Create the autoenrollment certificate profile
Once you have configured API access and prepared the configuration utility, you need to create a certificate profile for Autoenrollment Server to use.
Important: Your administrator account needs at least the Certificate profile manager user role to create certificate profiles.
Create a certificate profile
Sign into DigiCert ONE and navigate to DigiCert® Trust Lifecycle Manager.
Select Policies > Certificate profiles from the main menu.
Select Create profile from template.
Select the certificate template for the type of certificate you need.
Under the General information section, enter the profile Nickname and choose the Business Unit and issuing CA.
From the Enrollment method dropdown, select Microsoft Autoenrollment.
Note: When Microsoft Autoenrollment is selected as the enrollment method, the Authentication method defaults to Active Directory.
Select the desired Enrollment mode radio button:
Silent — Certificate enrollment is fully automatic and is not visible to the user
Inform user — Windows prompts the user to initiate a certificate enrollment
Select the keystore provider option that controls which cryptographic provider the client may use to generate keys for requests. The available options are:
Requests can use any provider available on the subject's computer: Select this if the CSR and keys may be generated with any provider installed on the subject's computer.
Requests must use one of the following providers: Select this if the CSR and keys must be generated with one of the providers you specify, tried in the priority order you set.
Select providers: This option appears only when Requests must use one of the following providers is selected. Choose the providers from the dropdown list.
Note: The Microsoft Platform Crypto Provider gives access to the machine's Trusted Platform Module (TPM) 2.0, so that user and device keys are generated and held inside the TPM rather than in software.
Select the Allow private key to be exported checkbox under Other options if you want users to be able to export their certificates together with the private keys. Leave it cleared unless you have a specific need: an exportable key can be copied off the device, which removes the assurance that the certificate identifies that particular machine or user.
Note: Allow private key to be exported is not supported if Microsoft Platform Crypto Provider is selected, because TPM-resident keys cannot be exported.
Check Publish certificate to Active Directory to allow issued certificates to be published to your Active Directory. When you enable this option, you need to assign a special permission to the Autoenrollment Server to allow certificate publishing. Refer to "Allow Publishing to Active Directory" for more details.
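Before requiring the Microsoft Platform Crypto Provider in a profile, it is worth confirming that the clients can actually satisfy it. The following script is an added example, not part of the DigiCert documentation: run in an elevated PowerShell session on a domain-joined client, it checks that a TPM is present and ready, that the key storage provider is registered, and that a non-exportable RSA key can really be created in it (using a throwaway key that is deleted immediately). The key name and 2048-bit length are arbitrary choices for the test.

```powershell
# Added pre-flight check (not from the DigiCert documentation).
# Run elevated on a client that will receive the autoenrollment policy.

$ProviderName = 'Microsoft Platform Crypto Provider'

# 1. TPM present and provisioned? Get-Tpm is in the built-in
#    TrustedPlatformModule module (Windows 8 / Server 2012 and later).
$tpm = Get-Tpm
if (-not $tpm.TpmPresent) {
    Write-Warning 'No TPM detected; a profile that requires the Platform Crypto Provider will fail here.'
} elseif (-not $tpm.TpmReady) {
    Write-Warning 'TPM present but not ready; provision it (e.g. Initialize-Tpm) before enrolling.'
} else {
    Write-Host "TPM present and ready (manufacturer version $($tpm.ManufacturerVersion))."
}

# 2. Is the KSP registered? certutil -csplist enumerates every CSP and KSP.
$csplist = certutil -csplist 2>&1 | Out-String
if ($csplist -match [regex]::Escape($ProviderName)) {
    Write-Host "$ProviderName is registered."
} else {
    Write-Warning "$ProviderName is not registered on this machine."
}

# 3. Can the KSP create a key? Create a throwaway, non-exportable machine key
#    in the TPM and delete it again. The export policy 'None' mirrors what an
#    autoenrollment profile without 'Allow private key to be exported' produces.
$keyName = "tlm-preflight-$([guid]::NewGuid())"        # arbitrary test key name
$params  = New-Object System.Security.Cryptography.CngKeyCreationParameters
$params.Provider           = [System.Security.Cryptography.CngProvider]::new($ProviderName)
$params.ExportPolicy       = [System.Security.Cryptography.CngExportPolicies]::None
$params.KeyCreationOptions = [System.Security.Cryptography.CngKeyCreationOptions]::MachineKey
# NCRYPT_LENGTH_PROPERTY ("Length") is a 4-byte little-endian integer.
$params.Parameters.Add(
    [System.Security.Cryptography.CngProperty]::new('Length', [BitConverter]::GetBytes(2048), 'None'))

try {
    $key = [System.Security.Cryptography.CngKey]::Create(
        [System.Security.Cryptography.CngAlgorithm]::Rsa, $keyName, $params)
    Write-Host "Test key created in '$($key.Provider.Provider)'; export policy = $($key.ExportPolicy)."
    $key.Delete()   # remove the throwaway key from the TPM
} catch {
    Write-Warning "Key creation in '$ProviderName' failed: $($_.Exception.Message)"
}
```

If step 3 fails while steps 1 and 2 pass, the usual causes are an unprovisioned TPM or a TPM 1.2 device, which the Platform Crypto Provider does not support for this purpose; fix that on the client rather than loosening the profile to "any provider".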
Select Next.
Under Certificate fields, select the validity period unit (Years, Months, or Days) and enter the value in the textbox.
Note: You cannot issue an end entity certificate with a validity period longer than the remaining validity of the issuing CA. The issuing CA expiration date is shown as a reference in this section.
Select the Algorithm from the available algorithms in the dropdown list. Available algorithms are based on the issuing CA selected for the profile.

Select the Key type and attribute from the dropdown lists.
Note: Support for larger key sizes and curves depends on the Trusted Platform Module vendor and version; verify a given key type on representative hardware before requiring it in the profile.
Select the Allow duplicate certificates checkbox if multiple certificates are to be issued for the same seat ID.
Under Renewal options, select the Renewal window from the dropdown list. The default (recommended) value is 30 days.
Select Subject DN and SAN fields from the dropdown list. Select as many fields as required for your certificates, then select Add fields.

For each selected field, the Source for the field's value dropdown list on the right defaults to Active Directory attribute, which is currently the only supported source for autoenrollment certificate profiles.
Note: Some Subject DN fields, such as Organization units, allow multiple values. Select Add and specify the source and Active Directory attribute for each additional entry.
Specify which certificate fields are mandatory using the Required checkbox.

Select the Multiple checkbox when the mapped Active Directory attribute is multi-valued, so that every value of the attribute is included.
The SAN fields also allow multiple values each. Select the Add link and specify the source and value for each additional entry. This applies to the RFC822 Name (Email), Other Name (UPN) and Other Name (Custom) fields.
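Because Active Directory attribute is the only value source, a field can only be populated if the attribute is actually set on the account being enrolled; a field you mark Required therefore needs a value on every user or device in scope. The following script is an added example, not part of the DigiCert documentation, that reports accounts with empty mapped attributes before you roll the profile out. It assumes the ActiveDirectory RSAT module is installed; the group name and attribute list are placeholders to replace with your own mapping.

```powershell
# Added pre-rollout check (not from the DigiCert documentation).
# Lists accounts in the enrollment scope whose mapped AD attributes are empty.

Import-Module ActiveDirectory

$Scope      = 'AutoEnroll-Users'                        # placeholder: group that receives the policy
$Attributes = 'mail', 'userPrincipalName', 'department' # placeholder: attributes mapped in the profile
# Example mapping this assumes:
#   RFC822 Name (Email)  <- mail
#   Other Name (UPN)     <- userPrincipalName
#   Organization units   <- department

$members = Get-ADGroupMember -Identity $Scope -Recursive |
    Where-Object objectClass -eq 'user'

$report = foreach ($m in $members) {
    $u = Get-ADUser -Identity $m.DistinguishedName -Properties $Attributes
    # An attribute that is absent or whitespace cannot populate a certificate field.
    $missing = $Attributes | Where-Object { [string]::IsNullOrWhiteSpace($u.$_) }
    if ($missing) {
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Missing        = $missing -join ', '
        }
    }
}

if ($report) {
    Write-Warning "$(@($report).Count) of $(@($members).Count) accounts have empty mapped attributes:"
    $report | Format-Table -AutoSize
} else {
    Write-Host "All $(@($members).Count) accounts have values for: $($Attributes -join ', ')"
}
```

For device certificates, run the same check with Get-ADComputer against the computer group and the attributes you map (typically dNSHostName and servicePrincipalName).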

Specify the Key usage (KU) extension criticality and values. Note that the KU options shown differ depending on the certificate template being used.

Specify the Extended key usage (EKU) extension criticality and values. Note that the EKU options shown differ depending on the certificate template being used.

Under Certificate delivery format, select the certificate format to use and chain certificates to include when certificates are issued.
Under Email configuration & notifications, specify the template to be used for certificate revocation notification emails.
Under Administrative contact, specify whether to include default or custom administrative contact details in certificate notification emails. Note that including internal support contact details for end users is optional but recommended.
Under Seat ID Mapping, select the certificate field to be used as the seat ID. This uniquely identifies each enrollment entity, for licensing purposes.
Under Service User binding, select the Service user whose API token is bound to the certificate profile. Binding the profile to the service user used by the Autoenrollment Server limits management of the profile to that token; if no Service user is selected, every API token in the account can manage this profile.
Select Create. Your newly created certificate profile is now displayed in the certificate profiles list.
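Once the profile exists and the policy has reached a client, check what was actually issued rather than trusting the profile settings alone. The following script is an added example, not part of the DigiCert documentation: it triggers autoenrollment, finds certificates from your issuing CA in the user store, and prints for each one the provider that holds the private key, whether the key is exportable, and the KU, EKU and SAN extensions with their criticality. The issuer string is a placeholder; use the LocalMachine store (and `certutil -pulse` without `-user`) for device certificates.

```powershell
# Added post-enrollment verification (not from the DigiCert documentation).
# Run as the enrolled user on a client that has received the policy.

$IssuerMatch = 'CN=Example Issuing CA'   # placeholder: part of your issuing CA's subject
$Store       = 'Cert:\CurrentUser\My'    # Cert:\LocalMachine\My for device certificates

# Trigger autoenrollment now instead of waiting for the next policy refresh.
certutil -user -pulse | Out-Null

$certs = Get-ChildItem $Store | Where-Object { $_.Issuer -like "*$IssuerMatch*" }
if (-not $certs) { Write-Warning "No certificate from '$IssuerMatch' in $Store"; return }

foreach ($cert in $certs) {
    Write-Host "`n== $($cert.Subject)  [$($cert.Thumbprint)]"
    Write-Host "   Valid $($cert.NotBefore.ToShortDateString()) to $($cert.NotAfter.ToShortDateString())"

    if (-not $cert.HasPrivateKey) { Write-Warning '   No private key associated with this certificate'; continue }

    # Which provider holds the key, and is it exportable? Handles RSA and ECDSA keys.
    $priv = if ($cert.PublicKey.Oid.FriendlyName -eq 'RSA') {
        [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    } else {
        [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert)
    }
    if ($priv -is [System.Security.Cryptography.RSACng] -or $priv -is [System.Security.Cryptography.ECDsaCng]) {
        Write-Host "   Provider : $($priv.Key.Provider.Provider)"
        Write-Host "   Export   : $($priv.Key.ExportPolicy)"   # 'None' means the key cannot be exported
    } else {
        # A legacy CSP key is never TPM-backed.
        Write-Host "   Provider : legacy CSP key ($($priv.GetType().Name))"
    }

    # Extensions as configured in the profile: KU, EKU and SAN with criticality.
    foreach ($ext in $cert.Extensions) {
        switch ($ext) {
            { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] } {
                Write-Host "   KU  (critical=$($_.Critical)): $($_.KeyUsages)"
            }
            { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } {
                $ekus = ($_.EnhancedKeyUsages | ForEach-Object FriendlyName) -join ', '
                Write-Host "   EKU (critical=$($_.Critical)): $ekus"
            }
            { $_.Oid.Value -eq '2.5.29.17' } {   # subjectAltName
                Write-Host "   SAN (critical=$($_.Critical)): $($_.Format($false))"
            }
        }
    }
}
```

For a profile that requires the Microsoft Platform Crypto Provider with export disabled, the expected output is that provider name and an export policy of None; a different provider or an AllowExport policy means the client fell back to another provider or the profile was not applied as intended.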