
Create certificate automation profiles

Certificate automation profiles define specific types of certificates you can issue and manage using DigiCert® Trust Lifecycle Manager automation services. Each certificate profile defines options such as the:

  • Issuing CA

  • Enrollment method

  • Key algorithm and size

  • Supported certificate fields

You create different profiles for different types of certificates you want to automate through Trust Lifecycle Manager.

Available base templates

To create a certificate profile in Trust Lifecycle Manager, you start with a base template and customize it for your organization's digital trust needs.

To find base templates that support managed automation, look for End-to-end certificate automation in the Use cases column on the Policies > Base templates page in Trust Lifecycle Manager.

The following table lists these available base templates, along with the certificate trust type(s), issuing CA, and required seat and CA connector types for each. To create certificate profiles for managed automation, start with one of these base templates:

| Template name | Trust type | Issuing CA | Seat type | Connector |
| --- | --- | --- | --- | --- |
| AWS CA Private Server Certificate | Private | AWS Private CA | Certificate management | AWS Private CA |
| CA Manager Private Server Certificate | Private | DigiCert® CA Manager | Server | N/A |
| CertCentral Private Server Certificate | Private | DigiCert CertCentral® | Certificate management | CertCentral |
| CertCentral Public Server Certificate | Public | DigiCert CertCentral® | Certificate management | CertCentral |
| Let's Encrypt Public Server Certificate | Public | Let's Encrypt | Certificate management | Let's Encrypt |
| Microsoft CA Private Server Certificate | Private | Microsoft | Certificate management | Microsoft CA |

Note

Trust Lifecycle Manager provides an additional base template called CA Manager Private mTLS Certificate for automating private mutual TLS (mTLS) authentication certificates in Istio service meshes. To learn more about this use case, see the Istio connector guide.

Enrollment methods

Each automation profile defines a specific enrollment method that can be used to request and install certificates from that profile.

You set the enrollment method under the Primary options on the first screen of the profile configuration wizard.

Managed automation

To enroll and manage certificates from the Trust Lifecycle Manager web console using its managed automation tools, select one of the following enrollment methods:

| Enrollment method | Description |
| --- | --- |
| Admin web request | Use a simple web-based form to request new certificates with automated delivery to servers, vaults, or the AWS cloud. Trust Lifecycle Manager delivers certificates to the selected systems via DigiCert agents, Azure Key Vault connectors, or AWS unified connectors, respectively. |
| DigiCert agent | Automate certificates on web servers. The DigiCert agent on each server coordinates the certificate enrollment process and downloads and installs the resulting certificates on the target endpoints. |
| DigiCert sensor | Automate certificates on network appliances and cloud services. A DigiCert sensor on your network coordinates the certificate enrollment process and installs the resulting certificates on the target endpoints for the appliances/services it manages. |

Additional use cases

Additional automation-related enrollment methods for managing certificates:

| Enrollment method | Description |
| --- | --- |
| 3rd-party ACME client | Manage certificates from the command-line interface (CLI) on web servers using the Trust Lifecycle Manager ACME service. For more information, see the Third-party ACME client integration guide. |
| mTLS over ACME | Automate mutual TLS (mTLS) authentication certificates for an Istio service mesh using the Trust Lifecycle Manager ACME service. For more information, see the Istio connector guide. |
| REST API | Request and manage certificates using the Trust Lifecycle Manager REST API service. Use this enrollment method to integrate with and request certificates from ServiceNow. For more information, see the ServiceNow integration guide. |

Auto-renewal

Enable the auto-renew option to prevent outages and make sure you always have valid certificates installed on your systems.

You specify how far in advance of expiration to submit renewal requests, and Trust Lifecycle Manager automatically renews and deploys each certificate to its installed location(s) at that time.

You enable auto-renewal in the Certificate options > Renewal options section of the profile configuration wizard. You can schedule auto-renewal for:

  • 30 days before certificate expiration: This is the default option.

  • Custom schedule: Specify the number of days before expiration to renew certificates, and the specific time to submit the request.
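As an added example (not DigiCert's code and not part of this guide), the Python below applies the two renewal-window rules described above, the 30-day default and a custom days-plus-time schedule, to a constructed certificate inventory and lists certificates whose scheduled renewal time has passed without a fresh certificate appearing, which is the condition an operator wants to catch before an expiry outage. The field names, sample hostnames and clock are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone
from typing import Optional

@dataclass
class RenewalSchedule:
    # Mirrors a profile's Renewal options: days before expiration and, for a
    # custom schedule, the time of day to submit. Field names are assumed here.
    days_before_expiry: int = 30          # page default: 30 days before expiration
    submit_at: Optional[time] = None      # custom schedule only; treated as UTC

DEFAULT_SCHEDULE = RenewalSchedule()
CUSTOM_SCHEDULE = RenewalSchedule(days_before_expiry=14, submit_at=time(2, 0))

def renewal_submit_time(not_after: datetime, schedule: RenewalSchedule) -> datetime:
    """Datetime at which the renewal request for this certificate is scheduled."""
    due = not_after - timedelta(days=schedule.days_before_expiry)
    if schedule.submit_at is not None:
        # Custom schedule: same day, but at the configured submission time.
        due = datetime.combine(due.date(), schedule.submit_at, tzinfo=timezone.utc)
    return due

def renewal_state(not_after: datetime, schedule: RenewalSchedule, now: datetime) -> str:
    """'ok' before the window opens, 'renewal-due' inside it, 'expired' past notAfter."""
    if now >= not_after:
        return "expired"
    if now >= renewal_submit_time(not_after, schedule):
        return "renewal-due"
    return "ok"

def stale_certificates(inventory, schedule, now, grace=timedelta(days=1)):
    """Names still deployed more than `grace` after their scheduled renewal time;
    a successful auto-renewal would have replaced them. inventory: (name, notAfter)."""
    return [name for name, not_after in inventory
            if now >= renewal_submit_time(not_after, schedule) + grace]

# Constructed sample inventory and clock (not real certificates), all UTC.
SAMPLE_INVENTORY = [
    ("web01.example.test", datetime(2025, 6, 30, 12, 0, tzinfo=timezone.utc)),
    ("web02.example.test", datetime(2025, 9, 1, 0, 0, tzinfo=timezone.utc)),
    ("vpn.example.test", datetime(2025, 6, 2, 8, 0, tzinfo=timezone.utc)),
]
SAMPLE_NOW = datetime(2025, 6, 5, 9, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, not_after in SAMPLE_INVENTORY:
        print(f"{name}: {renewal_state(not_after, DEFAULT_SCHEDULE, SAMPLE_NOW)}")
    print("stale:", stale_certificates(SAMPLE_INVENTORY, DEFAULT_SCHEDULE, SAMPLE_NOW))
```

Feed it the notAfter values from your own inventory and compare its stale list against what Trust Lifecycle Manager reports as renewed to spot deployments that never completed.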

Notifications

You can set up account-wide notifications to send email alerts about all automated certificate lifecycle events in your account.

You can also set up custom notifications for a specific certificate automation profile, in the Additional options > Email configuration and notifications section of the profile configuration wizard. To configure custom notifications for a profile:

  1. Select who to send the notifications to (requester and/or other recipients) for this profile. For other recipients, enter the email addresses.

  2. Toggle on the Use custom template option for any automation events that should use custom notifications.

  3. Customize the notification options for the event for certificates issued from this profile:

    1. Edit the email subject or body for notifications.

    2. Use the Send email notification checkbox to turn the event notifications on or off.

    3. For renewal events, use the additional checkboxes under Renewal options to configure when the notifications get sent.

What's next

Each certificate under automated lifecycle management has an associated automation profile. When you need to deploy a new certificate on one of your systems, you select an automation profile based on the certificate type and enrollment method you need.