Use the profile configuration wizard

Profile name: Enter a name to help identify the certificate profile.

Profile description (optional): Enter an optional description for the profile.

Business unit: Select the business unit to assign for certificates issued from this profile.

Issuing CA: Select the issuing CA to issue end-entity certificates for the profile.

Enrollment method: Select an enrollment method to use for requesting certificates from this profile.

Authentication method: Select a method to authenticate the enrollment requests and configure any required authentication options.

Certificate fields: Configure certificate validity period, signing algorithm, key type, and key size.

Some certificate profile types and enrollment methods support multiple key sizes. Select all possible key sizes you want to allow in your certificates. The final key size is determined based on what's sent in the CSR for each enrollment.

You can also customize the length of the certificate serial number for profiles configured using the three generic base templates. To do this, you must enable the Customize length of certificate serial number checkbox. The options that you can select from are:

Flow options: Configure if you can issue multiple certificates from the profile, and if you can override the default certificate validity by a REST API request.

Renewal options: Set renewal window, and configure grace period.

Subject DN and SAN fields: Configure Subject Distinguished Name (DN) and Subject Alternative Name (SAN) attributes for the profile. For technical details about supported certificate attributes, see Certificate attributes and extensions.

Configure extensions such as Basic constraints, Key usage, and Extended key usage to control certificate capabilities and permitted operations.

Review issuer and validation-related extensions, such as Authority information access, Authority key identifier, Certificate distribution points, and Subject key identifier, which help support certificate chain building and revocation checking.

Some private certificate types also support custom extensions.

Configure options such as Delivery formats, Email configuration and notifications, Contact details, Alerts, and Certificate owners.

Configure LDAP search settings and assign metadata to help organize, track, and manage certificates issued from the profile.

Apply Tags to help identify all certificates issued from a particular profile for tracking and management purposes in Trust Lifecycle Manager.

Some templates provide a Custom attributes option. These are user-defined metadata fields that store business-specific information if configured under Settings.

Select Certificate owners who should receive notifications for all certificates issued from this profile.

Configure Seat ID mapping where you can select a certificate field to be bound to your Seat ID. This is used to uniquely identify the entity (for example, the user, device, or server) that is using each seat license.

Upload a user instructions file for how to use the certificate for profiles configured with a web-based enrollment method (Browser PKCS12, CSR, or DigiCert Trust Assistant) and an authentication method of Enrollment Code, Manual Approval or DigiCert ONE Login.

Enable a grace period, which allows you to add the days before expiration to the renewed certificate. When not selected, the renewed certificate takes a strict validity period based on the set Certificate expires in value.

Configure the self-service portal option for some templates to allow end users to manage their own certificates via a web-based self-service portal, if enabled under Settings.

For Microsoft CA profiles configured with the SCEP method, you can regenerate the RA certificate used by the solution to decrypt SCEP before Microsoft CA issues the certificate. This ensures that:

To regenerate an RA certificate, select the Regenerate RA certificate button at the end of the wizard.