Skip to main content

Certificate profiles

Certificate profiles are mandatory and simplify certificate generation by preconfiguring values for all certificate options in DigiCert​​®​​ Software Trust Manager.

Note

To implement certificate profile controls for groups of users, review our Teams feature.

Create a certificate profile

Note

To perform this action, you must have a user role that contains the Manage certificate profile permission.

  1. In the Software Trust menu, go to Certificates > Certificate profiles.

  2. Select Create certificate profile.

  3. Complete the missing fields.

    • Review the following table to understand how to complete these fields.

    • Based on your Enrollment method and Auto-renew selections, extra fields may appear (or be removed).

  4. Select Create certificate profile.

Field

Description

Certificate profile alias

Enter a descriptive name to identify this certificate profile.

Enrollment method

Select CertCentral for public trust or CA Manager for private trust.

Auto-renew

Select Yes if you want all certificates created using this certificate profile to automatically renew before they expire.

Select No if you don't want any certificates created using this certificate profile to auto-renew.

Select Choose during certificate generation if you are unsure about auto-renewing. This option lets you decide during creation whether the certificate should auto-renew when using this profile.

Organization ID

For public trust, select the organization ID from CertCentral associated with the organization name you need listed on all certificates created using this profile.

Issuing certificate authority

For private trust, select one of your private ICAs in DigiCert ONE CA Manager.

Signature hash

For public trust, the default signature is SHA256.

Skip approval

For public trust, select Yes to issue the certificate immediately or No to require an admin to approve the certificate in the CertCentral portal.

Validity

For public trust, specify if the certificate should be valid for a specified number of days, 1 year, 2 years, or 3 years.

Certificate type

For public trust, select Code Signing or EV Code Signing.

Organizational unit

For public trust, this is an optional field where you can add a team, division, or department name that helps you manage the certificate.

Organization

For private trust, select the organization name that should be listed on all certificates created using this profile.

Profile category

Select Production or Test.

Note

Test certificates expire after a maximum of 30 days.

Certificate template

For private trust, select a certificate template in your Software Trust account.

Once these fields are completed, some optional fields will become available:

Field

Description

Signature algorithm

Choose the signature algorithm of the identity certificate. You can choose "match_issuer," meaning it will match the algorithm of the issuing CA, or you can choose a specific algorithm.

Common name

You can define a Common name (CN) in this field, or if left blank, by default your CN will be extracted from your CSR. Learn more about configuring your Common name.

Organization unit

Select an organization unit to be displayed in your certificate details.

Validity duration unit

Can be days or years. This can be limited based on the template you use.

Validity duration value

The number of duration units the certificates created using this profile will be valid. For example, if you enter "days" for Validity duration units and enter "7" for Validity duration value, certificates using this profile will be valid for 7 days. Again, this can be limited based on the template you use.

Key usages: additional usages for RSA

Choose whether certificates using this profile can be used for digital signature, non-repudiation, or key encipherment.

Key usages: additional usages for ECDSA

Choose whether certificates using this profile can be used for digital signature or non-repudiation.

Key usages: additional usages

Choose whether certificates using this profile can be used for code signing or client authentication.

Note

You can also set default values for these fields, which will determine the automatic settings for a certificate that uses the profile you create.

Identify a certificate profile ID

  1. In the Software Trust menu, go to Certificates > Certificate profiles.

  2. Select the desired certificate profile alias.

  3. In the top menu, review the Certificate profile ID field.

Enable auto-renewal for certificates

This option allows you to manage your certificates more efficiently by automatically renewing them before they expire.

  1. In the Software Trust menu, go to Certificates > Certificate profiles.

  2. Select the desired certificate profile.

  3. Select the edit (blue_edit_pencil_icon.png) icon.

  4. Complete the following fields:

Field

Description

Auto-renew

Select Yes if you want all certificates created using this certificate profile to automatically renew before they expire.

Select No if you don't want any certificates created using this certificate profile to auto-renew.

Select Choose during certificate generation if you're unsure or want the option to choose when you create a certificate using this certificate profile.

Auto-renew scope

Select Apply to new certificates only to apply your selected auto-renewal settings to future certificates.

Select Apply to new and existing certificates to apply your selected auto-renewal settings to future certificates and all existing certificates created with this profile.

