Prerequisites

DigiCert ONE account
Content Trust Manager credentials (currently available on the demo environment)
User certificate
Client authentication certificate
PIN
Certificate chain
Credential ID

User certificate

Contact the DigiCert team to request an image signing user certificate. Visit Content Trust > Certificates on the demo environment to view your certificate credential details. You are not required to verify your identity to get a user certificate.

Client authentication certificate

Image signing APIs follow Mutual Transport Layer Security (mTLS) protocol. You are required to create a client authentication certificate to complete the mTLS handshake.

Create a client authentication certificate

A client authentication certificate is an X.509 digital certificate that verifies your identity as a DigiCert ONE user when you make requests via the DigiCert ONE API or client tools. It enables secure communication between applications.

Follow the procedure below based on your user type and role:

Example 1. Standard user

Standard users can create their own client authentication certificate because they have access to DigiCert ONE.

To generate a client authentication certificate:

Sign in to DigiCert ONE.Sign in to the platform
In the Managers () menu, select Account.
In the Account menu, go to Access > Users > Client authentication certificates.
Select Create client authentication certificate.
Provide the following information:
1. Nickname
  This name is the display name on the Admin details page in the Authentication certificates section. The name must be unique and only include letters, numbers, spaces, dashes, and underscores.
2. End date
  Enter the certificate expiration date. Make sure that the certificate expiration date does not expire after the API token expiration date.
  If the API token end date does not fit your use case, update or remove the API token end date first. Then come back and generate the authentication certificate.Edit your API key
  Note
  Note when the authentication certificate expires. You must generate a new certificate and update all API integrations using the certificate before it expires. If you don't, the API token integrations will stop working.
3. Encryption
  Select an encryption algorithm to use for securing communications. DigiCert recommends AES (Advanced Encryption Standard), which is the default selection.
4. Signature hash algorithm
  Select a hash function to use for verifying data integrity. DigiCert recommends SHA-256, which is the default selection.
Select Generate certificate.
Copy the certificate's password and store it in a secure location. You will need to use it later when installing the certificate or using it in your certificate request.
Note
The certificate's password is only displayed only once. You cannot access it after you select Download certificate. If you lose the password, you will need to generate a new authentication certificate.
Select Download certificate.
Remember the file path to your client authentication certificate, you will need to reference it later.
Note
You cannot download the certificate again. If you lose your certificate, you will need to generate a new authentication certificate.
Select Close.

Example 2. Service user

Service users do not have access to DigiCert ONE, therefore a standard user will need to generate a client authentication certificate for the service user.

Tip

The DigiCert® Account Manager permission: Manage users is required to create a client authentication certificate for a service user.

To create a client authentication certificate for a service user:

Sign in to DigiCert ONE.Sign in to the platform
In the Managers () menu, select Account.
In the Account menu, go to Access > Service User.
In the Friendly name column, select the service user's friendly name.
Navigate to the Client authentication certificates section.
Select Create client authentication certificate.
Provide the following information:
1. Nickname
  This is the friendly name shown on the Service user details page. The name must be unique and may only include letters, numbers, spaces, dashes, and underscores.
2. End date
  Enter an expiry date for the certificate.
  Tip
  Note when the authentication certificate expires. You must generate a new certificate and update all API integrations using the certificate before it expires. If you don't, the API token integrations will stop working.
3. Encryption
  Select an encryption algorithm to use for securing communications. DigiCert recommends AES (Advanced Encryption Standard), which is the default selection.
4. Signature hash algorithm
  Select a hash function to use for verifying data integrity. DigiCert recommends SHA-256, which is the default selection.
Select Generate certificate.
Copy the certificate's password and store it in a secure location. You will need to use it later when installing the certificate or using it in your certificate request.
Tip
This password is required for installation and API requests. You will not be able to retrieve it later.
Download Download certificate.
Tip
You cannot download it again. If lost, you must generate a new certificate.
Remember the file path to your client authentication certificate, you will need to reference it later.
Select Close.

The Client authentication certificate you create is downloaded as PKCS#12 (.p12) file to your device. It contains both your private key and public certificate. You are required to separate the certificate and extract two PEM files: cert.pem and key.pem for use in this Python SDK.

Note

Ensure you have OpenSSL is installed on your device.

macOS: Usually pre-installed. If not , install Homebrew.

Windows: Install OpenSSL for Windows.

Extract cert.pem (public certificate)

For macOS / Linux, run command:

openssl pkcs12 -in Certificate_pkcs12.p12 -clcerts -nokeys -out cert.pem

For Windows, use Command Prompt or PowerShell to run command:

openssl pkcs12 -in Certificate_pkcs12.p12 -clcerts -nokeys -out cert.pem

Enter the password you saved while generating your Client authentication certificate. If you cannot find your password, create a new Client authentication certificate.

Extract key.pem (private certificate)

For macOS / Linux, run command:

openssl pkcs12 -in Certificate_pkcs12.p12 -clcerts -nokeys -out cert.pem

For Windows, use Command Prompt or PowerShell to run command:

openssl pkcs12 -in Certificate_pkcs12.p12 -nocerts -nodes -out key.pem

Enter the password you saved while generating your Client authentication certificate. If you cannot find your password, create a new Client authentication certificate.

You will receive an email with the subject line of Sign with your digital ID once your user certificate is created. This email includes the PIN associated with your user certificate via email. Make sure you keep this email safe so that you can easily retrieve it for signing images.

Certificate chain

The certificate chain you download contains certificate chain, intermediate certificate, and root values.

To download certificate chain:

In the Content Trust menu, select Certificates > User certificates.
Select the credential nickname with which you want to sign.
In the Credential details page, navigate to Certificate details.
Select Download certificate chain to download certificate chain, intermediate certificate, and root.
Open the downloaded certificate chain (chain.pem file) in a text editor such as Notepad++ and save the file.

Credential ID

Your credential ID is the nickname of User certificate in Content Trust Manager. Copy the user certificate nickname and use it in your request body.

To copy your credential ID:

In the Content Trust menu, select Certificates.
Hover your cursor over certificate nickname.
Select the Copy icon.

In this section: