Creating CAs

After installation, which creates a default admin CA, you can create more CAs.

CAs can be created using the Admin GUI or the command line interface (CLI). The recommended way is the Admin GUI, since it gives more control over all parameters.

Your CAs can be either

  • root CAs,

  • subordinate CAs to another CA in EJBCA,

  • subordinate CAs to an external CA.

The initial admin CA is a root CA.

Using CLI

You can create CAs using the CLI command:

ejbca.sh ca init

Issuing the command as shown, without arguments, prints usage instructions. An example is:

bin/ejbca.sh ca init TestRoot "C=SE,O=PrimeKey,CN=TestRoot" soft foo123 2048 RSA 365 --policy 2.5.29.32.0 SHA256WithRSA

This will create a root CA with the DN C=SE,O=PrimeKey,CN=TestRoot. The key length is 2048 bits (RSA) and the validity of the root certificate is 365 days. You need to quote the DN so that it is treated as one argument.

PKIX requires that a CRL is always available, even if it is empty. When a new CA is created, the CA certificate is stored and published (if any Publishers are configured), and the initial CRL is created and stored/published.

Using Admin GUI

To create a CA in the Admin GUI, select Certificate Authorities in the menu, enter a new CA name in the text field and click Create.

Using EJBCA's web service

In EJBCA Enterprise Edition, if EJBCA's web service is set up, it is also possible to create a new CA by using the WS API call createCA in your application or with the Web Services CLI.