PKIaaS provides the following CA instantiation capabilities.

CA types

Each customer may have one or more subordinate issuing CAs. You can:

  • Create an online root CA and add issuing CAs subordinate to this root CA.
  • Add an issuing CA signed by an external root CA – for example, your on-premise Microsoft root CA.

CA key and signature algorithms

The following CA key and signature algorithm pairs are supported.

Key algorithm

Signature algorithm

ECDSA P-256

ecdsa-with-SHA256

ECDSA P-384

ecdsa-with-SHA384

ECDSA P-521

ecdsa-with-SHA512

RSA 2048

sha256WithRSAEncryption

RSA 3072

sha256WithRSAEncryption

RSA 4096

sha512WithRSAEncryption

The NIST will deprecate some algorithms after Dec 31, 2030. See https://nvlpubs.nist.gov/nistpubs/ir/2024/NIST.IR.8547.ipd.pdf

Secure CA key management

All CA private keys are stored in Entrust nShield Connect XC high HSMs FIPS140-2 level 3.

CA creation time

CAs are automatically provisioned in ~60 seconds after submitting your request.

CA validity period

CA certificates have a default validity period of 20 years for root CAs and 10 years for subordinate issuing CAs. You can select a different period when creating each CA.

An issuing CA should have a minimum lifespan of 3 years to support some features. For example, to automate Intune/MDM enrollment using an Entrust Hosted Certificate Enrollment Gateway, an issuing CA must have at least 3 years of remaining lifespan when the Enrollment Gateway is created.