Subordinate CA

Introduction

Create CA Hierarchy Lab Overview - PART 2, Create the Subordinate CA

Slide Deck: Create CA Hierarchy

Overview: This lab is used to create our EJBCA PKI Hierarchy lab environment, which will be used throughout this course.

The Create CA Hierarchy lab consists of three parts: creating a Root CA, a Subordinate CA, and an External Subordinate CA.

  1. The second part of this lab focuses on creating the Subordinate CA. This section is very similar to creating the Root CA in the previous section.

    1. Create a Crypto Token which allows EJBCA to access the Subordinate CA keys.

    2. Clone the SUBCA certificate profile, which is provided as a template with EJBCA, and make the modifications required for the lab environment, e.g. select the key algorithm and key length.

    3. Create the Subordinate CA, making the modifications specific to it: add any asserted information (e.g. the DN of the CA), assign the crypto token keys to their usages, and configure the CRL validity periods.

Slide Reference

Create the crypto token first

Next create the certificate authority

Create Subordinate CA Crypto Token

  1. Click CA Functions >> Crypto Tokens

  2. Click Create new

  3. In the Name field, enter subcacryptotoken

  4. In the Type list, select PKCS#11 NG

  5. Check the Auto Activation checkbox to enable the crypto token to auto-activate

  6. In the PKCS#11 Library list, select P11 Proxy if not already selected

  7. In the PKCS#11 Reference Type list, select Slot/Token Label

  8. In the PKCS#11 Reference list, select SUB_CA_SLOT

  9. In the Authentication Code field, enter the password for the slot (password on the training system is foo123)

  10. In the Repeat Authentication Code field, re-enter the password from previous step

  11. Click Save

  12. Enter signKey00001 as the name for the new key, choose RSA 4096 from the list, select Sign and Encrypt for key usage and click Generate new key pair

  13. Click Test for the new key created, the result should be signKey00001 tested successfully

  14. Enter defaultKey00001 as the name for the new key, choose RSA 4096 from the list, select Sign and Encrypt for key usage, and click Generate new key pair

  15. Click Test for the new key created, the result should be defaultKey00001 tested successfully

  16. Enter testKey as the name for the new key, choose RSA 1024 from the list, select Sign and Encrypt for key usage, and click Generate new key pair

  17. Click Test for the new key created, the result should be testKey tested successfully

Create Subordinate CA Certificate Profile

  1. Click CA Functions >> Certificate Profiles

  2. On SUBCA click Clone

  3. Enter SubCACertificateProfile and click Create from template

  4. Click Edit on the profile SubCACertificateProfile

  5. In the Available key algorithms list, select RSA

  6. In the Available bit lengths list, select 4096 bits

  7. In the Signature Algorithm list, select SHA256WithRSA

  8. In the Validity field, enter 10y 3mo

  9. Uncheck the Subject Alternative Name Use... checkbox

  10. Uncheck the Issuer Alternative Name Use... checkbox

  11. Uncheck the LDAP DN order checkbox

  12. In the Available CAs list, select Root CA

  13. Keep the other values as default

  14. Click Save

Create Subordinate CA

  1. Click CA Functions >> Certification Authorities

  2. In the Add CA field, enter Sub CA and click Create…

  3. In the Crypto Token list, select subcacryptotoken

  4. In the defaultKey list, select defaultKey00001

  5. In the certSignKey list, select signKey00001

  6. In the testKey list, select testKey

  7. In the Subject DN field, enter CN=Sub CA,O=PrimeKey Solutions AB,C=SE

  8. In the Signed By list, select Root CA

  9. In the Certificate Profile list, select SubCACertificateProfile

  10. In the Validity field, enter 10y 3mo

  11. In the Certificate Policy OID field, enter 2.5.29.32.0 (the anyPolicy OID) or your organization's certificate policy OID

  12. Uncheck the LDAP DN Order checkbox

  13. In the CRL Expire Period field, enter 2d

  14. In the CRL Issue Interval field, enter 1d

  15. In the CRL Overlap Time field, enter 0m

  16. Under Monitor if CA active (healthcheck), check Activate

  17. Click Create
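As an added example (not part of the lab or of EJBCA), the Python script below turns the Sub CA settings entered above into checks you can run on the certificate the lab produces: it needs the `cryptography` package, builds a constructed Root CA / Sub CA pair as stand-in input, and `check_sub_ca` lists which lab settings a certificate fails (Subject DN encoded CN-first as the unchecked LDAP DN order gives, RSA 4096, SHA256WithRSA, CA key usage, policy OID 2.5.29.32.0, roughly 10y 3mo validity, signed by Root CA).

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.x509.oid import NameOID, SignatureAlgorithmOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa, padding

SUB_CA_DN = "CN=Sub CA,O=PrimeKey Solutions AB,C=SE"  # Subject DN entered in the lab
ANY_POLICY = x509.ObjectIdentifier("2.5.29.32.0")      # Certificate Policy OID entered in the lab
CA_KEY_USAGE = x509.KeyUsage(  # keyCertSign and cRLSign only, as a CA signing key should carry
    digital_signature=False, content_commitment=False, key_encipherment=False, data_encipherment=False,
    key_agreement=False, key_cert_sign=True, crl_sign=True, encipher_only=False, decipher_only=False)
def _name(cn):  # X.500 order, CN first: the encoding an unchecked "LDAP DN order" produces
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn), x509.NameAttribute(
        NameOID.ORGANIZATION_NAME, "PrimeKey Solutions AB"), x509.NameAttribute(NameOID.COUNTRY_NAME, "SE")])
def _ca_cert(subject, issuer, pubkey, signer, now):  # CA certificate with the lab's profile settings
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(pubkey).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=10 * 365 + 3 * 30))  # ~10y 3mo
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .add_extension(CA_KEY_USAGE, critical=True)
            .add_extension(x509.CertificatePolicies([x509.PolicyInformation(ANY_POLICY, None)]), critical=False)
            .sign(signer, hashes.SHA256()))  # SHA256WithRSA, as selected in the profile
def build_chain():  # constructed stand-in for the lab's EJBCA output: self-signed Root CA plus Sub CA
    now = datetime.datetime.now(datetime.timezone.utc)
    root_key, sub_key = (rsa.generate_private_key(65537, 4096) for _ in range(2))
    root = _ca_cert(_name("Root CA"), _name("Root CA"), root_key.public_key(), root_key, now)
    sub = _ca_cert(_name("Sub CA"), root.subject, sub_key.public_key(), root_key, now)
    return root, sub
def signed_by(cert, issuer):  # True if the issuer's RSA key verifies cert's PKCS#1 v1.5 signature
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False
def check_sub_ca(sub, root):  # returns the lab requirements the Sub CA certificate fails ([] = all met)
    pub, ext = sub.public_key(), sub.extensions
    ku = ext.get_extension_for_class(x509.KeyUsage).value
    policy_oids = [p.policy_identifier for p in ext.get_extension_for_class(x509.CertificatePolicies).value]
    checks = [
        (",".join(r.rfc4514_string() for r in sub.subject.rdns) == SUB_CA_DN, "DN differs or is not CN-first"),
        (sub.issuer == root.subject and signed_by(sub, root), "not signed by Root CA"),
        (isinstance(pub, rsa.RSAPublicKey) and pub.key_size == 4096, "key is not RSA 4096"),
        (sub.signature_algorithm_oid == SignatureAlgorithmOID.RSA_WITH_SHA256, "not SHA256WithRSA"),
        (ext.get_extension_for_class(x509.BasicConstraints).value.ca, "basicConstraints CA flag unset"),
        (ku.key_cert_sign and ku.crl_sign, "keyUsage lacks keyCertSign/cRLSign"),
        (ANY_POLICY in policy_oids, "certificatePolicies lacks 2.5.29.32.0"),
        (3735 <= (sub.not_valid_after - sub.not_valid_before).days <= 3750, "validity is not about 10y 3mo"),
    ]
    return [msg for ok, msg in checks if not ok]
```

To check the real Sub CA and Root CA certificates exported from EJBCA, load them with `x509.load_pem_x509_certificate` and pass them to `check_sub_ca` instead of the constructed pair.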
