Upload certificates with REST API
To upload third-party (external) certificates with the DigiCert® Trust Lifecycle Manager API:
Review the documentation for the
certificate-import
API endpoint. You can view the API documentation by selecting Resources > API Reference from the Trust Lifecycle Manager main menu.Prepare all the certificates you wish to upload into your Trust Lifecycle Manager account. Each certificate must be sent to the
certificate-import
API endpoint as a request body parameter in a single line, in one of the following formats:x509
: PEM-encoded X.509 certificate.pkcs12
: PEM-encoded, password-protected certificate and private key.
If uploading a certificate in PKCS12 format, include an additional
password
field in your request with the associated password. Trust Lifecycle Manager supports key recovery for certificates uploaded in PKCS12 format.If any of the certificates being uploaded have been revoked, use the
revocation
object in the request body to set therevoked
flag to true and set thereason
andrevoke_date
properties.You can optionally assign a
tag_name
to the imported certificates to help identify them. Each tag can have associated email expiration notification templates, with custom instructions for how to get a new certificate from the DigiCert® Trust Lifecycle Manager application.
Example request and response for valid certificate
Below is an example REST API request and response for uploading a valid certificate/private key in PKCS12 format along with its associated password. In this example, the issuing CA has already been imported into the DigiCert ONE account. Note the seat type of IMPORTED_SEAT
and certificate status issued
in the response.
Uploading revoked certificates
When uploading a revoked certificate, you must provide a revocation reason and revocation date. Supported revocation reasons:
aa_compromise
affiliation_change
cessation_of_operation
key_compromise
privilege_withdrawn
superseded
unspecified
Uploading suspended certificates
A certificate can only be uploaded in a suspended state when bound to an Imported seat (see Assigned seat types). Use the revocation date field to specify when the certificate was suspended. For the revocation reason use:
certificate_hold
Warnung
Third-party certificates bound to the Discovery seat type do not support the above reason code. If you upload a suspended third-party certificate to a Discovery seat with this revocation reason, we will automatically convert the revocation reason to unspecified
.
Example request and response for revoked certificate
Below is an example REST API request and response for uploading a revoked certificate in PEM-encoded X.509 format. In this example, the issuing CA has already been imported into the DigiCert ONE account. Note the revocation
field in the request, and the seat type of IMPORTED_SEAT
and certificate status revoked
in the response.