Policy object certificate settings
A policy object Certificate tab allows you to define settings, such as the certificate management type, for the subordinate certificate objects.
Certificate settings defined for a folder take precedence over the settings defined in the subordinate certificate objects if the values are locked. Otherwise, the policy’s certificate settings function as default values for subordinate certificate objects.
The following table describes Policy Tree Policy object Settings > Certificate tab.
Field |
Description |
Certificate Tab |
The Certificate tab defines certificate settings for subordinate certificate objects. Certificate settings defined at the folder level may take precedence over those defined in the subordinate Certificate objects. TIP The recipients and delivery method (email, SNMP trap, etc.) for expiration notifications are defined in Notification and Channel objects. You must configure the channel and notification objects to send notifications for expiration events. For more information, see Managing certificate notifications. |
General Information |
|
Contacts |
User or group identities assigned to subordinate certificate objects.Default system notifications are sent to the contact identities. |
Approvers |
User or group Identities assigned to approve workflows (certificate approval or injection command) for subordinate Certificate objects. For more information on defining Workflows, see Implementing certificate workflow management. For information on when Trust Protection Platform references approvers defined in the Certificate object, see the option Approver Assigned to Object. |
Management Type |
Level where subordinate certificates will be managed. The default is Provisioning. Trust Protection Platform provides the following levels of certificate management:
|
Managed by |
The Venafi application that manages the policy. Choose Aperture or User Portal if the policy is managed by that application. If not, leave this field blank. |
CSR Handling |
|
CSR Generation |
Determines how CSRs are generated. The default is Service Generated CSR:
|
Generate Key/CSR on Application |
Determines where the CSR and private key are generated. The default is No. IMPORTANT When one or more of the following items are true, Remote Generation is not supported and, therefore, the Generate Key/CSR on Application setting is ignored.
If you do not select this option, the CSR and private key are centrally generated on the Trust Protection Platform server, then securely copied to the application. If you do select this option, the CSR and private key are locally generated on the application’s server. In both cases, the certificate and private key are archived in the Trust Protection Platform database. |
Hash Algorithm |
For the certificate signing request, choose either SHA-1 or SHA-256. The default is SHA-256. |
Subject DN |
|
Organization |
Name that uniquely identifies the organization in the certificate. |
Organization Unit |
Department or division within the organization that is responsible for maintaining the certificate. |
City, State/Province, Country |
Location (city, state/province, and country) of your Organization or Organizational Unit. |
Domain White List |
|
Allowed Domains |
Enter the suffix of allowed domains. For example, .com acme.com, or sales.acme.com. If you leave this field blank, all domains will be allowed. |
Allow Wildcards |
The default is Yes. Select No to prohibit wildcards. |
Allow Duplicate Common and Subject Alternate Names |
The default is Yes. Select No to require unique names. |
Private Key |
|
Reuses the original private key when renewing the certificate. The default is No. |
|
Allow Users to Import Duplicate Certificates and Reuse Private Keys |
Controls the reuse of certificates and private keys. When enabled, this permits you to import a certificate even if another certificate with the same private key already exists in the system. It would also allow you to renew a certificate without uploading / re-generating a new private key. When disabled, if you are renewing a certificate with a user-provided CSR, you cannot reuse a CSR that is tied to a private key that has ever been uploaded to Trust Protection Platform. Also, when importing a certificate manually, through WebSDK and Web UI, you won't be able to upload a certificate that is already in the inventory. We recommend you leave this option disabled (unchecked). |
Key Algorithm |
The allowable algorithm for certificate encryption. Works in conjunction with Elliptic Curve. The default is RSA. Choose either RSA or ECC (Elliptic Curve Cryptography). |
Key Strength |
The certificate key strength. The default is 2048. If the key strength value conflicts with what the application can handle/requires, the application ignores the policy and sets the value accordingly. For example, if you set this value to 2048-bit encryption, but the target application cannot handle 2048-bit certificates, Trust Protection Platform generates the certificate CSR using 1024-bit encryption. |
Elliptic Curve |
The ECC size. Works in conjunction with Key Algorithm. The default is P256. NOTE The most broadly supported elliptic curve is P256. The other curves, P384 and P521, may be rejected by some CAs that support ECC. |
Other Information |
|
CA Template |
CA Template object that Trust Protection Platform references to generate the CSR and submit it to the CA. |
