Skip to main content

Enroll using cURL

The following examples show how to use the curl command-line client to enroll certificates from DigiCert​​®​​ Trust Lifecycle Manager, authenticating with either an enrollment code or client certificate.

Avis

The authentication method you use must match what's configured in the EST-enabled profile you are enrolling the certificate from in Trust Lifecycle Manager.

Authenticate with enrollment code

To enroll using an enrollment code for authentication, you must provide:

  • A valid enrollment code for an available seat that was pre-configured in Trust Lifecycle Manager.

    The enrollment code must be sent as an authorization header in Base64-encoded format. For example:

    Authorization: Basic <Base64-encoded-enrollment-code>

  • A CSR containing matching values for the certificate fields in the EST-enabled profile you are enrolling from in Trust Lifecycle Manager.

    The CSR must be provided within the data-raw parameter as a PEM-encoded value. You can submit CSRs with without the Begin/End tags.

  • The EST Enrollment URL for your certificate profile. This is provided at the time of profile creation and can be retrieved again at any time as follows:

    1. Select Policies > Certificate profiles from the Trust Lifecycle Manager main menu.

    2. Select your EST-enabled profile by name to view the details for it.

    3. Use the dropdown at the top of the profile details screen to copy the EST Enrollment URL (simpleenroll). For example:

      https://one.digicert.com/mpki/api/v1/.well-known/est/201bf186-fe8e-4444-b8b8-233f794fb6f7/simpleenroll

cURL request

The following example shows a complete curl command to enroll a certificate via EST, authenticating with a Base64-encoded enrollment code:

curl --location \
--request POST 'https://one.digicert.com/mpki/api/v1/.well-known/est/201bf186-fe8e-4444-b8b8-233f794fb6f7/simpleenroll' \
--header 'Authorization: Basic NUNVQUNRVVZI' \
--header 'Content-Type: text/plain' \
--data-raw '-----BEGIN CERTIFICATE REQUEST-----
MIIE5DCCA8wCAQAwggHDMR0wGwYDVQQDDBR1c2VyIG11bHRpcGxlIHRlc3QgMjEb
MBkGA1UECwwSSGFpciBSZXNlYXJjaCBEZXB0MQ0wCwYDVQQLDARPVSAyMR0wGwYD
VQQKDBRMJkggRG9ncyBHcm9vbWluZyBSSTETMBEGA1UEBwwKUHJvdmlkZW5jZTEV
MBMGA1UECAwMUmhvZGUgSXNsYW5kMQswCQYDVQQGEwJVUzEOMAwGA1UEEQwFMDI4
NjAxEDAOBgNVBAkMB3N0cmVldDExEDAOBgNVBAkMB3N0cmVldDIxGzAZBgNVBAUT
EnNlcmlhbG51bWJlcnNlYXQwMjEfMB0GCSqGSIb3DQEJARYQbWFpbEBzdWJqZWN0
LmNvbTEnMCUGCSqGSIb3DQEJAgwYdGVzdFUgdW5zdHJ1Y3R1cmVkTmFtZSAxMScw
JQYJKoZIhvcNAQkCDBh0ZXN0VSB1bnN0cnVjdHVyZWROYW1lIDIxGzAZBgkqhkiG
9w0BCQgMDHVuc3RyIGFkZHIgMTEbMBkGCSqGSIb3DQEJCAwMdW5zdHIgYWRkciAy
MQ8wDQYDVQQNDAZkZXNjcjExDzANBgNVBA0MBmRlc2NyMjCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBAPS61hrGb0X80qpTf0dE2DD+IGPeXe5okkA72tE8
SO6qdpE8HJ7/JAq5E0ubuxaNDXbTtm84CEzmp//DqYBpweIlMupFNgRb/+CVeA2J
jRmcHx8ZZ5uMhcUbuQQPxgyGIbgsjbsW4LE81rG+YKkZ+yQ/lezkMiQD6tAVx1ci
r4M+g4gudUP1t6rQvnUPHVJMvFZjCurlNPBwlzm2gHmSviwplwfPWpw0Tbw4lj60
aQakvOlrSEGvqfp4QGDjS+DWsTFLfJ5NlnTfefs6z/6C+qK2xnzK7TiLz31YHs/M
KKxLyh1XnJqnbs1FT9OsA0SO3xP2pOMLcgBqLMYVcm5jCMsCAwEAAaCB2TAZBgkq
hkiG9w0BCQcxDAwKVUc2QlVCWU5NWDCBuwYJKoZIhvcNAQkOMYGtMIGqMIGnBgNV
HREEgZ8wgZyHBAoAAAqHBAoAAAuGFmh0dHA6Ly93d3cuZ29vZ2xlLmNvbS+GFmh0
dHA6Ly93d3cuY29vZ2xlLmNvbS+ICSqGSIb3EgECAogJKoZIhvcSAQIDgRJmaXJz
dG9uZUBlbWFpbC5jb22BEHNlY29uZEBlbWFpbC5jb22CESouZmlyc3QxLmxoZGcu
Y29tgg9zZWNvbmQubGhkZy5jb20wDQYJKoZIhvcNAQELBQADggEBAOs6t+gy4XKP
n9ksNmUsXdaJouvcl/2brntdAflZ415InpBYY1UO2Zg0qMmdUrwW8zcwB6MENGJm
wwIaj6ELKy1tQkIMCyP6RQxULk/5oMdmdXS54ys2Zr1Ddl2pAsS/FYQC3vSpKniq
hn1agXAygFO/WY7sk5bwFsnhMtd8HKsbvQRQOvUDStYmFiFHkerSl3jMG/zN5991
2PKofBQVovwWcRfz5mqRBwKghcskjhOPi+Vhzew++dbY1c1Pt65Bl2McWbYKRpQ4
Cpu9NWdqq1rAT+bpe2/RYP1p8N5iSODy9CQZXMxCLcoBJeBIiduIDb3IwR5CcFrD
kRm5LTlDxqo=
-----END CERTIFICATE REQUEST-----'

