Authentication
DigiCert CertCentral® APIs use API keys for both authentication and authorization. Authenticating to the service should be relatively straightforward if you've ever worked with header-based authentication before.
Header-based authentication
Each request to the service must include an API key. This is done using the custom HTTP header X‑DC‑DEVKEY. Here's a simple API request to the Services API List users endpoint using cURL.
Notice
Be sure to replace {{api_key}} with your actual API key.
curl -X GET \
'https://www.digicert.com/services/v2/user' \
-H 'Content-Type: application/xml' \
-H 'X-DC-DEVKEY: {{api_key}}'Generate an API key
When generating API keys, you can generate a single or multiple APK keys for an individual in CertCentral or for a service user. More details below.
Danger
After you generate a key, we display it only once. There is no way to retrieve a lost API key. If you lose a key, you should revoke it and generate a new one.
To generate a new key, sign in to CertCentral.
API keys are generated and managed in your CertCentral account.
In CertCentral, in the left menu, go to Automation > API Keys.
On the API Keys page, select Add API Key.
In the Add API Key window, enter a Description for the API key and select Add (for example, enter the name of the app or user you are linking the key to).
Repeat this process for each API key you want to generate, enter a description, and select Add—you can create a maximum of 30 API keys per session.
In the User menu, do one of the following:
Link the API key to a CertCentral user
In the User menu, select the user you want to link the key to.
When linking a key to a user, you link the user's permissions to the key. By default, the key is authorized to perform any actions the user can.
Link the API key to a service user
A service user has API-only access to your CertCentral account.
Link the API key to an existing service user
In the User menu, select the service user you want to link the key to.
Create a service user to link the API key to
Only administrators can create servicer users. When creating a service user, you link the administrator's permissions to the key. By default, the service user is authorized to perform any actions the administrator can.
Service user creation is tracked in your CertCentral audit logs: Date & Time, User, Activity, Source, IP Address, Division, and Country.
In the User menu, select Create new service user.
Email address
Add the email address you want to link to this service user. Some of our processes require the user associated with the API key to have an email address.
Division restrictions (optional)
Select the divisions to which you want to restrict the service user. This option only appears if you are using divisions in your CertCentral account.
If you leave this field empty, the services user has the same division access as the administrator creating the service user.
API key restrictions (optional)
You can restrict the API keys permissions to a specified set of actions. In the menu, select one of these options:
Orders
Limits key to these actions: Orders, Requests, and Certificates.
Orders, Domains, Organizations
Limits key to these actions: Orders, Requests, Certificates, Organizations, and Domains.
View Only
Limits key to GET requests only. POST, PUT, or DELETE requests are disabled.
User Management
Limits key to these actions: Users.
Select Add API Key.
In the New API Key window, select the generated key to copy, or if you created multiple API keys, select Download CSV to get a CSV file containing all the API keys.
Save the AKI key (or keys) in a secure location.
Note: API keys are only displayed one time.
After saving the API key (or keys), select I understand I will not see this again.
What's next
You're ready to use DigiCert CertCentral APIs. Your new API key (or keys) is added to the list of keys on the API Keys page. Return to this page to track or revoke API keys.
Edit an API key
As needed, you can edit an API key to update the description or to modify the keys permissions.
In your CertCentral account, in the left main menu, go to Automation > API Keys.
On the API Keys page, click the API Key Name link.
In the Update API Key window, modify the Description or update the API Key permissions.
To remove API keys restrictions, in the API key restrictions (optional) field, select the X at the end of the entry. The field will now read None.
To update the API keys permissions, in the API key restrictions (optional) menu, select one of these options:
Orders
Limits key to these actions: Orders, Requests, and Certificates.
Orders, Domains, Organizations
Limits key to these actions: Orders, Requests, Certificates, Organizations, and Domains.
View Only
Limits key to GET requests only. POST, PUT, or DELETE requests are disabled.
User Management
Limits key to these actions: Users.
Warning
When adding permission restrictions to an active API key, you’ll break any integrations using that key if expanded permissions are required. To fix these broken integrations, you’ll need to edit the key and remove the restrictions.
When ready, select Update API Key.
Edit a service user
As needed, you can edit a service user and update the email address and division restrictions.
In your CertCentral account, in the left main menu, go to Account > Service Users.
On the Services Users page, select the service user you want to update.
On the Service User's details page, update the following information as needed:
Email address
Update the email address you want to link to this service user. Some of our processes require an email address.
Division restrictions
Update the divisions to which you want to restrict the service user. This option only appears if you are using divisions in your CertCentral account.
Warning
Removing division access affects the service user's active API key. If division permissions are required, any integrations using that key will be broken. To fix these broken integrations, you'll need to edit the service user and restore the division access.
When ready, select Update user.