The GlobalSign CAPlugin enables the Synchronization, Enrollment, and Revocation of TLS Certificates from the GlobalSign Certificate Center.
The GlobalSign MSSL Gateway AnyCA Gateway REST plugin is compatible with the Keyfactor AnyCA Gateway REST 25.2.0 and later.
The GlobalSign MSSL Gateway AnyCA Gateway REST plugin is supported by Keyfactor for Keyfactor customers. If you have a support issue, please open a support ticket with your Keyfactor representative or via the Keyfactor Support Portal at https://support.keyfactor.com.
To report a problem or suggest a new feature, use the Issues tab. If you want to contribute actual bug fixes or proposed enhancements, use the Pull requests tab.
To enroll for certificates, the Keyfactor Command server must trust the certificate chain. After creating your Root and/or Subordinate CA, ensure the certificate chain is imported into the AnyGateway and Command Server certificate store.
The GlobalSign API filters requests based on IP addresses. Ensure the appropriate IP addresses are allowed to make requests to the GlobalSign API.
This extension uses the contact information of the GCC Domain point of contact for certificate enrollment. These fields are required for submission and must be populated in the Domain's point of contact section, which can be found in the GlobalSign Portal under the Manage Domains page.
- Install the AnyCA Gateway REST per the official Keyfactor documentation.
- On the server hosting the AnyCA Gateway REST, download and unzip the latest GlobalSign MSSL Gateway AnyCA Gateway REST plugin from GitHub.
- Copy the unzipped directory (usually called net6.0 or net8.0) to the Extensions directory. Depending on your AnyCA Gateway REST version, copy the unzipped directory to one of the following locations:
  Program Files\Keyfactor\AnyCA Gateway\AnyGatewayREST\net6.0\Extensions
  Program Files\Keyfactor\AnyCA Gateway\AnyGatewayREST\net8.0\Extensions
  The directory containing the GlobalSign MSSL Gateway AnyCA Gateway REST plugin DLLs (net6.0 or net8.0) can be named anything, as long as it is unique within the Extensions directory.
- Restart the AnyCA Gateway REST service.
- Navigate to the AnyCA Gateway REST portal and verify that the Gateway recognizes the GlobalSign MSSL Gateway plugin by hovering over the ⓘ symbol to the right of the Gateway on the top left of the portal.
- Follow the official AnyCA Gateway REST documentation to define a new Certificate Authority, and use the notes below to configure the Gateway Registration and CA Connection tabs:
  - Gateway Registration
    GlobalSign supports the following Root certificates: GlobalSign Root Certificates.
    Root_R3 is commonly used throughout MSSL. Define the root certificate you wish to use on the Gateway registration tab.
    Each additional Root will require a separate CA setup.
  - CA Connection
    Populate using the configuration fields collected in the requirements section.
- GlobalSignUsername - GlobalSign MSSL API Username
- GlobalSignPassword - GlobalSign MSSL API Password
- DateFormatString - Date format string. Default is yyyy-MM-ddTHH:mm:ss.fffZ
- OrderAPIProdURL - MSSL Order Prod API URL. Default is https://system.globalsign.com/kb/ws/v2/ManagedSSLService
- OrderAPITestURL - MSSL Order Test API URL. Default is https://test-gcc.globalsign.com/kb/ws/v2/ManagedSSLService
- QueryAPIProdURL - MSSL Query Prod API URL. Default is https://system.globalsign.com/kb/ws/v1/GASService
- QueryAPITestURL - MSSL Query Test API URL. Default is https://test-gcc.globalsign.com/kb/ws/v1/GASService
- TestAPI - Enable the use of the test GlobalSign API endpoints. Default is false.
- DelayTime - This is the number of seconds between retries when attempting to download a certificate. Default is 150.
- RetryCount - This is the number of times the AnyGateway will attempt to pick up a new certificate before reporting an error. Default is 5.
- SyncIntervalDays - OPTIONAL: Required if SyncStartDate is used. Specifies how to page the certificate sync. Should be a value such that no interval of that length contains > 500 certificate enrollments.
- SyncStartDate - If provided, full syncs will start at the specified date.
- Define Certificate Profiles and Certificate Templates for the Certificate Authority as required. One Certificate Profile must be defined per Certificate Template. It's recommended that each Certificate Profile be named after the Product ID. The GlobalSign MSSL Gateway plugin supports the following product IDs:
- PEV_SHA2
- PEV
- PV
- PV_SHA2
- PV_INTRA
- PV_INTRA_SHA2
- PV_INTRA_ECCP256
- PV_CLOUD
- PV_CLOUD_ECC2
- Follow the official Keyfactor documentation to add each defined Certificate Authority to Keyfactor Command and import the newly defined Certificate Templates.
- In Keyfactor Command (v12.3+), for each imported Certificate Template, follow the official documentation to define enrollment fields for each of the following parameters:
- CertificateValidityInYears - Number of years the certificate will be valid for
- SlotSize - Maximum number of SANs that a certificate may have - valid values are [FIVE, TEN, FIFTEEN, TWENTY, THIRTY, FOURTY, FIFTY, ONE_HUNDRED]
- RootCAType - The certificate's root CA. Depending on the certificate expiration date, SHA_1 may not be allowed. Will default to SHA_2 if the expiration date exceeds the SHA-1 allowed date. Options are GlobalSign R certs.
GlobalSign supports specific combinations of SAN types with certain GlobalSign products. For example, a Private IP can only be used as a SAN with a PV_INTRA Certificate.
Please refer to the GlobalSign documentation for more information on SAN usage: GlobalSign MSSL API User Guide (Section 2.2.5)
The following fields are required for enrollment on all certificate templates:
- ContactName: Set Data Type to 'string' when creating the field. The name of the contact person for the certificate. This is required by the GlobalSign API.
The following fields are available for use in the enrollment of PV_INTRA Certificates:
- PrivateDomain: Set Data Type to 'string' when creating the field. Set to true if enrolling a certificate for a private domain (e.g., .local, .lab, etc.).
  - If PrivateDomain is set to true, the following fields must also be specified:
    - RequesterEmail: Set Data Type to 'string' when creating the field. The contact email address for the enrollment. Required by the GlobalSign API.
    - RequesterTel: Set Data Type to 'string' when creating the field. The contact telephone number for the enrollment. Required by the GlobalSign API.
- InternalIP: Set Data Type to 'string' when creating the field. Set to true if an IP SAN attached during a PV_INTRA certificate enrollment is a private IP address (e.g., 10.x.x.x, 192.168.x.x, etc.).
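The enrollment field rules above can be checked before a request is submitted. The following is an added example, not part of the plugin: `check_enrollment` and its helpers are hypothetical names, and it assumes that every product ID beginning with PV_INTRA counts as a PV_INTRA certificate and that SlotSize names map to the SAN counts they spell out.

```python
import ipaddress

# Product IDs and SlotSize names as listed in this README.
PRODUCT_IDS = {"PEV_SHA2", "PEV", "PV", "PV_SHA2", "PV_INTRA", "PV_INTRA_SHA2",
               "PV_INTRA_ECCP256", "PV_CLOUD", "PV_CLOUD_ECC2"}
SLOT_SIZES = {"FIVE": 5, "TEN": 10, "FIFTEEN": 15, "TWENTY": 20, "THIRTY": 30,
              "FOURTY": 40, "FIFTY": 50, "ONE_HUNDRED": 100}

def is_true(fields, name):
    # Enrollment fields are created with Data Type 'string', so compare text.
    return str(fields.get(name, "")).strip().lower() == "true"

def is_private_ip(san):
    try:
        return ipaddress.ip_address(san).is_private
    except ValueError:
        return False  # not an IP literal, so it is a DNS name

def check_enrollment(product_id, sans, fields):
    """Return a list of problems; an empty list means the request is consistent."""
    problems = []
    if product_id not in PRODUCT_IDS:
        problems.append(f"unsupported product ID {product_id}")
    # Assumption: every product ID that starts with PV_INTRA is a PV_INTRA product.
    intra = product_id.startswith("PV_INTRA")
    if not fields.get("ContactName"):
        problems.append("ContactName is required on all templates")
    slots = SLOT_SIZES.get(fields.get("SlotSize"))
    if slots is None:
        problems.append("SlotSize is not one of the valid values")
    elif len(sans) > slots:
        problems.append(f"{len(sans)} SANs exceed SlotSize {fields['SlotSize']}")
    private = [san for san in sans if is_private_ip(san)]
    if private and not intra:
        problems.append(f"private IP SAN {private[0]} requires a PV_INTRA product")
    elif private and not is_true(fields, "InternalIP"):
        problems.append("InternalIP must be 'true' for a private IP SAN")
    if is_true(fields, "PrivateDomain"):
        for name in ("RequesterEmail", "RequesterTel"):
            if not fields.get(name):
                problems.append(f"{name} is required when PrivateDomain is 'true'")
    return problems

# Constructed sample: a private IP SAN requested on a non-PV_INTRA product.
SAMPLE = check_enrollment("PV_SHA2", ["www.example.com", "10.0.0.5"],
                          {"ContactName": "A. Admin", "SlotSize": "FIVE"})
```

Python's `is_private` also matches loopback and link-local ranges, which is broader than the 10.x.x.x and 192.168.x.x examples given above.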
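For the SyncIntervalDays setting in the CA Connection configuration, a value can be derived from past issuance timestamps so that no interval exceeds the 500-enrollment limit. This is an added example, not plugin code: the function names are hypothetical, the history is constructed, and because this page does not describe how the gateway treats interval boundaries, the calculation assumes inclusive boundaries and stays strictly below the tightest span.

```python
from datetime import datetime, timedelta

LIMIT = 500  # per-interval enrollment ceiling stated for SyncIntervalDays

def max_sync_interval_days(issued, limit=LIMIT):
    """Largest whole-day interval in which no window holds more than `limit`
    enrollments. Returns None when the history never exceeds the limit and
    0 when even a one-day window can exceed it."""
    times = sorted(issued)
    if len(times) <= limit:
        return None
    # The tightest run of limit+1 consecutive enrollments sets the bound:
    # an interval shorter than that run's span cannot contain all of them.
    tightest = min(times[i + limit] - times[i] for i in range(len(times) - limit))
    days = tightest // timedelta(days=1)
    # Assumption: interval boundaries are inclusive, so stay strictly below.
    if timedelta(days=days) == tightest:
        days -= 1
    return max(days, 0)

def busiest_window(issued, interval_days):
    """Highest enrollment count found in any window of `interval_days` days."""
    times = sorted(issued)
    span = timedelta(days=interval_days)
    best = left = 0
    for right, t in enumerate(times):
        # Slide the left edge forward until the window fits inside the span.
        while t - times[left] > span:
            left += 1
        best = max(best, right - left + 1)
    return best

# Constructed history: one enrollment every 72 minutes (20 per day), 2000 total.
SAMPLE = [datetime(2024, 1, 1) + timedelta(minutes=72 * n) for n in range(2000)]
```

Running `busiest_window` with a candidate value before changing the gateway configuration confirms that the chosen interval stays at or under the limit for the history you have.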
Apache License 2.0, see LICENSE.
See all Keyfactor Any CA Gateways (REST).