Request a new certificate with automated delivery

Use the Admin web request function on the Inventory page to enroll a new certificate with automated delivery to external systems.

With this feature in DigiCert® Trust Lifecycle Manager, you can enroll certificates from different issuing CAs and deliver the issued certificates simultaneously to one or more:

AWS Certificate Manager (ACM) instances
Azure key vaults
Google Cloud Platform (GCP) Certificate Manager instances or certificate map entries
Server systems (via DigiCert agents)

Before you begin

The Automation feature must be enabled for your Trust Lifecycle Manager account. For help verifying or enabling this feature, contact your DigiCert account representative.
To deliver certificates to:
- AWS Certificate Manager (ACM) instances, you need an AWS unified connector.
- Azure key vaults, you need a vault connector.
- GCP Certificate Manager instances or certificate map entries, you need a GCP unified connector.
- Server systems, you need a DigiCert agent installed on each. To run custom post-delivery scripts on servers, you need to set up Agent scripts with script type Admin request post-delivery.
  Notice
  Custom post-delivery scripts for agents enable you to deploy certificates for custom applications. DigiCert provides the following GitHub repository with production-ready reference scripts for integrating different vendors and platforms:
  https://github.com/digicert/product-solutions
You need one or more certificate profiles for the Admin web request enrollment method.
- When creating certificate profiles for automated delivery, look for base templates that list Admin web request in the Use cases column.
- For CertCentral certificate profiles, only OV/EV certificate products can be requested for delivery. Make sure to select an OV or EV product in the Certificate type dropdown when using the Admin web request enrollment method.

Enroll and deliver a certificate

On the Inventory page, select the Admin web request button at top.
Fill out the form as described in the following steps.
Profile: Select a certificate profile to use for enrolling the new certificate. Only profiles with the Admin web request enrollment method are included in this dropdown menu. Use the Show details link to verify the properties for the selected certificate profile.
Certificate information:
- Common Name: Enter a common name (CN) for the new certificate.
- Other hostnames (SANs): Enter subject alternative names (SANs) to include in the new certificate, one at a time. To instead import the list of SANs from a CSV file, select the Import CSV button.
  This field is optional and only appears if the certificate profile you selected supports it.
  Under the Enrollments details > Subject Alternative Name (SAN) section, IP addresses are allowed for DNS name.
Additional order options: Enter order handling information, not to be included in the certificate itself. This section is optional and only appears if the certificate profile you selected supports it.

Certificate delivery: Use the checkboxes to select the delivery locations for the issued certificate, then select options in the sidebar that opens. For detailed instructions per location type, see the following sections:

To deliver the certificate to servers via DigiCert agents installed on each system, select the Agents checkbox and fill out the sidebar as follows. You can deliver the certificate to multiple locations per agent, with different options for each delivery location.

DigiCert agents: Select one or more agents to deliver to.

For each agent you selected, configure options for each individual delivery location:

Format: Select one of the supported certificate delivery formats and provide the requested delivery options for it.