cURL response

In response to the curl command, Trust Lifecycle Manager sends back the new PEM-encoded certificate issued by the issuing CA configured in your certificate profile.

The following example shows a complete curl request and the response from it:

curl --location \
--request POST 'https://one.digicert.com/mpki/api/v1/.well-known/est/201bf186-fe8e-4444-b8b8-233f794fb6f7/simpleenroll' \
--header 'Authorization: Basic NUNVQUNRVVZI' \
--header 'Content-Type: text/plain' \
--data-raw '-----BEGIN CERTIFICATE REQUEST-----
MIIE5DCCA8wCAQAwggHDMR0wGwYDVQQDDBR1c2VyIG11bHRpcGxlIHRlc3QgMjEb
MBkGA1UECwwSSGFpciBSZXNlYXJjaCBEZXB0MQ0wCwYDVQQLDARPVSAyMR0wGwYD
VQQKDBRMJkggRG9ncyBHcm9vbWluZyBSSTETMBEGA1UEBwwKUHJvdmlkZW5jZTEV
MBMGA1UECAwMUmhvZGUgSXNsYW5kMQswCQYDVQQGEwJVUzEOMAwGA1UEEQwFMDI4
NjAxEDAOBgNVBAkMB3N0cmVldDExEDAOBgNVBAkMB3N0cmVldDIxGzAZBgNVBAUT
EnNlcmlhbG51bWJlcnNlYXQwMjEfMB0GCSqGSIb3DQEJARYQbWFpbEBzdWJqZWN0
LmNvbTEnMCUGCSqGSIb3DQEJAgwYdGVzdFUgdW5zdHJ1Y3R1cmVkTmFtZSAxMScw
JQYJKoZIhvcNAQkCDBh0ZXN0VSB1bnN0cnVjdHVyZWROYW1lIDIxGzAZBgkqhkiG
9w0BCQgMDHVuc3RyIGFkZHIgMTEbMBkGCSqGSIb3DQEJCAwMdW5zdHIgYWRkciAy
MQ8wDQYDVQQNDAZkZXNjcjExDzANBgNVBA0MBmRlc2NyMjCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBAPS61hrGb0X80qpTf0dE2DD+IGPeXe5okkA72tE8
SO6qdpE8HJ7/JAq5E0ubuxaNDXbTtm84CEzmp//DqYBpweIlMupFNgRb/+CVeA2J
jRmcHx8ZZ5uMhcUbuQQPxgyGIbgsjbsW4LE81rG+YKkZ+yQ/lezkMiQD6tAVx1ci
r4M+g4gudUP1t6rQvnUPHVJMvFZjCurlNPBwlzm2gHmSviwplwfPWpw0Tbw4lj60
aQakvOlrSEGvqfp4QGDjS+DWsTFLfJ5NlnTfefs6z/6C+qK2xnzK7TiLz31YHs/M
KKxLyh1XnJqnbs1FT9OsA0SO3xP2pOMLcgBqLMYVcm5jCMsCAwEAAaCB2TAZBgkq
hkiG9w0BCQcxDAwKVUc2QlVCWU5NWDCBuwYJKoZIhvcNAQkOMYGtMIGqMIGnBgNV
HREEgZ8wgZyHBAoAAAqHBAoAAAuGFmh0dHA6Ly93d3cuZ29vZ2xlLmNvbS+GFmh0
dHA6Ly93d3cuY29vZ2xlLmNvbS+ICSqGSIb3EgECAogJKoZIhvcSAQIDgRJmaXJz
dG9uZUBlbWFpbC5jb22BEHNlY29uZEBlbWFpbC5jb22CESouZmlyc3QxLmxoZGcu
Y29tgg9zZWNvbmQubGhkZy5jb20wDQYJKoZIhvcNAQELBQADggEBAOs6t+gy4XKP
n9ksNmUsXdaJouvcl/2brntdAflZ415InpBYY1UO2Zg0qMmdUrwW8zcwB6MENGJm
wwIaj6ELKy1tQkIMCyP6RQxULk/5oMdmdXS54ys2Zr1Ddl2pAsS/FYQC3vSpKniq
hn1agXAygFO/WY7sk5bwFsnhMtd8HKsbvQRQOvUDStYmFiFHkerSl3jMG/zN5991
2PKofBQVovwWcRfz5mqRBwKghcskjhOPi+Vhzew++dbY1c1Pt65Bl2McWbYKRpQ4
Cpu9NWdqq1rAT+bpe2/RYP1p8N5iSODy9CQZXMxCLcoBJeBIiduIDb3IwR5CcFrD
kRm5LTlDxqo=
