Skip to main content

Issue S/MIME certificates using DigiCert​​®​​ Trust Lifecycle Manager and PKI Platform 8

This article details the steps required to configure DigiCert​​®​​ Trust Lifecycle Manager to issue public S/MIME certificates from the PKI Platform 8 service using REST API and an API key for authentication.

Before you begin

  1. Contact your DigiCert representative to create a validated DigiCert PKI Platform 8 account.

  2. Sign in to your DigiCert PKI Platform 8 account.

  3. Submit the email domains you want DigiCert to validate as part of your certificate requests, and wait for them to be approved.

  4. Create an API key in your DigiCert PKI Platform 8 account.

  5. Upload the API KEY to your DigiCert​​®​​ Trust Lifecycle Manager account, under Settings > Link PKI Platform 8.

  6. If you have not already assigned user seats to your business unit in DigiCert​​®​​ Trust Lifecycle Manager, do that now.

Note

The links in steps 2-4 assume you are using a Production account. If you are instead making use of a Partner Lab account, please substitute the appropriate domain name.

Create a certificate profile for REST API

  1. In DigiCert​​®​​ Trust Lifecycle Manager, go to Manage > Templates and select the Public S/MIME Secure Email (via PKI Platform 8) certificate template.

  2. Under Primary certificate options:

    1. Select a business unit and a Public Issuing CA.

      Note

      The list of Public Issuing CAs includes only the CAs available on your PKI Platform 8 account.

    2. Enter a profile name.

    3. Select the REST API enrollment method.

    4. Select the Third-party app authentication method.

  3. Select Next and follow the prompts to configure the required certificate fields and additional profile information.

    1. Under Certificate fields, select REST request or Fixed value as the source for these values.

  4. On the API key step, select the PKI Platform 8 API key you previously uploaded to link both accounts.

  5. Select Create to save the profile configuration.

Note

The Public S/MIME solution supports other enrollment methods, including Browser PKCS12 and DigiCert Desktop Client.

Configure Postman for API key authentication

  1. Under Collections, select + to create a new collection and give it a name.

  2. Select the new collection. Under the Authorization tab, select API key from the Type dropdown list. Enter x-api-key as the key value. Enter the PKI Platform 8 API key you configured on your profile.

  3. Select Save at top right.

Test API requests in Postman

Submit a request to the “hello” endpoint

  1. Right-click your collection (or folder) and select Add Request.

  2. Under the Authorization tab, select Inherit auth from parent in the dropdown list.

  3. Select the GET HTTP method from the dropdown list.

  4. Enter the “hello” endpoint URL for the platform being tested. Select Send.

Submit a request to the “certificate” endpoint

  1. Right-click your collection (or folder) and select Add Request.

  2. Under the Authorization tab, select Inherit auth from parent in the dropdown list.

  3. Select the POST HTTP method from the dropdown list.

  4. Enter the “certificate” endpoint URL for the platform being tested.

  5. Enter the appropriate JSON request in the Body panel. Select Send.

Supported certificate lifecycle operations

  • Issuance:

    • Cloud Escrow: a PKCS#12 file and its associated password is delivered to the requesting client

    • No Escrow: a PKCS#7 file or X.509 certificate is delivered to the requesting client

  • Revocation:

    • Supported revocation reasons: key_compromise, affiliation_changed, superseded, cessation_of_operation (default reason, if none is specified)

  • Key recovery (for profiles configured with the Cloud Escrow option)

Supported configurations

Enrollment method

Authentication method

  • REST API

  • Third-party app

  • Enrollment code

  • Browser PKCS12

  • DigiCert Desktop Client

  • [future release] DigiCert Trust Assistant

  • Manual approval

  • Enrollment code

  • SAML IdP

: