Upcoming changes
March 1, 2020
Browser support ending for TLS 1.0 and 1.1
In 2020, the four major browsers are ending support for Transport Layer Security (TLS) 1.0 and 1.1.
- Firefox – March 2020
https://blog.mozilla.org/security/2018/10/15/removing-old-versions-of-tls/ - Safari – March 2020
https://webkit.org/blog/8462/deprecation-of-legacy-tls-1-0-and-1-1-versions/ - Chrome – Chrome 81
https://security.googleblog.com/2018/10/modernizing-transport-security.html - Edge – First half of 2020
https://blogs.windows.com/msedgedev/2018/10/15/modernizing-tls-edge-ie11/
This change doesn't affect your DigiCert certificates. Your certificates will continue to work as they always have.
What you need to know
This change affects browser-dependent services and applications relying on TLS 1.0 or 1.1. Once browser support for TLS 1.0 or 1.1 ends, these out-of-date systems will be unable to make HTTPS connections.
What you need to do
If you are affected by this change, plan to enable or upgrade to TLS 1.2 or TLS 1.3 now. Give yourself lead time to deal with any problems. Before you start, make sure to identify all systems that might use TLS 1.0 or 1.1.
Remember to check web servers like Apache or Microsoft IIS, .NET Framework, server monitoring agents, and other commerce applications that might use it.
Helpful resources
With so many different types of systems relying on TLS, we can't cover all available upgrade paths, but here are a few references that may help:
- To upgrade your Linux OpenSSL library, see https://blog.midtrans.com/time-to-upgrade-to-tls-version-1-2/.
- To enable TLS 1.2 with OpenSSL and Apache, see https://serverfault.com/questions/314858/how-to-enable-tls-1-1-and-1-2-with-openssl-and-apache.
- To enable TLS 1.2 in WinHTTP in Windows (Windows Server 2012, Windows 7 Service Pack 1 (SP1), and Windows Server 2008 R2 SP1), see https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-wi.
- To disable support for TLS 1.0 and 1.1 in Windows Server 2019 IIS, see https://medium.com/@rootsecdev/configuring-secure-cipher-suites-in-windows-server-2019-iis-7d1ff1ffe5ea.
Recent changes
December 5, 2019
CT Log monitoring
We are happy to announce that Secure Site Pro certificates now come with access to a CT Log monitoring service. CT Log monitoring allows you to monitor the public CT logs for SSL/TLS certificates issued for the domains on your Secure Site Pro certificate order, in real time.
CT Log monitoring is a cloud service so there is nothing to install or manage. After we've issued your Secure Site Pro certificate and turned CT Log monitoring on for the order, you can start using the service immediately to monitor the domains on the certificate order.
The CT Log monitoring benefit for Secure Site Pro certificates is retroactive. To access your CT Log monitoring for your issued and active Secure Site Pro certificate order, contact your account manager or our support team.
CT Log monitoring helps you:
- Gain visibility of the SSL/TLS certificates issued for your domains with global monitoring and tracking against the public CT logs.
- Cut down on time and effort needed to monitor the logs by providing automated checks for DigiCert and non-DigiCert issued certificates.
- Ensure every certificate issued for your domains is trusted while gaining full oversight of which certificate authority issued each certificate.
The service pulls the discovered SSL/TLS certificates into your CertCentral account, where you can view details about the certificates to quickly identify any misissued certificates for your domains. You can also download copies of the non-DigiCert certificates right from your CertCentral account.
Email notifications
After you've enabled CT Log monitoring for a Secure Site Pro certificate order, you'll receive two types of email notifications: Daily CT log digest and if needed, Urgent notifications. Email notifications are sent to account admins and allow them to check the CT logs for their domains without signing in to their CertCentral account every day.
- Daily CT log digest
Scheduled to occur once a day, this digest includes a daily rundown of new DigiCert issued SSL/TLS certificates found in public CT logs. The daily digest is only sent if new DigiCert issued certificates are discovered. - Urgent CT log notification
This urgent notification is sent within minutes any time a non-DigiCert SSL/TLS certificate is issued for a domain on the Secure Site Pro certificate order.
To learn more about what's included with each Secure Site Pro certificate, see Pro TLS/SSL Certificates. To learn more about enabling CT log monitoring for a Secure Site Pro certificate order. see Enable CT log monitoring.
December 4, 2019
Improved client certificate process
We improved the client certificate process, enabling you to cancel client certificate orders in an Emailed to Recipient state—orders that are waiting for the email recipient to generate and install the client certificate in one of the supported browsers.
Note: Previously, when a client certificate was in an Emailed to Recipient state, you had to contact support to cancel the order.
Now, if you need to cancel a client certificate order in the Emailed to Recipient state, go to the client certificate's Order details page and in the Certificate Actions dropdown list, select Cancel Order. See Cancel pending client certificate orders.
CertCentral Services API: Improved client certificate process
In the DigiCert Services API, we updated the Update order status endpoint enabling you to cancel client certificate orders in a waiting_pickup state—orders that are waiting for the email recipient to generate and install the client certificate in one of the supported browsers.
Note: Previously, when a client certificate was in a waiting_pickup state, you received a forbidden error and had to contact support to cancel the order.
Now, you can use the Update order status endpoint to cancel a client certificate order in the waiting_pickup state.
December 3, 2019
CertCentral: Default behavior change
By default, we will no longer use organization unit information included in a CSR to autopopulate the Organization Unit value in OV/EV SSL certificate request forms. When ordering these certificates, you can still manually add organization unit information.
Note: Organization unit (OU) information is not required to purchase an OV/EV SSL certificate. Furthermore, when you include OU information in a certificate request, we are required to perform additional validation. This may delay certificate issuance, including for requests where the organization and domains have been prevalidated.
CertCentral: New account setting (Enterprise and Partner)
For CertCentral Enterprise and Partner accounts, we added a new account setting—Autopopolate OU Field. This option allows you to use organization unit information included in a CSR to autopopulate the Organization Unit value in OV/EV SSL certificate request forms.
Note: Enterprise and Partner accounts have a logo identifying the account type: Enterprise logo or Partner logo.
In the left main menu, go to Settings > Preferences. On the Division Preferences page, the new setting is in the Advanced Settings section under Certificate Requests. See our Autopopulate Organization Unit field instructions.
November 21, 2019
Discovery: Renewal notifications for non-DigiCert SSL/TLS certificates
In Discovery, we added renewal notifications for non-DigiCert certificates, making it easier to manage all your SSL/TLS certificates in one place—CertCentral. Now, when Discovery finds non-DigiCert certificates, we'll send renewal notifications for these certificates regardless of issuing Certificate Authority (CA).
Note: When renewing a non-DigiCert SSL/TLS certificate in CertCentral, we'll replace it with the equivalent DigiCert certificate. For example, we'll replace a non-DigiCert single-domain SSL certificate with a DigiCert single-domain SSL certificate.
Who receives these renewal notifications?
By default, Discovery sends renewal notifications for non-DigiCert SSL/TLS certificates to the primary CertCentral administrator—the individual who created the account and receives all account notifications.
We also send renewal notifications to any additional email addresses assigned to receive account notifications. See Set up account email notifications and Certificate renewal notifications.
When are these renewal notifications sent?
Discovery uses your CertCentral renewal notification settings to determine when to send renewal notifications for non-DigiCert certificates. By default CertCentral sends renewal notifications 90, 60, 30, 7, and 3 days before a certificate expires and 7 days after a certificate expires.
To customize your renewal notifications schedule, see Certificate renewal notifications.
Discovery: Customize non-DigiCert SSL/TLS certificate renewal notification process
In Discovery, on the Certificates page, we added three new certificate renewal actions to the Actions column dropdown for non-DigiCert certificates: Disable renewal notices, Enable renewal notices, and Renewal notifications. Renewal notifications allows you to add email addresses to receive renewal notifications for a certificate.
On the Certificates page, you can now update your non-DigiCert certificate renewal process to fit your certificate needs. (In the left main menu, go to Discovery > View Results.)
Note: By default, Discovery sends renewal notifications for all discovered non-DigiCert SSL/TLS certificates.
To customize renewal notifications for non-DigiCert SSL/TLS certificates, see Discovery renewal notices.
November 20, 2019
New feature: Document Signing certificate renewals
We fixed a bug on the Expiring Certificates page where we provided a Renew Now link for expiring Document Signing (DS) certificate orders. When you clicked Renew Now, it opened an SSL certificate renewal form where you were unable to complete your DS certificate renewal.
Note: To renew your DS certificate, you were required to order a new certificate.
Now, on the Expiring Certificate page when you click Renew Now for an expiring DS certificate order, it opens a DS certificate renewal form where you are able renew your certificate.
To learn more about renewing a DS certificate, see Renew a document signing certificate.
We updated the Document Signing (DS) certificate's Order details page and Order details panel adding a new Renew Certificate option making it easier to renew your DS certificate before it expires. Note that the Renew Certificate option doesn't appear on the Order details panel and page until 90 days before it expires.
Order details panel
In the left main menu, click Certificates > Orders. On the Orders page, click the DS certificate order's Quick View link. In the Order details panel, you'll see the new Renew Certificate option.
Order details page
In the left main menu, click Certificates > Orders. On the Orders page, click the DS certificate's order number link. On the Order details page, in the Order Actions dropdown, you'll see the new Renew Certificate option.
November 13, 2019
In the DigiCert Services API, we added a new endpoint – Additional emails. This endpoint allows you to update the email addresses that receive certificate notification emails for the order (e.g., certificate renewals, reissues, and duplicate orders).
Note: These people can't manage the order. They only receive certificate related emails.
For more information on the Services API, see our Developers portal.
November 12, 2019
We are happy to announce we've implemented an RSS Feed for the CertCentral Change Log. You can see the new change log feed here: https://docs.digicert.com/change-log/feed/.
The RSS feed returns the 15 most recent change log entries. To make upcoming changes easier to identify, we labeled them Upcoming changes.
The change log RSS feed follows RSS 2.0 specifications and is compatible with RSS 2.0 compliant feed aggregators.
RSS feed reader tip
All major browsers have RSS feed extensions to automatically access your selected RSS feeds and organize the results for you. For example, the Chrome extension RSS Feed Reader was used for the screenshots included in this post.
November 9, 2019
Updated maintenance schedule
We rescheduled our maintenance window. On November 9, 2019 from 09:00 to 12:00 UTC, DigiCert will be performing some planned maintenance.
During this time, DigiCert services may be unavailable:
- CertCentral
- DigiCert website (digicert.com)
- Certificate validation
- Certificate issuance
DigiCert services will be restored as soon a maintenance is completed.
Please plan accordingly. Schedule high priority orders, renewals, reissues, and duplicate issues outside of the maintenance window.
DigiCert Services API integrations
During maintenance, access to the DigiCert Services APIs will be spotty or non-existent. If you use the API for automated tasks, expect interruptions during this time.
November 8, 2019
We are happy to announce a new addition to the DigiCert Developers portal—Discovery API. We just published our first set of Discovery API endpoints. More will follow as we continue to build out the Discovery API documentation.
Why use it?
- Access Discovery features without signing into your CertCentral account.
- Customize the Discovery experience to meet the needs of your organization.
- Integrate with your existing tools.
Sample of endpoints you can start using now:
- List endpoints
- View endpoint rating
- List certificates
- View certificate details
- View certificate rating
- Download certificate
Tips and Tricks
- Discovery API uses this base URL:
https://daas.digicert.com/apicontroller/v1/ - Discovery API requires admin or manager level permissions.
November 5, 2019
We updated the OV and EV SSL/TLS certificate order forms, adding a new DCV verification method dropdown. Now, when ordering OV and EV certificates, you can select the DCV method you want to use to validate the new domains on the order. See our Order your SSL/TLS certificates instructions.
Note: The selected DCV method applies to all unvalidated domains on the order. After submitting the order, you can change the DCV method per domain on the certificate's Order details page. See our Demonstrate control over domains on a pending certificate order instructions.
We updated the domain pre-validation forms, consolidating the OV and EV certificate validation options. Now, when pre-validating a domain, use the new unified domain validation option—OV/EV Domain Validation*. See our Domain pre-validation: Domain control validation (DCV) methods instructions.
Note*: The domain control validation (DCV) methods for OV and EV certificates are the same (verification email, DNS TXT, etc.). The only difference between them is how long the domain validation is valid for. For OV SSL certificates, domains will need to be revalidated every 825 days (approximately 27 months). For EV SSL certificates, domains will need to be revalidated every 13 months.
October 28, 2019
In Discovery, we added a new feature—Add root and intermediate CAs—that lets you upload public and private root and intermediate CAs. Use this feature to get more accurate security ratings for certificates chained to them.
If Discovery is unable to locate the root and intermediate CAs for a certificate, it down grades the certificate's security rating. By uploading a copy of the certificate's intermediate and root CAs, the next time Discovery runs a scan that includes that certificate, you'll get a more accurate rating.
Note: Supported certificate formats: .der and .cer
In CertCentral, in the left main menu, click Discovery > Manage Discovery. On the Manage scans page, in the More actions dropdown, click Manage root and intermediate CAs. See Add public and private root and intermediate CAs in our Discovery user guide.
In Discovery, we added a new Blacklist feature that lets you exclude specific IP addresses and FQDNs from your scan results. For example, you may want to blacklist a domain in your CDN network.
Note: When you blacklist an IP address or FQDN, its information is excluded from all future account Discovery scans. This feature does not remove information from existing scan results.
In CertCentral, the left main menu, click Discovery > Manage Discovery. On the Manage scans page, in the More actions dropdown, click Manage blacklist. See Blacklist IP addresses and FQDNs in our Discovery user guide.
October 23, 2019
Subaccount management for partners, resellers, and enterprises
Many subaccount features have been available in previous beta releases. With this release, all subaccount management functionality is now fully available in CertCentral.
Partners, resellers, and enterprises with tiered organizational structure can:
- Create and manage all subaccount details for their retail or enterprise customers or their own autonomous sub-resellers.
- Specify their own account manager for a subaccount.
- View subaccount orders and reports through CertCentral console or APIs.
- Bill orders directly to the subaccount or back to the parent account/subaccount.
- Customize available products and pricing.
- Manage commission-based finances, now updated and enhanced in CertCentral.
Where are subaccounts?
- Go to the SUBACCOUNTS menu in the left navigation in CertCentral.
- If Subaccounts isn’t visible in your account, contact your account manager or customer support.
