Add Subordinate CA Providers
Subordinate CA providers define the properties of Distributed Issuer's CA certificates—such as validity period, key algorithm, and subject fields—and link them to the CA accounts that sign them. Distributed Issuer signs workload certificates with these CA certificates, establishing a chain of trust.
Create multiple subordinate CA providers when you're using more than one CA account or different certificate templates for the same CA.
Prerequisites
Before you add a subordinate CA provider, make sure you have:
A parent Tenant Service Group account, to share resources with child tenants.
In Next-Gen Trust Security, a Superuser user role.
To Add a Subordinate CA Provider
Sign in to Next-Gen Trust Security.
Click Configuration > Issuer Sub CA Providers.
Click New and select a CA type.
Enter the following information.
| Field | Description |
| --- | --- |
| Name | Name of the subordinate CA provider; appears on the Issuer Sub CA Providers page. |
| Issuer Cert Validity | The validity period of Distributed Issuer's CA certificate. This should be at least as long as the validity period of any certificate Distributed Issuer will issue to its clients. Type in the value, then select a unit. |
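The following Python snippet is an added illustration of the Issuer Cert Validity rule above; it is not part of this documentation or of the product. It converts the value-plus-unit pairs you type into the form into durations and reports whether the issuer certificate would be valid at least as long as the longest workload certificate a policy will issue. The unit names (`hours`, `days`, `years`) are assumptions for the example, since this page does not list the units the form offers.

```python
from datetime import timedelta

# Assumed unit names: the form lets you type a value and pick a unit, but this
# page does not list the unit names, so these are placeholders for the example.
UNIT_TO_DELTA = {
    "hours": timedelta(hours=1),
    "days": timedelta(days=1),
    "years": timedelta(days=365),
}


def to_timedelta(value, unit):
    """Convert a (value, unit) pair as entered in the form into a timedelta."""
    if unit not in UNIT_TO_DELTA:
        raise ValueError(f"unknown validity unit: {unit!r}")
    if value <= 0:
        raise ValueError("validity must be a positive number")
    return value * UNIT_TO_DELTA[unit]


def check_issuer_validity(issuer_validity, leaf_validities):
    """Return (ok, shortfall).

    ok is True when the Issuer Cert Validity is at least as long as the longest
    workload certificate validity in leaf_validities; shortfall is how much
    longer the issuer validity would need to be (zero when ok).
    """
    issuer = to_timedelta(*issuer_validity)
    longest = max((to_timedelta(v, u) for v, u in leaf_validities),
                  default=timedelta(0))
    shortfall = max(longest - issuer, timedelta(0))
    return shortfall == timedelta(0), shortfall


if __name__ == "__main__":
    # Constructed inputs: a one-year issuer certificate and two workload policies.
    ok, gap = check_issuer_validity((1, "years"), [(90, "days"), (30, "days")])
    print(f"1-year issuer vs 90/30-day workload certs: ok={ok}")
    ok, gap = check_issuer_validity((30, "days"), [(90, "days")])
    print(f"30-day issuer vs 90-day workload cert: ok={ok}, shortfall={gap.days} days")
```

Run it once with the validity you intend to enter and the longest validity from each policy you plan to create; a non-zero shortfall means the issuer value needs to be raised before you click Create.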
(Optional) To use an HSM for Distributed Issuer's signing key, enable Require HSM and enter the following information.
| Field | Description |
| --- | --- |
| Partition label | Identifies the specific logical subdivision of an HSM that stores an application's cryptographic keys. |
| Partition Serial Number | Provides a unique, permanent numeric identifier for a specific subdivision within an HSM. |
| PIN | Enter the PIN required to access the HSM. Consult the vendor documentation for the required format of the PIN. |
| Allowed Client Libraries | (Optional) Specify the SHA-256 checksum of the PKCS#11 library Distributed Issuer is allowed to use. This ensures Distributed Issuer loads the correct client library. If nothing is entered here, Distributed Issuer could use any PKCS#11 library, which is a security risk. |
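As an added illustration of the Allowed Client Libraries field, not part of this documentation or of the product, the following Python snippet computes the SHA-256 checksum of a PKCS#11 library file (the value you paste into the field) and shows the kind of check that checksum enables: the library is accepted only when its digest matches an allow-listed entry, and a single changed byte is rejected. The file it hashes is a constructed stand-in written to a temporary directory, not a real PKCS#11 module; the file name `libcryptoki-stub.so` is an assumption for the example.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_of_bytes(data):
    """Hex SHA-256 of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk_size=1 << 20):
    """Hex SHA-256 of a file, streamed so a large shared object is not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def library_allowed(path, allowed_checksums):
    """True if the library's checksum matches an entry in the allow-list.

    The hex strings are compared in constant time and case-insensitively, so
    an upper-case checksum pasted from a vendor page still matches.
    """
    actual = sha256_of_file(path)
    return any(hmac.compare_digest(actual, expected.strip().lower())
               for expected in allowed_checksums)


def demo():
    """Write a constructed stand-in for a PKCS#11 library and check it before and after tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = os.path.join(tmp, "libcryptoki-stub.so")  # assumed file name
        with open(lib, "wb") as fh:
            fh.write(b"constructed stand-in for a PKCS#11 module\n")
        checksum = sha256_of_file(lib)          # the value to enter in the form
        ok_before = library_allowed(lib, {checksum})
        # Simulate a swapped or modified library: append one byte.
        with open(lib, "ab") as fh:
            fh.write(b"\x00")
        ok_after = library_allowed(lib, {checksum})
        return checksum, ok_before, ok_after


if __name__ == "__main__":
    checksum, before, after = demo()
    print(f"sha256: {checksum}")
    print(f"allowed before tamper: {before}, after tamper: {after}")
```

To produce the value for a real deployment, point `sha256_of_file` at the PKCS#11 library your HSM vendor installed on the Distributed Issuer host and record the digest alongside the vendor's library version, so a vendor upgrade that changes the file is followed by a deliberate update of the field rather than a silent mismatch.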
Under CSR Parameters, enter the certificate subject fields.
| Field | Description |
| --- | --- |
| Common Name | Suffix that gets appended to the instanceNaming value in the config.yaml file, which becomes the common name of the CA certificate for Distributed Issuer. |
| Organization | (Optional) Your organization's legal name helps your users verify that they can trust Distributed Issuer's certificate. |
| Organizational Unit | (Optional) The division of your organization that is managing the certificate. |
| City/Locality | (Optional) The city or locality of your organization. |
| State/Province | (Optional) The state or province of your organization. |
| Country | (Optional) The country of your organization. |
| Key Algorithm | The algorithm and key size (or curve) for the keypair Distributed Issuer will generate when it starts. |
Under Resource Consumers, choose which Tenant Service Groups can use this policy. Toggle Allow everyone to consume or select specific child tenants from the list.
Click Create.
What's Next?
Now that you have created a subordinate CA provider, create a policy that sets rules for the certificates that Distributed Issuer issues to workloads.