Creating CA's

After installation, which creates a default admin CA you can create more CAs.

Creating CAs can be made using the Admin GUI or the command line interface (CLI). The recommended way is using the Admin GUI, since it gives more control of all parameters.

Your CAs can be either

  • root CAs,

  • subordinate CAs to another CA in EJBCA

  • subordinate CAs to an external CA.

The initial admin CA is a RootCA.

Crypto Token

The Crypto Token where the CA's key mappings are expected to exist.

The list of available Crypto Tokens are those that the administrator is authorized to view and use. The Crypto Token must also be active and contain a key that can be used with the CA signing algorithm in order to be shown.

If no crypto token has been specified, a soft (PKCS#12) crypto token can be automatically generated, and will have the same name as the CA. This crypto token will be set to automatically activate, and will have the default password foo123. This crypto token will also have the NODEFAULTPWD set as false, which allows the crypto token to be manipulated without using a password. Changing the password (via the CLI) or turning off auto activation will also invalidate the using the default password.

Using CLI

You can create CAs using the cli command: ca init

Issuing the command will give usage instructions. An example is:

bin/ ca init TestRoot "C=SE,O=PrimeKey,CN=TestRoot" soft foo123 2048 RSA 365 --policy SHA256WithRSA

This will create a root CA with the DN C=SE,O=PrimeKey,CN=TestRoot. The keylength is 2048 bit (RSA) and the validity of the root certificate is 365 days. You need to quote the DN so it is treated as one argument.

PKIX requires that a CRL always is available even if it is empty. When creating a new CA the CA certificate is stored and published (if any Publishers are configured), and the initial CRL is created and stored/published.

Using Admin GUI

Creating CAs in the Admin GUI is done by selecting Certificate Authorities in the menu, entering a new CA name in the text field and clicking Create.

Using EJBCA's web service

In EJBCA Enterprise Edition, if EJBCA's web service is set up, it is also possible to create new CA by using the WS API call createCA in your application or with the Web Services CLI.