Skip to main content

Obtain a client authentication certificate

You can use a client authentication certificate, referred to as a Registration Authority (RA) certificate, to authenticate Autoenrollment Server requests to DigiCert ONE. Use this method instead of an API token if you will integrate with Windows Hello for Business.

Your RA certificate can be stored on a Hardware Security Module (HSM) or in a software key store in PFX format. The RA certificate storage option you choose determines how the RA certificate must be enrolled.Obtain an RA Certificate to Store in an HSMObtain an RA Certificate as a Software File

Nota

DigiCert recommends the use of a Hardware Security Module to ensure the security of the RA certificate and its corresponding private key. Anyone who has access to the RA certificate and private key can act on your organization's behalf, so the secure storage of your certificate and key is important.

Obtain an RA certificate to store in an HSM

Refer to the HSM guide for details.

Obtain an RA certificate as a software file

Follow the below steps to create a service user (credential which is not bound to an account user) and bind an authentication certificate to use with Autoenrollment Server.

Create the service user and authentication certificate

  1. Navigate to Account Manager.

  2. Select Access from the left navigation menu, then Service User.

  3. Select Create Service user.

  4. On the service user details page, enter the following details:

    • Friendly name: Nickname for the service user.

    • Description (optional): Description of the service user's purpose.

    • End date (optional): Expiration date for the service user.

    • Email: To send notifications regarding the service user.

    • Accounts that can use this service user: Account access for the service user.

    • DigiCert ONE Manager access: Select CA and Trust Lifecycle.

  5. Select Next.

  6. On the Roles and permissions page, assign the following user roles:

    • For CA Manager: Read only

    • For Trust Lifecycle Manager: User and certificate manager and Certificate profile manager

    Aviso

    Alternatively, you can create and assign custom user roles that include the following permissions at minimum:

    For CA Manager: View CA and View CA configuration. For Trust Lifecycle Manager: Certificate management: Manage create plus Profiles & templates: Manage enrollment and Manage profile.

  7. Select Add user.

  8. Each service user has an API token associated with it by default. The token ID isdisplayed in a popup box once the service user is created. If you intend to use thisservice user to make API requests, copy the token ID value and store it in a safelocation—this value will be shown only once.

  9. Navigate to the Service User section and select the service user you created in step7.

  10. Under the Authentication Certificates section, select Create Authentication certificate.

  11. On the Generate authentication certificate page, enter the following details:

    • Nickname

    • End date

  12. Select Generate certificate.

  13. The password for certificate installation will be displayed on popup box. Copy the password and store it in a safe location – this value will be shown only once.

  14. Select Download certificate.

  15. Move the downloaded certificate to the machine running Autoenrollment Server.