For each client, set the following field values in the Clients tab of the Configuration page.
Subject DN
The subject DN of the client.
You must issue the client a digital certificate with this subject DN.
Mandatory: Yes.
Tenant ID
One of the tenant identifiers listed under Tenants.
This value is mapped with the client and is mutually exclusive with Integrator ID.
Mandatory: Yes.
Integrator ID
The integrator identifier.
This value is mapped with the client and is mutually exclusive with Tenant ID.
Mandatory: Yes.
Role
One of the following roles.
Role identifier | Role main permissions | Granted by default |
---|---|---|
integrator | Access to multiple CAs. For example, as an organization providing services or capabilities to customers, such as Identity Management service providers like Microsoft Intune. | Default role for clients mapped to an integrator. |
policy-constrained-tenant | View a single CA. For example, as a consumer of the services provided by the Integrator. | Default role for clients mapped to a tenant. |
policy-override-tenant | Control the naming information in the certificates requested to a Security Manager CA. The CA policy of the requested certificate profile determines all other certificate content. | — |
read-only-integrator | Access multiple CAs and perform | — |
read-only-tenant | Access one CA and perform | — |
See the following table for a more detailed description of the permissions assigned to each predefined role.
Permission | integrator | policy-override-tenant | policy-constrained-tenant | read-only-integrator | read-only-tenant |
---|---|---|---|---|---|
Access multiple CAs | Single CA only | Single Security Manager CA only | Single CA only | | |
Request explicit extensions | | | | | |
Request private key usage period | | | | | |
External public keys (no CSR) | | | | | |
Override Proof of Possession | | | | | |
Request explicit validity dates | Can shorten the lifetime in CSR enrollments (relative to the CA policy). | | | | |
CSR | | | | | |
PKCS#12 | | | | | |
Subject DN Naming Info (including subjectDn and previousSubjectDn optional parameters) | | | | | |
Subject Alternative Names | | | | | |
Manage certificates (revoke, suspend, unsuspend) | | | | | |
Search in the certificate inventory | | | | | |
Certificate events | | | | | |
Authorized users can request certificates with the following contents.
- Certificate lifetimes
- Certificate naming information: Subject DN (subject to CA DIT constraints), Subject Alternative Names
- Key Usage
- Private Key Usage Percentage
- Required Certificate Extensions
No client role can request the following extensions from a Security Manager CA.
- authorityKeyIdentifier (2.5.29.35)
- basicConstraints (2.5.29.19)
- cRLDistributionPoints (2.5.29.31)
- cRLNumber (2.5.29.20)
- entrustVersInfo (1.2.840.113533.7.65.0)
- invalidityDate (2.5.29.24)
- issuingDistributionPoint (2.5.29.28)
- netscapeRevocationUrl (2.16.840.1.113730.1.3)
- reasonCode (2.5.29.21)
- subjectKeyIdentifier (2.5.29.14)
CA Gateway will ignore these extensions when included in a CSR sent from a client.
Each role can access any of the REST APIs. However, based on the role, the requested action is scoped to the allowed set of managed CAs.
Mandatory: No. This optional parameter defaults to the lowest privileged role.
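The following script is an added example (not Entrust's code) that checks a client entry against the field rules above before it is entered in the Clients tab, and reports which extensions in a CSR's extension request CA Gateway will ignore. It assumes a small `ClientEntry` record and function names of its own; it reads the two mandatory-but-mutually-exclusive fields as "exactly one of Tenant ID or Integrator ID must be set", and takes the default role from the "Granted by default" column of the role table when no role is configured. The CSR extension OIDs passed in are constructed sample values, standing in for whatever a CSR parser produced.

```python
"""Validate CA Gateway client entries and flag CSR extensions the gateway ignores.

Added example, not part of the CA Gateway product. ClientEntry, validate_client
and ignored_extensions are names assumed by this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Predefined role identifiers from the role table.
ROLES = {
    "integrator",
    "policy-constrained-tenant",
    "policy-override-tenant",
    "read-only-integrator",
    "read-only-tenant",
}

# Default role when none is configured ("Granted by default" column).
DEFAULT_ROLE_FOR_TENANT = "policy-constrained-tenant"
DEFAULT_ROLE_FOR_INTEGRATOR = "integrator"

# Extensions no client role can request from a Security Manager CA.
# CA Gateway ignores them when they appear in a CSR sent by a client.
IGNORED_EXTENSION_OIDS: Dict[str, str] = {
    "2.5.29.35": "authorityKeyIdentifier",
    "2.5.29.19": "basicConstraints",
    "2.5.29.31": "cRLDistributionPoints",
    "2.5.29.20": "cRLNumber",
    "1.2.840.113533.7.65.0": "entrustVersInfo",
    "2.5.29.24": "invalidityDate",
    "2.5.29.28": "issuingDistributionPoint",
    "2.16.840.1.113730.1.3": "netscapeRevocationUrl",
    "2.5.29.21": "reasonCode",
    "2.5.29.14": "subjectKeyIdentifier",
}


@dataclass
class ClientEntry:
    """One row of the Clients tab (field layout assumed by this example)."""
    subject_dn: str
    tenant_id: Optional[str] = None
    integrator_id: Optional[str] = None
    role: Optional[str] = None


def validate_client(entry: ClientEntry, tenants: Set[str]) -> Tuple[List[str], Optional[str]]:
    """Return (errors, effective_role). effective_role is None when errors exist."""
    errors: List[str] = []
    if not entry.subject_dn or not entry.subject_dn.strip():
        errors.append("Subject DN is mandatory")

    has_tenant = entry.tenant_id is not None
    has_integrator = entry.integrator_id is not None
    # Tenant ID and Integrator ID are mutually exclusive, and one is required.
    if has_tenant == has_integrator:
        errors.append("exactly one of Tenant ID or Integrator ID must be set")
    if has_tenant and entry.tenant_id not in tenants:
        errors.append(f"Tenant ID {entry.tenant_id!r} is not listed under Tenants")

    role = entry.role
    if role is None:
        role = DEFAULT_ROLE_FOR_TENANT if has_tenant else DEFAULT_ROLE_FOR_INTEGRATOR
    elif role not in ROLES:
        errors.append(f"unknown role {role!r}; expected one of {sorted(ROLES)}")

    return errors, (None if errors else role)


def ignored_extensions(requested_oids: List[str]) -> List[Tuple[str, str]]:
    """Return (oid, name) pairs from a CSR's extension request that CA Gateway ignores."""
    hits = {oid for oid in requested_oids if oid in IGNORED_EXTENSION_OIDS}
    # Sort numerically by arc so the report is stable.
    ordered = sorted(hits, key=lambda oid: tuple(int(arc) for arc in oid.split(".")))
    return [(oid, IGNORED_EXTENSION_OIDS[oid]) for oid in ordered]


if __name__ == "__main__":
    tenants = {"acme"}  # constructed tenant list
    for entry in (
        ClientEntry("CN=acme-client, O=Acme", tenant_id="acme"),
        ClientEntry("CN=mdm-client, O=MDM", integrator_id="mdm-connector", role="read-only-integrator"),
        ClientEntry("CN=bad-client", tenant_id="acme", integrator_id="mdm-connector"),
    ):
        print(entry.subject_dn, "->", validate_client(entry, tenants))
    # Constructed OIDs: subjectAltName (kept), basicConstraints and SKI (ignored).
    print(ignored_extensions(["2.5.29.17", "2.5.29.19", "2.5.29.14"]))
```

`validate_client` returns the role that will actually be in force, so the output can be compared with what the operator intended; a tenant-mapped client with no role ends up as `policy-constrained-tenant`, not as the higher-privileged `policy-override-tenant`. `ignored_extensions` is useful before enrollment: an extension the gateway drops silently will simply be absent from the issued certificate, and catching that in the CSR avoids a confusing issuance result.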