Change log | docs.digicert.com

Upcoming changes

compliance enhancement new fix

October 10, 2022

PKI Platform 8 CA certificates IP addresses TLS CRL PKI client download Dedicated IP addresses New IP address changes PKI Platfom 8 CRLs TLS OCSP

New Dedicated IP addresses for DigiCert Services

On October 10 at 8:00 AM MDT (2:00 PM UTC), DigiCert will assign new dedicated IP addresses to several DigiCert services.

Why is DigiCert adding new IP addresses?

DigiCert is moving to a new service platform. This new platform improves DigiCert's service and platform performances, enabling us to support our customers’ expanding needs.

What do I need to do?

Does your company use allowlists?

If not, no action is required. DigiCert services will continue to work as before the addition of the new IP addresses.
If yes, you need to update your allowlists to include the new IP addresses by October 10, 2022, to keep your DigiCert services running as before the addition of the new IP addresses.

New dedicated IP Addresses

192.229.211.108
192.229.221.9
152.195.38.76
192.16.49.85

Affected services

TLS OCSP
TLS CRL
PKI Platform 8 CRLs
PKI Platform 8 Certificate Authority (CA) certificates
PKI client download

For more details about these IP addresses, see our New Dedicated IP Addresses knowledge base article.

If you have questions or need help, contact your account manager or DigiCert Support.

November 15, 2022

code signing OV code signing FIPS 140 Level 2 CA/B Forum private key storage hardware token Common Criteria EAL 4+ industry changes

OV code signing certificates requirements are changing

Starting on November 15, 2022, at 00:00 UTC, industry standards will require private keys for OV code signing certificates to be stored on hardware certified as FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent. This change strengthens private key protection for code signing certificates and aligns it with EV (Extended Validation) code signing certificate private key protection. See Code Signing Baseline Requirements, current version.

How do these new requirements affect my code signing certificate process?

The new private storage key requirement affects code signing certificates issued from November 15, 2022, and impacts the following parts of your code signing process:

Private key storage and certificate installation
Certificate Authorities (CAs) can no longer support browser-based key generation and certificate installation or any other process that includes creating a CSR (Certificate Signing Request) and installing your certificate on a laptop or server. Private keys and certificates must be stored and installed on tokens or HSMs (hardware security modules) certified as at least FIPS 140-2 Level 2 or Common Criteria EAL 4+.
Signing code
To use a token-based code signing certificate, you need access to the token or HSM and the credentials to use the certificate stored on it.
Ordering and renewing certificates
When ordering and renewing an OV code signing certificate, you must select the hardware you want to store the private key on: a DigiCert-provided hardware token, your own supported hardware token, or a hardware security module (HSM).
Reissuing certificates
When reissuing code signing certificates, you must install the certificate on a supported hardware token or HSM. If you do not have a token, you can purchase a token from DigiCert at that time.

Want to eliminate the need for individual tokens?

Transition to DigiCert® Secure Software Manager to improve your software security with code-signing workflow automation that reduces points of vulnerability with end-to-end company-wide security and control in the code signing process—all without slowing down your process.

Key capabilities:

HSM key storage—industry compliant
Policy enforcement
Centralized management
Integration with CI/CD pipelines
And more

To learn more about how DigiCert Secure Software Manager has helped other organizations, see our case study Automated Signing Speeds Build Times While Improving the User Experience.

December 31, 2022

CIS 2022 api certificate issuance DigiCert One CertCentral PKI Platform 8 validation Direct Cert Portal QuoVadis PKI Platfom 8 API ACME scheduled maintenance SCEP ACME agent automation Discovery API Services API ACME agent automation API discovery

DIGICERT 2022 MAINTENANCE SCHEDULE

To make it easier to plan your certificate-related tasks, we scheduled our 2022 maintenance windows in advance. See DigiCert 2022 scheduled maintenance—this page is updated with all current maintenance schedule information.

With customers worldwide, we understand there is not a "best time" for everyone. However, after reviewing the data on customer usage, we selected times that would impact the fewest amount of our customers.

About our maintenance schedule

Maintenance is scheduled for the first weekend of each month unless otherwise noted.
Each maintenance window is scheduled for 2 hours.
Although we have redundancies to protect your service, some DigiCert services may be unavailable.
All normal operations will resume once maintenance is completed.
To get live maintenance updates, subscribe to the DigiCert Status page. This subscription includes email alerts for when maintenance begins and when it ends.

If you need more information regarding these maintenance windows, contact your account manager or DigiCert support team.

Recent changes

compliance enhancement new fix

June 21, 2022

dcv methods DNS TXT bulk domain revalidation DNS CNAME CertCentral domain control validation domain prevalidation

CertCentral: Bulk domain validation support for DNS TXT and DNS CNAME DCV methods

DigiCert is happy to announce that CertCentral bulk domain validation now supports two more domain control validation (DCV) methods: DNS TXT and DNS CNAME.

Remember, domain validation is only valid for 397 days. To maintain seamless certificate issuance, DigiCert recommends completing DCV before the domain's validation expires.

Don't spend extra time submitting one domain at a time for revalidation. Use our bulk domain revalidation feature to submit 2 to 25 domains at a time for revalidation.

See for yourself

In your CertCentral account, in the left main menu, go to Certificates > Domains.
On the Domains page, select the domains you want to submit for revalidation.
In the Submit domains for revalidation dropdown, select the DCV method you want to use to validate the selected domains.

See Domain prevalidation: Bulk domain revalidation.

June 6, 2022

subaccounts Report Library Report library API Delete scheduled report suspend report reports

CertCentral Report Library API enhancements

DigiCert is happy to announce the following enhancements to the CertCentral Report Library API:

Suspend report runs by deleting scheduled reports

We added a new endpoint for deleting scheduled reports. Deleting a scheduled report suspends future report runs. Completed report runs with the same report ID remain available for download after you delete the scheduled report.

Note: Before, you could only edit a report’s schedule, or delete a scheduled report and all completed report runs.

Generate reports with subaccount data only

For the Create report and Edit report endpoints, we added a new option to the list of allowed division_filter_type values: EXCLUDE_ALL_DIVISIONS. Use this value to exclude all parent account data from the report. Reports using this option only include data from the chosen subaccounts (sub_account_filter_type).

Note: Before, you could not generate subaccount reports without including data from one or more divisions in the parent account.

Learn more:

June 4, 2022

CIS 2022 api DigiCert One PKI Platform 8 Direct Cert Portal TrustLink certificate issuance ACME scheduled maintenance SCEP ACME agent automation certificate issuing service (CIS) CertCentral discovery

Upcoming Scheduled Maintenance

DigiCert will perform scheduled maintenance on June 4, 2022, 22:00 –24:00 MDT (June 5, 2022, 04:00 – 06:00 UTC). Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

What can I do?

Plan accordingly:

Schedule high-priority orders, renewals, and reissues before or after the maintenance window.
Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.
To get live maintenance updates, subscribe to the DigiCert Status page. This subscription includes email alerts for when maintenance begins and when it ends.
See DigiCert 2022 scheduled maintenance for scheduled maintenance dates and times.

Services will be restored as soon as the maintenance is completed.

May 31, 2022

order info endpoint Services API certcentral requests

CertCentral Services API: Improved Order info API response

Update: To give API consumers more time to evaluate the impact of the Order info API response changes on their integrations, we are postponing this update until May 31, 2022. We originally planned to release the changes described below on April 25, 2022.

On May 31, 2022, DigiCert will make the following improvements to the Order info API. These changes remove unused values and update the data structure of the order details object to be more consistent for orders in different states across product types.

For more information and response examples for public TLS, code signing, document signing, and Class 1 S/MIME certificates, see the reference documentation for the Order info endpoint.

If you have questions or need help with these changes, contact your account representative or DigiCert Support.

Need to test your API integration?

To help CertCentral Services API consumers evaluate the impact of these changes, DigiCert is providing a beta server for API consumers to test their integrations prior to the May 31, 2022 release. To learn more, see our knowledge base article: DigiCert CertCentral Services API beta server.

General enhancements

The following changes apply to orders for various certificate types irrespective of order status.

Removed parameters:

public_id (string)
For all orders, the API will stop returning the public_id parameter. DigiCert no longer supports the Express Install workflow that required a public_id value.
certificate.ca_cert_id (string)
For DV certificate orders, the API will stop returning the ca_cert_id parameter. The value of this parameter is an internal ID for the issuing ICA certificate and cannot be used externally. The API already excludes the ca_cert_id parameter from the order details for other product types.

To get the name and public ID of the issuing ICA certificate associated with the order, use the ca_cert object instead.
verified_contacts (array of objects)
For document signing certificate orders, the API will stop returning the verified_contacts array. The API already excludes the verified_contacts array from the order details for other product types.
certificate.dns_names (array of strings)
If there are no DNS names associated with the order (for example, if the order is for a code signing, document signing, or Class 1 S/MIME certificate), the API will stop returning the dns_names array.

Before, the API returned a dns_names array with an empty string: [" "]
certificate.organization_units (array of strings)
If there are no organization units associated with the order, the API will stop returning an organization_units array.

Before, for some product types, the API returned an organization_units array with an empty string: [" "]
certificate.cert_validity
In the cert_validity object, the API will only return a key/value pair for the unit used to set the certificate validity period when the order was created. For example, if the validity period of the certificate is for 1 year, the cert_validity object will return a years parameter with a value of 1.

Before, the cert_validity object sometimes returned values for both days and years.

