Issue S/MIME certificates using DigiCert® Trust Lifecycle Manager and PKI Platform 8
This article details the steps required to configure DigiCert® Trust Lifecycle Manager to issue public S/MIME certificates from the PKI Platform 8 service using REST API and an API key for authentication.
Before you begin
Contact your DigiCert representative to create a validated DigiCert PKI Platform 8 account.
Sign in to your DigiCert PKI Platform 8 account.
Submit the email domains you want DigiCert to validate as part of your certificate requests, and wait for them to be approved.
Create an API key in your DigiCert PKI Platform 8 account.
Upload the API KEY to your DigiCert® Trust Lifecycle Manager account, under Settings > Link PKI Platform 8.
If you have not already assigned user seats to your business unit in DigiCert® Trust Lifecycle Manager, do that now.
Nota
The links in steps 2-4 assume you are using a Production account. If you are instead making use of a Partner Lab account, please substitute the appropriate domain name.
Create a certificate profile for REST API
In DigiCert® Trust Lifecycle Manager, go to Policies > Base templates and select the Public S/MIME Secure Email (via PKI Platform 8) certificate template.
Under Primary certificate options:
Select a business unit and a Public Issuing CA.
Nota
The list of Public Issuing CAs includes only the CAs available on your PKI Platform 8 account.
Enter a profile name.
Select the REST API enrollment method.
Select the Third-party app authentication method.
Select Next and follow the prompts to configure the required certificate fields and additional profile information.
Under Certificate fields, select REST request or Fixed value as the source for these values.
On the API key step, select the PKI Platform 8 API key you previously uploaded to link both accounts.
Select Create to save the profile configuration.
Nota
The Public S/MIME solution supports other enrollment methods, including Browser PKCS12 and DigiCert Desktop Client.
Configure Postman for API key authentication
Under Collections, select + to create a new collection and give it a name.
Select the new collection. Under the Authorization tab, select API key from the Type dropdown list. Enter
x-api-key
as the key value. Enter the PKI Platform 8 API key you configured on your profile.Select Save at top right.
Test API requests in Postman
Submit a request to the “hello” endpoint
Right-click your collection (or folder) and select Add Request.
Under the Authorization tab, select Inherit auth from parent in the dropdown list.
Select the GET HTTP method from the dropdown list.
Enter the “hello” endpoint URL for the platform being tested. Select Send.
Submit a request to the “certificate” endpoint
Right-click your collection (or folder) and select Add Request.
Under the Authorization tab, select Inherit auth from parent in the dropdown list.
Select the POST HTTP method from the dropdown list.
Enter the “certificate” endpoint URL for the platform being tested.
Enter the appropriate JSON request in the Body panel. Select Send.
Supported certificate lifecycle operations
Issuance:
Cloud Escrow: a PKCS#12 file and its associated password is delivered to the requesting client
No Escrow: a PKCS#7 file or X.509 certificate is delivered to the requesting client
Revocation:
Supported revocation reasons:
key_compromise, affiliation_changed, superseded, cessation_of_operation
(default reason, if none is specified)
Key recovery (for profiles configured with the Cloud Escrow option)
Supported configurations
Enrollment method | Authentication method |
---|---|
|
|
|
|