October 21, 2019
In our CertCentral API, we added a new Custom Reports API that leverages the powerful GraphQL query language, enabling you to generate comprehensive and customizable data sets for more robust reporting.
Custom Reports API consolidates multiple REST endpoints into a single one, so you can better define the types and fields in your queries so they return only the information needed. Additionally, use it to create reusable query templates for generating and scheduling reports.
To learn more, see Custom Reports API in our Developers portal.
October 1, 2019
Apple's new compliance requirements for Private SSL certificates
Apple recently announced some new security requirements for SSL/TLS certificate that will go into effect with the release of iOS 13 and macOS 10.15. These requirements affect private certificates issued after July 1, 2019.
For your public DigiCert SSL/TLS certificates, no action is required.
DigiCert public SSL/TLS certificates already meet all these security requirements. Your public SSL/TLS certificates aren't affected by these new requirements and will be trusted in iOS 13 and macOS 10.15.
What's new?
Apple is implementing additional security requirements for all SSL/TLS certificates that by design impact private SSL/TLS certificates. See Requirements for trusted certificates in iOS 13 and macOS 10.15.
DigiCert private SSL/TLS certificates meet these requirements, if issued by account administrators according to public certificate requirements.
We've provided a list of the requirements below that may affect your private SSL/TLS certificates. These versions of Apple's OS are slated to be released during the fall of this year. This means, you need to prepare now.
New private SSL/TLS certificate requirements:
- Must use an algorithm from the SHA-2 family in the signature algorithm. SHA-1 signed SSL/TLS certificates are no longer trusted.
- Must have a validity period of 825 days or fewer. SSL/TLS certificates with a validity greater than 825 days are no longer trusted.
What can you do?
If Apple iOS and macOS trust are required for your private SSL/TLS certificates, verify any private SSL/TLS certificates issued after July 1, 2019 meet their new requirements. If you find certificate that don't meet these requirements, you'll want to take these actions soon:
- Reissue affected private TLS/SSL certificates prior to general availability of iOS 13 and macOS 10.15. See Reissue an SSL/TLS certificate.
- Adjust your processes so that newly issued private TLS/SSL certificates meet the new requirements automatically. See Configure Private SSL certificate products.
September 25, 2019
We added two new statuses to the Organizations and Organization details pages: validation expires soon, and validation expired. These new statuses make it easier to proactively track your organization validations and make sure they stay up to date.
Now, when you visit the Organizations page (in the sidebar menu click Certificates > Organizations), you can quickly identify organizations with validation that is expiring soon or has already expired. For more details about the expiring or expired organization validation, click the organization name.
We fixed a bug where some accounts were unable to submit organizations for EV CS – Code Signing Organization Extended Validation. The affected accounts only contained EV Code Signing and Code Signing products.
As part of the fix, we split up the EV and EV CS verified contact options. Now, when submitting an organization for EV CS – Code Signing Organization Extended Validation, you can submit the organization's verified contact for EV CS order approvals only. Similarly, when submitting an organization for EV – Extended Organization Validation (EV), you can submit the organization's verified contact for EV SSL certificate order approvals only.
Note: For EV code signing certificate orders, organizations and the organization's verified contacts need to be pre-validated. For more information about organization pre-validation, see our Submit an organization for pre-validation instructions.
September 22, 2019
Routine server maintenance
On September 22, 2019 from 06:30 to 08:30 UTC, DigiCert will be performing some routine server maintenance. During this time, you may get logged out of your CertCentral account and experience issues logging in. Additionally, certificate validation and issuance services may not work.
Please plan accordingly. For example, submit any high priority renewal, reissue, or new certificate orders outside of the maintenance window.
Note: Access will be restored as soon as possible.
DigiCert Services API integrations
During server maintenance, access to the DigiCert Services APIs will be spotty or non-existent. If you use the API for automated tasks, expect interruptions during this time.
September 18, 2019
We added a new permission to the API key generation process, enabling you to restrict an API key to "View Only" permissions.
When linking an API key to a user, you're linking the user's permissions to the key. Now, you can restrict the permissions of the user's API key to GET requests only.
For more information, see Generate an API key.
In the DigiCert Services API, we updated the Create key and Edit key endpoints, adding a new access role restriction—View Only.
Now, when using the API to create or edit an API key, add the restricted_to_role_id parameter to your request and include the new 102 value to limit the API key to GET requests only.
Example request for Create key endpoint
September 9, 2019
We added two new features to the Expiring Certificates page (in the sidebar, click Certificates > Expiring Certificates), making it easier to manage renewal notifications for your expiring certificates.
First, we added a Renewal Notices column with an interactive check box. Use this check box to enable or disable renewal notices for an expiring certificate.
Second, we added two Renewal Notices filters: Disabled and Enabled. These filters allow you to see only the certificate orders with renewal notices enabled or disabled.
In the DigiCert Services API, we updated the List keys and Get key info endpoints response parameters, enabling you to see the organization associated with your ACME certificate orders.
Now, when you call the List keys and Get key info endpoints, we return the name of the organization (organization_name) associated with the ACME certificate order in the response.
September 3, 2019
Firefox ending key generation support
With the release of Firefox 69, Firefox will finally drop support for Keygen. Firefox uses Keygen to facilitate generating key material for submitting the public key when generating Code Signing, Client, and SMIME certificates in their browser.
Note: Chrome already dropped support for key generation, and Edge and Opera never supported it.
How does this affect you?
After DigiCert issues your Code Signing, Client, or SMIME certificates, we send you an email with a link to create and install your certificate.
Once Firefox 69 is released, you can only use two browsers to generate these certificates: Internet Explorer and Safari. If company policy requires the use of Firefox, you can use Firefox ESR or a portable copy of Firefox.
For more information, see Keygen support to be dropped with Firefox 69.
Tips and tricks
- You can still use Firefox 69 for client authentication. First, generate the SMIME certificate in IE 11 or Safari. Then, import the SMIME certificate to Firefox.
- To bypass generating Code Signing, Client, or SMIME certificates in your browser, generate and submit a CSR with your order. Instead of a link, DigiCert will send you an email with your certificate attached.
We added a new status, Emailed to Recipient, to the Orders and Order Details pages, for Code Signing and Client certificate orders, making it easier to identify where these orders are in the issuance process.
This new status indicates the DigiCert has validated the order, and the certificate is waiting for the user/email recipient to generate it in one of the supported browsers: IE 11, Safari, Firefox 68, and portable Firefox.
(In the sidebar menu, click Certificates > Orders. Then, on the Orders page, click the order number for the Code Signing or Client certificate order.)
We updated our Extended Validation (EV) Code Signing (CS) and Document Signing (DS) certificate reissue processes, enabling you to reissue these certificates without automatically revoking the current certificate (original or previously reissued certificate).
Note: If you don't need the current certificate (original or previously reissued certificate), you'll need to contact support so they can revoke it for you.
Now, the next time you reissue an EV CS or DS certificate, you can keep the previously issued certificate active to its current validity period (or for as long as you need it).
August 29, 2019
Industry standards compliance reminder
For public and private certificates, Certificate Authorities (CAs) don't accept abbreviations for these parts of an address in your certificate orders or organization pre-validation requests:
- State or Province*
- City or Locality*
*This applies to organization and jurisdiction addresses.
We made it easier to define the domain validation scope for your account when submitting your domains for validation (pre-validation or via certificate orders).
On the Division Preferences page, we added two domain validation scope options:
- Submit exact domain names for validation
With this option, requests for new domains are submitted for validation exactly as named (i.e., request for sub.example.com is submitted for validation exactly as sub.example.com). Validation for the “higher level” domain (e.g., example.com) also works. This is the default behavior for CertCentral. - Restrict validation to base domain only
This option allows you to restrict domain validation to the base domain (e.g., example.com). For request that include new subdomains (e.g., sub.example.com), we only accept domain validation for the base domain (e.g., example.com). Validation for the subdomain (e.g., sub.example.com) won’t work.
To configure the domain validation scope for your account, in the sidebar menu, click Settings > Preferences. On the Division Preference page, expand Advanced Settings. In the Domain Control Validation (DCV) section, under Domain Validation Scope, you'll see the new settings.
We fixed a bug where we were limiting the maximum allowed number of SANS to 10 on Wildcard SSL certificate reissue and new certificate orders.
Now, when reissuing or ordering a new Wildcard SSL certificate, you can add up to 250 SANs.
August 27, 2019
In the DigiCert Services API, we added two new Order info endpoints. Now, you can use the order ID, the certificate's serial number, or the certificate's thumbprint to view the details for a certificate order.
- GET https://www.digicert.com/services/v2/order/certificate/{{thumbprint}}
- GET https://www.digicert.com/services/v2/order/certificate/{{serial_number}}
Currently, these new endpoints only retrieve data for the primary certificate. For more information on the Services API, see our Developers portal.
PQC dockerized toolkit guide available now
Secure Site Pro Secure Site Pro certificates come with access to the DigiCert post-quantum cryptographic (PQC) toolkit. To create your own PQC test environment, use one of these options:
- Download the ISARA PQC toolkit and build your own OpenSSL test environment. See our PQC toolkit setup guide.
- Download the Docker support files and quickly spin up a Docker test environment. See our PQC dockerized toolkit guide.
Our toolkits contain what you need to create a hybrid SSL/TLS certificate. The hybrid certificate in the toolkits uses a PQC algorithm paired with an ECC algorithm allowing you to test the feasibility of hosting a post-quantum, backwards compatible hybrid certificate on your website.
Note: To access your PQC toolkit, go to your Secure Site Pro Certificate's Order # details page. (In the sidebar menu, click Certificates > Orders. On the Orders page, click the order number link for your Secure Site Pro certificate. On the certificate's order details page, click PQC toolkit.)
To learn more about post-quantum cryptography, see Post-Quantum Cryptography. To learn more about what's included with each Secure Site Pro certificate, see Pro TLS/SSL Certificates.
DigiCert is happy to announce we made it easier for DigiCert Accounts using the Retail API to upgrade to our new Certificate Management Platform, DigiCert CertCentral—For free!
To make the upgrade as seamless as possible, we shimmed these Retail API endpoints:
- POST /order/ssl -> POST /services/v2/order/certificate/ssl
- REISSUE /order/{order_id} -> POST /services/v2/order/certificate/{order_id}/reissue
- POST /order/code -> POST /services/v2/order/certificate/code_signing
Now, you can upgrade your DigiCert Account without any interruptions to your API integrations. Once you're upgraded, make plans to build new integrations with CertCentral.
- For more information on the CertCentral Services API, see our Developers portal.
For information about the DigiCert Retail API, see Documentation for the DigiCert Retail API.
August 13, 2019
We fixed a bug where some account admins were unable to view or edit the details of their CertCentral user accounts. Now, all account admins can once again view and edit user account details (email address, role, etc.).
DigiCert is happy to announce that DigiCert Accounts are now eligible to upgrade to our new Certificate Management Platform, DigiCert CertCentral—For free!
- Upgrade happens in seconds.
- Seamless certificate and account migration.
- Additional benefits include improved certificate management, better pricing options, advanced features, and more.
To learn more about CertCentral, check out our short video How to Manage Your Entire Certificate Lifecycle in 60 Seconds—or Less.
August 8, 2019
We improved the SAML Single Sign-on and SAML Certificate Requests workflows, allowing you to turn off SAML Single Sign-on (SSO) and SAML Certificate Requests. Previously, after configuring SAML SSO or SAML Certificate Requests for your account, the only way to turn either of these off was to remove both SAML features from your account.
Now, on the Federation Settings pages, you can turn off SAML SSO and SAML Certificate Requests for your account by deleting the federation settings.
- SAML SSO
In the sidebar menu, click Settings > Single Sign-On. On the Single Sign-on (SSO) page, click Edit Federation Settings. See Turn off SAML Single Sign-on. - SAML Certificate Requests
In the sidebar menu, click Settings > SAML Certificate Request. On the SAML Certificate Request page, click Edit Federation Settings. See Turn off SAML Certificate Requests.
Note: The Turn off SSO and Turn off SAML Certificate Request buttons only appear after you've configured the federation settings (turned the feature on).
For more information about SAML Single Sign-on and SAML certificate request integration with CertCentral:
August 1, 2019
Secure Site Pro certificates now come with access to the DigiCert post-quantum cryptographic (PQC) toolkit. Our toolkit contains what you need to create a hybrid SSL/TLS certificate. The hybrid certificate in the toolkit uses a PQC algorithm paired with an ECC algorithm allowing you to test the feasibility of hosting a post-quantum, backwards compatible hybrid certificate on your website.
Note: The PQC benefit for Secure Site Pro certificates is retroactive. To access your PQC toolkit, go to your Secure Site Pro Certificate's Order # details page. (In the sidebar menu, click Certificates > Orders. On the Orders page, click the order number link for your Secure Site Pro certificate. On the certificate's order details page, click PQC toolkit.)
To learn more about post-quantum cryptography and our PQC toolkit:
To learn more about what's included with each Secure Site Pro certificate, see Pro TLS/SSL Certificates.
July 31, 2019
Industry standards change
As ofJuly 31, 2019 (19:30 UTC), you must use the HTTP Practical Demonstration DCV method to demonstrate control over IP addresses on your certificate orders.
For more information about the HTTP Practical Demonstration DCV method, see these instructions:
- Domain Validation for Pending Order: HTTP Practical Demonstration DCV Method
- Domain Prevalidation: HTTP Practical Demonstration DCV Method
Currently, industry standards used to allow you to use other DCV methods to demonstrate control over your IP address. However, with the passing of Ballot SC7, the regulations for IP address validation changed.
Ballot SC7: Update IP Address Validation Methods
This ballot redefines the permitted processes and procedures for validating the customer's control of an IP Address listed in a certificate. Compliance changes for Ballot SC7 go into effect on July 31, 2019 (19:30 UTC).
To remain compliant, as of July 31, 2019 (19:30 UTC), DigiCert only allows customers to use the HTTP Practical Demonstration DCV method to validate their IP addresses.
Removing Support for IPv6
As of July 31, 2019 (19:30 UTC), DigiCert has removed support for certificates for IPv6 addresses. Due to server limitations, DigiCert is unable to reach out to IPv6 address to verify the file placed on the customer's website for the HTTP Practical Demonstration DCV method.
July 30, 2019
We improved our ACME protocol, adding support for the Signed HTTP Exchange certificate profile option. Now, you can use your ACME client to order OV and EV SSL/TLS certificate with the CanSignHttpExchanges extension included.
