
DigiCert initial documentation

0. Notes

This documentation is not official DigiCert documentation but a short manual written by Belnet to help our customers use DigiCert's new portal. It may contain errors and can be changed at any time without prior announcement.

Use of the portal from March 2015 is still considered a beta-testing phase.
Although this is not the definitive version of the portal, the certificates it delivers are real ones that may be deployed on production servers and services or used personally. They will remain valid after the test period closes (on 30/06/2015).

If the interface is unstable, no support can be obtained from DigiCert for the moment, as the service is not yet in its production phase.
Bug reports may be sent to us; we will forward them to the responsible project contacts at DigiCert via the Géant Association representatives.

Some terms below are written in American English (for example "organization"); this is intentional and reflects the current DigiCert interface.

The DigiCert website is in English, as is this local documentation.

1. Introduction

No automatic transfer of the existing data (institution names, contact persons, domains, ...) from Comodo to DigiCert is planned.
Some initial bootstrap work is therefore needed to make the new service operational.

Management of the DigiCert portal is split in two:
- initial work done by Belnet;
- day-to-day management of each institution's settings by the local RA.

2. Initial tasks performed by Belnet's operators

The first thing to do is to define each institution as a "New Division". A division is an entity in its own right that will be coupled to a legal organization, which DigiCert verifies and validates.
This is done by logging in to the portal with a main administrator account.
Go to "Account->Divisions", push the [+New Division] button and fill in the data for the new division.
Don't forget to create a person with "administrator" rights for the division.

3. Local RA's operations

The URL to access DigiCert is www.digicert.com.
The direct link for the login is DigiCert login.

3.1. Create your password

An initial administrator (=a person) has been created for your division.
He/she should have received an email from DigiCert with a link to set up the password for the account.

3.2. Prepare to validate your organization

You need to create an organization tied to your division.
Go to "Validation->Organization", then push the [+New Organization] button.
This entity reflects your legal information, which DigiCert may verify further.
DigiCert validates your organization before you can do anything else; this can take a couple of hours.
They check your organization's legal existence using various sources, directories and so on.
You will probably receive an email and/or a phone call from DigiCert to confirm that you really work for your organization.

Please be careful when filling in the information, as DigiCert verifies it closely; if there is any mismatch, registration will fail!

3.3. Setup your domain names

With the previous certificate provider (Comodo), Belnet had to validate all the domains for which your organization wanted to request certificates.
This task is now transferred to the local organizations.
To proceed, log in to the DigiCert portal, go to "Validation -> Domains" and push the [+New Domain] button.
You need to select whether you want EV (extended validation) and/or OV (organization validated) for the domain.
Select both; there is no reason not to.
DigiCert validates each domain by a whois lookup, or by contacting you if the validation runs into a problem, so make sure the contact details in the domain's whois record are current and reachable.

3.4. Setup your users

This also differs from the previous DCS system: it is no longer possible to request a certificate anonymously, because every request must be made by a logged-in user.
To create users, go to "Account->Users" and press the [+New User] button.
Fill in all the relevant information. The user will receive an email asking him/her to set up a password.
You may set the account up as administrator or as user.

4. Certificates

4.1. Requests

Go to "Orders->Request a certificate".
You may request several types of certificates, organized as follows:

  • SSL Certificates
  • GRID Certificates
  • Client Certificates
  • Code Signing
  • Document Signing

4.1.1. SSL Certificates

These kinds of certificates are for servers.
There are various categories to choose from:

  • EV Multi-Domain
  • EV SSL Plus
  • Multi-Domain (SAN) SSL (previously known as Unified Communications)
  • SSL Plus
  • WildCard Plus

EV certificates are used to secure websites visited by people, giving high confidence through the green bar shown in the browser's address bar.
Don't use them for web services that mainly talk to other servers; it is not worth it. For that, use SSL Plus instead.
Multi-domain certificates, as the name implies, let you request multiple domains in the same certificate. The other EV type (EV SSL Plus) is for a single domain only.

Multi-Domain (SAN) SSL certificates are used when you need a simple (in the sense of not EV) certificate for multiple domains.
A typical use is Microsoft Exchange systems that serve several domains.

SSL Plus certificates are simple (not EV) certificates for a single domain.

Wildcard Plus certificates are requested with a CN (Common Name) of the form *.(sub.)yourdomain.be; the wildcard covers one label only, so *.yourdomain.be does not match a.b.yourdomain.be.

To request one, select the type you want by clicking it in the left-hand panel (it turns white on blue), then click the blue [Order Now] button.

You are then presented with the request form, which you need to fill in.
Upload your CSR (Certificate Signing Request) (link to "how to generate a CSR"). Some fields are then filled in automatically by decoding the CSR.
You have to choose the validity period (1 or 2 years; in fact at most 827 days since 28/02/2018), the signature hash (SHA-256 by default) and the server platforms on which the certificate will be used. The last item, while mandatory, does not change the type of certificate; DigiCert's system uses it to include short help text files (in English and Spanish for the moment) explaining how to install your certificate once you have received it.
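Since the portal fills in the form by decoding the CSR, it pays to generate the CSR carefully and decode it locally before uploading. The script below is an added example and is not part of this documentation or of DigiCert's tooling; it assumes an OpenSSL 1.1.1 or later command line (for -addext), and the organization name and host names in it are placeholders. It goes slightly beyond the text: besides building the CSR with SHA-256, a 2048-bit key and the CN repeated as a SAN, it checks the wildcard rule from section 5.2 (a single * as the leftmost label).

```shell
#!/bin/sh
# Added example, not part of the Belnet/DigiCert documentation. Builds a CSR the
# way the portal expects it (2048-bit RSA, SHA-256, CN repeated in the SAN list)
# and decodes it locally to check what the portal will read before uploading.
# Assumes OpenSSL 1.1.1+ (for -addext); organization and host names are placeholders.
set -eu

# make_csr KEYFILE CSRFILE CN "name1,name2,..."
# The private key stays on the server; only the CSR is uploaded to the portal.
make_csr() {
    key=$1; csr=$2; cn=$3; names=$4
    san=$(printf '%s' "$names" | sed 's/,/,DNS:/g; s/^/DNS:/')
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$key" -out "$csr" \
        -subj "/C=BE/O=Example University/CN=$cn" \
        -addext "subjectAltName=$san" >/dev/null 2>&1
}

# csr_names CSRFILE
# Prints the CN first, then every DNS SAN, one per line (what the portal decodes).
csr_names() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
    openssl req -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# csr_lint CSRFILE
# Prints "ok" when the CSR is self-consistent and follows the naming rules:
# valid self-signature, key >= 2048 bits, CN present in the SAN list, and at most
# one wildcard per name, as the leftmost label (multi-wildcard certificates are
# not available from this service).
csr_lint() {
    csr=$1
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 \
        || { echo "CSR signature does not verify"; return 1; }
    bits=$(openssl req -in "$csr" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || { echo "key too small: ${bits:-?} bits"; return 1; }
    cn=$(csr_names "$csr" | head -n 1)
    csr_names "$csr" | tail -n +2 | grep -Fqx -- "$cn" \
        || { echo "CN $cn is not in the SAN list"; return 1; }
    set -f    # stop the shell from glob-expanding names such as *.example.be
    for n in $(csr_names "$csr"); do
        case "$n" in
            *\**\**) echo "more than one wildcard in $n"; set +f; return 1 ;;
            \*.*)    ;;   # single leading wildcard label: allowed
            *\**)    echo "wildcard is not the leftmost label in $n"; set +f; return 1 ;;
        esac
    done
    set +f
    echo ok
}

# Usage: make_csr server.key server.csr www.example.be "www.example.be,example.be"
#        csr_lint server.csr && csr_names server.csr
```

Run csr_lint on the CSR file before uploading it; anything other than "ok" is a request the portal will either reject or issue with names you did not intend. Keep the .key file on the server and never paste it into the portal.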

The administrators of the organization will then receive an email from DigiCert with a link to approve the certificate.

The request can also be found and approved in the list of pending requests under "Orders->Requests".

For EV, the procedure involves a phone call from DigiCert to the requestor (for the first EV certificate request for a domain) before the approval is completed. This is done only once per domain, and the verification remains valid for up to 3 years (as far as I know).

4.1.2. GRID Certificates

This category groups 3 types of certificates: for people, for servers and for "Grid Robot Services".

The procedures are the same as in 4.1.1 (for servers/robots at least).

4.1.3. Client Certificates

These certificates are personal ones, used to digitally sign and/or encrypt emails or documents.

3 different types:

  • Digital Signature Plus
  • Email Security Plus
  • Premium

The first permits digitally signing emails and documents, but cannot be used for encryption.
The second is a bit special, as the private key is generated and kept (encrypted) by DigiCert (hmm, would you like that?!); it makes encryption available, and recovery of the private key is possible. Keep in mind that whoever holds the key can in principle decrypt anything sent to it; that is the trade-off for recovery.
Premium is, imho, the best choice as it provides both signing and encryption for emails and documents, with the private key kept by the user!

Getting one is easy: select the type you want and press the [Order Now] button. Fill in the fields (validity period, SHA-2 as signature hash, your name and your email address). The CSR is optional, because the key pair can be generated on the fly in the next step.

The next step happens when the requestor receives an email from DigiCert: click the link in it and you are redirected to the generation page. The certificate is then available in your browser's certificate store and can be exported and reinstalled in other applications such as your mail client.
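The export/import step above, as an added example using the openssl command line (not from this documentation or from DigiCert): the browser's backup function produces a PKCS#12 (.p12) bundle, and the script shows how to unpack it for a client that wants PEM files and how to confirm the private key actually belongs to the certificate. The self-signed certificate it creates is a constructed stand-in for the DigiCert-issued one, which only exists in your browser; name, email address and passphrase are placeholders.

```shell
#!/bin/sh
# Added example, not part of the Belnet/DigiCert documentation. Moves a personal
# certificate between applications via a PKCS#12 bundle and checks that the key
# and certificate match. The self-signed identity is a constructed stand-in for
# the DigiCert-issued certificate; names and passphrase are placeholders.
set -eu

# make_demo_identity KEYFILE CERTFILE
# Stand-in for the browser-generated key pair plus the certificate DigiCert issues.
make_demo_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -keyout "$1" -out "$2" \
        -subj "/CN=Jane Doe/emailAddress=jane.doe@example.be" >/dev/null 2>&1
}

# p12_export KEYFILE CERTFILE P12FILE PASSPHRASE
# Bundles key + certificate the way a browser's "backup/export" does.
p12_export() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" \
        -passout "pass:$4" -name "TCS personal certificate"
}

# p12_extract P12FILE PASSPHRASE KEYOUT CERTOUT
# Pulls the two halves back out as PEM for clients that do not import .p12 directly.
p12_extract() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3" 2>/dev/null
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$4" 2>/dev/null
}

# key_matches_cert KEYFILE CERTFILE
# Prints "match" when the public key derived from the private key equals the one
# in the certificate, "MISMATCH" otherwise (the usual cause of "certificate
# installed but signing fails" in a mail client).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey)
    [ "$k" = "$c" ] && echo match || echo MISMATCH
}

# Usage: p12_extract browser-export.p12 'passphrase' me.key me.crt
#        key_matches_cert me.key me.crt
```

Choose a real passphrase for the .p12 (it protects the private key at rest) and delete the unencrypted PEM key once the mail client has imported it. Note that OpenSSL 3 writes .p12 files with AES-256/PBKDF2 by default; an older client that cannot read them needs the bundle re-exported with the -legacy option.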

4.1.4. Code Signing Certificates

You have the choice of 2 variants:

  • -simple- Code Signing
  • EV Code Signing

After the fields are filled in, an email is sent to the requestor confirming that the request has been submitted.
An email is sent to all RAs (=Administrators) directing them to a page where the request can be approved.
The administrator who approved the request receives another email with a link allowing him/her to digitally sign the request. After that step, an email is sent to the requestor with a link to the page where the certificate is created. It is then installed automatically in the certificate manager of his/her browser.

4.1.5. Document Signing

There are 2 categories, one for signing up to 2,000 documents/year and the other up to 5,000 documents/year.

[procedure still to be written, as the request involves shipping a hardware token; will be done when I receive my order]

5. FAQ, tips and tricks
5.1. My university has 20,000 students; do I need to register all my users?
No, don't worry! The trick is to create what DigiCert calls a guest URL, which gives access to a selected set of products (server certificates, EV, personal, ...) as a guest (anonymous) user; you then only communicate/publish this URL to your user community. Go to "Account -> Guest URLs" and press [New Guest URL]. Tick the boxes of the products you want to make available to your users, fill in a description and push [Save guest URL]. The URL is then displayed, and you can always retrieve it later from the list of guest URLs. Publish the URL wherever you want (your users' website, by email, ...) and your users will be able to request any of the selected products.
Later on, DigiCert will also provide access through the federation.

5.2. Is it possible to request a multi-wildcard certificate?
No. It was possible with our previous provider, but it is not possible anymore. A wildcard certificate contains only one * in the CN.

5.3. Is SAML access available?
Yes. It is not yet fully complete (as of 12/05/2015), but it can be set up for requesting personal certificates.
The condition is that you have an IdP in the Belnet Federation that is also published in the eduGAIN federation.
To set it up, an administrator user must have the SAML admin right checked (go to "Accounts -> Manage Users", select the admin you want, tick the "SAML Admin" checkbox and save the user).
The admin user then needs to set up the SAML IdP mapping. Go to "SAML Organization mapping" and click [New Mapping]; select your IdP from the dropdown list, leave the Organization dropdown as is (it only contains "Le reseau telematique belge de la recherche"), and put something in the attribute value. This value is used as the AttributeRequesterString in a filter on your IdP that releases attributes to DigiCert (for Shibboleth, typically in the configuration file attribute-filter.xml); here is an example:


<!-- Shibboleth IdP attribute-filter.xml fragment: release the attributes below
     only to the DigiCert SP, matched on the requester string configured in the
     portal's SAML Organization mapping. -->
<AttributeFilterPolicy id="TCSportal">
    <!-- Apply this policy only when the requesting SP is DigiCert -->
    <PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="https://www.digicert.com/sso" />

    <!-- Unique user identifier -->
    <AttributeRule attributeID="eduPersonPrincipalName">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>

    <!-- Only the two TCS entitlement values are released; any other
         eduPersonEntitlement values the user has are filtered out -->
    <AttributeRule attributeID="eduPersonEntitlement">
        <PermitValueRule xsi:type="basic:OR">
            <basic:Rule xsi:type="basic:AttributeValueString" value="urn:mace:terena.org:tcs:personal-user" />
            <basic:Rule xsi:type="basic:AttributeValueString" value="urn:mace:terena.org:tcs:personal-admin" />
        </PermitValueRule>
    </AttributeRule>

    <!-- Home organization, used by DigiCert in place of the Organization attribute -->
    <AttributeRule attributeID="schacHomeOrg">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>

    <AttributeRule attributeID="displayName">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>

    <AttributeRule attributeID="email">
        <PermitValueRule xsi:type="basic:ANY" />
    </AttributeRule>
</AttributeFilterPolicy>

The value I put in the attribute field here is https://www.digicert.com/sso.

The filter above also gives you the list of attributes that need to be released to DigiCert. Notice that schacHomeOrg is used instead of the Organization attribute; releasing it is best practice in the eduGAIN community.