3-Tier PKI Tree Guide
This guide walks through building a basic 3-tier PKI hierarchy in OTPKI using the admin web interface. The resulting tree will have the following structure:
Root CA (Tier 1 — self-signed, offline)
└── Policy CA (Tier 2 — signed by Root CA)
└── Issuing CA (Tier 3 — signed by Policy CA, issues end-entity certificates)
Prerequisites
- OTPKI is running and accessible (see Getting Started).
- You are logged in as an administrator.
Overview
| Step | What Will Be Created |
|---|---|
| 1 | Soft DB KMS key storage configuration |
| 2 | Three certificate profiles (Root CA, Policy CA, Issuing CA) |
| 3 | Three ECDSA P-384 keys |
| 4 | Self-signed Root CA |
| 5 | Policy CA signed by Root CA |
| 6 | Issuing CA signed by Policy CA |
Step 1: Create a Key Storage Configuration
Before creating any keys, OTPKI needs at least one key storage configuration that tells it where and how to store private key material. For this guide we will use the built-in Soft DB KMS backend, which stores encrypted key material in the OTPKI database.
- Navigate to Keys → Key Configurations in the left navigation.
- Click Create.
- Fill in the basic settings:
- Name — e.g.,
Soft DB KMS - Default - Description — e.g.,
Software key storage for PKI hierarchy keys - Key Storage Driver — select
SOFTDBKMS
- Name — e.g.,
- Optionally select an Encryption Key to encrypt stored private key material at rest.
- Skip Activation parameters for the software based KMS.
- Click Create Key Storage Config.
Step 2: Create Certificate Profiles
Certificate profiles define the X.509 extensions and constraints that will be applied to each CA certificate. We need three profiles, one per tier.
Navigate to Profiles → Certificate Profiles and click Create for each profile below.
2a. Root CA Profile
| Section | Field | Value |
|---|---|---|
| Basic Settings | Name | Root CA Profile |
| Basic Settings | Certificate Type | Root CA |
| Basic Constraints | Enable | ✅ Checked |
| Basic Constraints | Maximum Path Length | 2 |
| Validity Settings | Validity Duration | 20 years |
| Key Identifiers | Include SKI | ✅ Checked |
| Key Identifiers | Include AKI | ☐ Unchecked (self-signed) |
| Key Usage | Enable Key Usage Extension | ✅ Checked |
| Key Usage | Critical | ✅ Checked |
| Key Usage | Cert Sign | ✅ Checked |
| Key Usage | CRL Sign | ✅ Checked |
Setting the Max Path Length to 2 on the Root CA allows two levels of subordinate CAs
(the Policy CA and the Issuing CA) beneath it, conforming to RFC 5280.
Click Create Certificate Profile.
2b. Policy CA Profile
| Section | Field | Value |
|---|---|---|
| Basic Settings | Name | Policy CA Profile |
| Basic Settings | Certificate Type | Sub CA |
| Basic Constraints | Include | ✅ Checked |
| Basic Constraints | Max Path Length | 1 |
| Validity Settings | Duration | 10 years |
| Key Identifiers | Include SKI | ✅ Checked |
| Key Identifiers | Include AKI | ✅ Checked |
| Key Usage | Enable Key Usage Extension | ✅ Checked |
| Key Usage | Critical | ✅ Checked |
| Key Usage | Cert Sign | ✅ Checked |
| Key Usage | CRL Sign | ✅ Checked |
Click Create Certificate Profile.
2c. Issuing CA Profile
| Section | Field | Value |
|---|---|---|
| Basic Settings | Name | Issuing CA Profile |
| Basic Settings | Certificate Type | Sub CA |
| Basic Constraints | Include | ✅ Checked |
| Basic Constraints | Max Path Length | 0 |
| Basic Constraints | Set Max Path Length to Zero | ✅ Checked |
| Validity Settings | Duration | 5 years |
| Key Identifiers | Include SKI | ✅ Checked |
| Key Identifiers | Include AKI | ✅ Checked |
| Key Usage | Enable Key Usage Extension | ✅ Checked |
| Key Usage | Critical | ✅ Checked |
| Key Usage | Cert Sign | ✅ Checked |
| Key Usage | CRL Sign | ✅ Checked |
Setting the Max Path Length to 0 on the Issuing CA ensures that no further CAs can be
created below it, only end-entity certificates.
Click Create Certificate Profile.
