Skip to main content

Prerequisites and workflow to use "Imported seat" licenses

Uploaded third-party certificates bound to the Imported seat license offer the most management options (see Assigned seat types). These certificates can be validated, revoked, suspended, or resumed from DigiCert​​®​​ Trust Lifecycle Manager after upload.

To assign this seat type, first use DigiCert® CA Manager to import the issuing CA and configure Certificate Revocation List (CRL), Authority Information Access (AIA), and Online Certificate Status Protocol (OCSP) parameters that match what's in the certificates.

Steps to use "Imported seat" licenses

Follow the below steps to make sure your third-party certificates get assigned the Imported seat type license when imported into DigiCert​​®​​ Trust Lifecycle Manager.

Some required steps depend on the certificates. For example, if the certificates do not include the AIA extension, you do not need to set up an AIA for them in DigiCert® CA Manager.

Important

Most of the below tasks can only be performed by an administrator with sufficient permissions:

  • For hosted DigiCert® ONE accounts, contact your DigiCert account representative for help.

  • For on-premises DigiCert® ONE deployments, contact your local DigiCert system administrator.

  1. Gain access to the root CA and any intermediate CAs for the issuing CA

    Either import the root CA and intermediate CAs into DigiCert® CA Manager or configure DigiCert® ONE to access the HSM(s) where the private keys and certificates for the root CA and intermediate CAs are located.

  2. Set up domains in DigiCert® CA Manager

    Use the DigiCert® CA Manager Domains function to set up one or more domains to match any CRL, AIA, or OCSP fields in the issuing CA certificate.

    Set the domain type to AIA issuer, CRL, and/or OCSP to match how it's used in the issuing CA certificate.

  3. Create a CRL in DigiCert® CA Manager

    If the issuing CA certificate has a CRL Distribution Point (CDP) field, create a matching CRL in DigiCert® CA Manager:

    1. From the CRLs page in DigiCert® CA Manager, select the Create CRL button.

    2. Select the corresponding root or intermediate CA in the Issuer dropdown.

    3. Configure the File name and File path fields to match the value of the CDP field in the issuing CA certificate.

  4. Create an AIA in DigiCert® CA Manager

    If the issuing CA certificate has an AIA issuer field, create a matching AIA in DigiCert® CA Manager:

    1. From the AIAs page in DigiCert® CA Manager, select the Create AIA button.

    2. Select the corresponding root or intermediate CA in the Issuer dropdown.

    3. Configure the File name and File path fields to match the value of the AIA issuer field in the issuing CA certificate.

  1. Gain access to the issuing CA

    Either import your issuing CA into DigiCert® CA Manager or configure DigiCert® ONE to access the HSM where the private key and certificate for your issuing CA are located.

  2. Set up domains in DigiCert® CA Manager

    Use the DigiCert® CA Manager Domains function to set up one or more domains to match any CRL, AIA, or OCSP fields in the end-entity certificates.

    Set the domain type to AIA issuer, CRL, and/or OCSP to match how it's used in the end-entity certificates.

  3. Create a CRL in DigiCert® CA Manager

    If the end-entity certificates have a CRL Distribution Point (CDP) field, create a matching CRL in DigiCert® CA Manager:

    1. From the CRLs page in DigiCert® CA Manager, select the Create CRL button.

    2. Select the issuing CA in the Issuer dropdown.

    3. Configure the File name and File path fields to match the value of the CDP field in the end-entity certificates.

    Note: Do not select the Generation enabled checkbox yet. CRL generation should not be enabled until after all the end-entity certificates have been uploaded.

  4. Create an AIA in DigiCert® CA Manager

    If the end-entity certificates have an AIA issuer field, create a matching AIA in DigiCert® CA Manager:

    1. From the AIAs page in DigiCert® CA Manager, select the Create AIA button.

    2. Select the issuing CA in the Issuer dropdown.

    3. Configure the File name and File path fields to match the value of the AIA issuer field in the end-entity certificates.

  1. Upload the end-entity certificates

    Upload the end-entity certificates from your old system via API or a DigiCert-provided tool.

    For API import, see Upload certificates with REST API.

  2. Upload the last CRL from the old system into DigiCert® CA Manager

    If the end-entity certificates use a CRL, import the last generated CRL from your old system into DigiCert® CA Manager so it knows which CRL numbers to use and can avoid duplicate numbers:

    1. From the CRLs page in DigiCert® CA Manager, select the CRL to view the details for it.

    2. Select the Import blob button to import the signed CRL blob.

  1. Update your DNS service

    Add DNS records to point to any CDP, AIA, and OCSP fields in the end-entity certificates at your DigiCert® ONE instance.

    For hosted DigiCert® ONE accounts, point these fields at the corresponding hosts in the one.digicert.com domain. For on-premises deployments, point them at hosts in your local domain.

    For example, if you are a hosted DigiCert® ONE customer, and your imported certificates contain a CDP field value of crl.example.com, add a CNAME record that points crl.example.com at crl.one.digicert.com.

    Contact your DigiCert representative or local system administrator for help determining which hosts to use.

  2. Enable CRL generation and publishing in DigiCert® CA Manager

    If the end-entity certificates use a CRL, enable CRL generation and publishing in DigiCert® CA Manager:

    1. From the CRLs page in DigiCert® CA Manager, select the CRL to view the details for it.

    2. In the Base settings section of the CRL details, make sure Publish enabled and Generation enabled are both set to Yes. Select the pencil icon to edit these fields.

Avertissement

For issuing CAs that use Certificate Revocation Lists (CRLs), failure to follow all of the above steps may result in CRLs not containing all the revoked certificates, or CRLs generated with old (or out of sequence) CRL numbers.

Issuing CAs that use the Online Certificate Status Protocol (OCSP) may require additional configuration of an OCSP Responder to validate imported certificates on an ongoing basis. Contact your DigiCert representative or local System Administrator for help.