Skip to main content

Create certificate profiles for EST

You need one or more certificate profiles for Enrollment over Secure Transport (EST) in DigiCert​​®​​ Trust Lifecycle Manager.

In each profile, select EST as the enrollment method and configure the properties for the issued certificates. Upon creation of an EST-enabled profile, Trust Lifecycle Manager generates the unique EST server URLs that clients can use to enroll and renew certificates from that profile.

Let op

For detailed information about creating certificate profiles in Trust Lifecycle Manager, see Create certificate profiles.

Available certificate templates

Use the following base templates to create certificate profiles in Trust Lifecycle Manager for EST enrollment for devices or servers.

Template name

Seat type

Generic Device Certificate

Device

Generic Private Server Certificate

Server

Create a certificate profile

To create a certificate profile for EST-based enrollment:

  1. From the Trust Lifecycle Manager main menu, select Policies > Certificate profiles.

  2. Select the Create profile from template action at the top of the page.

  3. Select one of the base templates listed above as the basis for creating the certificate profile:

    • To enroll certificates for devices, select the Generic Device Certificate template.

    • To enroll certificates for servers, select the Generic Private Server Certificate template.

    Work through the profile creation wizard, focusing on the EST-related options described below and making other selections for your business needs and types of certificates you want to issue. After filling out each screen, select Next to move to the next screen.

  4. On the initial Primary options screen of the profile creation wizard, configure the:

    • General information: Select the applicable business unit and issuing CA, as discussed in the prerequisites.

    • Enrollment method: Select EST.

    • Authentication method: Choose one of the following methods to authenticate EST clients:

      Enrollment Code: Authenticate via codes. Select one of the following and configure the options for it:

      • Dynamic enrollment code: Requires you to create individual seat records and pre-register enrollment codes for them that EST clients can use to request certificates. Configure options for enrollment code expiration, length, and locking behavior.

      • Global enrollment code: Create a single enrollment code that any EST client can use to request a certificate without prior registration. Configure the maximum number of bad authentication attempts before locking a client out.

      TLS Certificate Auth: Authenticate via client certificates.

      • The issuing CA certificates must already be uploaded into the My root certificates page in Trust Lifecycle Manager.

      • Select which of these CAs are trusted to issue client authentication certificates. To authenticate, clients must present a certificate signed by one of these trusted CAs.

  5. On the Certificate options screen:

    • Subject DN and SAN fields: Select the fields to include in the Subject Distinguished Name (DN) and Subject Alternative Name (SAN) of issued certificates.

      For each field, make sure EST request is selected as the source of the field's value in order to read the value from the Certificate Signing Request (CSR) as submitted via the EST protocol.

      By default, only the Common name is included and configured to get its value from the EST request. If you only need a common name in your certificates, you don't need to make any other selections here.

  6. On the Advanced settings screen:

    • Seat ID Mapping: Select one of the available certificate fields to use as the seat ID when enrolling certificates via EST.

      Options here include any unique certificate fields that get their value from the EST request. The default selection is to use the certificate common name as the seat ID in Trust Lifecycle Manager.

    • Valid list of IP addresses: Optionally, if using client certificates for authentication (TLS Certificate Auth authentication method), you can enter valid IP addresses for clients that are allowed to request certificates via EST.

      Enter single IP addresses or use hyphens or CIDR blocks to specify ranges of valid IP addresses. If left empty, there will be no IP address restrictions for EST clients.

  7. Select Create to save the new certificate profile for EST-based enrollment.

    The system generates and displays the EST Enrollment URL and EST Renewal URL to use to enroll and renew certificates via EST.

    Use the copy icons to copy the URLs to your clipboard and save them in a secure location. Click OK to close the modal.

    Let op

    You can retrieve the EST URLs from the profile details display in Trust Lifecycle Manager at any time, using the dropdown menu below the profile name.

What's next