Certificate & Key Environment
Follow the steps below to complete setting up a Certificate & Key Environment.
NOTE As you proceed through these steps, note that some of the fields may not be editable, and some fields may not appear at all. This is based on the Environment Type you selected and the Environment Template settings that your Code Signing Administrator has established.
- To prevent expired keys or certificates from being used for signing, enable Prevent Use Of Expired Environment.
DID YOU KNOW? Some code signing applications allow you to sign with expired code signing certificates. Enabling this option in CodeSign Protect prevents expired keys and certificates from being used to sign, even if a particular application allows it.
- Select a Signing Flow to use for this Environment. The Flow you select will be invoked when the keys associated with this Environment are used.
- Select a Key Storage Location, which is where the private key will be stored. Selecting Software stores the key in the Trust Protection Platform Secret Store.
Other options, such as HSMs, may be available based on key storage locations configured by your Code Signing Administrator. If you plan to import an existing key currently stored on an HSM, select the HSM that stores that key.
- To re-use the same private key when the certificate is renewed, enable Re-Use private key. If disabled, a new private key will be generated upon certificate renewal.
- Select a Creation Type, and then follow the instructions for the type you select below.
IMPORTANT Two Environments may not use the same certificate or private key. Make sure that each certificate or private key is assigned to only one CodeSign Protect Environment.
- Click the Create New radio button.
- Complete the remaining fields using the following guidelines.
Certificate Provider
The Certificate Authority (CA) that should be used for this Environment.
Include Certificate Chain
Select this checkbox if you want the certificate's chain pushed down from Trust Protection Platform to the workstations that use this environment.
DID YOU KNOW? Many signing applications will either report an error or report that the certificate isn't available if it doesn't trust the entire chain.
Key Algorithm
Select the key algorithm to use for the keys associated with this Environment. This becomes the Algorithm and Key Length that appear on the certificate.
Common Name
Most CAs use the Organization (O) name as the common name. You can leave this blank unless your CA allows you to specify your own Common Name.
For per-user environments, only macros are allowed to avoid duplicate certificates.
Organization
The Organization (O) name that appears as part of the Subject DN of the certificate.
For per-user environments, this field supports macros.
Using suggested macros (available in the user interface)
Following are commonly-used macros, which are suggested in the user interface:
- "$Identity[$Sign.User$]$"
- Resolves to the username for the key user from the identity provider
- "$Identity[$Sign.User$,Given Name]$"
- Resolves to the given name for the key user from the identity provider
- "$Identity[$Sign.User$,Surname]$"
- Resolves to the surname for the key user from the identity provider
- "$IdentityEmail[$Sign.User$]$"
- Resolves to the email address for the key user from the identity provider
- "$Sign.User$"
- Resolves to the prefix universal GUID
- "$Sign.Project$"
- Resolves to the CodeSign Protect Project name, which is set by the Project Owner
- "$Sign.Environment$"
- Resolves to the CodeSign Protect Environment name, which is set by the Project Owner
- "$Sign.EnvironmentType$"
- Resolves to the environment type
Using custom macros
You can also use your own macro. For example, the following macro would resolve to the key user's Department value from your identity provider: "$Identity[$Sign.User$,Department]$"
For additional information on macros, see Macro overview.
Organizational Unit
The Organizational Unit (OU) name that appears as part of the Subject DN of the certificate.
For per-user environments, this field supports macros.
The suggested and custom macros are the same as those listed under Organization above.
SAN Email
The email address that appears as part of the Subject DN of the certificate.
For per-user environments, this field supports macros.
The suggested and custom macros are the same as those listed under Organization above.
City
The city name that appears as part of the Subject DN of the certificate. This field is also known as the locality (L).
State
The state (ST) name that appears as part of the Subject DN of the certificate.
For per-user environments, this field supports macros.
The suggested and custom macros are the same as those listed under Organization above.
Country
The two-character country code that appears as part of the Subject DN of the certificate. For a list of valid country codes, see Country codes.
- Click Create Environment.
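As an added example (not CodeSign Protect's own code; the product's real macro resolver is not on this page), a small Python resolver that expands the macro forms listed above against constructed identity-provider records. It shows how the nested $Sign.User$ feeds the $Identity[...]$ lookup, how a custom attribute such as Department is fetched, and why a per-user Common Name must be a macro. The attribute names, the context values and the error handling are assumptions.

```python
import re

# Constructed identity-provider records, keyed by the value $Sign.User$
# resolves to (the page calls this the key user's universal GUID).
IDP = {"user-guid-0001": {"Username": "jdoe", "Given Name": "Jane",
                          "Surname": "Doe", "Email": "jane.doe@example.com",
                          "Department": "Release Engineering"}}
# Constructed per-request context; in the product these come from the
# signing request, the Project and the Environment.
CONTEXT = {"Sign.User": "user-guid-0001", "Sign.Project": "Installer",
           "Sign.Environment": "Release", "Sign.EnvironmentType": "Certificate & Key"}

SIGN_MACRO = re.compile(r"\$(Sign\.[A-Za-z]+)\$")
IDENTITY_MACRO = re.compile(r"\$(Identity|IdentityEmail)\[([^\[\]]*)\]\$")


def resolve(template: str) -> str:
    """Expand $Sign.*$ first so that nested forms such as
    $Identity[$Sign.User$,Department]$ see a concrete user id."""
    def sign_sub(m):
        key = m.group(1)
        if key not in CONTEXT:
            raise ValueError(f"unknown macro ${key}$")
        return CONTEXT[key]

    def identity_sub(m):
        kind, args = m.group(1), [a.strip() for a in m.group(2).split(",")]
        record = IDP.get(args[0])
        if record is None:
            raise ValueError(f"unknown key user {args[0]!r}")
        if kind == "IdentityEmail":
            return record["Email"]
        attribute = args[1] if len(args) > 1 else "Username"
        if attribute not in record:
            raise ValueError(f"identity provider has no attribute {attribute!r}")
        return record[attribute]

    return IDENTITY_MACRO.sub(identity_sub, SIGN_MACRO.sub(sign_sub, template))


def subject_dn(fields: dict, per_user: bool = False) -> str:
    """Build the Subject DN from per-field templates, dropping empty fields.
    In a per-user environment the CN must be a macro, otherwise every key
    user would receive a certificate with the same Common Name."""
    if per_user and fields.get("CN") and "$" not in fields["CN"]:
        raise ValueError("per-user environment: Common Name must be a macro")
    parts = [(attr, resolve(tmpl)) for attr, tmpl in fields.items()]
    return ", ".join(f"{a}={v}" for a, v in parts if v)
```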
NOTE Using an existing HSM key requires an Environment Template that has a connection to the HSM that contains the key. Also, only Code Signing Administrators and Master Admins have rights to create environments that use existing HSM keys.
- From the Private Key drop-down, select the key you want to associate with this Environment. Note that it may take a few minutes to retrieve the key references from the HSM.
- From the Public HSM Key drop-down, select the public key to associate with this Environment. This list is populated after you select the private key.
- Select whether you want to Manually enter Certificate information or Import Certificate information.
To import certificate information, you'll need to upload a PEM or PKCS#7 file.
If you are manually entering your certificate information, the fields are the same as for Create New; use the field guidelines given above to complete them.
- Click Create Environment.
After you finish creating the Environment, you'll be able to see the HSM Key Label by opening the Project, selecting the Environment, and then clicking the Instances tab on the Environment properties.
NOTE The HSM Key Label is shown for single key Environments only.
NOTE The Key Storage Location for imported keys will be Software. Importing existing keys to an HSM is not supported.
- Upload your PKCS#12 or PFX file.
- Click Create Environment. The Environment is automatically created and added to the Project.
What's Next
If you need additional Environments as part of this Project, you can create those now. A Project can have as many Environments as needed, and the Environments can be any type.
If you're done creating Environments, you can submit your Project for approval.