Skip to main content

Auto-enrollment and renewal of a certificate

Nota

This feature is available from version 1.2.0.

When you sign in to DigiCert​​®​​ Trust Assistant, certificates will be automatically issued and renewed, based on the profile assigned by the administrator, into the respected tokens.

Prerequisites

The following are the prerequisites for auto-enrollment and auto-renewal:

  • Sign in to DigiCert Trust Assistant through DigiCert ONE login. Refer to User sign-in for more information.

  • Create a certificate profile with auto-enroll/renew certificates. You should be a part of an authorized user group if configured. Refer to Create DigiCert ONE login profile for more information.

  • Initialize the token with a PIN while using DigiCert Software KeyStore. Refer to Initialize token for more information.

  • Install the driver and set up the PIN while using hardware tokens. Refer to the Supported hardware token for more details.

Enrollment and renewal timings

DigiCert​​®​​ Trust Assistant checks for enrollment and renewal regularly.

After starting DigiCert​​®​​ Trust Assistant for the first time, it selects a random time within the first hour to perform the initial check (with separate times for enrollment and renewal). It then runs the check at the same time each day.

Additionally, an initial enrollment check occurs immediately after a successful sign-in to ensure certificates are issued immediately.

Auto-enrollment

If DigiCert​​®​​ Trust Assistant detects a profile assigned to you, it automatically enrolls and issues the certificate to the configured token. Depending on the token’s requirements, you may need to enter an access PIN or login password.

PIN requirement

The following chart shows the PIN password requirement for each token type during enrollment.

Tabella 1. PIN requirement

Token

PIN password requirement *

DigiCert Software KeyStore

PIN required

MacOS Keychain (shown as MacOS Crypto in Navigation Menu)

Login password required

Windows Certificate Store (shown as Windows CryptoAPI in Navigation Menu)

Not required

Hardware tokens

PIN required


* If you are already logged into the token and depending on the session configuration, it may not be required. Refer to Key storage management for more information about session management.

Using hardware tokens

If the hardware token is not plugged into the machine when auto enrollment check runs in the background, DigiCert Trust Assistant will send a notification which can be viewed in Notifications to plugin the token and link to trigger the enrollment manually.

Using multiple machines

If you manage multiple machines simultaneously, certificates with the same Subject DN can be issued to each machine from the same profile. This occurs automatically when you install DigiCert Trust Assistant on another machine and sign in. This is enabled when the profile has the Allow duplicate certificates option selected.

Nota

Automatic enrollment for multiple machines will not happen for profiles configured with hardware tokens.

Auto-renewal

When the certificate reaches the renewal window defined in the certificate profile, DigiCert​​®​​ Trust Assistant will renew the certificate automatically.

Auto-renewal is triggered in the following cases:

  • Renewal window reached: The certificate must be within the renewal period.

  • Valid status: Only valid certificates can be renewed. Expired, revoked, or suspended certificates cannot be renewed. If DigiCert Trust Assistant detects that no valid certificate exists for the profile, it will attempt to auto-enroll a new certificate.

  • Certificate must exist on the device: Certificates issued on another machine's software token cannot be renewed unless migrated. Certificates stored on a hardware token will be renewed automatically when plugged in.

  • Not already renewed: The certificate must not have been previously renewed.

PIN password requirement

This process is similar to enrollment. The main difference with renewal is that DigiCert requires a signature from the old certificate to verify proof of possession. This may result in two authentication steps: one for the old certificate and another for importing the new certificate.

If you are already logged into the token and depending on the session configuration, this may not be required. Refer to Key storage management for more information about session management.

Post-processing scripts

If a certificate profile is configured with post-processing scripts, they will run after a certificate is successfully issued or renewed.

You will receive a notification about the success or failure of these scripts. If a script fails, you can re-run it from the notification message.

For more details about post-processing scripts, refer to Post-processing Scripts.