Managing organizations and departments
Edit organization or department details
Editing a validated organization’s details will initiate revalidation of the organization. Once you initiate organization revalidation, you cannot issue OV certificates for your organization until revalidation is completed. |
-
Navigate to Organizations.
-
Select the organization you want to edit, and click the Edit icon.
-
In the Edit Organization Details dialog, edit the organization’s details based on the information provided in the following table.
Field Description Organization Name
The name of the organization.
Secondary Organization Name
An alternative or extended name for the organization.
Alias
During SAML authentication, the Alias attribute is compared with matching IdP attribute values to determine the organization(s) or department(s) the administrator can access.
Contact emails
Additional email addresses to be included as recipients of reports and notifications that are configured to include organization contacts as recipients.
Address 1, 2, 3
The street address of the organization.
City
The city in which the organization resides.
State name
The state or province in which the organization resides.
Postal Code
The postal code at which the organization resides.
Country
The country in which the organization resides.
Organization Identifier
Stands for the legal person identification based on identity type references allowed by the ETSI 319 412-1 standards and requirements.
-
Click Save.
-
Navigate to Organizations.
-
Expand the appropriate parent organization, select the department you want to edit, and click the Edit icon.
-
In the Edit Department Details dialog, edit the department’s details based on the information provided in the following table.
Field Description Department Name
The name of the department.
Secondary Organization Name
An alternative or extended name for the department.
Alias
During SAML authentication, the Alias attribute is compared with matching IdP attribute values to determine the organization(s) or department(s) the administrator can access.
Contact emails
Additional email addresses to be included as recipients of reports and notifications that are configured to include organization contacts as recipients.
The complete address and Organization Identifier are inherited from the parent organization. -
Click Save.
Edit certificate settings
-
Navigate to Organizations.
-
Select the organization with the certificate settings you want to edit, and click Certificate Settings.
-
Update the organization’s certificate settings based on the information provided in the following table.
Field Description General
Password Policy
When configured, certificate and enrollment passwords in the organization must adhere to the rules outlined in the selected policy.
SSL Certificates
Synchronize Expiration Date
When configured, SSL certificates issued to the organization will expire on the specified day, and, optionally, month.
Expiration occurs on the specified synchronization date closest to, and prior to, the expiry date determined by the certificate term selected on the certificate application form.
The expiry date of certificates that have already been issued does not change but synchronized expiration is inherited upon renewal.
Enable Web/REST API
When enabled, applicants can enroll through the Web Service API for SSL certificates managed by the organization.
This option is only available if enabled for your account. For more information, contact your Sectigo account manager.
Make External Requester Mandatory
When enabled, the External Requester field becomes mandatory on all enrollment forms for SSL certificates managed by the organization.
External requester’s are additional email addresses included in the certificate that can be used for notifications. The field can be restricted to accept only email addresses matching a custom regular expression.
This option prevents SSL certificate enrollment via MS Agent.
Client Certificates
Enable Web/REST API
When enabled, applicants can enroll through the Web Service API for client certificates managed by the organization.
This option is only available if enabled for your account. For more information, contact your Sectigo account manager.
Default Profile
When configured, the selected certificate profile is used during SOAP API enrollment for client certificate managed by the organization.
Intune Certificate Exporter
When configured, copies of client certificates and their accompanying private keys stored in Sectigo Key Vault can also be exported to MS Intune.
Allow Key Recovery by Master Administrators
When enabled, MRAO administrators can recover the private keys of client certificates issued by this organization. Before client certificates can be issued, a MRAO administrator must generate a MRAO key pair on the Legacy Key Encryption page. The public key is then used to encrypt each new client certificate before it’s securely stored. The private key may be provided to other MRAO administrators and used to recover the private keys of client certificates.
This option can only be configured when an organization is first created, after which it cannot be modified.
Allow Key Recovery by Organization Administrators
When enabled, RAO administrators can recover the private keys of client certificates issued by this organization. Before client certificates can be issued, a RAO administrator must generate a RAO key pair on the Legacy Key Encryption page. The public key is then used to encrypt each new client certificate before it’s securely stored. The private key may be provided to other RAO administrators and used to recover the private keys of client certificates.
This option can only be configured when an organization is first created, after which it cannot be modified.
Allow Principal Name
When enabled, client certificates may include a principal name in addition to the RFC822 name in the Subject Alternative Name (SAN) field.
By default, the principal name is the primary email address of the end-user to whom the certificate is issued.
