Public trust issuance with DigiCert CertCentral

Trust Architecture Playbook: Issuance pillar

CertCentral is the primary DigiCert path for public trust issuance. Trust Lifecycle Manager links to CertCentral using a connector so teams can issue, import, and manage public DigiCert certificates within a unified lifecycle management model.

DigiCert root and intermediate CA certificates

CertCentral issues public trust certificates from DigiCert-operated CA hierarchies. DigiCert maintains a public reference page for trusted root, intermediate, and cross-signed CA certificates used across DigiCert public trust services. Use this page when you need to identify or download DigiCert public CA certificates, confirm certificate fingerprints, or review available root and intermediate certificate options:

DigiCert Trusted Root Authority Certificates

For certificates issued through CertCentral, you can also download the applicable CA certificates directly from your DigiCert account. Contact your account representative or DigiCert Support for help identifying the CA chain.
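
As an added example (not DigiCert code), the Python below shows one way to confirm fingerprints after downloading a CA bundle: it computes the SHA-256 fingerprint of each certificate in a PEM file and compares it with values copied from the reference page. The function names, the sample bundle, and the sample fingerprints are constructed placeholders, not real DigiCert values.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def normalize(fp: str) -> str:
    """Accept 'AA:BB:...', spaced, or bare hex; return lowercase hex."""
    hexstr = re.sub(r"[:\s]", "", fp).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", hexstr):
        raise ValueError(f"not a SHA-256 fingerprint: {fp!r}")
    return hexstr

def bundle_fingerprints(pem_text: str) -> list:
    """SHA-256 over the DER bytes of every certificate in a PEM bundle."""
    prints = []
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        prints.append(hashlib.sha256(der).hexdigest())
    return prints

def check_bundle(pem_text: str, published: dict) -> dict:
    """Compare a downloaded bundle with fingerprints copied from the
    reference page (published maps a label to a fingerprint string)."""
    expected = {normalize(fp): name for name, fp in published.items()}
    found = bundle_fingerprints(pem_text)
    return {
        "matched": sorted(expected[f] for f in found if f in expected),
        "unexpected": [f for f in found if f not in expected],
        "missing": sorted(n for f, n in expected.items() if f not in found),
    }

def to_pem(der: bytes) -> str:
    """Wrap raw bytes in PEM armor (used only to build the sample input)."""
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

# Constructed sample input: placeholder bytes, not real DigiCert certificates.
SAMPLE_BUNDLE = to_pem(b"constructed-intermediate") + to_pem(b"constructed-unknown")
HEX = hashlib.sha256(b"constructed-intermediate").hexdigest().upper()
SAMPLE_PUBLISHED = {
    "example-intermediate": ":".join(HEX[i:i + 2] for i in range(0, 64, 2)),
    "example-root": "00" * 32,  # placeholder for a certificate absent from the bundle
}

if __name__ == "__main__":
    print(check_bundle(SAMPLE_BUNDLE, SAMPLE_PUBLISHED))
```

An entry under "unexpected" means the bundle contains a certificate whose fingerprint was not in the list you copied, and an entry under "missing" means a certificate you expected is not in the bundle.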

CA chains for public TLS certificates

By default, CertCentral issues public TLS certificates from DigiCert-managed RSA certificate chains. These chains can issue both RSA and ECC end-entity certificates and are designed for broad compatibility across relying parties.

For organizations that require a full ECC or SHA-256 chain, or a specific root for application compatibility or policy reasons, CertCentral offers an ICA chain selection feature that enables administrators to:

  • Set the default ICA chain for each supported DV, OV, and EV product.

  • Control which ICA chains certificate requesters can select when ordering.

Custom chain selection considerations

Use ICA chain selection only when relying-party compatibility, algorithm requirements, root preference, or customer requirements justify it. Keep these constraints in mind:

  • The feature must be enabled for the CertCentral account and only applies to supported public TLS products.

  • After enabling the feature, admins can set the default ICA chain and other available ICA chains per CertCentral product.

  • Changing the default chain affects future certificate issuance, not existing certificates.

  • Requesters may see available intermediate chains during the certificate request process depending on account and role settings.

Documenting exceptions to default chains

Treat custom ICA chain selection as an exception that requires ownership. Use the default chain unless there is a clear technical, policy, compatibility, or customer requirement for a different chain.

If your organization modifies the default ICA chain for a CertCentral product, document the reason for the change. ICA chain selection can affect compatibility, relying-party trust behavior, audit expectations, and administrator assumptions about how public certificates are issued. Without internal documentation, future administrators may modify ICA chain settings without understanding the compatibility or policy dependencies they support.

Custom ICA chain documentation checklist

  • Applicable CertCentral certificate product

  • Reason for the custom ICA chain

  • Approving owner and date approved

  • Expected consumers

  • Compatibility or policy drivers

  • Rollback criteria

Connecting CertCentral to Trust Lifecycle Manager

Plan your CertCentral connector setup before creating certificate profiles for issuing public DigiCert certificates through Trust Lifecycle Manager:

  • If your organization only has a single team that issues public DigiCert certificates, you can use a single connector to both import and issue certificates from CertCentral.

  • If your organization has multiple teams that issue public certificates from CertCentral:

After adding the connector(s), create certificate profiles in Trust Lifecycle Manager for each CertCentral certificate product you will issue and manage. To help you create profiles, Trust Lifecycle Manager provides base templates for different public issuance use cases.