Skip to main content

Concept

Infisical can issue OV and EV TLS certificates directly from DigiCert CertCentral using the CertCentral Services API.

Prerequisites

  • A DigiCert App Connection with a validated CertCentral API key.
  • A CertCentral Organization that has been pre-validated by DigiCert
  • Entitlement to either the OV or EV SSL product on your CertCentral account.

Create a DigiCert Certificate Authority

1

Create a DigiCert App Connection

Follow the DigiCert App Connection guide to store your CertCentral API key in Infisical.
2

Create the External CA

In your Certificate Manager project, navigate to Certificate Authorities, click Create CA in the External Certificate Authorities section, choose DigiCert CertCentral as the type, and fill out the form:
  • App Connection — the DigiCert connection you created
  • Organization — the CertCentral organization that should appear on issued certificates
  • Product — the CertCentral entitlement this CA will issue under DigiCert External CA Form

Issue a certificate

After creating the CA and a Certificate Profile, request a certificate as you normally would. The request will move through the following states:
  1. Pending Validation: DigiCert has accepted the order. Complete the domain control validation directly in DigiCert CertCentral.
  2. Your team completes validation on the CertCentral side.
  3. Infisical re-checks DigiCert. If you don’t want to wait, click Trigger Validation on the request row to force an immediate check. When DigiCert confirms the order, Infisical downloads the certificate and chain and moves the request to Issued.
  4. If DigiCert does not issue within 24 hours the request transitions to Failed. Complete validation on CertCentral and submit a new request.

FAQ

Revoking the certificate in Infisical immediately marks it Revoked in the local inventory and submits a revocation request to DigiCert CertCentral against the underlying order. Depending on your CertCentral account’s revocation policy, DigiCert may queue that request for administrator approval before the certificate is actually revoked on their side.