Skip to main content

Create a certificate management policy

Notice

Creating a certificate management policy requires an existing certificate profile. Make sure a certificate profile is set up before proceeding.

Follow the steps below to create a certificate management policy in DigiCert® Device Trust Manager. This guide outlines how to create a certificate management policy, including each step of the create certificate management policy wizard.

  1. Sign in to DigiCert® ONE as a Solution Administrator.

  2. In the Device Trust Manager menu, select Certificate management > Certificate management policies.

  3. Select Create certificate management policy.

To create the certificate management policy, follow the steps in each section of the wizard as outlined below.

  1. Enter a Name for the certificate management policy.

  2. Choose a Division to assign the policy to. Only users from this division will be able to view and manage certificates under this policy.

  3. Select an Authentication policy if required for EST, SCEP, CMPv2, or ACME methods.

  4. Choose the device group association for the policy:

    • Select This certificate management policy will always be used with a device group to link certificates with device records. This association enables automated renewals, secure updates, and threat monitoring.

    • Select This certificate management policy will not be used with a device group to issue standalone certificates that are not linked to device records, which limits additional management capabilities.

  5. Choose the Certificate management methods that will be supported by this policy, such as single certificate requests, batch certificate requests, DigiCert TrustEdge agent, EST, CMPv2, or SCEP. [Admonition about how these will be configured in the cert management method step.]

  6. Select Next to proceed to the certificate settings step.

  1. Choose a Certificate profile that defines the certificate structure, including subject fields, extensions, and validity period.

  2. Select an Issuing CA from the available options. This is the Certificate Authority that will sign the certificates issued under this policy.

  3. Set the Keypair generation preferences:

    • Select Local keypair generation if the requestor will provide CSRs or public keys in their certificate request.

    • Select Server-side keypair generation if DigiCert will generate the keypairs and return the encrypted private key with the certificate.

    • Choose Allow the requestor to select local or server-side keypair generation at the time of their certificate request to provide flexibility during the certificate request process. If this option is chosen, specify the default key type and size, such as RSA 2048 or P-256.

  4. Select Next to continue to the certificate management method settings step.

Important

The options available in this step depend on the certificate management methods selected during the General settings step. Make sure that you select the appropriate methods in the General settings to access the relevant configuration options.

  1. If enabled, configure Single certificate request through portal and API settings:

    1. Set the encryption method for DigiCert server-side generated private keys:

      • Use TLS session encryption to protect the private key: Select this option to use TLS session-based encryption.

        • Choose the Private key file syntax passed in response to certificate requests through API for each algorithm.

      • Encrypt private key with an encryption certificate: Opt for this method to have the private key encrypted with a client-provided encryption certificate. You can:

        • Require the requestor to provide an encryption certificate at the time of their request.

        • Upload an encryption certificate.

        • Use an authentication certificate from your profile.

      • Encrypt the private key in a PKCS12 formatted file protected with a password: Choose this to package the private key in a PKCS12 file format.

        • Provide a passcode, or if left blank, a passcode must be set during each certificate request.

    2. Choose the API certificate requests - Certificates returned in response - Include certificate chain to root CA:

      • Include full chain of CAs and root CA to ensure the response contains the full certificate chain.

      • Include the issuing CA if only the intermediate CA should be returned.

      • Do not include any CAs if the response should not include any part of the chain.

    3. If applicable, enable Respond with certificate only - Removes additional certificate information to limit the response to the certificate without any supplemental details.

      • Choose the Default certificate file format to return.

    4. Enable Split response if the API should return different certificate components (for example, the certificate and chain) separately.

  2. If enabled, configure Batch certificate request through portal and API settings:

    1. Under Encryption certificate used to protect private keys generated in batch certificate requests, select one of the following options:

      • Require the requestor to provide an encryption certificate at the time of their certificate request: This option mandates that the requestor supplies an encryption certificate during the batch request.

      • Upload an encryption certificate: Choose this to upload an encryption certificate that will be used by default for protecting private keys.

      • Use an authentication certificate from my profile: This option uses an existing authentication certificate associated with your profile to encrypt private keys.

    2. Choose the Private key file syntax passed in response to certificate requests through API for each algorithm.

    3. Under My requests will be submitted using a comma separated value (CSV) file, select:

      • A CSV file containing the values required to request certificates will be provided when making batch certificate requests: This indicates that a CSV file with device-specific data will be used for the batch process.

      • A range of MAC addresses will be specified for the common name of the certificates in the batch request: This setting automatically assigns common names using a starting MAC address, the number of certificates, and an increment value for each certificate.

    4. Set the Certificate format and file extension:

      • Choose the Default certificate file format (e.g., PEM or other available formats).

      • Select the Format of the file containing your batch of certificates (e.g., Zipped file containing your certificates).

      • Optionally, specify the Certificate file extension if needed.

      • Enable Match the certificate file extension for private keys to ensure that private keys use the same extension as the certificates.

    5. Configure Certificate chain options:

      • Include root and intermediate certificates only as separate files in the download package: This option packages only the root and intermediate certificates as standalone files.

      • Also package intermediate certificates with each end entity certificate: Includes intermediate certificates alongside each end-entity certificate.

      • Also package root and intermediate certificates with each end entity certificate: Bundles both root and intermediate certificates with every end-entity certificate.

    6. Select the Batch results log format:

      • Choose CSV or JSON for the format of the log file that includes the results of each certificate request in the batch.

    7. Under When the batch request is finished, send email to these contacts, provide the email addresses to receive notifications once the batch process completes.

    8. In Select an option for who can download the batch of certificates:

      • Only users with a DigiCert ONE user account assigned to my account and with the proper permission may download the batch of certificates: Restricts downloads to authorized DigiCert ONE users.

      • Allow users without a DigiCert ONE user account to download the batch certificates: Permits non-DigiCert ONE users to download the certificates.

  3. If enabled, configure TrustEdge agent settings:

    1. Choose a Request format type. The request format type determines how TrustEdge agent structures the certificate request.

      • PKCS10: A standard Certificate Signing Request (CSR) format that includes the public key and identifying information of the requester

      • CMC: A flexible certificate request format that supports a range of certificate management functions. Choose an issuing CA with this type.

    2. Optionally, choose a request format specification:

      • TPM2_ATTEST: This option uses Trusted Platform Module (TPM) 2.0 to provide device attestation, allowing the device to present proof of its identity and integrity.

      • SKG: Secure Key Generation (SKG) employs the device’s secure hardware module to generate keys and verify the device’s identity.

      • TRUSTED_SIGNER: With this option, the device uses a pre-approved trusted key to sign the certificate request.

    3. Enter any certificate attributes key alias. The certificate attributes key alias is a unique identifier used to specify which key the TrustEdge agent should use when requesting certificates. This helps distinguish between multiple keys stored on the device, ensuring the correct key is referenced during certificate operations.

    4. Choose which key algorithms are used for certificates requested via the TrustEdge agent.

    5. Under Certificate Attributes passed in a CSR you can specify custom attributes that will be included in the Certificate Signing Request (CSR).

      • Select Add optional certificate attribute fields to add supported attributes.

    6. Choose a Key source. This is where the key will be generated.

  4. If enabled, set details for CMPv2 (Certificate Management Protocol version 2):

    • By default, Explicit client confirmation is selected. Deselect if this is not needed.

    • If Explicit client confirmation is selected, define the expiration time for requests.

  5. Select Next to continue to the usage restrictions step.

Configure limitations for when and how the certificate management policy can be used.

  1. If needed, toggle individual usage restrictions to limit certificate management policy usage:

    • Allowed IP addresses: Toggle to add and enter each IP address, IP address range, or wildcard IP addresses specify the IP addresses or ranges that are permitted to request certificates. This can include single IPs, ranges, or wildcard IPs.

    • Operational hours: Toggle to set the operational hours by choosing a Time zone and defining the Hours during which certificate requests are allowed.

    • Operational dates: Toggle to set a start date (Valid from) and an end date (Valid to) for when the certificate management policy can be used.

  2. Select Finish to create the certificate management policy.