Certificate Management Service supports Private Certificate Authority (PCA). PCA allows you to create a private certificate authority (CA) for your enterprise at low cost, so you do not need to build or maintain your own public key infrastructure (PKI). This topic describes how to create a private CA in the Certificate Management Service console. After you create a private CA, PCA is automatically enabled.
Background information
Private CAs are classified into private root CAs and private intermediate CAs. A private intermediate CA is subordinate to a private root CA. A private root CA may include one or more private intermediate CAs. Only private intermediate CAs can issue private certificates, including server certificates and client certificates.
If this is the first time you create a private CA, you must first create a private root CA. After you create a private root CA, you obtain one private root CA and one private intermediate CA. By default, the private intermediate CA has the quota to issue 10 private certificates.
You can create more private intermediate CAs for the existing private root CA based on the organizational structure of your enterprise. For example, you can use the private root CA to create private intermediate CAs for different departments of your enterprise. You can also purchase the quota for private certificates to issue more private certificates by using the existing private intermediate CA.
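As an added illustration of the hierarchy described above (example code, not the service's own), the following Python uses the `cryptography` library to build a root CA, a subordinate intermediate CA and a server certificate, and then checks that a certificate is accepted only when it chains through a CA-capable intermediate to the root; the names and keys are constructed placeholders.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def issue(subject_cn, issuer_cert, issuer_key, pubkey, ca, pathlen=None):
    """Sign a certificate for pubkey; issuer_cert=None means self-signed (the root)."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(subject)
            .issuer_name(subject if issuer_cert is None else issuer_cert.subject)
            .public_key(pubkey)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=pathlen), critical=True)
            .sign(issuer_key, hashes.SHA256()))

def build_hierarchy():
    """Root CA (pathlen 1) -> intermediate CA (pathlen 0) -> server certificate (constructed keys)."""
    root_key, inter_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = issue("Example Private Root CA", None, root_key, root_key.public_key(), True, 1)
    inter = issue("Example Private Intermediate CA", root, root_key, inter_key.public_key(), True, 0)
    leaf = issue("server.internal.example", inter, inter_key, leaf_key.public_key(), False)
    return root, inter, leaf, root_key, inter_key, leaf_key

def _signed_by(cert, issuer):
    # Name chaining plus an ECDSA signature check of cert against the issuer's key.
    if cert.issuer != issuer.subject:
        return False
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False

def verify_chain(leaf, intermediates, root):
    """True only if each link is signed by its issuer, each issuer is CA:TRUE and its path length fits."""
    chain = [leaf] + list(intermediates) + [root]
    for depth, (cert, issuer) in enumerate(zip(chain, chain[1:])):
        if not _signed_by(cert, issuer):
            return False
        bc = issuer.extensions.get_extension_for_class(x509.BasicConstraints).value
        if not bc.ca or (bc.path_length is not None and bc.path_length < depth):
            return False
    return _signed_by(root, root)
```

A certificate signed by the end-entity certificate, or one that names the intermediate as issuer but was not signed with its key, fails the check.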
Create a private root CA
If this is the first time you create a private CA, perform the following operations to create a private root CA first:
What to do next
After you create a private CA, you must enable the private CA before you can use it to issue private certificates. For more information about how to enable a private CA, see Enable a private CA.
Related operations
- Create a private intermediate CA: After you create and enable a private root CA, you can create multiple private intermediate CAs for the private root CA.
Note
- By default, a private intermediate CA created for the existing private root CA does not have the quota to issue private certificates. You cannot use this private intermediate CA to issue private certificates. After you create a private intermediate CA for the existing private root CA, you must purchase the required quota before you can use the private intermediate CA to issue private certificates.
- When you create a private intermediate CA for the existing private root CA, the value of the Certificate Algorithm parameter for the private intermediate CA is automatically set to that for the private root CA and cannot be modified.
Procedure: In the private CA list, find the private root CA that is in the Enabled state and click Create CA in the Actions column. On the page that appears, configure the parameters and complete the payment as prompted.
- Purchase the quota to issue private certificates: If the existing private root CA does not have sufficient quota to issue the required number of private certificates, you can purchase extra quota. This increases the quota to issue private certificates for the private root CA.
Procedure: In the private CA list, find the private root CA for which you want to purchase the quota to issue private certificates and click Purchase Certificate in the Actions column. In the Purchase Certificate panel, enter the number of certificates based on your business requirements, click Purchase, and then complete the payment.
Note
If the quota that you purchase for a private root CA exceeds a threshold, you are not charged for the excess certificates that are issued. For more information about the threshold, join the DingTalk group numbered 32435999 for support.
- Assign certificates: After you purchase the quota to issue private certificates, you can assign the quota to different private intermediate CAs of the private root CA.
Private certificates can be assigned only when the private root CA and the private intermediate CA meet the following conditions:
- The private root CA is in the Enabled state.
- The remaining quota of the private root CA is not 0.
- The private intermediate CA is in the Enabled state.
Procedure: In the private CA list, find the private root CA from which you want to assign the quota for private certificates, and click Assign Certificate in the Remaining Certificate Quota/Total column. In the Assign Certificate panel, select the private intermediate CA to which you want to assign the quota, specify the remaining quota of the private intermediate CA, and then click OK.
- Claim a refund: You can request a refund for a private CA that is in the Disabled state. If the private CA is enabled, you cannot request a refund.
- Renew a private CA: After a private CA expires, you cannot use the private CA to issue private certificates. You can renew the private CA to continue to use it.