Sectigo-specific sections in MPKI
The settings required here depend on the contract; the values are provided by Sectigo.
| Parameter | Description |
|---|---|
| | Specifies the URI that is accessed via the MPKI. Specified by Sectigo. |
| | Specified by Sectigo. |
| | Specified by Sectigo. |
| | Obtained from Sectigo once the connection has been established and valid login data have been entered. The number of organisations and certificate types displayed depends on the settings in the Sectigo WebGUI. |
| | Obtained from Sectigo once the connection has been established and valid login data have been entered. For the possible types listed below, the certificate validity period may also be indicated. |

| Certificate type | Note |
|---|---|
| Sectigo Persona Validated Certificate. Term | Example of certificate types from the Sectigo portfolio. Additional information on the differences between the individual certificate types can be obtained from Sectigo. |
| GEANT Personal Certificate | These are certificate types for charitable organisations, for example (see also Connect to Sectigo / first note). |
| GEANT IGTF-MICS Personal | |
| GEANT IGTF-MICS-Robot Personal | |
| GEANT IGTF-Classic-Robot Email | |
Due to the manner in which Users are created, problems may occur when obtaining certificates if the field Name of the User contains an email address (see the warning in the description of the field Name) or if the name entered does not follow the CA's conventions for successfully obtaining a certificate.

In this case, the entry in the field Name of the User can be split up using a regular expression so that a CA-compliant format results.

The default entry `(?<GN>.+) (?<SN>.+)` splits the entry in the field Name of the User into given name (GN) and surname (SN). The entry John Doe is thus split into GN=John SN=Doe. If the field Name contains several given names, as in "1st given name 2nd given name surname", the result is GN=1st given name 2nd given name SN=surname.

If the field Name of the User contains email addresses, these can be split up as well. For the usual email format firstname.surname@company.tld, the regular expression is `(?<GN>.*)\.(?<SN>.*)@.*`. The example john.doe@mycompany.tld is then likewise split into GN=John SN=Doe.

(new in 13.0.8) Under certain circumstances, the validation status must be set to 'HIGH' in the Sectigo MPKI Connector when a certificate is issued for the user for whom the certificate is stored in Sectigo. This is actually a setting in the Sectigo profile for the certificates to be issued.

In addition to the entries mentioned above, the IP address of the SEPPmail Secure E-Mail Gateway must be activated in the Sectigo customer portal so that certificates can be obtained automatically.
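As an added example (not code from the SEPPmail manual or product), the following JavaScript applies the two regular expressions quoted above to a few constructed Name entries and shows which ones yield a GN/SN pair and which ones match neither pattern and would therefore not produce a CA-compliant name. The captured text is taken verbatim, so the email example yields lower-case captures.

```javascript
// Added example, not code from the SEPPmail manual or product. Applies the
// two regular expressions quoted in the text to constructed Name entries.

// Default pattern from the manual: given name(s), a space, surname.
const DEFAULT_NAME_RE = /(?<GN>.+) (?<SN>.+)/;
// Pattern from the manual for Name fields holding firstname.surname@company.tld.
const EMAIL_NAME_RE = /(?<GN>.*)\.(?<SN>.*)@.*/;

// Apply one pattern to a Name entry. Returns { GN, SN } with the captured
// text taken verbatim (no capitalisation), or null if the pattern does not
// match, which is the case in which the certificate request would fail.
function splitName(name, pattern) {
  const m = pattern.exec(name);
  if (m === null) return null;
  return { GN: m.groups.GN, SN: m.groups.SN };
}

// Report the Name entries that would not yield a usable name with the
// pattern as configured, so they can be corrected before certificates are
// requested overnight.
function findUnsplittable(names, pattern) {
  return names.filter((n) => splitName(n, pattern) === null);
}

// Constructed sample Name entries covering the cases the manual describes.
const SAMPLE_NAMES = [
  "John Doe",               // plain given name + surname
  "Anna Maria Smith",       // two given names: greedy GN keeps both
  "john.doe@mycompany.tld", // email address stored in the Name field
  "jdoe",                   // neither a space nor ".x@": unusable either way
];

for (const name of SAMPLE_NAMES) {
  console.log(
    JSON.stringify(name),
    "default:", JSON.stringify(splitName(name, DEFAULT_NAME_RE)),
    "email:", JSON.stringify(splitName(name, EMAIL_NAME_RE)),
  );
}
```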
Section Domain specific parameters (optional)
These parameters must be set for at least one Organisation ID. If, based on the Default parameters, the customer has several Organisation IDs, one Domain entry appears for each Organisation ID. After saving the domain-specific options via Save entries, another input field appears in each case.

| Parameter | Description |
|---|---|
| | Obtained from Sectigo if the login (see Default parameters) has been successful. |
| | Specifies the email domains for which the following parameters apply. Only domains that were named when the application was submitted to the certification body, or that were validated separately later, may be entered. |
| | See Default parameters. |
Settings for the automatic renewal of certificates.

The validity period of the certificates of the individual users can be found in the file user-stats.csv that comes with the Daily Report (see also Groups statisticsadmin). This is especially helpful if no automatic renewal of certificates has been set.

| Parameter | Description |
|---|---|
| Automatically renew expiring certificates if validity days left less than | Inactive by default and pre-set to 30. Initiates the automatic renewal of certificates of active users (User) if the remaining validity period in days is below the set value. One precondition is that the corresponding user sends an email within the set overlap time. This prevents certificates, including certificates subject to a fee where applicable, from being obtained for "corpses" in the User menu. The process initiated in this way runs overnight (!). |
| Automatically create certificates for active users without certificates | Inactive by default. This function automatically obtains, overnight (!), a certificate for all existing active Users who do not have a valid (!) certificate. Active Users are users who have sent an email in the last 30 days and whose State is not inactive. |
By clicking Add or update..., the intermediate certificates under X.509 Root Certificates that are required to complete the certificate chain when signing are added or updated.

The changes made are saved via the Save button.