
Create the autoenrollment certificate profile

Once you have configured API access and prepared the configuration utility, create a certificate profile for Autoenrollment Server to use.

Warning

Your administrator account needs to include at least the Certificate profile manager user role to create certificate profiles.

Create a certificate profile

  1. Sign in to DigiCert ONE and go to DigiCert® Trust Lifecycle Manager.

  2. Select Policies > Certificate profiles from the main menu.

  3. Select Create profile from template.

  4. Select the certificate template for the type of certificate you need.

  5. Under the General information section, enter the profile Nickname and choose the Business Unit and issuing CA.

  6. From the Enrollment method dropdown, select Microsoft Autoenrollment.

    Note

    When Microsoft Autoenrollment is selected as the enrollment method, the Authentication method defaults to Active Directory.

  7. Select the desired Enrollment mode radio button:

    • Silent: Certificate enrollment is fully automatic and is not visible to the user

    • Inform user: Windows prompts the user to initiate a certificate enrollment

  8. Under Keystore provider options, choose which cryptographic provider(s) may generate the key pair and CSR for requests. The available options are:

    • Requests can use any provider available on the subject's computer: the key pair and CSR may be generated by any provider installed on the subject's computer.

    • Requests must use one of the following providers: the key pair and CSR must be generated by one of the providers you specify, tried in the priority order you set.

      1. Select providers: This option appears only when Requests must use one of the following providers is selected. Choose the provider from the dropdown list.

        Note

        The Microsoft Platform Crypto Provider generates and stores user and device keys in the machine's Trusted Platform Module (TPM) 2.0. A key created there never leaves the TPM, so the resulting certificate is bound to that device and its private key cannot be copied to another machine.

  9. Under Other options, select the Allow private key to be exported checkbox only if users must be able to export their certificates together with their private keys (for example, to move them to another device). Leave it clear otherwise: an exportable key can be copied off the machine, after which the certificate no longer proves possession of that particular device or account.

    Note

    Allow private key to be exported is not supported when Microsoft Platform Crypto Provider is selected, because TPM-resident keys cannot be exported.

  10. Select Publish certificate to Active Directory to allow certificates to be published to your Active Directory.

    If you enable this option, you must also grant the Autoenrollment Server a specific permission that allows it to publish certificates. Refer to "Allow Publishing to Active Directory" for details.

  11. Select Next.

  12. Under Certificate fields, select the validity period unit (Years, Months, or Days) and enter the value in the textbox.

    Note

    You cannot issue an end entity certificate with a validity period longer than the remaining validity of the issuing CA. The issuing CA expiration date is shown as a reference in this section.

  13. Select the Algorithm from the available algorithms in the dropdown list. Available algorithms are based on the issuing CA selected for the profile.

  14. Select the Key type and attribute from the dropdown lists.

    Note

    Support for larger key and curve sizes depends on the Trusted Platform Module vendor and version.

  15. Select the checkbox to Allow duplicate certificates if multiple certificates are to be issued for the same seat ID.

  16. Under Renewal options, select the Renewal window from the dropdown list. The default (recommended) value is 30 days.

  17. Select Subject DN and SAN fields from the dropdown list. Select as many fields as required for your certificates, then select Add fields.

  18. For each selected field, select the required source from the Source for the field’s value dropdown. The available options include Active Directory attribute, Fixed value, and From CSR. The Active Directory attribute option is the default value.

    Note

    The From CSR source corresponds to the Supply in the request option: values for these fields must be included in the Certificate Signing Request (CSR) submitted with the enrollment request. This feature requires DigiCert Autoenrollment Server v2.26.1.0 or later. Because the CSR is built on the enrolling machine, any value sourced From CSR is under the requester's control. For identity-bearing fields such as the UPN or email SAN on a profile whose EKU permits authentication, source the value from an Active Directory attribute instead, so that an enrollee cannot request a certificate that names another principal.

  19. For Subject DN fields that support multiple values, select Add and specify the source and Active Directory attribute for each additional entry.

  20. Specify which certificate fields are mandatory using the Required checkbox.

  21. Specify the Active Directory attribute with multi-valued strings using the Multiple checkbox.

  22. Each SAN field accepts multiple values. Select the Add link and specify the source and value for each additional entry. This applies to the RFC822 Name (Email), Other Name (UPN), and Other Name (Custom) fields.

  23. Specify the Key usage (KU) extension criticality and values.

  24. Specify the Extended key usage (EKU) extension criticality and values.

    Note

    The KU and EKU options shown depend on the certificate template selected for the profile.

  25. Under Certificate delivery format, select the certificate format to use and chain certificates to include when certificates are issued.

  26. Under Email configuration & notifications, specify the template to be used for certificate revocation notification emails.

  27. Under Administrative contact, specify whether to include default or custom administrative contact details in certificate notification emails. Note that including internal support contact details for end users is optional but recommended.

  28. Under Seat ID Mapping, select the certificate field to be used as the seat ID. This uniquely identifies each enrollment entity, for licensing purposes.

  29. Under Service User binding, select the Service user API token to bind to the certificate profile. If no Service user is selected, every API token in the account can manage this profile; binding the profile to the service user whose token the Autoenrollment Server uses restricts management of the profile to that token.

  30. Select Create. The newly created certificate profile is displayed in the certificate profiles list.
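Once the profile is assigned to clients through Windows autoenrollment, it is worth confirming on a test machine that the issued certificates actually reflect the choices made above. The following PowerShell script is an added example for that check; it is not part of DigiCert's documentation or of the Autoenrollment Server. It triggers autoenrollment, locates certificates issued by the CA chosen in step 5, and reports whether each one matches the decisions made in steps 8 and 9 (key provider and exportability), step 12 (validity inside the issuing CA's own validity), step 24 (EKU values) and steps 17 to 22 (the SAN UPN belongs to the enrolling user). The default parameter values, namely the CA name "Example Issuing CA", the expected provider and the clientAuth-only EKU list, are assumptions to replace with the values from your own profile.

```powershell
# Added post-enrollment verification script (not DigiCert's code). Run it on a
# domain-joined Windows client: an elevated session for device certificates
# (-StoreLocation LocalMachine), a normal session for user certificates.
param(
    [string]   $IssuingCaName    = 'Example Issuing CA',                 # assumed; CN of the CA chosen in step 5
    [string]   $ExpectedProvider = 'Microsoft Platform Crypto Provider', # provider required in step 8
    [bool]     $AllowExport      = $false,                               # state of the step 9 checkbox
    [string[]] $AllowedEkus      = @('1.3.6.1.5.5.7.3.2'),               # assumed: clientAuth only (step 24)
    [ValidateSet('CurrentUser','LocalMachine')]
    [string]   $StoreLocation    = 'CurrentUser'
)

# Trigger autoenrollment now instead of waiting for the next Group Policy
# refresh; "certutil -pulse" fires the same scheduled task Windows uses.
certutil -pulse | Out-Null
Start-Sleep -Seconds 15

# A TPM-backed profile cannot enroll on a machine whose TPM is absent or not
# ready, so check that first rather than blaming the profile for the failure.
if ($ExpectedProvider -eq 'Microsoft Platform Crypto Provider') {
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        Write-Warning "TPM present=$($tpm.TpmPresent) ready=$($tpm.TpmReady); Platform Crypto Provider enrollment will fail."
    }
}

$certs = Get-ChildItem "Cert:\$StoreLocation\My" |
    Where-Object { $_.HasPrivateKey -and $_.Issuer -match [regex]::Escape($IssuingCaName) }
if (-not $certs) {
    Write-Warning "No certificate issued by '$IssuingCaName' with a private key in Cert:\$StoreLocation\My."
    return
}

# The logged-on user's UPN, used to confirm the SAN UPN was not issued for
# someone else (matters when a SAN field is sourced "From CSR").
$currentUpn = if ($StoreLocation -eq 'CurrentUser') { (whoami /upn 2>$null) } else { $null }

foreach ($cert in $certs) {
    # Open the private key through CNG; RSA and ECC keys use different extension classes.
    $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if (-not $key) {
        $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert)
    }
    if ($key -is [System.Security.Cryptography.RSACng] -or $key -is [System.Security.Cryptography.ECDsaCng]) {
        # CNG key: provider name and export policy come from the underlying CngKey.
        $provider   = $key.Key.Provider.Provider
        $exportable = $key.Key.ExportPolicy.HasFlag([System.Security.Cryptography.CngExportPolicies]::AllowExport)
    } elseif ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # Legacy CAPI key: never TPM-backed; the export flag lives in the container info.
        $provider   = $key.CspKeyContainerInfo.ProviderName
        $exportable = $key.CspKeyContainerInfo.Exportable
    } else {
        $provider = 'unknown'; $exportable = $null
    }

    # Step 12: the end-entity validity must end no later than the issuing CA's.
    # Build the chain locally (no revocation lookup) to find the issuer certificate.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $null = $chain.Build($cert)
    $issuer = if ($chain.ChainElements.Count -gt 1) { $chain.ChainElements[1].Certificate } else { $null }

    # Step 24: collect EKU OIDs and flag any outside the allowed list.
    $ekus = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value }

    # Steps 17-22: read the UPN out of the formatted SAN extension (OID 2.5.29.17).
    $sanText = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($true) }) -join ' '
    $sanUpn  = if ($sanText -match 'Principal Name=([^\s,]+)') { $Matches[1] } else { $null }

    [pscustomobject]@{
        Thumbprint        = $cert.Thumbprint
        Subject           = $cert.Subject
        KeyAlgorithm      = "$($cert.PublicKey.Oid.FriendlyName) $($key.KeySize)"
        Provider          = $provider
        ProviderOk        = ($provider -eq $ExpectedProvider)
        Exportable        = $exportable
        ExportOk          = ($exportable -eq $AllowExport)
        NotAfter          = $cert.NotAfter
        WithinCaValidity  = if ($issuer) { $cert.NotAfter -le $issuer.NotAfter } else { $null }
        Ekus              = ($ekus -join ',')
        UnexpectedEkus    = (($ekus | Where-Object { $_ -notin $AllowedEkus }) -join ',')
        SanUpn            = $sanUpn
        SanUpnMatchesUser = if ($sanUpn -and $currentUpn) { $sanUpn -eq $currentUpn.Trim() } else { $null }
    }
}
```

A row with ProviderOk or ExportOk set to False means the client enrolled with a provider or export policy other than the one the profile specifies, which usually points at an old profile still assigned by Group Policy or at a machine without a usable TPM. WithinCaValidity is null when the issuing CA certificate is not in the local store, so install the chain from step 25 before treating that column as a failure.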