After installation, which creates a default admin CA, you can create more CAs.
CAs can be created using either the Admin GUI or the command line interface (CLI). The recommended way is the Admin GUI, since it gives more control over all parameters.
Your CAs can be either subordinate CAs to another CA in EJBCA, or subordinate CAs to an external CA.
The initial admin CA is a RootCA.
The Crypto Token where the CA's key mappings are expected to exist.
The list of available Crypto Tokens contains those that the administrator is authorized to view and use. To be shown, the Crypto Token must also be active and contain a key that can be used with the CA signing algorithm.
If no crypto token has been specified, a soft (PKCS#12) crypto token can be generated automatically; it will have the same name as the CA. This crypto token will be set to auto-activate and will have the default password foo123. It will also have NODEFAULTPWD set to false, which allows the crypto token to be manipulated without supplying a password. Changing the password (via the CLI) or turning off auto-activation will invalidate the use of the default password.
You can create CAs using the CLI command:
ejbca.sh ca init
Issuing the command prints usage instructions. An example is:
bin/ejbca.sh ca init TestRoot "C=SE,O=PrimeKey,CN=TestRoot" soft foo123 2048 RSA 365 --policy 18.104.22.168.0 SHA256WithRSA
This creates a root CA with the DN C=SE,O=PrimeKey,CN=TestRoot. The key length is 2048 bits (RSA) and the validity of the root certificate is 365 days. You need to quote the DN so that the shell passes it as a single argument.
PKIX requires that a CRL is always available, even if it is empty. When a new CA is created, the CA certificate is stored and published (if any Publishers are configured), and the initial CRL is created and stored/published.
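The following script is an added example and is not EJBCA code: it uses openssl to build a throwaway root CA (a constructed DN, RSA 2048, 365 days, mirroring the ca init example above), generates the CA's initial, empty CRL, and then performs the two checks a defender would run against any freshly created CA: the CRL signature verifies against the CA certificate, and the CRL lists zero revoked entries. The directory, file names and the DemoRoot DN are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not EJBCA's own code): create a throwaway root CA with openssl,
# produce its initial empty CRL, and check the CRL the way you would check a new CA.
set -eu

WORK="$(mktemp -d)"                 # throwaway directory; every file here is constructed
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config: an empty index.txt is the "database" of issued certificates,
# so the CA has nothing to revoke yet and the first CRL it signs is empty.
write_ca_config() {
  : > "$WORK/index.txt"
  echo 01 > "$WORK/crlnumber"
  cat > "$WORK/ca.cnf" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = $WORK/index.txt
crlnumber        = $WORK/crlnumber
private_key      = $WORK/ca.key
certificate      = $WORK/ca.crt
default_md       = sha256
default_crl_days = 30
EOF
}

# Self-signed root CA key and certificate (hypothetical DN, RSA 2048, 365 days).
make_demo_ca() {
  openssl req -config "$WORK/ca.cnf" -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/C=SE/O=Example/CN=DemoRoot" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# The CA's initial CRL: signed by the CA key, valid 30 days, no revoked certificates.
make_initial_crl() {
  openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/ca.crl" 2>/dev/null
}

# Check 1: the CRL signature verifies against the CA certificate (returns 0 on success).
crl_verifies() {
  openssl crl -in "$WORK/ca.crl" -noout -CAfile "$WORK/ca.crt" 2>&1 | grep -q 'verify OK'
}

# Check 2: count the revoked serials listed in the CRL; a fresh CA must report 0.
crl_revoked_count() {
  openssl crl -in "$WORK/ca.crl" -noout -text | grep -c 'Serial Number:' || true
}

write_ca_config
make_demo_ca
make_initial_crl
crl_verifies && echo "initial CRL verifies against the CA certificate"
echo "revoked entries in initial CRL: $(crl_revoked_count)"
```

Run the script with openssl on the PATH; the same two checks (signature verification against the CA certificate and an empty revocation list) apply to the CRL that EJBCA publishes when a CA is created, whatever tool produced it.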
Using the Admin GUI
To create a CA in the Admin GUI, select Certificate Authorities in the menu, enter a new CA name in the text field and click Create.