Certificate Providers

MTG CLM can request certificates from various Certificate Authorities (CAs). Each CA that CLM can reach is configured as a certificate provider, and a policy must select a certificate provider to specify where its certificates are requested from. There are different types of certificate providers. One of them is MTG CARA, which is always present and pre-configured within the SYSTEM realm. When this certificate provider is selected, certificates are issued by a CA that operates within MTG CARA.

The following is a complete list of the supported certificate providers:

Check Certificate Provider Connection

Upon application startup, an initial connection check is made to every certificate provider in the system. Using the Check Connection button in the Certificate Provider Details page, you can re-check the connection to a configured certificate provider at any time, using its current configuration.

Certificate Provider Realm Scoping

A certificate provider can be added to or removed from realms, which controls which realms are allowed to use that certificate provider in their policies.

Correlation and Visibility

One or more certificate provider(s) can be correlated with a realm during creation and update of that realm. Alternatively, certificate providers can be later added to or removed from realms.

When creating or updating policies within a realm, only certificate providers correlated with that realm will appear as options. A certificate provider cannot be removed from a realm if a policy within that realm uses that provider. To proceed with removing the certificate provider from the realm, policies that use the certificate provider must be first updated to use a different one.

Migration Strategy

For existing installations, each provider is added to realms where it is actively used in policies. In new installations, the SYSTEM realm is automatically correlated to the MTG CARA provider.

Limitations of Certificate Providers

Not every option is supported by every certificate provider; this applies to cryptographic algorithms, request modes, and other aspects. The following tables list the differences.

Supported Certificate Request Modes

There are three ways to request a certificate:

  1. by providing a PKCS#10 request (a certificate signing request signed with the requester's private key)

  2. by delegating key pair generation to CLM (server-side key pair), in which case the private key is generated on the CLM side and must subsequently be delivered to the certificate subject

  3. by providing the public key in raw format

Note that only a PKCS#10 request is signed with the requester's private key and therefore carries a proof of possession. A raw public key is not signed, so CLM cannot verify that the requester actually controls the matching private key.

The following table shows which request modes each certificate provider supports.

Table 1. Supported certificate request modes per certificate provider.

Request mode           MTG CARA  Microsoft NDES  Microsoft CA  GlobalSign  PSW  PCSP
PKCS#10                YES       NO              YES           YES         YES  YES
Server-side key pair   YES       YES             YES           YES         YES  YES
Public Key             YES       NO              NO            NO          NO   NO
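The three request modes differ in what the requester hands over and in what the receiving side can verify. The following Go program is an added example, not code from MTG CLM or from its API, and it uses only the Go standard library. It builds a signed PKCS#10 CSR and runs the receiver-side signature check that constitutes proof of possession, shows that a CSR whose subject has been altered after signing fails that check, produces the bare SubjectPublicKeyInfo used in Public Key mode (which has no signature and therefore no proof of possession), and encodes Table 1 as a pre-flight check so that an unsupported provider/mode combination is caught before a request is submitted. The provider names come from the table; the type and function names, the "host.example" subject and the key generation for the server-side mode are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
)

// RequestMode names the three request modes from Table 1.
type RequestMode string

const (
	ModePKCS10    RequestMode = "PKCS#10"
	ModeServerKey RequestMode = "Server-side key pair"
	ModePublicKey RequestMode = "Public Key"
)

// modeSupport is Table 1 transcribed as a lookup (example data; keep it in
// sync with the product documentation if the tables change).
var modeSupport = map[RequestMode]map[string]bool{
	ModePKCS10:    {"MTG CARA": true, "Microsoft NDES": false, "Microsoft CA": true, "GlobalSign": true, "PSW": true, "PCSP": true},
	ModeServerKey: {"MTG CARA": true, "Microsoft NDES": true, "Microsoft CA": true, "GlobalSign": true, "PSW": true, "PCSP": true},
	ModePublicKey: {"MTG CARA": true, "Microsoft NDES": false, "Microsoft CA": false, "GlobalSign": false, "PSW": false, "PCSP": false},
}

// SupportsMode is the pre-flight check: does this provider accept this mode?
func SupportsMode(provider string, mode RequestMode) bool {
	return modeSupport[mode][provider]
}

// NewKey generates a key pair for the given algorithm family. In the
// client-side modes the requester runs this; in server-side key pair mode
// this is the step CLM performs (assumed here, not CLM's own code).
func NewKey(alg string) (crypto.Signer, error) {
	switch alg {
	case "RSA":
		return rsa.GenerateKey(rand.Reader, 2048)
	case "ECC":
		return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	case "EdDSA":
		_, priv, err := ed25519.GenerateKey(rand.Reader)
		return priv, err
	}
	return nil, fmt.Errorf("unknown algorithm %q", alg)
}

// BuildPKCS10 returns a DER-encoded CSR signed with the requester's private
// key; that signature is the proof of possession.
func BuildPKCS10(cn string, key crypto.Signer) ([]byte, error) {
	tmpl := x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}
	return x509.CreateCertificateRequest(rand.Reader, &tmpl, key)
}

// VerifyPKCS10 is the receiving-side check: parse the CSR and verify the
// self-signature over the request body with the embedded public key.
func VerifyPKCS10(der []byte) (*x509.CertificateRequest, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR proof of possession failed: %w", err)
	}
	return csr, nil
}

// RawPublicKey returns the Public Key mode artifact: a bare
// SubjectPublicKeyInfo. Nothing in it is signed, so the receiver cannot
// tell whether the sender holds the matching private key.
func RawPublicKey(key crypto.Signer) ([]byte, error) {
	return x509.MarshalPKIXPublicKey(key.Public())
}

// TamperSubject flips one bit of the CN inside a signed DER CSR. The result
// still parses, but no longer matches its signature.
func TamperSubject(der []byte, cn string) ([]byte, error) {
	i := bytes.Index(der, []byte(cn))
	if i < 0 {
		return nil, errors.New("CN not found in DER")
	}
	out := append([]byte(nil), der...)
	out[i] ^= 0x01 // 'h' becomes 'i': still a valid string byte
	return out, nil
}

func main() {
	key, _ := NewKey("ECC")
	csr, _ := BuildPKCS10("host.example", key)
	if _, err := VerifyPKCS10(csr); err != nil {
		panic(err)
	}
	bad, _ := TamperSubject(csr, "host.example")
	_, err := VerifyPKCS10(bad)
	fmt.Println("tampered CSR rejected:", err != nil)
	spki, _ := RawPublicKey(key)
	fmt.Println("raw SubjectPublicKeyInfo bytes:", len(spki), "(no proof of possession)")
	fmt.Println("Microsoft NDES accepts PKCS#10:", SupportsMode("Microsoft NDES", ModePKCS10))
}
```

The program never talks to CLM; it only produces and checks the request artifacts. For Microsoft NDES, which accepts no PKCS#10 per Table 1, the check forces the policy onto server-side key pair mode, and in that mode the private key returned by NewKey is the sensitive item that has to reach the subject over a protected channel.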

Supported Cryptographic Algorithms

Not all cryptographic algorithms are supported by every certificate provider. The following table shows which algorithms each certificate provider supports.

Table 2. Supported cryptographic algorithms per certificate provider.

Algorithm  MTG CARA  Microsoft NDES  Microsoft CA  GlobalSign  PSW                     PCSP
RSA        YES       YES             YES           YES         Depends on PSW product  YES
ECC        YES       NO              NO            YES         Depends on PSW product  YES
EdDSA      YES       NO              NO            NO          Depends on PSW product  NO

Supported ERS Components

There are several ERS components that integrate with MTG CLM, such as MTG EST and MTG SCEP. With the MTG CARA certificate provider, all components are supported. Due to internal limitations of the other providers and the specific properties of the various PKI protocols, it is not always feasible to use these components with a provider other than MTG CARA. For example, the ERS SCEP server is supported exclusively with the MTG CARA certificate provider, because SCEP requires a decryption operation using the private key of the CA (the SCEP client encrypts its request to the CA or RA certificate as PKCS#7 enveloped data). This operation is not available with the other providers.