Creating CAs

After installation, which creates a default admin CA, you can create more CAs.

CAs can be created using either the Admin GUI or the command line interface (CLI). The Admin GUI is the recommended way, since it gives more control over all parameters.

Your CAs can be either

  • root CAs,

  • subordinate CAs to another CA in EJBCA, or

  • subordinate CAs to an external CA.

The initial admin CA is a root CA.

Crypto Token

The Crypto Token in which the keys referenced by the CA's key mappings are expected to exist.

The Crypto Tokens listed are those that the administrator is authorized to view and use. To be listed, a Crypto Token must also be active and contain a key that can be used with the CA's signing algorithm.

If no crypto token is specified, a soft (PKCS#12) crypto token can be generated automatically with the same name as the CA. This crypto token is set to auto-activate and is given the default password foo123. It also has NODEFAULTPWD set to false, which allows the crypto token to be manipulated without supplying a password. Changing the password (via the CLI) or turning off auto-activation invalidates the use of the default password. Since the default password is publicly documented, an auto-generated token should have its password changed before the CA is used for anything beyond testing.

Using CLI

You can create CAs using the cli command:

ejbca.sh ca init

Issuing the command will give usage instructions. An example is:

bin/ejbca.sh ca init TestRoot "C=SE,O=PrimeKey,CN=TestRoot" soft foo123 2048 RSA 365 --policy 2.5.29.32.0 SHA256WithRSA

This creates a root CA with the DN C=SE,O=PrimeKey,CN=TestRoot on a soft crypto token whose password is foo123 (the documented default, which should be changed before production use). The key is 2048-bit RSA, the validity of the root certificate is 365 days, and the certificate policy OID 2.5.29.32.0 is anyPolicy. You need to quote the DN so it is treated as one argument.

PKIX requires that a CRL always be available, even if it is empty. When a new CA is created, the CA certificate is stored and published (if any Publishers are configured), and the initial CRL is created and stored/published as well.
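The following script is an added example, not taken from the EJBCA documentation or code base. It ties together the soft-token password note above, the ca init example, and the CRL requirement: it refuses the documented default token password foo123, builds the documented ca init argument list with the DN passed as a single argument, and checks the exported CA certificate and initial CRL with openssl the way a relying party would. EJBCA_HOME, the output directory, and the ca getcacert / ca getcrl subcommands (including the -pem flag) are assumptions not shown on this page; make_test_fixture builds a constructed stand-in root CA and empty CRL with openssl so the checks can be exercised offline without an EJBCA instance.

```shell
#!/bin/sh
# Added example, not part of the EJBCA documentation or product. Wraps the
# documented positional "ejbca.sh ca init" syntax, refuses the documented
# default soft-token PIN (foo123), and checks the CA certificate and initial
# CRL with openssl. Assumptions: EJBCA_HOME is the install directory, and the
# CLI subcommands "ca getcacert <ca> <file>" and "ca getcrl <ca> <file> -pem"
# exist with that shape (neither is shown on this page).
set -eu

EJBCA_HOME="${EJBCA_HOME:-/opt/ejbca}"   # assumed install location

# True if PIN is the publicly documented default. A PIN printed in the manual
# protects nothing, so CA creation is refused when it is used.
is_default_pin() {
    [ "$1" = "foo123" ]
}

# Print the exact argv for a soft-token root CA, one argument per line, so a
# reviewer can confirm the DN travels as a single argument.
# Usage: root_ca_args NAME DN PIN KEYSIZE VALIDITY_DAYS
root_ca_args() {
    if is_default_pin "$3"; then
        echo "refusing documented default token PIN for CA $1" >&2
        return 2
    fi
    # 2.5.29.32.0 is the anyPolicy OID used in the documentation example.
    printf '%s\n' ca init "$1" "$2" soft "$3" "$4" RSA "$5" \
        --policy 2.5.29.32.0 SHA256WithRSA
}

# Create the root CA, keep the PIN in a 0600 file, export cert and initial CRL.
# Usage: create_root_ca NAME DN OUTDIR   (PIN from CA_TOKEN_PIN or random)
create_root_ca() {
    name=$1; dn=$2; out=$3
    pin=${CA_TOKEN_PIN:-$(openssl rand -base64 18)}
    root_ca_args "$name" "$dn" "$pin" 2048 365 >/dev/null   # validation only
    "$EJBCA_HOME/bin/ejbca.sh" ca init "$name" "$dn" soft "$pin" 2048 RSA 365 \
        --policy 2.5.29.32.0 SHA256WithRSA
    ( umask 077; printf '%s\n' "$pin" > "$out/$name.pin" )
    "$EJBCA_HOME/bin/ejbca.sh" ca getcacert "$name" "$out/ca.pem"       # assumed
    "$EJBCA_HOME/bin/ejbca.sh" ca getcrl "$name" "$out/crl.pem" -pem    # assumed
}

# Relying-party check for the PKIX rule: the CRL must exist and verify under
# the CA certificate, even when it revokes nothing.
# Usage: verify_crl_signature CA_CERT CRL
verify_crl_signature() {
    openssl crl -in "$2" -CAfile "$1" -noout 2>&1 | grep -q 'verify OK'
}

# Number of revoked entries in a PEM CRL (0 for the initial, empty CRL).
crl_revoked_count() {
    openssl crl -in "$1" -noout -text | grep -c 'Serial Number:' || true
}

# Constructed stand-in for what EJBCA publishes, so the checks above can be
# exercised offline: a self-signed root and an empty CRL made with openssl.
# Usage: make_test_fixture DIR
make_test_fixture() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/C=SE/O=PrimeKey/CN=TestRoot" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    : > "$dir/index.txt"
    echo 01 > "$dir/crlnumber"
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = root
[ root ]
database         = $dir/index.txt
new_certs_dir    = $dir
crlnumber        = $dir/crlnumber
private_key      = $dir/ca.key
certificate      = $dir/ca.pem
default_md       = sha256
default_crl_days = 30
EOF
    openssl ca -config "$dir/ca.cnf" -gencrl -out "$dir/crl.pem" 2>/dev/null
}
```

Run create_root_ca against a real installation, then point verify_crl_signature and crl_revoked_count at the exported files; a missing CRL or a CRL that does not verify under the CA certificate means the CA is not yet usable by PKIX-conformant clients even though the CA certificate exists.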

Using Admin GUI

Creating CAs in the Admin GUI is done by selecting Certificate Authorities in the menu, entering a new CA name in the text field and clicking Create.

Using EJBCA's web service

In EJBCA Enterprise Edition, if EJBCA's web service is set up, it is also possible to create a new CA with the WS API call createCA, either from your own application or with the Web Services CLI.