An intermediate subordinate Certificate Authority (CA):
- Operates under the authority of either a root CA or other intermediate subordinate CA.
- Issues digital certificates for issuing subordinate CAs or for other intermediate subordinate CAs.
See below for how to create an intermediate subordinate CA.
To create an intermediate subordinate CA:
Open the following URL in a Web browser.
https://<hostname>/v2/Where
<hostname>is the IP address or domain name selected in General.- Log in to the Certificate Authority user interface as a user with the Owners or CA Administrators roles on a partition.
- Select the partition on which to manage certificate authorities and certificates.
Click Certificate Authorities in the sidebar.
- Click Add and select Certificate Authority.
Select Root Authority.
- Click Add and complete the following values.
- Click Create.
- Check the details of the created CA — for example, the Serial Number of the certificate signing certificate.
CA Identifier
Type a unique identifier for the new Certificate Authority within its organization. This identifier:
- Must be 3-18 characters long.
- Can only include lowercase letters, numbers, underscores ("_"), and hyphens ("-").
Do not reuse the identifier of a Certificate Authority for up to 24 hours after it has been deleted.
Mandatory: Yes.
Friendly Name
Type a friendly name for the new certificate authority in the user interface.
Mandatory: Yes.
Parent CA Identifier
Select the parent Certificate Authority.
The selector list includes only root or intermediate authorities with the basic or intermediate authority profiles.
Mandatory: Yes.
Signing Key Details
Select a combination of cryptosystem and hash algorithm for the new CA to sign certificates.
See the table below for the supported Classic keys.
Label | Key algorithm | Signature algorithm | VA key type | VA signature algorithm |
|---|---|---|---|---|
ECDSAP256+SHA256 | ECDSAP256 | ecdsa-with-SHA256 | RSA2048 | sha256WithRSAEncryption |
ECDSAP384+SHA384 | ECDSAP384 | ecdsa-with-SHA384 | RSA2048 | sha256WithRSAEncryption |
ECDSAP521+SHA512 | ECDSAP521 | ecdsa-with-SHA512 | RSA2048 | sha256WithRSAEncryption |
RSA-2048+PKCS15-SHA256 | RSA2048 | sha256WithRSAEncryption | RSA2048 | sha256WithRSAEncryption |
RSA-2048+PSS-SHA256 | RSA2048 | sha256WithRSAPSS | RSA2048 | sha256WithRSAPSS |
RSA-3072+PKCS15-SHA256 | RSA3072 | sha256WithRSAEncryption | RSA2048 | sha256WithRSAEncryption |
RSA-3072+PSS-SHA256 | RSA3072 | sha256WithRSAPSS | RSA2048 | sha256WithRSAPSS |
RSA-4096+PKCS15-SHA512 | RSA4096 | sha512WithRSAEncryption | RSA2048 | sha256WithRSAEncryption |
RSA-4096+PSS-SHA512 | RSA4096 | sha512WithRSAPSS | RSA2048 | sha256WithRSAPSS |
See the table below for the supported Post-Quantum (PQ) keys.
The supported PQ keys may vary depending on the selected HSM and its configuration.
