Profiles

A profile in DigiCert® Private CA defines the certificate-issuance policy for a specific protocol and includes all parameters that the protocol itself can’t carry. For example:

  • Protocol and version (SCEP, EST, or CMP)

  • The issuing CA and certificate template

  • Certificate validity period and renewal window

  • Allowed key types and signature algorithms

  • Authentication methods

Profile setup

To enable protocol-based enrollment, you first create a profile for the desired protocol.

At a high level, the process involves:

  1. Defining the issuance settings, such as the protocol, CA, and certificate template.

  2. Specifying how the client authenticates its first request and subsequent renewals.

  3. Setting validity, renewal window, and any protocol-specific options (for example, encryption algorithm for SCEP responses).

  4. Saving the configuration to generate a unique URL.

The URL is the main result of this setup. It serves as the endpoint your devices and apps use to connect to your private CA.

To create a profile or to see your existing profiles, select Profiles from the main menu in DigiCert® Private CA.

How a profile works

Copy the URL from the profile details and configure your client application or device to use it to connect with your private CA. The URLs have this structure:

EST → /.well-known/est/CA_<ProfileID>/simpleenroll

SCEP → /certificate-authority/api/v1/scep/<ProfileID>/cgi-bin/pkiclient.exe

CMP → /certificate-authority/api/v1/cmp/<ProfileID>

The client uses this URL and its configured authentication method to:

  • Enroll for a new certificate

  • Renew an existing certificate

  • (CMP) Revoke a certificate
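Because the profile URL carries both the protocol and the profile ID, a device configuration can be checked against the list of profiles you intended to deploy. The following is an added example, not DigiCert code: it parses the three URL layouts shown above and flags devices whose URL points at an unexpected host, an unknown profile, or the wrong protocol for a profile. The host name, profile IDs, inventory format, and function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Path layouts copied from the page. <ProfileID> is matched as one opaque path
# segment, which is an assumption: the page does not define its format.
PATTERNS = {
    "EST": re.compile(r"/\.well-known/est/CA_([^/]+)/simpleenroll"),
    "SCEP": re.compile(r"/certificate-authority/api/v1/scep/([^/]+)/cgi-bin/pkiclient\.exe"),
    "CMP": re.compile(r"/certificate-authority/api/v1/cmp/([^/]+)"),
}

def classify_enrollment_url(url):
    """Return (protocol, profile_id, host) for a profile URL, else raise ValueError."""
    parts = urlsplit(url)
    if not parts.hostname:
        raise ValueError("not an absolute URL")
    for protocol, pattern in PATTERNS.items():
        match = pattern.fullmatch(parts.path)
        if match:
            return protocol, match.group(1), parts.hostname
    raise ValueError("path matches no profile URL layout")

def audit(configs, approved, ca_host):
    """Compare device enrollment URLs ({device: url}) with the approved
    inventory ({profile_id: protocol}); return {device: finding} for deviations."""
    findings = {}
    for device, url in configs.items():
        try:
            protocol, profile_id, host = classify_enrollment_url(url)
        except ValueError as exc:
            findings[device] = str(exc)
            continue
        if host != ca_host:
            findings[device] = f"unexpected host {host}"
        elif profile_id not in approved:
            findings[device] = f"unknown profile {profile_id}"
        elif approved[profile_id] != protocol:
            findings[device] = f"profile {profile_id} is {approved[profile_id]}, URL is {protocol}"
    return findings

# Constructed sample data: the host and profile IDs are placeholders.
CA_HOST = "ca.example.internal"
APPROVED = {"P-EST-01": "EST", "P-SCEP-01": "SCEP", "P-CMP-01": "CMP"}
CONFIGS = {
    "router-1": f"https://{CA_HOST}/.well-known/est/CA_P-EST-01/simpleenroll",
    "printer-7": f"https://{CA_HOST}/certificate-authority/api/v1/scep/P-SCEP-01/cgi-bin/pkiclient.exe",
    "plc-3": f"https://{CA_HOST}/certificate-authority/api/v1/cmp/P-SCEP-01",
    "cam-9": "https://other.example.net/certificate-authority/api/v1/cmp/P-CMP-01",
    "kiosk-2": f"https://{CA_HOST}/certificate-authority/api/v1/scep/P-OLD-99/cgi-bin/pkiclient.exe",
}
```

Calling `audit(CONFIGS, APPROVED, CA_HOST)` returns findings only for the three deviating devices; correctly configured devices are omitted.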