To configure the DigiCert ONE MPKI CA as an external CA, select the DigiCert ONE MPKI option from the CA Type drop-down. The following page is shown to configure the DigiCert ONE MPKI CA:

The items in the above screen are described below; each item name is followed by its description:

CA Alias

An operator-defined unique name for easy management of certificate authorities within ADSS Server. This is only for human identification purposes.

Maximum character length: 50

CA Type

ADSS Server can be configured to have certificates issued by DigiCert ONE MPKI. Requests received at the Certification Service are forwarded to DigiCert ONE MPKI for certificate issuance. The supported request types are:

  • CREATE
  • RENEW
  • REVOKE
    Revocation reasons can include: 
    • unSpecified
    • keyCompromise
    • affiliationChanged
    • cessationOfOperation
    • certificateHold
    • removeFromCRL
    • privilegeWithdrawn
    • superseded

Maximum character length: 50

CA Certificate

All CA certificates configured in Trust Manager with the purpose CA (used to verify other certificates and CRLs) are available here for selection.

Select the DigiCert ONE MPKI issuing CA that will be used to issue the target certificates.

Maximum character length: 500

Note: The complete certificate chain of the DigiCert ONE MPKI CA must be registered in Trust Manager.

CA Addresses

Specify the URL at which this CA listens for certificate request messages.

Maximum character length: 200

API Key

The API Key is generated by the operator on the DigiCert ONE MPKI Admin portal.

Specify the generated API Key in this field; ADSS Server uses it to create, renew and revoke certificates from the DigiCert ONE MPKI CA.

Seat ID

Seat ID refers to the seat identification of an authorized end user of the service. The operator specifies a unique user Seat ID for creation and management of the required certificate.

Maximum character length: 500

Profile

Specify the Profile configured at the DigiCert ONE MPKI Admin Portal by selecting it from the drop-down. Clicking the Get Profiles button populates the drop-down with all profiles configured at the DigiCert ONE MPKI Admin Portal. These profiles contain all the content for the certificate to be generated.

Maximum character length: 500

Note: The API Key is required to retrieve the profiles.


DigiCert ONE MPKI supports a GUID parameter in the otherName SAN attribute. If the user adds an otherName with the OID 1.3.6.1.4.1.311.25.1, the GUID parameter is sent to DigiCert ONE MPKI.

The GUID value must be provided as a UUID, i.e. a 128-bit number written as hex characters separated by "-", e.g. b4f5dc26-63f3-4157-83f5-729992ab10c0.

A certificate issued by DigiCert ONE MPKI can be revoked either from the console or via the ADSS Certification Service.


Supported RDNs in Subject DN

Below is the list of supported RDNs in Subject DN: 

  • ST - Street Address
  • C - Country
  • L - Locality
  • SERIALNUMBER - Subject Serial Number
  • O - Organization (organization name in case of DigiCert ONE MPKI)
  • S - State
  • CN - Common Name
  • P - Postal Code
  • OU - Organization Unit
  • UID - Unique Identifier
  • E - Email
  • T - Title
  • G - Given Name
  • SN - Surname
  • unstructured_name - Unstructured Name
  • unstructured_address - Unstructured Address

Limitations for RDN:

Below is the list of RDNs that are supported in DigiCert ONE MPKI but not supported in ADSS Server:

  • domain_component - Domain Component
  • dn_qualifier - DN Qualifier
  • user_identifier - User Identifier


Supported GeneralNames in SAN

Below is the list of supported GeneralNames in SAN:

  • rfc822Name
  • dNSName
  • iPAddress
  • directoryName
  • otherName
  • uniformResourceIdentifier
  • registeredID
  • user_principal_names

Limitations for GeneralNames in SAN:

Some GeneralNames in SAN are supported in DigiCert ONE MPKI but not in ADSS Server:

  • raw_other_names


Supported GeneralNames in IAN

Below is the list of supported GeneralNames in IAN:

  • directoryName
    DigiCert ONE MPKI supports the following attributes in the directoryName for IAN:
    • surname (multiple Values)
    • organizationalUnit (multiple Values)
    • title (multiple Values)
    • givenName (multiple Values)
    • domainComponent (multiple Values)
    • commonName (single value)
    • organization (single value)
    • locality (single value)
    • streetAddress (single value)
    • country (single value)
    • serialNumber (single value)


Known Limitations of DigiCert ONE MPKI

Here are the known limitations of DigiCert ONE MPKI that the operator must consider:

  • RSA key sizes (1024, 2048, 3072, 4096) and NIST P-curves (P-256, P-384, P-521) are supported by DigiCert ONE MPKI when certifying the CSR; these have been tested with ADSS Server.
  • Certificate validity can be configured only in days, months and years in the Certification Profile, as DigiCert ONE MPKI supports only these validity units.
  • Common Name can be added only once in the Subject DN.
  • DigiCert ONE MPKI accepts the Unique Identifier (UID) RDN value in hexadecimal format only, e.g. 1C7D0B579441.
  • Business Category and Organisation Identifier are not supported in the Subject DN when creating or renewing a certificate from DigiCert ONE MPKI.
  • DigiCert ONE MPKI does not support the revocation reasons cACompromise and aACompromise when revoking a certificate.
  • Extended Validation Locality (EVL), Extended Validation State (EVS), and Extended Validation Country (EVC) are not supported in the Subject DN by DigiCert ONE MPKI.
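As an added example (not ADSS Server or DigiCert code), the following pre-flight check applies the constraints documented above before a request is forwarded to DigiCert ONE MPKI: the supported revocation reasons, the hyphenated UUID format required for the 1.3.6.1.4.1.311.25.1 otherName, and the Subject DN limitations (single CN, hexadecimal UID, unsupported attributes). The function names and the shape of the request dictionary are assumptions made for this illustration.

```python
import re
import uuid

# Revocation reasons DigiCert ONE MPKI accepts; cACompromise and aACompromise are not among them.
SUPPORTED_REVOCATION_REASONS = frozenset({"unSpecified", "keyCompromise", "affiliationChanged",
    "cessationOfOperation", "certificateHold", "removeFromCRL", "privilegeWithdrawn", "superseded"})
# Subject DN attributes DigiCert ONE MPKI rejects when creating or renewing a certificate.
UNSUPPORTED_RDNS = frozenset({"businessCategory", "organizationIdentifier", "EVL", "EVS", "EVC"})
# otherName OID carrying the GUID; its value must be a hyphenated 128-bit UUID in hex.
GUID_OTHERNAME_OID = "1.3.6.1.4.1.311.25.1"
_HEX_ONLY = re.compile(r"^[0-9A-Fa-f]+$")
_HYPHENATED_UUID = re.compile(r"^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$")

def revocation_reason_supported(reason):
    return reason in SUPPORTED_REVOCATION_REASONS

def subject_dn_problems(rdns):
    """rdns: list of (attribute, value) pairs in the order they appear in the Subject DN."""
    problems = []
    cn_count = sum(1 for attr, _ in rdns if attr == "CN")
    if cn_count > 1:
        problems.append(f"CN appears {cn_count} times; it may appear only once")
    for attr, value in rdns:
        if attr == "UID" and not _HEX_ONLY.match(value):
            problems.append(f"UID value {value!r} must be hexadecimal")
        if attr in UNSUPPORTED_RDNS:
            problems.append(f"RDN {attr} is not supported in the Subject DN")
    return problems

def guid_othername_bytes(oid, value):
    """For the GUID otherName, return the 16 raw bytes of the UUID; None for any other OID."""
    if oid != GUID_OTHERNAME_OID:
        return None
    if not _HYPHENATED_UUID.match(value):
        raise ValueError(f"GUID {value!r} must be a hyphenated hex UUID (8-4-4-4-12)")
    return uuid.UUID(value).bytes

def preflight(request):
    """request: constructed dict with 'type' and, as applicable, 'reason', 'subject', 'other_names'."""
    problems = []
    if request["type"] == "REVOKE" and not revocation_reason_supported(request.get("reason")):
        problems.append(f"revocation reason {request.get('reason')!r} is not supported")
    if request["type"] in ("CREATE", "RENEW"):
        problems.extend(subject_dn_problems(request.get("subject", [])))
        for oid, value in request.get("other_names", []):
            try:
                guid_othername_bytes(oid, value)
            except ValueError as exc:
                problems.append(str(exc))
    return problems
```

An empty list from preflight means the request carries nothing the documented limitations would reject; the list otherwise names each problem so it can be logged before the request leaves ADSS Server.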

See also

  • ADSS CA Server
  • Microsoft CA
  • Symantec MPKI
  • GlobalSign EPKI
  • GlobalSign HVCI
  • EJBCA
  • QuoVadis CA
  • Entrust CA
  • Entrust CA Gateway
  • Offline External CA
  • DigiCert PKI
  • DigiCert ONE MPKI
  • SPOC Server