Configuring Policy for OpenTrust CA

  1. Go to menu > KUBE+ > Groups & Policies > CA Policy.
    On the CA Policy page, the configured policies are displayed, if any.
    Note: KUBE+ is packaged with two default policies, Default and Certificate-Gateway.
  2. Create a custom policy by clicking the Create button in the upper-right corner of the CA Policy page.
  3. Click + Create on the top-right of the page.

    The CA Policy: Create page is displayed.

  4. Refer to the Configure Policy Details section in the admin guide to configure:
    • Policy Details
    • Group Selection
    • Compliance Check
  5. To configure a policy with OpenTrust details, click OpenTrust in the Certificate Authority pane on the left side of the page.
    The following table describes the fields in the CA Details section.
    Field | Description
    *CA Account | The OpenTrust CA accounts configured on the CA Settings screen are listed. Select a CA account from the list to create the policy.
    *Certificate Management Profile | Select the certificate management profile from the drop-down list.
    *Zone | Select the zone from the drop-down list.
    Note: The asterisk (*) symbol indicates a mandatory field.
  6. In the Profile Parameters section, select or enter the details listed in the table.
    Field | Description
    *Common Name | Enter the common name for the policy.
    Organizational Unit | Enter the organizational unit.
    Organization | Enter the name of the organization.
    Note: The asterisk (*) symbol indicates a mandatory field.
  7. Click the Add button.
    The CA details are saved to the table and a confirmation message is displayed.
  8. You can use the Remove option to delete the configuration.
  9. In the CA Details section, select Bit Length - Key Type, ECDSA curve, and Hash Function.
    The following table describes the remaining fields in the CA Details section:
    Table 1. Field Description for Bit Length, ECDSA curve, and Hash Function
    Name | Description | Purpose
    *Bit Length - Key Type | All key types are listed with their corresponding bit lengths. You can select one or more Bit Length - Key Type entries from the drop-down. | The discovered certificate's key type and bit length are compared against the selected Bit Length - Key Type entries to identify whether it is compliant with the policy. The selected Bit Length - Key Type entries are enforced while performing any certificate request operation such as New, Renew, or Regenerate.
    *ECDSA curve | When the key type selected is EC, the ECDSA curves corresponding to the selected key type are listed. You can select one or more ECDSA curves from the drop-down. | The discovered certificate's elliptic curve is compared against the selected ECDSA curves to identify whether it is compliant with the policy. The selected ECDSA curves are enforced while performing certificate request operations such as New, Renew, and Regenerate. We recommend using the P256, P384, or P521 ECDSA curve when enrolling.
    *Hash Function | The supported hash functions are listed. You can select one or more hash functions from the drop-down. | The discovered certificate's signature hash algorithm is compared against the selected hash functions to identify whether it is compliant with the policy. The selected hash functions are enforced while performing any certificate request operation such as New, Renew, or Regenerate.
    Note: The asterisk (*) symbol indicates a mandatory field.
  10. Fill in the Certificate Parameters section according to your organization's policies and standards.
    The following table describes the fields in the Certificate Parameters section:
    Table 2. Certificate Parameters - Field Description Table
    Name | Description

    Common Name
    You can provide the common name, for example *.domain.com.
    It helps enforce the domains for which a certificate can be requested. The common name is enforced while performing any certificate request operation such as New, Renew, or Regenerate.
    Note: Use an asterisk (*) for the host part of the FQDN to enforce the domain. For example, *.domain.com only allows users to request certificates under domain.com. Allowed special characters: asterisk (*), hyphen (-), period (.).

    Organization
    You can provide the organization's name.
    The discovered certificate's Subject Organization is compared against the organization provided in the policy to identify whether it is compliant. The organization is enforced while performing any certificate request operation such as New, Renew, or Regenerate.

    Organization Unit
    You can provide an organization unit.
    The discovered certificate's Subject Organization Unit is compared against the organization unit provided in the policy to identify whether it is compliant. The organization unit is enforced while performing any certificate request operation such as New, Renew, or Regenerate.

    Locality
    You can provide a locality.
    The discovered certificate's Locality is compared against the locality provided in the policy to identify whether it is compliant. The locality is enforced while performing any certificate request operation such as New, Renew, or Regenerate.

    State
    You can provide a state.
    The discovered certificate's State is compared against the state provided in the policy to identify whether it is compliant. The state is enforced while performing any certificate request operation such as New, Renew, or Regenerate.

    Country code
    You can provide a country code.
    The discovered certificate's Country code is compared against the country code provided in the policy to identify whether it is compliant. The country code is enforced while performing any certificate request operation such as New, Renew, or Regenerate.

    Email
    You can provide an organization unit email address.
    The discovered certificate's email address is compared against the email address provided in the policy to identify whether it is compliant. The email address is enforced while performing any certificate request operation such as New, Renew, or Regenerate.

    Subject Alternative Name
    You can provide the subject alternative name (SAN).
    It helps enforce additional domains for which a certificate can be requested. The subject alternative name is enforced while performing certificate request operations such as New, Renew, and Regenerate.
    Note: Use an asterisk (*) for the host part of the FQDN to enforce the domain. For example, *.domain.com only allows users to request certificates under the domain domain.com. Allowed special characters: asterisk (*), hyphen (-), period (.), at sign (@).

    Note: The asterisk (*) symbol indicates a mandatory field.
  11. Click the Save CA Details button to save the configuration. A green tick mark is displayed in the Certificate Authority pane against the OpenTrust option to indicate that the details were stored successfully.
  12. Click the Create Policy button to create the new policy.
  13. The policy is created and a confirmation message is displayed.
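The compliance comparison that steps 9 and 10 describe, as an added Python example (not KUBE+ code): the policy values, the attribute names and the discovered-certificate records are constructed for illustration, and reading the host-part asterisk as exactly one DNS label is an assumption.

```python
import re

# Constructed policy mirroring the CA Details / Certificate Parameters fields
# of the procedure above (hypothetical values, not KUBE+ defaults).
POLICY = {
    "key_types": {("RSA", 2048), ("RSA", 4096), ("EC", 256)},  # Bit Length - Key Type
    "ecdsa_curves": {"P-256", "P-384"},
    "hash_functions": {"SHA256", "SHA384"},
    "common_name": "*.example.com",
    "subject": {"O": "Example Corp", "OU": "Platform", "C": "US"},
    "san": "*.example.com",
}
CN_CHARS = re.compile(r"^[A-Za-z0-9*.\-]+$")    # policy allows * - .
SAN_CHARS = re.compile(r"^[A-Za-z0-9*.\-@]+$")  # policy additionally allows @

def name_matches(pattern, name, allowed=CN_CHARS):
    """'*' stands in for exactly one host label (assumed): '*.example.com'
    accepts 'api.example.com' but not 'example.com' or 'api.example.com.evil.net'."""
    if not allowed.match(pattern):
        raise ValueError(f"policy pattern has disallowed characters: {pattern!r}")
    regex = re.escape(pattern.lower()).replace(r"\*", "[a-z0-9-]+")
    return re.fullmatch(regex, name.lower()) is not None

def check_compliance(policy, cert):
    """Compare a discovered certificate's attributes against the policy as
    steps 9 and 10 describe; returns a list of findings (empty = compliant)."""
    findings, subj = [], cert["subject"]
    if (cert["key_type"], cert["bit_length"]) not in policy["key_types"]:
        findings.append(f"key {cert['key_type']}-{cert['bit_length']} not allowed")
    if cert["key_type"] == "EC" and cert.get("curve") not in policy["ecdsa_curves"]:
        findings.append(f"ECDSA curve {cert.get('curve')} not allowed")
    if cert["hash_function"] not in policy["hash_functions"]:
        findings.append(f"hash function {cert['hash_function']} not allowed")
    if not name_matches(policy["common_name"], subj["CN"]):
        findings.append(f"CN {subj['CN']} outside {policy['common_name']}")
    for field, expected in policy["subject"].items():
        if subj.get(field) != expected:
            findings.append(f"subject {field}={subj.get(field)!r}, policy requires {expected!r}")
    for san in cert.get("sans", []):
        if not name_matches(policy["san"], san, SAN_CHARS):
            findings.append(f"SAN {san} outside {policy['san']}")
    return findings

# Constructed discovered-certificate records (not real scan output).
COMPLIANT_CERT = {"key_type": "EC", "bit_length": 256, "curve": "P-256", "hash_function": "SHA256",
    "subject": {"CN": "api.example.com", "O": "Example Corp", "OU": "Platform", "C": "US"},
    "sans": ["api.example.com", "www.example.com"]}
NONCOMPLIANT_CERT = {"key_type": "RSA", "bit_length": 1024, "hash_function": "SHA1",
    "subject": {"CN": "example.com", "O": "Example Corp", "OU": "Platform", "C": "US"},
    "sans": ["login.example.com.evil.net"]}
```

Running `check_compliance(POLICY, NONCOMPLIANT_CERT)` reports four findings (weak key, SHA1, a bare-domain CN and a SAN outside the enforced domain), while the compliant record yields an empty list.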