Enroll using cURL
The following examples show how to use the curl
command-line client to enroll certificates from DigiCert® Trust Lifecycle Manager, authenticating with either an enrollment code or client certificate.
Avviso
The authentication method you use must match what's configured in the EST-enabled profile you are enrolling the certificate from in Trust Lifecycle Manager.
Authenticate with enrollment code
To enroll using an enrollment code for authentication, you must provide:
A valid enrollment code for an available seat that was pre-configured in Trust Lifecycle Manager.
The enrollment code must be sent as an authorization header in Base64-encoded format. For example:
Authorization: Basic <Base64-encoded-enrollment-code>
A CSR containing matching values for the certificate fields in the EST-enabled profile you are enrolling from in Trust Lifecycle Manager.
The CSR must be provided within the
data-raw
parameter as a PEM-encoded value. You can submit CSRs with without the Begin/End tags.The EST Enrollment URL for your certificate profile. This is provided at the time of profile creation and can be retrieved again at any time as follows:
Select Policies > Certificate profiles from the Trust Lifecycle Manager main menu.
Select your EST-enabled profile by name to view the details for it.
Use the dropdown at the top of the profile details screen to copy the EST Enrollment URL (simpleenroll). For example:
https://one.digicert.com/mpki/api/v1/.well-known/est/201bf186-fe8e-4444-b8b8-233f794fb6f7/simpleenroll
cURL request
The following example shows a complete curl
command to enroll a certificate via EST, authenticating with a Base64-encoded enrollment code:
curl --location \ --request POST 'https://one.digicert.com/mpki/api/v1/.well-known/est/201bf186-fe8e-4444-b8b8-233f794fb6f7/simpleenroll' \ --header 'Authorization: Basic NUNVQUNRVVZI' \ --header 'Content-Type: text/plain' \ --data-raw '-----BEGIN CERTIFICATE REQUEST----- MIIE5DCCA8wCAQAwggHDMR0wGwYDVQQDDBR1c2VyIG11bHRpcGxlIHRlc3QgMjEb MBkGA1UECwwSSGFpciBSZXNlYXJjaCBEZXB0MQ0wCwYDVQQLDARPVSAyMR0wGwYD VQQKDBRMJkggRG9ncyBHcm9vbWluZyBSSTETMBEGA1UEBwwKUHJvdmlkZW5jZTEV MBMGA1UECAwMUmhvZGUgSXNsYW5kMQswCQYDVQQGEwJVUzEOMAwGA1UEEQwFMDI4 NjAxEDAOBgNVBAkMB3N0cmVldDExEDAOBgNVBAkMB3N0cmVldDIxGzAZBgNVBAUT EnNlcmlhbG51bWJlcnNlYXQwMjEfMB0GCSqGSIb3DQEJARYQbWFpbEBzdWJqZWN0 LmNvbTEnMCUGCSqGSIb3DQEJAgwYdGVzdFUgdW5zdHJ1Y3R1cmVkTmFtZSAxMScw JQYJKoZIhvcNAQkCDBh0ZXN0VSB1bnN0cnVjdHVyZWROYW1lIDIxGzAZBgkqhkiG 9w0BCQgMDHVuc3RyIGFkZHIgMTEbMBkGCSqGSIb3DQEJCAwMdW5zdHIgYWRkciAy MQ8wDQYDVQQNDAZkZXNjcjExDzANBgNVBA0MBmRlc2NyMjCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBAPS61hrGb0X80qpTf0dE2DD+IGPeXe5okkA72tE8 SO6qdpE8HJ7/JAq5E0ubuxaNDXbTtm84CEzmp//DqYBpweIlMupFNgRb/+CVeA2J jRmcHx8ZZ5uMhcUbuQQPxgyGIbgsjbsW4LE81rG+YKkZ+yQ/lezkMiQD6tAVx1ci r4M+g4gudUP1t6rQvnUPHVJMvFZjCurlNPBwlzm2gHmSviwplwfPWpw0Tbw4lj60 aQakvOlrSEGvqfp4QGDjS+DWsTFLfJ5NlnTfefs6z/6C+qK2xnzK7TiLz31YHs/M KKxLyh1XnJqnbs1FT9OsA0SO3xP2pOMLcgBqLMYVcm5jCMsCAwEAAaCB2TAZBgkq hkiG9w0BCQcxDAwKVUc2QlVCWU5NWDCBuwYJKoZIhvcNAQkOMYGtMIGqMIGnBgNV HREEgZ8wgZyHBAoAAAqHBAoAAAuGFmh0dHA6Ly93d3cuZ29vZ2xlLmNvbS+GFmh0 dHA6Ly93d3cuY29vZ2xlLmNvbS+ICSqGSIb3EgECAogJKoZIhvcSAQIDgRJmaXJz dG9uZUBlbWFpbC5jb22BEHNlY29uZEBlbWFpbC5jb22CESouZmlyc3QxLmxoZGcu Y29tgg9zZWNvbmQubGhkZy5jb20wDQYJKoZIhvcNAQELBQADggEBAOs6t+gy4XKP n9ksNmUsXdaJouvcl/2brntdAflZ415InpBYY1UO2Zg0qMmdUrwW8zcwB6MENGJm wwIaj6ELKy1tQkIMCyP6RQxULk/5oMdmdXS54ys2Zr1Ddl2pAsS/FYQC3vSpKniq hn1agXAygFO/WY7sk5bwFsnhMtd8HKsbvQRQOvUDStYmFiFHkerSl3jMG/zN5991 2PKofBQVovwWcRfz5mqRBwKghcskjhOPi+Vhzew++dbY1c1Pt65Bl2McWbYKRpQ4 Cpu9NWdqq1rAT+bpe2/RYP1p8N5iSODy9CQZXMxCLcoBJeBIiduIDb3IwR5CcFrD kRm5LTlDxqo= -----END CERTIFICATE REQUEST-----'
cURL response
In response to the curl
command, Trust Lifecycle Manager sends back the new PEM-encoded certificate issued by the issuing CA configured in your certificate profile.
