
Auto-enrollment and renewal of a certificate

Note

This feature is available from version 1.2.0.

When you sign in to DigiCert® Trust Assistant, certificates are automatically issued and renewed into the respective tokens, based on the profile the administrator has assigned to you.

Pre-requisites

The following must be met for auto-enrollment and auto-renewal to work:

  • Sign in to DigiCert Trust Assistant through DigiCert ONE login. Refer to User sign-in for more information.

  • A certificate profile with auto-enroll/renew enabled must be assigned to you. If the profile is restricted to an authorized user group, you must be a member of that group. Refer to Create DigiCert ONE login profile for more information.

  • Initialize the token with a PIN when using DigiCert Software KeyStore. Refer to Initialize token for more information.

  • Install the driver and set up the PIN when using hardware tokens. Refer to Supported hardware tokens for more details.

Enrollment and Renewal Timings

DigiCert Trust Assistant checks for enrollment and renewal regularly.

After starting DigiCert Trust Assistant for the first time, it selects a random time within the first hour to perform the initial check (with separate times for enrollment and renewal). It then runs the check at the same time each day.

In addition, an enrollment check runs immediately after each successful sign-in, so newly assigned certificates are issued without waiting for the scheduled daily check.

Auto-enrollment

If DigiCert Trust Assistant detects a profile assigned to you, it automatically enrolls and issues the certificate to the configured token. Depending on the token’s requirements, you may need to enter an access PIN or login password.

PIN requirement

The following table shows whether a PIN or password is required for each token type during enrollment.

Table 1. PIN requirement

  • DigiCert Software KeyStore: PIN required *

  • MacOS Keychain (shown as MacOS Crypto in the Navigation Menu): login password required *

  • Windows Certificate Store (shown as Windows CryptoAPI in the Navigation Menu): not required

  • Hardware tokens: PIN required *

* If you are already logged into the token, the PIN or password may not be requested, depending on the session configuration. Refer to Key storage management for more information about session management.

Using hardware tokens

If the hardware token is not plugged into the machine when the auto-enrollment check runs in the background, DigiCert Trust Assistant sends a notification (visible under Notifications) asking you to plug in the token, together with a link to trigger the enrollment manually.

Using multiple machines

If you use more than one machine, certificates with the same Subject DN can be issued to each of them from the same profile. This happens automatically when you install DigiCert Trust Assistant on another machine and sign in, provided the profile has the Allow duplicate certificates option selected.

Warning

Automatic enrollment on multiple machines does not happen for profiles configured with hardware tokens.

Auto renewal

When the certificate reaches the renewal window defined in the certificate profile, DigiCert Trust Assistant will renew the certificate automatically.

Auto renewal is triggered in the following cases:

  • Renewal window reached: The certificate must be within the renewal period.

  • Valid status: Only valid certificates can be renewed. Expired, revoked, or suspended certificates cannot be renewed. If DigiCert Trust Assistant detects that no valid certificate exists for the profile, it will attempt to auto-enroll a new certificate.

  • Certificate must exist on the device: Certificates issued on another machine's software token cannot be renewed unless migrated. Certificates stored on a hardware token will be renewed automatically when the token is plugged in.

  • Not already renewed: The certificate must not have been previously renewed.
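The scheduling and renewal rules above can be read as one decision procedure: at each check, decide per profile whether to renew, to enroll a fresh certificate because no valid one exists, or to do nothing. The following Go program is an added illustration of those rules and is not DigiCert Trust Assistant code; the Cert and Profile types, the Decide and NextCheck functions, and the sample dates are assumptions made for the example. Renewal takes precedence over enrollment, a valid certificate on another machine blocks enrollment but cannot be renewed here, and NextCheck reproduces the "random offset within the first hour, then same time daily" schedule.

```go
package main

import (
	"fmt"
	"math/rand"
	"time"
)

// Action is the outcome of one scheduled check for a single profile.
type Action int

const (
	NoAction Action = iota
	Renew
	Enroll
)

func (a Action) String() string {
	return [...]string{"no action", "renew", "enroll"}[a]
}

// Cert is a constructed, minimal view of a certificate the client knows
// about for a profile (hypothetical type, not the product's data model).
type Cert struct {
	NotAfter       time.Time
	Revoked        bool // revoked or suspended: never renewable
	OnThisDevice   bool // false for a software-token cert issued on another machine
	AlreadyRenewed bool // a certificate is renewed at most once
}

// Profile carries the one setting the decision needs: how long before
// expiry the renewal window opens (assumed to be expressed as a duration).
type Profile struct {
	RenewalWindow time.Duration
}

// Valid mirrors the page's "valid status": not revoked/suspended and not expired.
func (c Cert) Valid(now time.Time) bool {
	return !c.Revoked && now.Before(c.NotAfter)
}

// Decide applies the renewal rules in order. A renewable certificate wins;
// otherwise, if no valid certificate exists at all, a fresh enrollment is due.
func Decide(now time.Time, p Profile, certs []Cert) Action {
	anyValid := false
	for _, c := range certs {
		if !c.Valid(now) {
			continue
		}
		anyValid = true
		inWindow := !now.Before(c.NotAfter.Add(-p.RenewalWindow))
		if inWindow && c.OnThisDevice && !c.AlreadyRenewed {
			return Renew
		}
	}
	if !anyValid {
		return Enroll
	}
	return NoAction
}

// NextCheck returns the next daily run: the first run happens at
// firstStart+offset, every later run exactly 24h after the previous one.
func NextCheck(firstStart time.Time, offset time.Duration, now time.Time) time.Time {
	next := firstStart.Add(offset)
	for !next.After(now) {
		next = next.Add(24 * time.Hour)
	}
	return next
}

func main() {
	now := time.Date(2025, 6, 1, 12, 0, 0, 0, time.UTC) // constructed clock
	p := Profile{RenewalWindow: 30 * 24 * time.Hour}

	// Random offset within the first hour, as the page describes; the
	// separate enrollment and renewal checks would each draw their own.
	offset := time.Duration(rand.Int63n(int64(time.Hour)))
	fmt.Println("first check at", NextCheck(now, offset, now))

	fmt.Println("no certs:         ", Decide(now, p, nil))
	fmt.Println("in window, local: ", Decide(now, p, []Cert{{NotAfter: now.Add(10 * 24 * time.Hour), OnThisDevice: true}}))
	fmt.Println("in window, remote:", Decide(now, p, []Cert{{NotAfter: now.Add(10 * 24 * time.Hour)}}))
	fmt.Println("revoked only:     ", Decide(now, p, []Cert{{NotAfter: now.Add(10 * 24 * time.Hour), Revoked: true, OnThisDevice: true}}))
}
```

The "in window, remote" case is the one practitioners trip over: a software-token certificate that lives on another machine keeps the profile satisfied, so neither renewal nor re-enrollment happens on this machine until the certificate is migrated.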

PIN password requirement

This process is similar to enrollment. The difference is that, at renewal, DigiCert requires a signature made with the key of the old certificate as proof of possession. This may result in two authentication steps: one to sign with the old key and another to import the new certificate into the token.

If you are already logged into the token, and depending on the session configuration, these prompts may not appear. Refer to Key storage management for more information about session management.
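To make the proof-of-possession step concrete, here is an added example in Go, using only the standard library; it is not DigiCert Trust Assistant or DigiCert ONE code and does not reproduce DigiCert's actual renewal protocol. It assumes a simplified exchange: the client builds a CSR for a new key and signs the CSR bytes with the old certificate's key (the first PIN prompt), and the CA side checks that the old certificate is still within its validity period, that the CSR's own signature and subject are consistent with it, and that the detached signature verifies under the old certificate's public key. The RenewalRequest type, the function names and the ECDSA P-256 keys are choices made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// RenewalRequest is a constructed stand-in for what a client sends at renewal:
// the CSR for the new key plus a signature over it made with the old key.
type RenewalRequest struct {
	OldCertDER []byte
	CSRDER     []byte
	PoP        []byte // ECDSA ASN.1 signature over SHA-256(CSRDER), made by the old key
}

// newOldIdentity creates the "current" certificate: a self-signed ECDSA cert
// valid from yesterday for 10 more days. Self-signed only to keep the example
// offline; a real client would hold a CA-issued certificate here.
func newOldIdentity(now time.Time) (*ecdsa.PrivateKey, []byte, pkix.Name, error) {
	subject := pkix.Name{CommonName: "alice@example.com"} // constructed subject
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, subject, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      subject,
		NotBefore:    now.Add(-24 * time.Hour),
		NotAfter:     now.Add(10 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return key, der, subject, err
}

// BuildRenewalRequest plays the client: generate the new key pair, produce a
// CSR for it, then sign the CSR with the OLD key. This signing is the step
// that may trigger the first PIN prompt on a token.
func BuildRenewalRequest(oldKey *ecdsa.PrivateKey, oldCertDER []byte, subject pkix.Name) (*RenewalRequest, error) {
	newKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: subject}, newKey)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(csrDER)
	pop, err := ecdsa.SignASN1(rand.Reader, oldKey, digest[:])
	if err != nil {
		return nil, err
	}
	return &RenewalRequest{OldCertDER: oldCertDER, CSRDER: csrDER, PoP: pop}, nil
}

// VerifyRenewalRequest plays the CA side. A production CA would additionally
// check its own issuance records and revocation status for the old certificate.
func VerifyRenewalRequest(req *RenewalRequest, now time.Time) error {
	oldCert, err := x509.ParseCertificate(req.OldCertDER)
	if err != nil {
		return fmt.Errorf("old certificate: %w", err)
	}
	if now.Before(oldCert.NotBefore) || now.After(oldCert.NotAfter) {
		return errors.New("old certificate is not within its validity period")
	}
	csr, err := x509.ParseCertificateRequest(req.CSRDER)
	if err != nil {
		return fmt.Errorf("csr: %w", err)
	}
	// The CSR's own signature proves possession of the NEW key.
	if err := csr.CheckSignature(); err != nil {
		return fmt.Errorf("csr self-signature: %w", err)
	}
	if csr.Subject.String() != oldCert.Subject.String() {
		return errors.New("csr subject does not match the certificate being renewed")
	}
	pub, ok := oldCert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("old certificate key is not ECDSA")
	}
	// The detached signature proves possession of the OLD key.
	digest := sha256.Sum256(req.CSRDER)
	if !ecdsa.VerifyASN1(pub, digest[:], req.PoP) {
		return errors.New("proof of possession failed: signature not made by the old key")
	}
	return nil
}

func main() {
	now := time.Now()
	oldKey, oldCertDER, subject, err := newOldIdentity(now)
	if err != nil {
		panic(err)
	}
	req, err := BuildRenewalRequest(oldKey, oldCertDER, subject)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine renewal:", VerifyRenewalRequest(req, now))
	fmt.Println("after expiry:   ", VerifyRenewalRequest(req, now.Add(30*24*time.Hour)))
}
```

Two facts from the page show up directly in the verifier: an expired certificate is rejected before any signature is checked, which is why expired, revoked or suspended certificates fall back to enrollment, and the signature must come from the key already on the token, which is why a certificate issued on another machine's software token cannot be renewed from this one.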

Post-processing scripts

If a certificate profile is configured with post-processing scripts, they will run after a certificate is successfully issued or renewed.

You will receive a notification about the success or failure of these scripts. If a script fails, you can re-run it from the notification message.

For more details about post-processing scripts, refer to Post-processing Scripts.