Self-service portal
With the DigiCert® Trust Lifecycle Manager self-service portal, end users can search, download, or manage their own certificates.
Enable the self-service portal to empower your users to become more self-sufficient and lessen the burden on your administrators and support staff.
Certificate types
The following certificate types can be accessed from the self-service portal:
Certificates issued through Trust Lifecycle Manager from a certificate profile with the Enable self-service portal option enabled and an issuing CA in DigiCert® CA Manager or CertCentral.
Certificates discovered or imported into Trust Lifecycle Manager from external sources. You can use the self-service portal settings to control whether to expose these certificates to end users.
Portal types
Trust Lifecycle Manager provides two different portal types that end users can use to search/download or manage their certificates. You can enable one or both of these in the self-service portal settings:
Open portal: Does not authenticate users and only supports a limited set of self-service actions.
Authenticated portal: Authenticates users via SAML and supports more extensive self-service management actions after verifying the user's identity.
After enabling one of these portal types, the system generates a unique portal URL and QR code to share with end users who need access to it.
Available self-service actions
Available self-service actions depend on the portal type. When you configure the portal, you select which actions to allow.
注記
You can allow different self-service management operations for discovered/imported certificates versus those issued through Trust Lifecycle Manager. For certificates issued through Trust Lifecycle Manager, you can allow different management operations per certificate profile.
Open portal
The open portal does not authenticate users and only supports the following self-service actions:
Action | Description |
---|---|
Search | Search for an existing certificate. The user must know the exact common name, email address, or serial number. |
Download | Download a certificate after a successful search or a new enrollment. |
Revocation | Request revocation of an existing certificate. The request gets sent to the email address in the certificate's Note: Enable this feature with caution, understanding the risk of being able to revoke someone else’s certificate if you have access to their email account. |
Authenticated portal
The authenticated portal verifies users' identities via SAML. Once authenticated, users can access and manage certificates that meet any of the following criteria:
Issued from a certificate profile that uses the
SAML IdP
authentication method and is configured to allow access from the user's SAML NameID.The certificate requester field in Trust Lifecycle Manager matches the user's SAML NameID.
The certificate’s
SubjectDN:email
orSAN:rfc822Name
field includes the user's SAML NameID.
Authenticated users can perform the following self-service actions to request and manage new certificate enrollments:
Action | Description |
---|---|
Enrollment | Enroll new certificates from a certificate profile with the self-service portal option enabled and the following criteria:
|
Pick up | Pick up a new certificate after administrator approval. |
Cancel | Cancel pickup of an approved certificate request. |
To manage their existing certificates, authenticated users can perform the following self-service actions:
Action | Description |
---|---|
Renewal | Renew certificates that are approaching expiration and within the renewal window. |
Revocation | Permanently revoke certificates. |
Suspend/Resume | Temporarily suspend certificates or resume suspended ones. |
Key recovery | Recover certificates and keys with escrowing enabled:
|
Enable self-service portal access
Follow these steps to enable the open and/or authenticated self-service portals.
Before you begin
The Trust Lifecycle Manager Self-service portal feature must be enabled for your account. Contact your DigiCert account representative to verify or enable this feature.
To configure the self-service portal settings, you need the SSP Manager user role for Trust Lifecycle Manager or a custom user role that includes the
SSP Portal config
permission. To learn more, see Users and access.
From the Trust Lifecycle Manager main menu, select Account > Settings > Self-service portal.
If the self-service portal has not previously been enabled for your account, you see a basic overview page about this feature. Select the Start configuring button to proceed with configuring the self-service portal.
If one of the portals was previously enabled, you see the details page instead. Select the edit (pencil) icon to update the configuration.
In the Open portal tab, make sure the Enable open portal option is selected.
Under Discovery/Imported certificates, select whether to include visibility of certificates that were discovered or imported into Trust Lifecycle Manager. If you enable this option, also select whether to allow users to request revocation of these certificates from the open portal.
The Portal-enabled certificate profiles section lists applicable certificate profiles with the Enable self-service portal option enabled. Certificates issued from these profiles are always visible from the open portal.
