Configuring a CA Policy for DigiCert CA

  1. Go to (Menu) > CERT+ > GROUPS & POLICIES > CA Policy.
    The CA Policy page is displayed.
  2. Click + Create from the top-right corner of the page.
    The CA Policy :: Create page is displayed.
  3. Refer to the Configuring Policy Details section to configure the following:
    • Policy Details
    • Group Selection
    • Compliance Check
  4. In the CA Details section, from the Certificate Authority list in the left, select DigiCert.
    The CA Details section is updated to display fields relevant to DigiCert.
  5. Enter the policy details for DigiCert.
    Table 1. Field description for CA details
    • *CA Account: From the dropdown list, select an existing CA account for which this policy is to be created.
    • *Division: Select the division from the dropdown list.
    • *Certificate Type: Certificate types corresponding to the selected CA account are listed. Select one or more certificate types from the list to create the policy.
    • *Validity: Enter a validity period for the certificate. The available options are:
        Days - You can enter more than one validity period in days; one of them is chosen at certificate enrolment.
        Months - You can enter more than one validity period in months; one of them is chosen at certificate enrolment.
        Years - You can enter more than one validity period in years; one of them is chosen at certificate enrolment.
    *: Mandatory fields
  6. In the Vendor Specific Details section, select or enter the details listed in the table.
    Table 2. Field description for Vendor Specific Details
    • *Server Type: Select the server type from the dropdown list.
    *: Mandatory fields
  7. Click Add.
    The CA details are added to the table below the Add button and a confirmation message is displayed.
    Note: You can use the Edit option in the table to modify the configuration and the Remove option to delete the configuration.
  8. Select the Bit Length - Key Type, ECDSA curve, and the Hash Function.
  9. Based on your organization's policies and standards, enter values for the Certificate Parameters.
    Table 3. Field description for certificate parameters
    • Restrict Wild Card Certificate: Slide the toggle switch to the ON position to prevent wildcard certificates from being created using this policy.
    • Host name: Enter the host name. The host name cannot start or end with a . (period).
    • *Allowed Domain Names: Enter only the whitelisted domain names. Press Enter after adding each domain name; multiple domain names can be added.
    • Common Name: Enter the common name, for example *.domain.com. This enforces the domains for which a certificate can be requested. The common name is enforced at the time of performing any certificate request operation such as New, Renew, and Regenerate.
      Note: Use the * (asterisk) for the host part of the FQDN to enforce the domain. For example, *.domain.com only allows users to request certificates under domain.com. Allowed special characters: * (asterisk), - (hyphen), . (period).
    • Organization: Enter the organization name. The discovered certificate's subject organization is compared against the organization provided in the policy to check for compliance. The organization is enforced at the time of performing any certificate request operation such as New, Renew, and Regenerate.
    • Organization Unit: Enter the organization unit. The discovered certificate's subject organization unit is compared against the organization unit provided in the policy to check for compliance. The organization unit is enforced at the time of performing any certificate request operation such as New, Renew, and Regenerate.
    • Locality: Enter the locality name. The discovered certificate's locality is compared against the locality provided in the policy to check for compliance. The locality is enforced at the time of performing any certificate request operation such as New, Renew, and Regenerate.
    • State: Enter the state. The discovered certificate's state is compared against the state provided in the policy to check for compliance. The state is enforced at the time of performing any certificate request operation such as New, Renew, and Regenerate.
    • Country code: Enter the country code. The discovered certificate's country code is compared against the country code provided in the policy to check for compliance. The country code is enforced at the time of performing any certificate request operation such as New, Renew, and Regenerate.
    • Email: Enter the email address of the organization unit. The discovered certificate's email address is compared against the email address provided in the policy to check for compliance. The email address is enforced at the time of performing any certificate request operation such as New, Renew, and Regenerate.
    • Subject Alternative Name: Enter the subject alternative name (SAN). It enforces additional domains for which a certificate can be requested. The SAN is enforced at the time of performing any certificate request operation such as New, Renew, and Regenerate.
      Note: Use the * (asterisk) for the host part of the FQDN to enforce the domain. For example, *.domain.com only allows users to request certificates under domain.com. Allowed special characters: * (asterisk), - (hyphen), . (period).
    *: Mandatory fields
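The certificate-parameter fields above describe a comparison: the name and subject values in a request (or in a discovered certificate) are checked against the values stored in the policy. The following is an added illustration of that comparison logic, written for this page and not taken from CERT+. It assumes a policy and a request represented as plain Python values (constructed inline), takes the host-name rule, the * / - / . character set, the *.domain.com example and the wildcard restriction from the table, and treats a * label as matching exactly one host label (an assumption; the page says only "the host part of the FQDN").

```python
"""Policy compliance check modelled on the CERT+ certificate-parameter fields.

Added illustration, not CERT+ code. Field semantics taken from the page:
  * a pattern such as "*.domain.com" allows only names under domain.com,
  * only "*", "-" and "." are allowed as special characters in names,
  * a host name cannot start or end with a period,
  * Restrict Wild Card blocks requests for wildcard names,
  * subject fields (O, OU, L, ST, C, email) are compared with the policy values.
Assumption: a "*" label matches exactly one host label (RFC 6125 style).
"""
from __future__ import annotations
from dataclasses import dataclass, field
import re


@dataclass
class CaPolicy:
    allowed_domains: list[str]                          # *Allowed Domain Names
    common_name: str | None = None                      # e.g. "*.domain.com"
    sans: list[str] = field(default_factory=list)       # SAN patterns
    restrict_wildcard: bool = False                     # Restrict Wild Card Certificate
    subject: dict[str, str] = field(default_factory=dict)  # O, OU, L, ST, C, emailAddress


_NAME_RE = re.compile(r"^[A-Za-z0-9*.-]+$")


def valid_host_name(name: str) -> bool:
    """Allowed characters only, and no leading or trailing period."""
    return bool(_NAME_RE.match(name)) and not name.startswith(".") and not name.endswith(".")


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Turn a policy pattern into a regex; a bare '*' label matches one host label
    or a literal '*' (so the wildcard name itself can be requested when allowed)."""
    parts = [r"(\*|[A-Za-z0-9-]+)" if p == "*" else re.escape(p) for p in pattern.split(".")]
    return re.compile("^" + r"\.".join(parts) + "$", re.IGNORECASE)


def in_allowed_domains(name: str, allowed: list[str]) -> bool:
    """A requested name must equal, or sit beneath, one of the whitelisted domains."""
    host = name.lstrip("*.").lower()
    return any(host == d.lower() or host.endswith("." + d.lower()) for d in allowed)


def check_request(policy: CaPolicy, request: dict) -> list[str]:
    """Return the list of policy violations for a request; an empty list is compliant."""
    problems: list[str] = []
    cn = request["common_name"]
    sans = request.get("sans", [])
    for n in [cn, *sans]:
        if not valid_host_name(n):
            problems.append(f"{n}: malformed host name")
            continue
        if policy.restrict_wildcard and n.startswith("*"):
            problems.append(f"{n}: wildcard certificates are restricted by policy")
        if not in_allowed_domains(n, policy.allowed_domains):
            problems.append(f"{n}: not under an allowed domain")
    if policy.common_name and not pattern_to_regex(policy.common_name).match(cn):
        problems.append(f"{cn}: common name does not match policy pattern {policy.common_name}")
    if policy.sans:
        for san in sans:
            if not any(pattern_to_regex(p).match(san) for p in policy.sans):
                problems.append(f"{san}: SAN does not match any policy SAN pattern")
    for key, want in policy.subject.items():
        got = request.get("subject", {}).get(key)
        if got != want:
            problems.append(f"subject {key}={got!r} differs from policy value {want!r}")
    return problems


# Constructed sample policy and requests (not real data).
POLICY = CaPolicy(
    allowed_domains=["domain.com"],
    common_name="*.domain.com",
    sans=["*.domain.com"],
    restrict_wildcard=True,
    subject={"O": "Example Corp", "C": "US"},
)
GOOD_REQUEST = {
    "common_name": "www.domain.com",
    "sans": ["api.domain.com"],
    "subject": {"O": "Example Corp", "C": "US"},
}
BAD_REQUEST = {
    "common_name": "*.domain.com",            # wildcard while Restrict Wild Card is ON
    "sans": ["www.other.net", ".domain.com"],  # wrong domain; leading period
    "subject": {"O": "Example Corp", "C": "GB"},  # country differs from policy
}

if __name__ == "__main__":
    print("good:", check_request(POLICY, GOOD_REQUEST))
    for problem in check_request(POLICY, BAD_REQUEST):
        print("bad:", problem)
```

Running the module prints an empty list for the compliant request and six findings for the non-compliant one: the restricted wildcard, the SAN outside domain.com (both as an allowed-domain and a SAN-pattern failure), the malformed `.domain.com` entry, its SAN-pattern failure, and the mismatched country code. A discovered certificate's subject can be fed through the same function by mapping its attributes into the `subject` dictionary.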
  10. Click Save CA Details to save the configuration.
    A green tick mark is displayed in the Certificate Authority pane against DigiCert to indicate that the details are successfully stored.
  11. From the Group selection section, select one or more groups to map to the policy.
  12. From the Compliance Check section, to perform an immediate compliance check, enable Perform Compliance check.
    Note: A scheduled compliance check will run periodically based on the settings defined in the job scheduler.
  13. Click Create Policy to create a new policy.
    The policy is created and a confirmation message is displayed.