CA management
Objective
To register a Certificate Authority (CA) in Oten KMS by uploading your CA file and signing it with an existing key. Once signed, the CA can be used for Google CSE or custom integrations.
How to use

Step 1 — Upload your CA file
Prepare your CA in
.pemformatDrag and drop the file into the upload zone, or click to browse
KMS will parse the file and extract the certificate metadata (Subject, validity period, algorithm)
Tip: If you don't have a
.pemfile, you can convert from other formats using OpenSSL:openssl x509 -in ca.crt -out ca.pem -outform PEM
Step 2 — Select a signing key
Choose a key from your workspace that matches your CA's algorithm:
CA uses an EC key → select an EC key (e.g. P-256, P-384)
CA uses an RSA key → select an RSA key (e.g. RSA-2048, RSA-4096)
If no keys appear, your workspace may not have a key of the required algorithm. Create one first in Key Management before proceeding.
Why does this matter? Using a mismatched algorithm will result in an invalid signature. The signing key must be cryptographically compatible with the CA's key type.
Step 3 — Confirm & sign
Review the parsed certificate info (Subject, validity dates, algorithm)
Click Sign to proceed — this action cannot be undone
Once signed, the CA becomes active immediately
Download the signed
.pemfile to use in your workflow (Google CSE or custom integrations)
After signing
The signed CA will appear in your CA list with status Active
You can download the signed file at any time from the CA detail view
To revoke a CA, use the Revoke action in the CA detail — this cannot be reversed
Common issues
No keys shown in dropdown
No key matching the CA's algorithm in this workspace
Create an EC or RSA key first
Upload fails
File is not valid .pem format
Re-export your CA using OpenSSL
Sign button disabled
No key selected
Select a signing key from the dropdown
Last updated