Adding organizations and departments

Add an organization or department

Organization

  1. Navigate to Organizations.

  2. Click the Add icon.

  3. In the Add New Organization dialog, complete the fields based on the information provided in the following table.

    Field Description

    Organization Name

    The name of the organization.

    Secondary Organization Name

    An alternative or extended name for the organization.

    Alias

    During SAML authentication, the Alias attribute is compared with matching IdP attribute values to determine the organization(s) or department(s) the administrator can access.

    Contact emails

    Additional email addresses to be included as recipients of reports and notifications that are configured to include organization contacts as recipients.

    Address 1, 2, 3

    The street address of the organization.

    City

    The city in which the organization resides.

    State/Province

    The state or province in which the organization resides.

    Postal Code

    The postal code of the organization's address.

    Country

    The country in which the organization resides.

    Organization Identifier

    The legal person identifier of the organization, expressed using one of the identity type references permitted by the ETSI 319 412-1 standards and requirements.

  4. Click Next.

  5. Complete the certificate settings based on the information provided in the following table.

    Field Description

    General

    Password Policy

    When configured, certificate and enrollment passwords in the organization must adhere to the rules outlined in the selected policy.

    SSL Certificates

    Synchronize Expiration Date

    When configured, SSL certificates issued to the organization will expire on the specified day and, optionally, month.

    Expiration occurs on the specified synchronization date closest to, and prior to, the expiry date determined by the certificate term selected on the certificate application form.

    The expiry date of certificates that have already been issued does not change but synchronized expiration is inherited upon renewal.

    Enable Web/REST API

    When enabled, applicants can enroll through the Web Service API for SSL certificates managed by the organization.

    This option is only available if enabled for your account. For more information, contact your Sectigo account manager.

    Make External Requester Mandatory

    When enabled, the External Requester field becomes mandatory on all enrollment forms for SSL certificates managed by the organization.

    External requesters are additional email addresses included in the certificate that can be used for notifications. The field can be restricted to accept only email addresses matching a custom regular expression.

    This option prevents SSL certificate enrollment via MS Agent.

    Client Certificates

    Enable Web/REST API

    When enabled, applicants can enroll through the Web Service API for client certificates managed by the organization.

    This option is only available if enabled for your account. For more information, contact your Sectigo account manager.

    Default Profile

    When configured, the selected certificate profile is used during SOAP API enrollment for client certificates managed by the organization.

    Intune Certificate Exporter

    When configured, copies of client certificates and their accompanying private keys stored in Sectigo Key Vault can also be exported to MS Intune.

    Allow Key Recovery by Master Administrators

    When enabled, MRAO administrators can recover the private keys of client certificates issued by this organization. Before client certificates can be issued, an MRAO administrator must generate an MRAO key pair on the Legacy Key Encryption page. The public key is then used to encrypt each new client certificate before it is securely stored. The private key may be provided to other MRAO administrators and used to recover the private keys of client certificates.

    This option can only be enabled when an organization is first created, after which it can only be disabled.

    Allow Key Recovery by Organization Administrators

    When enabled, RAO administrators can recover the private keys of client certificates issued by this organization. Before client certificates can be issued, an RAO administrator must generate an RAO key pair on the Legacy Key Encryption page. The public key is then used to encrypt each new client certificate before it is securely stored. The private key may be provided to other RAO administrators and used to recover the private keys of client certificates.

    This option can only be enabled when an organization is first created, after which it can only be disabled.

    Allow Principal Name

    When enabled, client certificates may include a principal name in addition to the RFC822 name in the Subject Alternative Name (SAN) field.

    By default, the principal name is the primary email address of the end-user to whom the certificate is issued.

    Allow Principal Name Customization

    When enabled, you can configure the principal name to use something other than the primary email address of the end-user to whom the certificate is issued.

    Code Signing Certificates

    Enabled

    When enabled, code signing certificates can be issued to applicants associated with this organization.

    Device Certificates

    Default profile

    When configured, the selected certificate profile is used during SOAP API enrollment for device certificates managed by the organization.

  6. Click Save.

Department

  1. Navigate to Organizations.

  2. Select the organization for which to add a department.

  3. Click Add Department.

  4. In the Add New Department dialog, complete the fields based on the information provided in the following table.

    Field Description

    Department Name

    The name of the department.

    Secondary Organization Name

    An alternative or extended name for the department.

    Alias

    During SAML authentication, the Alias attribute is compared with matching IdP attribute values to determine the organization(s) or department(s) the administrator can access.

    Contact emails

    Additional email addresses to be included as recipients of reports and notifications that are configured to include organization contacts as recipients.

    The complete address and Organization Identifier are inherited from the parent organization.

  5. Click Next.

  6. Complete the certificate settings based on the information provided in the following table.

    Field Description

    General

    Password Policy

    When configured, certificate and enrollment passwords in the department must adhere to the rules outlined in the selected policy.

    SSL Certificates

    Synchronize Expiration Date

    When configured, SSL certificates issued to the department will expire on the specified day and, optionally, month.

    Expiration occurs on the specified synchronization date closest to, and prior to, the expiry date determined by the certificate term selected on the certificate application form.

    The expiry date of certificates that have already been issued does not change but synchronized expiration is inherited upon renewal.

    Enable Web/REST API

    When enabled, applicants can enroll through the Web Service API for SSL certificates managed by the department.

    This option is only available if enabled for your account. For more information, contact your Sectigo account manager.

    Make External Requester Mandatory

    When enabled, the External Requester field becomes mandatory on all enrollment forms for SSL certificates managed by the department.

    External requesters are additional email addresses included in the certificate that can be used for notifications. The field can be restricted to accept only email addresses matching a custom regular expression.

    This option prevents SSL certificate enrollment via MS Agent.

    Client Certificates

    Enable Web/REST API

    When enabled, applicants can enroll through the Web Service API for client certificates managed by the department.

    This option is only available if enabled for your account. For more information, contact your Sectigo account manager.

    Default Profile

    When configured, the selected certificate profile is used during SOAP API enrollment for client certificates managed by the department.

    Intune Certificate Exporter

    When configured, copies of client certificates and their accompanying private keys stored in Sectigo Key Vault can also be exported to MS Intune.

    Allow Key Recovery by Master Administrators

    When enabled, MRAO administrators can recover the private keys of client certificates issued by this department. Before client certificates can be issued, an MRAO administrator must generate an MRAO key pair on the Legacy Key Encryption page. The public key is then used to encrypt each new client certificate before it is securely stored. The private key may be provided to other MRAO administrators and used to recover the private keys of client certificates.

    This option can only be enabled when an organization is first created, after which it can only be disabled.

    Allow Key Recovery by Organization Administrators

    When enabled, RAO administrators can recover the private keys of client certificates issued by this department. Before client certificates can be issued, an RAO administrator must generate an RAO key pair on the Legacy Key Encryption page. The public key is then used to encrypt each new client certificate before it is securely stored. The private key may be provided to other RAO administrators and used to recover the private keys of client certificates.

    This option can only be enabled when an organization is first created, after which it can only be disabled.

    Allow Key Recovery by Department Administrators

    When enabled, DRAO administrators can recover the private keys of client certificates issued by this department. Before client certificates can be issued, a DRAO administrator must generate a DRAO key pair on the Legacy Key Encryption page. The public key is then used to encrypt each new client certificate before it is securely stored. The private key may be provided to other DRAO administrators and used to recover the private keys of client certificates.

    This option can only be enabled when an organization is first created, after which it can only be disabled.

    Allow Principal Name

    When enabled, client certificates may include a principal name in addition to the RFC822 name in the Subject Alternative Name (SAN) field.

    By default, the principal name is the primary email address of the end-user to whom the certificate is issued.

    Allow Principal Name Customization

    When enabled, you can configure the principal name to use something other than the primary email address of the end-user to whom the certificate is issued.

    Code Signing Certificates

    Enabled

    When enabled, code signing certificates can be issued to applicants associated with this department.

    Device Certificates

    Default profile

    When configured, the selected certificate profile is used during SOAP API enrollment for device certificates managed by the department.

  7. Click Save.
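The Synchronize Expiration Date rule that appears in both the organization and the department certificate settings above, worked through as an added example (not Sectigo code): given an issue date, a term and a synchronization day (with optional month), it returns the effective expiry and how much of the purchased term is forfeited. Counting the term in days, reading "prior to" as strictly before, and refusing a synchronization date that would precede issuance are assumptions the page does not state.

```python
from datetime import date, timedelta
from typing import Optional

# Added example (not Sectigo code) modelling the "Synchronize Expiration
# Date" rule from the certificate settings table. Assumptions not stated on
# the page: the term is a number of days from the issue date; "prior to"
# means strictly before the term-based expiry; a day a month lacks (31 in
# April) simply has no candidate in that month.

def term_expiry(issued_iso: str, term_days: int) -> str:
    """Expiry implied by the certificate term alone, as YYYY-MM-DD."""
    return (date.fromisoformat(issued_iso) + timedelta(days=term_days)).isoformat()

def synchronized_expiry(issued_iso: str, term_days: int,
                        sync_day: int, sync_month: Optional[int] = None) -> str:
    """Latest date matching sync_day (and sync_month, if given) that falls
    strictly before the term-based expiry, as YYYY-MM-DD."""
    if not 1 <= sync_day <= 31:
        raise ValueError("sync_day must be in 1..31")
    if sync_month is not None and not 1 <= sync_month <= 12:
        raise ValueError("sync_month must be in 1..12")
    issued = date.fromisoformat(issued_iso)
    candidate = date.fromisoformat(term_expiry(issued_iso, term_days)) - timedelta(days=1)
    # Walk back one day at a time. A day/month pair recurs at least every
    # four years (29 February), so the search is bounded.
    for _ in range(366 * 4 + 1):
        if candidate.day == sync_day and (sync_month is None or candidate.month == sync_month):
            break
        candidate -= timedelta(days=1)
    else:
        raise ValueError("no matching synchronization date")
    # The page does not say how the product treats a sync date that precedes
    # issuance (short term, sync month already passed); this example refuses it.
    if candidate <= issued:
        raise ValueError("synchronization date falls before the issue date")
    return candidate.isoformat()

def days_forfeited(issued_iso: str, term_days: int,
                   sync_day: int, sync_month: Optional[int] = None) -> int:
    """Days of the purchased term given up to synchronization."""
    full = date.fromisoformat(term_expiry(issued_iso, term_days))
    synced = date.fromisoformat(synchronized_expiry(issued_iso, term_days, sync_day, sync_month))
    return (full - synced).days

if __name__ == "__main__":
    print(synchronized_expiry("2024-03-15", 365, 1))      # day only -> 2025-03-01
    print(synchronized_expiry("2024-03-15", 365, 30, 6))  # day and month -> 2024-06-30
    print(days_forfeited("2024-03-15", 365, 30, 6))       # 258
```

The day-and-month form can cost most of a one-year term, so check `days_forfeited` before committing to a synchronization month that falls shortly after the typical issue dates.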