How to Create a Root CA in Azure


  1. Registering the application in your tenant
  2. Selecting a Plan

How To Create a Root CA in Azure - Video Version

Overview - How To Create a Root CA in Azure

As mentioned in the CA Overview a Root CA is needed to be the root of trust for your PKI Deployment. In this page we will guide you on how you can create your own Root CA either using EZCA or creating your own offline CA.

Getting Started on Creating Your Root CA

  1. Go to
  2. Login with an account that is registered as a PKI Admin in EZCA.
  3. Navigate to Certificate Authorities. View Azure CAs Menu
  4. Click on the “Create CA” Create CA in the cloud
  5. Select Root CA. Select Root CA Type
  6. Click Next

Entering CA Information

  1. Enter Common Name: This is the name of the CA how it will appear in the certificate.
  2. (Optional) Enter CA Friendly Name This is the name that will appear in the EZCA portal, by default we will use the Common Name
  3. (Optional) Enter the Organization The Organization field is an optional certificate field that usually has the company name.
  4. (Optional) Enter the Organization Unit The Organization Unit field is an optional certificate field that usually contains the unit that runs this CA (For example: IT or HR).
  5. (Optional) Enter the Country Code The Country Code field is an optional certificate field that identifies the country where this CA is located.
  6. Click Next. CA Details

Cryptographic Requirements

  1. Unless you have specific compliance or security requirements, leave the default cryptographic values for best security and compatibility. PKI Cryptographic Details

Validity Period

  1. Select your Validity Period Learn more about Validity Period best practices
  2. Enter a Notification Email this email address (as well as the PKI Administrators) will get all the notifications for the lifecycle of the CA.
  3. Select the lifecycle action you want EZCA to take when expiry of the CA is approaching

    For Root CAs we recommend to have a manual Lifecycle since the new Root will have to be added to the trusted root stores of your clients which requires manual steps from the IT team.

  4. Select the percentage of lifetime of the certificate when you want EZCA to start taking Lifecycle actions. Azure Certificate Authority Lifecycle Details

CA Certificate Revocation List

  1. Select if you want this CA should issue a CRL (Highly recommended)
  2. Click Next. CRL Details

CA Certificate Revocation List Advance Settings

Changes to this section are only recommended for PKI experts with specific requirements.

  1. Click the expand button CRL Details
  2. Enter the desired CRL Validity Period in days
  3. Enter the desired CRL Overlap Period in hours
  4. (Optional) Enter the CRL endpoint where you will publish your CRLs

    Custom CRL endpoints are supported by EZCA by adding the CRL endpoint as the CRL endpoint in the certificate. However, your PKI admins are responsible from getting the CRL from EZCA and posting it in that specific endpoint.

  5. Click Next. CRL Details

CA Issuance Policy

  1. Select the Certificate Template you want this CA to Issue. Leave as “Subordinate CA Template” unless creating a 1 tier PKI (Not Recommended) CA Template

  2. Enter the largest certificate lifetime that this CA can issue. EZCA automatically calculates the recommended maximum based on CA lifecycle best practices. CA Max Certificate lifetime

  3. Set your EKU (Extended Key Usage) for the CA. These are the key usages that the certificates are used for, by default it is “All”. However, some radius servers and Linux based systems use open SSL which does not support the all EKU.

  4. Click Next. Next

Select The Location for Your Certificate Authority

  1. Select the location where you want your CA to be created.
  2. Click Create Create Root CA

Download Your Certificate Authority Certificate

  1. Once the CA is created download the certificate and push it to all your devices as a trusted root. Download Root Certificate Authority Certificate