How-To: Create a Subordinate/Issuing SSL CA in Azure

Learn how to create your own Issuing SSL CA and chain it up to an EZCA Root or an Offline Root.

Prerequisites

  1. Registering the application in your tenant
  2. Selecting a Plan
  3. Create First Root CA

Overview - How To Create Issuing/Subordinate CA

A Subordinate (Issuing) CA is a critical part of any PKI hierarchy: it is the Certificate Authority that issues the end-entity certificates, so that the Root CA's key is used only to sign its subordinate CAs. In this page we will guide you through creating your own SSL CA and chaining it up to a Root CA (an EZCA Root or an Offline Root).

Getting Started on Creating Your Issuing CA

  1. Go to https://portal.ezca.io/

  2. Log in with an account that is registered as a PKI Admin in EZCA.

  3. Navigate to Certificate Authorities.

    EZCA Cloud PKI portal Certificate Authorities menu showing list of cloud CAs

  4. Click “Create CA”.

    EZCA Cloud PKI portal Create CA button to begin creating a new certificate authority

  5. Select Subordinate/Intermediate CA.

    EZCA Cloud PKI Create CA type selection with Subordinate/Intermediate CA option selected

  6. Click Next

Entering CA Information

  1. Enter Common Name: This is the name of the CA as it will appear in the Subject of the CA certificate.

  2. (Optional) Enter CA Friendly Name: This is the name that will appear in the EZCA portal; by default the Common Name is used.

  3. (Optional) Enter the Organization: The Organization (O) field is an optional certificate field that usually contains the company name.

  4. (Optional) Enter the Organizational Unit: The Organizational Unit (OU) field is an optional certificate field that usually contains the unit that runs this CA (for example: IT or HR).

  5. (Optional) Enter the Country Code: The Country (C) field is an optional certificate field that holds the two-letter code of the country where this CA is located.

  6. Click Next.

    EZCA Cloud PKI Create CA Add Issuer Information form with Common Name, Organization, and Country fields

Cryptographic Requirements

  1. Unless you have specific compliance or security requirements, leave the default cryptographic values for best security and compatibility.

    EZCA Cloud PKI Create CA cryptographic key size selection showing RSA 2048, RSA 4096, ECDSA P256 and P384 options

Set Your CA Validity Period

  1. Select your Validity Period. Learn more about Validity Period best practices.

  2. Enter a Notification Email: this email address (as well as the PKI Administrators) will receive all notifications for the lifecycle of the CA.

  3. Select the lifecycle action you want EZCA to take when the expiry of the CA is approaching.

  4. Select the percentage of the CA certificate's lifetime at which you want EZCA to start taking lifecycle actions.

    EZCA Cloud PKI Create CA validity period form with notification email, lifecycle action, and CRL settings

CA Certificate Revocation List

  1. Select whether this CA should issue a CRL (highly recommended: without a CRL or OCSP, relying parties have no way to learn that a certificate issued by this CA has been revoked).

  2. Click Next.

    EZCA Cloud PKI Create CA validity period and CRL distribution settings with Next button highlighted

CA Certificate Revocation List Advanced Settings

  1. Click the expand button

    EZCA Cloud PKI Create CA CRL advanced settings expand button highlighted to reveal CRL configuration options

  2. Enter the desired CRL Validity Period in days.

  3. Enter the desired CRL Overlap Period in hours (the extra time a published CRL stays valid past the next scheduled publication, so clients are not left with an expired CRL if publication is delayed).

  4. (Optional) Enter the CRL endpoint (the CRL Distribution Point URL) where you will publish your CRLs.

How To Enable OCSP (Online Certificate Status Protocol) For Your CA

Inside the CA Revocation advanced settings, you can enable OCSP for this CA. OCSP is only recommended if you have specific requirements for it. While OCSP allows faster revocation checking, every OCSP response has to be signed, which increases the cryptographic load on the CA and can limit its scalability (a Basic CA allows 1 cryptographic operation per second, a Premium CA 20 per second, and an Isolated CA 160 per second). Learn more about OCSP vs CRL.

  1. If you want to enable OCSP, select the “Enable OCSP” option.

    EZCA Cloud PKI CRL advanced settings showing Enable OCSP checkbox with CRL validity and custom URL fields

  2. Enabling OCSP creates an OCSP endpoint for this CA in the region you select for it (this is included in the price of your CA). If you require extra scalability, you can create multiple OCSP responders for your certificate authority in different regions. Note: each extra OCSP responder is charged as an extra Certificate Authority.

    EZCA Cloud PKI CRL settings with OCSP enabled showing extra OCSP locations configuration panel

  3. Once you have set up your certificate revocation settings, click Next.

    EZCA Cloud PKI Create CA CRL settings page with Next button to proceed to issuance policy

Set The Certificate Issuance Policy

  1. The first thing to select is the type of CA to create. In this example we are creating an “SSL CA”, which can be used for Azure IoT, our integrated Azure Key Vault, ACME, or any other SSL/TLS use case. If you need a different type of CA, for example a SCEP CA for an MDM or a Root CA, select the appropriate template.

    EZCA Cloud PKI Create CA issuance policy with SSL Template selected as the certificate issuing type

  2. Then enter the largest certificate lifetime that this CA can issue. EZCA automatically calculates the recommended maximum based on CA lifecycle best practices.

    EZCA Cloud PKI Create CA issuance policy showing Maximum Certificate Validity Period field in days

Set the EKU (Extended Key Usage)

As you can see at the top of the page, there is a warning about the EKUs. By default EZCA enables the “Any” EKU (anyExtendedKeyUsage), which means that this CA can issue certificates for any use case. However, some libraries, such as OpenSSL, do not support this EKU type. If you want to restrict the EKUs to a specific use case, expand the advanced settings and select the desired EKUs (unselect “Any” before making other selections). Restricting the EKUs is also a least-privilege control: validators that enforce EKU along the chain (Windows CryptoAPI does) will not trust an end-entity certificate whose EKU is missing from its issuing CA, so an SSL-only CA cannot be misused to issue, for example, code-signing certificates that those validators would accept.

![EZCA Cloud PKI Create CA Extended Key Usages panel with Any EKU checked and individual EKU options listed](/images/ezca/ssl-ca-ekus.png)

Issuance Policy (Advanced Settings)

  1. Click the expand button

    EZCA Cloud PKI Create CA issuance policy page with Advance Settings expand button highlighted

Pre-Approved List of domains

  1. Since this is not a publicly trusted CA, by default EZCA allows requesters to register any domain. If you want to limit which domains this CA can issue certificates for, select the “Allow Only Pre-Approved List of Domains” option.

    EZCA Cloud PKI issuance policy domain rules with Allow Only Pre-Approved List of Domains option highlighted

  2. Upload a .txt file with your Pre-Approved domains (one per line), or enter them in the portal.

    EZCA Cloud PKI issuance policy showing pre-approved allowed domains list with upload and manual entry options

Allow Wildcard Domains

By default EZCA does not allow users to request certificates with wildcard domains (a domain that starts with *., which lets the same certificate be used for all subdomains at that level). If you want EZCA to issue wildcard certificates, select the “Allow wild-card certificates” option. Keep in mind that a wildcard certificate's private key protects every host under that name, so a single compromised host exposes all of them.

EZCA Cloud PKI Create CA issuance policy with Allow wild-card certificates checkbox highlighted

Certificate Issuance Rules

To give PKI administrators more granular control over who can request domain ownership in EZCA, we added two extra knobs that control domain registration.

  1. Require domain registration approval. This option enables PKI administrators to set a group of approvers who must approve each domain registration before a user or group of users is registered as domain owner.

    1. To enable this option select the “require approval” option.

    2. Enter the users or AAD groups that can approve domain requests.

      EZCA Cloud PKI issuance policy with Require Approval checkbox enabled and domain approvers list shown

  2. The second way PKI administrators can control domain registration is to allow only specific users to request domains. This option enables PKI administrators to set a list of users who can request domains for this CA.

    1. To enable this option deselect the “Allow all users” option.

    2. Enter the users or AAD groups that can register domains.

      EZCA Cloud PKI issuance policy with Allow all users unchecked and specific domain requesters list shown

  3. Once you are done setting up your issuance policy, click Next.

    EZCA Cloud PKI Create CA issuance policy page with Next button highlighted to proceed to location selection

Select Location

  1. Select the location where you want your CA to be created.

    EZCA Cloud PKI Create CA geo-redundancy page with Primary Location dropdown for selecting Azure region

How To Add Geo-Redundancy to Your PKI

EZCA allows you to create multiple CAs across many regions to create geo-redundancy.

  1. Click the “Add Secondary Location” Button.

    EZCA Cloud PKI Create CA geo-redundancy page with Add Secondary Location button highlighted

  2. Enter the Location information.

    EZCA Cloud PKI Create CA secondary location panel with Common Name, Country, and Certificate Authority Location fields

  3. Add as many locations as needed.

Create CA

  1. Click Create.

    EZCA Cloud PKI Create CA final page with Create button highlighted to submit the new certificate authority

Chaining to EZCA Root CA

  1. Once the CA is requested, a Certificate Signing Request (CSR) will be created for each location.

    EZCA Cloud PKI Intermediate CA Has Been Requested page showing CA CSR PEM content and Chain to EZCA CA option

  2. If your desired Root CA is an EZCA CA, select it from the dropdown and click Create CA.

    EZCA Cloud PKI CA chaining page with Select Root CA dropdown and Create CA button highlighted

  3. Repeat these steps for each location.

  4. Your CA is ready to be used!

  5. Next step: Register your first domain

Chaining to Offline Root CA

If you prefer to chain your CA to an offline Root CA, follow these steps.

  1. Once the CA is requested, a Certificate Signing Request (CSR) will be created for each location.

    EZCA Cloud PKI Intermediate CA Has Been Requested page showing CA CSR PEM content and Save CSR button

  2. Click the “Save CSR” Button.

    EZCA Cloud PKI CA request page with Save CSR button and Upload CA Certificate section for offline root chaining

  3. Once the CSR is downloaded, follow your internal guidance to transfer it to your offline Root CA.

  4. Open the “Certification Authority” console (certsrv.msc) on the offline Root CA.

    Windows Certificate Authority MMC console showing local CA with Issued Certificates and Pending Requests folders

  5. Right click the CA.

  6. Select All Tasks -> Submit new request…

    Windows ADCS CA right-click context menu showing All Tasks then Submit New Request option

  7. Select the downloaded CSR.

    Windows file browser Open Request File dialog with CSR file selected for submission to ADCS

  8. Click on Pending Requests.

    Windows ADCS Certification Authority MMC showing Pending Requests folder with submitted CSR

  9. Right click on the newly created request.

  10. Select All Tasks -> Issue.

  11. Click on Issued Certificates.

    Windows ADCS Issued Certificates folder showing newly signed subordinate CA certificate

  12. Double click on the newly created certificate.

    Windows Certificate dialog showing certificate details with General, Details, and Certification Path tabs

  13. Click on Details.

    Windows Certificate dialog with Details tab selected showing certificate properties

  14. Click the “Copy to File…” button.

    Windows Certificate details page with Copy to File button highlighted to launch export wizard

  15. Click Next.

  16. Select the “Base-64 encoded X.509 (.CER)” option.

    Windows Certificate Export Wizard format selection with Base-64 encoded X.509 CER option selected

  17. Click Next.

  18. Select where you want to save the newly created certificate.

    Windows Certificate Export Wizard file save location step with browse button for choosing output path

  19. Click Next.

  20. Click Finish.

    Windows Certificate Export Wizard completion page with Finish button highlighted

  21. This should create a .cer file in the location you selected.

    Windows Desktop with exported CER certificate file visible in file browser

  22. Follow your PKI team’s guidance on transferring the certificate file out of the offline CA to an internet-connected computer.

  23. Once you have the certificate on an internet-connected computer, go to https://portal.ezca.io/

  24. Log in with an account that is registered as a PKI Admin in EZCA.

  25. Navigate to Certificate Authorities.

    EZCA Cloud PKI portal Certificate Authorities menu showing list of cloud CAs

  26. Click “View Details” on the CA you want to import the certificate for.

    EZCA Cloud PKI My CAs page showing list of certificate authorities with View Details button highlighted

  27. Scroll down to the location you want to import, and click the “Upload CA Certificate” button.

    EZCA Cloud PKI CA details page showing Upload CA Certificate button for importing the signed certificate

  28. Select the newly created certificate file.

    Windows file browser showing CER certificate file to select for upload to EZCA

  29. Click the “Save Certificate” button.

    EZCA Cloud PKI CA import page with Save Certificate button to complete subordinate CA creation

  30. Repeat these steps for each location.

  31. Your CA is ready to be used!

  32. Next step: Register your first domain
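The console steps 4 to 21 above can be scripted on the offline root with the ADCS command-line tools. The following is an added example, not EZCA's or Microsoft's code. It assumes the CSR saved from the EZCA portal was carried over to the offline machine as C:\Transfer\ezca-issuing-ca.csr, that the offline root is a standalone ADCS CA whose configuration string is 'OFFLINE-ROOT\Contoso Offline Root CA', and that it is run in an elevated PowerShell session on that machine; all of these names are placeholders.

```powershell
# Added example (not EZCA's or Microsoft's code): command-line equivalent of the
# Certification Authority console steps, run on the offline Windows root CA.
# Placeholders (assumptions, not from the original page):
$CaConfig = 'OFFLINE-ROOT\Contoso Offline Root CA'   # <hostname>\<CA name>; find yours with: certutil -dump
$CsrPath  = 'C:\Transfer\ezca-issuing-ca.csr'        # CSR saved from the EZCA portal
$CerPath  = 'C:\Transfer\ezca-issuing-ca.cer'        # Base64 certificate to upload to EZCA

function Invoke-Native {
    # Run a native tool, capture stdout and stderr as one string, and stop on a
    # non-zero exit code unless the caller wants to inspect the output itself.
    param([string]$Exe, [string[]]$ArgList, [switch]$AllowFailure)
    $out = & $Exe @ArgList 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0 -and -not $AllowFailure) {
        throw "$Exe $($ArgList -join ' ') failed with exit code $LASTEXITCODE`n$out"
    }
    return $out
}

# 1. Submit the CSR (console: All Tasks -> Submit new request...).
#    A standalone root CA parks the request under "Pending Requests"; certreq reports
#    that as "Taken Under Submission" with a non-zero exit code, so success is judged
#    by the RequestId it prints rather than by the exit code. On an enterprise CA you
#    would add: -attrib "CertificateTemplate:SubCA".
$submit = Invoke-Native certreq.exe @('-submit', '-config', $CaConfig, $CsrPath, $CerPath) -AllowFailure
if ($submit -notmatch 'RequestId:\s*(\d+)') { throw "No RequestId in certreq output:`n$submit" }
$requestId = [int]$Matches[1]
Write-Host "CSR submitted as request $requestId"

# 2. Issue the pending request (console: Pending Requests -> All Tasks -> Issue).
Invoke-Native certutil.exe @('-config', $CaConfig, '-resubmit', "$requestId") | Out-Null

# 3. Retrieve the issued certificate (console: Issued Certificates -> Copy to File...).
#    certreq writes Base64 unless -binary is given, so this is already the
#    "Base-64 encoded X.509 (.CER)" format the Export Wizard steps produce.
Invoke-Native certreq.exe @('-retrieve', '-config', $CaConfig, "$requestId", $CerPath) | Out-Null

# 4. Check the file before it leaves the offline network: it must be PEM, and the
#    root must have issued it as a CA certificate, otherwise EZCA cannot use it to issue.
$pem = Get-Content -Raw -Path $CerPath
if ($pem -notmatch '-----BEGIN CERTIFICATE-----') {
    throw "$CerPath is not Base64 encoded; re-run certreq -retrieve without -binary"
}
$verify = Invoke-Native certutil.exe @('-verify', $CerPath) -AllowFailure
if ($verify -notmatch 'Cert is a CA certificate') {
    throw "The issued certificate is not a CA certificate; check the request and CA policy:`n$verify"
}
Write-Host "CA certificate written to $CerPath. Transfer it to an internet-connected computer and use 'Upload CA Certificate' in the EZCA portal."
```

The certutil -verify call will report that the CRL of the offline root cannot be fetched; that is expected on an air-gapped root and is why only the "Cert is a CA certificate" line is checked here.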

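Before clicking “Upload CA Certificate”, it is worth checking that the certificate the root issued actually matches what was configured in the wizard: that it is a CA certificate able to sign certificates and the CRL chosen in the CA Certificate Revocation List section, which EKUs it carries (including the “Any” EKU discussed in the EKU section), that its validity fits inside the root's, and that it chains to the intended root. The following is an added example, not EZCA's code; the two file paths are placeholders, and the root certificate file is assumed to have been exported from the offline root alongside the issued certificate.

```powershell
# Added example (not EZCA's code): pre-upload checks on a signed issuing-CA certificate.
# Works in Windows PowerShell 5.1 and PowerShell 7 on Windows.
using namespace System.Security.Cryptography.X509Certificates

function Test-IssuingCaCertificate {
    param(
        [Parameter(Mandatory)][string]$SubCaPath,   # certificate the root issued (Base64 or DER)
        [Parameter(Mandatory)][string]$RootCaPath   # the root CA's own certificate
    )
    $sub  = [X509Certificate2]::new($SubCaPath)
    $root = [X509Certificate2]::new($RootCaPath)
    $findings = [ordered]@{}

    # Basic Constraints: an issuing CA must be flagged CA, or nothing it signs will chain.
    $bc = $sub.Extensions | Where-Object { $_ -is [X509BasicConstraintsExtension] }
    $findings['IsCA'] = [bool]($bc -and $bc.CertificateAuthority)

    # Key Usage: keyCertSign is needed to issue certificates; cRLSign is needed for the CRL
    # this CA publishes, and validators such as OpenSSL reject a CRL whose issuer lacks it.
    $ku = $sub.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] }
    $findings['CanSignCerts'] = [bool]($ku -and (($ku.KeyUsages -band [X509KeyUsageFlags]::KeyCertSign) -ne 0))
    $findings['CanSignCRLs']  = [bool]($ku -and (($ku.KeyUsages -band [X509KeyUsageFlags]::CrlSign) -ne 0))

    # Extended Key Usage: 2.5.29.37.0 is anyExtendedKeyUsage, the "Any" EKU the wizard enables
    # by default. It is reported rather than failed, because whether it is acceptable depends
    # on the clients (OpenSSL does not honour it, per the EKU section).
    $eku = $sub.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
    $ekuOids = @()
    if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $findings['EKUs']      = $ekuOids
    $findings['HasAnyEKU'] = ($ekuOids -contains '2.5.29.37.0')

    # Validity: a subordinate that outlives its root leaves clients with a broken chain
    # for the tail of its lifetime.
    $findings['ValidityNestedInRoot'] = ($sub.NotBefore -ge $root.NotBefore) -and ($sub.NotAfter -le $root.NotAfter)

    # Signature: build the chain with the root supplied explicitly. Revocation checking is
    # skipped because the root is offline; AllowUnknownCertificateAuthority lets the build
    # succeed without the root being in the local trust store, and the top of the resulting
    # chain must still be the root we expect (a wrong root ends in a partial chain instead).
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode    = [X509RevocationMode]::NoCheck
    $chain.ChainPolicy.VerificationFlags = [X509VerificationFlags]::AllowUnknownCertificateAuthority
    $chain.ChainPolicy.ExtraStore.Add($root) | Out-Null
    $built = $chain.Build($sub)
    $chainsToRoot = $false
    if ($built -and $chain.ChainElements.Count -gt 0) {
        $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $chainsToRoot = ($top.Thumbprint -eq $root.Thumbprint)
    }
    $findings['ChainsToRoot'] = $chainsToRoot

    $findings['ReadyToUpload'] = $findings['IsCA'] -and $findings['CanSignCerts'] -and
        $findings['CanSignCRLs'] -and $findings['ValidityNestedInRoot'] -and $findings['ChainsToRoot']
    return $findings
}

# Placeholder paths (assumptions, not from the original page).
Test-IssuingCaCertificate -SubCaPath 'C:\Transfer\ezca-issuing-ca.cer' -RootCaPath 'C:\Transfer\offline-root.cer'
```

If ReadyToUpload is False, fix the cause on the root (for example, a CA policy that dropped the CA flag or key usages from the request) and re-issue before uploading, since EZCA will store whatever certificate it is given.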