Create a certificate profile for CMP

To enroll certificates using the Certificate Management Protocol (CMP), you need one or more CMP-enabled certificate profiles.

In each profile, select CMP as the enrollment method and configure the properties for the issued certificates. After a CMP-enabled profile is created, Trust Lifecycle Manager generates the unique CMP URL that is used to enroll and renew certificates using Initialization Request (IR) and Key Update Request (KUR) operations.
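As an added example (not DigiCert tooling and not from this page), the following POSIX shell function drives the two operations named above, IR for initial enrollment and KUR for renewal, against a profile's CMP URL using OpenSSL 3's `openssl cmp` client with TLS client-certificate authentication. Everything except the `openssl cmp` option names is an assumption: the file names, the use of the TLS client certificate and key to also sign the IR request body, the sample subject and SAN values, and the `CMP_DRY_RUN` switch, which prints the assembled command instead of contacting the server. Which message-protection settings the CA actually accepts depends on how the profile and CA connector are configured, so verify them against your deployment.

```shell
#!/bin/sh
# Added example: CMP IR (enroll) and KUR (renew) against a Trust Lifecycle
# Manager profile URL with OpenSSL 3's "openssl cmp" client.
# Assumptions (not from the product documentation): file layout, signing the
# IR body with the TLS client credential, the sample subject/SAN values, and
# the CMP_DRY_RUN environment switch used to show the command without running it.
set -u

# cmp_request OP URL TLS_CERT TLS_KEY NEW_KEY CERT_OUT [OLD_CERT OLD_KEY]
#   OP        ir (initial enrollment) or kur (key update / renewal)
#   URL       CMP URL copied from the profile; must be https for TLS Certificate Auth
#   TLS_CERT  PEM client certificate presented on the TLS connection
#   TLS_KEY   private key for TLS_CERT
#   NEW_KEY   private key to certify (generated here if absent)
#   CERT_OUT  where the issued certificate is written
#   OLD_CERT  (kur only) certificate being renewed, and OLD_KEY its private key
cmp_request() {
  op=$1 url=$2 tls_cert=$3 tls_key=$4 newkey=$5 out=$6
  old_cert=${7:-} old_key=${8:-}
  dry=${CMP_DRY_RUN:-0}

  case "$op" in ir|kur) ;; *) echo "unsupported operation: $op" >&2; return 2 ;; esac
  # TLS Certificate Auth only makes sense over TLS; refuse plain http.
  case "$url" in https://*) ;; *) echo "CMP URL must use https: $url" >&2; return 2 ;; esac
  for f in "$tls_cert" "$tls_key"; do
    [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 2; }
  done

  # Options shared by IR and KUR: endpoint, TLS client auth, output, and
  # implicit confirmation so no separate certConf round trip is needed.
  set -- openssl cmp -cmd "$op" -server "$url" \
      -tls_used -tls_cert "$tls_cert" -tls_key "$tls_key" \
      -certout "$out" -implicit_confirm -newkey "$newkey"

  if [ "$op" = kur ]; then
    for f in "$old_cert" "$old_key"; do
      [ -n "$f" ] && [ -r "$f" ] || { echo "kur needs the current certificate and its key" >&2; return 2; }
    done
    # KUR: the request is signed with the certificate being renewed.
    set -- "$@" -cert "$old_cert" -key "$old_key"
  else
    # IR: sign the request body with the TLS client credential (assumption) and
    # carry constructed sample subject/SAN values; the profile's field sources
    # are set to CMP, so these values are what the CA receives.
    set -- "$@" -cert "$tls_cert" -key "$tls_key" \
        -subject "/CN=alice@example.test" -sans "alice@example.test"
  fi

  if [ "$dry" = 1 ]; then
    printf '%s\n' "$*"   # show the command instead of contacting the server
    return 0
  fi

  # Generate the key to be certified if it does not exist yet (P-256 EC key).
  if [ ! -f "$newkey" ]; then
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$newkey" || return 1
  fi
  "$@"
}

# Usage (placeholder URL; copy the real one from the profile's summary page):
#   CMP_DRY_RUN=1 cmp_request ir https://tlm.example.test/cmp/PROFILE-ID \
#       client.pem client.key smime.key smime.pem
#   cmp_request kur https://tlm.example.test/cmp/PROFILE-ID \
#       client.pem client.key smime-new.key smime-new.pem smime.pem smime.key
```

The function refuses a non-https URL and missing credentials before assembling anything, which is the check most worth having in an automated renewal job: a KUR that silently falls back to an unauthenticated request will fail at the server, and the failure is easier to diagnose at the client.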

Available base templates

Use any of the following base templates to create certificate profiles with the CMP enrollment method:

  • Generic User Certificate

  • Generic Device Certificate

  • Private S/MIME Secure Email

  • Public S/MIME Secure Email using CMP (via CertCentral)

  • CertCentral Private Server Certificate

  • CertCentral Public Server Certificate

Note

When configuring a profile using a supported base template with CMP as the Enrollment Method, you can select either Enrollment Code or TLS Certificate Auth to authenticate certificate requests.

Create CMP-enabled profiles for public S/MIME certificates

To create a certificate profile for public S/MIME certificates using CMP-based enrollment, follow these steps:

  1. In the Trust Lifecycle Manager main menu, select Policies > Certificate profiles.

  2. Select Create profile from template.

  3. Select the Public S/MIME Secure Email using CMP (via CertCentral) template.

    Note

    If you have not yet created a CertCentral CA connector, you will see the summary steps to create one.

  4. On the initial Primary options screen of the profile creation wizard,

    1. Enter a profile name.

    2. Select a Business unit, Certificate type, and a publicly trusted Issuing CA from the respective dropdown lists.

    3. Select CMP from the Enrollment method dropdown list.

    4. Select TLS Certificate Auth from the Authentication method dropdown list.

  5. Select Next and configure the following on the Certificate options page:

    • Validity period

    • Signing algorithm

    • Key type and size

    • Flow options

      Note

      Duplicate certificates is set to Yes. The Cloud Key Escrow option is not yet supported.

    • Set the required Subject DN and SAN certificate fields. The source for the field values will be automatically set to CMP.

  6. Select Next to configure the Key Usages and Extended Key Usages extensions as per your S/MIME requirements.

  7. On the Additional options screen,

    • Add Organization details. Select or search for an organization from the list of organizations available on your account. All issued certificates will be bound to the selected organization and include the Organization value in the Subject DN.

    • Add Contact details. Select contact details (Name, Email, Phone) linked to the validated organization, or select custom contact details.

    • Optionally, enter one or more Tags to identify certificates issued from the profile being created.

  8. Select Next to configure Advanced settings:

    1. Leave the Seat ID Mapping value set to SAN RFC822 name (email).

    2. In the Service User binding dropdown, select the service user you created for GBS access.

  9. Select Create to save the profile configuration.

  10. Copy the CMP URL. This URL is required when configuring the email gateway software.