Create an enrollment profile
In DigiCert ONE®, in the Manager menu (top right), select DigiCert® IoT Trust Manager.
In the DigiCert® IoT Trust Manager menu, select Enrollment configurations > Enrollment profiles.
On the Enrollment profiles page, select Create profile.
Step 1: General settings
On the Create enrollment profile page, under General enrollment profile settings, complete the following tasks:
Enter the Enrollment profile name
This name is how you identify the profile on the Enrollment profile page and on forms that require an enrollment profile, such as the Certificate request form.
Select a device profile
In the Device profile dropdown, select the device profile.
Next to Select device profile, select the expand arrow to view the mandatory and optional fields included in the device profile.
If no fields have been added to the device profile, nothing is listed.
Under Certificate enrollment methods, select the method for enrolling the certificates.
Only one enrollment method can be used in the enrollment profile. To use multiple enrollment methods, create an enrollment profile for each method.
DigiCert REST APIs and DigiCert ONE portal
Request certificates directly from DigiCert® IoT Trust Manager in DigiCert ONE or via the DigiCert® IoT Trust Manager REST API.
API
Integrate the certificate enrollment process with your system, tools, or assembly line using the DigiCert® IoT Trust Manager REST API.
Portal – single certificate enrollment
Enroll for a certificate directly from DigiCert® IoT Trust Manager in DigiCert ONE®.
Portal – batch enrollment
Enroll for a batch of certificates from DigiCert® IoT Trust Manager in DigiCert ONE.
Standard certificate enrollment protocols
Place certificate requests using any of the protocols listed below:
EST
Enrollment over Secure Transport Protocol (EST) relies on SSL/TLS to securely transport messages and certificates. This protocol enables you to tie the certificate signing request (CSR) to a trusted device over TLS. In this process, the private key is on the device, so the certificate is sent only to the device that requested it.
SCEP
Simple Certificate Enrollment Protocol (SCEP) relies on secured messages passed over HTTP. This protocol uses shared secrets to authenticate the device's certificate request.
CMPv2
Certificate Management Protocol version 2 (CMPv2) is used for getting X.509 digital certificates from a Certificate Authority (CA). CMPv2 messages are self-contained, making the protocol independent of the transport mechanism and providing end-to-end security.
Automatic Certificate Management Environment (ACME)
Place certificate requests using your ACME client. The client uses a set of JavaScript Object Notation (JSON) messages carried over HTTPS.
Certificate import
Use an existing certificate or XML file to define the enrollment profile fields.
Select Next.
Step 2a: Certificate settings
These settings appear when you select one of these enrollment methods: DigiCert REST APIs and DigiCert ONE portal, Standard certificate enrollment protocols, or Automatic Certificate Management Environment (ACME).
Select a certificate profile
The certificate profile sets the certificate details for the enrollment profile.
On the Certificate settings page, under Select a certificate profile, in the Certificate profile dropdown, select the certificate profile to use for the enrollment profile.
Next to Select certificate profile, select the expand arrow to view the profile details, such as the common name and signature algorithm.
Select issuing Certificate Authority (CA) certificate: Intermediate or Root
The CA certificate issues certificates requested through this enrollment profile.
Under Select issuing intermediate CA, in the Issuing intermediate CA dropdown, select the issuing CA certificate for the enrollment profile.
Next to Select issuing intermediate CA, select the expand arrow to view the profile details, such as the common name.
Select who should generate the keypairs for the certificate requests
This option only appears if you selected Portal – batch enrollment under DigiCert REST APIs and DigiCert ONE portal.
Under "Who generates the keypairs for the certificate requests?", select one of the following options and provide additional information as needed:
I will generate the keypairs and provide CSRs or public keys
When you request batch certificates, you must generate the keypairs and include the CSRs or public keys with the request.
DigiCert ONE generates the keypairs and returns encrypted certificates and private keys
When you request batch certificates, DigiCert ONE® generates the keypairs.
For batch certificate requests where DigiCert ONE generates the keypairs, the requestor must have an authentication certificate. We use the requestor's authentication certificate to encrypt the keypairs and certificates.
Enroller chooses local, or DigiCert ONE generates the keys
Set the default value for the DigiCert ONE generated keypair
In the Default value when DigiCert ONE generates the keys dropdown, select the default value for the keypair.
Allow user to change
Check this box to allow the batch certificate requestor to change the keypair value.
Select Next.
Step 2b: Certificate settings
These settings appear when you select the Certificate import enrollment method.
Import a certificate or an XML file
Use the imported certificate or XML file to define the field attributes for the enrollment profile.
On the Certificate settings page, under Certificate settings, select Import certificate or XML sample and import the certificate or XML file.
If uploading an XML File, make sure it includes the enrollment fields as attributes.
If uploading an existing certificate, make sure it is in PEM format.
Verify that the enrollment fields are correct and then select Next.
Step 3: Device field mapping
This page allows you to determine which values entered during certificate enrollment should be used to populate the device profile fields. Device profile fields come from the device profile selected during Step 1: General settings.
For certificate requests placed from DigiCert® IoT Trust Manager in DigiCert ONE®, these fields appear in the Device values section of the certificate request form.
On the Device field mapping page, use the Enrollment profile field dropdown to select the values you want to use to populate the Device profile fields.
Required versus not required mappings
If mappings are required, the Next button remains grayed out until you add the required mappings.
If mappings are not required, you can choose to leave the fields blank or add a mapping. Leaving the mapping blank does not stop you from selecting Next.
Items to note
<User provided> option
Instead of predefining what value to use, allow the requestor to add the value.
This option only appears when you select the DigiCert REST APIs and DigiCert ONE portal enrollment method.
<No mapping> option
If a mapping is not required and you don't want to include the mapping in your enrollment profile, use the No mapping option.
If a mapping is required, the No mapping option does not let you advance. You must define the value for the mapping (for example, IP_Address for Device Identifier).
This option appears when you select any of the following enrollment methods:
Standard certificate enrollment protocols
Automatic Certificate Management Environment (ACME)
Certificate import
Leaving a "not required" mapping blank
If you are unsure what value to use for the mapping, leave it blank. After creating the enrollment profile, you can update the mapping as needed.
When ready, select Next.
Step 4: Usage restrictions (optional)
This page allows you to restrict or limit the usage of your enrollment profile. Configure only the restrictions and limitations needed for your profile.
If your profile does not require restrictions or limitations, select Finish. You can skip to What's next.
Allowed IP addresses
Option 1: Restrict IP address access to enrollment profile
Select Add IP address.
In the IP address field, enter an IP address.
Repeat the process for each additional IP address.
Option 2: Allow all IP addresses access to the enrollment profile
Select Limited; this moves the toggle to Unlimited.
When you set the IP addresses to unlimited, all previously entered "allowed" IP addresses are removed.
In the Limitation popup window, select Agree.
Operational hours
Option 1: Limit operational hour access to enrollment profile
Use the Time zone dropdown to select the time zone for the operational hours restriction.
Under Hours, in the From and To fields, select the clock icons to set start and end times for operational hour access to the enrollment profile.
The clock is a 24-hour clock. Set start and end times in hours, minutes, and seconds.
Option 2: Allow 24-hour access to enrollment profile
Select Limited; this moves the toggle to Unlimited.
Operational dates
Option 1: Limit operational date access to enrollment profile
To set the start date for operational date access to the enrollment profile, in the Valid from field, select the calendar icon.
If you don't want to set a beginning date, leave the Valid from field blank. You can also select Limited; this moves the toggle to Unlimited.
To set the end date for operational date access to the enrollment profile, in the Valid to field, select the calendar icon.
If you don't want to set the ending date, leave the Valid to field blank. You can also select Limited; this moves the toggle to Unlimited.
Option 2: Allow unlimited operational date access to enrollment profile
Above Valid from, select Limited; this moves the toggle to Unlimited.
Above Valid to, select Limited; this moves the toggle to Unlimited.
When done, select Finish.
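The Step 4 restrictions as an added, illustrative check (not DigiCert's code; the data model, the empty-means-Unlimited convention and the past-midnight window rule are assumptions): given a profile's IP, hours and date toggles, it reports which restrictions an enrollment request from a given source address and time would violate, which is handy when reviewing a profile before putting it into service.

```python
from dataclasses import dataclass, field
from datetime import date, datetime, time, timedelta, timezone, tzinfo
from ipaddress import ip_address
from typing import List, Optional, Set

@dataclass
class UsageRestrictions:
    """Assumed model of the Step 4 toggles: an empty IP set, a missing From/To pair or a missing date means Unlimited."""
    allowed_ips: Set[str] = field(default_factory=set)   # Allowed IP addresses
    time_zone: tzinfo = timezone.utc                     # Time zone dropdown
    hours_from: Optional[time] = None                    # 24-hour clock, h:m:s
    hours_to: Optional[time] = None
    valid_from: Optional[date] = None                    # blank = no beginning date
    valid_to: Optional[date] = None                      # blank = no ending date

def check_enrollment(r: UsageRestrictions, client_ip: str, request_time_iso: str) -> List[str]:
    """Return the restrictions a request violates; an empty list means it is allowed.
    request_time_iso is an ISO 8601 timestamp with a UTC offset, e.g. 2024-06-03T15:30:00+00:00."""
    problems: List[str] = []
    # Allowed IP addresses: Limited only while at least one address is listed.
    if r.allowed_ips and ip_address(client_ip) not in {ip_address(a) for a in r.allowed_ips}:
        problems.append(f"source {client_ip} is not an allowed IP address")
    # Hours and dates are judged in the profile's time zone, not the server's.
    local = datetime.fromisoformat(request_time_iso).astimezone(r.time_zone)
    # Operational hours: compare local wall-clock time with the From/To window.
    # Assumption: a window whose To is earlier than From wraps past midnight.
    if r.hours_from is not None and r.hours_to is not None:
        t = local.time()
        if r.hours_from <= r.hours_to:
            in_window = r.hours_from <= t <= r.hours_to
        else:
            in_window = t >= r.hours_from or t <= r.hours_to
        if not in_window:
            problems.append(f"local time {t} is outside operational hours")
    # Operational dates: each bound is independent and inclusive when set.
    d = local.date()
    if r.valid_from is not None and d < r.valid_from:
        problems.append(f"{d} is before Valid from {r.valid_from}")
    if r.valid_to is not None and d > r.valid_to:
        problems.append(f"{d} is after Valid to {r.valid_to}")
    return problems

# Constructed sample profile: one allowed address, 08:00-18:00 in a fixed UTC-4 zone, calendar year 2024.
SAMPLE = UsageRestrictions(
    allowed_ips={"203.0.113.10"}, time_zone=timezone(timedelta(hours=-4)),
    hours_from=time(8, 0, 0), hours_to=time(18, 0, 0),
    valid_from=date(2024, 1, 1), valid_to=date(2024, 12, 31),
)
```

A fixed offset stands in for the Time zone dropdown so the sample runs without tzdata; in practice you would pass a zoneinfo.ZoneInfo object so daylight-saving changes are honoured.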