
Self-service portal

With the DigiCert® Trust Lifecycle Manager self-service portal, end users can search, download, or manage their own certificates.

Enable the self-service portal to empower your users to become more self-sufficient and lessen the burden on your administrators and support staff.

Certificate types

The following certificate types can be accessed from the self-service portal:

  • Certificates issued through Trust Lifecycle Manager from a certificate profile with the Enable self-service portal option enabled and an issuing CA in DigiCert® CA Manager or CertCentral.

  • Certificates discovered or imported into Trust Lifecycle Manager from external sources. You can use the self-service portal settings to control whether to expose these certificates to end users.

Portal types

Trust Lifecycle Manager provides two different portal types that end users can use to search/download or manage their certificates. You can enable one or both of these in the self-service portal settings:

  • Open portal: Does not authenticate users and only supports a limited set of self-service actions.

  • Authenticated portal: Authenticates users via SAML and supports more extensive self-service management actions after verifying the user's identity.

After enabling one of these portal types, the system generates a unique portal URL and QR code to share with end users who need access to it.

Available self-service actions

Available self-service actions depend on the portal type. When you configure the portal, you select which actions to allow.

Note

You can allow different self-service management operations for discovered/imported certificates versus those issued through Trust Lifecycle Manager. For certificates issued through Trust Lifecycle Manager, you can allow different management operations per certificate profile.

Open portal

The open portal does not authenticate users and only supports the following self-service actions:

  • Search: Search for an existing certificate. The user must know the exact common name, email address, or serial number.

  • Download: Download a certificate after a successful search or a new enrollment.

  • Revocation: Request revocation of an existing certificate. The request gets sent to the email address in the certificate's SubjectDN:email or SAN:rfc822Name field, with a link to verify and complete the revocation process.

    Note: Enable this feature with caution. Anyone who has access to another user's email account can revoke that user's certificate.

Authenticated portal

The authenticated portal verifies users' identities via SAML. Once authenticated, users can access and manage certificates that meet any of the following criteria:

  • Issued from a certificate profile that uses the SAML IdP authentication method and is configured to allow access from the user's SAML NameID.

  • The certificate requester field in Trust Lifecycle Manager matches the user's SAML NameID.

  • The certificate’s SubjectDN:email or SAN:rfc822Name field includes the user's SAML NameID.

Authenticated users can perform the following self-service actions to request and manage new certificate enrollments:

  • Enrollment: Enroll new certificates from a certificate profile with the self-service portal option enabled and the following criteria:

    • Issuing CA in DigiCert® CA Manager or CertCentral.

    • Web-based enrollment method (Browser PKCS12, CSR, or DigiCert Trust Assistant).

    • Authentication method is Manual Approval or SAML IdP.

  • Pick up: Pick up a new certificate after administrator approval.

  • Cancel: Cancel pickup of an approved certificate request.

To manage their existing certificates, authenticated users can perform the following self-service actions:

  • Renewal: Renew certificates that are approaching expiration and within the renewal window.

  • Revocation: Permanently revoke certificates.

  • Suspend/Resume: Temporarily suspend certificates or resume suspended ones.

  • Key recovery: Recover certificates and keys with escrowing enabled:

    • For discovered or imported certificates, key recovery only works if the certificate was uploaded in PKCS12 format.

    • For certificates issued through Trust Lifecycle Manager, key recovery only works for S/MIME certificates issued from a certificate profile with the DigiCert cloud key escrow option enabled.

Enable self-service portal access

Follow these steps to enable the open and/or authenticated self-service portals.

Before you begin

  • The Trust Lifecycle Manager Self-service portal feature must be enabled for your account. Contact your DigiCert account representative to verify or enable this feature.

  • To configure the self-service portal settings, you need the SSP Manager user role for Trust Lifecycle Manager or a custom user role that includes the SSP Portal config permission. To learn more, see Users and access.

To enable the open portal:

  1. From the Trust Lifecycle Manager main menu, select Account > Settings > Self-service portal.

  2. If the self-service portal has not previously been enabled for your account, you see a basic overview page about this feature. Select the Start configuring button to proceed with configuring the self-service portal.

    If one of the portals was previously enabled, you see the details page instead. Select the edit (pencil) icon to update the configuration.

  3. In the Open portal tab, make sure the Enable open portal option is selected.

  4. Under Discovery/Imported certificates, select whether to include visibility of certificates that were discovered or imported into Trust Lifecycle Manager. If you enable this option, also select whether to allow users to request revocation of these certificates from the open portal.

