How to Migrate Certificate Profiles to Use New CA | PKI Platform

Solution ID : TL060619224107
Last Modified : 10/21/2023

Description

Introduction

This article describes the actors, prerequisites and the 2 main options available to account Administrators to ‘migrate’ from an existing certificate profile configured against a Symantec Public CA hierarchy to a certificate profile configured against a DigiCert Public Issuing CA hierarchy (whether a Shared Public CA or a Co-branded Public CA):

  • Using the “Profile migrate” functionality, or
  • Creating a new certificate profile and replicating the configuration settings

Process steps for both options, as well as a more complex configuration use-case, are outlined in detail in the following article: PKI Client Autoenrollment

 

Actors

  • [SE] DigiCert Systems Engineers & Consultants
  • [PKI Ops] DigiCert PKI Operations – DigiCert team responsible for CA Key Ceremonies
  • [PKI Admin] Customer PKI Admin – Customer PKI Administrator with certificate to access the PKI Manager portal
  • [AD Admin] Customer AD Administrator – Customer Active Directory (AD) Administrator

 

Pre-requisites

  • Account is Active
  • For Customers with their own Public Co-branded CA (chaining up to a Symantec Root CA):
    • A new CA Naming document needs to be completed and signed (using the new “DigiCert Assured ID Root G2” CA as the issuer).
      Liaise with your DigiCert customer representative or Systems Engineer/Consultant for support.
    • The new Public Co-branded CA needs to be created by the DigiCert PKI Operations team.
    • The new Public Co-branded CA must have been loaded onto the Customer’s account.
  • For Customers using certificate profiles (e.g. Secure Email) bound to a Symantec Shared CA, wait for the new DigiCert Shared CA to be loaded against all accounts.

New DigiCert PKI Platform Class 2 and Class 3 Shared Public CAs

The following table shows the new DigiCert Class 2 and Class 3 Shared Public CAs available to customers from 29 May 2019, the Base Certificate Templates (BCTs) they are bound to, the account types they are available on, and how they are made available (loaded automatically vs on-demand):

Shared CA Common Name | Automatically loaded vs on-demand | Account Type | BCTs to be bound
DigiCert PKI Platform Class C2 Shared SMIME Individual Subscriber CA | Automatic | Standard Full | Secure Email; SMIME (Signing Only); S/MIME (Encryption Only)
DigiCert PKI Platform Class C2 Shared SMIME Individual Subscriber TEST CA | On-demand | Standard Full; Private Verified; Private Unverified | Secure Email; SMIME (Signing Only); S/MIME (Encryption Only)
DigiCert PKI Platform Class C2 Shared Individual Subscriber CA | On-demand | Standard Full | Client Authentication
DigiCert PKI Platform Class C2 Shared Individual Subscriber TEST CA | On-demand | Standard Full; Private Verified; Private Unverified | Client Authentication
DigiCert PKI Platform Class C3 Shared SMIME Organization CA | Automatic | Standard Full | Secure Email Gateway BCT
DigiCert PKI Platform Class C3 Shared SMIME Organization TEST CA | On-demand | Standard Full; Private Verified; Private Unverified | Secure Email Gateway BCT

All new Shared CAs chain up to the “DigiCert Assured ID Root G2” root CA.


What process should I follow?

There are 3 main process flows you can follow in order to start making use of the new DigiCert Public CA hierarchy (whether Public Shared CAs or Public Co-branded CAs):

1) Use the “Migrate profile” functionality

Pros: Quick process.
Recommended for customers with many certificate profiles that need to be migrated onto a DigiCert Public CA hierarchy.
Less prone to error.
Cons: The old and new profiles become locked; no further changes can be made to either certificate profile.

 

2) Create a New Certificate Profile for non-PKI Client Autoenrollment use-case

Pros: The newly created certificate profile is editable in the same way as the older one.
Cons: The process to create the new certificate profile is longer than the “Migrate profile” process.
More prone to error.

 

3) Create a New Certificate Profile for PKI Client Autoenrollment use-case

Pros: The newly created certificate profile is editable in the same way as the older one.
Cons: The process to create the new certificate profile is much longer than the “Migrate profile” process.
More prone to error.
More exhaustive testing is required before decommissioning the older certificate profile.

Please follow the KB articles below for the “Migrate profile” and “PKI Client Autoenrollment” process flows:

For the Migrate Certificate Profile process, use the following KB:

https://knowledge.digicert.com/generalinformation/how-to-migrate-a-cert-profile-in-mpki-8.html

For the PKI Client Autoenrollment process, use the following KB:

https://knowledge.digicert.com/generalinformation/how-to-create-new-profile-for-pki-client-autoenrollment.html

For the Non-PKI Client Autoenrollment process, use the following KB:

https://knowledge.digicert.com/generalinformation/create-new-profile-for-non-pki-client-autoenrollment.html

 

If you have issues performing these steps, please contact PKI Support.