DigiCert ONE MPKI
To configure the DigiCert ONE MPKI CA as an external CA, select the DigiCert ONE MPKI option from the CA Type drop-down. The following page is shown for configuring DigiCert ONE MPKI:
The items in the above screen are described below:

| Item | Description |
| --- | --- |
| CA Alias | A user-defined unique name for easy management of certificate authorities within ADSS Server. It is used only for human identification. Maximum character length: 50 |
| CA Type | ADSS Server can be configured to obtain certificates issued by DigiCert ONE MPKI. Requests received at the Certification Service are forwarded to DigiCert ONE MPKI for certificate issuance. The supported request types are: Maximum character length: 50 |
| CA Certificate | All CA certificates configured in Trust Manager with the purpose CA (will be used to verify other certificates and CRLs) are available here. Select the DigiCert ONE MPKI issuing CA that will issue the target certificates. Maximum character length: 500. Note: the complete certificate chain of the DigiCert ONE MPKI CA must be registered in Trust Manager. |
| CA Addresses | Specify the URL at which this CA accepts certificate request messages. Maximum character length: 200 |
| API Key | The API Key is generated by the user on the DigiCert ONE MPKI Admin portal. Enter the generated API Key here; ADSS Server uses it to create, renew and revoke certificates at the DigiCert ONE MPKI CA. Treat it as a secret: anyone holding this key can issue and revoke certificates under the account. |
| Seat ID | The Seat ID identifies an authorised end user of the service. Specify a unique Seat ID for creation and management of the required certificate. Maximum character length: 500 |
| Profile | Select the profile configured on the DigiCert ONE MPKI Admin Portal from the drop-down. Clicking the Get Profiles button populates the drop-down with all profiles configured on the DigiCert ONE MPKI Admin Portal. The profile defines the content of the certificate to be generated. Maximum character length: 500. Note: the API Key is required to fetch the profiles. |

The eye icon next to the Profile field shows the profile currently selected in the drop-down. Clicking it displays the following window:

DigiCert ONE MPKI supports a GUID parameter carried in an otherName SAN entry. If the user adds an otherName with OID 1.3.6.1.4.1.311.25.1, the GUID parameter is sent to DigiCert ONE MPKI. The GUID value must be supplied as a UUID: a 128-bit number written as 32 hexadecimal digits in hyphen-separated groups (8-4-4-4-12), e.g. b4f5dc26-63f3-4157-83f5-729992ab10c0.

A certificate issued by DigiCert ONE MPKI can be revoked either from the console or via the ADSS Certification Service.
Supported RDNs in Subject DN
Below is the list of supported RDNs in Subject DN:
- ST - Street Address
- C - Country
- L - Locality
- SERIALNUMBER - Subject Serial Number
- O - Organization (organization name in case of DigiCert ONE MPKI)
- S - State
- CN - Common Name
- P - Postal Code
- OU - Organization Unit
- UID - Unique Identifier
- E - Email
- T - Title
- G - Given Name
- SN - Surname
- unstructured_name - Unstructured Name
- unstructured_address - Unstructured Address
Note that this short-name mapping differs from RFC 4519, where ST denotes stateOrProvinceName and STREET denotes streetAddress; use the names exactly as listed here when building Subject DNs for this CA.
Limitations for RDN:
Below is the list of RDNs that are supported in DigiCert ONE MPKI but not supported in ADSS Server:
- domain_component - Domain Component
- dn_qualifier - DN Qualifier
- user_identifier - User Identifier
Supported GeneralNames in SAN
Below is the list of supported GeneralNames in SAN:
- rfc822Name
- dNSName
- iPAddress
- directoryName
- otherName
- uniformResourceIdentifier
- registeredID
- user_principal_names
Limitations for GeneralNames in SAN:
There are some GeneralNames in SAN that are supported in DigiCert ONE MPKI but not supported in ADSS Server:
- raw_other_names
Supported GeneralNames in IAN
Below is the list of supported GeneralNames in IAN:
- directoryName
DigiCert ONE MPKI supports the following attribute types in the directoryName for IAN:
- surname (multiple values)
- organizationalUnit (multiple values)
- title (multiple values)
- givenName (multiple values)
- domainComponent (multiple values)
- commonName (single value)
- organization (single value)
- locality (single value)
- streetAddress (single value)
- country (single value)
- serialNumber (single value)
Known Limitations of DigiCert ONE MPKI
Here are the known limitations of DigiCert ONE MPKI that the user must consider:
- Key sizes: RSA (1024, 2048, 3072, 4096) and NIST P-curves (P-256, P-384, P-521) are supported by DigiCert ONE MPKI when certifying a CSR and have been tested with ADSS Server. Note that 1024-bit RSA is disallowed for signature generation by NIST SP 800-131A, so use 2048 bits or more for new certificates.
- The certificate validity unit can be configured only in days, months and years in the Certification Profile, because DigiCert ONE MPKI supports only these units.
- Common Name (CN) can appear only once in the Subject DN.
- DigiCert ONE MPKI accepts the Unique Identifier (UID) RDN value in hexadecimal format only, e.g. 1C7D0B579441.
- Business Category and Organisation Identifier are not supported in the Subject DN when creating or renewing a certificate from DigiCert ONE MPKI.
- DigiCert ONE MPKI does not support the revocation reasons cACompromise and aACompromise when revoking a certificate.
- Extended Validation Locality (EVL), Extended Validation State (EVS) and Extended Validation Country (EVC) are not supported in the Subject DN by DigiCert ONE MPKI.
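The GUID otherName rule above and the limitations in this list can be enforced before a request ever reaches the CA. The following is an added example, not code from ADSS Server or DigiCert: it encodes the page's constraints (supported Subject DN RDNs, CN at most once, hexadecimal UID, GUID otherName as a hyphenated UUID, tested key sizes and curves, unsupported revocation reasons) as local checks that reject a bad request with a readable error instead of an API rejection. The DN string syntax, the backslash-escaped comma convention and the request dictionary layout are assumptions made for this example.

```python
"""Pre-flight validation of a certificate request destined for DigiCert ONE MPKI.

Added example (not ADSS Server or DigiCert code). The constraints below are
taken from the documentation page; the DN syntax and request dict layout are
assumptions made for the example.
"""
import re

# RDN short names the page lists as supported in the Subject DN.
SUPPORTED_RDNS = {
    "ST", "C", "L", "SERIALNUMBER", "O", "S", "CN", "P", "OU", "UID",
    "E", "T", "G", "SN", "UNSTRUCTURED_NAME", "UNSTRUCTURED_ADDRESS",
}
# otherName type-id under which the GUID parameter is sent.
GUID_OTHER_NAME_OID = "1.3.6.1.4.1.311.25.1"
SUPPORTED_RSA_SIZES = {1024, 2048, 3072, 4096}
SUPPORTED_EC_CURVES = {"P-256", "P-384", "P-521"}
UNSUPPORTED_REVOCATION_REASONS = {"cACompromise", "aACompromise"}

# 32 hex digits in 8-4-4-4-12 groups, as the page requires for the GUID value.
UUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
HEX_RE = re.compile(r"[0-9a-fA-F]+")


def parse_dn(dn):
    """Split 'CN=Alice,O=Example' into [(type, value), ...].

    A comma preceded by a backslash is part of the value, not a separator
    (escaping convention assumed for this example).
    """
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        if not part.strip():
            continue
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        rdn_type, value = part.split("=", 1)
        rdns.append((rdn_type.strip().upper(), value.strip().replace("\\,", ",")))
    return rdns


def check_subject_dn(dn):
    """Return a list of problems with the Subject DN (empty list means OK)."""
    errors = []
    rdns = parse_dn(dn)
    for rdn_type, value in rdns:
        if rdn_type not in SUPPORTED_RDNS:
            errors.append(f"RDN {rdn_type} is not supported by ADSS Server for DigiCert ONE MPKI")
        if rdn_type == "UID" and not HEX_RE.fullmatch(value):
            errors.append(f"UID value {value!r} must be hexadecimal, e.g. 1C7D0B579441")
    if sum(1 for t, _ in rdns if t == "CN") > 1:
        errors.append("CN may appear only once in the Subject DN")
    return errors


def check_other_names(other_names):
    """Validate [(oid, value), ...] otherName SAN entries; only the GUID OID is constrained."""
    errors = []
    for oid, value in other_names:
        if oid == GUID_OTHER_NAME_OID and not UUID_RE.fullmatch(value):
            errors.append(
                f"GUID {value!r} must be a 128-bit UUID as 8-4-4-4-12 hex groups, "
                "e.g. b4f5dc26-63f3-4157-83f5-729992ab10c0"
            )
    return errors


def check_key(key_type, key_param):
    """key_type is 'RSA' with a bit size, or 'EC' with a NIST curve name."""
    if key_type == "RSA" and key_param in SUPPORTED_RSA_SIZES:
        return []
    if key_type == "EC" and key_param in SUPPORTED_EC_CURVES:
        return []
    return [f"key {key_type} {key_param} is not in the tested set for DigiCert ONE MPKI"]


def check_revocation_reason(reason):
    """Reject the reason codes the page says DigiCert ONE MPKI does not accept."""
    if reason in UNSUPPORTED_REVOCATION_REASONS:
        return [f"revocation reason {reason} is not supported by DigiCert ONE MPKI"]
    return []


def check_request(request):
    """Aggregate all issuance-time checks for a request dict (layout assumed here)."""
    errors = []
    errors += check_subject_dn(request.get("subject", ""))
    errors += check_other_names(request.get("other_names", []))
    errors += check_key(request.get("key_type"), request.get("key_param"))
    return errors


if __name__ == "__main__":
    # Constructed sample request (not real data).
    sample = {
        "subject": "CN=device01,O=Example Corp,UID=1C7D0B579441",
        "other_names": [(GUID_OTHER_NAME_OID, "b4f5dc26-63f3-4157-83f5-729992ab10c0")],
        "key_type": "RSA",
        "key_param": 2048,
    }
    for line in check_request(sample) or ["request passes local checks"]:
        print(line)
```

Run the checks at the point where ADSS Server would otherwise forward the request; a non-empty list from `check_request` (or from `check_revocation_reason` on the revocation path) is the reason to refuse the call before the API key is ever used.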
See also
Microsoft CA
Symantec MPKI
GlobalSign EPKI
GlobalSign HVCI
EJBCA
QuoVadis CA
Entrust CA
Entrust CA Gateway
Offline External CA
DigiCert PKI
DigiCert ONE MPKI
Microsoft Active Directory Certificate Services