...

Allowing non-admins to request certificates

This has changed. Contact us if you need this functionality.

You can allow persons who are not admins in the SCM to request certificates ("enroll" in Sectigo-speak). To do that, go to Settings → Organizations, select your organization and select Edit. (Or, if this should apply only to a department, after selecting the organization, use the Departments button, select the department, and use Edit on that instead.)

  • On the Certificate Settings → SSL Certificate Certificates tab, enable Self Enrollment, put a shared secret value in Access Code and copy the URL shown below that field. You can now hand out this URL to persons who can use it, together with the access code, to reach the certificate enrollment page for non-admins. As you will see when you test it, it contains approximately the same fields as the "Add Certificate" pages in the SCM itself. Be aware that the email address is not checked (beyond having the right domain), so you need an out-of-band method of authenticating the requestor.
  • If you have SAML attribute release working towards Sectigo (see "SAML Configuration" below), you can also enable "Self Enrollment via SAML", keep the Access Code secret and hand out the URL below the Token field to users. They will then have to authenticate using SAML before getting to the same kind of enrollment form as above. As the email address will now come from your IdP via SAML, you can be more confident that it is correct, but it is up to you to decide whether that is good enough, or whether you will still require additional confirmation out-of-band before approving.
  • Do not enable "Automatically Approve Self Enrollment Requests". You will at the very least want to manually approve certificate requests arriving via this route!
  • You might also want to customize the SSL Types for the Enrollment Form (on the right-hand side), to stop users from selecting certificate types you do not want them to use. You can still keep the ability to select them in the SCM (the left-hand Admin UI selection). 2020-08-18: This no longer works like this after the certificate profile changes earlier this summer. We will update this later.

Revoking SSL Certificates

Certificates issued on 2021-06-07 and later: You should be able to revoke them in SCM under Certificates → SSL Certificates, using the Revoke button with the certificate selected.

...

  • Have your IdP configured correctly for Sectigo. See below under "SAML Configuration".
  • Edit your organization object (use the pencil icon when the main Edit Organization card is shown) and set "Academic code (SCHAC Home Organization)" to the same value as your IdP sends for schacHomeOrganization. It will typically be your main domain, but confirm this with your IdP admins.

...

  • Edit your organization object (use the pencil icon when the main Edit Organization card is shown) and set "Secondary Organization Name" to the name used in grid certificates (with åäö transcribed correctly to ASCII if needed, and with the same upper/lowercase conventions that you have used before with DigiCert). Please check existing certificates if you are unsure, or, as a last resort, ask us at SUNET TCS to help you check. As grid certificate subjects are used as "usernames" in systems, it is vital that the whole subject string is kept exactly as it was before for your users.
  • Email tcs@sunet.se about this so that we can ask for a validation of the secondary name as you cannot perform this step yourself.
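Before emailing us, it is worth checking the proposed Secondary Organization Name mechanically against the O= component of the grid certificates you already have. The script below is an added example, not part of this page or of Sectigo's tooling: it assumes subjects in the OpenSSL slash-separated one-line format (the sample subjects are constructed) and flags non-ASCII characters, case differences and outright mismatches.

```python
from typing import Iterable, List, Optional

# Constructed sample subjects of previously issued grid certificates,
# in OpenSSL's slash-separated one-line form (assumed format; if your
# certificates print differently, adjust org_component accordingly).
EXISTING_SUBJECTS = [
    "/DC=org/DC=terena/DC=tcs/C=SE/O=Example University/CN=Anna Andersson anna@example.se",
    "/DC=org/DC=terena/DC=tcs/C=SE/O=Example University/CN=Bo Berg bo@example.se",
]


def org_component(subject: str) -> Optional[str]:
    """Return the value of the O= RDN in a slash-separated subject, or None."""
    for rdn in subject.split("/"):
        if rdn.startswith("O="):
            return rdn[len("O="):]
    return None


def check_secondary_name(proposed: str,
                         subjects: Iterable[str] = EXISTING_SUBJECTS) -> List[str]:
    """Compare a proposed Secondary Organization Name with existing O= values.

    Returns a list of human-readable problems; an empty list means the
    proposed name reproduces the existing subject component exactly.
    """
    problems: List[str] = []
    # Grid subjects must be plain ASCII, so åäö have to be transcribed first.
    if not proposed.isascii():
        bad = "".join(sorted({c for c in proposed if not c.isascii()}))
        problems.append(f"contains non-ASCII characters: {bad}")
    existing = {org_component(s) for s in subjects} - {None}
    if len(existing) > 1:
        problems.append(f"existing certificates disagree on O=: {sorted(existing)}")
    for org in sorted(existing):
        if org == proposed:
            continue
        # A case-only difference still changes the subject string (the "username").
        if org.casefold() == proposed.casefold():
            problems.append(f"case differs from existing O={org!r}")
        else:
            problems.append(f"does not match existing O={org!r}")
    return problems


if __name__ == "__main__":
    for candidate in ("Example University", "Example university", "Göteborgs Universitet"):
        print(candidate, "->", check_secondary_name(candidate) or "OK")
```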

...