Some CA hierarchies have the requirement of being signed by an external Certificate Authority and sometimes other external CAs need to be signed by your CA.
When creating a CA that is signed by an external CA, you create a PKCS10 certificate request that is sent to the external CA. When the external CA returns your CAs certificate, this is processed, and the CA becomes activated.
The following describes how to create a CA signed by an external CA, either using the GUI or the CLI.
Creating a CA Signed by an External CA Using the GUI
To have your CA signed by an external CA, perform the following steps:
Select Admin GUI > Certificate Authorities.
Create a new CA in the same way as internal CAs, but when selecting signing CA, instead select External CA. The fields Certificate Profile, Validity, Subject Alternative Name and Policy Id will become unavailable.
Specify the Description and CRL Specific data.
Make sure that the certificate chain is available, in one of the following ways:
Select a (PEM encoded) file containing the CA certificate chain of the signing CA. If there is more than one top CA certificate, all their certificates should be appended into one single file in plain PEM format without blank lines before or after (see PEM File Example).
Append the chain to the signed certificate file in the same way as when receiving the request (see below).
Import the complete certificate chain beforehand as External CAs (under Certificate Authorities->Import CA Certificate).
Click Make Certificate Request to display the generated PKCS10 certificate request. You can copy and paste it to the signing CA or download the PEM file.
The external CA should sign the certificate request and return a certificate. Note that the newly created CA meanwhile will have the status Waiting for Certificate Response and only appear on the Edit CA page.
When the Certificate Response has arrived, activate the new CA by selecting the waiting CA and click Edit on the Edit CA page.
Click Receive Certificate Response (optionally specifying a password), upload the received certificate, and again click Receive Certificate Response.
If the received certificate forms a valid certificate chain with the previously uploaded chain or contained a full chain, the status of the CA is set to Active.
To optionally activate OCSP functionality for this new CA, edit it again and mark the OCSP functionality as active.
The new externally signed CA is ready to use.
When uploading a chain, the certificates must be converted to PEM format if not already. To convert at file in DER encoding (.cer) using the following OpenSLL command:
openssl x509 -inform DER -in filename.cer -outform PEM -out filename.pem
PEM File Example
The following displays an example of a plain PEM file for uploading as a certificate chain:
You can treat an internal CA (a CA residing on the same EJBCA instance as another CA) as an external CA. From the SubCA this works just like the normal case, but on the RootCA you will issue the SubCA as an end entity.
This can be useful if you have an HSM setup where only one set of keys can be active at one time, for example using nCipher with two different, non-persistence, operator cards sets for the RootCA and the SubCA. Using the SubCA as an external CA you can still create the PKI but with only one CA active at a time.
Creating a CA Signed by an External CA Using the CLI
To create a CA signed by an external CA using the CLI, follow the steps below:
Create the CA generating a CSR. Note that the Crypto token password is set to foo123:
bin/ejbca.sh ca init CaSignedByExteral
"CN=This CA is Signed by an external CA"
soft foo123 secp256r1 ECDSA
SHA256withECDSA --signedby External -externalcachain chain.pem
The file chain.pem contains the certificate chain of the external CA, as described above. Running the above command, a CSR named CaSignedByExteral_csr.der is saved to your disk, containing a PKCS#10 CSR in binary format. Send the CSR to the external CA and get the signed sub CA certificate returned back.
Import the sub CA certificate, activating your CA:
bin/ejbca.sh ca importcacert CaSignedByExteral subcacertificate.pem
The file subcacertificate.pem contains the received sub CA certificate.