Request a TLS certificate
Automating TLS certificate issuance reduces manual effort, accelerates deployment cycles, and ensures consistent security posture across your infrastructure. This tutorial walks you through the complete certificate request workflow using DigiCert® Trust Lifecycle Manager API.
What you’ll learn
In this tutorial, you will:
Retrieve available certificate profiles from your account.
Generate a certificate signing request (CSR).
Submit a certificate request and receive the issued certificate
Verify certificate status and retrieve it in different formats.
Troubleshoot common errors during the certificate request process.
Before you begin
Before starting this tutorial, make sure you have:
Completed or understand Making your first API call.
A service user with the
EM_EPKI_USER_&_CERT_MANAGERrole assigned. This role includes the Manage create permission required to enroll certificates. (Use/account/api/v1/user/meto verify assigned roles).A certificate profile with
enrollment_methodset torest_api.OpenSSL installed on your system (use
openssl versionto verify).If using
curl,jqshould be installed (jq --version).
Endpoint overview
The following endpoints are used in this tutorial.
Primary endpoints
Purpose | Method | Endpoint |
|---|---|---|
Retrieve certificate profiles |
|
|
Submit certificate request |
|
|
Check certificate status |
|
|
Get additional certificate formats |
|
|
Supporting endpoints
Purpose | Method | Endpoint |
|---|---|---|
Certificate pickup (Microsoft CA templates) |
|
|
Step 1: List available certificate profiles
Certificate profiles define the characteristics of the certificates you’ll issue, such as certificate type, validity period, key parameters, and enrollment methods. Before you can request a certificate, you need to identify which profile matches your requirements.
You can retrieve all available profiles in your account using the /mpki/api/v2/profile endpoint. The limit parameter controls how many profiles are returned per response (default: 20), and you can use offset for pagination if you have many profiles.
Important
If you’re using Public S/MIME Secure Email (DigiCert CertCentral®-based) templates, use the /api/v2 version of this endpoint for proper compatibility.
Successful response:
[
{
"id": "d6743d9a-fb67-4a64-a33e-8a3229d28cc4",
"name": "Profile name",
"status": "Active",
"signature_algorithm": "SHA256_WITH_RSA",
"publish_to_public_directory": false,
"renewal_period_days": 30,
"duplicate_cert_policy": false,
"override_cert_validity_via_api": true,
"certificate_delivery_format": "pkcs7",
"account_id": "3ff33f88-5717-4542-b3fc-3f312f44afa4",
"business_unit_id": "e5bf49f0-a77b-4301-85e9-c15eb12df70f",
"enrollment_method": "rest_api",
"authentication_method": "third_party_app",
"days_till_enrollment_expires": 10,
"automated_renewal": true,
"renewal_window_days": 30,
"custom_extended_key_usages": [
"1.2.840.113583.1.1.7"
],
"private_key_attributes": {
"key_size": "2048"
},
"key_escrow_policy": {
"key_escrow_enabled": true,
"key_escrow_deployment_mode": "CLOUD",
"dual_admin_recovery": true
},
"api_token_binding_enabled": true,
"api_token_ids": [
"8517a493-ef6a-405e-85f1-eecd538e7692",
"8517a493-ef6a-405e-85f1-eecd538e7693"
],
"enable_dual_admin_approval": true,
"certificate": {
"subject": {
"attributes": [
{
"type": "common_name",
"mandatory": true,
"multiple": false,
"sources": [
{
"mandatory": true,
"source": "ENTERED_BY_USER_DURING_ENROLLMENT",
"ad_attribute_key": "cn"
}
]
},
{
"type": "domain_component",
"mandatory": true
},
{
"type": "organization_name",
"mandatory": true,
"multiple": false,
"source": [
{
"mandatory": false,
"source": "UPLOADED_BY_ADMIN"
}
]
},
{
"type": "street_address",
"mandatory": true,
"multiple": false,
"source": [
{
"mandatory": false,
"source": "AD_ATTRIBUTE",
"ad_attribute_key": "streetAddress"
},
{
"mandatory": true,
"source": "FIXED_VALUE",
"value": "20 Cooper Square"
}
]
},
{
"type": "country",
"mandatory": true
},
{
"type": "locality",
"mandatory": true
},
{
"type": "state",
"mandatory": true
},
{
"type": "postal_code",
"mandatory": true
}
]
},
"validity": {
"unit": "days",
"duration": 365
},
"extensions": {
"san": {
"critical": false,
"attributes": [
{
"type": "emails",
"mandatory": true,
"multiple": false,
"sources": [
{
"mandatory": true,
"source": "entered_by_user_during_enrollment"
}
]
},
{
"type": "user_principal_names",
"mandatory": false,
"multiple": false,
"sources": [
{
"mandatory": false,
"source": "uploaded_by_admin"
}
]
}
]
},
"security_identifier": {
"attributes": [
{
"type": "critical",
"mandatory": false,
"multiple": false,
"sources": [
{
"mandatory": false,
"source": "entered_by_user_during_enrollment"
