Never Write Another Policy from Scratch
Templates that Just Work
Policies are the heart of MTG CLM, designed to eliminate error sources and reduce complexity in certificate creation. Configuring a policy once and re-using it consistently ensures reliable certificate issuance. This reliability minimizes operational overhead without making the process overly complicated.
Pre-Built Policy Templates
MTG CLM comes with comprehensive policy templates that provide error-free configuration for typical use cases. These templates eliminate the guesswork from certificate management and can be customized to meet your specific requirements.
Available Policy Templates and Applications
- S/MIME Email Certificates: Email certificate policy template that can be customized to allow only your organization’s email domain.
- Code Signing Certificates: Policy template specifically designed for software and application signing requirements.
- ACME Protocol Support: Template for automated certificate management using the ACME protocol.
- EST Protocol Support: Policy template for Enrollment over Secure Transport (EST) automated provisioning.
- Server Certificates: General-purpose template for server authentication across various applications.
Each template includes pre-configured cryptographic parameters, validation rules, and approval workflows optimized for your specific use case.
Creating Your First Policy
Basic Policy Configuration
- Policy Name: Choose a descriptive name that clearly identifies the policy’s purpose and scope.
- Approval Process: Configure manual approval requirements, including dual-control or four-eyes approval processes for sensitive certificate types.
- Validity Periods: Set allowed certificate lifespans (3 months, 6 months, 1 year, or custom ranges) to align with your security policies.
Certificate Authority Selection
Choose the appropriate CA from your connected PKI infrastructure:
- MTG CARA: MTG’s enterprise PKI solution
- Microsoft CA (AD CS): Integration with Active Directory Certificate Services
- PSW with Sectigo: Public certificate authority integration
- GlobalSign: Trusted global certificate authority for enterprise and public certificates
- Additional CAs: The list of supported providers continues to expand
For public certificates, PSW Sectigo integration provides certificate provisioning with automated validation.
Template Signer Configuration
Template Signers reduce complexity and eliminate common configuration errors by providing pre-validated certificate templates. MTG CLM includes five essential Template Signer options:
- Code Signing Certificate: For software and application signing
- Machine: Device and system certificates
- Person: Individual user certificates
- Server: Server authentication certificates
- Custom: Tailored templates for specific requirements
Select the appropriate template based on your certificate type to ensure proper field configuration and validation rules.
End-Entity Rules
End-Entity rules provide powerful mechanisms to enforce consistency and compliance:
- Mandatory Fields: Specify required certificate fields that must be completed.
- Field Validation: Define format requirements and validation rules for certificate subjects.
- Naming Conventions: Enforce organizational naming standards (e.g., all certificates must begin with "MTG.*").
- Domain Restrictions: Limit certificate issuance to specific domains or organizational units.
These rules help maintain certificate consistency while reducing manual errors during the issuance process.
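The sketch below is an added illustration, not MTG CLM's rule syntax or code. It shows how mandatory-field, naming-convention and domain-restriction rules like those above can be checked against a certificate request before issuance. The `RULES` layout, the function names and the `example.com` domain are assumptions made for the example.

```python
import re

# Hypothetical rule set mirroring the rule types above (constructed values).
RULES = {
    "mandatory": ["CN", "O"],
    "name_pattern": r"MTG.*",            # naming convention quoted in the text
    "allowed_domains": ["example.com"],  # constructed placeholder domain
}

def domain_allowed(host, allowed):
    """Match on DNS label boundaries, never by plain string suffix."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)

def check_request(subject, dns_names, rules=RULES):
    """Return a list of rule violations; an empty list means the request passes."""
    errors = []
    for field in rules["mandatory"]:
        if not subject.get(field, "").strip():
            errors.append(f"missing mandatory field {field}")
    cn = subject.get("CN", "")
    # fullmatch anchors the pattern at both ends of the value;
    # re.search would accept "MTG" anywhere inside the name.
    if cn and not re.fullmatch(rules["name_pattern"], cn):
        errors.append(f"CN {cn!r} violates naming convention")
    for name in dns_names:
        if not domain_allowed(name, rules["allowed_domains"]):
            errors.append(f"DNS name {name!r} outside allowed domains")
    return errors

if __name__ == "__main__":
    # Constructed sample requests: (subject fields, requested DNS names).
    samples = [
        ({"CN": "MTG-web01", "O": "Example Org"}, ["web01.example.com"]),
        ({"CN": "web01-MTG", "O": "Example Org"}, ["web01.example.com"]),
        ({"CN": "MTG-web01"}, ["web01.notexample.com"]),
    ]
    for subject, names in samples:
        print(subject.get("CN"), "->", check_request(subject, names) or "OK")
```

The two details that matter most in such checks are anchoring the naming pattern and comparing domains on label boundaries, since `notexample.com` ends with the string `example.com` but is a different domain.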
Policy Implementation & Best Practices
After configuring your policy settings, finalize the policy creation process. You can then select the policy when creating a new certificate.
Next Steps
Once your policies are configured, you can proceed to Issue Your First Certificate using your newly created policy templates.
For detailed policy configuration options, refer to the comprehensive policies documentation.