Quick start: Enable discovery and automation features in Trust Lifecycle Manager to match CertCentral
This guide helps you enable the cloud scan, private network scan (sensor scan), and managed automation features in DigiCert® Trust Lifecycle Manager to replicate the corresponding discovery and automation features previously available in CertCentral. For each feature, the guide presents an overview of how it works in Trust Lifecycle Manager with links to detailed instructions.
Before you begin
You need a Trust Lifecycle Manager account with the Advanced subscription plan at minimum. See Licensing and plans.
You need DigiCert login credentials for a user with the Manager role in Trust Lifecycle Manager.
Notice
Contact your DigiCert account representative if you need help setting up or verifying your Trust Lifecycle Manager account.
Note: Although CertCentral will no longer support Discovery and Automation services, your CertCentral account remains active with all your certificates and CA resources in it. Linking to CertCentral allows you to access those same resources from Trust Lifecycle Manager.
To link to your CertCentral account, you need a connector in Trust Lifecycle Manager. The connector:
Imports your existing CertCentral certificates into Trust Lifecycle Manager for centralized monitoring and management.
Enables you to use the automation tools in Trust Lifecycle Manager to request and issue certificates from public DigiCert CAs in CertCentral.
Does not remove any resources from your CertCentral account or affect your ability to manage them there.
Important
If you already have an active CertCentral connector, you don't need another one. Multiple connectors are only recommended when there are multiple teams issuing public DigiCert certificates through Trust Lifecycle Manager. For details, see Plan the integration.
Refer to the following guides to set up a CertCentral connector in Trust Lifecycle Manager.
Note: If you do not plan to automate certificates on web servers in Trust Lifecycle Manager, you can skip this step.
Like in CertCentral, managed automation for web server applications requires a local DigiCert agent installed on each server host. The agent enables you to securely manage certificates on each web server from the Trust Lifecycle Manager web console or REST API.
The DigiCert agent for Trust Lifecycle Manager is a different application from the CertCentral agent, but it supports the same options you're used to.
To see your active agents in CertCentral, go to the Manage automation page. To avoid service disruptions, replace any active agents with new Trust Lifecycle Manager agents before CertCentral Discovery and Automation reaches end of life.
Important
For existing web servers under management by CertCentral, you must uninstall the CertCentral agent before installing a new Trust Lifecycle Manager agent on the same server. Once the new agent is deployed, you'll have access to the same managed automation features in Trust Lifecycle Manager that you're used to in CertCentral.
The following guides help you uninstall CertCentral agents and deploy new Trust Lifecycle Manager agents.
| Documentation | Description |
|---|---|
| | How to uninstall a CertCentral agent from a web server. You must uninstall the CertCentral agent before installing a new Trust Lifecycle Manager agent on the same server. |
| | Detailed information about how to deploy, configure, and manage agents for Trust Lifecycle Manager. |
| | How to install multiple Trust Lifecycle Manager agents at once without the need for manual user intervention during each install. |
Note: If you do not plan to run private network scans or automate certificates on network appliances or cloud services, you can skip this step.
Like in CertCentral, private network scans and managed automation for network appliances and cloud services require at least one DigiCert sensor installed on your network. The sensor enables you to securely scan your network and manage certificates on each target system from the Trust Lifecycle Manager web console or REST API.
Important
Do not install the Trust Lifecycle Manager sensor on the same host as a CertCentral sensor, unless you first uninstall the CertCentral sensor. Uninstalling a CertCentral sensor disables any discovery or automation activities in your CertCentral account that use that sensor.
The following guides help you uninstall a CertCentral sensor and deploy a new Trust Lifecycle Manager sensor.
Note: If you do not plan to automate certificates on network appliances or cloud services, you can skip this step.
In Trust Lifecycle Manager, you need a connector for each network appliance or cloud service to manage.
The connector is a pre-built integration that provides a web form to configure the settings for incorporating each target system into your managed ecosystem.
When you add the connector, it discovers existing certificates on the target system, and then enables you to automate lifecycle management for those certificates on an ongoing basis.
Connectors replicate the Add agentless utility in CertCentral. To verify which target systems you currently have under management in CertCentral, go to the Manage automation page. Select each target system by name to see its details, which you can then use to configure a corresponding connector in Trust Lifecycle Manager.
Trust Lifecycle Manager provides a different connector for each type of appliance or cloud service. The following guides help you add these connectors.
| Documentation | Description |
|---|---|
| | How to add connectors to enable discovery and automation for dedicated network appliances including A10, Citrix ADC, and F5 BIG-IP LTM. |
| | How to add connectors to enable discovery and automation for cloud services including Amazon Web Services (AWS) and Google Cloud Platform (GCP). |
In Trust Lifecycle Manager, you use DNS integrations to automate domain control validation for your public TLS certificates. Trust Lifecycle Manager supports over 150 different DNS providers and includes connectors to help you integrate them into your managed ecosystem.
| Documentation | Description |
|---|---|
| | The complete list of DNS providers that Trust Lifecycle Manager supports for automating domain control validation for public TLS certificates. |
| | How to add a connector to one of the above DNS providers to use for automating domain validation of certificates installed on web servers (agent-based) or on appliances or cloud services (sensor-based). |
Cloud scan configuration is available from the Discovery & automation tools > Network scans menu in Trust Lifecycle Manager and supports the same settings you're used to in CertCentral. Refer to the following guides to set it up.
| Documentation | Description |
|---|---|
| | Helps you quickly set up a cloud scan in Trust Lifecycle Manager. |
| | Provides more detailed information about how to enable and manage cloud scans and view the scan results in Trust Lifecycle Manager. |
Once you've deployed a DigiCert sensor for Trust Lifecycle Manager, you're ready to set up internal scans on your network.
Sensor scan configuration is available from the Discovery & automation tools > Network scans menu in Trust Lifecycle Manager and supports the same settings you're used to in CertCentral. Refer to the following guides to set it up.
| Documentation | Description |
|---|---|
| | Helps you quickly set up a sensor-based network scan in Trust Lifecycle Manager. |
| | Provides more detailed information about how to enable and manage sensor-based network scans and view the scan results in Trust Lifecycle Manager. |
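What a cloud scan or a sensor scan does at the wire level is easy to see in a few lines. The Python script below is an added example, not DigiCert's scan code: it connects to a list of host:port targets, captures the certificate each endpoint serves, and reduces it to the inventory fields the scan results show (common name, SANs, issuer, expiry, days left, status). The target names, the optional private CA bundle path, and the sample certificate dict are constructed for the example. One caveat worth knowing before you script your own checks: if you disable certificate verification to reach internal hosts, Python's getpeercert() returns an empty dict, so point the scanner at your private CA bundle instead of turning verification off.

```python
"""Illustrative TLS certificate discovery scan (added example, not DigiCert's scanner).

Connects to each host:port, captures the served certificate, and reduces it to
the fields a certificate inventory needs.
"""
import socket
import ssl
from datetime import datetime, timezone


def fetch_cert(host, port=443, timeout=5.0, cafile=None):
    """Open a TLS session and return the peer certificate as a dict.

    CA verification stays on (pass your private CA bundle as `cafile` for
    internal scans) but hostname matching is off, so a certificate served under
    the wrong name is still inventoried. Do not use CERT_NONE here: with
    verification disabled, getpeercert() returns an empty dict.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert()
    except (OSError, ssl.SSLError) as exc:  # refused, timed out, untrusted CA, handshake failure
        return {"error": str(exc)}


def summarize_cert(cert, now=None, warn_days=30):
    """Reduce a getpeercert()-style dict to inventory fields."""
    now = now or datetime.now(timezone.utc)

    def rdn_value(rdns, key):
        # subject/issuer are tuples of RDNs, each a tuple of (type, value) pairs
        for rdn in rdns:
            for k, v in rdn:
                if k == key:
                    return v
        return None

    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    days_left = (not_after - now).days
    if days_left < 0:
        status = "expired"
    elif days_left <= warn_days:
        status = "expiring"
    else:
        status = "ok"
    return {
        "cn": rdn_value(cert.get("subject", ()), "commonName"),
        "issuer": rdn_value(cert.get("issuer", ()), "organizationName"),
        "sans": [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"],
        "not_after": not_after.isoformat(),
        "days_left": days_left,
        "status": status,
    }


def scan(targets, now=None, fetch=fetch_cert):
    """Scan (host, port) pairs; `fetch` is injectable so the logic can run offline."""
    rows = []
    for host, port in targets:
        cert = fetch(host, port)
        if not cert or "error" in cert:
            rows.append({"host": host, "port": port, "status": "unreachable",
                         "error": (cert or {}).get("error", "no certificate returned")})
            continue
        row = {"host": host, "port": port}
        row.update(summarize_cert(cert, now))
        rows.append(row)
    return rows


# Constructed sample in getpeercert() shape (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "app.example.internal"),),),
    "issuer": ((("organizationName", "Example Private CA"),),),
    "subjectAltName": (("DNS", "app.example.internal"), ("DNS", "app"), ("IP Address", "10.0.0.5")),
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Feb 15 00:00:00 2025 GMT",
}
DEMO_NOW = datetime(2025, 2, 1, tzinfo=timezone.utc)


def demo():
    """Offline run against the constructed sample: one reachable host, one not."""
    def fake_fetch(host, port):
        return SAMPLE_CERT if host == "app.example.internal" else {"error": "timed out"}
    return scan([("app.example.internal", 443), ("db.example.internal", 5432)], DEMO_NOW, fetch=fake_fetch)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

To run it against real hosts, call scan() with your own (host, port) list and leave the default fetch in place; anything the sensor would report as unreachable (closed port, timeout, or a certificate chained to a CA you did not pass in cafile) lands in the inventory as an unreachable row with the error text, which is usually the first thing to reconcile against what the hosted scan reports.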
Once you've set up the required client tools and connectors for your target systems, as summarized below, you’re ready to use the automation features to manage those systems in Trust Lifecycle Manager.
Web servers: You need a DigiCert agent installed on each server system.
Network appliances and cloud services: You need at least one DigiCert sensor installed on your network and a connector to each appliance or cloud service.
Note: You also need at least one DNS integration to automate domain control validation processes across both agents and sensors.
Trust Lifecycle Manager supports the same managed automation functions you're used to in CertCentral, including the ability to enroll, reissue, and renew certificates with automated installation to the target systems. Like CertCentral, Trust Lifecycle Manager uses automation profiles to define the types of certificates to issue and how to enroll them (agent versus sensor-based).
To see your current automation profiles in CertCentral, go to the Manage profiles page. To avoid service disruptions, create a replacement profile in Trust Lifecycle Manager for each active automation profile in CertCentral.
Use the base templates labeled CertCentral as the basis for creating the replacement profiles in Trust Lifecycle Manager. For public TLS certificates, use the base template called CertCentral Public Server Certificate. After creating each replacement profile, delete the original profile in CertCentral to prevent conflicting automation events, such as auto-renewal of the same certificate in both systems.
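The conflict described above, the same certificate being auto-renewed by both systems, can be checked before you delete anything. The script below is an added example and not part of DigiCert's tooling. Its two inventories are constructed, and their field names (serial, sans, profile, auto_renew) are assumptions for the illustration rather than the real CertCentral or Trust Lifecycle Manager export formats. It matches each CertCentral-automated certificate to the Trust Lifecycle Manager inventory by serial number, or by identical SAN set when Trust Lifecycle Manager has already reissued it, and then reports which CertCentral profiles are safe to delete and which still cover a certificate that has no replacement yet.

```python
"""Reconcile CertCentral and Trust Lifecycle Manager automation before deleting profiles.

Added example. The inventories are constructed and the field names are
assumptions for this illustration, not the CertCentral or Trust Lifecycle
Manager API schemas.
"""

CERTCENTRAL_MANAGED = [
    {"serial": "0A1B", "cn": "www.example.com", "sans": ["www.example.com", "example.com"],
     "profile": "Public web (CC)", "auto_renew": True},
    {"serial": "0A1C", "cn": "vpn.example.com", "sans": ["vpn.example.com"],
     "profile": "Appliance (CC)", "auto_renew": True},
    {"serial": "0A1E", "cn": "mail.example.com", "sans": ["mail.example.com"],
     "profile": "Public web (CC)", "auto_renew": True},
    {"serial": "0A1D", "cn": "legacy.example.com", "sans": ["legacy.example.com"],
     "profile": "Public web (CC)", "auto_renew": False},
]

TLM_MANAGED = [
    # Same serial: the certificate imported through the CertCentral connector.
    {"serial": "0A1B", "cn": "www.example.com", "sans": ["www.example.com", "example.com"],
     "profile": "CertCentral Public Server Certificate", "auto_renew": True},
    # Different serial, same names: already reissued once from Trust Lifecycle Manager.
    {"serial": "0B2A", "cn": "vpn.example.com", "sans": ["vpn.example.com"],
     "profile": "CertCentral Public Server Certificate", "auto_renew": True},
]


def san_key(cert):
    """Case-insensitive, order-independent identity for a certificate's name set."""
    return frozenset(s.lower().rstrip(".") for s in cert["sans"])


def reconcile(cc_certs, tlm_certs):
    """Classify each CertCentral-managed certificate against the TLM inventory.

    conflict:  auto-renewed in both systems (will be renewed twice)
    uncovered: auto-renewed only in CertCentral (needs a replacement profile first)
    inactive:  not auto-renewed in CertCentral (nothing to migrate)
    """
    by_serial = {c["serial"]: c for c in tlm_certs}
    by_sans = {}
    for c in tlm_certs:
        by_sans.setdefault(san_key(c), []).append(c)

    report = {"conflict": [], "uncovered": [], "inactive": []}
    for c in cc_certs:
        if not c["auto_renew"]:
            report["inactive"].append(c["cn"])
            continue
        # Prefer an exact serial match (same cert in both inventories); fall back
        # to the same SAN set, which catches a cert TLM has already reissued.
        match = by_serial.get(c["serial"]) or next(
            (m for m in by_sans.get(san_key(c), []) if m["auto_renew"]), None)
        if match is not None and match["auto_renew"]:
            report["conflict"].append({"cn": c["cn"], "cc_profile": c["profile"],
                                       "tlm_profile": match["profile"]})
        else:
            report["uncovered"].append({"cn": c["cn"], "cc_profile": c["profile"]})
    return report


def profile_actions(report):
    """Per CertCentral profile: delete it, or create the TLM replacement first.

    A profile is only safe to delete once none of its auto-renewed certificates
    is uncovered, so an uncovered entry overrides a delete decision.
    """
    actions = {}
    for item in report["conflict"]:
        actions.setdefault(item["cc_profile"], "delete")
    for item in report["uncovered"]:
        actions[item["cc_profile"]] = "create replacement first"
    return actions


if __name__ == "__main__":
    rep = reconcile(CERTCENTRAL_MANAGED, TLM_MANAGED)
    for bucket, items in rep.items():
        print(bucket, items)
    print(profile_actions(rep))
```

With the constructed data, www and vpn come back as conflicts, mail is uncovered, and legacy is inactive, so the Appliance profile can be deleted now while the Public web profile has to wait until a Trust Lifecycle Manager profile covers mail.example.com. Feeding real exports into the same two functions is a matter of mapping your export's columns onto the serial, sans, profile and auto_renew keys.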
Refer to the following guides to set up the managed automation solution in Trust Lifecycle Manager.
| Documentation | Description |
|---|---|
| | Overview of the complete workflow for setting up the managed automation solution. |
| | How to create profiles for certificate lifecycle automation in Trust Lifecycle Manager. You need a different profile for each certificate type and enrollment method (agent versus sensor-based) to use. To issue certificates from your CertCentral account, use the base templates labeled CertCentral. |
| | How to manage certificate lifecycle automation for different target endpoints, individually or in bulk, from the Trust Lifecycle Manager web console. You can also use the REST API service to manage lifecycle automation events for the certificates in your account. |
Do more with Trust Lifecycle Manager
Set up additional discovery tools to build up your inventory, including CT logs monitoring and system scans.
Use the Admin web request feature to enroll certificates with automated delivery to external systems, including custom post-delivery scripts on web servers.
Notice
Some features require additional configuration and may not be available in your current subscription plan. Contact your DigiCert account representative if you need help.