Standard keypairs

A keypair refers to a public key and an associated private key. The public key encrypts data that can only be decrypted by its associated private key, thereby establishing an encrypted connection.

View keypair

You require the View keypair permission to view a keypair.

You can view keypairs from Software Trust Manager or SMCTL.

Generate keypair

You require the View keypair and Generate keypair permissions to generate a keypair.

You can generate a keypair from Software Trust Manager or SMCTL.

Generate a certificate

You require the View keypair and Generate certificate permissions to generate a certificate.

You can generate a certificate from Software Trust Manager or SMCTL.

Update keypair

You require the View keypair and Manage keypair permissions to update a keypair.

You can update a keypair from Software Trust Manager or SMCTL.

Identify keypair alias

Retrieve the keypair alias via DigiCert® Software Trust Manager or Signing Manager Controller (SMCTL).

Identify keypair ID

You can retrieve the keypair ID from Software Trust Manager or SMCTL.

Download public key

You can download the public key for your certificate from Software Trust Manager or SMCTL.

Specify a default certificate for a keypair

You can set the default certificate for a keypair from Software Trust Manager or SMCTL.

Generate CSR

If the Generate CSR option is not visible in your account, CSR generation may be disabled on your account.

Note

If your account is hosted by DigiCert, contact your account manager to enable CSR generation.

If your account is self-hosted, your DigiCert ONE system administrator can enable CSR generation by following the steps below.

To enable CSR generation:

  1. Sign in to DigiCert ONE.

  2. Navigate to the Manager menu (top right) > Software Trust.

  3. Select Account > Account settings.

  4. Click the edit icon next to System.

  5. Check the box next to CSR generation API/UI.

  6. Click Update settings.

To generate a CSR:

  1. Sign in to DigiCert ONE.

  2. Navigate to the Manager menu (top right) > Software Trust.

  3. Select Keypairs.

  4. In the keypair alias column, identify the keypair you want to use to generate the CSR.

  5. Hover over the specific keypair alias until icons appear to the right.

  6. Select the more actions (⁝) icon.

  7. Select Generate CSR.

  8. The following information will be displayed and cannot be changed:

    • Keypair alias: Displays the name of the keypair used to generate the CSR.

    • Algorithm type: This field displays the algorithm associated with the keypair used to generate the CSR.

    • Key size/curve: This field displays the length, in bits, of the cryptographic keys used in the algorithm.

  9. Complete the following fields:

    • Organization: Select the organization name associated with this CSR from the drop-down menu. This is an optional field.

    • Email: Provide an email address associated with this CSR. This is an optional field.

    • Organizational Unit (OU): Provide an organizational unit, often a department or team name associated with this CSR. Use a comma to list multiple OUs. This is an optional field.

  10. Select Generate CSR.

  11. Select one of the following options:

    1. Select the copy icon next to CSR to copy the CSR in plaintext.

    2. Select Download CSR to download the CSR as a file.

Refresh dynamic key

You can refresh a dynamic key from Software Trust Manager or SMCTL.

Rotate key

You can rotate a key from Software Trust Manager or SMCTL.

Import code signing certificate

You require the Import certificate permission to import a code signing certificate.

You can import a code signing certificate from Software Trust Manager or SMCTL.

Import keypair

You require the Import keypair permission to import a keypair.

You can import a keypair from Software Trust Manager or SMCTL.

Note

You may encounter an error if you attempt to import an ECDSA keypair generated in OpenSSL because these keys are in PKCS1 format.

To bypass this error, use one of the following workarounds:

  • Add a passcode to the keypair and provide the passcode when importing the keypair into Software Trust Manager.

  • Convert the PKCS1 keypair to PKCS8 using the command:

    openssl pkey -in myecdsakey.pem -out pkey-ecdsa.pem
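
The second workaround as a script, added here as an example (not DigiCert tooling): it classifies a PEM private key by its header line, converts a traditional `EC PRIVATE KEY` file with the command above, and confirms the converted file is PKCS8 and carries the same public key. The function names and the throwaway demo key are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not DigiCert tooling. Function names are hypothetical.

# Print the encoding of a PEM private key, judged by its first BEGIN line.
key_format() {
    case "$(sed -n '/^-----BEGIN /{p;q;}' "$1" | tr -d '\r')" in
        '-----BEGIN PRIVATE KEY-----')           echo pkcs8 ;;
        '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo pkcs8-encrypted ;;
        '-----BEGIN EC PRIVATE KEY-----')        echo traditional-ec ;;
        '-----BEGIN RSA PRIVATE KEY-----')       echo traditional-rsa ;;
        *)                                       echo unknown ;;
    esac
}

# SHA-256 of the DER-encoded public key derived from an unencrypted key file.
pubkey_digest() {
    openssl pkey -in "$1" -pubout -outform DER |
        openssl dgst -sha256 | awk '{print $NF}'
}

# Convert key $1 to unencrypted PKCS8 at $2 using the page's openssl pkey
# command, then check the output format and that the public key is unchanged.
to_pkcs8() {
    ( umask 077 && openssl pkey -in "$1" -out "$2" ) || return 1
    [ "$(key_format "$2")" = pkcs8 ] || return 1
    [ "$(pubkey_digest "$1")" = "$(pubkey_digest "$2")" ]
}

# Demo on a throwaway P-256 key (constructed input; never use it for signing).
demo() {
    dir=$(mktemp -d) || return 1
    openssl ecparam -name prime256v1 -genkey -noout \
        -out "$dir/myecdsakey.pem" || return 1
    echo "before: $(key_format "$dir/myecdsakey.pem")"
    to_pkcs8 "$dir/myecdsakey.pem" "$dir/pkey-ecdsa.pem"; rc=$?
    echo "after:  $(key_format "$dir/pkey-ecdsa.pem")"
    rm -rf "$dir"   # remove the demo private keys
    return $rc
}

demo
```

The converted file is an unencrypted private key, so it is written with owner-only permissions and should be deleted once the import succeeds.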

Delete keypair

You require the Approve keypair delete permission to delete a keypair.

To delete a keypair:

Set a keypair expiry date

The keypair expiry workflow enhances crypto agility and improves security. Standard keypairs can now be set to expire on a specific date, upon certificate expiration, or remain non-expiring as before. Setting expiry dates helps maintain security, ensures compliance with industry standards, and preserves trust in your code's integrity.

To set an expiry date for a keypair:

  1. Sign in to DigiCert ONE.

  2. Navigate to the Manager menu (top right) > Software Trust.

  3. Select Keypairs.

  4. Click the keypair alias you want to update.

  5. Select the edit icon next to Keypair validity.

  6. Select one of the following options:

    1. Match keypair and certificate expiry dates

      Select to set the keypair's expiry date to the same date that your default certificate for the keypair expires.

      Note

      The keypair will expire at midnight (UTC) of the same day your certificate expires.

    2. Select an expiry date

      Select to set a specific expiry date for your keypair. The keypair will expire at the end of the day you selected, precisely at midnight (UTC).

    3. Never expire

      Select to keep your keypair active until you manually add an expiry date.

  7. Click Update.

Errors and solutions

The following error may occur while importing a certificate.

Error parsing Json object

Error message:

Error parsing Json object. Check is Json object is correct. Json parse error. Unexpected or missing a character.

Description

This error may occur in the following scenarios:

  • Certificate import failed because the entire certificate chain was uploaded during import.

  • The file type you specified during import does not match the certificate type you uploaded.

Solution

  • Root and ICA certificates should be uploaded as Trust anchor certificates.

  • Ensure that the file type you selected during the upload is the same certificate type as the one you uploaded.