This section shows you how to create a CA group container on the KMES Series 3 that holds a representation of the issuing CA housed at DigiCert.

Set cloud credentials

Cloud credentials enable the KMES Series 3 device to interface with third-party services, such as DigiCert. In the Cloud Credentials menu, you can import the API Key generated in the previous section. Perform the following steps to import the API Key:
  1. Log in to the KMES and select Cloud Credentials from the left-side menu.
  2. In the bottom-right corner of the window, select [ Add Cloud Credential ].
  3. In the Cloud Credential window, fill in the following information:

     Information | Description
     Name | Use this to identify the cloud credentials on the KMES Series 3. DigiCert does not use this.
     Service | Select DigiCert Cert Central API.
     Secret Key | Select [ Import ] and select the CSV file containing the API key from DigiCert that you created in the previous section.

  4. Select [ OK ] to save the cloud credential.

Managing certificate authorities

To complete the CA configuration, you need to perform the following tasks:
  1. Add a CA group container.
  2. Add external certificates.
  3. Add an issuance policy.
The following sections show you how to perform these tasks.

Add a CA group container

Perform the following steps to add a CA group container:
  1. Go to the Certificate Authorities tab on the left-side menu.
  2. Right-click the window and select [ Add CA ] to create a new CA group container.
  3. Specify the following information in the Certificate Authority window:

     Information | Description
     Name | A short text description of the CA group object, used for referencing on the device.
     Host | Specification of a key encryption key to securely transport sensitive data, such as RSA private keys, to an external system; this is optional.
     Type | This specifies the CA type. In this case, you must select External DigiCert X.509.
     Owner Group | (Optional) Designates the KMES Series 3 user group that has full ownership permissions to this CA container object.
     API Credential | Choose one of the DigiCert cloud credentials created. This allows the CA to connect to DigiCert.

  4. Select [ OK ] to create the CA group container.

Add external certificates

Perform the following steps to add external certificates:
  1. Right-click a CA group container and select Import > External Certificate(s).
  2. In the Select an Intermediate window, highlight the intermediate certificates pulled from DigiCert that you wish to use and select [ OK ]. You could also use the search bar at the top of the window to quickly locate an intermediate certificate.
  3. In the Import Certificates window, choose the major key with which to verify the certificate and select [ Verify ]. If Verified, the certificate appears in the Verified panel.
  4. Select [ OK ] to add the certificate.

Info: DigiCert products are signed by specific intermediate certificate authorities. When you import an external DigiCert certificate, that certificate’s intermediate CA determines which DigiCert products can be used with it. Only products that support the imported intermediate CA can be selected later when configuring an issuance policy.

Add an issuance policy

An issuance policy enables you to define the workflow of how certificates are deployed, who can deploy them, and what type of certificates can be deployed. If you want to associate additional domain names with a certificate, you must attach an X.509 Extension Profile to the certificate that supports Subject Alternate Names. For more information about configuring an X.509 Extension Profile that supports Subject Alternate Names, see the relevant Administrative Guide. Perform the following steps to add an issuance policy:
  1. Expand the CA group container, right-click a certificate, and select Issuance Policy > Add.
  2. In the Issuance Policy window, go to the DigiCert tab.
  3. Fill in the following information as required:

     Information | Description
     Organization | Select the correct organization from the list.
     Product | Select the correct SSL certificate type (such as Standard, Multi-Domain, EV, Code Signing, and so on). Available products depend on the imported DigiCert certificate and its intermediate CA. If you select EV, you must add an approver in the Potential Approvers field. Warning: The Product must be compatible with the imported DigiCert certificate and its intermediate CA. The Product list is filtered automatically to show only supported options. If the selected product does not support the imported certificate’s intermediate CA, the signing request will be blocked and cannot be submitted.
     Payment method | The three payment methods are Default, Account Balance, and Profile.
     Domain Control Validation | The Domain Control Validation field might be editable, depending on the Product type you selected. This setting determines whether the CA verifies that the person making the request is authorized to use the domain related to that request before issuing an SSL certificate.
     Code Signing Provisioning | If the Product type is Code Signing, you can edit this field. However, if the Product type is Standard SSL, for example, this field is disabled.
     Potential Approvers | If using an extended validation (EV) certificate, you must have an approver. Select [ Add EV Contact ] to add an approver to the list. You can add only Approver users as EV contacts.

  4. Select [ OK ] to save the settings.

You cannot change the Organization or Product fields without deleting and recreating the issuance policy. You can change all other fields without modifying the issuance policy.