-----END CERTIFICATE REQUEST-----'
MIIDsAYJKoZIhvcNAQcCoIIDoTCCA50CAQExADALBgkqhkiG9w0BBwGgggOFMIID
gTCCAyegAwIBAgIUKWcGWx95U+bVmEMhs4bC00sXyZgwCgYIKoZIzj0EAwIwbjEL
MAkGA1UEBhMCVVMxCzAJBgNVBAgTAlRYMRIwEAYDVQQHEwlHYWx2ZXN0b24xDjAM
BgNVBAkTBUdyZWVuMQ8wDQYDVQQREwY1NTU0MzIxDTALBgNVBAoTBDEzQWMxDjAM
BgNVBAMTBTEzSWNhMB4XDTIyMDUwNDE0NTEwOVoXDTIzMDUwNDE0NTEwOVowEjEQ
MA4GA1UEAwwHRVNUMkRjMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AKCbYowFi0EhyWmRuvAuKkAlKeMlA9l/a5iI3KhE8eyhSc2WS1cK2on9vQ06P2nt
ZIPhaWxOuGKe4ItlxliYkFX1QnAJDGQ59oqo6LLOAADYq7iXPJdHJddGxE8NAWLw
fjnI+pJaq6R9iVy2CQ4TlHYcB2MymDQ0IZ6P8ep7rqXvwt2A7lkhbC8FXVYOlStv
kC+YcHF7Q1nW2xoluPlgBytj85OHkccP2dv5mrJaeMmo/20dpfoKsQ6W2CiZ5/P7
q0LYrfjj4KhcDWSIFnvYj7v3J+tWsiFVbCw0LcCzmF2sXijORmPwhN/Gq8MCkXss
yoX5XvQblD0KvG2RIlo1bP8CAwEAAaOCATIwggEuMAwGA1UdEwEB/wQCMAAwHQYD
VR0OBBYEFBX/yz9BIXWSejnrcuDaTvrhKW57MB8GA1UdIwQYMBaAFPngxw4SQbIc
NOf8SEJhnjH0w9EMMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcD
AjB7BggrBgEFBQcBAQRvMG0wLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLnN0YWdl
Lm9uZS5kaWdpY2VydC5jb20wOwYIKwYBBQUHMAKGL2h0dHA6Ly9jYWNlcnRzLnN0
YWdlLm9uZS5kaWdpY2VydC5jb20vMTNJY2EuY3J0MDwGA1UdHwQ1MDMwMaAvoC2G
K2h0dHA6Ly9jcmwuc3RhZ2Uub25lLmRpZ2ljZXJ0LmNvbS8xM0ljYS5jcmwwCgYI
KoZIzj0EAwIDSAAwRQIgY1z2I53iGMTCubqb3R2pRd3o3TzNQV+/LkTQ1PQkQ/oC
IQCTL6XM71JHnIWNt0iYJBCoAbHQDsJ1yQY6Cl+crN+hyDEA%

Authenticate with client certificate

To enroll using a client certificate for authentication, you must have access to the client authentication certificate and its private key on the system where you run the curl command:

  • The client certificate must be issued from one of the trusted CAs configured in the Authentication method section of the certificate profile in Trust Lifecycle Manager. If the profile includes IP address restrictions in the Advanced settings > Valid list of IP addresses section, the client must connect from of the allowed IP addresses configured there.

  • Precede the EST Enrollment URL with clientauth, so it looks like: clientauth.one.digicert.com.

  • Use the cert parameter to specify the location of the authentication certificate file on the client.

  • Use the key parameter to specify the location of the private key for the authentication certificate.