Key Generation |
Encryption key to generate the certificate private key. By default, Trust Protection Platform provides an AES-256 encryption key—the Venafi Platform software key—to generate private keys. However, you can also configure Trust Protection Platform to use AES encryption keys stored on supported HSM devices to generate certificate private keys. Your system is protected by either a hardware or a software encryption key (or both). |
Encryption Key |
Encryption key to use to protect the certificate private key. The system uses either a hardware or software key (or both). The software encryption key secures data in the Trust Protection Platform database, and is stored in the Windows registry. You can also configure Trust Protection Platform to use AES encryption keys stored on supported HSM devices to encrypt your system certificates. For information, see Managing system encryption keys . |
Disable Automatic Renewal: |
Disables enrollment and provisioning for the current certificate. This means that Venafi TLS Protect does not attempt to renew or install the current certificate. However, Venafi TLS Protect still provides monitoring, validation, and notification for the certificate object. Additionally, the certificate is represented in Dashboard statistics and system reports. The default is No. Trust Protection Platform automatically selects this option when it renews a certificate in response to a SCEP request. |
Allow Simple Passwords for Private Key Downloads |
The setting to control whether simple or strong passwords are required for private key downloads. The default is No. |
Private Key PBE (password-based encryption) algorithm |
This setting applies to private keys that are downloaded using the PEM format. Options include: Insecure but good system compatibility, Insecure but better system compatibility (SHA1 3DES), High security but low system compatibility (SHA256 AES256), The default is High security but low system compatibility (SHA256 AES256). You should not change it unless you have an incompatible system that cannot be upgraded. For more information, see Using PBE (password-based encryption) algorithms to secure private keys. NOTE The algorithms used to derive the protection key and encrypt the private key are not supported by all applications. Generally, the more secure the protection key and algorithm, the fewer applications will support it. |
Renewal Window |
Number of days prior to expiration that Trust Protection Platform begins the renewal operation. The default and recommended value is 30 days. |
Validation |
The purpose of Network Validation is to confirm that the certificate is functional and to verify that the correct certificate is being used. Network Validation requires network access to the server where the application is installed. |
Disable SSL/TLS Validation |
Disables Network Validation, including all related notifications, for subordinate Certificate objects. |
Network Port |
Port that the Validation Manager uses to connect to the server where the application is installed. The Validation Manager uses an SSL connection to validate the application’s associated certificate. The default port is 443. |
Use certificate's Common Name |
Require validation scans to use a DNS lookup to resolve the certificate Common Name. Validation occurs on the certificate at every IP address returned from the DNS lookup. The default is Yes. |
Use certificate's DNS Subject Alternative Names |
Require validation scans to validate DNS Subject Alternative Names (SANs) of the certificate, if any. The default is No. |
Validate the chain returned by the hosting server |
Validate the chain returned by the hosting server to the chain that Trust Protection Platform builds using its internal algorithm to ensure a match. The default is yes, meaning chain validation is enabled and it affects the SSL/TLS validation result. |
Available only in the Root Policy object. |
|
Approved for Issuance |
Available only in the Root Policy object. Select certificate authorities (CAs) you want to be considered trusted and approved issuers. This list is useful in identifying certificates issued by unapproved CAs. You can configure the Critical Alerts widget in the product dashboard to identify certificates that do not match your approved CA list. |
Active Directory Certificate Authentication |
Device, user, server, and certificates policy settings related to Active Directory certification authentication and SID (security identifier). |
Allow certificates with AD Security Identifier (SID) |
The default is No. If set to No, Trust Protection Platform will not allow certificates with an SID extension. |
Allow security identifiers outside of connected identities |
The default is No. Controls whether Trust Protection Platform allows unknown SID (security identifier). If set to No and Trust Protection Platform cannot find the provided SID value in AD, the certificate request is rejected. |
Automatically include requester identity |
The default is Yes. Applies to WebSDK. If set to Yes, the WebSDK requester identity is set as the AD security identifier (SID) identity, unless provided with the request. If Trust Protection Platform cannot resolve objectSid from the WebSDK requester identity, it is ignored. If the resolved SID value doesn’t match the policy settings, then the request is rejected. |
AD Security Identifier source |
Choose between:
|