
Before you begin importing certificates via API

For best results, verify these prerequisites before importing any certificates using the REST API service for DigiCert® Trust Lifecycle Manager.

Notice

The DigiCert® Private CA configuration steps are optional, but recommended for enhanced management options. By completing these steps, you can monitor, download, validate, revoke, or suspend/resume the imported certificates from Trust Lifecycle Manager. Without these steps, you can only monitor and download the certificates.

DigiCert® ONE access

In DigiCert® Account Manager, set up API access for a regular or service user with at least the following two user roles:

  • DigiCert Private CA: Read only

  • Trust Lifecycle Manager: Import manager

DigiCert® Private CA configuration

For the best management options, use DigiCert Private CA to import the issuing CA and configure Certificate Revocation List (CRL), Authority Information Access (AIA), and Online Certificate Status Protocol (OCSP) parameters to match what's in the certificates.

When this prerequisite is met, you can monitor, download, validate, revoke, or suspend/resume certificates from Trust Lifecycle Manager after importing them.

Notice

If your account uses the legacy licensing model, this prerequisite enables automatic assignment of uploaded certificates to the Imported seat type, which includes enhanced management features. Without this prerequisite, the certificates are assigned to Discovery seats instead.

Important

Some required steps depend on the certificates to import. For example, if the certificates don’t include the AIA extension, you don’t need to set up an AIA for them in DigiCert Private CA.

Most of these tasks can only be performed by an administrator with sufficient permissions:

  • For hosted DigiCert ONE accounts, contact your DigiCert account representative for help.

  • For on-premises DigiCert ONE deployments, contact your local DigiCert system administrator.

  1. Gain access to the root CA and any intermediate CAs for the issuing CA

    Either import the root CA and intermediate CAs into DigiCert Private CA or configure DigiCert ONE to access the HSM(s) where the private keys and certificates for the root CA and intermediate CAs are located.

  2. Set up domains in DigiCert Private CA

    Use the DigiCert Private CA Domains function to set up one or more domains to match any CRL, AIA, or OCSP fields in the issuing CA certificate.

    Set the domain type to AIA issuer, CRL, and/or OCSP to match how it's used in the issuing CA certificate.

  3. Create a CRL in DigiCert Private CA

    If the issuing CA certificate has a CRL Distribution Point (CDP) field, create a matching CRL in DigiCert Private CA:

    1. From the CRLs page in DigiCert Private CA, select the Create CRL button.

    2. Select the corresponding root or intermediate CA in the Issuer dropdown.

    3. Configure the File name and File path fields to match the value of the CDP field in the issuing CA certificate.

  4. Create an AIA in DigiCert Private CA

    If the issuing CA certificate has an AIA issuer field, create a matching AIA in DigiCert Private CA:

    1. From the AIAs page in DigiCert Private CA, select the Create AIA button.

    2. Select the corresponding root or intermediate CA in the Issuer dropdown.

    3. Configure the File name and File path fields to match the value of the AIA issuer field in the issuing CA certificate.

  1. Gain access to the issuing CA

    Either import your issuing CA into DigiCert Private CA or configure DigiCert ONE to access the HSM where the private key and certificate for your issuing CA are located.

  2. Set up domains in DigiCert Private CA

    Use the DigiCert Private CA Domains function to set up one or more domains to match any CRL, AIA, or OCSP fields in the end-entity certificates.

    Set the domain type to AIA issuer, CRL, and/or OCSP to match how it's used in the end-entity certificates.

  3. Create a CRL in DigiCert Private CA

    If the end-entity certificates have a CRL Distribution Point (CDP) field, create a matching CRL in DigiCert Private CA:

    1. From the CRLs page in DigiCert Private CA, select the Create CRL button.

    2. Select the issuing CA in the Issuer dropdown.

    3. Configure the File name and File path fields to match the value of the CDP field in the end-entity certificates.

    Note: Do not select the Generation enabled checkbox yet. CRL generation should not be enabled until after all the end-entity certificates have been uploaded.

  4. Create an AIA in DigiCert Private CA

    If the end-entity certificates have an AIA issuer field, create a matching AIA in DigiCert Private CA:

    1. From the AIAs page in DigiCert Private CA, select the Create AIA button.

    2. Select the issuing CA in the Issuer dropdown.

    3. Configure the File name and File path fields to match the value of the AIA issuer field in the end-entity certificates.
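Steps 2 to 4 in both lists above only work if the domain names, File path and File name values entered in DigiCert Private CA match the CRL, AIA and OCSP fields of the certificates. As an added example that is not part of DigiCert's documentation, the following Python script reads the extension block of `openssl x509 -text -noout` output (a constructed sample is embedded) and lists the domains with their types plus the File path and File name values to enter; splitting each URL into its directory and file name is an assumption about how those two fields correspond.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the extensions block as printed by `openssl x509 -text -noout`
# for a hypothetical end-entity certificate (all hosts and paths are made up).
SAMPLE_OPENSSL_TEXT = """\
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crl.example.com/issuing-ca/issuing-ca.crl
            Authority Information Access:
                CA Issuers - URI:http://pki.example.com/certs/issuing-ca.crt
                OCSP - URI:http://pki.example.com/ocsp
            X509v3 Subject Alternative Name:
                DNS:app.example.com, URI:https://app.example.com/id
"""

# Labels openssl prints in front of a URI, mapped to the Private CA domain types.
_DOMAIN_TYPE = {"CRL": "CRL", "CA Issuers": "AIA issuer", "OCSP": "OCSP"}
_URI_RE = re.compile(r"(?:(CA Issuers|OCSP) - )?URI:(\S+)")


def extract_uris(openssl_text):
    """Return [(domain_type, uri)] for every URI in the CDP and AIA extensions."""
    found, section = [], None
    for line in openssl_text.splitlines():
        stripped = line.strip()
        if "CRL Distribution Points" in stripped:
            section = "CDP"
        elif "Authority Information Access" in stripped:
            section = "AIA"
        elif stripped.startswith("X509v3 "):
            section = None  # any other extension header ends the CDP/AIA block
        for label, uri in _URI_RE.findall(line):
            if label and section == "AIA":
                found.append((_DOMAIN_TYPE[label], uri.rstrip(",")))
            elif not label and section == "CDP":
                found.append(("CRL", uri.rstrip(",")))
            # unlabelled URIs elsewhere (e.g. a SAN entry) are deliberately ignored
    return found


def plan_private_ca_config(openssl_text):
    """Derive the Domains table plus the CRL/AIA File path and File name values."""
    domains, files = {}, []
    for domain_type, uri in extract_uris(openssl_text):
        parts = urlsplit(uri)
        domains.setdefault(parts.hostname, set()).add(domain_type)
        if domain_type in ("CRL", "AIA issuer"):  # OCSP has no file to publish
            path, _, name = parts.path.rpartition("/")  # assumed field mapping
            files.append({"type": domain_type, "host": parts.hostname,
                          "file_path": path or "/", "file_name": name})
    return {host: sorted(types) for host, types in domains.items()}, files
```

Run it against the real certificate with `openssl x509 -in cert.pem -text -noout` as input; a host that appears with two types (as pki.example.com does in the sample) needs both types set on its domain entry.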

  1. Upload the end-entity certificates

    Upload the end-entity certificates from your old system via API or a DigiCert-provided tool.

    For API import, see Import certificates via REST API.

  2. Upload the last CRL from the old system into DigiCert Private CA

    If the end-entity certificates use a CRL, import the last generated CRL from your old system into DigiCert Private CA so it knows which CRL numbers to use and can avoid duplicate numbers:

    1. From the CRLs page in DigiCert Private CA, select the CRL to view the details for it.

    2. Select the Import blob button to import the signed CRL blob.

  1. Update your DNS service

    Add DNS records that point the hosts named in any CDP, AIA, and OCSP fields of the end-entity certificates at your DigiCert ONE instance.

    For hosted DigiCert ONE accounts, point these fields at the corresponding hosts in the one.digicert.com domain. For on-premises deployments, point them at hosts in your local domain.

    For example, if you are a hosted DigiCert ONE customer, and your imported certificates contain a CDP field value of crl.example.com, add a CNAME record that points crl.example.com at crl.one.digicert.com.

    Contact your DigiCert representative or local system administrator for help determining which hosts to use.

  2. Enable CRL generation and publishing in DigiCert Private CA

    If the end-entity certificates use a CRL, enable CRL generation and publishing in DigiCert Private CA:

    1. From the CRLs page in DigiCert Private CA, select the CRL to view the details for it.

    2. In the Base settings section of the CRL details, make sure Publish enabled and Generation enabled are both set to Yes. Select the pencil icon to edit these fields.

Warning

For issuing CAs that use Certificate Revocation Lists (CRLs), failure to follow all of the above steps may result in CRLs not containing all the revoked certificates, or CRLs generated with old (or out of sequence) CRL numbers.

Issuing CAs that use the Online Certificate Status Protocol (OCSP) may require additional configuration of an OCSP Responder to validate imported certificates on an ongoing basis. Contact your DigiCert representative or local system administrator for help.

What's next

When the prerequisites are in place, you’re ready to Import certificates via REST API.