Change Signing Algorithm on Root CA's Certificates

Consider creating a new Root CA instead of re-keying an existing one. Having multiple Root CA certificates with different keys but using the same subject DN may lead to complicated and unexpected issues and behavior.

Over time, you may be required to migrate your CA from your original signing algorithm to a more complex one, such as migrating from SHA1 to SHA2. The following provides step-by-step instructions for changing the signing algorithm.

Note that the following does not describe how to change the algorithm on certificates issued by your CA (although that may be a side effect); to do that, edit the relevant Certificate Profile. Instead, this covers a self-signed CA's own certificate.

There are two settings that determine the signature algorithm on the CA's own certificate:

  1. The CA token signature algorithm.
  2. The signature algorithm of the CA certificate profile.

The signature algorithm of the CA certificate profile is commonly set to Inherit from Issuing CA, meaning that the CA token signature algorithm is used. If the new signature algorithm should also be used when issuing end entity certificates, always ensure that the CA token signature algorithm is changed.

CA Token signature algorithm

Note that changing the CA token signature algorithm will also change the signature algorithm used by any certificate profile that has Inherit from Issuing CA set as its signature algorithm (the default value in certificate profiles).

From the CLI console, perform the following operation to switch the CA to use a new signature algorithm:

BASH
$ /opt/ejbca/bin/ejbca.sh ca changecatokensignalg --caname "My Root CA" --sigalg "signature algorithm"

Replace the values within quotation marks with the proper names; for example, "signature algorithm" can be SHA384WithRSA.

CA Certificate profile signature algorithm

If you need to change the signature algorithm of the Root CA certificate profile (that is, it is not set to Inherit from Issuing CA), follow the steps below.

Step 1 - Clone old Certificate Profile

In the EJBCA CA UI, select Certificate Profiles and click Clone on the Certificate Profile currently used by the CA for its own certificates.

Step 2 - Switch CA to use new Certificate Profile

From the CLI console, perform the following operation to switch the CA to use the new Certificate Profile:

BASH
$ /opt/ejbca/bin/ejbca.sh ca changecertprofile --caname "My Root CA" --certprofile "My New Certificate Profile"

Replace the values within quotation marks with the proper names.

Step 3 - Configure new Certificate Profile

To configure the new Certificate Profile:

  1. In the EJBCA CA UI, select Certificate Profiles and click Edit on your new profile.
  2. Under Signature Algorithm, pick the new signing algorithm desired.

Step 4 - Renew CA Certificate

To renew the CA Certificate:

  1. In the EJBCA CA UI, select Certification Authorities and click Edit CA for your root CA.
  2. Under CA Life Cycle > Renew CA, verify that the existing key is being used and clear Create link certificate.
  3. Click Renew CA and confirm the renewal operation.

Link certificates

If the checkbox Create link certificate is checked when renewing a Root CA, a link certificate (NewWithOld) will automatically be created. This link certificate will use the old CA signature algorithm.
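After Step 4 it is worth confirming that the renewed CA certificate (and, if one was created, the NewWithOld link certificate, which should still show the old algorithm) really carries the signature algorithm you intended, such as SHA384WithRSA. The following is an added example and not code from the EJBCA documentation: a small standard-library DER walker that reads both signature-algorithm fields of a DER-encoded X.509 certificate; the OID-to-name table and the constructed sample certificate skeleton are assumptions made for this example.

```python
# Added example, not code from the EJBCA documentation: a stdlib-only DER walker that
# reads both signature-algorithm fields of a DER X.509 certificate, so that after
# "Renew CA" you can confirm the new CA certificate carries the intended algorithm.
SIG_ALG_OIDS = {  # EJBCA-style names for common RSA signature algorithm OIDs
    "1.2.840.113549.1.1.5": "SHA1WithRSA",
    "1.2.840.113549.1.1.11": "SHA256WithRSA",
    "1.2.840.113549.1.1.12": "SHA384WithRSA",
}

def _tlv(buf, pos):
    """Decode one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length
def _oid(raw):
    """Dotted-decimal form of OBJECT IDENTIFIER content bytes."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: last byte of this arc
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))
def _alg_id(buf, pos):
    """Name (or dotted OID) of the AlgorithmIdentifier SEQUENCE starting at pos."""
    _, start, _ = _tlv(buf, pos)
    tag, s, e = _tlv(buf, start)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = _oid(buf[s:e])
    return SIG_ALG_OIDS.get(oid, oid)

def signature_algorithms(cert_der):
    """Return (tbsCertificate.signature, outer signatureAlgorithm) as names."""
    _, start, _ = _tlv(cert_der, 0)            # Certificate SEQUENCE
    _, pos, tbs_end = _tlv(cert_der, start)    # tbsCertificate SEQUENCE
    tag, _, vend = _tlv(cert_der, pos)
    pos = vend if tag == 0xA0 else pos         # skip optional [0] EXPLICIT version
    _, _, pos = _tlv(cert_der, pos)            # skip serialNumber INTEGER
    return _alg_id(cert_der, pos), _alg_id(cert_der, tbs_end)

def uses_algorithm(cert_der, expected):
    """True only when both fields name `expected` (RFC 5280 requires them to match)."""
    inner, outer = signature_algorithms(cert_der)
    return inner == outer == expected

def constructed_sample_cert(sig_oid, tbs_oid=None):
    """Constructed DER skeleton (NOT a real certificate) for exercising the checks."""
    der = lambda tag, body: bytes([tag, len(body)]) + body  # short-form lengths only
    alg = lambda oid: der(0x30, der(0x06, oid))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x2a")
              + alg(tbs_oid or sig_oid) + der(0x30, b""))
    return der(0x30, tbs + alg(sig_oid) + der(0x03, b"\x00" + bytes(8)))
```

To check a real certificate, read the DER file (for example the CA certificate downloaded from the EJBCA CA UI) into bytes and call uses_algorithm(data, "SHA384WithRSA"); a result of False either means the algorithm is not what you expected or that the two signature-algorithm fields disagree.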
