
Import certificates via REST API

To import third-party (external) certificates using the REST API service for DigiCert® Trust Lifecycle Manager:

  • Review the documentation for the certificate-import API endpoint. For details, see API reference.

  • Prepare all the certificates you wish to upload into your Trust Lifecycle Manager account. Each certificate must be sent to the certificate-import API endpoint as a request body parameter in a single line, in one of the following formats:

    • x509: PEM-encoded X.509 certificate.

    • pkcs12: PEM-encoded, password-protected certificate and private key.

  • If uploading a certificate in PKCS12 format, include an additional password field in your request with the associated password. Trust Lifecycle Manager supports key recovery for certificates uploaded in PKCS12 format.

  • If any of the certificates being uploaded have been revoked, use the revocation object in the request body to set the revoked flag to true and set the reason and revoke_date properties.

  • You can optionally assign a tag_name to the imported certificates to help identify them. Each tag can have associated email expiration notification templates, with custom instructions for how to get a new certificate from the DigiCert® Trust Lifecycle Manager application.

Example request and response for valid certificate

Below is an example REST API request and response for uploading a valid certificate and private key in PKCS12 format, along with its associated password. Note that the certificate status in the response is issued, which indicates a valid certificate.

Uploading revoked certificates

Revocation reasons

When uploading a revoked certificate, you must provide a revocation reason and revocation date. Supported revocation reasons:

  • aa_compromise

  • affiliation_change

  • cessation_of_operation

  • key_compromise

  • privilege_withdrawn

  • superseded

  • unspecified

Example request and response for revoked certificate

Below is an example REST API request and response for uploading a revoked certificate in PEM-encoded X.509 format. Note the revocation field in the request and the certificate status revoked in the response.

Uploading suspended certificates

A certificate can only be uploaded in a suspended state if the issuing CA has been imported into DigiCert® Private CA (see Before you begin). Use the revocation date field to specify when the certificate was suspended. For the revocation reason use:

  • certificate_hold

Warning

If you upload a suspended third-party certificate with this revocation reason, and the issuing CA has not been imported into DigiCert Private CA, we will automatically convert the revocation reason to unspecified.
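The following is an added example, not DigiCert's own code, showing one way to validate inputs and assemble the request body described on this page before sending it to the certificate-import endpoint. The key names certificate and format, the UTC timestamp layout for revoke_date, setting revoked to true for a hold, and reading "single line" as the PEM text with its line breaks removed are assumptions to confirm against the API reference; the sample certificate is a constructed placeholder.

```python
import json
from datetime import datetime, timezone

# Reasons listed on this page; certificate_hold marks a suspended certificate.
REASONS = {"aa_compromise", "affiliation_change", "cessation_of_operation",
           "key_compromise", "privilege_withdrawn", "superseded",
           "unspecified", "certificate_hold"}

# Constructed placeholder, not a real certificate.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtU0FNUExF
-----END CERTIFICATE-----
"""

def single_line(pem):
    """Assumption: 'single line' means the PEM text with its line breaks removed."""
    return "".join(part.strip() for part in pem.strip().splitlines())

def build_import_body(cert, fmt, password=None, reason=None,
                      revoke_date=None, tag_name=None):
    """Validate the inputs and return the request body as a dict."""
    if fmt not in ("x509", "pkcs12"):
        raise ValueError("format must be x509 or pkcs12")
    # Design choice in this example: never send a password unless it is needed.
    if (fmt == "pkcs12") != bool(password):
        raise ValueError("send a password with pkcs12, and only with pkcs12")
    # "certificate" and "format" are hypothetical key names.
    body = {"certificate": single_line(cert), "format": fmt}
    if password:
        body["password"] = password
    if reason is not None or revoke_date is not None:
        if reason not in REASONS:
            raise ValueError(f"unsupported revocation reason: {reason!r}")
        if revoke_date is None or revoke_date.tzinfo is None:
            raise ValueError("revoke_date must be a timezone-aware datetime")
        stamp = revoke_date.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        # Assumptions: UTC ISO 8601 timestamp; revoked=True also used for a hold.
        body["revocation"] = {"revoked": True, "reason": reason, "revoke_date": stamp}
    if tag_name:
        body["tag_name"] = tag_name
    return body

if __name__ == "__main__":
    when = datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc)
    print(json.dumps(build_import_body(SAMPLE_PEM, "x509", reason="key_compromise",
                                       revoke_date=when, tag_name="legacy-ca"), indent=2))
```

Rejecting an unlisted reason or a missing date locally avoids importing a certificate with the wrong status; the PKCS12 password is a secret and should be read from a secret store rather than written into scripts or logs.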
