Create a certificate profile with DigiCert Trust Assistant
Account Administrators with appropriate permissions can configure a certificate profile for DigiCert Trust Assistant. For more details on creating a profile, refer to Create certificate profiles.
To create a profile, select the following for each input:
Issuing CA
Select either an RSA or ECDSA-based issuing CA to use DigiCert Trust Assistant.
Enrollment method
Select DigiCert Trust Assistant, and select target keystore options:
Operating System KeyStore - Certificate is installed in KeyChain for macOS and Certificate Store for Windows.
Nota
Certificate installed via the Firefox browser also uses the operating system keystore instead of the built-in Firefox certificate store.
DigiCert Software KeyStore – Certificate is installed on a DigiCert proprietary software keystore protected with a PIN.
Nota
To use keys and certificates stored at DigiCert Software KeyStore from browsers or other applications, it is required that the Register provider/token is performed beforehand. This will register DigiCert Software KeyStore to the operating system.For Windows, local administrator privilege is required to install and register the provider. For macOS, no administrative privilege is required.
Refer to DigiCert Software KeyStore for more details.
When selecting Operating System KeyStore or DigiCert Software KeyStore for the keyStore, you can allow the export of the private key by checking the Allow private keys to be exported option.
Hardware token - Certificate is installed on the hardware token of your choice.
When choosing Hardware token for the keystore, you can enforce the use of one or more specific hardware tokens. If the Any option is selected, tokens currently inserted on the end-user workstation and recognized by the DigiCert Trust Assistant will be shown as a selection during the enrollment flow.
Only the formally qualified tokens are recognized by DigiCert Trust Assistant. However, the non-qualified hardware tokens can be additionally recognized by modifying the .digicert-trust-assistant\config.json file inside the user's home directory. For more details on customizing the configuration file, refer to Add other hardware tokens.
Authentication method
Select one of the following authentication methods depending on the authentication requirement for your organization needs:
DigiCert ONE Login - Authenticates users through a single sign-on service enabled in Account Manager. Auto-enroll and renew is only supported for this method.
Auto-enroll/renew certificates - Select to allow automatic certificate issuance and renewal.
Restrict user access based on Identity Provider (IdP) metadata - Select this option to configure authorized user groups.
Enrollment Code - Authenticates users using pre-distributed enrollment codes. Refer to Enrollments for more information about this method.
Manual Approval - Authenticates users using manual approval by account administrators. Refer to Enrollments for more information about this method.
SAML IdP - Authenticates users through configured SAML Identity Provider. Refer to following guides for configuration:
Nota
DigiCert ONE Login and SAML IdP looks similar with both using federated protocols as authentication mechanism, but they are very different. DigiCert ONE Login was added so that issuance/renewal of the certificates could be done automatically with minimum user intervention. Whereas for SAML IdP, entering of the user credential is required every time user enrolls or renews.
Post-processing scripts
Use post scripts to configure certificates seamlessly.
Selecting DigiCert Trust Assistant as an enrollment method also allows assigning one or more post-processing scripts as a part of post-certificate installation tasks. These post-processing scripts simplify the process for end users and ensure that the certificates are correctly configured for secure and seamless use.
Nota
For a successful execution of the post-processing script on the end user's computer, make sure that:
The root CA is added to Trusted Root Certification Authorities.
The complete certificate chain validation is established. This includes valid AIA, CDP, OCSP, and CRL extensions for end-entity and CA certificates.
If using a third-party platform for device management, make sure the PowerShell execution policy on Windows client computers is set to
RemoteSigned
.
For more details including the code signing and CA certificates for system scripts, see Post-processing scripts.