Configuring Policy for Amazon CA
- Go to (Menu) > SIGN+ > GROUPS & POLICIES > CA Policy.
  The CA Policy page is displayed.
- Click + Create at the top-right of the page.
  The CA Policy :: Create page is displayed.
- Refer to the Configuring Policy Details section in the SIGN+ Admin Guide to configure the following:
  - Policy Details
  - Group Selection
  - Compliance Check
- In the CA Details section, from the Certificate Authority pane on the left, select Amazon.

  Table 1. Field description for Amazon CA Details
    Field: *CA Accounts
    Description: The Amazon CA accounts configured in the CA settings screen are listed. Select a CA account from the list to create the policy.
    *: Mandatory field
- From the CA Accounts dropdown list, select the required CA account.
- Click Add.
  The CA details are saved to the table and a confirmation message is displayed.
- From the *Bit Length - Key Type dropdown list, select one or more bit length - key type pairs.
  The discovered certificate's key type and bit length are compared against the selected bit length - key type pair(s) to check for compliance with the policy. The selected pair(s) are enforced while performing any certificate request operation such as New, Renew or Regenerate.
- From the *Hash Function dropdown list, select one or more hash functions.
  The discovered certificate's key hash algorithm is compared against the selected hash function(s) to check for compliance with the policy. The selected hash function(s) are enforced while performing any certificate request operation such as New, Renew or Regenerate.
- Enter or select the Certificate Parameters.

  Table 2. Field description for certificate parameters
    Field: Host name
    Description: Enter the host name. The host name cannot start or end with a . (period).

    Field: *Allowed Domain Names
    Description: Enter only the white-listed domain names. Press Enter after adding each domain name. Multiple domain names can be added.

    Field: Common Name
    Description: Enter the common name, for example *.domain.com. This enforces the domains for which a certificate can be requested. The common name is enforced at the time of performing any certificate request operation such as New, Renew or Regenerate.
    Note: Use the * (asterisk) for the host part of the FQDN to enforce the domain. For example, *.domain.com will only allow users to request certificates under domain.com. Allowed special characters: * (asterisk), - (hyphen), . (period).

    Field: Subject Alternative Name
    Description: Enter the subject alternative name (SAN). It enforces additional domains for which a certificate can be requested. The SAN is enforced at the time of performing any certificate request operation such as New, Renew or Regenerate.
    Note: Use the * (asterisk) for the host part of the FQDN to enforce the domain. For example, *.domain.com will only allow users to request certificates under domain.com. Allowed special characters: * (asterisk), - (hyphen), . (period).

    *: Mandatory fields
- Click the Save CA Details button to save the configuration.
  A green tick mark is displayed in the Certificate Authority pane against the Amazon option to indicate that the details have been stored successfully.
- From the Group Selection section, select one or more groups to map to the policy.
- From the Compliance Check section, to perform an immediate compliance check, enable Perform Compliance check.
  Note: A scheduled compliance check runs periodically based on the settings defined in the job scheduler.
- Click the Create Policy button to create the new policy.
  The policy is created and a confirmation message is displayed.
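The checks the policy performs in the Bit Length - Key Type, Hash Function and Certificate Parameters steps above, shown as an added, stand-alone Python example (not SIGN+ code; the policy values, certificate attributes and the rule that a leading * matches one or more host labels are assumptions for illustration):

```python
"""Illustrative CA-policy compliance check (added example, not SIGN+ code)."""
import re

# Constructed sample policy mirroring the fields on the CA Policy page.
POLICY = {
    "key_pairs": {("RSA", 2048), ("RSA", 4096), ("ECDSA", 256)},  # *Bit Length - Key Type
    "hash_functions": {"SHA256", "SHA384"},                        # *Hash Function
    "allowed_domains": {"*.domain.com", "api.example.org"},        # Allowed Domain Names / CN / SAN
}

# Only alphanumerics plus the allowed special characters * - . are accepted in a pattern.
_PATTERN_CHARS = re.compile(r"^[A-Za-z0-9*.\-]+$")


def valid_pattern(pattern: str) -> bool:
    """Reject disallowed characters and a leading or trailing period."""
    return bool(_PATTERN_CHARS.match(pattern)) and not pattern.startswith(".") and not pattern.endswith(".")


def name_matches(name: str, pattern: str) -> bool:
    """*.domain.com admits any host under domain.com (assumed: one or more labels); otherwise exact match."""
    if not valid_pattern(pattern):
        return False
    name, pattern = name.lower(), pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".domain.com"
        return name.endswith(suffix) and len(name) > len(suffix)
    return name == pattern


def check_compliance(cert: dict, policy: dict = POLICY) -> list:
    """Return the list of policy violations for a discovered certificate (empty list means compliant)."""
    violations = []
    if (cert["key_type"], cert["bit_length"]) not in policy["key_pairs"]:
        violations.append(f"key {cert['key_type']}-{cert['bit_length']} not in allowed bit length - key type pairs")
    if cert["hash_function"] not in policy["hash_functions"]:
        violations.append(f"hash {cert['hash_function']} not in allowed hash functions")
    # The common name and every SAN must be covered by at least one allowed domain pattern.
    for name in [cert["common_name"], *cert.get("sans", [])]:
        if not any(name_matches(name, p) for p in policy["allowed_domains"]):
            violations.append(f"name {name} not covered by allowed domain names")
    return violations


# Constructed discovered certificates: one compliant, one with a weak key, weak hash and a foreign SAN.
COMPLIANT_CERT = {"key_type": "RSA", "bit_length": 2048, "hash_function": "SHA256",
                  "common_name": "www.domain.com", "sans": ["mail.domain.com", "api.example.org"]}
WEAK_CERT = {"key_type": "RSA", "bit_length": 1024, "hash_function": "SHA1",
             "common_name": "www.domain.com", "sans": ["www.evil-domain.com"]}
```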