Configuring the GlobalSign MSSL CA Template object

To enable Trust Protection Platform to manage GlobalSign certificates, you must configure the GlobalSign MSSL CA Template object. This object provides the information Trust Protection Platform needs to request, retrieve, and install certificates issued by the GlobalSign MSSL CA.

BEST PRACTICE  Consider managing CA Template object settings using a policy. For more information, see Managing CA templates using policies.

To create and configure a GlobalSign MSSL CA template

  1. From the TLS Protect menu bar, click Policy Tree.
  2. From the Tree drop-down menu, click Policy.
  3. In the Policy tree, select the folder where you want to create the CA Template object, and then click Add.
  4. Click CA Template, then select GlobalSign MSSL to create it.
  5. In the CA Name box, type a name for the new GlobalSign MSSL object.

Refer to the following table to complete the remaining CA template settings:

GlobalSign MSSL CA Template Configuration

Field

Description

Connection

Profile ID

The profile ID contains a string of numbers and letters that are associated with your vetted certificate profile. The Profile ID can be determined by logging in to the GlobalSign MSSL portal, clicking on the Manage Domains & Profiles link, and then clicking on the Toggle display of Profile ID & Domain ID link.

Domain ID (Optional)

The Domain ID contains a string of numbers and letters that are associated with each domain for which you can issue certificates.

The Domain ID can be determined by logging in to the GlobalSign MSSL portal, clicking on the Manage Domains & Profiles link, and then clicking on the Toggle display of Profile ID & Domain ID link.

If you choose not to specify a domain ID, then certificates may be enrolled using any domains that have been validated in your GlobalSign account. This allows for individual certificates that reference more than one domain and allows one CA template to be used for enrolling certificates that specify different domains. When the domain ID is specified, only that domain may appear in the certificate request.

Credential

The username and password that are used to authenticate to the GlobalSign MSSL portal.

Validate

Click this button to validate the Profile ID, Domain ID, and Credential settings by attempting to connect to and authenticate with GlobalSign. Once these credentials are validated, the Template list is populated with the products available to your organization.

Connect to Test Service

Configures the CA template to use GlobalSign's non-production service for testing purposes.

When this option is enabled, certificates enrolled using the CA template are not generally trusted by clients because they are issued by an untrusted certificate authority.

Options

Template

Select one of the following certificate templates, which are retrieved from GlobalSign for issuance of certificates.

  • Organization SSL
  • Extended Validation (EV) SSL

These templates are supported for domains that have completed the respective level of validation (OV or EV).

One instance of the CA template must be created for each product template that corresponds to certificates that will be issued to the organization.

SAN Enabled

Select this option if you want this instance of the CA template to allow certificates to which it has been assigned to use Subject Alternative Names.

SAN Type

Identifies the format of Subject Alternative Name that is supported by this instance of the CA template.

  • Fully Qualified Domain: Allows a fully qualified domain name such as domain.com to be used as a Subject Alternative Name in the certificate.
  • Internal hostname or IP Address: Allows an internal server name (which should not end with domain.com) or an IP address to be used as a Subject Alternative Name in the certificate.
  • Subdomain: Allows a subdomain such as sub.domain.com to be used as a Subject Alternative Name in the certificate.
  • Unified Communication Certificate: Allows a name such as mail.domain.com to be used as a Subject Alternative Name in the certificate.

Signature Algorithm

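Specifies the algorithm to be used by GlobalSign when it signs a requested certificate. Supported values are SHA1 (default) and SHA2-256. Because SHA1 is the default, select SHA2-256 explicitly unless you have a specific need for SHA1: major browsers no longer trust SHA-1-signed TLS certificates from public CAs.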

Validity Period

Available Validity Periods (Months)

Validity Periods that are supported by the GlobalSign MSSL CA.

Supported Validity Periods (Months)

Validity Periods that are available to be selected when configuring a GlobalSign MSSL certificate.

To populate this list, select the Supported Validity Periods that you want to be available when configuring GlobalSign MSSL certificates in Policy Tree, and then click the right-arrow.

Press Shift+click to select multiple, contiguous items.

Press Ctrl+click to select multiple, discontiguous items.

  1. (Optional) To see additional attributes, review the settings on the Support tab.
  2. Click Save.
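
The Signature Algorithm and Connect to Test Service settings above both determine whether clients will trust a certificate enrolled through this template. The following Python script is an added example, not part of the product documentation: it checks the text printed by `openssl x509 -noout -text` for a SHA-1 signature or for an issuer outside an expected production list. The issuer names and the two sample dumps are constructed placeholders.

```python
import re

# Assumption: issuer CNs that your production profile is expected to chain to.
# Constructed placeholder, not a real GlobalSign CA name.
EXPECTED_ISSUER_CNS = {"EXAMPLE Production OV CA"}

SIG_RE = re.compile(r"^\s*Signature Algorithm:\s*(\S+)", re.M)
ISSUER_RE = re.compile(r"^\s*Issuer:\s*(.+)$", re.M)
CN_RE = re.compile(r"CN\s*=\s*([^,/\n]+)")


def audit_cert_text(text, expected_issuers=EXPECTED_ISSUER_CNS):
    """Return findings for one `openssl x509 -noout -text` dump."""
    findings = []
    sig = SIG_RE.search(text)
    if sig is None:
        findings.append("signature algorithm not found")
    elif "sha1" in sig.group(1).lower():
        # Template was left on the SHA1 default.
        findings.append("SHA-1 signature: " + sig.group(1))
    issuer = ISSUER_RE.search(text)
    cn = CN_RE.search(issuer.group(1)) if issuer else None
    if cn is None:
        findings.append("issuer CN not found")
    elif cn.group(1).strip() not in expected_issuers:
        # Possibly enrolled with Connect to Test Service enabled.
        findings.append("unexpected issuer: " + cn.group(1).strip())
    return findings


# Constructed samples in the layout printed by `openssl x509 -noout -text`.
SAMPLE_TEST_SHA1 = """\
Certificate:
    Data:
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C = XX, O = EXAMPLE, CN = EXAMPLE Test Service CA
        Subject: C = XX, O = Example Org, CN = app.example.com
"""
SAMPLE_PROD_SHA256 = """\
Certificate:
    Data:
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=XX, O=EXAMPLE, CN=EXAMPLE Production OV CA
        Subject: C=XX, O=Example Org, CN=app.example.com
"""

if __name__ == "__main__":
    for name, dump in (("test/sha1", SAMPLE_TEST_SHA1), ("prod/sha256", SAMPLE_PROD_SHA256)):
        print(name, audit_cert_text(dump) or "ok")
```

Replace `EXPECTED_ISSUER_CNS` with the issuing CA names you actually see on production certificates from your GlobalSign account before using the check.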

What's next?

After you create a CA object, you can select it from the Policy tree, and then view important information and manage various settings.

  • Click the General tab to view and modify log and permissions settings.

    • Click the Log sub-tab to view any logged events that are triggered by the template object.

      IMPORTANT  You must have the Read permission to view the Log tab.

      For more information about options found on the Log tab, see Viewing log events.

    • On the Permissions sub-tab, you can configure the users or groups to whom you want to grant permissions to the new template object.

      Consider managing object permissions via parent objects so that you can take advantage of inheritance. For more information, see Permission inheritance and flow down.
