docs/documentation/platform/pki/ca/digicert-direct.mdx
Infisical can issue certificates directly from DigiCert CertCentral using the CertCentral Services API. A single DigiCert CA in Infisical is configured for one purpose:
ssl_plus).code_signing) and EV (code_signing_ev) code-signing certificates against a CSR. The signing key must live on an HSM.ssl_plus, code_signing, code_signing_ev, ...) on your CertCentral account. - **App Connection** — the DigiCert connection you created
- **Organization** — the CertCentral organization that should appear on issued certificates
- **Purpose** — `SSL / TLS` or `Code Signing`. The product list filters accordingly.
- **Product** — the CertCentral entitlement this CA will issue under
- **Verified Contact** (Code Signing only) — full contact info for the person DigiCert emails to approve first-time code-signing orders for this organization. All five fields required: **First Name**, **Last Name**, **Email**, **Job Title**, **Telephone** (E.164, e.g. `+15551234567`). DigiCert requires `job_title` and `telephone` on every verified contact for CS orders; referencing an existing CertCentral user by id alone is not enough. Once the organization has an active CS validation on file, DigiCert ignores this field.
</Step>
</Steps>
```bash Create a DigiCert CA (SSL)
curl --request POST \
--url https://app.infisical.com/api/v1/pki/ca/digicert \
--header 'Content-Type: application/json' \
--data '{
"name": "digicert-ov",
"status": "active",
"configuration": {
"appConnectionId": "<digicert-app-connection-id>",
"organizationId": 112236,
"productNameId": "ssl_plus",
"purpose": "ssl"
}
}'
```
```bash Create a DigiCert CA (Code Signing)
curl --request POST \
--url https://app.infisical.com/api/v1/pki/ca/digicert \
--header 'Content-Type: application/json' \
--data '{
"name": "digicert-cs",
"status": "active",
"configuration": {
"appConnectionId": "<digicert-app-connection-id>",
"organizationId": 112236,
"productNameId": "code_signing",
"purpose": "code_signing",
"verifiedContact": {
"firstName": "John",
"lastName": "Doe",
"email": "[email protected]",
"jobTitle": "Security Engineer",
"telephone": "+15551234567"
}
}
}'
```
A CA configured for code signing is used from the Code Signing product, not the TLS issuance flow. For creating signers, reusing orders, HSM requirements, reissue, renewal, and deletion behavior, see the dedicated guide:
<Card title="Code Signing with DigiCert" icon="signature" href="/documentation/platform/pki/guides/code-signing/digicert-code-signing"> Issue code-signing certificates from this CA with an HSM-backed key. </Card>When you request a certificate through a DigiCert CertCentral CA, the request moves through these states:
| State | Description |
|---|---|
| Pending Validation | DigiCert has accepted the order. Complete domain control validation in DigiCert CertCentral. |
| Issued | Infisical polls DigiCert and downloads the certificate once validation completes. Click Trigger Validation to force an immediate check. |
| Failed | If DigiCert does not issue within 24 hours. Complete validation on CertCentral and submit a new request. |
Now that your DigiCert CA is configured, set up the infrastructure to issue certificates:
<CardGroup cols={2}> <Card title="Certificate Profiles" icon="file-certificate" href="/documentation/platform/pki/settings/profiles"> Create a profile that references your DigiCert CA. </Card> <Card title="Applications" icon="grid-2" href="/documentation/platform/pki/applications/overview"> Create an Application, attach a profile, and configure enrollment. </Card> <Card title="Enrollment Methods" icon="arrow-right-to-arc" href="/documentation/platform/pki/applications/enrollment-methods/overview"> Choose how certificates are requested — API, ACME, EST, or SCEP. </Card> <Card title="Quick Start" icon="rocket" href="/documentation/platform/pki/quick-starts/issue-first-certificate"> Issue your first certificate end-to-end. </Card> </CardGroup>