Skip to main content

Enterprise PKI Manager

Enhancements

SCEP Service - Support for the provisioning of certificates via Simple Certificate Enrollment Protocol (SCEP), authenticated via a unique Enrollment Code that is pre-registered against a Seat ID. The SCEP server accepts both HTTP and HTTPS POST and GET requests for all SCEP operations. A new Enrollment Method called "SCEP" must be selected when creating a profile that is to be used to issue certificates via the SCEP protocol. Operations supported by this initial SCEP release are, based on IETF's 'draft-gutmann-scep-16' specification (https://tools.ietf.org/id/draft-gutmann-scep-16.html):

  • GetCACaps- to retrieve the capabilities (operations and algorithms) the SCEP service supports. It supports both a generic URL to retrieve the capabilities without authentication (https://one.digicert.com/mpki/api/v1/scep/cgi-bin/pkiclient.exe?operation=GetCACaps), and a URL based on your certificate profile ID (https://one.digicert.com/mpki/api/v1/scep/PROFILE-GUID/cgi-bin/pkiclient.exe?operation=GetCACaps)

  • GetCACert- to download the Issuing CA certificate bound to your SCEP-enabled profile

  • PKIOperation-PKCSReq message - to enroll for a certificate against your SCEP-enabled profile

Audit Log Enhancements - The audit trail logs page has been enhanced to also log failed SCEP transactions and show the corresponding error message, to help customers troubleshoot their SCEP-based integrations.

Profile Certificate Fields Redesign - Redesign and enhancements to the way fields are added and configured to a profile:

  • Selection of certificate fields is based on a drop-down list, from where you can select multiple fields to be added to your profile in a single step

  • Each field now has its own individual data source, e.g. Fixed value, Entered manually, SCEP request

  • Each data source can be configured as Required or Optional

  • For newly created profiles, you can now add/delete/reconfigure certificate fields once the profile has been saved.

    注記

    For existing/saved profiles with fields set as Required, you will NOT be able to delete such fields. If required, you must create/clone a new profile.

REST API Enhancements

  • Enrollment end-point: Ability to set an enrollment code and its expiry date against a Seat ID via the enrollment REST API end-point. Check the updated Swagger API documentation for details.

  • Certificate authentication: support for certificate-based authentication instead of using an API KEY. You must create/download a Client Authentication certificate (in PKCS12 format) from the Account Manager application, which can then be used to configure your REST Client application to strongly authenticate to your account/profile. Profiles configured with the "REST API" enrollment method have been updated with a section that allows you optionally bind a User on your account against a specific profile. The REST API end-point for certificate-based authentication must be prefixed with 'clientauth', e.g. https://clientauth.one.digicert.com/mpki/api/v1/hello