Request new certificates with automated delivery
Use the Admin web request function on the Enrollments page to enroll a new certificate with automated delivery to external systems.
With this feature, you can enroll a certificate from a variety of issuing CAs and deliver the issued certificate simultaneously to one or more:
Azure key vaults.
AWS Certificate Manager (ACM) instances.
Server systems (via DigiCert agents).
Before you begin
The automation feature must be enabled for your DigiCert® Trust Lifecycle Manager account. Contact your DigiCert account representative to verify or enable this feature.
To deliver certificates to:
Azure key vaults, you need an Azure key vault connector.
ACM instances, you need an AWS unified connector.
Server systems, you need a DigiCert agent installed on each.
You need one or more certificate profiles that use the Admin web request enrollment method. When creating certificate profiles for automated delivery, look for certificate templates that list "Vault delivery" in the Use cases column; these templates support the required Admin web request enrollment method. For CertCentral certificate profiles, only OV/EV certificate products can be requested for delivery, so select an OV or EV product in the Certificate type dropdown when using the Admin web request enrollment method.
Enroll and deliver a certificate
On the Enrollments page, select the Admin web request button at top.
Fill out the form as described below.
Profile: Select a certificate profile to use for enrolling the new certificate. Only profiles with the Admin web request enrollment method are included in this dropdown menu. Use the Show details link to verify the properties of the selected certificate profile.
Certificate information:
Common Name: Enter a common name (CN) for the new certificate.
Other hostnames (SANs): Enter subject alternative names (SANs) to include in the new certificate, one at a time. To instead import the list of SANs from a CSV file, select the Import CSV button.
This field is optional and only appears if the certificate profile you selected supports it.
Additional order options: Enter order handling information, not to be included in the certificate itself. This section is optional and only appears if the certificate profile you selected supports it.
Certificate delivery: Select the delivery locations for the issued certificate.
To deliver the certificate to server systems running DigiCert agents:
Select the Agents option and fill out the sidebar as described below.
DigiCert agents: Select one or more agents to deliver to.
Certificate delivery format: Select one of the supported formats.
Some delivery formats require additional configuration:
pkcs12: Enter a password for the new PKCS#12 file.
jks (new): Enter a password for the new Java KeyStore file.
jks (existing): Enter the location and password of the existing Java KeyStore file to add the certificate to.
Select the Add button to add the configured agent delivery locations to the enrollment request.
Note
By default, certificates get delivered to the .secrets sub-directory within the agent installation directory on the host system. To deliver certificates to a different directory, edit the agent in Trust Lifecycle Manager and configure the Admin request delivery location setting.
To deliver the certificate to AWS Certificate Manager (ACM) in connected AWS accounts:
Select the AWS Certificate Manager option and fill out the sidebar as described below.
Connector: Select an AWS unified connector to use.
AWS regions: Select the AWS regions for the accounts to deliver to.
AWS accounts: Select the AWS accounts to deliver to. The certificate gets added to ACM in these accounts.
Use the link at the bottom to deliver to additional AWS accounts.
Select the Add button to add the configured AWS delivery locations to the enrollment request.
To deliver the certificate to key vaults in connected Azure accounts:
Select the Azure key vaults option and fill out the sidebar as described below.
Vault connector: Select an Azure key vault connector to use.
Key vaults: Select the specific key vaults to deliver to via the selected connector.
Use the link at the bottom to deliver to additional Azure key vaults.
Select the Add button to add the configured Azure key vault delivery locations to the enrollment request.
Auto-renew: To automatically renew this certificate before expiration and deliver the new certificate to the same delivery locations, select the Auto-renew schedule checkbox. Then select when to submit the renewal request (number of days before expiration).
Note: Selections you make here override any auto-renewal options in the certificate profile.
Tags (optional): Apply tags to the issued certificate to help monitor and manage it in Trust Lifecycle Manager.
Select the link to read the Certificate Services Agreement and then check the box to acknowledge/agree to it.
Select Submit request to submit the certificate enrollment request based on the values you filled into the form.
What's next
The issued certificate gets delivered to the locations you selected and can be monitored and managed from your Inventory page in Trust Lifecycle Manager.
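To confirm on an agent host that a delivered PKCS#12 bundle actually matches what was entered in the Admin web request form, the following script can be run from a POSIX shell with OpenSSL 1.1.1 or later. It is an added example, not DigiCert code and not part of this page. It assumes a hypothetical bundle app.p12 protected with the password from the pkcs12 delivery option, the CN app.example.com, the SANs app.example.com and www.example.com, and a 30-day auto-renew window; the bundle it checks is constructed inline from a self-signed certificate so that the script runs offline. It checks that the file is not world-readable (it carries a private key), that the password opens it, that the private key belongs to the certificate, that the CN and every requested SAN are present, and that the certificate is not already inside the renewal window.

```shell
#!/bin/sh
# Added example, not DigiCert code: verify a PKCS#12 bundle delivered by an
# agent (by default into <agent install dir>/.secrets) against the values
# entered in the Admin web request form. File names, password, CN and SANs
# below are hypothetical.

# make_sample_p12 <dir> <password>
# Constructed stand-in for an agent-delivered bundle: a self-signed leaf with
# the CN and SANs a request would carry, exported with its key as PKCS#12.
make_sample_p12() {
  dir="$1"; pass="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" \
    -subj "/CN=app.example.com" \
    -addext "subjectAltName=DNS:app.example.com,DNS:www.example.com" 2>/dev/null
  openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
    -passout "pass:$pass" -out "$dir/app.p12"
  chmod 600 "$dir/app.p12"          # the bundle holds a private key
  rm -f "$dir/key.pem" "$dir/cert.pem"
}

# verify_p12 <bundle> <password> <expected-cn> <renew-days> <expected-san>...
# Prints one line per finding; returns 0 only when every check passes.
verify_p12() {
  p12="$1"; pass="$2"; want_cn="$3"; renew_days="$4"; shift 4
  work=$(mktemp -d); rc=0

  # 1. A world-readable bundle exposes the private key to every local user.
  if [ -n "$(find "$p12" -perm -004)" ]; then
    echo "FAIL: $p12 is world-readable"; rc=1
  fi

  # 2. Unpack the leaf certificate and the key; a wrong password fails here.
  if ! openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys \
        -out "$work/cert.pem" 2>/dev/null ||
     ! openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes \
        -out "$work/key.pem" 2>/dev/null; then
    echo "FAIL: cannot open $p12 with the supplied password"
    rm -rf "$work"; return 1
  fi

  # 3. The bundled key must belong to the certificate (compare public keys).
  if [ "$(openssl x509 -in "$work/cert.pem" -noout -pubkey)" != \
       "$(openssl pkey -in "$work/key.pem" -pubout)" ]; then
    echo "FAIL: private key does not match certificate"; rc=1
  fi

  # 4. The subject CN must be the one entered in the Common Name field.
  got_cn=$(openssl x509 -in "$work/cert.pem" -noout -subject \
             -nameopt sep_multiline,lname | sed -n 's/^ *commonName=//p')
  if [ "$got_cn" != "$want_cn" ]; then
    echo "FAIL: CN is '$got_cn', expected '$want_cn'"; rc=1
  fi

  # 5. Every hostname entered as a SAN must appear as a DNS name.
  got_sans=$(openssl x509 -in "$work/cert.pem" -noout -ext subjectAltName |
             tr ',' '\n' | sed -n 's/^ *DNS://p')
  for san in "$@"; do
    if ! printf '%s\n' "$got_sans" | grep -qxF "$san"; then
      echo "FAIL: SAN $san missing"; rc=1
    fi
  done

  # 6. Renewal window: -checkend exits non-zero when the certificate expires
  #    within the given number of seconds, i.e. auto-renew is already due.
  if ! openssl x509 -in "$work/cert.pem" -noout \
         -checkend $((renew_days * 86400)) >/dev/null; then
    echo "FAIL: certificate expires within $renew_days days"; rc=1
  fi

  rm -rf "$work"
  [ "$rc" -eq 0 ] && echo "OK: $p12 matches the request"
  return "$rc"
}

# Stand-alone run against the constructed sample.
demo_dir=$(mktemp -d)
make_sample_p12 "$demo_dir" changeit
verify_p12 "$demo_dir/app.p12" changeit app.example.com 30 \
  app.example.com www.example.com
rm -rf "$demo_dir"
```

On a real host, point verify_p12 at the file under the agent's .secrets directory (or the Admin request delivery location you configured), using the same password you entered in the pkcs12 delivery option and the same number of days you chose for Auto-renew. A failure on the last check means the certificate is already inside the window you set, so a renewal request should already have been submitted and a fresh bundle delivered.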