Updated on 2025-12-03 GMT+08:00

Creating a CA certificate

Scenarios

Certificate-based authentication depends on CA certificates to issue, manage, and verify digital certificates, ensuring that network communication, identity authentication, and data exchange are secure. This section describes two creation methods. You can use either of them as required.

  • A tenant can create up to three CA certificates. These certificates are dedicated for certificate-based authentication.
  • Note on certificate private key rotation:
    • A public-private key pair is valid for a period of time, and is used to issue a user certificate for smart card authentication.
    • Valid public-private key pairs are assigned to users, each key pair to one user.
    • When a public-private key pair is about to expire, the user will be reassigned another valid key pair.

Creating a Root CA Certificate

  1. Log in to the console.
  2. In the navigation pane, choose Tenant Configuration > Basic Settings.
  3. Click Enable under certificate-based authentication.
  4. Click Creating a CA Certificate on the right of the private CA certificate.
  5. Specify basic certificate information, as shown in Table 1.

    Table 1 CA certificate configuration

    | Type | Parameter | Description | Example Value |
    |---|---|---|---|
    | Basic Information | CA Type | Root CA: created on the Workspace console. | Root CA |
    | Basic Information | Key algorithm | RSA3072 and RSA4096 are supported as key algorithms for certificate-based authentication. SHA256 and SHA512 are supported as signature hash algorithms. | RSA 3072 |
    | Basic Information | Signature Hash Algorithm | Combination of a hash algorithm and a signature algorithm, used to ensure data integrity and source authenticity. The hash algorithm (for example, SHA-256) produces a fixed-length digest of the data; the signature algorithm (for example, RSA) signs that digest with the private key. | SHA256 |
    | Basic Information | Validity period | Validity period of the CA certificate, from 10 to 30 years. | 10 years |
    | Certificate Unique Identifier Name (DN) | CA Name (CN) | Name of the CA certificate. | pca-xxxx |
    | Certificate Unique Identifier Name (DN) | Country/Region | Country/Region where the certificate is issued. | CN/US |
    | Certificate Unique Identifier Name (DN) | Province | Province where the certificate is issued. | - |
    | Certificate Unique Identifier Name (DN) | City | City where the certificate is issued. | - |
    | Certificate Unique Identifier Name (DN) | Company Name (O) | Name of the company that issued the certificate. | - |
    | Certificate Unique Identifier Name (DN) | Department Name (OU) | Name of the department that issued the certificate. | IT |
    | Certificate Revocation Configuration | CRL Distribution Point | A CRL distribution point (CDP) is one or more URLs carried in a digital certificate. It tells a client where to download the latest certificate revocation list (CRL) to check whether the certificate has been revoked. | CDP URL: https://smartcard.domain name.com/smartcard.crl |
    | Certificate Revocation Configuration | CRL Update Period | Interval at which the client must refresh the CRL. The range is 3,650–10,950 days. | 3,650 days |

  6. Click Next and confirm the CA certificate information.
  7. Click OK.

    For details about CA certificate management, see Certificate Configuration.

Creating a Subordinate CA Certificate

  1. Log in to the console.
  2. In the navigation pane, choose Tenant Configuration > Basic Settings.
  3. Click Enable under certificate-based authentication.
  4. Click Creating a CA Certificate on the right of the private CA certificate.
  5. Specify basic certificate information, as shown in Table 2.

    Table 2 CA certificate configuration

    | Type | Parameter | Description | Example Value |
    |---|---|---|---|
    | Basic Information | CA Type | Subordinate CA: issued by the enterprise's own PKI system. | Subordinate CA |
    | Basic Information | Key algorithm | RSA3072 and RSA4096 are supported as key algorithms for certificate-based authentication. SHA256 and SHA512 are supported as signature hash algorithms. | RSA 3072 |
    | Basic Information | Signature Hash Algorithm | Combination of a hash algorithm and a signature algorithm, used to ensure data integrity and source authenticity. The hash algorithm (for example, SHA-256) produces a fixed-length digest of the data; the signature algorithm (for example, RSA) signs that digest with the private key. | SHA256 |
    | Basic Information | Validity period | Validity period of the CA certificate, from 10 to 30 years. | 10 years |
    | Certificate Unique Identifier Name (DN) | CA Name (CN) | Name of the CA certificate. | pca-xxxx |
    | Certificate Unique Identifier Name (DN) | Country/Region | Country/Region where the certificate is issued. | CN/US |
    | Certificate Unique Identifier Name (DN) | Province | Province where the certificate is issued. | - |
    | Certificate Unique Identifier Name (DN) | City | City where the certificate is issued. | - |
    | Certificate Unique Identifier Name (DN) | Company Name (O) | Name of the company that issued the certificate. | - |
    | Certificate Unique Identifier Name (DN) | Department Name (OU) | Name of the department that issued the certificate. | IT |
    | Certificate Revocation Configuration | CRL Distribution Point | A CRL distribution point (CDP) is one or more URLs carried in a digital certificate. It tells a client where to download the latest certificate revocation list (CRL) to check whether the certificate has been revoked. | CDP URL: https://smartcard.domain name.com/smartcard.crl |
    | Certificate Revocation Configuration | CRL Update Period | Interval at which the client must refresh the CRL. The range is 3,650–10,950 days. | 3,650 days |

  6. Click Next and confirm the CA information.

    1. Click Export CSR as a file under CA CSR and save the cert.csr file as prompted.
    2. Provide the cert.csr file to the administrator. The administrator issues the certificate in the enterprise's own PKI system.

       Double-click the issued certificate and click Details to check that the certificate contains the fields shown in the following figure.

    3. Obtain the certificate file issued by the administrator and copy its content into the text box of the Import certificates issued by an external CA section.

       Figure 1 Importing certificate content

    4. Click OK.

       The certificate provided by the administrator must be in .pem format; no other format is accepted.

  7. Click OK.

    For details about CA certificate management, see Certificate Configuration.
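One way to vet the certificate the enterprise PKI returns before pasting it into the import box, as an added example that is not Workspace's own code: it checks the parameters stated in Tables 1 and 2 (RSA 3072/4096, SHA256/SHA512, a 10 to 30 year validity period, a CRL distribution point) plus the CA basic constraints and key usage that any CA certificate needs, and returns the list of problems found. It assumes the `cryptography` package; `make_sample_ca`, its CN and its CDP host name are constructed stand-ins.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtensionOID, NameOID

ALLOWED_KEY_SIZES = {3072, 4096}         # RSA3072 / RSA4096 per Tables 1 and 2
ALLOWED_HASHES = {"sha256", "sha512"}    # SHA256 / SHA512 per Tables 1 and 2
MIN_DAYS, MAX_DAYS = 10 * 365, 30 * 366  # 10 to 30 years, tolerant of leap days

def check_subordinate_ca(pem: bytes) -> list:
    cert = x509.load_pem_x509_certificate(pem)
    problems = []
    key = cert.public_key()
    if not isinstance(key, rsa.RSAPublicKey) or key.key_size not in ALLOWED_KEY_SIZES:
        problems.append("key algorithm must be RSA 3072 or RSA 4096")
    if cert.signature_hash_algorithm is None or cert.signature_hash_algorithm.name not in ALLOWED_HASHES:
        problems.append("signature hash must be SHA256 or SHA512")
    try:
        days = (cert.not_valid_after_utc - cert.not_valid_before_utc).days
    except AttributeError:  # cryptography < 42 only has the naive accessors
        days = (cert.not_valid_after - cert.not_valid_before).days
    if not MIN_DAYS <= days <= MAX_DAYS:
        problems.append(f"validity of {days} days is outside 10-30 years")
    try:  # a CA certificate must assert CA:TRUE and be allowed to sign certs and CRLs
        if not cert.extensions.get_extension_for_oid(ExtensionOID.BASIC_CONSTRAINTS).value.ca:
            problems.append("basicConstraints CA is not TRUE")
        usage = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE).value
        if not (usage.key_cert_sign and usage.crl_sign):
            problems.append("keyUsage must include keyCertSign and cRLSign")
        cert.extensions.get_extension_for_oid(ExtensionOID.CRL_DISTRIBUTION_POINTS)  # CDP set?
    except x509.ExtensionNotFound as e:
        problems.append(f"required extension missing: {e.oid.dotted_string}")
    return problems

def make_sample_ca(days=3650, key_size=3072, with_cdp=True) -> bytes:
    """Constructed self-signed CA standing in for what the enterprise PKI returns."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_size)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "pca-example")])
    now = dt.datetime.now(dt.timezone.utc)
    usage = x509.KeyUsage(False, False, False, False, False, True, True, False, False)
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + dt.timedelta(days=days))
         .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
         .add_extension(usage, critical=True))
    if with_cdp:  # CDP URL shaped like the table's example, with a placeholder host
        dp = x509.DistributionPoint([x509.UniformResourceIdentifier("https://smartcard.example.com/smartcard.crl")], None, None, None)
        b = b.add_extension(x509.CRLDistributionPoints([dp]), critical=False)
    return b.sign(key, hashes.SHA256()).public_bytes(serialization.Encoding.PEM)
```

Run `check_subordinate_ca(open("issued.pem", "rb").read())` against the file the administrator hands back and import it only when the list comes back empty.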