Configuring a CA Policy for Futurex

  1. Go to menu > KUBE+ > Groups & Policies > CA Policy.
    On the CA Policy page, the configured policies are displayed, if any.
    Note: KUBE+ is packaged with default policies they are Default and Certificate-Gateway.
  2. Click + Create from the top-right corner of the page.
    The CA Policy : Create page is displayed.
  3. Enter/Select the Policy Details.
    These details define the rules and templates for a certificate policy to ensure that certificate attributes are in compliance with the organization.
    Table 1. Field description for Policy Details
    Fields Description
    *Policy name Enter a unique name for the CA policy.
    Constraints:
    • Only the following special characters are considered valid: ., -, and _.
    • The policy name cannot start with a special character (including the valid ones).
    Description Enter additional details related to the rules and guidelines enforced by the policy.
    Policy Enforcement Type The policy enforcement type defines whether users can modify the policy parameters.
    Depending on your requirement, select one from the following values:
    • Strict: This selection will enforce the standards defined in the policy, not allowing users to modify any parameters.
    • Suggestive: This selection will suggest policy parameters, allowing the user to modify the suggested values as required.
    Certificate Requests Need Approval To enforce peer approval process for any certificate requests raised, turn on the Certificate Requests Need Approval toggle.

    All CLM actions, such as certificate creation/renewal/regeneration/reissue/revocation, will now be executed after due approval is received.

    Peer approval for requests is defined in the approval workflow.
    Enable Access to Private Key To allow the user to download private keys from the holistic view and the certificate inventory, turn on the Enable Access to Private Key toggle..
    Enable certificate push-bind access for a read-only user To allow users with only read-only access to perform the certificate push, bind, and rollback operations from the holistic view, turn on the Enable certificate push-bind access for a read-only user toggle.
    Validate issuer and root certificate for compliance? To validate the issuer and root of a certificate for compliance with the policy standards, enable the Validate issuer and root certificate for compliance? toggle.
    Email Address mandatory for Client Certificate At the time of client certificate enrollment, to set the email address field as mandatory, turn on the Email Address mandatory for Client Certificate toggle.
    Note: This feature is not applicable for SwissSign CA.
    Enable Public Key Validation during CSR Upload? To validate the public key included in the CSR uploaded for certificate enrollment, renewal, regenerate, or reissuance, turn on the Enable Public Key Validation during CSR Upload?.
    *: Mandatory fields
  4. In the CA Details section:
    1. From the Certificate Authority list on the left, select Futurex.
      The section is updated to display the fields required to configure a Futurex policy.
    2. Enter/Select the CA details.
      Table 2. Field description for CA Details
      Fields Description
      *CA Accounts From the dropdown list, select the CA account names of the CA settings that will be mapped to this policy.
      *Issuance Policy From the dropdown list, select one from the list of issuance policies retrieved for the CA account name selected above.

      The issuance policy selected defines the set of rules and conditions under which certificates can be issued using this policy. This may include constraints like key length, usage, subject naming, and validity period.
      *Root CA From the dropdown list, select the root CA for this certificate.

      This is the trusted root certificate authority that anchors the certificate chain. All issued certificates will ultimately chain up to this root.
      *Signing CA From the dropdown list, select the Certificate Authority that will sign the requested certificate.
      *Validity Using the Days, Months, and Years dropdown lists, select a validity period for the certificate.

      Days: You can enter more than one validity period in days, to choose one in certificate enrolment.

      Months: You can enter more than one validity period in Months, to choose one in certificate enrolment.

      Year: You can enter more than one validity period in Year, to choose one in certificate enrolment.
      *Bit Length - Key Type From the *Bit Length - Key Type dropdown list, select the required bit length- key type pair(s).

      The discovered certificates' key type and bit length will be compared against the selected bit length- key type pair(s) to check for compliance with the policy. The selected bit length- key type pair(s) is enforced while performing any certificate request operations.
      *Hash Function From the dropdown list, select one (or more) hash functions.

