Change Signing Algorithm on Root CA's Certificates

Over time, you may be required to migrate your CA from its original signing algorithm to a stronger one, for example from SHA1 to SHA2. The following provides step-by-step instructions for changing the signing algorithm.

Note that the following does not cover switching the algorithm on certificates issued by your CA; to do that, all you need to do is edit the relevant Certificate Profile. Instead, this covers a self-signed CA's own certificate.

Step 1 - Clone old Certificate Profile

In the EJBCA CA UI, select Certificate Profiles and click Clone on the Certificate Profile currently used by the CA for its own certificate.

Step 2 - Switch CA to use new Certificate Profile

From the CLI console, perform the following operation to switch the CA to use the new Certificate Profile:

$ /opt/ejbca/bin/ejbca.sh ca changecertprofile --caname "My Root CA" --certprofile "My New Certificate Profile"

Replace the quoted values with the name of your CA and the name of the cloned Certificate Profile.

Step 3 - Configure new Certificate Profile

To configure the new Certificate Profile:

  1. In the EJBCA CA UI, select Certificate Profiles and click Edit on your new profile.
  2. Under Signature Algorithm, select the new signing algorithm and save the profile.

Step 4 - Renew CA Certificate

To renew the CA Certificate:

  1. In the EJBCA CA UI, select Certification Authorities and click Edit CA for your root CA.
  2. Under CA Life Cycle > Renew CA, verify that the existing key is being used and clear Create link certificate (the key pair does not change here, only the signature algorithm of the CA certificate, so no link certificate is needed).
  3. Click Renew CA and confirm the renewal operation.
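After the renewal, confirm that the new CA certificate really carries the new algorithm before distributing it. Export the CA certificate in DER form (from the CA UI or with ejbca.sh ca getcacert) and inspect it. The following is an added example, not part of EJBCA or of this page: a standard-library-only Python script that walks just enough ASN.1 to read both AlgorithmIdentifier fields of an X.509 certificate (tbsCertificate.signature and the outer signatureAlgorithm), names the OID, flags SHA1 and checks that the two fields agree as RFC 5280 requires. The "before" and "after" certificates it prints by default are constructed skeletons containing only the fields the inspector reads; pass a file path to inspect a real certificate.

```python
"""Check which signature algorithm a DER-encoded X.509 certificate carries.

Added example (not EJBCA code). Pure standard library: walks just enough DER to
reach the two AlgorithmIdentifier fields of a certificate, decodes the OIDs and
checks that they agree. The sample certificates built at the bottom are
constructed skeletons, not real certificates."""
import sys

OID_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Decode OBJECT IDENTIFIER content bytes into dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                       # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def algorithm_name(alg_id):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }"""
    tag, oid_bytes, _ = read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = decode_oid(oid_bytes)
    return OID_NAMES.get(oid, oid)


def inspect_certificate(der):
    """Return both algorithm names found in a certificate and whether they agree."""
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    _, tbs, pos = read_tlv(cert, 0)
    _, outer_alg, _ = read_tlv(cert, pos)
    # TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature, ... }
    tag, _, pos = read_tlv(tbs, 0)
    if tag == 0xA0:                            # explicit version present: skip serialNumber too
        _, _, pos = read_tlv(tbs, pos)
    _, inner_alg, _ = read_tlv(tbs, pos)
    inner, outer = algorithm_name(inner_alg), algorithm_name(outer_alg)
    return {
        "tbs_signature": inner,
        "signature_algorithm": outer,
        "consistent": inner == outer,          # RFC 5280 4.1.1.2: the two must match
        "uses_sha1": "SHA1" in outer.upper(),
    }


def _der(tag, content):
    """Encode one DER element with definite (short or long form) length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


SHA1_RSA = bytes.fromhex("2a864886f70d010105")     # 1.2.840.113549.1.1.5
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11


def build_skeleton_cert(inner_oid, outer_oid):
    """Constructed sample: a certificate skeleton with only the fields the inspector reads."""
    def alg(oid):
        return _der(0x30, _der(0x06, oid) + _der(0x05, b""))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02"))       # [0] version v3
                     + _der(0x02, b"\x01\x02\x03")         # serialNumber (constructed)
                     + alg(inner_oid)                      # signature
                     + _der(0x30, b""))                    # issuer placeholder
    return _der(0x30, tbs + alg(outer_oid) + _der(0x03, b"\x00" * 9))


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # python check_sigalg.py cacert.der
        with open(sys.argv[1], "rb") as f:
            print(inspect_certificate(f.read()))
    else:
        for label, cert in [("before renewal", build_skeleton_cert(SHA1_RSA, SHA1_RSA)),
                            ("after renewal", build_skeleton_cert(SHA256_RSA, SHA256_RSA))]:
            print(label, inspect_certificate(cert))
```

If the exported certificate still reports sha1WithRSAEncryption, the renewal picked up the old profile: check that the CA was switched to the cloned profile in Step 2 and that the algorithm change in Step 3 was saved before renewing. A "consistent": False result means the two algorithm fields disagree, which a conforming validator will reject outright.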