First create the ACME Directory URL for your Signed HTTP Exchanges certificate. Then use your ACME client to issue and install the certificate with the CanSignHttpExchanges extension.
See ACME Directory URLs for Signed HTTP Exchange certificates and ACME user guide.
Background
The Signed HTTP Exchange certificate profile option is used to address the AMP URL display issue where your brand isn’t displayed in the address bar. See Display better AMP URLs with Signed Exchanges and Get your Signed HTTP Exchanges certificate.
This profile option allows you to include the CanSignHTTPExchanges extension in OV and EV SSL/TLS certificates. Once enabled for your account, the Include the CanSignHttpExchanges extension in the certificate option appears on your Add ACME Directory URL forms.
To enable this certificate profile for your account, please contact your account manager or contact our Support team.
We updated the information icons in the list of ACME Directory URLs on the Account Access page to help you quickly identify certificates that include a certificate profile option (for example, Signed HTTP Exchanges).
In the sidebar menu, click Account > Account Access. On the Account Access page, in the ACME Directory URLs section, click an information icon to see details about the certificate that can be ordered via the ACME Directory URL.
In the DigiCert Services API, we improved the List keys endpoint response parameters, enabling you to see ACME Directory URLs. Now, when you call the List keys endpoint, we return ACME URL (acme_urls) as well as API key (api_keys) information in the response.
In the DigiCert Services API, we improved the Get key info endpoint, enabling you to get details about ACME Directory URLs.
Include the ACME Directory URL ID in the call to the Get key info endpoint (/key/{{key_id}} where key_id is the ACME Directory URL ID) to get information about an ACME Directory URL.
July 18, 2019
In the DigiCert Service API, we updated the List reissues endpoint response parameters, enabling you to see the receipt id, how many purchased domains, and how many purchased wildcard domains on the reissued order.
Now, we will return these response parameters, when applicable, in your reissued certificate's order details:
- receipt_id
- purchased_dns_names
- purchased_wildcard_names
July 17, 2019
In Discovery, we added a Scan for configured cipher suites option to the scan settings that lets you see the cipher suites enabled on a server. When adding or editing a scan, this option is located in the Settings section when you select Choose what to scan. See Set up and run a scan or Edit a scan.
Once your scan completes, the cipher suite information is listed on the Server details page, in the Server details section. (In the sidebar menu, click Discovery > View Results. On the Certificates page, click View endpoints. On the Endpoints page, click the endpoint's IP address /FQDN link. Then, on the Server details page, in the Server details section, click the Ciphers View link.)
Update note: The new Scan for configured cipher suites option is available in the latest sensor version – 3.7.7. After sensor updates are complete, edit the scan Settings, select Choose what to scan, check Scan for configured cipher suites, and then rerun the scan.
July 16, 2019
In Discovery, we updated the rating system for Strict-Transport-Security (STS) security headers. Now, we only check STS for HTTP 200 requests and ignore it for HTTP 301 requests. We only penalize the server when the website is missing the Strict-Transport-Security (STS) security header or the setting is wrong. In these cases, we rate the server as "At risk".
Previously, we checked STS for HTTP 301 requests and penalized the server if it was missing the Strict-Transport-Security (STS) security header. In these cases, we rated the server as "Not secure".
To view Security headers results, go to the endpoint's Server details page. In the sidebar menu, click Discovery > View Results. On the Certificates page, click View endpoints. On the Endpoints page, click the endpoint's IP address / FQDN link.
Update note: The updated STS rating system is available in the latest sensor version – 3.7.7. After sensor update is complete, rerun your scans to see your updated STS ratings.
July 15, 2019
We improved the Transaction Summary on the Reissue Certificate for Order pages, allowing you to see how many days remain until the certificate expires. Now, when you reissue a certificate, the Transaction Summary shows the certificate validity along with days until it expires (e.g., 1 year (expires in 43 days).
In the DigiCert Services API, we updated the List orders, Order info, List reissues, and List duplicates endpoints enabling you to see how many days remain until the certificate expires. For these endpoints, we return a days_remaining parameter in their responses.
July 11, 2019
We improved the SAML SSO-only users' integration with the CertCentral Services API, adding an account setting that allows you to grant SSO-only users API access. On the SAML Sign-on (SSO) page, under Configure SSO Settings for users, you'll now see the Enable API access for SSO-only users check box (in the sidebar menu, click Settings > Single Sign-On). See Configure SAML Single Sign-On.
Note: This setting allows SSO-only users with API keys to bypass Single Sign-on. Disabling API access for SSO-only users doesn't revoke existing API keys. It only blocks the creation of new API keys.
July 10, 2019
We improved the Users page, adding a Last Login column that lets you see when a user last signed in to their account (in the sidebar menu, click Account > Users).
We also added the last login information to the User's details page directly under their name (on the Users pages, in the Name column, click the username link).
Note: Previously, this information was only found in the Audit Logs (in the sidebar menu, click Account > Audit Logs).
In the DigiCert Services API, we updated the User info endpoint enabling you to see when a user last logged in to their account. Now, when viewing user details, we return a last_login_date parameter in the response.
July 9, 2019
To improve how custom validity works with Guest URLs, we need to temporarily remove access to the feature. Now, when creating new Guest URLs, you'll only have the 1-year, 2-year, and 3-year validity options.
This change doesn't affect existing Guest URLs. Existing Guest URLs that include the custom validity option will continue to work as they did before.
Note: The 3-year validity option only applies to private SSL and client certificates. As of February 20, 2018, DigiCert no longer offers 3-year public SSL/TLS certificates. For more information about this change, click here.
To create a Guest URL
In the sidebar menu, click Account > Account Access. On the Account Access page, in the Guest URLs section, click Add Guest URL. See Manage Guest URLs.
July 8, 2019
We fixed a bug where removing the approval step from the certificate order process blocked custom form field values from being recorded on the certificate's Order details page.
Now, if you create custom fields for your certificate order forms and enable the Skip approval step for your account, the custom order values are recorded on the certificate's Order details page.
Custom order from fields
In the sidebar menu, click Settings > Custom Order Fields. On the Custom Order Form Fields page, click Add Custom Order Form field. See Manage custom order form fields.
Skip approval step
In the sidebar menu, click Settings > Preferences. On the Division Preferences page, expand Advanced Settings. In the Certificate Request section, under Approval Steps, select Skip approval step: remove the approval step from your certificate order processes. See Remove the approval step from the certificate order process.
We fixed a certificate order form bug where Additional Emails added to the order weren’t being recorded on the certificate's Order details page.
Now, if you add additional email address to the order for those you want to receive the certificate notification emails, the email addresses are recorded on the certificate's Order details page.
We fixed a cancel order bug where cancelling a certificate renewal removed the renewal option from the order.
Note: To renew these certificates, you had to contact our Support team.
Now, if you cancel a certificate renewal, the renew option remains for the order, allowing you to renew the certificate later when ready.
July 3, 2019
We improved the certificate's Order # details page and Order # details panel, adding a new Order requested via entry that lets you see where the order was requested: via the API, via an ACME Directory URL, or from inside CertCentral. If the order was requested via the API or an ACME Directory URL, we also include the API key name or ACME Directory URL name.
Note: We also made it easier to see who requested the certificate, adding a new Order requested by entry to the Order Details section. Previously, we included the requested by information in the Requested on details.
Order # details panel
In the sidebar menu, click Certificates > Orders. On the Orders page, click the certificate order's Quick View link. In the Order # detail panel, expand Show More Certificate Info. In the Order Details section, you'll see the new Order requested via entry.
Order # details page
In the sidebar menu, click Certificates > Orders. On the Orders page, click the certificate's order number link. On the Order # details page, in the Order Details section, you'll see the new Order requested via entry.
July 2, 2019
We improved the user invitation workflow for SAML Single Sign-On (SSO) integrations with CertCentral, enabling you to designate invitees as SSO only users before sending your account user invitations. Now, in the Invite New Users popup window, use the SAML Single Sign-on (SSO) only option to restrict invitees to SAML SSO only.
Note: This option disables all other authentication methods for these users. Additionally, this option only appears if you have SAML enabled for your CertCentral account.
(In the sidebar menu, click Account > User Invitations. On the User Invitations page, click Invite New Users. See SAML SSO: Invite users to join your account.)
Simplified enrollment form
We also simplified the SSO only user enrollment form, removing the password and security question requirements. Now, SSO only invitees need to add only their personal information.
We made it easier to see your Discovery certificate scan results from the CertCentral Dashboard in your account, adding the Expiring Certificates Discovered, Certificate Issuers, and Certificates Analyzed By Rating widgets.
Each widget contains an interactive chart that allows you drill down to easily find more information about expiring certificates (e.g., which certificates are expiring in 8-15 days), certificates per issuing CA (e.g., DigiCert), and certificates per security rating (e.g., not secure).
More about Discovery
Discovery uses sensors to scan your network. Scans are centrally configured and managed from inside your CertCentral account.
- To activate Discovery for your CertCentral account, contact your account manager or our support team.
- For information about getting Discovery up and running, see Discovery: Install a sensor and run a scan.
In the DigiCert Services API, we updated the Order info endpoint enabling you to see how the certificate was requested. For certificates requested via the Services API or an ACME Directory URL, we return a new response parameter: api_key. This parameter includes the key name along with key type: API or ACME.
Note: For orders requested via another method (e.g., CertCentral account, Guest Request URL, etc.), the api_key parameter is omitted from the response.
Now, when viewing order details, you'll see the new api_key parameter in the response for orders requested via the API or an ACME Directory URL:
GET https://dev.digicert.com/services-api/order/certificate/{order_id}
Response:
We added a new search filter – Requested via – to the Orders page that allows you to search for certificate orders requested via a specific API key or ACME Directory URL.
Now, on the Orders page, use the Requested via filter to find active, expired, revoked, rejected, pending reissue, pending, and duplicate certificates requested via a specific API key or ACME Directory URL.
(In the sidebar menu, click Certificates > Orders. On the Orders page, click Show Advanced Search. Then, in the Requested via dropdown select the API Key or ACME Directory URL name or type its name in the box.)
July 1, 2019
We improved our Basic and Secure Site single domain certificate offerings (Standard SSL, EV SSL, Secure Site SSL, and Secure Site EV SSL), adding the Include both [your-domain].com and www. [your-domain].com in the certificate option to these certificates' order, reissue, and duplicate forms. This option allows you to choose whether to include both versions of the common name (FQDN) in these single domain certificates for free.
![Include both [your-domain].com and www. [your-domain].com in the certificate](https://docs.digicert.com/media/images/opt-out-plus-feature-check-box-1.original.png){kind=link}
- To secure both versions of the common name (FQDN), check Include both [your-domain].com and www. [your-domain].com in the certificate.
- To secure only the common name (FQDN), uncheck Include both [your-domain].com and www. [your-domain].com in the certificate.
See Order your SSL/TLS certificates.
Works for subdomains too
The new option allows you to get both versions of base and subdomains. Now, to secure both versions of a subdomain, add the subdomain to the Common Name box (sub.domain.com) and check Include both [your-domain].com and www. [your-domain].com in the certificate. When DigiCert issues your certificate, it will include both versions of the subdomain on the certificate: [sub.domain].com and www.[sub.doman].com.
Removed Use Plus Feature for Subdomains
The Include both [your-domain].com and www. [your-domain].com in the certificate option makes the Plus Feature -- Use Plus Feature for Subdomains obsolete. So, we removed the option from the Division Preferences page (in the sidebar menu, click Settings > Preferences).
In the DigiCert Services API, we updated the Order OV/EV SSL, Order SSL (type_hint), Order Secure Site SSL, Order Private SSL, Reissue certificate, and Duplicate certificate endpoints listed below. These changes provide more control when requesting, reissuing, and duplicating your single domain certificates, allowing you choose whether to include a specific additional SAN on these single domain certificates for free.
- /ssl_plus
- /ssl_ev_plus
- /ssl_securesite
- /ssl_ev_securesite
- /private_ssl_plus
- /ssl*
- /reissue
- /duplicate
*Note: For the Order SSL (type_hint) endpoint, only use the dns_names[] parameter as described below to add the free SAN.
To secure both versions of your domain ([your-domain].com and www. [your-domain].com), in your request, use the common_name parameter to add the domain ([your-domain].com) and the dns_names[] parameter to add the other version of the domain (www. [your-domain].com).
When DigiCert issues your certificate, it will secure both versions of your domain.
To secure only the common name (FQDN), omit the dns_names[] parameter from your request.
June 27, 2019
We fixed a SAML Single Sign-on (SSO) bug where some Single Sign-on only users were being prompted to reset their expired non-existent CertCentral password.
Note: This prompt appeared only after they had signed in to their account. These SSO only users could still access all account features and perform all relevant tasks.
June 19, 2019
We've improved the Order # details page, allowing you to see the certificate profile option added to your certificate. Now, when you go to a certificate's Order # details page, in the Order Details section, you can see the Profile Option included in that certificate order.
Certificate profile options
When a certificate profile is enabled for your account, the profile option appears on your SSL/TLS certificate request forms under Additional Certificate Options. When ordering an SSL/TLS certificate, you can add a profile to your certificate.
To learn more about the supported certificate profile options, see Certificate profile options. To enable a certificate profile for your account, reach out to your account manager or contact our Support team.
June 12, 2019
In the DigiCert Services API, we improved the Duplicate certificate endpoint workflow. Now, if the duplicate certificate can be immediately issued, we return the duplicate certificate in the response body.
For more information, see Duplicate certificate.
We improved the duplicate certificate order process in CertCentral. Now, if the duplicate certificate can be immediately issued, we take you directly to the Duplicates page where you can immediately download the certificate.
June 11, 2019
We improved the Skip approval step account setting, applying the setting to certificate requests placed through the online portal as well as through the API.
To access the skip approval setting in your account, in the sidebar menu, click Settings > Preferences. On the Division Preferences page, expand Advanced Settings and scroll down to the Certificate Request section. See Remove the approval step from the certificate order process.
June 5, 2019
We fixed a bug on the Guest URL Request a Certificate page, where clicking Order Now redirected you to the DigiCert account sign in page.
Now, when you order a certificate from a Guest URL and click Order Now, your request is submitted to your account administrator for approval. For more information about guest URLs, see Managing Guest URLs.
We added the Auto-Renewal User feature to the New Division page that optionally allows you to set a default user for the division's auto-renewal orders when creating a new division. If set, this user replaces the original requester on all division auto-renewal certificate orders and helps prevent auto-renewal interruptions.
