Configuring Policy for Amazon CA
To configure an Amazon CA policy,
- Log in to the AppViewX application with valid credentials.
- Click the menu button located in the upper left corner of the screen. The left navigation pane appears.
- Click CERT+. The CERT+ left navigation pane appears.
- Expand GROUPS & POLICIES.
- Click CA Policy. The CA Policy home page appears.
- Click + Create on the top-right of the page. The Create policy page appears.
- Refer to the Configuring Policy Details section in the admin guide to configure the following:
  - Policy Details section
  - Group Selection section
  - Compliance Check section
- To configure a policy with Amazon details, click Amazon in the Certificate Authority pane on the left side of the screen.
The following table provides the field description in the CA Details section:

| Name | Description |
| --- | --- |
| *CA Accounts | The Amazon CA accounts configured in the CA settings screen are listed. Select a CA account from the list to create the policy. |

Note: The asterisk (*) symbol indicates a mandatory field.

- In the CA details section, select CA accounts from the dropdown list.
- Click the Add button. The CA details are saved to the table and a confirmation message displays.
- You can use the Remove option to delete the configuration.
- In the CA details section, select the Bit Length - Key Type(s), ECDSA curve(s), and Hash Function(s).

The following table provides the field description in the CA Details section:

| Name | Description |
| --- | --- |
| *Bit Length - Key Type | All the Key Types are listed with their corresponding Bit Length. You can select one or more Bit Length - Key Type(s) from the drop-down. Note: The discovered certificate's Key Type and Bit Length are compared against the selected Bit Length - Key Type(s) to identify whether it is compliant with the policy. The selected Bit Length - Key Type(s) are enforced while performing any certificate request operation such as New, Renew, and Regenerate. |
| *ECDSA curve | When the selected Key Type is EC, the ECDSA curves corresponding to the selected Key Type are listed. You can select one or more ECDSA curves from the drop-down for a certificate. Note: The discovered certificate's key elliptic curve is compared against the selected ECDSA curve(s) to identify whether it is compliant with the policy. The selected ECDSA curve(s) are enforced while performing certificate request operations such as New, Renew, and Regenerate. We recommend using the P256, P384, or P521 ECDSA curve while enrolling. |
| *Hash Function | The supported Hash Function(s) are listed. You can select one or more Hash Function(s) from the drop-down. Note: The discovered certificate's hash algorithm is compared against the selected Hash Function(s) to identify whether it is compliant with the policy. The selected Hash Function(s) are enforced while performing any certificate request operation such as New, Renew, and Regenerate. |

Note: The asterisk (*) symbol indicates a mandatory field.

- You can fill in the Certificate parameters section based on your organization's policies and standards.
The following table provides the field description in the Certificate parameters section:

| Name | Description |
| --- | --- |
| Common Name | You can provide the common name, for example *.domain.com. It helps enforce the domains for which a certificate can be requested. Common Name is enforced while performing any certificate request operation such as New, Renew, and Regenerate. Note: Use an asterisk (*) for the host part of the FQDN to enforce the domain. For example, *.domain.com will only allow users to request certificates under the domain domain.com. Allowed special characters: Asterisk (*), Hyphen (-), Period (.) |
| Subject Alternative Name | You can provide the subject alternative name (SAN). It helps enforce additional domains for which a certificate can be requested. Subject Alternative Name is enforced while performing certificate request operations such as New, Renew, and Regenerate. Note: Use an asterisk (*) for the host part of the FQDN to enforce the domain. For example, *.domain.com will only allow users to request certificates under the domain domain.com. Allowed special characters: Asterisk (*), Hyphen (-), Period (.), At (@) |

Note: The asterisk (*) symbol indicates a mandatory field.

- Click the Save CA Details button to save the configuration. A green tick mark is displayed in the Certificate Authority pane against the Amazon option to indicate that the details are successfully stored.
- Click the Create Policy button to create a new policy. The policy is created and a confirmation message displays.
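As an added illustration (not AppViewX code), the compliance check the tables above describe, run over the attributes a discovered certificate exposes: key type and bit length, ECDSA curve, hash function, and Common Name / SAN domains. The policy values, the DiscoveredCert type and the wildcard rule (a leading * stands for any host under the domain, never the bare domain) are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Hypothetical policy mirroring the CA Details and Certificate parameters
# sections above (values are constructed, not AppViewX defaults).
POLICY = {
    "key_types": {("RSA", 2048), ("RSA", 4096), ("EC", 256), ("EC", 384)},
    "ecdsa_curves": {"P-256", "P-384"},
    "hash_functions": {"SHA256", "SHA384"},
    "common_name": "*.domain.com",
    "subject_alt_names": ["*.domain.com", "*.corp.example"],
}

@dataclass
class DiscoveredCert:
    key_type: str
    bit_length: int
    curve: Optional[str]
    hash_function: str
    common_name: str
    sans: List[str] = field(default_factory=list)

def domain_allowed(name: str, pattern: str) -> bool:
    """A leading '*' stands for the host part: '*.domain.com' permits any host
    under domain.com but not domain.com itself (assumed semantics). Patterns
    without a wildcard must match exactly; comparison is case-insensitive."""
    name, pattern = name.lower(), pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".domain.com"
        return name.endswith(suffix) and len(name) > len(suffix)
    return name == pattern

def check_compliance(cert: DiscoveredCert, policy: dict) -> List[str]:
    """Return every policy violation; an empty list means compliant."""
    v = []
    if (cert.key_type, cert.bit_length) not in policy["key_types"]:
        v.append(f"key {cert.key_type}-{cert.bit_length} not an allowed Bit Length - Key Type")
    if cert.key_type == "EC" and cert.curve not in policy["ecdsa_curves"]:
        v.append(f"curve {cert.curve} not an allowed ECDSA curve")
    if cert.hash_function not in policy["hash_functions"]:
        v.append(f"hash {cert.hash_function} not an allowed Hash Function")
    if not domain_allowed(cert.common_name, policy["common_name"]):
        v.append(f"CN {cert.common_name} outside {policy['common_name']}")
    for san in cert.sans:
        if not any(domain_allowed(san, p) for p in policy["subject_alt_names"]):
            v.append(f"SAN {san} outside the allowed SAN domains")
    return v
```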