Request new certificates with automated delivery

Use the Admin web request function on the Enrollments page to enroll a new certificate with automated delivery to external systems.

With this feature, you can enroll a certificate from a variety of issuing CAs and deliver the issued certificate simultaneously to one or more:

Server systems (via DigiCert agents).
AWS Certificate Manager (ACM) instances.
Azure key vaults.
Google Certificate Manager instances.

Before you begin

The automation feature must be enabled for your DigiCert® Trust Lifecycle Manager account. Contact your DigiCert account representative to verify or enable this feature.
To deliver certificates to:
- Server systems, you need a DigiCert agent installed on each.
- AWS Certificate Manager (ACM) instances, you need an AWS unified connector.
- Azure key vaults, you need a vault connector.
- Google Certificate Manager instances, you need a GCP unified connector.
You need one or more certificate profiles for the Admin web request enrollment method.
- When creating certificate profiles for automated delivery, look for certificate templates that list "Vault delivery" in the Use cases column. These templates support the required Admin web request enrollment method.
- For CertCentral certificate profiles, only OV/EV certificate products can be requested for delivery. Make sure to select an OV or EV product in the Certificate type dropdown when using the Admin web request enrollment method.

Enroll and deliver a certificate

On the Enrollments page, select the Admin web request button at top.
Fill out the form as described below.
Profile: Select a certificate profile to use for enrolling the new certificate. Only profiles with the Admin web request enrollment method are included in this dropdown menu. Use the Show details link to verify the properties for the selected certificate profile.
Certificate information:
- Common Name: Enter a common name (CN) for the new certificate.
- Other hostnames (SANs): Enter subject alternative names (SANs) to include in the new certificate, one at a time. To instead import the list of SANs from a CSV file, select the Import CSV button.
  This field is optional and only appears if the certificate profile you selected supports it.
  Under the Enrollments details > Subject Alternative Name (SAN) section, IP addresses are allowed for DNS name.
Additional order options: Enter order handling information, not to be included in the certificate itself. This section is optional and only appears if the certificate profile you selected supports it.
Certificate delivery: Use the checkboxes to select the delivery location(s) for the issued certificate, then select options in the sidebar that opens. For detailed instructions per location type, see the below sections:
|
sidebar. Deliver to Agents
To deliver certificates to servers via DigiCert agents installed on each system, select the Agents checkbox and fill out the sidebar as follows:
DigiCert agents: Select one or more agents to deliver to.
Certificate delivery format: Select one of the supported formats.
Some delivery formats require additional configuration:
pkcs12: Enter a password for the new PKCS#12 file.
jks (new): Enter a password for the new Java KeyStore file.
jks (existing): Enter the location and password of the existing Java KeyStore file to add the certificate to.
Run post-delivery scripts (optional): Select this option to run a script on the selected agent(s) after the certificate gets delivered.
You must first add the script under Discovery & automation tools > Agents in order to select it here.
For each agent, select the post-delivery script to run and enter any parameters to pass to the script as command arguments.
You can enter up to five parameters/arguments to pass to the script. Enter each parameter in the provided input box. Select the Add parameter link to add another one.
The local DigiCert agent stores certificate delivery-related data in Base64-encoded JSON format in the DC1_POST_SCRIPT_DATA environment variable, so you can reference it in your post-delivery scripts. For details about this environment variable and example scripts, see Agent script types.
Select the Add button at the bottom of the sidebar to add the configured agent delivery locations to the enrollment request.
Notice
By default, certificates get delivered to the .secrets sub-directory within the agent installation directory on the host system. To deliver certificates to a different directory, edit the agent in Trust Lifecycle Manager and configure the Admin request delivery location setting.
sidebar. Deliver to AWS Certificate Manager
To deliver certificates to AWS Certificate Manager (ACM) in connected AWS accounts, select the AWS Certificate Manager checkbox and fill out the sidebar as follows:
Connector: Select an AWS unified connector to use.
AWS regions: Select the AWS regions for the accounts to deliver to.
AWS accounts: Select the AWS accounts to deliver to. The certificate gets added to ACM in these accounts.
Use the link at the bottom to deliver to additional AWS accounts.
Select the Add button at the bottom of the sidebar to add the configured AWS delivery locations to the enrollment request.
sidebar. Deliver to Azure key vaults
To deliver certificates to key vaults in connected Azure accounts, select the Azure key vaults checkbox and fill out the sidebar as follows:
Vault connector: Select an Azure key vault connector to use.
Key vaults: Select the specific key vaults to deliver to via the selected connector.
Use the link at the bottom to deliver to additional Azure key vaults.
Select the Add button at the bottom of the sidebar to add the configured Azure key vault delivery locations to the enrollment request.
sidebar. Deliver to GCP Certificate Manager
To deliver certificates to Google Certificate Manager in connected GCP projects, select the GCP certificate manager checkbox and fill out the sidebar as follows:
Connector: Select a GCP unified connector to use.
Regions: Select the GCP regions for the projects to deliver to.
Project ID: Select the GCP projects to deliver to. The certificate gets added to Certificate Manager for these projects.
Select the Add button at the bottom of the sidebar to add the configured GCP delivery locations to the enrollment request.
Auto-renew: To automatically renew this certificate before expiration and deliver the new certificate to the same delivery locations, select the Auto-renew schedule checkbox. Select options for when to submit the renewal request (number of days before expiration).
Note: Selections you make here override any auto-renewal options in the certificate profile.
Tags (optional): Apply tags to the issued certificate to help monitor and manage it in Trust Lifecycle Manager.
Custom attributes (optional): Select the required custom attribute.
Note
The custom attributes option is displayed if the selected certificate profile includes the configured custom attributes.
Select the link to read the Certificate Services Agreement and then check the box to acknowledge/agree to it.
Select Submit request to submit the certificate enrollment request based on the values you filled into the form.

What's next

The issued certificate gets delivered to the locations you selected and can be monitored and managed from your Inventory page in Trust Lifecycle Manager.

Request new certificates with automated delivery

Before you begin

Enroll and deliver a certificate

Notice

Note

What's next

Search results

Product

Website