In your account, in the sidebar menu, click Account > Divisions. On the Divisions page, click New Division. On the New Division page, in the Auto-Renewal User dropdown, set a default user for all division auto-renewal orders.
We are adding a new tool to the CertCentral portfolio—ACME protocol support—that allows you to integrate your ACME client with CertCentral to order OV and EV TLS/SSL certificates.
Note: This is the open beta period for ACME protocol support in CertCentral. To report errors or for help connecting your ACME client to CertCentral, contact our support team.
To access ACME in your CertCentral account, go to the Account Access page (in the sidebar menu, click Account > Account Access) and you'll see a new ACME Directory URLs section.
For information about connecting your ACME client with your CertCentral account, see our ACME user guide.
To turn ACME off for your account, contact your account manager or our support team.
Known issues
For a list of current known issues, see ACME Beta: Known issues.
May 29, 2019
We've added a new Auto-Renewal User feature to the Edit division page that optionally allows you to set a default user for the division's auto-renewal orders. If set, this user replaces the original requester on all division auto-renewal certificate orders and helps prevent auto-renewal interruptions.
(In your account, in the sidebar menu, click Account > Divisions. On the Divisions page, select the division (or click My Division). Edit the division and in the Auto-Renewal User dropdown, set a default user for all division auto-renewal orders.)
We improved the automatic certificate renewal feature, adding an "Auto-renewal disabled" notification to the process. If something happens that prevents us from automatically renewing a certificate, we now send an "Auto-renew disabled" email notification, letting you know auto-renewal has been disabled for the order, what will happen now, and how to re-enable auto-renewal for the order.
Note: Automatic certificate renewals are tied to a specific user (order specific or division specific). If that user ever loses permissions to place orders, the automatic certificate renewal process is disabled.
May 24, 2019
We've added a new tool to our CertCentral portfolio—Discovery—that provides real-time analysis of your entire SSL/TLS certificate landscape.
Designed to quickly find all your internal and public facing SSL/TLS certificates regardless of the issuing Certificate Authority (CA), Discovery identifies problems in certificate configurations and implementations along with certificate-related vulnerabilities or problems in your endpoint configurations.
Note: Discovery uses sensors to scan your network. Sensors are small software applications that you install in strategic locations. Each scan is linked to a sensor.
Scans are centrally configured and managed from inside your CertCentral account. Scan results are displayed in an intuitive and interactive dashboard inside CertCentral. Configure scans to run once or multiple times on a set schedule.
- To activate Discovery for your CertCentral account, contact your account manager or our support team.
- For information about getting Discovery up and running, see Discovery: Install a sensor and run a scan.
May 13, 2019
Secure Site Pro TLS/SSL certificates are now included in all CertCentral accounts. For everything you need to know about these certificates, see DigiCert Secure Site Pro.
In your account, in the sidebar menu, hover over Request a Certificate. Under Business SSL Certificates, you’ll find the new Secure Site Pro certificates.
May 10, 2019
We fixed a bug where you could display our DigiCert and Norton site seals on internal domain names.
Now, our site seals will no longer resolve to internal domain names.
May 1, 2019
We've updated the CertCentral SAML Federation Settings, enabling you to keep your Federation Name from appearing in the list of IdPs on the SAML Single Sign-On IdP Selection and SAML certificate requests IdP Selection pages.
Now, on the Federation Settings page, under Your IDP's Metadata, we added the Include Federation Name option. If you want to keep your Federation Name from appearing in the list of IdPs on the IdP Selection page, uncheck Add my Federation Name to the list of IdPs.
Secure Site Pro TLS/SSL certificates are available in CertCentral. With Secure Site Pro, you're charged per domain; no base certificate cost. Add one domain, get charged for one. Need nine domains, get charged for nine. Secure up to 250 domains on one certificate.
We offer two types of Secure Site Pro certificates, one for OV certificates and one for EV certificates.
- Secure Site Pro SSL
Get the OV certificate that fits your needs. Provide encryption and authentication for one domain, one wildcard domain and all its subdomains, or use Subject Alternative Names (SANs) to secure multiple domains and wildcard domains with one certificate. - Secure Site Pro EV SSL
Get the extended validation certificate that fits your needs. Provide encryption and authentication to secure one domain or use Subject Alternative Names (SANs) to secure multiple sites (fully qualified domain names) with one certificate.
Benefits included with each Secure Site Pro certificate
Each Secure Site Pro certificate includes – at no extra cost – first access to future premium feature additions to CertCentral (e.g., CT log monitoring and validation management).
Other benefits include:
- Priority validation
- Priority support
- Two premium site seals
- Malware check
- Industry-leading warranties
To activate Secure Site Pro certificates for your CertCentral account, contact your account manager or our support team.
To learn more about our Secure Site Pro certificates, see DigiCert Secure Site Pro.
Public SSL certificates can no longer secure domain names with underscores ("_"). All previously issued certificates with underscores in domain names must expire prior to this date.
Note: The preferred underscore solution is to rename the hostnames (FQDNs) that contain underscores and replace the certificates. However, for those situations where renaming is not possible, you can use private certificates and, in some cases, you can use a wildcard certificate that secures the entire domain.
For more details, see Retiring Underscores in Domain Names.
April 30, 2019
Industry standard requirements for including the CanSignHttpExchanges extension in an ECC SSL/TLS certificate:
- CAA resource record for the domain that includes the "cansignhttpexchanges=yes" parameter*
- Elliptic Curve Cryptography (ECC) keypair
- CanSignHttpExchanges extension
- Maximum 90-day validity*
- Only used for the Signed HTTP Exchange
*Note: These requirements took effect as of May 1, 2019. The Signed HTTP Exchanges extension is under active development. There may be additional changes to the requirements as industry development continues.
The 90-day maximum certificate validity requirement doesn't affect certificates issued prior to May 1, 2019. Note that reissued certificate will be truncated to 90-days from the time of reissue. However, you can continue reissuing the certificate for the full purchased validity period.
CanSignHttpExchanges extension
Recently, we added a new certificate profile, HTTP Signed Exchanges to help address the AMP URL display issue where your brand isn’t displayed in the address bar. See, Display better AMP URLs with Signed Exchanges.
This new profile allows you to include the CanSignHttpExchanges extension in OV and EV SSL/TLS certificates. Once enabled for your account, the Include the CanSignHttpExchanges extension in the certificate option appears on your OV and EV SSL/TLS certificate order forms under Additional Certificate Options. See Get your Signed HTTP Exchanges certificate.
To enable this certificate profile for your account, please contact your account manager or contact our Support team.
April 24, 2019
We added a new feature that lets you customize your CertCentral experience – Customize My Experience. With the initial rollout of this feature, we added the ability to customize your account's landing page. (In the top right corner of your account, in your name dropdown, select Customize My Experience.)
For example, each time you sign in, your first action item is to manage expiring certificates. To simplify this workflow, set the Expiring Certificates page as your landing page. Whenever you sign in, you'll be taken directly to your expiring certificates. (On the Customize my experience page, in the Landing page dropdown, select Expiring Orders and Save.)
April 18, 2019
DigiCert will continue to support the SHA1 signature for Code Signing certificates. We are removing the max expiration restriction of December 30, 2019.
April 17, 2019
We added DV certificates to the available products for Guest URLs. Now, you can add GeoTrust and RapidSSL DV certificates to your Guest URLs.
We fixed a bug where adding Secure Site certificates to a Guest URL prevented you from editing the Guest URL. Now, when you add Secure Site certificates to a Guest URL, you can edit the Guest URL as needed.
We fixed a bug where adding Private SSL certificates to a Guest URL prevented you from editing the Guest URL. Now, when you add Private SSL certificates to a Guest URL, you can edit the Guest URL as needed.
April 16, 2019
We've updated the documentation links in the CertCentral help menu and on the Account Access page to point to our new documentation portals.
Now, in the CertCentral help menu, when you click Getting Started, we take you to our new DigiCert Documentation Portal. Similarly, when you click Change Log, we take you to our improved Change log page. And now, on the Account Access page (in the sidebar menu, click Account > Account Access), when you click API Documentation, we take you to our new DigiCert Developers Portal.
April 9, 2019
We fixed a bug where new organizations added during the SSL/TLS certificate request process weren't listed on the Organizations page (in the sidebar menu, click Certificates > Organizations).
With this fix, new organizations added during the SSL/TLS certificate request process will now be automatically listed on the Organizations page in your account.
Retroactive fix: All Organizations will be listed
The fix for this bug is retroactive too. If you've enabled users to add new organizations during the request process, the next time you go to the Organizations page in your account, these organizations will be added to the list.
Note: This bug didn't affect your ability to request additional SSL/TLS certificates for these organizations, as they appeared in the list of existing organizations on the certificate request forms where you could add them to the certificate. This bug also didn't affect organizations added from the New Organizations page (on the Organizations page, click New Organization).
We improved the CertCentral audit logs, making it easier to track API key creations. Now, the audit logs will contain information about who created the API key, when it was created, name of API, etc.
(To access the audit logs in your account, in the sidebar menu, click Account > Audit Logs.)
April 2, 2019
We are happy to announce the new DigiCert Documentation Portal. The new site has a modern look and feel and contains streamlined, task-based help documentation, product news, the change log, and API developer documentation.
We are also happy to announce the new DigiCert Developers Portal is out of beta. The developer site has a modern look and feel and contains information about the available endpoints, uses cases, and workflows.
Tips and tricks
- You can access the documentation portal at www.digicert.com in the top menu under Support (click Support > Documentation).
- In our documentation, hover on a subheader and click the hashtag icon. This creates a URL in the browser's address bar so you can bookmark or link to specific sections in the instructions.
Coming soon
Get started will contain information to help you get acquainted with the features in your account.
April 1, 2019
CAs can no longer issue 30-day public SSL certificate containing underscores in domain names (common names and subject alternative names).
Note: The preferred underscore solution is to rename the hostnames (FQDNs) that contain underscores and replace the certificates. However, for those situations where renaming is not possible, you can use private certificates and, in some cases, you can use a wildcard certificate that secures the entire domain.
For more details, see Retiring Underscores in Domain Names.
March 31, 2019
Final day you can order 30-day public SSL certificates containing underscores in domain names (common names and subject alternative names) from any CA.
Note: The preferred underscore solution is to rename the hostnames (FQDNs) that contain underscores and replace the certificates. However, for those situations where renaming is not possible, you can use private certificates and, in some cases, you can use a wildcard certificate that secures the entire domain.
For more details, see Retiring Underscores in Domain Names.
March 27, 2019
We've added a new certificate profile option, OCSP Must-Staple, that allows you to include the OCSP Must-Staple extension in OV and EV SSL/TLS certificates. Once enabled for your account, the Include the OCSP Must-Staple extension in the certificate option appears on your SSL/TLS certificate request forms under Additional Certificate Options.
Note: Browsers with support for OCSP must-staple may display a blocking interstitial to users accessing your site. Ensure that your site is configured to properly and robustly serve stapled OCSP Responses before installing the certificate.
To enable a certificate profile for your account, reach out to your account representative or contact our Support team.
Other available certificate profile options
If enabled for your account, these profile options appear on your SSL/TLS certificate request forms under Additional Certificate Options.
- Intel vPro EKU
Allows you to include the Intel vPro EKU field in OV SSL/TLS certificates. - KDC/SmartCardLogon EKU
Allows you to include the KDC/SmartCardLogon EKU (Extended Key Usage) field in OV SSL/TLS certificates. - HTTP Signed Exchange
Allows you to include the CanSignHTTPExchanges extension in OV and EV SSL/TLS certificate (see Improve your AMP URLs with Signed HTTP Exchange). - Delegated Credentials
Allows you to include the DelegationUsage extension in OV and EV SSL/TLS certificates.
March 26, 2019
We've added a new certificate profile option, Delegated Credentials, that allows you to include the DelegationUsage extension in OV and EV SSL/TLS certificates. Once enabled for your account, the Include the DelegationUsage extension in the certificate option appears on your SSL/TLS certificate request forms under Additional Certificate Options.
To enable a certificate profile for your account, reach out to your account representative or contact our Support team.
Background
The Delegated Credentials for TLS extension is under active development within the Internet Engineering Task Force (IETF). In order to support interoperability testing, we’ve added the ability to issue certificates compliant with the current draft specification. Note that there may be multiple changes to the draft as industry development continues.
Other available certificate profile options
If enabled for your account, these profile options appear on your SSL/TLS certificate request forms under Additional Certificate Options.
- Intel vPro EKU
Allows you to include the Intel vPro EKU field in an OV SSL/TLS certificate. - KDC/SmartCardLogon EKU
Allows you to include the KDC/SmartCardLogon EKU (Extended Key Usage) field in an OV SSL/TLS certificate. - HTTP Signed Exchange
Allows you to include the CanSignHTTPExchanges extension in an OV and EV SSL/TLS certificate (see Improve your AMP URLs with Signed HTTP Exchange). - OCSP Must-Staple
Allows you to include the OCSP Must-Staple extension in OV and EV SSL/TLS certificates.
March 22, 2019
We improved the Transaction Summary on the certificate request pages, making it easier to track the cost of the certificate. For example, you request a Multi-Domain certificate and add 5 domains. In the Transaction Summary, we show the base price (which includes 4 SANs) plus the price of the additional SAN added to the order.
Previously, the Transaction Summary only tracked the total cost of the certificate without the itemized cost.
March 21, 2019
Secure Site certificates now come with convenient access to a VirusTotal malware check. Quickly analyze your public domains with 70 plus antivirus scanners and URL/domain blacklist services. Use scan results to identify malware threats so you can take actions to keep your site off blacklists that can cripple site availability and online revenue.
Note: This benefit is retroactive. Go to your Secure Site certificate's Order # detail page to use your new VirusTotal malware check. (In the sidebar menu, click Certificates > Orders. On the Orders page, click the order number link for your Secure Site certificate.)
See Secure Site now with all the benefits of DigiCert to learn more about what's included with each Secure Site certificate.
March 19, 2019
We fixed a pending certificate reissue bug where we listed domains dropped from the original or previously issued certificate in the You Need To section on the pending reissue's Order # details page.
This issue only affected domains with expired domain validation. If you removed a domain with up-to-date domain validation, we didn't include it in the You Need To section.
Note: You were only required to complete the DCV for the domains you included in your reissue request. You could ignore the domains you had removed. Additionally, when we reissued your certificate, we didn't include the domains dropped from the original or previously issued certificate in the reissue.
Now, when you reissue a certificate and remove domains included in the original or previously issued certificate, we only show the domains included in the reissue request with pending domain validation in the You Need To section on the pending reissue's Order # details page.
