SSL Certificates Service provides the Private Certificate Authority (PCA) service. This service allows you to create private certificate authorities (CAs) for your enterprise at low costs without the need to build and maintain public key infrastructure (PKI). This topic describes how to create a private CA in the SSL Certificates Service console by purchasing the PCA service.

Background information

Private CAs are divided into private root CAs and private intermediate CAs. A private intermediate CA is subordinate to a private root CA. A private root CA contains one or more private intermediate CAs. A private root CA issues only certificates for private intermediate CAs. Only private intermediate CAs can issue private certificates, including server certificates and client certificates.

If you have not created a private CA, you must first create a private root CA. After you complete the payment, a private root CA and a private intermediate CA are created. Then, you can create multiple private intermediate CAs under the private root CA based on the organizational structure of your enterprise. For example, you can create private intermediate CAs for different departments in your enterprise.

Procedure

  1. Log on to the SSL Certificates Service console.
  2. In the left-side navigation pane, click Private Certificates.
  3. Create a private CA.
    The operations that you need to perform vary based on whether a private CA is created. Perform one of the following steps as needed:
    • If you have not created a private CA, you must first create a private root CA. On the Private Certificates page, click Create a private root CA above the private CA list.
    • If you have created a private CA, you can create a private intermediate CA under a private root CA that is in the Enabled state. In the private CA list, find the private root CA that you want to use and that is in the Enabled state, and then click Create CA in the Actions column.
  4. On the buy page of PCA, complete the configurations.
    The following table describes the parameters.
    Parameter Description
    PCA Use Select a scenario for PCA. Valid values:
    • Internal Use in Enterprises (Without Regulatory Requirements): PCA is used for network communication that requires cryptographic technology among internal systems of an enterprise, such as the office automation (OA) and human resources (HR) systems. PCA enables user identity authentication and secure transmission of application data. PCA is not used to meet regulatory and industry specifications.
    • Compliance Use in Enterprises (with Regulatory Requirements): PCA is used to meet requirements of cryptographic technology compliance and digital authentication services. For example, PCA can be used in bank-enterprise direct link and digital signature scenarios.
    Certificate Algorithm Select a type of certificate algorithm that the private CA uses when it issues certificates.

    Valid values: RSA, SM (Chinese Cryptographic Algorithm), and ECC.

    Create Private Root CA Select whether you want to create a private root CA. Valid values:
    • Yes: Creates a private root CA and a private intermediate CA. The private intermediate CA is subordinate to the private root CA.
    • No: Skips the step of creating a private root CA. Only one private intermediate CA is created.

    In the Internal Use in Enterprises scenario, if you have not created a private CA, you must first create a private root CA. This means that you must select Yes. If you have created a private root CA, you can select No.

    In the Compliance Use in Enterprises scenario, this parameter is set to No by default. The parameter value cannot be changed.

    Service Duration to Purchase Select a service duration of PCA as needed. The minimum value is 1 Month.
    Note
    • You can apply for certificates from a private CA within the service duration of PCA that you purchase. After the PCA service expires, the private CA cannot issue certificates even if the number of remaining certificates that the private CA can issue is not 0.
    • The validity period of a private certificate issued by a private CA cannot exceed the service duration of PCA that you purchase. For example, if the service duration of PCA that you purchase is one month, the validity period of a private certificate issued by the private CA cannot exceed 31 days.
    Pre-purchased Certificates Select the number of certificates that the private CA can issue.
  5. Click Buy Now.
  6. Confirm your order and complete the payment.
    After you complete the payment, you can view the new private CA on the Private Certificates page in the SSL Certificates Service console.

    After you create a private CA for the first time, a private root CA and a private intermediate CA are created. By default, the value in the Status column for a new private CA is Disabled.

What to do next

Enable a private CA: After you create the private CA, you must enable it so that the private CA can issue private certificates.

Related operations

  • Claim a refund: You can claim a refund for a private CA that is in the Disabled state. If the private CA is enabled, you cannot claim a refund for the private CA.
  • Renew a private CA: A private CA cannot issue certificates after the PCA service expires. You can renew the PCA service to extend its service duration.