to SHA2. The following provides step-by-step instructions for changing the signing algorithm.
Note that the following does not cover switching the algorithm on certificates issued by your CA - to do so all you need to do is edit the relevant Certificate Profile. Instead, this covers a self-signed CAs own certificate.
Step 1 - Clone old Certificate Profile
In the EJBCA CA UI, select Certificate Profiles and click Clone on the Certificate profile currently used by the CA for its own certificates.
Step 2 - Switch CA to use new Certificate Profile
From the CLI console, perform the following operation to switch the CA to use the new Certificate Profile:
$ /opt/ejbca/bin/ejbca.sh ca changecertprofile --caname "My Root CA" --certprofile "My New Certificate Profile"
Replace the values within quotations with the proper names.
Step 3 - Configure new Certificate Profile
To configure the new Certificate Profile:
- In the EJBCA CA UI, select Certificate Profiles and click Edit on your new profile.
- Under Signature Algorithm, pick the new signing algorithm desired.
Step 4 - Renew CA Certificate
To renew the CA Certificate:
- In the EJBCA CA UI, select Certification Authorities and click Edit CA for your root CA.
- Under CA Life Cycle > Renew CA, verify that the existing key is being used and clear Create link certificate.
- Click Renew CA and confirm the renewal operation.