Configuring Policy for HashiCorp Vault CA

Before You Begin

  • One or more Certificate Groups must exist so that the policy can be mapped to them.

  • A HashiCorp Vault CA account (CA Settings) must exist for which the policy is to be created.

  • The Key Algorithm and Encryption Type must be configured under the CA account.

  • The required AppViewX permission must be granted (Accounts > Roles; see the Accounts management section).

To configure a HashiCorp Vault CA policy:

  1. Go to menu > KUBE+ > Groups & Policies > CA Policy.
    On the CA Policy page, the configured policies are displayed, if any.
    Note: KUBE+ ships with two default policies, Default and Certificate-Gateway.
  2. Create a custom policy by clicking the Create button on the upper right corner of the CA Policy page.
  3. On the CA Policy: Create page, enter details in the Policy Details section as described in the table below.
    Table 1. Policy Details - Field and Description Table
    *Policy Name
      A unique name that identifies the CA policy.
      NOTE: No special characters other than '.', '-', and '_' are allowed, and the name must not start with a special character.
    Description
      A description of the policy.
    Type
      Select Strict or Suggestive. Strict is selected by default.
      • Strict - Enforces the standards defined in the policy; a user cannot modify any parameter.
      • Suggestive - Presents the policy parameters as suggestions; a user can modify the suggested values if required.
    Approval Required
      When enabled, enforces the peer approval process for any request to create, renew, regenerate, reissue, or revoke a certificate. The peers who approve the request are defined in the approval workflow.
    Private Key Access
      When enabled, allows the user to download private keys from the holistic view. Leave this disabled unless the groups mapped to the policy genuinely need to export keys.
    Include Root and Intermediate certificates for compliance check
      When enabled, the compliance check also validates that the issuing (intermediate) and root certificates comply with the standard defined in the policy, not just the leaf certificate.
    *: Mandatory fields
  4. In the CA Details section, a list box Certificate Authority on the left displays all the available CAs. Select Hashicorp Vault.
  5. Update the following fields in the CA Details section as described in the table below.
    Table 2. CA Details - Field and Description Table
    *CA Settings
      The dropdown lists the HashiCorp Vault CA accounts that have been created.
    *Secret Engine
      The single-select dropdown lists all the secrets engines associated with the account.
      In a Vault PKI secrets engine, a role is a named set of issuance constraints (allowed domains, key type and size, TTL, and so on) that every certificate request through that role must satisfy. Roles belong to exactly one secrets engine, so a single engine must be selected to populate the Role list (below) with the roles specific to it.
    *Role
      The dropdown lists all the roles defined in the selected secrets engine.
    *: Mandatory fields
  6. Click the Add button.

    The HashiCorp Vault CA Details table below the Add button displays the selected values in the dropdown.

    Multiple rows can be configured, based on the available CA settings and secrets engines, each with a different Bit Length - Key Type and Hash Function. The supported values are as follows:

    1. Key Type: RSA, EC

    2. Bit Length:

      1. RSA key type: 2048 (default), 3072, or 4096

      2. EC key type: 224, 256 (default), 384, or 521 (the NIST P-224, P-256, P-384, and P-521 curves)

    3. Hash Function: SHA-256, SHA-384, SHA-512

    Each row must also be permitted by the Vault role selected above: Vault validates the key type and key size of an issue or sign request against the role's key_type and key_bits settings, so a row the role does not allow will fail at issuance time rather than when the policy is saved.

    The CA Details table has options to View, Edit, and Delete.

    1. To view the CA details, click the View link in the View column - The CA account details are displayed in a pop-up window with the Bit Length - Key Type and Hash Function.

    2. To update the CA details, select the edit or pencil icon in the Edit column.

    3. To delete the CA details, select the bin or delete icon.

  7. Update the Certificate Parameters in the CA details section as described in the table below.
    Note: These parameters are used during certificate enrollment: the values entered here pre-populate the request form when a certificate is set up or requested.
    Table 3. Certificate Parameters - Field and Description Table
    Common Name
      Enter the fully qualified domain name (FQDN) that exactly matches the hostname clients connect to, for example www.example.com; a wildcard such as *.example.com is permitted.
      NOTE: The only special characters allowed are the asterisk (*), hyphen (-), and period (.).
    Organization
      The name of the organization.
    Organization Unit
      The name of the organizational unit.
    Locality
      The city in which the organization is located.
    State
      The state in which the organization is located.
    Country
      The country in which the organization is located.
    Email
      The email addresses of the organization contact.
      NOTE: Multiple comma-separated values are allowed.
    Subject Alternative Name
      Enter the additional hostnames (alternative websites or IP addresses) that are to be protected by the same certificate.
      The value restricts the additional domains for which a certificate can be requested; Subject Alternative Name is enforced during certificate request operations such as New, Renew, and Regenerate.
      NOTE: The only special characters allowed are the asterisk (*), hyphen (-), period (.), and the at sign (@).
    Note: The discovered certificate's parameters (Organization, Organization Unit, Locality, State, Country, and Email) are compared against the same parameters in the policy to determine whether the certificate is compliant. The policy values are also enforced during certificate request operations such as New, Renew, and Regenerate.
    *: Mandatory fields

  8. Click the Save CA Details button.

    A green tick mark is displayed in the Certificate Authority pane against the HashiCorp Vault option to indicate the details are successfully saved.

  9. In the Group Selection, select one or more groups to map to the policy. Refer to the Certificate Group section to add/update groups.
  10. Under the Compliance Check section, enable the Perform Compliance Check option to run a compliance check against the mapped groups immediately after the policy is created.
  11. Click the Create Policy button.
    The Policy is created successfully.
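The following Python script is added here as an example; it is not AppViewX or HashiCorp code. It models the fields from Tables 1 to 3 and automates two checks a practitioner would want before saving the policy: that each Bit Length - Key Type row (and the policy's Common Name pattern) can actually be issued by the selected Vault PKI role, using role data in the shape returned by `vault read -format=json <engine>/roles/<role>`, and that a certificate request or a discovered certificate is compliant with the Certificate Parameters under Strict versus Suggestive semantics. The policy, role and request are constructed sample data, the dictionary key names are assumptions, and the allowed_domains matching is a simplified approximation of Vault's own logic.

```python
"""Pre-flight checks for a HashiCorp Vault CA policy as described on this page.
Added example (not AppViewX or HashiCorp code). It checks the policy fields
from Tables 1-3, checks that each Bit Length - Key Type row can be issued by
the Vault PKI role the policy points at (role data in the shape returned by
`vault read -format=json <engine>/roles/<role>`), and checks a certificate
request against the Certificate Parameters with Strict/Suggestive semantics.
Policy, role and request are constructed sample data; domain matching is a
simplified approximation of Vault's allowed_domains handling."""
import fnmatch
import re

# Character rules from the tables: policy names allow only '.', '-', '_' as
# special characters and may not start with one; CN allows '*', '-', '.';
# SAN additionally allows '@'.
POLICY_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")
CN_RE = re.compile(r"^[A-Za-z0-9*.-]+$")
SAN_RE = re.compile(r"^[A-Za-z0-9*.@-]+$")
SUPPORTED_BITS = {"RSA": {2048, 3072, 4096}, "EC": {224, 256, 384, 521}}
HASH_BITS = {"SHA-256": 256, "SHA-384": 384, "SHA-512": 512}
SUBJECT_FIELDS = ("Organization", "Organization Unit", "Locality",
                  "State", "Country", "Email")

SAMPLE_POLICY = {  # constructed sample; key names are assumptions
    "name": "vault-prod-web.policy", "type": "Strict",
    "ca_rows": [{"key_type": "RSA", "bit_length": 2048, "hash": "SHA-256"},
                {"key_type": "EC", "bit_length": 256, "hash": "SHA-384"}],
    "common_name": "*.example.com",
    "sans": ["*.example.com", "*.internal.example.com"],
    "Organization": "Example Corp", "Organization Unit": "Platform",
    "Locality": "Austin", "State": "Texas", "Country": "US",
    "Email": "pki@example.com",
}
SAMPLE_ROLE = {  # constructed sample, in the shape of a Vault PKI role
    "key_type": "rsa", "key_bits": 2048, "signature_bits": 256,
    "allowed_domains": ["example.com"], "allow_subdomains": True,
    "allow_bare_domains": False, "allow_glob_domains": False,
    "allow_any_name": False,
}

def validate_policy(policy):
    """Problems in Policy Details, CA Details and Certificate Parameters."""
    errors = []
    if not POLICY_NAME_RE.match(policy["name"]):
        errors.append("policy name violates the naming rule")
    for row in policy["ca_rows"]:
        if row["bit_length"] not in SUPPORTED_BITS.get(row["key_type"], ()):
            errors.append(f"unsupported key {row['key_type']}-{row['bit_length']}")
        if row["hash"] not in HASH_BITS:
            errors.append(f"unsupported hash {row['hash']}")
    if policy.get("common_name") and not CN_RE.match(policy["common_name"]):
        errors.append("common name contains disallowed characters")
    errors += [f"SAN {s} contains disallowed characters"
               for s in policy.get("sans", []) if not SAN_RE.match(s)]
    return errors

def role_permits_name(role, name):
    """Simplified Vault allowed_domains check (bare, subdomain, glob)."""
    if role.get("allow_any_name"):
        return True
    for dom in role.get("allowed_domains", []):
        if role.get("allow_bare_domains") and name == dom:
            return True
        if role.get("allow_subdomains") and name.endswith("." + dom):
            return True
        if role.get("allow_glob_domains") and fnmatch.fnmatchcase(name, dom):
            return True
    return False

def role_issues(policy, role):
    """CA Details rows (and the policy CN) the selected Vault role would refuse."""
    issues = []
    for row in policy["ca_rows"]:
        kt, bits, hsh = row["key_type"], row["bit_length"], row["hash"]
        if role.get("key_type", "rsa") not in ("any", kt.lower()):
            issues.append(f"role key_type={role['key_type']} rejects {kt} keys")
        elif role.get("key_bits", 0) not in (0, bits):
            issues.append(f"role key_bits={role['key_bits']} rejects {bits}-bit keys")
        elif role.get("signature_bits", 0) not in (0, HASH_BITS.get(hsh)):
            issues.append(f"role signature_bits={role['signature_bits']} conflicts with {hsh}")
    probe = policy["common_name"].replace("*", "host")  # concrete host for the CN pattern
    if not role_permits_name(role, probe):
        issues.append(f"role allowed_domains would refuse CN {probe}")
    return issues

def deviations(policy, request):
    """Fields of a request (or discovered certificate) that differ from the policy."""
    devs = [f for f in SUBJECT_FIELDS if policy.get(f) and request.get(f) != policy[f]]
    if policy.get("common_name") and not fnmatch.fnmatchcase(
            request.get("common_name", ""), policy["common_name"]):
        devs.append("common_name")
    devs += [f"san:{s}" for s in request.get("sans", [])
             if not any(fnmatch.fnmatchcase(s, p) for p in policy.get("sans", []))]
    return devs

def request_allowed(policy, request):
    """Strict rejects any deviation; Suggestive lets the user override the suggestion."""
    return policy["type"] == "Suggestive" or not deviations(policy, request)

if __name__ == "__main__":
    req = {"common_name": "www.example.com", "sans": ["www.example.com", "api.example.com"],
           **{f: SAMPLE_POLICY[f] for f in SUBJECT_FIELDS}}
    print(validate_policy(SAMPLE_POLICY), role_issues(SAMPLE_POLICY, SAMPLE_ROLE))
    print(deviations(SAMPLE_POLICY, req), request_allowed(SAMPLE_POLICY, req))
```

With the sample data the role check reports that the EC row cannot be issued because the role pins key_type to rsa, which is exactly the mismatch that would otherwise surface only when an enrollment fails; the same functions run over a discovered certificate's subject reproduce the policy compliance comparison described in step 7, with Suggestive policies merely reporting the deviations rather than blocking the request.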