DigiCert Private CA user roles
Assign one or more roles to a DigiCert Private CA user when you add or update the user.
Account roles for standard and service users
The following user roles are available in your account:
The DigiCert® Private CA PKI manager role is usually assigned to an admin responsible for requesting and authorizing key escrow and CA recovery; it also has read-only access to managed CAs.

| Category | Permission | User can |
|---|---|---|
| General | Manage CA accounts | View, select, and manage CAs within DigiCert Private CA accounts. |
| | Manage AIAs | View, select, and manage Authority Information Access (AIA) and Online Certificate Status Protocol (OCSP). |
| | Manage CA CRL | View, select, create, and manage Certificate Revocation Lists (CRLs). |
| | Manage domain | View, select, create, and manage domains. |
| | View domain | View domains. |
| | Manage CA escrow recovery | Escrow CAs and recover them. |
| | Manage common CA database | View, select, and manage Common CA Database (CCADB) connections for public certificates. (DigiCert PKI Staff only) |
| | View default configurations | View and manage Root and ICA issuing configurations, such as Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP) settings. |
| | Manage HSM management | View, select, and manage HSMs and partitions within DigiCert Private CA. |
| | View HSM partitions | View HSM partitions within DigiCert Private CA. |
| | View audit log | Review the actions recorded in their DigiCert Private CA account audit logs. |
| CA & certificates | Manage CA | View, select, and manage Roots and Intermediate Certificate Authorities (ICAs) in related workflows. |
| | Manage revoke CA | Request and approve/deny CA revocation requests. |
| | Manage OCSP responder | Create and manage OCSP responders. |
| | Manage recover escrow key | Escrow keys and certificates and recover them. |
| | View certificate | View end-entity certificates. |
| | Manage templates | View, select, and manage non-system templates to customize CAs and end-entities. |
The DigiCert® Private CA Key escrow role is usually assigned to an admin responsible for requesting and authorizing key escrow and CA recovery. A user with this role can escrow and recover escrowed end-entity keys via other DigiCert ONE managers.

| Category | Permission | User can |
|---|---|---|
| General | View AIAs | View Authority Information Access (AIA) and Online Certificate Status Protocol (OCSP). |
| | Manage CA escrow recovery | Escrow CAs and recover them. |
| | Manage HSM management | View, select, and manage HSMs and partitions within DigiCert Private CA. |
| | View HSM partitions | View HSM partitions within DigiCert Private CA. |
| | View audit log | Review the actions recorded in their DigiCert Private CA account audit logs. |
| CA & certificates | View CA | View Roots and Intermediate Certificate Authorities (ICAs) in related workflows. |
| | View certificate | View end-entity certificates. |
| | View recover escrow key | View escrowed and recovered keys and certificates. |
| | Manage recover escrow key | Escrow keys and certificates and recover them. |
The DigiCert® Private CA Read only role provides access limited to read-only permissions for managed CAs.

| Category | Permission | User can |
|---|---|---|
| General | View AIAs | View Authority Information Access (AIA) and Online Certificate Status Protocol (OCSP). |
| | View domain | View domains. |
| | View common CA database | View Common CA Database (CCADB) connections for public certificates. |
| | Manage CA escrow recovery | Escrow CAs and recover them. |
| | View HSM partitions | View HSM partitions within DigiCert Private CA. |
| | Manage HSM management | View, select, and manage HSMs and partitions within DigiCert Private CA. |
| | View audit log | Review the actions recorded in their DigiCert Private CA account audit logs. |
| CA & certificates | View CA | View Roots and Intermediate Certificate Authorities (ICAs) in related workflows. |
| | View certificate | View end-entity certificates. |
| | View OCSP responder | View OCSP responders. |
| | View recover escrow key | View escrowed and recovered keys and certificates. |
| | Manage recover escrow key | Escrow keys and certificates and recover them. |
| | View templates | View non-system templates to customize CAs and end-entities. |
System roles for on-premises administration
For on-premises customers, these roles are available for system administration.
The DigiCert® Private CA CA Admin role is usually assigned to a PKI operations administrator responsible for configuring their CA Manager accounts.

