Enrollment and authentication methods
Every certificate profile in DigiCert® Trust Lifecycle Manager has an associated enrollment method that controls how certificates can be requested from that profile. Most enrollment methods have corresponding authentication methods.
Enrollment methods define the allowed methods for requesting certificates.
Authentication methods define the allowed methods for authenticating those enrollment requests.
Enrollment methods
Trust Lifecycle Manager supports the following enrollment methods for requesting and issuing certificates from a certificate profile. Some enrollment methods require that the Automation feature is enabled for your account.
Enrollment method | Description |
---|---|
Admin web request | Allows admins to enroll certificates from the Trust Lifecycle Manager web console, with automated delivery to external systems. |
Browser PKCS12 | Enroll PKCS#12 certificates using a web-based form. |
CMP | Enroll using the Certificate Management Protocol (CMP). |
CSR | Enroll standard X.509 certificates by uploading a CSR using a web-based form. |
DigiCert agent | Enroll and automate certificates on servers using DigiCert agents. |
DigiCert sensor | Enroll and automate certificates for network appliances and cloud services using DigiCert sensors. |
DigiCert Trust Assistant | Enroll certificates for end user systems using the DigiCert Trust Assistant application or a web-based form. |
EST | Enroll using the Enrollment over Secure Transport (EST) protocol. |
iOS/iPadOS | Enroll certificates for direct provisioning on iOS/iPadOS devices (without using an MDM/UEM platform) via the Simple Certificate Enrollment Protocol (SCEP) service. |
Microsoft Autoenrollment | Use the DigiCert Autoenrollment Server to automatically enroll and provision certificates for users and systems in an Active Directory (AD) domain. |
mTLS over ACME | Enroll and automate mutual TLS (mTLS) certificates using the ACME protocol. |
REST API | Enroll certificates using the REST API service of Trust Lifecycle Manager. |
SCEP | Enroll using the Simple Certificate Enrollment Protocol (SCEP). |
3rd-party ACME client | Enroll and automate certificates on servers using third-party ACME clients. |
Authentication methods
Trust Lifecycle Manager supports the following authentication methods for validating enrollment requests. Available authentication methods depend on the enrollment method you select in the certificate profile.
Authentication method | Description |
---|---|
Active Directory | Authenticate against a local Active Directory (AD) domain controller on your network. This is only available for the |
Azure Auth | Authenticate via a Microsoft Entra ID (formerly Azure AD) client secret, using an Intune connector set up in Trust Lifecycle Manager. |
DigiCert ONE Login | Authenticate through a SAML identity provider with corresponding user credentials in DigiCert ONE. This is only available for the |
Enrollment Code | Authenticate using an enrollment code, which functions like a password. Some enrollment methods allow configuration of a single global enrollment code in the certificate profile that all clients can share. For enhanced security, DigiCert recommends enforcing a unique enrollment code for each client. For details, see Prepare enrollment codes for authentication. |
Manual Approval | Require manual approval by a Trust Lifecycle Manager admin to authenticate enrollment requests. For details, see Manage enrollment requests. |
SAML IdP | Authenticate through a SAML identity provider such as Okta or Microsoft Entra ID (formerly Azure AD). |
TLS Certificate Auth | Authenticate using a TLS client authentication certificate. |
3rd Party app | Authenticate via a third-party app. This is only available for the |
Notice
Some enrollment methods do not require selection of a corresponding authentication method in the certificate profile. For example, when automating certificates on a web server, the local DigiCert agent or 3rd-party ACME client handles the authentication process for you.