Adding and managing DigiCert certificate authorities
This topic walks you through adding a DigiCert certificate authority (CA). Before you begin, review the following requirements:
- Make sure you have a billing setup with DigiCert for pre-purchasing certificate units or for post-use billing; TLS Protect Cloud doesn't support purchasing individual certificates with a credit card for each transaction.
- Have your DigiCert authentication credentials on hand.
- Make sure that you have the Manager role or higher in DigiCert CertCentral.
Do you want to issue DV certificates?
DV (Domain Validated) certificates are a type of TLS/SSL certificate that verifies ownership or control of the domain through a validation process called Domain Control Validation (DCV).
The DigiCert connector for TLS Protect Cloud is designed to only support OV and EV certificate products.
The ACME protocol was designed to handle the unique steps of the DCV process, so the supported option in TLS Protect Cloud for requesting DV certificates is the ACME CA Connector, which has the ability to automate the DCV process.
Learn more about DigiCert's ACME interface for getting GeoTrust DV certificates on DigiCert's documentation site.
To add a DigiCert certificate authority
- Sign in to Venafi Control Plane.
- Click Integrations > Certificate Authorities.
- Click New > DigiCert.
- Enter the Name that this CA should have in TLS Protect Cloud.
- Enter a Renewal Window in days. This must be between 1 and 397. Learn more about DigiCert certificate renewal and reissuance.
- Select the DigiCert URL, which controls whether you will use a DigiCert server in the European Union or the United States.
  Learn more
  When issuing DigiCert certificates, your DigiCert account can be configured using a US-based URL or a European Union-based URL, depending on your data residency and privacy compliance requirements.
  Selecting the appropriate URL depends on the URL associated with your DigiCert account settings.
- Copy and paste your API Key from DigiCert CertCentral.
- Click Validate.
- Click Add Account.
Sync issuing templates with DigiCert CAs
This step will update TLS Protect Cloud so it aligns with your currently-validated organizations and domains in your DigiCert account. This is done by syncing the SAN DNS and Common Name regular expression patterns from DigiCert to TLS Protect Cloud.
DNS SANs and Common Names in issuing templates
Syncing the account information to your issuing templates will overwrite any existing SAN DNS and Common Name regular expressions currently used by those issuing templates.
Updating the certificate issuing templates with DigiCert account information is a two-step process:
- Refresh TLS Protect Cloud with the organizations currently validated by DigiCert.
- Sync TLS Protect Cloud certificate issuing templates with the domains currently validated by DigiCert.
See the steps below.
Refresh the account information from DigiCert
This step pulls the current list of organizations and domains from your DigiCert account into TLS Protect Cloud.
- Sign in to Venafi Control Plane.
- Click Integrations > Certificate Authorities.
- Click the DigiCert certificate authority you want to refresh.
- Click Account Refresh.
A confirmation message appears when the refresh is complete.
Sync issuing templates with DigiCert domains
With the updates pulled from DigiCert, you can now sync those updates with your DigiCert issuing templates.
- Sign in to Venafi Control Plane.
- Click Integrations > Certificate Authorities.
- Click the DigiCert certificate authority you want to update.
- Click Sync Issuing Templates.
- Choose the issuing templates to sync the policy with.
- Click Sync.
To verify the updates, open the issuing templates you synced and compare the DNS SAN and Common Name values with the domains in your DigiCert account.
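One way to script the comparison described above, as an added example that is not Venafi or DigiCert code: it takes the domains validated in DigiCert and the SAN DNS / Common Name regular expressions copied from a synced issuing template, then reports validated domains that no pattern accepts and patterns that accept lookalike names outside those domains. The function name, the sample values, and the use of Python's `re` with whole-string matching are assumptions; this page does not show the exact regex form TLS Protect Cloud writes.

```python
import re

def audit_template(validated_domains, patterns):
    """Return (uncovered_domains, overbroad) for one issuing template."""
    validated = [d.lower().rstrip(".") for d in validated_domains]
    compiled = [(p, re.compile(p, re.IGNORECASE)) for p in patterns]

    def in_scope(host):
        # A name is in scope if it is a validated domain or a subdomain of one.
        return any(host == d or host.endswith("." + d) for d in validated)

    # Validated domains that no pattern accepts, as the apex or as a subdomain.
    uncovered = [
        d for d in validated
        if not any(rx.fullmatch(h) for _, rx in compiled for h in (d, "www." + d))
    ]

    # Lookalike names derived from each validated domain; none should be allowed.
    probes = set()
    for d in validated:
        probes.update({
            "x" + d,                       # no "." boundary before the domain
            "www." + d.replace(".", "x"),  # unescaped "." in the pattern
            "www." + d + ".invalid",       # pattern left open at the end
        })
    overbroad = sorted(
        (p, host) for p, rx in compiled for host in probes
        if not in_scope(host) and rx.fullmatch(host)
    )
    return uncovered, overbroad

# Constructed sample data (assumed values, not taken from a real account).
SAMPLE_VALIDATED = ["example.com", "example.org", "example.net"]
SAMPLE_PATTERNS = [r".*\.example\.com", r"example\.com", r".*example.org"]

if __name__ == "__main__":
    missing, loose = audit_template(SAMPLE_VALIDATED, SAMPLE_PATTERNS)
    for domain in missing:
        print(f"validated in DigiCert but not allowed by template: {domain}")
    for pattern, host in loose:
        print(f"pattern {pattern!r} also allows out-of-scope name {host}")
```
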
What's Next
This CA is now ready to be added to one or more certificate issuing templates. To do this, select this CA when creating certificate issuing templates.