Issue Intermediate CA certificates
You may have a scenario where you need to issue Intermediate CAs (ICAs) to devices, such as IoT gateways. These ICAs issue end-entity certificates to other devices. We refer to this as an Unmanaged CA. You can configure DigiCert® Device Trust Manager to support this.
Before you begin
Work with your DigiCert® account representative to make sure you have the following:
A DigiCert ONE account: Your organization must have an active DigiCert ONE account.
CA hierarchy: In CA Manager > Manage CAs, make sure your hierarchy includes:
A private root CA, and optionally,
An Intermediate CA.
Issuance settings: In CA Manager > Manage CAs, the Issue CA Intermediates setting must be set to Yes for the CA that will issue the ICAs.
If you're issuing from the root CA, this setting must be enabled on the root, and the root CA must be an online CA.
If you're issuing from an existing Intermediate CA, this setting must be enabled on that Intermediate CA, and it must also be an online CA.
Certificate template: In Device Trust Manager > Certificate management > Certificate templates:
Select the Basic Intermediate CA Certificate Template.
Clone it to make it available in your account.
Save the cloned template with a name of your choice.
This template enables the required CA = true basic constraint.
Licensing: In the Account Manager, make sure your account is assigned a Device Trust Manager Advanced license. That license (see Licensing and plans) includes the Unmanaged CA feature.
Also, your DigiCert ONE account admin should provide you with a user account that has the Solution Administrator role in Device Trust Manager.
Important
If you're missing anything above, contact your DigiCert account representative.
Perform the following steps to issue Intermediate CA certificates:
Sign in to DigiCert ONE as a Solution Administrator:
one.digicert.com (US production)
one.nl.digicert.com (EU production)
demo.one.digicert.com (training, demos, proof of concepts, and pilots)
In DigiCert ONE, in the Manager menu (grid at top right), select Device Trust.
Perform the following steps to create a certificate profile:
In the Device Trust Manager menu, select Certificate management > Certificate profiles.
Click Create certificate profile.
Enter a Name for the certificate profile.
Under Template, select Intermediate CA, and choose the Intermediate CA certificate template that was cloned for your account.
Set the Common name field to Enabled.
Configure the Required attribute and Value sources to meet your requirements.
Click Create to create a certificate profile.
Perform the following steps to create a certificate management policy:
In the Device Trust Manager menu, select Certificate management > Certificate management policies.
Click Create certificate management policy.
Enter a Name for the certificate management policy.
Choose a Division to assign the policy to.
Under Select the certificate management model, select Policy will be used for secure device lifecycle management (this option requires an Advanced license).
Under Certificate management methods, select the methods that this policy will support.
For example, you may want to use EST to request or receive the Intermediate CA certificates. For detailed information on various certificate management methods available, see Certificate management methods.
Optionally, select an Authentication policy.
Note
An Authentication policy is required when using EST, CMPv2, SCEP or ACME; it lets devices authenticate with a passcode or an authentication certificate. When certificates are requested through the portal or the API, an authentication policy is optional if you intend to authenticate with an API key or with a certificate in Account Manager.
Click Next.
On the Certificate settings page, under Intermediate certificate profile, choose the certificate profile you created earlier.
Under Issuing CA, choose the root CA or the Intermediate CA that will issue the new Intermediate CA certificates.
Set the desired Keypair generation preferences.
For detailed information on Keypairs, see Keypair generation settings.
Click Next.
Under Certificate management method settings, finish configuring each issuance method to meet your requirements.
Click Finish.
You can now request and receive Intermediate CA certificates from Device Trust Manager. How you request and receive depends on which certificate management method you configured in the certificate management policy:
Portal/REST API method: Go to Certificate management > Certificates > Request certificate.
EST method: See Configure and use EST.
SCEP method: See Configure and use SCEP.
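Before putting an issued ICA certificate into service on a gateway, confirm that the CA = true basic constraint the cloned template is supposed to set is actually present and marked critical. The checker below is an added example, not DigiCert code and not part of this page: a stdlib-only Python DER walker that locates the basicConstraints extension (OID 2.5.29.19) and reports cA, criticality and pathLenConstraint. The function names and the constructed sample Extensions block are assumptions of the example; for a real check, point it at the certificate file (DER or PEM) you received from Device Trust Manager.

```python
"""Check that an X.509 certificate carries basicConstraints with cA=TRUE.

Added example (not DigiCert code): minimal DER walking with the Python
standard library only, so it runs without the `cryptography` package.
"""
import base64
import sys

BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")   # 2.5.29.19 id-ce-basicConstraints


def read_tlv(data, pos):
    """Decode one DER tag-length-value at pos -> (tag, value_start, value_end)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def iter_tlvs(data, start, end):
    """Yield (tag, value_start, value_end) for each sibling TLV in data[start:end]."""
    pos = start
    while pos < end:
        tag, vs, ve = read_tlv(data, pos)
        yield tag, vs, ve
        pos = ve


def find_extension(data, oid):
    """Depth-first search for Extension ::= SEQUENCE { extnID, critical DEFAULT FALSE, extnValue }.

    Returns (critical, extnValue bytes) or None. Only constructed nodes are
    descended, so OCTET STRING bodies of other extensions are never misread.
    """
    def walk(start, end):
        for tag, vs, ve in iter_tlvs(data, start, end):
            if not tag & 0x20:                       # primitive: nothing inside
                continue
            kids = list(iter_tlvs(data, vs, ve))
            if tag == 0x30 and kids and kids[0][0] == 0x06 and data[kids[0][1]:kids[0][2]] == oid:
                critical, i = False, 1
                if i < len(kids) and kids[i][0] == 0x01:       # BOOLEAN critical
                    critical, i = data[kids[i][1]] != 0, i + 1
                if i < len(kids) and kids[i][0] == 0x04:       # OCTET STRING extnValue
                    return critical, data[kids[i][1]:kids[i][2]]
            found = walk(vs, ve)
            if found is not None:
                return found
        return None
    return walk(0, len(data))


def parse_basic_constraints(value):
    """BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER OPTIONAL }."""
    tag, vs, ve = read_tlv(value, 0)
    if tag != 0x30:
        raise ValueError("basicConstraints is not a SEQUENCE")
    ca, path_len = False, None
    for t, s, e in iter_tlvs(value, vs, ve):
        if t == 0x01:
            ca = value[s] != 0
        elif t == 0x02:
            path_len = int.from_bytes(value[s:e], "big", signed=True)
    return ca, path_len


def check_intermediate_ca(der_bytes):
    """Verdict for a would-be ICA certificate (any DER that contains its Extensions)."""
    found = find_extension(der_bytes, BASIC_CONSTRAINTS_OID)
    if found is None:
        return {"ok": False, "ca": False, "critical": False, "path_len": None,
                "problems": ["no basicConstraints extension"]}
    critical, value = found
    ca, path_len = parse_basic_constraints(value)
    problems = []
    if not ca:
        problems.append("cA is FALSE")
    if not critical:
        problems.append("basicConstraints not critical (RFC 5280 requires it for CA certs)")
    return {"ok": not problems, "ca": ca, "critical": critical,
            "path_len": path_len, "problems": problems}


def load_cert_bytes(raw):
    """Accept raw DER or a PEM-encoded certificate."""
    if raw.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(l for l in raw.splitlines() if not l.startswith(b"-----"))
        return base64.b64decode(body)
    return raw


# --- constructed sample input (assumption of this example, not a real certificate) ---
def der(tag, content):
    """Encode one DER TLV (short and two-byte length forms suffice here)."""
    n = len(content)
    ln = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + ln + content


def sample_extensions(ca=True, critical=True, path_len=None):
    """Build a TBSCertificate [3] EXPLICIT Extensions block holding one basicConstraints."""
    bc = der(0x01, b"\xff") if ca else b""           # DER omits the DEFAULT FALSE value
    if path_len is not None:
        bc += der(0x02, bytes([path_len]))
    ext = der(0x06, BASIC_CONSTRAINTS_OID) + (der(0x01, b"\xff") if critical else b"")
    ext += der(0x04, der(0x30, bc))
    return der(0xA3, der(0x30, der(0x30, ext)))


if __name__ == "__main__":
    # Usage: python check_ica.py issued-ica.der  (or .pem); no argument runs the samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(check_intermediate_ca(load_cert_bytes(f.read())))
    else:
        print(check_intermediate_ca(sample_extensions(ca=True, critical=True, path_len=0)))
        print(check_intermediate_ca(sample_extensions(ca=False)))
```

A missing or non-critical basicConstraints, or cA = false, means the gateway cannot act as an issuing CA and most verifiers will reject anything it signs, so treat a failed check as a template or profile misconfiguration rather than a device problem. As a practitioner recommendation not documented on this page, an unmanaged ICA that only issues end-entity certificates is best constrained with pathLenConstraint 0, which stops a compromised gateway from minting further subordinate CAs; raise this with your DigiCert representative when the template is cloned.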