GlobalSign MSSL CA

Configuring GlobalSign MSSL CA

To configure the GlobalSign MSSL CA:

  1. Go to menu > KUBE+ > CLUSTER PKI > Certificate Authority.
  2. Click the +Add icon on the top right of the page.
  3. Select the GlobalSign in the left side vendor list, and then click the GlobalSign MSSL tab.
  4. Update the following details in the General Information section as described in the table.
    Table 1. General Information - Field and Description Table
    Name Description
    *CA Account name A unique name to identify the CA setting.

    No special characters other than ‘.’, ‘-’,’_’ are allowed. The name should not start with special characters.
    *Purpose/Usage Certificate Type for which CLM actions will be enabled. For example, server and clients
    Proxy Required Enable this field if the CA communication needs to happen via Proxy. The proxy details configured in general settings will be used for communication.
    Data Center (AppViewX's CA agent) Select the data center through which the CA communication needs to happen.
    *: Mandatory fields
  5. Update the following details in the CA Configuration section as described in the table.:
    Table 2. CA Configuration Section - Field and Description Table
    Options Description
    *SSL URL Base URL of the SSL API
    *User Name Provide a username of the GCC to communicate with the CA.
    *Password Provide a password for the GCC to communicate with the CA.
    *: Mandatory fields
  6. Once all the details are configured, click Save.
  7. In GlobalSign MSSL, we can now fetch profiles and domains by clicking on the Fetch Profiles and Domain button.
    Note: The supported CSR key types are RSA 2048-8192, ECC P-256, ECC P-384 .

Validating GlobalSign MSSL

Once the GlobalSign settings are added, validation needs to be done to check whether the connection between AppViewX and GlobalSign is properly configured.

  1. Go to menu > KUBE+ > CLUSTER PKI > Certificate Authority
  2. Select the GlobalSign in the left side vendor list, and then click the GlobalSign MSSL tab.
  3. Click Check to validate the CA setting that is created.
  4. CA communication will be validated and the Connection Status will be shown as either Success or Failure.

Limitations

Case/Ticket number Fix Description
CA Setting Update

Users need to click on the Cancel button once the MSSL domain/profile. ID details are fetched from the GlobalSign MSSL account.

If the user clicks the Update button, MSSL domain/profile ID details will be removed from the associated policy. The steps to follow to update CA settings are as follows:

  1. On the GlobalSign MSSL CA settings page, after adding/editing values, click the Update button.

  2. Navigate back to updated CA settings and click the Fetch Profiles and Domain button.

  3. Click the Cancel button instead of Update to bypass the existing issue.
Default CA policy mapping The default CA policy is defined with all available values selected and validity data is mapped based on commonly used validity. Hence, it will not have values equivalent to API documents or CA portals. This can be modified or updated in the application accordingly to the default CA policy if changes are required.
Email Address The email address provided in the email address field on the enrollment page is not considered as the primary email value during CLM actions, instead, the email address field defined in the contact information of the logged-in user will be used. The help info message besides the Email address field on enroll/edit page is as – “If the user email address is configured, that will be used for GlobalSign CA approval actions. If the user email is not configured, then the email address provided in this field will be used" - the second part is not valid anymore.