Certificate profiles
Certificate profiles are mandatory and simplify certificate generation by preconfiguring values for all certificate options in DigiCert® Software Trust Manager. To implement certificate profile controls for groups of users, review our Teams feature.
Create a certificate profile
You require the Manage certificate profile permission to create a certificate profile.
Sign in to DigiCert ONE.
Select the Manager menu (top right) > Software Trust.
Navigate to: Certificates > Certificate profiles.
Select Create certificate profile.
Complete these fields:
Field | Description |
---|---|
Certificate profile alias | Select a name to uniquely identify this certificate profile. |
Enrollment method | Select CertCentral for public trust or CA Manager for private trust. |
Auto-renew | Select Yes if you want all certificates created using this certificate profile to automatically renew before they expire. Select No if you do not want any certificates created using this certificate profile to auto-renew. Select Choose during certificate generation if you are unsure or want the option to choose whether or not you want the certificate to auto-renew when you create a certificate using this certificate profile. |
Organization ID | For public trust, select the organization ID from CertCentral associated with the organization name you need listed on all certificates created using this profile. |
Issuing certificate authority | For private trust, select one of your private ICAs in DigiCert ONE CA Manager. |
Signature hash | For public trust, the signature is SHA256. |
Skip approval | For public trust, select Yes to issue the certificate immediately or No to require an admin to approve the certificate in the CertCentral portal. |
Validity | For public trust, specify if the certificate should be valid for a specified number of days, 1 year, 2 years, or 3 years. |
Certificate type | For public trust, select Code Signing or EV Code Signing. |
Organizational unit | For public trust, this is an optional field where you can add a team, division, or department name that helps you manage the certificate. |
Organization | For private trust, select the organization name that should be listed on all certificates created using this profile. |
Profile category | Select Production or Test. Note: Test certificates expire after a maximum of 30 days. |
Certificate template | For private trust, select a certificate template in your Software Trust Manager account. |
Once these fields are completed, some optional fields will become available:
Field | Description |
---|---|
Signature algorithm | Choose the signature algorithm of the identity certificate. You can choose "match_issuer," meaning it will match the algorithm of the issuing CA, or you can choose a specific algorithm. |
Organization unit | Enter an organization unit to be displayed in your certificate details. |
Validity duration unit | Can be days or years. This can be limited based on the template you use. |
Validity duration value | The number of duration units for which certificates created using this profile will be valid. For example, if you enter "days" for Validity duration unit and enter "7" for Validity duration value, certificates using this profile will be valid for 7 days. Again, this can be limited based on the template you use. |
Key usages: additional usages for RSA | Choose whether certificates using this profile can be used for digital signature, non-repudiation, or key encipherment. |
Key usages: additional usages for ECDSA | Choose whether certificates using this profile can be used for digital signature or non-repudiation. |
Key usages: additional usages | Choose whether certificates using this profile can be used for code signing or client authentication. |
Note
You can also set default values for these fields, which will determine the automatic settings for a certificate that uses the profile you create.
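An added example, not DigiCert code: a Go check that a certificate issued from a profile stays within the validity, key usages and extended key usages the profile was meant to allow. `Profile`, `Audit` and `SampleCert` are hypothetical names, and the sample certificate is a constructed self-signed one so the check runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// Profile is a hypothetical record of the limits a certificate profile should enforce.
type Profile struct {
	MaxValidity time.Duration
	KeyUsage    x509.KeyUsage             // allowed key usage bits
	ExtKeyUsage map[x509.ExtKeyUsage]bool // allowed extended key usages
}

// Audit returns one finding for each way cert goes beyond the profile.
func Audit(cert *x509.Certificate, p Profile) (out []string) {
	if d := cert.NotAfter.Sub(cert.NotBefore); d > p.MaxValidity {
		out = append(out, fmt.Sprintf("validity %s exceeds %s", d, p.MaxValidity))
	}
	if extra := cert.KeyUsage &^ p.KeyUsage; extra != 0 {
		out = append(out, fmt.Sprintf("key usage bits outside profile: %#x", int(extra)))
	}
	for _, got := range cert.ExtKeyUsage {
		if !p.ExtKeyUsage[got] {
			out = append(out, fmt.Sprintf("extended key usage outside profile: %d", got))
		}
	}
	return out
}

// SampleCert builds a constructed self-signed certificate; errors are dropped because inputs are fixed.
func SampleCert(days int, ku x509.KeyUsage, eku ...x509.ExtKeyUsage) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now().UTC().Truncate(time.Second)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: now,
		NotAfter: now.Add(time.Duration(days) * 24 * time.Hour), KeyUsage: ku, ExtKeyUsage: eku}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() { // a Test-category profile: 30 days at most, digital signature, code signing only
	p := Profile{30 * 24 * time.Hour, x509.KeyUsageDigitalSignature, map[x509.ExtKeyUsage]bool{x509.ExtKeyUsageCodeSigning: true}}
	fmt.Println(Audit(SampleCert(90, x509.KeyUsageDigitalSignature|x509.KeyUsageKeyEncipherment, x509.ExtKeyUsageClientAuth), p))
}
```

In Go's `crypto/x509`, the non-repudiation usage is named `KeyUsageContentCommitment`. To audit a real certificate, parse its DER bytes with `x509.ParseCertificate` in place of `SampleCert`.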
Identify a certificate profile ID
Sign in to DigiCert ONE.
Select the Manager menu (top right) > Software Trust.
Navigate to: Certificates > Certificate profiles.
Click the alias of the certificate profile that you want to use to generate the certificate.
Identify the Certificate profile ID field.
Enable auto-renewal
This feature helps you manage your certificates by letting the system automatically renew your certificate before your current certificate expires. This feature was recently added, which means that you may have existing certificate profiles that do not have auto-renewal enabled.
To enable auto-renewal on an existing certificate profile:
Sign in to DigiCert ONE.
Select the Manager menu (top right) > Software Trust.
Navigate to: Certificates > Certificate profiles.
Click on the certificate profile alias.
Click the edit icon.
Complete these fields:
Field | Description |
---|---|
Auto-renew | Select Yes if you want all certificates created using this certificate profile to automatically renew before they expire. Select No if you do not want any certificates created using this certificate profile to auto-renew. Select Choose during certificate generation if you are unsure or want the option to choose when you create a certificate using this certificate profile. |
Auto-renew scope | Select Apply to new certificates only if you only want the auto-renewal settings you have selected to apply to future certificates. Select Apply to new and existing certificates if you want the auto-renewal settings you have selected to apply to future certificates and all certificates you have already created using this certificate profile. |