  5. The Portal-enabled certificate profiles section lists applicable certificate profiles with the Enable self-service portal option enabled. Certificates issued from these profiles are always visible from the open portal.

    • The Allowed operations column shows which operations are allowed for each certificate profile from the open portal. You can manage the allowed operations from either the self-service portal settings or the profile configuration wizard.

    • Use the edit (pencil) icon to update the allowed operations for certificates issued from a particular profile. To allow users to request revocation of certificates from the open portal, enable the Revocation operation for that certificate profile.

  6. Select the Save button at the bottom of the screen to save your changes.

  7. On the details page, copy the Portal URL and/or QR code for the open portal. Provide these to end users so they can access the open portal with the options you configured.

To enable the authenticated portal:

  1. From the Trust Lifecycle Manager main menu, select Account > Settings > Self-service portal.

  2. If the self-service portal has not previously been enabled for your account, you see a basic overview page about this feature. Select the Start configuring button to proceed with configuring the self-service portal.

    If one of the portals was previously enabled, you see the details page instead. Select the edit (pencil) icon to update the configuration.

  3. In the Authenticated portal tab, make sure the Enable authenticated portal option is selected.

  4. Add the details about your SAML identity provider (IdP) in the SAML authentication section. Trust Lifecycle Manager uses these parameters to authenticate users who attempt to access the self-service portal.

    You can configure your SAML IdP details in one of two ways:

    • Dynamic configuration (recommended): Download the XML metadata file from your SAML IdP and use it to dynamically configure the self-service portal by uploading the XML file into the designated area, verifying the parsed values, and making changes if needed.

    • Manual configuration: Manually enter the IdP parameters including the single sign-on authentication URL, Issuer field identifier, and IdP certificate.

  5. Signing options: Select the types of SAML messages Trust Lifecycle Manager should sign with its own certificate when communicating with the SAML IdP.

    Note

    Trust Lifecycle Manager acts as the SAML service provider (SP) when authenticating self-service portal users. Refer to your IdP's documentation to determine which signing options your IdP supports and expects from the SP.

  6. Discovery/Imported certificates: Select whether to include visibility of certificates that were discovered or imported into Trust Lifecycle Manager. If you enable this option, also select which self-service operations users are allowed to perform on these certificates from the authenticated portal.

  7. Manage tab visibility: Select whether or not to include the following tabs/sections in the authenticated portal:

    • Certificate requests: Allows end users to enroll new certificates from profiles enabled for self-service access.

    • Manage requests: Allows end users to manage enrollments and download new certificates requested through the self-service portal.

      Note

      You can safely disable these tabs if none of your certificate profiles have the Enable self-service portal option enabled, or if you want to prevent users from enrolling new certificates from the self-service portal.

  8. The Portal-enabled certificate profiles section lists applicable certificate profiles with the Enable self-service portal option enabled. Certificates issued from these profiles are always visible from the authenticated portal.

    • The Allowed operations column shows which operations are allowed for each certificate profile from the authenticated portal. You can manage the allowed operations from either the self-service portal settings or the profile configuration wizard.

    • Use the edit (pencil) icon to update the allowed operations for certificates issued from a particular profile.

  9. Select the Save button at the bottom of the screen to save your changes.

  10. On the details page, copy the Portal URL and/or QR code for the authenticated portal. Provide these to end users so they can access the authenticated portal with the options you configured.

Disable or re-enable portal access

Edit the self-service portal settings to disable or re-enable access to either the open or authenticated portal:

  1. From the Trust Lifecycle Manager main menu, select Account > Settings > Self-service portal.

  2. Select the edit (pencil) icon on the right.

  3. Deselect the Enable open portal or Enable authenticated portal option to disable it, or select this option to re-enable access.

  4. Select the Save button to apply the changes.

Verify the self-service portal configuration

To verify the portal details, select Account > Settings > Self-service portal from the Trust Lifecycle Manager main menu.

Use the Open portal and Authenticated portal tabs to check the current settings for the two portal types:

  • The Enabled field shows whether each portal type is enabled or not.

  • If enabled, the display shows the Portal URL and QR code used to access that portal, along with the current configuration options for it.

  • The profiles table at the bottom lists applicable certificate profiles with the self-service portal enabled. For the authenticated portal, the Enrollment URL column shows the URL for enrolling new certificates from the profile (if the enrollment operation is allowed). The enrollment URL is also shown on the profile details page.

Apply branding to the self-service portal

Use the Account > Settings > Branding function to customize public-facing pages including the self-service portal.

To learn more, see Branding.