To configure the DigiCert PKI v8.0 CA as an external CA, select the DigiCert PKI option from the CA Type drop down. The following page will be shown to configure the DigiCert PKI:



The items in the above screen are described below: 


Items

Description

CA  Alias

It is a user defined unique name for easy management of certificate authorities within ADSS Server. This is only for human identification purposes.

CA Type

ADSS Server can be configured to get the certificates issued from the DigiCert PKI. The requests that are received at certification service are forwarded to DigiCert PKI for certificate issuance. The supported request types are: 

  • CREATE
  • RENEW
  • REVOKE
    Revocation reasons can include: 
    • cACompromise
    • keyCompromise
    • affiliationChanged
    • sessationOfOperation
    • privilegeWithdrawn
    • aACompromise
    • superseded

CA Certificate

All the CA certificates configured in Trust Manager with the purpose CA (will be used to verify other certificates and CRLs) will be available here for configurations. 

Select the required DigiCert PKI issuing CA, which will be used to issue the target certificates. 

Note: It is required to register the complete certificate chain of the DigiCert PKI CA in Trust Manager

CA Addresses

Specify the URL from where this CA could listen the certificate request messages.

API Key

The API Key is generated by the user on the DigiCert PKI Admin portal.

Specify the generated API Key in the mentioned field which would be used by ADSS Server to create, renew and revoke the certificates from DigiCert PKI CA. 

Profile

Specify the Profile configured at DigiCert PKI Admin Portal by selecting it from drop-down. The user can get list of all the profiles configured at DigiCert PKI Admin Portal in the drop-down menu by clicking at Get Profiles button. These Profiles would contains all the content for the certificate to be generated.

Note: API Key is required for getting the profiles.


Known Limitations of DigiCert PKI
Here are the known limitations of DigiCert PKI that the user must consider:

  • Key Sizes RSA (2048, 4096) are supported by DigiCert PKI while certifying the CSR and it has been tested in ADSS Server.
  • Key Sizes EC (256, 384, 521) with NIST P-Curves (P-256, P-384, P-521) are supported by DigiCert PKI while certifying the CSR. It has only been tested for key size EC 256 in ADSS Server.
  • Certificate validity unit is configured in only days, months and years in Certification Profile as DigiCert only support these validity units.
  • Special characters are not supported in Subject RDN e.g. ~ ! @ # $ % ^ & * ( ) - _ = + , < > ? / \ { } [ ]  . ; : ' " -
  • Special characters[%] is not supported for all RDNs.
  • Common Name can be added only once in the in Subject DN.
  • DigiCert does not support these revocation reasons while revoking the certificate. i.e unspecified, certificateHold, removeFromCRL.
  • Business Category and Organisation Identifier are not supported in Subject DN while creating/renewing the certificate from DigiCert.
  • Extended Validation Locality (EVL), Extended Validation State (EVS), and Extended Validation Country (EVC) are not supported in Subject DN by the DigiCert.
  • Certificate suspension/resumption can only be performed via DigiCert PKI Admin Portal.

See also

ADSS CA Server

Microsoft CA
Symantec MPKI
GlobalSign EPKI
GlobalSign HVCI
EJBCA
QuoVadis CA
Entrust CA

Entrust CA Gateway
Offline External CA
DigiCert PKI

DigiCert ONE MPKI
Microsoft Active Directory Certificate Services