Added parameters:

order_validity (object)
For code signing, document signing, and client certificate orders, the API will start returning an order_validity object.

The order_validity object returns the days, years, or custom_expiration_date for the order validity period. The API already includes an order_validity object in the order details for public SSL/TLS products.
payment_profile (object)
For DV certificate orders, if the order is associated with a saved credit card, the API will start returning a payment_profile object. The API already includes a payment_profile object in the order details for other product types.
server_licensesFor DV certificate orders, the API will start returning the server_licenses parameter. The API already includes the server_licenses parameter in the order details for other product types.

Unapproved order requests

The following changes apply only to certificate order requests that are pending approval or that have been rejected. These changes bring the data structure of the response closer to what the API returns after the request is approved and the order is submitted to DigiCert for validation and issuance.

To manage unapproved and rejected requests, we recommend using the Request endpoints (/request) instead of retrieving the order details. We designed the /request endpoints to manage pending and rejected certificate order requests, and these endpoints remain unchanged.

Note: For quicker certificate issuance, we recommend using a workflow that skips or omits the request approval step for new certificate orders. If your API workflow already skips or omits the approval step, you can safely ignore the changes below. Learn more about removing the approval step:

Added parameters:

disable_ct (boolean)
allow_duplicates (boolean)
cs_provisioning_method (string)

Removed parameters:

server_licenses (integer)
For unapproved order requests, the API will stop returning the server_licenses parameter. The API will continue including the server_licenses parameter in order details for approved order requests.

Improved organization object
To provide a consistent data structure in the order details for unapproved and approved order requests, the API will return a modified organization object on unapproved order requests for some product types.

The API will stop returning the following unexpected properties on unapproved order requests for all product types:

organization.status (string)
organization.is_hidden (boolean)
organization.organization_contact (object)
organization.technical_contact (object)
organization.contacts (array of objects)

The API will start returning the following expected properties, if existing, on unapproved order requests for all product types:

organization.name (string)
organization.display_name (string)
organization.assumed_name (string)
organization.city (string)
organization.country (string)

To get organization details not included in the Order info response, use the Organization info API endpoint.

May 24, 2022

reissued certificates new certificates ICAs DV SSL certificates intermediate CA certificates compliance New GeoTrust RapidSSL

CertCentral to issue GeoTrust and RapidSSL DV certificates from new intermediate CA certificates

On May 24, 2022, between 9:00 am and 11:00 am MDT (3:00 pm and 5:00 pm UTC), DigiCert will replace the GeoTrust and RapidSSL intermediate CA (ICA) certificates listed below. We can no longer issue maximum validity (397-day) DV certificates from these intermediates.

Old ICA certificates

GeoTrust TLS DV RSA Mixed SHA256 2020 CA-1
GeoTrust TLS DV RSA Mixed SHA256 2021 CA-1
RapidSSL TLS DV RSA Mixed SHA256 2020 CA-1
RapidSSL TLS DV RSA Mixed SHA256 2021 CA-1

New ICA certificates

GeoTrust Global TLS RSA4096 SHA256 2022 CA1
RapidSSL Global TLS RSA4096 SHA256 2022 CA1

See the DigiCert ICA Update KB article.

How does this affect me?

Rolling out new ICA certificates does not affect your existing DV certificates. Active certificates issued from the replaced ICA certificates will remain trusted until they expire.

However, all new certificates, including certificate reissues, will be issued from the new ICA certificates. To ensure ICA certificate replacements go unnoticed, always include the provided ICA certificate with every TLS certificate you install.

No action is required unless you do any of the following:

Pin the old versions of the intermediate CA certificates
Hard code the acceptance of the old versions of the intermediate CA certificates
Operate a trust store that includes the old versions of the intermediate CA certificates

Action required

If you practice pinning, hard code acceptance, or operate a trust store, update your environment as soon as possible. You should stop pinning and hard coding ICA certificates or make the necessary changes to ensure your GeoTrust DV and RapidSSL DV certificates issued from the new ICA certificates are trusted. In other words, make sure they can chain up to their new ICA certificate and trusted root.

See the DigiCert Trusted Root Authority Certificates page to download copies of the new Intermediate CA certificates.

What if I need more time?

If you need more time to update your environment, you can continue to use the old 2020 ICA certificates until they expire. Contact DigiCert Support, and they can set that up for your account. However, after May 31, 2022, RapidSSL DV and GeoTrust DV certificates issued from the 2020 ICA certificates will be truncated to less than one year.

May 19, 2022

api manage contacts Organization details page organization contact new endpoints technical contact New Services API

CertCentral: Update organization and technical contacts from the organization's details page

We are happy to announce you can now manage your organization and technical contacts from your organization's details page. This new feature allows you to replace incorrect contacts anytime.

