CA connectors and third-party issuance
Trust Architecture Playbook: Issuance pillar
DigiCert® Trust Lifecycle Manager is CA-agnostic and enables centralized management across your entire issuance infrastructure. In addition to DigiCert Private CA and CertCentral, Trust Lifecycle Manager provides CA connectors for a range of private and public trust issuance platforms. Use these connectors to integrate third-party CAs and manage all your certificates in a single inventory.
Note
This section covers the issuance capabilities of each CA connector. Discovery and import of existing certificates from third-party CAs is covered in the Baseline pillar. Existing third-party CA connectors used for imports can also be used for issuance.
CA connector best practices
These recommendations apply across all CA connector types.
| Recommendation | Description |
|---|---|
| Connect your primary issuing CAs first. | Prioritize the CAs that issue the most certificates or that serve your most critical use cases. |
| One connector per CA account. | Each connector links Trust Lifecycle Manager to one CA account or instance. If you have several accounts, configure a connector for each. |
| Multiple sensors per connector. | For fault-tolerant connectivity, assign more than one DigiCert sensor to each CA connector. If a sensor fails, Trust Lifecycle Manager automatically fails over to one of the others. |
| Enable server-sent heartbeats for each sensor. | Enable the Server Sent Event Heartbeat setting on any sensor that acts as the managing sensor for a CA connector, so it can pass issuance requests to the CA in near real time. |
| Upload root and intermediate CA certificates. | For every connected CA, upload the root and intermediate CA certificates to Trust Lifecycle Manager so that chain analysis and crypto hygiene checks on its certificates are accurate. A leaf whose issuer is not in the inventory cannot be chained to a trusted root. |
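To show concretely why the last row matters, the Go program below is an added example written for this page; it is not Trust Lifecycle Manager's own logic or API. It builds a constructed two-tier PKI in memory (a root, an issuing intermediate, and two leaf certificates with made-up names), then runs the two checks an inventory performs on each leaf. Chain analysis fails for a perfectly good leaf when its issuing intermediate was never uploaded, even though the root was; and a leaf that chains correctly can still fail crypto hygiene. The thresholds used (2048-bit RSA minimum, 398-day lifetime ceiling, 30-day renewal window) are assumptions chosen for the example, not values taken from the product.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Thresholds are this example's own assumptions, not values from Trust Lifecycle Manager.
const (
	day             = 24 * time.Hour
	minRSABits      = 2048
	maxLeafLifetime = 398 * day // public-trust ceiling for TLS leaf certificates
	renewBefore     = 30 * day  // a leaf this close to expiry needs renewal now
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // every input below is constructed, so a failure is a bug in the example
	}
	return v
}

// issue signs tmpl with parentKey and parses the result; a nil parent yields a self-signed root.
func issue(tmpl, parent *x509.Certificate, pub, parentKey any) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey))))
}

// tmpl builds a TLS server leaf template, or a CA template when ca is true.
func tmpl(serial int64, cn string, sans []string, notBefore time.Time, life time.Duration, ca bool) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: sans,
		NotBefore: notBefore, NotAfter: notBefore.Add(life), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.ExtKeyUsage = true, true, nil
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return t
}

// verifyChain is the chain-analysis step: can a path be built from the leaf to a trusted root
// using only the CA certificates uploaded to the inventory? Self-signed uploads count as roots.
func verifyChain(leaf *x509.Certificate, uploaded ...*x509.Certificate) error {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(),
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	for _, c := range uploaded {
		if c.CheckSignatureFrom(c) == nil {
			opts.Roots.AddCert(c)
		} else {
			opts.Intermediates.AddCert(c)
		}
	}
	_, err := leaf.Verify(opts)
	return err
}

// hygieneFindings lists the crypto-hygiene problems a reviewer would flag on a leaf.
func hygieneFindings(c *x509.Certificate, now time.Time) (f []string) {
	mark := func(bad bool, msg string) {
		if bad {
			f = append(f, msg)
		}
	}
	rsaKey, isRSA := c.PublicKey.(*rsa.PublicKey)
	mark(isRSA && rsaKey.N.BitLen() < minRSABits, fmt.Sprintf("RSA key shorter than %d bits", minRSABits))
	mark(c.NotAfter.Sub(c.NotBefore) > maxLeafLifetime, fmt.Sprintf("lifetime exceeds %d days", maxLeafLifetime/day))
	mark(c.NotAfter.Sub(now) < renewBefore, fmt.Sprintf("expires within %d days; renew now", renewBefore/day))
	mark(len(c.DNSNames) == 0 && len(c.IPAddresses) == 0, "no subjectAltName (clients no longer match on CN)")
	return f
}

type Report struct {
	FullChainErr, MissingInterErr, WeakChainErr error
	GoodFindings, WeakFindings                   []string
}

// Run builds the constructed two-tier PKI and runs both checks on a good and a weak leaf.
func Run() *Report {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	rootKey, interKey, leafKey, now := newKey(), newKey(), newKey(), time.Now()
	root := issue(tmpl(1, "Example Root CA", nil, now.Add(-time.Hour), 10*365*day, true), nil, &rootKey.PublicKey, rootKey)
	inter := issue(tmpl(2, "Example Issuing CA", nil, now.Add(-time.Hour), 5*365*day, true), root, &interKey.PublicKey, rootKey)
	good := issue(tmpl(3, "www.example.test", []string{"www.example.test"}, now.Add(-time.Hour), 90*day, false), inter, &leafKey.PublicKey, interKey)
	// Deliberately weak leaf: 1024-bit RSA, CN only, three-year lifetime, ten days from expiry.
	weakKey, life := must(rsa.GenerateKey(rand.Reader, 1024)), 3*365*day
	weak := issue(tmpl(4, "legacy.example.test", nil, now.Add(10*day-life), life, false), inter, &weakKey.PublicKey, interKey)
	return &Report{
		FullChainErr:    verifyChain(good, root, inter),
		MissingInterErr: verifyChain(good, root),        // intermediate never uploaded
		WeakChainErr:    verifyChain(weak, root, inter), // chains fine; hygiene does not
		GoodFindings:    hygieneFindings(good, now),
		WeakFindings:    hygieneFindings(weak, now),
	}
}

func main() {
	fmt.Printf("%+v\n", Run())
}
```

Running it prints a nil error for the good leaf with both CA certificates loaded, an unknown-authority error for the same leaf when only the root is loaded, and a nil chain error but four hygiene findings for the weak leaf. The two checks are independent on purpose: chain validity says nothing about key size, lifetime, renewal urgency or SAN presence, which is why the inventory needs the CA certificates for the first check and the leaf's own fields for the second.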
Private trust connectors
AWS Private CA is Amazon's managed private CA service, commonly used in AWS-centric environments for issuing workload and infrastructure certificates. The connector enables issuing and managing AWS Private CA certificates through certificate profiles and lifecycle tooling in Trust Lifecycle Manager.
Use this connector when your teams are already issuing from AWS Private CA and you want to bring those certificates under centralized management without migrating them to DigiCert Private CA.
Microsoft Active Directory Certificate Services (ADCS) is the dominant private CA in Windows-centric enterprise environments. The connector enables issuing certificates from your ADCS deployment through Trust Lifecycle Manager certificate profiles and managing their full lifecycle from a single inventory.
Use this connector to issue, manage, and automate deployment of certificates from your existing Microsoft CA while planning any longer-term migration if desired.
Important
The DigiCert sensor that manages the Microsoft CA integration must be installed on a dedicated Windows system, not on the CA server itself, and that system must be joined to the same domain or forest as the Microsoft CA server.
Step CA (smallstep) is an open-source private CA commonly used in DevOps and cloud-native environments for short-lived workload identity certificates. The connector enables issuing and managing Step CA certificates through certificate profiles and lifecycle tooling in Trust Lifecycle Manager.
Use this connector when you have a Step CA deployment serving developer or cloud-native workloads and want to bring those certificates under centralized management.
Public trust connectors
Let's Encrypt is a free public-trust CA that issues DV TLS certificates with a 90-day validity period. The connector enables issuing and managing Let's Encrypt certificates through certificate profiles and lifecycle tooling in Trust Lifecycle Manager.
Use this connector to issue, manage, and automate deployment of Let's Encrypt certificates alongside other CAs from a single platform. Let's Encrypt's 90-day validity period makes automated renewal essential.
GlobalSign is a commercial public trust CA. The connector integrates with GlobalSign Certificate Center (GCC) and enables issuing and managing GlobalSign public TLS certificates directly from Trust Lifecycle Manager.
Use this connector when you have an existing GlobalSign GCC account and want to issue, manage, and automate deployment of GlobalSign certificates alongside other CAs from a single platform.
Sectigo is a commercial public trust CA. The connector enables issuing and managing Sectigo public TLS certificates directly from Trust Lifecycle Manager.
Use this connector when you have an existing Sectigo account and want to issue, manage, and automate deployment of Sectigo certificates alongside other CAs from a single platform.