
Certificate Components

Learn the main components for managing certificates with Hanzo KMS.

Core Components

The following resources define how certificates are issued, shaped, and governed in Hanzo KMS:

  • Certificate Authority (CA): The trusted entity that issues X.509 certificates. This can be an Internal CA or an External CA in Hanzo KMS. The former represents a fully managed CA hierarchy within Hanzo KMS, while the latter represents an external CA (e.g. DigiCert, Let's Encrypt, Microsoft AD CS, etc.) that can be integrated with Hanzo KMS.
  • Certificate Policy: A policy structure specifying permitted attributes for requested certificates. This includes constraints around subject naming conventions, SAN fields, key usages, and extended key usages.
  • Certificate Profile: A configuration set specifying how leaf certificates should be issued for a group of end-entities including the issuing CA, a certificate policy, and the enrollment method (e.g. ACME, EST, API, etc.) used to enroll certificates.
  • Certificate: The actual X.509 certificate issued for a profile. Once created, it is tracked in Hanzo KMS’s certificate inventory for management, renewal, and lifecycle operations.
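To make the relationships between these components concrete, here is an added example (model code written for this page, not Hanzo KMS's own API; the class names, fields and sample values are assumptions) of the policy check a profile would apply to a request before anything reaches the issuing CA:

```python
from dataclasses import dataclass, field
import fnmatch

@dataclass
class CertificatePolicy:
    """Permitted attributes for requested certificates (hypothetical model)."""
    allowed_subject_cn: list     # glob patterns such as "*.internal.example.com"
    allowed_san_dns: list        # glob patterns for DNS SAN entries
    allowed_key_usages: set      # e.g. {"digitalSignature", "keyEncipherment"}
    allowed_ext_key_usages: set  # e.g. {"serverAuth"}

@dataclass
class CertificateRequest:
    subject_cn: str
    san_dns: list = field(default_factory=list)
    key_usages: set = field(default_factory=set)
    ext_key_usages: set = field(default_factory=set)

def _matches_any(name, patterns):
    return any(fnmatch.fnmatchcase(name.lower(), p.lower()) for p in patterns)

def policy_violations(policy, req):
    """Reasons the request is not permitted by the policy; empty means permitted."""
    problems = []
    if not _matches_any(req.subject_cn, policy.allowed_subject_cn):
        problems.append(f"subject CN {req.subject_cn!r} not permitted")
    problems += [f"DNS SAN {s!r} not permitted" for s in req.san_dns
                 if not _matches_any(s, policy.allowed_san_dns)]
    problems += [f"key usage {k!r} not permitted"
                 for k in sorted(req.key_usages - policy.allowed_key_usages)]
    problems += [f"extended key usage {e!r} not permitted"
                 for e in sorted(req.ext_key_usages - policy.allowed_ext_key_usages)]
    return problems

@dataclass
class CertificateProfile:
    issuing_ca: str              # which CA signs certificates for this profile
    policy: CertificatePolicy    # what those certificates may contain
    enrollment_method: str       # e.g. "ACME", "EST", "API"
    def evaluate(self, req, method):
        """Policy violations plus an enrollment-method mismatch, if any."""
        problems = policy_violations(self.policy, req)
        if method != self.enrollment_method:
            problems.append(f"enrollment via {method!r} not allowed by this profile")
        return problems

# Constructed sample data (not from the page): a profile for internal web servers.
WEB_PROFILE = CertificateProfile("Internal Issuing CA", CertificatePolicy(
    ["*.internal.example.com"], ["*.internal.example.com"],
    {"digitalSignature", "keyEncipherment"}, {"serverAuth"}), "ACME")
```

A request whose CN, SANs, key usages, extended key usages and enrollment method all fit the profile returns an empty list; each attribute outside the policy produces one reason, which is what an operator would expect to see in an issuance audit log.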

Access Control

Access control defines who (or what) can manage certificate resources and who can issue certificates within a project. Without clear boundaries, certificate authorities and issuance workflows can be misconfigured or misused.

To manage access to certificates, you assign role-based permissions at the project level. These permissions determine which certificate authorities, certificate policies, certificate profiles, and other related resources a user or machine identity can act on. For example, you may want to:

  • Have specific team(s) manage your internal CA hierarchy or external CA integration configuration, and have separate team(s) configure the certificate profiles used for requested certificates.
  • Limit which teams can manage certificate policies.
  • Have specific end-entities (e.g. servers, devices, users) request certificates from specific certificate profiles.

This model follows the principle of least privilege so that each user or machine identity can manage or issue only the certificate resources it is responsible for and nothing more.
