DigiCert Private CA API
DigiCert® Private CA API lets you automate the management of root and intermediate certificate authorities, configure certificate validation services, and control CA certificate lifecycle operations.
What you can do
- Manage CA certificates: Create, import, and recertify root and intermediate CA certificates for your PKI hierarchy.
- Configure validation services: Set up and manage CRLs (Certificate Revocation Lists) and OCSP (Online Certificate Status Protocol) responders.
- Manage certificate templates: Create and configure custom certificate templates to define certificate profiles.
- Control CA lifecycle: Revoke and reinstate CA certificates with approval workflows.
- Monitor operations: Query audit logs to track CA certificate operations and configuration changes.
Authentication
| Method | Best for | How it works |
|---|---|---|
| API key (default) | CI/CD pipelines, backend services | Add the service user API token in the x-api-key request header. |
| Mutual TLS (mTLS) | High-assurance, network-restricted, or key-rotation-averse environments | Present a client TLS certificate and call the API through the clientauth.-prefixed hostname. |
Base URL and endpoints
DigiCert® provides both production and demo environments across four geographic regions. Each API call starts with a region-specific hostname (base URL), followed by a predictable versioned path.
| Environment | Purpose |
|---|---|
| Demo | Safe testing, proof-of-concepts |
| Production | Live operations |
| Segment | Description | Examples |
|---|---|---|
| {hostname} | DigiCert® ONE hostname | one.digicert.com, demo.one.digicert.com, one.digicert.co.jp |
| {product} | DigiCert® ONE product-specific path segment | /certificate-authority (DigiCert Private CA) |
| api/v{n} | API version | /api/v1 |
| {resource} | Specific endpoint path | /ca, /ca/{id}, /crl, /ocsp-responder, /template |
CA certificate types
DigiCert Private CA supports multiple CA certificate types based on how the CA’s private key is hosted and managed.
| Type | Description | Use case |
|---|---|---|
| Online | Private key stored in DigiCert® ONE HSM; certificate operations fully automated | High-volume automated certificate issuance |
| Offline | Private key stored externally; certificate signing happens outside DigiCert® ONE | Maximum security for root CAs; air-gapped operations |
| External | CA certificate issued by an external CA but managed in DigiCert® ONE | Integration with existing PKI hierarchies |
| Third-party | CA certificate from external sources used for validation purposes | Trust store management |
When creating a CA certificate, specify the hosted_type to define how the CA’s private key will be managed.
CA certificate lifecycle
CA certificates in DigiCert Private CA can exist in different states that control their operational status.
| State | Description | Can issue certificates? |
|---|---|---|
| Active | CA is fully operational | Yes |
| Pending sign | CA CSR created but not yet signed; applies to offline CAs awaiting external signing | No |
| Disabled | CA temporarily deactivated; certificate issuance blocked | No |
Use revocation and reinstatement workflows to permanently revoke or restore previously revoked CA certificates. These operations require approval through request/approval endpoints.
Roles and permissions
Assigned roles determine a user’s permissions. Roles are manager-specific and provide a granular permission structure.
Use the /account/api/v1/role endpoint to see available roles for DigiCert Private CA:
```bash
# URL is quoted so the shell does not treat "?" as a glob character
curl -X GET "https://demo.one.digicert.com/account/api/v1/role?application_code=certificate_authority" \
  -H "x-api-key: USER_API_TOKEN" \
  -H "Content-Type: application/json" | jq '.'
```
Important considerations
- CA hierarchies must be built bottom-up. When creating intermediate CAs, the issuing CA must already exist in DigiCert Private CA. Import or create root CAs first, then create subordinate CAs.
- Offline CAs require external signing. For offline CAs, generate the CSR via API, sign it externally, then upload the signed certificate using the blob endpoint.
- Revocation is workflow-driven. CA certificate revocation and reinstatement require creating a request, then approving it through separate API calls. This prevents accidental revocation.
- Configuration is hierarchical. System-level configuration provides defaults that individual CAs can override. Configure global settings for CRL, OCSP, and AIA, then customize per-CA as needed.
- Certificate templates define issuance profiles. Templates specify certificate extensions, key usage, and validity periods. Assign templates to accounts to control what certificates can be issued.
Common operations
| Method | Endpoint | Description |
|---|---|---|
| POST | /certificate-authority/api/v1/ca | Create a new root or intermediate CA certificate |
| GET | /certificate-authority/api/v1/ca | List all CA certificates; use query parameters to filter by status ?status=active |
| GET | /certificate-authority/api/v1/ca/{id} | Get details for the specified CA certificate |
| GET | /certificate-authority/api/v1/ca/{id}/download | Download a CA certificate in PEM or DER format |
| POST | /certificate-authority/api/v1/ca/import | Import an existing CA certificate into DigiCert Private CA |
| GET | /certificate-authority/api/v1/ca/{id}/csr | Retrieve the CSR for an offline CA awaiting signature |
| POST | /certificate-authority/api/v1/ca/{id}/blob | Upload a signed certificate for an offline CA |
| POST | /certificate-authority/api/v1/ca/{id}/revocation-request | Create a request to revoke a CA certificate |
| POST | /certificate-authority/api/v1/crl | Create a CRL configuration for a CA certificate |
| POST | /certificate-authority/api/v1/ocsp-responder | Create an OCSP responder for certificate status checking |
| GET | /certificate-authority/api/v1/template | List certificate templates; defines certificate profiles for issuance |
| GET | /certificate-authority/api/v1/audit | View audit logs; track CA operations and configuration changes |
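The following client ties together the URL segment table, the x-api-key authentication method, and the offline CA and revocation workflows from the considerations above, using the endpoints in the table. It is an added example, not DigiCert's SDK: the endpoint paths come from this page, but the JSON field names sent to the blob and revocation-request endpoints (`certificate`, `reason`) are assumptions, and the `send` hook exists only so the flow can be exercised without network access.

```python
import json
import urllib.request

# Path segments from the URL table on this page: https://{hostname}{product}/api/v{n}{resource}
PRODUCT = "/certificate-authority"
VERSION = "/api/v1"


def build_url(hostname, resource, product=PRODUCT, version=VERSION):
    """Assemble a region-specific Private CA endpoint URL."""
    return f"https://{hostname}{product}{version}{resource}"


class PrivateCAClient:
    """API-key client; `send` is injectable so the workflow can be exercised offline."""

    def __init__(self, hostname, api_key, send=None):
        self.hostname = hostname
        self.api_key = api_key
        self._send = send or self._http_send

    @staticmethod
    def _http_send(method, url, headers, body):
        req = urllib.request.Request(url, data=body, method=method, headers=headers)
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()

    def request(self, method, resource, payload=None):
        # The service user API token travels in the x-api-key header (see Authentication).
        headers = {"x-api-key": self.api_key, "Content-Type": "application/json"}
        body = json.dumps(payload).encode() if payload is not None else None
        status, raw = self._send(method, build_url(self.hostname, resource), headers, body)
        if status >= 400:
            raise RuntimeError(f"{method} {resource} failed with HTTP {status}")
        return json.loads(raw) if raw else {}

    def list_active_cas(self):
        return self.request("GET", "/ca?status=active")

    # Offline CA workflow: fetch the CSR, sign it outside DigiCert ONE, upload the result.
    def fetch_offline_ca_csr(self, ca_id):
        return self.request("GET", f"/ca/{ca_id}/csr")

    def upload_signed_certificate(self, ca_id, signed_pem):
        # "certificate" is an assumed field name; confirm it against the OpenAPI reference.
        return self.request("POST", f"/ca/{ca_id}/blob", {"certificate": signed_pem})

    def create_revocation_request(self, ca_id, reason):
        # Assumed "reason" field. Creates the request only; approval is a separate call.
        return self.request("POST", f"/ca/{ca_id}/revocation-request", {"reason": reason})
```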
API reference
OpenAPI reference documentation for DigiCert® Private CA