The following outlines how to create a Hybrid X509 Root CA.

A Hybrid Certificate Authority (CA) is an X509 CA with two key pairs and two signing algorithms, where a combination of classic algorithms and PQC algorithms is used.

For more general information on Hybrid CAs, see Hybrid CA.

To create a Hybrid X509 Root CA in EJBCA, do the following:

Create Crypto Token and keys

To create a Hybrid Root CA crypto token and keys, follow these steps:  

  1. In the EJBCA menu, under CA Functions, click Crypto Tokens to open the Manage Crypto Tokens page.

  2. Click Create new and specify the following on the New Crypto Token page:

    • Name: Specify a name for the hybrid CA crypto token.

    • Type: Select Soft to create a soft crypto token.

    • Authentication Code: Enter a password to be used to activate the crypto token. Remember this password.

  3. Click Save to create the Root CA crypto token.

  4. Next, generate three CA keys:

  5. Generate a classic algorithm signKey, for example using RSA 2048, by specifying a name, algorithm, key specification, and then click Generate new keypair.

  6. Generate a PQC algorithm signKeyAlternative, for example using DILITHIUM2, by specifying a name, algorithm, key specification, and then click Generate new keypair.

  7. Generate a classic algorithm testKey, for example using RSA 2048, by specifying a name, algorithm, key specification, and then click Generate new keypair.

  8. Generate a defaultKey, using RSA 2048, by specifying a name, algorithm, key specification, and then click Generate new keypair.

    [Screenshot: CryptoToken_Hybrid_CA.png]

You have now created the Root CA crypto token and keys.

Create Hybrid Root CA

To create the hybrid Root CA, follow these steps:

  1. In the EJBCA menu, under CA Functions, click Certification Authorities to open the Manage Certificate Authorities page.

  2. In the Add CA field, specify a name for the CA and click Create.

  3. On the Create CA page, update the following:

    • In the Crypto Token list, select the hybrid CA crypto token you created earlier.

    • For Alternative Signing Algorithm, select a PQC Alternative Signing Algorithm, for example DILITHIUM2, and verify that the certSignKey, alternativeCertSignKey, defaultKey and testKey are set correctly.

      [Screenshot: Hybrid_CA_keys.png]

    • Under CA Certificate Data, specify the following:

      • Subject DN: Specify the subject DN for the CA.

      • Signed by: Verify that Self Signed is selected since this is the Root CA. Self Signed means that this CA has signed itself, thus making it a Root CA.

      • Certificate Profile: Select a certificate profile. The certificate profile can either be the ROOTCA template, or a derivative of it.

      • Validity: Specify the Validity of the CA's certificate. In this example, 10 y.

        [Screenshot: CA_Validity.png]

  4. Click Create to create the hybrid Root CA.

Your hybrid Root CA is now online and listed on the Manage Certificate Authorities page.
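Once the CA is online, it is worth confirming that its certificate really carries both signing paths rather than only the classic one. The Go program below is an added example, not EJBCA code: it inspects a DER certificate for the X.509 (2019) section 9.8 alternative-signature extensions that hybrid certificates carry (subjectAltPublicKeyInfo, altSignatureAlgorithm, altSignatureValue) and reports the alternative algorithm OID. `SampleCert` builds a constructed Ed25519 test certificate with stub extension values (no real PQC signature), and the Dilithium2 OID it names is assumed from Bouncy Castle's registration, so check it against your EJBCA release.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// X.509 (2019) 9.8 extensions: subjectAltPublicKeyInfo (72), altSignatureAlgorithm (73), altSignatureValue (74).
var altExts = []asn1.ObjectIdentifier{{2, 5, 29, 72}, {2, 5, 29, 73}, {2, 5, 29, 74}}

// InspectHybrid returns the primary signature algorithm, the OID named by altSignatureAlgorithm ("" if
// absent) and whether all three hybrid extensions are present. Structural check only: no signature is verified.
func InspectHybrid(der []byte) (sigAlg, altOID string, hybrid bool, err error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", "", false, err
	}
	seen := map[string]bool{}
	for _, ext := range cert.Extensions {
		seen[ext.Id.String()] = true
		if ext.Id.Equal(altExts[1]) { // the extension value is a DER AlgorithmIdentifier
			var alg pkix.AlgorithmIdentifier
			if _, err := asn1.Unmarshal(ext.Value, &alg); err != nil {
				return "", "", false, err
			}
			altOID = alg.Algorithm.String()
		}
	}
	hybrid = seen[altExts[0].String()] && seen[altExts[1].String()] && seen[altExts[2].String()]
	return cert.SignatureAlgorithm.String(), altOID, hybrid, nil
}

// SampleCert is a constructed self-signed Ed25519 test certificate. With hybrid=true it adds the three
// extensions with stub values and Bouncy Castle's Dilithium2 OID (assumed) so the checker can be exercised.
func SampleCert(hybrid bool) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Hybrid Root CA (test)"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true}
	if hybrid {
		algDER, _ := asn1.Marshal(pkix.AlgorithmIdentifier{Algorithm: asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 2, 267, 7, 4, 4}})
		tmpl.ExtraExtensions = []pkix.Extension{{Id: altExts[0], Value: []byte{0x30, 0x00}},
			{Id: altExts[1], Value: algDER}, {Id: altExts[2], Value: []byte{0x03, 0x01, 0x00}}}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return der
}
```

To check a real CA certificate exported from EJBCA, decode its PEM body and pass the DER bytes to `InspectHybrid`; a classic-only certificate reports `hybrid == false` and an empty alternative OID.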