Tutorial - Create your first Root CA using EJBCA
Learn how to set up your first Root CA using EJBCA.
In this tutorial, you will learn how to:
- Create a certificate profile
- Create a crypto token
- Create a CA
Prerequisites
Before you begin, you need a running EJBCA container and access to the EJBCA CA UI. To learn how to get started with EJBCA Community as a Docker container, you can follow the tutorial Start out with the EJBCA container.
Step 1 - Create certificate profile
When you first access the EJBCA Administration page, you will see the Management CA that was created. This CA issues the internal certificates for administrators and for the TLS connections you may need, for example to connect to an external VA or RA.
The first step towards creating your first CA is to create a certificate profile. The certificate profile defines the constraints of new certificates, for example, what keys it can use, and what the extensions will be. For an introduction to certificate profiles, see the Certificate Profiles Overview.
To create a certificate profile that will provide a template for creating the CA in a later step, do the following:
- In EJBCA, under CA Functions, click Certificate Profiles.
The Manage Certificate Profiles page displays a list with a number of default profiles.
- Click Clone by the ROOTCA default template to create a new profile using that template.
- Name the new certificate profile MyRootCAProfile, and click Create from template.
- To edit the Root CA profile default values to fit your needs, find the newly created MyRootCAProfile profile displayed in the list and click Edit.
- On the Edit page, verify that the type is Root CA and update the following:
- For Available Key Algorithms, select RSA.
- For Available Bit Lengths, select 4096 bits.
- For Validity or end date of the certificate, specify 30y.
- Under X.509v3 extensions, clear the following:
- Authority Key ID
- Subject Alternative Name
- Issuer Alternative Name
- Under Other Data, disable LDAP DN order, as this is an older ordering of the Distinguished Name components that is not recommended for this profile.
- To store the certificate profile, click Save.
The newly created MyRootCAProfile is displayed in the list of certificate profiles.
Step 2 - Create crypto token
In EJBCA, cryptographic keys are stored in a crypto token. A crypto token can either be stored in a database, known as a soft keystore, or on a Hardware Security Module (HSM). For more information on crypto tokens and available fields, see the Crypto Tokens Overview.
The following describes how to create a soft crypto token and the following keys:
- Sign key: Used for the digital signatures from the CA.
- Default key: Used for any encryption the CA needs to do.
- Test key: Usually only used in health checks or HSM keep-alive services.
It is good practice to number the sign and encrypt (default) keys when you create them so that you can reference them during the lifespan of the certificate.
To create a soft Root CA crypto token and keys, follow these steps:
- In the EJBCA menu, under CA Functions, click Crypto Tokens.
- Click Create new and specify the following on the New Crypto Token page:
- Name: Name the Root CA crypto token MyFirstRootCACryptoToken.
- Authentication Code: Enter a password to be used to activate the crypto token if the container is restarted. Remember this password.
- Click Save to create the Root CA crypto token.
- Next, create three key pairs:
- In the Name field that says signKey, specify myFirstRootCaSignKey0001, and click Generate new key pair to create the keys.
- Repeat to create default key: name the key myFirstRootCaEncryptKey0001, and click Generate new key pair.
- Last, repeat to create a test key: name the key testkey, select the shorter bit length RSA 2048, and click Generate new key pair.
You have now created the Root CA crypto token and keys and can continue to create your first CA.
Step 3 - Create CA
To create a first Root CA, follow these steps:
- Click Certification Authorities under CA Functions.
- In the Add CA field, enter the name "MyFirstRootCA" and click Create.
- On the Create CA page, select the Root CA crypto token MyFirstRootCACryptoToken (created earlier in Step 2 - Create crypto token) in the Crypto Token list. The certSignKey and keyEncryptKey fields are automatically populated with the keys you created; for defaultKey, select your myFirstRootCaEncryptKey0001.
- Specify the following:
- Subject DN: Enter "CN = MyFirstRootCA, O = Keyfactor Community, C = SE".
- Validity: Specify 30y.
- LDAP DN order: Clear Use.
- CRL Expire Period: Update to a CRL lifetime of 3 months by entering 3 mo.
- Click Create to create the Root CA.
The created MyFirstRootCA is displayed in the list of CAs.
Next steps
In this tutorial, you learned how to create a certificate profile and crypto token and keys to set up your first Root CA using EJBCA.
Next, you can customize your added CA to configure the default CRL distribution point, OCSP service URI and CA issuer URI to be included in certificates issued by this CA.
To learn more about creating a Root CA and Subordinate CA in a single EJBCA instance, see the tutorial Create a PKI Hierarchy in EJBCA.