About this pillar
Trust Architecture Playbook: Issuance pillar
Executive summary
The design of your CA hierarchy is the foundational investment that everything downstream depends on. It determines the trust boundaries your organization operates within, the controls that govern who can issue certificates, and the operational complexity your PKI team inherits for years. Most enterprises already have some CA infrastructure in place. The Issuance pillar covers both building new CA hierarchies and rationalizing what you already have, connecting everything to DigiCert® Trust Lifecycle Manager for unified management and governance.
Private CA hierarchies are the most customizable and require the most planning. Accordingly, this pillar focuses primarily on DigiCert® Private CA, the native DigiCert service for private-trust issuance. This pillar also covers public-trust issuance through DigiCert CertCentral®, and the CA connectors available for third-party certificate issuance. Trust Lifecycle Manager is CA-agnostic by design: the goal is a single management plane spanning your entire certificate estate, regardless of which CA issued each certificate.
Intended audience
PKI, cloud, and infrastructure teams
Security architecture and operations
Platform engineering and DevOps teams
Application/service owners
Governance/compliance stakeholders
Target outcomes
A well-executed CA design produces four outcomes that reduce risk, enable governance, and establish the foundation for certificate lifecycle automation:
Clear trust boundaries: Separate private and public trust, production and non-production, and high-risk or regulated use cases so that compromise or misconfiguration can be contained.
Rationalized CA hierarchy: Design root and intermediate CAs deliberately, with documented purpose, cryptographic standards, and operational policies that can be maintained and audited.
Governed issuance paths: Certificates are issued from DigiCert Private CA, CertCentral, or approved third-party CA connectors based on trust type, application/service requirements, and operational ownership.
Algorithm agility and PQC readiness: Your hierarchy is designed with cryptographic agility in mind, with algorithm baselines documented and post-quantum cryptography (PQC) use cases identified even if full adoption is deferred.
Important
Key takeaway
CA hierarchy decisions are long-lived. Invest the planning time up front. Changes to fundamental hierarchy design after issuance has begun are expensive, disruptive, and operationally risky.
Quick start checklist (first 30 days)
The first 30 days should establish a working CA foundation without trying to redesign every PKI dependency at once:
Assess your current issuance landscape: Use baseline inventory and stakeholder interviews to identify existing private CAs and public CA accounts to transition or use for issuance within Trust Lifecycle Manager.
Choose your DigiCert Private CA deployment model: Decide between DigiCert-hosted or customer-hosted models based on your key custody, compliance, and operational requirements.
Document your CA hierarchy design: Define your private root and intermediate CA structure, including use-case mappings for each intermediate. Get sign-off from PKI owners and security architects before provisioning.
Provision your private root CA: Create your root CA in DigiCert Private CA. If using the customer-hosted deployment model, complete HSM setup and conduct a key ceremony first.
Create at least one issuing CA: Create an intermediate CA beneath your private root and configure CRL and OCSP revocation infrastructure before issuing any end-entity certificates.
Connect CertCentral and third-party CAs as needed: Add connectors for public issuance through DigiCert CertCentral, plus any additional CAs to use for issuing and managing certificates through Trust Lifecycle Manager.
What this pillar doesn't cover
The following topics are out of scope and covered elsewhere in the DigiCert documentation or Trust Architecture Playbook:
Certificate discovery and import operations.
Certificate issuance policy and profile design.
Enrolling and managing individual certificates.
Advanced post-quantum cryptography migration strategy.
Step-by-step configuration of CA services for DigiCert or third-party vendors.