Partner Subscriptions API
4 minute read
The Partner Subscriptions API lets you manage partner subscriptions accounts, API keys, ACME contracts, emergency contact emails, account reporting, and billing account links.
What you can do
- Manage API keys: List API keys, get API key details, create API keys for subaccounts, and activate or deactivate API keys.
- Manage ACME contracts: Create, retrieve, update, partially update, cancel, manage SANs, and manage ACME credentials for automated SSL/TLS certificate provisioning.
- Manage accounts: Create subaccounts, manage emergency contact email addresses, and configure account settings.
- View reporting: Retrieve ACME contract reporting grouped by subaccount.
- Link billing: Link a CertCentral billing account to a partner subscriptions account.
Authentication
All Partner Subscriptions API endpoints require authentication with a partner subscriptions API key.
A Partner Subscriptions API key is separate from a CertCentral API key. Partner Subscriptions API requests use the X-PARTNER-APIKEY header. CertCentral API requests use the X-DC-DEVKEY header.
To request access to the Partner Subscriptions API, contact your DigiCert Partner Account Manager.
Include this header in each request:
X-PARTNER-APIKEY: {your_api_key}
Some endpoints require additional authentication:
| API or endpoint type | Required header |
|---|---|
| Partner Subscriptions API endpoints | X-PARTNER-APIKEY |
| Finance account-link endpoint | X-PARTNER-APIKEY and X-DC-DEVKEY |
Base URL and resource paths
To construct API requests, the Partner Subscriptions API uses a single base URL and resource-specific endpoint paths.
Base URL
https://www.digicert.com/partner-subscription/api/v1
| Segment | Description | Example |
|---|---|---|
{base_url} | Partner Subscriptions API base URL. | https://www.digicert.com/partner-subscription/api/v1 |
{resource} | Resource-specific endpoint path. | /api-key/acme/account/subaccount/finance/account-link |
Partner Subscriptions API accounts and API keys
The Partner Subscriptions API supports parent accounts and subaccounts. API keys are scoped to the account that owns them, and some endpoints require a parent account API key while others require a subaccount API key.
| Type | Capabilities / usage |
|---|---|
| Parent account | Can view, create, and update the status of its own API keys and all subaccount API keys. Can also create subaccounts and access account reporting. |
| Subaccount | Can manage only its own API keys and cannot create subaccounts. |
| Parent account API key | Used to manage partner-level resources, such as subaccounts, subaccount API keys, and account reporting. |
| Subaccount API key | Used to manage subaccount-owned resources, such as ACME contracts. |
Using the wrong Partner Subscriptions API key type can result in a
403 Forbidden response.Include this header to use the parent Partner Subscriptions API key in the API request:
X-PARTNER-APIKEY: {{partner_api_key}}
Include this header to use the subaccount Partner Subscriptions API key in the API request:
X-PARTNER-APIKEY: {{subaccount_partner_api_key}}
Some API tasks may require a parent Partner Subscriptions API key. If a request made with a subaccount API key returns an error, retry with the parent account API key.
Important considerations
- Only parent accounts can create subaccounts. Subaccounts cannot create their own subaccounts.
- Only parent accounts can access account reporting. Subaccounts receive a
403 Forbiddenresponse for/account/reporting. PUT /acme/{acme_contract_id}is a full replacement. For OV and EV contracts,organizationis required. Ifauto_renewis omitted, it resets tofalse.PATCH /acme/{acme_contract_id}is a partial update. Only the fields included in the request body are updated. Omitted fields retain their current values.- Changing organization information affects validation. For OV and EV ACME contracts, changing organization details rejects existing validation for that organization and can affect multiple ACME contracts that use the same organization details.
- Emergency contact emails must remain configured. You cannot remove all emergency contact email addresses from an account.
- Billing fallback applies. If a subaccount does not have a linked DigiCert CertCentral® billing account, it uses the parent account billing account.
- Review the endpoint authorization requirements before making a request. Some endpoints require a parent account API key, while others require a subaccount API key.
- ACME contract endpoints require a subaccount Partner Subscriptions API key. Parent account API keys are not accepted for ACME contract operations.
Common operations
| Method | Endpoint | Description |
|---|---|---|
| GET | /partner-subscription/api/v1/api-key | List all API keys accessible to the authenticated account. |
| GET | /partner-subscription/api/v1/api-key/{apiKeyId} | Get details for a specific API key. |
| POST | /partner-subscription/api/v1/api-key/account/{accountId} | Create an API key for an existing subaccount. |
| PUT | /partner-subscription/api/v1/api-key/{apiKeyId}/status | Update an API key status. |
| POST | /partner-subscription/api/v1/acme | Create an ACME contract. |
| GET | /partner-subscription/api/v1/acme/{acme_contract_id} | Get ACME contract details. |
| PUT | /partner-subscription/api/v1/acme/{acme_contract_id} | Replace an ACME contract. |
| PATCH | /partner-subscription/api/v1/acme/{acme_contract_id} | Partially update an ACME contract. |
| DELETE | /partner-subscription/api/v1/acme/{acme_contract_id} | Cancel an ACME contract. |
| PUT | /partner-subscription/api/v1/acme/{acme_contract_id}/sans | Add SANs to a contract. |
| DELETE | /partner-subscription/api/v1/acme/{acme_contract_id}/sans | Remove SANs from a contract. |
| POST | /partner-subscription/api/v1/account/subaccount | Create a subaccount with an API key. |
| GET | /partner-subscription/api/v1/account/emergency-emails | Get emergency contact emails. |
| PUT | /partner-subscription/api/v1/account/emergency-emails | Add emergency contact emails. |
| DELETE | /partner-subscription/api/v1/account/emergency-emails | Remove emergency contact emails. |
| GET | /partner-subscription/api/v1/account/reporting | Get ACME contract reporting for all subaccounts. |
| PUT | /partner-subscription/api/v1/finance/account-link | Link a CertCentral billing account. |
| GET | /partner-subscription/api/v1/account/settings | List account settings. |
| PATCH | /partner-subscription/api/v1/account/settings | Update an account setting. |
| GET | /partner-subscription/api/v1/acme/{acme_contract_id}/certificates | Retrieve certificates for an ACME contract. |
| GET | /partner-subscription/api/v1/acme/{acme_contract_id}/credentials | List ACME credentials. |
| POST | /partner-subscription/api/v1/acme/{acme_contract_id}/credentials/revoke | Revoke all active ACME credentials. |
| POST | /partner-subscription/api/v1/acme/{acme_contract_id}/credentials/revoke/{credential_id} | Revoke an ACME credential. |
| POST | /partner-subscription/api/v1/acme/{acme_contract_id}/credentials/regenerate | Regenerate ACME credentials. |
Error responses
The API uses standard HTTP status codes to indicate success or failure. Error responses include a JSON body with additional details.
| Error Code | Denotes |
|---|---|
400 | Bad request |
401 | Unauthorized request |
403 | Forbidden request |
404 | URL query parameter or request parameter not found |
500 | Internal server error |
Was this page helpful?
Provide feedback