Certificate authority instantiation

PKIaaS provides the following Certificate Authority (CA) instantiation capabilities.

• CA types
• CA key and signature algorithms
• Secure CA key management
• CA creation time
• CA validity period

CA types

Each customer may have one or more subordinate issuing CAs. You can:

• Create an online root CA and add issuing CAs subordinate to this root CA.
• Add an issuing CA signed by an external root CA – for example, your on-premise Microsoft root CA.

Secure CA key management

All CA private keys are stored in Entrust nShield Connect XC High HSMs FIPS140-2 level 3.

CA creation time

CAs are automatically provisioned in ~60 seconds after submitting your request.

CA validity period

CA certificates have a default validity period of 20 years for root CAs and 10 years for subordinate issuing CAs. You can select a different period when creating each CA.

⚠ An issuing CA should have a minimum lifespan of 3 years to support some features. For example, to automate Intune/MDM enrollment using an Entrust Hosted Certificate Enrollment Gateway, an issuing CA must have at least 3 years of remaining lifespan when the Enrollment Gateway is created.