Create the autoenrollment certificate profile
Once you have configured API access and prepared the configuration utility, you need to create a certificate profile for Autoenrollment Server to use.
Notice
Your administrator account needs to include at least the Certificate profile manager user role to create certificate profiles.
Create a certificate profile
Sign into DigiCert ONE and navigate to DigiCert® Trust Lifecycle Manager.
Select Policies > Certificate profiles from the main menu.
Select Create profile from template.
Select the certificate template for the type of certificate you need.
Note
The appropriate license for the seat type of the selected template must be purchased and available in your account; otherwise that template's link is disabled.
Under the General information section, enter the profile Nickname and choose the Business Unit and issuing CA.
From the Enrollment method dropdown, select Microsoft Autoenrollment.
Note
When Microsoft Autoenrollment is selected as the enrollment method, the Authentication method defaults to Active Directory.
Select the desired Enrollment mode radio button:
Silent — Certificate enrollment is fully automatic and is not visible to the user
Inform user — Windows prompts the user to initiate a certificate enrollment
Check Allow private key to be exported if users need to be able to export their certificates and private keys.
Check Publish certificate to Active Directory to allow certificates to be published to your Active Directory.
When selecting Yes, you will need to assign a special permission to the Autoenrollment Server to allow certificate publishing. Refer to “Allow Publishing to Active Directory” for more details.
Select Next.
Under Certificate fields, select the validity period unit (Years, Months, or Days) and enter the value in the textbox.
Note
You cannot issue an end entity certificate with a validity period longer than the remaining validity of the issuing CA. The issuing CA expiration date is shown as a reference in this section.
Select the Algorithm from the available algorithms in the dropdown list. Available algorithms are based on the issuing CA selected for the profile.
Select the Key type and attribute from the dropdown lists.
Select the checkbox to Allow duplicate certificates if multiple certificates are to be issued for the same seat ID.
Under Renewal options, select the Renewal window from the dropdown list. The default (recommended) value is 30 days.
Select Subject DN and SAN fields from the dropdown list. Select as many fields as required for your certificates, then select Add fields.
For each selected field, the Source for the field’s value dropdown list on the right defaults to Active Directory attribute, as this is the only currently supported source for autoenrollment certificate profiles.
Note
Some Subject DN fields allow multiple values to be added. Select Add and specify the source and Active Directory attribute field for each additional entry. The example below shows the Organization units field.
Specify which certificate fields are mandatory using the Required checkbox.
The SAN fields allow multiple values to be added for each. Select the Add link and specify the source and value for each additional field. This is shown for RFC822 Name (Email) below but also applies for Other Name (UPN) and Other Name (Custom) fields.
Specify the Key usage (KU) extension criticality and values. Note that the KU options shown differ depending on the certificate template being used.
Specify the Extended key usage (EKU) extension criticality and values. Note that the EKU options shown differ depending on the certificate template being used.
Under Certificate delivery format, select the certificate format to use and chain certificates to include when certificates are issued.
Under Email configuration & notifications, specify the template to be used for certificate revocation notification emails.
Under Administrative contact, specify whether to include default or custom administrative contact details in certificate notification emails. Note that including internal support contact details for end users is optional but recommended.
Under Seat ID Mapping, select the certificate field to be used as the seat ID. This uniquely identifies each enrollment entity, for licensing purposes.
Under Service User binding, select the Service user API token to be bound to the certificate profile. If no Service user is selected from the dropdown, then all API tokens in the account will be able to manage this profile.
Select Create. Your newly created certificate profile is now displayed in the certificate profiles list.
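After clients have enrolled, it is worth confirming on a Windows endpoint that the certificates actually reflect the profile settings chosen above (private key exportability, EKU, renewal window). The following PowerShell script is an added example, not DigiCert's code; it assumes the issuing CA name contains the placeholder EXAMPLE-ISSUING-CA, that the profile disallowed key export, used the default 30-day renewal window, and included the Client Authentication EKU (1.3.6.1.5.5.7.3.2).

```powershell
# Added example (not DigiCert's code): audit certificates that Autoenrollment Server
# issued into the current user's store against the profile settings chosen above.
# Assumptions (placeholders): issuer name contains 'EXAMPLE-ISSUING-CA', key export was
# not allowed, renewal window is 30 days, expected EKU is Client Authentication.
$IssuerMatch       = 'EXAMPLE-ISSUING-CA'
$ExpectExportable  = $false
$RenewalWindowDays = 30
$ExpectedEkuOids   = @('1.3.6.1.5.5.7.3.2')

function Get-PrivateKeyExportable {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { return $null }
    # Keys held by the CNG key storage provider (the usual case) expose an export policy.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        return ($rsa.Key.ExportPolicy -ne [System.Security.Cryptography.CngExportPolicies]::None)
    }
    # Legacy CryptoAPI (CSP) keys carry the flag on the key container instead.
    if ($Cert.PrivateKey -and $Cert.PrivateKey.CspKeyContainerInfo) {
        return [bool]$Cert.PrivateKey.CspKeyContainerInfo.Exportable
    }
    return $null   # non-RSA or inaccessible key: exportability unknown
}

function Test-AutoenrolledCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ku  = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $eku = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @()
    if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $kuText = 'missing'
    if ($ku) { $kuText = "$($ku.KeyUsages) (critical=$($ku.Critical))" }
    $exportable = Get-PrivateKeyExportable -Cert $Cert
    $daysLeft   = [math]::Floor(($Cert.NotAfter - (Get-Date)).TotalDays)
    [pscustomobject]@{
        Subject         = $Cert.Subject
        Thumbprint      = $Cert.Thumbprint
        DaysUntilExpiry = $daysLeft
        RenewalDue      = ($daysLeft -le $RenewalWindowDays)   # inside the profile's renewal window
        KeyUsage        = $kuText
        EkuOk           = (@($ExpectedEkuOids | Where-Object { $ekuOids -notcontains $_ }).Count -eq 0)
        ExportableOk    = ($exportable -eq $ExpectExportable)  # also $false when exportability is unknown
    }
}

# Walk the user's personal store and report every certificate from the issuing CA.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Issuer -like "*$IssuerMatch*" } |
    ForEach-Object { Test-AutoenrolledCertificate -Cert $_ } |
    Format-Table -AutoSize
```

Run it in the context of an autoenrolled user; an ExportableOk or EkuOk value of False points at a profile setting that does not match what you intended.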