Configuring CA backends
Following the installation and configuration of a CA connector, the connector must be connected to a third-party CA backend in SCM. This backend is attached to profiles for certificate issuance, and, when connecting to an Entrust or Digicert CA, used to connect a validated external organization to an organization in SCM.
Create third-party CA backends
-
Log in to SCM as a MRAO admin.
-
Navigate to
and click Add. -
Add the information for your third-party CA using the information from the following table.
Field Description Backend Type
The third-party CA you are using
Name
The name of the CA backend in SCM
Connector
The CA connector to be used
Local CA Backend
The name specified during backend creation to represent the CA backend
-
Click Save.
The new CA backend is now displayed on the CA Backends page in SCM.
The CA connector service is restarted each time a new backend is added. |
Create certificate profiles
-
Navigate to
. -
Click Add.
-
Complete the Add Certificate Profile fields based on the information provided in the following table.
Field Description Profile Name
The name of the certificate profile
CA Backend
The name of the CA backend in SCM
Certificate Type
The type of certificate that can be issued using this certificate profile (Client, SSL, Code Signing, or Device Certificate)
Certificate Template
The template that controls the certificate policies
Description
A description of the profile
-
Click Next.
-
Complete the remaining Add Certificate Profile fields based on the information provided in the following table.
Field Certificate Type Description Terms
All
The validity period of certificates issued using the specified certificate profile
Auto Revoke
Client
When selected, a person who reaches the max number of valid certificates will have their oldest certificate revoked automatically to allow the new enrollment to succeed
Max Number of Valid Certificates
Client
The maximum number of valid certificates a user can have from this profile
Requires approval
SSL, Device
When selected, the certificate request requires the approval of an additional administrator (DRAO, RAO, or MRAO)
Allow Renew
SSL
When enabled, the option to renew certificates is available via the SCM UI and related APIs
Issuing CA
All
The CA’s Common Name
MS Template
All
The template assigned to the CA in AD
All MS templates must grant read and enroll access to the CA connector in order to function correctly.
Build Subject from AD information
All
When selected, Active Directory information is used for the subject, otherwise it’s built from the request.
In order to work, the selected template must have the following Issuance Requirement tab settings configured:
-
This number of authorized signatures selected and set as
1
-
Application policy set as
Certificate Request Agent
-
-
Click Save.
-
Navigate to
. -
Click Add.
-
Complete the Add Certificate Profile fields based on the information provided in the following table.
Field Description Profile Name
The name of the certificate profile
CA Backend
The name of the CA backend in SCM
Certificate Type
The type of certificate that can be issued using this certificate profile (SSL)
Certificate Template
The template that controls the certificate policies
Description
A description of the profile
-
Click Next.
-
Complete the remaining Add Certificate Profile fields based on the information provided in the following table.
Field Description AWS Private CA
The name of the AWS private CA
Signature Algorithm
The signature algorithm to be used when signing certificates
AWS Template
The template assigned to the CA in ACM
Terms
The validity period of certificates issued using the specified certificate profile
Requires approval
When selected, the certificate request requires the approval of an additional administrator (DRAO, RAO, or MRAO)
Allow Renew
When enabled, the option to renew certificates is available via the SCM UI and related APIs
-
Click Save.
-
Navigate to
. -
Click Add.
-
Complete the Add Certificate Profile fields based on the information provided in the following table.
Field Description Profile Name
The name of the certificate profile
CA Backend
The name of the CA backend in SCM
Certificate Type
The type of certificate that can be issued using this certificate profile (SSL)
Certificate Template
The template that controls the certificate policies
Description
A description of the profile
-
Click Next.
-
Complete the remaining Add Certificate Profile fields based on the information provided in the following table.
Field Description DigiCert Product
The DigiCert product type to be linked with the certificate profile
Terms
The validity period of certificates issued using the specified certificate profile
Allowed Key Types
The key types (algorithms and sizes or curves) you want to allow for certificates created using the profile
Requires approval
When selected, the certificate request requires the approval of an additional administrator (DRAO, RAO, or MRAO)
Allow Renew
When enabled, the option to renew certificates is available via the SCM UI and related APIs
-
Click Save.
-
Navigate to
. -
Click Add.
-
Complete the Add Certificate Profile fields based on the information provided in the following table.
Field Description Profile Name
The name of the certificate profile
CA Backend
The name of the CA backend in SCM
Certificate Type
The type of certificate that can be issued using this certificate profile (SSL)
Certificate Template
The template that controls the certificate policies
Description
A description of the profile
-
Click Next.
-
Complete the remaining Add Certificate Profile fields based on the information provided in the following table.
Field Description Entrust Template
The Entrust product type to be linked with the certificate profile
Terms
The validity period of certificates issued using the specified certificate profile
Requires approval
When selected, the certificate request requires the approval of an additional administrator (DRAO, RAO, or MRAO)
Allow Renew
When enabled, the option to renew certificates is available via the SCM UI and related APIs
-
Click Save.
-
Navigate to
. -
Click Add.
-
Complete the Add Certificate Profile fields based on the information provided in the following table.
Field Description Profile Name
The name of the certificate profile
CA Backend
The name of the CA backend in SCM
Certificate Type
The type of certificate that can be issued using this certificate profile (SSL)
Certificate Template
The template that controls the certificate policies
Description
A description of the profile
-
Click Next.
-
Complete the remaining Add Certificate Profile fields based on the information provided in the following table.
Field Description Google Cloud Certificate Authority
The name of the GCP private CA
Google Cloud Template
The template assigned to the CA in GCP
Terms
The validity period of certificates issued using the specified certificate profile
Requires approval
When selected, the certificate request requires the approval of an additional administrator (DRAO, RAO, or MRAO)
Allow Renew
When enabled, the option to renew certificates is available via the SCM UI and related APIs
-
Click Save.
Assign an external organization
When working with an Entrust or DigiCert CA, you must connect your validated external organization to an organization in SCM.
-
Log in to SCM as a MRAO admin.
-
Navigate to Organizations and select an existing organization or click Add to create a new one.
-
Under your SCM organization, locate your external CA and click Assign.
-
In the External Organization Assignment dialog, select an external organization to connect with your SCM organization.
-
Click Save.