Signing an External CA

In some cases, you might want one of your CAs to sign another, external CA. Assuming both your CA and the external CA are running EJBCA, the setup is performed as described in the following steps.

Step 1: Create Profiles on Your CA Machine

It is recommended to create a dedicated certificate profile and an end entity profile for the external CA on your CA machine, instead of using the built-in profiles. The advantage is more flexibility and better management features.

To create a certificate profile and an end entity profile on your CA machine, do the following:

  1. Go to the CA Web, and select the CA Functions > Certificate Profiles menu option.

  2. Add a new certificate profile and use Sub CA as the template by selecting Sub CA as the Type option.

  3. In the Available CAs list, select the CA that is going to sign the CSR.

    (Screenshot: Available CAs)

  4. Make additional adjustments as required and save the certificate profile.

  5. Select the End Entity Profiles menu option.

  6. Create a new end entity profile. Select the certificate profile you just created, the CA that is going to sign the CSR, and User Generated as the token type:

    (Screenshot: End Entity Profile)

  7. Make additional adjustments as required and save the end entity profile.

Step 2: Add End Entity

To add an end entity on your CA machine, do the following:

  1. In the RA Web, select the Enroll > Make new request menu option.

  2. Add a new end entity using the end entity profile you created in the previous Step 1: Create Profiles on Your CA Machine.

Step 3: Create CSR

To create a CSR on the external CA machine, do the following:

  1. On the external CA machine, go to the CA Web, select the menu option CA Functions > Certificate Authorities, enter Sub CA in the Add CA field, and then click Create.

  2. To make this CA an externally signed CA, select the Signed By option External CA.

    (Screenshot: Signed By)

  3. To save the CA and create a CSR, click Make Certificate Request.

    (Screenshot: Make Certificate Request)

  4. Save the CSR to, for example, a USB stick and transfer it to your CA machine.

Step 4: Sign CSR and Issue CA Certificate

To sign the CSR and issue the CA certificate using the appropriate CA on your CA machine, do the following:

  1. Go to the RA Web on your CA machine, and select the Enroll > Use Username menu option.


  2. Enroll using the username and enrollment code you specified when adding the end entity. Then save the certificate to, for example, a USB stick and transfer it to the external CA machine.

Step 5: Import CA Certificate

To import the CA certificate on the external CA machine, do the following:

  1. On the external CA machine, go to the CA Web, select the menu option CA Functions > Certificate Authorities, and edit the CA you signed in the previous Step 4: Sign CSR and Issue CA Certificate.

  2. Upload the CA certificate and click Receive Certificate Response to import the externally signed CA certificate and activate the CA.

    (Screenshot: Activate CA)
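The CSR, signing and import round trip of Steps 3 to 5, as an added example that is not part of the EJBCA documentation: openssl stands in for both CA machines, and check_subca_response is a pre-import check you can run on the received CA certificate before uploading it with Receive Certificate Response. The demo root CA, the file names and the working directory are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the EJBCA docs): reproduce the Step 3 -> Step 4 -> Step 5
# round trip with openssl and check the signed CA certificate before importing it.
set -eu
WORK="$(mktemp -d)"

# Stand-in for "your CA" (the signing CA): a self-signed root created only for this demo.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$WORK/ca.ext"
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 365 \
  -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null

# Stand-in for Step 3 on the external CA machine: the key stays there, only the CSR travels.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Sub CA" \
  -keyout "$WORK/subca.key" -out "$WORK/subca.csr" 2>/dev/null

# Stand-in for Step 4: sign the CSR with the constraints a CA certificate must carry
# (CA:TRUE and keyCertSign); the AKI line links the result to the signing CA's key.
printf 'authorityKeyIdentifier=keyid\n' >> "$WORK/ca.ext"
openssl x509 -req -in "$WORK/subca.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 365 -extfile "$WORK/ca.ext" -out "$WORK/subca.pem" 2>/dev/null

# Pre-check before Step 5: succeed (exit 0) only if the response chains to the signing CA,
# carries exactly the public key from the CSR we sent, and is marked as a CA certificate.
check_subca_response() {
  cert="$1"; csr="$2"; signer="$3"
  openssl verify -CAfile "$signer" "$cert" >/dev/null 2>&1 || return 1
  csr_key="$(openssl req -in "$csr" -noout -pubkey | openssl dgst -sha256)"
  crt_key="$(openssl x509 -in "$cert" -noout -pubkey | openssl dgst -sha256)"
  [ "$csr_key" = "$crt_key" ] || return 1
  openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE' || return 1
}

check_subca_response "$WORK/subca.pem" "$WORK/subca.csr" "$WORK/root.pem" && echo "response OK"
```

On the real external CA machine, run the check against the certificate you received, your own CSR file from Step 3, and the signing CA's certificate.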