
Enroll using Postman

The following examples show how to use the Postman API client to enroll certificates from DigiCert® Trust Lifecycle Manager, authenticating with either an enrollment code or client certificate.

Notice

The authentication method you use must match what's configured in the EST-enabled profile you are enrolling the certificate from in Trust Lifecycle Manager.

Authenticate with enrollment code

To enroll using an enrollment code for authentication, you must provide:

  • A valid enrollment code for an available seat that was pre-configured in Trust Lifecycle Manager.

    The enrollment code must be sent as an authorization header in Base64-encoded format. For example:

    Authorization: Basic <Base64-encoded-enrollment-code>

  • A CSR containing matching values for the certificate fields in the EST-enabled profile you are enrolling from in Trust Lifecycle Manager.

    The CSR must be provided within the data-raw parameter as a PEM-encoded value. You can submit CSRs with or without the Begin/End tags.

  • The EST Enrollment URL for your certificate profile. This is provided at the time of profile creation and can be retrieved again at any time as follows:

    1. Select Policies > Certificate profiles from the Trust Lifecycle Manager main menu.

    2. Select your EST-enabled profile by name to view the details for it.

    3. Use the dropdown at the top of the profile details screen to copy the EST Enrollment URL (simpleenroll). For example:

      https://one.digicert.com/mpki/api/v1/.well-known/est/201bf186-fe8e-4444-b8b8-233f794fb6f7/simpleenroll

Postman request and response

To send a Postman request for EST-based certificate enrollment using an enrollment code for authentication:

  1. Create a new Postman request that uses the POST HTTP method and the EST Enrollment URL (simpleenroll).

  2. Add an Authorization HTTP header under the Headers section, as follows:

    Authorization: Basic <Base64-encoded-enrollment-code>

  3. Paste your PEM-encoded CSR into the Body of the request.

  4. Select Send to submit the certificate enrollment request. If successful, you receive a 200 response message and the issued certificate.


Authenticate with client certificate

To enroll using a client certificate for authentication, you must have access to the client authentication certificate and its private key on the system where you run Postman.

  • The client certificate must be issued from one of the trusted CAs configured in the Authentication method section of the certificate profile in Trust Lifecycle Manager.

  • If the profile includes IP address restrictions in the Advanced settings > Valid list of IP addresses section, the client must connect from one of the allowed IP addresses configured there.

Add the client authentication certificate

To add the client authentication certificate in Postman:

  1. Select Settings from the top-right of the Postman window.

  2. Select the Certificates tab.

  3. In the Client certificates section, select Add certificate and specify values for the following:

    • Host: The base URL from the EST Enrollment URL of your certificate profile in Trust Lifecycle Manager. Precede the URL with clientauth, so it looks like: clientauth.stage.one.digicert.com.

    • CRT file: Select the file for the PEM-encoded client authentication certificate.

    • KEY file: Select the file with the private key for the client authentication certificate.


    Notice

    As an alternative option, you can add a PFX file and its corresponding Passphrase for the client authentication certificate. As usual, the certificate must be issued from one of the trusted CAs configured in the Authentication method section of the certificate profile in Trust Lifecycle Manager.

Postman request and response

After adding the client authentication certificate in Postman, request EST-based certificate enrollment as follows:

  1. Create a new Postman request that uses the POST HTTP method and the EST Enrollment URL (simpleenroll). Precede the URL with clientauth, so it looks like: clientauth.one.digicert.com.

  2. Paste your PEM-encoded CSR into the Body of the request.

  3. Select Send to submit the certificate enrollment request. If successful, you receive a 200 response message and the issued certificate.
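The two requests described above can also be assembled outside Postman for review or automation. The following is an added example, not DigiCert code: it builds (without sending) the simpleenroll POST for either authentication mode and checks the CSR before it leaves the machine. The function names, the sample enrollment code, and the stand-in CSR are assumptions made for illustration, and the Content-Type value comes from RFC 7030 rather than from this page.

```python
import base64
import re
import urllib.request
from urllib.parse import urlsplit, urlunsplit

# Example URL from this page; the enrollment code and CSR below are constructed.
SAMPLE_URL = ("https://one.digicert.com/mpki/api/v1/.well-known/est/"
              "201bf186-fe8e-4444-b8b8-233f794fb6f7/simpleenroll")
SAMPLE_CODE = "test-code"  # constructed placeholder, not a real enrollment code
# Constructed stand-in: a 5-byte DER SEQUENCE in CSR armor, not a real PKCS#10 request.
SAMPLE_CSR = ("-----BEGIN CERTIFICATE REQUEST-----\n"
              + base64.b64encode(b"\x30\x03\x02\x01\x00").decode()
              + "\n-----END CERTIFICATE REQUEST-----\n")

def normalize_csr(csr_text):
    """Accept a CSR with or without Begin/End tags; return bare Base64."""
    body = re.sub(r"-----(BEGIN|END)( NEW)? CERTIFICATE REQUEST-----", "", csr_text)
    b64 = "".join(body.split())
    der = base64.b64decode(b64, validate=True)  # raises ValueError on non-Base64
    if not der or der[0] != 0x30:  # DER of a CSR starts with an ASN.1 SEQUENCE tag
        raise ValueError("CSR body does not decode to a DER SEQUENCE")
    return b64

def build_enroll_request(est_url, csr_text, enrollment_code=None):
    """Build (but do not send) the POST; no enrollment_code means client-cert mode."""
    parts = urlsplit(est_url)
    if parts.scheme != "https" or not parts.path.endswith("/simpleenroll"):
        raise ValueError("expected an https EST Enrollment URL ending in /simpleenroll")
    # Content type per RFC 7030 simple enrollment; the page itself does not state it.
    headers = {"Content-Type": "application/pkcs10"}
    host = parts.netloc
    if enrollment_code is not None:
        # Per the page: the enrollment code, Base64-encoded, in a Basic header.
        token = base64.b64encode(enrollment_code.encode()).decode()
        headers["Authorization"] = "Basic " + token
    elif not host.startswith("clientauth."):
        # Per the page: client-certificate requests go to the clientauth host.
        host = "clientauth." + host
    url = urlunsplit(parts._replace(netloc=host))
    return urllib.request.Request(url, data=normalize_csr(csr_text).encode(),
                                  headers=headers, method="POST")

if __name__ == "__main__":
    req = build_enroll_request(SAMPLE_URL, SAMPLE_CSR, SAMPLE_CODE)
    print(req.get_method(), req.full_url, req.header_items(), req.data)
```

In client-certificate mode the returned request carries no Authorization header; the certificate and key are supplied by whatever TLS client sends it, as with the Postman certificate settings above.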

What's next

When the time comes, you can use Postman to renew your certificate via EST.