Using Private CA


Available in Classic and VPC

Private CA allows you to operate private CAs to securely issue, manage, and revoke private certificates. You can manage revoked certificates in a separate list and check their details.

Note

Using Private CA involves various certification-related terms. To better understand the service, make sure to see Private CA glossary.

Private CA page

The basic layout of the Private CA page is described below:

privateca-use_01_ko

Area: Description
① Menu name: service name and number of CAs created.
② Basic features: create a CA, view Private CA details, refresh the Private CA screen.
③ Post-creation features: check the CA certificate, disable or request deletion, issue and revoke private certificates.
④ CA list: view the CA list and details, manage OCSP, register certificates, delete expired certificates.

Check CA list

You can check the information for each CA in the created CA list. To view the information, follow these steps:

  1. In the NAVER Cloud Platform console, navigate to i_menu > Services > Security > Private CA.
  2. When the list of created CAs appears, click a CA or its summary to check the details.
    privateca-use_02_ko
    • Type: type of the private CA (root CA or intermediate CA).
    • Name: name of the private CA.
    • Expiration date: the end date of the private CA's validity period.
    • Status: operational status of the private CA. For more information, see CA status.
    • CA Tag: a unique identifier used by customers to locate the resource.
    • Common name: the subject (issuer)'s common name.
    • Creation date: the date the private CA was created.
    • Issued certificates: number of certificates issued by the CA.
      • Issued certificates list icon: click to view the list of serial numbers for issued private certificates. Click a serial number to download the certificate file to your local PC.
        privateca-use_20_ko
    • CA issuer: for more information, see CA information URL.
    • CRL release point: URL for the Certificate Revocation List (CRL). For more information, see CA information URL.
    • OCSP: URL for the Online Certificate Status Protocol (OCSP). For more information, see CA information URL.
    • Memo: additional information about the CA.
    • [Download CSR] button: downloads the Certificate Signing Request (CSR) file that must be signed to enable a CA in the registration pending status.
    • [Register certificate] button: click to register the signed certificate and the issuing CA certificate, which enables a CA in the registration pending status.

CA status

The availability of basic features varies depending on the CA status. The information of available basic features by status is as follows:

Status                 | View CA certificate | Disable/enable | Request deletion | Issue private certificate | Revoke private certificate
Enable                 | O                   | Disable: O     | O                | O                         | O
Disable                | O                   | Enable: O      | O                | X                         | X
Pending registration   | O                   | X              | O                | X                         | X
Expired                | O                   | X              | X                | X                         | X
Scheduled for deletion | O                   | X              | -                | X                         | X
Permanently deleted    | X                   | X              | X                | X                         | X

When a CA is disabled, all features except basic viewing are unavailable by default. Certificate issuance is not allowed, and previously issued certificates may no longer be trusted, depending on how the relying party validates them. Features linked to the deployed URLs (CRL, OCSP, issuer chain) are also unavailable. Therefore, manage the CA status carefully, and proceed with caution before any disable/enable operation or deletion request, since these change the status.

Note

Expired CAs can be permanently deleted by clicking the [Delete now] button. Recovery is not possible.
privateca-use_21_ko

CA information URL

Private certificates include three types of URLs that provide the information needed to validate a certificate and to look up its status.

privateca-use_03_ko

Clients retrieve this information automatically through the corresponding protocols, or you can fetch it manually from the provided URLs. The CA information URLs included in private certificates issued by Private CA are either provided by default or added based on user requirements. Availability of each CA information URL is as follows:

  • Issuer Chain: provided by default by Private CA.
  • Certificate Revocation List (CRL): provided by default by Private CA.
  • Online Certificate Status Protocol (OCSP): provided by Private CA upon user request. For more information, see 6. Manage OCSP.

Create Private CA

Create a private CA. Private CA allows you to create both root CAs and intermediate CAs. To create a CA, steps 1 through 4 must be completed. 5. Register certificate is required only when creating an intermediate CA using the self-signing method. 6. Manage OCSP is optional and applies only to users who want to create OCSP.
To create a root CA or intermediate CA, follow these steps:

  1. In the NAVER Cloud Platform console, navigate to i_menu > Services > Security > Private CA.
  2. Click the [Subscribe] button.
    privateca-use_04_ko
  3. When the service subscription page appears, take the following steps in order:

Note

From the NAVER Cloud Platform portal, click [Subscribe] in Services > Security > Private CA to go directly to the page in Step 4.

1. General settings

Configure general information for creating a private CA. To configure the settings, follow these steps:

  1. When the General settings page appears, enter the required information.
    privateca-use_05_ko
    • Type: select the type of CA to create.
    • Name: enter the name of the CA, starting with a letter and using a combination of letters, numbers, hyphens, and underscores between 3 to 15 characters.
    • Memo: enter additional information about the CA, up to 1000 bytes.
  2. Click the [Next] button.

2. Enter basic information

Set the basic information for the CA you want to create. The basic information you need to enter depends on the type selected in 1. General settings and the method selected in 2. Enter basic information, as follows:

  • If you select a root CA: validity period, key type.
  • If you select an intermediate CA with an assigned parent CA: parent CA, validity period, key type.
  • If you select an intermediate CA with self-signed method: key type.
Note

The certificate validity period is set at the time of signing, so it cannot be specified when using the self-signing method.

To configure the settings, follow these steps:

  1. When the Enter basic information page appears, enter or select the necessary information.
    privateca-use_06_ko

    • Parent CA: when creating an intermediate CA, click to select.
      • Assigned parent CA method: click to select a CA already created in Private CA to automatically assign it as the issuer.
      • Self-signed method: select Self-sign if you want to proceed using a CA that you manage directly.
    Note

    If you're creating a root CA, the parent CA field is disabled and cannot be selected.

    • Validity period: enter the validity period of the CA in days, from 1 to 3650. To set the maximum allowed period, enter "MAX".
    • Key type: click to select the public key encryption algorithm to be used for the CA.
      • RSA2048: Rivest–Shamir–Adleman (RSA) algorithm with a 2048-bit key. For more information, see RFC7518.
      • RSA4096: Rivest–Shamir–Adleman (RSA) algorithm with a 4096-bit key. For more information, see RFC7518.
      • EC256: Elliptic Curve (EC) algorithm on a 256-bit curve. For more information, see Certicom documentation.
      • EC521: Elliptic Curve (EC) algorithm on a 521-bit curve. For more information, see Certicom documentation.
  2. Click the [Next] button.

Note

When creating an intermediate CA, the validity period cannot exceed the expiration date of the parent CA.

3. Enter advanced settings

Configure advanced settings for the CA you want to create. The following advanced settings are available:

  • Subject Info: identifier information for the certificate owner.
  • Address Info: address information to be included in the certificate.
  • Subject Alternative Names (SANs) Info: information for creating a multi-domain certificate (DNS, email, or IP addresses covered by a single certificate).
Note

SANs Info is not a required setting because CA certificates typically do not require SANs configuration.

To configure the settings, follow these steps:

  1. When the Enter advanced settings page appears, enter the Subject Info.
    privateca-use_07_ko
    • Common name: a unique identifier or general name of the certificate owner or issuer.
    • Organization (O): organization information of the certificate owner.
    • Department (OU): department information of the certificate owner.
  2. After completing the Subject Info settings, click or enter the Address Info.
    privateca-use_08_ko
    • Country: country to be included in the certificate.
    • State/Province: state or province to be included in the certificate.
    • Locality: city to be included in the certificate.
    • Street/Address: additional address information other than country, state, and city.
  3. After completing the Address Info settings, enter the Subject Alternative Names (SANs) Info.
    privateca-use_09_ko
    • DNS/Email SANs: enter domain, hostname, or email addresses. Use commas to separate multiple entries. The special character "*" is allowed when entering domains.
    • IP SANs: enter IP addresses. Use commas to separate multiple entries.
  4. Click the [Next] button.

4. Check

Once you've reviewed the CA information you want to create, start the creation process.

  1. When the CA information page appears, review the entered details and click the [Create] button.
    privateca-use_10_ko
  2. If you created an intermediate CA using the self-signed method, a CA registration pending popup window appears. Click the [OK] button to proceed.
  3. Once the list of created CAs appears, check the result.

5. Register certificate

If the intermediate CA was created using the self-signed method, a Certificate Signing Request (CSR) file is generated. You must sign and register the certificate within 24 hours of CSR generation. If the certificate is not registered within 24 hours, the CSR is automatically deleted. To sign and register a certificate, follow these steps:

  1. In the NAVER Cloud Platform console, navigate to i_menu > Services > Security > Private CA.

  2. To sign the certificate, click the [Download CSR] button for the intermediate CA that is in the registration pending status.
    privateca-use_11_ko

  3. There are several ways to sign a CSR file, but openssl is one of the easiest. The following example command signs the downloaded CSR file with your self-managed CA's private key (my_local_ca.key) and its CA certificate (my_local_ca.crt, assumed here to be the certificate matching that key) to generate a certificate named TEST_SUB_crt.pem with a 365-day validity period. The extension file (sub_ca_ext.cnf) must set basicConstraints to CA:TRUE and keyUsage to keyCertSign and cRLSign, as described in the caution below. Do not use -signkey for this step: it self-signs the request (issuer = subject), so the result would not chain to your CA.
    openssl x509 -req -days 365 -in MY_SUB_csr.pem -CA my_local_ca.crt -CAkey my_local_ca.key -CAcreateserial -extfile sub_ca_ext.cnf -out TEST_SUB_crt.pem

  4. To register the signed certificate and the issuing CA certificate, click the [Register certificate] button of the intermediate CA in registration pending status.
    privateca-use_12_ko

    Caution

    Register the issuing CA's certificate here, not its private key.

  5. When the Register certificate popup window appears, register the information you need.
    privateca-use_13_ko

    • Certificate chain: if the issuing CA has a hierarchical structure, register the full chain of certificates for the parent issuing CAs.
    • Certificate body: register the body of the signed certificate.
  6. Click the [OK] button.

  7. After registering the certificate in the private CA list, check the updated CA status.

    • Enable: the CA is fully operational and all features are available.
Note

The certificate chain file to be registered in Step 5 consists of the PEM-encoded certificates of the parent issuing CAs, concatenated one after another, each in its own BEGIN CERTIFICATE/END CERTIFICATE block.

Caution

When using a self-managed CA to sign the certificate, the resulting CA certificate must carry the Basic Constraints extension with CA:TRUE (together with a Key Usage that permits Certificate Sign and CRL Sign), as in the following example:

...

X509v3 extensions:
     X509v3 Key Usage: critical
         Certificate Sign, CRL Sign
     X509v3 Basic Constraints: critical
         CA:TRUE

...
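The full signing flow for Step 3 and the Caution above, as an added example (not NAVER Cloud Platform's own code): it builds a local root CA with CA:TRUE, signs a stand-in sub-CA CSR with -CA/-CAkey and an extension file, and then checks that the result is a CA certificate that chains to the local root. The file names, subject names and the stand-in CSR are constructed for this example; in practice MY_SUB_csr.pem is the CSR downloaded from the console.

```shell
#!/bin/sh
# Added example, not NAVER Cloud Platform's own code: sign a pending sub-CA's
# CSR with a locally managed CA so the result carries CA:TRUE plus
# keyCertSign/cRLSign, then verify it. All file names, subject names and the
# stand-in CSR are constructed for this example; in practice MY_SUB_csr.pem is
# the CSR downloaded from the console with [Download CSR].
set -eu

# Create the local root CA and a stand-in for the downloaded sub-CA CSR in $1.
setup_demo_ca() {
  dir=$1
  mkdir -p "$dir"
  # Extensions every CA certificate needs (see the Caution above).
  printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' > "$dir/ca_ext.cnf"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$dir/my_local_ca.key" -out "$dir/root_csr.pem" \
    -subj "/C=KR/O=Example/CN=My Local Root CA" >/dev/null 2>&1
  # A root CA is genuinely self-signed, so -signkey is correct here.
  openssl x509 -req -days 3650 -sha256 -in "$dir/root_csr.pem" \
    -signkey "$dir/my_local_ca.key" -extfile "$dir/ca_ext.cnf" \
    -out "$dir/my_local_ca.crt" >/dev/null 2>&1
  # Stand-in for the CSR that Private CA generates for the pending sub CA.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$dir/sub.key" -out "$dir/MY_SUB_csr.pem" \
    -subj "/C=KR/O=Example/CN=My sub CA" >/dev/null 2>&1
}

# Sign the sub-CA CSR as an issuing CA: -CA/-CAkey make the root the issuer
# and -extfile adds the CA extensions, which are not copied from the CSR.
sign_sub_ca() {
  dir=$1
  printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
    'keyUsage=critical,keyCertSign,cRLSign' > "$dir/sub_ca_ext.cnf"
  openssl x509 -req -days 365 -sha256 -in "$dir/MY_SUB_csr.pem" \
    -CA "$dir/my_local_ca.crt" -CAkey "$dir/my_local_ca.key" -CAcreateserial \
    -extfile "$dir/sub_ca_ext.cnf" -out "$dir/TEST_SUB_crt.pem" >/dev/null 2>&1
}

# Returns 0 only if TEST_SUB_crt.pem is a CA certificate that chains to the
# local root, i.e. it is fit to register with [Register certificate].
check_sub_ca() {
  dir=$1
  text=$(openssl x509 -in "$dir/TEST_SUB_crt.pem" -noout -text)
  printf '%s' "$text" | grep -q 'CA:TRUE' || return 1
  printf '%s' "$text" | grep -q 'Certificate Sign, CRL Sign' || return 1
  openssl verify -CAfile "$dir/my_local_ca.crt" "$dir/TEST_SUB_crt.pem" >/dev/null 2>&1
}

# For contrast: -signkey on a CSR self-signs it (issuer = subject), so the
# output does not chain to my_local_ca.crt even though its key was used.
signkey_variant_chains() {
  dir=$1
  openssl x509 -req -days 365 -in "$dir/MY_SUB_csr.pem" \
    -signkey "$dir/my_local_ca.key" -out "$dir/BAD_SUB_crt.pem" >/dev/null 2>&1
  openssl verify -CAfile "$dir/my_local_ca.crt" "$dir/BAD_SUB_crt.pem" >/dev/null 2>&1
}

# Chain file for the Certificate chain field: the issuing CA certificate(s).
build_chain() {
  cat "$1/my_local_ca.crt" > "$1/chain.pem"
}

if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  setup_demo_ca "$d"; sign_sub_ca "$d"; build_chain "$d"
  check_sub_ca "$d" && echo "TEST_SUB_crt.pem and chain.pem ready in $d"
fi
```

Run it as `sh sign_sub_ca.sh demo`; TEST_SUB_crt.pem goes into the Certificate body field and chain.pem into the Certificate chain field of the Register certificate popup.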

6. Manage OCSP

Private CA provides the Online Certificate Status Protocol (OCSP) feature by default for user convenience. If needed, you can enable the OCSP view feature and include it in the private certificate to be issued.

Create OCSP

To enable the default OCSP feature and deploy the OCSP URL in the certificate, create an OCSP. Certificates issued by a CA with OCSP enabled include the following OCSP URL:

  Authority Information Access:
      OCSP - URI:{NCP PrivateCA OCSP URL}
      CA Issuers - URI:{NCP PrivateCA CA URL}
  X509v3 CRL Distribution Points:
      Full Name:
        URI:{NCP PrivateCA CRL URL}

To create an OCSP, follow these steps:

  1. In the NAVER Cloud Platform console, navigate to i_menu > Services > Security > Private CA.
  2. To create an OCSP, select the CA and click the [Create] button in the OCSP section.
    privateca-use_14_ko
Note

You can check the revocation status of a certificate by referencing the CRL directly, or by querying the OCSP responder provided by Private CA. To query OCSP and check certificate revocation status, use the following command (OpenSSL 1.1.0 and later; older versions write the header as -header Host {NCP Private CA Host Name}):

openssl ocsp -issuer {Chain cert} -cert {Cert} -header Host={NCP Private CA Host Name} -url {OCSP URL} -VAfile {OCSP Responder cert} -text

Delete OCSP

You can disable and delete an OCSP that is currently in use. Certificates issued by a CA after deleting OCSP no longer include the OCSP URL. To delete an OCSP, follow these steps:

  1. In the NAVER Cloud Platform console, navigate to i_menu > Services > Security > Private CA.
  2. To delete OCSP, select the CA and click the [Delete] button in the OCSP section.
  3. When the Delete OCSP popup window appears, click the [Delete] button.

View CA certificate

You can view details for each created CA and its issued certificates, and download the certificate body and chain information as a PEM file. To view or download a CA certificate, follow these steps:

  1. In the NAVER Cloud Platform console, navigate to i_menu > Services > Security > Private CA.
  2. Select the CA you want to check and click the [View CA certificate] button.
  3. When the CA certificate details popup window appears, review the necessary information.
  4. To download the certificate body or certificate chain, click the [Download] button.
  5. Click the [OK] button.
Note

For root CAs, chain information is not displayed in Step 4, since there is no parent CA.

Enable/disable

You can change a CA in normal use to the disabled status when needed, or change a disabled CA back to the enabled status. When a CA is disabled, most features become unavailable except for viewing. To enable or disable a CA, follow these steps:

  1. In the NAVER Cloud Platform console, navigate to i_menu > Services > Security > Private CA.
  2. Click the CA whose status you want to change and do one of the following:
    • If you want to change the enabled status to disabled, click the [Disable] button.
    • If you want to change the disabled status to enabled, click the [Enable] button.

Request deletion

You can request to delete a created CA. When a deletion request is received, it is automatically deleted (revoked) after a 72-hour waiting period. A CA pending deletion is treated like a disabled CA, with most features disabled except for viewing. Once automatically deleted, recovery is not possible. Proceed with caution, as it may severely impact integrated systems.

Caution

After the 72-hour waiting period, the CA is automatically deleted without verifying the operational status or expiration of certificates issued by that CA, including any subordinate CAs. Once a CA is deleted, its private key is permanently erased and cannot be recovered, so proceed with caution. Once deleted, a CA is no longer trusted and its issued certificates can't be used for authentication.

To cancel a deletion request for a CA that is pending deletion, click the [Cancel deletion] button before the 72-hour waiting period has elapsed. After clicking the button, the deletion request is canceled and the key is immediately placed in the disabled status. If you want to use the CA again, you can switch it to enabled status. However, if you cancel a deletion request for a CA that is in registration pending status, it returns to the registration pending status.
To proceed with the deletion request, follow these steps:

  1. In the NAVER Cloud Platform console, navigate to i_menu > Services > Security > Private CA.
  2. To request deletion, select the CA and click the [Request deletion] button.
  3. When the CA deletion popup window appears, enter the name of the CA you want to delete in the Enter CA name field.
    privateca-use_16_ko
  4. Click the [Request deletion] button.
  5. Check the CA status that changed after the deletion request in the Private CA list.
    • Pending deletion: a deletion request has been received and is waiting 72 hours for complete deletion.
  6. If you want to delete the key immediately without deleting it on the scheduled deletion date shown in the Status field, click the [Delete now] button.
    privateca-use_17_ko
  7. When the Immediately delete CA popup window appears, check the cautions and click the [Delete] button.
    privateca-use_18_ko
Caution

The CA is deleted immediately without verifying the operational status or expiration of certificates issued by that CA, including any subordinate CAs. Once a CA is deleted, its private key is permanently erased and cannot be recovered, so proceed with caution. Once deleted, a CA is no longer trusted and its issued certificates can't be used for authentication.

Issue private certificate

You can issue private certificates from a created CA. To issue a private certificate, follow these steps:

  1. In the NAVER Cloud Platform console, navigate to i_menu > Services > Security > Private CA.

  2. Select the CA from which you want to issue the certificate, then click the [Issue private certificate] button.

  3. When the Issue private certificate popup window appears, enter the required certificate information.

  4. Click the [Issue] button.

  5. When the Private certificate details popup window appears, review the certificate information.

    • Issuer: name of the CA that issued the private certificate.
    • Serial number: unique identifier for the private certificate.
    • Certificate body: contents of the certificate. Click the [Download] button to save it to your local PC.
    • Private key: private key of the certificate. Click the [Download] button to save it to your local PC.
      privateca-use_19_ko
    • Certificate chain: information on the certificate chain included when the issuer has a hierarchical structure. Click the [Download] button to save it to your local PC.
    • OCSP certificate: OCSP responder certificate, included only if an OCSP URL has been created for the CA. Click the [Download] button to save it to your local PC.
    Caution

    Private CA does not store the private key of the issued certificate. Once you leave this screen, you are not able to retrieve it again. Make sure to download and store the private key of the issued certificate immediately.

Revoke private certificate

You can revoke a private certificate that has been issued. Once revoked, the certificate is immediately added to the Certificate Revocation List (CRL). This action cannot be undone, so proceed with caution. To revoke a private certificate, follow these steps:

  1. In the NAVER Cloud Platform console, navigate to i_menu > Services > Security > Private CA.
  2. Select the CA that issued the certificate, then click the [Revoke private certificate] button.
  3. When the Revoke private certificate popup window appears, enter the serial number of the certificate to revoke.
    • To find the certificate's serial number, see Check CA list.
  4. Click the [Revoke] button.
Caution

  • The serial number of a revoked certificate is not removed from the list of issued certificates. For validation of a certificate, always check its revocation status using the CRL or OCSP.
  • Subordinate CA certificates are displayed in the list of issued certificates but cannot be revoked manually. They are automatically revoked when the CA is deleted.
Note

An example of a CRL with revoked certificate entries is as follows:

$ curl {CRL URL} | openssl crl -text -noout

Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /C=KR/ST=\xEA\xB2\xBD\xEA\xB8\xB0\xEB\x8F\x84/L=\xEC\x84\xB1\xEB\x82\xA8\xEC\x8B\x9C/O=Naver Cloud Platform/OU=Security Dev/CN=My sub CA
        Last Update: Jul 15 15:29:22 2020 GMT
        Next Update: Jul 18 15:29:22 2020 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
                keyid:17:43:8A:2C:FD:8A:7C:20:44:6F:F1:52:6B:9D:7E:27:8F:E8:0B:0C

Revoked Certificates:
    Serial Number: 658D43B364DD48B6F69AFB3E27010F6A42D61D66
        Revocation Date: Jul 15 15:29:22 2020 GMT
    Signature Algorithm: sha256WithRSAEncryption
         23:9e:a9:a8:76:32:db:c3:2c:15:ba:3c:15:94:ea:ef:d2:fd:
         3a:7d:0f:da:68:b2:69:8a:d0:c2:3e:21:19:f8:c7:b4:6a:a6:
         2e:2f:c1:3b:13:61:a0:98:ff:6d:f8:40:8f:2f:5b:09:db:c8:
         b6:85:5b:69:3b:5c:5a:8e:37:3a:12:eb:46:bd:e8:fd:4f:ba:
         e3:94:a3:75:96:bb:3c:4c:4d:3e:25:f1:54:bd:ae:09:ca:63:
         fb:31:2a:e4:b0:e0:de:0e:2f:83:f2:96:26:ef:7c:b8:c2:24:
         80:ce:38:d5:d4:b4:e4:04:13:56:c1:c4:63:26:9d:34:c9:e4:
         67:73:1d:0f:e0:5c:ca:b6:00:ea:f3:39:e6:f9:c8:67:07:3f:
         d5:cc:ca:82:7a:45:ae:ff:6f:b4:5f:bc:62:a8:9c:0c:7e:d3:
         88:e1:c9:5b:c8:d0:3c:b7:22:20:dd:3a:98:b9:82:61:25:e0:
         3b:6f:e1:f7:ea:94:b0:e5:a8:9b:49:e4:1c:0d:bc:6a:25:65:
         40:04:02:4b:eb:ea:71:d7:2f:74:85:c4:b9:aa:92:f2:60:e7:
         6c:bd:85:5f:17:f2:ca:0f:35:b1:fb:5e:33:65:0f:d8:50:70:
         2d:61:76:8d:19:d3:a0:f3:87:ee:7a:f8:10:fd:5f:c9:dc:44:
         e4:c3:7c:00