Create certificate automation profiles
Certificate automation profiles define specific types of certificates you can issue and manage using DigiCert® Trust Lifecycle Manager automation services. Each certificate profile defines options such as the:
Issuing CA
Enrollment method
Key algorithm and size
Supported certificate fields
You create different profiles for different types of certificates you want to automate through Trust Lifecycle Manager.
Available base templates
To create a certificate profile in Trust Lifecycle Manager, you start with a base template and customize it for your organization's digital trust needs.
To find base templates that support managed automation, look for End-to-end certificate automation in the Use cases column on the Policies > Base templates page in Trust Lifecycle Manager.
The following table lists these available base templates, along with the certificate trust type(s), issuing CA, and required seat and CA connector types for each. To create certificate profiles for managed automation, start with one of these base templates:
| Template name | Trust type | Issuing CA | Seat type | Connector |
|---|---|---|---|---|
| | Private | AWS Private CA | | |
| | Private | DigiCert® CA Manager | N/A | |
| | Private | DigiCert CertCentral® | | |
| | Public | DigiCert CertCentral® | | |
| | Public | Let's Encrypt | | |
| | Private | Microsoft | | |
Note
Trust Lifecycle Manager provides an additional base template called CA Manager Private mTLS Certificate for automating private mutual TLS (mTLS) authentication certificates in Istio service meshes. To learn more about this use case, see the Istio connector guide.
Enrollment methods
Each automation profile defines a specific enrollment method that can be used to request and install certificates from that profile.
You set the enrollment method under the Primary options on the first screen of the profile configuration wizard.
Managed automation
To enroll and manage certificates from the Trust Lifecycle Manager web console using its managed automation tools, select one of the following enrollment methods:
| Enrollment method | Description |
|---|---|
| | Use a simple web-based form to request new certificates with automated delivery to servers, vaults, or the AWS cloud. Trust Lifecycle Manager delivers certificates to the selected systems via DigiCert agents, Azure Key Vault connectors, or AWS unified connectors, respectively. |
| | Automate certificates on web servers. The DigiCert agent on each server coordinates the certificate enrollment process and downloads and installs the resulting certificates on the target endpoints. |
| | Automate certificates on network appliances and cloud services. A DigiCert sensor on your network coordinates the certificate enrollment process and installs the resulting certificates on the target endpoints for the appliances/services it manages. |
Additional use cases
Additional automation-related enrollment methods for managing certificates:
| Enrollment method | Description |
|---|---|
| | Manage certificates from the command-line interface (CLI) on web servers using the Trust Lifecycle Manager ACME service. For more information, see the Third-party ACME client integration guide. |
| | Automate mutual TLS (mTLS) authentication certificates for an Istio service mesh using the Trust Lifecycle Manager ACME service. For more information, see the Istio connector guide. |
| | Request and manage certificates using the Trust Lifecycle Manager REST API service. Use this enrollment method to integrate with and request certificates from ServiceNow. For more information, see the ServiceNow integration guide. |
Auto-renewal
Enable the auto-renew option to prevent outages and make sure you always have valid certificates installed on your systems.
You specify how far in advance of expiration to submit renewal requests, and Trust Lifecycle Manager automatically renews and deploys each certificate to its installed location(s) at that time.
You enable auto-renewal in the Certificate options > Renewal options section of the profile configuration wizard. You can schedule auto-renewal for:
30 days before certificate expiration: This is the default option.
Custom schedule: Specify the number of days before expiration to renew certificates, and the specific time to submit the request.
Notifications
You can set up account-wide notifications to send email alerts about all automated certificate lifecycle events in your account.
You can also set up custom notifications for a specific certificate automation profile, in the Additional options > Email configuration and notifications section of the profile configuration wizard. To configure custom notifications for a profile:
Select who to send the notifications to (requester and/or other recipients) for this profile. For other recipients, enter the email addresses.
Toggle on the Use custom template option for any automation events that should use custom notifications.
Customize the notification options for the event for certificates issued from this profile:
Edit the email subject or body for notifications.
Use the Send email notification checkbox to turn the event notifications on or off.
For renewal events, use the additional checkboxes under Renewal options to configure when the notifications get sent.
What's next
Each certificate under automated lifecycle management has an associated automation profile. When you need to deploy a new certificate on one of your systems, you select an automation profile based on the certificate type and enrollment method you need.