- DigiCert product docs
- Trust Lifecycle Manager
- How-to guides
- Configure and test EST
- Renew certificates via EST
Renew certificates via EST
To renew a certificate from an EST-enabled profile in DigiCert® Trust Lifecycle Manager:
The certificate must be within the renewal window configured in the certificate profile.
The CSR must have same Subject DN values as the original certificate. You can reuse the original CSR or create a new CSR with the same Subject DN values.
Send the CSR to the EST Renewal URL (
simplereenroll
operation) for the certificate profile. This is provided at the time of profile creation and can be retrieved again at any time as follows:Select Policies > Certificate profiles from the Trust Lifecycle Manager main menu.
Select your EST-enabled profile by name to view the details for it.
Use the dropdown at the top of the profile details screen to copy the EST Renewal URL (simplereenroll). For example:
https://clientauth.one.digicert.com/mpki/api/v1/.well-known/est/201bf186-fe8e-4444-b8b8-233f794fb6f7/simplereenroll
Avviso
See Enroll using cURL for additional information about how to create a CSR and set up cURL or Postman to work with EST-based certificate requests.
Renew using cURL
Authenticate with enrollment code
If the original enrollment used an enrollment code for authentication:
Send the original certificate and its private key as proof of possession. Use the
cert
parameter to specify the filename of the certificate being renewed and thekey
parameter to specify the location of its corresponding private key. You do not need to send an authorization header in the renewal request.The CSR you send for renewal must have the same Subject DN values and be signed with the same private key as the original certificate.
The following example shows a complete curl
command to renew a certificate via EST when the original enrollment used an enrollment code for authentication:
curl --location \ --request POST 'https://clientauth.one.digicert.com/mpki/api/v1/.well-known/est/201bf186-fe8e-4444-b8b8-233f794fb6f7/simplereenroll' \ --header 'Content-Type: text/plain' \ --cert device.crt \ --key device.pem.key \ --data-raw '-----BEGIN CERTIFICATE REQUEST----- MIIE5DCCA8wCAQAwggHDMR0wGwYDVQQDDBR1c2VyIG11bHRpcGxlIHRlc3QgMjEb MBkGA1UECwwSSGFpciBSZXNlYXJjaCBEZXB0MQ0wCwYDVQQLDARPVSAyMR0wGwYD VQQKDBRMJkggRG9ncyBHcm9vbWluZyBSSTETMBEGA1UEBwwKUHJvdmlkZW5jZTEV MBMGA1UECAwMUmhvZGUgSXNsYW5kMQswCQYDVQQGEwJVUzEOMAwGA1UEEQwFMDI4 NjAxEDAOBgNVBAkMB3N0cmVldDExEDAOBgNVBAkMB3N0cmVldDIxGzAZBgNVBAUT EnNlcmlhbG51bWJlcnNlYXQwMjEfMB0GCSqGSIb3DQEJARYQbWFpbEBzdWJqZWN0 LmNvbTEnMCUGCSqGSIb3DQEJAgwYdGVzdFUgdW5zdHJ1Y3R1cmVkTmFtZSAxMScw JQYJKoZIhvcNAQkCDBh0ZXN0VSB1bnN0cnVjdHVyZWROYW1lIDIxGzAZBgkqhkiG 9w0BCQgMDHVuc3RyIGFkZHIgMTEbMBkGCSqGSIb3DQEJCAwMdW5zdHIgYWRkciAy MQ8wDQYDVQQNDAZkZXNjcjExDzANBgNVBA0MBmRlc2NyMjCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBAPS61hrGb0X80qpTf0dE2DD+IGPeXe5okkA72tE8 SO6qdpE8HJ7/JAq5E0ubuxaNDXbTtm84CEzmp//DqYBpweIlMupFNgRb/+CVeA2J jRmcHx8ZZ5uMhcUbuQQPxgyGIbgsjbsW4LE81rG+YKkZ+yQ/lezkMiQD6tAVx1ci r4M+g4gudUP1t6rQvnUPHVJMvFZjCurlNPBwlzm2gHmSviwplwfPWpw0Tbw4lj60 aQakvOlrSEGvqfp4QGDjS+DWsTFLfJ5NlnTfefs6z/6C+qK2xnzK7TiLz31YHs/M KKxLyh1XnJqnbs1FT9OsA0SO3xP2pOMLcgBqLMYVcm5jCMsCAwEAAaCB2TAZBgkq