> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Configure the KMES Series 3

> Procedural guide to creating a CA group container in KMES Series 3 representing the DigiCert CA.

This section shows you how to create a CA group container on the KMES Series 3 that holds a representation of the issuing CA housed at DigiCert.

## Set cloud credentials

Cloud credentials enable the KMES Series 3 device to interface with third-party services, such as DigiCert. In the **Cloud Credentials**, you can import the API Key generated in the previous section. Perform the following steps to import the API Key:

<Steps>
  <Step>
    Log in to the KMES and select **Cloud Credentials** from the left-side menu.
  </Step>

  <Step>
    In the bottom-right corner of the window, select **\[ Add Cloud Credential ]**.
  </Step>

  <Step>
    In the **Cloud Credential** window, fill in the following information:

    <table>
      <thead>
        <tr>
          <th><em><strong>Information</strong></em></th>
          <th><em><strong>Description</strong></em></th>
        </tr>
      </thead>

      <tbody>
        <tr>
          <td><strong>Name</strong></td>
          <td>Use this to identify the cloud credentials on the KMES Series 3. DigiCert does not use this.</td>
        </tr>

        <tr>
          <td><strong>Service</strong></td>
          <td>Select<strong> DigiCert Cert Central API</strong>.</td>
        </tr>

        <tr>
          <td><strong>Secret Key</strong></td>
          <td>Select <strong>\[ Import ]</strong> and select the CSV file containing the API key from Digicert that you created in the previous section.</td>
        </tr>
      </tbody>
    </table>
  </Step>

  <Step>
    Select **\[ OK ]** to save the cloud credential.
  </Step>
</Steps>

## Managing certificate authorities

To complete the CA configuration, you need to perform the following tasks:

1. Add a CA group container.
2. Add external certificates.
3. Add an issuance policy

The following sections show you how to perform these tasks.

### Add a CA group container

Perform the following steps to add a CA group container:

<Steps>
  <Step>
    Go to the **Certificate Authorities** tab on the left-side menu.
  </Step>

  <Step>
    Right-click the window and select **\[ Add CA ]** to create a new CA group container.
  </Step>

  <Step>
    Specify the following information in the **Certificate Authority** window:

    <table>
      <thead>
        <tr>
          <th><em><strong>Information</strong></em></th>
          <th><em><strong>Description</strong></em></th>
        </tr>
      </thead>

      <tbody>
        <tr>
          <td><strong>Name</strong></td>
          <td>A short text description of the CA group object, used for referencing on the device.</td>
        </tr>

        <tr>
          <td><strong>Host</strong></td>
          <td>Specification of a key encryption key to securely transport sensitive data, such as RSA private keys, to an external system; this is optional.</td>
        </tr>

        <tr>
          <td><strong>Type</strong></td>
          <td>This specifies the CA type. In this case, you <strong>must</strong> select <strong>External DigiCert X.509.</strong></td>
        </tr>

        <tr>
          <td><strong>Owner Group</strong></td>
          <td>(Optional) Designates the KMES Series 3 user group that has full ownership permissions to this CA container object.</td>
        </tr>

        <tr>
          <td><strong>API Credential</strong></td>
          <td>Choose one of the DigiCert cloud credentials created. This allows the CA to connect to DigiCert.</td>
        </tr>
      </tbody>
    </table>
  </Step>

  <Step>
    Select **\[ OK ]** to create the CA group container.
  </Step>
</Steps>

### Add external certificates

Perform the following steps to add external certificates:

<Steps>
  <Step>
    Right-click a CA group container and select **Import**> **External Certificate(s)**.
  </Step>

  <Step>
    In the **Select an Intermediate** window, highlight the intermediate certificates pulled from DigiCert that you wish to use and select **\[ OK ]**\*. You could also use the search bar at the top of the window to quickly locate an intermediate certificate.
  </Step>

  <Step>
    In the **Import Certificates** window, choose the major key with which to verify the certificate and select **\[ Verify ]**.

    <Check>
      If Verified, the certificate appears in the Verified panel.
    </Check>
  </Step>

  <Step>
    Select **\[ OK ]** to add the certificate.
  </Step>
</Steps>

<Note>
  Info:

  DigiCert products are signed by specific intermediate certificate authorities. When you import an external DigiCert certificate, that certificate’s intermediate CA determines which DigiCert products can be used with it. Only products that support the imported intermediate CA can be selected later when configuring an issuance policy.
</Note>

### Add an issuance policy

An issuance policy enables you to define the workflow of how certificates are deployed, who can deploy them, and what type of certificates can be deployed.

If you want to associate additional domain names with a certificate, you must attach an X.509 Extension Profile to the certificate that supports Subject Alternate Names. For more information about configuring an X.509 Extension Profile that supports Subject Alternate Names, see the relevant Administrative Guide.

Perform the following steps to add an issuance policy:

<Steps>
  <Step>
    Expand the CA group container, right-click a certificate, and select **Issuance Policy**> **Add**.
  </Step>

  <Step>
    In the **Issuance Policy** window, go to the **DigiCert** tab.
  </Step>

  <Step>
    Fill in the following information as required:

    <table>
      <thead>
        <tr>
          <th><em><strong>Information</strong></em></th>
          <th><em><strong>Description</strong></em></th>
        </tr>
      </thead>

      <tbody>
        <tr>
          <td><strong>Organization</strong></td>
          <td>Select the correct organization from the list.</td>
        </tr>

        <tr>
          <td><strong>Product</strong></td>
          <td>Select the correct SSL certificate type (such as <strong>Standard</strong>, <strong>Multi-Domain</strong>, <strong>EV</strong>, <strong>Code Signing</strong>, and so on). Available products depend on the imported DigiCert certificate and its intermediate CA. <br />If you select <strong>EV</strong>, you must add an approver in the <strong>Potential Approvers</strong> field.<br /><Warning>Warning:<br />The Product must be compatible with the imported DigiCert certificate and its intermediate CA. The Product list is filtered automatically to show only supported options. If the selected product does not support the imported certificate’s intermediate CA, the signing request will be blocked and cannot be submitted.<br /></Warning></td>
        </tr>

        <tr>
          <td><strong>Payment method</strong></td>
          <td>The three payment methods are <strong>Default</strong>, <strong>Account Balance</strong>, and <strong>Profile</strong>.</td>
        </tr>

        <tr>
          <td><strong>Domain Control Validation</strong></td>
          <td>The Domain Control Validation field might be editable, depending on the <strong>Product type</strong> you selected. This setting determines whether the CA verifies that the person making the request is authorized to use the domain related to that request before issuing an SSL.</td>
        </tr>

        <tr>
          <td><strong>Code Signing Provisioning</strong> </td>
          <td>If the Product type is <strong>Code Signing</strong>, you can edit this field. However, if the Product type is <strong>Standard SSL</strong>, for example, this field is disabled.</td>
        </tr>

        <tr>
          <td><strong>Potential Approvers</strong></td>
          <td>If using an extended validation (EV) certificate, you must have an approver. Select <strong>\[ Add EV Contact ]</strong> to add an approver to the list. You can add only Approver users as EV contacts.</td>
        </tr>
      </tbody>
    </table>
  </Step>

  <Step>
    Select **\[ OK ]** to save the settings.
  </Step>
</Steps>

<Note>
  You cannot change the Organization or Product fields without deleting and recreating the issuance policy. You can change all other fields without modifying the issuance policy.
</Note>
