Configuring CA backends
Following the installation and configuration of a CA connector, the connector must be connected to a third-party CA backend in SCM. This backend is attached to profiles for certificate issuance, and, when connecting to an Entrust or Digicert CA, used to connect a validated external organization to an organization in SCM.
Create third-party CA backends
-
Log in to SCM as a MRAO admin.
-
Navigate to and click the Add icon.
-
Add the information for your third-party CA using the information from the following table.
Field Description Backend Type
The third-party CA you are using.
Name
The name of the CA backend in SCM.
Connector
The CA connector to be used.
Local CA Backend
The name specified during backend creation to represent the CA backend.
-
Click Save.
The new CA backend is now displayed on the CA Backends page in SCM.
| The CA connector service is restarted each time a new backend is added. |
Create certificate profiles
-
Navigate to .
-
Click the Add icon.
-
Complete the Add Certificate Profile fields based on the information provided in the following table.
Field Description Profile Name
The name of the certificate profile.
CA Backend
The name of the CA backend in SCM.
Certificate Type
The type of certificate that can be issued using this certificate profile (Client, SSL, Code Signing, or Device Certificate).
Certificate Template
The template that controls the certificate policies.
Description
A description of the profile.
-
Click Next.
-
Complete the remaining Add Certificate Profile fields based on the information provided in the following table.
Field Certificate Type Description Terms
All
The validity period of certificates issued using the specified certificate profile.
Auto Revoke
Client
When selected, a person who reaches the max number of valid certificates will have their oldest certificate revoked automatically to allow the new enrollment to succeed.
Max Number of Valid Certificates
Client
The maximum number of valid certificates a user can have from this profile.
Requires approval
SSL, Device
When selected, the certificate request requires the approval of an additional administrator (DRAO, RAO, or MRAO).
Allow Renew
SSL
When enabled, the option to renew certificates is available via the SCM UI and related APIs.
Issuing CA
All
The CA’s Common Name.
MS Template
All
The template assigned to the CA in AD.
All MS templates must grant read and enroll access to the CA connector in order to function correctly.
Build Subject from AD information
All
When selected, Active Directory information is used for the subject, otherwise it’s built from the request.
In order to work, the selected template must have the following Issuance Requirement tab settings configured:
-
This number of authorized signatures selected and set as
1 -
Application policy set as
Certificate Request Agent
-
-
Click Save.
-
Navigate to .
-
Click the Add icon.
-
Complete the Add Certificate Profile fields based on the information provided in the following table.
Field Description Profile Name
The name of the certificate profile.
CA Backend
The name of the CA backend in SCM.
Certificate Type
The type of certificate that can be issued using this certificate profile (SSL).
Certificate Template
The template that controls the certificate policies.
Description
A description of the profile.
-
Click Next.
-
Complete the remaining Add Certificate Profile fields based on the information provided in the following table.
Field Description AWS Private CA
The name of the AWS private CA.
Signature Algorithm
The signature algorithm to be used when signing certificates.
AWS Template
The template assigned to the CA in ACM.
Terms
The validity period of certificates issued using the specified certificate profile.
Requires approval
When selected, the certificate request requires the approval of an additional administrator (DRAO, RAO, or MRAO).
Allow Renew
When enabled, the option to renew certificates is available via the SCM UI and related APIs.
-
Click Save.
-
Navigate to .
-
Click the Add icon.
-
Complete the Add Certificate Profile fields based on the information provided in the following table.
Field Description Profile Name
The name of the certificate profile.
CA Backend
The name of the CA backend in SCM.
Certificate Type
The type of certificate that can be issued using this certificate profile (SSL).
Certificate Template
The template that controls the certificate policies.
Description
A description of the profile.
-
Click Next.
-
Complete the remaining Add Certificate Profile fields based on the information provided in the following table.
Field Description DigiCert Product
The DigiCert product type to be linked with the certificate profile.
Terms
The validity period of certificates issued using the specified certificate profile.
Allowed Key Types
The key types (algorithms and sizes or curves) you want to allow for certificates created using the profile.
Requires approval
When selected, the certificate request requires the approval of an additional administrator (DRAO, RAO, or MRAO).
Allow Renew
When enabled, the option to renew certificates is available via the SCM UI and related APIs.
-
Click Save.
-
Navigate to .
-
Click the Add icon.
-
Complete the Add Certificate Profile fields based on the information provided in the following table.
Field Description Profile Name
The name of the certificate profile.
CA Backend
The name of the CA backend in SCM.
Certificate Type
The type of certificate that can be issued using this certificate profile (SSL).
Certificate Template
The template that controls the certificate policies.
Description
A description of the profile.
-
Click Next.
-
Complete the remaining Add Certificate Profile fields based on the information provided in the following table.
Field Description Entrust Template
The Entrust product type to be linked with the certificate profile.
Terms
The validity period of certificates issued using the specified certificate profile.
Requires approval
When selected, the certificate request requires the approval of an additional administrator (DRAO, RAO, or MRAO).
Allow Renew
When enabled, the option to renew certificates is available via the SCM UI and related APIs.
-
Click Save.
-
Navigate to .
-
Click the Add icon.
-
Complete the Add Certificate Profile fields based on the information provided in the following table.
Field Description Profile Name
The name of the certificate profile.
CA Backend
The name of the CA backend in SCM.
Certificate Type
The type of certificate that can be issued using this certificate profile (SSL).
Certificate Template
The template that controls the certificate policies.
Description
A description of the profile.
-
Click Next.
-
Complete the remaining Add Certificate Profile fields based on the information provided in the following table.
Field Description Google Cloud Certificate Authority
The name of the GCP private CA.
Google Cloud Template
The template assigned to the CA in GCP.
Terms
The validity period of certificates issued using the specified certificate profile.
Requires approval
When selected, the certificate request requires the approval of an additional administrator (DRAO, RAO, or MRAO).
Allow Renew
When enabled, the option to renew certificates is available via the SCM UI and related APIs.
-
Click Save.
Assign an external organization
When working with an Entrust or DigiCert CA, you must connect your validated external organization to an organization in SCM.
-
Log in to SCM as a MRAO admin.
-
Navigate to Organizations and select an existing organization or click the Add icon to create a new one.
-
Under your SCM organization, locate your external CA and click Assign.
-
In the External Organization Assignment dialog, select an external organization to connect with your SCM organization.
-
Click Save.