hkiG9w0BCQcxDAwKVUc2QlVCWU5NWDCBuwYJKoZIhvcNAQkOMYGtMIGqMIGnBgNV HREEgZ8wgZyHBAoAAAqHBAoAAAuGFmh0dHA6Ly93d3cuZ29vZ2xlLmNvbS+GFmh0 dHA6Ly93d3cuY29vZ2xlLmNvbS+ICSqGSIb3EgECAogJKoZIhvcSAQIDgRJmaXJz dG9uZUBlbWFpbC5jb22BEHNlY29uZEBlbWFpbC5jb22CESouZmlyc3QxLmxoZGcu Y29tgg9zZWNvbmQubGhkZy5jb20wDQYJKoZIhvcNAQELBQADggEBAOs6t+gy4XKP n9ksNmUsXdaJouvcl/2brntdAflZ415InpBYY1UO2Zg0qMmdUrwW8zcwB6MENGJm wwIaj6ELKy1tQkIMCyP6RQxULk/5oMdmdXS54ys2Zr1Ddl2pAsS/FYQC3vSpKniq hn1agXAygFO/WY7sk5bwFsnhMtd8HKsbvQRQOvUDStYmFiFHkerSl3jMG/zN5991 2PKofBQVovwWcRfz5mqRBwKghcskjhOPi+Vhzew++dbY1c1Pt65Bl2McWbYKRpQ4 Cpu9NWdqq1rAT+bpe2/RYP1p8N5iSODy9CQZXMxCLcoBJeBIiduIDb3IwR5CcFrD kRm5LTlDxqo= -----END CERTIFICATE REQUEST-----'
Authenticate with client certificate
If the original enrollment used a client certificate for authentication:
The client authentication certificate used for renewal must be issued by one of the trusted CAs configured in the Authentication method section of the certificate profile in Trust Lifecycle Manager. Use the
cert
parameter to specify the filename of the client authentication certificate and thekey
parameter to specify the location of its corresponding private key.The CSR you send for renewal must have the same Subject DN values as the original certificate. Sign it with the private key you want to use for the new certificate, which can be different than the original private key.
The following example shows a complete curl
command to renew a certificate via EST when the original enrollment used a client certificate for authentication:
curl --location \ --request POST 'https://clientauth.one.digicert.com/mpki/api/v1/.well-known/est/201bf186-fe8e-4444-b8b8-233f794fb6f7/simplereenroll' \ --header 'Content-Type: text/plain' \ --cert client.crt \ --key client.key \ --data-raw '-----BEGIN CERTIFICATE REQUEST----- MIIE5DCCA8wCAQAwggHDMR0wGwYDVQQDDBR1c2VyIG11bHRpcGxlIHRlc3QgMjEb MBkGA1UECwwSSGFpciBSZXNlYXJjaCBEZXB0MQ0wCwYDVQQLDARPVSAyMR0wGwYD VQQKDBRMJkggRG9ncyBHcm9vbWluZyBSSTETMBEGA1UEBwwKUHJvdmlkZW5jZTEV MBMGA1UECAwMUmhvZGUgSXNsYW5kMQswCQYDVQQGEwJVUzEOMAwGA1UEEQwFMDI4 NjAxEDAOBgNVBAkMB3N0cmVldDExEDAOBgNVBAkMB3N0cmVldDIxGzAZBgNVBAUT EnNlcmlhbG51bWJlcnNlYXQwMjEfMB0GCSqGSIb3DQEJARYQbWFpbEBzdWJqZWN0 LmNvbTEnMCUGCSqGSIb3DQEJAgwYdGVzdFUgdW5zdHJ1Y3R1cmVkTmFtZSAxMScw JQYJKoZIhvcNAQkCDBh0ZXN0VSB1bnN0cnVjdHVyZWROYW1lIDIxGzAZBgkqhkiG 9w0BCQgMDHVuc3RyIGFkZHIgMTEbMBkGCSqGSIb3DQEJCAwMdW5zdHIgYWRkciAy MQ8wDQYDVQQNDAZkZXNjcjExDzANBgNVBA0MBmRlc2NyMjCCASIwDQYJKoZIhvcN AQEBBQADggEPADCCAQoCggEBAPS61hrGb0X80qpTf0dE2DD+IGPeXe5okkA72tE8 SO6qdpE8HJ7/JAq5E0ubuxaNDXbTtm84CEzmp//DqYBpweIlMupFNgRb/+CVeA2J jRmcHx8ZZ5uMhcUbuQQPxgyGIbgsjbsW4LE81rG+YKkZ+yQ/lezkMiQD6tAVx1ci r4M+g4gudUP1t6rQvnUPHVJMvFZjCurlNPBwlzm2gHmSviwplwfPWpw0Tbw4lj60 aQakvOlrSEGvqfp4QGDjS+DWsTFLfJ5NlnTfefs6z/6C+qK2xnzK7TiLz31YHs/M KKxLyh1XnJqnbs1FT9OsA0SO3xP2pOMLcgBqLMYVcm5jCMsCAwEAAaCB2TAZBgkq hkiG9w0BCQcxDAwKVUc2QlVCWU5NWDCBuwYJKoZIhvcNAQkOMYGtMIGqMIGnBgNV HREEgZ8wgZyHBAoAAAqHBAoAAAuGFmh0dHA6Ly93d3cuZ29vZ2xlLmNvbS+GFmh0 dHA6Ly93d3cuY29vZ2xlLmNvbS+ICSqGSIb3EgECAogJKoZIhvcSAQIDgRJmaXJz dG9uZUBlbWFpbC5jb22BEHNlY29uZEBlbWFpbC5jb22CESouZmlyc3QxLmxoZGcu Y29tgg9zZWNvbmQubGhkZy5jb20wDQYJKoZIhvcNAQELBQADggEBAOs6t+gy4XKP n9ksNmUsXdaJouvcl/2brntdAflZ415InpBYY1UO2Zg0qMmdUrwW8zcwB6MENGJm wwIaj6ELKy1tQkIMCyP6RQxULk/5oMdmdXS54ys2Zr1Ddl2pAsS/FYQC3vSpKniq hn1agXAygFO/WY7sk5bwFsnhMtd8HKsbvQRQOvUDStYmFiFHkerSl3jMG/zN5991 2PKofBQVovwWcRfz5mqRBwKghcskjhOPi+Vhzew++dbY1c1Pt65Bl2McWbYKRpQ4 Cpu9NWdqq1rAT+bpe2/RYP1p8N5iSODy9CQZXMxCLcoBJeBIiduIDb3IwR5CcFrD kRm5LTlDxqo= -----END CERTIFICATE REQUEST-----'
