For Standard Initialization
The CA policy defines rules and templates to ensure that certificate attributes comply with the organization's standards.
To create a CA policy:
- Go to (Menu) icon > CERT+. The CERT+ left navigation pane appears.
- Click CA Policy from Groups & Policies on the left-hand pane.
- Click + Create in the command bar to configure certificate practice standards for the business unit. The Policy Details page is displayed.
- Enter the details as described:
Table 1. Field Description for Policy Details section

| Field | Description |
| --- | --- |
| *Policy Name | Enter a unique name for the certificate policy. |
| Description | Enter the policy information. |
| Policy Enforcement Type | Choose any of the options. Strict: While adding or updating the Certificate Authority (CA) connector, values provided as part of the Certificate Signing Request (CSR) information should match the values provided in the policy. If the values do not match the policy, you cannot save the CA connector details. Suggestive: While adding or updating the CA connector, values provided as part of the CSR information do not have to be an exact match to the values provided in the policy. You can modify the values provided, but the certificate is then considered to be non-compliant. |
| Certificate Requests Need Approval? | Enable proper control through appropriate approvals for various actions performed on the group of certificates to which this policy is applicable. |
| Enable Access to Private Key? | Enable the option to allow private keys of the certificates to be exported. |
| Enable certificate push-bind access for read-only user | Enable the option to allow certificate push, bind and rollback operations from the holistic view for a user who has only read permission on the certificate group. |
| Validate issuer and root certificate for compliance? | Enable the option to check whether the issuer and root of the certificate are compliant with the standard defined in the policy. |
| Email Address mandatory for Client Certificate | Enable the option to make the email address mandatory during client certificate enrollment. |

Note: Fields marked with a red asterisk (*) symbol are mandatory.

- In the CA details section, enter the following information:
Table 2. Field Description for CA details

| Field | Description |
| --- | --- |
| *CA Accounts | Select the CA account name configured during initialization. |
| Certificate Issuance From | Select Issuer Name. |
| *Issuer Location | Select a location from the dropdown list. |
| *Issuer Name | Select issuer name from the dropdown list. This field appears only on selecting Issuer Name in the Certificate Issuance From field. |
| *Validity | Enter a value and press Enter. |
| *Bit Length-Key Type | Select a value from the dropdown list. |
| *Hash Function | Select a value from the dropdown list. |

- [Optional] The Certificate parameters section can be used later to help distinguish between multiple policies within the system.
Table 3. Field Description for Certificate parameters section

| Field | Description |
| --- | --- |
| Restrict Wild Card Certificate | Enable this option to restrict wildcard certificates. |
| Host Name | Enter a host name. Host name must not start or end with a period (.). |
| Allowed Domain Names | Type a domain name and press Enter. |
| Common Name | The fully qualified domain name (FQDN) or common name that exactly matches your web browser. |
| Organization | The name of the organization requesting the certificate. |
| Organization Unit | The division of the organization requesting the certificate. |
| Locality | The location of the organization requesting the certificate. |
| State | The state in which the organization is located. |
| Country code | The country and the country code in which the organization is located. |
| Email | The email contact details of the person responsible for maintaining the certificate. |
| Subject Alternative Name | Any additional hostnames, such as alternative websites, IP addresses and so on, that have to be protected with a single SSL certificate. |

- Click Save CA Details. The added CA account is displayed in the table. You can view the CA account details, edit, or delete the CA account using the options provided.
- Under the Group selection section, select the group(s) you want to include in the policy or create a new group to which the policy must be assigned.
Note: You can search for the required group and add the frequently used keywords as favorites. Based on your selection, a compliance report is created under the dashboard for the list of certificates, along with the non-compliant parameters relevant to this policy.
- Click Create Policy.
Note: If you want to make any changes to the policy in the future, you can select the policy and make the respective changes. If you want to completely reset the policy data, click Reset beside the CA name on the right pane.
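The Strict and Suggestive enforcement types and the Certificate parameters described above amount to checking CSR values against the policy. The following Python sketch is an added example, not CERT+ code: the field names, the label-boundary domain match and the sample values are assumptions made for illustration.

```python
# Added illustration: field names and matching rules are assumptions, not CERT+ internals.
from dataclasses import dataclass, field, replace

@dataclass
class CAPolicy:
    enforcement: str                  # "strict" or "suggestive"
    key_type: str                     # Bit Length-Key Type, e.g. "RSA-2048"
    hash_function: str                # e.g. "SHA256"
    restrict_wildcard: bool = False
    allowed_domains: list = field(default_factory=list)
    subject: dict = field(default_factory=dict)  # O, OU, L, ST, C values to match

def domain_allowed(name, allowed):
    # Compare on a label boundary so "evilexample.com" never passes for "example.com".
    bare = name[2:] if name.startswith("*.") else name
    return any(bare == d or bare.endswith("." + d) for d in allowed)

def violations(policy, csr):
    """Return the CSR parameters that do not match the policy."""
    found = []
    if csr["key_type"] != policy.key_type:
        found.append("key_type")
    if csr["hash_function"] != policy.hash_function:
        found.append("hash_function")
    for name in [csr["common_name"], *csr.get("san", [])]:
        if name.startswith(".") or name.endswith("."):
            found.append("host_name:" + name)
        if policy.restrict_wildcard and "*" in name:
            found.append("wildcard:" + name)
        if policy.allowed_domains and not domain_allowed(name.strip("."), policy.allowed_domains):
            found.append("domain:" + name)
    for attr, expected in policy.subject.items():
        if csr.get("subject", {}).get(attr) != expected:
            found.append("subject." + attr)
    return found

def evaluate(policy, csr):
    """Strict: a mismatch blocks the save. Suggestive: saved, but flagged non-compliant."""
    found = violations(policy, csr)
    saved = not found or policy.enforcement != "strict"
    return {"saved": saved, "compliant": not found, "violations": found}

# Constructed sample policy and CSR values.
STRICT = CAPolicy("strict", "RSA-2048", "SHA256", restrict_wildcard=True,
                  allowed_domains=["example.com"], subject={"O": "Example Corp", "C": "US"})
SUGGESTIVE = replace(STRICT, enforcement="suggestive")
GOOD_CSR = {"key_type": "RSA-2048", "hash_function": "SHA256", "common_name": "app.example.com",
            "san": ["api.example.com"], "subject": {"O": "Example Corp", "C": "US"}}
BAD_CSR = dict(GOOD_CSR, common_name="*.evilexample.com", hash_function="SHA1")
```

Calling `evaluate(STRICT, BAD_CSR)` and `evaluate(SUGGESTIVE, BAD_CSR)` returns the same violation list; only the `saved` outcome differs, which mirrors the difference between the two enforcement types.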