Setting policy on a folder
You can configure policy settings for all certificates in the same folder. The configuration is done on the folder.
IMPORTANT You must have the View and Manage Policy permissions in order to see the Folders menu item.
To configure certificate policy on a folder
-
From the TLS Protect menu bar, click Configuration > Folders.
- In the list of folders, click the folder that you want to configure.
-
In the sidebar, click Certificate Policy.
Certificate Policy Settings Field
Description
General Settings
Contact
User or group Identities assigned to this object.Default system notifications are sent to the contact identities.
Default contact = master administrator
Approver
User or group Identities assigned to approve workflows (certificate approval or injection command) for the current Certificate object. For more information on defining Workflow objects, see Workflow object settings.
Default approver = master administrator
Management Type
Select either Unassigned, Monitoring, Enrollment, or Provisioning. If you can't make a change, it's because the policy is locked at a higher level.
Certificate Management types include the following:
- Monitoring: Trust Protection Platform monitors existing certificates and provides current information on the certificate status and lifecycle. When the certificate nears the end of its lifecycle, Trust Protection Platform notifies the administrator. It does not, however, renew the certificate. The administrator must manually create the CSR, send it to the Certificate Authority (CA), then retrieve and install the renewed certificate.
- Enrollment: Trust Protection Platform can automatically generate and submit CSRs to Certificate Authorities using the parameters defined in designated CA Template objects. If preferred, the administrator can manually generate the CSR, then upload it to Trust Protection Platform to complete the enrollment process with the appropriate CA. After the CA signs the certificate, Trust Protection Platform retrieves the certificate and securely stores it in the central database. The administrator must then download the certificate from Trust Protection Platform and install it on the target systems.
- Provisioning: Trust Protection Platform manages the entire certificate lifecycle—it automatically requests, installs, and monitors your system certificates.
- Unassigned: Unlicensed Trust Protection Platform certificates and keys that do not allow network validation, expiration monitoring, enrollment, provisioning, or onboard validation. However, they are included in selected reports and on the dashboard.
Subject DN
Organizational Unit
Department or division within the organization that is responsible for maintaining the certificate.
Organization Name that uniquely identifies the organization in the certificate.
City / Locality
The city or locality of the organization in the certificate.
State / Province
The state or province of the organization in the certificate.
Country
The country of the organization in the certificate.
Allow Domain Component
Check to allow domain component usage for certificates in this folder. This could allow you, for example, to use client authentication certificates to restrict access of the certificate to the sub-domain specified on the certificate using the domain component attribute.
This setting should only be used if the application server you are authenticating to is configured to support verification of domain components. You can configure a schedule to run these rules on a regular basis.
NOTE This is not a commonly used feature.
For more information about domain components, see About Domain Components.
Enrollment Settings
Renew automatically
Sets an auto-renewal of certificates in this folder based on the specified number of days before expiration.
CA Template
CA Template object that Venafi TLS Protect references to generate the CSR and submit it to the CA.
Key Algorithm
The algorithm to be used for keys assigned to this folder.
Key size (bits)
Certificate’s key strength.
If the key strength value conflicts with what the application can handle/requires, the application ignores the policy and sets the value accordingly. For example, if you set this value to 2048-bit encryption, but the target application cannot handle 2048-bit certificates, Trust Protection Platform generates the certificate CSR using 1024-bit encryption.
Reuse Private Key (Service Generated CSR)
Reuses the original private key when renewing the certificate.
Allows Users to Import Duplicate Certificates and Reuse Private Keys
Controls the reuse of certificates and private keys. When enabled, this permits you to import a certificate even if another certificate with the same private key already exists in the system. It would also allow you to renew a certificate without uploading / re-generating a new private key.
When disabled, if you are renewing a certificate with a user-provided CSR, you cannot reuse a CSR that is tied to a private key that has ever been uploaded to Trust Protection Platform. Also, when importing a certificate manually, through WebSDK and Web UI, you won't be able to upload a certificate that is already in the inventory.
We recommend you leave this option disabled (unchecked).
CSR Provided By
Determines how CSRs (Certificate Signing Request) are generated.
- Service Generated CSR:Trust Protection Platform automatically generates the CSR.