| Category | Permission | User can |
|---|---|---|
| General | Manage CA accounts | View, select, and manage CAs within DigiCert Private CA accounts. |
| | Manage AIAs | View, select, and manage Authority Information Access (AIA) and Online Certificate Status Protocol (OCSP). |
| | Manage CA recovery request | Receive escrow recovery requests and approve escrow recovery for an escrowed CA key. |
| | Manage CA CRL | View, select, create, and manage Certificate Revocation Lists (CRLs). |
| | Manage domain | View, select, create, and manage domains. |
| | View audit log | View audit logs. |
| CA & certificates | Manage CA | View, select, and manage Roots and Intermediate Certificate Authorities (ICAs) in related workflows. |
| | Manage revoke CA | Request and approve/deny CA revocation requests. |
| | Manage OCSP responder | Create and manage OCSP responders. |
| | Manage escrow master keys | Create and recover an escrowed CA key. |
| | Manage import certificate | Import external roots and ICAs for use in DigiCert ONE. |
| | Manage revoke certificate | Revoke end-entity certificates. |
| | Manage templates | View, select, and manage non-system templates to customize CAs and end-entities. |
| Ceremonies | Manage ceremony requests | Create and manage ceremony requests. (DigiCert PKI Staff only) |
| | Manage ceremony certificate profile | Modify the certificate profile of a ceremony request. (DigiCert PKI Staff only) |
| | Manage key pools | Create, manage, and upload externally generated key pools. (DigiCert PKI Staff only) |
| | Manage approve key pool batch | Approve or deny an uploaded key pool batch. (DigiCert PKI Staff only) |
| | Manage operations | Modify and approve the operations section of a ceremony request. (DigiCert PKI Staff only) |
| | Manage validation | Modify and approve the validation section of a ceremony request. (DigiCert PKI Staff only) |
| | Manage compliance | Modify and approve the compliance section of a ceremony request. (DigiCert PKI Staff only) |
| | Manage ceremony executable | Generate an executable from a ceremony request for an offline key ceremony or key pool batch creation. (DigiCert PKI Staff only) |
| | Manage common CA database | View, select, and manage Common CA Database (CCADB) connections for public certificates. (DigiCert PKI Staff only) |
| Configuration | Manage default configurations | View and manage Root and ICA issuing configurations, such as Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP) settings. |
| | Manage HSM management | View, select, and manage HSMs and partitions within DigiCert Private CA. |
| | View app health | Access the healthcheck endpoint API. |
The DigiCert® Private CA CA operations role is usually assigned to a PKI operations administrator responsible for creating and managing CAs, CRLs, and OCSP responders.

| Category | Permission | User can |
|---|---|---|
| General | Manage CA accounts | View, select, and manage CAs within DigiCert Private CA accounts. |
| | Manage AIAs | View, select, and manage Authority Information Access (AIA) and Online Certificate Status Protocol (OCSP). |
| | Manage CA recovery request | Receive escrow recovery requests and approve escrow recovery for an escrowed CA key. |
| | Manage CA CRL | View, select, create, and manage Certificate Revocation Lists (CRLs). |
| | Manage domain | View, select, create, and manage domains. |
| | View audit log | View audit logs. |
| CA & certificates | Manage CA | View, select, and manage Roots and Intermediate Certificate Authorities (ICAs) in related workflows. |
| | Manage revoke CA | Request and approve/deny CA revocation requests. |
| | Manage OCSP responder | Create and manage OCSP responders. |
| | Manage escrow master keys | Create and recover an escrowed CA key. |
| | Manage import certificate | Import external roots and ICAs for use in DigiCert ONE. |
| | Manage revoke certificate | Revoke end-entity certificates. |
| | Manage templates | View, select, and manage non-system templates to customize CAs and end-entities. |
| Ceremonies | Manage ceremony requests | Create and manage ceremony requests. (DigiCert PKI Staff only) |
| | Manage ceremony certificate profile | Modify the certificate profile of a ceremony request. (DigiCert PKI Staff only) |
| | Manage key pools | Create, manage, and upload externally generated key pools. (DigiCert PKI Staff only) |
| | Manage approve key pool batch | Approve or deny an uploaded key pool batch. (DigiCert PKI Staff only) |
| | Manage operations | Modify and approve the operations section of a ceremony request. (DigiCert PKI Staff only) |
| | Manage ceremony executable | Generate an executable from a ceremony request for an offline key ceremony or key pool batch creation. (DigiCert PKI Staff only) |
| | View common CA database | View Common CA Database (CCADB) connections. |
| Configuration | Manage default configurations | View and manage Root and ICA issuing configurations, such as Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP) settings. |
| | Manage HSM management | View, select, and manage HSMs and partitions within DigiCert Private CA. |
| | View app health | Access the healthcheck endpoint API. |
The DigiCert® Private CA PKI operations role is usually assigned to a PKI operations admin who manages and reviews offline CA requests and key pools.

