Create an EST profile
The EST profile generates the URLs required to connect your EST client to DigiCert® Private CA. It also binds incoming requests to a specific issuing CA, certificate template, authentication method, and lifecycle rules.
Important
Make sure you have an end entity certificate template in DigiCert Private CA that fits your certificate requirements before you start creating a profile.
To create an EST profile in DigiCert Private CA:
In the main menu, select Profiles.
Select Create profile.
Select EST under Protocols.
Enter a Profile name.
[Optional] Add a Description for your profile.
Select the Protocol version you prefer, from the available options.
In Issuer CA, select the private intermediate certificate authority that you use for your certificate requests.
Select a Certificate template ID. You can only use one template in a profile. Create multiple profiles for different templates or certificate settings.
Select the Certificate validity details, like how many days, months, or years the issued certificates are valid for.
Enter a value in days for your preferred Renewal window. Your private CA rejects any renewal requests outside this window.
Select your Authentication method. You also need to set up this method in your certificate requesting client or registration authority.
Select the Signature algorithm used by the profile.
Select Submit.
Your EST profile is saved.
Select Profiles in the main menu to see your saved profiles.
EST URL
When you're ready to set up your EST client, go to the EST profile in DigiCert Private CA and copy the URLs. Each EST profile generates three URLs, each used for a specific EST operation defined in RFC 7030.
EST URLs are structured as follows:
https://<your-ca-domain>/.well-known/est/CA_<ProfileID>/cacerts
https://<your-ca-domain>/.well-known/est/CA_<ProfileID>/simpleenroll
https://<your-ca-domain>/.well-known/est/CA_<ProfileID>/simplereenroll
Where:
https://<your-ca-domain> is the base domain of your DigiCert Private CA instance.
/.well-known/est/ is the standard EST path segment defined by RFC 7030. It identifies the request as an EST transaction over HTTPS.
CA_<ProfileID> is the unique identifier for the EST issuance profile. The CA prefix distinguishes DigiCert Private CA EST routes from other DigiCert services (such as Trust Lifecycle Manager). The profile ID maps directly to the profile you created.
/cacerts is the endpoint used by EST clients to download the CA certificate chain. It helps the client establish trust before enrollment.
/simpleenroll is the endpoint used for initial certificate enrollment requests (new certificates).
/simplereenroll is the endpoint used for re-enrollment or renewal requests. Clients authenticate using their existing certificate.
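The three endpoints above can be exercised from a shell with curl and openssl. The following is an added example, not DigiCert code: EST_HOST, EST_PROFILE, EST_NETRC and all file names are placeholders, and HTTP Basic authentication for the initial enrollment is an assumption (use whichever authentication method the profile is configured with).

```shell
#!/bin/sh
# Added example, not DigiCert code. EST_HOST, EST_PROFILE, EST_NETRC and all file
# names are placeholders; HTTP Basic for /simpleenroll is an assumed auth method.
EST_HOST="${EST_HOST:-ca.example.com}"     # stands in for <your-ca-domain>
EST_PROFILE="${EST_PROFILE:-PROFILE_ID}"   # stands in for <ProfileID>

# Build the URL for one of the three EST operations; reject anything else.
est_url() {
  case "$1" in
    cacerts|simpleenroll|simplereenroll)
      printf 'https://%s/.well-known/est/CA_%s/%s\n' "$EST_HOST" "$EST_PROFILE" "$1" ;;
    *) echo "unknown EST operation: $1" >&2; return 1 ;;
  esac
}

# EST bodies are base64-encoded DER (RFC 7030); responses are certs-only PKCS#7.
est_p7_to_pem() { tr -d '\r\n' | openssl base64 -d -A | openssl pkcs7 -inform DER -print_certs; }
est_csr_body()  { openssl req -in "$1" -outform DER | openssl base64 -A; }   # $1 = PEM CSR

# /cacerts: save the chain to $1 and print each certificate's SHA-256 fingerprint
# so it can be compared with a value obtained out of band before it is trusted.
est_fetch_cacerts() {
  resp=$(curl --fail --silent --show-error "$(est_url cacerts)") || return 1
  printf '%s' "$resp" | est_p7_to_pem > "$1" || return 1
  awk -v cmd='openssl x509 -noout -subject -fingerprint -sha256' \
    '/-BEGIN CERTIFICATE-/{p=1} p{print | cmd} /-END CERTIFICATE-/{p=0; close(cmd)}' "$1"
}

# Shared POST: $1 = operation, $2 = PEM CSR, $3 = output PEM, rest = curl auth options.
est_post() {
  op=$1 csr=$2 out=$3; shift 3
  url=$(est_url "$op") || return 1
  resp=$(est_csr_body "$csr" | curl --fail --silent --show-error "$@" \
    -H 'Content-Type: application/pkcs10' --data-binary @- "$url") || return 1
  printf '%s' "$resp" | est_p7_to_pem > "$out"
}

# /simpleenroll: first certificate. Credentials come from a netrc file (assumed
# Basic auth) so the password never appears on the command line.
est_enroll()   { est_post simpleenroll "$1" "$2" --netrc-file "$EST_NETRC"; }
# /simplereenroll: renewal, authenticated with the existing certificate and key.
est_reenroll() { est_post simplereenroll "$1" "$2" --cert "$3" --key "$4"; }
```

curl verifies the server certificate against the system trust store by default. If the instance uses a privately issued TLS certificate, pass the verified chain with --cacert rather than disabling verification.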