Prerequisites
Make sure these prerequisites are met to use third-party ACME clients with DigiCert® Trust Lifecycle Manager.
User permissions
To manage certificate profiles in Trust Lifecycle Manager, you need the user role of Manager or Certificate profile manager or a custom user role that includes the Manage profile permission.
DigiCert® CA Manager issuance
To use a third-party ACME client to request private certificates from DigiCert® CA Manager:
You need at least one issuing certificate authority (CA) set up in DigiCert® CA Manager.
For DigiCert® CA Manager issuance, you need Server seats allocated to the business units where the certificates will be deployed. To learn more, see Seat management.
External issuing CAs
To use a third-party ACME client to request certificates from an external issuing CA:
You need a connector to the external CA in question
To get public DigiCert® certificates via ACME, you need a CertCentral connector. Organizations must be prevalidated for public OV/EV certificates.
For external CA issuance, you need Certificate management seats allocated to the business units where the certificates will be deployed. To learn more, see Seat management.
Important
For help verifying or meeting any of these prerequisites, contact your DigiCert account representative.
Additional requirements for private on-premises DigiCert ONE users
Users with a private on-premises DigiCert ONE deployment need to install the private DigiCert ONE certificate into the local truststores of any systems that will use third-party ACME clients to manage certificates from Trust Lifecycle Manager.
Below are basic instructions for how to meet these private trust requirements. For more details about how to install and manage the CA certificates in a local truststore, consult the documentation for your operating system version.
Note: These requirements only apply to private on-premises DigiCert ONE users. They do not apply to users of the cloud-hosted DigiCert ONE service.
Windows truststore requirements
To automate certificates on a Windows system via a private on-premises DigiCert ONE server, install the private DigiCert ONE certificate into the Windows truststore as described below.
Active Directory deployment
Refer to this page on the Microsoft website for instructions about how to distribute the DigiCert ONE certificate via Active Directory.
Standalone deployment
To install the DigiCert ONE certificate on a standalone Windows system:
Copy the private DigiCert ONE certificate to the Windows system as a PEM-encoded file (.crt file extension). Note the certificate file location.
Launch the Windows
certlm.msc
tool as an administrator to manage the certificates on the local machine.Use the Import action to browse and import the DigiCert ONE certificate file into the list of Trusted Root Certification Authorities > Certificates.
Linux truststore requirements
To automate certificates on a Linux system via a private on-premises DigiCert ONE server, install the private DigiCert ONE certificate into the Linux truststore as follows:
Copy the private DigiCert ONE certificate to the Linux system as a PEM-encoded file (.crt file extension). Note the certificate file location.
Make sure the Linux ca-certificates package is installed. Install it if needed, for example, by running
apt-get install ca-certificates
oryum install ca-certificates
as root.Copy the .crt file for DigiCert ONE into the CA certificates directory. The location of this directory depends on your Linux distribution and version. See the table below for some possible locations.
Run the command as root to update the local truststore based on the current CA certificate files. The name of this command depends on your Linux distribution and version. See the table below for some possibilities.
Linux distribution | CA certificates directory | Command to update truststore |
---|---|---|
CentOS/RHEL | /etc/pki/ca-trust/source/anchors/ | |
SUSE | /usr/share/pki/trust/anchors/ | |
Ubuntu | /usr/local/share/ca-certificates/ | |