}
]
},
{
"type": "additional_values",
"mandatory": false,
"multiple": false,
"sources": [
{
"mandatory": false,
"source": "entered_by_user_during_enrollment"
}
]
}
]
}
},
"issuer": {
"serial_number": "254554466396905590377942608199604315083804010285",
"subject_dn": "CN=USCSS Nostromo, O=Weyland-Yutani, C=US",
"certificate": "-----BEGIN CERTIFICATE-----\n•••\n•••\n•••\n-----END CERTIFICATE-----\n",
"root": false,
"chain": [
{
"serial_number": "254554466396905590377942608199604315083804010285",
"subject_dn": "CN=The Company, O=Weyland-Yutani, C=US",
"certificate": "-----BEGIN CERTIFICATE-----\n•••\n•••\n•••\n-----END CERTIFICATE-----\n",
"root": true
}
]
}
},
"enable_ldap_search": false,
"useCustomContact": false,
"cert_delivery_format": "x509",
"template": {
"id": "99bfc12d-6732-e6c6-3f6d-a8c30e7833c1",
"name": "Domain Controller",
"trust_type": "private"
},
"connector_id": "914bfbc2-b2e2-11ef-a370-fe7b3e6ed6dd",
"fields": {
"optional": false,
"multiple": false,
"key": "subject_common_name",
"type": "string",
"input": "text",
"sources": {
"source": "entered_by_user_during_enrollment",
"optional": false,
"multi_value": false,
"labels": []
},
"labels": [],
"max": 64,
"default_value": null
},
"business_unit": {
"id": "e5bf49f0-a77b-4301-85e9-c15eb12df70f",
"name": "Test BU"
},
"account": {
"id": "3ff33f88-5717-4542-b3fc-3f312f44afa4"
}
}
]
From the returned list of profiles, identify the profile you want to use and save its id value. You’ll need this when submitting your certificate request in Step 3. Pay attention to the enrollment_method field. It must be set to rest_api for API-based certificate requests.
Step 2: Generate a certificate signing request (CSR)
Before submitting a certificate request, generate a private key and CSR. The CSR contains the public key and subject information for your certificate.
Important
Keep your private key secure and never share it. An exposed private key allows attackers to decrypt traffic and forge your identity.
Generate the private key and CSR
# Generate a 2048-bit RSA private key openssl genrsa -out private.key 2048 # Generate the CSR openssl req -new -key private.key -out request.csr \ -subj "/C=US/ST=Utah/L=Lehi/O=DigiCert Inc/CN=example.com" # Secure the private.key file chmod 400 private.key # Verify the CSR (optional) openssl req -in request.csr -noout -text
Understanding CSR subject fields
Your CSR must include the subject fields required by your certificate profile. The most common fields include:
CN(Common Name): The fully qualified domain name for your certificate.O(Organization): Your legal organization nameOU(Organizational Unit): Department or division within your organization (optional)L(Locality): City nameST(State): State or province nameC(Country): Two-letter ISO country code
Note
Subject field requirements vary by certificate profile configuration. Review your profile details from Step 1 to determine which fields are mandatory.
Step 3: Submit certificate request
With your CSR generated, you’re ready to submit your certificate request. The /mpki/api/v1/certificate endpoint requires three essential pieces of information:
profile.id: The certificate profile ID from Step 1profile.seat.id: The identifier for the seat (typically an email address) that will own this certificateprofile.csr: The CSR content you generated in Step 2
Note
For certificate profiles configured with immediate issuance, the endpoint returns the signed certificate directly in the response. Profiles requiring approval or using Microsoft CA templates return a request_id instead, which you’ll use to retrieve the certificate once it’s been issued.
Successful response:
{
"serial_number": "4099ABF9C1BB7C02BBE1CDC7836CA9D58A71C2A5",
"delivery_format": "x509",
"certificate": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"
}
Save the serial_number. You need it to check the request status or retrieve the certificate later. For profiles with immediate issuance, you can extract and use the certificate in PEM format directly from the certificate field.
Note
If the response includes a request_id instead of a certificate, the profile requires manual approval or delayed processing. Use the /mpki/api/v1/certificate-pickup/{request_id} endpoint to retrieve the certificate once it becomes available.
Step 4: Check certificate status
After submitting your certificate request, you can verify the issuance status and retrieve detailed certificate information using the serial number returned in Step 3. This endpoint is also useful for tracking certificate lifecycle events, confirming successful issuance, or troubleshooting requests that require manual approval.
Successful response:
{
"profile": {
"id": "7f606454-e011-4cfb-af90-5a13232bbd8f",
"name": "Example Certificate Profile"
},
"seat": {
"seat_id": "some-seat-id@example.com"
},
"business_unit": {
"id": "12d3c45e-d3e6-46fc-7f48-91030fa5cac6",
"name": "Example-BU1"
},
"account": {
"id": "f3f99122-1234-567a-919b-5f692216ff85"
},
"certificate": "...(Base64-encoded certificate)...",
"ica": {
"id": "444FFF3A03C12BCEF463B5D2EF01985F"
},
"common_name": "host1.example.com",
"status": "issued",
"serial_number": "0F6F55555658A989F0F463A4DA0D807F",
"thumbprint": "FE0EFDC64AA55565556152850D2B84B46EF433444A28970F6A2A7F510A7A8880",
"valid_from": "<YYYY-MM-DD>T<HH:MM:SS>Z",
"valid_to": "<YYYY-MM-DD>T<HH:MM:SS>Z",
"notes": "Some example notes about the valid certificate",
"template_name": "Template Name",
"issuing_ca_name": "Issuing CA Name",
"key_size": 2048,
"signature_algorithm": "RSA",
"subject": {
"common_name": "host1.example.com",
"organization_name": "Example Org",
"organization_units": "Example Org Unit",
"description": "Some example description",
"serial_number": "0F6F55555658A989F0F463A4DA0D807F",
"pseudonym": "Some example pseudonym",
"unique_identifier": "3a3aeb976040eed5c5d3bfb6143b7814",
"user_identifier": "Some example user identifier",
"domain_component": "Some example domain component",
"dn_qualifier": "Some example DN qualifier",
"unstructured_name": "Some example unstructured name",
"unstructured_address": "Some example unstructured address",
"street_address": "Some example street address",
"postal_code": 89714,
"locality": "Carson city",
"state": "NV",
"country": "US",
"email": "some@mail",
"title": "Some example title",
"given_name": "Some example given name",
"surname": "Some example surname",
"organization_identifier": "1.3.6.1.4.1.311.60.2.1.3"
},
"cert_security_rating": "Secure",
"security_rating_info": {
"security_rating": {
"encryption": [
{
"category_name": "Encryption",
"criteria_name": "AES256",
"value": "Strong",
"rating": {
"value": true,
"issue": "None"
},
"data": {
"key_size": 256,
"mode": "CBC"
}
}
]
},
"handshake_protocols": [
{
"cipher_algorithm": "ECDHE-RSA-AES256-GCM-SHA384",
"key_size": 256,
"protocol": "TLSv1.2"
}
],
"security_headers": {
"X-Content-Type-Options": "nosniff"
},
"http_response_headers": {
"Content-Security-Policy": "default-src 'self'"
},
"certificate_chain": {
"cert_chain_details": [
{
"cert_chain_id": 1,
"overall_status": "Valid",
"is_additional_cert_chain": false,
"is_valid_chain": true,
"cert_details": [
{
"status": "Active",
"expiration_date": 1672531199000,
"key_algorithm": "RSA",
"algorithm_type": "SHA256",
"issue_date": 1609459200000,
"issuer_DN": "CN=Example CA, O=Example Inc., C=US",
"subject": "CN=example.com, O=Example Inc., C=US",
"errors": []
}
]
}
]
},
"security_rating_score": "Secure",
"certificate_chain_score": "Secure",
"handshake_protocol_score": [
"Secure"
],
"security_headers_score": "Secure",
"http_response_headers_score": 10,
"protocol_ciphers": [
{
"protocol": "TLSv1.2",
"insecure_iphers": [
{
"code": 1,
"forward_secrecy": false,
"kex_info": "RSA",
"name": "RC4",
"unsafe": 1
}
],
"weak_ciphers": [],
"safe_ciphers": [
{
"code": 156,
"forward_secrecy": true,
"kex_info": "ECDHE-RSA",
"name": "AES256-GCM-SHA384",
"unsafe": 0
}
],
"compressors": "DEFLATE",
"cipher_pref_order": "client",
"warnings": ""
}
],
"protocol_cipher_score": {
"protocols": [
"TLSv1.2",
"TLSv1.3"
],
"score": "Secure"
}
}
}
The response provides comprehensive certificate details, including profile information, validity periods, and security ratings. Key fields to review:
status: Current certificate state (issued,pending,revoked)valid_from/valid_to: Certificate validity periodcertificate: The PEM-encoded certificate (if issued)thumbprint: Certificate fingerprint for verificationcert_security_rating: Overall security assessment
If the status field shows issued, your certificate is ready to use. For other status values like pending, the certificate may be awaiting approval or additional processing.
Step 5: Download additional certificate formats
The initial certificate issuance returns your certificate in X.509 (PEM) format. For deployments requiring bundled certificate chains or alternative formats, retrieve additional options using the certificate’s serial number.
Successful response:
{
"pkcs7": "-----BEGIN PKCS7-----\n...\n-----END PKCS7-----",
"x509_cert_chain": [
{
"common_name": "example.com",
"cert_blob": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"
},
{
"common_name": "Intermediate CA",
"cert_blob": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"
},
{
"common_name": "Root CA",
"cert_blob": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----"
}
]
}
The response provides your certificate and chain in two formats:
pkcs7: Certificate and complete trust chain bundled in PKCS#7 formatx509_cert_chain: Array containing your certificate and all chain certificates as individual PEM-encoded entries, ordered from end-entity certificate to root CA
Each certificate in the x509_cert_chain array includes the certificate’s common_name and the PEM-encoded certificate in cert_blob.