
Dynamic keypairs

When you create a dynamic keypair, you define the parameters that every replacement keypair will use. Every 15 minutes, the dynamic keypair and its certificate are deleted and replaced with a new keypair and certificate generated from the same parameters. This ensures that each signature is produced with a fresh key and adds an additional layer of security.

Create a dynamic keypair

You require the Generate keypair permission to create a keypair.

  1. Sign in to DigiCert ONE.

  2. Select the Manager menu (top right) > Software Trust.

  3. Navigate to: Keypairs > Create keypair.

  4. Complete the following fields:

    | Field | Description |
    |---|---|
    | Keypair type | Select Dynamic (keypair will change every time you complete a signature). |
    | Keypair alias | Name to uniquely identify this keypair. |
    | Team | Select a team that should have access to this keypair. Note: you will only see this field if you enable Teams under Account settings. |
    | Keypair profile | Select a keypair profile. If you have selected a team, you will only see keypair profiles allocated to that team. |
    | Algorithm | Select RSA, ECDSA, or EdDSA. Note: when you select EdDSA, the key curve is set to Ed25519. |
    | Key size | Select 2048, 3072, or 4096. |
    | Keypair category | Select Production or Test. |
    | Keypair storage | Select whether the keypair should be generated and stored on HSM or Disk. |
    | Keypair status | Select Online (can be used to sign anytime) or Offline (can only be used to sign during a scheduled release). |
    | Access | Select Open (can be used by any account user) or Restricted (can only be used by specified users or members of a specified user group). |
    | Allowed users | For Restricted keypairs, you can specify which users can use the keypair. |
    | Allowed user groups | For Restricted keypairs, you can specify one or more groups that are authorized to use the keypair. |
    | Generate certificate | When this box is checked, the keypair is generated together with a corresponding default certificate. |

  5. Click Create keypair.

Refresh dynamic key

You can refresh a dynamic key from Software Trust Manager or SMCTL.

Dynamic keys in Audit logs

To search for recently refreshed dynamic keypairs:

  1. Sign in to DigiCert ONE.

  2. Select the Manager menu (top right) > Software Trust.

  3. Navigate to: Logs > Audit logs.

  4. Identify the Type column and filter by Dynamic.

  5. Identify the Action column and filter by Refresh.

Dynamic keys in signature logs

To search for signatures completed with the dynamic key:

  1. Sign in to DigiCert ONE.

  2. Select the Manager menu (top right) > Software Trust.

  3. Navigate to: Logs > Signature logs.

  4. Identify the Keypair alias column and filter by the keypair alias, or identify the Keypair ID column and filter by the specific dynamic keypair ID.
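The two log searches above (filtering audit logs by Type = Dynamic and Action = Refresh, and filtering signature logs by keypair alias or keypair ID) can also be run over an exported copy of the logs. The following script is an added example and is not part of the DigiCert ONE product or documentation. It assumes a CSV export with the column names shown on this page (Type, Action, Keypair alias, Keypair ID) plus an assumed Timestamp column; the log rows themselves are constructed for illustration. It applies the same two filters, then goes one step further than the page: it checks that refreshes actually arrive on the 15-minute cadence the page states, and it cross-checks each signature against the keypair ID that the audit log says was active at signing time.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample audit-log export. "Type", "Action", "Keypair alias" and
# "Keypair ID" are column names from the page; "Timestamp" is an assumption.
AUDIT_LOG_CSV = """Timestamp,Type,Action,Keypair alias,Keypair ID
2024-05-01T10:00:00Z,Dynamic,Refresh,build-signer,kp-0001
2024-05-01T10:02:00Z,Static,Sign,release-signer,kp-0042
2024-05-01T10:15:00Z,Dynamic,Refresh,build-signer,kp-0002
2024-05-01T10:30:00Z,Dynamic,Refresh,build-signer,kp-0003
2024-05-01T11:05:00Z,Dynamic,Refresh,build-signer,kp-0004
"""

# Constructed sample signature-log export (same assumptions about layout).
SIGNATURE_LOG_CSV = """Timestamp,Keypair alias,Keypair ID,Result
2024-05-01T10:05:00Z,build-signer,kp-0001,Success
2024-05-01T10:20:00Z,build-signer,kp-0002,Success
2024-05-01T10:21:00Z,release-signer,kp-0042,Success
2024-05-01T10:40:00Z,build-signer,kp-0003,Success
2024-05-01T10:45:00Z,build-signer,kp-0001,Success
"""

ROTATION_INTERVAL = timedelta(minutes=15)  # cadence stated on the page
TOLERANCE = timedelta(minutes=1)           # assumed slack for logging delay


def parse_log(text):
    """Parse a CSV export into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def dynamic_refresh_events(audit_rows):
    """Same filter as the UI: Type = Dynamic and Action = Refresh."""
    return [r for r in audit_rows
            if r["Type"] == "Dynamic" and r["Action"] == "Refresh"]


def refresh_gaps(audit_rows):
    """Per keypair alias, the intervals between consecutive refreshes."""
    by_alias = {}
    events = sorted(dynamic_refresh_events(audit_rows),
                    key=lambda r: parse_ts(r["Timestamp"]))
    for r in events:
        by_alias.setdefault(r["Keypair alias"], []).append(parse_ts(r["Timestamp"]))
    return {alias: [b - a for a, b in zip(ts, ts[1:])]
            for alias, ts in by_alias.items()}


def late_refreshes(audit_rows):
    """Aliases whose refresh interval exceeded 15 minutes plus tolerance."""
    limit = ROTATION_INTERVAL + TOLERANCE
    return {alias: [g for g in gaps if g > limit]
            for alias, gaps in refresh_gaps(audit_rows).items()
            if any(g > limit for g in gaps)}


def signatures_for(sig_rows, alias=None, keypair_id=None):
    """Same filter as the UI: by Keypair alias, by Keypair ID, or both."""
    return [r for r in sig_rows
            if (alias is None or r["Keypair alias"] == alias)
            and (keypair_id is None or r["Keypair ID"] == keypair_id)]


def active_key_at(audit_rows, alias, when):
    """Keypair ID from the most recent refresh of `alias` at or before `when`."""
    events = [r for r in dynamic_refresh_events(audit_rows)
              if r["Keypair alias"] == alias and parse_ts(r["Timestamp"]) <= when]
    if not events:
        return None
    return max(events, key=lambda r: parse_ts(r["Timestamp"]))["Keypair ID"]


def unexpected_signatures(audit_rows, sig_rows, alias):
    """Signatures whose Keypair ID does not match the key active at that time."""
    return [r for r in signatures_for(sig_rows, alias=alias)
            if r["Keypair ID"] != active_key_at(audit_rows, alias,
                                                parse_ts(r["Timestamp"]))]


if __name__ == "__main__":
    audit = parse_log(AUDIT_LOG_CSV)
    sigs = parse_log(SIGNATURE_LOG_CSV)
    print("refresh events:", len(dynamic_refresh_events(audit)))
    print("late refreshes:", late_refreshes(audit))
    print("signatures by kp-0002:", signatures_for(sigs, keypair_id="kp-0002"))
    print("mismatched signatures:", unexpected_signatures(audit, sigs, "build-signer"))
```

In the constructed data the third gap for build-signer is 35 minutes, so it is reported as late, and the last signature row claims kp-0001 while the audit log shows kp-0003 was the active key, so it is reported as a mismatch. Both findings are exactly the kind of thing worth reviewing when the rotation guarantee on this page is relied on.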