- User Provided CSR: CSR is manually generated by the administrator, then uploaded to Trust Protection Platform.
Trust Protection Platform always generates CSRs in compliance with the Certificate object’s current parent policy. If the CSR is user submitted, Trust Protection Platform does not accept the CSR unless it is “in policy.”
Validation Settings
Validate SSL/TLS connections for this certificate?
Select Yes or No. Yes will enable Trust Protection Platform to turn on daily TLS validation of this certificate.
Port
The network port that Trust Protection Platform will use to connect to the target device hosting the certificate when making the TLS connection.
Use certificate's Common Name
Validation scans include network addresses resolved from the common name of the certificate.
Use certificate's DNS Subject Alternative Names
Validation scans include network addresses resolved from the DNS Subject Alternative Names (SANs) of the certificate, if any.
Validate the chain returned by the hosting server
The chain returned by the hosting server is compared to the chain that Trust Protection Platform builds using its internal algorithm to ensure a match. By default, chain validation is enabled and affects the SSL/TLS validation result.
Advanced Settings
Managed By
Choose Aperture if the policy is managed by that application. If not, leave this field blank.
Certificate Origin
The friendly name of the system requesting the certificate. Used for reporting purposes only. (Requires Client Protect product.)
CSR Signature Algorithm
Choose either SHA-256, SHA-384, or SHA-512. The default is SHA-256.
To learn more about signing algorithms, see About signing algorithms.
Generate Key/CSR Remotely
Option to enable the remote generation of the key or CSR on the HSM (requires Venafi Advanced Key Protect).
When one or more of the following items are true, Remote Generation is not supported and, therefore, this setting is ignored:
-
You're using a driver that does not support remote generation.
To learn which drivers support remote generation, see Supported integrations: devices, applications, services and features supported by Venafi.
-
You're using a self-signed CA template to enroll a certificate; self-signed CA templates do not work with remote generation.
This is because Trust Protection Platform requires that the private key be stored centrally so that it can be used to sign the self-signed certificate.
- Your certificate is associated with more than one application; to work correctly, the certificate must be associated with one application.
- You have not set the certificate's management type setting to Provisioning.
Key Generation and Encryption Key
Encryption key used to generate the certificate’s private key.
Trust Protection Platform provides either an AES-256 software encryption key to generate private keys, or you can configure AES encryption keys stored on supported HSM devices to generate certificate private keys. For information on using your own encryption keys, see Working with system credentials
Enter the suffix of allowed domains. Example: acme.com or sales.acme.com
If you leave this field blank, ALL domains will be allowed.
Allow wildcard Common and Subject Alternative Name
Select to allow wildcards in the certificate's Common or Subject Alternative Names.
Allow duplicate Common and Subject Alternate Names
Select to allow duplicate Common or Subject Alternate Names.
To learn more, see About Subject Alternative Names (SANs).
Disable "Certificate Download Password" Complexity
The setting allows an administrator to revert back to the previous functionality where a password is required but there are no length or complexity requirements.
If this check box is not selected, the password requirements are:
-
Password is at least 12 characters.
-
Comprised of at least three of the following:
-
Uppercase alphabetic letters
-
Lowercase alphabetic letters
-
Numeric characters
-
Special characters
-
Private Key PBE (password-based encryption) Algorithm
This setting applies only to PKCS#8-formatted private keys downloaded from Aperture, WebAdmin, or WebSDK.
Choose the type of algorithm appropriate for your environment.
To learn more about PBE algorithms, see Using PBE (password-based encryption) algorithms to secure private keys.
NOTE The algorithms used to derive the protection key and encrypt the private key are not supported by all applications. Generally, the more secure the protection key and algorithm, the fewer applications will support it.
SAN Types Allowed
This allows you to control the SAN types that are allowed or not allowed for certificate enrollment.
The available SAN types that can be controlled by policy are:
- DNS
- IP
- UPN
- URI
If your system was installed with version 18.2 or older of Trust Protection Platform, all SAN types are allowed by default.
If your first installation of Venafi Platform was version 18.3 or later, only DNS SAN types are allowed by default.
Use this control to determine which SAN types you want to permit at this and lower folder levels.