Configure a Common Name (CN) in your certificate profile

A certificate profile is dependent on a certificate template that defines which values are present and editable. When creating or editing a certificate profile, the Common Name (CN) configuration depends on the how the allowed_source parameter is defined in the associated certificate template.

The following scenarios outline where your CN will be sourced from based on your certificate template and certificate profile configuration.

Scenario 1: CSR only

Your certificate's CN will match the CN present in your CSR, if your certificate template and certificate profile are configured as follows:

Certificate template:

{
  "type": "common_name",
  "include": "optional",
  "allowed_source": ["csr"]
}

Certificate profile:

{
  "key": "subject.common_name",
  "optional": true,
  "sources": ["csr"],
  "value": "",
  "enabled": true
}

Behavior:

  • The value field should be left empty in your certificate profile.

  • The CN will be extracted from the CSR during certificate issuance.

  • If the CSR does not contain a CN and the field is required (include: "yes"), certificate issuance will fail.

Scenario 2: Fixed value only

Your certificate's CN will match the CN you provided in your certificate profile, if your certificate template and certificate profile are configured as follows:

Certificate template configuration:

{
  "type": "common_name",
  "include": "optional",
  "allowed_source": ["fixed_value"]
}

Certificate profile configuration:

{
  "key": "subject.common_name",
  "optional": false,
  "sources": ["fixed_value"],
  "value": "MyApplication.exe",
  "enabled": true
}

Behavior:

  • The value field must contain a CN.

  • Example CN values: "MyApplication.exe", "company-product", "*.example.com".

  • This CN will be used for all certificates issued with this certificate profile.

  • The CN from the CSR will be ignored.

Scenario 3: CSR and fixed value

You can switch between using the CN present in your CSR or using the CN you provided in your certificate profile, if your certificate template is configured as follows:

Certificate template:

{
  "type": "common_name",
  "include": "optional",
  "allowed_source": ["csr", "fixed_value"]
}

Certificate profile (using fixed value):

Your certificate's CN will match the CN you provided in your certificate profile, if your certificate profile is configured as follows:

{
  "key": "subject.common_name",
  "optional": false,
  "sources": ["fixed_value"],
  "value": "MyApplication.exe",
  "enabled": true
}

Certificate profile configuration (using CSR):

Your certificate's CN will match the CN present in your CSR, if your certificate profile is configured as follows:

{
  "key": "subject.common_name",
  "optional": true,
  "sources": ["csr"],
  "value": "",
  "enabled": true
}

Behavior:

  • Priority logic

    The CN provided in your certificate profile is used, if:

    • sources contains "fixed_value" in your certificate template, and

    • a CN value is provided in your certificate profile.

  • Fallback

    If no fixed value is provided in your certificate profile, the CN from the CSR is used.

Common Name field guidelines

For a certificate with a CN matches the CN in the CSR:

  • Leave the Common Name field blank or enter an empty string.

    Note

    The field may be grayed out or show a placeholder like "From CSR".

  • During certificate issuance, submit a CSR with the CN in the subject field.

For a certificate with a CN that matches the CN provided in the associated certificate profile:

  • Enter the exact CN you want in the Common Name field. This CN is used for all certificates issued using this certificate profile.

  • Common examples:

    • Application names: MyApp.exe, Installer.msi

    • Domain names: example.com, *.example.com

    • Service identifiers: api.service.internal

  • The CN you enter will be used for all certificates issued with this profile.

Certificate template allowed sources

Certificate profile sources setting

Common name in certificate profile

Behavior

["csr"]

["csr"]

Leave empty ("").

Certificate's CN matches CN in CSR.

["fixed_value"]

["fixed_value"]

Enter the desired CN.

Certificate's CN matches CN provided in certificate profile.

["csr","fixed_value"]

["csr"]

Leave empty ("").

Certificate's CN matches CN in CSR.

["csr","fixed_value"]

["fixed_value"]

Enter the desired CN.

Certificate's CN matches CN provided in certificate profile.

Configure custom extensions in your certificate profile

A certificate profile is dependent on a certificate template that defines which values are present and editable. When creating or editing a certificate profile, you'll see an additional Add custom extensions button, if custom_extensions_enabled parameter is defined as true in the associated certificate template.

