
External CA

Introduction

Create CA Hierarchy Lab Overview - PART 3, Create the External Subordinate CA

Slide Deck: Create CA Hierarchy

Overview: This lab is used to create our EJBCA PKI Hierarchy lab environment, which will be used throughout this course.

The Create CA Hierarchy lab consists of three parts: creating a Root CA, a Subordinate CA, and an External Subordinate CA.

The third part of this lab focuses on creating the External Subordinate CA. This section is very similar to creating the Root CA and the Subordinate CA, but there are some extra steps because we are simulating an External Subordinate CA that is signed by the Root CA across an organizational boundary: the CA key pair and certificate request are created on one side, and the certificate is issued and handed back by the other.

This section is divided into two parts: the first part is performed on the Root CA and the second part on the External CA. The External Sub CA is configured as if it existed on a separate EJBCA instance (it could belong to a separate organization or sit on the other side of the world). We don't have a separate instance for this lab, so we simulate this by executing the steps as if the External Sub CA existed on a separate instance. Since only one EJBCA instance is used in this training, everything is performed on the same EJBCA installation; to make it clearer, each group of steps states which CA it would have been performed on if there were one Root CA and one External CA.

  1. Clone the SUB CA certificate profile, which is provided as a template with EJBCA, and make the modifications required for the lab environment, e.g. select the key algorithm, key length, etc.

  2. Create an End-Entity profile for the External Sub CA.

  3. Download the Root CA certificate to include with the External Sub CA Certificate Signing Request (CSR).

  4. Create a Crypto Token which allows EJBCA to access the External Subordinate CA keys.

  5. Create the External Subordinate CA, making the modifications specific for the External Subordinate CA: add any asserted information, e.g. the DN of the CA, assign the crypto keys to their usages, and configure the CRL validity periods. During this step a certificate request (CSR) is generated for the Root CA to sign; once the Root CA has issued the certificate, the response is imported back into the External Sub CA, which activates it.

Slide Reference

Create the crypto token first

Next create the certificate authority

External CA signed by the Root CA

The following steps are performed on the Root CA
Reminder: This is on the same instance since we do not have multiple instances of EJBCA for this lab

Create External Subordinate CA Certificate Profile on the Root CA

  1. Click CA Functions >> Certificate Profiles

  2. On SUBCA click Clone

  3. Enter ExternalSubCACertificateProfile and click Create from template

  4. Click Edit on the profile ExternalSubCACertificateProfile

  5. In the Available key algorithms list, select RSA

  6. In the Available bit lengths list, select 4096 bits

  7. In the Signature Algorithm list, select SHA256WithRSA

  8. In the Validity field, enter 10y 3mo

  9. For Path Length Constraint check Add… and set the Value field to 0 (the External Sub CA may then issue end-entity certificates but no further CA certificates)

  10. For Certificate Policies check Use...

  11. In the Certificate Policy OID field, enter 2.5.29.32.0 (or insert your organization OID) and click Add. 2.5.29.32.0 is the anyPolicy OID and only serves as a placeholder for the lab; a production CA should carry the policy OID from your organization's certificate policy

  12. Uncheck the Subject Alternative Name Use... checkbox

  13. Uncheck the Issuer Alternative Name Use... checkbox

  14. Uncheck the checkbox for LDAP DN Order

  15. In the Available CAs list, select Root CA

  16. Keep the other values as default

  17. Click Save

Create External Subordinate CA End Entity Profile on the Root CA

  1. Click RA Functions >> End Entity Profiles

  2. In the Add End Entity Profile field, enter ExternalSubCAEndEntityProfile and click Add Profile

  3. In the List of End Entity Profiles list, select ExternalSubCAEndEntityProfile and click Edit End Entity Profile

  4. For End Entity E-mail deselect Use

  5. In the Subject DN Attributes list select O, Organization and click Add

  6. In the O, Organization field

    • Enter the text PrimeKey Solutions AB

    • Select Required

    • Deselect Modifiable

  7. In the Subject DN Attributes list, select C, Country (ISO 3166) and click Add

  8. In the C, Country (ISO 3166) field

    • Enter the text SE

    • Select Required

    • Deselect Modifiable

  9. Scroll to the Main Certificate Data section, and locate the Default Certificate Profile list, select ExternalSubCACertificateProfile

  10. In the Available Certificate Profiles list, select ExternalSubCACertificateProfile

  11. In the Default CA list, select Root CA

  12. In the Available CAs list, select Root CA

  13. In the Default Token list, select User Generated

  14. In the Available Tokens list, select User Generated (the key pair is generated on the External Sub CA side, so the Root CA only ever receives a CSR and never the private key)

  15. Click Save

Download Root CA Certificate

  1. Click CA Functions >> CA Structure & CRLs

  2. For Root CA click Download PEM file

  3. Save the file (Firefox saves all downloads to the user's downloads directory)

The following steps are performed on the External CA
Reminder: This is on the same instance since we do not have multiple instances of EJBCA for this lab

Create Crypto Token on the External Subordinate CA

  1. Click CA Functions >> Crypto Tokens

  2. Click Create new

  3. In the Name field, enter externalsubcacryptotoken

  4. In the Type list, select PKCS#11 NG

  5. Click the Auto Activation checkbox, to enable the crypto-token to auto-activate

  6. In the PKCS#11 Reference Type list, select Slot/Token Label

  7. In the PKCS#11 Reference list, select EXTERNAL_SUB_CA_SLOT

  8. In the Authentication Code field, enter the password for the slot (password on the training system is foo123)

  9. In the Repeat Authentication Code field, re-enter the password from previous step 

  10. Click Save

  11. Enter signKey00001 as the name for the new key, choose RSA 4096 from the list, select Sign/Encrypt for key usage and click Generate new key pair

  12. Click Test for the new key created, the result should be signKey00001 tested successfully

  13. Enter defaultKey00001 as the name for the new key, choose RSA 4096 from the list, select Sign/Encrypt for key usage and click Generate new key pair

  14. Click Test for the new key created, the result should be defaultKey00001 tested successfully

  15. Enter testKey as the name for the new key, choose RSA 1024 from the list, select Sign/Encrypt for key usage and click Generate new key pair

  16. Click Test for the new key created, the result should be testKey tested successfully

Create External Subordinate CA

  1. Click CA Functions >> Certification Authorities

  2. In the Add CA field, enter External Sub CA and click Create

  3. In the Crypto Token list, select externalsubcacryptotoken

  4. In the defaultKey list, select defaultKey00001

  5. In the certSignKey list, select signKey00001

  6. In the testKey list, select testKey

  7. In the Subject DN field, enter CN=External Sub CA,O=PrimeKey Solutions AB,C=SE

  8. In the Signed By list, select External CA (the EJBCA option for a CA whose certificate is issued by a CA outside this instance, here the Root CA)

  9. Uncheck the checkbox for LDAP DN Order

  10. In the CRL Expire Period field, enter 2d

  11. In the CRL Issue Interval field, enter 1d

  12. In the CRL Overlap Time field, enter 0m

  13. In the Monitor if CA active (healthcheck), check Activate

  14. From Externally signed CA creation/renewal click Browse, click Downloads and select RootCA.cacert.pem

  15. Click Make Certificate Request

  16. Click Download PEM file

  17. Save the file

The following steps are performed on the Root CA
Reminder: This is on the same instance since we do not have multiple instances of EJBCA for this lab

  1. Open a browser and go to the Admin Web on the Root CA

  2. Click RA Functions >> Add End Entity

  3. In the End Entity Profile list, select ExternalSubCAEndEntityProfile

  4. In the Username field, enter External Sub CA

  5. In the Password field, enter an enrollment code for the end entity (the training system uses foo123). This is the enrollment code presented when the CSR is submitted, not the HSM slot password

  6. In the Confirm Password field, repeat the enrollment code

  7. In the CN, Common name field, enter External Sub CA

  8. In the Certificate Profile list, select ExternalSubCACertificateProfile

  9. In the CA list, select Root CA

  10. In the Token list, select User Generated

  11. Click Add

  12. Click RA Web, from the ribbon menu across the top of the page

  13. Select Enroll >> Use Username

If you can't see the Enroll menu then click the hamburger menu in the upper right corner

  1. In the Username field, enter External Sub CA

  2. In the Enrollment code field, enter the enrollment code that was set when the end entity External Sub CA was added

  3. Click Check

  4. Click Browse…, click Downloads, select External Sub CA_csr.pem and click Select

  5. Click Download PEM full chain

  6. Save the file as "External Sub CA.pem"

The following steps are performed on the External CA
Reminder: This is on the same instance since we do not have multiple instances of EJBCA for this lab

  1. Open a browser and go to the Admin Web on the External Subordinate CA

  2. Click CA Functions >> Certification Authorities

  3. In the List of Certification Authorities, select External Sub CA

  4. Click Edit CA

  5. For Externally signed CA creation/renewal, Step 2 - Import Certificate, click Browse

  6. Click Downloads

  7. Select External Sub CA.pem and click Select

  8. Click Receive Certificate Response

  9. The result should be Certificate Response received successfully, CA Activated
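The whole round-trip above, the Root CA issuing against ExternalSubCACertificateProfile and the External Sub CA checking the response before it receives it, as an added example using the openssl CLI. This is not EJBCA's own code and not part of the lab: openssl stands in for both EJBCA instances, the Root CA is a self-signed one generated on the spot, and the file names under $WORK (External_Sub_CA_csr.pem, External_Sub_CA.pem, RootCA.cacert.pem) and the function names are ours. It assumes openssl 1.1.1 or newer is on PATH. The two checks before import are the ones worth keeping on a real external CA: the response must chain to the Root CA certificate that was downloaded earlier (compare its fingerprint out of band with the Root CA operator first), and the public key in the issued certificate must be the one from the CSR that was generated, so a response issued for someone else's request is rejected instead of activating the CA.

```shell
#!/bin/sh
# Added example, not part of the EJBCA lab or of PrimeKey's code: replays the
# External Sub CA round-trip with the openssl CLI so the two PEM files the lab
# moves between the instances can be checked. root_side_* runs where the Root
# CA lives, external_side_* where the External Sub CA lives.
# Assumed: openssl 1.1.1 or newer on PATH; every file name under $WORK is ours.
set -eu

WORK="${WORK:-$(mktemp -d)}"
KEYBITS="${KEYBITS:-4096}"       # profile: RSA, 4096 bits
ROOT_DN='/C=SE/O=PrimeKey Solutions AB/CN=Root CA'
SUB_DN='/C=SE/O=PrimeKey Solutions AB/CN=External Sub CA'

# Root side: a self-signed Root CA standing in for the lab's existing one.
root_side_create_root() {
    openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$KEYBITS" \
        -out "$WORK/root.key" 2>/dev/null
    openssl req -new -sha256 -key "$WORK/root.key" -subj "$ROOT_DN" -out "$WORK/root.csr"
    cat > "$WORK/root.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
    openssl x509 -req -sha256 -days 7300 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
        -extfile "$WORK/root.ext" -out "$WORK/RootCA.cacert.pem" 2>/dev/null
}

# "Download PEM file" of the Root CA just gives you a file. Before it is attached
# to the CSR, compare this fingerprint with one obtained out of band from the
# Root CA operator; otherwise a swapped root certificate goes unnoticed.
root_fingerprint() {
    openssl x509 -in "$WORK/RootCA.cacert.pem" -noout -fingerprint -sha256 | cut -d= -f2
}

# External side: key pair plus CSR carrying the lab's Subject DN (EJBCA's
# "Make Certificate Request"; in the lab the key lives in the HSM slot).
external_side_make_csr() {
    openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$KEYBITS" \
        -out "$WORK/externalsub.key" 2>/dev/null
    openssl req -new -sha256 -key "$WORK/externalsub.key" -subj "$SUB_DN" \
        -out "$WORK/External_Sub_CA_csr.pem"
}

# Root side: issue the certificate with what ExternalSubCACertificateProfile
# asks for: SHA256WithRSA, CA:TRUE with path length 0, keyCertSign/cRLSign,
# certificatePolicies anyPolicy (2.5.29.32.0), roughly 10y 3mo of validity.
root_side_sign_csr() {
    cat > "$WORK/subca.ext" <<'EOF'
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
certificatePolicies=2.5.29.32.0
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always
EOF
    openssl x509 -req -sha256 -days 3744 -in "$WORK/External_Sub_CA_csr.pem" \
        -CA "$WORK/RootCA.cacert.pem" -CAkey "$WORK/root.key" -CAcreateserial \
        -extfile "$WORK/subca.ext" -out "$WORK/externalsub.crt" 2>/dev/null
    # "Download PEM full chain": sub CA certificate first, Root CA after it.
    cat "$WORK/externalsub.crt" "$WORK/RootCA.cacert.pem" > "$WORK/External_Sub_CA.pem"
}

# External side, before "Receive Certificate Response": the first certificate in
# the file must chain to the Root CA downloaded earlier, and its public key must
# be the one from our CSR. A response for some other request, or a tampered
# chain, fails here instead of being imported and activating the CA.
external_side_verify_response() {
    openssl x509 -in "$WORK/External_Sub_CA.pem" -out "$WORK/leaf.crt" 2>/dev/null
    openssl verify -CAfile "$WORK/RootCA.cacert.pem" "$WORK/leaf.crt" >/dev/null 2>&1 || return 1
    csr_key=$(openssl req -in "$WORK/External_Sub_CA_csr.pem" -pubkey -noout | openssl dgst -sha256)
    crt_key=$(openssl x509 -in "$WORK/leaf.crt" -pubkey -noout | openssl dgst -sha256)
    [ "$csr_key" = "$crt_key" ]
}

# Either side: confirm the issued certificate really carries the profile's
# constraints and the DN typed into the Subject DN field (CN first, as the
# lab left LDAP DN Order unchecked).
check_profile_constraints() {
    txt=$(openssl x509 -in "$WORK/leaf.crt" -noout -text)
    echo "$txt" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' || return 1
    echo "$txt" | grep -q 'CA:TRUE, pathlen:0' || return 1
    echo "$txt" | grep -q 'Certificate Sign, CRL Sign' || return 1
    echo "$txt" | grep -q 'Policy: X509v3 Any Policy' || return 1
    echo "$txt" | grep -q "Public-Key: ($KEYBITS bit)" || return 1
    openssl x509 -in "$WORK/leaf.crt" -noout -subject -nameopt RFC2253 \
        | grep -q 'CN=External Sub CA,O=PrimeKey Solutions AB,C=SE'
}

run_lab() {
    root_side_create_root
    echo "Root CA fingerprint (compare out of band): $(root_fingerprint)"
    external_side_make_csr
    root_side_sign_csr
    external_side_verify_response || { echo "REJECT: response is not from our Root CA or not for our key" >&2; return 1; }
    check_profile_constraints || { echo "REJECT: profile constraints missing from certificate" >&2; return 1; }
    echo "response verified: chain, key match and profile constraints OK; files in $WORK"
}

# Run the whole round-trip with: sh external_subca_roundtrip.sh run
if [ "${1:-}" = "run" ]; then run_lab; fi
```

Every check is a function that returns non-zero on failure, so the same two gates (chain to the known root, key matches the CSR) can be scripted in front of the Receive Certificate Response step on a real external CA rather than trusting whatever PEM file arrived in the Downloads folder.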


