Change Signing Algorithm on Root CA's Certificates

Over time, you may be required to migrate your CA from your original signing algorithm to a more complex one, such as migrating from SHA1 to SHA2. The following provides step-by-step instructions for changing the signing algorithm.

Note that the following does not cover switching the algorithm on certificates issued by your CA - to do so all you need to do is edit the relevant Certificate Profile. Instead, this covers a self-signed CAs own certificate.

Step 1 - Clone old Certificate Profile

In the EJBCA CA UI, select Certificate Profiles and click Clone on the Certificate profile currently used by the CA for its own certificates.

Step 2 - Switch CA to use new Certificate Profile

From the CLI console, perform the following operation to switch the CA to use the new Certificate Profile:

$ /opt/ejbca/bin/ ca changecertprofile --caname "My Root CA" --certprofile "My New Certificate Profile"

Replace the values within quotations with the proper names.

Step 3 - Configure new Certificate Profile

To configure the new Certificate Profile:

  1. In the EJBCA CA UI, select Certificate Profiles and click Edit on your new profile.

  2. Under Signature Algorithm, pick the new signing algorithm desired.

Step 4 - Renew CA Certificate

To renew the CA Certificate:

  1. In the EJBCA CA UI, select Certification Authorities and click Edit CA for your root CA.

  2. Under CA Life Cycle > Renew CA, verify that the existing key is being used and clear Create link certificate.

  3. Click Renew CA and confirm the renewal operation.