Allow Principal Name Customization
When enabled, you can configure the principal name to use something other than the primary email address of the end-user to whom the certificate is issued.
Code Signing Certificates
Enabled
When enabled, code signing certificates can be issued to applicants associated with this organization.
Device Certificates
Default profile
When configured, the selected certificate profile is used during SOAP API enrollment for device certificate managed by the organization.
-
Click Save.
-
Navigate to Organizations.
-
Expand the appropriate parent organization, select the department with the certificate settings you want to edit, and click Certificate Settings.
-
Update the department’s certificate settings based on the information provided in the following table.
Field Description General
Password Policy
When configured, certificate and enrollment passwords in the department must adhere to the rules outlined in the selected policy.
SSL Certificates
Synchronize Expiration Date
When configured, SSL certificates issued to the department will expire on the specified day and, optionally, month.
Expiration occurs on the specified synchronization date closest to, and prior to, the expiry date determined by the certificate term selected on the certificate application form.
The expiry date of certificates that have already been issued does not change but synchronized expiration is inherited upon renewal.
Enable Web/REST API
When enabled, applicants can enroll through the Web Service API for SSL certificates managed by the department.
This option is only available if enabled for your account. For more information, contact your Sectigo account manager.
Make External Requester Mandatory
When enabled, the External Requester field becomes mandatory on all enrollment forms for SSL certificates managed by the department.
External requester’s are additional email addresses included in the certificate that can be used for notifications. The field can be restricted to accept only email addresses matching a custom regular expression.
This option prevents SSL certificate enrollment via MS Agent.
Client Certificates
Enable Web/REST API
When enabled, applicants can enroll through the Web Service API for client certificates managed by the department.
This option is only available if enabled for your account. For more information, contact your Sectigo account manager.
Default Profile
When configured, the selected certificate profile is used during SOAP API enrollment for client certificate managed by the department.
Intune Certificate Exporter
When configured, copies of client certificates and their accompanying private keys stored in Sectigo Key Vault can also be exported to MS Intune.
Allow Key Recovery by Master Administrators
When enabled, MRAO administrators can recover the private keys of client certificates issued by this department. Before client certificates can be issued, a MRAO administrator must generate a MRAO key pair on the Legacy Key Encryption page. The public key is then used to encrypt each new client certificate before it’s securely stored. The private key may be provided to other MRAO administrators and used to recover the private keys of client certificates.
This option can only be configured when an department is first created, after which it cannot be modified.
Allow Key Recovery by Organization Administrators
When enabled, RAO administrators can recover the private keys of client certificates issued by this department. Before client certificates can be issued, a RAO administrator must generate a RAO key pair on the Legacy Key Encryption page. The public key is then used to encrypt each new client certificate before it’s securely stored. The private key may be provided to other RAO administrators and used to recover the private keys of client certificates.
This option can only be configured when a department is first created, after which it cannot be modified.
Allow Key Recovery by Department Administrators
When enabled, DRAO administrators can recover the private keys of client certificates issued by this department. Before client certificates can be issued, a DRAO administrator must generate a DRAO key pair on the Legacy Key Encryption page. The public key is then used to encrypt each new client certificate before it’s securely stored. The private key may be provided to other DRAO administrators and used to recover the private keys of client certificates.
This option can only be configured when a department is first created, after which it cannot be modified.
Allow Principal Name
When enabled, client certificates may include a principal name in addition to the RFC822 name in the Subject Alternative Name (SAN) field.
By default, the principal name is the primary email address of the end-user to whom the certificate is issued.
Allow Principal Name Customization
When enabled, you can configure the principal name to use something other than the primary email address of the end-user to whom the certificate is issued.
Code Signing Certificates
Enabled
When enabled, code signing certificates can be issued to applicants associated with this department.
Device Certificates
Default profile
When configured, the selected certificate profile is used during SOAP API enrollment for device certificate managed by the department.
-
Click Save.
Edit delegated domains
-
Navigate to Organizations.
-
Select the organization with domains you want to edit, and click Domains.
-
Select the domain you want to edit, and click Edit.
-
Select or deselect Active depending on whether you want the domain to be available for certificate issuance.
-
Enter a description that provides any contextual information required.
-
Click Save.
-
Navigate to Organizations.
-
Expand the appropriate parent organization, select the department with the domains you want to edit, and click Domains.
-
Select a domain, and click Edit.
-
Select or deselect Active depending on whether you want the domain to be available for certificate issuance.
-
Enter a description that provides any contextual information required.
-
Click Save.