Import trust anchor certificate
Follow this procedure to import and sign with code signing certificates issued by CAs other than DigiCert.
Astuce
When an account user uploads the root and ICA certificate an approval process is triggered that requires the system administrator to approve the certificate import. The approval process can be bypassed if the certificate is imported by a system user.
Step 1: Import root certificate
To import the root certificate:
Sign in to DigiCert ONE.
Select the Manager menu (top right) > Software Trust.
Navigate to: Account > Trust anchor certificates.
Click Import trust anchor certificate.
Complete the following fields:
Field
Description
Trust anchor certificate alias
Provide a unique name identify this certificate in Software Trust Manager.
Trust anchor type
Select the certificate type:
Private
Private trust anchor certificates are specific to an organization's internal PKI and are used to establish trust within that organization's closed environment. They are not automatically trusted by external systems and are not part of the public trust infrastructure.
Public
Public trust anchor certificates are widely recognized and trusted by a broad range of systems and are used for securing internet communications.
Note
Trust anchor type can be changed by a system administrator during approval.
Access
Select the type of certificate access:
Restricted
Only allows this account to use this trust anchor certificate.
Open
Allows all accounts to use this trust anchor certificate.
Note
Trust anchor access can be changed by a system administrator during approval.
File type
Select the format based on the specific requirements of your system or application using the certificate. Many systems and software libraries can handle both formats, so the choice often comes down to compatibility and the need for human readability.
PEM
Base64 encoded format is human-readable and uses delimiters (-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----) to mark the start and end of the certificate data.
DER
This file type is encoded in binary format, is not human-readable, and is a compact representation of the certificate data that does not include any delimiters or extra formatting.
Upload
Upload the certificate. Supported file formats: .PEM,. KEY,. CRT, .CER, and .CERT.
Select Import trust anchor certificate.
Note
Performing this action requires an approval from the system administrator before you can begin using this certificate or import your ICA certificate. Ensure that the root certificate is approved before you import its ICA in step 2 below.
Step 2: Import ICA certificate
While importing an ICA certificate, Software Trust Manager checks if the root certificate (issuer) is in the system and automatically ties it to the root certificate.
To import the ICA certificate:
Sign in to DigiCert ONE.
Select the Manager menu (top right) > Software Trust.
Navigate to: Account > Trust anchor certificates.
Click Import trust anchor certificate.
Complete the following fields:
Field
Description
Trust anchor certificate alias
Provide a unique name identify this certificate in Software Trust Manager.
Trust anchor type
Select the certificate type:
Private
Private trust anchor certificates are specific to an organization's internal PKI and are used to establish trust within that organization's closed environment. They are not automatically trusted by external systems and are not part of the public trust infrastructure.
Public
Public trust anchor certificates are widely recognized and trusted by a broad range of systems and are used for securing internet communications.
Note
Trust anchor type can be changed by a system administrator during approval.
Access
Select the type of certificate access:
Restricted
Only allows this account to use this trust anchor certificate.
Open
Allows all accounts to use this trust anchor certificate.
Note
Trust anchor access can be changed by a system administrator during approval.
File type
Select the format based on the specific requirements of your system or application using the certificate. Many systems and software libraries can handle both formats, so the choice often comes down to compatibility and the need for human readability.
PEM
Base64 encoded format is human-readable and uses delimiters (-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----) to mark the start and end of the certificate data.
DER
This file type is encoded in binary format, is not human-readable, and is a compact representation of the certificate data that does not include any delimiters or extra formatting.
Upload
Upload the certificate. Supported file formats: .PEM,. KEY,. CRT, .CER, and .CERT.
Select Import trust anchor certificate.
Astuce
Performing this action requires an approval from the system administrator before you can begin using this certificate.
Step 3: Activate trust anchor certificate
After your root and ICA certificate has been approved by the system user, the certificate will display as approved in the status column to indicate that it is ready to be activated. If the status column indicates Pending approval or Rejected reach out to a system administrator for more information.
Note
This action can be performed by a account user with the Manage certificate hierarchy permission, Lead or Team Lead role.
To activate a trust anchor certificate:
Sign in to DigiCert ONE.
Select the Manager menu (top right) > Software Trust.
Navigate to: Account > Trust anchor certificates.
Hover over the trust anchor certificate alias that you want to activate.
Click the activate (play) icon that appears to the right of the certificate alias.
Step 4: Generate keypair
You require the View keypair and Generate keypair permission to create a keypair.
To generate a keypair:
Sign in to DigiCert ONE.
Select the Manager menu (top right) > Software Trust.
Navigate to: Keypairs > Create keypair.
Complete the required fields.
Click Create keypair.
Step 5: Generate a CSR
You require the Manage keypair permission to generate a CSR.
If the Generate CSR option is not visible in your account even though you have the correct permission, CSR generation may be disabled on your account. Learn more.
To generate a CSR:
Sign in to DigiCert ONE.
Navigate to the Manager menu (top right) > Software Trust.
Select Keypairs.
In the keypair alias column, identify the keypair you want to use to generate the CSR.
Hover over the specific keypair alias until icons appear to the right.
Select the more actions (⁝) icon.
Select Generate CSR.
Complete the following fields:
Field
Description
Organization
Select the organization name associated with this CSR from the drop-down menu. This is an optional field.
Email
Provide an email address associated with this CSR. This is an optional field.
Organizational Unit (OU)
Provide an organizational unit, often a department or team name associated with this CSR. Use a comma to list multiple OUs. This is an optional field.
Select Generate CSR.
Select one of the following options:
Select the copy icon next to CSR to copy the CSR in plaintext.
Select Download CSR to download the CSR as a file.
Step 6: Obtain a certificate from an external CA
Use the CSR generated in step 5 to obtain a certificate from a third party CA.
Step 7: Import certificate issued by external CA
You require the Import certificate permission to import a code signing certificate.
To import a code signing certificate issued by a third party CA:
Sign in to DigiCert ONE.
Select the Manager menu (top right) > Software Trust.
Navigate to: Keypairs.
Hover over keypair alias that you used to generate the CSR, until the ⁝ icon appears.
Click the ⁝ icon.
Select Import certificate.
Complete the following fields:
Field
Description
Certificate alias
Name to uniquely identify this certificate.
File type
Select file type. Supported file types .der and .pem.
Default certificate
Check this box if you want this certificate to be the default certificate for the keypair.
Upload
Upload the keypair. Supported file types: .pem and .key.
Select Import certificate.
Note
You are ready to sign with a code signing certificate issued by an external CA.