Request new certificates with vault delivery

Use the Request certificate button at the top of the Enrollments page to enroll a new certificate with delivery to an external vault service.

With this feature, you can enroll a certificate from a variety of issuing CAs and deliver the issued certificate to multiple vault accounts and key vaults simultaneously.

Before you begin

The automation feature must be enabled for your DigiCert® Trust Lifecycle Manager account. Contact your DigiCert account representative if you have questions or need help with this.

Before you can request certificates with vault delivery, you must set up two things in Trust Lifecycle Manager:

  • Vault connector: You need one or more connectors to the external vault services where Trust Lifecycle Manager will deliver the issued certificates.

  • Certificate profile: You also need one or more certificate profiles for the Admin web request enrollment method. These profiles determine the types of certificates that admins can request via the Request certificate function on the Enrollments page.


When creating certificate profiles for vault delivery, look for certificate templates that list "Vault delivery" in the Use cases column. These templates support the required Admin web request enrollment method.

Enroll and deliver a certificate

  1. On the Manage > Enrollments page, select the Request certificate button at the top.

  2. Fill out the form:

    • Profile: Select a certificate profile to use for enrolling the new certificate. Only profiles with the Admin web request enrollment method are included in this dropdown menu. You can use the Show details link to verify the properties for the selected certificate profile.

    • Certificate information:

      • Common Name: Enter a Common Name (CN) for the new certificate.

      • Other hostnames (SANs): Enter a comma-separated list of SANs to include in the new certificate or select Import CSV to import them from a CSV file. This section is optional and only appears if the certificate profile you selected supports it.

    • Additional order options: Enter order handling information, not to be included in the certificate itself. This section is optional and only appears if the certificate profile you selected supports it.

    • Deployment: Select the external key vaults where you want to deliver the issued certificate.

      • First select the Vault connector for the vault account, then check off the individual Vault names under that account where the certificate should be delivered.

      • Use the Add destination link to deliver the certificate to additional accounts/vaults.

    • Auto-renew: To automatically renew this certificate before expiration and deliver the new certificate to your key vaults, check off the Auto-renew box. Select options for when to submit the renewal request (number of days before expiration). Selections you make here override any auto-renewal options in the certificate profile.

    • Tags: Optionally apply tags to the issued certificate to help monitor and manage it in Trust Lifecycle Manager. Select from existing tags or type to create new ones.

  3. Select the link to read the Certificate Services Agreement and then check the box to acknowledge/agree to it.

  4. Select Submit request to submit the certificate enrollment request based on the values you filled into the form.

What's next

The issued certificate can be monitored and managed from the Inventory page in Trust Lifecycle Manager and also gets delivered to the external key vaults you selected.