Prerequisites and workflow to use "Imported seat" licenses

Uploaded third-party certificates bound to the Imported seat license offer the most management options (see Assigned seat types). After upload, these certificates can be validated, revoked, suspended, or resumed from DigiCert® Trust Lifecycle Manager.

To assign this seat type, first use DigiCert® CA Manager to import the issuing CA and configure Certificate Revocation List (CRL), Authority Information Access (AIA), and Online Certificate Status Protocol (OCSP) parameters that match the values in the certificates.

Steps to use "Imported seat" licenses

Follow the steps below to make sure your third-party certificates are assigned the Imported seat type license when they are imported into DigiCert® Trust Lifecycle Manager.

Which steps are required depends on the certificates. For example, if the certificates do not include the AIA extension, you do not need to set up an AIA for them in DigiCert® CA Manager.

Important

Most of the tasks below can only be performed by an administrator with sufficient permissions:

  • For hosted DigiCert ONE accounts, contact your DigiCert representative for help.

  • For on-premises DigiCert ONE platforms, contact your local System Administrator.

  1. Gain access to the issuing CA

    Either import your issuing CA into DigiCert® CA Manager, or configure DigiCert ONE to access the HSM where the private key and certificate for your issuing CA are stored.

  2. Set up domains in DigiCert® CA Manager

    Use the DigiCert® CA Manager Domains function to set up one or more domains to match any CRL, AIA, or OCSP fields in the certificates:

    • Add the domain if it doesn't already exist in DigiCert® CA Manager. This can only be performed by a DigiCert representative or your local System Administrator.

      • Set the domain type to AIA issuer, CRL, and/or OCSP to match how it's used in the certificates.

    • If the domain already exists in DigiCert® CA Manager, make sure it's configured with the correct function type(s) as noted above.

  3. Create a CRL in DigiCert® CA Manager

    If the certificates have a CRL Distribution Point (CDP) field, create a matching CRL in DigiCert® CA Manager:

    • From the CRLs page in DigiCert® CA Manager, select the Create CRL button.

    • Select the imported issuing CA in the Issuer dropdown.

    • Configure the File name and File path fields to match the value of the CDP field in the certificates.

    • Note: Do not select the Generation enabled checkbox yet. Leave CRL generation disabled until all the certificates and the old system's last CRL have been uploaded (steps 5 and 6); otherwise the first CRL generated here can reuse an old CRL number or omit certificates revoked before the migration.

  4. Create an AIA in DigiCert® CA Manager

    If the certificates have an AIA issuer field, create a matching AIA in DigiCert® CA Manager:

    • From the AIAs page in DigiCert® CA Manager, select the Create AIA button.

    • Select the imported issuing CA in the Issuer dropdown.

    • Configure the File name and File path fields to match the value of the AIA issuer field in the certificates.

  5. Upload the end-entity certificates

    Upload the certificates from your old system via API or a DigiCert-provided tool. For API import, see Upload certificates with REST API.

  6. Upload the last CRL from the old system into DigiCert® CA Manager

    If the certificates use a CRL, import the last CRL generated by your old system into DigiCert® CA Manager so that it continues the CRL number sequence from that CRL instead of reusing numbers:

    • From the CRLs page in DigiCert® CA Manager, select the CRL to view the details for it.

    • Select the Import blob button to import the signed CRL blob.

  7. Update your DNS service

    Add DNS records so that the hostnames in any CDP, AIA, and OCSP fields in the certificates resolve to your DigiCert ONE instance:

    • For hosted DigiCert ONE accounts, point these hostnames at the corresponding hosts in the one.digicert.com domain. For on-premises deployments, point them at hosts in your local domain.

    • For example, if you are a hosted DigiCert ONE customer, and your imported certificates contain a CDP field value of crl.example.com, add a CNAME record that points crl.example.com at crl.one.digicert.com.

    • Contact your DigiCert representative or local System Administrator for help determining which hosts to use.

  8. Enable CRL generation and publishing in DigiCert® CA Manager

    If the certificates use a CRL, enable CRL generation and publishing in DigiCert® CA Manager:

    • From the CRLs page in DigiCert® CA Manager, select the CRL to view the details for it.

    • In the Base settings section of the CRL details, make sure Publish enabled and Generation enabled are both set to Yes. Select the pencil icon to edit these fields.
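The script below is an added example, not DigiCert's code or tooling. It is a POSIX shell script that uses openssl to build a throwaway "old system" PKI (all names are constructed: crl.example.com, aia.example.com, ocsp.example.com, a device certificate, and CRL number 42) and then reads back the values that steps 2, 3, 4, 6 and 7 require you to match: the CDP and AIA hostnames (the domains to add to CA Manager and the names that need DNS records), the CDP path (the CRL File path and File name), and the last CRL number, plus a check that a newly generated CRL continues the numbering rather than reusing a number.

```shell
#!/bin/sh
# Added pre-import check (not DigiCert's code). The PKI built here is a stand-in
# for the old system; run the functions at the bottom against real exported files.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed sample PKI: issuing CA, one end-entity cert, and a CA database
# whose next CRL number is hex 2A = 42 (the value the old system is "at").
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Example Issuing CA
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ee_ext ]
basicConstraints = CA:FALSE
crlDistributionPoints = URI:http://crl.example.com/issuing-ca.crl
authorityInfoAccess = caIssuers;URI:http://aia.example.com/issuing-ca.crt,OCSP;URI:http://ocsp.example.com
[ ca ]
default_ca = issuing
[ issuing ]
database = index.txt
serial = serial
crlnumber = crlnumber
new_certs_dir = .
default_md = sha256
default_crl_days = 7
EOF
touch index.txt
echo 1000 > serial
echo 2A > crlnumber

openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -days 1 \
  -config ca.cnf -extensions ca_ext 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout ee.key -out ee.csr \
  -config ca.cnf -subj /CN=device-0001 2>/dev/null
openssl x509 -req -in ee.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 1 \
  -extfile ca.cnf -extensions ee_ext -out ee.crt 2>/dev/null
# Two consecutive CRLs: crl1 (number 42) plays the old system's last CRL,
# crl2 (number 43) plays the first CRL generated after migration.
openssl ca -config ca.cnf -gencrl -keyfile ca.key -cert ca.crt -out crl1.pem 2>/dev/null
openssl ca -config ca.cnf -gencrl -keyfile ca.key -cert ca.crt -out crl2.pem 2>/dev/null

# All URIs carried in one extension of a certificate, one per line.
ext_uris() {  # $1 = certificate (PEM), $2 = extension short name
  openssl x509 -in "$1" -noout -ext "$2" | sed -n 's/.*URI:\([^ ]*\).*/\1/p'
}
# Host part of each URI, de-duplicated: the domains that must exist in CA
# Manager with the right type (step 2) and the names that need DNS records (step 7).
uri_hosts() { sed -n 's#^[A-Za-z]*://\([^/]*\).*#\1#p' | sort -u; }
# Path part of each URI: what the CRL/AIA File path and File name must equal (steps 3 and 4).
uri_paths() { sed -n 's#^[A-Za-z]*://[^/]*\(/.*\)#\1#p' | sort -u; }
cdp_hosts() { ext_uris "$1" crlDistributionPoints | uri_hosts; }
cdp_paths() { ext_uris "$1" crlDistributionPoints | uri_paths; }
aia_hosts() { ext_uris "$1" authorityInfoAccess | uri_hosts; }

# Decimal CRL number, read from the X509v3 CRL Number extension (step 6).
crl_number() {
  openssl crl -in "$1" -noout -text | awk '/CRL Number/ { getline; gsub(/[ \t]/, ""); print; exit }'
}
# Succeeds only when the new CRL's number is strictly greater than the old one's.
crl_continues() {  # $1 = last CRL from the old system, $2 = first CRL from the new one
  [ "$(crl_number "$2")" -gt "$(crl_number "$1")" ]
}

printf 'CDP hosts: %s\nCDP paths: %s\nAIA hosts: %s\nlast CRL number: %s\n' \
  "$(cdp_hosts ee.crt | tr '\n' ' ')" "$(cdp_paths ee.crt | tr '\n' ' ')" \
  "$(aia_hosts ee.crt | tr '\n' ' ')" "$(crl_number crl1.pem)"
crl_continues crl1.pem crl2.pem && echo "new CRL continues the sequence"
```

The certificate and CRL generation at the top only makes the script self-contained. In a real migration, point cdp_hosts, cdp_paths, aia_hosts and crl_number at certificates and the last CRL exported from the old system, and run crl_continues with that CRL and the first CRL DigiCert® CA Manager generates after step 8; a failure there is exactly the duplicate or out-of-sequence CRL number that the warning below describes.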

Warning

For issuing CAs that use Certificate Revocation Lists (CRLs), skipping or reordering the steps above can produce CRLs that do not contain all the revoked certificates, or CRLs generated with old or out-of-sequence CRL numbers.

Issuing CAs that use the Online Certificate Status Protocol (OCSP) may require additional configuration of an OCSP responder so that imported certificates can be validated on an ongoing basis. Contact your DigiCert representative or local System Administrator for help.