Add Configurations

Configurations are runtime settings that define how Distributed Issuer operates through a bootstrap performed at startup. They link a sub CA provider, policies, and client configurations that define which clients can interact with Distributed Issuer and how they authenticate.

Prerequisites

Note: If using a child Tenant Service Group, you can only create configurations with subordinate CA providers and policies that a parent Tenant Service Group has shared with you.

Step 1: Add General Settings

Add general configuration properties and, optionally, enable logging.
  1. Sign in to Next-Gen Trust Security.
  2. Click Configuration > Issuer Configurations.
  3. On the Issuer Configurations page, click New.
  4. Enter a configuration Name.
  5. Select a Sub CA Provider.
  6. Select one or more Built-in Accounts. A Built-in Account can only connect to one configuration, but a single configuration can have multiple Built-in Accounts.
  7. (Optional) Under Advanced Security & Logging Settings, select Log certificate issuance information and Include raw certificate data.
  8. (Optional) If you'll install Distributed Issuer using a FIPS image, select Require Issuer instances to be FIPS compliant.
  9. Click Continue.

Step 2: Configure Client Access

The Client Configuration section controls how clients connect to Distributed Issuer. Select one or both network client options, or skip both for local-only access.

Network clients (REST, gRPC, remote cert-manager)

Select this option to allow clients to connect using JSON Web Token (JWT) authentication. See Network Clients with JWT to finish the configuration.

Network clients authenticated with instance metadata

Select this option to allow cloud VM instances to authenticate with signed identity documents. See Network Clients with Instance Metadata to finish the configuration.

Local-only access

Local access via Unix Domain Sockets (UDS) is always available, so if you select neither network client option, clients can connect only locally. With this setup, cert-manager must be installed in the same environment.

Do the following to finish the configuration:
  1. Under Policies, select the Allowed Policies that clients can use.
  2. Click Create to save the configuration.

What's Next?

Once the configuration is complete, it's time to install Distributed Issuer. Installation is CLI-based and requires access to your Kubernetes cluster or Linux host.
For more information, see Installation Overview on the NGTS developer documentation site.