Issuing a new Root Certification Authority

1. Log in to the Stream Administration Interface.

2. Go to Create a new CA from the menu on the left.

3. Enter your CA's internal name and manage its DNs: add one using the add_dn button in the top right corner, or remove one using the remove_ca icon.

4. Select the Keystore that contains the key you want to use to generate this CA, then select the key that you want to use. If you do not have a keystore set up yet, please refer to the Managing Keystores & Keys section.

5. Select Selfsigned as the signing method, and pick the hash algorithm of your choice. Optionally, if you picked a PKCS#11 Keystore and an RSA key, you can use a PSS signature instead of the classic PKCS#1 one: to do so, turn on the toggle. Note that your HSM must support the CKM_RSA_PKCS_PSS mechanism.

6. Set the lifetime of your CA in days. Optionally, you can set up a backdate and a path length. Once you are done, click "Add".

7. You can configure your CA directly from this menu by turning enrollment on or off, trusting the CA for client authentication or server authentication, or enforcing key unicity. Once you're satisfied with your settings, click "Add".

If everything went well, you should see your CA marked as managed on a new trust chain under Certification Authorities > Trust chains:

Stream Trust Chain Menu
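
One way to confirm that the issued certificate reflects the choices made in steps 5 and 6 (self-signed, PSS or PKCS#1 signature, path length, validity dates). This is an added example, not part of the Stream documentation: it assumes the CA certificate has been exported as a PEM file and that the openssl CLI is installed, and the function name `inspect_root_ca` and file name `root-ca.pem` are hypothetical.

```shell
#!/bin/sh
# Added example (not vendor code): report the properties of a root CA
# certificate that correspond to the options chosen in steps 5 and 6.
# Assumption: the certificate is available as a PEM file.

inspect_root_ca() {
    rc_cert=$1
    rc_text=$(openssl x509 -in "$rc_cert" -noout -text) || return 2
    rc_subject=$(openssl x509 -in "$rc_cert" -noout -subject -nameopt RFC2253)
    rc_issuer=$(openssl x509 -in "$rc_cert" -noout -issuer -nameopt RFC2253)

    # Self-signed: identical subject and issuer DN, and the signature verifies
    # under the certificate's own key (-check_ss_sig forces that check, which
    # openssl skips by default for trust anchors). Validity dates are ignored here.
    rc_self=no
    if [ "${rc_subject#subject=}" = "${rc_issuer#issuer=}" ] &&
       openssl verify -check_ss_sig -no_check_time \
           -CAfile "$rc_cert" "$rc_cert" >/dev/null 2>&1
    then rc_self=yes; fi

    # PSS vs classic PKCS#1: the signature algorithm name tells them apart.
    rc_sigalg=$(printf '%s\n' "$rc_text" |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    case "$(printf '%s' "$rc_sigalg" | tr 'A-Z' 'a-z')" in
        *pss*) rc_pss=yes ;;
        *)     rc_pss=no ;;
    esac

    # basicConstraints: CA flag and the optional path length from step 6.
    rc_bc=$(printf '%s\n' "$rc_text" |
        sed -n '/X509v3 Basic Constraints/{n;p;}')
    case "$rc_bc" in *CA:TRUE*) rc_ca=yes ;; *) rc_ca=no ;; esac
    rc_pathlen=$(printf '%s\n' "$rc_bc" |
        sed -n 's/.*pathlen:\([0-9][0-9]*\).*/\1/p')

    echo "self_signed=$rc_self"
    echo "ca=$rc_ca"
    echo "path_length=${rc_pathlen:-none}"
    echo "signature_algorithm=$rc_sigalg"
    echo "pss=$rc_pss"
    # notBefore shows any backdate; notAfter minus notBefore is the lifetime.
    openssl x509 -in "$rc_cert" -noout -startdate -enddate

    # Succeed only for a self-signed certificate with the CA flag set.
    [ "$rc_self" = yes ] && [ "$rc_ca" = yes ]
}

# Run against a file when one is given: sh inspect_root_ca.sh root-ca.pem
if [ "$#" -ge 1 ]; then inspect_root_ca "$1"; fi
```

If you enabled the PSS toggle in step 5, expect `pss=yes`; any certificate relying on this root must then be validated by software that supports RSASSA-PSS.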