Obtain an API token

You can use an API token to authenticate Autoenrollment Server requests to DigiCert ONE. DigiCert recommends that you create a dedicated service user for API access as this helps manage access permissions and track the API requests in your account audit logs.

Note

You need either an API token or an authentication certificate for Autoenrollment Server to be able to authenticate requests to DigiCert ONE. If you will integrate with Windows Hello for Business, choose the authentication certificate method instead.

Create the service user and API token

Navigate to Account Manager.
Select Access from the left navigation menu, then Service User.
Select Create Service user.
On the service user details page, enter the following details:
- Friendly name: Nickname for the service user.
- Description (optional): Description of the service user's purpose.
- End date (optional): Expiration date for the service user.
- Email: To send notifications regarding the service user.
- Accounts that can use this service user: Account access for the service user.
- DigiCert ONE Manager access: Select CA and Trust Lifecycle.
Select Next.

On the Roles and permissions page, assign the following user roles:

For Private CA: Read only
For Trust Lifecycle Manager: User and certificate manager and Certificate profile manager

Note

Alternatively, you can create and assign custom user roles that include the following permissions at minimum:

Manager	Role	Permission
CA	CA & certificates: CA	`Read-only`
	General: Common CA database	`Read-only`
Trust Lifecycle	Certificate management: Create	`Manage`
	Profiles & templates: Enrollment	`Manage`
	Profiles & templates: Profile	`Manage`

Select Add user.
The token ID is displayed in a popup box. Copy the token ID value and store in a safe location—this value will be shown only once.