
Create a client authentication certificate

You can generate a client authentication certificate instead of using your API key to securely authenticate API requests. Creating a client authentication certificate may be useful for a service user if:

  • You prefer certificate-based authentication for enhanced security.

  • Your organization’s security policies require certificate authentication.

  • You want to avoid exposing API keys in API requests.

Tip

Specify the file path of your installed authentication certificate in the request header.

Before you begin

Consider the following before you begin:

  • Store your certificate securely. It cannot be downloaded again after you generate it.

  • The certificate has an expiration date:

    • The date cannot be updated after the certificate is generated.

    • You must replace the certificate before it expires to avoid API failures.

  • Store the certificate password securely. It is shown only once.

To generate a client authentication certificate

  1. Sign in to DigiCert ONE.

  2. In the top-right corner, select the profile icon > View my user details.

  3. Navigate to the Client authentication certificates section.

  4. Select Create client authentication certificate.

  5. Provide the following information:

    1. Nickname

      This name is the display name on the Admin details page in the Authentication certificates section. The name must be unique and only include letters, numbers, spaces, dashes, and underscores.

    2. End date

      Enter the certificate expiration date. Make sure that the certificate does not expire after the API token expiration date.

      If the API token end date does not fit your use case, update or remove the API token end date first. Then come back and generate the authentication certificate.

      Tip

      Note when the authentication certificate expires. You must generate a new certificate and update all API integrations using the certificate before it expires. If you don't, the API token integrations will stop working.

    3. Encryption

      Select an encryption algorithm to use for securing communications. DigiCert recommends AES (Advanced Encryption Standard), which is the default selection.

    4. Signature hash algorithm

      Select a hash function to use for verifying data integrity. DigiCert recommends SHA-256, which is the default selection.

  6. Select Generate certificate.

  7. Copy the certificate's password and store it in a secure location. You will need to use it later when installing the certificate or using it in your certificate request.

    Tip

    This password is required for installation and API requests. You will not be able to retrieve it later.

  8. Select Download certificate.

    Tip

    You cannot download it again. If lost, you must generate a new certificate.

  9. Remember the file path to your client authentication certificate. You will need to reference it later.

  10. Select Close.
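
Because the end date cannot be changed and an expired certificate causes API failures, a scheduled expiry check helps you replace the certificate in time. The script below is an added example, not DigiCert code. It assumes the downloaded file is a password-protected PKCS#12 (.p12) file and that OpenSSL is installed; the function names, file names, and sample certificate are hypothetical.

```shell
#!/bin/sh
# Added example. Assumption: the downloaded client authentication certificate
# is a password-protected PKCS#12 (.p12) file.

# cert_expiry_status P12_FILE PASSWORD_FILE WARN_DAYS
# Prints the certificate's notAfter date. Return codes:
#   0 = valid beyond the warning window
#   1 = expires (or has expired) within WARN_DAYS: generate a replacement
#   2 = file unreadable, wrong password, or no client certificate inside
cert_expiry_status() {
    p12=$1; passfile=$2; warn_days=$3
    # The password is read from a file (keep it mode 600), so it never shows
    # up in the process list or in shell history.
    pem=$(openssl pkcs12 -in "$p12" -passin "file:$passfile" \
            -nokeys -clcerts 2>/dev/null) || return 2
    printf '%s\n' "$pem" | openssl x509 -noout -enddate 2>/dev/null || return 2
    # -checkend exits non-zero when the certificate expires within N seconds.
    if printf '%s\n' "$pem" |
        openssl x509 -noout -checkend "$((warn_days * 86400))" >/dev/null 2>&1
    then
        return 0
    fi
    return 1
}

# make_sample_p12 DIR DAYS
# Builds a constructed, self-signed test certificate valid for DAYS days and
# writes DIR/client.p12 and DIR/pass. Sample data only, not a DigiCert file.
make_sample_p12() {
    dir=$1; days=$2
    ( umask 077
      printf 'constructed-sample-password\n' > "$dir/pass"
      openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
          -subj "/CN=constructed-sample" \
          -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null &&
      openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
          -passout "file:$dir/pass" -out "$dir/client.p12" )
}

# Usage: sh check_cert.sh client.p12 password_file 30
if [ "$#" -eq 3 ]; then
    cert_expiry_status "$1" "$2" "$3"
fi
```

Run it from a scheduler with a warning window long enough to generate a new certificate and update every API integration that uses the old one.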
