Configuring Policy for DigiCert CA
To configure a DigiCert CA policy:
- Go to > > >
  On the CA Policy page, the configured policies, if any, are displayed.
  Note: KUBE+ is packaged with two default policies, Default and Certificate-Gateway.
- Click + Create on the top-right of the page.
- Refer to the Configure Policy Details section in the admin guide to configure:
  - Policy Details
  - Group Selection
  - Compliance Check
- On the CA Policy: Create page, click DigiCert in the Certificate Authority pane on the left side of the page.
  Table 1. CA Details - Field Description
  *CA Account: The DigiCert CA accounts configured on the CA Settings screen are listed. Select a CA account from the list to create the policy.
  *Division: Select the division from the dropdown list.
  *Certificate Type: The certificate types corresponding to the selected CA account are listed. Select one or more certificate types from the list to create the policy.
  *Validity: Enter the validity period for the certificate. The available options are:
    Days: You can enter more than one validity period in days; the requester chooses one of them at certificate enrolment.
    Months: You can enter more than one validity period in months; the requester chooses one of them at certificate enrolment.
    Years: You can enter more than one validity period in years; the requester chooses one of them at certificate enrolment.
  Note: The asterisk (*) symbol indicates a mandatory field.
- In the Vendor Specific Details section, select or enter the details as listed in the table.
  Table 2. Vendor Specific Details - Field Description
  *Server Type: Select the server type from the dropdown list.
  Note: The asterisk (*) symbol indicates a mandatory field.
- Click the Add button.
  The CA details are saved to the table and a confirmation message is displayed.
- You can use the Edit option in the table to modify the configuration and the Remove option to delete it.
- In the CA Details section, select Bit Length - Key Type, ECDSA Curve, and Hash Function.
- Fill in the Certificate Parameters section based on your organization's policies and standards.
  Table 3. Certificate Parameters - Field Description
  Common Name: You can provide the common name, for example *.domain.com. It enforces the domains for which a certificate can be requested. Common Name is enforced during all certificate request operations: New, Renew, and Regenerate.
  Note: Use an asterisk (*) for the host part of the FQDN to enforce the domain. For example, *.domain.com only allows users to request certificates for hosts under domain.com. Allowed special characters: asterisk (*), hyphen (-), period (.).
  Organization: You can provide the organization's name. The discovered certificate's Subject Organization is compared against the organization provided in the policy to determine whether it is compliant. Organization is enforced during New, Renew, and Regenerate operations.
  Organization Unit: You can provide an organization unit. The discovered certificate's Subject Organization Unit is compared against the organization unit provided in the policy to determine whether it is compliant. Organization Unit is enforced during New, Renew, and Regenerate operations.
  Locality: You can provide a locality. The discovered certificate's Locality is compared against the locality provided in the policy to determine whether it is compliant. Locality is enforced during New, Renew, and Regenerate operations.
  State: You can provide a state. The discovered certificate's State is compared against the state provided in the policy to determine whether it is compliant. State is enforced during New, Renew, and Regenerate operations.
  Country Code: You can provide a country code. The discovered certificate's Country Code is compared against the country code provided in the policy to determine whether it is compliant. Country Code is enforced during New, Renew, and Regenerate operations.
  Email: You can provide an email address for the organization. The discovered certificate's email address is compared against the email address provided in the policy to determine whether it is compliant. Email is enforced during New, Renew, and Regenerate operations.
  Subject Alternative Name: You can provide the subject alternative name (SAN). It enforces additional domains for which a certificate can be requested. Subject Alternative Name is enforced during New, Renew, and Regenerate operations.
  Note: Use an asterisk (*) for the host part of the FQDN to enforce the domain. For example, *.domain.com only allows users to request certificates for hosts under domain.com. Allowed special characters: asterisk (*), hyphen (-), period (.), at sign (@).
  Note: The asterisk (*) symbol indicates a mandatory field.
- Click the Save CA Details button to save the configuration. A green tick mark is displayed against the DigiCert option in the Certificate Authority pane to indicate that the details were stored successfully.
- Click the Create Policy button to create the policy.
  The policy is created and a confirmation message is displayed.
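The matching rules behind Tables 1 to 3 are easy to get subtly wrong: a wildcard suffix check that is not anchored on a label boundary lets www.evil-domain.com through a *.domain.com policy, and a bit length or hash check that is skipped for one key type leaves a hole. The Python script below is an added example, not KUBE+ code, that models the enforcement described in those tables for a constructed policy and two constructed requests. The data classes, function names, the rule that *.domain.com covers any depth of host label under domain.com, the rule that a requested SAN may also match the Common Name pattern, and the convention that an unset subject field is not enforced are all assumptions; the page does not publish the product's exact matching logic.

```python
"""Model of CA policy enforcement (added example; not KUBE+ code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
# Characters the policy screen allows: CN gets * - . ; SAN additionally gets @.
CN_PATTERN_CHARS = re.compile(r"^[A-Za-z0-9*.\-]+$")
SAN_PATTERN_CHARS = re.compile(r"^[A-Za-z0-9*.\-@]+$")


@dataclass
class CaPolicy:                               # assumed structure
    common_name: str                          # e.g. "*.domain.com"
    sans: List[str] = field(default_factory=list)
    organization: Optional[str] = None        # None = not enforced (assumption)
    organization_unit: Optional[str] = None
    locality: Optional[str] = None
    state: Optional[str] = None
    country: Optional[str] = None
    email: Optional[str] = None
    # Key type -> allowed RSA bit lengths or ECDSA curves (Bit Length - Key Type).
    key_types: Dict[str, Set] = field(default_factory=lambda: {
        "RSA": {2048, 3072, 4096}, "ECDSA": {"P-256", "P-384"}})
    hash_functions: Set[str] = field(default_factory=lambda: {"SHA-256", "SHA-384"})
    validity_days: Set[int] = field(default_factory=lambda: {90, 365})


@dataclass
class CertRequest:                            # a New/Renew/Regenerate request
    common_name: str
    sans: List[str]
    subject: Dict[str, str]                   # keys: O, OU, L, ST, C, emailAddress
    key_type: str
    key_param: object                         # bit length for RSA, curve for ECDSA
    hash_function: str
    validity_days: int


def validate_pattern(pattern: str, is_san: bool = False) -> bool:
    """Accept only the characters the policy screen allows, with the wildcard
    restricted to the leading host (or mailbox) position and valid labels."""
    allowed = SAN_PATTERN_CHARS if is_san else CN_PATTERN_CHARS
    if not allowed.match(pattern):
        return False
    rest = pattern[1:] if pattern.startswith(("*.", "*@")) else pattern
    if "*" in rest:
        return False
    domain = rest.rpartition("@")[2].lstrip(".")
    return all(LABEL_RE.match(lbl) for lbl in domain.split("."))


def name_matches(pattern: str, name: str) -> bool:
    """Case-insensitive match of a requested name against one policy pattern.
    '*.domain.com' covers hosts under domain.com but not domain.com itself and
    not look-alikes such as evil-domain.com; '*@domain.com' covers mailboxes."""
    p, n = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if p.startswith(("*.", "*@")):
        suffix = p[1:]                        # ".domain.com" or "@domain.com"
        if not n.endswith(suffix):
            return False
        prefix = n[: -len(suffix)]            # the part the wildcard stands for
        if p.startswith("*@"):
            return prefix != "" and "@" not in prefix
        return prefix != "" and all(LABEL_RE.match(l) for l in prefix.split("."))
    return p == n


SUBJECT_FIELDS = {"organization": "O", "organization_unit": "OU", "locality": "L",
                  "state": "ST", "country": "C", "email": "emailAddress"}


def check_compliance(policy: CaPolicy, req: CertRequest) -> List[str]:
    """Return '<field>: <reason>' entries for every violation; [] means compliant."""
    v: List[str] = []
    if not name_matches(policy.common_name, req.common_name):
        v.append(f"common_name: {req.common_name!r} not covered by {policy.common_name!r}")
    san_patterns = [policy.common_name] + policy.sans
    for san in req.sans:
        if not any(name_matches(p, san) for p in san_patterns):
            v.append(f"san: {san!r} not covered by any SAN or Common Name pattern")
    for attr, key in SUBJECT_FIELDS.items():
        expected = getattr(policy, attr)
        if expected is not None and req.subject.get(key) != expected:
            v.append(f"{key}: expected {expected!r}, got {req.subject.get(key)!r}")
    allowed = policy.key_types.get(req.key_type)
    if allowed is None or req.key_param not in allowed:
        v.append(f"key: {req.key_type} {req.key_param} not allowed")
    if req.hash_function not in policy.hash_functions:
        v.append(f"hash: {req.hash_function} not allowed")
    if req.validity_days not in policy.validity_days:
        v.append(f"validity: {req.validity_days} days not one of {sorted(policy.validity_days)}")
    return v


# Constructed sample policy and requests; not real certificates.
POLICY = CaPolicy(common_name="*.domain.com", sans=["*@domain.com"],
                  organization="Example Corp", country="US")
GOOD = CertRequest("www.domain.com", ["www.domain.com", "api.domain.com", "ops@domain.com"],
                   {"O": "Example Corp", "C": "US"}, "RSA", 2048, "SHA-256", 365)
BAD = CertRequest("www.evil-domain.com", ["login.domain.com.attacker.net"],
                  {"O": "Example Corp", "C": "GB"}, "RSA", 1024, "SHA-1", 30)

if __name__ == "__main__":
    for label, req in (("good", GOOD), ("bad", BAD)):
        print(label, check_compliance(POLICY, req) or "compliant")
```

Run it and the good request comes back compliant while the bad one is rejected on every axis the policy covers: the look-alike Common Name, the SAN that merely contains domain.com as a substring, the wrong country, the 1024-bit key, SHA-1, and a 30-day validity the policy never offered. The suffix check in name_matches is anchored on the dot (or the at sign), which is the detail that matters most: an unanchored endswith("domain.com") would accept both rejected names.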