Configuring Policy for GlobalSign MSSL CA

  1. Go to menu > KUBE+ > Groups & Policies > CA Policy
    On the CA Policy page, the configured policies are displayed, if any.
    Note: KUBE+ is packaged with two default policies: Default and Certificate-Gateway.
  2. Click the + Create button to configure a GlobalSign MSSL-based policy.
  3. Refer to the Configure Policy Details section in the admin guide to configure:
    • Policy Details section
    • Group Selection section
    • Compliance Check section
  4. On the CA Policy: Create page, click GlobalSign MSSL in the Certificate Authority pane on the left side of the screen.

    The following table describes the fields in the CA Details section:

    Table 1. CA Details - Field Description Table
    Name | Type | Mandatory | Description | Validation
    CA Accounts | Select | Yes | The GlobalSign MSSL CA accounts configured on the CA Settings screen are listed. Select a CA account from the list to create the policy. | NA
    Product Type | Select | Yes | All Managed SSL product types require that the organization's information and at least one domain be registered in the Managed SSL account prior to ordering. | NA
    Signature Algorithm | Select | Yes | Select the signature algorithm from the drop-down list. | NA
    MSSL Profile Allowed Domain Name | Select | Yes | Select the MSSL Profile Allowed Domain Name from the drop-down list. | NA
    Validity | Text | Yes | Provide the value and press Enter. Enforces the certificate validity period for the selected certificate type. The certificate validity of the GlobalSign MSSL CA is expressed in Day(s) and Year(s). One or more validity periods can be added. | NA
    Note: The asterisk (*) symbol indicates a mandatory field.
  5. Select the CA Account, Product Type, Signature Algorithm, and MSSL Profile Allowed Domain Name under the CA Details section, and provide the Validity period.
  6. Click the Add button. The CA details are saved to the table and a confirmation message is displayed.
  7. Use the Edit option in the table to modify the configuration and the Remove option to delete it.

    The following table describes the Bit Length and ECDSA Curve fields in the CA Details section:

    Table 2. Field Description for Bit Length and ECDSA Curve
    Name | Type | Mandatory | Description | Purpose
    Bit Length - Key Type | Multi select | Yes | All key types are listed with their corresponding bit lengths. You can select one or more Bit Length - Key Type entries from the drop-down. | The discovered certificate's key type and bit length are compared against the selected Bit Length - Key Type entries to determine whether it is compliant with the policy. The selected Bit Length - Key Type entries are also enforced while performing any certificate request operation such as New, Renew, or Regenerate.
    ECDSA Curve | Multi select | Yes | The ECDSA curve values are auto-populated once the details are configured/selected and the Add button is clicked. | A discovered certificate's elliptic curve is compared against these values to determine whether it is compliant. The selected curves are also enforced while performing certificate request operations such as New, Renew, and Regenerate. We recommend using the P256, P384, or P521 ECDSA curve when enrolling for a certificate.
    Note: The asterisk (*) symbol indicates a mandatory field.
  8. Select the Bit Length - Key Type, ECDSA Curve, and Hash Function under the CA Details section.

    The following table describes the fields in the Certificate Parameters section:

    Table 3. Certificate Parameters - Field Description Table
    Name | Type | Mandatory | Description | Validation
    Host Name | Text | No | You can provide the hostname. | The hostname should not start or end with a dot (.)
    Common Name | Text | No | You can provide the common name, for example *.domain.com. It enforces the domains for which a certificate can be requested. Common Name is enforced while performing any certificate request operation such as New, Renew, or Regenerate. | Use an asterisk (*) for the host part of the FQDN to enforce the domain. For example, *.domain.com only allows users to request certificates under domain.com. Allowed special characters: Asterisk (*), Hyphen (-), Period (.)
    Organization | Text | No | You can provide the organization name. The discovered certificate's Subject Organization is compared against the organization provided in the policy to determine whether it is compliant. Organization is enforced while performing any certificate request operation such as New, Renew, or Regenerate. | NA
    Organization Unit | Text | No | You can provide an organizational unit. The discovered certificate's Subject Organizational Unit is compared against the organizational unit provided in the policy to determine whether it is compliant. Organization Unit is enforced while performing any certificate request operation such as New, Renew, or Regenerate. | NA
    Locality | Text | No | You can provide a locality. The discovered certificate's Locality is compared against the locality provided in the policy to determine whether it is compliant. Locality is enforced while performing any certificate request operation such as New, Renew, or Regenerate. | NA
    State | Text | No | You can provide a state. The discovered certificate's State is compared against the state provided in the policy to determine whether it is compliant. State is enforced while performing any certificate request operation such as New, Renew, or Regenerate. | NA
    Country code | Text | No | You can provide a country code. The discovered certificate's Country code is compared against the country code provided in the policy to determine whether it is compliant. Country code is enforced while performing any certificate request operation such as New, Renew, or Regenerate. | NA
    Email | Text | No | You can provide the organization unit's email address. The discovered certificate's email address is compared against the email address provided in the policy to determine whether it is compliant. Email address is enforced while performing any certificate request operation such as New, Renew, or Regenerate. | NA
    Subject Alternative Name | Text Area | No | You can provide the subject alternative names (SANs). They enforce the additional domains for which a certificate can be requested. Subject Alternative Name is enforced while performing certificate request operations such as New, Renew, and Regenerate. | Use an asterisk (*) for the host part of the FQDN to enforce the domain. For example, *.domain.com only allows users to request certificates under domain.com. Allowed special characters: Asterisk (*), Hyphen (-), Period (.), At (@)
    Note: The asterisk (*) symbol indicates a mandatory field.
  9. You can fill in the Certificate parameters section based on your organization's policies and standards.
  10. Click the Save CA Details button to save the configuration. A green tick mark is displayed in the Certificate Authority pane against the GlobalSign MSSL option to indicate that the details were stored successfully.
  11. Click the Create Policy button to create the policy.
  12. The policy is created and a confirmation message is displayed.