How to Connect to GlobalSign


  1. Registering the application in your tenant
  2. Selecting a Plan (This is only available in premium plans)


If you are happy with EZCA’s certificate management capabilities and are looking to implement the same capabilities for your public SSL certificates, EZCA can help you with that. EZCA has a built-in integration with GlobalSign MSSL platform that allows you to issue and automate the lifecycle of your public SSL certificates.

Connecting EZCA to GlobalSign

  1. Navigate to your EZCA instance and select “Settings”
  2. Login with an account that is registered as a PKI Admin in EZCA.
  3. Navigate to Certificate Authorities. CA Menu
  4. Click on the “Create CA” Create CA
  5. Select “Public CA” Public CA
  6. Select “GlobalSign”
  7. Enter your MSSL Profile ID. This profile ID can be found inside your globalsign account. under the managed SSL tab. GlobalSign MSSL Profile ID
  8. Now you need to enter the GlobalSign credentials that you have assigned to EZCA.

    To Avoid security breaches or outages and to maintain separate accounts we highly recommend creating a special login for EZCA and not using your own credentials.

    GlobalSign Credentials
  9. Click on “Test Connection”. Once the connection is successful, click on “Next”.
  10. While all PKI administrators will get emails regarding this CA connection, we also allow for you to add an extra email such as your team’s distribution list where we will also send the alerts. Enter the email address under “Notification Email”
  11. Below you can see the list of all the domains that available for this CA. You can select the ones you want to enable by clicking the “manage domain” button. Test Connection
  12. Once you have added the domains that you want EZCA to manage, you can setup your issuance rules.

Issuance Rules

To enable more granular control who can request domain ownership in EZCA, we created to extra knobs PKI administrators can adjust to control domain ownership.

  1. Require domain registration approval. This option enables PKI administrators to set a group of approvers that must approve each domain registration before a user or group of users are registered as domain owners.
    1. To enable this option select the “require approval” option.
    2. Enter the users or AAD groups that can approve domain requests.
  2. The second way PKI administrators can control the registration of domains is to only allow specific users to request domains. This option enables PKI administrators to set a list of users that can request domains for this CA.
    1. To enable this option deselect the “Allow all users” option.
    2. Enter the users or AAD groups that can register domains. Sample issuance rules for domain ownership
  3. Select the issuance rules you require.

Certificate Lifecycle

The last step before creating your GlobalSign MSSL connection, is to setup your maximum certificate validity period. This is the maximum validity period that EZCA will allow for certificates issued by this CA. By default this is set to 90 days which is the maximum validity period allowed by the new Google requirement for 2024. However, if you are still not ready for this change you can set it to the number of days you would want your certificates.

GlobalSign MSSL platform does the management in months, so for a year, instead of 365 days, you would need to enter 359 days.

Connect to GlobalSign MSSL

Now we are ready to connect your CA to EZCA. Click on “Create CA” and your CA will be created. Connect to GlobalSign for automated certificate rotation

  1. Now that your CA is connected, you are ready to register your first domain owner and issue your first certificate.