Set up your account
This guide is intended to introduce you to the process of creating and configuring the primary elements of your SCM Enterprise account as a precursor to requesting and managing certificates or utilizing SCM’s more advanced features. This guide focuses on basic setup options and does not cover more advanced configurations.
Before proceeding, please ensure you have satisfied the following prerequisites:
- You have an active SCM Enterprise account.
- You are an MRAO administrator or have been granted the necessary permissions to create and configure organizations, departments, and domains.
- You are, or are in immediate contact with, a network or domain administrator capable of completing domain control validation (DCV).
Note: The options available in the following sections may vary depending on your role and the configuration of your SCM Enterprise account.
Step one: Add your organizations
Organizations are created for the purpose of requesting, issuing, and managing certificates for domains and users.
An initial organization is created during the onboarding process. This section outlines how to add additional organizations if required. If you do not need to add additional organizations, proceed to Step three: Add your departments.
To add an organization, do the following:
- Navigate to Organizations.
- Click the Add icon.
- In the Add New Organization dialog, complete the fields based on the information provided in the following table.
| Field | Description |
| --- | --- |
| Organization Name | The name of the organization. |
| Secondary Organization Name | An alternative or extended name for the organization. |
| Alias | During SAML authentication, the Alias attribute is compared with matching IdP attribute values to determine the organization(s) or department(s) the administrator can access. |
| Contact emails | Additional email addresses to be included as recipients of reports and notifications that are configured to include organization contacts as recipients. |
| Address 1, 2, 3 | The street address of the organization. |
| City | The city in which the organization resides. |
| State/Province | The state or province in which the organization resides. |
| Postal Code | The postal code of the organization's address. |
| Country | The country in which the organization resides. |
| Organization Identifier | The legal person identifier, based on the identity type references allowed by the ETSI 319 412-1 standard. |
- Click Next.
- Complete the certificate settings based on the information provided in the following table.
General

| Field | Description |
| --- | --- |
| Password Policy | When configured, certificate and enrollment passwords in the organization must adhere to the rules outlined in the selected policy. |

SSL Certificates

| Field | Description |
| --- | --- |
| Synchronize Expiration Date | When configured, SSL certificates issued to the organization expire on the specified day and, optionally, month. Expiration occurs on the synchronization date closest to, and prior to, the expiry date determined by the certificate term selected on the certificate application form. The expiry date of certificates that have already been issued does not change, but synchronized expiration is inherited upon renewal. |
| Enable Web/REST API | When enabled, applicants can enroll through the Web Service API for SSL certificates managed by the organization. This option is only available if enabled for your account; for more information, contact your Sectigo account manager. |
| Make External Requester Mandatory | When enabled, the External Requester field becomes mandatory on all enrollment forms for SSL certificates managed by the organization. External requesters are additional email addresses included in the certificate that can be used for notifications. The field can be restricted to accept only email addresses matching a custom regular expression. This option prevents SSL certificate enrollment via the MS Agent. |

Client Certificates

| Field | Description |
| --- | --- |
| Enable Web/REST API | When enabled, applicants can enroll through the Web Service API for client certificates managed by the organization. This option is only available if enabled for your account; for more information, contact your Sectigo account manager. |
| Default Profile | When configured, the selected certificate profile is used during SOAP API enrollment for client certificates managed by the organization. |
| Intune Certificate Exporter | When configured, copies of client certificates and their accompanying private keys stored in Sectigo Key Vault can also be exported to MS Intune. |
| Allow Key Recovery by Master Administrators | When enabled, MRAO administrators can recover the private keys of client certificates issued by this organization. Before client certificates can be issued, an MRAO administrator must generate an MRAO key pair on the Legacy Key Encryption page. The public key is then used to encrypt each new client certificate before it is securely stored; the private key may be provided to other MRAO administrators and used to recover the private keys of client certificates. This option can only be enabled when an organization is first created, after which it can only be disabled. |
| Allow Key Recovery by Organization Administrators | When enabled, RAO administrators can recover the private keys of client certificates issued by this organization. Before client certificates can be issued, an RAO administrator must generate an RAO key pair on the Legacy Key Encryption page. The public key is then used to encrypt each new client certificate before it is securely stored; the private key may be provided to other RAO administrators and used to recover the private keys of client certificates. This option can only be enabled when an organization is first created, after which it can only be disabled. |
| Allow Principal Name | When enabled, client certificates may include a principal name in addition to the RFC822 name in the Subject Alternative Name (SAN) field. By default, the principal name is the primary email address of the end user to whom the certificate is issued. |
| Allow Principal Name Customization | When enabled, you can configure the principal name to use something other than the primary email address of the end user to whom the certificate is issued. |

Code Signing Certificates

| Field | Description |
| --- | --- |
| Enabled | When enabled, code signing certificates can be issued to applicants associated with this organization. |

Device Certificates

| Field | Description |
| --- | --- |
| Default profile | When configured, the selected certificate profile is used during SOAP API enrollment for device certificates managed by the organization. |
- Click Save.
- Repeat as required to add additional organizations.
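The Synchronize Expiration Date rule described in the SSL Certificates settings above (expiry moves to the synchronization date closest to, and prior to, the expiry implied by the certificate term) is easy to misjudge when planning renewals. The following Python is an added illustration of that rule and is not Sectigo code; the clamping of a non-existent day of month, and the fallback to the nominal expiry when no synchronization date falls between issuance and the nominal expiry, are assumptions made here because the guide does not state how SCM handles those cases.

```python
from datetime import date, timedelta
import calendar


def sync_candidate(year, month, day):
    """Build a candidate synchronization date for the given year/month.
    Assumption (not stated in the guide): a configured day that does not
    exist in that month (e.g. 31 in February) is clamped to the month's
    last day."""
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(day, last_day))


def synchronized_expiry(issued, term_days, sync_day, sync_month=None):
    """Apply the Synchronize Expiration Date rule.

    issued     -- issuance date of the certificate
    term_days  -- certificate term selected on the application form, in days
    sync_day   -- day of month configured on the organization/department
    sync_month -- month, when the setting also fixes a month (yearly
                  synchronization); None means the day recurs every month

    Rule from the guide: the certificate expires on the synchronization
    date closest to, and prior to, the nominal expiry determined by the term.
    Assumption: a nominal expiry that lands exactly on a synchronization
    date is kept, and if no synchronization date lies between issuance and
    the nominal expiry, the nominal expiry is left unchanged.
    """
    nominal = issued + timedelta(days=term_days)
    if sync_month is None:
        # Monthly synchronization: look at the configured day in the
        # nominal expiry month and in the month before it.
        year, month = nominal.year, nominal.month
        prev_year, prev_month = (year - 1, 12) if month == 1 else (year, month - 1)
        candidates = [sync_candidate(year, month, sync_day),
                      sync_candidate(prev_year, prev_month, sync_day)]
    else:
        # Yearly synchronization: this year's and last year's configured date.
        candidates = [sync_candidate(nominal.year, sync_month, sync_day),
                      sync_candidate(nominal.year - 1, sync_month, sync_day)]
    eligible = [c for c in candidates if issued < c <= nominal]
    return max(eligible) if eligible else nominal


if __name__ == "__main__":
    # Constructed inputs: a one-year certificate issued on 15 March 2024.
    issued = date(2024, 3, 15)
    print("nominal expiry:", issued + timedelta(days=365))
    print("yearly sync on 1 Jan:", synchronized_expiry(issued, 365, 1, 1))
    print("monthly sync on day 20:", synchronized_expiry(issued, 365, 20))
```

The practical consequence is that a synchronized certificate is always issued for a shorter effective lifetime than the term selected on the form; monitoring and renewal automation should be driven by the expiry date recorded in SCM, not by the nominal term.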
Step two: Validate your organizations
In addition to standard Domain Validation (DV) certificates, Sectigo offers Organization Validation (OV) and Extended Validation (EV) certificates.
Note: Extended Validation is not within the scope of this guide.
Organization validation requires the details of the organization to be verified by a Sectigo validation specialist before OV certificates can be issued. If the information provided for your organization can be confirmed, validation will be completed without further action. If the information cannot be confirmed, the administrator who initiated validation will be contacted for additional information.
If you do not require OV certificates, proceed to Step three: Add your departments.
To validate an organization, do the following:
- Navigate to Organizations.
- Select the organization you want to validate.
- Click Validate.
- Click OK.
- Select the certificate types to be included in the validation request.
- Click Start.
- Repeat as required for each organization that requires validation.
Step three: Add your departments
Departments are created under a parent organization. Like organizations, they are created for the purpose of requesting, issuing, and managing certificates for domains and users.
To add a department, do the following:
- Navigate to Organizations.
- Select the organization for which to add a department.
- Click Add Department.
- In the Add New Department dialog, complete the fields based on the information provided in the following table.

| Field | Description |
| --- | --- |
| Department Name | The name of the department. |
| Secondary Organization Name | An alternative or extended name for the department. |
| Alias | During SAML authentication, the Alias attribute is compared with matching IdP attribute values to determine the organization(s) or department(s) the administrator can access. |
| Contact emails | Additional email addresses to be included as recipients of reports and notifications that are configured to include organization contacts as recipients. |

Note: The complete address and Organization Identifier are inherited from the parent organization.

- Click Next.
- Complete the certificate settings based on the information provided in the following table.
General

| Field | Description |
| --- | --- |
| Password Policy | When configured, certificate and enrollment passwords in the department must adhere to the rules outlined in the selected policy. |

SSL Certificates

| Field | Description |
| --- | --- |
| Synchronize Expiration Date | When configured, SSL certificates issued to the department expire on the specified day and, optionally, month. Expiration occurs on the synchronization date closest to, and prior to, the expiry date determined by the certificate term selected on the certificate application form. The expiry date of certificates that have already been issued does not change, but synchronized expiration is inherited upon renewal. |
| Enable Web/REST API | When enabled, applicants can enroll through the Web Service API for SSL certificates managed by the department. This option is only available if enabled for your account; for more information, contact your Sectigo account manager. |
| Make External Requester Mandatory | When enabled, the External Requester field becomes mandatory on all enrollment forms for SSL certificates managed by the department. External requesters are additional email addresses included in the certificate that can be used for notifications. The field can be restricted to accept only email addresses matching a custom regular expression. This option prevents SSL certificate enrollment via the MS Agent. |

Client Certificates

| Field | Description |
| --- | --- |
| Enable Web/REST API | When enabled, applicants can enroll through the Web Service API for client certificates managed by the department. This option is only available if enabled for your account; for more information, contact your Sectigo account manager. |
| Default Profile | When configured, the selected certificate profile is used during SOAP API enrollment for client certificates managed by the department. |
| Intune Certificate Exporter | When configured, copies of client certificates and their accompanying private keys stored in Sectigo Key Vault can also be exported to MS Intune. |
| Allow Key Recovery by Master Administrators | When enabled, MRAO administrators can recover the private keys of client certificates issued by this department. Before client certificates can be issued, an MRAO administrator must generate an MRAO key pair on the Legacy Key Encryption page. The public key is then used to encrypt each new client certificate before it is securely stored; the private key may be provided to other MRAO administrators and used to recover the private keys of client certificates. This option can only be enabled when an organization is first created, after which it can only be disabled. |
| Allow Key Recovery by Organization Administrators | When enabled, RAO administrators can recover the private keys of client certificates issued by this department. Before client certificates can be issued, an RAO administrator must generate an RAO key pair on the Legacy Key Encryption page. The public key is then used to encrypt each new client certificate before it is securely stored; the private key may be provided to other RAO administrators and used to recover the private keys of client certificates. This option can only be enabled when an organization is first created, after which it can only be disabled. |
| Allow Key Recovery by Department Administrators | When enabled, DRAO administrators can recover the private keys of client certificates issued by this department. Before client certificates can be issued, a DRAO administrator must generate a DRAO key pair on the Legacy Key Encryption page. The public key is then used to encrypt each new client certificate before it is securely stored; the private key may be provided to other DRAO administrators and used to recover the private keys of client certificates. This option can only be enabled when an organization is first created, after which it can only be disabled. |
| Allow Principal Name | When enabled, client certificates may include a principal name in addition to the RFC822 name in the Subject Alternative Name (SAN) field. By default, the principal name is the primary email address of the end user to whom the certificate is issued. |
| Allow Principal Name Customization | When enabled, you can configure the principal name to use something other than the primary email address of the end user to whom the certificate is issued. |

Code Signing Certificates

| Field | Description |
| --- | --- |
| Enabled | When enabled, code signing certificates can be issued to applicants associated with this department. |

Device Certificates

| Field | Description |
| --- | --- |
| Default profile | When configured, the selected certificate profile is used during SOAP API enrollment for device certificates managed by the department. |
- Click Save.
- Repeat as required to add additional departments.
Step four: Add an administrator
Depending on their role, administrators in SCM Enterprise are responsible for certificate lifecycle management, policy enforcement, access control, and ensuring organization compliance.
The primary administrator privileges and restrictions are divided as follows:
- MRAO administrator — A Master Registration Authority Officer (MRAO) administrator can make changes across all organizations and departments in an enterprise account without any restrictions.
- RAO administrator — A Registration Authority Officer (RAO) administrator can perform operations on specific organizations and departments and for specific certificate types.
- DRAO administrator — A Department Registration Authority Officer (DRAO) administrator can only perform operations on specific departments and for specific certificate types.
To add a standard administrator, do the following:
- Navigate to .
- Click the Add icon.
- In the Add Admin Type dialog, select Standard.
- Click Next.
- Complete the Add New Admin fields based on the information provided in the following table.

| Field | Description |
| --- | --- |
| Username | The administrator's username for the purpose of identification and access. |
| Email | The administrator's email address. |
| Forename, Surname | The administrator's first name (forename) and last name (surname). |
| Title | The administrator's title. |
| Telephone Number | The administrator's phone number. |
| Street, Locality, State/Province, Postal Code, Country | The administrator's address details. |
| Relationship | The nature of the administrator's relationship with the organizations or departments they are delegated to (for example, employee or third party). |

- Click Next.
- Complete the Roles & Privileges tab fields:
  - Select an administrator role.
  - For RAO and DRAO administrators, select the certificate types and organizations or departments that can be managed.
  - Assign administrator privileges based on the information provided in the following table.
| Field | Description |
| --- | --- |
| Allow creation of peer admin users | The administrator can create other administrators of their own level or lower. |
| Allow editing of peer admin users | The administrator can edit other administrators of their own level or lower. |
| Allow deleting of peer admin users | The administrator can remove other administrators of their own level or lower. |
| Allow to manage organizations/departments | The administrator can create new organizations; view, edit, and delete delegated organizations; create new departments under delegated organizations; and manage certificate settings, notification templates, access control lists, and EV details for delegated organizations. |
| Allow DCV | The administrator can initiate domain control validation for newly created domains. |
| Allow SSL details changing | The administrator can change SSL certificate request details prior to approval. |
| Automatically approve certificate requests | Certificate requests initiated by the administrator are automatically approved. |
| Allow certificate revocation | The administrator can revoke certificates. |
| MS AD Discovery | The MRAO administrator can access the page, download and install MS Agents, and view the certificates and web servers discovered by MS Agents scanning the respective AD servers. |
| Allow download keys from Key Vault | The administrator can download certificate private keys stored in Sectigo Key Vault. |
| Approve domain delegation | The administrator can approve domain delegation requests by other administrators of their own level or lower. |
- Complete the Authentication tab fields:
  - Enter and confirm a password for the new administrator.
  - (Optional) Select a valid client certificate for use in authentication.
  - (Optional) Configure SAML IdP by selecting an identity provider and entering the appropriate EPPN.
- Click Save.
- Repeat as required to add additional administrators.
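The MRAO/RAO/DRAO scoping and the "peer admin users ... of their own level or lower" privileges above form a small authorization model, and writing it down makes it easier to review who can reach what before delegating. The following Python is an added example that models those rules; it is not SCM code and its data model (the Admin class, the "org/department" key format, the privilege name create_peer_admins) is invented here. Two points are assumptions not stated in the guide and are marked as such in the code: that an organization-level RAO delegation also covers that organization's departments, and that an administrator can only create administrators whose scope lies inside their own.

```python
from dataclasses import dataclass, field

# Role ordering from the guide: MRAO is unrestricted, RAO is scoped to
# organizations/departments, DRAO to departments only.
LEVEL = {"MRAO": 3, "RAO": 2, "DRAO": 1}


@dataclass
class Admin:
    username: str
    role: str                                          # "MRAO", "RAO" or "DRAO"
    organizations: set = field(default_factory=set)    # RAO: delegated organization names
    departments: set = field(default_factory=set)      # RAO/DRAO: "org/department" keys
    cert_types: set = field(default_factory=set)       # e.g. {"SSL", "Client"}
    privileges: set = field(default_factory=set)       # e.g. {"create_peer_admins"}


def can_manage(admin, organization, department=None, cert_type=None):
    """Decide whether admin may act on an organization (or one of its
    departments) for the given certificate type."""
    if admin.role == "MRAO":
        return True                                    # no restrictions
    if cert_type is not None and cert_type not in admin.cert_types:
        return False
    dept_key = f"{organization}/{department}" if department else None
    if admin.role == "RAO":
        # Assumption: an organization-level delegation also covers that
        # organization's departments; a department-level one covers only it.
        return organization in admin.organizations or dept_key in admin.departments
    if admin.role == "DRAO":
        return dept_key is not None and dept_key in admin.departments
    return False


def scope_within(inner, outer):
    """Assumption (not stated in the guide): an administrator may only hand
    out organizations, departments and certificate types they hold themselves."""
    if outer.role == "MRAO":
        return True
    for org in inner.organizations:
        if not can_manage(outer, org):
            return False
    for dept_key in inner.departments:
        org, _, dept = dept_key.partition("/")
        if not can_manage(outer, org, dept):
            return False
    return inner.cert_types <= outer.cert_types


def can_create_admin(actor, new_admin):
    """'Allow creation of peer admin users': the actor may create administrators
    of their own level or lower, and (assumption) only within their own scope."""
    if "create_peer_admins" not in actor.privileges:
        return False
    if LEVEL[new_admin.role] > LEVEL[actor.role]:
        return False
    return scope_within(new_admin, actor)


if __name__ == "__main__":
    # Constructed administrators for a fictional organization "Acme".
    rao = Admin("r.smith", "RAO", organizations={"Acme"},
                cert_types={"SSL", "Client"}, privileges={"create_peer_admins"})
    drao = Admin("d.jones", "DRAO", departments={"Acme/IT"}, cert_types={"SSL"})
    print("RAO manages Acme/IT SSL:", can_manage(rao, "Acme", "IT", "SSL"))
    print("DRAO manages Acme/HR SSL:", can_manage(drao, "Acme", "HR", "SSL"))
    print("RAO may create the DRAO:", can_create_admin(rao, drao))
```

Running a check like this against the intended administrator list before clicking Save is a cheap way to confirm that a DRAO really is confined to its department and that no RAO is being given a certificate type or organization the creating administrator does not hold.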
Step five: Add your domains
Before requesting SSL, client, or code signing certificates you must add your domains to SCM and delegate them to organizations and departments for management.
To add a domain, do the following:
- Navigate to Domains.
- Click the Add icon.
- Enter your fully qualified domain name (FQDN) or wildcard domain.
- In the Create Domain dialog, select or deselect Active depending on whether you want the domain to be available for certificate issuance.
- (Optional) Enter a description that provides any contextual information required.
- Configure CT logging based on the information in the following table.

| Field | Description |
| --- | --- |
| Monitor CT Logs for publicly issued certificates including this domain | When selected, CT logs are monitored for publicly issued certificates/precertificates that include this domain. This feature is useful for detecting unauthorized certificates issued for your domain. |
| Include sub-domains | When selected, sub-domains are included in the CT log monitoring. |
| Certificate Bucket | The certificate bucket used to collect certificates/precertificates from CT logs. |

- Select which organizations and/or departments the domain should be delegated to, and for which certificate types.
- Click Save. Depending on your role and how your account is configured, the creation and delegation of a domain may require additional administrator approval.
- Repeat as required to add additional domains.
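The CT log monitoring options above (monitor the domain, optionally including sub-domains) are only useful if you have decided what "unauthorized" means for your domain. The following Python is an added example, not SCM code, of the matching and triage logic such monitoring performs: it runs over a few constructed CT-log-style records (not real log entries) and flags (pre)certificates that name the monitored domain but were issued by a CA outside an allowlist of issuers the organization actually uses. The issuer allowlist as the authorization criterion, the record layout and the issuer labels are all assumptions made here.

```python
# Constructed CT-log-style records (not real log entries): one per
# (pre)certificate seen in a log, with its issuer and SAN dNSNames.
CT_RECORDS = [
    {"log": "log-a", "issuer": "Expected CA", "dns_names": ["www.example.com", "example.com"]},
    {"log": "log-a", "issuer": "Unexpected CA", "dns_names": ["login.example.com"]},
    {"log": "log-a", "issuer": "Unexpected CA", "dns_names": ["notexample.com"]},
    {"log": "log-b", "issuer": "Expected CA", "dns_names": ["*.example.com"]},
    {"log": "log-b", "issuer": "Unexpected CA", "dns_names": ["deep.sub.example.com"]},
]


def name_matches(name, domain, include_subdomains):
    """Does one SAN entry fall under the monitored domain?
    An exact match always counts. With include_subdomains, any name ending
    in '.<domain>' counts too, and a wildcard '*.<domain>' is treated as
    covering sub-domains. Case and trailing dots are ignored, and a longer
    name that merely ends in the same characters ('notexample.com') is not
    a match."""
    name = name.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    if name == domain:
        return True
    if not include_subdomains:
        return False
    if name.startswith("*."):
        name = name[2:]
    return name == domain or name.endswith("." + domain)


def find_unexpected(records, domain, include_subdomains, expected_issuers):
    """Return the records that include the monitored domain but were issued
    by a CA outside expected_issuers. Assumption: issuer allowlisting is the
    chosen definition of 'unauthorized' for this domain."""
    hits = []
    for record in records:
        names_match = any(name_matches(n, domain, include_subdomains)
                          for n in record["dns_names"])
        if names_match and record["issuer"] not in expected_issuers:
            hits.append(record)
    return hits


if __name__ == "__main__":
    for rec in find_unexpected(CT_RECORDS, "example.com", True, {"Expected CA"}):
        print("review:", rec["log"], rec["issuer"], rec["dns_names"])
```

Whatever criterion you choose (issuer allowlist, serial numbers already known to SCM, or both), the point of enabling Include sub-domains is visible in the sample: with it off, only the bare domain is watched and the two sub-domain certificates from the unexpected issuer go unnoticed.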
Step six: Validate your domains
Domains must be validated before publicly trusted certificates can be issued. If a domain is used only for private certificates, it does not require validation.
To validate a domain using the email method, do the following:
- Navigate to Domains.
- Select the domain to be validated, and click Validate.
- Select the Email DCV method.
- Click Start.
- Select an appropriate email address.
- Click Submit.
- Once you receive the validation email, click the included validation link.
- Repeat as required for each domain that requires validation.