Create service user

Service users do not have access to the DigiCert® KeyLocker UI. Service users are generally used for automation of workflows on a machine such as a build server because they can perform cryptographic actions and sign files using our client tools.

Service users are only identified by an alias and an email address for notifications.

Create service user

Follow these steps to create a service user:

Sign in to DigiCert ONE.
Navigate to Manager menu icon (top-right).
Select DigiCert® Account Manager.
In the left navigation bar, select Access > Service user.
Select Create service user.

Enter the following service user information:

Field	Description
Friendly name	A unique, easily identifiable name for the user.
Description	Further illustrate the purpose of this user. This is an optional field.
End date	Determines when the service user credential expires. This is an optional field.
Email	Email address of the person managing this credential.
Accounts that can use this service user	Select accounts that connect to this user.
DigiCert ONE Manager access	Select DigiCert® KeyLocker. Anmerkung Additionally select DigiCert® Account Manager if the user is required to manage other users, accounts, or organizations for the DigiCert ONE account.

Select Next.

Assign the necessary DigiCert® KeyLocker role for the service user:

Beispiel 1. KeyLocker Lead

The KeyLocker Lead role is usually assigned to an account lead who manages assets, users, and is able to sign with the key stored in DigiCert® KeyLocker.

The DigiCert® KeyLocker Lead role has the following permissions assigned:

Category	Permission	Description
User settings	Default	User can view their own user profile and generate their own API key and client authentication certificate in DigiCert® KeyLocker.
User settings	Manage user	User can: View details for all users, accounts, and organizations. Modify, add, or remove users. Generate the API key and client authentication certificate for service users because they do not have access to DigiCert® KeyLocker.
Account settings	Manage CertCentral API key	User can delete, disable, enable, setup, update and validate a CertCentral API key.
Certificates	View certificate	User can view certificate details in the account.
Certificates	Revoke certificate	User can revoke certificates in the account.
Keypairs	View keypair	User can view keypair details in the account.
Keypairs	Manage keypair	User can update the keypair alias.
Signatures	Sign	User can sign.

Beispiel 2. KeyLocker Signer

The KeyLocker Signer role is usually assigned to an engineer or an authenticated device that signs software.

The DigiCert® KeyLocker Signer role has the following permissions assigned:

Category	Permission	Description
User settings	Default	User can view their own user profile and generate their own API key and client authentication certificate in DigiCert® KeyLocker.
Certificates	View certificate	User can view certificate details in the account.
Keypairs	View keypair	User can view keypair details in the account.
Signature	Sign	User can sign.

Assign an Account Manager role for the service user, if necessary:

Beispiel 3. Account admin

The Account admin role is used for the primary point of contact for managing account setup and user access.