We fixed a duplicate certificate orders bug where we added the original certificate requestor as the requestor on all duplicate certificate orders, regardless of who requested the duplicate.
Now, on duplicate certificate orders, we add the name of the user who requested the duplicate.
Note: This fix is not retroactive and doesn't affect issued duplicate certificate orders.
In the DigiCert Services API, we fixed a bug in the List duplicates endpoint where we weren’t returning the name of the requestor on duplicate certificate orders.
Now, when you use the List duplicates endpoint, we return the name of the user requesting the duplicate certificate.
To fix this issue, we added some new response parameters enabling us to return the name of the requestor in the response:
…user_id= Requestor's user ID…firstname= Requestor's first name…lastname= Requestor's last name
March 18, 2019
In the DigiCert Services API, we fixed a bug in the Order info endpoint where it wasn’t returning the email addresses for an issued client certificate order (Authentication Plus, Email Security Plus, etc.).
Note: When using the List orders endpoint to retrieve information for all issued certificates, the email addresses for client certificate orders were returned.
Now, when you use the Order info endpoint to view the details of an issued an issued client certificate order, the email addresses are returned in the response.
We fixed an organization unit (OU) entry character limit bug where we were applying the 64 character limit collectively instead of individually to the OU entries on SSL/TLS certificate requests with multiple OUs. When an admin tried to approve the request, they incorrectly received the "Organization units must be less than 64 characters in order to be compliant with industry standards" error message.
Note: This bug only affected requests requiring admin approval.
Now, when an admin approves an SSL/TLS certificate request with multiple OUs (where each entry is within the 64 character limit standard), the request gets submitted to DigiCert as expected.
Compliance Note: Industry standards set a 64 character limit for individual organization unit entries. However, when you add multiple OUs to an order, each one is to be counted individually and not combined. See Publicly Trusted Certificates – Data Entries that Violate Industry Standards.
We fixed a bug on certificate requests where you were unable to edit the division that the request/certificate was assigned to.
Note: Once the certificate was issued, you could go to its Order # details page and edit the division the certificate was assigned to.
Now, when you edit a certificate request, you can change the division the request/certificate is assigned to.
March 12, 2019
We fixed a certificate reissue bug where it appeared that you could revoke a certificate with a pending reissue. To fix this bug, we improved the reissue certificate workflow removing the Revoke Certificate option from certificates with a pending reissue.
Previously, when a certificate had a pending reissue, you could submit a request to revoke the original or previously issued certificate. When the administrator approved the request, the certificate was incorrectly marked as being revoked on the Requests page. However, when you went to the Orders page, the certificate was correctly marked as issued and was still active.
When a certificate has a reissue pending, you can't revoke the certificate as it is tied to the certificate reissue process. If something happens where you need to revoke a certificate with a pending reissue on it, you have two options:
- Cancel the certificate reissue and then revoke the original or previously issued certificate.
- Wait for DigiCert to reissue the certificate and then revoke the certificate.
We fixed a DigiCert Services API certificate reissue bug where it appeared that you could submit a request to revoke a certificate with a pending reissue. When you use the revoke certificate endpoint, we returned a 201 Created response with the request details.
Now, when you use the revoke certificate endpoint to revoke a certificate with a pending reissue, we return an error with a message letting you know that you can’t revoke an order with a pending reissue along with information on what to do if you need to revoke the certificate.
"An order cannot be revoked while pending reissue. You can cancel the reissue then revoke the certificate, or revoke the certificate once the reissue is complete."
March 5, 2019
We fixed a DV certificate reissue bug where we weren't honoring the valid until date on the original order for certificates with more than a year remaining until they expired.
Now, when you reissue a DV certificate with more than a year remaining until it expires, the reissued certificate will retain the valid until date of the original certificate.
In the DigiCert Services API, we improved the DV certificate request endpoints allowing you to use the new email_domain field along with the existing email field to more precisely set the desired recipients of the domain control validation (DCV) emails.
For example, when ordering a certificate for my.example.com, you can have a domain owner for the base domain (example.com) validate the subdomain. To change the email recipient for the DCV email, in your DV certificate request, add the dcv_emails parameter. Then, add the email_domain field specifying the base domain (example.com) and the email field specifying the email address of the desired DCV email recipient (admin@example.com).
Example request for a GeoTrust Standard DV Certificate
DV certificate endpoints:
- GeoTrust Standard DV -- https://www.digicert.com/services/v2/order/certificate/ssl_dv_geotrust
- GeoTrust Wildcard DV -- https://www.digicert.com/services/v2/order/certificate/wildcard_dv_geotrust
- RapidSSL Standard DV -- https://www.digicert.com/services/v2/order/certificate/ssl_dv_rapidssl
- RapidSSL Wildcard DV -- https://www.digicert.com/services/v2/order/certificate/wildcard_dv_rapidssl
February 28, 2019
We fixed a bug on the certificate reissue Order # details page where it wasn’t displaying the signature hash for the certificate correctly. This only happened on reissues when you changed the signature hash (i.e., in the original certificate, you used SHA256 but in the reissue, you used SHA384).
Note: The reissued certificate was issued with the correct signature hash.
Now when you reissue a certificate with a different signature hash, the hash is displayed correctly on the certificate's Order # details page.
We fixed a code signing certificate reissue bug where we weren't sending the email letting you know your certificate was issued.
Note: When you checked on the order in your account, the reissued code signing certificate was available to download from its Order # details page.
Now when we reissue your code signing certificate, we send the email letting you know your code signing certificate was issued.
February 26, 2019
We enhanced the DigiCert Services API request endpoints enabling you to get faster responses to your certificate requests.
We made it easier to Add Contacts for OV certificate orders (Standard SSL, Secure Site SSL, etc.). Now when you order an OV certificate, we populate the Organization Contact card for you. If needed, you can add a technical contact.
- When adding a CSR that includes an existing organization in your account, we populate the Organization Contact card with the contact assigned to that organization.
- When you manually add an existing organization, we populate the Organization Contact card with the contact assigned to that organization.
- When you add a new organization, we populate the Organization Contact card with your contact information.
To use a different organization contact, delete the one populated automatically and manually add one.
We made it easier to Add Contacts for EV certificate orders (EV SSL, Secure Site EV SSL, etc.). Now when you order an EV certificate, we will populate the Verified Contact cards for you if EV verified contact information is available in your account. If needed, you can add organization and technical contacts.
- When adding a CSR that includes an existing organization in your account, we populate the Verified Contact card with the EV verified contacts assigned to that organization.
- When you manually add an existing organization, we populate the Verified Contact card with the EV verified contacts assigned to that organization.
Assigning Verified Contacts to an organization is not a prerequisite for adding an organization. There may be instances were verified contact information won't be available for an organization. In this case, manually add the Verified Contacts.
February 25, 2019
We fixed a bug on the Orders page (in the sidebar menu, click Certificates > Order) where using the Product column header to sort the orders by certificate type didn't show any results.
Note: When this happened, to see your full list of orders, you had to click a different column header (e.g., Order #) or leave the page and come back.
Now, on the Orders page, you can use the Product column header to sort your list of orders by certificate type.
We fixed a bug where on some of the forms the state field appeared twice or was required for countries that don't require that information.
Now, on the Edit Billing Contact, New Purchase Order, and EV Code Signing Certificate order, reissue, and renewal forms, the state field only appears once and for countries that don't require that information, the State / Province / Region field is listed as optional.
Edit Billing Contact form
To change the billing contact for your account, in the sidebar menu, click Finances > Settings. On the Finance Settings page, under Billing Contact click the Edit link. If you haven't set up a billing contact for your account, click the Change Billing Contact link.
February 22, 2019
No action is required on your part.
As of February 13, 2019, DigiCert no longer issues ECC TLS/SSL certificates (i.e., certificates with ECDSA keys) with the curve-hash pair P-384 with SHA-2 512 (SHA-512). This curve-hash pair is not compliant with Mozilla's root store policy.
Mozilla's root store policy supports these curve-hash pairs only:
- P‐256 with SHA-256
- P‐384 with SHA-384
Note: Do you have a certificate with a P-384 with SHA-512 curve-hash pair? Don't worry. When it’s time to renew the certificate, it will automatically be issued using a supported curve-hash pair.
February 13, 2019
We added two new endpoints that allow you to use the order_id to download the current, active certificate for the order.
These endpoints can only be used to get the most recent reissue certificate for an order. These endpoints won't work for downloading duplicate certificates.
- GET https://www.digicert.com/services/v2/certificate/download/order/{{order_id}}
- GET https://www.digicert.com/services/v2/certificate/download/order/{{order_id}}/format/{{format_type}}
Duplicate Certificates Note
To download a duplicate certificate for an order, first use the List order duplicates endpoint to get the duplicate certificate's certificate_id – GET https://www.digicert.com/services/v2/order/certificate/{{order_id}}/duplicate.
Then use the Get certificate endpoint to download the duplicate certificate – GET https://www.digicert.com/services/v2/certificate/{{certificate_id}}/download/platform .
Reissue Certificates Note
To download a past reissue certificate (one that is not the current reissue), first use the List order reissues endpoint to get the reissue certificate's certificate_id -- GET https://www.digicert.com/services/v2/order/certificate/{{order_id}}/reissue.
Then use the Get certificate endpoint to download the reissue certificate – GET https://www.digicert.com/services/v2/certificate/{{certificate_id}}/download/platform.
API Documentation Note
For more information about these and other endpoints available in the DigiCert Services API, see CertCentral API.
February 12, 2019
We enhanced our DV certificate offering. You can now renew your DV certificate orders, allowing you to keep the original order ID.
Previously, when a DV certificate order neared its expiration date, you had to order a new certificate for the domains on the expiring order.
Note: DV certificates don't support domain pre-validation. When you renew a DV certificate, you must demonstrate control over the domains on the renewal order.
In the DV Certificate Enrollment guide, see Renewing DV Certificates.
February 8, 2019
We've added a new certificate profile option, KDC/SmartCardLogon EKU, that allows you to include the KDC and SmartCardLogon EKUs (Extended Key Usage) in an OV SSL/TLS certificate. Once enabled for your account, the Include the KDC/SmartCardLogon EKU (Extended Key Usage) field in the certificate option appears on your SSL/TLS certificate request forms under Additional Certificate Options.
To enable a certificate profile for your account, reach out to your account representative or contact our Support team.
Note: Previously, this feature was only available through the DigiCert Services API (see CertCentral API).
Other available certificate profile options
If enabled for your account, these profile options appear on your SSL/TLS certificate request forms under Additional Certificate Options.
- Intel vPro EKU
Allows you to include the Intel vPro EKU field in an OV SSL/TLS certificate. - HTTP Signed Exchange
Allows you to include the CanSignHTTPExchanges extension in an OV and EV SSL/TLS certificate (see Improve your AMP URLs with Signed HTTP Exchange).
February 5, 2019
We added a new Certificate Authority page that replaces the Intermediates page. To access this new page, in the sidebar menu, click Certificates > Certificate Authority.
Note: This page is where we list all intermediate and root certificates available for your account: Public and Private.
We also made some enhancements to the page. Now when you click the certificate name link, it opens the certificate details panel where you can download the certificate and view more details about it, such as the certificate's signature hash, serial number, and thumbprint.
January 31, 2019
We enhanced the Order # details page for pending OV SSL and EV SSL certificate orders. In the DigiCert Needs To section, under Verify Organization Details, we now list the steps that need to be completed to validate the organization (e.g., complete Place of Business Verification) along with the status for each step: complete or pending.
Previously, we provided only a high-level overview of the organization validation process – Verify Organization Details – without offering any details as to what steps needed to be completed before the organization was fully validated.
We fixed a bug on the forms in CertCentral where the state/province/territory field appeared as being required when the country selected didn't require that information (for example when adding a new organization or a credit card).
Note: This bug didn't prevent you from completing these transactions. For example, you were still able to add an organization or a credit card with or without filling in the state/province/territory field.
Now, in the forms, the state/province/territory field is labeled as optional for countries that don't require this information as part of their transactions.
Note: US and Canada are the only countries that require you to add a state or province/territory.
January 28, 2019
We added a new Add contact feature to the OV SSL/TLS certificate request forms allowing you to add a single technical contact and a single organization contact during the request process.
Previously, you were unable to add contacts when ordering OV SSL/TLS certificates (such as Secure Site SSL and Multi-Domain SSL certificates).
Note: A technical contact is someone we can contact should problems arise while processing your order. An organization contact is someone we can contact when completing the organization validation for your certificate.
We enhanced the Add contact feature on the EV SSL/TLS certificate request forms allowing you to add a single technical contact and a single organization contact during the request process.
Previously, you could only add Verified Contacts (for EV) when ordering EV SSL/TLS certificates (such as Secure Site EV and EV Multi-Domain SSL).
Note: A technical contact is someone we can contact should problems arise while processing your order. An organization contact is someone we can contact when completing the organization validation for your certificate.
January 17, 2019
We added a new Cancel Reissue feature enabling you to cancel a pending reissue on a certificate.
On the Orders page (in the sidebar menu, click Certificate > Orders), locate the Reissue Pending certificate request and click its order number link. On the Order # details page, in the Certificate Details section, in the Certificate Actions drop-down list, select Cancel Reissue.
Note: For reissue requests awaiting approval, the approver can just reject the reissue request. For certificate reissues that have already been issued, the administrator must revoke the certificate.
We fixed a bug where standard users were unable to access the domain control validation (DCV) features on their SSL/TLS certificate's Order # details page.
Note: Account administrators and managers were able to access the DCV features on the Order # details pages and complete the DCV for the orders.
Now, when standard users order a certificate for a new domain, they can access the DCV features on the Order # details page.
(In the sidebar menu, click Certificate > Orders. On the orders page locate the pending certificate order and click the order number link. On the Order # details page, click the domain link.)
January 16, 2019
We moved the CertCentral DV Certificate Enrollment guide to https://docs.digicert.com/certcentral/documentation/dv-certificate-enrollment/.
A pdf version of the guide is still available (see link at the bottom of the Introduction page).
Additionally, we updated and added instructions to cover the supported DCV methods for DV certificates in CertCentral.
