Updated on 2023-09-21 GMT+08:00

Creating a Private CA

Huawei Cloud CCM provides you with the PCA service, which helps you set up an internal CA for your organization with low costs and use it to issue certificates with ease.

This topic describes how to create a private root CA and subordinate CA.


  • Private CAs are classified into root CAs and subordinate CAs (intermediate CAs). A subordinate CA belongs to a root CA. A root CA can have multiple subordinate CAs.
  • If this is your first time creating a private CA, you must create a root CA.
  • A maximum of 100 CAs can be created for each user. Private CAs in the pending deletion state are also counted in the private CA quota until the private CAs are deleted.


The account for creating a private CA has the PCA FullAccess permission.


  1. Log in to the management console.
  2. Click in the upper left corner of the page and choose Security & Compliance > Cloud Certificate Management Service. In the navigation pane on the left, choose Private Certificate Management > Private Certificate. The Private Certificate page is displayed.
  3. In the upper right corner of the private CA list, click Create CA to switch to the Create CA page.
  4. Configure the CA information.

    You need to specify the basic information, distinguished name, and certificate revocation configuration.

    1. Configure the basic information. Table 1 describes the parameters.

      Table 1 Basic information parameters



      Example Value

      CA Type

      Indicates the type of the CA to be created.

      The values can be:

      • Root CA: Select this option if you want to create a CA hierarchy.

        If you create a private CA for the first time, you must create a root CA.

      • Subordinate CA: Select this option if you want to add a layer to the existing CA hierarchy.

      Root CA

      Key Algorithm

      Indicates the key algorithm. The values can be:

      • RSA2048
      • RSA4096
      • EC256
      • EC384


      Signature Algorithm

      This parameter is displayed when CA Type is set to Root CA.

      You can select any of the following hash algorithms:

      • SHA256
      • SHA384
      • SHA512


      Validity Period

      This parameter is displayed when CA Type is set to Root CA.

      Indicates the validity period of a private certificate issuer. The longest period is 30 years.

      3 years

    2. Configure the certificated distinguished name. Table 2 describes the parameters.
      Figure 1 Distinguished name
      Table 2 Parameters



      Example Value

      Common Name

      Indicates the CA name.



      Indicates the country or region where your organization belongs. Enter the two-letter code of the country or region. For example, enter CN for China.



      Indicates the name of the province or state where your organization is located.



      Indicates the name of the city where your organization is located.



      The legal name of your company.


      Organizational Unit

      Indicates the department name.

      Cloud Dept.

    3. (Optional) Configure certificate revocation.

      If you want to use PCA to publish the certificate revocation list (CRL) for a private CA, you can configure parameters in this pane.

      Otherwise, skip this step.

      Table 3 describes the parameters.

      Figure 2 Certificate Revocation
      Table 3 Certificate revocation parameters



      OBS Authorization

      Whether to authorize PCA to access your OBS bucket and upload the CRL file.

      If you want to authorize, click Authorize Now and complete the authorization as prompted.

      If you want to cancel the authorization, go to the IAM console to delete the PCAAccessPrivateOBS agency from the agency list.

      After the permission has been granted, follow-up operations do not require the permission to be granted again.

      Enable CRL publishing

      Indicates whether to enable CRL publishing.

      OBS Bucket

      Select an existing OBS bucket or click Create OBS Bucket to create an OBS bucket.

      CRL Update Period

      Indicates the CRL update period. PCA will generate a new CRL at the specified time.

      You can set the period to an integer between 7 and 30. If you do not specify a value, it is set to 7 days by default.

  5. Click Next to enter the confirmation page.
  6. After confirming the information about the private CA, click Confirm and Create.

    If you create a root CA, the root CA is automatically activated after being created. If you create a subordinate CA, you need to manually activate it.

    After you create a subordinate CA, you can choose Activate Now or Activate Later.

Follow-up Procedure

After a root CA is created, it can be used to issue private certificates. For details about how to apply for a private certificate, see Applying for a Private Certificate.

After a subordinate CA is created, you need to install a certificate and activate the CA. For details, see Activating a Private CA.