Login with an account that is registered as a PKI Admin in EZCA.
Navigate to Certificate Authorities.
Click on “Create CA”.
Select Subordinate/Intermediate CA.
Click Next.
Entering CA Information
Enter the Common Name: this is the name of the CA as it will appear in the certificate.
(Optional) Enter a CA Friendly Name: this is the name that will appear in the EZCA portal; by default, the Common Name is used.
(Optional) Enter the Organization: the Organization field is an optional certificate field that usually contains the company name.
(Optional) Enter the Organization Unit: the Organization Unit field is an optional certificate field that usually contains the unit that runs this CA (for example: IT or HR).
(Optional) Enter the Country Code: the Country Code field is an optional certificate field that identifies the country where this CA is located.
Click Next.
Cryptographic Requirements
Unless you have specific compliance or security requirements, leave the default cryptographic values for best security and compatibility.
Enter a Notification Email: this email address (as well as the PKI Administrators) will receive all notifications for the lifecycle of the CA.
Select the lifecycle action you want EZCA to take when the CA's expiry is approaching.
Select the percentage of the certificate lifetime at which you want EZCA to start taking lifecycle actions.
CA Certificate Revocation List
Select whether this CA should issue a CRL (highly recommended).
Click Next.
CA Certificate Revocation List Advanced Settings
Changes to this section are only recommended for PKI experts with specific requirements.
Click the expand button.
Enter the desired CRL Validity Period in days.
Enter the desired CRL Overlap Period in hours.
(Optional) Enter the CRL endpoint where you will publish your CRLs.
Custom CRL endpoints are supported by EZCA by adding that endpoint as the CRL distribution point in the issued certificates. However, your PKI admins are responsible for retrieving the CRL from EZCA and publishing it at that specific endpoint.
Click Next.
Issuance Policy
Enter the largest certificate lifetime that this CA can issue. EZCA automatically calculates the recommended maximum based on CA lifecycle best practices.
Issuance Policy (Advanced Settings)
This section gives you greater granularity over who can request certificates. It is not required for most organizations.
Click the expand button
Pre-Approved List of domains
Since this is not a publicly trusted CA, by default EZCA allows requesters to register any domain. If you want to limit which domains this CA can issue certificates for, select the “Allow Only Pre-Approved List of Domains” option.
Upload a .txt file with your Pre-Approved domains (one per line), or enter them in the portal.
Allow Wildcard Domains
By default EZCA does not allow users to request certificates for wildcard domains (a domain that starts with *., which lets you use the same certificate for all subdomains of it). If you want EZCA to issue wildcard certificates, select the “Allow wild-card certificates” option.
Issuance Rules
To enable more granular control over who can request domain ownership in EZCA, we created two extra knobs that PKI administrators can adjust to control domain ownership.
Require domain registration approval: this option enables PKI administrators to set a group of approvers that must approve each domain registration before a user or group of users is registered as domain owners.
To enable this option, select the “require approval” option.
Enter the users or AAD groups that can approve domain requests.
The second way PKI administrators can control the registration of domains is to only allow specific users to request domains. This option enables PKI administrators to set a list of users that can request domains for this CA.
To enable this option, deselect the “Allow all users” option.
Enter the users or AAD groups that can register domains.
Once you are done setting up your issuance policy, click Next.
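A small model of the pre-approved domain list and wildcard options above, added here as an illustration; it is not EZCA's own code. It assumes that a pre-approved domain also covers its subdomains and that blank or "#" lines in the .txt allowlist are ignored; use it to sanity-check an allowlist against the names you expect to request before uploading it.

```python
from typing import Iterable, List, Optional, Set, Tuple

# Constructed sample of the one-per-line .txt allowlist described above.
APPROVED_TXT = """# pre-approved domains (constructed sample)
corp.example
internal.example.net
"""


def load_approved_domains(text: str) -> Set[str]:
    """Parse the allowlist: one domain per line; blank lines and '#' comments are skipped (assumption)."""
    approved = set()
    for line in text.splitlines():
        entry = line.strip().lower().rstrip(".")
        if entry and not entry.startswith("#"):
            approved.add(entry)
    return approved


def is_name_allowed(name: str, approved: Optional[Set[str]], allow_wildcard: bool) -> bool:
    """Decide whether one requested DNS name passes the CA's issuance policy.

    approved=None models the default "any domain" behaviour; a set models the
    "Allow Only Pre-Approved List of Domains" option. Assumption: an approved
    domain also covers its subdomains.
    """
    candidate = name.strip().lower().rstrip(".")
    if candidate.startswith("*."):
        if not allow_wildcard:
            return False            # "Allow wild-card certificates" is off
        candidate = candidate[2:]   # the wildcard's base domain must itself be permitted
    labels = candidate.split(".")
    if "*" in candidate or any(not lbl for lbl in labels):
        return False                # only a single leading "*." label is a valid wildcard
    if approved is None:
        return True
    # Walk the suffixes: app.corp.example -> corp.example -> example
    return any(".".join(labels[i:]) in approved for i in range(len(labels)))


def check_request(names: Iterable[str], approved: Optional[Set[str]],
                  allow_wildcard: bool) -> Tuple[List[str], List[str]]:
    """Split the DNS names of one certificate request into allowed and rejected lists."""
    allowed, rejected = [], []
    for n in names:
        (allowed if is_name_allowed(n, approved, allow_wildcard) else rejected).append(n)
    return allowed, rejected


if __name__ == "__main__":
    approved = load_approved_domains(APPROVED_TXT)
    print(check_request(["app.corp.example", "*.corp.example", "corp-example.test"], approved, False))
```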
Select Location
Select the location where you want your CA to be created.
Add Geo-Redundancy
EZCA allows you to create multiple CAs across many regions to provide geo-redundancy.
Each location will be charged as an extra Certificate Authority.
Click the “Add Secondary Location” button.
Enter the Location information.
Add as many locations as needed.
Create CA
Click Create.
Chaining to EZCA Root CA
Once the CA is requested, a Certificate Signing Request (CSR) will be created for each location.
If your desired Root CA is an EZCA CA, select it from the dropdown and click Create CA.