
Import trust anchor certificate

Follow this procedure to import and sign with code signing certificates issued by CAs other than DigiCert.

Tip

When an account user uploads the root and ICA certificate, an approval process is triggered that requires the system administrator to approve the certificate import. The approval process can be bypassed if the certificate is imported by a system user.

Step 1: Import root certificate

To import the root certificate:

  1. Sign in to DigiCert ONE.

  2. Select the Manager menu (top right) > Software Trust.

  3. Navigate to: Account > Trust anchor certificates.

  4. Click Import trust anchor certificate.

  5. Complete the following fields:

    Field

    Description

    Trust anchor certificate alias

    Provide a unique name to identify this certificate in Software Trust Manager.

    Trust anchor type

    Select the certificate type:

    • Private

      Private trust anchor certificates are specific to an organization's internal PKI and are used to establish trust within that organization's closed environment. They are not automatically trusted by external systems and are not part of the public trust infrastructure.

    • Public

      Public trust anchor certificates are widely recognized and trusted by a broad range of systems and are used for securing internet communications.

    Note

    Trust anchor type can be changed by a system administrator during approval.

    Access

    Select the type of certificate access:

    • Restricted

      Only allows this account to use this trust anchor certificate.

    • Open

      Allows all accounts to use this trust anchor certificate.

    Note

    Trust anchor access can be changed by a system administrator during approval.

    File type

    Select the format based on the specific requirements of your system or application using the certificate. Many systems and software libraries can handle both formats, so the choice often comes down to compatibility and the need for human readability.

    • PEM

      Base64 encoded format is human-readable and uses delimiters (-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----) to mark the start and end of the certificate data.

    • DER

      This file type is encoded in binary format, is not human-readable, and is a compact representation of the certificate data that does not include any delimiters or extra formatting.

    Upload

    Upload the certificate. Supported file formats: .PEM, .KEY, .CRT, .CER, and .CERT.

  6. Select Import trust anchor certificate.

    Note

    Performing this action requires an approval from the system administrator before you can begin using this certificate or import your ICA certificate. Ensure that the root certificate is approved before you import its ICA in step 2 below.

Step 2: Import ICA certificate

While importing an ICA certificate, Software Trust Manager checks if the root certificate (issuer) is in the system and automatically ties it to the root certificate.

To import the ICA certificate:

  1. Sign in to DigiCert ONE.

  2. Select the Manager menu (top right) > Software Trust.

  3. Navigate to: Account > Trust anchor certificates.

  4. Click Import trust anchor certificate.

  5. Complete the following fields:

    Field

    Description

    Trust anchor certificate alias

    Provide a unique name to identify this certificate in Software Trust Manager.

    Trust anchor type

    Select the certificate type:

    • Private

      Private trust anchor certificates are specific to an organization's internal PKI and are used to establish trust within that organization's closed environment. They are not automatically trusted by external systems and are not part of the public trust infrastructure.

    • Public

      Public trust anchor certificates are widely recognized and trusted by a broad range of systems and are used for securing internet communications.

    Note

    Trust anchor type can be changed by a system administrator during approval.

    Access

    Select the type of certificate access:

    • Restricted

      Only allows this account to use this trust anchor certificate.

    • Open

      Allows all accounts to use this trust anchor certificate.

    Note

    Trust anchor access can be changed by a system administrator during approval.

    File type

    Select the format based on the specific requirements of your system or application using the certificate. Many systems and software libraries can handle both formats, so the choice often comes down to compatibility and the need for human readability.

    • PEM

      Base64 encoded format is human-readable and uses delimiters (-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----) to mark the start and end of the certificate data.

    • DER

      This file type is encoded in binary format, is not human-readable, and is a compact representation of the certificate data that does not include any delimiters or extra formatting.

    Upload

    Upload the certificate. Supported file formats: .PEM, .KEY, .CRT, .CER, and .CERT.

  6. Select Import trust anchor certificate.

    Tip

    Performing this action requires an approval from the system administrator before you can begin using this certificate.
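A pre-upload check for two points in steps 1 and 2, the PEM or DER file type and the issuer link between the ICA and its root, as an added example that is not DigiCert code. It assumes the link can be checked by comparing the encoded issuer and subject names byte for byte and does not verify signatures; the function names and the sample certificates (empty keys, dummy signatures) are constructed for illustration.

```python
import base64, re

def tlv(tag, body):
    """DER-encode one element (bodies under 256 bytes); builds the samples only."""
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + body

def elements(buf):
    """Split DER bytes into (tag, value) pairs, one per top-level element."""
    out, pos = [], 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                      # long form: next n bytes hold the length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > len(buf):
            raise ValueError("truncated DER")
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def fields(data):
    """tbsCertificate fields of a PEM or DER upload, optional version tag dropped."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", data, re.S)
    der = base64.b64decode(m.group(1)) if m else data
    tbs = elements(elements(elements(der)[0][1])[0][1])
    return tbs[1:] if tbs[0][0] == 0xA0 else tbs   # serial, sigAlg, issuer, validity, subject, key

def precheck(root, ica):
    """Name-level problems in a root/ICA pair; signatures are not verified."""
    r, i = fields(root), fields(ica)
    checks = [(r[2] == r[4], "root is not self-issued"),
              (i[2] == r[4], "ICA issuer does not match root subject")]
    return [msg for ok, msg in checks if not ok]

# Constructed samples: certificate-shaped DER with empty keys and dummy signatures.
def name(cn):
    return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))))

def sample_cert(issuer, subject):
    e = tlv(0x30, b"")
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + e
           + name(issuer) + e + name(subject) + e)
    return tlv(0x30, tlv(0x30, tbs) + e + tlv(0x03, b"\x00"))

ROOT = sample_cert("Example Root CA", "Example Root CA")
ICA = sample_cert("Example Root CA", "Example Issuing CA")
ICA_PEM = b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(ICA) + b"-----END CERTIFICATE-----\n"
```

An empty list from `precheck(root_bytes, ica_bytes)` means the pair is consistent at the name level; a full check would also verify the ICA's signature against the root's public key.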

Step 3: Activate trust anchor certificate

After your root and ICA certificates have been approved by the system user, each certificate will display as approved in the status column to indicate that it is ready to be activated. If the status column indicates Pending approval or Rejected, reach out to a system administrator for more information.

Note

This action can be performed by an account user with the Manage certificate hierarchy permission, Lead or Team Lead role.

To activate a trust anchor certificate:

  1. Sign in to DigiCert ONE.

  2. Select the Manager menu (top right) > Software Trust.

  3. Navigate to: Account > Trust anchor certificates.

  4. Hover over the trust anchor certificate alias that you want to activate.

  5. Click the activate (play) icon that appears to the right of the certificate alias.

Step 4: Generate keypair

You require the View keypair and Generate keypair permissions to create a keypair.

To generate a keypair:

  1. Sign in to DigiCert ONE.

  2. Select the Manager menu (top right) > Software Trust.

  3. Navigate to: Keypairs > Create keypair.

  4. Complete the required fields.

  5. Click Create keypair.

Step 5: Generate a CSR

You require the Manage keypair permission to generate a CSR.

If the Generate CSR option is not visible in your account even though you have the correct permission, CSR generation may be disabled on your account.

To generate a CSR:

  1. Sign in to DigiCert ONE.

  2. Navigate to the Manager menu (top right) > Software Trust.

  3. Select Keypairs.

  4. In the keypair alias column, identify the keypair you want to use to generate the CSR.

  5. Hover over the specific keypair alias until icons appear to the right.

  6. Select the more actions (⁝) icon.

  7. Select Generate CSR.

  8. Complete the following fields:

    Field

    Description

    Organization

    Select the organization name associated with this CSR from the drop-down menu. This is an optional field.

    Email

    Provide an email address associated with this CSR. This is an optional field.

    Organizational Unit (OU)

    Provide an organizational unit, often a department or team name associated with this CSR. Use a comma to list multiple OUs. This is an optional field.

  9. Select Generate CSR.

  10. Select one of the following options:

    1. Select the copy icon next to CSR to copy the CSR in plaintext.

    2. Select Download CSR to download the CSR as a file.

Step 6: Obtain a certificate from an external CA

Use the CSR generated in step 5 to obtain a certificate from a third-party CA.

Step 7: Import certificate issued by external CA

You require the Import certificate permission to import a code signing certificate.

To import a code signing certificate issued by a third-party CA:

  1. Sign in to DigiCert ONE.

  2. Select the Manager menu (top right) > Software Trust.

  3. Navigate to: Keypairs.

  4. Hover over the keypair alias that you used to generate the CSR until the icon appears.

  5. Click the icon.

  6. Select Import certificate.

  7. Complete the following fields:

    Field

    Description

    Certificate alias

    Name to uniquely identify this certificate.

    File type

    Select the file type. Supported file types: .der and .pem.

    Default certificate

    Check this box if you want this certificate to be the default certificate for the keypair.

    Upload

    Upload the keypair. Supported file types: .pem and .key.

  8. Select Import certificate.

Note

You are ready to sign with a code signing certificate issued by an external CA.