Creating a Private CA
CCM helps you set up an internal CA for your organization with low costs and use it to issue certificates with ease.
This topic describes how to create a private root CA and subordinate CA.
Overview
- Private CAs are classified into root CAs and subordinate CAs (intermediate CAs). A subordinate CA belongs to a root CA. A root CA can have multiple subordinate CAs.
- If this is your first time creating a private CA, you must create a root CA.
- A maximum of 100 CAs can be created for each user. Private CAs in the pending deletion state are also counted in the private CA quota until the private CAs are deleted.
Prerequisites
The account for creating a private CA has the PCA FullAccess permission.
Procedure
- Log in to the management console.
- Click in the upper left corner of the page and choose . In the navigation pane on the left, choose . The Private Certificate page is displayed.
- In the upper right corner of the private CA list, click Create CA to switch to the Create CA page.
- Configure the CA information.
You need to specify the basic information, distinguished name, and certificate revocation configuration.
- Configure the basic information. Table 1 describes the parameters.
Figure 1 Basic Information
Table 1 Basic information parameters Parameter
Description
Example Value
CA Type
Indicates the type of the CA to be created.
The values can be:
- Root CA: Select this option if you want to create a CA hierarchy.
NOTE:
If you create a private CA for the first time, you must create a root CA.
- Subordinate CA: Select this option if you want to add a layer to the existing CA hierarchy.
Root CA
Key Algorithm
Indicates the key algorithm. The values can be:
- RSA2048
- RSA4096
- EC256
- EC384
RSA2048
Signature Algorithm
This parameter is displayed when CA Type is set to Root CA.
You can select any of the following hash algorithms:
- SHA256
- SHA384
- SHA512
SHA256
Validity Period
This parameter is displayed when CA Type is set to Root CA.
Indicates the validity period of a private certificate issuer. The longest period is 30 years.
3 years
- Root CA: Select this option if you want to create a CA hierarchy.
- Configure the certificated distinguished name. Table 2 describes the parameters.
Table 2 Parameters Parameter
Description
Example Value
Common Name
Indicates the CA name.
N/A
Country/Region
Indicates the country or region where your organization belongs. Enter the two-letter code of the country or region.
FR
State/Province
Indicates the name of the province or state where your organization is located.
Paris
Locality
Indicates the name of the city where your organization is located.
Paris
Organization
The legal name of your company.
-
Organizational Unit
Indicates the department name.
Cloud Dept.
- (Optional) Configure certificate revocation.
If you want to use PCA to publish the certificate revocation list (CRL) for a private CA, you can configure parameters in this pane.
Otherwise, skip this step.
Table 3 describes the parameters.
Figure 2 Certificate Revocation
Table 3 Certificate revocation parameters Parameter
Description
OBS Authorization
Whether to authorize PCA to access your OBS bucket and upload the CRL file.
If you want to authorize, click Authorize Now and complete the authorization as prompted.
If you want to cancel the authorization, go to the IAM console to delete the PCAAccessPrivateOBS agency from the agency list.
After the permission has been granted, follow-up operations do not require the permission to be granted again.
Enable CRL publishing
Indicates whether to enable CRL publishing.
OBS Bucket
Select an existing OBS bucket or click Create OBS Bucket to create an OBS bucket.
CRL Update Period
Indicates the CRL update period. PCA will generate a new CRL at the specified time.
You can set the period to an integer between 7 and 30. If you do not specify a value, it is set to 7 days by default.
- Configure the basic information. Table 1 describes the parameters.
- Click Next to enter the confirmation page.
- After confirming the information about the private CA, click Confirm and Create.
If you create a root CA, the root CA is automatically activated after being created. If you create a subordinate CA, you need to manually activate it.
After you create a subordinate CA, you can choose Activate Now or Activate Later.
Follow-up Procedure
After a root CA is created, it can be used to issue private certificates. For details about how to apply for a private certificate, see Applying for a Private Certificate.
After a subordinate CA is created, you need to install a certificate and activate the CA. For details, see Activating a Private CA.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.