Format	Description	Delivery options
`.crt`	Deliver the end-entity certificate as a CRT file.	Target path: Enter the full pathname for the directory to deliver the certificate to.
`.jks (update existing)`	Deliver the certificate and any associated materials to an existing Java KeyStore (JKS).	Target path: Enter the full path for the JKS keystore file to add the certificate to. Key store password: Enter the password for the JSK keystore. Trust store password: Enter the password for the trust store for adding any CA certificates.
`.jks (new)`	Create a new Java KeyStore (JKS) for delivering the certificate.	Target path: Enter the full path where the new JKS keystore file should be created. Key store password: Enter a password for the new JSK keystore. Trust store password: Enter the password for the trust store for adding any CA certificates.
`.pem`	Deliver the certificate and any associated materials in PEM format.	Target path: Enter the full pathname for the directory to deliver the certificate to. Password for certificate files: Enter a password for encrypting the private key.
`.pkcs12`	Deliver the certificate and any associated materials in PKCS#12 (PFX) format.	Target path: Enter the full pathname for the directory to deliver the certificate to. Password for certificate files: Enter a password for protecting the PFX file.
`.p7b`	Deliver the certificate and certificate chain as a PKCS#7 (P7B) file.	Target path: Enter the full pathname for the directory to deliver the certificate to.
`CAPI`	Deliver the certificate and any associated materials to the Windows Certificate Store (CAPI). Note: Available for Windows agents only.	Store location: Select `LocalMachine` (all users) or `CurrentUser` (current user only). Certificate store: Select the name of the store to add the certificate to.
`GSK`	Deliver the certificate and any associated materials to an IBM Global Security Kit (GSK) keystore. Prerequisites: For Windows agents, the GSK executable bin directory must be included in the system `PATH` environment variable on the host system. For Linux agents, specify the full file path to the GSK executable bin directory in the agent configuration, under Admin request delivery location.	Keystore type: Select `KDB` or `PKCS12`. Keystore file path: Enter the full path for the keystore file to add the certificate to. The keystore file will be created if it doesn't already exist. Password for certificate files: Enter the password for the GSK keystore. Certificate label: Enter a unique label for the certificate in the GSK keystore. Delete and replace existing: Select this option to enable deleting and replacing any existing certificate with the same label as this one. Otherwise, the new certificate will not be delivered if there's an existing certificate with the same label.

Run post-delivery scripts (optional): Select this option to run a custom script on the agent host after the certificate gets delivered to this location.
- You must first add the script under Discovery & automation tools > Agents in order to select it here.
- For each agent, select the post-delivery script to run and enter any parameters to pass to the script as command arguments.
- You can enter up to five parameters/arguments to pass to the script. Enter each parameter in the provided input box. Select the Add parameter link to add another one.
- The local DigiCert agent stores certificate delivery-related data in Base64-encoded JSON format in the DC1_POST_SCRIPT_DATA environment variable, so you can reference it in your post-delivery scripts. For details about this environment variable and example scripts, see Agent script types.
(Optional) To configure additional delivery locations on the same agent, select Add destination.

Select the Add button at the bottom of the sidebar to add all the configured agents and delivery locations to the enrollment request.

To deliver the certificate to AWS Certificate Manager (ACM) in connected AWS accounts, select the AWS Certificate Manager checkbox and fill out the sidebar as follows:

Connector: Select an AWS unified connector to use.
Delivery options depend on whether the connector your selected includes the Enable ACM reimports option:
- If the connector does not include this option:
  1. AWS regions: Select the AWS regions for the accounts to deliver to.
  2. AWS accounts: Select the AWS accounts to deliver to. The certificate gets added to ACM in these accounts.
- If the connector includes this option, use the table columns to enter AWS accounts, regions, and ACM reimport options:
  1. AWS accounts: Select each AWS account.
  2. AWS regions: For each selected AWS account, select an AWS region. To deliver to multiple regions in the same account, select the account multiple times.
  3. Skip reimport: (Optional) Skip the reimport option for the selected AWS account and region. The system will assign a new ARN to the delivered certificate. For existing certificates, this requires reconfiguring the service bindings in ACM.
  4. ARN unique ID: (Optional) To attempt a reimport, enter an existing ARN to assign to the certificate in ACM. If successful, this preserves ACM service bindings for existing certificates.
    Important
    ACM reimports only work if the new certificate has at least one domain name, matching Key Usage and Extended Key Usage extension values, and the same key type and key size as the original certificate. For more information, refer to the official AWS documentation.
Use the link at the bottom to select additional AWS unified connectors for automated delivery.
Select the Add button at the bottom of the sidebar to add the configured AWS delivery locations and options to the enrollment request.

