Use the profile configuration wizard

When you create a new certificate profile, DigiCert® Trust Lifecycle Manager presents a step-by-step wizard to help you configure all of the required certificate options. The wizard screens and options you see depend on the base template you use as the basis for creating the new certificate profile.

This page describes the general workflow and available options for creating a certificate profile with the profile configuration wizard.

Before you begin

Identify the best certificate template to use to create your certificate profile. The certificate template determines:

  • Available certificate properties and use cases.

  • Issuing certificate authorities (CAs), enrollment methods, and certificate lifecycle automation options.

  • The seat type consumed for certificates issued from the certificate profile.

Note

You must have available seat licenses in your account for the selected certificate template. Contact your DigiCert account manager with questions regarding seat inventory.

Begin creating the certificate profile

Use one of the following methods to launch the profile configuration wizard for creating a new certificate profile:

  • From the certificate templates view (Policies > Base templates), select a certificate template by name to start creating a certificate profile from that template. Alternatively, open the actions (three dot) menu next to the certificate template name and select Create profile from template.

  • From the certificate profiles view (Policies > Certificate profiles), select the Create profile button above the table to start creating a certificate profile. This takes you to the certificate templates view. Select a certificate template by name to start creating a certificate profile from it.

Customize and save the new certificate profile

Follow the wizard to customize and save your certificate profile. The details you fill in depend on the certificate template you started with and your specific business needs for certificates issued with this profile.

Wizard screen

Description

Primary options

Configure the profile name, business unit, issuing CA, enrollment method, and authentication method.

Certificate options

Options can include validity period, algorithm, key type and size, renewal options, subject distinguished name (DN), and subject alternative name (SAN) fields.

  • Some profile types and enrollment methods support multiple key sizes. Select all possible key sizes you want to allow in your certificates. The final key size will be determined based on what's sent in the CSR for each enrollment.

  • You can customize the length of the certificate serial number for profiles configured using the three generic base templates. To do this, you must enable the Customize length of certificate serial number checkbox. The options that you can choose from are:

    • 16 bytes (32 hexadecimal characters)

    • 17 bytes (34 hexadecimal characters)

    • 18 bytes (36 hexadecimal characters)

    • 19 bytes (38 hexadecimal characters)

    • 20 bytes (40 hexadecimal characters) (default)

    Note

    We recommend that you use the 20-byte option because it is more secure and reduces the possibility of serial number collisions.

  • See Certificate attributes and extensions for technical details about supported certificate options.

Extensions

Additional options for the extensions field in the certificates, such as key usage and extended key usage. Some private certificate types also support custom extensions.

Additional options

Options can include certificate delivery format, administrative contact options, notification options, LDAP search, tags, and custom attributes.

  • Apply tags to help identify all certificates issued from a particular profile for tracking and management purposes in Trust Lifecycle Manager.

  • Some templates provide a custom attributes option. These are user-defined metadata fields that store business-specific information if configured under Settings.

    Note

    The custom attributes that are displayed depend on the selected enrollment method. For example, if the enrollment method is Admin web request, DigiCert agent, or DigiCert sensor, any configured custom attributes are displayed. If the enrollment method is CSR, REST API, or 3rd-party ACME client, only the custom attributes with fixed values are displayed.

Advanced settings

Options can include Seat ID mapping, where you select a certificate field to bind to your Seat ID. The Seat ID uniquely identifies an entity (User, Device, or Server Seat) to the system for licensing purposes.

  • You can upload a user instructions file for how to use the certificate for profiles configured with a web-based enrollment method (Browser PKCS12, CSR, or DigiCert Trust Assistant) and an authentication method of Enrollment Code, Manual Approval or DigiCert ONE Login.

  • You can also enable a Grace period, which allows you to add the days remaining before expiration to the renewed certificate. When it is not selected, the renewed certificate takes a strict validity period based on the Certificate expires in value set above.

  • Some templates provide a self-service portal option. Enable this option to allow end users to manage their own certificates via a web-based self-service portal, if enabled under Settings.

  • For Microsoft CA profiles configured with the SCEP method, you can regenerate the RA certificate used by the solution to decrypt SCEP before Microsoft CA issues the certificate. This ensures that:

    • Issues caused by the RA certificate expiring and not being automatically renewed by Trust Lifecycle Manager are prevented.

    • You have a fresh RA key and RA certificate bound to the profile at all times, which helps you adhere to security policies.

    To regenerate an RA certificate, click the Regenerate RA certificate button at the end of the wizard.

After filling in each screen, select the Next button to progress to the next screen. Select Back to return to previous screens to review or make changes.

When you're ready, select Create on the final screen to save the new certificate profile.
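
To audit that issued certificates carry the serial number length selected under Certificate options, the following added example (not part of the original page and not DigiCert code) reads the serialNumber from a DER-encoded certificate using only the Python standard library. The function names, the constructed sample input, and the convention that the configured length excludes DER's leading 0x00 sign octet are assumptions.

```python
# Added example, not DigiCert code. Assumption: the profile's "N bytes" counts
# serial octets without the 0x00 sign octet DER prepends when the top bit is set.
def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    length, start = first, pos + 2             # short-form length
    if first & 0x80:                           # long form: low 7 bits = count of length octets
        start += first & 0x7F
        length = int.from_bytes(buf[pos + 2:start], "big")
    if start + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, start, start + length

def serial_octets(cert_der):
    """Extract serialNumber from a DER certificate, sign octet stripped."""
    tag, start, _ = read_tlv(cert_der, 0)      # Certificate SEQUENCE
    tag2, pos, _ = read_tlv(cert_der, start)   # tbsCertificate SEQUENCE
    if tag != 0x30 or tag2 != 0x30:
        raise ValueError("not a DER certificate")
    tag, vstart, vend = read_tlv(cert_der, pos)
    if tag == 0xA0:                            # optional [0] EXPLICIT version
        tag, vstart, vend = read_tlv(cert_der, vend)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    value = cert_der[vstart:vend]
    if len(value) > 1 and value[0] == 0 and value[1] & 0x80:
        value = value[1:]                      # drop the DER sign octet
    return value

def check_serial(cert_der, configured_len):
    """Compare the serial length with the length configured in the profile."""
    serial = serial_octets(cert_der)
    return {"hex": serial.hex(), "octets": len(serial),
            "hex_chars": len(serial.hex()), "matches": len(serial) == configured_len}

def der(tag, content):  # minimal DER encoder, used only to build the constructed sample
    n = len(content)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + content

def sample_cert(serial):
    """Constructed input: certificate skeleton up to serialNumber plus filler."""
    pad = b"\x00" if serial[0] & 0x80 else b""
    tbs = der(0xA0, der(0x02, b"\x02")) + der(0x02, pad + serial) + der(0x04, bytes(200))
    return der(0x30, der(0x30, tbs))
```

For a real certificate, pass the DER bytes (for PEM, the base64-decoded body) to `check_serial` together with the length configured in the profile.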