Thales DPoD
Thales Data Protection on Demand (DPoD) is a cloud-based platform that provides a wide range of Cloud HSM and key management services through a simple online marketplace.
If your account is hosted by DigiCert, contact your account manager to enable Thales DPoD integration. If your account is self-hosted, your system admin can enable Thales DPoD through these steps.
Belangrijk
DigiCert ONE supports integration only for North America-hosted Thales DPoD environments.
Enable DPoD
To enable DPoD:
Sign in to DigiCert ONE.
Select the Manager menu icon (top-right) > CA Manager.
In the left navigation menu, select HSM > DPoD.
Select the Enable DPoD icon (top-right).
Opmerking
Before moving on to the next steps:
Restart CA using the following command:
kubectl rollout restart deployment certificate-authority -n dcone
Wait until 1/1 is displayed for all items.
Refresh the DigiCert ONE webpage.
Add DPoD HSM
To add a DPoD HSM:
Sign in to DigiCert ONE.
Select the Manager menu icon (top-right) > CA Manager.
In the left navigation menu, select HSM > DPoD to view the Dpod instance page.
Under the HSM server section, select Add HSM server.
Complete the following fields:
Field
Description
Client nickname (optional)
Provide a user-friendly label for the HSM to make it easier to identify in your account.
Opmerking
Recommended nickname: {Account short name} DPoD
Example: DC1 DPoD
Client secret
Provide the client secret of your DPoD instance.
Client ID
Provide the client ID of your DPoD instance.
URL
Provide the client URL of your DPoD instance.
Select Add instance.
The DPoD instance should now appear in the HSM servers list.
Opmerking
Before moving on to the next steps:
Restart CA using the following command:
kubectl rollout restart deployment certificate-authority -n dcone
Wait until 1/1 is displayed for all items.
Refresh the DigiCert ONE webpage.
Register DPoD partitions
To register your DPoD partitions:
Sign in to DigiCert ONE.
Select the Manager menu icon (top-right) > CA Manager.
In the left navigation menu, select HSM > DPoD.
Under the Partitions section, click Register Partition.
Complete the following fields:
Field
Description
Partition
All unregistered partitions will show in the drop-down menu, select one.
Password
Provide the password for the DPoD partition.
Display name
Provide a user-friendly label associated with the partition to make it easier to identify in your account.
Opmerking
Recommended partition name: {account short name} {partition #}
Example: DC1 Partition 1
Allowed uses (optional)
Select one or more of the following:
New CA Keys
Allows new key generation for certificates.
New OSCP Responder Keys
Allows new key generation for OCSP.
Existing CA Keys
Stores existing keys.
Existing OSCP Responder Keys
Stores existing keys.
Key Escrow
Allows key escrow generation and signing. Required for key management in Software Trust Manager.
Tip
For testing purposes, add all uses.
Security level
Select one of the following security levels:
Level 3
Key is stored in an HSM that is CA/B compliant. This storage method is FIPS 140-2 Level 2, Common Criteria EAL4+, an equivalent or higher, and therefore is compatible with publicly or privately trusted certificates.
Level 2
Key is stored in an HSM with a certification is lower than level 3. This storage is only compatible for privately trusted certificates.
Level 1
Key is stored in an uncertified but secure softHSM. This storage is only compatible for privately trusted certificates.
Accounts that can use this HSM partition
Select one of the following:
No accounts (default)
Recommended when every user on DigiCert ONE should access the DPoD partition.
Selected accounts
When the DPoD partition is owned by a specific organization, select one or more accounts associated with the organization and users that should to use this DPoD partition.
All accounts
Let op
Never use this option.
Select Register partition.
Set DPoD as the default escrow partition (optional)
Only one partition can be the default escrow. Set the partition as the default escrow if it serves as the backup for every user on the DigiCert ONE account or is the sole HSM partition connected. The default escrow is designated for all escrow functions unless specified otherwise.
Opmerking
DPoDs hosted on GP2 is never the Default escrow, this designation is reserved for DigiCert hosted partitions.
To set the new partition as the default:
Sign in to DigiCert ONE.
Select the Manager menu icon (top-right) > CA Manager.
In the left navigation menu, select HSM > Registered partitions.
Hover over the display name of the partition that you want to set as the default until the ︙ icon appears.
Select Set as default escrow.
Create master escrow key
Opmerking
Creating a master escrow key and setting a partition use to "escrow" allows the partition to be used for escrowing. You can set up multiple master escrow keys.
To create a master escrow key:
Sign in to DigiCert ONE.
Select the Manager menu icon (top-right) > CA Manager.
In the left navigation menu, select HSM > Master escrow keys.
Select Create master escrow key.
Complete the following fields:
Field
Description
Make active
Check this box to activate the escrow key.
Tip
The escrow key must be active to generate keypairs in Software Trust Manager.
Name
Provide a user-friendly label associated with the partition to make it easier to identify in your account.
HSM provider (optional)
Select DPoD.
HSM partition
Select the associated DPoD partition.
Opmerking
Select a DPOD partition that allows escrow signing.
Select Create.