Create a Custom Certificate Authority (CA)

Next-Gen Trust Security provides the ability to create connections to certificate authorities, including some that aren't already supported by Next-Gen Trust Security. With custom CAs, you can issue certificates, manually import certificates on demand, and schedule imports to ensure new certificates are added to Next-Gen Trust Security automatically.
To help you understand how CA connectors developed using the framework look and feel in Next-Gen Trust Security, we have created and tested the EJBCA CA Connector.

Prerequisites

Before you try to set up a CA connector in Next-Gen Trust Security, you'll need to do the following:
  • Have the Superuser role in Next-Gen Trust Security; it is required to create CA connectors.
  • Have a deployed VSatellite that can resolve the hostname of your CA to its IP address.
  • Have your custom connector present in Next-Gen Trust Security. You can learn how to build and upload your connector by following the instructions on Dev Central. If you are using EJBCA, this step has already been done for you.

High-level steps for setting up a CA connector in Next-Gen Trust Security

Once the prerequisites are complete, work through the following steps to create and configure a CA connector in Next-Gen Trust Security.

Step 1: Export certificates and keys

Before you can configure a CA connector, you need the root certificate for the CA's site, and the client authentication certificate (which includes the private key) in PEM format.
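Before uploading the two files from this step, it is worth checking that they fit together: the key must belong to the client certificate, and the client certificate must chain to the exported root and permit TLS client authentication. The Go program below is an added example, not code from Next-Gen Trust Security or the EJBCA connector; it assumes the client authentication file holds the certificate and its PKCS#8 private key as PEM blocks in one file, and it constructs its own throwaway root and client certificate as sample input.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// ValidateConnectorMaterial is an assumed pre-flight check (not part of the product) for the two
// PEM files Step 1 exports: the CA's root certificate, and the client authentication certificate
// bundled with its private key. It fails on a key/certificate mismatch, on a certificate that does
// not chain to the exported root, and on one lacking the TLS client authentication key usage.
func ValidateConnectorMaterial(rootPEM, clientPEM []byte) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(rootPEM) {
		return fmt.Errorf("root: no parseable CERTIFICATE block")
	}
	// The bundle carries both blocks: X509KeyPair takes CERTIFICATE blocks from the first
	// argument and the PRIVATE KEY block from the second, then checks that they belong together.
	pair, err := tls.X509KeyPair(clientPEM, clientPEM)
	if err != nil {
		return fmt.Errorf("client: %w", err)
	}
	leaf, _ := x509.ParseCertificate(pair.Certificate[0]) // already parsed successfully inside X509KeyPair
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// sampleMaterial builds constructed, ephemeral test data in the layout Step 1 produces.
func sampleMaterial() (rootPEM, clientPEM []byte) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cliKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rootTpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	rootDER, _ := x509.CreateCertificate(rand.Reader, rootTpl, rootTpl, &rootKey.PublicKey, rootKey)
	root, _ := x509.ParseCertificate(rootDER)
	cliTpl := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	cliDER, _ := x509.CreateCertificate(rand.Reader, cliTpl, root, &cliKey.PublicKey, rootKey)
	keyDER, _ := x509.MarshalPKCS8PrivateKey(cliKey)
	rootPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: rootDER})
	clientPEM = append(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cliDER}),
		pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})...)
	return rootPEM, clientPEM
}

func main() { fmt.Println("material check:", ValidateConnectorMaterial(sampleMaterial())) }
```

A nil result means the files are consistent; any error names which of the two files is at fault, so it can be fixed before the connector is created.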

Step 2: Create and configure the custom CA connector in Next-Gen Trust Security

You need to provide Next-Gen Trust Security with information about the CA so that it can request certificates. This involves creating a new entry in the Certificate Authority inventory.

Step 3: Create an issuing template for the new CA

Issuing templates connect to certificate authorities and specify parameters to use for issuing certificates. Once you have created an issuing template, users in your TSG can begin requesting certificates using this CA connector. If you want to share the issuing template with child TSGs, you can do so from the issuing template settings.

Step 4: Create a certificate request

You can test whether everything worked correctly by creating a new certificate request using the issuing template you configured in the prior steps.