Step 4: (Recommended) Configure contacts and approvers
Who you assign as contacts and approvers of your certificates is an important part of your PKI strategy. This is especially true because employees continue to pose the greatest threat to securing trust. Typically, this is because many employees fail to follow security best practices.
BEST PRACTICE: When a person who is a contact (owner) for a certificate leaves your organization, you can easily lose track of the certificate. The lack of a contact creates a security risk. To help ensure that at least one contact receives notifications pertaining to a certificate, you should assign groups as contacts. By assigning groups (rather than individuals) as the contact for a certificate, you reduce the risk of untracked (and potentially expired) certificates.
To configure contacts and approvers:
- From the Platform menu bar, click Policy Tree.
- In the Logging tree, be sure that the SMTP channel is enabled. For more information, see SMTP channel object configuration.
- To create the notification, copy an Email template and configure the email text. For example, use an Email to Owner Certificate Expiring template to notify contacts (Owners) about expiring certificates.
- In Policy Tree or Aperture, add at least one group or individual contact and one group or individual approver to the policy.
  By default, the Trust Protection Platform administrator is both the contact and the approver. All objects under a given policy folder can inherit the contacts and approvers set on that policy folder, or you can specify contacts and approvers directly on objects within a policy folder. For more about how policy folders work, see Using policies to manage encryption assets.
- (Optional) You should set up workflows to require approvers to take a manual action, such as authorizing a certificate renewal, in order for the renewal to take place.