Signing an External CA

In some cases you might want to have one of your CA:s signing another external CA. This can be done in two ways:

1. Create a certificate profile and an end entity profile for Sub CAs. The certificate profile must be of type 'Sub CA' (almost at the bottom of the edit certificate profile page).

2. Create an End Entity where you select a SubCA certificate profile when adding the end entity.

3. Issue the CA certificate as you would normally issue any end entity certificate.

4. The SubCA can be managed and revoked conveniently just as other end entities.

Using an end entity is the recommended way to sign Sub CAs, because of the better management features.

In EJBCA 5.0.x and before it was possible to manage external CAs in a more visible manner. This feature is no longer available.