Step 3: Create Keys
Each CA requires its own private key. Navigate to Keys → Keys and click Create for each key below.
3a. Root CA Key
| Field | Value |
|---|---|
| Name | RootCAKey |
| Description | Private key for the Root CA |
| Key Type | ECDSA P-384 |
| Key Usage | SIGN_VERIFY |
| Key Storage Config | Soft DB KMS - Default (created in Step 1) |
Click Create Key.
3b. Policy CA Key
| Field | Value |
|---|---|
| Name | PolicyCAKey |
| Description | Private key for the Policy CA |
| Key Type | ECDSA P-384 |
| Key Usage | SIGN_VERIFY |
| Key Storage Config | Soft DB KMS - Default |
Click Create Key.
3c. Issuing CA Key
| Field | Value |
|---|---|
| Name | Issuing CA Key |
| Description | Private key for the Issuing CA |
| Key Type | ECDSA P-384 |
| Key Usage | SIGN_VERIFY |
| Key Storage Config | Soft DB KMS - Default |
Click Create Key.
Step 4: Create the Root CA
Navigate to Certificate Authorities → Certificate Authorities and click Create.
| Field | Value |
|---|---|
| Name | My Root CA |
| Description | Tier 1 — self-signed root of trust |
| Key | RootCAKey (created in Step 3a) |
| Signature Algorithm | Choose accordingly based on key algorithm |
| Certificate Profile | Root CA Profile (created in Step 2a) |
| Parent CA | (Leave blank as this is a self signed Root CA) |
Click on the + Certificate Template Field option and select Subject Dn Attributes to add some Distinguished Name attributes. Click the + icon to add additional attributes
| Attribute Type | Value |
|---|---|
| Common Name | My Root CA |
| Organization | (your organization name) |
| ... | (enter as many RDNs as you wish) |
Configure the CRL settings as appropriate for your environment, then click Create CA.
The Root CA certificate is now self-signed and active.
Step 5: Create the Policy CA
Click Create again on the Certificate Authorities page.
| Field | Value |
|---|---|
| Name | My Policy CA |
| Description | Tier 2 — Policy CA signed by Root CA |
| Key | PolicyCAKey (created in Step 3b) |
| Signature Algorithm | Choose accordingly based on key algorithm |
| Certificate Profile | Policy CA Profile (created in Step 2b) |
| Parent CA | My Root CA (created in Step 4) |
Click on the + Certificate Template Field option and select Subject Dn Attributes to add some Distinguished Name attributes. Click the + icon to add additional attributes
| Attribute Type | Value |
|---|---|
| Common Name | My Policy CA |
| Organization | (your organization name) |
| ... | (enter as many RDNs as you wish) |
Configure the CRL settings as appropriate for your environment, then click Create CA.
OTPKI uses the Root CA to sign the Policy CA certificate. The chain is now:
Root CA → Policy CA.
Step 6: Create the Issuing CA
Click Create one more time on the Certificate Authorities page.
| Field | Value |
|---|---|
| Name | My Issuing CA |
| Description | Tier 3 — Issuing CA signed by Policy CA |
| Key | IssuingCAKey (created in Step 3c) |
| Signature Algorithm | Choose accordingly based on key algorithm |
| Certificate Profile | Issuing CA Profile (created in Step 2c) |
| Parent CA | My Policy CA (created in Step 5) |
Click on the + Certificate Template Field option and select Subject Dn Attributes to add some Distinguished Name attributes. Click the + icon to add additional attributes
| Attribute Type | Value |
|---|---|
| Common Name | My Issuing CA |
| Organization | (your organization name) |
| ... | (enter as many RDNs as you wish) |
Configure the CRL settings as appropriate for your environment, then click Create CA.
The full 3-tier chain is now established:
Root CA → Policy CA → Issuing CA.
Step 7: Verify the Hierarchy
On the Certificate Authorities page you should see all three CAs listed.
Click each CA to inspect its certificate and confirm the chain of trust:
- My Root CA — self-signed,
pathLen:2 - My Policy CA — issued by
My Root CA,pathLen:1 - My Issuing CA — issued by
My Policy CA,pathLen:0
The Issuing CA is now ready to issue end-entity certificates. Create an End-Entity Certificate Profile and associate it with My Issuing CA to begin issuing certificates.
Next Steps
- Certificate Profiles Reference — full description of every profile setting.
- Key Management Reference — HSM and AWS KMS backend options.