Obtain a client authentication certificate
You can use a client authentication certificate, referred to as a Registration Authority (RA) certificate, to authenticate Autoenrollment Server requests to DigiCert ONE. Use this method instead of an API token if you will integrate with Windows Hello for Business.
Your RA certificate can be stored on a Hardware Security Module (HSM) or in a software key store in PFX format. The RA certificate storage option you choose determines how the RA certificate must be enrolled.
Note
DigiCert recommends the use of a Hardware Security Module to ensure the security of the RA certificate and its corresponding private key. Anyone who has access to the RA certificate and private key can act on your organization's behalf, so the secure storage of your certificate and key is important.
Obtain an RA certificate to store in an HSM
Refer to the HSM guide for details.
Obtain an RA certificate as a software file
Follow the steps below to create a service user (a credential that is not bound to an account user) and bind an authentication certificate to it for use with Autoenrollment Server.
Create the service user and authentication certificate
Navigate to Account Manager.
Select Access from the left navigation menu, then Service User.
Select Create Service user.
On the service user details page, enter the following details:
Friendly name: Nickname for the service user.
Description (optional): Description of the service user's purpose.
End date (optional): Expiration date for the service user.
Email: To send notifications regarding the service user.
Accounts that can use this service user: Account access for the service user.
DigiCert ONE Manager access: Select CA and Trust Lifecycle.
Select Next.
On the Roles and permissions page, assign the following user roles:
For CA Manager: Read only
For Trust Lifecycle Manager: User and certificate manager and Certificate profile manager
Note
Alternatively, you can create and assign custom user roles that include at minimum the following permissions:
For CA Manager: View CA and View CA configuration.
For Trust Lifecycle Manager: Certificate management: Manage create, plus Profiles & templates: Manage enrollment and Manage profile.
Select Add user.
Each service user has an API token associated with it by default. The token ID is displayed in a popup box once the service user is created. If you intend to use this service user to make API requests, copy the token ID value and store it in a safe location; this value will be shown only once.
Navigate to the Service User section and select the service user you created in the previous steps.
Under the Authentication Certificates section, select Create Authentication certificate.
On the Generate authentication certificate page, enter the following details:
Nickname
End date
Select Generate certificate.
The password for certificate installation is displayed in a popup box. Copy the password and store it in a safe location; this value will be shown only once.
Select Download certificate.
Move the downloaded certificate to the machine running Autoenrollment Server.
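Before pointing Autoenrollment Server at the file, it is worth confirming that the PFX you downloaded is what you expect: that it opens with the one-time password, carries a private key, is within its validity period, and has the Client Authentication extended key usage. The following PowerShell script is an added example, not DigiCert's own code; the PFX path, the optional import into the LocalMachine\My store, and the non-exportable import are assumptions about your deployment, not steps from this page. Run it in an elevated PowerShell session on the Autoenrollment Server host.

```powershell
<#
Added example (not DigiCert's code): sanity-check the RA certificate PFX
downloaded from DigiCert ONE before handing it to Autoenrollment Server.
Assumed: $PfxPath points at the downloaded file; -Import is optional and
targets Cert:\LocalMachine\My. Requires .NET 4.7.2+ or PowerShell 7 for the
ephemeral key flag.
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$PfxPath,      # e.g. C:\ra\ra-cert.pfx (assumed location)
    [switch]$Import        # also import into Cert:\LocalMachine\My
)

# Read the one-time installation password interactively; never hard-code it.
$pfxPassword = Read-Host -Prompt 'PFX installation password' -AsSecureString

# EphemeralKeySet keeps the private key in memory only, so the checks below
# write nothing to a key store.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet
$cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $pfxPassword, $flags)

$problems = @()
$now = Get-Date

if (-not $cert.HasPrivateKey) {
    $problems += 'The PFX contains no private key; re-download it from DigiCert ONE.'
}
if ($cert.NotBefore -gt $now) {
    $problems += "Certificate is not valid until $($cert.NotBefore)."
}
if ($cert.NotAfter -lt $now) {
    $problems += "Certificate expired on $($cert.NotAfter)."
} elseif ($cert.NotAfter -lt $now.AddDays(30)) {
    Write-Warning "Certificate expires on $($cert.NotAfter); plan the renewal."
}

# A client authentication certificate must carry the Client Authentication
# EKU, OID 1.3.6.1.5.5.7.3.2.
$ekuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasClientAuth = [bool]($ekuExt -and
    ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' }))
if (-not $hasClientAuth) {
    $problems += 'Certificate lacks the Client Authentication EKU (1.3.6.1.5.5.7.3.2).'
}

# Chain building is informational only: the issuing CA may not yet be in this
# host's trust store, and revocation checking is skipped so the script runs offline.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    Write-Warning "Chain did not build on this host: $status"
}

[pscustomobject]@{
    Subject    = $cert.Subject
    Issuer     = $cert.Issuer
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
    PrivateKey = $cert.HasPrivateKey
} | Format-List

if ($problems) {
    $problems | ForEach-Object { Write-Error $_ }
    $cert.Dispose()
    exit 1
}

if ($Import) {
    # Import-PfxCertificate marks the key non-exportable unless -Exportable is
    # passed; leave it that way so the RA key cannot be copied off this host.
    $imported = Import-PfxCertificate -FilePath $PfxPath `
        -CertStoreLocation 'Cert:\LocalMachine\My' -Password $pfxPassword
    Write-Host "Imported $($imported.Thumbprint) into LocalMachine\My with a non-exportable key."
}
$cert.Dispose()
```

Run it as `.\Check-RaPfx.ps1 -PfxPath C:\ra\ra-cert.pfx` (script name and path assumed) and add `-Import` only once the checks pass. Whether you keep the PFX file or the store entry afterwards depends on how your Autoenrollment Server is configured to locate the RA certificate; either way, delete any copy that is no longer needed, since the note above applies to every copy of the key.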