Create a certificate profile with DigiCert Trust Assistant
Account Administrators with appropriate permissions can configure a certificate profile for DigiCert Trust Assistant. For more details on creating a profile, refer to Create certificate profiles.
To create a profile, select the following for each input:
Issuing CA
Select either an RSA or ECDSA-based issuing CA to use DigiCert Trust Assistant.
Enrollment method
Select DigiCert Trust Assistant, and select target keystore options:
Operating System KeyStore - Certificate is installed in KeyChain for macOS and Certificate Store for Windows.
Nota
Certificates installed via the Firefox browser also use the operating system keystore instead of the built-in Firefox certificate store.
DigiCert Software KeyStore – Certificate is installed on a DigiCert proprietary software keystore protected with a PIN.
Nota
To use keys and certificates stored at DigiCert Software KeyStore from browsers or other applications, the Register provider/token must be performed in advance. This registers DigiCert Software KeyStore to the operating system. For Windows, local administrator privilege is required to install and register the provider. For macOS, no administrative privilege is required.
Refer to DigiCert Software KeyStore for more details.
When selecting Operating System KeyStore or DigiCert Software KeyStore for the keyStore, you can allow the export of the private key by checking the Allow private keys to be exported option.
Hardware token - Certificate is installed on the hardware token of your choice.
When choosing a Hardware token for the keystore, you can enforce the use of one or more specific hardware tokens. If the Any option is selected, tokens currently inserted on the end-user workstation and recognized by the DigiCert Trust Assistant will be shown as a selection during the enrollment flow.
Only the formally qualified tokens are recognized by DigiCert Trust Assistant. However, the non-qualified hardware tokens can be additionally recognized by modifying the
.digicert-trust-assistant\config.json
file inside the user's home directory. For more details on customizing the configuration file, refer to Add other hardware tokens.
Authentication method
Select one of the following authentication methods depending on the authentication requirement for your organization's needs:
DigiCert ONE Login - Authenticates users through a single sign-on service enabled in Account Manager. For this method, both manual and auto-enrollment and renewal are supported. For more details, see About DigiCert ONE login profile.
Auto-enroll/renew certificates - Select to allow automatic certificate issuance and renewal.
Restrict user access based on Identity Provider (IdP) metadata - Select this option to configure authorized user groups.
Enrollment Code - Authenticates users using pre-distributed enrollment codes. Refer to Enrollments for more information about this method.
Manual Approval - Authenticates users using manual approval by account administrators. Refer to Enrollments for more information about this method.
SAML IdP - Authenticates users through configured SAML Identity Provider. Refer to the following guides for configuration:
Nota
DigiCert ONE Login
and SAML IdP
looks similar with both using federated protocols as the authentication mechanism, but they are very different. DigiCert ONE Login
was added so that issuance and renewal of the certificates could be done automatically with minimum user intervention. For SAML IdP, entering the user credentials is required every time the user enrolls or renews a certificate.
For more details about DigiCert ONE Login
, see About DigiCert ONE login profile.
Post-processing scripts
Use post scripts to configure certificates seamlessly.
Selecting DigiCert Trust Assistant as an enrollment method also allows assigning one or more post-processing scripts as a part of post-certificate installation tasks. These post-processing scripts simplify the process for end users and ensure that the certificates are correctly configured for secure and seamless use.
Nota
For a successful execution of the post-processing script on the end user's computer, ensure the following:
The root CA is added to Trusted Root Certification Authorities.
The complete certificate chain validation is established. This includes valid AIA, CDP, OCSP, and CRL extensions for end-entity and CA certificates.
If using a third-party platform for device management, ensure that the PowerShell execution policy on Windows client computers is set to
RemoteSigned
.
For more details including the code signing and CA certificates for system scripts, see Post-processing scripts.