Renew using Postman
Authenticate with enrollment code
If the original enrollment used an enrollment code for authentication, authenticate the renewal by sending the original certificate and its private key as proof of possession:
Select Settings from the top-right of the Postman window.
Select the Certificates tab.
In the Client certificates section, select Add certificate and specify values for the following:
Host: The base URL from the EST Renewal URL of your certificate profile in Trust Lifecycle Manager.
CRT file: Select the file for the PEM-encoded certificate being renewed.
KEY file: Select the file with the private key for the certificate being renewed.
When filled out, this screen should look similar to:
Avviso
As an alternative option, you can add a PFX file and its corresponding Passphrase for the certificate being renewed.
To send the Postman request for EST-based certificate renewal:
Create a new Postman request that uses the
POST
HTTP method and the EST Renewal URL (simplereenroll). You do not need an Authorization HTTP header, since the request will be authorized via the original certificate and its private key you configured above.Paste your PEM-encoded CSR into the Body of the request. The CSR must be signed with the same private key as the original certificate.
Select Send to submit the certificate enrollment request. If successful, you receive a 200 response message and the issued certificate.
Authenticate with client certificate
If the original enrollment used a client certificate for authentication, authenticate the renewal by sending a valid client certificate from one of the trusted CAs configured in the Authentication method section of the certificate profile. You can use the same client authentication certificate from the enrollment or add a new one in Postman as follows:
Select Settings from the top-right of the Postman window.
Select the Certificates tab.
In the Client certificates section, select Add certificate and specify values for the following:
Host: The base URL from the EST Renewal URL of your certificate profile in Trust Lifecycle Manager.
CRT file: Select the file for the PEM-encoded client authentication certificate.
KEY file: Select the file with the private key for the client authentication certificate.
When filled out, this screen should look similar to:
Avviso
As an alternative option, you can add a PFX file and its corresponding Passphrase for the client authentication certificate.
To send the Postman request for EST-based certificate renewal:
Create a new Postman request that uses the
POST
HTTP method and the EST Renewal URL (simplereenroll).Paste your PEM-encoded CSR into the Body of the request. Sign the CSR with the private key you want to use for the new certificate, which can be different than the original private key.
Select Send to submit the certificate enrollment request. If successful, you receive a 200 response message and the issued certificate.