DigiCert Target

The DigiCert Target enables the use of DigiCert as a public Certificate Authority (CA) with an Akeyless PKI Issuer.

With a public CA, Akeyless cannot access the private key that signs certificates. Akeyless validates certificate issuance requests by connecting to DigiCert through the Akeyless Gateway.

The DigiCert integration uses an ACME v2 client.

Before You Begin

  • Ensure an Akeyless Gateway is deployed and reachable.
  • Create a DNS provider target before creating the DigiCert target.
  • Confirm that the DNS target has permissions to manage TXT records in the relevant zone.
  • Collect DigiCert external account binding (EAB) values: eab-key-id and eab-hmac-key.

Validation Method

DigiCert public CA integration in Akeyless uses DNS challenge (dns) for domain ownership validation.

Configure the DigiCert Target

Use the CLI

Use one of the following DNS challenge examples by provider.

DNS challenge examples

AWS (Route 53):

akeyless target create digicert \
--name <Target Name> \
--digicert-url <us-production / eu-production / us-demo / eu-demo> \
--email <ACME Account Email> \
--eab-key-id <EAB Key ID> \
--eab-hmac-key <EAB HMAC Key> \
--acme-challenge dns \
--dns-target-creds <AWS DNS Target Name> \
--hosted-zone <Route53 Hosted Zone ID>

GCP (Cloud DNS):

akeyless target create digicert \
--name <Target Name> \
--digicert-url <us-production / eu-production / us-demo / eu-demo> \
--email <ACME Account Email> \
--eab-key-id <EAB Key ID> \
--eab-hmac-key <EAB HMAC Key> \
--acme-challenge dns \
--dns-target-creds <GCP DNS Target Name> \
--gcp-project <GCP Project ID>

Azure (Azure DNS):

akeyless target create digicert \
--name <Target Name> \
--digicert-url <us-production / eu-production / us-demo / eu-demo> \
--email <ACME Account Email> \
--eab-key-id <EAB Key ID> \
--eab-hmac-key <EAB HMAC Key> \
--acme-challenge dns \
--dns-target-creds <Azure DNS Target Name> \
--resource-group <Azure Resource Group Name>

Cloudflare:

akeyless target create digicert \
--name <Target Name> \
--digicert-url <us-production / eu-production / us-demo / eu-demo> \
--email <ACME Account Email> \
--eab-key-id <EAB Key ID> \
--eab-hmac-key <EAB HMAC Key> \
--acme-challenge dns \
--dns-target-creds <Cloudflare DNS Target Name> \
--dns-zone <Cloudflare DNS Zone>

Key CLI flags

  • name: A unique name for the target. The name can include a path to a virtual folder by using slash / separators. If the folder does not exist, Akeyless creates it with the target.
  • digicert-url: DigiCert ACME environment selector. Supported values are us-production, eu-production, us-demo, and eu-demo.
  • email: Email address used for ACME account registration.
  • eab-key-id: External account binding key ID from DigiCert.
  • eab-hmac-key: External account binding HMAC key from DigiCert.
  • acme-challenge: Challenge type. Use dns.
  • dns-target-creds: Name of the DNS provider target. Supported target types are AWS, Azure, GCP, and Cloudflare.
  • dns-zone: Use this when --dns-target-creds points to a Cloudflare target.
  • hosted-zone: Use this when --dns-target-creds points to an AWS target.
  • resource-group: Use this when --dns-target-creds points to an Azure target.
  • gcp-project: Use this when --dns-target-creds points to a GCP target and the project ID cannot be derived automatically.
  • timeout: Challenge validation timeout. Default is 5m. Supported range is 1m to 1h.
  • key: Protection key used to encrypt target secret values.

View the complete list of target command parameters.

Use the Console

  1. Log in to the Akeyless Console, and go to Targets, then New, then Certificate Automation (DigiCert).
  2. Define the Name and Location.
  3. Select a Protection key with a Customer Fragment to enable Zero-Knowledge, and click Next. Read more about Zero-Knowledge Encryption.
  4. Define the remaining parameters:
     • Environment: US Production, EU Production, US Demo, or EU Demo.
     • Email: Email address used to register the ACME account.
     • EAB Key ID and EAB HMAC Key: DigiCert external account binding values.
     • DNS Provider: AWS, GCP, Azure, or Cloudflare.
     • Target: DNS provider target that holds credentials.
     • Hosted Zone: Route 53 hosted zone identifier (AWS).
     • Resource Group: Azure DNS resource group name (Azure).
     • GCP Project: Optional GCP Cloud DNS project ID (GCP).
     • DNS Zone: Cloudflare DNS zone name (Cloudflare).
  5. Click Finish.

Configure DNS Provider Authentication (Optional)

For DNS challenge flows, a provider target can use Gateway cloud identity instead of static credentials.

Gateway Cloud Identity Examples

AWS:

akeyless target create aws \
--name <AWS DNS Target Name> \
--use-gw-cloud-identity \
--region <AWS Region>

Azure:

akeyless target create azure \
--name <Azure DNS Target Name> \
--connection-type cloud-identity \
--subscription-id <Azure Subscription ID> \
--resource-group-name <Azure DNS Resource Group Name>

GCP:

akeyless target create gcp \
--name <GCP DNS Target Name> \
--use-gw-cloud-identity

DNS Provider Permissions for DNS-01

When using dns challenge validation, the target referenced by dns-target-creds must have permission to create and update ACME TXT records in the relevant DNS zone.

Troubleshoot DNS Challenge Flows

If certificate issuance fails during DNS challenge validation, validate the following:

  • The dns-target-creds target exists and is configured for the expected provider.
  • The provider-specific parameter is set correctly:
    • AWS: hosted-zone
    • Azure: resource-group
    • GCP: gcp-project (when project ID cannot be derived automatically)
    • Cloudflare: dns-zone
  • The requested domain is hosted in the DNS zone managed by the provider target.
  • The Gateway has network access to provider DNS APIs.
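A quick way to work through the propagation items in the list above is to ask each authoritative nameserver of the zone directly whether the DNS-01 TXT record exists. This script is an added example, not part of the Akeyless documentation or tooling; it assumes dig is installed, that the record name follows the ACME convention _acme-challenge.<domain>, and takes a zone and a domain as placeholder arguments.

```shell
# Added example (not Akeyless code): check that the DNS-01 TXT record for a domain is
# visible on every authoritative nameserver of the zone the DNS target manages.
# Assumptions: dig is installed; the record name follows the ACME convention
# _acme-challenge.<domain>; ZONE and DOMAIN are placeholder arguments.
set -u

# authoritative_ns ZONE -> the zone's NS hostnames, one per line
authoritative_ns() {
  dig +short NS "$1" | sed 's/\.$//'
}

# count_acme_txt DIG_SHORT_OUTPUT -> number of TXT strings in `dig +short TXT` output.
# Separated from the network call so the parsing can be checked with constructed data.
count_acme_txt() {
  printf '%s\n' "$1" | grep -c '^"' || true
}

# check_acme_txt ZONE DOMAIN -> 0 when every authoritative server returns at least one
# TXT record for _acme-challenge.DOMAIN, 1 otherwise; prints one status line per server.
check_acme_txt() {
  zone=$1
  name="_acme-challenge.$2"
  rc=0
  servers=$(authoritative_ns "$zone")
  if [ -z "$servers" ]; then echo "no NS records for $zone: check the zone name"; return 1; fi
  for ns in $servers; do
    # Ask the authoritative server directly: a recursive resolver may still serve a
    # cached negative answer for the name from before the Gateway created the record.
    answer=$(dig +short @"$ns" TXT "$name" 2>/dev/null || true)
    n=$(count_acme_txt "$answer")
    if [ "$n" -gt 0 ]; then
      echo "OK   $ns: $n TXT record(s) for $name"
    else
      echo "MISS $ns: no TXT record for $name (not propagated, or wrong zone / provider target)"
      rc=1
    fi
  done
  return "$rc"
}

# Usage: check_acme_txt example.com www.example.com
if [ "$#" -eq 2 ]; then check_acme_txt "$1" "$2"; fi
```

A MISS on some servers but OK on others usually means the change has not propagated yet; a MISS everywhere points at the provider-specific zone parameter or the DNS target itself.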

Note (Least Privilege):

Scope permissions to only the DNS zones and record operations required for certificate validation.
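For the AWS case, the permission requirement above and this note translate into an IAM policy scoped to one hosted zone and to TXT records at the ACME challenge name only. The script below is an added example, not Akeyless or DigiCert code; it assumes Route 53, a single zone and a single (lowercase) domain, both passed as placeholder arguments, and that the resulting policy is attached to the principal the Gateway's AWS DNS target uses.

```shell
# Added example (not Akeyless or DigiCert code): emit a least-privilege IAM policy for
# the AWS DNS target used by a DigiCert target with --acme-challenge dns.
# Assumptions: Route 53; one hosted zone; one lowercase domain; both are placeholder args.
set -eu
# make_route53_acme_policy ZONE_ID DOMAIN -> prints the policy JSON. It allows finding
# and reading the zone, changing only TXT records named _acme-challenge.DOMAIN in that
# zone, and polling the change until Route 53 reports it as INSYNC.
make_route53_acme_policy() {
  zone_id=$1
  domain=$2
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListZones",
      "Effect": "Allow",
      "Action": "route53:ListHostedZones",
      "Resource": "*"
    },
    {
      "Sid": "ReadRecordsInZone",
      "Effect": "Allow",
      "Action": ["route53:GetHostedZone", "route53:ListResourceRecordSets"],
      "Resource": "arn:aws:route53:::hostedzone/${zone_id}"
    },
    {
      "Sid": "AcmeTxtOnly",
      "Effect": "Allow",
      "Action": "route53:ChangeResourceRecordSets",
      "Resource": "arn:aws:route53:::hostedzone/${zone_id}",
      "Condition": {
        "ForAllValues:StringEquals": {
          "route53:ChangeResourceRecordSetsRecordTypes": ["TXT"],
          "route53:ChangeResourceRecordSetsNormalizedRecordNames": ["_acme-challenge.${domain}"]
        }
      }
    },
    {
      "Sid": "PollChange",
      "Effect": "Allow",
      "Action": "route53:GetChange",
      "Resource": "arn:aws:route53:::change/*"
    }
  ]
}
EOF
}
# Usage: make_route53_acme_policy <hosted zone ID> <domain> > acme-dns01-policy.json
if [ "$#" -eq 2 ]; then make_route53_acme_policy "$1" "$2"; fi
```

The two route53:ChangeResourceRecordSets condition keys reject any change that touches a record type or name other than the ACME TXT record, so a compromised Gateway credential cannot rewrite A, MX or CAA records in the zone.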
