Configure profiles with the Security Identifier (SID) extension
Configure your certificate profiles in DigiCert® Trust Lifecycle Manager with the Security Identifier (SID) extension to support strong certificate mappings in Microsoft Active Directory environments. You can enable the SID extension for a variety of certificate enrollment/authentication methods and assign the value in different ways.
Available base templates
To include the SID extension in your certificates, create the profile from one of the following base templates. All templates issue private trust certificates from DigiCert® CA Manager. Make sure you have the applicable seat type available in the business unit where you will issue the certificates.
| Template name | Seat type |
|---|---|
| | User |
| | User |
| | Device |
| | Device |
| | Server |
| | User |
| | User |
| | User |

1. For Intune SCEP, add the SID value to a SAN:URI field instead of the SID extension. For details, refer to the Intune SCEP integration guide.
Add the SID extension to a certificate profile
When creating or editing the certificate profile in Trust Lifecycle Manager, add the SID extension as follows:
1. On the Extensions screen of the profile configuration wizard, use the Standard extensions dropdown to add the Security identifier extension.
2. Select the tab for the new Security identifier extension you added.
3. Configure the extension details on the right:
   - Criticality: Whether the SID extension must be understood for the certificate to be considered valid. If unsure, leave this set to False.
   - Source for the field's value: Select an option for how to assign a value to the SID extension in certificates issued from this profile. Available options depend on the enrollment and authentication method used in the profile. Refer to the Available sources for the SID field's value section for more details.
Note
Some options provide inputs for additional configuration. If applicable, use the Required checkbox to specify whether the SID value must be provided when enrolling a certificate from the profile.
Available sources for the SID field's value
Options for how to assign a value to the SID extension during certificate enrollment depend on the enrollment and authentication methods. Consult the following table for more details.
| Source for the value | Enrollment | Authentication | Description |
|---|---|---|---|
| AD attribute | | | Get the SID value from an AD attribute. In the certificate profile, select |
| Entered by User | | Any | Users will be prompted to supply a value when confirming an enrollment. To check their current SID, users can make the |
| Entered/uploaded by Admin | Any, except | Any | Admins will be prompted to supply a value when submitting an enrollment request via the Trust Lifecycle Manager user interface. |
| EST request | | Any | Get the SID value from an EST request attribute. |
| Fixed value | Any | Any | Add the same SID value to all certificates issued from the profile. In the certificate profile, enter the SID value in the provided input. Do not enter the OID. |
| From CSR | | Any | Get the SID value from the certificate signing request (CSR). |
| REST request | | Any | Get the SID value from an API request attribute. When requesting a certificate with the POST certificate endpoint, provide the SID value in the |
| SAML assertion | | | Get the SID value from an AD attribute in the SAML assertion. For the SAML attribute name in the certificate profile, enter |
| SCEP request | | Any | Get the SID value from a SCEP request attribute. Note: For Intune SCEP, add the SID value to a SAN:URI field instead of the SID extension. For details, refer to the Intune SCEP integration guide. |
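Whichever source supplies the value, what ends up in the issued certificate is the Microsoft SID extension (OID 1.3.6.1.4.1.311.25.2): a GeneralNames sequence holding an otherName whose type-id is 1.3.6.1.4.1.311.25.2.1 and whose value is an OCTET STRING carrying the SID in its textual "S-1-5-..." form. The CA adds the OIDs and the ASN.1 wrapping, which is why the Fixed value option asks only for the SID string. The following helper, an added example that is neither DigiCert nor Microsoft code, builds that encoding and decodes it again so an issued certificate's SID can be checked against the account's binary objectSid attribute before it is relied on for strong mapping. The sample SID and objectSid bytes are constructed for the illustration and belong to no real domain.

```python
"""Encode and verify the Microsoft SID certificate extension (OID 1.3.6.1.4.1.311.25.2).

Constructed example, not product code. Pure-standard-library DER handling
so it runs offline; feed decode_sid_extension() the raw value of the
1.3.6.1.4.1.311.25.2 extension taken from an issued certificate.
"""
import struct

SID_EXT_OID = "1.3.6.1.4.1.311.25.2"          # szOID_NTDS_CA_SECURITY_EXT
SID_OTHERNAME_OID = "1.3.6.1.4.1.311.25.2.1"  # szOID_NTDS_OBJECTSID (otherName type-id)

# Constructed sample account: textual SID and the equivalent binary objectSid
# (revision 1, five sub-authorities, NT authority 5, little-endian sub-authorities).
SAMPLE_SID = "S-1-5-21-1000-2000-3000-1104"
SAMPLE_OBJECT_SID = bytes([1, 5, 0, 0, 0, 0, 0, 5]) + struct.pack("<5I", 21, 1000, 2000, 3000, 1104)


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _oid_body(oid):
    """Base-128 encoding of a dotted OID (content octets only)."""
    arcs = [int(a) for a in oid.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def encode_sid_extension(sid):
    """GeneralNames { otherName [0] { type-id, [0] EXPLICIT OCTET STRING sid } }."""
    other_name = _tlv(0x06, _oid_body(SID_OTHERNAME_OID)) + _tlv(0xA0, _tlv(0x04, sid.encode("ascii")))
    return _tlv(0x30, _tlv(0xA0, other_name))  # otherName is [0] IMPLICIT, so tag 0xA0 replaces SEQUENCE


def _read_tlv(buf, pos):
    """Return (tag, content, position after the element) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_sid_extension(der):
    """Extract the textual SID from the extension value; raise if it is not the expected shape."""
    tag, names, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SID extension must start with a GeneralNames SEQUENCE")
    pos = 0
    while pos < len(names):
        tag, other_name, pos = _read_tlv(names, pos)
        if tag != 0xA0:
            continue  # some other GeneralName choice; ignore it
        oid_tag, oid, p = _read_tlv(other_name, 0)
        if oid_tag != 0x06 or oid != _oid_body(SID_OTHERNAME_OID):
            continue  # otherName of a different type
        val_tag, val, _ = _read_tlv(other_name, p)
        if val_tag != 0xA0:
            raise ValueError("otherName value must be [0] EXPLICIT")
        str_tag, sid_bytes, _ = _read_tlv(val, 0)
        if str_tag != 0x04:
            raise ValueError("SID must be carried in an OCTET STRING")
        return sid_bytes.decode("ascii")
    raise ValueError("no objectSid otherName present in SID extension")


def sid_bytes_to_string(raw):
    """Convert the binary objectSid attribute from AD into the S-R-I-S... string."""
    revision, sub_count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % sub_count, raw, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def sid_matches(extension_der, object_sid_raw):
    """True when the certificate's SID extension names exactly the given AD account."""
    return decode_sid_extension(extension_der) == sid_bytes_to_string(object_sid_raw)


if __name__ == "__main__":
    ext = encode_sid_extension(SAMPLE_SID)
    print(ext.hex())
    print(decode_sid_extension(ext), sid_matches(ext, SAMPLE_OBJECT_SID))
```

Run against a real certificate, pass the bytes of the 1.3.6.1.4.1.311.25.2 extension to decode_sid_extension() and the account's objectSid to sid_matches(); a mismatch means the certificate would map to a different principal than intended and should not be trusted for authentication. Keep the extension non-critical, as the profile's Criticality default suggests, so relying parties that do not understand it still accept the certificate for other uses.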