| Category | Permission | User can |
|---|---|---|
| General | Manage CA accounts | View, select, and manage CAs within DigiCert Private CA accounts. |
| | Manage AIAs | View, select, and manage Authority Information Access (AIA) and Online Certificate Status Protocol (OCSP). |
| | Manage CA recovery request | Receive escrow recovery requests and approve escrow recovery for an escrowed CA key. |
| | Manage CA CRL | View, select, create, and manage Certificate Revocation Lists (CRLs). |
| | Manage domain | View, select, create, and manage domains. |
| | View audit log | View audit logs. |
| CA & certificates | Manage CA | View, select, and manage Roots and Intermediate Certificate Authorities (ICAs) in related workflows. |
| | Manage revoke CA | Request and approve/deny CA revocation requests. |
| | Manage OCSP responder | Create and manage OCSP responders. |
| | Manage escrow master keys | Create and recover an escrowed CA key. |
| | Manage import certificate | Import external roots and ICAs for use in DigiCert ONE. |
| | Manage revoke certificate | Revoke end-entity certificates. |
| | Manage templates | View, select, and manage non-system templates to customize CAs and end-entities. |
| Ceremonies | Manage ceremony requests | Create and manage ceremony requests. (DigiCert PKI Staff only) |
| | Manage ceremony certificate profile | Modify the certificate profile of a ceremony request. (DigiCert PKI Staff only) |
| | Manage key pools | Create, manage, and upload externally generated key pools. (DigiCert PKI Staff only) |
| | Manage approve key pool batch | Approve or deny an uploaded key pool batch. (DigiCert PKI Staff only) |
| | Manage operations | Modify and approve the operations section of a ceremony request. (DigiCert PKI Staff only) |
| | Manage ceremony executable | Generate an executable from a ceremony request for an offline key ceremony or key pool batch creation. (DigiCert PKI Staff only) |
| | Manage common CA database | View, select, and manage Common CA Database (CCADB) connections for public certificates. (DigiCert PKI Staff only) |
| Configuration | Manage default configurations | View and manage Root and ICA issuing configurations, such as Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP) settings. |
| | View app health | Access the healthcheck endpoint API. |
The DigiCert® Private CA PKI validation role is usually assigned to a PKI validation administrator who manages and reviews offline CA requests.

