Setting Up Local CA

The local CA is used to sign and verify the server certificate and may also be used to sign client certificate requests. To create and install a local CA, perform the following steps:

  1. Log in to the ESKM Management Console using the admin username and the password you supplied in First run

  2. Select the Security tab

  3. In Certificates & CAs, click Local CAs

  4. Enter information required by the Create Local Certificate Authority section of the window to create your local CA

Figure 1: Create Local CA window

a) Enter a Certificate Authority Name and Common Name. These may have the same value, for example ESKM Local CA

b) Enter your organizational information

c) Select the Algorithm. Utimaco recommends using an algorithm with security strength of at least 128 bits (e.g., ECDSA-P256)

d) Click Self-signed Root CA and enter the CA Certification Duration and Maximum User Certificate Duration. These values determine when the certificate must be renewed and should be set in accordance with your company’s security policies. The default value for both is 3650 days or 10 years

  5. Click Create

  6. If the local CA will be used to sign ESKM client certificate requests, add the CA to the Trusted CA list

a) In Certificates & CAs, click Trusted CA Lists to display the Trusted Certificate

b) Click on the Default Profile Name (not the radio button)

c) In the Trusted Certificate Authority List, click Edit...

d) From the list of Available CAs in the right panel, select the CA you created in step 4. For example, ESKM Local CA

e) Click Add

f) Click Save

Repeat the steps above whenever another local CA is needed. For example, you may want to create a KMIP Local CA to support the KMIP Certify/Re-certify operations.