Sectigo Certificate Manager (SCM) 20.5: recent changes to “Certificate Type”

Certificate Profiles
Sectigo Certificate Manager 20.5 introduced a few new concepts, such as certificate profiles, certificate templates and enrolling backends. A certificate profile is the replacement for what was called certificate type in previous releases.

A certificate profile describes how a certificate will be created. In the most basic terms, it gives you control of any attribute that Sectigo has not already defined in a certificate template.

For example: you can choose between a 1- or 2-year term for an SSL certificate (dependant on the terms of your contract with Sectigo.
Note: On September 1, 2020 Apple products will start distrusting public SSL certificates issued for more than 398 days. Click here for more information .

A certificate template is the customization done by Sectigo to control how the certificate is created. A certificate profile always inherits its attributes from a template.

An enrolling backend is the system creates the certificate. In the past, Sectigo used a single system, the Sectigo Public CA backend. SCM 20.5 introduced a new backend for private CAs.
Note: Existing customer private CAs will appear as being in the Sectigo Public CA backend.

Why the Change?
The term certificate type was overloaded. For example, it was used to describe:

  • SSL vs Client certificates
  • And the configuration of a certificate.

To clarify these contradictions, certificate type was left to mean:

  • SSL, code signing, client or device.
  • The term certificate profile was chosen to mean the configuration of a certificate.

The benefit is more flexibility in how certificates are managed across an organization. The old certificate type (configuration) could only be customized once for a given organization or department but not multiple times or easily shared. While currently the amount of customization that can be done to a certificate profile is limited, upcoming SCM releases will add additional capabilities.

For example, customization of fields in a Subject would be done at the certificate profile level so that all enrollment methods would support the same capabilities.

Sharing a certificate profile between organizations or departments is another capability introduced with SCM 20.5. Certificate profiles are delegated to organization/departments using the same mechanism as domains.

What happens to my automation using the old cert type ID?
Sectigo supports several automation interfaces, REST/SOAP APIs, SCEP URLs, ACME, etc. Some of these methods contain a field called certType or certTypeID. These fields have not been renamed to ensure compatibility.

In SCM 20.4 they would have accepted the ID value of the certificate type (configuration), which is a global value. Those values can still be used. If SCM receives a request for the old global IDs, it will look up the new certificate profile that matches and internally use that certificate profile. This mapping is a permanent; existing automation setups do not need to switch to the new certificate profile IDs.

Note: There is one restriction though, if the REST/SOAP API to list "cert type IDs" is called, only the new certificate profile IDs are returned.

Should I switch to the new profile IDs?
It depends. The mapping of old certificate type IDs to new certificate profile IDs works for organizations and departments that had access at time of migration. That means, if an existing certificate profile is delegated to a new organization/department, the old certificate type ID cannot be used to enroll for that organization/department. The old cert type IDs will not be deprecated; they can continue to be used for as long as needed.

Why do I have so many certificate profiles now?
A certificate profile uniquely identifies a configuration and the delegated organizations/departments that can enroll for it. In SCM 20.4 the certificate types enabled for a customer were automatically available to each organization. An organization could select Customized to determine what certificate types (configuration) were available in the UI (and thus in the REST API). A department could further customize separately from the organization. If this has been done for past configurations, the organization or department will get unique certificate profiles created during migration.

SCM 20.5.3 will enable the ability filter certificate profiles by organization and department.

Do I need all these certificate profiles?
It depends. The delegation model of certificate profiles allows for a single certificate profile to be shared between multiple organizations/departments. So, a single certificate profile can be used instead of creating unique certificate profiles for each organization/department. However, delegating a certificate profile to a new organization or department will not allow that organization/department to use the old cert type ID in enrollment protocols such as REST/SOAP or SCEP.

Can I delete a certificate profile?
Yes, but only if a certificate is not linked to it.

How do I customize what certificate profiles appear on self-enrollment form?
This functionality was not included in SCM 20.5. It will be enabled in the next major SCM release.

Additional Resources:
View the Sectigo Certificate Manager (SCM) Release Notes for a complete list of current and previous new features, enhancements, and resolved defects within Sectigo Certificate Manager (SCM)