A root Certificate Authority (CA) is the topmost entity in a hierarchy of digital certificates that establishes trust in a Public Key Infrastructure (PKI). The root CA issues and signs certificates for intermediate or issuing subordinate CAs, which in turn can issue certificates to end-users, servers, or devices.
To create a root CA:
Open the following URL in a Web browser.
https://<hostname>/v2/Where
<hostname>is the IP address or domain name selected in General.- Log in to the Management Console as the user described in Creating partition administrators.
- If the user administers more than one partition, select the partition on which to manage certificate authorities and certificates.
Click Certificate Authorities in the sidebar.
- Click Add and select Certificate Authority.
Select Root Authority.
- Click Add and complete the following values.
- Click Create.
- Check the details of the created CA — for example, the Serial Number of the certificate signing certificate.
CA Identifier
Write a unique identifier for the new CA in your PKI hierarchy. This identifier:
- Must contain 2-18 characters
- Can only include lowercase letters, numbers, hyphens (’-’), and underscores (’_')
After deleting a CA, wait 24 hours before creating a CA with the same identifier.
Friendly Name
Write a descriptive name for the CA in your partition.
Signing Key Details
Select a combination of cryptosystem and hash algorithm for the new CA to sign certificates.
The production release does not yet support some of the combinations listed below.
See the table below for the supported Classic keys.
Label | Key algorithm | Signature algorithm | VA key type | VA signature algorithm |
|---|---|---|---|---|
ECDSAP256+SHA256 | ECDSAP256 | ecdsa-with-SHA256 | RSA2048 | sha256WithRSAEncryption |
ECDSAP384+SHA384 | ECDSAP384 | ecdsa-with-SHA384 | RSA2048 | sha256WithRSAEncryption |
ECDSAP521+SHA512 | ECDSAP521 | ecdsa-with-SHA512 | RSA2048 | sha256WithRSAEncryption |
RSA-2048+PKCS15-SHA256 | RSA2048 | sha256WithRSAEncryption | RSA2048 | sha256WithRSAEncryption |
RSA-2048+PSS-SHA256 | RSA2048 | sha256WithRSAPSS | RSA2048 | sha256WithRSAPSS |
RSA-3072+PKCS15-SHA256 | RSA3072 | sha256WithRSAEncryption | RSA2048 | sha256WithRSAEncryption |
RSA-3072+PSS-SHA256 | RSA3072 | sha256WithRSAPSS | RSA2048 | sha256WithRSAPSS |
RSA-4096+PKCS15-SHA512 | RSA4096 | sha512WithRSAEncryption | RSA2048 | sha256WithRSAEncryption |
RSA-4096+PSS-SHA512 | RSA4096 | sha512WithRSAPSS | RSA2048 | sha256WithRSAPSS |
See the table below for the supported Post-Quantum (PQ) keys.
Label | Key algorithm | Signature algorithm | VA key type | VA signature algorithm |
|---|---|---|---|---|
Hash-SLH-DSA-SHA2-128f-With-SHA256 | Hash-SLH-DSA-SHA2-128f-With-SHA256 | Hash-SLH-DSA-SHA2-128f-With-SHA256 | RSA2048 | sha256WithRSAEncryption |
Hash-SLH-DSA-SHA2-128s-With-SHA256 | Hash-SLH-DSA-SHA2-128s-With-SHA256 | Hash-SLH-DSA-SHA2-128s-With-SHA256 | RSA2048 | sha256WithRSAEncryption |
Hash-SLH-DSA-SHA2-192f-With-SHA512 | Hash-SLH-DSA-SHA2-192f-With-SHA512 | Hash-SLH-DSA-SHA2-192f-With-SHA512 | RSA2048 | sha256WithRSAEncryption |
Hash-SLH-DSA-SHA2-192s-With-SHA512 | Hash-SLH-DSA-SHA2-192s-With-SHA512 | Hash-SLH-DSA-SHA2-192s-With-SHA512 | RSA2048 | sha256WithRSAEncryption |
Hash-SLH-DSA-SHA2-256f-With-SHA512 | Hash-SLH-DSA-SHA2-256f-With-SHA512 | Hash-SLH-DSA-SHA2-256f-With-SHA512 | RSA2048 | sha256WithRSAEncryption |
Hash-SLH-DSA-SHA2-256s-With-SHA512 | Hash-SLH-DSA-SHA2-256s-With-SHA512 | Hash-SLH-DSA-SHA2-256s-With-SHA512 | RSA2048 | sha256WithRSAEncryption |
Hash-SLH-DSA-SHAKE-128f-With-SHAKE128 | Hash-SLH-DSA-SHAKE-128f-With-SHAKE128 | Hash-SLH-DSA-SHAKE-128f-With-SHAKE128 | RSA2048 | sha256WithRSAEncryption |
Hash-SLH-DSA-SHAKE-128s-With-SHAKE128 | Hash-SLH-DSA-SHAKE-128s-With-SHAKE128 | Hash-SLH-DSA-SHAKE-128s-With-SHAKE128 | RSA2048 | sha256WithRSAEncryption |
Hash-SLH-DSA-SHAKE-192f-With-SHAKE256 | Hash-SLH-DSA-SHAKE-192f-With-SHAKE256 | Hash-SLH-DSA-SHAKE-192f-With-SHAKE256 | RSA2048 | sha256WithRSAEncryption |
Hash-SLH-DSA-SHAKE-192s-With-SHAKE256 | Hash-SLH-DSA-SHAKE-192s-With-SHAKE256 | Hash-SLH-DSA-SHAKE-192s-With-SHAKE256 | RSA2048 | sha256WithRSAEncryption |
Hash-SLH-DSA-SHAKE-256f-With-SHAKE256 | Hash-SLH-DSA-SHAKE-256f-With-SHAKE256 | Hash-SLH-DSA-SHAKE-256f-With-SHAKE256 | RSA2048 | sha256WithRSAEncryption |
Hash-SLH-DSA-SHAKE-256s-With-SHAKE256 | Hash-SLH-DSA-SHAKE-256s-With-SHAKE256 | Hash-SLH-DSA-SHAKE-256s-With-SHAKE256 | RSA2048 | sha256WithRSAEncryption |
ML-DSA-44 | ML-DSA-44 | ML-DSA-44 | RSA2048 | sha256WithRSAEncryption |
ML-DSA-65 | ML-DSA-65 | ML-DSA-65 | RSA2048 | sha256WithRSAEncryption |
ML-DSA-87 | ML-DSA-87 | ML-DSA-87 | RSA2048 | sha256WithRSAEncryption |
See the table below for the supported Composite keys.
