...

You can now go on to create admins (see below) that are DRAOs connected to just this department instead of being RAOs for the whole organization.

...

Domains connected to the department

If you add department admins (DRAOs) that can approve certificates for their department, you will most likely want to limit them to their own domain (department-example.com) or to a subdomain of your main domain (department.example.org, assuming that your main domain is example.org).

...

In the second case, with a subdomain of your already validated main domain, you will still add department.example.org and *.department.example.org with delegation to the department, but you will not have to initiate DCV again, as the SCM is smart enough to know that example.org is already validated. As for your main domain, you should expect department.example.org to show as Validated at once, and *.department.example.org with some delay.

Admins

You create additional admins (RAOs for your whole organization or DRAOs for departments you have created) under the Admins tab with the Add button. You can also edit existing admins by clicking on the line to check them and then using the Edit button.

  • Fill in login (with a suitable user name), email, forename and surname. We advise you to leave the rest of the contact information empty, as it is not needed.
  • At the moment, we advise you not to use the Identity Provider and IdP Person Id fields until Sectigo has told us exactly how and when they work.
  • A password has to be provided for a new admin. The first time they log in they will have to change it.
  • Select the desired privileges under Privileges. Do not check "WS API Use Only" (will be explained later).
  • Select the desired roles under Roles which means selecting the right combinations of level (RAO for your organization or DRAO for a department you have created) and certificate type (SSL, client or code signing).
  • When done, you have to communicate the selected password to the new admin (it is not emailed by the system).

It has been reported that some privileges cannot be assigned by one RAO to another. If that affects you, email tcs@sunet.se to have it fixed manually.

SSL Certificates

Applying for and approving certificates in the SCM as an admin

Go to Certificates → SSL Certificates and press Add to request a certificate.

  • Select the Manual creation of CSR mode.
  • Provide a CSR by pasting it into the text area or upload it as a file using the Upload CSR button.
  • Select and fill in the right information in the Basic info step. Make sure you select a multi-domain certificate type to get a text box to fill in Subject Alternative Names if needed. If you request this on behalf of somebody else, you can add their email address as External Requester.
  • You can use "Click here for advanced options" to get access to a comment field where you can enter information you want to be able to see later. Do not remove address fields using the Remove checkboxes as that seems to cause the certificate to be stalled as the information will not match the pre-validated organization information.
  • On the next screen, accept or decline auto-renewal and finish with OK.
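The "Manual creation of CSR" step above expects you to bring your own CSR. The script below is an added example for this guide (not Sectigo's or SUNET's own tooling) that generates a private key and a CSR carrying the hostnames as Subject Alternative Names, prints the SANs so you can check them before pasting the CSR into the SCM, and verifies that a CSR or a downloaded certificate actually belongs to the key you generated. The hostnames are constructed placeholders, and the CSR deliberately carries only the CN and SANs, on the assumption (from the note about the pre-validated organization fields above) that the SCM fills in the organization and address information itself.

```shell
#!/bin/sh
# Added example, not part of the SUNET TCS page: create a key and a CSR with
# Subject Alternative Names for the SCM "Manual creation of CSR" dialog.
# Hostnames used in the usage block at the bottom are constructed placeholders.
set -eu

# gen_csr DIR CN [SAN ...]
# Writes DIR/server.key (mode 600) and DIR/server.csr; prints the CSR path.
# The CN is always included as the first SAN as well, since modern clients
# ignore the CN and match only against the SAN list.
gen_csr() {
  dir=$1; cn=$2; shift 2
  san="DNS:$cn"
  for alt in "$@"; do san="$san,DNS:$alt"; done
  # Minimal OpenSSL request config: no prompting, CN only, SAN extension.
  cat >"$dir/csr.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = $cn
[ext]
subjectAltName = $san
EOF
  openssl req -new -newkey rsa:3072 -nodes \
    -keyout "$dir/server.key" -out "$dir/server.csr" \
    -config "$dir/csr.cnf" >/dev/null 2>&1
  chmod 600 "$dir/server.key"
  printf '%s\n' "$dir/server.csr"
}

# csr_sans CSRFILE
# Prints the SAN line of a CSR (e.g. "DNS:a.example.org, DNS:b.example.org")
# so it can be compared with what you intend to enter in the SCM.
csr_sans() {
  openssl req -in "$1" -noout -text |
    awk '/Subject Alternative Name/ { getline; sub(/^[ \t]+/, ""); print }'
}

# csr_matches_key CSR KEY
# Exits 0 if the public key in the CSR is the one derived from KEY.
csr_matches_key() {
  a=$(openssl req -in "$1" -noout -pubkey)
  b=$(openssl pkey -in "$2" -pubout)
  [ "$a" = "$b" ]
}

# cert_matches_key CERT KEY
# Same check for a certificate downloaded from the SCM, to run before
# installing it on the server.
cert_matches_key() {
  a=$(openssl x509 -in "$1" -noout -pubkey)
  b=$(openssl pkey -in "$2" -pubout)
  [ "$a" = "$b" ]
}

# Usage when run directly: sh gen_csr.sh OUTDIR CN [SAN ...]
if [ "$#" -gt 0 ]; then
  out=$1
  mkdir -p "$out"
  csr=$(gen_csr "$@")
  echo "CSR written to $csr with SANs: $(csr_sans "$csr")"
  csr_matches_key "$csr" "$out/server.key" && echo "CSR matches $out/server.key"
fi
```

Paste the contents of `server.csr` into the SCM text area (or upload it with the Upload CSR button); the SAN list printed by `csr_sans` is what should appear in the Subject Alternative Names box of the multi-domain certificate type. Keep `server.key` on the server only; the SCM never sees it.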

If your admin has the "Allow SSL auto approve" privilege selected, the certificate will be automatically approved (which makes sense, because why would you have entered all the above stuff if you did not want to approve the certificate) and will show up as "Applied".

If your admin does not have that privilege selected, the certificate will show up as "Requested" and you will have to approve it by selecting it and using the Approve button.

When the certificate has been issued, its status will be shown as "Issued" and you will get an email about it.

If needed, you can also download the certificate by clicking on the line to check it and using the Details button, then the Select button to the right of "Download The Certificate".

EV Certificates

We will update this section when a SUNET TCS member has found the need for an EV certificate, gone through the procedure and shared the experience with us.

Grid Certificates

We are waiting for the grid certificate profiles to be correct before advising you about them.

Allowing non-admins to request certificates

You can allow persons who are not admins in the SCM to request certificates ("enroll" in Sectigo-speak). To do that, go to Settings → Organizations, select your organization and select Edit. (Or, if this should apply only to a department: after selecting the organization, use the Departments button, select the department, and use Edit on that instead.)

  • On the SSL Certificate tab, enable Self Enrollment, put a shared secret value in Access Code and copy the URL shown below that field. You can now hand out this URL to persons who can use it, together with the access code, to reach the certificate enrollment page for non-admins. As you can see when you test it, it contains approximately the same fields as the "Add Certificate" pages in the SCM itself. Be aware that the email address is not checked beyond having the right domain, so you need an out-of-band method of authenticating the requestor.
  • If you have SAML attribute release working towards Sectigo (see "SAML Configuration" below), you can also enable "Self Enrollment via SAML", keep the Access Code secret and hand out the URL below the Token field to users. They will then have to authenticate using SAML before getting to the same kind of enrollment form as above. As the email address will now come from your IdP via SAML, you can be more confident that it is correct, but it is up to you to decide whether that is good enough or you still require additional confirmation out-of-band before approving.
  • Do not enable "Automatically Approve Self Enrollment Requests". At the very least, you will want to manually approve certificate requests arriving via this route!
  • While you are at it, you will want to Customize the Server Software so the users are not presented with a gazillion choices. You might also want to customize the SSL Types for the Enrollment Form (on the right-hand side), to stop users from selecting certificate types you do not want them to. You can still keep the ability to select them in the SCM (the left-hand Admin UI selection).

Client Certificates

FIXME: write about the coming self-service portal (the equivalent to digicert.com/sso) but also about how to issue client certificates using the SCM as such.

Code Signing Certificates

We will update this section when a SUNET TCS member has found the need for a code signing certificate, gone through the procedure and shared the experience with us.

Notifications

Advise admins to customize as needed, but at least add a notification for expiring SSL certificates.

SAML Configuration

Pål to write about what needs to be configured on the IdP side, both for general attribute release so that authenticating with one's IdP towards the SCM system works, and for the specific attributes that will be used by the Sectigo version of the client certificate self-service-via-SAML portal.

API

Point to API documentation.

Discuss creating API users and how to use the WS API only privilege.

Tell admins to enable Web API for Org/Dept tab "SSL Certificate" to make API work for that part.