Certificate Management Service supports Private Certificate Authority (PCA). PCA lets you run a private certificate authority (CA) for your enterprise at low cost, so you do not need to build or operate your own public key infrastructure (PKI). This topic describes how to create a private CA in the Certificate Management Service console. After you create a private CA, PCA is enabled automatically.

Background information

Private CAs are classified into private root CAs and private intermediate CAs. A private intermediate CA is subordinate to a private root CA, and a private root CA can have one or more private intermediate CAs under it. Only private intermediate CAs can issue private certificates, including server certificates and client certificates. The private root CA signs only its intermediate CAs, which is standard PKI practice: the root key stays out of day-to-day issuance, and internal systems need to trust only the root certificate for every certificate issued under it to validate.

The first private CA that you create must be a private root CA. Creating a private root CA also creates one private intermediate CA under it. By default, this private intermediate CA has the quota to issue 10 private certificates.

You can create more private intermediate CAs under the existing private root CA based on the organizational structure of your enterprise, for example one private intermediate CA per department. You can also purchase additional certificate quota so that the existing private intermediate CA can issue more private certificates.

Create a private root CA

If you have not created a private CA before, create a private root CA first:

  1. Log on to the SSL Certificates Service console.
  2. In the left-side navigation pane, click Private Certificates.
  3. In the upper-left corner of the Private Certificates page, click Purchase Private Root CA.
  4. In the Purchase Private Root CA panel, configure the parameters.
    The following table describes the parameters.
    Parameter Description
    Commodity Module PCA Service is selected automatically. This option creates a private CA with which your enterprise maintains and manages its own certificates.
    PCA Usage For Internal Compliance is selected automatically. This usage suits enterprises that need encrypted communication between internal systems, such as office automation (OA) and human resources (HR) systems, for identity authentication and the secure transmission of application data. PCA is not intended to meet external regulatory requirements or industry specifications.
    Commodity Specifications Create Root CA is selected automatically.
    Certificate Algorithm The algorithm family used for the keys of the private CA and of the certificates that it issues.

    Valid values: RSA, SM (Chinese cryptographic algorithm), and ECC. Every private intermediate CA created under this root CA inherits the value and cannot change it, so choose an algorithm that all of your relying parties support.

    Subscription Duration The subscription duration of the private CA. The minimum value is 1 Month.
    Note
    • A private CA can issue private certificates only within its subscription duration. After the private CA expires, it can no longer issue private certificates, even if its certificate quota is not used up.
    • The validity period of a private certificate cannot exceed the subscription duration of the private CA that issues it. For example, if you set Subscription Duration to 1 Month, the private CA cannot issue private certificates that are valid for more than 30 days.
  5. Click Buy Now.
  6. Confirm your order and complete the payment.
    After you complete the payment, the new private CAs appear on the Private Certificates page in the SSL Certificates Service console. The purchase creates one private root CA and one private intermediate CA under it. By default, both are in the Disabled state.
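The hierarchy described under Background (the root CA signs the intermediate CA, and only the intermediate CA issues server and client certificates) and the validity rule in the Subscription Duration note can be checked locally with openssl. The following shell script is an added example, not PCA's own tooling or console output: it builds a throwaway three-tier private PKI, verifies a leaf certificate against the private root with the intermediate supplied as an untrusted link, and checks that the leaf does not outlive its issuer. The file names, the subject names, the hostname oa.internal.example and the validity periods are assumptions chosen for illustration; the timestamp conversion assumes GNU date (the -d option) and openssl 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not PCA's own tooling): build a three-tier private PKI with
# openssl, mirroring root CA -> intermediate CA -> leaf certificate, then
# verify the chain and check the validity-nesting rule from the note above.
# Assumptions: openssl 1.1.1 or later on PATH, GNU date for "date -d", and the
# made-up names below (Example Private Root CA, oa.internal.example).
set -eu

# gen_key FILE: ECC P-256 private key, i.e. the "ECC" choice of the
# Certificate Algorithm parameter. Every CA in the hierarchy uses the same
# algorithm, as PCA also requires for intermediate CAs.
gen_key() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$1"
}

# sign_cert CSR CA_CERT CA_KEY DAYS EXTFILE OUT: issue a certificate from a CSR
sign_cert() {
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
    -days "$4" -sha256 -extfile "$5" -out "$6" 2>/dev/null
}

# build_pki DIR LEAF_DAYS: root (10 years) -> intermediate (1 year) -> leaf (LEAF_DAYS)
build_pki() {
  dir=$1; leaf_days=$2
  mkdir -p "$dir"

  # Root CA: self-signed, CA:TRUE, key used only to sign CAs and CRLs.
  gen_key "$dir/root.key"
  openssl req -new -key "$dir/root.key" -subj "/CN=Example Private Root CA" -out "$dir/root.csr"
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
                'keyUsage=critical,keyCertSign,cRLSign' > "$dir/ca.ext"
  openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 3650 \
    -sha256 -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null

  # Intermediate CA: signed by the root; pathlen:0 means it may issue leaf
  # certificates only, never another CA.
  gen_key "$dir/int.key"
  openssl req -new -key "$dir/int.key" -subj "/CN=Example Private Intermediate CA" -out "$dir/int.csr"
  printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
                'keyUsage=critical,keyCertSign,cRLSign' > "$dir/int.ext"
  sign_cert "$dir/int.csr" "$dir/root.pem" "$dir/root.key" 365 "$dir/int.ext" "$dir/int.pem"

  # Leaf server certificate issued by the intermediate, as PCA does.
  gen_key "$dir/leaf.key"
  openssl req -new -key "$dir/leaf.key" -subj "/CN=oa.internal.example" -out "$dir/leaf.csr"
  printf '%s\n' 'basicConstraints=CA:FALSE' 'keyUsage=critical,digitalSignature' \
                'extendedKeyUsage=serverAuth' 'subjectAltName=DNS:oa.internal.example' > "$dir/leaf.ext"
  sign_cert "$dir/leaf.csr" "$dir/int.pem" "$dir/int.key" "$leaf_days" "$dir/leaf.ext" "$dir/leaf.pem"
}

# verify_chain DIR: trust only the private root (the one certificate internal
# systems should install); the intermediate is supplied as an untrusted link
# that must itself chain to that root. Exit 0 when leaf -> intermediate -> root holds.
verify_chain() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/leaf.pem" >/dev/null
}

# not_after CERT: the certificate's notAfter as a Unix timestamp
not_after() {
  end=$(openssl x509 -noout -enddate -in "$1")
  date -u -d "${end#notAfter=}" +%s
}

# validity_nested CERT ISSUER: exit 0 when CERT does not outlive ISSUER
validity_nested() {
  [ "$(not_after "$1")" -le "$(not_after "$2")" ]
}

demo() {
  work=$(mktemp -d)
  build_pki "$work/ok" 30
  verify_chain "$work/ok" && echo "ok: leaf -> intermediate -> root verifies"
  validity_nested "$work/ok/leaf.pem" "$work/ok/int.pem" \
    && echo "ok: 30-day leaf fits inside the 365-day intermediate"

  # Failure mode: a 400-day leaf under a 365-day intermediate. Path validation
  # only needs every certificate to be valid right now, so it still passes;
  # the nesting rule has to be enforced separately (PCA does it at issuance).
  build_pki "$work/bad" 400
  verify_chain "$work/bad" && echo "note: 400-day leaf still verifies today"
  validity_nested "$work/bad/leaf.pem" "$work/bad/int.pem" \
    || echo "reject: leaf outlives its issuing intermediate"
  rm -rf "$work"
}
demo
```

The second half of the script shows why the subscription-duration limit matters: a leaf issued for longer than its intermediate still passes `openssl verify` today, because path validation only requires every certificate in the chain to be valid at the moment of the check. Once the intermediate expires, every such leaf stops validating at once, so the nesting rule has to be enforced when the certificate is issued, which is what PCA does by capping certificate validity at the CA's subscription duration.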

What to do next

After you create a private CA, you must enable the private CA before you can use it to issue private certificates. For more information about how to enable a private CA, see Enable a private CA.

Related operations

  • Create a private intermediate CA: After you create and enable a private root CA, you can create multiple private intermediate CAs for the private root CA.
    Note
    • By default, a private intermediate CA that you create under an existing private root CA has no quota to issue private certificates and cannot issue any. You must purchase the required quota before you can use this private intermediate CA to issue private certificates.
    • The Certificate Algorithm parameter of a private intermediate CA that you create under an existing private root CA is set automatically to the value of the private root CA and cannot be modified.
    Procedure: In the private CA list, find the private root CA that is in the Enabled state and click Create CA in the Actions column. On the page that appears, configure the parameters and complete the payment as prompted.
  • Purchase the quota to issue private certificates: If the existing private root CA does not have enough quota to issue the required number of private certificates, you can purchase additional quota. This increases the quota to issue private certificates for the private root CA.
    Procedure: In the private CA list, find the private root CA for which you want to purchase the quota and click Purchase Certificate in the Actions column. In the Purchase Certificate panel, enter the number of certificates that you require, click Purchase, and then complete the payment.
    Note If the quota that you purchase for a private root CA exceeds a threshold, you are not charged for the excess certificates that are issued. For the current threshold, join the DingTalk group numbered 32435999 for support.
  • Assign certificates: After you purchase the quota to issue private certificates, you can assign the quota to different private intermediate CAs of the private root CA.
    Quota can be assigned only when the private root CA and the private intermediate CA meet the following conditions:
    • The private root CA is in the Enabled state.
    • The remaining quota of the private root CA is not 0.
    • The private intermediate CA is in the Enabled state.
    Procedure: In the private CA list, find the private root CA whose quota you want to assign and click Assign Certificate in the Remaining Certificate Quota/Total column. In the Assign Certificate panel, select the private intermediate CA that receives the quota, specify the remaining quota for that private intermediate CA, and then click OK.
  • Claim a refund: You can request a refund for a private CA that is in the Disabled state. If the private CA is enabled, you cannot request a refund.
  • Renew a private CA: After a private CA expires, you cannot use the private CA to issue private certificates. You can renew the private CA to continue to use it.