Configuring Policy for Amazon Private CA

Prerequisites:
  • You must configure the CA setting with Amazon Private CA credentials.
  • You must have validated and fetched the Amazon Intermediate CAs along with the issuer region details in the CA settings page.
  1. Go to (Menu) > SIGN+ > GROUPS & POLICIES > CA Policy.
    The CA Policy page is displayed.
  2. Click + Create from the top-right corner of the page.
    The CA Policy :: Create page is displayed.
  3. Refer to the Configuring Policy Details section in the SIGN+ Admin Guide to configure the following:
    • Policy Details
    • Group Selection
    • Compliance Check
  4. In the CA Details section, from the Certificate Authority list on the left, select Amazon Private CA.
    The CA Details section is updated to display fields relevant to Amazon Private CA.
  5. Enter/Select the policy details for Amazon Private CA.
    Table 1. Field description to create CA policy for Amazon Private CA

    *CA Accounts
      From the dropdown list, select the certificate authority account.

    *Issuer Region
      From the dropdown list, select the issuer region.

    *Issuer Name
      From the dropdown list, select the issuer name.

    *Validity
      In the Days, Month, and Year dropdown lists, enter the validity period(s) for the certificate.

      You can enter more than one validity period in days/months/years; one of the entered values is then chosen at the time of certificate enrollment.

    *Bit Length - Key Type
      All the key types are listed with their corresponding bit length. You can select one or more bit length - key type pairs from the dropdown list.

      The discovered certificate's key type and bit length will be compared against the selected bit length - key type pair(s) to check for compliance with the policy.

      The selected bit length - key type pair(s) are enforced while performing any certificate request operations such as new, renew, and regenerate. Amazon Private CA supports the following key types and lengths:
        RSA: 2048, 4096
        EC: prime256v1, secp384r1

    *Hash Function
      From the dropdown list, select one or more supported hash functions. The supported hash functions are:
      • SHA256
      • SHA384
      • SHA512

    *Signature Algorithm
      From the dropdown list, select the required signature algorithm.
      Note: The issuing CA uses the signature algorithm selected in this field when it signs the certificate.

    *: Mandatory fields
  6. Enter/Select the certificate parameter values.
    Table 2. Field description for certificate parameters

    Restrict Wild Card Certificate
      Slide the toggle switch to the ON position to restrict the creation of wildcard certificates using the policy.

    Host name
      Enter the host name.

      The host name cannot start or end with a . (period).

    *Allowed Domain Names
      Enter only the white-listed domain names.

      Press Enter after adding each domain name. Multiple domain names can be added.

    Common Name
      Enter the common name, for example *.domain.com.

      This enforces the domains for which a certificate can be requested. The common name is enforced at the time of performing any certificate request operations such as New, Renew, and Regenerate.

      Note: Use the * (asterisk) for the host part of the FQDN to enforce the domain. For example, *.domain.com will only allow users to request certificates with domain.com as the domain. Allowed special characters: * (asterisk), - (hyphen), . (period).

    Organization
      Enter the organization name.

      The discovered certificate's subject organization will be compared against the organization provided in the policy to check for compliance. The organization is enforced at the time of performing any certificate request operations such as New, Renew, and Regenerate.

    Organization Unit
      Enter the organization unit.

      The discovered certificate's subject organization unit will be compared against the organization unit provided in the policy to check for compliance. The organization unit is enforced at the time of performing any certificate request operations such as New, Renew, and Regenerate.

    Locality
      Enter the locality name.

      The discovered certificate's locality will be compared against the locality provided in the policy to check for compliance. The locality is enforced at the time of performing any certificate request operations such as New, Renew, and Regenerate.

    State
      Enter the state.

      The discovered certificate's state will be compared against the state provided in the policy to check for compliance. The state is enforced at the time of performing any certificate request operations such as New, Renew, and Regenerate.

    Country code
      Enter the country code.

      The discovered certificate's country code will be compared against the country code provided in the policy to check for compliance. The country code is enforced at the time of performing any certificate request operations such as New, Renew, and Regenerate.

    Email
      Enter the email address of the organization unit.

      The discovered certificate's email address will be compared against the email address provided in the policy to check for compliance. The email address is enforced at the time of performing any certificate request operations such as New, Renew, and Regenerate.

    Subject Alternative Name
      Enter the subject alternative name (SAN). It enforces additional domains for which a certificate can be requested. The SAN is enforced at the time of performing any certificate request operations such as New, Renew, and Regenerate.

      Note: Use the * (asterisk) for the host part of the FQDN to enforce the domain. For example, *.domain.com will only allow users to request certificates with domain.com as the domain. Allowed special characters: * (asterisk), - (hyphen), . (period).

    *: Mandatory fields
  7. Click Save CA Details.
    A green tick mark is displayed in the Certificate Authority pane against Amazon Private CA to indicate that the details are successfully stored.
  8. From the Group Selection section, select one or more groups to map to the policy.
  9. From the Compliance Check section, to perform an immediate compliance check, enable Perform Compliance check.
    Note: A scheduled compliance check will run periodically based on the settings defined in the job scheduler.
  10. Click Create Policy.
    The policy is created and a confirmation message is displayed.
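The compliance comparison described in Tables 1 and 2 (key type and bit length, hash function, wildcard restriction, enforced common name and SAN domain, subject fields) can be expressed as a small checker. This is an added example, not code from SIGN+ or Amazon Private CA; the policy values, the discovered-certificate dicts and the rule that the asterisk stands for exactly one host label are assumptions of the example.

```python
import re

# Constructed CA policy carrying the fields of Table 1 and Table 2 on this page;
# the values are sample data for this example, not product defaults.
POLICY = {
    "key_pairs": {("RSA", 2048), ("RSA", 4096), ("EC", "prime256v1"), ("EC", "secp384r1")},
    "hash_functions": {"SHA256", "SHA384", "SHA512"},
    "restrict_wildcard": True,                    # Restrict Wild Card Certificate toggle ON
    "common_name": "*.example.com",               # assumption: * covers exactly one host label
    "subject_alternative_name": "*.example.com",
    "subject": {"O": "Example Corp", "OU": "Security", "C": "US"},
}

def valid_name_pattern(pattern):
    """Allowed characters are letters, digits, * - and .; no leading/trailing period."""
    ok_chars = re.fullmatch(r"[A-Za-z0-9*.-]+", pattern) is not None
    return ok_chars and not (pattern.startswith(".") or pattern.endswith("."))

def name_matches(pattern, name):
    """Match a certificate name against a policy pattern such as *.example.com."""
    regex = re.escape(pattern).replace(r"\*", r"[A-Za-z0-9-]+")
    return re.fullmatch(regex, name, re.IGNORECASE) is not None

def check_compliance(policy, cert):
    """Return the policy violations for a discovered certificate; [] means compliant."""
    violations = []
    if (cert["key_type"], cert["key_length"]) not in policy["key_pairs"]:
        violations.append("key type/bit length not allowed by policy")
    if cert["hash_function"] not in policy["hash_functions"]:
        violations.append("hash function not allowed by policy")
    cn = cert["common_name"]
    if policy["restrict_wildcard"] and cn.startswith("*."):
        violations.append("wildcard certificate restricted by policy")
    elif not name_matches(policy["common_name"], cn):
        violations.append("common name outside enforced domain")
    for san in cert["sans"]:
        if not name_matches(policy["subject_alternative_name"], san):
            violations.append(f"SAN {san} outside enforced domain")
    for attr, expected in policy["subject"].items():
        if cert["subject"].get(attr) != expected:
            violations.append(f"subject {attr} does not match policy")
    return violations

# Constructed discovered certificates: one compliant, one with several violations.
GOOD_CERT = {"key_type": "RSA", "key_length": 2048, "hash_function": "SHA256",
             "common_name": "www.example.com", "sans": ["api.example.com"],
             "subject": {"O": "Example Corp", "OU": "Security", "C": "US"}}
BAD_CERT = {"key_type": "RSA", "key_length": 1024, "hash_function": "SHA1",
            "common_name": "*.example.com", "sans": ["login.other.example"],
            "subject": {"O": "Example Corp", "OU": "IT", "C": "US"}}
```

Running check_compliance(POLICY, BAD_CERT) reports five violations (key length, hash, wildcard, out-of-domain SAN, OU), while GOOD_CERT returns an empty list.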