Configuring Policy for Google CA

  1. Go to (Menu) > SIGN+ > GROUPS & POLICIES > CA Policy.
    The CA Policy page is displayed.
  2. Click + Create from the top-right corner of the page.
    The CA Policy: Create page is displayed.
  3. Refer to the Configuring Policy Details section in the SIGN+ Admin Guide to configure the following:
    • Policy Details
    • Group Selection
    • Compliance Check
  4. In the CA Details section, from the Certificate Authority list on the left, select Google.
    The CA Details section is updated to display fields relevant to Google.
  5. Enter/Select the CA details.
    Table 1. Field description for CA details

    *CA Accounts
      The Google CA accounts configured in the CA settings screen are listed. Select a CA account from the list to create the policy.
    *Issuer Location
      The issuer locations corresponding to the selected CA account are listed. Select an issuer location from the list to create the policy.
    *Issuer Name
      The issuer names corresponding to the selected CA account are listed. Select an issuer name from the list to create the policy.
    *Validity
      In the Days, Month, and Year dropdown lists, enter the validity period(s) for the certificate.
      You can enter more than one validity period in days/months/years; one of the entered values is then chosen at the time of certificate enrollment.
    *Bit Length - Key Type
      From the dropdown list, select one or more bit length - key type pairs.
      The discovered certificate's key type and bit length are compared against the selected bit length - key type pair(s) to check compliance with the policy. The selected pair(s) are enforced while performing any certificate request operation such as New, Renew, or Regenerate.
    *Hash Function
      From the dropdown list, select one or more hash functions.
      The discovered certificate's key hash algorithm is compared against the selected hash function(s) to check compliance with the policy. The selected hash function(s) are enforced while performing any certificate request operation such as New, Renew, or Regenerate.
    *: Mandatory fields
  6. Enter/Select the certificate parameters.
    The certificate parameter fields displayed differ for Policy Enforcement Type = Strict and Policy Enforcement Type = Suggestive.
    Table 2. Field description for certificate parameters

    Restrict Wild Card Certificate
      Slide the toggle switch to the ON position to restrict the creation of wildcard certificates using the policy.
    Hostname
      This text field is displayed if the Policy Enforcement Type = Strict or Suggestive.
      Enter the unique name or label for the host.
      The field is mandatory only when the Policy Enforcement Type = Strict.
      Note: The hostname must not start or end with a dot.
    Allowed Domain Name
      This text field is displayed if the Policy Enforcement Type = Strict or Suggestive.
      The field is mandatory only when the Policy Enforcement Type = Strict.
      Enter the valid domain name (two parts separated by a dot, such as example.com).
    Blocked Domain Name
      This text field is displayed only if the Policy Enforcement Type = Suggestive.
      Enter the domain names (two parts separated by a dot, such as example.com) that need to be blocked.
    Common Name
      Enter the common name. For example, *.domain.com
      This enforces the domains for which a certificate can be requested. The common name is enforced at the time of performing any certificate request operation such as New, Renew, or Regenerate.
      Note: Use the * (asterisk) for the host part of the FQDN to enforce the domain. For example, *.domain.com will only allow users to request certificates for the domain domain.com. Allowed special characters: * (asterisk), - (hyphen), . (period).
    Organization
      You can provide the organization's name.
      The discovered certificate's Subject Organization is compared against the organization provided in the policy to check whether it is compliant. The organization is enforced while performing any certificate request operation such as New, Renew, or Regenerate.
    Organization Unit
      You can provide an organization unit.
      The discovered certificate's Subject Organization Unit is compared against the organization unit provided in the policy to check whether it is compliant. The organization unit is enforced while performing any certificate request operation such as New, Renew, or Regenerate.
    Locality
      You can provide a locality.
      The discovered certificate's Locality is compared against the locality provided in the policy to check whether it is compliant. The locality is enforced while performing any certificate request operation such as New, Renew, or Regenerate.
    State
      You can provide a state.
      The discovered certificate's State is compared against the state provided in the policy to check whether it is compliant. The state is enforced while performing any certificate request operation such as New, Renew, or Regenerate.
    Country code
      You can provide a country code.
      The discovered certificate's Country code is compared against the country code provided in the policy to check whether it is compliant. The country code is enforced while performing any certificate request operation such as New, Renew, or Regenerate.
    Email
      You can provide an email address.
      The discovered certificate's email address is compared against the email address provided in the policy to check whether it is compliant. The email address is enforced while performing any certificate request operation such as New, Renew, or Regenerate.
    Subject Alternative Name
      You can provide the subject alternative name (SAN).
      It enforces additional domains for which a certificate can be requested. The Subject Alternative Name is enforced while performing certificate request operations such as New, Renew, and Regenerate.
      Note: Use the * (asterisk) for the host part of the FQDN to enforce the domain. For example, *.domain.com will only allow users to request certificates for the domain domain.com. Allowed special characters: * (asterisk), - (hyphen), . (period), @ (at sign).
    *: Mandatory fields
    You can use the Edit option in the table to modify the configuration and the Remove option to delete the configuration.
  7. Click Save CA Details to save the configuration.
    A green tick mark is displayed in the Certificate Authority pane against Google to indicate the details are successfully stored.
  8. From the Group Selection section, select one or more groups to map to the policy.
  9. In the Compliance Check section, enable Perform Compliance Check to perform an immediate compliance check.
    Note: A scheduled compliance check will run periodically based on the settings defined in the job scheduler.
  10. Click the Create Policy button to create a new policy.
    The policy is created and a confirmation message is displayed.
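The compliance checks described in Tables 1 and 2 (key type and bit length, hash function, wildcard restriction, common name with * as the host part, and the subject fields), worked through as an added example that is not SIGN+ product code. The data model, the rule that * covers exactly one host label, and the sample policy and certificates are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
@dataclass
class CaPolicy:          # assumed model of the fields in Tables 1 and 2
    key_pairs: set       # allowed (key type, bit length) pairs
    hash_functions: set  # allowed hash functions
    common_name: str = ""          # e.g. "*.example.com"
    restrict_wildcard: bool = False
    subject: dict = field(default_factory=dict)  # O, OU, L, ST, C, email

@dataclass
class DiscoveredCert:    # attributes read from a discovered certificate
    key_type: str
    bit_length: int
    hash_algorithm: str
    common_name: str
    subject: dict

def name_matches_policy(pattern: str, name: str) -> bool:
    """True if the name falls within the policy's common-name pattern."""
    pattern, name = pattern.lower(), name.lower()
    if name == pattern:
        return True
    if not pattern.startswith("*."):
        return False
    # Assumption: "*" is exactly one host label (a.b.example.com does not match).
    host, sep, rest = name.partition(".")
    return sep == "." and host not in ("", "*") and rest == pattern[2:]

def check_compliance(policy: CaPolicy, cert: DiscoveredCert) -> list:
    """Return the list of policy violations; an empty list means compliant."""
    violations = []
    if (cert.key_type.upper(), cert.bit_length) not in policy.key_pairs:
        violations.append(f"key {cert.key_type}-{cert.bit_length} not allowed")
    if cert.hash_algorithm.upper() not in policy.hash_functions:
        violations.append(f"hash {cert.hash_algorithm} not allowed")
    if policy.restrict_wildcard and cert.common_name.startswith("*."):
        violations.append("wildcard certificates are restricted")
    if policy.common_name and not name_matches_policy(policy.common_name, cert.common_name):
        violations.append(f"CN {cert.common_name} outside {policy.common_name}")
    for attr, expected in policy.subject.items():  # O, OU, L, ST, C, email
        if cert.subject.get(attr) != expected:
            violations.append(f"subject {attr} is not {expected!r}")
    return violations

# Constructed sample policy and certificates (not real data).
SAMPLE_POLICY = CaPolicy({("RSA", 2048), ("RSA", 4096), ("ECDSA", 256)},
                         {"SHA256", "SHA384"}, "*.example.com", True,
                         {"O": "Example Corp", "C": "US"})
COMPLIANT = DiscoveredCert("RSA", 2048, "SHA256", "api.example.com", {"O": "Example Corp", "C": "US"})
NONCOMPLIANT = DiscoveredCert("RSA", 1024, "SHA1", "*.example.com", {"O": "Example Corp", "C": "IN"})
```

Running check_compliance on the two sample certificates yields no violations for the first and four for the second (weak key, SHA1, a wildcard name under a policy that restricts wildcards, and a mismatched country code).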