
Issue Intermediate CA certificates

To perform this action, you must have a user role that contains the Solution administrator permission.

You may have a scenario where you need to issue Intermediate CAs (ICAs) to devices, such as IoT gateways. These ICAs issue end-entity certificates to other devices. We refer to this as an Unmanaged CA. You can configure DigiCert® Device Trust Manager to support this.

Before you begin

Work with your DigiCert® account representative to make sure you have the following:

  • A DigiCert ONE account: Your organization must have an active DigiCert ONE account.

  • CA hierarchy: In CA Manager > Manage CAs, make sure your hierarchy includes:

    • A private root CA, and optionally,

    • An Intermediate CA.

  • Issuance settings: In CA Manager > Manage CAs, the Issue CA Intermediates setting must be set to Yes for the CA that will issue the ICAs.

    • If you're issuing from the root CA, this setting must be enabled on the root, and the root CA must be an online CA.

    • If you're issuing from an existing Intermediate CA, this setting must be enabled on that Intermediate CA, and it must also be an online CA.

  • Certificate template: In Device Trust Manager > Certificate management > Certificate settings > Certificate templates:

    • Select the Basic Intermediate CA Certificate Template.

    • Clone it to make it available in your account.

    • Save the cloned template with a name of your choice.

    • This template enables the required CA = true basic constraint.

  • Licensing: In the Account Manager, make sure your account is assigned a Device Trust Manager Advanced license. See Licenses and plans for the license that includes the Unmanaged CA feature.

    Also, your DigiCert ONE account admin should provide you with a user account that has the Solution Administrator role in Device Trust Manager.

Important

If you're missing anything above, contact your DigiCert account representative.
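The template above matters because an ICA that lacks the CA = true basic constraint (or a key usage permitting certificate signing) cannot issue end-entity certificates, and the failure only shows up later on the device. The script below is an added example, not DigiCert code or part of this guide: it uses the openssl CLI to build a throwaway private root and a gateway ICA (stand-ins for the CAs in CA Manager and for the certificate a gateway would receive), plus one end-entity certificate for the negative case, and then runs a check_ica function that confirms the chain to the issuing CA, the CA:TRUE constraint and the keyCertSign usage. All subjects, file names and return codes are constructed for the example; in practice you would run check_ica on the certificate Device Trust Manager returned and on the certificate of the Issuing CA you selected in the policy.

```shell
#!/bin/sh
# Added example, not DigiCert code: verify that a certificate is a usable
# Intermediate CA. Assumes only the openssl CLI; all material is constructed
# here so the script runs offline.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# newcsr NAME SUBJECT: constructed P-256 key and CSR, as a device would submit.
newcsr() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2" 2>/dev/null
}

# Constructed private root, standing in for the root CA in CA Manager.
newcsr root "/CN=Example Private Root"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
  > "$WORK/root.ext"
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 \
  -extfile "$WORK/root.ext" -out "$WORK/root.pem" 2>/dev/null

# Constructed gateway ICA, signed with the CA:TRUE basic constraint the
# Basic Intermediate CA Certificate Template provides. pathlen:0 additionally
# stops the gateway from issuing further CAs; it can only issue end-entity certs.
newcsr ica "/CN=Example Gateway ICA"
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
  > "$WORK/ica.ext"
openssl x509 -req -in "$WORK/ica.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 30 -extfile "$WORK/ica.ext" -out "$WORK/ica.pem" 2>/dev/null

# Constructed end-entity certificate issued by the ICA, for the negative case.
newcsr leaf "/CN=sensor-0001"
printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\n' \
  > "$WORK/leaf.ext"
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ica.pem" -CAkey "$WORK/ica.key" \
  -CAcreateserial -days 30 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null

# check_ica CERT TRUST_ANCHOR [UNTRUSTED_CHAIN]
# Returns 0 if CERT is a usable ICA; 1 if it does not chain to TRUST_ANCHOR;
# 2 if it lacks CA:TRUE; 3 if its key usage does not permit certificate signing.
# (Return codes are this example's own convention.)
check_ica() {
  cert="$1"; anchor="$2"; chain="$3"
  if [ -n "$chain" ]; then
    openssl verify -CAfile "$anchor" -untrusted "$chain" "$cert" >/dev/null 2>&1 || return 1
  else
    openssl verify -CAfile "$anchor" "$cert" >/dev/null 2>&1 || return 1
  fi
  text="$(openssl x509 -in "$cert" -noout -text)"
  printf '%s\n' "$text" | grep -q 'CA:TRUE' || return 2
  printf '%s\n' "$text" | grep -q 'Certificate Sign' || return 3
  return 0
}

if check_ica "$WORK/ica.pem" "$WORK/root.pem"; then
  echo "ica.pem: usable Intermediate CA"
fi
# The leaf chains to the root via the ICA but is not a CA, so this reports 2.
check_ica "$WORK/leaf.pem" "$WORK/root.pem" "$WORK/ica.pem" || echo "leaf.pem: rejected, reason $?"
```

To check a real ICA, replace ica.pem with the certificate you received from Device Trust Manager and root.pem with the Issuing CA certificate (passing any intermediate between them as the third argument); a return code other than 0 tells you whether the problem is the chain, the missing CA constraint, or the key usage, which is usually a sign that the wrong template or profile was selected in the policy.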

Create a division

  1. In the Device Trust Manager menu, go to Divisions.

    Learn more about Divisions in Device Trust Manager.

  2. Select Create division.

  3. Enter a Name for the division and, optionally, a description.

  4. Select a Primary zone from the dropdown under the Rendezvous zones section.

  5. (Optional) Select a Secondary zone from the dropdown under the Rendezvous zones section as a backup.

  6. Select Create new division.

Create a certificate management policy

  1. In the Device Trust Manager menu, go to Certificate management > Certificate settings > Certificate templates.

  2. Select Create.

  3. Select a Certificate template from the list.

    Note

    Certificate templates are created and customized for your organization by DigiCert®. If no certificate templates appear on the Certificate templates page, or if you require modifications or a new template, contact your DigiCert® account representative.

  4. Either create a new Certificate profile or select an existing Certificate profile to proceed to the Certificate management policy creation section.

    To create a new certificate profile, see Create a certificate profile.

  5. Proceed to create a new Certificate management policy.

  6. On the General settings section, provide a Name for the certificate management policy.

  7. Choose a Division to assign the policy to.

  8. Under Select the certificate management model, select Policy will be used for secure device lifecycle management. Requires an Advanced license.

    Tip

    The scope of this tutorial is only to implement certificate issuance, not device management; hence, we recommend choosing the above certificate management model.

  9. Under the Certificate management methods, select the certificate management methods that this policy will support.

    For example, you may want to use EST to request or receive the Intermediate CA certificates. For detailed information on various certificate management methods available, see Certificate management methods.

  10. Optionally, select an Authentication policy.

    Note

    An Authentication policy is required when using EST, CMPv2, SCEP or ACME; it lets devices authenticate with a passcode or an authentication certificate. When requesting certificates through the portal or the API, an authentication policy is optional if you intend to authenticate with an API key or a certificate in Account Manager.

  11. Select Next to proceed to the certificate settings.

  12. On the Certificate settings page, select an Intermediate certificate profile and choose the certificate profile you created earlier.

  13. Select an Issuing CA from the available options. This is the Certificate Authority that will sign the certificates issued under this policy.

    Learn more about Issuing CA in Device Trust Manager.

  14. Under the Keypair generation settings, set the desired Keypair generation preferences.

    For detailed information on Keypairs, see Keypair generation settings.

  15. Select Next to Create a certificate management policy.

Request an Intermediate CA certificate

You can now request and receive Intermediate CA certificates from Device Trust Manager. How you request and receive depends on which certificate management method you configured in the certificate management policy: