Skip to main content

Create an ACME-based profile for private CA Manager certificates

  1. From the DigiCert​​®​​ Trust Lifecycle Manager main menu, select Policies > Certificate profiles.

  2. Select the Create profile from template button at top.

  3. Select the CA Manager Private Server Certificate template as the basis for creating the profile.

  4. Fill in the Primary options for your new certificate profile:

    • Profile name: Enter a friendly name for this profile.

    • Business unit: Select the business unit (BU) for certificates issued from this profile.

    • Issuing CA: Select which of your certificate authorities (as configured in DigiCert® Private CA) will issue the certificates.

    • Enrollment method: Select 3rd-party ACME client.

  5. Select the Certificate options for certificates issued from this profile:

    • Certificate expires in: Enter the validity period length and select units.

    • Subject DN and SAN fields: Select options for the Distinguished Name (DN) and Subject Alternative Name (SAN) in certificate requests.

      • The Common name and DNS name fields are mandatory and prefilled for you.

      • Select Add DNS name if certificates will secure multiple domain names.

      • Use the Select additional fields dropdown to configure additional fields for the DN or SAN (Country, Locality, etc.). If added here, the Email field is used as the recipient for notifications.

      • Entered by User means the field’s value will be supplied by the user when invoking the ACME client.

      • From CSR means the field’s value will come from a CSR file. The CSR file location must be specified when invoking the ACME client.

  6. Select any Extensions for certificates issued from this profile:

    • Key usage: Allowed security services for the certificate keys.

    • Extended key usage: How certificate public keys can be used.

  7. Select any Additional options for:

    • Administrative contact: Contact info for issued certificates.

    • Email configuration and notifications: Email communications settings for certificate lifecycle event notifications.

    • LDAP search: Whether certificates should be searchable via LDAP.

    • Tags: Enter custom tags to apply to all certificates issued from this profile. Tags help identify the certificates for tracking and management purposes.

  8. Select Create to save the new certificate profile and generate the ACME credentials for it. The ACME URL and EAB credentials popup window launches, showing the following fields:

    • ACME Directory URL: Base URL to use when requesting certificate automations. For hosted DigiCert ONE accounts, this should be https://one.digicert.com/mpki/api/v1/acme/v2/directory

    • KID: Key identifier for your new certificate profile.

    • HMAC key: Used to encrypt and authenticate your account key during automation events.

  9. Copy your unique external account binding (EAB) credentials and store them somewhere safe. You can use the "copy" icon next to each field to copy it into your clipboard or select the Copy all button to copy them all at once.

  10. After copying the new ACME credentials, Close the popup window.

注意

When you create an ACME-based certificate profile, the ACME credentials for it are displayed only once. There is no way to retrieve this information once you have navigated away from it. If you ever lose your ACME credentials, you will need to regenerate the ACME credentials for that profile.