
Prerequisites

Before importing trust anchor certificates, ensure that the following requirements are met:

  • The certificate must not be expired.

  • The certificate Key Usage field must include digitalSignature.

  • The certificate CRL Distribution Points (CDP) extension must contain a CRL URL, and the certificate must not be revoked when the revocation status is checked via the corresponding CRL.

  • The certificate Authority Information Access (AIA) extension must contain an OCSP URL, and the certificate must not be revoked when the revocation status is checked via the corresponding OCSP responder.

  • For root CAs only, the certificate must be self-signed.

  • Public certificates must not use SHA1 hash algorithms for the signature.

    Note

    Private certificates may use SHA1 hash algorithms for the signature.
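
The static prerequisites above can be checked with OpenSSL before an import is attempted. The script below is an added example, not part of the product or its documentation: the function names and the root/intermediate and public/private arguments are assumptions, and it confirms only that the CRL and OCSP URLs are present, not the revocation status itself.

```sh
# Added example (not vendor code). Function names and the KIND/SCOPE
# arguments are assumptions made for this sketch.

# Body lines of the extension whose header line contains $1 (read from $text).
ext() {
    printf '%s\n' "$text" | awk -v h="$1" '
        function indent(s) { match(s, /^ */); return RLENGTH }
        on && NF && indent($0) <= lvl { on = 0 }
        on
        index($0, h) { on = 1; lvl = indent($0) }'
}

# First value of a "Name: value" line such as Issuer or Subject.
field() { printf '%s\n' "$text" | sed -n "s/^ *$1: *//p" | head -n 1; }

# precheck_text KIND SCOPE   (KIND: root|intermediate, SCOPE: public|private)
# Reads `openssl x509 -noout -text` output on stdin, prints one line per
# unmet prerequisite and returns non-zero if any was found.
precheck_text() {
    text=$(cat); fail=0
    ext 'X509v3 Key Usage:' | grep -q 'Digital Signature' ||
        { echo 'FAIL: Key Usage lacks digitalSignature'; fail=1; }
    ext 'X509v3 CRL Distribution Points:' | grep -q 'URI:' ||
        { echo 'FAIL: no CRL URL in CRL Distribution Points'; fail=1; }
    ext 'Authority Information Access:' | grep -q 'OCSP - URI:' ||
        { echo 'FAIL: no OCSP URL in Authority Information Access'; fail=1; }
    # Name comparison only; it does not verify the self-signature itself.
    if [ "$1" = root ] && [ "$(field Subject)" != "$(field Issuer)" ]; then
        echo 'FAIL: root CA is not self-issued (Subject != Issuer)'; fail=1
    fi
    alg=$(field 'Signature Algorithm' | tr 'A-Z' 'a-z')
    case "$2:$alg" in
        public:*sha1*) echo "FAIL: public certificate signed with $alg"; fail=1 ;;
    esac
    return "$fail"
}

# anchor_precheck FILE KIND SCOPE: adds the expiry check, which needs the file.
anchor_precheck() {
    rc=0
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null ||
        { echo 'FAIL: certificate is expired'; rc=1; }
    openssl x509 -in "$1" -noout -text | precheck_text "$2" "$3" || rc=1
    return "$rc"
}
```

For example, `anchor_precheck root-ca.pem root public` (the file name is a placeholder) prints one FAIL line per unmet prerequisite and exits non-zero if any is found.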

Required permissions

This table outlines which permission or role must be assigned to the user to perform the actions described in this article.

User type

Permission

Account user

One of the following must be assigned to the user to perform this action:

  • Manage certificate hierarchy permission

  • Lead role

  • Team Lead role

System user

One of the following must be assigned to the user to perform this action: