Building a hierarchy in DigiCert Private CA

Crypto4A: FIPS-validated HSM that supports classical algorithms (RSA, ECC, EdDSA) and post-quantum cryptography (ML-DSA and SLH-DSA).

Thales Luna: PKCS#11-based HSM that supports common enterprise CA key storage patterns. Luna Network HSMs are commonly used for online issuing CAs, while Luna USB HSMs may be used for offline root CA key storage. Newer firmware versions also support PQC.

Thales DPoD: Cloud-based HSM service available for North America-hosted environments. Used for online CA deployments only.

Configure HSM integration before creating any CAs. Migrating externally generated CA keys into an HSM later may not meet operational or compliance requirements and can complicate key provenance and auditability.

Where FIPS validation is a compliance requirement, FIPS 140 Level 2 is the typical minimum baseline, while Level 3 is commonly recommended for high-assurance or regulated environments. Confirm the required level with your compliance framework before finalizing your HSM selection.

HSM provider and partition for storing the root key

Common name (use something descriptive and stable; avoid product names or version numbers that could become inaccurate)

Validity period (typically 10 to 15 years) and path length constraint

Multi-person control: Define which roles must be present to authorize root CA signing operations (for example, PKI owner, security officer, CA operators, and a witness). Where supported by the HSM, use M-of-N or equivalent controls so no single individual can activate or use the root CA key alone.

Controlled environment: Offline root CA designs require an offline DigiCert Private CA instance and offline HSM, with a separate online instance for issuing CAs. Operate the offline root CA instance in a physically secure, air-gapped environment, and perform root CA key generation and signing operations only in that environment. Initialize and verify the HSM before generating any key material.

Documentation and artifacts: Record all steps, participants, and HSM details. Store the signed ceremony record and HSM backup tokens in geographically separate, physically secured offline locations.

The signing CA (root or intermediate)

A use-case-specific name (for example, Internal TLS, Device Identity, or Code Signing)

Validity period (typically 10 years for issuing CAs; shorter periods require more frequent CA rekeying but may be appropriate based on policy, risk, or cryptographic transition requirements)

CRL distribution points and OCSP responder URLs (configured and accessible before the CA issues any end-entity certificates)

Configure backup tokens during the initial key ceremony, before any CA keys are generated.

Store tokens offline in geographically separate, physically secured locations. Maintain at least two copies in separate sites.

Test restore procedures before your CA goes live. An untested backup is not a backup.

If your compliance framework requires key escrow, define the custodians, access procedures, and audit requirements before generating any key material.

HSM failure: Restore CA key material from backup tokens to a replacement HSM and validate issuance before declaring recovery complete.

Revocation service failure: Ensure CRL and OCSP services can be restored within your SLA. Consider a hot standby OCSP responder for high-availability environments.

Site failure (Active/Passive): Test the procedure for promoting the passive instance, including HSM activation and any DNS or load balancer changes required.

Scope: decide whether the CRL covers all certificate types or only end-entity certificates. Consider a separate Authority Revocation List (ARL) for subordinate CA certificates.

Validity and freshness: set a validity period and regeneration schedule that reflects your revocation latency requirements. Relying parties cache CRLs for their full validity period, so shorter validity improves freshness at the cost of increased distribution point load.

Use HTTP for CRL distribution points to avoid the certificate validation dependency cycles and performance overhead that can occur with HTTPS-hosted revocation endpoints.

Configure the default CRL distribution point URLs to embed in issued certificates. To use a custom CDP URL, first add the domain in DigiCert Private CA using the Domains function, then coordinate with DigiCert to complete the required CDN configuration. Contact your account representative to initiate this process.

Ensure relying parties in your environment can reach the configured CRL endpoints. If your environment uses outbound allowlists, allow by FQDN instead of IP as DigiCert ONE endpoints are delivered through CDNs and underlying IP addresses may change. To find the applicable CRL FQDN for your environment, see Platform IP addresses and URLs.

Host CRL distribution points on highly available infrastructure. An unreachable endpoint causes validation failures where hard-fail revocation checking is enforced.

Revocation endpoints must be accessible to all relying parties that validate certificates from your hierarchy.

Configure and verify CRL distribution points before any issuing CA enters production. Certificates issued without a valid CDP extension may fail validation where strict revocation checking is enforced.

OCSP responses are cryptographically signed by the issuing CA or a delegated OCSP responder certificate and cached by relying parties for the duration of the response validity period. Set response validity to balance freshness against responder load: shorter validity improves revocation latency but increases request volume.

Enable OCSP stapling on TLS servers where supported to reduce responder load and improve validation performance. Stapling may not be suitable for OCSP configurations that require nonce extensions in responses.

Configure the default OCSP responder URLs to embed in issued certificates. To use a custom AIA URL, first add the domain in DigiCert Private CA using the Domains function, then coordinate with DigiCert to complete the required CDN configuration. Contact your account representative to initiate this process.

Ensure relying parties in your environment can reach the configured OCSP endpoints. If your environment uses outbound allowlists, allow by FQDN instead of IP as DigiCert ONE endpoints are delivered through CDNs and underlying IP addresses may change. To find the applicable OCSP FQDN for your environment, see Platform IP addresses and URLs.

Configure OCSP responder URLs as part of your deployment setup and verify they're accessible before production issuance begins.

Deploy responders behind a load balancer for high availability.

Consider a hot standby responder for environments with strict availability requirements.

Configure OCSP responder URLs before any issuing CA enters production. Certificates issued without a valid AIA extension may fail validation where strict revocation checking is enforced.

HSM key replication: Both sites must have access to the same CA key material. Plan your HSM replication topology and configure backup tokens before generating any CA keys — retroactively adding a second site is more complex and may not be possible depending on your HSM configuration.

Load-balanced enrollment endpoints: Clients should connect to a virtual IP or DNS name, not directly to a specific CA instance, so failover is transparent to enrolling clients.

Shared revocation endpoints: Both sites must publish CRL and OCSP data to the same externally accessible endpoints to ensure revocation checking continues during a failover.