Upload certificates with REST API

To upload third-party (external) certificates with the DigiCert® Trust Lifecycle Manager API:

Review the documentation for the certificate-import API endpoint. You can view the API documentation by selecting Resources > API Reference from the Trust Lifecycle Manager main menu.
Prepare all the certificates you wish to upload into your Trust Lifecycle Manager account. Each certificate must be sent to the certificate-import API endpoint as a request body parameter in a single line, in one of the following formats:
- x509: PEM-encoded X.509 certificate.
- pkcs12: PEM-encoded, password-protected certificate and private key.
If uploading a certificate in PKCS12 format, include an additional password field in your request with the associated password. Trust Lifecycle Manager supports key recovery for certificates uploaded in PKCS12 format.
If any of the certificates being uploaded have been revoked, use the revocation object in the request body to set the revoked flag to true and set the reason and revoke_date properties.
You can optionally assign a tag_name to the imported certificates to help identify them. Each tag can have associated email expiration notification templates, with custom instructions for how to get a new certificate from the DigiCert® Trust Lifecycle Manager application.

Example request and response for valid certificate

Below is an example REST API request and response for uploading a valid certificate/private key in PKCS12 format along with its associated password. In this example, the issuing CA has already been imported into the DigiCert ONE account. Note the seat type of IMPORTED_SEAT and certificate status issued in the response.

Example 1. cURL

curl -X POST \
  https://one.digicert.com/mpki/api/v1/certificate-import?trap_seat_duplicate_error=true \
  -H 'Content-Type: application/json' \
  -H 'X-API-Key: {{api_key}}' \
  -d '[
    {
      "cert_type": "pkcs12",
      "business_unit_id": "0b54ca3d-c6ba-4ab4-a053-ddc4a030a7b5",
      "notes": "Any note containing no more than 255 characters",
      "tag_name": "Tag to apply to the imported certificate in Trust Lifecycle Manager",
      "cert": "MIICijCCAXICAQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ6tZ0djuKkuNDfDxj+7aIrtOaxIuyuweVwj1XGgjygY+mMVoanr1BsQfNf5rvqaifiUGNZo6UABx/GdoTPBPacU9lflKwcPNLuEO1nDz7Pwy7HmIsyAtqB24Yp62eyTmIEH+CdKXSSDVU36i9SS46CoHEpIeZeQ+8KfLTFYWVCCHOwL6NTemq/FrSynb3ygrG2HYFDMtSoMtOnhjYxdNxiu+JgoObu1diKuzsclHFwdb5SjQ+NA/UnVBs4FexnYohm8QnmLi0JdlgWaaXZbpNDe1B+ldjrEPBXq2GRbkSv6kdCnYPXNU9DWtWkJi+Oyi6IhCYngJCQC4Avgmy9s7Q8CAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQAogbMdd7eoXJ8PfIdIjeJymIPCPKPVTwVCUkOa81SHKSkv/sBj059IeaNbBMHNjklWyiQd82Yto5VuyvQaw15ev44GGsDhdmmZJgT5rGb/F6pj5WNlN/WlLJMIf7OBim595I5KW93kKiYLoKPfCZN5Uxg+mZGcMmI3kyuSXlAf452ad3XMzgcll/S5uEXwDoshPYWa23Q0JZX7rTXb4oo0iG7+vxhrHy94HLAUcrUvM5OS83HZqbv34nenG+XZEU6HelJ/SS3z5yQBFbO7cennrp2IoquYANs83CwI4cm3OiXDQ4gfApf3htiztM44S7SXmwalLXVJmvSiwa7oV79j",
      "password": "Pa$$w0rd123"
    }
  ]'

Uploading revoked certificates

When uploading a revoked certificate, you must provide a revocation reason and revocation date. Supported revocation reasons:

aa_compromise
affiliation_change
cessation_of_operation
key_compromise
privilege_withdrawn
superseded
unspecified

Uploading suspended certificates

A certificate can only be uploaded in a suspended state when bound to an Imported seat (see Assigned seat types). Use the revocation date field to specify when the certificate was suspended. For the revocation reason use:

certificate_hold

Warning

Third-party certificates bound to the Discovery seat type do not support the above reason code. If you upload a suspended third-party certificate to a Discovery seat with this revocation reason, we will automatically convert the revocation reason to unspecified.

Example request and response for revoked certificate

Below is an example REST API request and response for uploading a revoked certificate in PEM-encoded X.509 format. In this example, the issuing CA has already been imported into the DigiCert ONE account. Note the revocation field in the request, and the seat type of IMPORTED_SEAT and certificate status revoked in the response.

Example 3. cURL

curl -X POST \
  https://one.digicert.com/mpki/api/v1/certificate-import?trap_seat_duplicate_error=true \
  -H 'Content-Type: application/json' \
  -H 'X-API-Key: {{api_key}}' \
  -d '[
    {
      "cert_type": "x509",
      "business_unit_id": "0b54ca3d-c6ba-4ab4-a053-ddc4a030a7b5",
      "notes": "Any note containing no more than 255 characters",
      "tag_name": "Tag to apply to the imported certificate in Trust Lifecycle Manager",
      "cert": "MIICijCCAXICAQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ6tZ0djuKkuNDfDxj+7aIrtOaxIuyuweVwj1XGgjygY+mMVoanr1BsQfNf5rvqaifiUGNZo6UABx/GdoTPBPacU9lflKwcPNLuEO1nDz7Pwy7HmIsyAtqB24Yp62eyTmIEH+CdKXSSDVU36i9SS46CoHEpIeZeQ+8KfLTFYWVCCHOwL6NTemq/FrSynb3ygrG2HYFDMtSoMtOnhjYxdNxiu+JgoObu1diKuzsclHFwdb5SjQ+NA/UnVBs4FexnYohm8QnmLi0JdlgWaaXZbpNDe1B+ldjrEPBXq2GRbkSv6kdCnYPXNU9DWtWkJi+Oyi6IhCYngJCQC4Avgmy9s7Q8CAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQAogbMdd7eoXJ8PfIdIjeJymIPCPKPVTwVCUkOa81SHKSkv/sBj059IeaNbBMHNjklWyiQd82Yto5VuyvQaw15ev44GGsDhdmmZJgT5rGb/F6pj5WNlN/WlLJMIf7OBim595I5KW93kKiYLoKPfCZN5Uxg+mZGcMmI3kyuSXlAf452ad3XMzgcll/S5uEXwDoshPYWa23Q0JZX7rTXb4oo0iG7+vxhrHy94HLAUcrUvM5OS83HZqbv34nenG+XZEU6HelJ/SS3z5yQBFbO7cennrp2IoquYANs83CwI4cm3OiXDQ4gfApf3htiztM44S7SXmwalLXVJmvSiwa7oV79j",
      "revocation": {
        "revoked": true,
        "reason": "key_compromise",
        "revoke_date": "2023-02-21T00:00:00Z"
      }
    }
  ]'