Configuring the certificate management level

To address the needs of diverse organizations with varied security requirements, Trust Protection Platform provides four levels of certificate management:

Monitoring

At this level, organizations can continuously monitor key and certificate assets for improved inventory and risk mitigation. Trust Protection Platform monitors existing certificates and provides current information on the certificate status and lifecycle. When the certificate nears the end of its lifecycle, Trust Protection Platform sends dynamically-generated expiration and escalation messages to certificate owners, consumers, and approvers.

At the monitoring level of certificate management, however, Trust Protection Platform does not renew the certificate. The administrator must manually create the CSR, send it to the certificate authority (CA), then retrieve and install the renewed certificate.

Once the certificate is manually installed, Trust Protection Platform can validate that the certificate is installed and properly configured.

Monitoring is enabled in the Certificate object configuration.

Enrollment

At this level, Trust Protection Platform interfaces directly with Certificate Authorities (CAs) to initiate and auto-enroll new or to-be-renewed certificate and key generation requests according to organization-defined workflow and approved folders.

Trust Protection Platform automatically generates and submits CSRs to CAs using the parameters defined in designated CA Template objects. If preferred, administrators can manually generate the CSR, then upload it to Trust Protection Platform to complete the enrollment process with the appropriate CA.

After the CA signs the certificate, Trust Protection Platform retrieves the certificate and securely stores it in the Secret Store. The administrator can then download the certificate from the Secret Store and install it on the target system(s).
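The following is an added example, not Venafi's or Trust Protection Platform's code, that walks through the steps described under Monitoring and Enrollment: a CSR is generated for a new key pair, a CA signs it, and the installed certificate is checked against the key that produced the CSR, its required subject alternative names, and its validity window, with the days-remaining calculation that an expiration or escalation notice would key off. The CA is a constructed stand-in so the script runs offline, the escalation thresholds are assumed values rather than platform defaults, and the `cryptography` package is required.

```python
"""Added example (not Venafi's code): manual CSR, stand-in CA, post-install
validation and expiration monitoring for one certificate."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

# Assumed escalation thresholds in days before notAfter (constructed values,
# not Trust Protection Platform defaults).
ESCALATION_DAYS = (90, 30, 7)


def utc_now(days_ahead=0):
    """Current UTC time, optionally shifted forward to simulate a later check."""
    return datetime.now(timezone.utc) + timedelta(days=days_ahead)


def _validity(cert, which):
    """Read notBefore/notAfter as aware UTC across cryptography versions."""
    value = getattr(cert, f"not_valid_{which}_utc", None)
    if value is None:
        value = getattr(cert, f"not_valid_{which}")
    return value if value.tzinfo else value.replace(tzinfo=timezone.utc)


def create_csr(common_name, sans):
    """Step 1: generate a fresh key pair and a CSR carrying the required SANs."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    csr = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
        .add_extension(
            x509.SubjectAlternativeName([x509.DNSName(name) for name in sans]),
            critical=False,
        )
        .sign(key, hashes.SHA256())
    )
    return key, csr


def make_stand_in_ca():
    """Constructed test CA; in practice the CA is external to the administrator."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Test CA")])
    return ca_key, ca_name


def issue_from_csr(csr, ca_key, ca_name, validity_days):
    """Step 2: the CA signs the CSR, copying its subject, public key and extensions."""
    now = utc_now()
    builder = (
        x509.CertificateBuilder()
        .subject_name(csr.subject)
        .issuer_name(ca_name)
        .public_key(csr.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=5))
        .not_valid_after(now + timedelta(days=validity_days))
    )
    for ext in csr.extensions:
        builder = builder.add_extension(ext.value, critical=ext.critical)
    return builder.sign(ca_key, hashes.SHA256())


def _spki(public_key):
    """DER SubjectPublicKeyInfo, used to compare keys regardless of key type."""
    return public_key.public_bytes(
        serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo
    )


def validate_installed(cert, key, expected_sans, now=None):
    """Step 3: after install, the certificate must belong to the CSR's private key,
    carry every expected SAN and be inside its validity window.
    Returns a list of problems; an empty list means the install checks out."""
    now = now or utc_now()
    problems = []
    if _spki(cert.public_key()) != _spki(key.public_key()):
        problems.append("certificate public key does not match the private key")
    try:
        san_ext = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
        present = set(san_ext.value.get_values_for_type(x509.DNSName))
    except x509.ExtensionNotFound:
        present = set()
    missing = sorted(set(expected_sans) - present)
    if missing:
        problems.append("missing SAN(s): " + ", ".join(missing))
    if not (_validity(cert, "before") <= now <= _validity(cert, "after")):
        problems.append("outside the validity period")
    return problems


def expiration_status(cert, now=None):
    """Monitoring: (days remaining, most urgent escalation tier reached or None)."""
    now = now or utc_now()
    remaining = (_validity(cert, "after") - now).days
    due = [tier for tier in ESCALATION_DAYS if remaining <= tier]
    return remaining, (min(due) if due else None)


if __name__ == "__main__":
    names = ["www.example.test", "example.test"]
    key, csr = create_csr("www.example.test", names)
    ca_key, ca_name = make_stand_in_ca()
    cert = issue_from_csr(csr, ca_key, ca_name, validity_days=20)
    print("problems:", validate_installed(cert, key, names))
    print("days left, tier:", expiration_status(cert))
```

The key-match check is the one most often skipped in a manual renewal: a certificate that chains correctly and carries the right names but was issued for a different CSR will still fail at TLS handshake time, and comparing the SubjectPublicKeyInfo of the installed certificate with that of the private key catches it before the old certificate expires.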

Enrollment is enabled in the Certificate object configuration.

For an explanation of the managed stages of the certificate lifecycle, see About certificate lifecycle management.

Provisioning

At this level, Trust Protection Platform provides fully automated lifecycle management—it automatically requests, installs, renews, and monitors your system certificates and keys on a comprehensive set of systems and applications, producing consistent, repeatable processes that improve the organization's security, operational, and compliance risk posture.

Provisioning is enabled in the Certificate object configuration.

For an explanation of the managed stages of the certificate lifecycle, see About certificate lifecycle management.

Unassigned

Unassigned certificates are unlicensed Trust Protection Platform certificates; they do not allow network validation, expiration monitoring, enrollment, provisioning, or onboard validation. However, they are included in selected reports and on the dashboard.

To change a certificate's management type, see Changing the management type to Provisioning.