The custom field in the profile's extensions object should contain an array of custom extension objects.

Add custom extensions

  1. In the Software Trust menu, go to Certificates > Certificate profiles.

  2. Select Create certificate profile.

  3. Complete the missing fields.

    • Review the following table to understand how to complete these fields.

    • Based on your Enrollment method and Auto-renew selections, extra fields may appear (or be removed).

  4. Select Add custom extensions.

    Tip

    If this button is not available to you, contact Technical support to update your associated certificate template.

  5. Enter a maximum of 5 custom extensions in JSON format.

    For more information, refer to Profile request body structure.

  6. Select Create certificate profile.

Profile request body structure

This is an example of a certificate profile request body with custom extensions:

{
  "ca_certificate_profile_request": {
    "body": [],
    "custom": [
      {
        "oid": "1.3.6.1.4.1.55555.1.1",
        "critical": false,
        "template": {
          "type": "UTF8String",
          "value": "Static UTF8 literal"
        }
      },
      {
        "oid": "1.3.6.1.4.1.55555.1.2",
        "critical": true,
        "template": {
          "type": "UTF8String",
          "value": "Provided optional UTF8 value"
        }
      }
    ],
    "certificate_template_id": "3aa97bdb-bcb9-4b42-92b6-39ad85de2a35",
    "organization": {
      "id": "09f8e4a9-c739-4150-a87f-51d041a05948"
    },
    "ica_id": "FA82C7D7316EA3F2547ED6166F295EF3",
    "profile": "PRODUCTION"
  },
  "profile_type": "CA_PROFILE",
  "account": {
    "id": "06ef4889-f2c7-4b28-9789-dba19355dccf"
  },
  "name": "cert_profile_final_014",
  "auto_renewal": "ENABLED",
  "apply_renewal_option_for_existing_cert": false,
  "rekey": "DISABLED"
}

Custom extension parameters

Each object in the custom array defines one custom extension and has the following parameters:

Parameter

Type

Description

oid

String

Required: The Object Identifier (OID) for the extension. It must be a unique, dot-separated string of numbers (e.g., 1.2.3.4).

critical

Boolean

Required: A flag indicating whether the extension is critical. true means the extension is critical, false means it is not.

template

Object

Required: An object that defines the structure and value of the extension. It contains type and value fields.

values_name

String

Optional: A name to group variables for this extension. This is required if the template.value is a template variable (e.g., ${user_id}). It is used to map the variable to a value during certificate issuance. Must be a valid identifier (alphanumeric characters and underscores, starting with a letter or underscore).

The template.type field

The type field specifies the ASN.1 data type of the extension using the format:

[[CLASS] TAG] [MODE] TYPE [OPTIONAL]

Important

CLASS and TAG must be inside the same square brackets when both are present.

  • [CLASS TAG] (Optional)

    • Specifies the ASN.1 class and tag number together in square brackets.

    • Context-Specific (default when TAG is specified without CLASS): [0], [1], [2], etc.

    • APPLICATION class: [APPLICATION 0], [APPLICATION 1], etc.

    • UNIVERSAL class: No tag specified (default)

  • MODE (Optional)

    • Specifies the tagging mode.

    • Supported values: IMPLICIT (default), EXPLICIT.

  • TYPE (Required)

    • The core ASN.1 data type (case-sensitive). See the table below for supported types.

  • OPTIONAL (Optional)

    • A keyword that marks the extension as optional. If an extension is marked as optional and its value is a template variable, it does not need to be provided during certificate issuance.

ASN.1 tagging examples

ASN.1 Notation

Tag Class

Tag No.

Mode

Description

PrintableString

UNIVERSAL

Default

Not applicable

Uses the default UNIVERSAL tag assigned to PrintableString.

[0] PrintableString

Context-Specific

0

IMPLICIT

Replaces the UNIVERSAL tag with Context-Specific tag 0.

[0] EXPLICIT UTF8String

Context-Specific

0

EXPLICIT

Wraps UTF8String in an additional Context-Specific tag 0preserving the original UNIVERSAL tag.

[APPLICATION 0] EXPLICIT INTEGER

APPLICATION

0

EXPLICIT

Encodes an INTEGER wrapped in an APPLICATION-specific tag.

