Configuring a CA Policy for IDnomic CA

  1. Go to (Menu) > CERT+ > GROUPS & POLICIES > CA Policy.
    The CA Policy page is displayed with a list of policies and their associated groups.
    Note: A Default policy will always be present in the list. Most of the roles are mapped to this policy. This policy can be used for any of the configured CAs.
  2. To create a custom policy, click +Create from the top-right corner of the CA Policy page.
    The CA Policy :: Create page is displayed.
  3. Refer the Configuring Policy Details section to configure the following:
    • Policy Details
    • Group Selection
    • Compliance Check
  4. In the CA Details section, from the Certificate Authority list in the left, select IDnomic.
    The CA Details section is updated to display fields relevant to IDnomic.
  5. Enter the CA details.
    Table 1. Field description for CA details
    Fields Description
    *CA Accounts The IDnomic CA accounts configured in the CA settings screen are listed. Select a CA account from the list to create the policy.
    *Certificate Management ProfileOR *Certificate Workflows If the selected CA Account is configured with a certificate profile then the field label is Certificate Management Profile and displays only certificate profiles. If configured with a registration authority (RA) the field label is Certificate Workflows and displays the certificate workflows.

    The Certificate Types corresponding to the selected CA account are listed. Select one (or) more Certificate Type from the list to create the policy.
    *Validity Enter the validity period for the certificate. The available options are:
    • Days - You may enter more than one validity period in days, to choose one in certificate enrollment.
    • Month - You can enter more than one validity period in Months, to choose one in certificate enrollment.
    • Year - You can enter more than one validity period in Year, to choose one in certificate enrolment.
    *Bit Length - Key Type All the Key Types are listed with corresponding Bit Length. You can select one (or) more than one Bit Length - Key Type(s) from the dropdown list.

    The discovered certificate's Key Type and Bit length will be compared against the selected Bit Length - Key Type(s) to identify if they are compliant with the policy. Selected Bit Length - Key Type(s) is enforced while performing any certificate request operations such as New, Renew, and Regenerate.
    *Hash Function Supported Hash Function(s) are listed here. You can select one (or) more Hash Function(s) from the dropdown list.

    The discovered certificate's Key Hash Algorithm will be compared against the selected Hash Function(s) to identify if they are compliant with the policy. Selected Hash Function(s) is enforced while performing any certificate request operations such as New, Renew, and Regenerate.
    *: Mandatory fields
  6. Click Add.
    The CA details are saved to the table and the confirmation message is displayed. You may use the Edit (pencil) option in the table to modify the configuration and the Remove (bin) option to delete the configuration.
  7. Enter the certificate parameters.
    Table 2. Field description for certificate parameters
    Fields Description
    Restrict Wild Card Certificate Restrict users of the associated group policy from requesting Wildcard Certificates. Choosing this option will not allow Common Name or DNS starting with *.
    Host name Enter the host name.

    The host name cannot start and end with a . (period)
    *Allowed Domain Names Enter only the whitelisted domain names.

    Press enter after adding the domain name. Multiple domain names can be added.
    Common Name Enter the common name. For example, *.domain.com

    This enforces domains for which a certificate can be requested. The common name is enforced at the time of performing any certificate request operations such as New, Renew, and Regenerate.

    Note: Use the * (asterisk) for the host part of the FQDN to enforce the domain. For example, *.domain.com will only allow users to request certificates with domain.com. Allowed special characters: *(Asterisk), - (hyphen), . (period).
    Organization Enter the organization name.

    The discovered certificate's subject organization will be compared against the organization provided in the policy to check for compliance. The organization is enforced at the time of performing any certificate request operations such as New, Renew, and Regenerate.
    Organization Unit Enter the organization unit. The discovered certificate's Subject Organization Unit will be compared against the organization unit provided in the policy to check for compliance. Organization Unit is enforced at the time of performing any certificate request operations such as New, Renew, and Regenerate.
    Locality Enter the locality name.

    The discovered certificate's locality will be compared against locality provided in the policy to check for compliance. The locality is enforced at the time of performing any certificate request operations such as New, Renew, and Regenerate.
    State Enter the state.

    The discovered certificate's state will be compared against the state provided in the policy to check for compliance. The state is enforced at the time of performing any certificate request operations such as New, Renew, and Regenerate.
    Country code Enter the country code.

    The discovered certificate's country code will be compared against the country code provided in the policy to check for compliance. Country code is enforced at the time of performing any certificate request operations such as New, Renew, and Regenerate.
    Email Enter the email address of the organization unit.

    The discovered certificate's email address will be compared against the email address provided in the policy to check for compliance. The email address is enforced at the time of performing any certificate request operations such as New, Renew, and Regenerate.
    Subject Alternative Name Enter the subject alternative name (SAN). It helps enforce additional domains for which a certificate can be requested. The SAN is enforced at the time of performing any certificate request operations such as New, Renew, and Regenerate.
    Note: Use the * (asterisk) for the host part of the FQDN to enforce the domain. For example, *.domain.com will only allow users to request certificates with domain.com. Allowed special characters: *(Asterisk), - (hyphen), . (period).
    *: Mandatory fields
  8. Click Save CA Details.
    A green tick mark is displayed in the Certificate Authority pane against the IDnomic option to indicate that the details are successfully saved.
  9. In the Group Selection, select one or more groups to map to the policy. Refer to the Certificate Group section to add/update groups.
  10. Under the Compliance Check section, enable the Perform Compliance Check option to perform an immediate compliance check.
  11. Click Create Policy button.
    The policy is created and a confirmation message is displayed.