CA management

Objective

  • To register a Certificate Authority (CA) in Oten KMS by uploading your CA file and signing it with an existing key. Once signed, the CA can be used for Google CSE or custom integrations.

How to use

Step 1 — Upload your CA file

  • Prepare your CA in .pem format

  • Drag and drop the file into the upload zone, or click to browse

  • KMS will parse the file and extract the certificate metadata (Subject, validity period, algorithm)

Tip: If you don't have a .pem file, you can convert from other formats using OpenSSL: openssl x509 -in ca.crt -out ca.pem -outform PEM

Step 2 — Select a signing key

  • Choose a key from your workspace that matches your CA's algorithm:

    • CA uses an EC key → select an EC key (e.g. P-256, P-384)

    • CA uses an RSA key → select an RSA key (e.g. RSA-2048, RSA-4096)

  • If no keys appear, your workspace may not have a key of the required algorithm. Create one first in Key Management before proceeding.

Why does this matter? Using a mismatched algorithm will result in an invalid signature. The signing key must be cryptographically compatible with the CA's key type.

Step 3 — Confirm & sign

  • Review the parsed certificate info (Subject, validity dates, algorithm)

  • Click Sign to proceed — this action cannot be undone

  • Once signed, the CA becomes active immediately

  • Download the signed .pem file to use in your workflow (Google CSE or custom integrations)

After signing

  • The signed CA will appear in your CA list with status Active

  • You can download the signed file at any time from the CA detail view

  • To revoke a CA, use the Revoke action in the CA detail — this cannot be reversed

Common issues

Issue
Cause
Fix

No keys shown in dropdown

No key matching the CA's algorithm in this workspace

Create an EC or RSA key first

Upload fails

File is not valid .pem format

Re-export your CA using OpenSSL

Sign button disabled

No key selected

Select a signing key from the dropdown

Last updated