[Digicert] Configure automated certificate management for TLS certificates

Overview

This article guides you through configuring the routing policies and credentials required for DigiCert automated certificate management in Certificate Inventory and Management (CIM).

Before you begin

- You should have the Certificate Inventory and Management plugin activated.
- You should have the MID Server set up correctly.
- Role required: pki_admin or admin.

Note: From version 2.1.0, CIM supports seamless automatic fulfillment flows for DigiCert.

Step 1: Create Credentials

This credential is used to authenticate with the CA.

A. Navigate to Credentials

1. Go to Connection & Credentials > Credentials.
2. Click New.
3. Choose the appropriate type: Certificate Management Credentials.

B. Fill in Credential Details

1. Select CA type as Digicert from the drop-down.
2. Provide an appropriate name for your credential.
3. Provide the API key of your DigiCert account (see part C).
4. Select or create a credential alias for your credential. The alias must be unique across all your credentials. The MID Server later uses this alias to connect to the CA, so you must enter the same alias in the routing policy.

To create a new credential alias:

1. Click the search icon next to the Credential alias field.
2. Click New.
3. Select type as Credential.
4. Provide an appropriate name for your credential alias and submit.

C. Create an API key with appropriate permission

1. Log in to your DigiCert account.
2. After login, navigate to Services > CertCentral > Automation > API Keys.
3. Click Add API Key and create a new API key with the API key restriction set to Orders.

Step 2: Create Routing Policy

This routing policy is used to route certificate requests to the right CA account.

A. Navigate to Certificate Routing Policy

1. Go to Certificate Management > Certificate Automate Flows > Certificate Routing Policies.
2. Click New.

B. Fill in the routing policy details

Certificate Authority: Choose DigiCert as the Certificate Authority. Check the base URL of the selected CA. You can modify it by navigating to Certificate Management > Certificate Automate Flows > Certificate Authorities.

Note: We have not yet qualified the DigiCert flow for ACME support.

Name: Provide a name for your routing policy.

Certificate Authority API URL: DigiCert supports a variety of certificates with multiple validation options. Select the correct CA API URL from the provided list, or add a new CA API URL according to the certificate type or validation method you want. If you're unsure which DigiCert URL to select for your use case, the official DigiCert documentation provides comprehensive guidance. Here is the list of API URLs ServiceNow supports out-of-box (OOB).

Assignment Group: Choose the group to which any manual task (for example, renewal tasks) related to certificates requested through this routing policy should be assigned.

Maximum validity period: The maximum allowed validity for the certificates, in days. Use this field to restrict the maximum allowed validity period.

Organization ID: Required only for OV and EV certificate requests. The organization must be pre-validated. To get the organization ID from the DigiCert portal:

1. Log in to your DigiCert account.
2. After logging in, navigate to Services > CertCentral > Certificates > Organizations.
3. If an organization is already added, copy the organization ID directly from this page; otherwise, create a new organization and validate it.

Credential Alias: Must be the same alias with which you added the DigiCert credentials in Step 1.

Allow Duplicate Request: If enabled, duplicate requests with the same CSR are allowed.

Approval Required & Task Approval Group: When requesting new certificates or renewing certificates, many PKI teams prefer human validation before fulfillment. If so, select the Approval required check box and select the group to which the task should be assigned for approval.

Mid Server: You can select a specific MID Server to which all requests matching this routing policy should go.

The following fields are used to match the routing policy:

- Subject common name and Subject alternative name support RegEx. The RegEx format has the following restrictions:
  - It must not contain commas.
  - It must not start and end with a forward slash (/).
  - * matches any value.
- Organization, Organizational Unit, Locality, State, Country, and Email are CSR attributes and accept comma-separated values. * is treated as any value.
- Environment: Metadata only; it can be used to route certificate requests to different CAs or CA accounts.
- Certificate Purpose (internal/external): Similar to Environment; it can be used to route certificate requests.

Troubleshooting Guide

A scheduled job, "DigiCert – Track Certificate Order Status", runs every 30 minutes and tracks the order status on the DigiCert side. The certificate task remains in Work In Progress until the order is marked as failed or complete on DigiCert. To check the order status, navigate to Services > CertCentral > Certificates > Orders on the DigiCert portal and search for the order using the order ID or certificate ID.

To restrict the API key's permissions to a specified set of actions, in the API key restrictions (optional) menu, select one of these options:

- Orders: Limits the key to these actions: Orders, Requests, and Certificates.
- Orders, Domains, Organizations: Limits the key to these actions: Orders, Requests, Certificates, Organizations, and Domains.
- View Only: Limits the key to GET requests only. POST, PUT, and DELETE requests are disabled.
- User Management: Limits the key to these actions: Users.

However, to request certificates, only Orders-level permissions are needed.

The following options may occur while requesting a certificate.

Option: If a single routing policy matches
Description: Verify the following conditions:
1. Validate the subject common name using the RegEx pattern provided in the Routing Policy table, the domain name, or *.
2. Check that the certificate request validity period is not greater than the maximum validity period in the Routing Policy table.
3. Check the "duplicate Certificate Request is allowed" flag in the Routing Policy table.

Option: If multiple routing policies are eligible
Description: The task is assigned to the default approver group.

Option: If there is no routing policy found
Description: The task is assigned to the default approver group.

Option: If a single policy matches and the approval needed flag is true
Description: The task is assigned to the task approval group defined in the routing policy.

Note: The default approval group can be set using the system property 'sn_disco_certmgmt.cert_task_default_approval_group'. The approval group name is the default group used if the certificate request is moved into manual mode, for instance, when there is no matching policy or more than two matching policies. You can add more than one approval group, separated by commas. The first group on the list that belongs to the task's domain is used for approval. If no domain-specific group is found, the first name in the global domain list is used as the default.
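The routing-policy matching rules (RegEx for CN and SAN, comma-separated values for the other CSR attributes, * for any) and the decision table above can be tried out with the following model. It is an added example written for this article, not ServiceNow's or DigiCert's code. The field names, the two sample policies, the sample CSR and the group-to-domain map are constructed; the following behaviours are assumptions not stated on the page: the RegEx must match the whole name, list values are compared case-insensitively, every SAN in the CSR must match the SAN pattern, a failed validity or duplicate check sends the task to the default approver group, and a single match with no approval required is fulfilled automatically.

```javascript
// Added example, not ServiceNow's or DigiCert's code: a model of the routing-policy matching
// rules and of the decision table on this page. Field names, sample policies, CSRs and
// group domains are constructed; behaviour marked "assumption" is not stated on the page.

// CN and SAN take a RegEx (or "*" for any); these CSR attributes take comma-separated values.
const LIST_FIELDS = ["organization", "organizationalUnit", "locality", "state", "country", "email"];

// RegEx restrictions from the page: no commas, not written as "/.../". Returns null when acceptable.
function validatePattern(pattern) {
  if (pattern === "*") return null;
  if (pattern.includes(",")) return "pattern must not contain commas";
  if (pattern.startsWith("/") && pattern.endsWith("/")) return "pattern must not start and end with /";
  try { new RegExp(pattern); } catch (e) { return "pattern is not a valid RegEx: " + e.message; }
  return null;
}

// Assumption: the RegEx must match the whole name, so ".*\\.example\\.com" rejects "www.example.com.evil.test".
function regexMatches(pattern, value) {
  if (pattern === "*") return true;
  return new RegExp("^(?:" + pattern + ")$").test(String(value || ""));
}

// Comma-separated allow-list, "*" means any; trimmed, case-insensitive comparison (assumption).
function listMatches(allowed, value) {
  if (allowed.trim() === "*") return true;
  const wanted = String(value || "").trim().toLowerCase();
  return allowed.split(",").some(item => item.trim().toLowerCase() === wanted);
}

// Every field must match. Assumption: each SAN in the CSR must match the SAN pattern;
// environment and purpose are plain metadata matched exactly (or "*"); invalid patterns never match.
function policyMatches(policy, request) {
  const csr = request.csr;
  if (validatePattern(policy.commonName) || validatePattern(policy.subjectAltName)) return false;
  if (!regexMatches(policy.commonName, csr.commonName)) return false;
  if (!(csr.subjectAltNames || []).every(san => regexMatches(policy.subjectAltName, san))) return false;
  if (!LIST_FIELDS.every(field => listMatches(policy[field], csr[field]))) return false;
  if (policy.environment !== "*" && policy.environment !== request.environment) return false;
  return policy.purpose === "*" || policy.purpose === request.purpose;
}

// The decision table: exactly one match is needed; otherwise the default approver group gets the task.
// Assumption: a failed validity or duplicate check also sends the task to the default approver group.
function routeRequest(request, policies, requestedCsrFingerprints, defaultApprovalGroup) {
  const matched = policies.filter(p => policyMatches(p, request));
  if (matched.length === 0) return { mode: "manual", group: defaultApprovalGroup, reason: "no routing policy found" };
  if (matched.length > 1) return { mode: "manual", group: defaultApprovalGroup, reason: "multiple routing policies eligible" };
  const policy = matched[0];
  if (request.validityDays > policy.maxValidityDays) {
    return { mode: "manual", group: defaultApprovalGroup, policy: policy.name,
             reason: "requested validity exceeds policy maximum of " + policy.maxValidityDays + " days" };
  }
  if (!policy.allowDuplicateRequest && requestedCsrFingerprints.has(request.csr.fingerprint)) {
    return { mode: "manual", group: defaultApprovalGroup, policy: policy.name, reason: "duplicate CSR not allowed" };
  }
  if (policy.approvalRequired) return { mode: "approval", group: policy.taskApprovalGroup, policy: policy.name };
  return { mode: "automatic", group: null, policy: policy.name };
}

// sn_disco_certmgmt.cert_task_default_approval_group holds comma-separated group names: the first
// group in the task's domain wins, otherwise the first group in the global domain.
function resolveDefaultApprovalGroup(propertyValue, groupDomains, taskDomain) {
  const names = propertyValue.split(",").map(s => s.trim()).filter(Boolean);
  return names.find(n => groupDomains[n] === taskDomain) || names.find(n => groupDomains[n] === "global") || null;
}

// Constructed sample data.
const SAMPLE_POLICIES = [
  { name: "public-example-com", commonName: ".*\\.example\\.com", subjectAltName: ".*\\.example\\.com",
    organization: "Example Corp", organizationalUnit: "*", locality: "*", state: "*", country: "US,CA", email: "*",
    environment: "production", purpose: "external", maxValidityDays: 397, allowDuplicateRequest: false,
    approvalRequired: true, taskApprovalGroup: "PKI Approvers" },
  { name: "internal-any", commonName: "*", subjectAltName: "*", organization: "*", organizationalUnit: "*",
    locality: "*", state: "*", country: "*", email: "*", environment: "*", purpose: "internal",
    maxValidityDays: 365, allowDuplicateRequest: false, approvalRequired: false, taskApprovalGroup: null },
];
const SAMPLE_GROUP_DOMAINS = { "PKI Approvers": "global", "ACME Security": "acme", "Global Cert Ops": "global" };
const DEFAULT_GROUP = resolveDefaultApprovalGroup("ACME Security,Global Cert Ops", SAMPLE_GROUP_DOMAINS, "global");

function sampleRequest(overrides = {}, csrOverrides = {}) {
  const csr = { commonName: "www.example.com", subjectAltNames: ["www.example.com", "api.example.com"],
                organization: "Example Corp", organizationalUnit: "Web", locality: "Austin", state: "TX",
                country: "US", email: "pki@example.com", fingerprint: "csr-0001" };
  return Object.assign({ csr: Object.assign(csr, csrOverrides), environment: "production",
                         purpose: "external", validityDays: 365 }, overrides);
}

function demo() {
  const none = new Set(), seen = new Set(["csr-0001"]);
  return {
    approval: routeRequest(sampleRequest(), SAMPLE_POLICIES, none, DEFAULT_GROUP),
    automatic: routeRequest(sampleRequest({ purpose: "internal" }), SAMPLE_POLICIES, none, DEFAULT_GROUP),
    tooLong: routeRequest(sampleRequest({ validityDays: 825 }), SAMPLE_POLICIES, none, DEFAULT_GROUP),
    duplicate: routeRequest(sampleRequest({ purpose: "internal" }), SAMPLE_POLICIES, seen, DEFAULT_GROUP),
    noPolicy: routeRequest(sampleRequest({}, { commonName: "www.other.test", subjectAltNames: [] }), SAMPLE_POLICIES, none, DEFAULT_GROUP),
  };
}
console.log(JSON.stringify(demo(), null, 2));
```

Run it with Node to see the five outcomes: the production request for www.example.com matches only the public policy and goes to its task approval group; the internal request is fulfilled automatically; an 825-day request exceeds the 397-day maximum and falls back to the default approver group; a repeated CSR is held because the policy disallows duplicates; and a name matching no policy is also routed to the default group. The default group itself comes from the property value, preferring a group in the task's domain and otherwise the first global one.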