Skip to main content

Access and credential management

Updated

Summary

A feature that enhances security and ensures compliance by providing authentication token management, API key lifecycle control, and TSIG-based DNS transaction security.

Description

DigiCert®​​ DNS provides a centralized interface for managing authentication tokens, API keys, and TSIG keys - enabling secure access control, credential lifecycle management, and authenticated DNS transactions. With a comprehensive set of tools for generating, rotating, and revoking credentials, users can enhance system security, minimize the risk of credential misuse, and ensure compliance with access control policies and DNS security standards.

Related functions

  • API key management: This function allows users to generate and manage API keys for secure, auditable, and compliant access to system resources.
  • Auth token generation: This function allows users to generate authentication tokens for secure API access and system integrations.
  • TSIG management: This function enables users to configure and manage TSIG keys for authenticated and secure DNS zone transfers.

API key management

Overview

This guide provides step-by-step instructions for API key management, covering both targeted and comprehensive actions.

Targeted actions include:

Comprehensive actions include clearing multiple API keys and listing all available API keys.

Benefits

Managing API keys with DigiCert®​​ DNS enhances security by preventing unauthorized access and reducing the risk of credential leakage through key rotation and expiration. Granular access controls ensure compliance with internal policies and external standards, supporting auditability, traceability, and visibility. By simplifying the entire key lifecycle, the platform improves operational efficiency and enables seamless integration with external systems.

Procedures

Clear multiple API keys

Notice

This procedure clears all API keys generated by the user. Follow Path 1 if you are an administrator, or Path 2 if you are a standard user.

To test this function, call this API endpoint: POST /accessmanagement/api-key/bulk/delete

Path 1

  1. Sign in to your DigiCert®​​ DNS account.
  2. From the landing page, go to the left sidebar and select Settings > Access Management.
  3. In the API KEYS tab, select the checkboxes next to the API keys you want to delete.
  4. Go to Actions > Delete API Key.

  5. In the Confirm Deletion dialog, select Confirm.

    A message appears confirming the successful clearance of the API keys.

Path 2

  1. Sign in to your DigiCert®​​ DNS account.
  2. From the landing page, select the user icon in the top right corner and select My API Keys.
  3. From the overflow menu (three vertical dots) at the end of the API key's row, select Delete Key.

  4. In the Confirm Deletion dialog, select Confirm.

    A message appears confirming the successful clearance of the API key.

  5. Repeat Steps 3-4 as needed.

Delete a specific API key

Notice

This procedure deletes a specific API key (apikey1) created in an earlier procedure. Follow Path 1 if you are an administrator, or Path 2 if you are a standard user.

To test this function, call this API endpoint: DELETE /accessmanagement/api-key/{apiKeyId}

Path 1

  1. Sign in to your DigiCert®​​ DNS account.
  2. From the landing page, go to the left sidebar and select Settings > Access Management.
  3. In the API KEYS tab, select the checkbox of the API key you want to delete (for example, apikey1).

  4. Go to Actions > Delete API Key.

    Alternatively, select the overflow menu (three vertical dots) at the end of the API key's row, and select Delete Key.

  5. In the Confirm Deletion dialog, select Confirm.

    A message appears confirming the successful deletion of the API key.

Path 2

  1. Sign in to your DigiCert®​​ DNS account.
  2. From the landing page, select the user icon in the top right corner and select My API Keys.
  3. Locate the API key you want to delete (for example, apikey1).
  4. From the overflow menu (three vertical dots) at the end of the API key's row, select Delete Key.

  5. In the Confirm Deletion dialog, select Confirm.

    A message appears confirming the successful deletion of the API key.

Generate an API key

Notice

This procedure generates two API keys: apikey1 and apikey2. These API keys are referenced in other procedures.

To test this function, call this API endpoint: POST /accessmanagement/api-key

  1. Sign in to your DigiCert®​​ DNS account.
  2. From the landing page, select the user icon in the top right corner and select My API Keys.

  3. Select the Generate API Key button.

    A maximum of two API keys can exist at any given time.

  4. In the Generate API Key dialog:
    1. Enter a name for the key in the Name field (for example, apikey1).

    2. Select an expiration option.

      The default expiration date is set to one year from the current date.

    3. (Optional) Add a note.

      This can be viewed later by selecting the note icon next to the key.

    4. Select Save to generate the API key.
  5. In the API Key Generated - Action Required dialog:
    1. Select Copy to copy the generated key.

    2. Select Done to complete the process.

      A message appears confirming the successful generation of the API key.

  6. Repeat Steps 3-5 to create another API key, apikey2.

List all available API keys

Notice

This procedure displays all API keys generated by the user. Follow Path 1 if you are an administrator, or Path 2 if you are a standard user.

To test this function, call this API endpoint: GET /accessmanagement/api-key

Path 1

  1. Sign in to your DigiCert®​​ DNS account.
  2. From the landing page, go to the left sidebar and select Settings > Access Management.

  3. Select the API KEYS tab.

    The table displays the API keys associated with all accounts.

Path 2

  1. Sign in to your DigiCert®​​ DNS account.
  2. From the landing page, select the user icon in the top right corner and select My API Keys.

Return the details of a specific API key

Notice

This procedure displays the details of a specific API key (apikey1) created in an earlier procedure. Follow Path 1 if you are an administrator, or Path 2 if you are a standard user.

To test this function, call this API endpoint: GET /accessmanagement/api-key/{apiKeyId}

Path 1

  1. Sign in to your DigiCert®​​ DNS account.
  2. From the landing page, go to the left sidebar and select Settings > Access Management.

  3. Select the API KEYS tab.

    The table displays the API keys associated with all accounts.

  4. Locate the API key you want to view (for example, apikey1).

    If needed, use Filters to quickly find a specific API key.

  5. Select Columns at the top of the results table, then select all the checkboxes to ensure that all API key information is displayed.
Path 2

  1. Sign in to your DigiCert®​​ DNS account.
  2. From the landing page, select the user icon in the top right corner and select My API Keys.
  3. Locate the API key you want to view (for example, apikey1).

Rotate a specific API key

Notice

This procedure rotates a specific API key (apikey1) intended for use in testing API endpoints. This key's value will be required to generate an authentication token and must not be shared. DigiCert​​®​​ recommends storing it securely.

Follow Path 1 if you are an administrator, or Path 2 if you are a standard user.

To test this function, call this API endpoint: POST /accessmanagement/api-key/{apiKeyId}/rotate

Path 1

  1. Sign in to your DigiCert®​​ DNS account.
  2. From the landing page, go to the left sidebar and select Settings > Access Management.

  3. Select the API KEYS tab.

    The table displays the API keys associated with all accounts.

  4. Locate the API key you want to rotate (for example, apikey1).

    If needed, use Filters to quickly find a specific API key.

  5. Select the overflow menu (three vertical dots) at the end of the API key's row, and select Rotate Key.
  6. In the Rotate API Key dialog:
    1. (Optional) Modify the expiration option.
    2. (Optional) Modify the note.
    3. Select Save to rotate the API key.
  7. In the API Key Rotated - Action Required dialog:
    1. Select Copy to copy the rotated key.

    2. Select Done to complete the process.

      A message appears confirming the successful rotation of the API key.

Path 2

  1. Sign in to your DigiCert®​​ DNS account.
  2. From the landing page, select the user icon in the top right corner and select My API Keys.
  3. Locate the API key you want to rotate (for example, apikey1).
  4. From the overflow menu (three vertical dots) at the end of the API key's row, select Rotate Key.
  5. In the Rotate API Key dialog:
    1. (Optional) Modify the expiration option.
    2. (Optional) Modify the note.
    3. Select Save to rotate the API key.
  6. In the API Key Rotated - Action Required dialog:
    1. Select Copy to copy the rotated key.

