Request a new certificate with automated delivery

Use the Admin web request function on the Inventory page to enroll a new certificate with automated delivery to external systems.

With this feature in DigiCert® Trust Lifecycle Manager, you can enroll certificates from different issuing CAs and deliver the issued certificates simultaneously to one or more:

AWS Certificate Manager (ACM) instances
Azure key vaults
Google Cloud Platform (GCP) Certificate Manager instances or certificate map entries
Server systems (via DigiCert agents)
Custom targets (via certificate delivery plugins or custom post-scripts)

Before you begin

Prerequisities

The Automation feature must be enabled for your Trust Lifecycle Manager account. For help verifying or enabling this feature, contact your DigiCert account representative.
You need one or more certificate profiles for the Admin web request enrollment method.
- When creating certificate profiles for automated delivery, look for base templates that list Admin web request in the Use cases column.
- For CertCentral certificate profiles, only OV/EV certificate products can be requested for delivery. Make sure to select an OV or EV product in the Certificate type dropdown when using the Admin web request enrollment method.
To deliver certificates to:
- AWS Certificate Manager (ACM) instances, you need an AWS unified connector.
- Azure key vaults, you need a vault connector.
- GCP Certificate Manager instances or certificate map entries, you need a GCP unified connector.
- Custom network-based targets using a DigiCert sensor to manage delivery, you need a Certificate delivery plugin.
- Server systems, you need a DigiCert agent installed on each. To run custom post-delivery scripts on servers, you need to set up Agent scripts with script type Admin request post-delivery.
  Notice
  Custom post-delivery scripts for agents enable you to deploy certificates for custom applications. DigiCert provides the following GitHub repository with production-ready reference scripts for integrating different vendors and platforms:
  https://github.com/digicert/product-solutions

Enroll and deliver a certificate

Step 1: Initiate the request and configure basic settings

Start by initiating the request and configuring basic settings for the certificate to enroll and deliver.

In the Trust Lifecycle Manager menu, go to Inventory.
Select the Admin web request button at top.
On the Certificate setup screen, configure the basic certificate options:
1. Profile: Select a certificate profile to enroll from. Only profiles with the Admin web request enrollment method are included in this dropdown menu. Use the Show details link to verify the properties for the selected certificate profile.
2. Certificate information:
  Common Name: Enter a common name (CN) for the new certificate.
  Other hostnames (SANs): Enter subject alternative names to include in the new certificate, one at a time. To instead import the list of SANs from a CSV file, select the Import CSV button. This field is optional and only appears if supported by the selected certificate profile. Depending on the profile configuration, you can enter DNS names, IP addresses, or both.
3. Lifecycle & fulfillment controls:
  Issue duplicate certificate if available: For CertCentral orders, issue a duplicate certificate if the selected profile supports it and the requested common name and SANs match an existing certificate.
  Enable auto-renew schedule: Enable this option to automatically renew the certificate before expiration and deliver the new certificate to the same delivery locations. Select options for when to submit the renewal request (number of days before expiration). Selections you make here override any auto-renewal options in the certificate profile. During an auto-renewal event, the new certificate gets delivered to the same locations as the original one.
4. Certificate-level settings:
  Certificate owners (optional): Select any certificate owners for the certificate. If the selected certificate profile allows it, you can add new owners as part of the request.
  Tags (optional): Apply tags to the issued certificate to help monitor and manage it in Trust Lifecycle Manager.
  Custom attributes (optional): Select any custom attributes for the certificate. This option only appears if the selected certificate profile includes the configured attributes.
5. Additional order options: Enter order handling information, not to be included in the certificate itself. This section is optional and only appears if supported by the selected certificate profile.
Select Next.

Step 2: Configure the delivery targets

On the Delivery integrations screen, select the delivery locations for the issued certificate and configure options for each.

Select the Add button to enable specific target types.
1. In the sidebar that opens, use the checkboxes to enable individual target types or Select all to enable all of them.
2. Select Apply to add the selected delivery targets to your certificate request.

The delivery targets you added appear on the left. Select each one and configure delivery options for it on the right.

To deliver certificates to servers via DigiCert agents installed on each system, configure the following options. You can deliver the certificate to multiple locations per agent, with different options for each delivery location.

DigiCert agents: Select one or more agents to deliver to.

For each agent you selected, configure options for each individual delivery location:

Format: Select one of the supported certificate delivery formats and provide the requested delivery options for it.

Format	Description	Delivery options
`.crt`	Deliver the end-entity certificate as a CRT file.	Target path: Enter the full pathname for the directory to deliver the certificate to.
`.jks (update existing)`	Deliver the certificate and any associated materials to an existing Java KeyStore (JKS).	Target path: Enter the full path for the JKS keystore file to add the certificate to. Key store password: Enter the password for the JSK keystore. Trust store password: Enter the password for the trust store for adding any CA certificates.
`.jks (new)`	Create a new Java KeyStore (JKS) for delivering the certificate.	Target path: Enter the full path where the new JKS keystore file should be created. Key store password: Enter a password for the new JSK keystore. Trust store password: Enter the password for the trust store for adding any CA certificates.
`.pem`	Deliver the certificate and any associated materials in PEM format.	Target path: Enter the full pathname for the directory to deliver the certificate to. Password for certificate files: Enter a password for encrypting the private key.
`.pkcs12`	Deliver the certificate and any associated materials in PKCS#12 (PFX) format.	Target path: Enter the full pathname for the directory to deliver the certificate to. Password for certificate files: Enter a password for protecting the PFX file.
`.p7b`	Deliver the certificate and certificate chain as a PKCS#7 (P7B) file.	Target path: Enter the full pathname for the directory to deliver the certificate to.
`CAPI`	Deliver the certificate and any associated materials to the Windows Certificate Store (CAPI). Note: Available for Windows agents only.	Store location: Select `LocalMachine` (all users) or `CurrentUser` (current user only). Certificate store: Select the name of the store to add the certificate to.
`GSK`	Deliver the certificate and any associated materials to an IBM Global Security Kit (GSK) keystore. Prerequisites: For Windows agents, the GSK executable bin directory must be included in the system `PATH` environment variable on the host system. For Linux agents, specify the full file path to the GSK executable bin directory in the agent configuration, under Admin request delivery location.	Keystore type: Select `KDB` or `PKCS12`. Keystore file path: Enter the full path for the keystore file to add the certificate to. The keystore file will be created if it doesn't already exist. Password for certificate files: Enter the password for the GSK keystore. Certificate label: Enter a unique label for the certificate in the GSK keystore. Delete and replace existing: Select this option to enable deleting and replacing any existing certificate with the same label as this one. Otherwise, the new certificate will not be delivered if there's an existing certificate with the same label.