[PRIVATE 5] IMPLICIT AutoString

PRIVATE

5

IMPLICIT

Uses a PRIVATE tag that replaces the original tag of AutoString.

[1] INTEGER OPTIONAL

Context-Specific

1

IMPLICIT

Optional INTEGER field identified by Context-Specific tag 1.

The template.value field

The value field can be either a literal value or a template variable.

  • Literal value

    • A fixed value that will be encoded directly into the extension. The value's data type in the JSON (e.g., String, Number, Boolean) should be compatible with the specified TYPE.

  • Template variable

    • A placeholder that will be replaced with a value provided during certificate issuance.

    • Format: ${variable_name}

    • The variable_name must be a valid identifier (alphanumeric characters and underscores, starting with a letter or underscore).

    • If you use a template variable, you must also provide the values_name parameter for the extension.

Supported ASN.1 data types and value formats

JSON

Type

Description

AutoString

String

Encoded automatically as PrintableString or UTF8String depending on content.

AutoTime

String

Date/time string; prefer ISO-8601 format (e.g., 2025-11- 26T12:34:56Z). Encodes as UTCTime or GeneralizedTime.

BIT STRING

String

Binary data as Base64 (e.g., AQIDBA==) or HEX (e.g., DEADBEEF). Optional bit count: value|[24].

BOOLEAN

Boolean or String

true or false as JSON boolean, or "TRUE" or "FALSE" as string.

IA5String

String

ASCII-only characters (International Alphabet 5).

INTEGER

Number or String

Whole number (unquoted), e.g., 12345, or as string "12345". Supports negative values.

NULL

Any

Value is ignored; null or empty string acceptable.

NumericString

String

Digits and spaces only (0-9, space).

OBJECT IDENTIFIER

String

OID format (e.g., 1.2.840.113549.1.1.1).

OCTET STRING

String

Binary data as Base64 (e.g., ZXhhbXBsZQ==) or HEX (e.g., DEADBEEF).

PrintableString

String

Printable character set (A–Z, a–z, 0–9, space, and '( ) + , - . / : = ?).

UTF8String

String

UTF-8 encoded text, supports Unicode characters.

Important

  • Type names are case-sensitive: Use PrintableString, not printablestring.

  • Multi-word types require exact spacing: BIT STRING, OCTET STRING, OBJECT IDENTIFIER.

  • BIT STRING format: Can include optional bit count as "base64value|[24]" or just "base64value".

Issue certificates with custom extensions

When you issue a certificate using a profile that contains custom extensions with template variables, you must provide the values for those variables in the issuance request. This is done using the custom_values field.

Issuance request body structure

The custom_values field is a map where the keys are the values_name identifiers from the profile, and the values are maps of variable names to their actual values.

This an example of an issuance request:

{
  "profile_id": "profile-with-custom-extensions",
  "common_name": "example.com",
  "custom_values": {
    "user_info": {
      "user_id": 12345
    }
  }
}

Explanation

By following this guide, you can effectively leverage the custom extensions feature to create highly customized certificates that meet your specific needs.

  • The custom_values object contains a key user_info, which matches the values_name in the certificate profile.

  • The value for user_info is another object that maps the variable user_id (from ${user_id} in the profile) to the integer value 12345.

  • The value provided (12345) must be compatible with the TYPE defined in the profile for that extension (INTEGER in this case).

  • Extensions with literal values require no input in the issuance request.

  • If an extension is marked as OPTIONAL in the certificate profile, you are not required to provide a value for its template variable. If you do not provide a value, the extension will be omitted from the certificate.

Examples of custom extensions

Only Optional (templated value, can be omitted at issuance)

Certificate profile

{
  "name": "Profile - Only Optional",
  "certificate_authority_id": "ca-12345",
  "extensions": {
    "custom": [
      {
        "oid": "1.3.6.1.4.1.12345.10.1",
        "critical": false,
        "template": {
          "type": "UTF8String OPTIONAL",
          "value": "${optional_note}"
        },
        "values_name": "opt_group"
      }
    ]
  }
}

Issuance (provide value)

{
  "profile_id": "profile-only-optional",
  "common_name": "opt.example.com",
  "custom_values": {
    "opt_group": {
      "optional_note": "This may be omitted"
    }
  }
}

Issuance (omit value → extension omitted)

