Create a certificate profile for REST API

To create a profile using the REST API enrollment method:

  1. In DigiCert® Trust Lifecycle Manager, go to Policies > Certificate profiles.

  2. Select Create profile from template.

  3. Select the Public S/MIME Secure Email (via CertCentral) base template.

  4. On the Primary options page, configure the following:

    • Profile name: Enter a profile name.

    • Business unit: Select the appropriate business unit.

    • Connector: Select the CertCentral connector.

    • CertCentral division: Select a division to associate certificates with the linked CertCentral account.

    • Certificate type: Select the certificate type to define the S/MIME validation method.

    • Generation type: Select one of the following options:

      • Strict: Issues a Public S/MIME certificate that complies with strict S/MIME Baseline Requirements.

      • Multipurpose: Issues a Public S/MIME certificate that supports both email signing and encryption.

      Note

      • Strict and multipurpose generation certificates support a maximum validity period of 825 days.

      • For sponsor-validated certificate types, selecting strict or multipurpose requires the Subject DN (GivenName/Surname or Pseudonym). Common Name is not supported.

      • For strict generation certificates, the client_auth EKU and data_encipherment KU are not supported and are removed from the profile wizard.

    • Issuing CA: Select a publicly trusted issuing CA.

    • Select REST API as the enrollment method.

  5. Select Next.

  6. On the Certificate options page:

    • Under Certificate fields, select the certificate validity period, key type and size, and signing algorithm.

    • Under Renewal options, set the renewal window.

    • Under Subject DN and SAN fields, configure the required Subject DN and SAN certificate fields, and their sources.

    Note

    The Allow duplicate certificates option is system-enabled, which allows issuing duplicate certificates with the same Subject DN.

  7. On the Extensions page, configure the required Key Usages and Extended Key Usages extension details.

  8. Select Next.

  9. On the Additional options page:

    • Under Email configuration & notifications, enable and configure revocation email templates.

    • Under Organization and contact details, select the organization and contact details. All issued certificates are bound to the selected organization and include the organization value inside the Subject DN.

  10. Select Next.

  11. On the Advanced settings page, select one or more service users configured with an API key or certificate to manage this profile. If no service user is selected, all account-bound API keys or certificates can manage the profile.

  12. Select Create to save the profile configuration.
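
Once the profile is issuing certificates, the limits from the Generation type note (825-day maximum validity, and for strict generation no client_auth EKU or data_encipherment KU) can be checked on each returned certificate. The following is an added example, not DigiCert code: it uses only the Go standard library, the names `StrictViolations` and `SampleDER` are hypothetical, and the sample certificate is a constructed self-signed fixture signed with an all-zero test key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// StrictViolations parses a DER certificate and lists breaches of the strict-generation limits.
func StrictViolations(der []byte) (violations []string, err error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	if cert.NotAfter.Sub(cert.NotBefore) > 825*24*time.Hour {
		violations = append(violations, "validity exceeds 825 days")
	}
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageClientAuth {
			violations = append(violations, "client_auth EKU present")
		}
	}
	if cert.KeyUsage&x509.KeyUsageDataEncipherment != 0 {
		violations = append(violations, "data_encipherment KU present")
	}
	return violations, nil
}

// SampleDER builds a constructed, self-signed test certificate (not a DigiCert-issued one).
func SampleDER(days int, ku x509.KeyUsage, eku ...x509.ExtKeyUsage) ([]byte, error) {
	key := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // all-zero seed: test fixture only
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		EmailAddresses: []string{"user@example.com"},
		NotBefore:      now,
		NotAfter:       now.Add(time.Duration(days) * 24 * time.Hour),
		KeyUsage:       ku,
		ExtKeyUsage:    eku,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
}

func main() {
	der, _ := SampleDER(900, x509.KeyUsageDataEncipherment, x509.ExtKeyUsageClientAuth) // failure shows as a parse error
	fmt.Println(StrictViolations(der))
}
```

In practice, pass the DER bytes of the certificate returned by enrollment to `StrictViolations` and treat any non-empty result as a profile misconfiguration to investigate.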