Certificate Providers

Available certificate providers can be viewed in the Administration / Certificate Providers / Show page. There is also a filter that an admin can use to view only the archived certificate providers. This filter can be triggered by pressing the Show Archived button in the Actions dropdown list.

Certificate provider creation can be accomplished in the Administration / Certificate Providers / Create page. The user must specify the name for the new certificate provider. Afterwards the user must specify the certificate provider type. The available options are MTG CARA, MS NDES, MS CA, GlobalSign, and in the future more options will be supported.

After selecting MTG CARA as the certificate provider type, additional fields related to the specific type fields will be displayed. Those fields are the CARA API URL where a CARA instance is running, the CARA application name of that instance, and the CARA application secret which is needed for the connection. These fields are required for the creation of an MTG CARA certificate provider.

After selecting MS NDES as the certificate provider type, additional fields related to the specific type fields will be displayed. Those fields are the NDES API URL where an NDES instance is running. Those fields are required for the creation of an NDES certificate provider.

You may choose Microsoft CA as the certificate provider type. To use the Microsoft CA certificate provider you must prepare your Windows infrastructure as described in MS CA Provider.

After selecting Microsoft CA as the certificate provider type, additional fields related to the specific type fields will be displayed. Those fields are the SSH Address where a Windows instance is running, the SSH Port which the Windows instance exposes and the SSH User and SSH Password that are used to connect to the Windows instance. Additionally, fallback fields are available. In case CLM systems fail to connect to main Windows instance, fallback values will be used, if present, to try to connect to secondary Windows instance. Fallback fields are not required and can be later added, removed, or edited.

You may also choose GlobalSign as the certificate provider type. To use the GlobalSign certificate provider you must possess a valid and active account at the Atlas-Portal of GlobalSign. There you can retrieve secrets and keys to connect to the GlobalSign CA to request certificates.

After selecting GlobalSign as the certificate provider type, additional fields related to the specific type fields will be displayed. Those fields are the GlobalSign API URL (defaults to emea.api.hvca.globalsign.com:8443/v2) where a GlobalSign instance is running, the GlobalSign Intended Use refers to the purpose of the certificate, the GlobalSign API Key and GlobalSign API Secret are the credentials linked with a GlobalSign account, the GlobalSign Keystore (in the format provided by the Atlas portal) and GlobalSign Keystore Password are needed to perform mTLS with GlobalSign server for given account, and the GlobalSign Proxy Host and GlobalSign Proxy Port refer to the address and port of the proxy server to be used.

A user can modify a certificate provider by entering the Certificate Providers / Show tab. There, by pressing the certificate provider’s name, the user will be redirected to the certificate provider details page. An Edit button is available here, which starts the Edit functionality. Then, by pressing Cancel the certificate provider values return to the original ones, otherwise by pressing Save the certificate provider updates. More specifically the certificate provider name and certificate provider type are available for modifications.

By using a certificate provider type of MTG CARA, the CARA related fields become as well available for modification.

By using a certificate provider type of MS NDES, the NDES related fields become as well available for modification.

By using a certificate provider type of GlobalSign, the GlobalSign related fields become as well available for modification, an Update Keystore button is available here, which allows the entry of a new GlobalSign Keystore and Keystore Password on a pop-up window. Then, by pressing Cancel the Keystore values return to the original ones, otherwise by pressing Proceed the Certificate Provider updates.

A user can archive or unarchive a certificate provider by entering the Administration / Certificate Providers / Show page. There, by pressing a certificate provider’s ID, the user will be redirected to the certificate provider details page. By pressing Archive or Unarchive button the certificate provider will be archived or unarchived accordingly. Batch Archive and Batch Undo-Archive actions are also supported by selecting the checkboxes of the desired realm and choosing the Archive All Selected and Undo-Archive All Selected buttons in the Actions dropdown. In order for a certificate provider to be archived, it must have no connection with any policy. This means that if there are any connected Policies to a certificate provider then in order to archive it the user should navigate to those policies and either modify them to use another certificate provider or archive and delete them. This process can be helped by using the policy tables in the certificate provider details page that specify the policies, and CMP policies that are connected with the specific certificate provider. By pressing the name of one of those policies, the user is being redirected to that policy. If the policy is part of another realm (from the currently entered realm), then automatically the user is entering into it before redirecting to the policy.

A user can delete an archived certificate provider through the Certificate Provider Details, the Show Certificate Providers Table or the Administration/Archived Data Removal page. In the Certificate Provider Details page after archiving the entity a Delete button will appear. In the Show Certificate Providers Table page by pressing Actions→Show Archived the table will show the archived entities, and here the certificate providers can be selected, and through Actions→Delete all selected they can be deleted. Furthermore, the user can delete one Certificate Provider at a time by pressing the row actions button and then Delete Certificate Provider. Finally, in the Choose entity to delete dropdown choose Certificate Providers. As an extra safeguard there is the option to restrict the archived records that are going to be deleted by the date on which they were archived. In the Choose date calendar select the date, before which the records should have been archived, in order to be deleted with this action and press Delete. Only archived certificate providers can be deleted.

Upon application startup, an initial connection check is made to every certificate provider in the system. Furthermore, a user can check the connection of the configured certificate provider MTG CARA instance based on the given configuration, by using the Check Connection button in the Certificate Provider Details page.

There are some options regarding cryptographic algorithms, request modes, long-term availability of private keys, and other aspects that are not supported by every certificate provider. In ths section we describe the options that are supported by each provider.