Run post-delivery scripts (optional): Select this option to run a custom script on the agent host after the certificate gets delivered to this location.
- You must first add the script under Discovery & automation tools > Agents in order to select it here.
- For each agent, select the post-delivery script to run and enter any parameters to pass to the script as command arguments.
- You can enter up to five parameters/arguments to pass to the script. Enter each parameter in the provided input box. Select the Add parameter link to add another one.
- The local DigiCert agent stores certificate delivery-related data in Base64-encoded JSON format in the DC1_POST_SCRIPT_DATA environment variable, so you can reference it in your post-delivery scripts. For details about this environment variable and example scripts, see Agent script types.
(Optional) To configure additional delivery locations on the same agent, select Add destination.

To deliver certificates to AWS Certificate Manager (ACM) in connected AWS accounts, configure the following options.

Connector: Select an AWS unified connector to use.
Delivery options depend on whether the connector your selected includes the Enable ACM reimports option:
- If the connector does not include this option:
  1. AWS regions: Select the AWS regions for the accounts to deliver to.
  2. AWS accounts: Select the AWS accounts to deliver to. The certificate gets added to ACM in these accounts.
- If the connector includes this option, use the table columns to enter AWS accounts, regions, and ACM reimport options:
  1. AWS accounts: Select each AWS account.
  2. AWS regions: For each selected AWS account, select an AWS region. To deliver to multiple regions in the same account, select the account multiple times.
  3. Skip reimport: (Optional) Skip the reimport option for the selected AWS account and region. The system will assign a new ARN to the delivered certificate. For existing certificates, this requires reconfiguring the service bindings in ACM.
  4. ARN unique ID: (Optional) To attempt a reimport, enter an existing ARN to assign to the certificate in ACM. If successful, this preserves ACM service bindings for existing certificates.
    Important
    ACM reimports only work if the new certificate has at least one domain name, matching Key Usage and Extended Key Usage extension values, and the same key type and key size as the original certificate. For more information, refer to the official AWS documentation.
Use the link at the bottom to select additional AWS unified connectors for automated delivery.

To deliver certificates to the certificate manager in connected GCP projects, configure the following options.

Connector: Select a GCP unified connector to use.
Select the Add certificate to certificate manager option.
Regions: Select the GCP regions for the projects to deliver to.
Project ID: Select the GCP projects to deliver to. The certificate gets added to the certificate manager for these projects.

To deliver certificates to a certificate map entry in a connected GCP project, configure the following options.

Connector: Select a GCP unified connector to use.
Select the Add the certificate to certificate map entry option.
Regions: This gets set to global and can’t be changed, as GCP certificate maps only support global certificates.
Project ID: Select the GCP project to deliver to. You can add the certificate to a new or existing certificate map entry in the project you select here.
Attach certificate: Select one of the options for whether to add the certificate to a new or existing certificate map entry.
- Existing certificate map and certificate map entry: Add the certificate to an existing entry in an existing certificate map.
- Existing certificate map with new certificate map entry: Create a new certificate map entry for the certificate in an existing certificate map.
- New certificate map with new certificate map entry: Create both a new certificate map and a new certificate map entry for the certificate.
Certificate map name: Enter the name of the certificate map to add the certificate to.
- For delivery to an existing certificate map, the name you enter must exactly match the existing map.
- For delivery to a new certificate map, the name you enter is used to create the new map.
Certificate map entry name: Enter the name of the specific certificate map entry to add the certificate to.
- For delivery to an existing certificate map entry, the name you enter must exactly match the existing entry.
- For delivery to a new certificate map entry, the name you enter is used to create the new entry.
Important
Notes:
- When adding a new certificate map entry for a delivered certificate, Trust Lifecycle Manager sets the hostname value in the map entry based on the certificate common name.
- When you renew, auto-renew, or reissue a certificate added to a certificate map entry, Trust Lifecycle Manager adds the new certificate to that same map entry, replacing the existing certificate.
- If there’s an error adding a certificate to a certificate map, Trust Lifecycle Manager still delivers the certificate to Certificate Manager in the selected project. Refer to the Reporting > Audit logs page for error details.

After configuring options for each deliver target, it shows as Configured on the left. When all targets are configured, select Next to proceed.

Step 3: Review and submit the request

On the Review & Submit screen, review all the options you selected and submit the request.

What's next

The issued certificate gets delivered to the locations you selected and can be monitored and managed from your centralized inventory in Trust Lifecycle Manager. To check delivery status, see Track progress of certificate automation requests.
If you enabled auto-renewal for the certificate, Trust Lifecycle Manager automatically delivers a new certificate to the same location as the original certificate when it approaches expiration.
When you use the managed automation functions to renew or reissue the certificate from your Inventory, Trust Lifecycle Manager delivers the new certificate to the same location as the original one.

In this section: