Policies
A policy outlines the process and rules for certificate issuance. It defines the verification steps, the certificate authority that will issue the certificate, the allowed cryptographic parameters used for key pair generation, and the naming constraints for end entities.
Policies are bound to a realm, meaning that a specific policy exists and can be used only within the scope of that realm. A realm can have multiple policies.
A policy contains a mapping to a certificate provider. A certificate provider specifies the certificate authority that will be used to sign the certificate. When the certificate provider is selected, the additional MTG CARA-specific template signer field is displayed. A CARA template signer is a grouping of a CA and a certificate template that can be used together to issue a new certificate.
Policy Fields
Manual Approval Required (dropdown options):
Tied to the certificate creation procedure. If set to No, the certificate is issued immediately. If set to Yes, an authorized user must approve or decline the certificate request before a certificate is issued.
Dual Control (dropdown options):
If set to true alongside Manual Approval Required, two different authorized users must approve the specific certificate request under the two-person rule.
This field is active only if Manual Approval Required is set to true.
Allowed Valid For Values (dropdown options):
The validity periods that a certificate issued using this specific policy is allowed to have.
Certificate Import Allowed (dropdown options):
This option allows importing certificates that have been issued externally.
Self-Signed Allowed (dropdown options):
Allows usage of self-signed certificates. These certificates are generated and signed by the entity itself rather than a trusted third-party Certificate Authority (CA).
Wildcard Allowed (dropdown options):
Allows usage of wildcard certificates.
Enforce Active Certificate Uniqueness (dropdown options):
Adds the restriction that no more than one active certificate can exist for the same end entity at the same time. The exception is a configurable number of days before expiration, during which a replacement certificate may be issued for renewal purposes.
Enforce Active Certificate Uniqueness Before Expiration In Days (dropdown options):
Defines the number of days N such that no second certificate can be issued for an end entity until the existing certificate has reached the last N days of its active period.
An appropriate error is displayed when trying to create a certificate that violates the above restriction.
If Enforce Active Certificate Uniqueness is set to false, this field is deactivated and ignored.
E-mail Verification Required (dropdown options):
Enables end entity email verification. If set to Yes, an email will be sent to the end entity’s associated email with a link to verify the email possession. As long as the end entity has not verified its email address, the certificate request status is set to REQUIRES_EMAIL_VALIDATION. In case the end entity does not have an email, the email verification step will be skipped.
Cryptographic Parameters
When no values are selected in these fields, all values are available upon certificate creation by default. Otherwise, when a certificate is created with this policy, only the chosen values are available.
Options listed for these fields:
- PKCS10
- RSA
- 2048
- secp256r1 (P-256)
- curve25519
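As an added example that is not part of the MTG CARA product or this page, the following Python shows how an issuance service could enforce the Policy Fields above (Manual Approval Required, Dual Control, Allowed Valid For Values, Enforce Active Certificate Uniqueness with its N-day renewal window) together with the Cryptographic Parameters selection rule (no selection means every value is available). The class and function names, the state strings and the reference option sets are assumptions made for illustration; the Dual Control check deliberately rejects the same user approving twice, since the two-person rule requires two different authorized users.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Constructed reference sets (assumption: the complete option lists a deployment offers).
ALL_KEY_ALGORITHMS = frozenset({"RSA", "EC"})
ALL_KEY_SIZES = frozenset({2048, 3072, 4096})
ALL_CURVES = frozenset({"secp256r1", "curve25519"})
ALL_VALID_FOR_DAYS = frozenset({90, 365, 730})


@dataclass(frozen=True)
class Policy:
    """Subset of the policy fields described above (attribute names are assumptions)."""
    manual_approval_required: bool = False
    dual_control: bool = False
    allowed_valid_for_days: frozenset = frozenset()      # empty -> all values available
    enforce_active_uniqueness: bool = False
    uniqueness_before_expiration_days: int = 0
    allowed_key_algorithms: frozenset = frozenset()      # empty -> all values available
    allowed_key_sizes: frozenset = frozenset()
    allowed_curves: frozenset = frozenset()


@dataclass(frozen=True)
class ActiveCertificate:
    end_entity: str
    not_after: date


@dataclass(frozen=True)
class CertificateRequest:
    end_entity: str
    valid_for_days: int
    key_algorithm: str
    key_size: Optional[int] = None
    curve: Optional[str] = None
    approvals: tuple = ()        # ids of authorized users who have approved so far


def effective_values(selected: frozenset, all_values: frozenset) -> frozenset:
    """No selection means every value is available; otherwise only the chosen ones."""
    return all_values if not selected else selected


def approval_state(policy: Policy, request: CertificateRequest) -> str:
    """ISSUE when the approvals satisfy the policy, otherwise PENDING_APPROVAL.

    Dual Control only matters when Manual Approval Required is set, and it needs
    two different users: set() collapses a duplicate approval by one user."""
    if not policy.manual_approval_required:
        return "ISSUE"
    required = 2 if policy.dual_control else 1
    return "ISSUE" if len(set(request.approvals)) >= required else "PENDING_APPROVAL"


def uniqueness_error(policy: Policy, request: CertificateRequest,
                     active_certs: List[ActiveCertificate], today: date) -> Optional[str]:
    """Enforce Active Certificate Uniqueness with its N-day renewal exception."""
    if not policy.enforce_active_uniqueness:
        return None
    renewal_window = timedelta(days=policy.uniqueness_before_expiration_days)
    for cert in active_certs:
        if cert.end_entity != request.end_entity or cert.not_after < today:
            continue                  # other end entity, or no longer active
        if renewal_window and cert.not_after - today <= renewal_window:
            continue                  # inside the last N days: renewal is allowed
        return (f"active certificate for {request.end_entity} already exists "
                f"(expires {cert.not_after.isoformat()})")
    return None


def parameter_errors(policy: Policy, request: CertificateRequest) -> List[str]:
    """Reject values outside the policy's validity and cryptographic selections."""
    errors = []
    if request.valid_for_days not in effective_values(policy.allowed_valid_for_days, ALL_VALID_FOR_DAYS):
        errors.append(f"validity of {request.valid_for_days} days not allowed")
    if request.key_algorithm not in effective_values(policy.allowed_key_algorithms, ALL_KEY_ALGORITHMS):
        errors.append(f"key algorithm {request.key_algorithm} not allowed")
    if request.key_algorithm == "RSA" and request.key_size not in effective_values(policy.allowed_key_sizes, ALL_KEY_SIZES):
        errors.append(f"RSA key size {request.key_size} not allowed")
    if request.key_algorithm == "EC" and request.curve not in effective_values(policy.allowed_curves, ALL_CURVES):
        errors.append(f"curve {request.curve} not allowed")
    return errors


def evaluate(policy: Policy, request: CertificateRequest,
             active_certs: List[ActiveCertificate], today: date) -> Tuple[str, List[str]]:
    """Return (state, errors): REJECTED with the error list, else ISSUE or PENDING_APPROVAL."""
    errors = parameter_errors(policy, request)
    uniq = uniqueness_error(policy, request, active_certs, today)
    if uniq:
        errors.append(uniq)
    if errors:
        return "REJECTED", errors
    return approval_state(policy, request), []


if __name__ == "__main__":
    policy = Policy(manual_approval_required=True, dual_control=True,
                    enforce_active_uniqueness=True, uniqueness_before_expiration_days=30,
                    allowed_key_algorithms=frozenset({"RSA"}), allowed_key_sizes=frozenset({2048}))
    request = CertificateRequest("device-42", 365, "RSA", key_size=2048, approvals=("alice", "bob"))
    existing = [ActiveCertificate("device-42", date(2025, 6, 1))]     # constructed sample
    print(evaluate(policy, request, existing, date(2025, 1, 1)))      # blocked: 151 days left
    print(evaluate(policy, request, existing, date(2025, 5, 15)))     # renewal window: ISSUE
```

The order of checks mirrors the field descriptions: parameter and uniqueness violations produce an error regardless of approvals, and only a request that passes them proceeds to the approval state, so an approver never sees a request the policy would reject anyway.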
Enable CMP/SCEP RA
This field configures the cryptographic signers and keys used for securing communications in CMP and SCEP protocols. For CMP, it defines the trusted signer responsible for authenticating client-server messages during certificate enrollment, renewal, or revocation. In SCEP RA mode, it specifies both the signer for server responses and the decryption key required to process encrypted client payloads (e.g., certificate requests). These settings ensure message integrity, authentication, and confidentiality in certificate lifecycle transactions. By configuring this field, you can establish trust anchors and cryptographic parameters aligned with your PKI infrastructure.
CMP Certificate Provider (mandatory):
Specifies the concrete mechanisms used to perform signing operations.
CMP Signer ID (mandatory):
Specifies the ID of the end entity signer in CARA that signs the CMP responses.
CMP Signature Algorithm (mandatory):
Signature algorithm used for signing CMP responses.