Label | Key algorithm | Signature algorithm | VA key type | VA signature algorithm |
|---|---|---|---|---|
MLDSA44-ECDSA-P256-SHA256 | MLDSA44-ECDSA-P256-SHA256 | MLDSA44-ECDSA-P256-SHA256 | RSA2048 | sha256WithRSAEncryption |
MLDSA44-RSA2048-PKCS15-SHA256 | MLDSA44-RSA2048-PKCS15-SHA256 | MLDSA44-RSA2048-PKCS15-SHA256 | RSA2048 | sha256WithRSAEncryption |
MLDSA44-RSA2048-PSS-SHA256 | MLDSA44-RSA2048-PSS-SHA256 | MLDSA44-RSA2048-PSS-SHA256 | RSA2048 | sha256WithRSAPSS |
MLDSA65-ECDSA-P256-SHA512 | MLDSA65-ECDSA-P256-SHA512 | MLDSA65-ECDSA-P256-SHA512 | RSA2048 | sha256WithRSAEncryption |
MLDSA65-ECDSA-P384-SHA512 | MLDSA65-ECDSA-P384-SHA512 | MLDSA65-ECDSA-P384-SHA512 | RSA2048 | sha256WithRSAEncryption |
MLDSA65-RSA3072-PKCS15-SHA512 | MLDSA65-RSA3072-PKCS15-SHA512 | MLDSA65-RSA3072-PKCS15-SHA512 | RSA2048 | sha256WithRSAEncryption |
MLDSA65-RSA3072-PSS-SHA512 | MLDSA65-RSA3072-PSS-SHA512 | MLDSA65-RSA3072-PSS-SHA512 | RSA2048 | sha256WithRSAPSS |
MLDSA65-RSA4096-PKCS15-SHA512 | MLDSA65-RSA4096-PKCS15-SHA512 | MLDSA65-RSA4096-PKCS15-SHA512 | RSA2048 | sha256WithRSAEncryption |
MLDSA65-RSA4096-PSS-SHA512 | MLDSA65-RSA4096-PSS-SHA512 | MLDSA65-RSA4096-PSS-SHA512 | RSA2048 | sha256WithRSAPSS |
MLDSA87-ECDSA-P384-SHA512 | MLDSA87-ECDSA-P384-SHA512 | MLDSA87-ECDSA-P384-SHA512 | RSA2048 | sha256WithRSAEncryption |
MLDSA87-ECDSA-P521-SHA512 | MLDSA87-ECDSA-P521-SHA512 | MLDSA87-ECDSA-P521-SHA512 | RSA2048 | sha256WithRSAEncryption |
MLDSA87-RSA3072-PSS-SHA512 | MLDSA87-RSA3072-PSS-SHA512 | MLDSA87-RSA3072-PSS-SHA512 | RSA2048 | sha256WithRSAPSS |
MLDSA87-RSA4096-PSS-SHA512 | MLDSA87-RSA4096-PSS-SHA512 | MLDSA87-RSA4096-PSS-SHA512 | RSA2048 | sha256WithRSAPSS |
Select an expiry date for the certificate signing certificate of the new CA.
After the expiry date, the CA cannot operate if you have not renewed the CA certificate.
Enable CRL
This read-only box is always checked as PKIaaS authorities always provide a CRL publishing endpoint.
Enable OCSP
Check this box to enable an OCSP (Online Certificate Status Protocol) service for the new certificate authority.
Certificate Profiles
Select the authority certificate profiles the new root CA will support for issuing certificates to authorities.
- Click + to expand the profiles on the selected groups.
- Select the check boxes of the profiles you want to enable.
See https://docs.pkiaas.entrust.com/profiles/browse for the certificate profiles supported by the Entrust PKI.
Subject
Enter a value for each RFC5280 attribute in the certificate subject’s Distinguished Name (DN).
Field | Mandatory |
|---|---|
Common Name |
|
Organization |
|
Organizational Unit |
|
State/Province |
|
Locality Name |
|
Domain Component |
|
Country |
|
Alternatively, you can:
- Toggle the Advanced Subject switch
- Type a Distinguished Name (DN) including additional attributes.
The resulting Distinguished Name will uniquely identify the certificate signing certificate of your new CA — for example:
CN=MyRootCA, O=MyOrganization, L=MyCity, ST=MyState, C=US