Tutorial - Create a PKI Hierarchy in EJBCA
Learn how to create a multi-tier Certificate Authority (CA) hierarchy in EJBCA.
It is recommended to create a multi-tier hierarchy of CAs. With this setup, a root CA (trust anchor) only issues certificates to subordinate CAs, giving them authority to issue new certificates. Subordinate CAs can issue certificates directly to end entities or create additional levels of subordinate CAs. The main benefit of this is that the root CA can be tightly controlled and be given a long validity time, while subordinate CAs can have shorter validity and, if necessary, be revoked. This way, the need to update and replace trusted root CA certificates is minimized.
Different subordinate CAs can also be administered by different teams, even if they are hosted in the same EJBCA instance. You may for example have one CA for internal entities and one for external, different CAs across regions, different CAs for different purposes, and so on.
In this tutorial, you will learn how to:
- Create a Root CA and subordinate CA in the same EJBCA instance
- Create a new certificate profile based on an existing profile
- Configure CRL Distribution Points
- Configure Authority Information Access URIs
Prerequisites
Before you begin, you need a running EJBCA instance. Also, to learn how to create a Root CA profile template, see the tutorial Create your first Root CA using EJBCA.
Step 1 - Create certificate profiles
The first step towards creating a CA hierarchy is to create certificate profiles for the Root CA and Sub CA. The certificate profile defines the constraints of new certificates, for example, what keys it can use, and what the extensions will be. For an introduction to certificate profiles, see the Certificate Profiles Overview.
Create Root CA certificate profile
The following provides steps for creating a Root CA certificate profile by cloning the MyRootCAProfile certificate profile created in the tutorial Create your first Root CA using EJBCA.
To create a certificate profile for creating the Root CA in a later step, do the following:
- In EJBCA, under CA Functions, click Certificate Profiles.
The Manage Certificate Profiles page displays a list with default profiles and the Root CA Profile created in the previous tutorial Create your first Root CA using EJBCA.
- Click Clone next to the MyRootCAProfile template to use that as a basis for creating your new Root CA profile.
- Name the new certificate profile MyPKIRootCAProfile, and click Create from template.
- To edit the profile values to fit your needs, find the newly created MyPKIRootCAProfile displayed in the list and click Edit.
- On the Edit page, update the following to use elliptic curve keys instead of RSA keys:
- For Available Key Algorithms, select ECDSA.
- For Available ECDSA curves, select P-256 / prime256v1 / secp256r1.
- Click Save to store the Root CA certificate profile.
The newly created MyPKIRootCAProfile is displayed in the list of certificate profiles.
Create Sub CA certificate profile
To create a certificate profile for creating the Sub CA in a later step, do the following:
- On the EJBCA Manage Certificate Profiles page, click Clone by the SUBCA default template to create a new profile using that template.
- Name the new certificate profile MyPKISubCAProfile, and click Create from template.
- To edit the profile values to fit your needs, find the newly created MyPKISubCAProfile displayed in the list and click Edit.
- On the Edit page, update the following to use elliptic curve keys instead of RSA keys:
- For Available Key Algorithms, select ECDSA.
- For Available ECDSA curves, select P-256 / prime256v1 / secp256r1.
- For Signature Algorithm, verify that Inherit from Issuing CA is selected.
- For Validity or end date of the certificate, specify 15y.
- Under X.509v3 extensions, update the following:
- Select Path Length Constraint and set it to 0 to ensure that this Sub CA cannot issue any further sub CAs beneath it and is only allowed to issue end entity certificates.
- Under X.509v3 extensions - Validation data, update the following:
- Enable CRL Distribution Points.
- Enable Use CA defined CRL Distribution Point so that the value is taken from the issuing CA, that is, the Default CRL Distribution Point you configure on your Root CA in a later step.
- Enable Authority Information Access.
- Enable Use CA defined OCSP locator.
- Enable Use CA defined CA issuer.
- Under Other Data, clear LDAP DN order.
- Click Save to store the Sub CA certificate profile.
The newly created MyPKISubCAProfile is displayed in the list of certificate profiles.
Step 2 - Create crypto tokens
In EJBCA, cryptographic keys are stored in a crypto token. A crypto token can either be stored in a database, known as a soft keystore, or on a Hardware Security Module (HSM). For more information on crypto tokens and available fields, see the Crypto Tokens Overview.
The following describes how to create a soft crypto token and the following keys:
- Sign key: Used for the digital signatures from the CA.
- Default key: Used for any encryption the CA needs to do, such as key recovery.
- Test key: Usually only used in health checks or HSM keep-alive services.
It is good practice to number the sign and encrypt (default) key labels when you create them so that you can easily increment them when renewing the certificate authority.
Create Root CA crypto token
To create a soft Root CA crypto token and keys, follow these steps:
- In the EJBCA menu, under CA Functions, click Crypto Tokens.
- Click Create new and specify the following on the New Crypto Token page:
- Name: Name the Root CA crypto token MyPKIRootCACryptoToken.
- Authentication Code: Enter a password to be used to activate the crypto token if the container is restarted. Remember this password.
- Click Save to create the Root CA crypto token.
- Next, generate three CA keys:
- In the Name field that says signKey, specify myPkiRootCaSignKey0001, select P-256 / prime256v1 / secp256r1 as defined in the certificate profile, and then click Generate new key pair to create the keys.
- Repeat to create the default encryption key: name the key myPkiRootCaEncryptKey0001, select RSA 4096 (the encryption key must be RSA, since an ECDSA key cannot be used for key encipherment), and then click Generate new key pair.
- Last, repeat to create a test key: name the key testKey, select P-256 / prime256v1 / secp256r1 as the CA signing key is using, and then click Generate new key pair.
You have now created the Root CA crypto token and keys.
Create Sub CA crypto token
To create a soft Sub CA crypto token and keys, follow these steps:
- In the EJBCA menu, under CA Functions, click Crypto Tokens.
- Click Create new and specify the following on the New Crypto Token page:
- Name: Name the Sub CA crypto token MyPKISubCACryptoToken.
- Auto-activation: Select Use to allow EJBCA to save the password and re-apply it after a restart so that the Sub CA is always available. (The Root CA token above is deliberately not auto-activated; it is activated manually when the Root CA is needed.)
- Authentication Code: Enter a password for auto-activation.
- Click Save to create the Sub CA crypto token.
- Next, generate the same three keys for the Sub CA:
- In the Name field that says signKey, specify myPkiSubCaSignKey0001, select P-256 / prime256v1 / secp256r1 as defined in the certificate profile, and then click Generate new key pair to create the keys.
- Repeat to create the default encryption key: name the key myPkiSubCaEncryptKey0001, select RSA 4096, and then click Generate new key pair.
- Last, repeat to create a test key: name the key testKey, select P-256 / prime256v1 / secp256r1 as the CA signing key is using, and then click Generate new key pair.
You have now created the Sub CA crypto token and keys.
Step 3 - Create CAs
Now that you have created the certificate profiles and CA keys, you can bring them together to create the CA hierarchy.
Once you have decided on your hierarchy of CAs, you need to decide how long each certificate should be valid. A rule of thumb is that a Sub CA should have half the validity period of its issuing CA. A typical setup, used in this example two-tier hierarchy, would be to set the Root CA to 30 years, the second level CAs to 15 years. This means that one planned Sub CA renewal will be needed during the lifetime of the root CA.
Create Root CA
To create the Root CA, follow these steps:
- Click Certification Authorities under CA Functions.
- In the Add CA field, enter the name “MyPKIRootCA-G1” and click Create.
- On the Create CA page, update the following:
- Select the Root CA crypto token MyPKIRootCACryptoToken (created earlier in Step 2 - Create crypto token) in the Crypto Token list.
- For Signing Algorithm, select SHA512withECDSA. (SHA256withECDSA is the conventional pairing for a P-256 key and is what the Sub CA uses below; EJBCA accepts either.)
- Map the keys to their intended usages: certSignKey and keyEncryptKey are pre-selected with the keys you created; for defaultKey, select myPkiRootCaEncryptKey0001.
- Under CA Certificate Data, specify the following:
- Subject DN: Enter "CN = My PKI Root CA - G1, O = Keyfactor Community, C = SE".
- Signed By: Self Signed.
- Certificate Profile: Select the MyPKIRootCAProfile created in Step 1 - Create certificate profiles.
- Validity: Specify 30y.
- LDAP DN order: Clear Use.
- Under CRL Specific Data, specify the following:
- CRL Expire Period: Update to a CRL lifetime of 3 months by entering 3mo.
- CRL Overlap Time: Set to 0m as automatic CRL issuing is not used.
- Under Default CA defined validation data, define the values that certificates issued by this CA will carry when their certificate profile has the corresponding Use CA defined option enabled, as MyPKISubCAProfile does:
- Default CRL Distribution Point: http://my.pki/crls/MyPKIRootCA-G1.crl
- OCSP service Default URI: http://my.pki/ocsp
- CA issuer Default URI: http://my.pki/certs/MyPKIRootCA-G1.crt
- Click Create to create the Root CA.
The created MyPKIRootCA-G1 is displayed in the list of CAs.
Create Sub CA
To create the Sub CA, follow these steps:
- Click Certification Authorities under CA Functions.
- In the Add CA field, enter the name “MyPKISubCA-G1” and click Create.
- On the Create CA page, update the following:
- Select the Sub CA crypto token MyPKISubCACryptoToken (created earlier in Step 2 - Create crypto token) in the Crypto Token list.
- For Signing Algorithm, select SHA256withECDSA.
- Map the keys to their intended usages: certSignKey and keyEncryptKey are pre-selected with the keys you created; for defaultKey, select myPkiSubCaEncryptKey0001.
- Under CA Certificate Data, specify the following:
- Subject DN: Enter "CN = My PKI Sub CA - G1, O = Keyfactor Community, C = SE".
- Signed By: Select MyPKIRootCA-G1 to have it signed by the local Root CA.
- Certificate Profile: Select the MyPKISubCAProfile created in Step 1 - Create certificate profiles.
- Validity: Specify 15y.
- LDAP DN order: Clear Use.
- Under CRL Specific Data, specify the following:
- CRL Expire Period: Update to a CRL lifetime of 3 days by entering 3d.
- CRL Issue Interval: Enter 1d to enable automatic CRL issuing and for a new CRL to be created one day after the previous CRL was created.
- CRL Overlap Time: Set to 0m. The overlap is how long before the current CRL expires a new one should be created; since the issue interval already produces a new CRL every day, two days before the 3-day expiry, no overlap is needed.
- Under Default CA defined validation data, define the values that end entity certificates issued by this CA will carry when their certificate profile has the corresponding Use CA defined option enabled:
- Default CRL Distribution Point: http://my.pki/crls/MyPKISubCA-G1.crl
- OCSP service Default URI: http://my.pki/ocsp
- CA issuer Default URI: http://my.pki/certs/MyPKISubCA-G1.crt
- Click Create to create the Sub CA.
The created MyPKISubCA-G1 is displayed in the list of CAs.
You have now created a two-tier public key infrastructure (PKI) hierarchy with a Root CA and subordinate CA.
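Before issuing anything from the new hierarchy, it is worth confirming what the profile settings from Step 1 (Path Length Constraint 0, CA-defined CRL Distribution Point and Authority Information Access) and the CA settings from Step 3 actually enforce. The following is an added example, not part of the EJBCA tutorial or of EJBCA itself: it rebuilds the same two-tier hierarchy locally with the openssl command line, using the tutorial's subject DNs, curve, validities and http://my.pki URIs, and then runs the checks you would run against the EJBCA-issued certificates. It assumes openssl 1.1.1 or 3.x is on PATH; every key and certificate it uses is generated locally as constructed test data, and the "rogue" sub-sub CA is constructed only to show that pathlen:0 blocks it.

```shell
#!/bin/sh
# Added example (not from the EJBCA tutorial): rebuild the Root CA / Sub CA
# hierarchy with openssl and check what pathlen:0, the CRL DP and the AIA enforce.
# Assumes openssl (1.1.1 or 3.x) on PATH. All material below is generated locally.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Extension sections mirroring the certificate profiles. v3_sub is the Sub CA
# profile: pathlen:0 plus the CRL DP and AIA taken from the Root CA's defaults.
# v3_rogue is a further CA that the Sub CA must NOT be able to create.
write_ext_config() {
  cat > "$WORK/ext.cnf" <<'EOF'
[ v3_root ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_sub ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
crlDistributionPoints = URI:http://my.pki/crls/MyPKIRootCA-G1.crl
authorityInfoAccess = OCSP;URI:http://my.pki/ocsp, caIssuers;URI:http://my.pki/certs/MyPKIRootCA-G1.crt

[ v3_rogue ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always

[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}

# issue NAME ISSUER EXT_SECTION DAYS SERIAL SUBJECT
# P-256 key + CSR, then a SHA256withECDSA certificate signed by ISSUER
# ("self" = self-signed root). Files land in $WORK/NAME.{key,csr,crt}.
issue() {
  name=$1; issuer=$2; ext=$3; days=$4; serial=$5; subject=$6
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$name.key"
  openssl req -new -key "$WORK/$name.key" -subj "$subject" -out "$WORK/$name.csr"
  if [ "$issuer" = self ]; then
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" -sha256 -days "$days" \
      -set_serial "$serial" -extfile "$WORK/ext.cnf" -extensions "$ext" -out "$WORK/$name.crt"
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.crt" -CAkey "$WORK/$issuer.key" \
      -sha256 -days "$days" -set_serial "$serial" -extfile "$WORK/ext.cnf" -extensions "$ext" \
      -out "$WORK/$name.crt"
  fi
}

build_hierarchy() {
  write_ext_config
  issue root self v3_root 10950 1 "/CN=My PKI Root CA - G1/O=Keyfactor Community/C=SE"  # 30y
  issue sub root v3_sub 5475 2 "/CN=My PKI Sub CA - G1/O=Keyfactor Community/C=SE"      # 15y
  # Allowed: an end entity certificate issued directly by the Sub CA.
  issue leaf_ok sub v3_leaf 365 3 "/CN=server.my.pki/O=Keyfactor Community/C=SE"
  # Forbidden by pathlen:0: a CA beneath the Sub CA, and a leaf issued by it.
  issue rogue sub v3_rogue 365 4 "/CN=Rogue Sub-Sub CA/O=Keyfactor Community/C=SE"
  issue leaf_bad rogue v3_leaf 365 5 "/CN=evil.my.pki/O=Keyfactor Community/C=SE"
  cat "$WORK/sub.crt" "$WORK/rogue.crt" > "$WORK/rogue_chain.pem"
}

# leaf_ok <- sub <- root must build and verify (exit status 0).
verify_direct_leaf() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/sub.crt" "$WORK/leaf_ok.crt" >/dev/null 2>&1
}

# leaf_bad <- rogue <- sub <- root must be rejected, and for the right reason.
rogue_chain_rejected() {
  out=$(openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/rogue_chain.pem" \
        "$WORK/leaf_bad.crt" 2>&1) && return 1   # accepted: pathlen:0 not enforced
  echo "$out" | grep -q "path length constraint exceeded"
}

# The Sub CA certificate must carry the values the profile pulled from the Root CA.
subca_extensions_present() {
  txt=$(openssl x509 -in "$WORK/sub.crt" -noout -text)
  echo "$txt" | grep -q "CA:TRUE, pathlen:0" &&
  echo "$txt" | grep -q "URI:http://my.pki/crls/MyPKIRootCA-G1.crl" &&
  echo "$txt" | grep -q "OCSP - URI:http://my.pki/ocsp" &&
  echo "$txt" | grep -q "CA Issuers - URI:http://my.pki/certs/MyPKIRootCA-G1.crt"
}

main() {
  build_hierarchy
  verify_direct_leaf || { echo "FAIL: leaf issued by the Sub CA does not verify"; exit 1; }
  echo "ok: end entity certificate issued directly by the Sub CA verifies to the root"
  rogue_chain_rejected || { echo "FAIL: pathlen:0 did not stop a CA beneath the Sub CA"; exit 1; }
  echo "ok: leaf under a CA created beneath the Sub CA is rejected (path length constraint exceeded)"
  subca_extensions_present || { echo "FAIL: Sub CA cert lacks pathlen:0, CRL DP or AIA"; exit 1; }
  echo "ok: Sub CA certificate carries pathlen:0, CRL DP and AIA pointing at the Root CA"
  echo "artifacts left in $WORK"
}
main
```

The same `openssl x509 -noout -text` and `openssl verify -CAfile root -untrusted subca leaf` invocations apply unchanged to the certificates EJBCA issues: download MyPKIRootCA-G1 and MyPKISubCA-G1 from the Certification Authorities page (or from the CA issuer URIs once they are published) and confirm that the Sub CA certificate shows `CA:TRUE, pathlen:0`, the Root CA's CRL URL and the OCSP and CA Issuers URIs, since those are the values relying parties will use for revocation checking and chain building.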
Next steps
In this tutorial, you learned how to create certificate profiles, crypto tokens and keys, and bring that information together to create the Root CA and Sub CA in a two-tier public key infrastructure (PKI) hierarchy.
Next, you can start issuing end entity certificates following the tutorial Issue TLS server certificates with EJBCA.