After creating an intermediate or issuing subordinate CA, follow the steps below if the parent CA was created as described in Importing an external root authority.

To certify a CA with an external root CA:

1. Open the following URL in a Web browser. 

   https://<hostname>/v2/

   Where <hostname> is the IP address or domain name selected in General.

2. Log in to the Management Console as the user described in Creating partition administrators. 
3. If the user administers more than one partition, select the partition on which to manage certificate authorities and certificates. 
   

4. Click Certificate Authorities in the sidebar.

   

5. In the CA grid, select the name of the intermediate or issuing CA.

6. Click the three dots ("…") at the top-right of the page.

   
7. Select Download Certificate Request to download the Certificate Signing Request (CSR) generated for the subordinate CA.

8. Issue the subordinate CA certificate by signing the downloaded CSR with the private key of the external root CA. Make sure this certificate meets the RFC5280 requirements – for example:

   • The certificate includes the Basic Constraints extension with the ca boolean set to TRUE.
   • The certificate includes the Key Usage extension with the keyCertSign bit set.
   • The certificate includes other enabled bits, such as cRLSign for signing Certificate Revocation Lists (CRLs).
9. Select Import Issuing Certificate Authority to upload the subordinate CA certificate.