
Import trust anchor certificate

Learn how to import and sign with code signing certificates issued by third-party CAs.

Tip

When an account user uploads the root and ICA certificate, an approval process is triggered that requires the system administrator to approve the certificate import. The approval process can be bypassed if a system user imports the certificate.

Step 1: Import root certificate

  1. In the Software Trust menu, go to Account > Trust anchor certificates.

  2. Select Import trust anchor certificate.

  3. Complete the following fields:

    Field

    Description

    Trust anchor certificate alias

    Provide a unique name to identify this certificate.

    Trust anchor type

    Select the certificate type:

    • Private

      Private trust anchor certificates are specific to an organization's internal PKI. They're used to establish trust within that organization's closed environment. External systems don't automatically trust them. They aren't part of the public trust infrastructure.

    • Public

      A broad range of systems recognize and trust public trust anchor certificates.

    Note

    During the approval process, a system administrator can change the trust anchor type.

    Access

    Select the type of certificate access:

    • Restricted

      Only allows this account to use this trust anchor certificate.

    • Open

      Allows all accounts to use this trust anchor certificate.

    Note

    During the approval process, a system administrator can change the trust anchor access.

    File type

    Select the format based on the requirements of your system or application using the certificate. Many systems and software libraries can handle both formats, so the choice often comes down to compatibility and the need for human readability.

    • PEM

      Base64 encoded format is human-readable and uses delimiters (-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----) to mark the start and end of the certificate data.

    • DER

      This file type is encoded in binary format. It isn't human-readable and is a compact representation of the certificate data that doesn't include any delimiters or extra formatting.

    Upload

    Upload the certificate. Supported file formats: .PEM, .KEY, .CRT, .CER, and .CERT.

  4. Select Import trust anchor certificate.

    Note

    You must get system administrator approval before using this certificate or importing your ICA certificate. Make sure the root certificate is approved before importing its ICA in Step 2.

Step 2: Import ICA certificate

While importing an ICA certificate, Software Trust checks if the root certificate (issuer) is in the system and automatically ties it to the root certificate.

  1. In the Software Trust menu, go to Account > Trust anchor certificates.

  2. Select Import trust anchor certificate.

  3. Complete the following fields:

    Field

    Description

    Trust anchor certificate alias

    Provide a unique name to identify this certificate.

    Trust anchor type

    Select the certificate type:

    • Private

      Private trust anchor certificates are specific to an organization's internal PKI. They're used to establish trust within that organization's closed environment. External systems don't automatically trust them. They aren't part of the public trust infrastructure.

    • Public

      A broad range of systems recognize and trust public trust anchor certificates.


    Access

    Select the type of certificate access:

    • Restricted

      Only allows this account to use this trust anchor certificate.

    • Open

      Allows all accounts to use this trust anchor certificate.

    Note

    During the approval process, a system administrator can change the trust anchor access.

    File type

    Select the format based on the specific requirements of your system or application using the certificate. Many systems and software libraries can handle both formats, so the choice often comes down to compatibility and the need for human readability.

    • PEM

      Base64 encoded format is human-readable and uses delimiters (-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----) to mark the start and end of the certificate data.

    • DER

      This file type is encoded in binary format. It isn't human-readable, and is a compact representation of the certificate data that doesn't include any delimiters or extra formatting.

    Upload

    Upload the certificate. Supported file formats: .PEM, .KEY, .CRT, .CER, and .CERT.

  4. Select Import trust anchor certificate.

    Tip

    Performing this action requires an approval from the system administrator before you can begin using this certificate.
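A pre-upload check for Steps 1 and 2, as an added example (not DigiCert code): it decides whether each file is PEM or DER from its content rather than its extension, then confirms that the ICA's issuer name equals the root's subject name, the link Software Trust looks for when it imports the ICA. How Software Trust performs its own check isn't described on this page; the function names, the byte-exact name comparison, and the constructed unsigned sample builders (`tlv`, `sample`, `as_pem`) are assumptions of this example.

```python
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def to_der(data):
    """Return (file_type, der), judged by content rather than .crt/.cer extension."""
    blocks = PEM_RE.findall(data)
    if len(blocks) == 1:
        return "PEM", base64.b64decode(b"".join(blocks[0].split()))
    if not blocks and data[:1] == b"\x30":  # DER begins with a SEQUENCE tag
        return "DER", data
    raise ValueError("expected exactly one PEM or DER certificate per file")

def read_tlv(buf, pos):
    """Decode the DER element at pos; return (tag, content_start, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, pos, pos + length

def names(der):
    """Return the raw (issuer, subject) Name encodings of a certificate."""
    pos = read_tlv(der, read_tlv(der, 0)[1])[1]  # into Certificate, then TBSCertificate
    fields = []
    while len(fields) < 5:  # serial, sigAlg, issuer, validity, subject
        tag, _, end = read_tlv(der, pos)
        if tag != 0xA0:  # skip the optional [0] version field
            fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def ica_chains_to(root_file, ica_file):
    """Byte-exact Name linkage only; signatures and validity are not checked."""
    root_issuer, root_subject = names(to_der(root_file)[1])
    return root_issuer == root_subject == names(to_der(ica_file)[1])[0]

# Constructed, unsigned certificate-shaped samples (not real certificates).
def tlv(tag, body):  # short-form length, or 0x81 long form (bodies < 256 bytes)
    return bytes([tag] + ([len(body)] if len(body) < 128 else [0x81, len(body)])) + body

def sample(issuer_cn, subject_cn):
    name = lambda cn: tlv(0x30, tlv(0x31, tlv(0x30, tlv(6, b"\x55\x04\x03") + tlv(12, cn))))
    tbs = (tlv(0xA0, tlv(2, b"\x02")) + tlv(2, b"\x01") + tlv(0x30, b"")
           + name(issuer_cn) + tlv(0x30, b"") + name(subject_cn))
    return tlv(0x30, tlv(0x30, tbs))

def as_pem(der):
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"
```

Pass the raw bytes of your own root and ICA files to `ica_chains_to`; a `False` result means the ICA names a different issuer than the root you are about to import.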

Step 3: Activate trust anchor certificate

Note

To perform this action, you must have a user role that contains the Manage certificate hierarchy permission, or you must be assigned to a Lead or Team Lead role.

After the system user approves your root and ICA certificate, the certificate will appear as Approved. This status indicates that it's ready to be activated. If the status column indicates Pending approval or Rejected, contact a system administrator.

  1. In the Software Trust menu, go to Account > Trust anchor certificates.

  2. Hover over the desired trust anchor certificate.

  3. Select the activate icon.

Step 4: Generate keypair

Note

To perform this action, you must have a user role that contains the View keypair and Generate keypair permissions.

  1. In the Software Trust menu, go to Keypairs > Keypairs.

  2. Select Create keypair.

  3. Complete the required fields.

  4. Select Create keypair.

Step 5: Generate a CSR

Note

To perform this action, you must have a user role that contains the Manage keypair permission.

  1. In the Software Trust menu, go to Keypairs > Keypairs.

  2. Hover over the desired keypair, and then select the more actions icon.

  3. Select Generate CSR.

    • Even with the correct permissions, if the Generate CSR option isn't visible, then it may be disabled for your account.

  4. Complete the following fields:

    Field

    Description

    Organization name (optional)

    Select the organization name associated with this CSR from the drop-down menu. This is an optional field.

    Email (optional)

    Provide an email address associated with this CSR. This is an optional field.

    Organizational unit (optional)

    Provide an organizational unit, often a department or team name associated with this CSR. Use a comma to list multiple OUs. This is an optional field.

  5. Select Generate CSR.

  6. Copy or download the CSR.

Step 6: Obtain a certificate from an external CA

Use the CSR generated in Step 5 to obtain a certificate from a third-party CA.

Step 7: Import certificate issued by third-party CA

Note

To perform this action, you must have a user role that contains the Import certificate permission.

  1. In the Software Trust menu, go to Keypairs > Keypairs.

  2. Hover over the desired keypair, and then select the more actions icon.

  3. Select Import certificate.

  4. Complete the following fields:

    Field

    Description

    Certificate alias

    Enter a name to uniquely identify this certificate.

    File type

    Select the file type. Supported file types: .der and .pem.

    Default Cert

    Check this box if you want this certificate to be the default certificate for the keypair.

    Cert

    Upload the keypair. Supported file types: .pem and .key.

  5. Select Submit.

Note

You're ready to sign with a code signing certificate issued by a third-party CA.