Trust Lifecycle Manager API

DigiCert® Trust Lifecycle Manager API lets you automate certificate enrollment, manage certificate lifecycles, deploy discovery tools, and orchestrate certificate automation across your enterprise infrastructure.

What you can do

  • Manage certificate enrollments: Create and redeem enrollment codes for users and devices to request certificates.

  • Automate certificate operations: Schedule and execute certificate issuance, renewal, and revocation with automated distribution.

  • Discover certificates: Deploy sensors and agents to scan networks and systems for certificate inventory.

  • Manage seats and profiles: Control licensing through seats and define certificate profiles for different use cases.

  • Organize with business units: Structure your PKI operations using business units for delegation and reporting.

  • Monitor operations: Query audit logs and generate reports on certificate and enrollment activities.

Tip

See Get started for complete details on making your first API call to DigiCert® ONE APIs.

Authentication

Base URL and endpoints

DigiCert® provides both production and demo environments across four geographic regions. Each API call starts with a region-specific hostname (base URL), followed by a predictable versioned path.

User types: Standard vs. service users

Make sure you understand the difference between a standard user (your primary user account) and service users.

Table 4. Standard user vs. service user comparison

|  | Standard user | Service user |
| --- | --- | --- |
| Purpose | UI access via web browser and user administration | API integration and automation |
| Authentication | Username/password; API token; client authentication certificate | API token; client authentication certificate |
| Can create API tokens? | Yes, with inherited permissions (assumes exact roles as the user creating the token) | No, service users are the token (roles are explicitly assigned at creation) |
| Can manage users? | Yes, depending on assigned roles | Yes, depending on assigned roles |
| Best for | Manual administration; one-off tasks | CI/CD pipelines; integrations |


Roles and permissions

Assigned roles determine a user's permissions. Roles are manager-specific and provide a granular permission structure.

Use the /account/api/v1/role endpoint to see available roles for Trust Lifecycle Manager:

curl -X GET "https://demo.one.digicert.com/account/api/v1/role?application_code=enterprise_manager" \
  -H "x-api-key: USER_API_TOKEN" \
  -H "Content-Type: application/json" | jq '.'
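
Added example (not DigiCert's code): the same role query with the API token kept out of the curl command line, where process listings and shell history would expose it. The variable names TLM_API_TOKEN and TLM_BASE_URL and both function names are assumptions; the host, path and x-api-key header are the ones shown above.

```shell
#!/bin/sh
# Added example, not DigiCert code. TLM_API_TOKEN and TLM_BASE_URL are
# assumed variable names; host, path and x-api-key header come from the page.

# Print a curl config for a GET to $1 (path plus optional query string).
tlm_curl_config() {
    path=$1
    base=${TLM_BASE_URL:-https://demo.one.digicert.com}
    token=${TLM_API_TOKEN:-}
    nl='
'
    [ -n "$token" ] || { echo "TLM_API_TOKEN is not set" >&2; return 1; }
    # Never send the token over plaintext HTTP.
    case $base in
        https://*) ;;
        *) echo "base URL must use https" >&2; return 1 ;;
    esac
    case $path in
        /*) ;;
        *) echo "path must start with /" >&2; return 1 ;;
    esac
    # Reject characters that could break out of a quoted config value
    # and inject extra curl options.
    case $token$path$base in
        *'"'*|*'\'*|*"$nl"*) echo "unsafe character in input" >&2; return 1 ;;
    esac
    printf 'url = "%s%s"\n' "$base" "$path"
    printf 'header = "x-api-key: %s"\n' "$token"
    printf 'header = "Accept: application/json"\n'
    # Fail on HTTP errors, stay quiet otherwise, still report failures.
    printf 'fail\nsilent\nshow-error\n'
}

# Send the request. The config reaches curl on stdin through the shell's
# builtin printf, so the token never appears in any process's argv.
tlm_get() {
    cfg=$(tlm_curl_config "$1") || return 1
    printf '%s\n' "$cfg" | curl --config -
}
```

Call it as `tlm_get '/account/api/v1/role?application_code=enterprise_manager' | jq '.'` after loading TLM_API_TOKEN from your secret store.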

Important considerations

  • Seats must be available before enrollment. Certificate issuance consumes a seat. Ensure sufficient seats exist in the target business unit before creating enrollments. Use /mpki/api/v1/seat-types to view available seat types.

  • Profiles define certificate characteristics. Before creating enrollments, configure profiles that specify certificate templates, validity periods, and CA assignments. Profiles are immutable during enrollment.

  • Business units provide organizational structure. Seats, profiles, and enrollments belong to business units. Assign users to business units to delegate management responsibilities.

  • Enrollment codes are single-use. Each enrollment code can be redeemed only once. Generate new codes for additional certificate requests.

  • Certificate automation requires discovery. Before automating certificate operations, deploy sensors or agents to discover certificates in your infrastructure. Use /mpki/api/v1/scan endpoints to initiate discovery scans.

  • EST protocol support. Trust Lifecycle Manager supports EST (Enrollment over Secure Transport) for standards-based automated enrollment. Use /.well-known/est/TLM-{profileId}/ endpoints for EST operations.

Common operations

Table 5. Common Trust Lifecycle Manager API operations

| Method | Endpoint | Description |
| --- | --- | --- |
| POST | /mpki/api/v1/enrollment | Create an enrollment; generates enrollment code for certificate request |
| POST | /mpki/api/v1/enrollment/redeem | Redeem enrollment code; submits CSR and consumes seat |
| GET | /mpki/api/v1/enrollment-details | List all enrollments; use query parameters to filter by status |
| POST | /mpki/api/v1/certificate | Issue certificate; direct issuance without enrollment workflow |
| GET | /mpki/api/v1/certificate-search | Search certificates; use filters for serial number, common name, expiration dates |
| POST | /mpki/api/v1/certificate/{serial_number}/renew | Renew certificate by serial number |
| PUT | /mpki/api/v1/certificate/{serial_number}/revoke | Revoke certificate by serial number |
| POST | /mpki/api/v1/automation | Create certificate automation event; schedules automated renewal and distribution |
| GET | /mpki/api/v1/seat | List seats; view available and consumed seats by business unit |
| POST | /mpki/api/v1/seat | Create seat; adds licensed capacity to business unit |
| GET | /mpki/api/v1/profile | List certificate profiles; shows available profiles for enrollment |
| POST | /mpki/api/v1/sensor/allocate | Allocate sensor; provisions new sensor for network discovery |
| GET | /mpki/api/v1/audit-log | View audit logs; track certificate operations and user actions |