> For the complete documentation index, see [llms.txt](https://oten.gitbook.io/kms-support/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://oten.gitbook.io/kms-support/user-guide/publish-your-docs-2/ca-management.md).

# CA management

### Objective

* To register a Certificate Authority (CA) in Oten KMS by uploading your CA file and signing it with an existing key. Once signed, the CA can be used for Google CSE or custom integrations.

### How to use

<figure><img src="/files/6eAT1qeFgNKsHTQpVrma" alt=""><figcaption></figcaption></figure>

#### Step 1 — Upload your CA file

* Prepare your CA in **`.pem` format**
* Drag and drop the file into the upload zone, or click to browse
* KMS will parse the file and extract the certificate metadata (Subject, validity period, algorithm)

> **Tip:** If you don't have a `.pem` file, you can convert from other formats using OpenSSL: `openssl x509 -in ca.crt -out ca.pem -outform PEM`

#### Step 2 — Select a signing key

* Choose a key from your workspace that **matches your CA's algorithm**:
  * CA uses an **EC key** → select an EC key (e.g. P-256, P-384)
  * CA uses an **RSA key** → select an RSA key (e.g. RSA-2048, RSA-4096)
* If no keys appear, your workspace may not have a key of the required algorithm. Create one first in **Key Management** before proceeding.

> **Why does this matter?** Using a mismatched algorithm will result in an invalid signature. The signing key must be cryptographically compatible with the CA's key type.

#### Step 3 — Confirm & sign

* Review the parsed certificate info (Subject, validity dates, algorithm)
* Click **Sign** to proceed — this action cannot be undone
* Once signed, the CA becomes **active immediately**
* Download the signed `.pem` file to use in your workflow (Google CSE or custom integrations)

#### After signing

* The signed CA will appear in your CA list with status **Active**
* You can **download** the signed file at any time from the CA detail view
* To revoke a CA, use the **Revoke** action in the CA detail — this cannot be reversed

#### Common issues

| Issue                     | Cause                                                | Fix                                    |
| ------------------------- | ---------------------------------------------------- | -------------------------------------- |
| No keys shown in dropdown | No key matching the CA's algorithm in this workspace | Create an EC or RSA key first          |
| Upload fails              | File is not valid `.pem` format                      | Re-export your CA using OpenSSL        |
| Sign button disabled      | No key selected                                      | Select a signing key from the dropdown |
