Create a Sectigo CA template

Creating a CA template is the first step in integrating Sectigo with Code Sign Manager - Self-Hosted.

Prerequisites

You'll need the following to complete this procedure:

  • Administrative access to your CyberArk Configuration Console or the Code Sign Manager - Self-Hosted MMC snap-in.

  • A supported Luna HSM. If your Luna HSM is not connected to Trust Protection Foundation, first go through the steps in Setting up Code Sign Manager - Self-Hosted to use HSM keys.

  • Sectigo code signing credentials (Client ID, Client Secret, and Endpoint URL) from your Sectigo Certificate Manager portal.

    NOTE  The Sectigo credentials required for Code Sign Manager - Self-Hosted are different from those used in Certificate Manager - Self-Hosted.

Create and configure a new Sectigo template object

  1. Open CyberArk Configuration Console or the Code Sign Manager - Self-Hosted MMC snap-in.

  2. From Code Signing > Certificate Authority Templates, click Create, and then select Sectigo Code Sign CA connector.

  3. Specify a name for the new CA template. This name displays when you add a CA template to an Environment Template.

  4. Click Create. The Configure New Connector screen appears.

  5. Add a Description and one or more Contacts for this CA template.

  6. Click the Client ID and Secret drop-down list.

  7. Enter the End Point URL from the Prerequisites section above.

  8. Select whether to enable SAN and allow reissuance.

    Option            Description
    SAN Enabled       Configures the current CA template object to support CSRs with DNS-based Subject Alt Name (SAN) values.
    Allow Reissuance  Lets you reissue certificates so that you can add SANs to existing certificates without wasting certificate units or incurring unnecessary charges.

Next steps

Your Sectigo CA connector is now ready to be assigned to an Environment Template. Follow the steps to add a certificate template under the "Add a Single Template" heading.

Overall Sectigo configuration roadmap

The following table summarizes all of the steps needed to configure your Sectigo integration with Code Sign Manager - Self-Hosted. For the sake of completeness, it includes creating the CA template, which is documented above.

Overview of steps to complete Sectigo configuration
Step Task Notes
1 Create a CA template
  • See the steps above

2 Assign the CA template to an Environment Template
  • Sectigo requires a Single Certificate Environment type.

  • Luna HSM supports only RSA and EC keys. When creating the Environment Template, be sure those key types are selected as available key types.

4 Create an Environment that uses the Sectigo Environment Template
  • This Environment can be added to a new Project or to an existing Project.

  • When creating the Environment, follow the steps for a Certificate & Key Environment. Select your new Sectigo template as the Environment Template.

5 Import attestation file
  • The attestation file is required to complete the CSR.

6 Approve certificate request in Sectigo Certificate Manager
  • Once the CSR is submitted to Sectigo, it must be approved in Sectigo Certificate Manager.

  • After approval, the certificate and key will be available to sync to Code Sign Clients.