The following example shows a complete curl
request and the response from it:
curl --location \ --request POST 'https://one.digicert.com/mpki/api/v1/.well-known/est/201bf186-fe8e-4444-b8b8-233f794fb6f7/simpleenroll' \ --header 'Authorization: Basic NUNVQUNRVVZI' \ --header 'Content-Type: text/plain' \ --data-raw '-----BEGIN CERTIFICATE REQUEST----- MIIE5DCCA8wCAQAwggHDMR0wGwYDVQQDDBR1c2VyIG11bHRpcGxlIHRlc3QgMjEb MBkGA1UECwwSSGFpciBSZXNlYXJjaCBEZXB0MQ0wCwYDVQQLDARPVSAyMR0wGwYD VQQKDBRMJkggRG9ncyBHcm9vbWluZyBSSTETMBEGA1UEBwwKUHJvdmlkZW5jZTEV MBMGA1UECAwMUmhvZGUgSXNsYW5kMQswCQYDVQQGEwJVUzEOMAwGA1UEEQwFMDI4 NjAxEDAOBgNVBAkMB3N0cmVldDExEDAOBgNVBAkMB3N0cmVldDIxGzAZBgNVBAUT EnNlcmlhbG51bWJlcnNlYXQwMjEfMB0GCSqGSIb3DQEJARYQbWFpbEBzdWJqZWN0 LmNvbTEnMCUGCSqGSIb3DQEJAgwYdGVzdFUgdW5zdHJ1Y3R1cmVkTmFtZSAxMScw JQYJKoZIhvcNAQkCDBh0ZXN0VSB1bnN0cnVjdHVyZWROYW1lIDIxGzAZBgkqhkiG 9w0BCQgMDHVuc3RyIGFkZHIgMTEbMBkGCSqGSIb3DQEJCAwMdW5zdHIgYWRkciAy MQ8wDQYDVQQNDAZkZXNjcjExDzANBgNVBA0MBmRlc2NyMjCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBAPS61hrGb0X80qpTf0dE2DD+IGPeXe5okkA72tE8 SO6qdpE8HJ7/JAq5E0ubuxaNDXbTtm84CEzmp//DqYBpweIlMupFNgRb/+CVeA2J jRmcHx8ZZ5uMhcUbuQQPxgyGIbgsjbsW4LE81rG+YKkZ+yQ/lezkMiQD6tAVx1ci r4M+g4gudUP1t6rQvnUPHVJMvFZjCurlNPBwlzm2gHmSviwplwfPWpw0Tbw4lj60 aQakvOlrSEGvqfp4QGDjS+DWsTFLfJ5NlnTfefs6z/6C+qK2xnzK7TiLz31YHs/M KKxLyh1XnJqnbs1FT9OsA0SO3xP2pOMLcgBqLMYVcm5jCMsCAwEAAaCB2TAZBgkq hkiG9w0BCQcxDAwKVUc2QlVCWU5NWDCBuwYJKoZIhvcNAQkOMYGtMIGqMIGnBgNV HREEgZ8wgZyHBAoAAAqHBAoAAAuGFmh0dHA6Ly93d3cuZ29vZ2xlLmNvbS+GFmh0 dHA6Ly93d3cuY29vZ2xlLmNvbS+ICSqGSIb3EgECAogJKoZIhvcSAQIDgRJmaXJz dG9uZUBlbWFpbC5jb22BEHNlY29uZEBlbWFpbC5jb22CESouZmlyc3QxLmxoZGcu Y29tgg9zZWNvbmQubGhkZy5jb20wDQYJKoZIhvcNAQELBQADggEBAOs6t+gy4XKP n9ksNmUsXdaJouvcl/2brntdAflZ415InpBYY1UO2Zg0qMmdUrwW8zcwB6MENGJm wwIaj6ELKy1tQkIMCyP6RQxULk/5oMdmdXS54ys2Zr1Ddl2pAsS/FYQC3vSpKniq hn1agXAygFO/WY7sk5bwFsnhMtd8HKsbvQRQOvUDStYmFiFHkerSl3jMG/zN5991 2PKofBQVovwWcRfz5mqRBwKghcskjhOPi+Vhzew++dbY1c1Pt65Bl2McWbYKRpQ4 Cpu9NWdqq1rAT+bpe2/RYP1p8N5iSODy9CQZXMxCLcoBJeBIiduIDb3IwR5CcFrD kRm5LTlDxqo= -----END CERTIFICATE REQUEST-----' MIIDsAYJKoZIhvcNAQcCoIIDoTCCA50CAQExADALBgkqhkiG9w0BBwGgggOFMIID gTCCAyegAwIBAgIUKWcGWx95U+bVmEMhs4bC00sXyZgwCgYIKoZIzj0EAwIwbjEL