      The discovered certificates' key hash algorithm will be compared against the selected hash function to check for compliance with the policy. The selected hash function(s) is/are enforced while performing any certificate request operations.
      *: Mandatory fields
    3. Click Add.
      The CA details are added to the table below the Add button and a confirmation message is displayed.
      Note: You can use the Edit option in the table to modify the configuration and the Remove option to delete the configuration.
    4. Enter/Select the Certificate Parameters for the policy.
      The parameters of a discovered certificate will be compared the values entered in this section to assess its compliance with this policy.
      Table 3. Field description for CA Details
      Fields Description
      Restrict Wild Card Certificate To restrict the creation of wild card certificates using this policy, turn on the Restrict Wild Card Certificate toggle.

      A wildcard certificate is a type of SSL/TLS certificate that secures a domain and all its subdomains using a single certificate. This could possess a security risk considering that if this certificate is compromised, all its subdomains become vulnerable.
      Host Name Enter a host name that will be used to identify the domain secured by the certificate.
      Constraints:
      • The host name cannot start and end with a . (period).
      • If a host name is not specified here, the user is allowed to enter a host name of their choice at the time for creating certificate requests for CLM actions.
      Allowed Domain Names Enter the domain names that must be whitelisted for this policy.

      Multiple domain names can entered, separated by the Enter key.

      If this field is left blank, by default, all domains will be whitelisted for the CLM actions that use this policy.
      Blocked Domain Names Enter the domain names that must be blacklisted for this policy.

      Multiple domain names can entered, separated by the Enter key.

      If this field is left blank, by default, all domains will be blacklisted for the CLM actions that use this policy.
      Common Name Enter the common name. For example, *.domain.com

      This enforces domains for which a certificate can be requested. The common name is enforced at the time of performing any certificate request operations such as New, Renew, and Regenerate.

      Note: Use the * (asterisk) for the host part of the FQDN to enforce the domain. For example, *.domain.com will only allow users to request certificates with domain.com. Allowed special characters: *(Asterisk), - (hyphen), . (period).
      Organization Enter the organization name.

      The discovered certificates' Subject Organization is checked for compliance with this value. The organization name is enforced while performing any certificate request operations.
      Organization Unit Enter the name of the business unit of the organization.

      The discovered certfiicates' Subject Organization Unit is checked for compliance with this value. The organization unit name is enforced while performing any certificate request operations.
      Locality Enter the organization's locality name.

      The discovered certfiicates' Locality is checked for compliance with this value. The locality name is enforced while performing any certificate request operations.
      State Enter the name of the state in which the organization is located.

      The discovered certfiicates' State is checked for compliance with this value. The state name is enforced while performing any certificate request operations.
      Country code Enter the organization's country code.

      The discovered certfiicates' Country Code is checked for compliance with this value. The state name is enforced while performing any certificate request operations.
      Email Enter the organization unit's official email address.

      The email address specified for the discovered certfiicates' is checked for compliance with this value. The value is enforced while performing any certificate request operations.
      Subject Alternative Name Enter the subject alternative name (SAN) applicable for this policy. The SAN helps enforce additional domains for which a certificate can be requested. It is enforced at the time of performing certificate request operations.
      Note: Use the * (asterisk) for the host part of the FQDN to enforce the domain. For example, *.domain.com will only allow users to request certificates with domain.com. Allowed special characters: *(Asterisk), - (hyphen), . (period)
      *: Mandatory fields
    5. Click Save CA Details.
      A green tick mark is displayed in the Certificate Authority list against Futurex to indicate that the details are successfully stored.
  5. Under the Group selection section, select one or more groups to map to the policy.
  6. Under the Compliance Check section, to perform an immediate compliance check, enable Perform Compliance check.
  7. Click Create Policy.
    The policy is created and a confirmation message is displayed.