Configure the KMES Series 3
This section shows you how to create a CA group container on the KMES Series 3 that holds a representation of the issuing CA housed at DigiCert. To do this, perform the following actions:

1. Create a CA group container and define it as External DigiCert X.509.
2. Specify which DigiCert signing or issuing CA you want to use to issue certificates.
3. Define an issuance policy for the CA group container.

Set cloud credentials

Cloud credentials allow the KMES Series 3 device to interface with third-party services, such as DigiCert. In the Cloud Credentials window, you can import the API key generated in the previous section. Perform the following steps to import the API key:

1. Log in to the KMES and select Cloud Credentials from the left-side menu.
2. At the bottom right of the window, select [Add Cloud Credential].
3. In the Cloud Credential window, fill in the following information:

| Information | Description |
|---|---|
| Name | Use this to identify the cloud credentials on the KMES Series 3. DigiCert does not use this. |
| Service | Select DigiCert CertCentral API. |
| Secret Key | Select [Import] and select the CSV file containing the API key from DigiCert that you created in the previous section. |

4. Select [OK] to save the cloud credential.

Managing certificate authorities

To complete the CA configuration, you need to perform the following tasks:

1. Add a CA group container.
2. Add external certificates.
3. Add an issuance policy.

The following sections show you how to perform these tasks.

Add a CA group container

1. Go to the Certificate Authorities tab on the left-side menu.
2. Right-click the window and select [Add CA] to create a new CA group container.
3. Specify the following information in the Certificate Authority window:

| Information | Description |
|---|---|
| Name | A short text description of the CA group object, used for referencing on the device. |
| Host | Specification of a key encryption key used to securely transport sensitive data, such as RSA private keys, to an external system. This is optional. |
| Type | This specifies the CA type. In this case, you must select External DigiCert X.509. |
| Owner Group (optional) | Designates the KMES Series 3 user group that has full ownership permissions to this CA container object. |
| API Credential | Choose one of the DigiCert cloud credentials created earlier. This allows the CA to connect to DigiCert. |

4. Select [OK] to create the CA group container.

Add external certificates

1. Right-click a CA group container and select Import > External Certificate(s).
2. In the Select an Intermediate window, highlight the intermediate certificates pulled from DigiCert that you wish to use, and select [OK]. You can also use the search bar at the top of the window to quickly locate an intermediate certificate.
3. In the Import Certificates window, choose the major key with which to verify the certificate and select [Verify]. If verified, the certificate appears in the Verified panel.
4. Select [OK] to add the certificate.

Add an issuance policy

An issuance policy enables you to define the workflow of how certificates are deployed, who can deploy them, and what type of certificates can be deployed. If you want to associate additional domain names with a certificate, you must attach an X.509 extension profile that supports Subject Alternative Names to the certificate. For more information about how to configure an X.509 extension profile that supports Subject Alternative Names, see the relevant administrative guide.

Perform the following steps to add an issuance policy:

1. Expand the CA group container, right-click a certificate, and select Issuance Policy > Add.
2. In the Issuance Policy window, go to the DigiCert tab.
3. Fill in the following information as required:

| Information | Description |
|---|---|
| Organization | Select the correct organization from the list. |
| Product | Select the correct SSL certificate type (such as Standard, Multi-Domain, EV, Code Signing, and so on). If you select EV, you must add an approver in the Potential Approvers field. This field must match the type of certificate that you imported; if it does not match, it creates an invalid certificate. |
| Payment Method | The three payment methods are Default, Account Balance, and Profile. |
| Domain Control Validation | The Domain Control Validation field might be editable, depending on the product type you selected. This setting determines whether the CA verifies that the person making the request is in fact authorized to use the domain related to that request before issuing an SSL certificate. |
| Code Signing Provisioning | If the product type is Code Signing, you can edit this field. However, if the product type is Standard SSL, for example, this field is disabled. |
| Potential Approvers | If using an Extended Validation (EV) certificate, you must have an approver. Select [Add EV Contact] to add an approver to the list. You can add only approver users as an EV contact. |

4. Select [OK] to save the settings.

You cannot change the Organization or Product fields without deleting and recreating the issuance policy. You can change all other fields without modifying the issuance policy.
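Before importing an intermediate into the CA group container (the Add external certificates steps) and before relying on an issuance policy to attach additional domain names, a practitioner usually wants an offline sanity check: the certificate being imported must really be an issuing CA (basicConstraints CA:TRUE, keyCertSign key usage, chaining to the expected root), and a certificate issued under the policy must carry the Subject Alternative Names it was meant to have. The Go program below is an added example, not code from the original page, from Futurex or from DigiCert. It builds a constructed three-tier PKI in memory (no real DigiCert certificates are involved) and runs those checks against it; the function names CheckIssuingCA, LeafDNSNames and BuildTestPKI are this example's own. It uses only the Go standard library and complements, rather than replaces, the verification with a major key that the KMES performs during import.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// TestPKI is a constructed stand-in for a hosted CA hierarchy: a root, an
// issuing intermediate and a leaf. None of these are DigiCert's certificates.
type TestPKI struct {
	Root, Intermediate, Leaf *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs tmpl with the parent's private key and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// BuildTestPKI creates root -> intermediate -> leaf, the leaf carrying two DNS SANs.
func BuildTestPKI() TestPKI {
	notBefore, notAfter := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	rootKey, intKey, leafKey := newKey(), newKey(), newKey()

	caTemplate := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber:          big.NewInt(serial),
			Subject:               pkix.Name{CommonName: cn},
			NotBefore:             notBefore,
			NotAfter:              notAfter,
			IsCA:                  true, // basicConstraints CA:TRUE
			BasicConstraintsValid: true,
			KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		}
	}
	rootTmpl := caTemplate(1, "Constructed Test Root CA")
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey) // self-signed
	intermediate := issue(caTemplate(2, "Constructed Test Issuing CA"), root, &intKey.PublicKey, rootKey)

	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "www.example.test"},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{"www.example.test", "api.example.test"}, // constructed SANs
	}
	leaf := issue(leafTmpl, intermediate, &leafKey.PublicKey, intKey)
	return TestPKI{Root: root, Intermediate: intermediate, Leaf: leaf}
}

// CheckIssuingCA reports why a certificate is unfit to stand behind a CA group
// container: it must assert CA:TRUE, carry keyCertSign and chain to the trusted root.
func CheckIssuingCA(candidate, root *x509.Certificate) error {
	cn := candidate.Subject.CommonName
	if !candidate.BasicConstraintsValid || !candidate.IsCA {
		return fmt.Errorf("%q is not a CA certificate (basicConstraints CA:TRUE missing)", cn)
	}
	if candidate.KeyUsage&x509.KeyUsageCertSign == 0 {
		return fmt.Errorf("%q lacks the keyCertSign key usage", cn)
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := candidate.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}, // CA certs usually carry no EKU
	}); err != nil {
		return fmt.Errorf("%q does not chain to %q: %w", cn, root.Subject.CommonName, err)
	}
	return nil
}

// LeafDNSNames returns the DNS Subject Alternative Names of an issued certificate.
func LeafDNSNames(leaf *x509.Certificate) []string {
	return leaf.DNSNames
}

func main() {
	pki := BuildTestPKI()
	fmt.Println("intermediate fit to issue:", CheckIssuingCA(pki.Intermediate, pki.Root))
	fmt.Println("leaf fit to issue:       ", CheckIssuingCA(pki.Leaf, pki.Root))
	fmt.Println("leaf SANs:               ", LeafDNSNames(pki.Leaf))
}
```

To use this against a real export, replace BuildTestPKI with x509.ParseCertificate on the DER of the intermediate pulled from DigiCert and of the root you expect it to chain to; the intermediate should pass CheckIssuingCA and an end-entity certificate should be rejected by it, as the constructed leaf is here. An empty LeafDNSNames result on an issued certificate is the symptom of a missing Subject Alternative Name extension profile in the issuance policy.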