Certificate Providers
CLM can request certificates from various Certificate Authorities (CAs); each such CA is configured in CLM as a certificate provider. A certificate provider must be selected in a policy to specify where to request certificates. There are different types of certificate provider. One such provider is MTG CARA, which is always present and pre-configured in the SYSTEM realm. When this certificate provider is selected, certificates are issued by a CA that operates within MTG CARA.
The following is a complete list of the supported certificate providers:
View Certificate Providers
You can view available certificate providers in the page. There is also a filter that an admin can use to view archived certificate providers exclusively. This filter can be triggered by clicking the Show Archived button in the Actions dropdown list.
Create Certificate Provider
You can create a new certificate provider through , or by simply clicking . You must specify a name, a type and type-specific parameters for the new certificate provider.
Modify Certificate Provider
You can modify a certificate provider by entering the Certificate Providers tab. There, by selecting the certificate provider’s name, you will be redirected to the certificate provider details page. Click Save for the certificate provider to update. The certificate provider type cannot be modified; the name and the type-specific parameters are available for modification.
Archive Certificate Provider
You can archive or unarchive a certificate provider in the page. Select a certificate provider’s ID to open the certificate provider details page and then click Archive or Unarchive. To archive and unarchive in batch mode, tick the checkboxes of the desired realm and click the Archive All Selected and Undo-Archive All Selected buttons in the Actions dropdown button.
If a certificate provider has policies connected to it and needs to be archived, you should navigate to those policies and either modify them to use another certificate provider or archive and delete them. To do so, use the policy tables in the certificate provider details page, which list the policies and CMP policies that are connected with the specific certificate provider. By selecting the name of one of the above-mentioned policies, you will be redirected to it.
If the policy is part of another realm (different from the currently entered realm), then you will automatically be entered into it before being redirected to the policy.
Delete Certificate Provider
To delete an archived certificate provider, click or navigate to the page. The Delete button becomes available in the Certificate Provider Details page after archiving the entity.
View archived entities in the Show Certificate Providers Table page through . You can now select certificate providers and delete them through . You may also delete one certificate provider at a time by clicking the row actions button and then Delete Certificate Provider. Finally, in the Choose entity to delete dropdown, click Certificate Providers.
As an extra safeguard, there is the option to restrict the archived records eligible for deletion by the date on which they were archived. In the Choose date calendar field, select the date before which the records must have been archived (to be deleted with this action) and click Delete. Only archived certificate providers can be deleted.
Check Certificate Provider Connection
Upon application startup, an initial connection check is made to every certificate provider in the system. Using the Check Connection button in the Certificate Provider Details page, you can check the connection of the configured certificate providers based on their given configuration.
Limitations of Certificate Providers
There are some options regarding cryptographic algorithms, request modes, and other aspects that are not supported by every certificate provider.
Supported Certificate Request Modes
There are three options to request a certificate:
- by providing a PKCS#10 request
- by delegating the key creation to CLM (server-side key pair)
- by providing the public key in raw format
Below you will find options supported by each certificate provider.
Request mode | MTG CARA | Microsoft NDES | Microsoft CA | GlobalSign | PSW
---|---|---|---|---|---
PKCS#10 | YES | NO | YES | YES | YES
Server-side key pair | YES | YES | YES | YES | YES
Public Key | YES | NO | NO | NO | NO
Supported Cryptographic Algorithms
Not all cryptographic algorithms are supported by every certificate provider. The table below shows which cryptographic algorithms each certificate provider supports.
Algorithm | MTG CARA | Microsoft NDES | Microsoft CA | GlobalSign | PSW
---|---|---|---|---|---
RSA | YES | YES | YES | YES | Depends on PSW product
ECC | YES | NO | NO | YES | Depends on PSW product
EdDSA | YES | NO | NO | NO | Depends on PSW product
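The request modes and the algorithm table above are the two things an integrator has to check before handing a request to a provider: NDES will not take a PKCS#10, Microsoft CA will not issue for an ECC key, and only MTG CARA accepts a bare public key. The Go program below is an added example and not part of the CLM product or its API. It transcribes both tables into a capability map, builds the two client-side payloads (a PKCS#10 request and a raw SubjectPublicKeyInfo), and runs a pre-flight check that rejects a request the selected provider cannot fulfil. For PKCS#10 it also verifies the CSR's own signature, which is the proof of possession that the raw public key mode does not give the CA. The provider names and the `Precheck` function are this example's own; the key and device name are constructed sample data, and PSW is modelled with unknown algorithm support so that it always fails the algorithm check until the product is confirmed.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// RequestMode is one of the three request options described above.
type RequestMode string

const (
	ModePKCS10    RequestMode = "PKCS#10"
	ModeServerKey RequestMode = "Server-side key pair"
	ModePublicKey RequestMode = "Public Key"
)

// Capabilities of one certificate provider, transcribed from the two tables.
// A nil Algs map means "depends on the product" and must be confirmed first.
type Capabilities struct {
	Modes map[RequestMode]bool
	Algs  map[x509.PublicKeyAlgorithm]bool
}

var providers = map[string]Capabilities{
	"MTG CARA": {
		Modes: map[RequestMode]bool{ModePKCS10: true, ModeServerKey: true, ModePublicKey: true},
		Algs:  map[x509.PublicKeyAlgorithm]bool{x509.RSA: true, x509.ECDSA: true, x509.Ed25519: true},
	},
	"Microsoft NDES": {
		Modes: map[RequestMode]bool{ModeServerKey: true},
		Algs:  map[x509.PublicKeyAlgorithm]bool{x509.RSA: true},
	},
	"Microsoft CA": {
		Modes: map[RequestMode]bool{ModePKCS10: true, ModeServerKey: true},
		Algs:  map[x509.PublicKeyAlgorithm]bool{x509.RSA: true},
	},
	"GlobalSign": {
		Modes: map[RequestMode]bool{ModePKCS10: true, ModeServerKey: true},
		Algs:  map[x509.PublicKeyAlgorithm]bool{x509.RSA: true, x509.ECDSA: true},
	},
	"PSW": {Modes: map[RequestMode]bool{ModePKCS10: true, ModeServerKey: true}, Algs: nil},
}

// NewPKCS10 builds a PKCS#10 request signed with the requester's private key,
// so the CA can verify proof of possession before issuing.
func NewPKCS10(commonName string, key crypto.Signer) ([]byte, error) {
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: commonName}}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// RawPublicKey is what the "Public Key" mode submits: a DER SubjectPublicKeyInfo
// with no signature, hence no proof of possession for the CA to check.
func RawPublicKey(pub crypto.PublicKey) ([]byte, error) {
	return x509.MarshalPKIXPublicKey(pub)
}

func algorithmOf(pub crypto.PublicKey) x509.PublicKeyAlgorithm {
	switch pub.(type) {
	case *rsa.PublicKey:
		return x509.RSA
	case *ecdsa.PublicKey:
		return x509.ECDSA
	case ed25519.PublicKey:
		return x509.Ed25519
	}
	return x509.UnknownPublicKeyAlgorithm
}

// Precheck rejects a request the chosen provider cannot fulfil. For PKCS#10 and
// Public Key the algorithm is read from the payload (and the CSR signature is
// verified); for Server-side key pair there is no payload, so the policy's
// intended algorithm is passed as alg.
func Precheck(provider string, mode RequestMode, alg x509.PublicKeyAlgorithm, request []byte) error {
	caps, ok := providers[provider]
	if !ok {
		return fmt.Errorf("unknown certificate provider %q", provider)
	}
	if !caps.Modes[mode] {
		return fmt.Errorf("%s does not support request mode %q", provider, mode)
	}
	switch mode {
	case ModePKCS10:
		csr, err := x509.ParseCertificateRequest(request)
		if err != nil {
			return fmt.Errorf("malformed PKCS#10: %w", err)
		}
		if err := csr.CheckSignature(); err != nil {
			return fmt.Errorf("PKCS#10 proof of possession failed: %w", err)
		}
		alg = csr.PublicKeyAlgorithm
	case ModePublicKey:
		pub, err := x509.ParsePKIXPublicKey(request)
		if err != nil {
			return fmt.Errorf("malformed SubjectPublicKeyInfo: %w", err)
		}
		alg = algorithmOf(pub)
	}
	if caps.Algs == nil {
		return fmt.Errorf("%s: algorithm support depends on the product; confirm %v first", provider, alg)
	}
	if !caps.Algs[alg] {
		return fmt.Errorf("%s does not support %v keys", provider, alg)
	}
	return nil
}

func main() {
	// Constructed sample: an ECDSA P-256 key for a device named in the CSR.
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	csr, _ := NewPKCS10("device-0001.example", key)
	spki, _ := RawPublicKey(&key.PublicKey)
	fmt.Println(Precheck("MTG CARA", ModePKCS10, 0, csr))               // <nil>
	fmt.Println(Precheck("Microsoft CA", ModePKCS10, 0, csr))           // ECC rejected
	fmt.Println(Precheck("GlobalSign", ModePublicKey, 0, spki))         // mode rejected
	fmt.Println(Precheck("Microsoft NDES", ModeServerKey, x509.RSA, nil)) // <nil>
}
```

Run it with `go run .`; the same check can sit in front of any submission path so that an unsupported combination is caught in the integrator's code rather than reported back by the provider. A tampered CSR fails at `CheckSignature`, which is the reason to prefer PKCS#10 over the raw public key mode wherever the provider allows it.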
Supported ERS Components
There are several ERS components that integrate with MTG-CLM, like ERS EST, ERS ACME, etc. For the MTG CARA certificate provider all these components are supported. Due to internal limitations of the other providers and special properties of the different PKI protocols, it is not always feasible to use these component with other providers than MTG CARA. Especially the ERS EST server is exclusively supported by the MTG CARA certificate provider, because the SCEP requires a decryption operation with the private key of the CA. This operation is not available to other providers. |