Label | Key algorithm | Signature algorithm | VA key type | VA signature algorithm |
|---|---|---|---|---|
Hash-SLH-DSA-SHA2-128f-With-SHA256 | Hash-SLH-DSA-SHA2-128f-With-SHA256 | Hash-SLH-DSA-SHA2-128f-With-SHA256 | RSA2048 | sha256WithRSAEncryption |
Hash-SLH-DSA-SHA2-128s-With-SHA256 | Hash-SLH-DSA-SHA2-128s-With-SHA256 | Hash-SLH-DSA-SHA2-128s-With-SHA256 | RSA2048 | sha256WithRSAEncryption |
Hash-SLH-DSA-SHA2-192f-With-SHA512 | Hash-SLH-DSA-SHA2-192f-With-SHA512 | Hash-SLH-DSA-SHA2-192f-With-SHA512 | RSA2048 | sha256WithRSAEncryption |
Hash-SLH-DSA-SHA2-192s-With-SHA512 | Hash-SLH-DSA-SHA2-192s-With-SHA512 | Hash-SLH-DSA-SHA2-192s-With-SHA512 | RSA2048 | sha256WithRSAEncryption |
Hash-SLH-DSA-SHA2-256f-With-SHA512 | Hash-SLH-DSA-SHA2-256f-With-SHA512 | Hash-SLH-DSA-SHA2-256f-With-SHA512 | RSA2048 | sha256WithRSAEncryption |
Hash-SLH-DSA-SHA2-256s-With-SHA512 | Hash-SLH-DSA-SHA2-256s-With-SHA512 | Hash-SLH-DSA-SHA2-256s-With-SHA512 | RSA2048 | sha256WithRSAEncryption |
Hash-SLH-DSA-SHAKE-128f-With-SHAKE128 | Hash-SLH-DSA-SHAKE-128f-With-SHAKE128 | Hash-SLH-DSA-SHAKE-128f-With-SHAKE128 | RSA2048 | sha256WithRSAEncryption |
Hash-SLH-DSA-SHAKE-128s-With-SHAKE128 | Hash-SLH-DSA-SHAKE-128s-With-SHAKE128 | Hash-SLH-DSA-SHAKE-128s-With-SHAKE128 | RSA2048 | sha256WithRSAEncryption |
Hash-SLH-DSA-SHAKE-192f-With-SHAKE256 | Hash-SLH-DSA-SHAKE-192f-With-SHAKE256 | Hash-SLH-DSA-SHAKE-192f-With-SHAKE256 | RSA2048 | sha256WithRSAEncryption |
Hash-SLH-DSA-SHAKE-192s-With-SHAKE256 | Hash-SLH-DSA-SHAKE-192s-With-SHAKE256 | Hash-SLH-DSA-SHAKE-192s-With-SHAKE256 | RSA2048 | sha256WithRSAEncryption |
Hash-SLH-DSA-SHAKE-256f-With-SHAKE256 | Hash-SLH-DSA-SHAKE-256f-With-SHAKE256 | Hash-SLH-DSA-SHAKE-256f-With-SHAKE256 | RSA2048 | sha256WithRSAEncryption |
Hash-SLH-DSA-SHAKE-256s-With-SHAKE256 | Hash-SLH-DSA-SHAKE-256s-With-SHAKE256 | Hash-SLH-DSA-SHAKE-256s-With-SHAKE256 | RSA2048 | sha256WithRSAEncryption |
ML-DSA-44 | ML-DSA-44 | ML-DSA-44 | RSA2048 | sha256WithRSAEncryption |
ML-DSA-65 | ML-DSA-65 | ML-DSA-65 | RSA2048 | sha256WithRSAEncryption |
ML-DSA-87 | ML-DSA-87 | ML-DSA-87 | RSA2048 | sha256WithRSAEncryption |
See the table below for the supported Composite keys.
The supported composite keys may vary depending on the selected HSM and its configuration.
