An API key is automatically generated when a service user is created. However, you can generate a client authentication certificate instead of using your API key to securely authenticate API requests. Creating a client authentication certificate may be useful for a service user if:
You prefer certificate-based authentication for enhanced security.
Your organization’s security policies require certificate authentication.
You want to avoid exposing API keys in API requests.
Tip
Specify the file path of your installed authentication certificate in the request header.
Consider the following before you begin:
The certificate cannot be downloaded again after you generate it. Save it securely.
The certificate has an expiration date:
The certificate expiry date cannot exceed the service user’s end date. If needed, update the service user’s end date before creating the certificate.
The date cannot be updated after the certificate is generated.
You must replace the certificate before it expires to avoid API failures.
Store the certificate password securely; it is shown only once.
Sign in to DigiCert ONE.
Navigate to the Manager menu icon (top-right) and select Account.
In the left navigation menu, select Access > Service users.
In the Friendly name column, select the service user's friendly name.
Navigate to the Client authentication certificates section.
Select Create client authentication certificate.
Provide the following information:
Nickname
This is the friendly name shown on the Service user details page. The name must be unique and may only include letters, numbers, spaces, dashes, and underscores.
End date
Enter an expiry date for the certificate.
Tip
Note when the authentication certificate expires. You must generate a new certificate and update all API integrations using the certificate before it expires. If you don't, the API token integrations will stop working.
Encryption
Select an encryption algorithm to use for securing communications. DigiCert recommends AES (Advanced Encryption Standard), which is the default selection.
Signature hash algorithm
Select a hash function to use for verifying data integrity. DigiCert recommends SHA-256, which is the default selection.
Select Generate certificate.
Copy the certificate's password and store it in a secure location. You will need to use it later when installing the certificate or using it in your certificate request.
Tip
This password is required for installation and API requests. You will not be able to retrieve it later.
Select Download certificate.
Tip
You cannot download it again. If lost, you must generate a new certificate.
Remember the file path to your client authentication certificate; you will need to reference it later.
Select Close.
Specify the file path of your installed certificate in API request headers.
Keep track of the expiration date and generate a new certificate before it expires.
Ensure the certificate password is correctly configured in the DigiCert ONE API.
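The last two follow-up items (tracking the expiration date and confirming the password works) can be checked with a script. The following is an added example, not DigiCert's code. It assumes the downloaded file is in PKCS#12 format and that the password is exported in an environment variable named CLIENT_CERT_PASSWORD (a hypothetical name); make_demo_p12 only builds a constructed self-signed certificate for trying the check offline.

```bash
# Added example. Assumptions: the download is a PKCS#12 (.p12/.pfx) file and
# its password is exported as CLIENT_CERT_PASSWORD (hypothetical name).

# check_client_cert FILE [MIN_DAYS]
# Returns 0 if the certificate stays valid for more than MIN_DAYS (default 30),
# 1 if it expires within MIN_DAYS, 2 if the file or password is unusable.
check_client_cert() {
  local p12="$1" min_days="${2:-30}" pem
  [ -r "$p12" ] || { echo "cannot read $p12" >&2; return 2; }
  [ -n "${CLIENT_CERT_PASSWORD:-}" ] || { echo "CLIENT_CERT_PASSWORD is not set" >&2; return 2; }
  # env: keeps the password off the command line, where other local users
  # could see it in the process list. -nokeys extracts the certificate only;
  # the private key stays in the file.
  pem=$(openssl pkcs12 -in "$p12" -clcerts -nokeys \
          -passin env:CLIENT_CERT_PASSWORD 2>/dev/null) \
    || { echo "wrong password or not a PKCS#12 file" >&2; return 2; }
  printf '%s\n' "$pem" | openssl x509 -noout -enddate
  # -checkend exits non-zero if the certificate expires within N seconds.
  if printf '%s\n' "$pem" | openssl x509 -noout -checkend "$((min_days * 86400))" >/dev/null; then
    return 0
  fi
  echo "expires within $min_days days: generate a replacement" >&2
  return 1
}

# make_demo_p12 FILE DAYS
# Builds a constructed, self-signed throwaway certificate so the check can be
# tried offline. It is not a DigiCert-issued certificate.
make_demo_p12() {
  local out="$1" days="$2" tmp
  tmp=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
    -subj "/CN=constructed-demo" \
    -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$tmp/key.pem" -in "$tmp/cert.pem" \
    -out "$out" -passout env:CLIENT_CERT_PASSWORD
  rm -rf "$tmp"
  chmod 600 "$out"   # readable by the owning account only
}
```

Run check_client_cert from a scheduled job and alert on exit status 1, so that a replacement certificate is generated before the end date.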