Create a certificate profile with DigiCert Trust Assistant
Account Administrators with appropriate permissions can configure a certificate profile for DigiCert Trust Assistant. For more details on creating a profile, refer to Create certificate profiles.
To create a profile, select the following for each input:
Issuing CA
Select either an RSA-based or ECDSA-based issuing CA to use with DigiCert Trust Assistant.
Enrollment method
Select DigiCert Trust Assistant, and select target keystore options:
Operating System KeyStore - Certificate is installed in the Keychain on macOS and in the Certificate Store on Windows.
Note
Certificates installed via the Firefox browser also use the operating system keystore instead of the built-in Firefox certificate store.
DigiCert Software KeyStore - Certificate is installed in a DigiCert proprietary software keystore protected with a PIN.
Note
To use keys and certificates stored in the DigiCert Software KeyStore from browsers or other applications, the Register provider/token action must be performed in advance. This registers the DigiCert Software KeyStore with the operating system. On Windows, local administrator privilege is required to install and register the provider. On macOS, no administrative privilege is required.
Refer to DigiCert Software KeyStore for more details.
When selecting Operating System KeyStore or DigiCert Software KeyStore for the keystore, you can allow the export of the private key by checking the Allow private keys to be exported option.
Hardware token - Certificate is installed on the hardware token of your choice.
When choosing a Hardware token for the keystore, you can enforce the use of one or more specific hardware tokens. If the Any option is selected, tokens currently inserted in the end-user workstation and recognized by DigiCert Trust Assistant are shown as a selection during the enrollment flow.
Only formally qualified tokens are recognized by DigiCert Trust Assistant. However, non-qualified hardware tokens can also be recognized by modifying the .digicert-trust-assistant\config.json file inside the user's home directory. For more details on customizing the configuration file, refer to Add other hardware tokens.
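The Allow private keys to be exported option above decides whether a key enrolled into the Operating System KeyStore can later leave the machine. The following PowerShell script is an added example for verifying that setting on a Windows endpoint after enrollment; it is not DigiCert's code or part of DigiCert Trust Assistant. It assumes the certificate landed in the current user's personal store (Cert:\CurrentUser\My) and uses a placeholder subject filter that you narrow to the enrolled certificate. It reads the key's export policy through the standard .NET CNG and CSP APIs; hardware-token keys that cannot be opened are reported as unknown.

```powershell
# Added example, not DigiCert documentation code.
# Reports whether each private key in the current user's personal store is
# marked exportable, so an administrator can confirm the profile's
# "Allow private keys to be exported" choice took effect on the endpoint.

function Get-PrivateKeyExportability {
    param(
        # Placeholder filter: narrow this to the enrolled certificate's subject.
        [string]$SubjectFilter = 'CN=*',
        [string]$StorePath = 'Cert:\CurrentUser\My'
    )

    Get-ChildItem -Path $StorePath |
        Where-Object { $_.Subject -like $SubjectFilter -and $_.HasPrivateKey } |
        ForEach-Object {
            $cert = $_
            $exportable = 'unknown'
            $provider = 'unknown'
            try {
                # Resolve the private key object; RSA first, then ECDSA.
                $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                if (-not $key) {
                    $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert)
                }

                if ($key -is [System.Security.Cryptography.RSACng] -or
                    $key -is [System.Security.Cryptography.ECDsaCng]) {
                    # CNG-backed key: the export policy flags live on the CngKey.
                    $provider = $key.Key.Provider.Provider
                    $policy = [int]$key.Key.ExportPolicy
                    $allow = [int][System.Security.Cryptography.CngExportPolicies]::AllowExport
                    $exportable = (($policy -band $allow) -ne 0)
                }
                elseif ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    # Legacy CSP-backed key: the container info exposes the flag directly.
                    $provider = $key.CspKeyContainerInfo.ProviderName
                    $exportable = $key.CspKeyContainerInfo.Exportable
                }
            }
            catch {
                # Hardware tokens or PIN-protected keystores may refuse to open the
                # key without user interaction; leave the result as 'unknown'.
            }

            [PSCustomObject]@{
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Provider   = $provider
                Exportable = $exportable
            }
        }
}

# Usage: list every certificate with a private key and its export status.
Get-PrivateKeyExportability | Format-Table -AutoSize
```

An Exportable value of False for a certificate that was meant to stay non-exportable is the expected outcome when the option is left unchecked; a True value on a certificate the profile intended to pin to the machine is worth following up, because an exportable key can be copied into a PFX and used elsewhere.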
Authentication method
Select one of the following authentication methods depending on the authentication requirement for your organization's needs:
DigiCert ONE Login - Authenticates users through a single sign-on service enabled in Account Manager. For this method, both manual and automatic enrollment and renewal are supported. For more details, see About DigiCert ONE login profile.
Auto-enroll/renew certificates - Select to allow automatic certificate issuance and renewal.
Restrict user access based on Identity Provider (IdP) metadata - Select this option to configure authorized user groups.
Enrollment Code - Authenticates users using pre-distributed enrollment codes. Refer to Enrollments for more information about this method.
Manual Approval - Authenticates users using manual approval by account administrators. Refer to Enrollments for more information about this method.
SAML IdP - Authenticates users through a configured SAML Identity Provider. Refer to the following guides for configuration:
Note
DigiCert ONE Login and SAML IdP look similar, since both use federated protocols as the authentication mechanism, but they are very different. DigiCert ONE Login was added so that issuance and renewal of certificates can be done automatically with minimum user intervention. For SAML IdP, the user must enter credentials every time they enroll or renew a certificate.
For more details about DigiCert ONE Login, see About DigiCert ONE login profile.
Post-certificate installation
The post-certificate installation option is available only if post-processing scripts exist for the profile. If required, select one or more scripts from the Scripts available for this profile list. For more details about post-processing scripts, see Post-processing scripts.
Manual and auto key recovery of escrowed certificates
From version 1.2.2, users can recover certificates (manually or automatically) that were issued and escrowed in the DigiCert cloud. For details, see Manual and auto recovery of escrowed certificates.