Create a certificate profile for CMP
You need one or more certificate profiles for Certificate Management Protocol (CMP) enrollment in DigiCert® Trust Lifecycle Manager.
In each profile, select CMP as the enrollment method and configure the properties for the issued certificates. After a CMP-enabled profile is created, Trust Lifecycle Manager generates the unique CMP URL that is used to enroll and renew certificates using Initialization Request (IR) and Key Update Request (KUR) operations.
To create a certificate profile, perform the following steps:
In the Trust Lifecycle Manager main menu, select Policies > Certificate profiles.
Select the Create profile from template action at the top of the page.
Select one of the following templates as the basis for creating the certificate profile:
Generic User Certificate
Generic Device Certificate
Generic Private Server Certificate
Private S/MIME Secure Email
Public S/MIME Secure Email using CMP (via CertCentral)
Note
If you have not yet created a CertCentral CA connector, you will see the summary steps to create one.
CertCentral Private Server Certificate (for Telefonica, via Oracle as their tech partner)
CertCentral Public Server Certificate (for Telefonica, via Oracle as their tech partner)
On the initial Primary options screen of the profile creation wizard:
Enter a profile name.
Select a Business unit, Certificate type, and a publicly-trusted Issuing CA from the respective dropdown lists.
Select CMP from the Enrollment method dropdown list.
Select TLS Certificate Auth from the Authentication method dropdown list.
Select Next and configure the following on the Certificate options page:
Validity period
Signing algorithm
Key type and size
Flow options
Note
Duplicate certificates are set to Yes. Also, we do not support a Cloud Key Escrow option yet.
Set the required Subject DN and SAN certificate fields. The source for the field values will be automatically set to CMP.
Select Next to configure the Key Usages and Extended Key Usages extensions as per your S/MIME requirements.
On the Additional options screen:
Add Organizations details. Select or search for an organization from the list of organizations available on your account. All issued certificates will be bound to the selected organization and include the Organization value inside the Subject DN.
Add Contact details. Select contact details (Name, Email, Phone) linked to the validated organization, or select custom contact details.
Optionally, enter one or more Tags to identify certificates issued from the profile being created.
Select Next to configure Advanced settings:
Leave the Seat ID Mapping value set to SAN RFC822 name (email).
In the Service User binding dropdown, select the service user you created for GBS access.
Select Create to save the profile configuration.
Copy the CMP URL. This URL is required when configuring the email gateway software.