Updated on 2023-12-19 GMT+08:00

Activating a Private CA

A subordinate private CA must be activated after it is created. A subordinate private CA takes effect and can be used to issue private certificates only after it is activated.

This topic describes how to activate a subordinate CA. You can use either an internal private CA or external private CA to activate the subordinate CA.

  • Internal private CA: Use a private CA in CCM to activate a subordinate CA.
  • External private CA: Use a private CA from a third party to activate a subordinate CA.

Prerequisites

  • You have created a subordinate private CA. For details, see Creating a Private CA.
  • The subordinate CA is in the Pending activation state.

Activating a Subordinate Private CA with an Internal Private CA

  1. Log in to the management console.
  2. Locate the row of the subordinate CA and click Activate in the Operation column. In the Install CA Certificate and Activate CA page, configure the required parameters.

    1. Configure Issued From.

      Select Internal private CA.

    2. Configure the required parameters.
      Table 1 Parameters

      Parameter

      Description

      Common Name

      Indicates the name of the CA. The CA can be a root CA or a subordinate CA.

      After you select the CA, the system automatically displays the type and ID of the CA.

      Signature Algorithm

      Indicates the signature algorithm. The values can be:

      • SHA256
      • SHA384
      • SHA512

      Validity Period

      Indicates the validity period of a private CA. The longest period is 20 years.

      Path Length

      The path length of the subordinate CA. The path length controls how many layers of subordinate CAs the current subordinate CA can issue. (The last layer of the certificate chain is a private certificate).

      NOTE:

      A certificate chain is made up of root CAs, subordinate CAs, and private certificates in a fixed sequence to validate the trust of a certificate at a lower layer.

  3. Confirm the configuration and click OK.

Activating a Subordinate Private CA with a Third-Party Private CA

  1. Log in to the management console.
  2. Locate the row of the subordinate CA and click Activate in the Operation column. In the Install CA Certificate and Activate CA page, configure the required parameters.

    1. Configure Issued From. Select External private CA.
    2. Export the CSR.

      In the CA CSR pane, click Export File.

      The PEM CSR is exported to a file and is signed by a parent CA.

    3. Use the external CA to issue a certificate.

      Use your private CA to issue a certificate for the subordinate private CA you want to activate.

    4. Import the certificate.

      Import the certificate and certificate chain in the Import the Certificate Issued by an External CA pane.

      Table 2 Parameter descriptions

      Parameter

      Description

      Certificate

      Open the PEM file in the certificate to be uploaded as a text file with the extension .pem and copy the certificate content to this text box.

      Certificate Chain

      Open the PEM file in the certificate to be uploaded as a text file with the extension .pem and copy the certificate chain to this text box.

  3. Confirm the configuration and click OK.

    If the status of the subordinate CA changes to Activated, the subordinate CA has been activated.

Follow-up Procedure

After a subordinate CA is activated, it can be used to issue private certificates. For details about how to apply for a private certificate, see Applying for a Private Certificate.