MAkGA1UEBhMCVVMxCzAJBgNVBAgTAlRYMRIwEAYDVQQHEwlHYWx2ZXN0b24xDjAM BgNVBAkTBUdyZWVuMQ8wDQYDVQQREwY1NTU0MzIxDTALBgNVBAoTBDEzQWMxDjAM BgNVBAMTBTEzSWNhMB4XDTIyMDUwNDE0NTEwOVoXDTIzMDUwNDE0NTEwOVowEjEQ MA4GA1UEAwwHRVNUMkRjMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB AKCbYowFi0EhyWmRuvAuKkAlKeMlA9l/a5iI3KhE8eyhSc2WS1cK2on9vQ06P2nt ZIPhaWxOuGKe4ItlxliYkFX1QnAJDGQ59oqo6LLOAADYq7iXPJdHJddGxE8NAWLw fjnI+pJaq6R9iVy2CQ4TlHYcB2MymDQ0IZ6P8ep7rqXvwt2A7lkhbC8FXVYOlStv kC+YcHF7Q1nW2xoluPlgBytj85OHkccP2dv5mrJaeMmo/20dpfoKsQ6W2CiZ5/P7 q0LYrfjj4KhcDWSIFnvYj7v3J+tWsiFVbCw0LcCzmF2sXijORmPwhN/Gq8MCkXss yoX5XvQblD0KvG2RIlo1bP8CAwEAAaOCATIwggEuMAwGA1UdEwEB/wQCMAAwHQYD VR0OBBYEFBX/yz9BIXWSejnrcuDaTvrhKW57MB8GA1UdIwQYMBaAFPngxw4SQbIc NOf8SEJhnjH0w9EMMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcD AjB7BggrBgEFBQcBAQRvMG0wLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLnN0YWdl Lm9uZS5kaWdpY2VydC5jb20wOwYIKwYBBQUHMAKGL2h0dHA6Ly9jYWNlcnRzLnN0 YWdlLm9uZS5kaWdpY2VydC5jb20vMTNJY2EuY3J0MDwGA1UdHwQ1MDMwMaAvoC2G K2h0dHA6Ly9jcmwuc3RhZ2Uub25lLmRpZ2ljZXJ0LmNvbS8xM0ljYS5jcmwwCgYI KoZIzj0EAwIDSAAwRQIgY1z2I53iGMTCubqb3R2pRd3o3TzNQV+/LkTQ1PQkQ/oC IQCTL6XM71JHnIWNt0iYJBCoAbHQDsJ1yQY6Cl+crN+hyDEA%
Authenticate with client certificate
To enroll using a client certificate for authentication, you must have access to the client authentication certificate and its private key on the system where you run the curl
command:
The client certificate must be issued from one of the trusted CAs configured in the Authentication method section of the certificate profile in Trust Lifecycle Manager. If the profile includes IP address restrictions in the Advanced settings > Valid list of IP addresses section, the client must connect from of the allowed IP addresses configured there.
Precede the EST Enrollment URL with
clientauth
, so it looks like:clientauth.one.digicert.com
.Use the
cert
parameter to specify the location of the authentication certificate file on the client.Use the
key
parameter to specify the location of the private key for the authentication certificate.All other
curl
command parameters work the same way as when using enrollment codes for authentication.
