Skip to main content

Thales DPoD

Thales Data Protection on Demand (DPoD) is a cloud-based platform that provides a wide range of Cloud HSM and key management services through a simple online marketplace.

Tip

If your account is hosted by DigiCert, contact your account manager to enable these integrations. If your account is self-hosted, your system administrator can enable these integration by following the steps below.

Enable DPoD

To enable DPoD:

  1. Sign in to DigiCert ONE.

  2. Select the Manager menu icon (top-right) > CA Manager.

  3. In the left navigation menu, select HSM > DPoD.

  4. Select the Enable DPoD icon (top-right).

Opmerking

Before moving on to the next steps:

  1. Restart CA using the following command:

    kubectl rollout restart deployment certificate-authority -n dcone
  2. Wait until 1/1 is displayed for all items.

  3. Refresh the DigiCert ONE webpage.

Add DPoD HSM

To add a DPoD HSM:

  1. Sign in to DigiCert ONE.

  2. Select the Manager menu icon (top-right) > CA Manager.

  3. In the left navigation menu, select HSM > DPoD to view the Dpod instance page.

  4. Under the HSM server section, select Add HSM server.

  5. Complete the following fields:

    Field

    Description

    Client nickname (optional)

    Provide a user-friendly label for the HSM to make it easier to identify in your account.

    Opmerking

    Recommended nickname: {Account short name} DPoD

    Example: DC1 DPoD

    Client secret

    Provide the client secret of your DPoD instance.

    Client ID

    Provide the client ID of your DPoD instance.

    URL

    Provide the client URL of your DPoD instance.

  6. Select Add instance.

    The DPoD instance should now appear in the HSM servers list.

Opmerking

Before moving on to the next steps:

  1. Restart CA using the following command:

    kubectl rollout restart deployment certificate-authority -n dcone
  2. Wait until 1/1 is displayed for all items.

  3. Refresh the DigiCert ONE webpage.

Register DPoD partitions

To register your DPoD partitions:

  1. Sign in to DigiCert ONE.

  2. Select the Manager menu icon (top-right) > CA Manager.

  3. In the left navigation menu, select HSM > DPoD.

  4. Under the Partitions section, click Register Partition.

  5. Complete the following fields:

    Field

    Description

    Partition

    All unregistered partitions will show in the drop-down menu, select one.

    Password

    Provide the password for the DPoD partition.

    Display name

    Provide a user-friendly label associated with the partition to make it easier to identify in your account.

    Opmerking

    Recommended partition name: {account short name} {partition #}

    Example: DC1 Partition 1

    Allowed uses (optional)

    Select one or more of the following:

    • New CA Keys

      Allows new key generation for certificates.

    • New OSCP Responder Keys

      Allows new key generation for OCSP.

    • Existing CA Keys

      Stores existing keys.

    • Existing OSCP Responder Keys

      Stores existing keys.

    • Key Escrow

      Allows key escrow generation and signing. Required for key management in Software Trust Manager.

    Tip

    For testing purposes, add all uses.

    Security level

    Select one of the following security levels:

    • Level 3

      Key is stored in an HSM that is CA/B compliant. This storage method is FIPS 140-2 Level 2, Common Criteria EAL4+, an equivalent or higher, and therefore is compatible with publicly or privately trusted certificates.

    • Level 2

      Key is stored in an HSM with a certification is lower than level 3. This storage is only compatible for privately trusted certificates.

    • Level 1

      Key is stored in an uncertified but secure softHSM. This storage is only compatible for privately trusted certificates.

    Accounts that can use this HSM partition

    Select one of the following:

    • No accounts (default)

      Recommended when every user on DigiCert ONE should access the DPoD partition.

    • Selected accounts

      When the DPoD partition is owned by a specific organization, select one or more accounts associated with the organization and users that should to use this DPoD partition.

    • All accounts

      Let op

      Never use this option.

  6. Select Register partition.

Set DPoD as the default escrow partition (optional)

Only one partition can be the default escrow. Set the partition as the default escrow if it serves as the backup for every user on the DigiCert ONE account or is the sole HSM partition connected. The default escrow is designated for all escrow functions unless specified otherwise.

Opmerking

DPoDs hosted on GP2 is never the Default escrow, this designation is reserved for DigiCert hosted partitions.

To set the new partition as the default:

  1. Sign in to DigiCert ONE.

  2. Select the Manager menu icon (top-right) > CA Manager.

  3. In the left navigation menu, select HSM > Registered partitions.

  4. Hover over the display name of the partition that you want to set as the default until the icon appears.

  5. Select Set as default escrow.

Create master escrow key

Opmerking

Creating a master escrow key and setting a partition use to "escrow" allows the partition to be used for escrowing. You can set up multiple master escrow keys.

To create a master escrow key:

  1. Sign in to DigiCert ONE.

  2. Select the Manager menu icon (top-right) > CA Manager.

  3. In the left navigation menu, select HSM > Master escrow keys.

  4. Select Create master escrow key.

  5. Complete the following fields:

    Field

    Description

    Make active

    Check this box to activate the escrow key.

    Tip

    The escrow key must be active to generate keypairs in Software Trust Manager.

    Name

    Provide a user-friendly label associated with the partition to make it easier to identify in your account.

    HSM provider (optional)

    Select DPoD.

    HSM partition

    Select the associated DPoD partition.

    Opmerking

    Select a DPOD partition that allows escrow signing.

  6. Select Create.