    2. Select Done to complete the process.

      A message appears confirming the successful rotation of the API key.

Update a specific API key

Notice

The current version of DigiCert®​​ DNS does not include a dedicated front-end tab for updating a specific API key. To complete this procedure, use the following endpoint:

PUT /accessmanagement/api-key/{apiKeyId}

For help configuring your testing environment, refer to the API guide.

Auth token generation

Overview

This guide provides detailed instructions for auth token generation, focusing on a single comprehensive action: creating an authentication token for API access.

Benefits

Auth token generation streamlines DNS management by strengthening access control and auditing capabilities. It allows administrators to define who can access or modify DNS records, protecting against unauthorized changes and ensuring complete traceability. With DigiCert®​​ DNS, organizations can mitigate risks related to DNS spoofing, token expiration, and data integrity. Centralized token management increases transparency and accountability, providing secure, scalable access to DNS records and enhancing the overall efficiency of DNS operations.

Procedure

Generate an authentication token

Notice

This procedure uses the API key generated in an earlier procedure to request an authentication token in Postman. The token is valid for one hour and must be refreshed before it expires. If the token is not regenerated in time, API endpoints cannot be tested. If the user no longer has access to their API key when the token expires, a new API key must be generated to obtain a new token.

To test this function, call this API endpoint: POST /auth/login

  1. Log in to Postman.
  2. In the My Workspace sidebar, navigate to DigiCert DNS > auth > login > POST /auth/login:
    1. Go to the Authorization tab, and in the Token field, paste your API key.
    2. Select Send.
    3. In the response window, copy the authentication token.
  3. In the My Workspace sidebar, select DigiCert DNS:
    1. Go to the Auth tab, and paste your authentication token into the Token field.
    2. Under the Add variable to heading, select Collection.

TSIG key management

Overview

This guide provides detailed instructions for TSIG key management, covering both targeted and comprehensive actions.

Targeted actions include:

Comprehensive actions include listing all available TSIG keys.

Benefits

TSIG key management safeguards the integrity and security of DNS communications. By signing each transaction with a unique key, DigiCert®​​ DNS ensures trusted, authenticated interactions that meet regulatory and compliance requirements. The platform enables cryptographic authentication for DNS transactions, allowing only authorized parties to initiate updates or transfers. Support for dynamic DNS updates and secure zone transfers automates critical changes and protects data in transit. Centralized management provides fine-grained access control and full visibility, reducing unauthorized changes, simplifying troubleshooting, and improving system reliability.

Procedures

Create a new TSIG key

Notice

This procedure creates a TSIG key (tsigkey) that will be updated and deleted in subsequent procedures. To apply this TSIG key, follow the procedure for updating the settings of a primary domain or a secondary domain.

To test this function, call this API endpoint: POST /tsig

  1. Sign in to your DigiCert®​​ DNS account.
  2. From the landing page, go to the left sidebar and select DNS > Configurations.
  3. In the TSIG KEYS tab, select the Add TSIG Key button.
  4. In the Add TSIG Key dialog:
    1. Enter a name in the Name field (for example, tsigkey).
    2. From the Algorithm drop-down list, select a type:
      1. HMAC-SHA224: Ideal for environments with strict size constraints or legacy systems requiring shorter digest lengths.
      2. HMAC-SHA224: Ideal for environments with strict size constraints or legacy systems requiring shorter digest lengths.
      3. HMAC-SHA384: Ideal for systems requiring a higher security level than SHA256, with slightly increased computational overhead.
      4. HMAC-SHA512: Ideal for high-security environments where maximum integrity and collision resistance are required, especially in modern systems with sufficient processing capacity.

    3. In the Secret field, enter a secret key manually or select Auto-Generate Key to create one automatically.

      Tip

      Selecting Auto-Generate Key will either populate an empty field or replace an existing secret key. You can auto-generate as often as needed; however, if the algorithm type is changed, a new secret key must be provided.

