Trust Lifecycle API
DigiCert® Trust Lifecycle Manager API lets you automate certificate enrollment, manage certificate lifecycles, deploy discovery tools, and orchestrate certificate automation across your enterprise infrastructure.
What you can do
- Manage certificate enrollments: Create and redeem enrollment codes for users and devices to request certificates.
- Automate certificate operations: Schedule and execute certificate issuance, renewal, and revocation with automated distribution.
- Discover certificates: Deploy sensors and agents to scan networks and systems for certificate inventory.
- Manage seats and profiles: Control licensing through seats and define certificate profiles for different use cases.
- Organize with business units: Structure your PKI operations using business units for delegation and reporting.
- Monitor operations: Query audit logs and generate reports on certificate and enrollment activities.
Tip
See Get started for complete details on making your first API call to DigiCert® ONE APIs.
Authentication
| Method | Best for | How it works |
|---|---|---|
| API key (default) | CI/CD pipelines, backend services | Add the service user API token in the x-api-key request header. |
| Mutual TLS (mTLS) | High-assurance, network-restricted, or key-rotation-averse environments | Present a client TLS certificate and call the API through the clientauth. hostname (the regional hostname prefixed with clientauth.) instead of the standard one. |
Base URL and endpoints
DigiCert® provides both production and demo environments across four geographic regions. Each API call starts with a region-specific hostname (base URL), followed by a predictable versioned path.
| Environment | Purpose |
|---|---|
| Demo | Safe testing, proof-of-concepts |
| Production | Live operations |
| Segment | Description | Examples |
|---|---|---|
| {hostname} | DigiCert ONE hostname | one.digicert.com, demo.one.digicert.com, one.digicert.co.jp |
| {product} | DigiCert ONE product-specific path segment | /mpki (Trust Lifecycle Manager) |
| api/v{n} | API version | /api/v1, /api/v2, /api/v3 |
| {resource} | Specific endpoint path | /enrollment, /certificate, /seat |
User types: Standard vs. service users
Make sure you understand the difference between a standard user (your primary user account) and service users.
| | Standard user | Service user |
|---|---|---|
| Purpose | UI access via web browser and user administration | API integration and automation |
| Authentication | Username/password; API token; client authentication certificate | API token; client authentication certificate |
| Can create API tokens? | Yes, with inherited permissions (assumes exact roles as the user creating the token) | No, service users are the token (roles are explicitly assigned at creation) |
| Can manage users? | Yes, depending on assigned roles | Yes, depending on assigned roles |
| Best for | Manual administration; one-off tasks | CI/CD pipelines; integrations |
Roles and permissions
Assigned roles determine a user's permissions. Roles are specific to each DigiCert ONE manager (application) and provide a granular permission structure.
Use the /account/api/v1/role endpoint to see available roles for Trust Lifecycle Manager:
curl -X GET "https://demo.one.digicert.com/account/api/v1/role?application_code=enterprise_manager" \
  -H "x-api-key: USER_API_TOKEN" \
  -H "Content-Type: application/json" | jq '.'
Important considerations
- Seats must be available before enrollment. Certificate issuance consumes a seat. Ensure sufficient seats exist in the target business unit before creating enrollments. Use /mpki/api/v1/seat-types to view available seat types.
- Profiles define certificate characteristics. Before creating enrollments, configure profiles that specify certificate templates, validity periods, and CA assignments. Profiles are immutable during enrollment.
- Business units provide organizational structure. Seats, profiles, and enrollments belong to business units. Assign users to business units to delegate management responsibilities.
- Enrollment codes are single-use. Each enrollment code can be redeemed only once. Generate new codes for additional certificate requests.
- Certificate automation requires discovery. Before automating certificate operations, deploy sensors or agents to discover certificates in your infrastructure. Use the /mpki/api/v1/scan endpoints to initiate discovery scans.
- EST protocol support. Trust Lifecycle Manager supports EST (Enrollment over Secure Transport) for standards-based automated enrollment. Use the /.well-known/est/TLM-{profileId}/ endpoints for EST operations.
Common operations
| Method | Endpoint | Description |
|---|---|---|
| POST | /mpki/api/v1/enrollment | Create an enrollment; generates enrollment code for certificate request |
| POST | /mpki/api/v1/enrollment/redeem | Redeem enrollment code; submits CSR and consumes seat |
| GET | /mpki/api/v1/enrollment-details | List all enrollments; use query parameters to filter by status |
| POST | /mpki/api/v1/certificate | Issue certificate; direct issuance without enrollment workflow |
| POST | /mpki/api/v1/certificate/{serial_number}/renew | Renew certificate by serial number |
| PUT | /mpki/api/v1/certificate/{serial_number}/revoke | Revoke certificate by serial number |
| POST | /mpki/api/v1/automation | Create certificate automation event; schedules automated renewal and distribution |
| GET | /mpki/api/v1/seat | List seats; view available and consumed seats by business unit |
| POST | /mpki/api/v1/seat | Create seat; adds licensed capacity to business unit |
| GET | /mpki/api/v1/profile | List certificate profiles; shows available profiles for enrollment |
| POST | /mpki/api/v1/sensor/allocate | Allocate sensor; provisions new sensor for network discovery |
| GET | /mpki/api/v1/audit-log | View audit logs; track certificate operations and user actions |
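The following is an added example, not DigiCert's code or part of this page. It ties together the Authentication, Base URL, Important considerations and Common operations sections above: a minimal client that builds the regional, versioned URL, selects API-key or mTLS authentication (mTLS switching to the clientauth. hostname), and runs the seat check, enrollment creation and single-use code redemption in the documented order. The endpoint paths and URL layout are taken from the page; the JSON field names (available, enrollment_code, csr, serial_number), the business_unit_id query parameter, the certificate file paths and the in-memory FakeTLM server are assumptions made so the flow can be exercised offline.

```python
"""Added example (not DigiCert's code): a minimal Trust Lifecycle Manager client
that builds regional, versioned URLs, selects API-key or mTLS authentication, and
runs the seat check -> enrollment -> redeem flow. Endpoint paths and the hostname
pattern come from the page; request/response field names, query parameters and
the in-memory fake server are assumptions made for this example."""
import json
import ssl
import urllib.request


def api_hostname(hostname, mtls=False):
    """mTLS callers use the clientauth. variant of the regional hostname."""
    return f"clientauth.{hostname}" if mtls else hostname


def build_url(hostname, resource, product="/mpki", version=1):
    """{hostname}/{product}/api/v{n}/{resource}, the documented URL layout."""
    return f"https://{hostname}{product}/api/v{version}/{resource.lstrip('/')}"


class TLMClient:
    def __init__(self, hostname, api_key=None, client_cert=None, client_key=None, transport=None):
        if bool(api_key) == bool(client_cert):
            raise ValueError("configure exactly one of api_key or client_cert")
        self.hostname = api_hostname(hostname, mtls=client_cert is not None)
        self.api_key = api_key
        self.ctx = None
        if client_cert:  # assumed PEM paths; the private key never leaves this host
            self.ctx = ssl.create_default_context()
            self.ctx.load_cert_chain(client_cert, client_key)
        self.transport = transport or self._https  # injectable for offline testing

    def headers(self):
        h = {"Content-Type": "application/json"}
        if self.api_key:
            h["x-api-key"] = self.api_key  # service-user token, never a query parameter
        return h

    def _https(self, method, url, headers, body):
        req = urllib.request.Request(url, data=body, method=method, headers=headers)
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            return resp.status, json.loads(resp.read() or b"{}")

    def call(self, method, resource, payload=None):
        body = json.dumps(payload).encode() if payload is not None else None
        status, data = self.transport(method, build_url(self.hostname, resource), self.headers(), body)
        if status >= 400:
            raise RuntimeError(f"{method} {resource} -> HTTP {status}: {data}")
        return data


def enroll_certificate(client, business_unit_id, profile_id, csr_pem):
    """Seat check, create enrollment, redeem the single-use code with a CSR."""
    seats = client.call("GET", f"seat?business_unit_id={business_unit_id}")  # assumed query/field
    if seats.get("available", 0) < 1:
        raise RuntimeError(f"no free seats in business unit {business_unit_id}")
    enrollment = client.call("POST", "enrollment",
                             {"business_unit_id": business_unit_id, "profile_id": profile_id})
    code = enrollment["enrollment_code"]  # single-use secret: redeem once, do not log it
    return client.call("POST", "enrollment/redeem", {"enrollment_code": code, "csr": csr_pem})


class FakeTLM:
    """Constructed stand-in enforcing the page's rules: an enrollment code can be
    redeemed only once, and every redeemed enrollment consumes one seat."""
    def __init__(self, seats):
        self.seats, self.codes, self.last = seats, {}, None

    def __call__(self, method, url, headers, body):
        self.last = (method, url, headers)
        path = url.split("/api/v1/", 1)[1].split("?", 1)[0]
        payload = json.loads(body) if body else {}
        if (method, path) == ("GET", "seat"):
            return 200, {"available": self.seats}
        if (method, path) == ("POST", "enrollment"):
            if self.seats < 1:
                return 400, {"error": "no seats available"}
            code = f"code-{len(self.codes) + 1}"
            self.codes[code] = False  # issued, not yet redeemed
            return 200, {"enrollment_code": code}
        if (method, path) == ("POST", "enrollment/redeem"):
            code = payload.get("enrollment_code")
            if self.codes.get(code) is not False:  # unknown, or already used
                return 400, {"error": "invalid or already redeemed enrollment code"}
            self.codes[code] = True
            self.seats -= 1
            return 200, {"serial_number": f"{len(self.codes):X}", "certificate": "<pem>"}
        return 404, {"error": f"unknown endpoint {method} {path}"}


if __name__ == "__main__":
    fake = FakeTLM(seats=1)
    client = TLMClient("demo.one.digicert.com", api_key="USER_API_TOKEN", transport=fake)
    print(enroll_certificate(client, "bu-1", "prof-1", "-----BEGIN CERTIFICATE REQUEST-----"))
    print("seats left:", fake.seats)
```

Against the real service, drop the transport argument and pass either api_key (API-key mode) or client_cert and client_key (mTLS mode, which routes to the clientauth. hostname); the constructor refuses both at once so a token is never sent alongside a client certificate by accident. The fake server exists only to show why the order matters: a redeem replayed with an already used code is rejected, and once the business unit's last seat is consumed the next enrollment is refused before any code is issued.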
API reference
OpenAPI reference documentation for Trust Lifecycle