ContextQMD
Back to Infisical

DigiCert (CertCentral Services API)

docs/documentation/platform/pki/ca/digicert-direct.mdx

0.160.14.0 KB
Original Source

Concept

Infisical can issue OV and EV TLS certificates directly from DigiCert CertCentral using the CertCentral Services API.

Prerequisites

  • A DigiCert App Connection with a validated CertCentral API key.
  • A CertCentral Organization that has been pre-validated by DigiCert
  • Entitlement to either the OV or EV SSL product on your CertCentral account.

Create a DigiCert Certificate Authority

<Tabs> <Tab title="Infisical UI"> <Steps> <Step title="Create a DigiCert App Connection"> Follow the [DigiCert App Connection guide](/integrations/app-connections/digicert) to store your CertCentral API key in Infisical. </Step> <Step title="Create the External CA"> In **Certificate Manager**, go to **Settings → Certificate Authorities**, click **Create CA** in the External Certificate Authorities section, choose **DigiCert CertCentral** as the type, and fill out the form: 
    - **App Connection** — the DigiCert connection you created
    - **Organization** — the CertCentral organization that should appear on issued certificates
    - **Product** — the CertCentral entitlement this CA will issue under
  </Step>
</Steps>
</Tab> <Tab title="API"> To create a DigiCert Certificate Authority, make an API request to the [Create DigiCert CA](/api-reference/endpoints/certificate-authorities/digicert/create) API endpoint. 
```bash Create a DigiCert CA
curl --request POST \
  --url https://app.infisical.com/api/v1/pki/ca/digicert \
  --header 'Content-Type: application/json' \
  --data '{
    "name": "digicert-ov",
    "status": "active",
    "configuration": {
      "appConnectionId": "<digicert-app-connection-id>",
      "organizationId": 112236,
      "productNameId": "ssl_plus"
    }
  }'
```
</Tab> </Tabs>

DigiCert Validation Workflow

When you request a certificate through a DigiCert CertCentral CA, the request moves through these states:

StateDescription
Pending ValidationDigiCert has accepted the order. Complete domain control validation in DigiCert CertCentral.
IssuedInfisical polls DigiCert and downloads the certificate once validation completes. Click Trigger Validation to force an immediate check.
FailedIf DigiCert does not issue within 24 hours. Complete validation on CertCentral and submit a new request.
<Note> OV and EV certificates require manual domain validation on the DigiCert CertCentral side before issuance. </Note>

FAQ

<AccordionGroup> <Accordion title="What happens when I revoke a DigiCert-issued certificate in Infisical?"> Revoking the certificate in Infisical immediately marks it `Revoked` in the local inventory **and** submits a revocation request to DigiCert CertCentral against the underlying order. Depending on your CertCentral account's revocation policy, DigiCert may queue that request for administrator approval before the certificate is actually revoked on their side. </Accordion> </AccordionGroup>

What's Next

Now that your DigiCert CA is configured, set up the infrastructure to issue certificates:

<CardGroup cols={2}> <Card title="Certificate Profiles" icon="file-certificate" href="/documentation/platform/pki/settings/profiles"> Create a profile that references your DigiCert CA. </Card> <Card title="Applications" icon="grid-2" href="/documentation/platform/pki/applications/overview"> Create an Application, attach a profile, and configure enrollment. </Card> <Card title="Enrollment Methods" icon="arrow-right-to-arc" href="/documentation/platform/pki/applications/enrollment-methods/overview"> Choose how certificates are requested — API, ACME, EST, or SCEP. </Card> <Card title="Quick Start" icon="rocket" href="/documentation/platform/pki/quick-starts/issue-first-certificate"> Issue your first certificate end-to-end. </Card> </CardGroup>