# Enrolment API Consumption Guide

### **1. Purpose**

This guide is intended for client technical teams who have been onboarded to CERTInext. It explains how to consume the enrolment API endpoints that have been configured in your CERTInext instance.

The CERTInext platform documentation describes how administrators create and configure enrollment endpoints. This document bridges the gap by explaining what to do with those endpoints once they have been provisioned — specifically, how your systems, devices, or applications connect to and use them to automate certificate issuance, renewal, and lifecycle management.

**Scope:**\
This guide covers six enrolment protocols:

* ACME
* SCEP
* EST
* REST API
* CMP
* WAEP

Each section is self-contained. You only need to read the section(s) relevant to your integration.

### **2. Prerequisites**

Before consuming any endpoint, your CERTInext Primary Administrator must have completed the following setup in the portal:

1. Navigated to **Integrations → APIs → + New API Credentials**
2. Selected the [relevant API Type](/documentation/automation-and-devops/supported-protocols-acme-scep-est-etc.md) (ACME, SCEP, EST, CMP, REST, or WAEP)
3. Associated the credential with a User, Group, and Product (certificate profile / CA template)
4. Clicked **Generate API Credentials**

Once generated, your administrator will provide you with:

* Endpoint URL
* Authentication credentials

⚠️ **Important:**\
Each set of API credentials is scoped to a specific certificate profile and CA. Ensure you are using the correct credentials.

## **3. ACME — Automated Certificate Management Environment**

**ACME (RFC 8555)**\
**Best for:** Web servers, Kubernetes ingress controllers, cloud workloads, CI/CD pipelines\
**Admin provides:** ACME Directory URL, API Access Key / Secret

### **3.1 What You Receive from Your Administrator**

| Item               | Description                                       |
| ------------------ | ------------------------------------------------- |
| ACME Directory URL | e.g., `https://acme.certinext.io/acme/<profile-id>/directory` |
| API Credentials    | Access Key and Secret                             |

***

### **3.2 How to Consume the ACME Endpoint**

ACME is consumed using an ACME client.

#### **Step 1 — Install an ACME Client**

| Client       | Platform       | Use Case       |
| ------------ | -------------- | -------------- |
| Certbot      | Linux / Unix   | Apache, Nginx  |
| win-acme     | Windows        | IIS            |
| Cert-Manager | Kubernetes     | TLS automation |
| acme.sh      | Cross-platform | DevOps         |
| Caddy        | Cross-platform | Built-in ACME  |

#### **Step 2 — Configure Directory URL**

```bash
acme.sh --register-account \
  --server https://acme.certinext.io/acme/<profile-id>/directory \
  --accountemail your@email.com
# If the directory requires External Account Binding, also pass the credentials your
# administrator issued (assumed mapping: Access Key = kid, Secret = HMAC key):
#   --eab-kid <access-key> --eab-hmac-key <secret>
```

#### **Step 3 — Domain Control Validation (DCV)**

| Type    | Description                   |
| ------- | ----------------------------- |
| HTTP-01 | Token placed in web server    |
| DNS-01  | TXT record (\_acme-challenge) |

#### **Step 4 — Automatic Renewal**

* Renewal triggered \~30 days before expiry
* Supports **ACME ARI (Renewal Information)**

## **4. SCEP — Simple Certificate Enrollment Protocol**

**SCEP (RFC 8894)**\
**Best for:** MDM devices, routers, firewalls

### **4.1 What You Receive**

| Item          | Description                       |
| ------------- | --------------------------------- |
| SCEP URL      | `https://scep.certinext.io/scep/<profile-id>` |
| Shared Secret | Challenge password                |

### **4.2 How to Consume**

#### **MDM Flow**

* Create SCEP profile
* Enter URL + Secret
* Assign to devices

#### **Cisco Example**

```
crypto pki trustpoint CERTINEXT
 enrollment url https://scep.certinext.io/scep/<profile-id>
 password <SharedSecret>
```

***

#### **Windows Validation**

```powershell
certutil -config "https://scep.certinext.io/scep/<profile-id>" -ping
```

***

⚠️ SCEP renewal = re-enrollment via MDM.

## **5. EST — Enrollment over Secure Transport**

**EST (RFC 7030)**\
**Best for:** Enterprise devices, IoT

### **5.1 What You Receive**

| Item     | Description                                 |
| -------- | ------------------------------------------- |
| Base URL | `https://est.certinext.io/.well-known/est/<profile-id>` |
| Username | Basic Auth                                  |
| Password | Basic Auth                                  |

### **5.2 Endpoints**

| Operation     | Path            |
| ------------- | --------------- |
| Fetch CA Cert | /cacerts        |
| Enroll        | /simpleenroll   |
| Renew         | /simplereenroll |

### **5.3 Usage**

```bash
curl --user username:password \
https://est.certinext.io/.well-known/est/<profile-id>/cacerts
```
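The two-step flow behind the table and the curl call above (fetch the CA chain, then submit a PKCS#10 request with the same Basic credentials), as an added example using only the Python standard library. This is not CERTInext's own code. It assumes the `<profile-id>` placeholder, the `/cacerts` and `/simpleenroll` paths listed in 5.2, and the RFC 7030 content types (`application/pkcs10` for the request, base64-encoded `application/pkcs7-mime` for responses); the "server" it talks to offline is a constructed stand-in, not real PKI data.

```python
# Added example, not CERTInext's own code: an EST (RFC 7030) client on the standard
# library. Assumed: the <profile-id> placeholder, the /cacerts and /simpleenroll paths
# from section 5.2, Basic auth, and RFC 7030 content types.
import base64
import io
import urllib.request

EST_BASE = "https://est.certinext.io/.well-known/est/<profile-id>"  # placeholder id


class EnrollPending(Exception):
    """HTTP 202: the CA queued the request for approval; retry after N seconds."""

    def __init__(self, retry_after):
        super().__init__(f"enrolment pending, retry after {retry_after}s")
        self.retry_after = retry_after


def basic_auth_header(username, password):
    """Same value that curl --user sends: 'Basic ' + base64('user:pass')."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def pem_body_to_der(pem):
    """Drop the PEM armour lines and decode the base64 body to DER."""
    body = "".join(l.strip() for l in pem.strip().splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def _call(opener, url, method, headers, body=None):
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with opener.open(req) as resp:
        return resp.status, resp.headers, resp.read()


def fetch_cacerts(opener, base, username, password):
    """GET /cacerts -> DER PKCS#7 'certs-only' bundle (the body on the wire is base64)."""
    headers = {"Authorization": basic_auth_header(username, password)}
    status, hdrs, body = _call(opener, base + "/cacerts", "GET", headers)
    if status != 200:
        raise RuntimeError(f"/cacerts returned HTTP {status}")
    if not hdrs.get("Content-Type", "").startswith("application/pkcs7-mime"):
        raise RuntimeError("unexpected Content-Type from /cacerts")
    return base64.b64decode(body)


def simple_enroll(opener, base, username, password, csr_pem):
    """POST the CSR to /simpleenroll; returns the issued certificate as DER PKCS#7."""
    headers = {
        "Authorization": basic_auth_header(username, password),
        "Content-Type": "application/pkcs10",
        "Content-Transfer-Encoding": "base64",
    }
    body = base64.b64encode(pem_body_to_der(csr_pem))  # normalised base64 DER, no armour
    status, hdrs, resp = _call(opener, base + "/simpleenroll", "POST", headers, body)
    if status == 202:  # manual approval: honour Retry-After rather than re-posting at once
        raise EnrollPending(int(hdrs.get("Retry-After", "60")))
    if status != 200:
        raise RuntimeError(f"/simpleenroll returned HTTP {status}")
    return base64.b64decode(resp)


# ---- constructed offline stand-ins for the EST server (not real PKI objects) ----
CSR_DER = b"constructed-csr-der-bytes"
CSR_PEM = ("-----BEGIN CERTIFICATE REQUEST-----\n"
           + base64.b64encode(CSR_DER).decode()
           + "\n-----END CERTIFICATE REQUEST-----\n")
CA_DER = b"constructed-pkcs7-ca-chain"
CERT_DER = b"constructed-pkcs7-issued-cert"


class FakeResponse(io.BytesIO):
    """Looks enough like an HTTPResponse (status, headers, read) for the flow above."""

    def __init__(self, status, headers, body):
        super().__init__(body)
        self.status, self.headers = status, headers


class FakeOpener:
    """Minimal urllib-opener lookalike keyed by (method, last path segment)."""

    def __init__(self, responses):
        self.responses, self.requests = responses, []

    def open(self, req):
        self.requests.append(req)
        return self.responses[(req.get_method(), req.full_url.rsplit("/", 1)[-1])]


def fake_server(approved=True):
    p7 = {"Content-Type": "application/pkcs7-mime; smime-type=certs-only"}
    enroll = (FakeResponse(200, p7, base64.b64encode(CERT_DER)) if approved
              else FakeResponse(202, {"Retry-After": "30"}, b""))
    return FakeOpener({("GET", "cacerts"): FakeResponse(200, p7, base64.b64encode(CA_DER)),
                       ("POST", "simpleenroll"): enroll})


def demo(approved=True):
    """Run the two-step flow against the stand-in; returns (ca_der, cert_der, opener)."""
    opener = fake_server(approved)
    ca = fetch_cacerts(opener, EST_BASE, "username", "password")
    cert = simple_enroll(opener, EST_BASE, "username", "password", CSR_PEM)
    return ca, cert, opener


if __name__ == "__main__":
    ca_der, cert_der, _ = demo()
    print(len(ca_der), "bytes of CA chain;", len(cert_der), "bytes of issued certificate")
```

Against a live instance, replace `fake_server()` with `urllib.request.build_opener()` and pipe the returned DER through `openssl pkcs7 -inform DER -print_certs` to extract the individual certificates. The 202 branch matters in practice: if the profile requires approval, the CA answers with `Retry-After`, and a client that ignores it and re-posts in a tight loop only creates duplicate pending requests.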

## **6. REST API**

**Best for:** DevOps, ITSM, custom integrations

### **6.1 Authentication**

```http
Authorization: Bearer <access-key>
Content-Type: application/json
```

### **6.2 Core Operations**

* Create Order
* Submit CSR
* Submit DCV
* Track Status
* Download Certificate
* Revoke Certificate
* Generate Reports

### **6.3 Example: Create Order**

```http
POST /api/v1/orders HTTP/1.1
Authorization: Bearer <access-key>
Content-Type: application/json

{
  "product": "<product-id>",
  "csr": "<base64>",
  "domains": ["yourdomain.com"],
  "validity": 365
}
```
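The Create Order call above is only the first of the core operations in 6.2; the following added example (not CERTInext's own SDK) chains it with Track Status and Download Certificate in Python. Only `POST /api/v1/orders`, the `Authorization: Bearer` header and the JSON body shape come from this guide. The order `id` field, the `GET /orders/<id>` status path, the `status` values, the `GET /orders/<id>/certificate` path and the `certificate` response field are assumptions made for illustration and must be checked against your instance; the API it talks to offline is a constructed stand-in.

```python
# Added example, not CERTInext's own SDK: create an order, poll it, download the
# certificate via urllib. Assumed (not from the guide): the order "id" field, the
# GET /orders/<id> and /orders/<id>/certificate paths, and the "status" values.
import json
import time
import urllib.request

API_BASE = "https://<certinext-host>/api/v1"  # placeholder host
TERMINAL_FAILURES = {"rejected", "cancelled", "failed"}  # assumed status values


def urllib_transport(req):
    """Real transport: send the prepared Request and return (status, body bytes)."""
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read()


def pem_to_base64(pem):
    """The PEM body of a CSR is already base64 DER: strip the armour and line breaks."""
    return "".join(l.strip() for l in pem.strip().splitlines() if not l.startswith("-----"))


class CertinextClient:
    def __init__(self, access_key, base=API_BASE, transport=urllib_transport, sleep=time.sleep):
        self.access_key, self.base = access_key, base
        self.transport, self.sleep = transport, sleep  # injectable for offline tests

    def _json(self, method, path, payload=None):
        body = json.dumps(payload).encode() if payload is not None else None
        req = urllib.request.Request(self.base + path, data=body, method=method, headers={
            "Authorization": f"Bearer {self.access_key}",
            "Content-Type": "application/json",
            "Accept": "application/json",
        })
        status, raw = self.transport(req)
        if status in (401, 403):  # credentials are scoped to one profile/CA: wrong key -> denied
            raise PermissionError(f"{method} {path}: HTTP {status}; check credential scope")
        return status, (json.loads(raw) if raw else {})

    def create_order(self, product, csr_pem, domains, validity=365):
        payload = {"product": product, "csr": pem_to_base64(csr_pem),
                   "domains": domains, "validity": validity}
        status, data = self._json("POST", "/orders", payload)
        if status not in (200, 201):
            raise RuntimeError(f"create order failed: HTTP {status} {data}")
        return data["id"]

    def wait_for_issuance(self, order_id, attempts=8, base_delay=5):
        """Track Status with capped exponential backoff until issued or failed."""
        for n in range(attempts):
            _, data = self._json("GET", f"/orders/{order_id}")
            state = data.get("status")
            if state == "issued":
                return data
            if state in TERMINAL_FAILURES:
                raise RuntimeError(f"order {order_id} ended in state {state}")
            self.sleep(min(base_delay * 2 ** n, 300))
        raise TimeoutError(f"order {order_id} not issued after {attempts} polls")

    def download_certificate(self, order_id):
        _, data = self._json("GET", f"/orders/{order_id}/certificate")
        return data["certificate"]  # assumed: PEM text in a "certificate" field


# ---- constructed offline stand-in for the API (not real CERTInext responses) ----
FAKE_CSR_PEM = "-----BEGIN CERTIFICATE REQUEST-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE REQUEST-----\n"
FAKE_CERT_PEM = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"


def fake_transport(statuses=("pending", "processing", "issued"), expected_key="<access-key>"):
    """Returns (transport, log); the order walks through the given status sequence."""
    queue, log = list(statuses), []

    def send(req):
        auth = req.get_header("Authorization")
        log.append((req.get_method(), req.selector, auth))
        if auth != f"Bearer {expected_key}":
            return 401, b""
        if req.get_method() == "POST" and req.selector.endswith("/orders"):
            body = json.loads(req.data)
            return 201, json.dumps({"id": "ord_123", "status": "pending",
                                    "domains": body["domains"]}).encode()
        if req.selector.endswith("/certificate"):
            return 200, json.dumps({"certificate": FAKE_CERT_PEM}).encode()
        state = queue.pop(0) if len(queue) > 1 else queue[0]
        return 200, json.dumps({"id": "ord_123", "status": state}).encode()
    return send, log


def demo():
    """Full flow against the stand-in; returns (order_id, cert_pem, sleeps, log)."""
    transport, log = fake_transport()
    sleeps = []
    client = CertinextClient("<access-key>", transport=transport, sleep=sleeps.append)
    order_id = client.create_order("<product-id>", FAKE_CSR_PEM, ["yourdomain.com"])
    client.wait_for_issuance(order_id)
    return order_id, client.download_certificate(order_id), sleeps, log


if __name__ == "__main__":
    oid, cert, waited, _ = demo()
    print(oid, "issued after waiting", sum(waited), "s;", len(cert), "bytes of PEM")
```

The transport and sleep hooks are what make the polling loop testable without a network; in production, construct `CertinextClient(access_key)` with the defaults and load the key from the secrets store recommended in section 9 rather than from source. A 401/403 on the first call usually means the credential belongs to a different product or CA than the one you are ordering from (see the warning in section 2).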

## **7. CMP — Certificate Management Protocol**

**CMP (RFC 4210)**\
**Best for:** Telecom, large-scale PKI

### **Example**

```bash
# -ref/-secret (MAC-based protection), key file, subject and CA file are placeholders
openssl cmp -cmd ir \
  -server https://cmp.certinext.io/cmp/<profile-id> \
  -ref <reference> -secret pass:<shared-secret> \
  -newkey key.pem -subject "/CN=device.example.com" \
  -trusted ca.pem -certout cert.pem
```

## **8. WAEP — Windows Auto Enrollment Protocol**

**Best for:** Active Directory environments

### **Automatic Enrollment**

* Enable Group Policy
* Auto enrollment runs automatically

### **Manual Trigger**

```powershell
gpupdate /force
certutil -pulse
```

## **9. Security Best Practices**

| Practice           | Guidance                    |
| ------------------ | --------------------------- |
| Secure Storage     | Use Vault / Secrets Manager |
| Least Privilege    | Restrict access             |
| Rotate Credentials | Periodically                |
| Audit Logs         | Monitor regularly           |
| TLS                | Always use HTTPS            |
| Renewal            | Automate before expiry      |

## **10. Credential Management**

**Navigation:**\
`Integrations → APIs`

| Action     | Description        |
| ---------- | ------------------ |
| View       | List credentials   |
| Export     | Download list      |
| Revoke     | Disable credential |
| Regenerate | Create new         |
| Audit Logs | View usage         |

⚠️ Regeneration invalidates old credentials immediately.

