After Creating an intermediate Certificate Authority or Creating an issuing Certificate Authority, follow the steps below if the parent CA is a root external CA.
To certify a CA with an external root CA
Open the following URL in a Web browser.
https://<machine>/management-consoleWhere
<machine>is the IP address or domain name of the machine hosting Cryptographic Security Platform.- Log in to the Management Console as one of the users created in Creating Certificate Authority tenants.
- In the content pane, click Manage Solution under Certificate Authority (CA).
- Select Operations in the sidebar.
- Under Organizations list, select the organization to which the intermediate or issuing CA belongs.
- In the CA grid, select the name of the intermediate or issuing CA.
- Click Download CSR in the Edit Certificate Authority dialog.
- Use the external CA to process the downloaded certificate signing request and issue the certificate. Make sure this certificate meets the RFC5280 requirements – for example:
- The certificate includes the Basic Constraints extension with the
caboolean set toTRUE. - The certificate includes the Key Usage extension with the
keyCertSignbit set. - The certificate includes other enabled bits, such as
cRLSignfor signing Certificate Revocation Lists (CRLs).
- The certificate includes the Basic Constraints extension with the
- Click Upload Certificate.
- Paste the Base64 encoding of the issued certificate.
- Click Submit.