Creating Subordinate CA from PKIaaS Root CA

To create a subordinate CA from a PKIaaS root CA:

  1. Go to (Menu) icon > PKI+ > CA Inventory.
    The CA Inventory page appears.
  2. Click +Create CA on the top-right corner of the page.
    The Create CA page is displayed.
  3. Enter the fields as described in the table.
    Table 1. Field Description for PKIaaS Management page
    Field: Description
    Select CA Type
    *CA Name: Provide a friendly name for reference. No special characters are allowed except dash (-) and underscore (_).
    Description: Provide a description for the CA. The maximum length is 500 characters. The following special characters are not supported: ', ", ;, <, >, &, $, |, #, \, `.
    Tier: This is a read-only field. For a standard initialization, Standard is shown; if AppViewX PKIaaS Native was used for PKI initialization, that is shown instead.
    Certificate Authority Type: Select Subordinate CA.

    On selecting Subordinate CA, the Root CA field appears with the External and PKIaaS options.

    Root CA: This field appears only on selecting Subordinate CA.

    Select PKIaaS if the root CA is already in the AppViewX system.

    Note: Subordinate CAs need to be activated. They show the status Create - Approval Pending until they are approved by the active custodians.
    *Issuer Name: This field appears only when Root CA is set to PKIaaS.

    Select an issuer name from the dropdown list.

    *Template: This field appears only if Tier = AppViewX PKIaaS Native. Select a template from the dropdown list.
    *Valid for: Select the number of years until the CA certificate expires.
    Configure CA Subject Name
    *CA Common Name: Enter the subject common name (CN) of the subordinate CA being created.
    *Organization: Enter the name of the organization that owns the CA.
    Organization Unit: Enter the business unit responsible for CA operations.
    City: Enter the city name.
    State: Enter the state name.
    Country: Enter the country of the organization.
    Configure CA Key Size and Algorithm
    CSR Generation: Select AppViewX if you are generating keys using HashiCorp Vault; otherwise select HSM.
    Use Existing Key: Select this option if you want to use an existing key from the HSM.
    *Device: This field is displayed only when CSR Generation = HSM. Select a configured device from the dropdown list.
    *Key Handler Name: This field is displayed only when CSR Generation = HSM. Either create a new key in the HSM by providing a reference name, or reuse an existing key handler name (the key's alias/label in the HSM). To list the labels present in the HSM, run:
    pkcs11-tool --module /path/to/pkcs11.so --login --list-objects
    (Private-key objects are only visible to a logged-in session, so include --login, or --pin, when looking for an existing key label; without it most tokens list only public objects.)
    Click the Validate button:
    • If validation is successful, the message Key is available in the HSM is displayed.
    • If validation is unsuccessful, the message Key is not available in the HSM is displayed.
    • If the key provided is not supported by the CA being created, the message The algorithm for this key is not supported for CA creation is displayed.
    *Key Size and Algorithm: Select the CA key size and algorithm from the dropdown list. By default, RSA_PKCS1_4096_SHA256 is selected.
    Configure CA Artifacts
    Path Length Constraint: An optional parameter (the pathLenConstraint of the certificate's Basic Constraints extension) that limits how many intermediate CA certificates may appear below this CA in a valid certification path. By default, the value is None.

    This field can have any of these values: 0, 1, 2, 3, or none. A value of 0 means this CA may issue end-entity certificates only, not further subordinate CAs. For example, if it is set to 2, at most two intermediate CAs are allowed between this CA certificate and an end-entity certificate. None means no limit is written into the certificate. The tighter value in the chain wins: a larger value on a subordinate CA does not extend the limit set by its issuer.

    Custodian Settings
    Custodian: By default, the SaaS trial customer (the logged-in user) is added as the custodian. They receive the approval links via email for all the actions performed during PKI hierarchy creation.

    Click Manage to add more custodians.

    Note: Fields marked with a red asterisk (*) are mandatory.
  4. Click Create.
    A window with the summary of values entered appears.
  5. Click Proceed to trigger the approval flow.
    The newly created CA appears in the table with the status as Create - Approval Pending.

    An email from AppViewX is sent to all the active custodians for approving the CA. If you want to abort the action, then click Abort.

  6. Click the here hyperlink in the email to be redirected to the AppViewX login page.
    On successfully logging in, the approval request is displayed with the Approve and Reject buttons.
    Tip: You can also approve by clicking the (Notification Center) on the top right-hand-corner of the page.
  7. Enter the comments and click Approve.
    A confirmation popup asks whether you want to submit the request.
  8. Click OK. Once the approval count reaches the minimum set by the quorum number, the request is approved.
  9. Click the (Refresh) icon on the PKIaaS Management page. Once the PKIaaS subordinate CA is activated, its status changes to Active. Click Resubmit if the action fails for any reason.
  10. [Optional] Click the Audit Log against the CA to view the audit log details. You can also download the audit log by clicking the Download button on the Audit Log view page. The audit log is exported in the .xls format.
    Note: Once the audit log is fully loaded, the Loading button will turn to View. Refresh the page to see the View button.
  11. [Optional] Click the Approval Status column value link to check the update on approvals.