Configuring CA backends

After a CA connector has been installed and configured, it must be connected to a third-party CA backend in SCM. This backend is attached to profiles for certificate issuance and, when connecting to an Entrust or DigiCert CA, is used to connect a validated external organization to an organization in SCM.

Create third-party CA backends

  1. Log in to SCM as an MRAO admin.

  2. Navigate to Issuers > CA Backends and click the Add icon.

  3. Enter the details for your third-party CA using the information from the following table.

    Field | Description
    Backend Type | The third-party CA you are using.
    Name | The name of the CA backend in SCM.
    Connector | The CA connector to be used.
    Local CA Backend | The name specified during backend creation to represent the CA backend.

  4. Click Save.

    The new CA backend is now displayed on the CA Backends page in SCM.

The CA connector service is restarted each time a new backend is added.

Create certificate profiles

  • Microsoft

  • AWS

  • DigiCert

  • Entrust

  • GCP

Microsoft

  1. Navigate to Enrollment > Certificate Profiles.

  2. Click the Add icon.

  3. Complete the Add Certificate Profile fields based on the information provided in the following table.

    Field | Description
    Profile Name | The name of the certificate profile.
    CA Backend | The name of the CA backend in SCM.
    Certificate Type | The type of certificate that can be issued using this certificate profile (Client, SSL, Code Signing, or Device Certificate).
    Certificate Template | The template that controls the certificate policies.
    Description | A description of the profile.

  4. Click Next.

  5. Complete the remaining Add Certificate Profile fields based on the information provided in the following table.

    Field | Certificate Type | Description
    Domain Policies | SSL | Specifies the types of domain names and IP addresses that can be used for certificate enrollment.
    Terms | All | The validity period of certificates issued using the specified certificate profile.
    Auto Revoke | Client | When selected, a person who reaches the maximum number of valid certificates has their oldest certificate revoked automatically so that the new enrollment can succeed.
    Max Number of Valid Certificates | Client | The maximum number of valid certificates a user can have from this profile.
    Requires approval | SSL, Device | When selected, the certificate request requires the approval of an additional administrator (DRAO, RAO, or MRAO).
    Allow Renew | SSL | When enabled, the option to renew certificates is available via the SCM UI and related APIs.
    Issuing CA | All | The CA’s Common Name.
    MS Template | All | The template assigned to the CA in AD. All MS templates must grant read and enroll access to the CA connector in order to function correctly.
    Build Subject from AD information | All | When selected, Active Directory information is used for the subject; otherwise, it is built from the request.

    For Build Subject from AD information to work, the selected template must have the following Issuance Requirement tab settings configured:

    • This number of authorized signatures selected and set as 1

    • Application policy set as Certificate Request Agent

  6. Click Save.
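
The two Microsoft template requirements above (read and enroll access for the CA connector, and the Issuance Requirement settings needed for Build Subject from AD information) can be checked from PowerShell before the profile is used. This is an added example, not part of the SCM documentation; the function name, template CN and account name are hypothetical, and it assumes the ActiveDirectory RSAT module and that access is granted to the connector's account directly.

```powershell
# Added example: audit one AD certificate template against the requirements above.
Import-Module ActiveDirectory

function Test-ConnectorTemplate {
    param(
        [Parameter(Mandatory)] [string] $TemplateCN,       # template CN (short name), not the display name
        [Parameter(Mandatory)] [string] $ConnectorAccount  # account the CA connector runs as
    )
    $enrollRight  = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'  # Certificate-Enrollment extended right
    $requestAgent = '1.3.6.1.4.1.311.20.2.1'                      # Certificate Request Agent policy OID
    $adRights     = [System.DirectoryServices.ActiveDirectoryRights]

    # Templates live in the forest-wide Configuration partition.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dn   = "CN=$TemplateCN,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
    $tmpl = Get-ADObject -Identity $dn -Properties 'msPKI-RA-Signature', 'msPKI-RA-Application-Policies'

    # Allow ACEs naming the account itself; access held through group membership is not resolved here.
    $aces = (Get-Acl -Path "AD:\$dn").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $ConnectorAccount
    }
    $canRead   = [bool]($aces | Where-Object { $_.ActiveDirectoryRights.HasFlag($adRights::GenericRead) })
    $canEnroll = [bool]($aces | Where-Object {
        $_.ActiveDirectoryRights.HasFlag($adRights::ExtendedRight) -and
        ($_.ObjectType -eq $enrollRight -or $_.ObjectType -eq [guid]::Empty)  # empty GUID = all extended rights
    })

    # Issuance Requirements tab: "This number of authorized signatures" and "Application policy".
    $signatures = $tmpl.'msPKI-RA-Signature'
    $needsAgent = [bool](@($tmpl.'msPKI-RA-Application-Policies') -match [regex]::Escape($requestAgent))

    [pscustomobject]@{
        Template                = $TemplateCN
        ConnectorCanRead        = $canRead
        ConnectorCanEnroll      = $canEnroll
        AuthorizedSignatures    = $signatures
        RequestAgentPolicy      = $needsAgent
        BuildSubjectFromADReady = ($signatures -eq 1) -and $needsAgent
    }
}

# Hypothetical template and account names; replace with your own.
Test-ConnectorTemplate -TemplateCN 'ScmWebServer' -ConnectorAccount 'EXAMPLE\svc-ca-connector'
```

A False in ConnectorCanRead or ConnectorCanEnroll is worth confirming in the template's Security tab, since the connector may hold the rights through a group.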

AWS

  1. Navigate to Enrollment > Certificate Profiles.

  2. Click the Add icon.

  3. Complete the Add Certificate Profile fields based on the information provided in the following table.

    Field | Description
    Profile Name | The name of the certificate profile.
    CA Backend | The name of the CA backend in SCM.
    Certificate Type | The type of certificate that can be issued using this certificate profile (SSL).
    Certificate Template | The template that controls the certificate policies.
    Description | A description of the profile.

  4. Click Next.

  5. Complete the remaining Add Certificate Profile fields based on the information provided in the following table.

    Field | Description
    AWS Private CA | The name of the AWS private CA.
    Signature Algorithm | The signature algorithm to be used when signing certificates.
    AWS Template | The template assigned to the CA in ACM.
    Domain Policies | Specifies the types of domain names and IP addresses that can be used for certificate enrollment.
    Terms | The validity period of certificates issued using the specified certificate profile.
    Requires approval | When selected, the certificate request requires the approval of an additional administrator (DRAO, RAO, or MRAO).
    Allow Renew | When enabled, the option to renew certificates is available via the SCM UI and related APIs.

  6. Click Save.

DigiCert

  1. Navigate to Enrollment > Certificate Profiles.

  2. Click the Add icon.

  3. Complete the Add Certificate Profile fields based on the information provided in the following table.

    Field | Description
    Profile Name | The name of the certificate profile.
    CA Backend | The name of the CA backend in SCM.
    Certificate Type | The type of certificate that can be issued using this certificate profile (SSL).
    Certificate Template | The template that controls the certificate policies.
    Description | A description of the profile.

  4. Click Next.

  5. Complete the remaining Add Certificate Profile fields based on the information provided in the following table.

    Field | Description
    DigiCert Product | The DigiCert product type to be linked with the certificate profile.
    Domain Policies | Specifies the types of domain names and IP addresses that can be used for certificate enrollment.
    Terms | The validity period of certificates issued using the specified certificate profile.
    Allowed Key Types | The key types (algorithms and sizes or curves) you want to allow for certificates created using the profile.
    Requires approval | When selected, the certificate request requires the approval of an additional administrator (DRAO, RAO, or MRAO).
    Allow Renew | When enabled, the option to renew certificates is available via the SCM UI and related APIs.

  6. Click Save.

Entrust

  1. Navigate to Enrollment > Certificate Profiles.

  2. Click the Add icon.

  3. Complete the Add Certificate Profile fields based on the information provided in the following table.

    Field | Description
    Profile Name | The name of the certificate profile.
    CA Backend | The name of the CA backend in SCM.
    Certificate Type | The type of certificate that can be issued using this certificate profile (SSL).
    Certificate Template | The template that controls the certificate policies.
    Description | A description of the profile.

  4. Click Next.

  5. Complete the remaining Add Certificate Profile fields based on the information provided in the following table.

    Field | Description
    Entrust Template | The Entrust product type to be linked with the certificate profile.
    Domain Policies | Specifies the types of domain names and IP addresses that can be used for certificate enrollment.
    Terms | The validity period of certificates issued using the specified certificate profile.
    Requires approval | When selected, the certificate request requires the approval of an additional administrator (DRAO, RAO, or MRAO).
    Allow Renew | When enabled, the option to renew certificates is available via the SCM UI and related APIs.

  6. Click Save.

GCP

  1. Navigate to Enrollment > Certificate Profiles.

  2. Click the Add icon.

  3. Complete the Add Certificate Profile fields based on the information provided in the following table.

    Field | Description
    Profile Name | The name of the certificate profile.
    CA Backend | The name of the CA backend in SCM.
    Certificate Type | The type of certificate that can be issued using this certificate profile (SSL).
    Certificate Template | The template that controls the certificate policies.
    Description | A description of the profile.

  4. Click Next.

  5. Complete the remaining Add Certificate Profile fields based on the information provided in the following table.

    Field | Description
    Google Cloud Certificate Authority | The name of the GCP private CA.
    Google Cloud Template | The template assigned to the CA in GCP.
    Domain Policies | Specifies the types of domain names and IP addresses that can be used for certificate enrollment.
    Terms | The validity period of certificates issued using the specified certificate profile.
    Requires approval | When selected, the certificate request requires the approval of an additional administrator (DRAO, RAO, or MRAO).
    Allow Renew | When enabled, the option to renew certificates is available via the SCM UI and related APIs.

  6. Click Save.

Assign an external organization

When working with an Entrust or DigiCert CA, you must connect your validated external organization to an organization in SCM.

  1. Log in to SCM as an MRAO admin.

  2. Navigate to Organizations and select an existing organization or click the Add icon to create a new one.

  3. Under your SCM organization, locate your external CA and click Assign.

  4. In the External Organization Assignment dialog, select an external organization to connect with your SCM organization.

  5. Click Save.