Obtain an API token
You can use an API token to authenticate Autoenrollment Server requests to DigiCert ONE. DigiCert recommends that you create a dedicated service user for API access as this helps manage access permissions and track the API requests in your account audit logs.
Note
You need either an API token or an authentication certificate for Autoenrollment Server to be able to authenticate requests to DigiCert ONE. If you will integrate with Windows Hello for Business, choose the authentication certificate method instead.
Create the service user and API token
Navigate to Account Manager.
Select Access from the left navigation menu, then Service User.
Select Create Service user.
On the service user details page, enter the following details:
Friendly name: Nickname for the service user.
Description (optional): Description of the service user's purpose.
End date (optional): Expiration date for the service user.
Email: To send notifications regarding the service user.
Accounts that can use this service user: Account access for the service user.
DigiCert ONE Manager access: Select CA and Trust Lifecycle.
Select Next.
On the Roles and permissions page, assign the following user roles:
For CA Manager: Read only
For Trust Lifecycle Manager: User and certificate manager and Certificate profile manager
Notice
Alternatively, you can create and assign custom user roles that include the following permissions at minimum:
For CA Manager: View CA and View CA configuration.
For Trust Lifecycle Manager: Certificate management: Manage create, plus Profiles & templates: Manage enrollment and Manage profile.
Select Add user.
The token ID is displayed in a popup box. Copy the token ID value and store it in a safe location. This value will be shown only once.