Prerequisites
DigiCert ONE account
Content Trust Manager credentials (currently available on the demo environment)
User certificate
Contact the DigiCert team to request an image signing user certificate. Visit Content Trust > Certificates on the demo environment to view your certificate credential details. You are not required to verify your identity to get a user certificate.
Client authentication certificate
Image signing APIs follow Mutual Transport Layer Security (mTLS) protocol. You are required to create a client authentication certificate to complete the mTLS handshake.
To create a client authentication certificate:
Sign in to DigiCert ONE.
In the top-right corner, select the profile icon > Admin profile > Client authentication certificates.
Select Create client authentication certificate.
Provide the following information:
Nickname
This name is the display name on the Admin details page in the Authentication certificates section. The name must be unique and only include letters, numbers, spaces, dashes, and underscores.
End date
Enter the certificate expiration date.
Note when the authentication certificate expires. You must generate a new certificate and update all API integrations using the certificate before it expires. If you don't, the API token integration will stop working.
Encryption
Select an encryption algorithm to use for securing communications. DigiCert recommends AES (Advanced Encryption Standard), which is the default selection.
Signature hash algorithm
Select a hash function to use for verifying data integrity. DigiCert recommends SHA-256, which is the default selection.
Select Generate certificate.
Copy the certificate's password and store it in a secure location. You will need to use it later when installing the certificate or using it in your certificate request. This password is required for installation and API requests. You will not be able to retrieve it later.
Select Download certificate. You cannot download it again. If lost, you must generate a new certificate.
Remember the file path to your client authentication certificate; you will need to reference it later.
Select Close.
The client authentication certificate you create is downloaded to your device as a PKCS#12 (.p12) file. It contains both your private key and your public certificate. Before you can use it with this Python SDK, you must split it into two PEM files: cert.pem and key.pem.
Note
Ensure OpenSSL is installed on your device.
macOS: Usually pre-installed. If not, install it with Homebrew.
Windows: Install OpenSSL for Windows.
Extract cert.pem (public certificate)
For macOS / Linux, run command:
openssl pkcs12 -in Certificate_pkcs12.p12 -clcerts -nokeys -out cert.pem
For Windows, use Command Prompt or PowerShell to run command:
openssl pkcs12 -in Certificate_pkcs12.p12 -clcerts -nokeys -out cert.pem
Enter the password you saved while generating your Client authentication certificate. If you cannot find your password, create a new Client authentication certificate.
Extract key.pem (private key)
For macOS / Linux, run command:
openssl pkcs12 -in Certificate_pkcs12.p12 -nocerts -nodes -out key.pem
For Windows, use Command Prompt or PowerShell to run command:
openssl pkcs12 -in Certificate_pkcs12.p12 -nocerts -nodes -out key.pem
Enter the password you saved while generating your Client authentication certificate. If you cannot find your password, create a new Client authentication certificate.
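The two openssl commands above, wrapped in a small POSIX shell script that also checks the result before you point the SDK at it. This is an added example, not DigiCert's code or part of the SDK: the function names extract_client_pem, pem_pair_matches and cert_valid_for_days are made up for this illustration, the file name Certificate_pkcs12.p12 is the one used in the steps above, and the password is supplied as an argument instead of typed at the prompt (-passin). After extraction it confirms that cert.pem and key.pem carry the same public key, which is the usual cause of an mTLS handshake failing after a certificate was regenerated, and that the certificate is not about to expire.

```shell
#!/bin/sh
# Added example, not DigiCert's code: split a DigiCert ONE client
# authentication certificate (PKCS#12) into cert.pem and key.pem and
# sanity-check the pair before using it for mTLS.
#
# Usage: extract_client_pem <Certificate_pkcs12.p12> <password> [outdir]
# The output file names (cert.pem, key.pem) match the steps in the docs.
set -eu

extract_client_pem() {
    p12="$1"; pass="$2"; outdir="${3:-.}"
    mkdir -p "$outdir"
    # Public certificate only (the -clcerts -nokeys command from the docs).
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys \
        -out "$outdir/cert.pem"
    # Private key only, written unencrypted (-nodes) so the SDK can load it
    # without a second passphrase prompt. The subshell limits the umask so
    # the key file is created owner-readable only; chmod covers an existing file.
    ( umask 077
      openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes \
          -out "$outdir/key.pem" )
    chmod 600 "$outdir/key.pem"
}

# Return 0 if the public key inside cert.pem is identical to the public key
# derived from key.pem, i.e. the two PEM files came from the same .p12.
pem_pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if cert.pem is still valid for at least N days (default 30), so a
# rotation can be scheduled before API integrations stop working.
cert_valid_for_days() {
    days="${2:-30}"
    openssl x509 -in "$1" -noout -checkend $((days * 86400)) >/dev/null
}
```

Run it as `. ./extract.sh; extract_client_pem Certificate_pkcs12.p12 'your-saved-password' ./certs && pem_pair_matches certs/cert.pem certs/key.pem && cert_valid_for_days certs/cert.pem 30`. Passing the password on the command line is convenient for scripts but leaves it in shell history and process listings; for interactive use, drop the -passin arguments and let openssl prompt as the docs describe.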
PIN
You will receive an email with the subject line Sign with your digital ID once your user certificate is created. This email includes the PIN associated with your user certificate. Keep this email safe so that you can easily retrieve the PIN when signing images.
Certificate chain
The downloaded certificate chain file contains the certificate chain, the intermediate certificate, and the root certificate.
To download certificate chain:
In the Content Trust menu, select Certificates > User certificates.
Select the credential nickname with which you want to sign.
In the Credential details page, navigate to Certificate details.
Select Download certificate chain to download certificate chain, intermediate certificate, and root.
Open the downloaded certificate chain (chain.pem file) in a text editor such as Notepad++ and save the file.
Credential ID
Your credential ID is the nickname of your user certificate in Content Trust Manager. Copy the user certificate nickname and use it in your request body.
To copy your credential ID:
In the Content Trust menu, select Certificates.
Hover your cursor over the certificate nickname.
Select the Copy icon.