PKIaaS root CA currently supports two types of subordinate Certification Authorities (CAs):

  • TLS Proxy CA.
  • Azure Firewall Subordinate CA.

To create an external subordinate CA, follow the steps described in Issuing certificates. The only difference from creating an end-entity certificate is you should select the following values.

Field

Value

​Certificate Authority

Select an online root CA with the External Sub-CA service. See Creating an online root CA for how to create this CA.

Certificate Profile

Select one of the Authority profiles.

An external subordinate CA issued by a PKIaaS root CA only consumes one PKIaaS Certificate license. Entrust does not charge for the certificates issued by an external subordinate CA because those certificates are considered external and not using the PKIaaS infrastructure.