Skip to main content

Configure DigiCert Trust Assistant settings via GPO or Device Management solution

Administrators can use Group Policy Object (GPO) or third-party device management solutions to deliver the extra-conf.json file to the DigiCert​​®​​ Trust Assistant directory located in the user’s home directory. This file allows configuration of advanced settings beyond the defaults defined in the config.json file.

Nota

For more information about config.json, refer to Configuration details of DigiCert Trust Assistant.

extra-conf.json requirements

Configure the extra-conf.json file with the following requirements:

  • File name: extra-conf.json

  • Path: ~/.digicert-trust-assistant/extra-conf.json

    • For Windows: C:\Users\<Username>\.digicert-trust-assistant\extra-conf.json

    • For macOS: /Users/&lt;Username&gt;/.digicert-trust-assistant/extra-conf.json

  • File encoding: ASCII or UTF-8

  • Data format: JSON

  • Access control: Read-only

    Atenção

    It is important to set the file as Read-only to prevent the users from editing it.

extra-conf.json parameters

The following table describes the specific configuration parameters available for extra-conf.json.

Parameter

Description

signIn

Defines sign-in settings for profiles using DigiCert ONE Login. Refer to Sign in configuration for more details.

setting.autoUpdate & setting.blockUpdate

Used for settings related to updates through the update server, including enabling or disabling auto-update and completely blocking updates. Refer to Update settings for more details.

setting.proxySettings

Used for configuring proxy settings required for your network environment. It is required when DigiCert​​®​​ Trust Assistant cannot automatically resolve the system proxy setting by default. Refer to Proxy settings for more details.

keystores

Used for enabling and disabling keystores, editing loginSessionValidity, and adding new keystore configurations. Refer to Keystore settings for more details.

Delivering extra-conf.json via GPO

To deliver extra-conf.json to /.digicert-trust-assistant/extra-conf.json using GPO, perform the following steps:

Prerequisites

Ensure that you already have  the following:

  • A target GPO in your domain. If you do not have a GPO, create one.

  • A shared network folder containing extra-conf.json, with proper permissions for user access.

Procedure

  1. Sign in to Group Policy Management Console.

  2. Navigate to your target GPO and right-click > Edit.

  3. Navigate to User Configuration > Preferences > Windows Settings > Files.

  4. Right-click in the right pane and select New > File.

  5. Configure the following properties:

    • Action: Select Update.

    • Source File: Specify the location of the extra-conf.json (for example, \\servername\foldername\extra-conf.json)

    • Destination Folder: Specify %USERPROFILE%\.digicert-trust-assistant\extra-conf.json

    • Attributes: Select Read-only

  6. Select OK to finish.

For more details, refer to Microsoft documentation. For third-party Device Management solution, refer to vendor documentation to create and provision this file in the user’s directory.

Update settings

Configure DigiCert​​®​​ Trust Assistantsettings related to updates through update server, including enabling or disabling auto-update and completely blocking updates.

Use the following template:

{
  "setting": {
    "autoUpdate": true,
    "blockUpdate": false
  }
}

Description of each configuration parameter:

  • autoUpdate: This setting controls whether DigiCert​​®​​ Trust Assistant should automatically check for updates. Set to true to enable auto-update and false to disable auto-update. When this value is set, it will lock the configuration to prevent user configuration.

  • blockUpdate: This setting controls whether to block any updates through the DigiCert update server. Setting this value to true blocks any updates through update server. Even if autoUpdate is set to true, update will be blocked, taking precedence.

Proxy settings

Configure proxy settings required for your network environment using extra-conf.json. This is necessary if DigiCert Trust Assistant cannot automatically resolve the system proxy settings by default. For example, DigiCert Trust Assistant cannot retrieve authentication information, such as the username and password, because this information is concealed within the operating system.

Nota

Since it is not realistic to create extra-conf.json for each user, delivering authentication information is limited to the one that is shareable for all users.

To obtain proxy settings for extra-conf.json, you can use Settings UI to generate the configuration.

  1. Configure Proxy settings in DigiCert Trust Assistant UI. Refer to Settings for details.

  2. Select Export proxy settings at the bottom of the Settings page to generate the extra-conf.json file based on the current configured values.

  3. Save the file to your desired location.

The following shows the JSON composition of the proxy settings.

{
  "setting": {
    "proxySettings": {
      "type": "",          // Possible values: "system" (system proxy) / "custom" (custom proxy configuration)
      "authInfo": {
        "type": "",        // Possible values: "none" (no authentication) / "basic" (basic authentication)
        "userName": "",    // Proxy authentication username (if applicable)
        "password": "",    // Proxy password (encrypted by DigiCert Trust Assistant if using "basic" auth)
        "passKey": ""      // Passkey used for decryption, along with other parameters in DigiCert Trust Assistant
      },
      "customProxy": {
        "type": "",        // Possible values: "http" / "https" / "pac" (for PAC file configuration)
        "server": "",      // The address of the proxy server (e.g., "proxy.example.com","10.100.100.1")
        "port": "",        // The port number the proxy server listens on (e.g., "3128")
        "pacFileURL": ""   // URL to the PAC file if using "pac"
      }
    }
  }
}

Keystore settings

The extra-conf.json file allows administrators to configure DigiCert Trust Assistant keystore settings, where it can:

  • Enable or disable specific keystores

  • Define login session validity for each keystore

  • Add new custom keystores

This flexibility allows you to manage keystore configurations to your security and operational needs.

{
  "keystores": [
    {
      "id": "WINOS",
      "enable": false,  // Set to false to disable this KeyStore
      "loginSessionValidity": 0  // Always 0 for OS KeyStores
    },
    {
      "id": "NEWKEYSTORE",
      "enable": true,  // Enable the new KeyStore
      "icon": "SoftHSM",  // Icon displayed in the UI (SoftHSM, Desktop, HardHSM, CloudHSM)
      "type": "SWToken",  // Type of keystore (e.g., HWToken, Platform ,SWToken,)
      "removable": true,  // True if the keystore can be removed
      "friendlyName": "My New KeyStore",  // User-friendly display name
      "path": "mynewkeystore",  // Path identifier for the keystore
      "name": "My New KeyStore",  // Internal keystore name
      "readWrite": true,  // True to allow read/write operations
      "loginSessionValidity": 300,  // Session validity in seconds (ignored for OS keystores)
      "driver": {
        "win": "C:\\Program Files\\mynewkeystore\\libmynewkey.dll",  // Windows driver path
        "osx": "/usr/local/lib/libmynewkey.dylib",  // macOS driver path
        "lin": "/usr/local/lib/libmynewkey.so"  // Linux driver path
      }
    }
  ]
}
Nesta secção:
© 2025 DigiCert, Inc.
data de publicação: