Configure the KMES Series 3
This section shows you how to create a CA group container on the KMES Series 3 that holds a representation of the issuing CA housed at DigiCert. To do this, perform the following actions:
- Create a CA group container and define it as External DigiCert X.509.
- Specify which DigiCert signing or issuing CA you want to use to issue certificates.
- Define an Issuance Policy for the CA group container.
Cloud credentials allow the KMES Series 3 device to interface with third-party services, such as DigiCert. In the Cloud Credentials section, you import the API key generated in the previous section. Perform the following steps to import the API key:
Log in to the KMES and select Cloud Credentials from the left-side menu.
At the bottom right of the window, select [ Add Cloud Credential ].
In the Cloud Credential window, fill in the following information:
- Name: Use this to identify the cloud credentials on the KMES Series 3. DigiCert does not use this.
- Service: Select DigiCert Cert Central API.
- Secret Key: Select [ Import ] and select the CSV file containing the API key from DigiCert that you created in the previous section.
Select [ OK ] to save the cloud credential.
To complete the CA configuration, you need to perform the following tasks:
- Add a CA group container.
- Add external certificates.
- Add an issuance policy.
The following sections show you how to perform these tasks.
Go to the Certificate Authorities tab on the left-side menu.
Right-click the window and select [ Add CA ] to create a new CA group container.
Specify the following information in the Certificate Authority window:
- Name: A short text description of the CA group object, used for referencing it on the device.
- Host: (Optional) A key encryption key used to securely transport sensitive data, such as RSA private keys, to an external system.
- Type: The CA type. In this case, you must select External DigiCert X.509.
- Owner Group: (Optional) The KMES Series 3 user group that has full ownership permissions for this CA container object.
- API Credential: Choose one of the DigiCert cloud credentials you created earlier. This allows the CA to connect to DigiCert.
Select [ OK ] to create the CA group container.
Right-click a CA group container and select Import > External Certificate(s).
In the Select an Intermediate window, highlight the intermediate certificates pulled from DigiCert that you wish to use, and select [ OK ]. You can also use the search bar at the top of the window to quickly locate an intermediate certificate.
In the Import Certificates window, choose the major key with which to verify the certificate and select [ Verify ].
If verification succeeds, the certificate appears in the Verified panel.
Select [ OK ] to add the certificate.
An issuance policy enables you to define the workflow of how certificates are deployed, who can deploy them, and what type of certificates can be deployed.
If you want to associate additional domain names with a certificate, you must attach an X.509 Extension Profile that supports Subject Alternative Names to the certificate. For more information about how to configure an X.509 Extension Profile that supports Subject Alternative Names, see the relevant Administrative Guide.
Perform the following steps to add an issuance policy:
Expand the CA group container, right-click a certificate, and select Issuance Policy > Add.
In the Issuance Policy window, go to the DigiCert tab.
Fill in the following information as required:
- Organization: Select the correct organization from the list.
- Product: Select the correct SSL certificate type (such as Standard, Multi-Domain, EV, Code Signing, and so on). If you select EV, you must add an approver in the Potential Approvers field. This field must match the type of certificate that you imported; if it does not match, the resulting certificate is invalid.
- Payment method: The three payment methods are Default, Account Balance, and Profile.
- Domain Control Validation: This field might be editable, depending on the Product type you selected. It determines whether the CA verifies that the person making the request is in fact authorized to use the domain named in that request before issuing an SSL certificate.
- Code Signing Provisioning: If the Product type is Code Signing, you can edit this field. If the Product type is Standard SSL, for example, this field is disabled.
- Potential Approvers: If you are using an extended validation (EV) certificate, you must have an approver. Select [ Add EV Contact ] to add an approver to the list. Only Approver users can be added as an EV contact.
Select [ OK ] to save the settings.
You cannot change the Organization or Product fields without deleting and recreating the issuance policy. All other fields can be edited in place on the existing issuance policy.