Skip to main content

3-Tier PKI Tree Guide

This guide walks through building a basic 3-tier PKI hierarchy in OTPKI using the admin web interface. The resulting tree will have the following structure:

Root CA  (Tier 1 — self-signed, offline)
└── Policy CA (Tier 2 — signed by Root CA)
└── Issuing CA (Tier 3 — signed by Policy CA, issues end-entity certificates)

Prerequisites

  • OTPKI is running and accessible (see Getting Started).
  • You are logged in as an administrator.

Overview

StepWhat Will Be Created
1Soft DB KMS key storage configuration
2Three certificate profiles (Root CA, Policy CA, Issuing CA)
3Three ECDSA P-384 keys
4Self-signed Root CA
5Policy CA signed by Root CA
6Issuing CA signed by Policy CA

Step 1: Create a Key Storage Configuration

Before creating any keys, OTPKI needs at least one key storage configuration that tells it where and how to store private key material. For this guide we will use the built-in Soft DB KMS backend, which stores encrypted key material in the OTPKI database.

  1. Navigate to KeysKey Configurations in the left navigation.
  2. Click Create.
  3. Fill in the basic settings:
    • Name — e.g., Soft DB KMS - Default
    • Description — e.g., Software key storage for PKI hierarchy keys
    • Key Storage Driver — select SOFTDBKMS
  4. Optionally select an Encryption Key to encrypt stored private key material at rest.
  5. Skip Activation parameters for the software based KMS.
  6. Click Create Key Storage Config.

Step 2: Create Certificate Profiles

Certificate profiles define the X.509 extensions and constraints that will be applied to each CA certificate. We need three profiles, one per tier.

Navigate to ProfilesCertificate Profiles and click Create for each profile below.

2a. Root CA Profile

SectionFieldValue
Basic SettingsNameRoot CA Profile
Basic SettingsCertificate TypeRoot CA
Basic ConstraintsEnable✅ Checked
Basic ConstraintsMaximum Path Length2
Validity SettingsValidity Duration20 years
Key IdentifiersInclude SKI✅ Checked
Key IdentifiersInclude AKI☐ Unchecked (self-signed)
Key UsageEnable Key Usage Extension✅ Checked
Key UsageCritical✅ Checked
Key UsageCert Sign✅ Checked
Key UsageCRL Sign✅ Checked
tip

Setting the Max Path Length to 2 on the Root CA allows two levels of subordinate CAs (the Policy CA and the Issuing CA) beneath it, conforming to RFC 5280.

Click Create Certificate Profile.

2b. Policy CA Profile

SectionFieldValue
Basic SettingsNamePolicy CA Profile
Basic SettingsCertificate TypeSub CA
Basic ConstraintsInclude✅ Checked
Basic ConstraintsMax Path Length1
Validity SettingsDuration10 years
Key IdentifiersInclude SKI✅ Checked
Key IdentifiersInclude AKI✅ Checked
Key UsageEnable Key Usage Extension✅ Checked
Key UsageCritical✅ Checked
Key UsageCert Sign✅ Checked
Key UsageCRL Sign✅ Checked

Click Create Certificate Profile.

2c. Issuing CA Profile

SectionFieldValue
Basic SettingsNameIssuing CA Profile
Basic SettingsCertificate TypeSub CA
Basic ConstraintsInclude✅ Checked
Basic ConstraintsMax Path Length0
Basic ConstraintsSet Max Path Length to Zero✅ Checked
Validity SettingsDuration5 years
Key IdentifiersInclude SKI✅ Checked
Key IdentifiersInclude AKI✅ Checked
Key UsageEnable Key Usage Extension✅ Checked
Key UsageCritical✅ Checked
Key UsageCert Sign✅ Checked
Key UsageCRL Sign✅ Checked
tip

Setting the Max Path Length to 0 on the Issuing CA ensures that no further CAs can be created below it, only end-entity certificates.

Click Create Certificate Profile.