  • All other curl command parameters work the same way as when using enrollment codes for authentication.

The following example shows a complete curl command to enroll a certificate using a client certificate for authentication when the client certificate is stored in a local file called `client.crt` and its key is stored in a file called `client.key`:

curl --location \
--request POST 'https://clientauth.one.digicert.com/mpki/api/v1/.well-known/est/201bf186-fe8e-4444-b8b8-233f794fb6f7/simpleenroll' \
--cert client.crt \
--key client.key \
--data-raw '-----BEGIN CERTIFICATE REQUEST-----
MIIE5DCCA8wCAQAwggHDMR0wGwYDVQQDDBR1c2VyIG11bHRpcGxlIHRlc3QgMjEb
MBkGA1UECwwSSGFpciBSZXNlYXJjaCBEZXB0MQ0wCwYDVQQLDARPVSAyMR0wGwYD
VQQKDBRMJkggRG9ncyBHcm9vbWluZyBSSTETMBEGA1UEBwwKUHJvdmlkZW5jZTEV
MBMGA1UECAwMUmhvZGUgSXNsYW5kMQswCQYDVQQGEwJVUzEOMAwGA1UEEQwFMDI4
NjAxEDAOBgNVBAkMB3N0cmVldDExEDAOBgNVBAkMB3N0cmVldDIxGzAZBgNVBAUT
EnNlcmlhbG51bWJlcnNlYXQwMjEfMB0GCSqGSIb3DQEJARYQbWFpbEBzdWJqZWN0
LmNvbTEnMCUGCSqGSIb3DQEJAgwYdGVzdFUgdW5zdHJ1Y3R1cmVkTmFtZSAxMScw
JQYJKoZIhvcNAQkCDBh0ZXN0VSB1bnN0cnVjdHVyZWROYW1lIDIxGzAZBgkqhkiG
9w0BCQgMDHVuc3RyIGFkZHIgMTEbMBkGCSqGSIb3DQEJCAwMdW5zdHIgYWRkciAy
MQ8wDQYDVQQNDAZkZXNjcjExDzANBgNVBA0MBmRlc2NyMjCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBAPS61hrGb0X80qpTf0dE2DD+IGPeXe5okkA72tE8
SO6qdpE8HJ7/JAq5E0ubuxaNDXbTtm84CEzmp//DqYBpweIlMupFNgRb/+CVeA2J
jRmcHx8ZZ5uMhcUbuQQPxgyGIbgsjbsW4LE81rG+YKkZ+yQ/lezkMiQD6tAVx1ci
r4M+g4gudUP1t6rQvnUPHVJMvFZjCurlNPBwlzm2gHmSviwplwfPWpw0Tbw4lj60
aQakvOlrSEGvqfp4QGDjS+DWsTFLfJ5NlnTfefs6z/6C+qK2xnzK7TiLz31YHs/M
KKxLyh1XnJqnbs1FT9OsA0SO3xP2pOMLcgBqLMYVcm5jCMsCAwEAAaCB2TAZBgkq
hkiG9w0BCQcxDAwKVUc2QlVCWU5NWDCBuwYJKoZIhvcNAQkOMYGtMIGqMIGnBgNV
HREEgZ8wgZyHBAoAAAqHBAoAAAuGFmh0dHA6Ly93d3cuZ29vZ2xlLmNvbS+GFmh0
dHA6Ly93d3cuY29vZ2xlLmNvbS+ICSqGSIb3EgECAogJKoZIhvcSAQIDgRJmaXJz
dG9uZUBlbWFpbC5jb22BEHNlY29uZEBlbWFpbC5jb22CESouZmlyc3QxLmxoZGcu
Y29tgg9zZWNvbmQubGhkZy5jb20wDQYJKoZIhvcNAQELBQADggEBAOs6t+gy4XKP
n9ksNmUsXdaJouvcl/2brntdAflZ415InpBYY1UO2Zg0qMmdUrwW8zcwB6MENGJm
wwIaj6ELKy1tQkIMCyP6RQxULk/5oMdmdXS54ys2Zr1Ddl2pAsS/FYQC3vSpKniq
hn1agXAygFO/WY7sk5bwFsnhMtd8HKsbvQRQOvUDStYmFiFHkerSl3jMG/zN5991
2PKofBQVovwWcRfz5mqRBwKghcskjhOPi+Vhzew++dbY1c1Pt65Bl2McWbYKRpQ4
Cpu9NWdqq1rAT+bpe2/RYP1p8N5iSODy9CQZXMxCLcoBJeBIiduIDb3IwR5CcFrD
kRm5LTlDxqo=
-----END CERTIFICATE REQUEST-----'

What's next

When the time comes, you can use curl to renew your certificate via EST.