Create a GlobalSign Atlas certificate authority

Before you begin

You're going to need a few things to complete the CA configuration.

  • A GlobalSign account. If you don't have an account yet, go here to get started.
  • Your GlobalSign credentials file.

How do I create the GlobalSign credentials file?

  1. Log into the GlobalSign Atlas web portal.
  2. Navigate to Access Credentials > API Credentials, and click Generate an API Credential (the button, upper right).
  3. Select Encrypted File and click Continue.
  4. Paste in the following public key (which corresponds to the private key TLS Protect Cloud will use to decrypt the .enc file), and click Continue.
    -----BEGIN PUBLIC KEY-----
    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt95Jiu9oz1sw69XGCKB6
    iwdUuiDFjQrSlKS1dikPmR9/Ska0D9trZdIEGe8YTEC2xy9p+LyUFkFRrNEOJadQ
    z8RG8O7CtNzc6dFdDgmGjVswmrn7J/bi+k1mfw4YsFXUR2eYVu+1AQZ+oVHruN4F
    9kZWekEgL4EdC/isnaYwx+QoAcZObDYgduQEXpHwD5STfIeifdzfnc2boOYEpxWq
    QwtXl59hAVgzFSNv/asPS3aBuOKvpWhKF3MyIDIUqgL1znBXuG3iojWqyJUTvPPp
    JI+tLxcCC3ACuQpCBZAzwH4sNzPNyCqCGzKXakgD/+UAX61CyS6eiNNEH6FkFqb1
    uQIDAQAB
    -----END PUBLIC KEY-----
    
  5. Select the Atlas server to which the credential will be linked, and click Continue.
  6. Select the identity to which the credential will be linked, and click Continue.
  7. Enter a name for the API credential, and click Continue.
  8. Click the DOWNLOAD KEY & SECRET AS .enc button, and save the file (this is the file you upload into TLS Protect Cloud when creating a GlobalSign Atlas CA Account).

Once you have the credentials file, create the certificate authority:

  1. Sign in to Venafi Control Plane.
  2. Click Integrations > Certificate Authorities.

  3. Click New > GlobalSign.

  4. Enter a Name that this CA should be called in TLS Protect Cloud.
  5. Browse to your Credentials File.

    See the Before You Begin section at the top of this page for details on how to get this file.

  6. Click Validate.

    After you authenticate, we'll show you GlobalSign's validation policy. This is a list of requirements that your certificate request must comply with before GlobalSign will issue a certificate for you. We'll also display this information in a more readable form when you start setting up policies for your organization.

Example validation policy

{
  'validity': {'secondsmin': 60, 'secondsmax': 7776000, 'notBeforeNegativeSkew': 200, 'notBeforePositiveSkew': 200},
  'subjectDn': {
    'commonName': {
      'presence': 'REQUIRED',
      'format': '^([a-z0-9-_]+\\.)*(venafi\\.io|vfidev\\.com|thehotelcook\\.com)$'
    },
    'organization': {'presence': 'STATIC', 'format': 'Venafi, Inc.'},
    'organizationalUnit': {'isStatic': false, 'list': ['^.*$'], 'mincount': 0, 'maxcount': 3},
    'country': {'presence': 'STATIC', 'format': 'US'},
    'state': {'presence': 'STATIC', 'format': 'UT'},
    'locality': {'presence': 'STATIC', 'format': 'Salt Lake City'},
    'streetAddress': {'presence': 'FORBIDDEN', 'format': ''},
    'email': {'presence': 'FORBIDDEN', 'format': ''},
    'joiLocalityName': {'presence': 'FORBIDDEN', 'format': ''},
    'joiStateOrProvinceName': {'presence': 'FORBIDDEN', 'format': ''},
    'joiCountryName': {'presence': 'FORBIDDEN', 'format': ''},
    'businessCategory': {'presence': 'FORBIDDEN', 'format': ''}
  },
  'extendedKeyUsages': {
    'ekus': {
      'isStatic': true,
      'list': ['1.3.6.1.5.5.7.3.2', '1.3.6.1.5.5.7.3.1'],
      'mincount': 2,
      'maxcount': 2
    },
    'critical': false
  },
  'publicKey': {'keyType': 'RSA', 'allowedLengths': [4096, 3072, 2048], 'keyFormat': 'PKCS10'},
  'publicKeySignature': 'FORBIDDEN'
}
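
To see how a request is measured against a policy like this, here is an added example (not Venafi's or GlobalSign's code) that checks a request's fields against a subset of the example policy before submission. The request dict shape, the `check_request` name, and the reading of `REQUIRED`, `STATIC` and `FORBIDDEN` used here are assumptions made for illustration.

```python
import re

# Subset of the example policy above; '\\.' on the page is a string-escaped '\.'.
POLICY = {
    "validity": {"secondsmin": 60, "secondsmax": 7776000},
    "subjectDn": {
        "commonName": {"presence": "REQUIRED", "format":
                       r"^([a-z0-9-_]+\.)*(venafi\.io|vfidev\.com|thehotelcook\.com)$"},
        "organization": {"presence": "STATIC", "format": "Venafi, Inc."},
        "country": {"presence": "STATIC", "format": "US"},
        "email": {"presence": "FORBIDDEN", "format": ""},
    },
    "publicKey": {"keyType": "RSA", "allowedLengths": [4096, 3072, 2048]},
}

def check_request(req, policy=POLICY):
    """Return policy violations for a request dict (hypothetical shape, see GOOD)."""
    problems = []
    v, secs = policy["validity"], req.get("validity_seconds", 0)
    if not v["secondsmin"] <= secs <= v["secondsmax"]:
        problems.append(f"validity {secs}s outside {v['secondsmin']}..{v['secondsmax']}s")
    for attr, rule in policy["subjectDn"].items():
        value = req.get("subject", {}).get(attr)
        if rule["presence"] == "FORBIDDEN" and value is not None:
            problems.append(f"{attr}: not allowed in the subject")
        elif rule["presence"] == "STATIC" and value not in (None, rule["format"]):
            # Assumption: STATIC means the CA fixes the value, so a request
            # may omit it but must not ask for anything else.
            problems.append(f"{attr}: must be {rule['format']!r}")
        elif rule["presence"] == "REQUIRED" and (
                value is None or not re.fullmatch(rule["format"], value)):
            # fullmatch, because '$' alone also matches before a trailing newline.
            problems.append(f"{attr}: missing or outside the allowed pattern")
    key, pk = req.get("key", {}), policy["publicKey"]
    if key.get("type") != pk["keyType"] or key.get("bits") not in pk["allowedLengths"]:
        problems.append(f"key: need {pk['keyType']} with one of {pk['allowedLengths']} bits")
    return problems

# Constructed sample requests.
GOOD = {"validity_seconds": 7776000, "key": {"type": "RSA", "bits": 2048},
        "subject": {"commonName": "www.venafi.io", "organization": "Venafi, Inc."}}
BAD = {"validity_seconds": 31536000, "key": {"type": "RSA", "bits": 1024},
       "subject": {"commonName": "www.example.com", "organization": "Example Corp",
                   "email": "admin@example.com"}}

if __name__ == "__main__":
    for name, req in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_request(req) or "complies")
```

Running the same check in a pre-submission step surfaces every violation at once instead of one rejection per attempt.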

What's Next

This CA is now ready to be added to one or more certificate issuing templates. To do this, select this CA when creating certificate issuing templates.