DigiCert® Private CA API

Developer documentation

DigiCert® Private CA API lets you automate the management of root and intermediate certificate authorities, configure certificate validation services, and control CA certificate lifecycle operations.

What you can do

  • Manage CA certificates: Create, import, and recertify root and intermediate CA certificates for your PKI hierarchy.

  • Configure validation services: Set up and manage CRLs (Certificate Revocation Lists) and OCSP (Online Certificate Status Protocol) responders.

  • Manage certificate templates: Create and configure custom certificate templates to define certificate profiles.

  • Control CA lifecycle: Revoke and reinstate CA certificates with approval workflows.

  • Monitor operations: Query audit logs to track CA certificate operations and configuration changes.

Authentication

Base URL and endpoints

DigiCert® provides both production and demo environments across four geographic regions. Each API call starts with a region-specific hostname (base URL), followed by a predictable versioned path.

Table 3. DigiCert Private CA API URL pattern breakdown

| Segment | Description | DigiCert Private CA examples |
|---|---|---|
| {hostname} | DigiCert® ONE hostname | one.digicert.com, demo.one.digicert.com, one.digicert.co.jp |
| {product} | DigiCert® ONE product-specific path segment | /certificate-authority (DigiCert Private CA) |
| api/v{n} | API version | /api/v1 |
| {resource} | Specific endpoint path | /ca, /ca/{id}, /crl, /ocsp-responder, /template |


CA certificate types

DigiCert Private CA supports multiple CA certificate types based on how the CA’s private key is hosted and managed.

Table 4. CA certificate type description and use case

| Type | Description | Use case |
|---|---|---|
| Online | Private key stored in DigiCert® ONE HSM; certificate operations fully automated | High-volume automated certificate issuance |
| Offline | Private key stored externally; certificate signing happens outside DigiCert® ONE | Maximum security for root CAs; air-gapped operations |
| External | CA certificate issued by an external CA but managed in DigiCert® ONE | Integration with existing PKI hierarchies |
| Third-party | CA certificate from external sources used for validation purposes | Trust store management |


When creating a CA certificate, specify the hosted_type to define how the CA’s private key will be managed.

CA certificate lifecycle

CA certificates in DigiCert Private CA can exist in different states that control their operational status.

Table 5. CA certificate lifecycle state details

| State | Description | Can issue certificates? |
|---|---|---|
| Active | CA is fully operational | Yes |
| Pending sign | CA CSR created but not yet signed; applies to offline CAs awaiting external signing | No |
| Disabled | CA temporarily deactivated; certificate issuance blocked | No |


Use the revocation and reinstatement workflows to permanently revoke a CA certificate or to restore a previously revoked one. These operations require approval through the request and approval endpoints.

Roles and permissions

Assigned roles determine a user’s permissions. Roles are manager-specific and provide a granular permission structure.

Use the /account/api/v1/role endpoint to see available roles for DigiCert Private CA:

# Quote the URL so the shell does not treat "?" as a glob character.
curl -X GET "https://demo.one.digicert.com/account/api/v1/role?application_code=certificate_authority" \
  -H "x-api-key: USER_API_TOKEN" \
  -H "Content-Type: application/json" | jq '.'
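The call above passes the token as a curl argument, where it is visible in the process list and shell history. This added example (not DigiCert's code) assembles a request from the Table 3 segments and prints a curl config for `curl --config -`, so the token stays out of argv. The function name, the `DC1_API_TOKEN` variable, the accepted token characters and the hostname allowlist (only the hostnames listed in Table 3) are assumptions.

```shell
#!/bin/sh
# Added example, not vendor code. Assumptions: the function name, the
# DC1_API_TOKEN variable, the token character set, and the allowlist,
# which holds only the hostnames listed in Table 3.

dc1_curl_config() {
    host=$1 product=$2 resource=$3 version=${4:-1}

    # Send the API token only to a known DigiCert ONE hostname.
    case "$host" in
        one.digicert.com|demo.one.digicert.com|one.digicert.co.jp) ;;
        *) echo "refusing unknown hostname: $host" >&2; return 1 ;;
    esac

    # {product} and {resource}: must start with '/', may contain only
    # URL-safe characters, and must not contain "..". This also keeps
    # quotes and newlines out of the config lines printed below.
    for seg in "$product" "$resource"; do
        case "$seg" in
            /*) ;;
            *) echo "segment must start with /: $seg" >&2; return 1 ;;
        esac
        case "$seg" in
            *..*|*[!A-Za-z0-9/_?=\&-]*)
                echo "unsafe segment: $seg" >&2; return 1 ;;
        esac
    done

    case "$version" in
        ''|*[!0-9]*) echo "bad API version: $version" >&2; return 1 ;;
    esac

    case "${DC1_API_TOKEN:-}" in
        '') echo "DC1_API_TOKEN is not set" >&2; return 1 ;;
        *[!A-Za-z0-9._-]*) echo "unexpected character in token" >&2; return 1 ;;
    esac

    # curl reads these lines from stdin, so the token is never in argv.
    printf 'url = "https://%s%s/api/v%s%s"\n' \
        "$host" "$product" "$version" "$resource"
    printf 'header = "x-api-key: %s"\n' "$DC1_API_TOKEN"
    printf 'header = "Accept: application/json"\n'
    printf 'proto = "=https"\nfail\nsilent\nshow-error\n'
}

# Usage (sends a real request, so it is left commented out):
#   dc1_curl_config demo.one.digicert.com /account \
#     '/role?application_code=certificate_authority' | curl --config - | jq '.'
```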

Important considerations

  • CA hierarchies must be built bottom-up. When creating intermediate CAs, the issuing CA must already exist in DigiCert Private CA. Import or create root CAs first, then create subordinate CAs.

  • Offline CAs require external signing. For offline CAs, generate the CSR via API, sign it externally, then upload the signed certificate using the blob endpoint.

  • Revocation is workflow-driven. CA certificate revocation and reinstatement require creating a request, then approving it through separate API calls. This prevents accidental revocation.

  • Configuration is hierarchical. System-level configuration provides defaults that individual CAs can override. Configure global settings for CRL, OCSP, and AIA, then customize per-CA as needed.

  • Certificate templates define issuance profiles. Templates specify certificate extensions, key usage, and validity periods. Assign templates to accounts to control what certificates can be issued.

Common operations

Table 6. Common DigiCert Private CA API operations

| Method | Endpoint | Description |
|---|---|---|
| POST | /certificate-authority/api/v1/ca | Create a new root or intermediate CA certificate |
| GET | /certificate-authority/api/v1/ca | List all CA certificates; use query parameters to filter by status (?status=active) |
| GET | /certificate-authority/api/v1/ca/{id} | Get details for the specified CA certificate |
| GET | /certificate-authority/api/v1/ca/{id}/download | Download a CA certificate in PEM or DER format |
| POST | /certificate-authority/api/v1/ca/import | Import an existing CA certificate into DigiCert Private CA |
| GET | /certificate-authority/api/v1/ca/{id}/csr | Retrieve the CSR for an offline CA awaiting signature |
| POST | /certificate-authority/api/v1/ca/{id}/blob | Upload a signed certificate for an offline CA |
| POST | /certificate-authority/api/v1/ca/{id}/revocation-request | Create a request to revoke a CA certificate |
| POST | /certificate-authority/api/v1/crl | Create a CRL configuration for a CA certificate |
| POST | /certificate-authority/api/v1/ocsp-responder | Create an OCSP responder for certificate status checking |
| GET | /certificate-authority/api/v1/template | List certificate templates; defines certificate profiles for issuance |
| GET | /certificate-authority/api/v1/audit | View audit logs; track CA operations and configuration changes |