- Added new Domain Control Validation (DCV) instructions
- Use the Email DCV method
- Use the DNS TXT DCV method
- Use the File DCV method
- File DCV method common mistakes
- Updated the order DV certificate instructions
- Order a RapidSSL Standard DV Certificate
- Order a RapidSSL Wildcard DV Certificate
- Order a GeoTrust Standard DV Certificate
- Order a GeoTrust Wildcard DV Certificate
- Order a GeoTrust Cloud DV Certificate
- Updated the reissue DV certificate instructions
- Reissue a RapidSSL Standard DV Certificate
- Reissue a RapidSSL Wildcard DV Certificate
- Reissue a GeoTrust Standard DV Certificate
- Reissue a GeoTrust Wildcard DV Certificate
- Reissue a GeoTrust Cloud DV Certificate
January 15, 2019
We added two more Domain Control Validation (DCV) methods to the DV certificate Order and Reissue pages: DNS TXT and File.
Note: Previously (unless you are using the DigiCert Services API), you could only use the Email DCV method to prove control over the domains on your DV certificate orders.
Now, when ordering or reissuing a DV certificate, you can choose DNS TXT, File, or Email as the DCV method to complete domain validation for the order.
We added new Prove control over domains features to the DV certificates' Order # details page.
Previously, you were unable to take any actions to complete your domain validation on the DV certificates' Order # details page.
Now, you can take more actions to complete the domain validation for the order:
- Use the DNS TXT, Email, and File DCV methods
- Resend/send the DCV Emails and choose which email address to send it to
- Verify your domain's DNS TXT record
- Verify your domain's fileauth.txt file
- Choose a different DCV method than the one selected when ordering the certificate
(In the sidebar menu, click Certificates > Orders. On the Orders page, in the Order # column of the DV certificate order, click the order number.)
We enhanced the Certificate Details section of the DV certificates' Order # details page adding additional DV certificate information: Serial Number and Thumbprint.
Note: This enhancement is not retroactive. This new information only appears for orders placed after 17:00 UTC time January 15, 2019.
(In the sidebar menu, click Certificates > Orders. On the Orders page, in the Order # column of the DV certificate order, click the order number.)
We enhanced the Get order details endpoint enabling the DV certificate's thumbprint and serial number to be returned in the response.
{
"id": "12345",
"certificate":{
"id":123456,
"thumbprint":"{{thumbprint}}",
"serial_number":"{{serial_number}}
...
}
Note: This enhancement is not retroactive. The thumbprint and serial number are only returned for orders placed after 17:00 UTC time January 15, 2019.
For more information, see the Get order details endpoint in the DigiCert Services CertCentral API documentation.
January 14, 2019
Certificate Authorities (CAs) revoked all public SSL certificates containing underscores (in the common name and subject alternative names) with a maximum validity of more than 30 days by end of day (UTC time).
If you had an SSL certificate with a total validity of 31 days or more (which includes all 1-year, 2-year, and 3-year certificates) that expired after January 14, 2019, the CA who issued your certificate was required to revoke it.
For more details, see Retiring Underscores in Domain Names.
January 10, 2019
We fixed a bug where the SSL/TLS certificate Order# details page and Order details panel weren't showing domain control validation as being completed after you finished validating the domains on your certificate order.
Note: This bug didn't stop your certificate orders from being issued after you completed the domain control validation.
Now, when you complete the domain control validation for the domains on your order, the Order# details page and Order details panel for the order show the domain validation as being completed.
(In the sidebar menu, click Certificates > Orders. On the Orders page, in the Order # column of the certificate order, click the order number or Quick View link.)
January 7, 2019
We improved the look and feel of our DigiCert account sign in page (www.digicert.com/account/), bringing it up to date with the design of our certificate management platform, CertCentral.
December 20, 2018
We enhanced the order Notes feature, enabling the order notes from the previous order to carry over to the renewed certificate order.
Previously, if you wanted any of the notes to carry over, you had to manually add the notes to the renewed order yourself.
Now, notes from the previous order are automatically carried over to the renewal order. These notes are timestamped with author's name (for example, 18 Dec 2018 8:22 PM John Smith).
These notes are on the renewed Order # details page (in the sidebar menu, click Certificates > Orders and then click the order number link). They are also in the Order # details panel (click the Quick View link).
We enhanced the DV certificates Order # details page, enabling you to see which domains on the order are pending validation (i.e., domains that you still need to demonstrate control over).
Previously, domains pending validation weren't listed on the Order # details page.
Now, when you visit a DV certificate's Order # details page, domains pending validation will be shown. (In the sidebar menu, click Certificate > Orders and then on the Orders page, click the order number link).
We fixed a bug on the Orders page (in the sidebar menu, click Certificates > Orders) where the Organization Contact information was missing in the Order # details panel.
Now, when you visit the Orders page and use the Quick View link to view order details, you will see the Organization Contact information in the Order # details panel. (Expand Show More Certificate Info and in the Order Details section, expand Show Org Contact).
December 18, 2018
DigiCert began issuing public SSL certificates containing underscores for a limited time.
- Maximum 30-day validity for public SSL certificates containing underscores in domain names.
- Underscores must not be in the base domain ("example_domain.com" is not allowed).
- Underscores must not be in the left most domain label ("_example.domain.com" and "example_domain.example.com" are not allowed).
For more details, see Retiring Underscores in Domain Names.
In the top menu, we added two new contact support options (phone and chat icons) making it easier to contact support from within CertCentral (via email, chat, or phone).
The phone icon provides you with email and phone options. The chat icon provides you with a chat window where you can start a chat with one of our dedicated support team members.
We enhanced the sidebar menu, making it easier to see the menu option for the pages you are visiting. Now, when you visit a page in CertCentral, the menu option for that page will have a horizontal blue bar next to it.
We fixed a bug in the Add Organization feature on the SSL/TLS certificate request forms where the validation status (EV and OV validated) was not included for new organizations added and validated as part of the certificate order.
Now, new organizations added when ordering an SSL certificate will show a Validated status.
Note: The organization's validation status doesn't appear until we've fully validated the organization.
December 17, 2018
We enhanced our RapidSSL DV certificate offerings enabling you to include a second, very specific domain, in these single domain certificates.
- RapidSSL Standard DV
By default now, when ordering a RapidSSL Standard DV Certificate, you get both versions of the common name in the certificate – [your-domain].com and www.[your-domain].com.
After entering the common name, make sure the Include both www.[your-domain].com and [your-domain].com in the certificate box is checked.
Previously, you had to order separate certificates for [your-domain].com and www.[your-domain].com. - RapidSSL Wildcard DV
By default now, when ordering a RapidSSL Wildcard DV Certificate, you get the wildcard domain and the base domain in the certificate – *.[your-domain].com and [your-domain].com.
After entering the common name, make sure the Include both *.[your-domain].com and [your-domain].com in the certificate box is checked.
Previously, you had to order separate certificates for *.[your-domain].com and [your-domain].com.
We enhanced the RapidSSL certificate endpoints to include the dns_names parameter, enabling you to include a second, very specific domain, in these single domain certificates.
- RapidSSL Standard DV
When ordering a RapidSSL Standard DV Certificate, you may include both version of your domain in the certificate — [your-domain].com and www.[your-domain].com."common_name": "[your-domain].com",
"dns_names": ["www.[your-domain].com"],
Previously, you had to order separate certificates for [your-domain].com and www.[your-domain].com. - RapidSSL Wildcard DV
When ordering a RapidSSL Wildcard DV Certificate, you may include the base domain in the certificate — *.[your-domain].com and [your-domain].com)."common_name": "*.your-domain.com",
"dns_names": ["[your-domain].com"],
Previously, you had to order separate certificates for *.[your-domain].com and [your-domain].com.
For DigiCert Services API documentation, see CertCentral API.
Individual Document Signing certificates are available in CertCentral:
- Document Signing – Individual (500)
- Document Signing – Individual (2000)
To activate Individual Document Signing certificates for your CertCentral account, contact your Sales representative.
Previously, only Organization Document Signing certificates were available.
- Document Signing – Organization (2000)
- Document Signing – Organization (5000)
To learn more about these certificates, see Document Signing Certificate.
December 14, 2018
We enhanced the Orders Report feature on the Orders page (in the sidebar menu, click Certificates > Orders). Now when you run a report (click Orders Report), it will include your DV SSL certificate orders.
December 13, 2018
We enhanced the Add Verified Contacts process on the organization details pages making it easier to add existing and new verified contacts when submitting an organization for pre-validation (in the sidebar menu, click Certificates > Organizations. Then in the Name column, click the organization name link).
To make adding a verified contact easier, we removed the separate links (Add New Contact and Add from Existing Contacts) each with their own window. Now, we provide a single Add Contact link and a single Add Contact window where you can add a new or existing contact.
Add New Contact Note
By default, the Allow non-CertCentral account users to be used as verified contacts feature is disabled for a CertCentral account.
You can enable this feature on the Division Preferences page (in the sidebar menu, click Settings > Preferences). In the Advance Settings section, under Verified Contacts, you can allow non-CertCentral account users to be used as verified contacts (check Allow non-DigiCert users to be used as verified contacts).
December 11, 2018
We added a new search filter Certificate ID to the Orders page that allows you to search for a certificate order using the Certificate ID.
You can now use the Certificate ID to find active, expired, revoked, rejected, pending reissue, pending, and duplicate certificates.
On the Orders page (in the sidebar menu, click Certificates > Orders), click Show Advanced Search. Then, in the Certificate ID search box, add the Certificate ID and click Go.
December 7, 2018
RapidSSL and GeoTrust DV certificates are available in CertCentral:
- RapidSSL Standard DV
- RapidSSL Wildcard DV
- GeoTrust Standard DV
- GeoTrust Wildcard DV
Documentation
- CertCentral: DV Certificate Enrollment Guide – https://docs.digicert.com/certcentral/documentation/dv-certificate-enrollment/
- CertCentral API: DV Certificate Enrollment Guide – https://www.digicert.com/certcentral-support/api-dv-certificate-workflow-endpoints-guide.pdf
December 6, 2018
We added a new feature Allow users to add new contacts when requesting TLS certificates that provides you with the flexibility to choose whether standard users, finance managers, and limited users can add a new non-CertCentral account user as a Verified Contact (for EV) when ordering an EV TLS/SSL certificate from inside their account or when using a guest URL.
Previously, the only way to prevent these user roles from adding a new non-CertCentral account user as a verified contact during the order process was to edit the request and select an existing contact for the order or reject the certificate request.
Now, you can control whether the User, Finance Manager, and Limited User roles can add a new non-CertCentral account user as a verified contact from the EV SSL/TLS certificate request pages. This feature doesn't remove the option from the EV SSL/TLS certificate order pages for the Administrator and Manager roles.
On the Division Preferences page (Settings > Preferences). In the Certificate Request section (expand Advanced Settings), under Add New Contacts, uncheck Allow users to add new contacts when requesting TLS certificates and then click Save Settings.
Note: This change does not remove the ability to add an existing contact (CertCentral account users or non-CertCentral account users) as the verified contact to an order as this is required for all EV SSL/TLS certificate orders.
We enhanced the Allow users to add new organizations when requesting TLS certificate feature providing you with the flexibility to choose whether standard users, finance managers, and limited users can add a new organization when ordering a TLS certificate (OV and EV) from inside their account or when using a guest URL.
Previously, the feature removed the ability to add a new organization for all user roles: Administrator, Manager, Standard User, Finance Manager, and Limited User.
Now, the Allow users to add new organizations when requesting TLS certificate feature only affects the User, Finance Manager, and Limited User roles ability to add new organizations from the certificate request pages. Administrator and Manager roles retain the ability to add new organizations whether this feature is enabled or disabled.
On the Division Preferences page (Settings > Preferences). In the Certificate Request section (expand Advanced Settings), under Add New Organization, uncheck Allow users to add new organizations when requesting TLS certificates and then click Save Settings.
Note: This change does not remove the ability to add an existing, pre-validated organization to an order as this is required for all OV and EV TLS certificate orders.
December 5, 2018
We enhanced the add existing organization feature for the EV SSL/TLS certificates order process making it easier to include the EV verified contacts for an organization in your certificate order.
Previously, information about who the EV verified contacts are for an organization didn't appear on the EV certificate request pages.
Now, when you add an existing organization that already has EV verified contacts assigned to it, the Verified Contact (for EV) cards are populated with the verified contacts' information.
Note: If your CSR includes an organization currently used in your account, the Organization card is populated with the organization's information contained in your account. If this same organization already has assigned EV verified contacts, the Verified Contact (for EV) cards are populated with their information (name, title, email, and phone number).
We fixed a bug on the User Invitations page preventing the Invited By filter from showing the administrators who sent the user invite requests.
Now, when you go to the User Invitations page (in the sidebar menu, click Account > User Invitations), the Invited By filter shows the admins who sent user invitations.
December 3, 2018
We enhanced our SSL/TLS and client certificate product offerings, enabling you to set a custom validity period (in days) when ordering one of these certificates. Previously, you could only choose a custom expiration date.
Custom validity periods start on the day we issue the certificate. Certificate pricing is prorated to match the custom certificate length.
Note: Custom certificate lengths can't exceed the industry allowed maximum lifecycle period for the certificate. For example, you can't set a 900-day validity period for an SSL/TLS certificate.
We enhanced the SSL/TLS and Client certificate endpoints to include a new validity_days parameter that allows you to set the number of days that the certificate is valid for.
Parameter Priority Note: If you include more than one certificate validity parameter in your request, we prioritize the certificate validity parameters in this order: custom_expiration_date > validity_days > validity_years.
For DigiCert Services API documentation, see CertCentral API.
We added a new Order Management - List Order Reissues API endpoint that allows you to view all the reissue certificates for a certificate order. See the List order reissues endpoint.
November 30, 2018
We fixed a bug on the pending SSL certificate's order details page where the link for a pending domain that provides you with actions to prove control over a domain was broken.
Now, when you go to a pending certificate's order details page and click the link for a pending domain, the Prove Control Over Domain window opens where you can choose a DCV method to prove control over that domain.
November 29, 2018
We enhanced the add existing organization feature of the SSL/TLS certificate order process, enabling you to filter the existing organization list to see only organizations that are fully validated.
Note: If your CSR includes an organization currently used in your account, the Organization card auto populates with the organization's information contained in your account.
To manually add an existing organization when ordering your SSL/TLS certificate, click Add Organization. In the Add Organization window, check Hide non-validated organizations to filter the organizations so only the fully validated ones are shown.
Note: If you have more than nine active organizations in your account, the filter also works for the Organization drop-down list.
We enhanced the Organization Unit(s) feature of the SSL/TLS certificate order process, enabling you to add multiple organization units. Previously, you could only add one organization unit.
Note: The Organization Unit(s) field on the request form will be auto populated with the values from your CSR.
