Use Private CA
Available in Classic and VPC
You can run private CAs to safely issue, manage, and revoke private certificates with Private CA. Revoked certificates are managed in a separate list, and their information can be viewed.
Various certificate- and authentication-related terms are used in this guide. Refer to Private CA terms to help with understanding.
Private CA page
The basics of using Private CA are as follows.
Area | Description |
---|---|
① Menu name | Service name and the number of CAs created |
② Basic features | Create CA, view Private CA details, refresh the Private CA page |
③ Post-creation features | View CA certificate, manage permissions, deactivation and deletion settings, issue and revoke private certificates |
④ CA list | View CA list and details, manage OCSP, register certificates, delete expired certificates |
View CA list
You can find information for each CA in the list of created CAs. The following describes how to view the information.
- Please connect to the NAVER Cloud Platform console.
- From the Platform menu, click and select between VPC and Classic.
- Click Services > Security > Private CA menus in this order.
- When the list of created CAs appears, view the summary information or click a CA to see the details.
- Type: Private CA's type
- Name: Private CA's name
- Expiry date and time: The date when the private CA's validity expires
- Status: Private CA's operation status, refer to CA status for more information
- CA Tag: CA unique identifier used by customers to identify resources
- Common Name: Subject (issuer)'s common name
- Creation date and time: Date when the private CA was created
- Issued certificates: Number of certificates issued by the CA. Click the icon next to it to view the list of serial numbers of the issued private certificates; clicking a serial number downloads that certificate file to the local PC.
- CA issuer: Subject who issues the CA, refer to CA information URL for more details
- CRL deployment point: Certificate revocation list's URL information, refer to CA information URL for more details
- OCSP: Online certificate status protocol's URL information, refer to CA information URL for more details
- Memo: Additional information on the CA
- [Download CSR] button: Downloads the certificate signing request (CSR) file needed to activate a CA in the Registration pending status
- [Register certificate] button: Click to register the signed certificate together with the issuing CA's certificate, which activates a CA in the Registration pending status
CA status
CA status determines the availability of the basic features. The features available for use in each status are as follows.
Status | View CA certificate | Manage permissions | Deactivate/activate | Request deletion | Issue private certificate | Revoke private certificate |
---|---|---|---|---|---|---|
Activated | O | O | Deactivate O | O | O | O |
Deactivated | O | X | Activate O | O | X | X |
Registration pending | O | X | X | O | X | X |
Expired | O | X | X | X | X | X |
To be destroyed | O | X | X | - | X | X |
Destroyed | X | X | X | X | X | X |
When a CA is in the Deactivated status, all features other than viewing are unavailable; in particular, certificates can't be issued. In addition, already issued certificates may become distrusted depending on how clients validate them, and features that rely on the deployed URLs also become unavailable. Therefore, CA status must be managed carefully. Review thoroughly before using the deactivate/activate and deletion request features, which change the CA status.
Expired CAs can be permanently deleted by clicking [Destroy now] button, which is irrevocable.
CA information URL
In a private certificate, three types of URLs are specified for retrieving the information needed to validate and inspect the certificate.
Clients fetch this information automatically as part of the protocol when they connect; you may also open the URLs directly. The CA information URLs included in a private certificate issued by Private CA are either provided by default or provided according to the user's needs, as follows.
- Issuer chain: Provided by default by Private CA
- Certificate revocation list (CRL): Provided by default by Private CA
- Online certificate status protocol (OCSP): Provided by Private CA if the user needs it. Refer to 6. Manage OCSP for more information
Create private CA
Create a private CA. Root CAs and intermediate CAs can both be created in Private CA. The following Steps 1 through 4 are required stages to create a CA. Step 5. Register certificate is a stage required only if you want to create an intermediate CA using the direct signature method. Step 6. Manage OCSP is a stage only for the users who want to create an OCSP.
The following describes how to create a root CA or intermediate CA.
- Please connect to the NAVER Cloud Platform console.
- From the Platform menu, click and select between VPC and Classic.
- Click Services > Security > Private CA menus in this order.
- Click the [Request subscription] button.
- When the subscription request screen appears, proceed with the following steps in order.
Click the [Request subscription] button from Service > Security > Private CA in the NAVER Cloud Platform portal to go directly to the page in Step 4.
1. General settings
Set general information to create a private CA. The following describes how to configure settings.
- When the General settings page appears, enter the required information.
- Type: Select the type of CA to create
- Name: Enter the name of the CA to create, 3 to 15 characters long. The name must start with an English letter and consist of English letters, numbers, and the special characters - and _
- Memo: Enter additional information on the CA to create. The length must be 1000 bytes or less
- Click the [Next] button.
2. Enter basic information
Set basic information of the CA to create. The basic information to enter depends on the type selected in 1. General settings and on the method selected here in 2. Enter basic information.
- If the root CA (type) is selected: Expiration date, key type
- If the intermediate CA (type) and Parent CA specification (method) are selected: Parent CA, expiration date, key type
- If the intermediate CA (type) and Direct signature (method) are selected: Key type
A certificate's expiration date is set when it's signed. So, it's impossible to designate the expiration date for the Direct signature method.
The following describes how to configure settings.
- When the Enter basic information page appears, enter or select the required information.
- Parent CA: Click to select if an intermediate CA is to be created
- Parent CA specification method: Click to select the desired CA if you want to designate a CA that's already created in Private CA to play the role of the issuer
- Direct signature method: Click to select Sign directly if you want to use a customer-managed CA
Note: If you are creating a root CA, the Parent CA item will be disabled and unavailable to select.
- Expiration date: Enter the lifespan of the CA to create between 1 and 3650 days. Enter "MAX" to set it to the maximum period possible to specify
- Key type: Click to select the public key encryption algorithm to be used for the CA to create
- RSA2048: A type of Rivest-Shamir-Adleman (RSA) algorithm, refer to RFC7518 for more information
- RSA4096: A type of Rivest-Shamir-Adleman (RSA) algorithm, refer to RFC7518 for more information
- EC256: A type of Elliptic Curves (EC) algorithm, refer to Certicom data for more information
- EC521: A type of Elliptic Curves (EC) algorithm, refer to Certicom data for more information
- Click the [Next] button.
When you create an intermediate CA, its expiration date can't be later than its parent CA's expiration date.
3. Enter advanced settings information
Set advanced settings information of the CA to create. The following advanced settings information can be set.
- Subject info: Subject identification information of the certificate's owner
- Address info: Address information to be included in the certificate
- Subject alternative names (SANs) info: Information for creating multi-domain certificate (DNS/email and IP information to be protected with one certificate)
CA certificates generally don't require SANs settings, so the SANs information is not a required value.
The following describes how to configure settings.
- When the Enter advanced settings information page appears, enter Subject info.
- Common Name: Unique information or the issuer's common name with which the subject (certificate owner) can be identified
- Organization (O): Subject (certificate owner)'s organization information
- Organization Unit (OU): Subject (certificate owner)'s organization unit (department) information
- After completing the Subject info setting, click Address info to select or enter the information.
- Country: Country information to be included in the certificate
- State/Province: Information of state, province, or region name to be included in the certificate
- Locality: Information of city name to be included in the certificate
- Street/Address: Information of the rest of the address to be included in the certificate other than country, state/province, and city
- After completing the Address info setting, enter Subject alternative names info (SANs).
- DNS/Email SANs: Enter a domain/host name or email address. Separate entries with commas if entering two or more. The special character * (asterisk) can be used when entering domains
- IP SANs: Enter IP address, separate with commas if entering two or more
- Click the [Next] button.
4. Confirm
Confirm the CA information to create, and start creating.
- When the CA information confirmation screen appears, check the creation information, and then click the [Create] button.
- If you're creating an intermediate CA with the Direct signature method, then click the [Confirm] button when the CA registration pending pop-up window appears.
- For the rest of the procedure, refer to 5. Register certificate.
- Check the result when the list of created CAs appears.
5. Register certificate
If you've created an intermediate CA with the Direct signature method, a certificate signing request (CSR) file is created. You must sign the certificate within 24 hours of the CSR creation and register the certificate. The CSR is automatically deleted if you fail to register the certificate within 24 hours. The following describes how to sign and register a certificate.
- From the NAVER Cloud Platform console's Platform menu, click and select between VPC and Classic.
- Click Services > Security > Private CA menus in this order.
- To sign the certificate, click the [Download CSR] button of the intermediate CA which is in the Registration pending status.
- Among the various ways to sign a CSR, one easy way is to use openssl. The following example creates the certificate TEST_SUB_crt.pem, valid for 365 days, by signing the downloaded CSR MY_SUB_csr.pem with a CA you manage directly using openssl. The issuing CA's certificate is passed with -CA and its private key my_local_ca.key with -CAkey (the certificate file name my_local_ca.crt is assumed here). Do not use -signkey for this step: it produces a self-signed certificate instead of one issued by your CA. Because openssl x509 does not copy extensions from the CSR, the extension file (ca_ext.cnf, a name assumed here) must supply a section with basicConstraints = critical,CA:TRUE and keyUsage = critical,keyCertSign,cRLSign, as described under the certificate chain example below.
openssl x509 -req -days 365 -in MY_SUB_csr.pem -CA my_local_ca.crt -CAkey my_local_ca.key -CAcreateserial -extfile ca_ext.cnf -extensions ca_ext -out TEST_SUB_crt.pem
- To register the signed certificate and the issuer CA's certificate, click the [Register certificate] button of the intermediate CA in the Registration pending status.
Caution: Please note that the issuer CA's certificate is not the same as the CA's private key.
- When the Register certificate pop-up window appears, register the required information.
- Certificate chain: If the issuer CA is part of a hierarchy, register the full certificate chain of the issuer CA and its parent CAs
- Certificate body: Register the signed certificate body
- Click the [OK] button.
- After registering the certificate, check the changed status of the CA in the list of private CAs.
- Activated: The normal operation status where all features of the CA are available
The following is an example of a certificate chain file to be registered in Step 6.
-----BEGIN CERTIFICATE-----
MIIDbjCCAlagAwIBAgIUIee5Ez90s6yqnC1RHYBkw3NpNc4wDQYJKoZIhvcNAQEL
BQAwPjELMAkGA1UEBhMCS1IxDDAKBgNVBAoTA05CUDEhMB8GA1UEAwwYW0JFVEFd
IEJlYWdsZV9Jb1QgU3ViIENBMB4XDTIwMDYyOTAxMDkzMVoXDTI5MDQxNzE4NTYw
M1owPzELMAkGA1UEBhMCS1IxDDAKBgNVBAoTA05CUDESMBAGA1UECxMJQ2xvdWQg
....
z0rXUrhhU2KMXtylXfzJqZkj3VLqjoNmjFcCgeeweto/1A8in9UhK1KzSUVcKVlL
XcHpYjn3BoxbVV+EsVCjhz+9dtKASo9ptZUDrOHLrYnaONShGI6pwxj5Dew4ttvm
VE39KQYNcdt7ajrXMmVfatq2zk+PoiSDjZ5flbzJoIrK3TE1NAgXYpXYjzphBXZ2
Gt9B53lFQHNnnMDDnjbIiQUp
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDazCCAlOgAwIBAgIUPIsBMXl3zeP5rSAcbahl6crbjwcwDQYJKoZIhvcNAQEL
BQAwPDELMAkGA1UEBhMCS1IxDDAKBgNVBAoTA05CUDEfMB0GA1UEAwwWW0JFVEFd
IE5DUCBQQ0EgUk9PVCBDQTAeFw0xOTA0MjIwMjE5NDVaFw0yOTA0MTcxODU2MTRa
MD4xCzAJBgNVBAYTAktSMQwwCgYDVQQKEwNOQlAxITAfBgNVBAMMGFtCRVRBXSBC
....
EWwyIcKDmymr7n14G15loPU0Q+cH2hTS/r9RXxw6Gjd7DnKcjF/970TR41tlxetW
f3DCAKP6KIUKh2eAy7HHt82HExP+KRLJbocA5QRwtwWY3zVIuHg6oLM5mdtDfBwl
kMLaJCAzSSgmcg63fQChz2kUuldaw7/5H1CI3i8VB+9JcM2l4imDhiaGlCquTKL3
VMfHx+eysnncEUxP54DD
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDaTCCAlGgAwIBAgIUNQfx2Rk2TqCM1o9PeN7/TJCz4iMwDQYJKoZIhvcNAQEL
BQAwPDELMAkGA1UEBhMCS1IxDDAKBgNVBAoTA05CUDEfMB0GA1UEAwwWW0JFVEFd
IE5DUCBQQ0EgUk9PVCBDQTAeFw0xOTA0MjAxODU1NDdaFw0yOTA0MTcxODU2MTda
MDwxCzAJBgNVBAYTAktSMQwwCgYDVQQKEwNOQlAxHzAdBgNVBAMMFltCRVRBXSBO
....
IQV7Vqgs0NsKqJ9rPKi88gu9x3y6/pEo8C9s2aTZ1l7sYauh00gySffRQeu2WCWx
mdxRKMRIlFaLFVHpXxGhga/DEvFo9EhouNP4CjaIe4FcvWBZ30Msp/fJbzg/Bnby
VXGZcU0qiFHZbIa7dViO0re5AujhqKt4HYuhT787xNLLyG95m/6XUKcEvxBGR9ZZ
vpDcpjcEC94qLxPHXg==
-----END CERTIFICATE-----
The Basic Constraints extension with the CA option enabled (CA:TRUE) must be present in CA certificates that are signed directly. The following is an example of the relevant extensions.
...
X509v3 extensions:
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
...
6. Manage OCSP
Private CA provides the online certificate status protocol (OCSP) feature by default for your convenience. You can activate the OCSP viewing feature and set it to be included in the private certificates to be issued if required.
Create OCSP
Create an OCSP in order to activate the OCSP feature which is provided by default and to deploy the OCSP URL to certificates. The certificates issued with the CA where an OCSP is created include the OCSP URL as below.
Authority Information Access:
OCSP - URI:{NCP PrivateCA OCSP URL}
CA Issuers - URI:{NCP PrivateCA CA URL}
X509v3 CRL Distribution Points:
Full Name:
URI:{NCP PrivateCA CRL URL}
The following describes how to create an OCSP.
- From the NAVER Cloud Platform console's Platform menu, click and select between VPC and Classic.
- Click Services > Security > Private CA menus in this order.
- Click and select the CA to create an OCSP, and then click the [Create] button in OCSP.
To check whether a certificate is revoked, you can refer directly to the CRL, or you can query the OCSP responder provided by Private CA. The command to query OCSP for a certificate's revocation status is as follows (with OpenSSL 1.1.0 or later, the header option is written as -header Host={NCP Private CA Host Name}).
openssl ocsp -issuer {Chain cert} -cert {Cert} -header Host {NCP Private CA Host Name} -url {OCSP URL} -VAfile {OCSP Responder cert} -text
Delete OCSP
You can deactivate and delete the OCSP feature in use. Certificates issued by a CA whose OCSP has been deleted will no longer include the OCSP URL. The following describes how to delete an OCSP.
- From the NAVER Cloud Platform console's Platform menu, click and select between VPC and Classic.
- Click Services > Security > Private CA menus in this order.
- Click and select the CA to delete an OCSP, and then click the [Delete] button in OCSP.
- When the Delete OCSP pop-up window appears, click the [Delete] button.
View CA certificate
You can view each created CA's details and certificates issued, and download the certificate bodies and chain information in a PEM file. The following shows how to view or download CA certificates.
- From the NAVER Cloud Platform console's Platform menu, click and select between VPC and Classic.
- Click Services > Security > Private CA menus in this order.
- Click to select the CA to view, and click the [View CA certificate] button.
- When the CA certificate details pop-up window appears, check the required information.
- To download the certificate body or certificate chain, click the [Download] button.
- Click the [OK] button.
Root CAs don't have any parent CA, therefore the chain information won't be displayed in Step 4.
Manage permissions
You can register sub accounts to grant management permissions for each CA (specific CA selected by the user) or delete the registered sub accounts. Registering and deleting the permissions can only be done for the CAs that are activated.
To use the permission management feature, you need to add a sub account from NAVER Cloud Platform's Sub Account first. For how to create accounts in Sub Account, refer to Sub Account Guide.
The following describes how to register or delete permissions.
Sub Account is provided free of charge upon subscription request. For an introduction to Sub Account and more details about pricing plans, refer to Managing Private CA permissions and the Service > Management & Governance > Sub Account menu in the NAVER Cloud Platform portal.
- From the NAVER Cloud Platform console's Platform menu, click and select between VPC and Classic.
- Click Services > Security > Private CA menus in this order.
- Click to select the CA to manage permissions, and then click the [Manage permissions] button.
- When the CA user management pop-up window appears, perform the management tasks required.
- Add managed account: Click to select the account to add, and then click the [Add] button
- Delete managed account: Click the [Delete] button of the account to be deleted
- Click the [Close] button.
If you click the [Sub Account] button in the CA user management pop-up window in Step 4, you can go to Sub Account to add, edit, or delete accounts.
Activate/deactivate
You can deactivate a normally operating CA or activate a deactivated CA if a need to do so arises. When deactivated, most CA features except for viewing are blocked. The following describes how you can activate or deactivate a CA.
- From the NAVER Cloud Platform console's Platform menu, click and select between VPC and Classic.
- Click Services > Security > Private CA menus in this order.
- Click and select the CA to set the activation status, and proceed with the next steps.
- If the Activated status needs to be changed to Deactivated: Click the [Deactivate] button
- If the Deactivated status needs to be changed to Activated: Click the [Activate] button
Request deletion
You can request to delete a CA you created. Once the deletion request is received, the CA will automatically be deleted (revoked) after the 72-hour grace period. For a CA waiting to be deleted, most features except for viewing are blocked, just like for a deactivated CA. It can't be recovered once automatically deleted, and the deletion may have serious repercussions for connected systems. Please proceed at your own discretion.
The automatic deletion of the CA after the 72-hour grace period will include any lower-level CAs and certificates issued by the deleted CA. The certificates' operation and expiration status won't be considered. Once the CA is deleted, it can't be recovered since its private keys are permanently deleted. Decide carefully before proceeding with deletion. The deleted CA is no longer trusted, and all issued certificates can't be used for authentication.
If you want to cancel a deletion request for a CA, then click the [Cancel deletion] button before the 72-hour grace period is up. The deletion request will be withdrawn once you click the button, and the CA will be switched to the Deactivated status immediately. You can activate the CA to run it again. However, if you withdraw a deletion request for a CA which was in the Registration pending status, it will go back to the Registration pending status.
The following describes how to request a deletion.
- From the NAVER Cloud Platform console's Platform menu, click and select between VPC and Classic.
- Click Services > Security > Private CA menus in this order.
- Click and select the CA to request deletion, and then click the [Request deletion] button.
- When the Delete CA pop-up window appears, enter the name of the CA to delete in Enter CA name.
- Click the [Request deletion] button.
- Check the CA's status after the deletion request in the list of private CAs.
- To be destroyed: A deletion request has been received, and the CA is in the 72-hour grace period before it is permanently deleted.
- If you want to delete it immediately instead of deleting on the to-be-deleted date displayed on the Status field, click the [Delete now] button.
- When the Delete CA immediately pop-up window appears, check the precautions and click the [Delete] button.
The immediate CA deletion will include any lower-level CAs and certificates issued by the deleted CA. The certificates' operation and expiration status won't be considered. Once the CA is deleted, it can't be recovered since its private keys are permanently deleted. Decide carefully before proceeding with deletion. The deleted CA is no longer trusted, and all issued certificates can't be used for authentication.
Issue private certificate
You can issue private certificates from a CA created. The following describes how to issue a private certificate.
- From the NAVER Cloud Platform console's Platform menu, click and select between VPC and Classic.
- Click Services > Security > Private CA menus in this order.
- Click to select the CA you want to issue a private certificate from, and then click the [Issue private certificate] button.
- When the Issue private certificate pop-up window appears, enter the information for the certificate to be issued.
- Description for each item: Refer to 2. Enter basic information
- Click the [Issue] button.
- When the Private certificate details pop-up window appears, check the certificate information.
- Issuer: Name of the CA which issued the private certificate
- Serial number: Unique number for identifying the private certificate
- Certificate body: Information of the certificate body. Click the [Download] button to save it to the local PC
- Certificate private key: Information of the certificate's private key. Click the [Download] button to save it to the local PC
- Certificate chain: Certificate chain information, which is included if the issuer has a hierarchical structure. Click the [Download] button to save it to the local PC
- OCSP certificate: OCSP information which is included if a CA point URL has been created. Click the [Download] button to save it to the local PC
Caution: Private CA does not store the private keys of private certificates, which means they can't be obtained again once you leave the page. Make sure to download the private key issued for a private certificate and store it safely.
Revoke private certificate
You can revoke private certificates issued. Once revoked, the certificate will be registered to the certificate revocation list (CRL) immediately. The revocation can't be canceled, so proceed with caution. The following describes how to revoke a private certificate.
- From the NAVER Cloud Platform console's Platform menu, click and select between VPC and Classic.
- Click Services > Security > Private CA menus in this order.
- Click to select the CA from which the certificate you want to revoke was issued, and click the [Revoke private certificate] button.
- When the Revoke private certificate pop-up window appears, enter the serial number of the certificate to be revoked.
- How to view a certificate's serial number: Refer to View CA list
- Click the [Revoke] button.
- The serial number of a revoked certificate won't be deleted from the list of certificates issued. Therefore, make sure to refer to the CRL (or view OCSP) to check the revocation status for certificate validation.
- Lower-level CA certificates are displayed in the list of certificates issued, but can't be revoked directly. The lower-level CA certificates are automatically revoked once the CA is deleted.
The following is an example of a CRL in which certificate revocations are registered.
$ curl {CRL URL} | openssl crl -text -noout
Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: /C=KR/ST=\xEA\xB2\xBD\xEA\xB8\xB0\xEB\x8F\x84/L=\xEC\x84\xB1\xEB\x82\xA8\xEC\x8B\x9C/O=Naver Cloud Platform/OU=Security Dev/CN=My sub CA
Last Update: Jul 15 15:29:22 2020 GMT
Next Update: Jul 18 15:29:22 2020 GMT
CRL extensions:
X509v3 Authority Key Identifier:
keyid:17:43:8A:2C:FD:8A:7C:20:44:6F:F1:52:6B:9D:7E:27:8F:E8:0B:0C
Revoked Certificates:
Serial Number: 658D43B364DD48B6F69AFB3E27010F6A42D61D66
Revocation Date: Jul 15 15:29:22 2020 GMT
Signature Algorithm: sha256WithRSAEncryption
23:9e:a9:a8:76:32:db:c3:2c:15:ba:3c:15:94:ea:ef:d2:fd:
3a:7d:0f:da:68:b2:69:8a:d0:c2:3e:21:19:f8:c7:b4:6a:a6:
2e:2f:c1:3b:13:61:a0:98:ff:6d:f8:40:8f:2f:5b:09:db:c8:
b6:85:5b:69:3b:5c:5a:8e:37:3a:12:eb:46:bd:e8:fd:4f:ba:
e3:94:a3:75:96:bb:3c:4c:4d:3e:25:f1:54:bd:ae:09:ca:63:
fb:31:2a:e4:b0:e0:de:0e:2f:83:f2:96:26:ef:7c:b8:c2:24:
80:ce:38:d5:d4:b4:e4:04:13:56:c1:c4:63:26:9d:34:c9:e4:
67:73:1d:0f:e0:5c:ca:b6:00:ea:f3:39:e6:f9:c8:67:07:3f:
d5:cc:ca:82:7a:45:ae:ff:6f:b4:5f:bc:62:a8:9c:0c:7e:d3:
88:e1:c9:5b:c8:d0:3c:b7:22:20:dd:3a:98:b9:82:61:25:e0:
3b:6f:e1:f7:ea:94:b0:e5:a8:9b:49:e4:1c:0d:bc:6a:25:65:
40:04:02:4b:eb:ea:71:d7:2f:74:85:c4:b9:aa:92:f2:60:e7:
6c:bd:85:5f:17:f2:ca:0f:35:b1:fb:5e:33:65:0f:d8:50:70:
2d:61:76:8d:19:d3:a0:f3:87:ee:7a:f8:10:fd:5f:c9:dc:44:
e4:c3:7c:00
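As an added example that is not code from the NAVER Cloud Platform page or service, the script below builds a small local OpenSSL CA, issues two leaf certificates, revokes one, and then answers "is this certificate revoked?" in the two ways this section and 6. Manage OCSP describe: by looking the serial number up in the CRL (and by openssl verify -crl_check) and by an OCSP query. The OCSP exchange runs offline, with the request and the signed response passing through files, so no responder URL is contacted; the AIA and CRL distribution point URLs placed in the leaf certificates are constructed placeholders that only illustrate where the CA information URLs appear. All keys, subjects and file names are constructed for this example.

```shell
#!/bin/sh
# Added example (not NAVER Cloud Platform tooling): local CA, CRL and offline OCSP check.
# All keys, subjects, URLs and file names are constructed here.

WORK=$(mktemp -d)
mkdir -p "$WORK/newcerts"
: > "$WORK/index.txt"              # the openssl ca database, initially empty
echo 01 > "$WORK/serial"           # next serial number to issue

# Unquoted heredoc so $WORK expands into the paths. The [req]/[dn] part only exists so
# "openssl req" does not need a system openssl.cnf; the placeholder CN is overridden by -subj.
cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = local_ca
[ local_ca ]
database = $WORK/index.txt
new_certs_dir = $WORK/newcerts
serial = $WORK/serial
certificate = $WORK/ca.crt
private_key = $WORK/ca.key
default_md = sha256
default_days = 365
default_crl_days = 3
policy = any_policy
x509_extensions = leaf_ext
unique_subject = no
[ any_policy ]
commonName = supplied
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
authorityInfoAccess = OCSP;URI:http://ocsp.example.invalid,caIssuers;URI:http://ca.example.invalid/ca.crt
crlDistributionPoints = URI:http://crl.example.invalid/crl.pem
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
EOF

ca_cmd() { openssl ca -config "$WORK/ca.cnf" -batch "$@" 2>/dev/null; }

# EC key plus CSR with subject $2, stored as $WORK/$1.key and $WORK/$1.csr.
new_csr() {
  openssl ecparam -genkey -name prime256v1 -noout -out "$WORK/$1.key" 2>/dev/null
  openssl req -new -config "$WORK/ca.cnf" -key "$WORK/$1.key" -subj "$2" \
    -out "$WORK/$1.csr" 2>/dev/null
}

# Self-signed root: it plays the page's {Chain cert} and signs both the CRL and OCSP answers.
make_ca() {
  new_csr ca "/CN=Example Root CA"
  openssl x509 -req -days 3650 -in "$WORK/ca.csr" -signkey "$WORK/ca.key" \
    -extfile "$WORK/ca.cnf" -extensions ca_ext -out "$WORK/ca.crt" 2>/dev/null
}

# Issue leaf $1 through openssl ca so that it is recorded in index.txt.
issue_leaf() {
  new_csr "$1" "/CN=$1"
  ca_cmd -notext -in "$WORK/$1.csr" -out "$WORK/$1.crt"
}

# Revoke leaf $1 and publish a fresh CRL (what the [Revoke] button does on the service side).
revoke_leaf() {
  ca_cmd -revoke "$WORK/$1.crt" -crl_reason keyCompromise
  ca_cmd -gencrl -out "$WORK/crl.pem"
}

# The URLs a relying party finds in certificate $1 (AIA entries and CRL distribution point).
cert_urls() {
  openssl x509 -in "$WORK/$1.crt" -noout -text | grep 'URI:' | sed 's/^ *//'
}

# Manual CRL lookup, as the page suggests: is the serial of $1 listed? Prints revoked/good.
crl_lookup() {
  serial=$(openssl x509 -in "$WORK/$1.crt" -noout -serial | cut -d= -f2)
  if openssl crl -in "$WORK/crl.pem" -noout -text | grep -q "Serial Number: $serial\$"; then
    echo revoked
  else
    echo good
  fi
}

# The same answer from chain validation with the CRL attached; prints OK or revoked.
crl_verify() {
  if openssl verify -crl_check -CAfile "$WORK/ca.crt" -CRLfile "$WORK/crl.pem" \
       "$WORK/$1.crt" >/dev/null 2>&1; then
    echo OK
  else
    echo revoked
  fi
}

# Offline OCSP for $1: write the request, answer it from index.txt the way a responder
# would, verify the signed response against the CA, and print the status word.
ocsp_status() {
  openssl ocsp -issuer "$WORK/ca.crt" -cert "$WORK/$1.crt" -no_nonce \
    -reqout "$WORK/$1.req" >/dev/null 2>&1 || true
  openssl ocsp -index "$WORK/index.txt" -CA "$WORK/ca.crt" -rsigner "$WORK/ca.crt" \
    -rkey "$WORK/ca.key" -reqin "$WORK/$1.req" -respout "$WORK/$1.resp" \
    -noverify >/dev/null 2>&1 || true
  openssl ocsp -respin "$WORK/$1.resp" -issuer "$WORK/ca.crt" -cert "$WORK/$1.crt" \
    -no_nonce -CAfile "$WORK/ca.crt" 2>/dev/null | sed -n "s|^$WORK/$1.crt: ||p"
}

make_ca
issue_leaf revoked-leaf
issue_leaf good-leaf
revoke_leaf revoked-leaf
cert_urls good-leaf
for leaf in revoked-leaf good-leaf; do
  echo "$leaf: CRL lookup=$(crl_lookup $leaf) verify -crl_check=$(crl_verify $leaf) OCSP=$(ocsp_status $leaf)"
done
```

The three checks agree: the revoked leaf's serial appears in the CRL, openssl verify rejects it once the CRL is attached, and the OCSP response says revoked, while the untouched leaf is good in all three. Against a real Private CA you would replace crl.pem with the file fetched from the CRL distribution point and the file-based OCSP steps with the -url query shown in 6. Manage OCSP; as the page notes, the issued-certificates list alone does not reveal revocation, so one of these checks has to be part of certificate validation.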