{
  "profile_id": "profile-only-optional",
  "common_name": "opt-no-ext.example.com"
}
Optional with static literal

Certificate profile

{
  "name": "Profile - Optional Static Default",
  "certificate_authority_id": "ca-12345",
  "extensions": {
    "custom": [
      {
        "oid": "1.3.6.1.4.1.12345.10.2",
        "critical": false,
        "template": {
          "type": "PrintableString OPTIONAL",
          "value": "Default-Note"
        }
      }
    ]
  }
}

Issuance (no custom values needed)

{
  "profile_id": "profile-optional-static-default",
  "common_name": "opt-static.example.com"
}
Context-Specific Tag 1 with INTEGER (templated)

Certificate profile

{
  "name": "Profile - Context Tag 1 INTEGER",
  "certificate_authority_id": "ca-12345",
  "extensions": {
    "custom": [
      {
        "oid": "1.3.6.1.4.1.12345.10.3",
        "critical": true,
        "template": {
          "type": "[1] INTEGER",
          "value": "${employee_id}"
        },
        "values_name": "hr_values"
      }
    ]
  }
}

Issuance

{
  "profile_id": "profile-context-1-integer",
  "common_name": "emp.example.com",
  "custom_values": {
    "hr_values": {
      "employee_id": 987654
    }
  }
}
EXPLICIT IA5String with Context-Specific Tag

Certificate profile

{
  "name": "Profile - EXPLICIT IA5String",
  "certificate_authority_id": "ca-12345",
  "extensions": {
    "custom": [
      {
        "oid": "1.3.6.1.4.1.12345.10.4",
        "critical": false,
        "template": {
          "type": "[2] EXPLICIT IA5String",
          "value": "${ascii_code}"
        },
        "values_name": "ascii_group"
      }
    ]
  }
}

Issuance

{
  "profile_id": "profile-explicit-ia5",
  "common_name": "ascii.example.com",
  "custom_values": {
    "ascii_group": {
      "ascii_code": "ENG-001"
    }
  }
}
BOOLEAN flag (templated)

Certificate profile

{
  "name": "Profile - BOOLEAN Flag",
  "certificate_authority_id": "ca-12345",
  "extensions": {
    "custom": [
      {
        "oid": "1.3.6.1.4.1.12345.10.5",
        "critical": false,
        "template": {
          "type": "BOOLEAN",
          "value": "${enabled}"
        },
        "values_name": "feature_flags"
      }
    ]
  }
}

Issuance

{
  "profile_id": "profile-boolean-flag",
  "common_name": "feature.example.com",
  "custom_values": {
    "feature_flags": {
      "enabled": true
    }
  }
}
OBJECT IDENTIFIER (literal)

Certificate profile

{
  "name": "Profile - OBJECT IDENTIFIER",
  "certificate_authority_id": "ca-12345",
  "extensions": {
    "custom": [
      {
        "oid": "1.3.6.1.4.1.12345.10.6",
        "critical": false,
        "template": {
          "type": "OBJECT IDENTIFIER",
          "value": "1.3.6.1.4.1.99999.1"
        }
      }
    ]
  }
}

Issuance

{
  "profile_id": "profile-oid-literal",
  "common_name": "oid.example.com"
}
OCTET STRING (hex literal)

Certificate profile

{
  "name": "Profile - OCTET STRING Hex",
  "certificate_authority_id": "ca-12345",
  "extensions": {
    "custom": [
      {
        "oid": "1.3.6.1.4.1.12345.10.7",
        "critical": true,
        "template": {
          "type": "OCTET STRING",
          "value": "DEADBEEFCAFEBABE"
        }
      }
    ]
  }
}

Issuance

{
  "profile_id": "profile-octet-hex",
  "common_name": "hex.example.com"
}
Grouped variables under one values_name

Certificate profile

{
  "name": "Profile - Grouped Variables",
  "certificate_authority_id": "ca-12345",
  "extensions": {
    "custom": [
      {
        "oid": "1.3.6.1.4.1.12345.10.8",
        "critical": false,
        "template": {
          "type": "UTF8String",
          "value": "${department}"
        },
        "values_name": "org_info"
      },
      {
        "oid": "1.3.6.1.4.1.12345.10.9",
        "critical": false,
        "template": {
          "type": "UTF8String",
          "value": "${cost_center}"
        },
        "values_name": "org_info"
      }
    ]
  }
}

