Add Policies
Policies set the rules that certificate requests must follow, such as allowed key algorithms, subject fields, and validity periods.
For example, to only issue certificates with RSA 4096 keys, create a policy that only allows that key algorithm. Any certificate request using a different algorithm is rejected.
Prerequisites
Before you create a policy, make sure you have:
A parent Tenant Service Group account, so you can share resources with child tenants.
In Next-Gen Trust Security, a Superuser user role.
To Add a Policy
Sign in to Next-Gen Trust Security.
Click Configuration > Workload Issuance Policies.
Click New.
Enter a policy Name.
Enter a Client Cert Validity, which is the maximum validity period for certificates issued under this policy and is used when clients don't specify a validity period. Clients can request shorter validity periods, but not longer ones.
Under
Subject, set the rules for the certificate subject fields, which identify the certificate owner. For each field, select a
Type and optionally enter a
Default Value, which accepts literal strings or
regular expressions.
| Field | Description |
|---|
| Common Name | The common name (CN) of the certificate subject. |
| Organization | Your organization's legal name. |
| Organizational Unit | The division of your organization that manages the certificate. |
| City/Locality | The city or locality of your organization. |
| State/Province | The state or province of your organization. |
| Country | The country of your organization. |
Under
Subject Alternative Names (SAN), set the rules for how the certificate can be used. For each field, select a
Type and optionally enter a
Default Value, which accepts literal strings or
regular expressions.
| Field | Description |
|---|
| DNS (SAN) | The DNS names that the certificate is valid for. |
| IP Address (SAN) | The IP addresses that the certificate is valid for. |
| Email Address (SAN) | The email addresses that the certificate is valid for. |
| URI Address (SAN) | The URIs that the certificate is valid for. |
Under Key Constraint, select one or more key algorithms that clients must use.
If selecting multiple algorithms, the client can use any algorithm. If no algorithm is specified, Distributed Issuer uses the Default Value.
Under Issuance Parameters, select key usage options as follows.
| Field | Description |
|---|
| Key Usage | Select the permitted uses for the certificate's key. For TLS certificates, select both Digital Signature and Key Encipherment. |
| Extended Key Usage | Select what the policy can be used for. Select Server Authentication for server certificates, Client Authentication for client certificates, or both options. |
Under Resource Consumers, choose which Tenant Service Groups can use this policy. Toggle Allow everyone to consume or select specific child tenants from the list.
Click Create to finish creating the policy.
What's Next?
Now that you have created a policy, it's time to add a Built-in Account with which Distributed Issuer authenticates with Next-Gen Trust Security, and to
save the credentials you'll need for installation.