Step 3: Create Keys

Each CA requires its own private key. Navigate to KeysKeys and click Create for each key below.

3a. Root CA Key

FieldValue
NameRootCAKey
DescriptionPrivate key for the Root CA
Key TypeECDSA P-384
Key UsageSIGN_VERIFY
Key Storage ConfigSoft DB KMS - Default (created in Step 1)

Click Create Key.

3b. Policy CA Key

FieldValue
NamePolicyCAKey
DescriptionPrivate key for the Policy CA
Key TypeECDSA P-384
Key UsageSIGN_VERIFY
Key Storage ConfigSoft DB KMS - Default

Click Create Key.

3c. Issuing CA Key

FieldValue
NameIssuing CA Key
DescriptionPrivate key for the Issuing CA
Key TypeECDSA P-384
Key UsageSIGN_VERIFY
Key Storage ConfigSoft DB KMS - Default

Click Create Key.


Step 4: Create the Root CA

Navigate to Certificate AuthoritiesCertificate Authorities and click Create.

FieldValue
NameMy Root CA
DescriptionTier 1 — self-signed root of trust
KeyRootCAKey (created in Step 3a)
Signature AlgorithmChoose accordingly based on key algorithm
Certificate ProfileRoot CA Profile (created in Step 2a)
Parent CA(Leave blank as this is a self signed Root CA)

Click on the + Certificate Template Field option and select Subject Dn Attributes to add some Distinguished Name attributes. Click the + icon to add additional attributes

Attribute TypeValue
Common NameMy Root CA
Organization(your organization name)
...(enter as many RDNs as you wish)

Configure the CRL settings as appropriate for your environment, then click Create CA.

The Root CA certificate is now self-signed and active.


Step 5: Create the Policy CA

Click Create again on the Certificate Authorities page.

FieldValue
NameMy Policy CA
DescriptionTier 2 — Policy CA signed by Root CA
KeyPolicyCAKey (created in Step 3b)
Signature AlgorithmChoose accordingly based on key algorithm
Certificate ProfilePolicy CA Profile (created in Step 2b)
Parent CAMy Root CA (created in Step 4)

Click on the + Certificate Template Field option and select Subject Dn Attributes to add some Distinguished Name attributes. Click the + icon to add additional attributes

Attribute TypeValue
Common NameMy Policy CA
Organization(your organization name)
...(enter as many RDNs as you wish)

Configure the CRL settings as appropriate for your environment, then click Create CA.

OTPKI uses the Root CA to sign the Policy CA certificate. The chain is now: Root CA → Policy CA.


Step 6: Create the Issuing CA

Click Create one more time on the Certificate Authorities page.

FieldValue
NameMy Issuing CA
DescriptionTier 3 — Issuing CA signed by Policy CA
KeyIssuingCAKey (created in Step 3c)
Signature AlgorithmChoose accordingly based on key algorithm
Certificate ProfileIssuing CA Profile (created in Step 2c)
Parent CAMy Policy CA (created in Step 5)

Click on the + Certificate Template Field option and select Subject Dn Attributes to add some Distinguished Name attributes. Click the + icon to add additional attributes

Attribute TypeValue
Common NameMy Issuing CA
Organization(your organization name)
...(enter as many RDNs as you wish)

Configure the CRL settings as appropriate for your environment, then click Create CA.

The full 3-tier chain is now established: Root CA → Policy CA → Issuing CA.


Step 7: Verify the Hierarchy

On the Certificate Authorities page you should see all three CAs listed.
Click each CA to inspect its certificate and confirm the chain of trust:

  • My Root CA — self-signed, pathLen:2
  • My Policy CA — issued by My Root CA, pathLen:1
  • My Issuing CA — issued by My Policy CA, pathLen:0

The Issuing CA is now ready to issue end-entity certificates. Create an End-Entity Certificate Profile and associate it with My Issuing CA to begin issuing certificates.


Next Steps