Step 5: Create the SignCA as SubCA in Node A

In this step you create the first of the SubCAs, the SignCA. This CA, along with the other SubCAs, is installed in the EJBCA Hardware Appliance (Node A), where the Management CA is installed, and is signed by RootCA.

The following sections describe the actions you have to perform.

Create a Crypto Token for SignCA in Node A

Follow these steps to create a Crypto Token and generate public keys to be used by SignCA.

  1. Open EJBCA Enterprise.
  2. In the sidebar, in the CA Functions section, select Crypto Tokens.
  3. Click Create New... to open the New Crypto Token form:

  4. Specify the following values:

    • Name: Enter SignCA Crypto Token.
    • Type: Select PKCS#11 NG.
    • Auto-Activation: Activate this option.
    • : Leave empty.
    • PKCS#11 : Library: Leave the default Internal HSM.
    • PKCS#11 : Reference Type: Select Slot ID.
    • PKCS#11 : Reference: Enter 2.
      The index numbers will be different depending on the installation.
    • PKCS#11 : Attribute File: Leave the Default.
    • Authentication Code: Enter foo123
      Make sure that you have manually created the slot password for that slot. (See the HSM configuration in WebConf.)
    • Repeat Authentication Code: Enter foo123

  5. Click Save.
    In the settings page the following message will appear: Crypto Token created successfully.  

Create Keys for SignCA in Node A

  1. Continue to create the following keys. Underneath the table, enter defaultKeySignCA (value for Alias) and RSA 4096 (value for Key Algorithm and Key Specification) and set the -Key Usage- to: Sign / Verify.
  2. Click Generate new key pair to continue.

  3. Next click the Test button in the table.

  4. The following message will appear: defaultKeySignCA tested successfully.
  5. Underneath the table, enter signKeySignCA with RSA 4096 and set the -Key Usage- to: Sign / Verify.
  6. Click Generate new key pair.
  7. Click the Test button in the table. The following message will appear: signKeySignCA tested successfully.
  8. Repeat the steps. Now enter testKeySignCA with RSA 1024 and set the -Key Usage- to: Sign / Verify.

  9. Click Generate new key pair.

  10. Click the Test button in the table. The following message will appear: testKeySignCA tested successfully.

Create the SignCA in Node A

Proceed as follows to actually create the SignCA:

  1. Open EJBCA Enterprise.
  2. In the sidebar, in the CA Functions section, select Certification Authorities.
  3. Enter SignCA in the field Add CA and click Create:

  4. In the Create CA (CA Name: SignCA) form, specify the following:

    • CA Type: select X.509 CA
    • Crypto Token: select SignCA Crypto Token from the drop down menu.
    • Signing Algorithm: Select the option SHA256WithRSA
      : Select defaultKeySignCA from the drop down menu.
      certSignKey: Select signKeySignCA from the drop down menu. 
      crlSignKey: Use same as Certificate Signing Name (certSignKey).
      keyEncryptKey: -Default Key-
      Extended Services Key Specification: RSA 2048
      Key sequence format: numeric [0 - 9]
      Key sequence: 0000
      If you wish, enter a Description.

    • Section 'Directives'
      Activate the following entries.

    • Section 'CA Certificate Data'

      Subject DN: Enter the values CN=SignCA,O=EJBCA Course,C=SE
      Signed by: Select the option External CA
      When this option is selected, some fields will become read-only.
      Certificate Profile: SUBCA
      : enter ISO 8601 date (*y *mo *d *h *m *s) or end date of the certificate.
      Subject Alternative Name
      Certificate Policy OID: Leave policy OID blank to use default certificate profile values.
      Use UTF-8 in policy notice text
      PrintableString encoding in DN
      LDAP DN order
      Serial Number Octet Size: Set to 20

    • Section 'CRL Specific Data'

      If you activate the Microsoft CA Compatibility Mode, note that this decision cannot be reversed!

      Authority Key ID: activate Use
      CRL Number: activate Use
      The next four rows do not need entries.
      CRL Expire Period (*d *h *m): Enter the value 12h. This option defines how long a CRL is valid for.
      CRL Issue Interval (*d *h *m): Enter the value 0h. This option defines how often the CRLs are to be issued. In this case the CRLs will be issued once every day but will be valid for two days.
      CRL Overlap Time (*d *h *m): Enter the value 2h. The following rows in this section do not need entries.

    • Section 'Default CA defined validation data'
      This section does not require entries.

    • Section 'Approval Settings'
      This section does not require entries. The default settings can be applied.

    • Section 'Other data'
      : enter Externally signed CA creation/renewal
      CMS Service: no entry required
      Finish User:
      CMP RA Authentication Secret: no entry required
      Monitor if CA active (healthcheck): no entry required
      Request Processor: The default settings can be applied. None.

    • Section 'Externally signed CA creation/renewal'
      Click Browse... and upload the RootCA.pem file. 

    This step is NOT needed if you have imported RootCA as an External CA. Otherwise, RootCA.pem can be downloaded from the Public Web of the EJBCA Hardware Appliance on which the RootCA is installed.

  5. Click Make Certificate Request:

  6. Save the .csr file with Save File.
  7. Click Make Certificate Request. You will be redirected to another page. There, click Back to Certificate Authorities.

Create an End Entity for SignCA with installed RootCA in Node A

  1. In the EJBCA Enterprise, navigate to the RA Web in the side menu.
  2. Open RA Web.
  3. From the top menu click the drop-down menu for Enroll.
  4. Choose Make new Request.

  5. Make the following entries in the Make Request form. The selection and entry fields are automatically expanded.
    Select Request Template
    Certificate Type: choose SubCAEndEntityProfile from the drop-down menu.
    Key-pair generation: ensure Provided by user is activated.
  6. Upload CSR

  7. Provide Request Info. These are required Subject DN Attributes.
    CN, Common Name: enter SignCA
    O, Organisation: enter the name of your organization
    C, Country: enter your Country code according to ISO 3166
  8. Provide User Name
    Username: enter SignCA


  9. Click Download PEM to continue.
  10. Save the SignCA.pem file:

  11. In the EJBCA Hardware Appliance where SignCA is installed (Node A), click Certification Authorities, select SignCA (Waiting for Certificate), and press Edit CA.
  12. In the section Externally signed CA creation/renewal > Step 2, click Browse and search for the SignCA.pem.

  13. Click Receive Certificate Response:

  14. In the section CA Functions > Certification Authorities you will see that SignCA is now active.
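
Added example, not part of the EJBCA documentation: OpenSSL checks that can be run on the CSR saved from Node A before it is enrolled, and on SignCA.pem before it is uploaded as the certificate response (self-signature, Subject DN, RSA key size, SHA256WithRSA, chain to RootCA.pem, CA flag, and that the issued certificate carries the CSR's key). The file name SignCA.csr and the function names are assumptions, and the demo RootCA and SignCA files are constructed stand-ins generated locally.

```shell
#!/bin/sh
# Added example, not from the EJBCA documentation. SignCA.csr is an assumed file name.

# Order-insensitive DN comparison; assumes no commas inside attribute values.
norm_dn() { printf '%s\n' "$1" | tr ',' '\n' | sort | tr '\n' ','; }

# check_csr <csr> <expected DN> <min RSA bits>
# returns 0 ok, 1 bad self-signature, 2 wrong subject, 3 key too small, 4 not SHA256WithRSA
check_csr() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    subj=$(openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    [ "$(norm_dn "$subj")" = "$(norm_dn "$2")" ] || return 2
    txt=$(openssl req -in "$1" -noout -text)
    bits=$(printf '%s\n' "$txt" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge "$3" ] || return 3
    printf '%s\n' "$txt" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' || return 4
}

# check_subca_cert <cert> <root> <csr>
# returns 0 ok, 1 does not chain to root, 2 not a CA certificate, 3 key differs from CSR
check_subca_cert() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 || return 1
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE' || return 2
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl req -in "$3" -noout -pubkey)" ] || return 3
}

# Constructed stand-ins for RootCA.pem, the CSR from Node A and the issued SignCA.pem.
make_demo() {
    d=$(mktemp -d) || return 1
    printf '[req]\ndistinguished_name=dn\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/c.cnf"
    openssl req -x509 -config "$d/c.cnf" -extensions ca -newkey rsa:2048 -nodes -sha256 \
        -days 2 -subj "/CN=RootCA" -keyout "$d/root.key" -out "$d/RootCA.pem" 2>/dev/null || return 1
    openssl req -new -config "$d/c.cnf" -newkey rsa:4096 -nodes -sha256 \
        -subj "/C=SE/O=EJBCA Course/CN=SignCA" -keyout "$d/sign.key" -out "$d/SignCA.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/SignCA.csr" -CA "$d/RootCA.pem" -CAkey "$d/root.key" -CAcreateserial \
        -sha256 -days 1 -extfile "$d/c.cnf" -extensions ca -out "$d/SignCA.pem" 2>/dev/null || return 1
    echo "$d"
}

demo=$(make_demo) || exit 1
check_csr "$demo/SignCA.csr" "CN=SignCA,O=EJBCA Course,C=SE" 4096 && echo "CSR ok"
check_subca_cert "$demo/SignCA.pem" "$demo/RootCA.pem" "$demo/SignCA.csr" && echo "certificate ok"
```

With the real files, call the two check functions directly on the saved CSR, the downloaded SignCA.pem and RootCA.pem instead of the generated demo directory.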
