Updated on 2022-04-02 GMT+08:00

Configuring a CA

Context

The Certificate Authority Service provides a certificate issuance solution for cases where no CA is available or the existing CA does not meet the requirements.

When importing a third-party certificate, ensure that the certificate is issued by a trusted CA. Otherwise, security risks exist.

Procedure

  1. Choose System > About > Certificate Authority Service from the main menu.
  2. Choose PKI Management > CA from the navigation tree on the left.
  3. Click New and set required parameters.

    For detailed parameter descriptions, see Table 1.

    Table 1 CA parameters (each entry lists the parameter, its description, and its value range)

    Label
      Description: Name of a CA.
      Value:
        • The name is a string of 1 to 45 characters containing letters, digits, underscores (_), and hyphens (-).
        • The name cannot be null or all (case insensitive).

    Status
      Description: You can create an activated, inactive, or pending CA.
        NOTE: Before the CA certificate is uploaded, you cannot apply for a certificate from a CA in the pending state.
      Value: By default, the CA created is activated.

    Signature algorithm
      Description: Signature algorithm used by the CA to issue certificates.
        NOTE: RSASSA-PSS is more secure than RSA. Currently, only TLS 1.3 supports certificates signed with RSASSA-PSS; TLS 1.2 and earlier versions do not. If the certificates issued by this CA are used for TLS communication, confirm the TLS version before configuring the CA signature algorithm. Otherwise, the TLS communication may fail.
      Value: N/A

    Certificate SN length
      Description: Length of the unique serial number assigned by the CA to a certificate.
      Value: An integer ranging from 18 to 40, in characters.

    Max validity period
      Description: Maximum validity period of a certificate.
      Value: The validity period can be set in units of day, month, or year. The maximum validity period is 18250 days.

    New self-signed certificate
      Description: A certificate issued by a signing entity to itself, not by an authoritative CA. When creating a CA in self-signed mode, you need to select a certificate profile whose certificate level is Root CA and enter the user information configured in the profile.
      Value: N/A

    Upload certificate file
      Certificate file
        Description: You can create a CA by uploading a local certificate file. In this mode, you create a subordinate CA of the organization that issued the certificate file. This subordinate CA is used to issue certificates to lower-level organizations.
        Value:
          • The certificate file must be in .p12, .pfx, or .jks format.
          • Only one certificate can be uploaded, and the size of a single file cannot exceed 20 KB.
          • The certificate file name is a string of 1 to 256 characters containing Chinese characters, digits, letters, underscores (_), hyphens (-), spaces, dots (.), and round brackets. It cannot start with a dot (.) or a space.
      Certificate password
        Description: Password set for the certificate during certificate application. This is the password of the .p12 file; you need to enter it when uploading the certificate file.
        Value: N/A
      Upload certificate chain
        Description: Upload the corresponding certificate chain. You can select multiple files. For example, if a level-3 CA certificate is imported, upload the corresponding level-1 and level-2 CA certificates.
        Value:
          • The certificate chain file must be in .cer, .crt, or .pem format.
          • A maximum of 10 files can be uploaded at a time, and the size of the files uploaded at a time cannot exceed 100 KB.
          • The certificate file name is a string of 1 to 256 characters containing Chinese characters, digits, letters, underscores (_), hyphens (-), spaces, dots (.), and round brackets. It cannot start with a dot (.) or a space.

    New CSR file
      Description: When the CA status is Pending, New CSR file is automatically selected as the certificate configuration mode.
      Value: N/A

    Signed by internal CA
      Internal CA
        Description: In Signed by internal CA mode, a sub-CA is created under an existing CA. When creating a sub-CA signed by an internal CA, you need to select a CA as the parent CA.
        Value: N/A
      Certificate profile
        Description: When creating a sub-CA in Signed by internal CA mode, you need to select a certificate profile whose certificate level is Subordinate CA and enter the user information configured in the profile.
        Value: N/A

    Key generation mode
      Description: You can use Software or HSM to generate keys.
      Value: N/A

    CRL generation interval
      Description: Interval at which a CRL is generated.
      Value: An integer ranging from 1 to 60, in days.

    CRL generation time
      Description: Time when the CRL is generated.
      Value: N/A

    CRL overlap time
      Description: Period during which a user can already obtain the new CRL before the old CRL is considered unavailable.
      Value: An integer ranging from 1 to 60, in minutes.

    Include revocation reasons
      Description: Whether to include the revocation reason in the CRL.
      Value: The default value is Yes.

    CRL server
      Description: Server to which the CRL is published.
      Value: N/A

    Publication mode
      Description: Whether the CRL is published manually or automatically. If you select Automatic, you must configure the CRL server and the publication period.
      Value:
        • By default, Automatic is not selected, indicating that manual publishing is used.
        • If you select Automatic, the default publishing interval is 60 minutes.
        • The unit of the publishing interval can be minute, hour, or day. The maximum interval is 180 days.

    CRL distribution point
      Description: A location where CRLs are published, for example, http://IP address:Port number/caname.crl. The CRL corresponding to a certificate can be obtained from this location.
        NOTE: The CRL obtained from the CRL distribution point can be used to verify the validity of certificates issued by the CA. The Certificate Authority Service does not automatically release the CRL to the CRL distribution point; you need to maintain the validity of the CRL file at the distribution point yourself.
      Value: Each CA can be configured with a maximum of four CRL distribution points.

  4. Click Next.
  5. In the profile association list, select the profile to be associated.

    • Configure an associated profile for the CA to issue certificates. The associated profile must be a sub-CA profile or an end-entity profile.

    • A CA must be associated with at least one profile, and a maximum of 16 profiles can be associated.

  6. In the default profile list, select an associated profile as the default profile.

    • During certificate application using CMP or privacy CA protocol, if the request carries the profile name parameter, the specified profile is used; if the request does not carry the profile name parameter, the default profile of the CA is used.
    • Only one default profile can be set for a CA.

  7. Click Submit.

    • You can click Reset to clear parameter settings.
    • You can also click Back to return to the previous page.

Follow-up Procedure

  • Deactivating a CA

    For a created and activated CA, you can access the CA page and click Deactivate CA in the Operation column of the CA to deactivate it.

  • Activating a CA

    For a created but inactive CA, you can access the CA page and click Active CA in the Operation column of the CA to activate it.

  • Downloading a CSR

    For a created but pending CA, you can download the CSR file directly after creating the CA, or click Download CSR on the CA page to download the CSR file of the CA.

  • Uploading a CA certificate

    For a created but pending CA, you can access the CA page and click Upload CA certificate in the Operation column of the CA to upload the CA certificate.

    • The certificate file or certificate chain must be in .cer, .crt, or .pem format. Only one certificate can be uploaded, and the size of a single file cannot exceed 100 KB. The certificate file name is a string of 1 to 256 characters containing Chinese characters, digits, letters, underscores (_), hyphens (-), spaces, dots (.), and round brackets. It cannot start with a dot (.) or a space.
    • If a certificate issued by the current CA is used to sign a CMP request, the CA uses its own certificate and certificate chain to verify the signing certificate of the request.
    • For a CA that has been created and is in the pending state, if the CA certificate is not uploaded within 15 days, the CA is deleted.

  • Updating a key

    Choose PKI Management > CA. Click Rekeying in the Operation column of a CA to update its key. After the key is updated, a new root CA is created and the OldWithNew and NewWithOld certificates are generated automatically. You can view or download the associated certificates as described in Related Tasks.

  • Downloading a CA certificate

    Choose PKI Management > CA. Click Download CA Certificate in the Operation column of a CA to download the CA certificate to the local computer.

    Alternatively, choose PKI Management > CA, click a CA name, and on the page that is displayed click Download CA Certificate to download the CA certificate to the local computer.

    If the CA status is pending, the CA certificate cannot be downloaded.

Related Tasks

  • Querying a CA

    Choose PKI Management > CA. Click a CA name to view the CA details on the CA Information tab page, including the status, Certificate SN length, signature algorithm, associated profile, and default profile.

  • Querying a CA certificate

    Choose PKI Management > CA. Click a CA name to view the CA details on the CA Certificate tab page, including the version, SN, subject, and validity period.

    If the CA status is pending, you cannot view the CA certificate information.

  • Querying an associated certificate

    Choose PKI Management > CA. Click a CA name to view the CA details on the Associated Certificate tab page, including the version, SN, subject, and validity period.

    • OldWithNew: certificate generated when the CA key is updated. It contains the public key of the old key, and its validity period is the same as that of the old CA. An entity that uses the new root CA certificate as its trust root needs to obtain the OldWithNew certificate before it can verify entities that were issued under the old root CA. The verification process is to use the root CA's new key to verify the old key, and then use the old key to verify the end entities originally subordinate to the old root CA.
    • NewWithOld: certificate generated when the CA key is updated. It contains the public key of the new key; its effective date is that of the new CA, and its expiration date is that of the old CA. Entities that use the old root CA certificate as their trust root should apply for a new certificate as soon as possible. In the meantime, if they need to verify entities that use the new root CA certificate as their trust root, they must first obtain the NewWithOld certificate. The verification process is to use the root CA's old key to verify the new key, and then use the new key to verify the end entities subordinate to the new root CA.

  • Downloading an associated certificate

    Choose PKI Management > CA. Click a CA name, and click Download on the Associated Certificate tab page to download the certificate to the local computer. If you select multiple certificates, they are combined and downloaded as a single .pem certificate file.
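
    As an added example (not part of this documentation or of the Certificate Authority Service), the Go program below reproduces the OldWithNew verification path described above with Go's standard crypto/x509 package: an end-entity certificate issued under the old root key fails verification against the new root alone and succeeds once the OldWithNew certificate (old public key, old CA validity period, signed by the new key) is supplied as the link certificate. The subject name "Root CA", the serial numbers and the validity periods are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// caTemplate builds a CA template; the subject stays "Root CA" (a constructed name) across the key update.
func caTemplate(serial int64, notBefore, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "Root CA"},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
}

// issue signs tmpl over the public key pub with signer, whose own certificate is parent.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER just produced by CreateCertificate always parses
	return c
}

// RekeyDemo models a root key update: an end entity issued under the old key is verified by a
// party that trusts only the new root, alone and then via OldWithNew. Returns (alone, linked).
func RekeyDemo() (bool, bool) {
	genKey := func() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
	oldKey, newKey, eeKey := genKey(), genKey(), genKey()
	now, year := time.Now(), 365*24*time.Hour
	oldTmpl := caTemplate(1, now.Add(-2*year), now.Add(year)) // old root: issued two years ago, one year left
	oldRoot := issue(oldTmpl, oldTmpl, &oldKey.PublicKey, oldKey)
	newTmpl := caTemplate(2, now.Add(-time.Hour), now.Add(3*year)) // new root created by the rekey
	newRoot := issue(newTmpl, newTmpl, &newKey.PublicKey, newKey)
	eeTmpl := &x509.Certificate{SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "server"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(30 * 24 * time.Hour)}
	ee := issue(eeTmpl, oldRoot, &eeKey.PublicKey, oldKey) // end entity issued under the old key
	oldWithNew := issue(caTemplate(4, oldRoot.NotBefore, oldRoot.NotAfter), newRoot, &oldKey.PublicKey, newKey) // OldWithNew link
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(newRoot)
	_, errAlone := ee.Verify(x509.VerifyOptions{Roots: roots})
	inter.AddCert(oldWithNew)
	_, errLinked := ee.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
	return errAlone == nil, errLinked == nil
}
```

    Swapping the roles of the two keys (new public key signed by the old key, expiring with the old CA) gives the NewWithOld case for a party that still trusts only the old root.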

  • Modifying a CA

    Choose PKI Management > CA. Click Modify in the Operation column of a CA to modify its configuration.

    • When modifying the CA configuration, you can change only the Max validity period, Certificate SN length, CRL generation interval, CRL generation time, CRL overlap time, Include revocation reasons, CRL server, Publication mode, CRL distribution point, associated profile, and default profile of the CA.
    • If the CA was created by uploading a file and a certificate chain file has already been uploaded, the Upload Certificate Chain option is not displayed when you modify the CA.
    • If the CA was created by uploading a file and the certificate chain file was not uploaded or failed to upload, the Upload Certificate Chain option is displayed when you modify the CA.
    • If the CA status is pending, the CA configuration cannot be modified.

  • Searching for a CA

    Choose PKI Management > CA. Enter a CA name in the search box and click the search icon to find the specified CA and view its details. The Certificate Authority Service supports fuzzy search by CA name.

  • Searching for an associated profile

    When creating or modifying a CA on the PKI Management > CA page, enter the name of an associated profile in the search box on the page for setting associated profiles, and click the search icon to find the specified associated profile. The Certificate Authority Service supports fuzzy search by associated profile name.

  • Searching for a default profile

    When creating or modifying a CA on the PKI Management > CA page, enter the name of a default profile in the search box on the page for setting default profiles, and click the search icon to find the specified default profile. The Certificate Authority Service supports fuzzy search by default profile name.