Enrolment API Consumption Guide

1. Purpose

This guide is intended for client technical teams who have been onboarded to CERTInext. It explains how to consume the enrolment API endpoints that have been configured in your CERTInext instance.

The CERTInext platform documentation describes how administrators create and configure enrolment endpoints. This document bridges the gap by explaining what to do with those endpoints once they have been provisioned — specifically, how your systems, devices, or applications connect to and use them to automate certificate issuance, renewal, and lifecycle management.

Scope: This guide covers six enrolment protocols:

  • ACME

  • SCEP

  • EST

  • REST API

  • CMP

  • WAEP

Each section is self-contained. You only need to read the section(s) relevant to your integration.

2. Prerequisites

Before consuming any endpoint, your CERTInext Primary Administrator must have completed the following setup in the portal:

  1. Navigated to Integrations → APIs → + New API Credentials

  2. Selected the relevant API Type (ACME, SCEP, EST, CMP, REST, or WAEP)

  3. Associated the credential with a User, Group, and Product (certificate profile / CA template)

  4. Clicked Generate API Credentials

Once generated, your administrator will provide you with:

  • Endpoint URL

  • Authentication credentials

⚠️ Important: Each set of API credentials is scoped to a specific certificate profile and CA. Ensure you are using the correct credentials.

3. ACME — Automated Certificate Management Environment

ACME (RFC 8555)
Best for: Web servers, Kubernetes ingress controllers, cloud workloads, CI/CD pipelines
Admin provides: ACME Directory URL, API Access Key / Secret

3.1 What You Receive from Your Administrator

  Item                 Description
  ACME Directory URL   Provided by your administrator
  API Credentials      Access Key and Secret

3.2 How to Consume the ACME Endpoint

ACME is consumed using an ACME client.

Step 1 — Install an ACME Client

  Client         Platform         Use Case
  Certbot        Linux / Unix     Apache, Nginx
  win-acme       Windows          IIS
  Cert-Manager   Kubernetes       TLS automation
  acme.sh        Cross-platform   DevOps
  Caddy          Cross-platform   Built-in ACME

Step 2 — Configure Directory URL

Step 3 — Domain Control Validation (DCV)

  Type      Description
  HTTP-01   Token placed in web server
  DNS-01    TXT record (_acme-challenge)

Step 4 — Automatic Renewal

  • Renewal triggered ~30 days before expiry

  • Supports ACME ARI (Renewal Information)
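The four steps above are what any RFC 8555 client performs for you; the values it computes from your credentials are worth seeing once. The following is an added example, not CERTInext code or any client's code. It assumes that the Access Key is the external account binding (EAB) key identifier and the Secret is the base64url-encoded EAB HMAC key; the newAccount URL, key ID and secret are placeholders, and the account JWK is a constructed sample rather than a real key. It builds the externalAccountBinding JWS that ties a new account to your credentials, shows the check the CA performs on it, and derives the HTTP-01 key authorization and DNS-01 TXT value for a challenge token.

```python
"""ACME (RFC 8555) account binding and challenge values.

Added example, not CERTInext code. Assumptions: the Access Key is the
EAB key identifier and the Secret is the base64url EAB HMAC key; every
value below is a placeholder and the account JWK is a constructed
sample, not a real key.
"""
import base64
import hashlib
import hmac
import json

NEW_ACCOUNT_URL = "https://acme.example.invalid/new-account"  # placeholder: directory "newAccount" field
EAB_KID = "placeholder-access-key"                           # placeholder: Access Key from the portal


def b64url(data: bytes) -> str:
    """Unpadded base64url, as used throughout ACME/JWS."""
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


EAB_HMAC_KEY = b64url(b"placeholder-secret")  # placeholder: Secret from the portal

# Constructed sample P-256 public JWK; the coordinates are arbitrary bytes,
# not a point on the curve. A real client uses the public half of the
# account key it generated.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(hashlib.sha256(b"constructed-x").digest()),
    "y": b64url(hashlib.sha256(b"constructed-y").digest()),
}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the required members, keys sorted,
    no whitespace. Both challenge types are derived from it."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())


def external_account_binding(jwk: dict, kid: str, hmac_key: str, url: str) -> dict:
    """RFC 8555 s7.3.4: HS256 JWS over the account JWK, keyed with the shared
    secret, carried inside the newAccount request. No nonce field."""
    protected = b64url(json.dumps({"alg": "HS256", "kid": kid, "url": url}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(jwk, separators=(",", ":")).encode())
    mac = hmac.new(b64url_decode(hmac_key), f"{protected}.{payload}".encode(), hashlib.sha256).digest()
    return {"protected": protected, "payload": payload, "signature": b64url(mac)}


def verify_external_account_binding(eab: dict, hmac_key: str) -> bool:
    """The check the CA performs with its own copy of the secret."""
    signing_input = f"{eab['protected']}.{eab['payload']}".encode()
    expected = hmac.new(b64url_decode(hmac_key), signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(eab["signature"]))


def decode_jws_part(part: str) -> dict:
    return json.loads(b64url_decode(part))


def new_account_payload(jwk: dict, kid: str, hmac_key: str, url: str, contact: list) -> dict:
    """Body of the newAccount request; the outer request is itself a JWS
    signed with the account key (not shown here)."""
    return {
        "termsOfServiceAgreed": True,
        "contact": contact,
        "externalAccountBinding": external_account_binding(jwk, kid, hmac_key, url),
    }


def http01_key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 s8.3: body served at /.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """RFC 8555 s8.4: TXT record at _acme-challenge.<domain>."""
    return b64url(hashlib.sha256(http01_key_authorization(token, jwk).encode()).digest())


if __name__ == "__main__":
    body = new_account_payload(ACCOUNT_JWK, EAB_KID, EAB_HMAC_KEY, NEW_ACCOUNT_URL, ["mailto:pki@example.invalid"])
    print(json.dumps(body, indent=2))
    print("HTTP-01:", http01_key_authorization("constructed-token", ACCOUNT_JWK))
    print("DNS-01 :", dns01_txt_value("constructed-token", ACCOUNT_JWK))
```

In practice you hand these values to the client rather than computing them yourself: Certbot, for instance, takes the directory URL with `--server` and the binding with `--eab-kid` and `--eab-hmac-key`. The point to take from the code is that the Secret is an HMAC key: anyone holding it can bind new accounts to your certificate profile, which is why section 9's guidance on secret storage and rotation applies to it.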

4. SCEP — Simple Certificate Enrollment Protocol

SCEP (RFC 8894)
Best for: MDM devices, routers, firewalls

4.1 What You Receive

  Item            Description
  Shared Secret   Challenge password

4.2 How to Consume

MDM Flow

  • Create SCEP profile

  • Enter URL + Secret

  • Assign to devices

Cisco Example


Windows Validation


⚠️ SCEP has no separate renewal operation: renewal is performed as a re-enrollment through the MDM.

5. EST — Enrollment over Secure Transport

EST (RFC 7030)
Best for: Enterprise devices, IoT

5.1 What You Receive

  Item       Description
  Username   Basic Auth
  Password   Basic Auth

5.2 Endpoints

  Operation       Path
  Fetch CA Cert   /cacerts
  Enroll          /simpleenroll
  Renew           /simplereenroll

5.3 Usage
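The following is an added example of consuming the three endpoints in 5.2 from a script; it is not CERTInext code or a project SDK. It assumes the endpoint URL your administrator provides is the EST base path (the placeholder `EST_BASE` below), that the Basic Auth username and password from 5.1 are used for `/simpleenroll` and `/simplereenroll`, and that the CSR is already available as DER. It builds each request the way RFC 7030 specifies (base64 PKCS#10 body, `application/pkcs10` content type), refuses a non-HTTPS base URL, and decodes the certs-only PKCS#7 reply that both `/cacerts` and enrollment return. The sample reply is constructed locally from placeholder certificate blobs so the decoding can be exercised offline.

```python
"""EST (RFC 7030) client helpers for the operations in section 5.2.

Added example, not CERTInext code. Assumptions: EST_BASE is a placeholder
for the endpoint URL your administrator provides; the sample response is
constructed from placeholder SEQUENCE blobs, not real X.509 certificates.
"""
import base64
import urllib.request

EST_BASE = "https://est.example.invalid/.well-known/est"  # placeholder
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")     # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")            # 1.2.840.113549.1.7.1


def build_request(operation: str, username: str, password: str,
                  csr_der: bytes = None, base: str = EST_BASE) -> dict:
    """Describe the HTTP request for cacerts (GET, unauthenticated) or
    simpleenroll / simplereenroll (POST of a base64 PKCS#10 over Basic Auth)."""
    if not base.startswith("https://"):
        raise ValueError("EST runs over TLS only; refusing a non-https base URL")
    if operation not in ("cacerts", "simpleenroll", "simplereenroll"):
        raise ValueError(f"unknown EST operation {operation!r}")
    url = base.rstrip("/") + "/" + operation
    headers = {"Accept": "application/pkcs7-mime"}
    if operation == "cacerts":
        return {"method": "GET", "url": url, "headers": headers, "body": None}
    if csr_der is None:
        raise ValueError("enrollment needs a DER-encoded PKCS#10 request")
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    headers.update({
        "Authorization": "Basic " + token,
        "Content-Type": "application/pkcs10",
        "Content-Transfer-Encoding": "base64",
    })
    return {"method": "POST", "url": url, "headers": headers, "body": base64.b64encode(csr_der)}


# Minimal DER handling for the certs-only PKCS#7 that EST returns.

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def der_iter(data: bytes):
    """Yield (tag, value) for each single-byte-tag TLV in a DER body."""
    i = 0
    while i < len(data):
        tag, length, i = data[i], data[i + 1], i + 2
        if length & 0x80:                       # long-form length
            n = length & 0x7F
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + length]
        i += length


def certs_from_pkcs7(body_b64) -> list:
    """Extract the DER certificates from a certs-only SignedData:
    ContentInfo { signedData OID, [0] SignedData { ..., certificates [0] IMPLICIT, ... } }."""
    outer = list(der_iter(base64.b64decode(body_b64)))
    if len(outer) != 1 or outer[0][0] != 0x30:
        raise ValueError("expected a single ContentInfo SEQUENCE")
    parts = list(der_iter(outer[0][1]))
    if len(parts) < 2 or parts[0] != (0x06, OID_SIGNED_DATA):
        raise ValueError("content type is not signedData")
    _, sd_body = next(der_iter(parts[1][1]))     # [0] EXPLICIT wraps the SignedData SEQUENCE
    certs = []
    for tag, value in der_iter(sd_body):
        if tag == 0xA0:                          # certificates [0] IMPLICIT SET OF Certificate
            certs.extend(der_tlv(t, v) for t, v in der_iter(value) if t == 0x30)
    return certs


def certs_only_pkcs7(cert_ders: list) -> str:
    """Encode a degenerate SignedData as an EST server does; used here only
    to construct the offline sample response."""
    signed_data = der_tlv(0x30, b"".join([
        der_tlv(0x02, b"\x01"),                  # version
        der_tlv(0x31, b""),                      # digestAlgorithms: empty SET
        der_tlv(0x30, der_tlv(0x06, OID_DATA)),  # encapContentInfo: id-data, no content
        der_tlv(0xA0, b"".join(cert_ders)),      # certificates [0] IMPLICIT
        der_tlv(0x31, b""),                      # signerInfos: empty SET
    ]))
    content_info = der_tlv(0x30, der_tlv(0x06, OID_SIGNED_DATA) + der_tlv(0xA0, signed_data))
    return base64.b64encode(content_info).decode()


# Constructed sample: two placeholder "certificates" (plain SEQUENCE blobs).
SAMPLE_CERTS = [der_tlv(0x30, b"constructed-cert-1"), der_tlv(0x30, b"constructed-cert-2")]
SAMPLE_RESPONSE = certs_only_pkcs7(SAMPLE_CERTS)


def send(req: dict, timeout: int = 30) -> list:
    """Perform a request built by build_request and return the certificates
    in the reply (network call; not exercised offline)."""
    http_req = urllib.request.Request(req["url"], data=req["body"], headers=req["headers"], method=req["method"])
    with urllib.request.urlopen(http_req, timeout=timeout) as resp:
        return certs_from_pkcs7(resp.read())


if __name__ == "__main__":
    print(build_request("cacerts", "", ""))
    print(len(certs_from_pkcs7(SAMPLE_RESPONSE)), "certificate(s) in the sample reply")
```

Renewal is the same exchange against `/simplereenroll`; RFC 7030 expects the client to authenticate that request with the certificate being renewed, so a production client would present it as the TLS client certificate in addition to, or instead of, the Basic Auth credentials shown here. The `certs_from_pkcs7` decoder is deliberately strict about the content type so that an unexpected reply fails loudly rather than being written to disk as a certificate.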

6. REST API

Best for: DevOps, ITSM, custom integrations

6.1 Authentication

6.2 Core Operations

  • Create Order

  • Submit CSR

  • Submit DCV

  • Track Status

  • Download Certificate

  • Revoke Certificate

  • Generate Reports

6.3 Example: Create Order

7. CMP — Certificate Management Protocol

CMP (RFC 4210)
Best for: Telecom, large-scale PKI

Example

8. WAEP — Windows Auto Enrollment Protocol

Best for: Active Directory environments

Automatic Enrollment

  • Enable Group Policy

  • Auto enrollment runs automatically

Manual Trigger

9. Security Best Practices

  Practice             Guidance
  Secure Storage       Use Vault / Secrets Manager
  Least Privilege      Restrict access
  Rotate Credentials   Periodically
  Audit Logs           Monitor regularly
  TLS                  Always use HTTPS
  Renewal              Automate before expiry

10. Credential Management

Navigation: Integrations → APIs

  Action       Description
  View         List credentials
  Export       Download list
  Revoke       Disable credential
  Regenerate   Create new
  Audit Logs   View usage

⚠️ Regeneration invalidates old credentials immediately.
