
Keypair profiles

Keypair profiles simplify keypair generation by preconfiguring values for all keypair options. Keypair profiles are only enforced when enabled on your account. You can assign specific keypair profiles to specific teams during team creation.

Enable keypair profiles

You require the Manage keypairs permission to enable keypair profiles.

  1. Sign in to DigiCert ONE.

  2. Select the Manager menu (top right) > Software Trust.

  3. Select Account > Account settings.

  4. Select the edit icon.

  5. Select the checkbox next to Require keypair profile to generate keypair.

  6. Select Update settings.

Create keypair profiles

You require the Manage keypair permission to create a keypair profile.

  1. Sign in to DigiCert ONE.

  2. Select the Manager menu (top right) > Software Trust.

  3. Navigate to: Keypairs > Keypair profiles.

  4. Select Create keypair profile.

Complete these fields:

1. Keypair profile requirements

Field

Description

Profile name

Name to uniquely identify this keypair profile.

Profile type

Select Fixed (the user cannot change values during keypair generation) or Customizable (the user can change values during keypair generation).

Profile scope

Select System or Account (only an account scope user can choose account).

Keypair status

Select Online to generate keypairs that can be used to sign at any time.

Select Offline to generate keypairs that can only be used to sign during a release window.

Algorithm

Select MLDSA, RSA, ECDSA, or EdDSA (when you select EdDSA, the key curve is set to Ed25519).

Security level / Key size / Key curve

Select the MLDSA44, MLDSA65, or MLDSA87 security level for MLDSA algorithms.

Select the 2048, 3072, or 4096 key size for RSA algorithms.

Select the P-256 or P-384 key curve for ECDSA algorithms.

Ed25519 is the only allowed key curve for EdDSA algorithms.

Keypair category

Select Production or Test.

Keypair storage

Select one of the following key storage methods:

  • Level 3

    The key is stored in an HSM that is CA/Browser Forum compliant. This storage method is certified to FIPS 140-2 Level 2, Common Criteria EAL4+, or an equivalent or higher standard, and is therefore compatible with both publicly and privately trusted certificates.

  • Level 2

    The key is stored in an HSM whose certification is lower than Level 3. This storage method is only compatible with privately trusted certificates.

  • Level 1

    The key is stored in an uncertified but secure software HSM (SoftHSM). This storage method is only compatible with privately trusted certificates.

Note

To use DPoD HSM storage, DPoD must be set up in CA Manager and enabled for your account.
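The table above reads as a policy: a Fixed profile locks every value, a Customizable profile lets the user override some of them, only Level 3 storage may back publicly trusted certificates, and an Offline keypair may only sign during a release window. The following Python model makes those constraints executable so the interactions can be checked before a profile is rolled out to a team. It is an added example written for this page, not DigiCert ONE code or its API: the field names mirror the table, but the function names, the set of user-overridable fields, the intended_trust field and the release-window flag are assumptions made for illustration.

```python
"""Policy model of how a keypair profile constrains keypair generation.

Added example, not DigiCert ONE code. The profile fields and the
storage-level rules follow the page's table; the function names,
CUSTOMIZABLE_FIELDS, the intended_trust field and the release-window
flag are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Algorithm -> allowed security level / key size / key curve (from the page).
ALLOWED_SIZES: Dict[str, set] = {
    "MLDSA": {"MLDSA44", "MLDSA65", "MLDSA87"},
    "RSA": {"2048", "3072", "4096"},
    "ECDSA": {"P-256", "P-384"},
    "EdDSA": {"Ed25519"},
}

# Only Level 3 storage (CA/Browser Forum compliant HSM) may back publicly
# trusted certificates; Levels 1 and 2 are private-trust only (from the page).
PUBLIC_TRUST_STORAGE_LEVELS = {3}

# Fields a user may change under a Customizable profile. Assumption: scope and
# storage level stay administrator-controlled even when the profile is Customizable.
CUSTOMIZABLE_FIELDS = {"status", "algorithm", "key_size", "category"}


@dataclass(frozen=True)
class KeypairProfile:
    name: str
    profile_type: str   # "Fixed" or "Customizable"
    scope: str          # "System" or "Account"
    status: str         # "Online" or "Offline"
    algorithm: str      # "MLDSA", "RSA", "ECDSA" or "EdDSA"
    key_size: str       # security level, key size or key curve
    category: str       # "Production" or "Test"
    storage_level: int  # 1, 2 or 3


@dataclass
class KeypairRequest:
    profile: KeypairProfile
    overrides: Dict[str, object] = field(default_factory=dict)
    intended_trust: str = "private"   # "public" or "private" (assumed field)


def check_values(values: Dict[str, object]) -> List[str]:
    """Return policy violations for a fully resolved set of keypair values."""
    errors: List[str] = []
    alg = values["algorithm"]
    if alg not in ALLOWED_SIZES:
        errors.append(f"unknown algorithm {alg!r}")
    elif values["key_size"] not in ALLOWED_SIZES[alg]:
        errors.append(f"{values['key_size']!r} is not a valid size/curve for {alg}")
    if values["status"] not in ("Online", "Offline"):
        errors.append(f"invalid status {values['status']!r}")
    if values["category"] not in ("Production", "Test"):
        errors.append(f"invalid category {values['category']!r}")
    if values["storage_level"] not in (1, 2, 3):
        errors.append(f"invalid storage level {values['storage_level']!r}")
    return errors


def check_request(req: KeypairRequest) -> Tuple[Dict[str, object], List[str]]:
    """Apply a request against its profile; return (effective values, violations)."""
    p = req.profile
    values: Dict[str, object] = {
        "status": p.status, "algorithm": p.algorithm, "key_size": p.key_size,
        "category": p.category, "storage_level": p.storage_level,
    }
    errors: List[str] = []
    if p.profile_type == "Fixed":
        # A Fixed profile locks every value: reject overrides, do not silently drop them.
        if req.overrides:
            errors.append(f"profile {p.name!r} is Fixed; overrides not permitted")
    elif p.profile_type == "Customizable":
        bad = set(req.overrides) - CUSTOMIZABLE_FIELDS
        if bad:
            errors.append(f"fields not customizable: {sorted(bad)}")
        else:
            values.update(req.overrides)
    else:
        errors.append(f"unknown profile type {p.profile_type!r}")
    # Selecting EdDSA pins the curve to Ed25519, as the UI does.
    if values["algorithm"] == "EdDSA":
        values["key_size"] = "Ed25519"
    errors += check_values(values)
    if req.intended_trust == "public" and values["storage_level"] not in PUBLIC_TRUST_STORAGE_LEVELS:
        errors.append("publicly trusted certificates require Level 3 storage")
    return values, errors


def resolve_keypair(req: KeypairRequest) -> Dict[str, object]:
    """Like check_request, but raise instead of returning violations."""
    values, errors = check_request(req)
    if errors:
        raise ValueError("; ".join(errors))
    return values


def can_sign(values: Dict[str, object], in_release_window: bool) -> bool:
    """Online keypairs sign at any time; Offline keypairs only in a release window."""
    return values["status"] == "Online" or in_release_window


if __name__ == "__main__":
    # Constructed sample: a Fixed, Offline, Level 3 production profile for public trust.
    prod = KeypairProfile("prod-rsa", "Fixed", "Account", "Offline",
                          "RSA", "3072", "Production", 3)
    resolved = resolve_keypair(KeypairRequest(prod, intended_trust="public"))
    print(resolved, "can sign outside window:", can_sign(resolved, False))
```

The check is deliberately fail-closed: an override against a Fixed profile is a violation rather than something to ignore, and a request for public trust against Level 1 or Level 2 storage is rejected before any key material would be generated.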