
Enrollment and authentication methods

Every certificate profile in DigiCert® Trust Lifecycle Manager has an associated enrollment method that controls how certificates can be requested from that profile. Most enrollment methods have corresponding authentication methods.

  • Enrollment methods define the allowed methods for requesting certificates.

  • Authentication methods define the allowed methods for authenticating those enrollment requests.

Enrollment methods

Trust Lifecycle Manager supports the following enrollment methods for requesting and issuing certificates from a certificate profile. Some enrollment methods require that the Automation feature is enabled for your account.

  • Admin web request: Allows admins to enroll certificates from the Trust Lifecycle Manager web console, with automated delivery to external systems.

  • Browser PKCS12: Enroll PKCS#12 certificates using a web-based form.

  • CMP: Enroll using the Certificate Management Protocol (CMP).

  • CSR: Enroll standard X.509 certificates by uploading a CSR using a web-based form.

  • DigiCert agent: Enroll and automate certificates on servers using DigiCert agents.

  • DigiCert sensor: Enroll and automate certificates for network appliances and cloud services using DigiCert sensors.

  • DigiCert Trust Assistant: Enroll certificates for end user systems using the DigiCert Trust Assistant application or a web-based form.

  • EST: Enroll using the Enrollment over Secure Transport (EST) protocol.

  • iOS/iPadOS: Enroll certificates for direct provisioning on iOS/iPadOS devices (without using an MDM/UEM platform) via the Simple Certificate Enrollment Protocol (SCEP) service.

  • Microsoft Autoenrollment: Use the DigiCert Autoenrollment Server to automatically enroll and provision certificates for users and systems in an Active Directory (AD) domain.

  • mTLS over ACME: Enroll and automate mutual TLS (mTLS) certificates using the ACME protocol.

  • REST API: Enroll certificates using the REST API service of Trust Lifecycle Manager.

  • SCEP: Enroll using the Simple Certificate Enrollment Protocol (SCEP).

  • 3rd-party ACME client: Enroll and automate certificates on servers using third-party ACME clients.

Authentication methods

Trust Lifecycle Manager supports the following authentication methods for validating enrollment requests. Available authentication methods depend on the enrollment method you select in the certificate profile.

  • Active Directory: Authenticate against a local Active Directory (AD) domain controller on your network. This is only available for the Microsoft Autoenrollment enrollment method. For details, see Autoenrollment Server.

  • Azure Auth: Authenticate via a Microsoft Entra ID (formerly Azure AD) client secret, using an Intune connector set up in Trust Lifecycle Manager.

  • DigiCert ONE Login: Authenticate through a SAML identity provider with corresponding user credentials in DigiCert ONE. This is only available for the DigiCert Trust Assistant enrollment method. It supports automatic creation of the DigiCert ONE user after successful authentication during the single sign-on (SSO) process. For details, see About DigiCert ONE login profile.

  • Enrollment Code: Authenticate using an enrollment code, which functions like a password. Some enrollment methods allow configuration of a single global enrollment code in the certificate profile that all clients can share. For enhanced security, DigiCert recommends enforcing a unique enrollment code for each client. For details, see Prepare enrollment codes for authentication.

  • Manual Approval: Require manual approval by a Trust Lifecycle Manager admin to authenticate enrollment requests. For details, see Manage enrollment requests.

  • SAML IdP: Authenticate through a SAML identity provider such as Okta or Microsoft Entra ID (formerly Azure AD).

  • TLS Certificate Auth: Authenticate using a TLS client authentication certificate.

  • 3rd Party app: Authenticate via a third-party app. This is only available for the REST API enrollment method. The app that sends the API-based enrollment request is responsible for sending the authentication credentials to the REST API service of Trust Lifecycle Manager.

Note

Some enrollment methods do not require selection of a corresponding authentication method in the certificate profile. For example, when automating certificates on a web server, the local DigiCert agent or 3rd-party ACME client handles the authentication process for you.