For the latest version, please use Certificate Lifecycle Manager 6.3.0!
Your First Certificate in Minutes: It only takes 4 Steps
Issuing your first certificate with MTG CLM is straightforward and secure. This guide walks you through the complete process, ensuring you understand each step and can confidently issue certificates for your specific needs.
Before You Begin: Prerequisites
Ensure you have access to:
- The desired realm for certificate issuance.
- At least one configured policy that matches your certificate requirements.
- End entity information (entity details).
- Understanding of your key generation preference (server-side or PKCS#10 request).
If you need to create a policy first, refer to the policy configuration instructions page.
Certificate Issuance Process
MTG CLM guides you through certificate issuance using an intuitive wizard. Access it by clicking the Create… → Certificate button in the top-right corner of any page.
Choose Realm
Your certificate will be issued within your current realm. Each realm maintains its own policies, end entities, and certificate authorities, ensuring proper isolation and governance.
For realm management details, see realms.
Choose Policy
Select the policy that defines your certificate parameters:
- Certificate Authority (CA) that will issue the certificate
- Certificate template with predefined attributes
- Validation rules and approval requirements
You can select an existing policy or create a new one during this step.
Choose End Entities
Select one or more end entities for certificate issuance:
- Existing End Entities: Choose from your current end entity list.
- New End Entity: Create a new end entity during the process.
End entities must comply with your selected policy rules. If policy changes create mismatches, certificate issuance will fail with a clear error message.
User Certificate Validation: For user certificates, the system automatically verifies that end entity attributes match your identity provider data.
Request Processing and Approval
After completing the wizard, MTG CLM creates a certificate request. Processing depends on your policy configuration:
Automatic Approval: Certificate issued immediately if policy allows.
Email Verification: End entity must verify email before issuance.
Manual Approval: Designated approvers review and approve the request.
Track request status in the certificate requests section.
Common Scenarios and Tips
S/MIME Email Certificates: Configure policies with email protection key usage for secure email signing and encryption. Verify the certificate includes the user’s email address in the subject alternative name field.
Server Certificates: Use policies configured for server authentication with appropriate subject alternative names (SANs).
User Certificates: Ensure end entity email addresses match your identity provider for uninterrupted validation.
Device Certificates: Consider using server-side key generation for centralized key management.
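The S/MIME tip above asks you to verify that the issued certificate carries the user's email address in the subject alternative name. One way to run that check with the OpenSSL command line on a downloaded certificate, as an added example that is not part of MTG CLM or its documentation: the function names and sample values are constructed, it assumes OpenSSL 1.1.1 or later, and it assumes the policy expresses email protection as the emailProtection extended key usage.

```shell
#!/bin/sh
# Added example: check a downloaded S/MIME certificate before deploying it.
# Function names and all sample values are constructed for illustration.
# Usage: check_smime_cert downloaded.pem user@example.com

# Print the value line that follows an extension header in `openssl x509 -text`.
ext_value() {  # $1 = certificate text, $2 = extension name
    printf '%s\n' "$1" | awk -v name="$2" 'index($0, name) { getline; print; exit }'
}

# Return 0 if the certificate lists the address as a SAN email entry and allows
# E-mail Protection in its extended key usage; 1 if not; 2 if unreadable.
check_smime_cert() {  # $1 = PEM certificate file, $2 = expected email address
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || {
        echo "cannot parse certificate: $1" >&2; return 2; }
    san=$(ext_value "$text" "X509v3 Subject Alternative Name")
    eku=$(ext_value "$text" "X509v3 Extended Key Usage")
    # SAN entries are comma-separated; compare whole entries, not substrings,
    # so alice@example.com does not match malice@example.com.
    if ! printf '%s\n' "$san" | tr ',' '\n' | sed 's/^ *//' |
            grep -Fxiq "email:$2"; then
        echo "FAIL: SAN has no email entry for $2" >&2; return 1
    fi
    if ! printf '%s\n' "$eku" | grep -Fq "E-mail Protection"; then
        echo "FAIL: extended key usage lacks E-mail Protection" >&2; return 1
    fi
    echo "OK: $1 is usable for S/MIME as $2"
}

# Create a throwaway self-signed certificate to exercise the check offline.
make_sample_cert() {  # $1 = output file, $2 = SAN value, $3 = EKU value
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -subj "/CN=Constructed Test User" -days 1 \
        -addext "subjectAltName=$2" -addext "extendedKeyUsage=$3" 2>/dev/null
}
```

A non-zero exit status makes the function usable as a gate in a deployment script before the certificate is installed in a mail client.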
Troubleshooting
- Policy Mismatch: Verify end entity attributes comply with policy requirements.
- Validation Failures: Check that user information matches identity provider data.
- CA Connection Issues: Ensure selected CA is operational and accessible.
- Request Declined: Review policy requirements and resubmit with correct information.
Next Steps
Once your certificate is issued:
- Download and Deploy: Access your certificate from the certificates section.
- Set Up Notifications: Configure notification templates for lifecycle alerts.
- Plan Renewals: Understand renewal processes before certificates expire.
Your first certificate is just the beginning. MTG CLM provides comprehensive lifecycle management to keep your certificates secure and up-to-date.