After installation, which creates a default admin CA, you can create more CAs.
CAs can be created using the Admin GUI or the command line interface (CLI). The recommended way is the Admin GUI, since it gives more control over all parameters.
Your CAs can be either:
subordinate CAs to another CA in EJBCA
subordinate CAs to an external CA.
The initial admin CA is a RootCA.
You can create CAs using the CLI command:
ejbca.sh ca init
Issuing the command will give usage instructions. An example is:
bin/ejbca.sh ca init TestRoot "C=SE,O=PrimeKey,CN=TestRoot" soft foo123 2048 RSA 365 --policy 2.5.29.32.0 SHA256WithRSA
This will create a root CA with the DN C=SE,O=PrimeKey,CN=TestRoot. The key length is 2048 bits (RSA) and the validity of the root certificate is 365 days. You need to quote the DN so that it is treated as one argument.
PKIX requires that a CRL is always available, even if it is empty. When a new CA is created, the CA certificate is stored and published (if any Publishers are configured), and the initial CRL is created and stored/published.
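The initial, empty CRL can be inspected by hand. The following is an added example, not part of the EJBCA documentation: it uses OpenSSL as a stand-in for EJBCA to build a root with the TestRoot parameters and its first CRL, then checks that the CRL is empty and signed by that root. The file names, the temporary directory layout and the one-day CRL lifetime are assumptions of the example.

```shell
#!/bin/sh
# Added example: OpenSSL stand-in for the artifacts "ca init" produces
# (root certificate plus first, empty CRL). File names are assumptions.

# make_root_and_crl DIR: create a self-signed root and its initial CRL in DIR.
make_root_and_crl() {
    dir=$1
    mkdir -p "$dir" || return 1
    : > "$dir/index.txt"          # empty CA database: nothing issued or revoked
    echo 01 > "$dir/crlnumber"    # number of the first CRL
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = testroot
[ testroot ]
database = $dir/index.txt
crlnumber = $dir/crlnumber
default_md = sha256
default_crl_days = 1
EOF
    # Same parameters as the TestRoot example: RSA 2048, 365 days, SHA-256.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/C=SE/O=PrimeKey/CN=TestRoot" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    openssl ca -config "$dir/ca.cnf" -gencrl -cert "$dir/ca.pem" \
        -keyfile "$dir/ca.key" -out "$dir/ca.crl" 2>/dev/null
}

# crl_revoked_count CRL: number of revoked entries (0 for the initial CRL).
crl_revoked_count() {
    openssl crl -in "$1" -noout -text |
        awk '/Serial Number:/ {n++} END {print n+0}'
}

# crl_signed_by CRL CACERT: succeed only if CACERT's key signed the CRL.
crl_signed_by() {
    openssl crl -in "$1" -CAfile "$2" -noout 2>&1 | grep -q 'verify OK'
}

# Demo run in a throwaway directory.
demo=$(mktemp -d) && make_root_and_crl "$demo" &&
    echo "revoked entries: $(crl_revoked_count "$demo/ca.crl")" &&
    openssl crl -in "$demo/ca.crl" -noout -nextupdate
rm -rf "$demo"
```

The nextUpdate value printed at the end is the time by which a fresh CRL has to be issued for relying parties to keep a valid one.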
Using Admin GUI
Creating CAs in the Admin GUI is done by selecting Certificate Authorities in the menu, entering a new CA name in the text field and clicking Create.