The following example shows a complete curl
command to enroll a certificate using a client certificate for authentication when the client certificate is stored in a local file called `client.crt` and its key is stored in a file called `client.key`:
curl --location \ --request POST 'https://clientauth.one.digicert.com/mpki/api/v1/.well-known/est/201bf186-fe8e-4444-b8b8-233f794fb6f7/simpleenroll' \ --cert client.crt \ --key client.key \ --data-raw '-----BEGIN CERTIFICATE REQUEST----- MIIE5DCCA8wCAQAwggHDMR0wGwYDVQQDDBR1c2VyIG11bHRpcGxlIHRlc3QgMjEb MBkGA1UECwwSSGFpciBSZXNlYXJjaCBEZXB0MQ0wCwYDVQQLDARPVSAyMR0wGwYD VQQKDBRMJkggRG9ncyBHcm9vbWluZyBSSTETMBEGA1UEBwwKUHJvdmlkZW5jZTEV MBMGA1UECAwMUmhvZGUgSXNsYW5kMQswCQYDVQQGEwJVUzEOMAwGA1UEEQwFMDI4 NjAxEDAOBgNVBAkMB3N0cmVldDExEDAOBgNVBAkMB3N0cmVldDIxGzAZBgNVBAUT EnNlcmlhbG51bWJlcnNlYXQwMjEfMB0GCSqGSIb3DQEJARYQbWFpbEBzdWJqZWN0 LmNvbTEnMCUGCSqGSIb3DQEJAgwYdGVzdFUgdW5zdHJ1Y3R1cmVkTmFtZSAxMScw JQYJKoZIhvcNAQkCDBh0ZXN0VSB1bnN0cnVjdHVyZWROYW1lIDIxGzAZBgkqhkiG 9w0BCQgMDHVuc3RyIGFkZHIgMTEbMBkGCSqGSIb3DQEJCAwMdW5zdHIgYWRkciAy MQ8wDQYDVQQNDAZkZXNjcjExDzANBgNVBA0MBmRlc2NyMjCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBAPS61hrGb0X80qpTf0dE2DD+IGPeXe5okkA72tE8 SO6qdpE8HJ7/JAq5E0ubuxaNDXbTtm84CEzmp//DqYBpweIlMupFNgRb/+CVeA2J jRmcHx8ZZ5uMhcUbuQQPxgyGIbgsjbsW4LE81rG+YKkZ+yQ/lezkMiQD6tAVx1ci r4M+g4gudUP1t6rQvnUPHVJMvFZjCurlNPBwlzm2gHmSviwplwfPWpw0Tbw4lj60 aQakvOlrSEGvqfp4QGDjS+DWsTFLfJ5NlnTfefs6z/6C+qK2xnzK7TiLz31YHs/M KKxLyh1XnJqnbs1FT9OsA0SO3xP2pOMLcgBqLMYVcm5jCMsCAwEAAaCB2TAZBgkq hkiG9w0BCQcxDAwKVUc2QlVCWU5NWDCBuwYJKoZIhvcNAQkOMYGtMIGqMIGnBgNV HREEgZ8wgZyHBAoAAAqHBAoAAAuGFmh0dHA6Ly93d3cuZ29vZ2xlLmNvbS+GFmh0 dHA6Ly93d3cuY29vZ2xlLmNvbS+ICSqGSIb3EgECAogJKoZIhvcSAQIDgRJmaXJz dG9uZUBlbWFpbC5jb22BEHNlY29uZEBlbWFpbC5jb22CESouZmlyc3QxLmxoZGcu Y29tgg9zZWNvbmQubGhkZy5jb20wDQYJKoZIhvcNAQELBQADggEBAOs6t+gy4XKP n9ksNmUsXdaJouvcl/2brntdAflZ415InpBYY1UO2Zg0qMmdUrwW8zcwB6MENGJm wwIaj6ELKy1tQkIMCyP6RQxULk/5oMdmdXS54ys2Zr1Ddl2pAsS/FYQC3vSpKniq hn1agXAygFO/WY7sk5bwFsnhMtd8HKsbvQRQOvUDStYmFiFHkerSl3jMG/zN5991 2PKofBQVovwWcRfz5mqRBwKghcskjhOPi+Vhzew++dbY1c1Pt65Bl2McWbYKRpQ4 Cpu9NWdqq1rAT+bpe2/RYP1p8N5iSODy9CQZXMxCLcoBJeBIiduIDb3IwR5CcFrD kRm5LTlDxqo= -----END CERTIFICATE REQUEST-----'
What's next
When the time comes, you can use curl
to renew your certificate via EST.