Skip to main content

Create a certificate profile with DigiCert Trust Assistant

Account Administrators with appropriate permissions can configure a certificate profile for DigiCert Trust Assistant. For more details on creating a profile, refer to Create certificate profiles.

To create a profile, select the following for each input:

  • Issuing CA - Select either an RSA or ECDSA-based issuing CA

  • Enrollment method - Select DigiCert Trust Assistant

Selecting DigiCert Trust Assistant as an enrollment method provides the following options as the target keystore:

  • Operating System KeyStore - Certificate is installed in KeyChain for macOS and Certificate Store for Windows.

    Nota

    Certificate installed via the Firefox browser also uses the operating system keystore instead of the built-in Firefox certificate store.

  • DigiCert Software KeyStore – Certificate is installed on a DigiCert proprietary software keystore protected with a PIN.

    Nota

    To use keys and certificates stored at DigiCert Software KeyStore from browsers or other applications, it is required that the Register provider/token is performed beforehand. This will register DigiCert Software KeyStore to the operating system.

    For Windows, local administrator privilege is required to install and register the provider. For macOS, no administrative privilege is required.

    Refer to DigiCert Software KeyStore for more details.

    When selecting Operating System KeyStore or DigiCert Software KeyStore for the keystore, you can allow the export of the private key by checking the Allow private keys to be exported option.

  • Hardware token - Certificate is installed on the hardware token of your choice.

    • When choosing Hardware token for the keystore, you can enforce the use of one or more specific hardware tokens. If the Any option is selected, tokens currently inserted on the end-user workstation and recognized by the DigiCert Trust Assistant will be shown as a selection during the enrollment flow.

    • Only the formally qualified tokens are recognized by DigiCert Trust Assistant. However, the non-qualified hardware tokens can be additionally recognized by modifying the .digicert-trust-assistant\config.json file inside the user's home directory. For more details on customizing the configuration file, refer to Add other hardware tokens.

  • Post-processing scripts - Use post scripts to configure certificates seamlessly.

    Selecting DigiCert Trust Assistant as an enrollment method also allows assigning one or more post-processing scripts as a part of post-certificate installation tasks. These post-processing scripts simplify the process for end users and ensure that the certificates are correctly configured for secure and seamless use.

    Nota

    For a successful execution of the post-processing script on the end user's computer, make sure that:

    • The root CA is added to Trusted Root Certification Authorities.

    • The complete certificate chain validation is established. This includes valid AIA, CDP, OCSP, and CRL extensions for end-entity and CA certificates.

    • If using a third-party platform for device management, make sure the PowerShell execution policy on Windows client computers is set to RemoteSigned.

    For more details including the code signing and CA certificates for system scripts, see Post-processing scripts.

In questa sezione: