Knowledge Base

All new Shared CAs will chain up to the “DigiCert Assured ID Root G2” CA:

WHAT PROCESS TO FOLLOW?

There are 3 main process flows you can follow in order to start making use of the new DigiCert Public CA hierarchy (whether Public Shared CAs or Public Co-Branded):

USE THE "MIGRATE PROFILE" FUNCTIONALITY

1. Login to PKI Manager
2. Click on Manage certificate profiles
3. Click on a profile that is bound to an existing Symantec Shared CA
4. You will now see a new link named “Migrate profile”
   (ONLY if the new Shared ICA has been added by PKI Ops following the Re-key process)
   
5. Click on Migrate profile
6. On the Migrate profile page, you will be given the option to change the Friendly name of the profile, the Signature algorithm, Key size, and Validity period of the new profile:
   
   
   Note: the name of the new DigiCert Shared ICA that will be bound to this new profile is also displayed.
7. Click Save
   
8. If successful, the following message will be displayed:
   
   
   
   
   Can’t add and modify fields to the Subject DN:
   
   
   Can’t modify Seat ID:
   
   
   
   Can’t modify email notifications:
   
   
   
   …but can enable/disable sending of email notifications (see “Send email notifications” radio button, to the chosen Recipient:
   
   
   
   Can’t modify languages and enrolment field names:
   
   
9. Test the new certificate profile. Note the following rules:
   • You cannot enroll or renew against the old migrated profile.
   • You cannot modify any of the fields in the new profile, with the exception of specifying the recipient of email notifications (either “Certificate user” or “Other recipient”).
10. If you are migrating a profile configured for PKI Client Autoenrollment use-case (using AD as the Authentication method), you must disable email notifications to end users, in case you choose to eventually Delete the profile and automatically revoke all issued certs from it – see details in next section.
11. Once successful, you must complete the migration by clicking on the “Complete migrate profile” link:
    

CREATE NEW PROFILE FOR "NON-PKI CLIENT AUTOENROLLMENT" USE-CASE

1. Login to PKI Manager
2. Create a NEW certificate profile, based on the same BCT, bind it to the new DigiCert Public CA and configure it in the same way as the original one – you may choose to have two browser windows side-by-side showing the PKI Manager portal, to facilitate the task
3. Test issuance of a certificate via the appropriate Enrollment method (OS/Browser, CSR, PKI Client, SCEP, iOS, PKI Web Services) and appropriate certificate lifecycle operations</li>
4. If end-to-end testing is successful, SUSPEND the OLD cert profile so that no more certs are issued from it:
   
5. Click on the Suspend button:
   
6.  If configured, modify the Email notification setting for Revoked certificates to NOT send email notifications to Users – this is in case the Admin decides to also DELETE the profile and choose to automatically Revoke all certificates issued from it.
   
   Click on the OLD certificate profile -> under Customize certificate notifications, click Edit -> under Recipients, uncheck the Certificate user check box:
   
7. [OPTIONAL] DELETE the OLD profile by clicking on the Delete profile link and check the “I want to delete this profile and revoke all certificates assigned to it”:
   
8. Click on the Delete Profile button. If successful, you will be presented with a success message showing the Job ID for the bulk revocation asynchronous task, which will run in the background. Once completed, the account Administrator will be notified via email:
   

CREATE NEW PROFILE FOR "PKI CLIENT AUTOENROLLMENT" USE-CASE

1. Login to PKI Manager
2. [AD Admin] Create new Test AD Group
3. [AD Admin] Add test users to the new Test AD Group
4. [PKI Admin] Configure new Authorized User list for new cert profile to use the new Test AD Group. Visit Tasks -> Manage authorized user lists
   
5. [PKI Admin] Click on the Add authorized user list link at the top of the window, enter a friendly name for the list and the TEST AD Group value:}
   
   
6. [PKI Admin] Click the Save button. If successful, you will see a new authorized list created:
   
7. [PKI Admin] Click on Manage certificate profiles and create a NEW certificate profile by clicking on the Add certificate profiles link at the top of the window, select the Production radio button and the appropriate template.
8. [PKI Admin] Enter a new Certificate friendly name and select the NEW CA from the Certificate authority drop-down list (the new DigiCert Public Shared CA or Public Co-branded CA):
   
9. [PKI Admin] Click on the Authentication method and select the newly created authorized user list from the drop-down list:
   
10. [PKI Admin] Set ALL remaining cert profile options as per your OLD profile and click on the Save button once finished.
11. [PKI Admin] If you have any Post-Processing scripts set against the OLD profile, check that it has been automatically set against your NEW profile, by locating the Custom scripts for post processing pane on the right-hand side:
    
12. [PKI Admin] Click on the Edit button -> Assign -> Save
    
    
13.   [PKI Admin] If a new script is required, you can upload a new post-processing script by downloading the required script by clicking on the Manage custom scripts located on the top of the window:
    
14. [PKI Admin] Download the required script, change the name and upload it back to the PKI Manager portal.
15. [PKI Admin] Click on your NEW profile -> click on Edit, under the Custom scripts for post processing pane on the right-hand side -> Assign -> Save
16. [PKI Admin] Check the attribute mapped to Seat ID on the OLD profile matches the one set on the NEW profile, e.g.
    
17. [PKI Admin] If on the OLD profile you customized any of the Email notification templates, replicate the process on the NEW profile:
    
18. [PKI Admin] Check the Administrator contact preference details on the OLD profile match the details on the NEW profile:
    
19. [Test User] Test issuance of certs via PKI Client using test users belonging to the dedicated Test AD Group. Detailed process steps are available upon request, which include Deleting the test cert from within the PKI Client agent, by launching PKI Client -> clicking on Delete certificate:
    
    
    
20. [Test User] Ensure you select the “Yes, delete this certificate” checkbox, and you uncheck the “Allow this certificate to be automatically re-enrolled”, so that PKI Client does not renew the test certificates:
    
21. [Test User] Click the Delete button. If successful, you should get a success message, as follows:
    
22. [PKI Admin] Once tests are successful, SUSPEND the OLD cert profile so that no more certs are issued from it:
    
23. [PKI Admin] Click on the Suspend button:
    
24. [PKI Admin] Modify the Email notification setting for Revoked certificates to NOT send email notifications to Users. (this is in case the Admin decides to also DELETE the profile and choose to Revoke all certs). Click on the OLD certificate profile -> under Customize certificate notifications, click Edit -> under Recipients, and uncheck the Certificate user check box:
    
25. [PKI Admin – OPTIONAL] DELETE the OLD profile by clicking on the Delete profile link and check the “I want to delete this profile and revoke all certificates assigned to it”:
    
26. Click on the Delete Profile button. If successful, you will be presented with a success message showing the Job ID for the bulk revocation asynchronous task, which will run in the background. Once completed, you will be notified via email:
    
27. [PKI Admin] Go live with the NEW cert profile, i.e. associate the full Prod AD User Group to the NEW cert profile (simply copy details from OLD authorized user list)