To manually add organization units when ordering your SSL/TLS certificate, expand Additional Certificate Options and in the Organization Unit(s) field, you can now add one or more organization units.
Note: Adding organization units is optional. You can leave this field blank. However, if you do include organization units in your order, DigiCert will need to validate them before we can issue your certificate.
We fixed a Custom Order Fields* bug preventing the feature from working properly when deactivating, activating, changing a field from required to optional, and changing a field from optional to required.
*Custom Order Fields is disabled by default. To enable this feature for your CertCentral account, please contact your DigiCert account representative. See Managing Custom Order Form Fields in the Advanced CertCentral Getting Started Guide.
November 28, 2018
We enhanced the order details page for issued certificates, making it easier to find the certificate details on page. (In the sidebar menu, click Certificates > Orders and then on the Orders page click the order number.)
To make finding the certificate details easier, we moved that information so it's the first thing you see on the order details page. Additionally, we moved all certificate actions, such as Reissue Certificate and Revoke Certificate, to the Certificate Actions drop-down list.
November 26, 2018
We fixed a domain validation display bug on the order details pages where domains with expired validations were showing a completed status with no actions for completing the domain validation.
Now, when you go to an order's details page, we show a pending validation status symbol next to the domain along with actions for completing the domain validation. (In the sidebar menu, click Certificates > Orders and then on the Orders page click the order number.)
November 12, 2018
We enhanced the functionality of the Domain management – Get domain control emails API endpoint. You can now use the domain name to retrieve the Domain Control Validation (DCV) email addresses (WHOIS-based and constructed) for any domain.
Previously, you had to have the domain ID to retrieve the DCV email addresses. However, for a domain to have an ID, you had to submit it for pre-validation.
Now, you can use either the domain name or the domain ID with the Domain management – Get domain control emails endpoint to retrieve the DCV email addresses (WHOIS-based and constructed) for a domain. See the Get domain emails endpoint.
November 7, 2018
We fixed a bug on the TLS/SSL certificate order forms where adding a CSR only auto populated the Common Name field. While fixing this bug, we enhanced the CSR upload feature to also auto populate the Organization field.
We now use information from your CSR to auto populate these order form fields: Common Name, Other Hostnames (SANs), Organization Unit (OU), and Organization.
You can still change the information in these fields as needed (for example, you can add or remove SANs).
Organization field note
When you include an organization currently used in your account, the Organization card auto populates with the organization's information contained in your account.
November 5, 2018
We fixed a bug where you were unable to cancel a pending Client certificate order (Premium, Authentication Plus, Grid Premium, Grid Robot Email, and so on).
Now, you can go to the Orders page (in the sidebar menu, click Certificates > Orders) and find the Client certificate order that needs to be canceled. Then on the certificate's Order# details page, in the Certificate Actions drop-down list, select Cancel Order.
We fixed a bug where email recipients were sent a link to a Service Not Found page, preventing them from being able to download a reissued certificate.
Now, when you send someone a link to download a reissued certificate, the link works. The recipient is able to download the certificate.
November 1, 2018
We fixed a download csv file bug on the Duplicates page. Previously, when you downloaded a csv file, you got a file without the .csv extension. To get it to work, you had to add .csv extension to the end of the file.
Now, when you download a csv file from the Duplicates page, you receive a working csv file: duplicates.csv.
October 31, 2018
We added a new feature that allows you to reissue Document Signing certificates [Document Signing – Organization (2000) and Document Signing – Organization (5000)].
Note: Previously, you couldn't reissue a Document Signing certificate. The only workaround was to revoke and replace your Document Signing certificate.
Now, you can go to Orders page (in the sidebar menu, click Certificates > Orders), find your Document Signing certificate, and on its Order# details page, reissue your certificate as needed.
October 25, 2018
We enhanced the add existing organization feature of the TLS/SSL certificate order process, enabling you to see the organization's address and phone number, along with its validation status (EV Validated, Pending OV Validated, etc.). Note that organizations not yet submitted for validation won't have any validation status listed.
Previously, you were unable to see any information about the organization from the Request Certificate pages. To view organization details and validation status, you had to visit the Organizations page (in the sidebar menu, click Certificates > Organizations).
Note: If you have more than nine active organizations in your account, you will still use the Organization drop-down list, and you will still need to visit the Organizations page to view details about an organization. However, you will now see the top two most used organizations at the top of the list under Recently Used.
October 17, 2018
We added a new Order Management - Revoke Certificate API endpoint that allows you to use the order ID to revoke all certificates associated with a single order, making it easier to use the API to revoke an issued certificate. This assures that any duplicates or reissues associated with the order are revoked all at once.
Note: After you submit the certificate revocation request, an administrator will need to approve the request before DigiCert can revoke the certificates associated with the order. See the Update Request Status API endpoint.
For more information about the new endpoint and other publicly available endpoints, see the Revoke Certificate API endpoint in our CertCentral API documention.
October 16, 2018
Enhancements made to client certificates. When ordering a client certificate (Premium, Email Security Plus, Digital Plus, and Authentication Plus), you may now include a Custom Expiration Date for your client certificates.
Previously when ordering a client certificate, you were only able to select 1, 2, or 3 years for the certificate's validity period.
October 12, 2018
We enhanced the Add Contact feature of the EV TLS/SSL certificate order process, enabling you to see if the existing contact listed is a CertCentral account user or a contact (non-CertCentral account user).
Previously, when adding an existing contact as a Verified Contact for your EV TLS certificate order, you were presented with a list of contacts to select from without a way to distinguish account users from non-account users.
With this improvement, the contacts listed are now categorized as Users (CertCentral account users) and Contacts (non-CertCentral account users).
Note: By default, the Allow non-CertCentral account users to be used as verified contacts feature is disabled for a CertCentral account.
How to enable the Allow non-CertCentral account users to be used as verified contacts feature
On the Division Preferences page (Settings > Preferences), in the Advance Settings section, under Verified Contacts, you can allow non-CertCentral account users to be used as verified contacts (check Allow non-DigiCert users to be used as verified contacts).
With the non-CertCentral user feature enabled, when adding verified contacts as part of the EV certificate request process, you will see two options: Existing Contact and New Contact. The Existing Contact option lets you assign a CertCenrtal user as the verified EV contact. The New Contact option lets you enter information for a non-CertCentral account user.
October 11, 2018
We enhanced the add new organization feature of the TLS/SSL certificate order process, enabling you to edit the details of a newly added organization.
Previously, after adding a new organization on the Certificate Request page, you were unable to go back and edit the organization's details. To edit the organization's details, you had to delete the organization and re-add it with the correct information.
With this improvement, you may now edit the newly added organization details. Click the edit icon (pencil), and you can modify the organization's details before submitting your order.
October 1, 2018
Industry standards compliance change. For publicly trusted certificates, underscores ( _ ) can no longer be included in subdomains. RFC 5280 now enforced for subdomains as well.
See Publicly Trusted Certificates – Data Entries that Violate Industry Standards.
September 27, 2018
Secure Site TLS/SSL certificates are available in CertCentral:
- Secure Site SSL
- Secure Site EV SSL
- Secure Site Multi-Domain SSL
- Secure Site EV Multi-Domain SSL
- Secure Site Wildcard SSL
To activate Secure Site certificates for your CertCentral account, contact your Sales representative.
Benefits included with each Secure Site certificate:
- Priority validation
- Priority support
- Two premium site seals
- Industry-leading warranties
To learn more about our Secure Site certificates, see DigiCert Secure Site Overview.
Additional Resources:
Updates to the full SHA256 EV hierarchy certificate profile
On September 27, 2018, we removed the Symantec policy OID from EV TLS certificates issued from the full SHA256 EV hierarchy [DigiCert Global G2 Root => DigiCert Global G2 Intermediate => EV TLS/SSL certificate].
Problem: Chrome bug on macOS
July 2018, we discovered a bug in Chrome on macOS where it wasn't showing the EV indicator for EV TLS certificate with more than two policy OIDs – https://bugs.chromium.org/p/chromium/issues/detail?id=867944.
Solution
We removed the Symantec policy OID from the full SHA256 EV hierarchy certificate profile. With this change, Chrome on macOS again showed the EV indicator for the EV TLS certificates issued from the full SHA256 EV hierarchy.
Affected EV TLS certificates
EV TLS certificates (from the full SHA256 EV hierarchy) issued after January 31, 2018 and prior to September 27, 2018 contain these three policy OIDs in the Certificate Extension - Certificate Policies:
- 2.16.840.1.114412.2.1 (DigiCert OID)
- 2.16.840.1.113733.1.7.23.6 (Symantec OID)
- 2.23.140.1.1 (CAB/F OID)
What do I need to do?
- Do you have an EV TLS certificate that is not showing the EV indicator in Chrome on macOS?
Please replace (reissue) your EV TLS certificate to show the EV indicator in Chrome on macOS.
Full SHA256 EV TLS certificates issued as of September 27, 2018 contain only two policy OIDs in the Certificate Extension - Certificate Policies:- 2.16.840.1.114412.2.1 (DigiCert OID)
- 2.23.140.1.1 (CAB/F OID)
- What about other types of certificates?
For all other types of certificates, no action is required.
September 18, 2018
We added support for IPv6 addresses (abbreviated and full).
You can now order public and private OV TLS/SSL certificates (SSL, Multi-Domain SSL, and Wildcard SSL, Private SSL, etc.) and include an IPv6 address as the common name or a SAN.
Note: IPv6 addresses aren't supported for EV TLS/SSL certificates (EV SSL and EV Multi-Domain SSL).
September 17, 2018
We fixed an Order details page bug where information not relevant to a certificate order was being displayed on the page.
Now, when you visit your TLS/SSL, Code Signing, EV Code Signing, Client, and Document Signing certificate Order details pages, only information relevant to that order will be displayed.
September 13, 2018
We enhanced the Add Organization step of the TLS/SSL certificate ordering process.
Previously, you were required to add a new organization before requesting your certificate (Certificates > Organizations). Additionally, the new organization was not available on the Certificate Request page until we completed its organization validation.
With this improvement, you can add a new organization as part of the request process. Note that because the organization is not pre-validated, DigiCert will need to validate the new organization before we can issue your certificate.
Note: When adding a new organization from a Certificate Request page, the requestor (person ordering the certificate) becomes the contact for the new organization.
When ordering a TLS/SSL certificate, you can still choose to use an existing, pre-validated organization.
Editing a Request
Before a TLS/SSL certificate request is approved, you can Edit the request and add a new organization. The person who adds the new organization becomes the contact for the new organization.
We added a new Add Contacts feature to the EV TLS/SSL certificate request process that lets you assign an existing CertCentral user (admin, manager, finance manager, or user) as the verified EV contact for the organization as part of the request process.
Previously, you were required to assign a verified EV contact to an organization before requesting your certificate (Certificates > Organizations).
Allow non-CertCentral account users to be used as verified contacts enabled
On the Division Preferences page (Settings > Preferences), in the Advance Settings section, under Verified Contacts, you can allow non-CertCentral account users to be used as verified contacts (check Allow non-DigiCert users to be used as verified contacts).
With the non-CertCentral user feature enabled, when adding verified contacts as part of the EV certificate request process, you will see two options: Existing Contact and New Contact. The Existing Contact option lets you assign a CertCenrtal user as the verified EV contact. The New Contact option lets you enter information for a non-CertCentral account user.
September 11, 2018
We added a Skip Approval Step feature that lets you remove the approval step from your SSL, Code Signing, and Document Signing certificate order processes.
Note: Admin approvals are still required for certificate revocations, Guest URL certificate requests, and Finance Manager, Standard User, and Limited User certificate requests.
You can activate this feature on the Division Preferences page (Settings > Preferences). In the Certificate Request section (expand Advanced Settings), under Approval Steps, select Skip approval step: remove the approval step from your certificate order processes and then click Save Settings.
Note: These orders don't require an approval, so they won't be listed on the Requests page (Certificates > Requests). Instead, these orders will only appear on the Orders page (Certificate > Orders).
September 6, 2018
We added a new Get Order Status Changes endpoint that allows those using the DigiCert Services API to check on the status of all certificate orders within a specified time range up to a week.
For more information about this new endpoint, see Order Management – Get Order Status Changes in our Documentation for the DigiCert Services API.
We fixed a CT log messaging bug where we indicated that Private or other non-public SSL/TLS certificates were logged to CT logs when in fact they hadn’t been.
Note: DigiCert doesn't log Private SSL/TLS and non-SSL/TLS certificates to CT logs. The industry only uses the CT logs for public SSL/TLS certificates.
Now when you review the certificate details for your Private SSL/TLS or non-SSL/TLS certificates (for example, Client certificates), you won’t see any CT logging information.
We fixed a search feature bug on the Orders page (Certificates > Orders) where you were unable to use the common name to search for a client certificate.
Now, when you use a common name to Search for a specific client certificate, your results will be returned when a match exists.
September 5, 2018
We fixed a Certificate Service Agreement UI bug where certain characters and symbols were being displayed with improper encoding.
Now when you read through the Certificate Service Agreement, each character and symbol will have the proper coding.
August 31, 2018
We fixed a Limited User role bug. When an administrator assigned a Limited User to a certificate order, the limited user didn't receive the necessary permissions to renew, reissue, or revoke the certificate.
Now, when a Limited User is assigned to a certificate order, they can renew, reissue, or revoke the certificate.
August 30, 2018
We fixed an Additional Emails bug where additional emails added to a certificate order weren't being saved.
Now, when you go to a certificate's Order details page and add and save additional email addresses to the order, the additional email addresses are saved and will be there when you return to the page.
We fixed a Code Signing (CS) certificate approval email bug where the CS approval email was sent when the CS requestor was also a CS verified contact.
Now, when the code signing certificate requestor is also the verified CS contact for the organization, we don't send a CS approver email.
August 29, 2018
We fixed a Search feature bug and a Division filter bug on the Requests page (Certificates > Requests).
Now, when you use a Request ID, Order ID, common name, etc. to Search for a specific request, your results will be returned when a match exists. Also, the Division filter will return the requests for the selected division.
We fixed a Pending Cert Request widget bug on the CertCentral Dashboard.
Now, the number of pending certificate requests (new and revoke requests) in the Pending Cert Requestwidget will match the number of pending certificate requests on the Requests page (Certificates > Requests).
August 28, 2018
New Change CSR feature added. This feature allows you to change the CSR on pending certificate orders (after they've been approved and before they've been issued).
