
Create a Certificate Authority

A Certificate Authority (CA) is a trusted entity that issues digital certificates. To establish this trust, the CA itself must have a certificate. This certificate is typically self-signed, meaning the CA signs its own certificate with its own private key. The self-signed certificate serves as the root of trust for all certificates issued by the CA. Without it, the authenticity of the certificates the CA issues could not be validated, and the entire chain of trust would be broken. Creating a self-signed certificate for the CA is therefore a crucial first step in setting up a Public Key Infrastructure (PKI).

Prerequisites

  • TeskaLabs SeaCat PKI up and running in a default setup (SoftHSMv2 configured for an active tenant).
  • Access to a Web User Interface

Steps

  1. Navigate to the "Certificates" > "Create a certificate" screen

    Create a CA certificate

  2. Fill in the form

    • Select the "Create a Self-Signed Certificate" option on the "Source" tab
    • Select the "Generate a new private key" option in the "Private Key" dropdown
    • Type a label for the private key, e.g. "My CA Private Key"
    • Select "SoftHSM" in the "Private Key Provider" dropdown; the private key will be generated in the HSM
    • Select "MySoftHSMToken" in the "PKCS#11 Token" dropdown
    • Select "RSA" in the "Key Type" dropdown
    • Select "4096" in the "Key Size" dropdown
    • Select "Certificate Authority" in the "Apply template" dropdown
    • Fill in the label of the CA on the "General" tab, e.g. "My CA"
    • Prolong the validity of the CA certificate in "Valid to"; 10 years is a good default
    • Fill in a Common Name for the CA on the "Subject" tab, e.g. "My CA"; feel free to add more fields to the subject
    • Click the "Create" button to create the certificate

    You can also modify other certificate attributes according to your specific needs.

  3. Review the created CA certificate

    Review a CA certificate

    Congratulations! You have created a CA certificate.

    You can download the CA certificate using the "Download" icon in the top right corner of the card.

    Now you can create a certificate for a user or a device.
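
Once the CA certificate is downloaded, it is worth confirming that it has the properties selected in the form before distributing it as a trust anchor. The script below is an added example, not part of the TeskaLabs SeaCat PKI product or its documentation. It assumes the OpenSSL command-line tool is installed and that the downloaded file is PEM-encoded.

```shell
#!/bin/sh
# Added example (not TeskaLabs code): sanity-check a downloaded CA certificate.
# Assumptions: the OpenSSL CLI is installed and the file is PEM-encoded.

self_issued() {   # subject and issuer distinguished names are identical
    s=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    i=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    [ -n "$s" ] && [ "$s" = "$i" ]
}

self_signature_ok() {   # signature verifies under the certificate's own key
    # -check_ss_sig: OpenSSL skips the trust anchor's own signature by default.
    openssl verify -check_ss_sig -CAfile "$1" "$1" 2>/dev/null | grep -q ': OK$'
}

is_ca() {   # basicConstraints carries CA:TRUE
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

rsa_key_bits() {   # prints the RSA modulus size (e.g. 4096); empty if not RSA
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Public Key Algorithm: rsaEncryption' |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# check_ca_cert FILE [BITS]: returns 0 only if every check passes.
check_ca_cert() {
    cert=$1; want_bits=${2:-4096}; rc=0
    openssl x509 -in "$cert" -noout 2>/dev/null ||
        { echo "FAIL: not a PEM certificate: $cert"; return 1; }
    self_issued "$cert"       || { echo "FAIL: subject differs from issuer"; rc=1; }
    self_signature_ok "$cert" || { echo "FAIL: self-signature does not verify"; rc=1; }
    is_ca "$cert"             || { echo "FAIL: basicConstraints is not CA:TRUE"; rc=1; }
    [ "$(rsa_key_bits "$cert")" = "$want_bits" ] ||
        { echo "FAIL: key is not RSA $want_bits"; rc=1; }
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null ||
        { echo "FAIL: certificate has expired"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $cert is a self-signed RSA-$want_bits CA certificate"
    return "$rc"
}

# Run the checks when a file name is given on the command line.
if [ "$#" -gt 0 ]; then check_ca_cert "$@"; fi
```

Save it under a name of your choice and pass the downloaded file as the first argument; an optional second argument overrides the expected key size of 4096.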