    4. Select Save to finish.

      A message appears confirming the successful creation of the TSIG key.

Delete a specific TSIG key

Notice

This procedure deletes a specific TSIG key (tsigkey) created in an earlier procedure. You can follow either Path 1 or Path 2 to complete the deletion.

To test this function, call this API endpoint: DELETE /tsig/{tsigId}

Path 1

  1. Sign in to your DigiCert®​​ DNS account.
  2. From the landing page, go to the left sidebar and select DNS > Configurations.
  3. In the TSIG KEYS tab, at the end of the row of the TSIG key you want to delete, select the trash icon.

  4. In the Confirm Deletion dialog, select Confirm.

    A message appears confirming the successful deletion of the TSIG key.

Path 2

  1. Sign in to your DigiCert®​​ DNS account.
  2. From the landing page, go to the left sidebar and select DNS > Configurations.

  3. In the TSIG KEYS tab, select the checkbox of the TSIG key you want to delete.

    Tip

    You can select multiple checkboxes to delete several TSIG keys at once.

  4. Select Delete at the top of the table.

  5. In the Confirm Deletion dialog, select Confirm.

    A message appears confirming the successful deletion of the TSIG key.

List all available TSIG keys

Notice

This procedure displays all TSIG keys created by the user.

To test this function, call this API endpoint: GET /tsig

  1. Sign in to your DigiCert®​​ DNS account.
  2. From the landing page, go to the left sidebar and select DNS > Configurations.

  3. Select the TSIG KEYS tab.

    The table displays all the TSIG keys associated with the account.

    Tip

    Use Columns and Filters to customize your view of the results.

Return the details of a specific TSIG key

Notice

This procedure displays the details of a specific TSIG key (tsigkey) created in an earlier procedure. Follow Path 1 if there are only a few results to review. Follow Path 2 if you prefer to filter results quickly.

To test this function, call this API endpoint: GET /tsig/{tsigId}

Path 1

  1. Sign in to your DigiCert®​​ DNS account.
  2. From the landing page, go to the left sidebar and select DNS > Configurations.

  3. Select the TSIG KEYS tab.

    The table displays all the TSIG keys associated with the account.

  4. Locate the TSIG key you want to view (for example, tsigkey).
  5. Select Columns at the top of the results table, then select all the checkboxes to ensure that all TSIG key information is displayed.
Path 2

  1. Sign in to your DigiCert®​​ DNS account.
  2. From the landing page, go to the left sidebar and select DNS > Configurations.

  3. Select the TSIG KEYS tab.

    The table displays all the TSIG keys associated with the account.

  4. Select Filters at the top of the results table to locate the specific TSIG key quickly.

    Tip

    In this example, the name of the TSIG key is known, so the following filter was applied:

    1. Under Column, select Name.
    2. Under Operator, select contains.

    3. Under Value, enter the TSIG key's name (tsigkey).

      If no results appear, double-check the Filters selections and input values.

  5. Select Columns at the top of the results table, then select all the checkboxes to ensure that all TSIG key information is displayed.

Update a specific TSIG key

Notice

This procedure updates a specific TSIG key (tsigkey) created in an earlier procedure.

To test this function, call this API endpoint: PUT /tsig/{tsigId}

  1. Sign in to your DigiCert®​​ DNS account.
  2. From the landing page, go to the left sidebar and select DNS > Configurations.

  3. Select the TSIG KEYS tab.

    The table displays all the TSIG keys associated with the account.

  4. Locate the TSIG key you want to update - see Path 2 for quick filtering.
  5. Select the name of the TSIG key (for example, tsigkey).
  6. In the Edit TSIG Key dialog:

    1. Edit the TSIG key's details as required.

      Tip

      Selecting Auto-Generate Key will replace the existing secret key. You can auto-generate as often as needed; however, if the algorithm type is changed, a new secret key must be provided.

    2. Select Save to finish.

      A message appears confirming the successful update of the TSIG key.