Certificate Providers

A certificate provider is a business unit that offers support for multiple certificate authorities (CAs). The certificate provider available by default supports the MTG CARA certificate authority.

1. View Certificate Providers

Available certificate providers can be viewed in the Administration / Certificate Providers / Show page. There is also a filter that an admin can use to view only the archived certificate providers. This filter can be triggered by pressing the Show Archived button in the Actions dropdown list.

2. Create Certificate Provider

Certificate provider creation can be accomplished in the Administration / Certificate Providers / Create page. The user must specify the name for the new certificate provider. Afterwards the user must specify the certificate provider type. The available options are MTG CARA, MS NDES, MS CA, GlobalSign, and in the future more options will be supported.

After selecting MTG CARA as the certificate provider type, additional fields specific to that type are displayed. Those fields are the CARA API URL where a CARA instance is running, the CARA application name of that instance, and the CARA application secret that is needed for the connection. These fields are required for the creation of an MTG CARA certificate provider.

After selecting MS NDES as the certificate provider type, an additional field specific to that type is displayed: the NDES API URL where an NDES instance is running. This field is required for the creation of an MS NDES certificate provider.

You may choose Microsoft CA as the certificate provider type. To use the Microsoft CA certificate provider you must prepare your Windows infrastructure as described in MS CA Provider.

After selecting Microsoft CA as the certificate provider type, additional fields specific to that type are displayed. Those fields are the SSH Address where a Windows instance is running, the SSH Port that the Windows instance exposes, and the SSH User and SSH Password used to connect to the Windows instance. Additionally, fallback fields are available: if CLM fails to connect to the main Windows instance, the fallback values, if present, are used to try to connect to a secondary Windows instance. Fallback fields are not required and can be added, removed, or edited later.

You may also choose GlobalSign as the certificate provider type. To use the GlobalSign certificate provider you must possess a valid and active account at the Atlas-Portal of GlobalSign. There you can retrieve secrets and keys to connect to the GlobalSign CA to request certificates.

After selecting GlobalSign as the certificate provider type, additional fields specific to that type are displayed. The GlobalSign API URL (defaults to emea.api.hvca.globalsign.com:8443/v2) is the address where the GlobalSign service is running. The GlobalSign Intended Use refers to the purpose of the certificate. The GlobalSign API Key and GlobalSign API Secret are the credentials linked to a GlobalSign account. The GlobalSign Keystore (in the format provided by the Atlas portal) and GlobalSign Keystore Password are needed to perform mTLS with the GlobalSign server for the given account. The GlobalSign Proxy Host and GlobalSign Proxy Port refer to the address and port of the proxy server to be used.

Domain validation and other validations are performed outside the CLM platform. CLM serves solely to request the certificate. To successfully request a certificate the requirements regarding validation must be met.

3. Modify Certificate Provider

A user can modify a certificate provider from the Certificate Providers / Show page. There, by pressing the certificate provider's name, the user is redirected to the certificate provider details page. An Edit button is available there, which enables editing. Pressing Cancel returns the certificate provider values to the original ones; pressing Save updates the certificate provider. More specifically, the certificate provider name and certificate provider type are available for modification.

With a certificate provider type of MTG CARA, the CARA related fields also become available for modification.

With a certificate provider type of MS NDES, the NDES related fields also become available for modification.

With a certificate provider type of GlobalSign, the GlobalSign related fields also become available for modification. An Update Keystore button is available here, which allows the entry of a new GlobalSign Keystore and Keystore Password in a pop-up window. Pressing Cancel returns the keystore values to the original ones; pressing Proceed updates the certificate provider.

4. Archive Certificate Provider

A user can archive or unarchive a certificate provider from the Administration / Certificate Providers / Show page. There, by pressing a certificate provider's ID, the user is redirected to the certificate provider details page. Pressing the Archive or Unarchive button archives or unarchives the certificate provider accordingly. Batch Archive and Batch Undo-Archive actions are also supported: select the checkboxes of the desired certificate providers and choose the Archive All Selected or Undo-Archive All Selected button in the Actions dropdown. A certificate provider can only be archived if it has no connection with any policy. This means that if any policies are connected to a certificate provider, the user must first navigate to those policies and either modify them to use another certificate provider or archive and delete them. The policy tables in the certificate provider details page help with this: they list the policies and CMP policies connected to the specific certificate provider. By pressing the name of one of those policies, the user is redirected to that policy. If the policy belongs to a realm other than the currently entered one, the user automatically enters that realm before being redirected to the policy.

5. Delete Certificate Provider

A user can delete an archived certificate provider through the Certificate Provider Details page, the Show Certificate Providers table, or the Administration / Archived Data Removal page. In the Certificate Provider Details page, a Delete button appears after the entity has been archived. In the Show Certificate Providers table, pressing Actions → Show Archived makes the table show the archived entities; here the certificate providers can be selected and deleted through Actions → Delete all selected. Furthermore, the user can delete one certificate provider at a time by pressing the row actions button and then Delete Certificate Provider. Finally, in the Administration / Archived Data Removal page, choose Certificate Providers in the Choose entity to delete dropdown. As an extra safeguard, the archived records to be deleted can be restricted by the date on which they were archived: in the Choose date calendar, select the date before which the records must have been archived in order to be deleted by this action, and press Delete. Only archived certificate providers can be deleted.

6. Check Certificate Provider Connection

Upon application startup, an initial connection check is made to every certificate provider in the system. Furthermore, a user can check the connection to the MTG CARA instance configured for a certificate provider, based on the given configuration, by using the Check Connection button in the Certificate Provider Details page.

7. Limitations of Certificate Providers

Some options regarding cryptographic algorithms, request modes, long-term availability of private keys, and other aspects are not supported by every certificate provider. In this section we describe the options that are supported by each provider.

7.1. Supported Certificate Request Modes

There are three options to request a certificate. One is by providing a PKCS#10 request, a second is by delegating the key creation on CLM (server-side key pair), and the third is by providing the public key in raw format.

In Table 1 we show which option is supported by each certificate provider.

Table 1. Supported certificate request modes per certificate provider.

Request mode           MTG CARA   Microsoft NDES   Microsoft CA   GlobalSign
PKCS#10                YES        NO               YES            YES
Server-side key pair   YES        YES              YES            YES
Public Key             YES        NO               NO             NO

7.2. Supported Cryptographic Algorithms

Not all cryptographic algorithms are supported by every certificate provider. In Table 2 we show which cryptographic algorithm is supported by each certificate provider.

Table 2. Supported cryptographic algorithms per certificate provider.

Algorithm   MTG CARA   Microsoft NDES   Microsoft CA   GlobalSign
RSA         YES        YES              YES            YES
ECC         YES        NO               NO             YES
EdDSA       YES        NO               NO             NO
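As an added example (not part of this documentation and not MTG-CLM's own code), the following Go program applies Tables 1 and 2 as a pre-flight check before a PKCS#10 request is handed to a provider: it parses the CSR, verifies its proof-of-possession signature, and rejects the request when the chosen provider does not accept PKCS#10 or does not issue for the CSR's key family. Only the provider names and the YES/NO values come from the two tables; the support map, the function names, the sample CSRs and the subject name device.example.test are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
)

// Key families as named in Table 2 of this page.
const AlgRSA, AlgECC, AlgEdDSA = "RSA", "ECC", "EdDSA"

// providerSupport mirrors Tables 1 and 2: whether a provider accepts PKCS#10 requests and
// which key families it supports. Constructed from the tables, not read from any CLM API.
type providerSupport struct {
	PKCS10     bool
	Algorithms map[string]bool
}

var providers = map[string]providerSupport{
	"MTG CARA":       {true, map[string]bool{AlgRSA: true, AlgECC: true, AlgEdDSA: true}},
	"Microsoft NDES": {false, map[string]bool{AlgRSA: true}},
	"Microsoft CA":   {true, map[string]bool{AlgRSA: true}},
	"GlobalSign":     {true, map[string]bool{AlgRSA: true, AlgECC: true}},
}

// CheckCSRForProvider parses a PEM PKCS#10 request, verifies its self-signature (proof of
// possession of the private key) and checks the key family against the provider's support.
func CheckCSRForProvider(provider string, csrPEM []byte) error {
	sup, ok := providers[provider]
	if !ok || !sup.PKCS10 {
		return fmt.Errorf("%q is unknown or does not accept PKCS#10 requests (see Table 1)", provider)
	}
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return fmt.Errorf("input is not a PEM CERTIFICATE REQUEST")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return fmt.Errorf("parsing CSR: %w", err)
	}
	// A CSR whose signature does not verify under its own key proves nothing about key possession.
	if err := csr.CheckSignature(); err != nil {
		return fmt.Errorf("CSR proof-of-possession signature is invalid: %w", err)
	}
	var family string
	switch csr.PublicKey.(type) {
	case *rsa.PublicKey:
		family = AlgRSA
	case *ecdsa.PublicKey:
		family = AlgECC
	case ed25519.PublicKey:
		family = AlgEdDSA
	default:
		return fmt.Errorf("unsupported public key type %T", csr.PublicKey)
	}
	if !sup.Algorithms[family] {
		return fmt.Errorf("%s does not support %s keys (subject %q, see Table 2)", provider, family, csr.Subject.CommonName)
	}
	return nil
}

// keyGen makes a fresh private key per family; used only to construct sample CSRs below.
var keyGen = map[string]func() (interface{}, error){
	AlgRSA:   func() (interface{}, error) { return rsa.GenerateKey(rand.Reader, 2048) },
	AlgECC:   func() (interface{}, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) },
	AlgEdDSA: func() (interface{}, error) { _, k, err := ed25519.GenerateKey(rand.Reader); return k, err },
}

// NewTestCSR builds a constructed sample CSR (not from any real device) for one key family.
func NewTestCSR(family, cn string) ([]byte, error) {
	gen, ok := keyGen[family]
	if !ok {
		return nil, fmt.Errorf("unknown key family %q", family)
	}
	key, err := gen()
	if err != nil {
		return nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

func main() {
	csrPEM, _ := NewTestCSR(AlgECC, "device.example.test") // constructed sample subject
	for p := range providers {
		fmt.Printf("%-15s %v\n", p, CheckCSRForProvider(p, csrPEM))
	}
}
```

Running the program with an ECC sample request prints a nil error for MTG CARA and GlobalSign and a Table 2 rejection for Microsoft CA; Microsoft NDES is rejected before the CSR is even parsed, because Table 1 lists no PKCS#10 support for it and the request would have to be made in server-side key pair mode instead. The signature check matters independently of the tables: a request that fails it should never be forwarded to any provider.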

7.3. Long-term Availability of Private Keys

Some providers do not store private keys, so those keys cannot be delivered by the provider later. MTG-CLM itself does not store private keys; therefore, in server-side key pair request mode, the generated key is available only during certificate creation. Private keys that are not retrieved immediately after creation cannot be accessed afterwards.

Accessing private keys after issuing a certificate is only possible for the MTG-CARA certificate provider.

In Table 3 we show whether a private key is stored persistently by a certificate provider (value "always") or is accessible only once, right after the certificate is created (value "once").

Table 3. Persistent storing of private keys per certificate provider.

MTG CARA   Microsoft NDES   Microsoft CA   GlobalSign
always     once             once           once

7.4. Integration with Other Components

There are several ERS components that integrate with MTG-CLM, such as the MTG SCEP server, MTG ACME server, MTG CMP server, etc. For the MTG CARA certificate provider all these components are supported. Due to internal limitations of the other providers and special properties of the different PKI protocols, it is not always feasible to use these components with providers other than MTG CARA. In particular, the MTG SCEP server is supported only by the MTG CARA certificate provider, because SCEP requires a decryption operation with the private key of the CA. This operation is not available with the other providers.