Help Center> Cloud Certificate & Manager> Getting Started> Applying for a Private Certificate> Step 2: Creating a Private CA
View PDF

Step 2: Creating a Private CA

This section describes how to create a private CA. The private CA can be a root CA or a subordinate CA.

A maximum of 100 CAs can be created for each user. Private CAs in the pending deletion state are also counted in the private CA quota until the private CAs are deleted.

Procedure

  1. Log in to the management console.
  2. In the navigation pane on the left, click and choose Cloud Certificate Management Service under Security & Compliance. On the displayed CCM homepage, choose CA Management > Private CA.
  3. In the upper left corner of the private CA list, click Create CA to switch to the Create CA page.
  4. Configure the CA information.

    You need to specify the basic information, distinguished name, and certificate revocation configuration.

    1. Configure the basic information. Table 1 describes the parameters.
      Figure 1 Basic information
      Table 1 Basic information parameters

      Parameter

      Description

      Example Value

      CA Type

      Indicates the type of the CA to be created.

      The values can be:

      • Root CA: Select this option if you want to create a CA hierarchy.
        NOTE:

        If you create a private CA for the first time, you must create a root CA.

      • Subordinate CA: Select this option if you want to add a layer to the existing CA hierarchy.

      Root CA

      Key Algorithm

      Indicates the key algorithm. The values can be:

      • RSA2048
      • RSA4096
      • EC256
      • EC384

      RSA2048

      Signature Algorithm

      This parameter is displayed when CA Type is set to Root CA.

      Indicates the signature algorithm. The values can be:

      • SHA256
      • SHA384
      • SHA512

      SHA256

      Validity Period

      This parameter is displayed when CA Type is set to Root CA.

      Indicates the validity period of a private certificate issuer. The longest period is 30 years.

      3 years
    2. Configure the certificated distinguished name. Table 2 describes the parameters.
      Figure 2 Distinguished name
      Table 2 Parameters

      Parameter

      Description

      Example Value

      Common Name

      Indicates the CA name.

      -

      Country/Region

      Indicates the country or region where your organization belongs. Enter the two-letter code of the country or region.

      CN

      State/Province

      Indicates the name of the province or state where your organization is located.

      ShenZhen

      City

      Indicates the name of the city where your company is located.

      GuangZhou

      Organization

      Indicates the legal name of your company.

      Huawei Technologies Co., Ltd.

      Organizational Unit

      Indicates the department to which your organization belongs.

      Cloud Dept.
    3. (Optional) Configure certificate revocation.

      If you want to publish the certificate revocation list (CRL) for a private CA, you can configure parameters in this pane.

      Otherwise, skip this step.

      Table 3 describes the parameters.

      Figure 3 Revoking a certificate
      Table 3 Certificate revocation parameters

      Parameter

      Description

      OBS Authorization

      Indicates whether to authorize PCA to access your OBS bucket and upload the CRL file.

      If you want to authorize, click Authorize Now and complete the authorization as prompted.

      If you want to cancel the authorization, go to the IAM console to delete the PCAAccessPrivateOBS agency from the agency list.

      After the permission has been granted, follow-up operations do not require the permission to be granted again.

      Enable CRL publishing

      Indicates whether to enable CRL publishing.

      OBS Bucket

      Select an existing OBS bucket or click Create OBS Bucket to create an OBS bucket.

      CRL Update Period

      Indicates the CRL update period. PCA will generate a new CRL at the specified time.

      Enter an integer between 7 and 30.

  5. Click Next to enter the confirmation page.
  6. After confirming that the information is correct, click Confirm and Create.

    If you create a root CA, the root CA is automatically activated after being created. If you create a subordinate CA, you need to manually activate it.

    After you create a subordinate CA, click Activate Now or Activate Later to determine whether to activate the subordinate CA immediately.

Follow-up Procedure

After a root CA is created, it can be used to issue private certificates. For details about how to apply for a private certificate, see Step 4: Applying for a Private Certificate.

After a subordinate CA is created, you need to install a certificate and activate the CA. For details, see Step 3: Activating a Private CA.