You can generate a client authentication certificate instead of using your API key to securely authenticate API requests. Creating a client authentication certificate may be useful for a service user if:
You prefer certificate-based authentication for enhanced security.
Your organization’s security policies require certificate authentication.
You want to avoid exposing API keys in API requests.
Tip
Specify the file path of your installed authentication certificate in the request header.
Consider the following before you begin:
Store your certificate securely. It cannot be downloaded again after you generate it.
The certificate has an expiration date:
The date cannot be updated after the certificate is generated.
You must replace the certificate before it expires to avoid API failures.
Store the certificate password securely. It is shown only once.
Sign in to DigiCert ONE.
In the top-right corner, select the profile icon > Admin Profile.
On the Admin page, in the Authentication certificates section, select Create authentication certificate.
On the Generate authentication certificate page, provide the following information:
Nickname
This name is the display name on the Admin details page in the Authentication certificates section. The name must be unique and only include letters, numbers, spaces, dashes, and underscores.
End date
Enter the certificate expiration date. Make sure that the certificate does not expire after the API token expiration date.
If the API token end date does not fit your use case, update or remove the API token end date first. Then come back and generate the authentication certificate.
Make sure to note when the authentication certificate expires. You must generate a new certificate and update all API integrations using the certificate before it expires. If you don't, the API token integrations will stop working.
Encryption
Select an encryption algorithm to use for securing communications. DigiCert recommends AES (Advanced Encryption Standard), which is the default selection.
Signature hash algorithm
Select a hash function to use for verifying data integrity. DigiCert recommends SHA-256, which is the default selection.
When ready, select Generate certificate.
After you generate the authentication certificate, you cannot change the end date. To get a new end date, you must generate a new authentication certificate.
In the Generate authentication certificate popup window, copy the password that protects the certificate and save it in a secure location. You will need it later when installing the certificate or using it in your certificate request.
For example, if you use a web API client, such as Postman, you must include the location where your certificate is hosted and the certificate's password.
The certificate's password is displayed only once. You cannot access it after you select Download certificate. If you ever lose the password, you'll need to generate a new authentication certificate.
After you save the authentication certificate's password, select Download certificate.
Save the authentication certificate to your computer.
You cannot download the certificate again. If you don't download the certificate or lose it, you'll need to generate a new authentication certificate.
When ready, select Close.
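Because the end date cannot be changed and an expired certificate stops API integrations, it helps to check the downloaded file on a schedule. The script below is an added example, not DigiCert code. It assumes the downloaded file is a PKCS#12 (.p12) bundle, that OpenSSL is installed, and that the certificate password is exported in an environment variable with the hypothetical name P12_PASSWORD.

```shell
#!/bin/sh
# Added example (not DigiCert code): report whether a client authentication
# certificate is inside its replacement window.
# Assumptions: the downloaded file is a PKCS#12 (.p12) bundle, and the
# certificate password is exported as P12_PASSWORD (hypothetical name) so it
# never appears on the command line.

# cert_expiry_status FILE DAYS
# Prints one word and returns a matching exit code:
#   ok (0)          certificate is valid for more than DAYS days
#   expiring (1)    certificate expires within DAYS days or has expired
#   unreadable (2)  file missing, wrong password, or not PKCS#12
cert_expiry_status() {
    p12=$1
    window=$(( $2 * 86400 ))   # -checkend takes seconds

    # Extract only the client certificate; private keys stay in the bundle.
    pem=$(openssl pkcs12 -in "$p12" -passin env:P12_PASSWORD \
              -nokeys -clcerts 2>/dev/null) || { echo unreadable; return 2; }
    [ -n "$pem" ] || { echo unreadable; return 2; }

    # -checkend exits 0 only if the certificate is still valid after $window.
    if printf '%s\n' "$pem" | openssl x509 -noout -checkend "$window" >/dev/null 2>&1
    then
        echo ok; return 0
    fi
    echo expiring; return 1
}

# cert_end_date FILE: print the certificate's notAfter date for the record.
cert_end_date() {
    openssl pkcs12 -in "$1" -passin env:P12_PASSWORD -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -enddate | cut -d= -f2
}

# Usage: export P12_PASSWORD from your secret store, then run
#   ./check_cert.sh FILE [DAYS]     (script name is hypothetical)
if [ "$#" -ge 1 ]; then
    echo "expires: $(cert_end_date "$1")"
    cert_expiry_status "$1" "${2:-30}"
fi
```

Run it from a scheduler and alert on a non-zero exit status so the replacement certificate is generated and rolled out before API requests start failing.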