Label | Key algorithm | Signature algorithm | VA key type | VA signature algorithm |
|---|---|---|---|---|
MLDSA44-ECDSA-P256-SHA256 | MLDSA44-ECDSA-P256-SHA256 | MLDSA44-ECDSA-P256-SHA256 | RSA2048 | sha256WithRSAEncryption |
MLDSA44-RSA2048-PKCS15-SHA256 | MLDSA44-RSA2048-PKCS15-SHA256 | MLDSA44-RSA2048-PKCS15-SHA256 | RSA2048 | sha256WithRSAEncryption |
MLDSA44-RSA2048-PSS-SHA256 | MLDSA44-RSA2048-PSS-SHA256 | MLDSA44-RSA2048-PSS-SHA256 | RSA2048 | sha256WithRSAPSS |
MLDSA65-ECDSA-P256-SHA512 | MLDSA65-ECDSA-P256-SHA512 | MLDSA65-ECDSA-P256-SHA512 | RSA2048 | sha256WithRSAEncryption |
MLDSA65-ECDSA-P384-SHA512 | MLDSA65-ECDSA-P384-SHA512 | MLDSA65-ECDSA-P384-SHA512 | RSA2048 | sha256WithRSAEncryption |
MLDSA65-RSA3072-PKCS15-SHA512 | MLDSA65-RSA3072-PKCS15-SHA512 | MLDSA65-RSA3072-PKCS15-SHA512 | RSA2048 | sha256WithRSAEncryption |
MLDSA65-RSA3072-PSS-SHA512 | MLDSA65-RSA3072-PSS-SHA512 | MLDSA65-RSA3072-PSS-SHA512 | RSA2048 | sha256WithRSAPSS |
MLDSA65-RSA4096-PKCS15-SHA512 | MLDSA65-RSA4096-PKCS15-SHA512 | MLDSA65-RSA4096-PKCS15-SHA512 | RSA2048 | sha256WithRSAEncryption |
MLDSA65-RSA4096-PSS-SHA512 | MLDSA65-RSA4096-PSS-SHA512 | MLDSA65-RSA4096-PSS-SHA512 | RSA2048 | sha256WithRSAPSS |
MLDSA87-ECDSA-P384-SHA512 | MLDSA87-ECDSA-P384-SHA512 | MLDSA87-ECDSA-P384-SHA512 | RSA2048 | sha256WithRSAEncryption |
MLDSA87-ECDSA-P521-SHA512 | MLDSA87-ECDSA-P521-SHA512 | MLDSA87-ECDSA-P521-SHA512 | RSA2048 | sha256WithRSAEncryption |
MLDSA87-RSA3072-PSS-SHA512 | MLDSA87-RSA3072-PSS-SHA512 | MLDSA87-RSA3072-PSS-SHA512 | RSA2048 | sha256WithRSAPSS |
MLDSA87-RSA4096-PSS-SHA512 | MLDSA87-RSA4096-PSS-SHA512 | MLDSA87-RSA4096-PSS-SHA512 | RSA2048 | sha256WithRSAPSS |
Expiration Date
Select an expiry date for the certificate signing certificate of the new CA.
After the expiry date, the CA cannot operate if the CA certificate has not been renewed.
Mandatory: No. This value defaults to the following dates.
CA Type | Default expiration date |
|---|---|
Root Certificate Authority | 20 years after the certificate is issued |
Issuing Certificate Authority | 10 years after the certificate is issued |
Enable CRL
This read-only box is always checked as PKIaaS authorities always provide a CRL publishing endpoint.
Enable OCSP
Check this box to enable an OCSP (Online Certificate Status Protocol) service for the new certificate authority.
Certificate Profiles
Select the authority certificate profiles the new root CA will support for issuing certificates to authorities.
- Click > to expand the profiles of the selected groups.
- Select the check boxes of the profiles you want to enable.
See a complete reference of these profiles in the Entrust PKIaaS online guide.
Profiles | URL |
|---|---|
Profiles for issuing authority certificates | |
Profiles for issuing subscriber certificates |
Mandatory: Select at least one profile.
Subject
Enter a value for each RFC5280 attribute in the certificate subject’s Distinguished Name (DN).
Field | Mandatory |
|---|---|
Common Name |
|
Organization |
|
Organizational Unit |
|
State/Province |
|
Locality Name |
|
Domain Component |
|
Country |
|
Alternatively, you can:
- Toggle the Advanced Subject switch
- Type a Distinguished Name (DN) including additional attributes.
The resulting Distinguished Name will uniquely identify the certificate signing certificate of your new CA — for example:
CN=MyRootCA, O=MyOrganization, L=MyCity, ST=MyState, C=US
Mandatory: Yes.