
Create an ACME-based profile for private AWS certificates

Before you begin

You need a connector that links DigiCert® Trust Lifecycle Manager to the AWS Private CA account.

Create the certificate profile

  1. From the DigiCert® Trust Lifecycle Manager main menu, select Policies > Certificate profiles.

  2. Select the Create profile from template button at the top.

  3. Select the AWS CA Private Server Certificate template as the basis for creating the profile.

  4. Fill in the Primary options for your new certificate profile:

    • Profile name: Enter a friendly name for this profile.

    • Business unit: Select the business unit (BU) for certificates issued from this profile. The business unit needs Certificate management seats allocated to it before certificates can be issued (see Prerequisites).

    • Connector: Select the connector used to link to your AWS Private CA account.

    • Enrollment method: Select 3rd-party ACME client.

  5. Select the Certificate options for certificates issued from this profile:

    • Certificate expires in: Enter the validity period length and select units.

    • Signing algorithm: Select an available signing algorithm.

  6. Select any Extensions to use when issuing certificates.

  7. Select any Additional options for:

    • Email configuration and notifications: Email communications settings for certificate lifecycle event notifications.

    • LDAP search: Whether certificates should be searchable via LDAP.

    • Contact details: Add an administrative contact for issued certificates.

    • Tags: Enter custom tags to apply to all certificates issued from this profile. Tags help identify the certificates for tracking and management purposes.

  8. Select Create to save the new certificate profile and generate the ACME credentials for it. The ACME URL and EAB credentials popup window launches, showing the following fields:

    • ACME Directory URL: Base URL to use when requesting certificate automations. For hosted DigiCert ONE accounts, this should be https://one.digicert.com/mpki/api/v1/acme/v2/directory

    • KID: Key identifier for your new certificate profile.

    • HMAC key: Used to encrypt and authenticate your account key during automation events.

  9. Copy your unique external account binding (EAB) credentials and store them somewhere safe. You can use the "copy" icon next to each field to copy it to your clipboard, or select the Copy all button to copy them all at once.

  10. After copying the new ACME credentials, Close the popup window.

Note

When you create an ACME-based certificate profile, the ACME credentials for it are displayed only once. There is no way to retrieve this information once you have navigated away from it. If you ever lose your ACME credentials, you will need to regenerate the ACME credentials for that profile.
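
How a third-party ACME client consumes the KID and HMAC key from step 8, as an added example (not DigiCert's code): under RFC 8555 section 7.3.4 the client computes an HS256 MAC over its account public key, with the KID in the protected header, and the CA recomputes it to accept the binding. The sample KID, key, account JWK and newAccount URL are constructed placeholders, and the base64url encoding of the HMAC key is an assumption.

```python
import base64
import hashlib
import hmac
import json

def b64url(data: bytes) -> str:
    """base64url without '=' padding, as JWS requires (RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    """Decode base64url whether or not the padding was stripped."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(hmac_key_b64: str, protected: str, payload: str) -> bytes:
    signing_input = f"{protected}.{payload}".encode("ascii")
    return hmac.new(b64url_decode(hmac_key_b64), signing_input, hashlib.sha256).digest()

def build_eab(kid, hmac_key_b64, account_jwk, new_account_url):
    """Client side: bind the ACME account public key to the profile's KID."""
    header = {"alg": "HS256", "kid": kid, "url": new_account_url}
    protected = b64url(json.dumps(header, separators=(",", ":")).encode())
    payload = b64url(json.dumps(account_jwk, separators=(",", ":")).encode())
    return {"protected": protected, "payload": payload,
            "signature": b64url(_mac(hmac_key_b64, protected, payload))}

def verify_eab(eab, hmac_key_b64, expected_kid):
    """CA side: check alg and kid, then recompute the MAC in constant time."""
    header = json.loads(b64url_decode(eab["protected"]))
    if header.get("alg") != "HS256" or header.get("kid") != expected_kid:
        return False
    expected = _mac(hmac_key_b64, eab["protected"], eab["payload"])
    return hmac.compare_digest(expected, b64url_decode(eab["signature"]))

# Constructed sample values; real ones come from the popup in step 8.
SAMPLE_KID = "constructed-kid-0001"
SAMPLE_HMAC_KEY = b64url(b"constructed-demo-key-not-a-secret")
# Constructed placeholder EC public key (x and y are not a real curve point).
SAMPLE_JWK = {"crv": "P-256", "kty": "EC",
              "x": b64url(b"\x01" * 32), "y": b64url(b"\x02" * 32)}
# Placeholder; a client reads the real value from the directory's newAccount field.
SAMPLE_NEW_ACCOUNT_URL = "https://acme.example.test/new-account"

if __name__ == "__main__":
    eab = build_eab(SAMPLE_KID, SAMPLE_HMAC_KEY, SAMPLE_JWK, SAMPLE_NEW_ACCOUNT_URL)
    print(json.dumps({"externalAccountBinding": eab}, indent=2))
    print("verifies:", verify_eab(eab, SAMPLE_HMAC_KEY, SAMPLE_KID))
```

The HMAC key is needed only for this account-registration step; later requests are signed with the ACME account key.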