To deliver the certificate to key vaults in connected Azure accounts, select the Azure key vaults checkbox and fill out the sidebar as follows:

Vault connector: Select an Azure key vault connector to use.
Key vaults: Select the specific key vaults to deliver to via the selected connector.
Use the link at the bottom to deliver to additional Azure key vaults.
Select the Add button at the bottom of the sidebar to add the configured Azure key vault delivery locations to the enrollment request.

To deliver the certificate to Google Certificate Manager in connected GCP projects, select the GCP certificate manager checkbox and fill out the sidebar as follows:

Connector: Select a GCP unified connector to use.
Select Add certificate to certificate manager.
Regions: Select the GCP regions for the projects to deliver to.
Project ID: Select the GCP projects to deliver to. The certificate gets added to Certificate Manager for these projects.
Select the Add button at the bottom of the sidebar to add the configured GCP delivery locations to the enrollment request.

To deliver the certificate to a certificate map entry in a connected GCP project, select the GCP certificate manager checkbox and fill out the sidebar as follows:

Connector: Select a GCP unified connector to use.
Select Add the certificate to certificate map entry.
Regions: This gets set to global and cannot be changed, as GCP certificate maps only support global certificates.
Project ID: Select the GCP project to deliver to. You can add the certificate to a new or existing certificate map entry in the project you select here.
Attach certificate: Select one of the options for whether to add the certificate to a new or existing certificate map entry.
- Existing certificate map and certificate map entry: Add the certificate to an existing entry in an existing certificate map.
- Existing certificate map with new certificate map entry: Create a new certificate map entry for the certificate in an existing certificate map.
- New certificate map with new certificate map entry: Create both a new certificate map and a new certificate map entry for the certificate.
Certificate map name: Enter the name of the certificate map to add the certificate to.
- For delivery to an existing certificate map, the name you enter must exactly match the existing map.
- For delivery to a new certificate map, the name you enter is used to create the new map.
Certificate map entry name: Enter the name of the specific certificate map entry to add the certificate to.
- For delivery to an existing certificate map entry, the name you enter must exactly match the existing entry.
- For delivery to a new certificate map entry, the name you enter is used to create the new entry.
Select the Add button at the bottom of the sidebar to add the configured GCP delivery locations to the enrollment request.
Important
Notes:
- When adding a new certificate map entry for a delivered certificate, Trust Lifecycle Manager sets the hostname value in the map entry based on the certificate common name.
- When you renew, auto-renew, or reissue a certificate added to a certificate map entry, Trust Lifecycle Manager adds the new certificate to that same map entry, replacing the existing certificate.
- If there’s an error adding a certificate to a certificate map, Trust Lifecycle Manager still delivers the certificate to Certificate Manager in the selected project. Refer to the Reporting > Audit logs page for error details.

Auto-renew: To automatically renew this certificate before expiration and deliver the new certificate to the same delivery locations, select the Auto-renew schedule checkbox. Select options for when to submit the renewal request (number of days before expiration).
Note: Selections you make here override any auto-renewal options in the certificate profile. During an auto-renewal event, the new certificate gets delivered to the same location as the original one.
Certificate owners (optional): Select any certificate owners for the certificate. If the selected certificate profile allows it, you can add new owners as part of the request.
Tags (optional): Apply tags to the issued certificate to help monitor and manage it in Trust Lifecycle Manager.
Custom attributes (optional): Select any custom attributes for the certificate. This option only displays if the selected certificate profile includes the configured attributes.
Select the link to read the Certificate Services Agreement and then check the box to acknowledge/agree to it.
Select Submit request to submit the certificate enrollment request based on the values you filled into the form.

What's next

The issued certificate gets delivered to the locations you selected and can be monitored and managed from your centralized inventory in Trust Lifecycle Manager. To check delivery status, see Track progress of certificate automation requests.
If you enabled auto-renewal for the certificate, Trust Lifecycle Manager automatically delivers a new certificate to the same location as the original certificate when it approaches expiration.
When you use the managed automation functions to renew or reissue the certificate from your Inventory, Trust Lifecycle Manager delivers the new certificate to the same location as the original one.

In this section: