Concept
Infisical can issue certificates directly from DigiCert CertCentral using the CertCentral Services API. A single DigiCert CA in Infisical is configured for one purpose:- SSL/TLS — issues OV and EV TLS server certificates under an SSL product entitlement on your account (for example
ssl_plus). - Code Signing — issues OV (
code_signing) and EV (code_signing_ev) code-signing certificates against a CSR. The signing key must live on an HSM.
Prerequisites
- A DigiCert App Connection with a validated CertCentral API key.
- A CertCentral Organization. For code signing, DigiCert validates the organization the first time it is used for a code-signing order, which can take up to 3 business days.
- Entitlement to the product you intend to use (
ssl_plus,code_signing,code_signing_ev, …) on your CertCentral account.
Configuring a DigiCert CA requires a CertCentral account with administrator-level access (or a role with permission to manage organizations, products, and API keys). The API key used for the App Connection inherits the permissions of the CertCentral user that created it.
Create a DigiCert Certificate Authority
- Infisical UI
- API
1
Create a DigiCert App Connection
Follow the DigiCert App Connection guide to store your CertCentral API key in Infisical.
2
Create the External CA
In Certificate Manager, go to Certificate Authorities, click Create CA in the External Certificate Authorities section, choose DigiCert CertCentral as the type, and fill out the form:
- App Connection — the DigiCert connection you created
- Organization — the CertCentral organization that should appear on issued certificates
- Purpose —
SSL / TLSorCode Signing. The product list filters accordingly. - Product — the CertCentral entitlement this CA will issue under
- Verified Contact (Code Signing only) — full contact info for the person DigiCert emails to approve first-time code-signing orders for this organization. All five fields required: First Name, Last Name, Email, Job Title, Telephone (E.164, e.g.
+15551234567). DigiCert requiresjob_titleandtelephoneon every verified contact for CS orders; referencing an existing CertCentral user by id alone is not enough. Once the organization has an active CS validation on file, DigiCert ignores this field.
Using a DigiCert Code Signing CA
A CA configured for code signing is used from the Code Signing product, not the TLS issuance flow. For creating signers, reusing orders, HSM requirements, reissue, renewal, and deletion behavior, see the dedicated guide:Code Signing with DigiCert
Issue code-signing certificates from this CA with an HSM-backed key.
DigiCert Validation Workflow
When you request a certificate through a DigiCert CertCentral CA, the request moves through these states:OV and EV certificates require manual domain validation on the DigiCert CertCentral side before issuance.
FAQ
What happens when I revoke a DigiCert-issued certificate in Infisical?
What happens when I revoke a DigiCert-issued certificate in Infisical?
Revoking the certificate in Infisical immediately marks it
Revoked in the local inventory
and submits a revocation request to DigiCert CertCentral against the underlying order.
Depending on your CertCentral account’s revocation policy, DigiCert may queue that request for
administrator approval before the certificate is actually revoked on their side.What’s Next
Now that your DigiCert CA is configured, set up the infrastructure to issue certificates:Certificate Profiles
Create a profile that references your DigiCert CA.
Applications
Create an Application, attach a profile, and configure enrollment.
Enrollment Methods
Choose how certificates are requested — API, ACME, EST, or SCEP.
Quick Start
Issue your first certificate end-to-end.