Updated on 2025-10-29 GMT+08:00

Creating a Private CA

CCM helps you set up an internal CA for your organization at low cost and use it to issue certificates with ease.

This topic describes how to create a private root CA and subordinate CA.

Overview

  • Private CAs are classified into root CAs and subordinate CAs (intermediate CAs). A subordinate CA belongs to a root CA. A root CA can have multiple subordinate CAs.
  • If this is your first time creating a private CA, you must create a root CA.
  • A maximum of 100 CAs can be created for each user. Private CAs in the pending deletion state are also counted in the private CA quota until the private CAs are deleted.

Prerequisites

The account for creating a private CA has the PCA FullAccess permission.

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the page and choose Security & Compliance > Cloud Certificate Management Service. The service console is displayed.
  3. In the navigation pane on the left, choose Private Certificate Management > Private CAs.
  4. In the upper right corner of the private CA list, click Create CA to switch to the Create CA page.
  5. Configure the CA information.

    You need to specify the basic information, distinguished name, enterprise project, and certificate revocation configuration.

    1. Configure the basic information. Table 1 describes the parameters.
      Table 1 Basic information parameters

      | Parameter | Description | Example Value |
      |---|---|---|
      | CA Type | Indicates the type of the CA to be created. The values can be: Root CA (select this option if you want to create a CA hierarchy) or Subordinate CA (select this option if you want to add a layer to the existing CA hierarchy). NOTE: If you create a private CA for the first time, you must create a root CA. | Root CA |
      | Key Algorithm | Indicates the key algorithm. The values can be: RSA2048, RSA3072, RSA4096, EC256, EC384. | RSA2048 |
      | Signature Algorithm | This parameter is displayed when CA Type is set to Root CA. You can select any of the following hash algorithms: SHA256, SHA384, SHA512, SHA256_PSS, SHA384_PSS, SHA512_PSS. | SHA256 |
      | Validity Period | This parameter is displayed when CA Type is set to Root CA. Indicates the validity period of a private certificate issuer. The longest period is 30 years. | 3 years |

    2. Configure the certificate distinguished name. Table 2 describes the parameters.
      Table 2 Parameters

      | Parameter | Description | Example Value |
      |---|---|---|
      | Common Name | Indicates the CA name. | N/A |
      | Country/Region | Indicates the country or region to which your organization belongs. Enter the two-letter code of the country or region. | MA |
      | State/Province | Indicates the name of the province or state where your organization is located. | Kuala Lumpur |
      | Locality | Indicates the name of the city where your organization is located. | Kuala Lumpur |
      | Organization | The legal name of your company. | N/A |
      | Organizational Unit | Indicates the department name. | Cloud Dept |

    3. Select an enterprise project from the Enterprise Project drop-down list.

      This option is only available if you have logged in using an enterprise account, or if you have enabled enterprise projects.

      To use this function, see section "Enabling the Enterprise Center" in the Enterprise Management User Guide. You can use an enterprise project to centrally manage your cloud resources and members by project.

      The value default indicates the default enterprise project. Resources that are not allocated to any enterprise project under your account are displayed in the default enterprise project.

    4. (Optional) Configure certificate revocation.

      If you want to publish the certificate revocation list (CRL) for a private CA, you can configure parameters in this pane.

      If no configuration is required, skip this step.

      Configure certificate revocation information. Table 3 describes the parameters.

      Table 3 Certificate revocation parameters

      | Parameter | Description |
      |---|---|
      | OBS Authorization | Whether to authorize CCM to access your OBS bucket and upload the CRL file. If you want to authorize, click Authorize Now and complete the authorization as prompted. If you want to cancel the authorization, go to the IAM console to delete the PCAAccessPrivateOBS agency from the agency list. After the permission has been granted, follow-up operations do not require the permission to be granted again. |
      | Enable CRL publishing | Indicates whether to enable CRL publishing. |
      | OBS Bucket | Select an existing OBS bucket or click Create OBS Bucket to create an OBS bucket. |
      | CRL Update Period | Indicates the CRL update period. PCA will generate a new CRL at the specified time. You can set the period to an integer between 7 and 30. If you do not specify a value, it is set to 7 days by default. |

    5. (Optional) Click Add Tag and configure a tag for the private CA.

      Tags can be used to identify private CAs. You can use tags to group private CAs by usage, owner, or environment and manage them centrally. For details, see Overview.

  6. Click Next to enter the confirmation page.
  7. After confirming the information about the private CA, click Confirm and Create.

    If you create a root CA, the root CA is automatically activated after being created. If you create a subordinate CA, you need to manually activate it.

    After you create a subordinate CA, click Activate Now or Activate Later to determine whether to activate the subordinate CA immediately.
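
The limits from the Overview and Tables 1 to 3, collected into a check that can be run on a planned CA before anyone opens the console. This is an added example, not Huawei Cloud code or a CCM API: the CARequest record and its field names, validity expressed in whole years with a one-year minimum, and the rule that CRL publishing needs a bucket are assumptions, and the PSS rule is a general RSA fact rather than a statement from this page.

```python
from dataclasses import dataclass
from typing import Optional

# Limits copied from the Overview and Tables 1 to 3 on this page.
KEY_ALGS = {"RSA2048", "RSA3072", "RSA4096", "EC256", "EC384"}
SIG_ALGS = {"SHA256", "SHA384", "SHA512", "SHA256_PSS", "SHA384_PSS", "SHA512_PSS"}
MAX_CAS, MAX_VALIDITY_YEARS = 100, 30
CRL_MIN_DAYS, CRL_MAX_DAYS, CRL_DEFAULT_DAYS = 7, 30, 7

@dataclass
class CARequest:  # hypothetical change-request record, not a CCM API object
    ca_type: str                               # "ROOT" or "SUBORDINATE"
    key_algorithm: str
    country: str
    signature_algorithm: Optional[str] = None  # shown for root CAs only
    validity_years: Optional[int] = None       # shown for root CAs only
    crl_enabled: bool = False
    obs_bucket: Optional[str] = None
    crl_update_days: Optional[int] = None

def review(req: CARequest, existing_cas: int):
    """Return (errors, CRL period in days or None); existing_cas includes pending-deletion CAs."""
    errs = []
    if existing_cas >= MAX_CAS:
        errs.append("quota of 100 CAs reached (pending-deletion CAs count)")
    if existing_cas == 0 and req.ca_type != "ROOT":
        errs.append("the first private CA must be a root CA")
    if req.key_algorithm not in KEY_ALGS:
        errs.append(f"unsupported key algorithm {req.key_algorithm}")
    if not (len(req.country) == 2 and req.country.isalpha()):
        errs.append("country/region must be a two-letter code")
    if req.ca_type == "ROOT":
        sig = req.signature_algorithm
        if sig not in SIG_ALGS:
            errs.append(f"unsupported signature algorithm {sig}")
        elif sig.endswith("_PSS") and not req.key_algorithm.startswith("RSA"):
            errs.append("PSS signature algorithms require an RSA key")  # RSA fact, not from the page
        if not req.validity_years or not 1 <= req.validity_years <= MAX_VALIDITY_YEARS:
            errs.append("root CA validity must be 1 to 30 years")
    elif req.signature_algorithm or req.validity_years:
        errs.append("signature algorithm and validity are set only for a root CA")
    crl_days = None
    if req.crl_enabled:
        crl_days = req.crl_update_days or CRL_DEFAULT_DAYS
        if not req.obs_bucket:  # assumption: publishing needs a target bucket
            errs.append("CRL publishing enabled without an OBS bucket")
        if not CRL_MIN_DAYS <= crl_days <= CRL_MAX_DAYS:
            errs.append("CRL update period must be between 7 and 30 days")
    return errs, crl_days
```
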

Follow-up Procedure

After a root CA is created, it can be used to issue private certificates. For details about how to apply for a private certificate, see Applying for a Private Certificate.

After a subordinate CA is created, you need to install a certificate and activate the CA. For details, see Activating a Private CA.