On the Orders page (Certificates > Orders), locate the pending certificate order and click its Order number link. On the Order details page, in the Validation in Progress section under You Need To, click the Change CSR link to change the CSR.
Note: For certificate request awaiting approval, you can change the CSR before it's been approved. On the Requests page (Certificates > Requests), locate the pending certificate request and click its Order number link. In the Request details pane on the right, click the Edit link to change the CSR.
CertCentral API: New Change CSR Endpoint
We've also added a Change CSR endpoint that allows those using the DigiCert Services API to change the CSR on a pending SSL/TLS certificate. For more information about this new endpoint, see Order Management – Add CSR in our Documentation for the DigiCert Services API.
August 27, 2018
Enhancements made to Wildcard certificates. You can secure multiple wildcard domains on a single wildcard certificate.
When you order a Wildcard certificate in CertCentral, you can secure multiple wildcard domains in one wildcard certificate (*.example.com, *.yourdomain.com, and *.mydomain.com). You can still secure a single wildcard domain (*.example.com) with your Wildcard certificate.
Items to note:
- For each wildcard domain, the base domain is also secured for free (for example, *.yourdomain.com secures yourdomain.com).
- Other Hostnames (SANs) must be a wildcard domain (for example, *.yourdomain.com) or based off your listed wildcard domains. For example, if one of your wildcard domains is *.yourdomain.com, then you can add the SANs www.yourdomain.com or www.app.yourdomain.com to your certificate order.
- Adding wildcards SANs to a certificate order may incur additional cost.
August 1, 2018
Industry standards changed and removed two Domain Control Validation (DCV) methods from the Baseline Requirements (BRs).
Starting August 1, 2018, Certificate Authorities can no longer use the following domain control validation (DCV) methods:
- 3.2.2.4.1 Validating the Applicant as a Domain Contact
This method allowed a CA to validate the certificate requestor's control over a domain on an SSL/TLS certificate order by verifying that the requestor is the Domain Contact directly with the Domain Name Registrar. - 3.2.2.4.5 Domain Authorization Document
This method allowed a CA to validate the certificate requestor's control over a domain on an SSL/TLS certificate order using the confirmation to the authority of the requestor to order a certificate for said domain as contained in a Domain Authorization Document.
See Ballot 218: Remove validation methods 1 and 5.
To learn more about some of the available DCV methods, see Domain Control Validation (DCV) Methods.
July 31, 2018
Beta roll out of language support in CertCentral.
Language support allows you to change and save your CertCentral platform language preference.
CertCentral Platform Languages:
- Deutsch
- Español
- Français
- Italiano
- 日本語
- 한국어
- Português
- Русский
- 简体中文
- 繁體中文
- English
Want to try out the language support coming to CertCentral?
In your account, in the top right corner, in the "your name" drop-down list, select My Profile. On the Profile Settings page, in the Language drop-down list, select one of the languages and then click Save Changes.
July 23, 2018
New Cancel Order feature added. This feature enables you to cancel pending certificate orders (after they have been approved and before they have been issued).
On the Orders page (in the sidebar menu, click Certificate > Orders), locate the pending certificate order. Then on the Order details page, in the Certificate Actions section, you can cancel it.
Note: For certificate requests awaiting approval, an approver must reject the request. For certificates that have been issued, an administrator must revoke the certificate.
July 6, 2018
New advanced search filter added to the Orders page (in the sidebar menu, click Certificate > Orders and then on the Orders page, click the Show Advanced Search link).
This feature enables you to search for client certificates by the recipient’s email address.
May 25, 2018
DigiCert Compliance with GDPR
The General Data Protection Regulation (GDPR) is a European Union law on data protection and privacy for all individuals within the EU. The primary aim is to give citizens and residents of the EU more control over their personal data and to simplify the regulatory environment for international business by unifying the regulations within the EU. The GDPR went into effect on May 25, 2018. More Details »
DigiCert Statement
DigiCert worked to understand and comply with GDPR. We were aligned with GDPR when it went into effect on May 25, 2018. See Meeting the General Data Protection Regulation (GDPR).
GDPR Impact on WHOIS-based Email Domain Control Validation (DCV)
The European Union’s General Data Protection Regulation (GDPR) went into effect on May 25th, 2018. The GDPR requires data protection for natural persons (not corporate entities) residing within the European Union (EU).
DigiCert worked with ICANN to keep WHOIS information available. ICANN announced that it continues to require registries and registrars to submit information to WHOIS, with a few changes to address GDPR. See A Note on WHOIS, GDPR and Domain Validation.
Do you rely on WHOIS-based Email domain validation?
Check with your domain registrar to find out if they are using an anonymized email or a web form as a way for CAs to access WHOIS data as part of their GDPR compliance.
For the most efficient validation process, let your registrar know that you want them to either continue using your full published records or use an anonymized email address for your domains. Using these options will ensure minimal-to-no-impact on our validation processes.
Does your registrar use an anonymized email or a web form as a way for CAs to access WHOIS data? If so, we can send the DCV email to the addresses listed in their WHOIS record.
Does your registrar mask or remove email addresses? If so, you will need to use one of the other methods to prove control over your domains:
- Constructed Email
- DNS TXT
- DNS CNAME
- HTTP Practical Demonstration
For more information about constructed email addresses and other alternative DCV methods, see Domain Control Validation (DCV) Methods.
May 16, 2018
Fixed Single Sign-on bug. When an SSO only user request a CertCentral password reset, they will no longer receive the password reset email.
Now, they will receive an email that directs them to log in using SSO and asks them to contact their CertCentral account manager if a different type of account access is required.
May 10, 2018
Industry standards allow a Certificate Authority (CA) to issue an SSL/TLS certificate for a domain that only has CAA records containing no "issue"/"issuewild" property tags.
When a CA queries a domain's CAA RRs and finds records with no "issue" or "issuewild" property tags in them, a CA can interpret this as permission to issue the SSL/TLS certificate for that domain. See Ballot 219: Clarify handling of CAA Record Sets with no "issue"/"issuewild" property tag.
To learn more about the CAA RR check process, see our DNS CAA Resource Record Check page.
April 16, 2018
New feature added to pending orders' details page (click Certificates > Orders and then click a pending order's number link). This feature enables you to complete the domain control validation (DCV) for domains on pending orders.
When you see an order is waiting on domain validation to be completed before it can be issued, click on the pending domain link to open the Prove Control Over Domain popup window. In this window, you can select or change your DCV method and complete that domain's validation (send or resend emails, check DNS TXT record, etc.). See Domain Validation (Pending Order): Domain Control Validation (DCV) Methods.
April 1, 2018
As part of the industry-wide move away from of TLS 1.0/1.1 and to maintain our PCI compliance, DigiCert disabled TLS 1.0/1.1 on April 1, 2018. DigiCert only supports TLS 1.2 and higher going forward. See Deprecating TLS 1.0 & 1.1.
March 15, 2018
Enhancements to Order # pages (click Certificates > Orders and then click an Order # link) and Order # detail panes (click Certificates > Orders and then click Quick View link).
When viewing an order's validation status, you can now see the validation status of each SAN on an order: pending or complete.
Enhancements to the SSL certificate request (Request a Certificate > SSL Certificates) and SSL certificate renewal pages. We've simplified the look and feel of the request and renewal pages, placing specific information in expandable sections. This enables the end user to focus on the most important parts of the order and renewal processes.
We've grouped the following certificate and order options under the section headings below.
- Additional Certificate Options
- Signature Hash
- Server Platform
- Auto-Renew
- Additional Order Options
- Comments to Administrator
- Order Specific Renewal Message
- Additional Emails
- Additional Users Who Can Manage the Order
March 13, 2018
Enhancements to Order # pages (click Certificates > Orders and then click an Order # link) and Order # detail panes (click Certificates > Orders and then click Quick View link).
You can now see an order's validation statuses: pending or completed. You can also see if the order is waiting on domain or organization validation to be completed before it can be issued.
March 2, 2018
DigiCert implements an improved Organization Unit (OU) verification process.
Per Baseline Requirements:
"The CA SHALL implement a process that prevents an OU attribute from including a name, DBA, tradename, trademark, address, location, or other text that refers to a specific natural person or Legal Entity unless the CA has verified this information in accordance with Section 11.2…"
Note: The OU field is an optional field. It is not required to include an organization unit in a certificate request.
March 1, 2018
As of March 1, 2018, 825 days is the maximum allowed length for a reissued (or duplicate issued) public 3-year SSL/TLS certificate.
For a 3-year OV certificate issued after March 1, 2017, be aware that during the first year of the 3-year certificate's lifecycle, all reissued and duplicate certificates may have a shorter lifecycle than the "original" certificate, and these reissued certificates will expire first. See
How does this affect my 3-year certificate reissues and duplicate issues?.
February 21, 2018
As of February 21, 2018, DigiCert only offers 1 and 2-year public SSL/TLS certificates due to changes in industry standards that limit the maximum length of a public SSL certificate to 825 days (approximately 27 months). See February 20, 2018, Last Day for New 3-Year Certificate Orders.
February 1, 2018
This is for informational purposes only, no action is required.
As of February 1, 2018, DigiCert publishes all newly issued public SSL/TLS certificates to public CT logs. This does not affect any OV certificates issued before February 1, 2018. Note that CT logging has been required for EV certificates since 2015. See DigiCert Certificates Will Be Publicly Logged Starting Feb. 1.
New "exclude from CT log when ordering a certificate" feature added to CertCentral. When you activate this feature (Settings > Preferences), you allow account users to keep public SSL/TLS certificates from being logged to public CT logs on a per certificate order basis.
While ordering an SSL certificate, users have an option not to log the SSL/TLS certificate to public CT logs. The feature is available when a user orders a new certificate, reissues a certificate, and renews a certificate. See CertCentral Public SSL/TLS Certificate CT Logging Guide.
New optional CT logging opt out field (disable_ct) added to the SSL certificate request API endpoints. Also, a new CT Log issued certificate opt out endpoint (ct-status) added. See CertCentral API Public SSL /TLS Certificate Transparency Opt Out Guide.
January 12, 2018
DigiCert makes another CT Log (Nessie) publicly available. Nessie is a new, highly scalable, high-performance Certificate Transparency (CT) log.
This CT log is composed of five logs that are sharded in one-year increments based on certificate expiration. Below are the CT log endpoint URLs with their certificate expiration range with their certificate expiration range.
- https://nessie2018.ct.digicert.com/log December 12, 2017
- https://nessie2019.ct.digicert.com/log January 1, 2019
- https://nessie2020.ct.digicert.com/log January 1, 2020
- https://nessie2021.ct.digicert.com/log January 1, 2021
- https://nessie2022.ct.digicert.com/log January 1, 2022
December 19, 2017
DigiCert makes CT Log Yeti publicly available. Yeti is a new, highly scalable, high-performance Certificate Transparency (CT) log.
This CT log is composed of five logs that are sharded in one-year increments based on certificate expiration. Below are the CT log endpoint URLs with their certificate expiration range with their certificate expiration range.
- https://yeti2018.ct.digicert.com/log December 12, 2017
- https://yeti2019.ct.digicert.com/log January 1, 2019
- https://yeti2020.ct.digicert.com/log January 1, 2020
- https://yeti2021.ct.digicert.com/log January 1, 2021
- https://yeti2022.ct.digicert.com/log January 1, 2022
November 3, 2017
Enhancements to the Overview page (click Dashboard). Added the ability to request a certificate from the Dashboard; note the new Request a Certificate button at the top of the page.
Enhancements to the Request a Certificate drop-down list on the Orders page (click Certificates > Orders) and the Requests page (click Certificates > Requests). Added certificate type headers (e.g., CODE SIGNING CERTIFICATES) to the list to make finding certificates by type easier.
Enhancements to the Expiring Certificates page (click Certificates > Expiring Certificates). Added a Quick View link allowing you to see details about each expiring certificate without leaving the page.
October 26, 2017
Enhancements to the Orders page (click Certificates > Orders) and Requests page (click Certificates > Requests). Added the ability to request a certificate from these pages; note the new Request a Certificatebutton at the top of the pages.
October 24, 2017
Industry standards change for CAA Resource Record checks. Modified the process to check CNAME chains containing 8 CNAME records or less, and the search doesn’t include the parent of a target of a CNAME record. See DNS CAA Resource Record Check.
October 18, 2017
Enhancements to the Orders page (click Certificates > Orders); improved page performance.
October 16, 2017
Enhancements to the Order details page (viewed when clicking an order # on the Certificates > Orders page); improved page performance.
October 10, 2017
Enhancements to the order details pane on the Requests page (viewed when clicking an order #); improved page performance.
October 6, 2017
Added a new Retrieve Order Validation endpoint; allows you to view the status of DCV and Organization validations for a specific Order.
/services/v2/order/certificate/{order_id}/validation
October 3, 2017
New immediate certificate issuance feature added to the certificate request API endpoints. See CertCentral Immediate Certificate Issuance Feature.
October 2, 2017
Enhancements to user list queries; improved user search along with page performances (e.g., Orders page).
Enhancements to Request a Certificate pages; improved organization and domain searches along with page performance.
September 26, 2017
New feature included in the "help" (?) menu drop-down; added a link to the new Change Log page.
Fixed API bug for the Order Details endpoint. Response body now returns the two renewal fields for client certificates:
"is_renewal": false"renewed_order_id": 1234567
September 25, 2017
Enhancements to client certificates; added support for multiple organizational units (OUs).
Enhancements to client certificates; added support for multiple organizational units (OUs).
September 21, 2017
Fixed billing contact bug. Changing the billing contact in a division does not change the billing contact in another division (e.g., top level division).
September 8, 2017
Industry standards change for certificate issuance. Modified the certificate issuance process to check DNS CAA Resource Records. See DNS CAA Resource Record Check.
September 5, 2017
Enhancements made to Account Balance and the Purchase Order process. See CertCentral Account Balance and PO Process Changes.
August 4, 2017
New feature included in the "help" (?) menu drop-down; added a link to the DigiCert CertCentral Getting Started Guide.
July 28, 2017
Industry standards compliance changes; improved RFC 5280 violations checks and enforcements. See Publicly Trusted Certificates – Data Entries that Violate Industry Standards.
July 21, 2017
Industry standards change to validation process. Validation information (DCV or organization) older than 825 days must be revalidated before processing a certificate reissue, renewal, or issue. More details »
July 10, 2017
Industry standards compliance changes; added support for additional domain control validation (DCV) methods. See Domain Pre-Validation: Domain Control Validation (DCV) Methods.