Using the profile configuration wizard

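When you create a new certificate profile, DigiCert® Trust Lifecycle Manager displays a step-by-step wizard that makes it easy to configure all the required certificate options. The wizard screens and options that appear depend on the base template you use as the basis for the new certificate profile.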

This page describes the general workflow and the available options for creating a certificate profile with the profile configuration wizard.

Before you begin

Identify the certificate template that is best suited to the certificate profile you want to create. The certificate template determines the following:

  • Available certificate properties and use cases

  • Issuing certificate authority (CA), enrollment methods, and automation options

Important

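If your Trust Lifecycle Manager account uses the legacy licensing model (with different seat types), each base template has a corresponding seat type. Your account must have available seats of the applicable type. If no seats are available, the base template is disabled and you cannot create certificate profiles from it. For more information, see "Legacy seat types".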

Step 1: Begin creating the certificate profile

Use one of the following methods to launch the profile configuration wizard and create a new certificate profile:

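  • In the certificate templates view (Policies > Base templates), select the name of a certificate template to start creating a certificate profile from that template. Alternatively, open the actions (three dots) menu next to the certificate template name and select Create profile from template.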

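  • In the certificate profiles view (Policies > Certificate profiles), select the Create profile button above the table to start creating a certificate profile. The certificate templates view then appears. Select the name of a certificate template to start creating a certificate profile from that template.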

Step 2: Customize the certificate profile

Follow the Create certificate profile wizard to customize the certificate profile.

Note

The screens and options available in the wizard depend on the certificate template you started with and your specific business needs. The options described in this procedure are representative and may vary by template. Additional options may also be available depending on the selected template and configuration.

Configure details on the following screens as necessary. At any time, select Certificate preview to preview the certificate with the details you have configured.

On the Primary options screen of the wizard, configure the following:

  • Profile name: Enter a name to help identify the certificate profile.

  • Profile description (optional): Enter an optional description for the profile.

  • Business unit: Select the business unit to assign for certificates issued from this profile.

  • Issuing CA: Select the issuing CA to issue end-entity certificates for the profile.

  • Enrollment method: Select an enrollment method to use for requesting certificates from this profile.

  • Authentication method: Select a method to authenticate the enrollment requests and configure any required authentication options.

Select Next to continue to the Certificate options screen of the wizard.

On the Certificate options screen of the wizard, configure the following options:

  • Certificate fields: Configure certificate validity period, signing algorithm, key type, and key size.

    Some certificate profile types and enrollment methods support multiple key sizes. Select all possible key sizes you want to allow in your certificates. The final key size is determined based on what's sent in the CSR for each enrollment.

    You can also customize the length of the certificate serial number for profiles configured using the three generic base templates. To do this, you must enable the Customize length of certificate serial number checkbox. The options that you can select from are:

    • 16 bytes (32 hexadecimal characters)

    • 17 bytes (34 hexadecimal characters)

    • 18 bytes (36 hexadecimal characters)

    • 19 bytes (38 hexadecimal characters)

    • 20 bytes (40 hexadecimal characters) (default)

    Note

    We recommend that you use the 20-byte option since it’s more secure and reduces the possibility of serial number collisions.

  • Flow options: Configure whether you can issue multiple certificates from the profile, and whether you can override the default certificate validity through a REST API request.

  • Renewal options: Set the renewal window and configure the grace period.

  • Subject DN and SAN fields: Configure Subject Distinguished Name (DN) and Subject Alternative Name (SAN) attributes for the profile. For technical details about supported certificate attributes, see Certificate attributes and extensions.

Select Next to continue to the Extensions screen of the wizard.

On the Extensions screen of the wizard, you can view and configure extensions other than the SAN that define how a certificate is used and validated:

  • Configure extensions such as Basic constraints, Key usage, and Extended key usage to control certificate capabilities and permitted operations.

  • Review issuer and validation-related extensions, such as Authority information access, Authority key identifier, Certificate distribution points, and Subject key identifier, which help support certificate chain building and revocation checking.

  • Some private certificate types also support custom extensions.

Select Next to continue to the Additional options screen of the wizard.

On the Additional options screen, you can configure certificate delivery and management settings for the profile.

  • Configure options such as Delivery formats, Email configuration and notifications, Contact details, Alerts, and Certificate owners.

    Note

    If you sign in using single sign-on through your DigiCert® account, you have access to customize and configure alert options. See View and manage profile-specific alerts for more information.

  • Configure LDAP search settings and assign metadata to help organize, track, and manage certificates issued from the profile.

  • Apply Tags to help identify all certificates issued from a particular profile for tracking and management purposes in Trust Lifecycle Manager.

  • Some templates provide a Custom attributes option. These are user-defined metadata fields that store business-specific information if configured under Settings.

    Note

    Available custom attributes vary based on the selected enrollment method. For example, different custom attributes may be available for web-based and automated enrollment methods.

  • Select Certificate owners who should receive notifications for all certificates issued from this profile.

Select Next to continue to the Advanced settings screen of the wizard.

On the Advanced settings screen, you can configure advanced profile options that affect certificate enrollment, lifecycle management, and end-user experience.

  • Configure Seat ID mapping where you can select a certificate field to be bound to your Seat ID. This is used to uniquely identify the entity (for example, the user, device, or server) that is using each seat license.

  • Upload a user instructions file for how to use the certificate for profiles configured with a web-based enrollment method (Browser PKCS12, CSR, or DigiCert Trust Assistant) and an authentication method of Enrollment Code, Manual Approval or DigiCert ONE Login.

  • Enable a grace period, which allows you to add the days before expiration to the renewed certificate. When not selected, the renewed certificate takes a strict validity period based on the set Certificate expires in value.

  • Configure the self-service portal option for some templates to allow end users to manage their own certificates via a web-based self-service portal, if enabled under Settings.

  • For Microsoft CA profiles configured with the SCEP method, you can regenerate the RA certificate used by the solution to decrypt SCEP before Microsoft CA issues the certificate. This ensures that:

    • All issues related to RA certificate expiring and not being automatically renewed by Trust Lifecycle Manager are prevented.

    • You have a fresh RA key and RA certificate bound to the profile at all times, helping you adhere to security policies.

    To regenerate an RA certificate, select the Regenerate RA certificate button at the end of the wizard.

Step 3: Save the certificate profile

Review the configuration before saving. Select Next to continue through the wizard, or select Back to return to previous screens and make changes.

When you're ready, select Create to save and create the new certificate profile.
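
After the profile is saved, the serial number length selected on the Certificate options screen can be checked on certificates issued from it. The following Python is an added example, not DigiCert code: it reads the serialNumber from a DER certificate and compares its length with the configured option. The names `check_serial` and `sample_cert`, the one-byte tolerance, and the sample data (a constructed skeleton, not a real certificate) are assumptions of this example.

```python
# Added example (not DigiCert code): audit a DER certificate's serialNumber
# length against the length configured in the profile. Standard library only.

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low 7 bits count length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def serial_octets(cert_der):
    """Walk Certificate -> tbsCertificate -> [version] -> serialNumber."""
    tag, cert, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, tbs, _ = read_tlv(cert, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, body, nxt = read_tlv(tbs, 0)
    if tag == 0xA0:                       # optional [0] EXPLICIT version comes first
        tag, body, _ = read_tlv(tbs, nxt)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return body

def check_serial(cert_der, configured_len=20):
    """Return (status, value_len); configured_len is the profile's byte length."""
    raw = serial_octets(cert_der)
    if not raw or raw[0] & 0x80:
        return "not_positive", len(raw)   # RFC 5280: serial must be positive
    value = raw[1:] if len(raw) > 1 and raw[0] == 0 else raw  # drop DER sign pad
    if len(raw) > 20:
        return "over_20_octets", len(value)  # RFC 5280 limit, counted on the encoding
    # Assumed tolerance: DER drops a leading zero byte, so one byte short is normal.
    ok = configured_len - 1 <= len(value) <= configured_len
    return ("ok" if ok else "length_mismatch"), len(value)

def sample_cert(serial):
    """Constructed skeleton holding only the fields read above, not a full cert."""
    tbs = bytes([0xA0, 3, 2, 1, 2, 0x02, len(serial)]) + serial
    tbs_seq = bytes([0x30, len(tbs)]) + tbs
    return bytes([0x30, len(tbs_seq)]) + tbs_seq

SAMPLE_SERIAL = bytes(range(0x11, 0x25))  # constructed 20-byte value, high bit clear

if __name__ == "__main__":
    print(check_serial(sample_cert(SAMPLE_SERIAL), 20))
```

For a PEM file, base64-decode the body between the BEGIN and END lines before passing the bytes to `check_serial`.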