>
    Strata Copilot
    Save Installation Credentials
    Focus
    Focus
    1. Home
    2. Next‑Gen Trust Security
    3. Next-Gen Trust Security
    4. Next-Gen Trust Security Overview
    5. Overview: Certificate Issuance
    6. Distributed Issuer Overview
    7. Save Installation Credentials
    Next‑Gen Trust Security

    Save Installation Credentials

    Table of Contents

    Save Installation Credentials

    To install Distributed Issuer, you need three credentials to authenticate with Next-Gen Trust Security:
    • A private key from a Built-in Account.
    • A client ID from a Built-in Account.
    • A Tenant Service Group ID that identifies your tenant.
    Two of these come from creating a Built-in Account, which connects Distributed Issuer to Next-Gen Trust Security using key pair authentication. Each Built-in Account connects to a single configuration. Multiple Distributed Issuer instances can share a Built-in Account, but they all receive the same settings.
    Collect and store these values before you install Distributed Issuer.

    Create a Built-in Account

    Follow the steps to Create a Distributed Issuer Built-in Account. Select the Distributed Issuer scope. If not supplying your own key pair, save the private key as you can't retrieve it later.

    Collect Your Credentials

    After you create the Built-in Account, collect the remaining values:
    1. On the Built-in Accounts page, copy the client ID for the account, for example d1ee9403-3f04-11f1-9e5d-ce934f0fad3f.
    2. In Next-Gen Trust Security, at bottom left, click your user profile. In top area on the pane that appears, copy your TSG ID, for example 1722931406.

    What's Next?

    Once you have saved your credentials, it's time to create a configuration that connects your Subordinate CA provider, policies, and client settings into a bootstrap that Distributed Issuer uses at startup.

    © 2026 Palo Alto Networks, Inc. All rights reserved.