Create an ACME-based profile for private Microsoft certificates
Before you begin
You need a Microsoft CA connector that links DigiCert® Trust Lifecycle Manager to the Microsoft certificate authority (CA) for issuing the certificates.
Create the certificate profile
From the DigiCert® Trust Lifecycle Manager main menu, select Policies > Certificate profiles.
Select the Create profile from template button at the top.
Select the Microsoft CA Private Server Certificate template as the basis for creating the profile.
Fill in the Primary options for your new certificate profile:
Profile name: Enter a friendly name for this profile.
Business unit: Select the business unit (BU) for certificates issued from this profile. The business unit needs Certificate management seats allocated to it before certificates can be issued (see Prerequisites).
Connector: Select the CA connector for your Microsoft issuing CA.
Issuing CA certificate template: Select the external certificate template that the Microsoft CA uses to issue certificates.
Enrollment method: Select 3rd-party ACME client.
Verify the Certificate options and Extensions the Microsoft CA will use when issuing certificates. These come from the issuing CA certificate template you selected in the previous step. To make changes, go back and select a different issuing CA certificate template.
Select any Additional options for:
Email configuration and notifications: Email communications settings for certificate lifecycle event notifications.
Contact details: Add an administrative contact for issued certificates.
Tags: Enter custom tags to apply to all certificates issued from this profile. Tags help identify the certificates for tracking and management purposes.
Select Create to save the new certificate profile and generate the ACME credentials for it. The ACME URL and EAB credentials popup window launches, showing the following fields:
ACME Directory URL: Base URL to use when requesting certificate automations. For hosted DigiCert ONE accounts, this should be https://one.digicert.com/mpki/api/v1/acme/v2/directory
KID: Key identifier for your new certificate profile.
HMAC key: Used to encrypt and authenticate your account key during automation events.
Copy your unique external account binding (EAB) credentials and store them somewhere safe. You can use the "copy" icon next to each field to copy it to your clipboard, or select the Copy all button to copy them all at once.
After copying the new ACME credentials, Close the popup window.
Note
When you create an ACME-based certificate profile, the ACME credentials for it are displayed only once. There is no way to retrieve this information once you have navigated away from it. If you ever lose your ACME credentials, you will need to regenerate the ACME credentials for that profile.