Import certificates via REST API

To import third-party (external) certificates using the REST API service for DigiCert® Trust Lifecycle Manager:

Review the documentation for the certificate-import API endpoint. For details, see API reference.
Prepare all the certificates you wish to upload into your Trust Lifecycle Manager account. Each certificate must be sent to the certificate-import API endpoint as a request body parameter in a single line, in one of the following formats:
- x509: PEM-encoded X.509 certificate.
- pkcs12: PEM-encoded, password-protected certificate and private key.
If uploading a certificate in PKCS12 format, include an additional password field in your request with the associated password. Trust Lifecycle Manager supports key recovery for certificates uploaded in PKCS12 format.
If any of the certificates being uploaded have been revoked, use the revocation object in the request body to set the revoked flag to true and set the reason and revoke_date properties.
You can optionally assign a tag_name to the imported certificates to help identify them. Each tag can have associated email expiration notification templates, with custom instructions for how to get a new certificate from the DigiCert® Trust Lifecycle Manager application.

Example request and response for valid certificate

Below is an example REST API request and response for uploading a valid certificate/private key in PKCS12 format along with its associated password. Note the valid certificate status issued in the response.

Beispiel 1. cURL

curl -X POST \
  https://one.digicert.com/mpki/api/v1/certificate-import?trap_seat_duplicate_error=true \
  -H 'Content-Type: application/json' \
  -H 'X-API-Key: {{api_key}}' \
  -d '[
    {
      "cert_type": "pkcs12",
      "business_unit_id": "0b54ca3d-c6ba-4ab4-a053-ddc4a030a7b5",
      "notes": "Any note containing no more than 255 characters",
      "tag_name": "Tag to apply to the imported certificate in Trust Lifecycle Manager",
      "cert": "MIICijCCAXICAQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ6tZ0djuKkuNDfDxj+7aIrtOaxIuyuweVwj1XGgjygY+mMVoanr1BsQfNf5rvqaifiUGNZo6UABx/GdoTPBPacU9lflKwcPNLuEO1nDz7Pwy7HmIsyAtqB24Yp62eyTmIEH+CdKXSSDVU36i9SS46CoHEpIeZeQ+8KfLTFYWVCCHOwL6NTemq/FrSynb3ygrG2HYFDMtSoMtOnhjYxdNxiu+JgoObu1diKuzsclHFwdb5SjQ+NA/UnVBs4FexnYohm8QnmLi0JdlgWaaXZbpNDe1B+ldjrEPBXq2GRbkSv6kdCnYPXNU9DWtWkJi+Oyi6IhCYngJCQC4Avgmy9s7Q8CAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQAogbMdd7eoXJ8PfIdIjeJymIPCPKPVTwVCUkOa81SHKSkv/sBj059IeaNbBMHNjklWyiQd82Yto5VuyvQaw15ev44GGsDhdmmZJgT5rGb/F6pj5WNlN/WlLJMIf7OBim595I5KW93kKiYLoKPfCZN5Uxg+mZGcMmI3kyuSXlAf452ad3XMzgcll/S5uEXwDoshPYWa23Q0JZX7rTXb4oo0iG7+vxhrHy94HLAUcrUvM5OS83HZqbv34nenG+XZEU6HelJ/SS3z5yQBFbO7cennrp2IoquYANs83CwI4cm3OiXDQ4gfApf3htiztM44S7SXmwalLXVJmvSiwa7oV79j",
      "password": "Pa$$w0rd123"
    }
  ]'

Uploading revoked certificates

Revocation reasons

When uploading a revoked certificate, you must provide a revocation reason and revocation date. Supported revocation reasons:

aa_compromise
affiliation_change
cessation_of_operation
key_compromise
privilege_withdrawn
superseded
unspecified

Example request and response for revoked certificate

Below is an example REST API request and response for uploading a revoked certificate in PEM-encoded X.509 format. Note the revocation field in the request, and certificate status revoked in the response.

Beispiel 3. cURL

curl -X POST \
  https://one.digicert.com/mpki/api/v1/certificate-import?trap_seat_duplicate_error=true \
  -H 'Content-Type: application/json' \
  -H 'X-API-Key: {{api_key}}' \
  -d '[
    {
      "cert_type": "x509",
      "business_unit_id": "0b54ca3d-c6ba-4ab4-a053-ddc4a030a7b5",
      "notes": "Any note containing no more than 255 characters",
      "tag_name": "Tag to apply to the imported certificate in Trust Lifecycle Manager",
      "cert": "MIICijCCAXICAQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ6tZ0djuKkuNDfDxj+7aIrtOaxIuyuweVwj1XGgjygY+mMVoanr1BsQfNf5rvqaifiUGNZo6UABx/GdoTPBPacU9lflKwcPNLuEO1nDz7Pwy7HmIsyAtqB24Yp62eyTmIEH+CdKXSSDVU36i9SS46CoHEpIeZeQ+8KfLTFYWVCCHOwL6NTemq/FrSynb3ygrG2HYFDMtSoMtOnhjYxdNxiu+JgoObu1diKuzsclHFwdb5SjQ+NA/UnVBs4FexnYohm8QnmLi0JdlgWaaXZbpNDe1B+ldjrEPBXq2GRbkSv6kdCnYPXNU9DWtWkJi+Oyi6IhCYngJCQC4Avgmy9s7Q8CAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQAogbMdd7eoXJ8PfIdIjeJymIPCPKPVTwVCUkOa81SHKSkv/sBj059IeaNbBMHNjklWyiQd82Yto5VuyvQaw15ev44GGsDhdmmZJgT5rGb/F6pj5WNlN/WlLJMIf7OBim595I5KW93kKiYLoKPfCZN5Uxg+mZGcMmI3kyuSXlAf452ad3XMzgcll/S5uEXwDoshPYWa23Q0JZX7rTXb4oo0iG7+vxhrHy94HLAUcrUvM5OS83HZqbv34nenG+XZEU6HelJ/SS3z5yQBFbO7cennrp2IoquYANs83CwI4cm3OiXDQ4gfApf3htiztM44S7SXmwalLXVJmvSiwa7oV79j",
      "revocation": {
        "revoked": true,
        "reason": "key_compromise",
        "revoke_date": "2025-02-21T00:00:00Z"
      }
    }
  ]'

Uploading suspended certificates

A certificate can only be uploaded in a suspended state if the issuing CA has been imported into DigiCert® Private CA (see Before you begin). Use the revocation date field to specify when the certificate was suspended. For the revocation reason use:

certificate_hold

Warnung

If you upload a suspended third-party certificate with this revocation reason, and the issuing CA has not been imported into DigiCert Private CA, we will automatically convert the revocation reason to unspecified.

What's next

If the issuing CA was imported into DigiCert Private CA, you can use the inventory tools to manage the certificates including revoke, suspend, or resume.
For all imports, you can monitor the certificates in Trust Lifecycle Manager and set up custom email notifications to track expiration.

In diesem Abschnitt: