Certificate Management Service supports Private Certificate Authority (PCA). PCA allows you to efficiently build a private certificate authority (CA) for your enterprise. You can then issue and manage self-signed private certificates within your enterprise. Private certificates are used to authenticate applications and to encrypt and decrypt the data of your enterprise.

Supported regions

You can use PCA only in the Germany (Frankfurt) region.

If you use PCA, the data of your private certificates is stored on Certificate Management Service servers in the Germany (Frankfurt) region.

Scenarios

PCA is suitable for scenarios in which you need to encrypt internal application data by using cryptographic technologies and in which regulatory requirements and industry standards are not involved. The cryptographic technology of PCA enables secure data transmission, data encryption and decryption, and identity authentication between internal applications. These applications include internal office automation (OA) and human resources (HR) systems.

Billing

PCA supports only the subscription billing method. Before you can use PCA, you must purchase PCA for specific months or years.

For more information about the pricing of PCA, see Billing.

Procedure

Step 1: Purchase PCA to create a private CA.

The first time you create a private CA, you must create a private root CA. Then, you can obtain one private root CA and one private intermediate CA. You can create more private intermediate CAs for the existing private root CA based on your business requirements.

Notice: The validity period of the private certificates that are issued by the private CA is determined based on the validity period of the private CA that you create in this step. When the private CA expires, the private certificates also expire. For example, if you create a private CA that is valid for one month, the validity period of your private certificates is up to one month.

References: Create a private CA

Cancellation: If the private CA that you create is in the Disabled state, you can claim a refund for the private CA. After the refund is approved, you can delete the private CA from the private CA list. For more information, see Claim a refund. Notice: You cannot claim a refund for a private CA that is enabled.

Step 2: Enable the private CA.

The first time you enable the private CA, you must enable the private root CA and then the private intermediate CA.

References: Enable a private CA

Cancellation: If a private CA is in the Enabled state, you can revoke the private CA. After the private CA is revoked, you can delete it from the private CA list. For more information, see Revoke a private CA. Notice: You cannot claim a refund for a private CA that is revoked.

Step 3: Apply for a private certificate from the enabled private intermediate CA.

A root CA can issue only certificates for intermediate CAs. Only intermediate CAs can issue private certificates including server certificates and client certificates.

References: Apply for a private certificate

Cancellation: If a private certificate is in the Normal state, you can revoke the private certificate. After the private certificate is revoked, you can delete it from the private certificate list. For more information, see Revoke a private certificate.

Step 4: Export and issue the private certificate to a specified user for installation and use.

A server certificate must be installed on a server, and a client certificate must be installed on a client browser.

References: Export a private certificate

Cancellation: None.

Step 5: Renew the private CA.

  • If you want to use a private CA after it expires, you can renew it before it expires to extend its service life.
  • If you want to continue to use a private CA that expired, you can reactivate it to extend its service life.

References: Renew a private CA

Cancellation: None.
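
The hierarchy rule in step 3 (root issues only intermediate CAs, intermediates issue server and client certificates) and the validity rule in step 1 (a certificate cannot outlive its CA) can be checked on certificate files with OpenSSL. The script below is an added example, not part of the original documentation or of the service's tooling; it builds a constructed root, intermediate and leaf locally, the function names (issue, make_demo_pki, end_epoch, check_chain) are hypothetical, and it assumes OpenSSL 1.1.1 or later and GNU date.

```sh
#!/bin/sh
# Added example on constructed data: a throwaway PKI built locally with OpenSSL,
# not output of Certificate Management Service. Assumes OpenSSL 1.1.1+, GNU date.

issue() {  # issue <name> <issuer> <extension-section> <days>, inside $PKI
  openssl req -new -config "$PKI/pki.cnf" -subj "/CN=Demo $1" -newkey rsa:2048 -nodes \
    -keyout "$PKI/$1.key" -out "$PKI/$1.csr" 2>/dev/null
  openssl x509 -req -in "$PKI/$1.csr" -CA "$PKI/$2.pem" -CAkey "$PKI/$2.key" \
    -CAcreateserial -days "$4" -extfile "$PKI/pki.cnf" -extensions "$3" \
    -out "$PKI/$1.pem" 2>/dev/null
}

# make_demo_pki <dir> <intermediate-days> <leaf-days>: root -> int -> leaf
make_demo_pki() {
  PKI=$1
  printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' '[dn]' 'CN=placeholder' \
    '[v3_ca]' 'basicConstraints=critical,CA:TRUE' 'keyUsage=critical,keyCertSign,cRLSign' \
    '[v3_leaf]' 'basicConstraints=critical,CA:FALSE' 'extendedKeyUsage=serverAuth' \
    > "$PKI/pki.cnf"
  openssl req -x509 -config "$PKI/pki.cnf" -extensions v3_ca -subj "/CN=Demo root" \
    -newkey rsa:2048 -nodes -days 365 -keyout "$PKI/root.key" -out "$PKI/root.pem" 2>/dev/null
  issue int root v3_ca "$2"
  issue leaf int v3_leaf "$3"
}

end_epoch() {  # notAfter of certificate $1 as seconds since the epoch
  date -u -d "$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)" +%s
}

# check_chain <root.pem> <intermediate.pem> <leaf.pem>
# Prints a verdict; returns 0 only if every rule below holds.
check_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 ||
    { echo "FAIL: intermediate not issued by root"; return 1; }
  openssl verify -partial_chain -CAfile "$2" "$3" >/dev/null 2>&1 ||
    { echo "FAIL: leaf not issued by intermediate"; return 1; }
  if openssl x509 -in "$3" -noout -text | grep -q 'CA:TRUE'; then
    echo "FAIL: leaf is itself a CA certificate"; return 1
  fi
  [ "$(end_epoch "$3")" -le "$(end_epoch "$2")" ] ||
    { echo "FAIL: leaf outlives its issuing CA"; return 1; }
  echo "OK"
}

# Demo: 30-day intermediate CA, 10-day server certificate.
demo=$(mktemp -d) && make_demo_pki "$demo" 30 10
check_chain "$demo/root.pem" "$demo/int.pem" "$demo/leaf.pem"
rm -rf "$demo"
```

To check certificates exported in step 4, pass the root CA, intermediate CA and private certificate files to check_chain in place of the demo files, assuming they are in PEM format.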