Issuance

{
  "profile_id": "profile-grouped-variables",
  "common_name": "org.example.com",
  "custom_values": {
    "org_info": {
      "department": "Engineering",
      "cost_center": "R&D"
    }
  }
}
APPLICATION Class

Certificate profile

{
  "name": "Profile - APPLICATION Class",
  "certificate_authority_id": "ca-12345",
  "extensions": {
    "custom": [
      {
        "oid": "1.3.6.1.4.1.12345.10.10",
        "critical": false,
        "template": {
          "type": "[APPLICATION 0] EXPLICIT UTF8String",
          "value": "${app_name}"
        },
        "values_name": "app_data"
      }
    ]
  }
}

Issuance

{
  "profile_id": "profile-application-class",
  "common_name": "app.example.com",
  "custom_values": {
    "app_data": {
      "app_name": "MyApplication"
    }
  }
}
PRIVATE Class

Certificate profile

{
  "name": "Profile - PRIVATE Class",
  "certificate_authority_id": "ca-12345",
  "extensions": {
    "custom": [
      {
        "oid": "1.3.6.1.4.1.12345.10.11",
        "critical": false,
        "template": {
          "type": "[PRIVATE 5] IMPLICIT AutoString",
          "value": "${private_field}"
        },
        "values_name": "private_data"
      }
    ]
  }
}

Issuance

{
  "profile_id": "profile-private-class",
  "common_name": "private.example.com",
  "custom_values": {
    "private_data": {
      "private_field": "PrivateValue123"
    }
  }
}
BIT STRING with Bit Count

Certificate profile

{
  "name": "Profile - BIT STRING with Bit Count",
  "certificate_authority_id": "ca-12345",
  "extensions": {
    "custom": [
      {
        "oid": "1.3.6.1.4.1.12345.10.12",
        "critical": false,
        "template": {
          "type": "BIT STRING",
          "value": "AQIDBA==|[24]"
        }
      }
    ]
  }
}

Issuance

{
  "profile_id": "profile-bit-string-count",
  "common_name": "bitstring.example.com"
}

Parameter constraints and input format for custom extensions

  • oid: Dot-separated numeric OID (e.g., 1.2.840.113549). Must be unique per extension.

  • critical : Boolean (true or false).

  • template.type: Format is [[CLASS] TAG] [MODE] TYPE [OPTIONAL]

    • Context-Specific[1], [2], [3] , etc.

    • APPLICATION: [APPLICATION 0], [APPLICATION 1], etc.

    • PRIVATE: [PRIVATE 0], [PRIVATE 5], etc.

    • MODE: IMPLICIT (default) or EXPLICIT

    • TYPE: Case-sensitive ASN.1 type name

    • OPTIONAL: Keyword to mark field as optional

  • ·        template.value: Literal value or template variable ${var_name} (letters, digits, underscores, starting with letter/underscore). If templated, you must set values_name.

  • Binary types (OCTET STRING / BIT STRING):

    • HEX format: DEADBEEF

    • Base64 format: ZXhhbXBsZQ==

    • BIT STRING with bit count: base64value|[24]

  • OBJECT IDENTIFIER: Valid OID string (e.g., 1.2.840.113549.1.1.1).

  • OPTIONAL behavior:

    • Templated and omitted at issuance → extension omitted from certificate

    • Literal and optional → typically included with literal value

Rules format summary

Correct formats

  • PrintableString: UNIVERSAL class

  • [0] INTEGER: Context-Specific tag 0, IMPLICIT

  • [1] EXPLICIT UTF8String: Context-Specific tag 1, EXPLICIT

  • [APPLICATION 0] EXPLICIT PrintableString: APPLICATION class

  • [PRIVATE 5] IMPLICIT AutoString: PRIVATE class

  • [2] PrintableString OPTIONAL: Optional field

Incorrect formats

Incorrect

Correct

CONTEXT 0 INTEGER

[0] INTEGER

APPLICATION [0] PrintableString

[APPLICATION 0] EXPLICIT PrintableString

PRIVATE [5] UTF8String

[PRIVATE 5] UTF8String

printablestring

PrintableString

BITSTRING

BIT STRING

: