For the latest version, please use Certificate Lifecycle Manager 6.5.0!

Policies

A policy outlines the process and rules for certificate issuance. It defines:

  • the verification steps

  • the certificate authority that will issue the certificate

  • the allowed cryptographic parameters used for key pair generation

  • the naming constraints for end entities

Policies are bound to a realm, meaning that a specific policy exists and can be used only within the scope of that realm.

A realm can have multiple policies.

A policy contains a mapping to a certificate provider. A certificate provider is used to specify certificate authority that will be used to sign the certificate. By selecting the certificate provider, the additional MTG CARA specific template signer field will be displayed. A CARA template signer is a grouping of CA and certificate template that can be used together to issue a new certificate.

Policy Fields

Policy Name

The policy’s name. May contain up to 200 characters.

This is a mandatory field.

Manual Approval Required

Tied to the certificate creation procedure. If set to No the certificate is issued immediately. If set to Yes an authorized user must approve or decline the certificate request, before issuing a certificate.

Dual Control:

If set to true alongside with Manual Approval Required, two different authorized users must approve the specific certificate request under the two-person rule. This field is active only if Manual Approval Required is set to true.

Certificate Import Allowed

This options allows importing certificates that have been issued externally.

Self-Signed Allowed

Allows usage of self-signed certificates. These certificates are generated and signed by the entity itself rather than a trusted third-party Certificate Authority (CA).

Wildcard Allowed

Allows usage of wildcard certificates 🔗.

Enforce Active Certificate Uniqueness

Adds the restriction that no more than one active certificates can exist for the same end entity at the same time. An exception could be a specified amount of days before expiration for renewal purposes.

Enforce Active Certificate Uniqueness Before Expiration In Days

Defines number of days so that no two certificates can be issued for one end entity before one reaches the last N days of its active period. An appropriate error will be displayed when trying to create a certificate that does not apply to the above restriction. In case Enforce Active Certificate Uniqueness is set to false, this field is deactivated and ignored.

E-mail Verification Required

Enables end entity email verification. If set to Yes, an email will be sent to the end entity’s associated email with a link to verify the email possession. As long as the end entity has not verified its email address, the certificate request status is set to REQUIRES_EMAIL_VALIDATION. In case the end entity does not have an email, the email verification step will be skipped.

Certificate Provider

Allows the user to choose the certificate provider for the to-be-created policy.

This is a mandatory field.

Template Signer

Allows the user to choose a template for the to-be-created policy. This value may vary across different certificate providers.

This is a mandatory field.

Persist Private Key

Allows users to choose if their private key will be preserved in database. If disabled, the private key will be available for download once and will then be deleted.

This option is enabled by default.
During policy update, setting the Delete Existing Private Keys option to true will also result in existing private keys to be deleted.

Certificate Parameters

When no values are selected in below fields (except for Valid For), all values will be available upon certificate creation by default. Otherwise, upon certificate creation with this policy, only the chosen values will be available.
Valid For defines the period a certificate (issued using this specific policy) is requested to be valid.

Field

Options

Allowed Key Pair Modes

- PKCS10
- Server Generated
- Public Key

Allowed Crypto Algorithms

- RSA
- EC
- EdDSA
- MLDSA (PQC, experimental)
- SLHDSA (PQC, experimental)

Allowed RSA Key Sizes

- 2048
- 3072
- 4096
- 8192

Allowed EC Named Curves

- secp256r1 (P-256)
- secp384r1 (P-384)
- secp521r1 (P-521)
- brainpoolP256r1
- brainpoolP384r1
- brainpoolP512r1

Allowed EdDSA Curves

- curve25519
- curve448

Valid For (Required)

- 3 months
- 6 months
- 1 year
- 2 years
- CA decides

Enable CMP/SCEP RA

This field configures the cryptographic signers and keys used for securing communications in CMP and SCEP protocols. For CMP, it defines the trusted signer responsible for authenticating client-server messages during certificate enrollment, renewal, or revocation. In SCEP RA mode, it specifies both the signer for server responses and the decryption key required to process encrypted client payloads (e.g., certificate requests). These settings ensure message integrity, authentication, and confidentiality in certificate lifecycle transactions. By configuring this field, you can establish trust anchors and cryptographic parameters aligned with your PKI infrastructure.

CMP Certificate Provider

Specifies the concrete mechanisms, used to perform signing operations.

CMP Signer ID

Specifies the ID of the end entity signer in CARA, signing the CMP responses.

CMP Signature Algorithm

Signature algorithm used for signing CMP responses.

All 3 fields above are mandatory.
Related Sections
Further Reading