| Category | Permission | User can |
|---|---|---|
| General | Manage CA accounts | View, select, and manage CAs within DigiCert Private CA accounts. |
| | Manage AIAs | View, select, and manage Authority Information Access (AIA) and Online Certificate Status Protocol (OCSP). |
| | Manage CA CRL | View, select, create, and manage Certificate Revocation Lists (CRLs). |
| | Manage domain | View, select, create, and manage domains. |
| | View audit log | View audit logs. |
| CA & certificates | Manage CA | View, select, and manage Roots and Intermediate Certificate Authorities (ICAs) in related workflows. |
| | Manage revoke CA | Request and approve/deny CA revocation requests. |
| | Manage OCSP responder | Create and manage OCSP responders. |
| | Manage escrow master keys | Create and recover an escrowed CA key. |
| | Manage import certificate | Import external roots and ICAs for use in DigiCert ONE. |
| | Manage revoke certificate | Revoke end-entity certificates. |
| Ceremonies | Manage ceremony requests | Create and manage ceremony requests. (DigiCert PKI Staff only) |
| | Manage ceremony certificate profile | Modify the certificate profile of a ceremony request. (DigiCert PKI Staff only) |
| | Manage key pools | Create, manage, and upload externally generated key pools. (DigiCert PKI Staff only) |
| | Manage approve key pool batch | Approve or deny an uploaded key pool batch. (DigiCert PKI Staff only) |
| | Manage validation | Modify and approve the validation section of a ceremony request. (DigiCert PKI Staff only) |
| | Manage ceremony executable | Generate an executable from a ceremony request for an offline key ceremony or key pool batch creation. (DigiCert PKI Staff only) |
| | Manage common CA database | View, select, and manage Common CA Database (CCADB) connections for public certificates. (DigiCert PKI Staff only) |
| Configuration | Manage default configurations | View and manage Root and ICA issuing configurations, such as Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP) settings. |
| | View app health | Access the healthcheck endpoint API. |
The DigiCert® Private CA PKI compliance role is usually assigned to a PKI compliance admin who manages and reviews offline CA requests.

| Category | Permission | User can |
|---|---|---|
| General | Manage CA accounts | View, select, and manage CAs within DigiCert Private CA accounts. |
| | Manage AIAs | View, select, and manage Authority Information Access (AIA) and Online Certificate Status Protocol (OCSP). |
| | Manage CA CRL | View, select, create, and manage Certificate Revocation Lists (CRLs). |
| | Manage domain | View, select, create, and manage domains. |
| | View audit log | View audit logs. |
| CA & certificates | Manage CA | View, select, and manage Roots and Intermediate Certificate Authorities (ICAs) in related workflows. |
| | Manage revoke CA | Request and approve/deny CA revocation requests. |
| | Manage OCSP responder | Create and manage OCSP responders. |
| | Manage escrow master keys | Create and recover an escrowed CA key. |
| | Manage import certificate | Import external roots and ICAs for use in DigiCert ONE. |
| | Manage revoke certificate | Revoke end-entity certificates. |
| Ceremonies | Manage ceremony requests | Create and manage ceremony requests. (DigiCert PKI Staff only) |
| | Manage ceremony certificate profile | Modify the certificate profile of a ceremony request. (DigiCert PKI Staff only) |
| | Manage key pools | Create, manage, and upload externally generated key pools. (DigiCert PKI Staff only) |
| | Manage approve key pool batch | Approve or deny an uploaded key pool batch. (DigiCert PKI Staff only) |
| | Manage compliance | Modify and approve the compliance section of a ceremony request. (DigiCert PKI Staff only) |
| | Manage ceremony executable | Generate an executable from a ceremony request for an offline key ceremony or key pool batch creation. (DigiCert PKI Staff only) |
| | Manage common CA database | View, select, and manage Common CA Database (CCADB) connections for public certificates. (DigiCert PKI Staff only) |
| Configuration | Manage default configurations | View and manage Root and ICA issuing configurations, such as Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP) settings. |
| | View app health | Access the healthcheck endpoint API. |
The DigiCert® Private CA Read only role is usually assigned to support team members and auditors who need read-only access.

| Category | Permission | User can |
|---|---|---|
| General | View AIAs | View Authority Information Access (AIA) and Online Certificate Status Protocol (OCSP). |
| | View domain | View domains. |
| | View audit log | Review the actions recorded in their DigiCert Private CA account audit logs. |
| CA & certificates | View CA | View Roots and ICAs. |
| | View certificate | View end-entity certificates. |
| | View escrow master keys | View the master escrow keys used in partitions to perform key escrow. |
| | View OCSP responder | View OCSP responders. |
| | View templates | View templates. |
| Ceremonies | View ceremony request | View ceremony requests. |
| | View key pools | View key pools. |
| Configuration | View default configurations | View the default configurations for DigiCert Private CA. |
| | View HSM management | View HSMs and partitions within DigiCert Private CA. |
| | View app health (API) | Access app health information. |