Trust anchor certificates
DigiCert® Software Trust Manager's Trust anchor certificates feature is used to manage your root and intermediate (ICA) certificates. Trust anchor certificates are the foundation of trust: they verify the authenticity of your code signing certificates, establish a trust chain, and enable revocation checks within your system.
Trust anchor certificates are essential for importing certificates issued from hierarchies external to those provided by DigiCert, such as Apple hierarchies. The process involves importing the root and Intermediate Certificate Authority (ICA) certificates using trust anchors before importing the end entity certificate. This ensures that the trust chain is established correctly. After importing the necessary certificates, the keypair can be used for signing.
Note
Certificate profiles are used for obtaining certificates from CA Manager and CertCentral. Trust anchor certificates are associated with external hierarchies and are therefore not shown under Certificate profiles.
Follow this guide to import and manage your root and ICA certificates in Software Trust Manager.
Required permissions
This table outlines which permission or role must be assigned to the user to perform the actions described in this article.
User type | Permission
---|---
Account user | One of the following must be assigned to the user to perform this action:
System user | One of the following must be assigned to the user to perform this action:
Prerequisites
Before importing trust anchor certificates, ensure that the following requirements are met:
The certificate must not be expired.
The certificate Key Usage field must include digitalSignature.
The certificate CRL Distribution Points (CDP) extension must contain a CRL URL, and the certificate must not be revoked when its revocation status is checked against that CRL.
The certificate Authority Information Access (AIA) extension must contain an OCSP URL, and the certificate must not be revoked when its revocation status is checked against that OCSP responder.
For root CAs only, the certificate must be self-signed.
Public certificates must not use SHA1 hash algorithms for the signature.
Note
Private certificates may use SHA1 hash algorithms for the signature.
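The prerequisite list above, expressed as a pre-import check in Go using the standard crypto/x509 package. This is an added example, not DigiCert's code: the self-signed test root, its common name and its CRL/OCSP URLs are constructed data, and only the presence of the CRL and OCSP URLs is verified, not the revocation status itself.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// CheckTrustAnchor applies the prerequisite list above to a parsed certificate and returns one
// message per failed check. It verifies that CRL/OCSP URLs exist; the revocation lookup needs network access.
func CheckTrustAnchor(c *x509.Certificate, isRoot, isPublic bool, now time.Time) []string {
	var problems []string
	need := func(ok bool, msg string) {
		if !ok {
			problems = append(problems, msg)
		}
	}
	need(!now.Before(c.NotBefore) && !now.After(c.NotAfter), "certificate is expired or not yet valid")
	need(c.KeyUsage&x509.KeyUsageDigitalSignature != 0, "Key Usage does not include digitalSignature")
	need(len(c.CRLDistributionPoints) > 0, "CRL Distribution Points extension has no CRL URL")
	need(len(c.OCSPServer) > 0, "Authority Information Access extension has no OCSP URL")
	need(!isRoot || c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil,
		"root certificate is not self-signed (signature does not verify under its own public key)")
	need(!isPublic || (c.SignatureAlgorithm != x509.SHA1WithRSA && c.SignatureAlgorithm != x509.ECDSAWithSHA1),
		"public certificate uses a SHA1 signature algorithm")
	return problems
}

// newConstructedRoot builds a throwaway self-signed root CA (constructed test data, not a real
// certificate); pass an empty ocspURLs slice to exercise the "no OCSP URL" failure.
func newConstructedRoot(ocspURLs []string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Internal Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, BasicConstraintsValid: true, IsCA: true,
		CRLDistributionPoints: []string{"http://crl.example.test/root.crl"}, OCSPServer: ocspURLs,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Run CheckTrustAnchor over a PEM/DER file parsed with x509.ParseCertificate before uploading it; an empty result means the file meets the listed requirements apart from the live revocation lookup.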
Import trust anchor certificate
Follow this procedure to import and sign with code signing certificates issued by CAs other than DigiCert.
Tip
When an account user uploads the root and ICA certificates, an approval process is triggered that requires the system administrator to approve the certificate import. The approval process is bypassed if the certificate is imported by a system user.
Step 1: Import root certificate
To import the root certificate:
Sign in to DigiCert ONE.
Select the Manager menu (top right) > Software Trust.
Navigate to: Account > Trust anchor certificates.
Click Import trust anchor certificate.
Complete the following fields:
Field | Description
---|---
Trust anchor certificate alias | Provide a unique name to identify this certificate in Software Trust Manager.
Trust anchor type | Select the certificate type. Private: private trust anchor certificates are specific to an organization's internal PKI and are used to establish trust within that organization's closed environment; they are not automatically trusted by external systems and are not part of the public trust infrastructure. Public: public trust anchor certificates are widely recognized and trusted by a broad range of systems and are used for securing internet communications. Note: the trust anchor type can be changed by a system administrator during approval.
Access | Select the type of certificate access. Restricted: only allows this account to use this trust anchor certificate. Open: allows all accounts to use this trust anchor certificate. Note: trust anchor access can be changed by a system administrator during approval.
File type | Select the format based on the specific requirements of the system or application that will use the certificate. Many systems and software libraries handle both formats, so the choice often comes down to compatibility and the need for human readability. PEM: Base64-encoded, human-readable format that uses the delimiters -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- to mark the start and end of the certificate data. DER: binary format that is not human-readable; a compact representation of the certificate data with no delimiters or extra formatting.
Upload | Upload the certificate. Supported file formats: .PEM, .KEY, .CRT, .CER, and .CERT.
Select Import trust anchor certificate.
Note
Performing this action requires approval from the system administrator before you can begin using this certificate or import your ICA certificate. Ensure that the root certificate is approved before you import its ICA in step 2 below.
Step 2: Import ICA certificate
When you import an ICA certificate, Software Trust Manager checks whether its root certificate (issuer) is already in the system and automatically links the ICA to that root.
To import the ICA certificate:
Sign in to DigiCert ONE.
Select the Manager menu (top right) > Software Trust.
Navigate to: Account > Trust anchor certificates.
Click Import trust anchor certificate.
Complete the following fields:
Field | Description
---|---
Trust anchor certificate alias | Provide a unique name to identify this certificate in Software Trust Manager.
Trust anchor type | Select the certificate type. Private: private trust anchor certificates are specific to an organization's internal PKI and are used to establish trust within that organization's closed environment; they are not automatically trusted by external systems and are not part of the public trust infrastructure. Public: public trust anchor certificates are widely recognized and trusted by a broad range of systems and are used for securing internet communications. Note: the trust anchor type can be changed by a system administrator during approval.
Access | Select the type of certificate access. Restricted: only allows this account to use this trust anchor certificate. Open: allows all accounts to use this trust anchor certificate. Note: trust anchor access can be changed by a system administrator during approval.
File type | Select the format based on the specific requirements of the system or application that will use the certificate. Many systems and software libraries handle both formats, so the choice often comes down to compatibility and the need for human readability. PEM: Base64-encoded, human-readable format that uses the delimiters -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- to mark the start and end of the certificate data. DER: binary format that is not human-readable; a compact representation of the certificate data with no delimiters or extra formatting.
Upload | Upload the certificate. Supported file formats: .PEM, .KEY, .CRT, .CER, and .CERT.
Select Import trust anchor certificate.
Tip
Performing this action requires approval from the system administrator before you can begin using this certificate.
Step 3: Activate trust anchor certificate
After your root and ICA certificates have been approved by a system user, the status column displays Approved to indicate that the certificate is ready to be activated. If the status column shows Pending approval or Rejected, contact a system administrator for more information.
Note
This action can be performed by an account user with the Manage certificate hierarchy permission or the Lead or Team Lead role.
To activate a trust anchor certificate:
Sign in to DigiCert ONE.
Select the Manager menu (top right) > Software Trust.
Navigate to: Account > Trust anchor certificates.
Hover over the trust anchor certificate alias that you want to activate.
Click the activate (play) icon that appears to the right of the certificate alias.
Step 4: Generate keypair
You require the View keypair and Generate keypair permissions to create a keypair.
To generate a keypair:
Sign in to DigiCert ONE.
Select the Manager menu (top right) > Software Trust.
Navigate to: Keypairs > Create keypair.
Complete the required fields.
Click Create keypair.
Step 5: Generate a CSR
You require the Manage keypair permission to generate a CSR.
If the Generate CSR option is not visible in your account even though you have the correct permission, CSR generation may be disabled on your account.
To generate a CSR:
Sign in to DigiCert ONE.
Navigate to the Manager menu (top right) > Software Trust.
Select Keypairs.
In the keypair alias column, identify the keypair you want to use to generate the CSR.
Hover over the specific keypair alias until icons appear to the right.
Select the more actions (⁝) icon.
Select Generate CSR.
Complete the following fields:
Field | Description
---|---
Organization | Select the organization name associated with this CSR from the drop-down menu. This is an optional field.
Email | Provide an email address associated with this CSR. This is an optional field.
Organizational Unit (OU) | Provide an organizational unit, often a department or team name, associated with this CSR. Use a comma to list multiple OUs. This is an optional field.
Select Generate CSR.
Select one of the following options:
Select the copy icon next to CSR to copy the CSR in plaintext.
Select Download CSR to download the CSR as a file.
Step 6: Obtain a certificate from an external CA
Use the CSR generated in step 5 to obtain a certificate from a third-party CA.
Step 7: Import certificate issued by external CA
You require the Import certificate permission to import a code signing certificate.
To import a code signing certificate issued by a third-party CA:
Sign in to DigiCert ONE.
Select the Manager menu (top right) > Software Trust.
Navigate to: Keypairs.
Hover over the keypair alias that you used to generate the CSR until the ⁝ icon appears.
Click the ⁝ icon.
Select Import certificate.
Complete the following fields:
Field | Description
---|---
Certificate alias | Name to uniquely identify this certificate.
File type | Select the file type. Supported file types: .der and .pem.
Default certificate | Check this box if you want this certificate to be the default certificate for the keypair.
Upload | Upload the keypair. Supported file types: .pem and .key.
Select Import certificate.
Note
You are now ready to sign with a code signing certificate issued by an external CA.
Trust anchor certificate statuses
After you import a root or ICA certificate, its status displays as Pending approval. A system user with the Administrator role or the Manage certificate hierarchy permission can update, approve, reject, or lock the certificate.
If you are a system user with the Administrator role or the Manage certificate hierarchy permission, follow the steps below to act on a pending root certificate.
Update trust anchor certificate
To update a trust anchor certificate:
Sign in to DigiCert ONE.
Select the Manager menu (top right) > Software Trust.
Navigate to: Account > Trust anchor certificates.
Hover over the trust anchor certificate alias that you want to update until the ⁝ icon appears.
Click on the ⁝ > Edit.
You are able to make the following changes:
Field | Description
---|---
Trust anchor type | Select the certificate type. Private: private trust anchor certificates are specific to an organization's internal PKI and are used to establish trust within that organization's closed environment; they are not automatically trusted by external systems and are not part of the public trust infrastructure. Public: public trust anchor certificates are widely recognized and trusted by a broad range of systems and are used for securing internet communications.
Access | Select the type of certificate access. Restricted: only allows this account to use this trust anchor certificate. Open: allows all accounts to use this trust anchor certificate.
Click Update.
Approve trust anchor certificate
When you approve the root certificate, an account user can upload the ICA certificate and establish the chain of trust.
To approve a trust anchor certificate:
Sign in to DigiCert ONE.
Select the Manager menu (top right) > Software Trust.
Navigate to: Account > Trust anchor certificates.
Hover over the trust anchor certificate alias that you want to approve.
Click on the approve (thumbs-up) icon that appears to the right of the certificate alias.
Lock trust anchor certificate
When a trust anchor certificate is locked, an account user cannot approve or reject pending certificates, and cannot suspend, unsuspend, or update the trust anchor certificate.
To lock a trust anchor certificate:
Sign in to DigiCert ONE.
Select the Manager menu (top right) > Software Trust.
Navigate to: Account > Trust anchor certificates.
Hover over the trust anchor certificate alias that you want to lock.
Click the lock icon that appears to the right of the certificate alias.
Reject trust anchor certificate
When a trust anchor certificate is rejected, the certificate cannot be used or imported again.
To reject a trust anchor certificate:
Sign in to DigiCert ONE.
Select the Manager menu (top right) > Software Trust.
Navigate to: Account > Trust anchor certificates.
Hover over the trust anchor certificate alias that you want to reject.
Click the reject (three dots) icon that appears to the right of the certificate alias.
Additional actions
Here are some additional actions you may need while managing your root and ICA certificates. These actions can be performed by an account user with the Manage certificate hierarchy permission or the Lead or Team Lead role.
Download trust anchor certificate
To download a trust anchor certificate:
Sign in to DigiCert ONE.
Select the Manager menu (top right) > Software Trust.
Navigate to: Account > Trust anchor certificates.
Click on the trust anchor certificate alias that you want to download.
Click on the download icon.
Deactivate trust anchor certificate
You can deactivate a trust anchor certificate to prevent it from being used, and activate it again later.
To deactivate a trust anchor certificate:
Sign in to DigiCert ONE.
Select the Manager menu (top right) > Software Trust.
Navigate to: Account > Trust anchor certificates.
Hover over the trust anchor certificate alias that you want to deactivate.
Click the deactivate (pause) icon that appears to the right of the certificate alias.
Errors and solutions
The following error may occur while importing an ICA certificate.
Hierarchy chain validation/resolution failed
Error message:
Hierarchy chain validation/resolution failed
Description
This error can occur for multiple reasons. For example, the ICA import fails when Software Trust Manager cannot tie the ICA certificate to its root certificate because the root certificate was not imported and approved first.
Solution
Import the root certificate (issuer).
Ensure that the system administrator approved the import.
Import the ICA certificate.