The Allowed operations column shows which operations are allowed for each certificate profile from the open portal. You can manage the allowed operations from either the self-service portal settings or the profile configuration wizard.
Use the edit (pencil) icon to update the allowed operations for certificates issued from a particular profile. To allow users to request revocation of certificates from the open portal, enable the Revocation operation for that certificate profile.
Select the Save button at the bottom of the screen to save your changes.
On the details page, copy the Portal URL and/or QR code for the open portal. Provide these to end users so they can access the open portal with the options you configured.
From the Trust Lifecycle Manager main menu, select Account > Settings > Self-service portal.
If the self-service portal has not previously been enabled for your account, you see a basic overview page about this feature. Select the Start configuring button to proceed with configuring the self-service portal.
If one of the portals was previously enabled, you see the details page instead. Select the edit (pencil) icon to update the configuration.
In the Authenticated portal tab, make sure the Enable authenticated portal option is selected.
Add the details about your SAML identity provider (IdP) in the SAML authentication section. Trust Lifecycle Manager uses these parameters to authenticate users who attempt to access the self-service portal.
You can configure your SAML IdP details in one of two ways:
Dynamic configuration (recommended): Download the XML metadata file from your SAML IdP and use it to dynamically configure the self-service portal by uploading the XML file into the designated area, verifying the parsed values, and making changes if needed.
Manual configuration: Manually enter the IdP parameters including the single sign-on authentication URL,
Issuer
field identifier, and IdP certificate.
Signing options: Select the types of SAML messages Trust Lifecycle Manager should sign with its own certificate when communicating with the SAML IdP.
注記
Trust Lifecycle Manager acts as the SAML service provider (SP) when authenticating self-service portal users. Refer to your IdP's documentation to determine which signing options your IdP supports and expects from the SP.
Discovery/Imported certificates: Select whether to include visibility of certificates that were discovered or imported into Trust Lifecycle Manager. If you enable this option, also select which self-service operations users are allowed to perform on these certificates from the authenticated portal.
Manage tab visibility: Select whether or not to include the following tabs/sections in the authenticated portal:
Certificate requests: Allows end users to enroll new certificates from profiles enabled for self-service access.
Manage requests: Allows end users to manage enrollments and download new certificates requested through the self-service portal.
注記
You can safely disable these tabs if none of your certificate profiles have the Enable self-service portal option enabled, or if you want to prevent users from enrolling new certificates from the self-service portal.
The Portal-enabled certificate profiles section lists applicable certificate profiles with the Enable self-service portal option enabled. Certificates issued from these profiles are always visible from the authenticated portal.
The Allowed operations column shows which operations are allowed for each certificate profile from the authenticated portal. You can manage the allowed operations from either the self-service portal settings or the profile configuration wizard.
Use the edit (pencil) icon to update the allowed operations for certificates issued from a particular profile.
Select the Save button at the bottom of the screen to save your changes.
On the details page, copy the Portal URL and/or QR code for the authenticated portal. Provide these to end users so they can access the authenticated portal with the options you configured.
Disable or re-enable portal access
Edit the self-service portal settings to disable or re-enable access to either the open or authenticated portal:
From the Trust Lifecycle Manager main menu, select Account > Settings > Self-service portal.
Select the edit (pencil) icon on the right.
Deselect the Enable open portal or Enable authenticated portal option to disable it, or select this option to re-enable access.
Select the Save button to apply the changes.
Verify the self-service portal configuration
To verify the portal details, select Account > Settings > Self-service portal from the Trust Lifecycle Manager main menu.
Use the Open portal and Authentication portal tabs to check the current settings for the two portal types:
The Enabled field shows whether each portal type is enabled or not.
If enabled, the display shows the Portal URL and QR code used to access that portal, along with the current configuration options for it.
The profiles table at bottom lists applicable certificate profiles with the self-service portal enabled. For the authenticated portal, the Enrollment URL column shows the URL for enrolling new certificates from the profile (if the enrollment operation is allowed). The enrollment URL is also shown on the profile details page.
Apply branding to the self-service portal
Use the Account > Settings > Branding function to customize public-facing pages including the self-service portal.
To learn more, see Branding.