Skip to main content

Create a certificate profile with DigiCert Trust Assistant

Account Administrators with appropriate permissions can configure a certificate profile for DigiCert Trust Assistant. For more details on creating a profile, refer to Create certificate profiles.

To create a profile, select the following for each input:

Issuing CA

Select either an RSA or ECDSA-based issuing CA to use DigiCert Trust Assistant.

Enrollment method

Select DigiCert Trust Assistant, and select target keystore options:

  • Operating System KeyStore - Certificate is installed in KeyChain for macOS and Certificate Store for Windows.

    Nota

    Certificate installed via the Firefox browser also uses the operating system keystore instead of the built-in Firefox certificate store.

  • DigiCert Software KeyStore – Certificate is installed on a DigiCert proprietary software keystore protected with a PIN.

    Nota

    To use keys and certificates stored at DigiCert Software KeyStore from browsers or other applications, the Register provider/token must be performed in advance. This registers DigiCert Software KeyStore to the operating system. For Windows, local administrator privilege is required to install and register the provider. For macOS, no administrative privilege is required.

    Refer to DigiCert Software KeyStore for more details.

    When selecting Operating System KeyStore or DigiCert Software KeyStore for the keyStore, you can allow the export of the private key by checking the Allow private keys to be exported option.

  • Hardware token - Certificate is installed on the hardware token of your choice.

    • When choosing a Hardware token for the keystore, you can enforce the use of one or more specific hardware tokens. If the Any option is selected, tokens currently inserted on the end-user workstation and recognized by the DigiCert Trust Assistant will be shown as a selection during the enrollment flow.

    • Only the formally qualified tokens are recognized by DigiCert Trust Assistant. However, the non-qualified hardware tokens can be additionally recognized by modifying the .digicert-trust-assistant\config.json file inside the user's home directory. For more details on customizing the configuration file, refer to Add other hardware tokens.

Authentication method

Select one of the following authentication methods depending on the authentication requirement for your organization needs:

  • DigiCert ONE Login - Authenticates users through a single sign-on service enabled in Account Manager. Auto-enroll and renew is only supported for this method. For more details, see About DigiCert ONE login profile.

    • Auto-enroll/renew certificates - Select to allow automatic certificate issuance and renewal.

    • Restrict user access based on Identity Provider (IdP) metadata - Select this option to configure authorized user groups.

Nota

DigiCert ONE Login and SAML IdP looks similar with both using federated protocols as the authentication mechanism, but they are very different. DigiCert ONE Login was added so that issuance and renewal of the certificates could be done automatically with minimum user intervention. For SAML IdP, entering the user credentials is required every time the user enrolls or renews a certificate.

For more details about DigiCert ONE Login, see About DigiCert ONE login profile.

Post-processing scripts

Use post scripts to configure certificates seamlessly.

Selecting DigiCert Trust Assistant as an enrollment method also allows assigning one or more post-processing scripts as a part of post-certificate installation tasks. These post-processing scripts simplify the process for end users and ensure that the certificates are correctly configured for secure and seamless use.

Nota

For a successful execution of the post-processing script on the end user's computer, ensure the following:

  • The root CA is added to Trusted Root Certification Authorities.

  • The complete certificate chain validation is established. This includes valid AIA, CDP, OCSP, and CRL extensions for end-entity and CA certificates.

  • If using a third-party platform for device management, ensure that the PowerShell execution policy on Windows client computers is set to RemoteSigned.

For more details including the code signing and CA certificates for system scripts, see Post-processing scripts.