Renew certificates via EST

To renew a certificate from an EST-enabled profile in DigiCert® Trust Lifecycle Manager:

  • The certificate must be within the renewal window configured in the certificate profile.

  • The CSR must have the same Subject DN values as the original certificate. You can reuse the original CSR or create a new CSR with the same Subject DN values.

  • Send the CSR to the EST Renewal URL (simplereenroll operation) for the certificate profile. This is provided at the time of profile creation and can be retrieved again at any time as follows:

    1. Select Manage > Profiles from the Trust Lifecycle Manager main menu.

    2. Select your EST-enabled profile by name to view the details for it.

    3. Use the dropdown at the top of the profile details screen to copy the EST Renewal URL (simplereenroll). For example:

      https://clientauth.one.digicert.com/mpki/api/v1/.well-known/est/201bf186-fe8e-4444-b8b8-233f794fb6f7/simplereenroll

Note

See Enroll using cURL for additional information about how to create a CSR and set up cURL or Postman to work with EST-based certificate requests.

Renew using cURL

Authenticate with enrollment code

If the original enrollment used an enrollment code for authentication:

  • Send the original certificate and its private key as proof of possession. Use the cert parameter to specify the filename of the certificate being renewed and the key parameter to specify the location of its corresponding private key. You do not need to send an authorization header in the renewal request.

  • The CSR you send for renewal must have the same Subject DN values and be signed with the same private key as the original certificate.

The following example shows a complete curl command to renew a certificate via EST when the original enrollment used an enrollment code for authentication:

curl --location \
--request POST 'https://clientauth.one.digicert.com/mpki/api/v1/.well-known/est/201bf186-fe8e-4444-b8b8-233f794fb6f7/simplereenroll' \
--header 'Content-Type: text/plain' \
--cert device.crt \
--key device.pem.key \
--data-raw '-----BEGIN CERTIFICATE REQUEST-----
MIIE5DCCA8wCAQAwggHDMR0wGwYDVQQDDBR1c2VyIG11bHRpcGxlIHRlc3QgMjEb
MBkGA1UECwwSSGFpciBSZXNlYXJjaCBEZXB0MQ0wCwYDVQQLDARPVSAyMR0wGwYD
VQQKDBRMJkggRG9ncyBHcm9vbWluZyBSSTETMBEGA1UEBwwKUHJvdmlkZW5jZTEV
MBMGA1UECAwMUmhvZGUgSXNsYW5kMQswCQYDVQQGEwJVUzEOMAwGA1UEEQwFMDI4
NjAxEDAOBgNVBAkMB3N0cmVldDExEDAOBgNVBAkMB3N0cmVldDIxGzAZBgNVBAUT
EnNlcmlhbG51bWJlcnNlYXQwMjEfMB0GCSqGSIb3DQEJARYQbWFpbEBzdWJqZWN0
LmNvbTEnMCUGCSqGSIb3DQEJAgwYdGVzdFUgdW5zdHJ1Y3R1cmVkTmFtZSAxMScw
JQYJKoZIhvcNAQkCDBh0ZXN0VSB1bnN0cnVjdHVyZWROYW1lIDIxGzAZBgkqhkiG
9w0BCQgMDHVuc3RyIGFkZHIgMTEbMBkGCSqGSIb3DQEJCAwMdW5zdHIgYWRkciAy
MQ8wDQYDVQQNDAZkZXNjcjExDzANBgNVBA0MBmRlc2NyMjCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBAPS61hrGb0X80qpTf0dE2DD+IGPeXe5okkA72tE8
SO6qdpE8HJ7/JAq5E0ubuxaNDXbTtm84CEzmp//DqYBpweIlMupFNgRb/+CVeA2J
jRmcHx8ZZ5uMhcUbuQQPxgyGIbgsjbsW4LE81rG+YKkZ+yQ/lezkMiQD6tAVx1ci
r4M+g4gudUP1t6rQvnUPHVJMvFZjCurlNPBwlzm2gHmSviwplwfPWpw0Tbw4lj60
aQakvOlrSEGvqfp4QGDjS+DWsTFLfJ5NlnTfefs6z/6C+qK2xnzK7TiLz31YHs/M
KKxLyh1XnJqnbs1FT9OsA0SO3xP2pOMLcgBqLMYVcm5jCMsCAwEAAaCB2TAZBgkq
hkiG9w0BCQcxDAwKVUc2QlVCWU5NWDCBuwYJKoZIhvcNAQkOMYGtMIGqMIGnBgNV
HREEgZ8wgZyHBAoAAAqHBAoAAAuGFmh0dHA6Ly93d3cuZ29vZ2xlLmNvbS+GFmh0
dHA6Ly93d3cuY29vZ2xlLmNvbS+ICSqGSIb3EgECAogJKoZIhvcSAQIDgRJmaXJz
dG9uZUBlbWFpbC5jb22BEHNlY29uZEBlbWFpbC5jb22CESouZmlyc3QxLmxoZGcu
Y29tgg9zZWNvbmQubGhkZy5jb20wDQYJKoZIhvcNAQELBQADggEBAOs6t+gy4XKP
n9ksNmUsXdaJouvcl/2brntdAflZ415InpBYY1UO2Zg0qMmdUrwW8zcwB6MENGJm
wwIaj6ELKy1tQkIMCyP6RQxULk/5oMdmdXS54ys2Zr1Ddl2pAsS/FYQC3vSpKniq
hn1agXAygFO/WY7sk5bwFsnhMtd8HKsbvQRQOvUDStYmFiFHkerSl3jMG/zN5991
2PKofBQVovwWcRfz5mqRBwKghcskjhOPi+Vhzew++dbY1c1Pt65Bl2McWbYKRpQ4
Cpu9NWdqq1rAT+bpe2/RYP1p8N5iSODy9CQZXMxCLcoBJeBIiduIDb3IwR5CcFrD
kRm5LTlDxqo=
-----END CERTIFICATE REQUEST-----'

Authenticate with client certificate

If the original enrollment used a client certificate for authentication:

  • The client authentication certificate used for renewal must be issued by one of the trusted CAs configured in the Authentication method section of the certificate profile in Trust Lifecycle Manager. Use the cert parameter to specify the filename of the client authentication certificate and the key parameter to specify the location of its corresponding private key.

  • The CSR you send for renewal must have the same Subject DN values as the original certificate. Sign it with the private key you want to use for the new certificate, which can be different than the original private key.

The following example shows a complete curl command to renew a certificate via EST when the original enrollment used a client certificate for authentication:

curl --location \
--request POST 'https://clientauth.one.digicert.com/mpki/api/v1/.well-known/est/201bf186-fe8e-4444-b8b8-233f794fb6f7/simplereenroll' \
--header 'Content-Type: text/plain' \
--cert client.crt \
--key client.key \
--data-raw '-----BEGIN CERTIFICATE REQUEST-----
MIIE5DCCA8wCAQAwggHDMR0wGwYDVQQDDBR1c2VyIG11bHRpcGxlIHRlc3QgMjEb
MBkGA1UECwwSSGFpciBSZXNlYXJjaCBEZXB0MQ0wCwYDVQQLDARPVSAyMR0wGwYD
VQQKDBRMJkggRG9ncyBHcm9vbWluZyBSSTETMBEGA1UEBwwKUHJvdmlkZW5jZTEV
MBMGA1UECAwMUmhvZGUgSXNsYW5kMQswCQYDVQQGEwJVUzEOMAwGA1UEEQwFMDI4
NjAxEDAOBgNVBAkMB3N0cmVldDExEDAOBgNVBAkMB3N0cmVldDIxGzAZBgNVBAUT
EnNlcmlhbG51bWJlcnNlYXQwMjEfMB0GCSqGSIb3DQEJARYQbWFpbEBzdWJqZWN0
LmNvbTEnMCUGCSqGSIb3DQEJAgwYdGVzdFUgdW5zdHJ1Y3R1cmVkTmFtZSAxMScw
JQYJKoZIhvcNAQkCDBh0ZXN0VSB1bnN0cnVjdHVyZWROYW1lIDIxGzAZBgkqhkiG
9w0BCQgMDHVuc3RyIGFkZHIgMTEbMBkGCSqGSIb3DQEJCAwMdW5zdHIgYWRkciAy
MQ8wDQYDVQQNDAZkZXNjcjExDzANBgNVBA0MBmRlc2NyMjCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBAPS61hrGb0X80qpTf0dE2DD+IGPeXe5okkA72tE8
SO6qdpE8HJ7/JAq5E0ubuxaNDXbTtm84CEzmp//DqYBpweIlMupFNgRb/+CVeA2J
jRmcHx8ZZ5uMhcUbuQQPxgyGIbgsjbsW4LE81rG+YKkZ+yQ/lezkMiQD6tAVx1ci
r4M+g4gudUP1t6rQvnUPHVJMvFZjCurlNPBwlzm2gHmSviwplwfPWpw0Tbw4lj60
aQakvOlrSEGvqfp4QGDjS+DWsTFLfJ5NlnTfefs6z/6C+qK2xnzK7TiLz31YHs/M
KKxLyh1XnJqnbs1FT9OsA0SO3xP2pOMLcgBqLMYVcm5jCMsCAwEAAaCB2TAZBgkq
hkiG9w0BCQcxDAwKVUc2QlVCWU5NWDCBuwYJKoZIhvcNAQkOMYGtMIGqMIGnBgNV
HREEgZ8wgZyHBAoAAAqHBAoAAAuGFmh0dHA6Ly93d3cuZ29vZ2xlLmNvbS+GFmh0
dHA6Ly93d3cuY29vZ2xlLmNvbS+ICSqGSIb3EgECAogJKoZIhvcSAQIDgRJmaXJz
dG9uZUBlbWFpbC5jb22BEHNlY29uZEBlbWFpbC5jb22CESouZmlyc3QxLmxoZGcu
Y29tgg9zZWNvbmQubGhkZy5jb20wDQYJKoZIhvcNAQELBQADggEBAOs6t+gy4XKP
n9ksNmUsXdaJouvcl/2brntdAflZ415InpBYY1UO2Zg0qMmdUrwW8zcwB6MENGJm
wwIaj6ELKy1tQkIMCyP6RQxULk/5oMdmdXS54ys2Zr1Ddl2pAsS/FYQC3vSpKniq
hn1agXAygFO/WY7sk5bwFsnhMtd8HKsbvQRQOvUDStYmFiFHkerSl3jMG/zN5991
2PKofBQVovwWcRfz5mqRBwKghcskjhOPi+Vhzew++dbY1c1Pt65Bl2McWbYKRpQ4
Cpu9NWdqq1rAT+bpe2/RYP1p8N5iSODy9CQZXMxCLcoBJeBIiduIDb3IwR5CcFrD
kRm5LTlDxqo=
-----END CERTIFICATE REQUEST-----'
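
A pre-flight check for the two cURL renewal cases above, added here as an example and not part of DigiCert's documentation: it compares the CSR's Subject DN (and, for enrollment-code renewals, its public key) with the certificate being renewed before anything is sent. The function names, the sample files and the definition of the renewal window as the last N days before expiry are assumptions; take the window from your certificate profile.

```shell
# Pre-flight checks before POSTing a CSR to the EST simplereenroll URL.
# Added example (not DigiCert code); needs only the openssl CLI.

# Subject DN of a certificate (x509) or CSR (req) in RFC 2253 form.
subject_of() {
  openssl "$1" -in "$2" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# PEM-encoded public key of a certificate (x509) or CSR (req).
pubkey_of() { openssl "$1" -in "$2" -noout -pubkey; }

# est_renew_preflight CERT CSR AUTH WINDOW_DAYS
#   AUTH=enrollment_code: CSR must carry the same public key as CERT.
#   AUTH=client_cert:     CSR may carry a new key.
# Returns 0 if the request meets the conditions, 1 otherwise.
est_renew_preflight() {
  local cert="$1" csr="$2" auth="$3" days="$4" rc=0
  if [ "$(subject_of x509 "$cert")" != "$(subject_of req "$csr")" ]; then
    echo "FAIL: CSR Subject DN differs from the certificate" >&2; rc=1
  fi
  if [ "$auth" = enrollment_code ] &&
     [ "$(pubkey_of x509 "$cert")" != "$(pubkey_of req "$csr")" ]; then
    echo "FAIL: CSR public key differs from the certificate's key" >&2; rc=1
  fi
  # Assumption: the renewal window is the last $days days before expiry.
  if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
    echo "FAIL: certificate has already expired" >&2; rc=1
  elif openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null; then
    echo "FAIL: certificate is not yet inside the ${days}-day window" >&2; rc=1
  fi
  return $rc
}

# Constructed sample data: a 20-day self-signed certificate and three CSRs.
make_demo_files() {
  local d="$1" subj='/O=Example Org/CN=device01'
  openssl req -x509 -newkey rsa:2048 -nodes -days 20 -subj "$subj" \
    -keyout "$d/device.pem.key" -out "$d/device.crt" 2>/dev/null
  openssl req -new -key "$d/device.pem.key" -subj "$subj" -out "$d/same.csr"
  openssl req -new -key "$d/device.pem.key" -subj '/O=Example Org/CN=device02' \
    -out "$d/other_dn.csr"
  openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
    -keyout "$d/new.key" -out "$d/new_key.csr" 2>/dev/null
}

# Demo: the same-key CSR passes; a re-keyed CSR fails for enrollment-code auth.
tmp=$(mktemp -d) && make_demo_files "$tmp"
est_renew_preflight "$tmp/device.crt" "$tmp/same.csr" enrollment_code 30 && echo "same.csr: ok"
est_renew_preflight "$tmp/device.crt" "$tmp/new_key.csr" enrollment_code 30 || echo "new_key.csr: rejected"
rm -rf "$tmp"
```

The check confirms only that the CSR carries the expected Subject DN and public key; the EST server still verifies the CSR signature and the client certificate itself.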

Renew using Postman

Authenticate with enrollment code

If the original enrollment used an enrollment code for authentication, authenticate the renewal by sending the original certificate and its private key as proof of possession:

  1. Select Settings from the top-right of the Postman window.

  2. Select the Certificates tab.

  3. In the Client certificates section, select Add certificate and specify values for the following:

    • Host: The base URL from the EST Renewal URL of your certificate profile in Trust Lifecycle Manager.

    • CRT file: Select the file for the PEM-encoded certificate being renewed.

    • KEY file: Select the file with the private key for the certificate being renewed.

    When filled out, this screen should look similar to:

    [Screenshot: Postman client certificate settings]

    Note

    As an alternative option, you can add a PFX file and its corresponding Passphrase for the certificate being renewed.

To send the Postman request for EST-based certificate renewal:

  1. Create a new Postman request that uses the POST HTTP method and the EST Renewal URL (simplereenroll). You do not need an Authorization HTTP header, since the request will be authorized via the original certificate and its private key you configured above.

  2. Paste your PEM-encoded CSR into the Body of the request. The CSR must be signed with the same private key as the original certificate.

  3. Select Send to submit the certificate enrollment request. If successful, you receive a 200 response message and the issued certificate.

Authenticate with client certificate

If the original enrollment used a client certificate for authentication, authenticate the renewal by sending a valid client certificate from one of the trusted CAs configured in the Authentication method section of the certificate profile. You can use the same client authentication certificate from the enrollment or add a new one in Postman as follows:

  1. Select Settings from the top-right of the Postman window.

  2. Select the Certificates tab.

  3. In the Client certificates section, select Add certificate and specify values for the following:

    • Host: The base URL from the EST Renewal URL of your certificate profile in Trust Lifecycle Manager.

    • CRT file: Select the file for the PEM-encoded client authentication certificate.

    • KEY file: Select the file with the private key for the client authentication certificate.

    When filled out, this screen should look similar to:

    [Screenshot: Postman client certificate settings]

    Note

    As an alternative option, you can add a PFX file and its corresponding Passphrase for the client authentication certificate.

To send the Postman request for EST-based certificate renewal:

  1. Create a new Postman request that uses the POST HTTP method and the EST Renewal URL (simplereenroll).

  2. Paste your PEM-encoded CSR into the Body of the request. Sign the CSR with the private key you want to use for the new certificate, which can be different than the original private key.

    [Screenshot: Postman renewal request]

  3. Select Send to submit the certificate enrollment request. If successful, you receive a 200 response message and the issued certificate.