
Create an ACME-based profile for public CertCentral certificates

Before you begin

You need a connector that links DigiCert® Trust Lifecycle Manager to your CertCentral account.

Create the certificate profile

  1. From the DigiCert® Trust Lifecycle Manager main menu, select Manage > Profiles.

  2. Select the Create profile from template button at the top.

  3. Select the CertCentral Public Server Certificate template as the basis for creating the profile.

  4. Fill in the Primary options for your new certificate profile:

    • Profile name: Enter a friendly name for this profile.

    • Business unit: Select the business unit (BU) for certificates issued from this profile. The business unit needs certificate management seats allocated to it before certificates can be issued (see Prerequisites).

    • Certificate type: Select the type of public certificates (CertCentral product type) to issue.

    • Issuing CA: Optionally, select which public DigiCert certificate authority will issue the certificates. This is only available if configured in CertCentral.

    • Enrollment method: Select 3rd-party ACME client.

  5. Select the Certificate options for certificates issued from this profile:

    • Multi-year plan: Select the button to Select a plan. In the resulting popup dialog:

      • Select one of the standard order coverage periods on the left or select Custom order validity to enter a custom value.

      • Select Save selection to save your selection and exit the dialog.

    • Certificate fields: Enter the certificate validity period length and units.

      • The default certificate validity period is 397 days for orders of 397 days or more.

      • For orders of less than 397 days, the default certificate validity is equal to the order validity period.

      • For order lengths of 2 years or more, the certificate validity period can be specified in units of either days or years.

  6. Select any Additional options for:

    • Email configuration and notifications: Email communications settings for certificate lifecycle event notifications.

    • Signed HTTP Exchange extension: Whether to include the CanSignHttpExchanges extension in certificates.

    • Organization and contact details: Select an organization and enter any contact details specific to certificates issued with this profile.

      • Tip: Select the Hide non-validated organizations option to list only prevalidated organizations.

    • Tags: Enter custom tags to apply to all certificates issued from this profile. Tags help identify the certificates for tracking and management purposes.

  7. Select Create to create the certificate profile and generate the ACME credentials for it. The ACME URL and EAB credentials popup window launches, showing the following fields:

    • ACME Directory URL: Base URL to use when requesting certificate automations. For hosted DigiCert ONE accounts, this should be https://one.digicert.com/mpki/api/v1/acme/v2/directory

    • KID: Key identifier for your new certificate profile.

    • HMAC key: Used to encrypt and authenticate your account key during automation events.

  8. Copy your unique external account binding (EAB) credentials and store them somewhere safe. You can use the "copy" icon next to each field to copy it into your clipboard or select the Copy all button to copy them all at once.

  9. After copying the new ACME credentials, Close the popup window.

Note

When you create an ACME-based certificate profile, the ACME credentials for it are displayed only once. There is no way to retrieve this information once you have navigated away from it. If you ever lose your ACME credentials, you will need to regenerate the ACME credentials for that profile.
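What the KID and HMAC key from step 7 do when a third-party ACME client registers its account, following the external account binding format in RFC 8555 section 7.3.4. This is an added example, not DigiCert code; the KID, key, account JWK and newAccount URL are constructed placeholders, and it assumes the HMAC key is supplied base64url-encoded.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholders, not real credentials or endpoints.
DEMO_KID = "constructed-kid-0001"
DEMO_HMAC_KEY = base64.urlsafe_b64encode(b"constructed demo key, not a secret!").rstrip(b"=").decode()
DEMO_NEW_ACCOUNT_URL = "https://acme.example.test/new-account"
DEMO_ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Decode base64url text that has had its padding stripped."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def eab_mac(hmac_key: str, protected: str, payload: str) -> bytes:
    # HS256 over "protected.payload"; the key itself is never transmitted.
    signing_input = f"{protected}.{payload}".encode("ascii")
    return hmac.new(b64url_decode(hmac_key), signing_input, hashlib.sha256).digest()


def build_eab(kid: str, hmac_key: str, account_jwk: dict, new_account_url: str) -> dict:
    """Build the externalAccountBinding field of a newAccount request."""
    header = {"alg": "HS256", "kid": kid, "url": new_account_url}
    protected = b64url(json.dumps(header, separators=(",", ":")).encode())
    # The payload is the ACME account's public key, which the MAC ties to the KID.
    payload = b64url(json.dumps(account_jwk, sort_keys=True, separators=(",", ":")).encode())
    signature = b64url(eab_mac(hmac_key, protected, payload))
    return {"protected": protected, "payload": payload, "signature": signature}


def verify_eab(eab: dict, hmac_key: str) -> bool:
    """CA-side view: recompute the MAC and compare in constant time."""
    expected = eab_mac(hmac_key, eab["protected"], eab["payload"])
    return hmac.compare_digest(expected, b64url_decode(eab["signature"]))


if __name__ == "__main__":
    print(json.dumps(build_eab(DEMO_KID, DEMO_HMAC_KEY, DEMO_ACCOUNT_JWK, DEMO_NEW_ACCOUNT_URL), indent=2))
```

Only the KID and the MAC travel in the request, so possession of the HMAC key is what authorizes an ACME account to use the profile; store it with the same care as a password.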