Self-service portal

With the DigiCert® Trust Lifecycle Manager self-service portal, end users can download, manage, or enroll their own certificates from their web browser.

注記

To learn how to enable the self-service portal, refer to the documentation under Set up your account. This page focuses on available self-service actions for end users once the portal is enabled.

Certificate types

The following certificate types can be accessed from the self-service portal:

Certificates issued through Trust Lifecycle Manager from a certificate profile with the Enable self-service portal option enabled and an issuing CA in DigiCert® Private CA or CertCentral.
Certificates discovered or imported into Trust Lifecycle Manager from external sources. You can use the self-service portal settings to control whether to expose these certificates to end users.

Portal types

Trust Lifecycle Manager provides two different portal types. You can enable one or both of these in the self-service portal settings:

Open portal: Does not authenticate users and only supports a limited set of self-service actions.
Authenticated portal: Authenticates users via SAML and supports more extensive self-service management actions after verifying the user's identity.

After enabling one of these portal types, the system generates a unique portal URL and QR code to share with end users who need access to it.

Get the portal URLs and QR codes

Go to your account settings to get the URLs for the open or authenticated portals or QR codes for scanning the URLs. Provide these to users so they can access the portals from their web browsers and use the self-service actions.

To get the URLs or QR codes for the self-service portal:

From the Trust Lifecycle Manager menu, go to Account > Settings > Self-service portal.
Select the tab for either the Open portal or Authenticated portal.
Copy the QR code or Portal URL to provide to users. Scanning the QR code opens the corresponding URL.
重要
If the QR code and portal URL show "—", that portal type is not enabled. For details, see Enable self-service portal access.

Available self-service actions

Users can download, manage, and enroll certificates from the self-service portal, depending on the portal type and how it's configured. The following tables list the supported actions by portal type.

Open portal

The open portal does not authenticate users and only supports the following self-service actions:

Action	Description
Search	Search for an existing certificate. The user must know the exact common name, email address, or serial number.
Download	Download a certificate after a successful search or a new enrollment.
Revocation	Request revocation of an existing certificate. The request gets sent to the email address in the certificate's `SubjectDN:email` or `SAN:rfc822Name` field, with a link to verify and complete the revocation process. Note: Enable this feature with caution, understanding the risk of being able to revoke someone else’s certificate if you have access to their email account.

Action

Description

Search

Search for an existing certificate. The user must know the exact common name, email address, or serial number.

Download

Download a certificate after a successful search or a new enrollment.

Revocation

Request revocation of an existing certificate. The request gets sent to the email address in the certificate's SubjectDN:email or SAN:rfc822Name field, with a link to verify and complete the revocation process.

Note: Enable this feature with caution, understanding the risk of being able to revoke someone else’s certificate if you have access to their email account.

Authenticated portal

The authenticated portal verifies users' identities via SAML. Once authenticated, users can access and manage certificates that meet any of the following criteria:

Certificate matching criteria	How to search
Issued from a certificate profile that uses the `SAML IdP` authentication method and is configured to allow access from the user's SAML NameID.	These certificates get automatically loaded when the user logs into the authenticated portal. They can be searched using the User ID input on the portal page.
The certificate requester field in Trust Lifecycle Manager matches the user's SAML NameID.	Use the Email input on the portal page to search for matching certificates.
The certificate’s `SubjectDN:email` or `SAN:rfc822Name` field includes the user's SAML NameID.	Use the Email input on the portal page to search for matching certificates.

After displaying an accessible certificate, authenticated users can manage the certificate with the following self-service actions:

Action	Description
Renewal	Renew certificates that are approaching expiration and within the renewal window.
Revocation	Permanently revoke certificates.
Suspend/Resume	Temporarily suspend certificates or resume suspended ones.
Key recovery	Recover certificates and keys with escrowing enabled: For discovered or imported certificates, key recovery only works if the certificate was uploaded in PKCS12 format. For certificates issued through Trust Lifecycle Manager, key recovery only works for S/MIME certificates issued from a certificate profile with the `DigiCert cloud key escrow` option enabled.
Manage certificate owners	Update the list of assigned certificate owners who receive email notifications about a certificate.

Authenticated users can also use the following self-service actions to request new certificates:

Action	Description
Enrollment	Enroll new certificates from a certificate profile with the self-service portal option enabled and the following criteria: Issuing CA in DigiCert® Private CA or CertCentral. Web-based enrollment method (`Browser PKCS12`, `CSR`, or `DigiCert Trust Assistant`). Authentication method is `Manual Approval` or `SAML IdP`.
Pick up	Pick up a new certificate after admin approval.
Cancel	Cancel pickup of an approved certificate request.

このセクションの内容: