Create EZCA CA

Prerequisites

  1. EZCA Subscription

Overview

Having certificate based authentication requires you to have a Certificate Authority that will issue certificates for your smart cards. We recommend using a PKI as a service CA such as our EZCA tool to have a compliant, HSM backed CA without all the management overhead.

Getting Started

  1. Go to https://portal.ezca.io/
  2. Login with an account that is registered as a PKI Admin in EZCA.
  3. Navigate to Certificate Authorities. CA Menu
  4. Click on the “Create CA” Create CA
  5. Select Subordinate/Intermediate CA. Select CA Type
  6. Click Next

Entering CA Information

  1. Enter Common Name: This is the name of the CA how it will appear in the certificate.
  2. (Optional) Enter CA Friendly Name This is the name that will appear in the EZCA portal, by default we will use the Common Name
  3. (Optional) Enter the Organization The Organization field is an optional certificate field that usually has the company name.
  4. (Optional) Enter the Organization Unit The Organization Unit field is an optional certificate field that usually contains the unit that runs this CA (For example: IT or HR).
  5. (Optional) Enter the Country Code The Country Code field is an optional certificate field that identifies the country where this CA is located.
  6. Click Next. CA Details

Cryptographic Requirements

  1. Unless you have specific compliance or security requirements, leave the default cryptographic values for best security and compatibility. Crypto Details

Validity Period

  1. Select your Validity Period Learn more about Validity Period best practices
  2. Enter a Notification Email this email address (as well as the PKI Administrators) will get all the notifications for the lifecycle of the CA.
  3. Select the lifecycle action you want EZCA to take when expiry of the CA is approaching
  4. Select the percentage of lifetime of the certificate when you want EZCA to start taking Lifecycle actions. Lifecycle Details

CA Certificate Revocation List

  1. Select if you want this CA should issue a CRL (Highly recommended)
  2. Click Next. CRL Details

CA Certificate Revocation List Advance Settings

Changes to this section are only recommended for PKI experts with specific requirements.

  1. Click the expand button CRL Details
  2. Enter the desired CRL Validity Period in days
  3. Enter the desired CRL Overlap Period in hours
  4. (Optional) Enter the CRL endpoint where you will publish your CRLs

    Custom CRL endpoints are supported by EZCA by adding the CRL endpoint as the CRL endpoint in the certificate. However, your PKI admins are responsible from getting the CRL from EZCA and posting it in that specific endpoint.

  5. Click Next. CRL Details
  6. Change the issuing template to “Smart Card Template”. Smart Card Template
  7. Set the desired smart card certificate lifetime.
  8. In another tab, open your EZSmartCard instance and in the settings page copy the Subscription ID. EZSmartCard Subscription ID
  9. Paste the subscription ID into the “EZSmartCard Instance ID” field. EZSmartCard Subscription ID in EZCA
  10. Click Next.

Select Location

  1. Select the location where you want your CA to be created. Create CA

Add Geo-Redundancy

EZCA Allows you to create multiple CAs across many regions to create Geo-Redundancy.

Each location will be charged as an extra Certificate Authority.

  1. Click the “Add Secondary Location” Button. Create Secondary Location
  2. Enter the Location information. Create Secondary Location
  3. Add as many locations as needed.

Create CA

  1. Click Create. Create CA

Chaining to EZCA Root CA

  1. Once the CA is requested, a Certificate Signing Request (CSR) will be created for each location. CSR Created
  2. If your desired Root CA is an EZCA CA, Select it from the dropdown and click create CA. CSR Created
  3. Repeat these steps for each location.
  4. Your CA is ready to be used!

Chaining to Offline Root CA

  1. Once the CA is requested, a Certificate Signing Request (CSR) will be created for each location. CSR Created
  2. Click the “Save CSR” Button. CSR Created
  3. Once the CSR is download, follow your internal guidance to transfer that CSR to your offline Root CA.
  4. Open “Certificate Authority”. ADCS
  5. Right click the CA.
  6. Select All Tasks -> Submit new Request. ADCS
  7. Select the downloaded CSR. ADCS
  8. Click on pending requests. ADCS
  9. Right click on the newly created request.
  10. Select All Tasks -> Issue.
  11. Click on Issued Certificates. ADCS
  12. Double click on the newly created certificate. ADCS
  13. Click on Details. ADCS
  14. Click on the “Copy ti File…” Button. ADCS
  15. Click next
  16. Select the “Base-64 encoded X.509 (.CER) option. ADCS
  17. Click next.
  18. Select where you want to save the newly created certificate. ADCS
  19. Click next.
  20. Click Finish. ADCS
  21. This should create a .cer file in the location you selected. ADCS
  22. Follow you PKI team’s guidance on transferring the certificate file out of the offline CA into an internet connected computer.
  23. Once you have the certificate in an internet connected computer, go to https://portal.ezca.io/
  24. Login with an account that is registered as a PKI Admin in EZCA.
  25. Navigate to Certificate Authorities. CA Menu
  26. Click View details of the CA you want to import the certificate for. CA Menu
  27. Scroll down to the location you want to import, and click the “Upload CA Certificate” button. CA Import
  28. Select the newly created certificate file. CA Import
  29. Click on the “Save Certificate” button CA Import
  30. Repeat these steps for each location.
  31. Your CA is ready to be used!