Note: Before, you could only view the existing organization and technical contacts when visiting the organization's details page. The only way to replace an organization or technical contact was when requesting a TLS certificate.

The next time you visit an organization's details page, you can update the organization contact and technical contact for the organization. After editing a contact, you will see the new contact information the next time you order a certificate that includes organization and technical contacts.

Items to note when replacing contacts:

Replacing a contact is not retroactive and does not affect existing certificate orders, issued or pending.
Replacing the organization contact does not affect the organization validation. However, we will contact the organization directly to verify the new organization contact.

See for yourself

In your CertCentral account, in the left main menu, go to Certificates > Organizations.
On the Organizations page, select the name of the organization.
On the organization's details page, you can now replace the organization contact and add, delete, and replace the technical contact.

Learn more:

CertCentral Services API: Update organization and technical contacts

To help you manage the organization and technical contacts for your organizations in your API integrations, we added the following endpoints to the CertCentral Services API:

Organization and technical contact info
Get details about the organization contact and technical contact associated with an organization.
Update organization and technical contact
Update or replace the organization contact and technical contact associated with an organization.

May 18, 2022

key generation KeyGen tool code signing certificates OV code signing client certificates Keygen

CertCentral: DigiCert KeyGen, our new key generation service

DigiCert is happy to announce our new key generation service—KeyGen. Use KeyGen to generate and install your client and code signing certificates from your browser. KeyGen can be used on macOS and Windows and is supported by all major browsers.

With KeyGen, you don't need to generate a CSR to order your client and code signing certificates. Place your order without a CSR. Then after we process the order and your certificate is ready, DigiCert sends a "Generate your Certificate" email with instructions on using KeyGen to get your certificate.

How does KeyGen work?

KeyGen generates a keypair and then uses the public key to create a certificate signing request (CSR). KeyGen sends the CSR to DigiCert, and DigiCert sends the certificate back to KeyGen. Then KeyGen downloads a PKCS12 (.p12) file to your desktop that contains the certificate and the private key. The password you create during the certificate generation process protects the PKCS12 file. When you use the password to open the certificate file, the certificate gets installed in your personal certificate store.

To learn more about generating client and code signing certificates from your browser, see the following instructions:

May 9, 2022

order info endpoint user CertCentral Services API

CertCentral Services API: Fixed data type for empty user value in Order info API response

We fixed an issue where the Order info API (GET https://www.digicert.com/services/v2/order/certificate/{{order_id}}) returned the wrong data type for the user field when no user is associated with the order. Now, for orders without user data, the Order info endpoint returns an empty user object ("user": {}) instead of returning an empty array ("user": []).

May 7, 2022

CIS 2022 DigiCert One CertCentral PKI Platform 8 domain validation Direct Cert Portal TrustLink certificate issuance downtime ACME certificate issuing service (CIS) Direct Cert Portal API ACME agent automation tls certificates Services API TLS certificate issuance TrustLink organization validation ACME agent automation API

Upcoming Schedule Maintenance

Update: There is no planned downtime during maintenance on May 7, MDT (May 8, UTC).

DigiCert will perform scheduled maintenance on May 7, 2022, between 22:00 – 24:00 MDT (May 8, 2022, between 04:00 – 06:00 UTC). Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

What can I do?

Plan accordingly:

Schedule high-priority orders, renewals, and reissues before or after the maintenance window.
Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.
To get live maintenance updates, subscribe to the DigiCert Status page. This subscription includes email alerts for when maintenance begins and when it ends.
See the DigiCert 2022 maintenance schedule for maintenance dates and times.

Services will be restored as soon as we complete the maintenance.

April 18, 2022

order-vmc endpoint VMC lifecycle VMC Verified Mark Certificates CertCentral Services API CertCentral Multi-year plan MyP

CertCentral: Multi-year Plans are now available for Verified Mark Certificates

We are happy to announce that Multi-year Plans are now available for Verified Mark Certificates (VMCs) in CertCentral and CertCentral Services API.

DigiCert® Multi-year Plans allow you to pay a single discounted price for up to six years of Verified Mark Certificate coverage. With a Multi-year Plan, you pick the duration of coverage you want (up to six years). Until the plan expires, you reissue your certificate at no cost each time it reaches the end of its validity period.

Note: Depending on the length of your plan, you may need to revalidate your domain and organization multiple times during your Multi-year Plan.

Multi-year Plans for VMC in the Services API

In the Services API, when you submit an order request for a VMC, use the order_validity object to set the duration of coverage for your Multi-year Plan (1-6 years). For more information, see:

What is a Verified Mark Certificate?

Verified Mark Certificates (VMCs) are a new type of certificate that allows companies to place a certified brand logo next to the “sender” field in customer inboxes.

Your logo is visible before the message is opened.
Your logo acts as confirmation of your domain’s DMARC status and your organization’s authenticated identity.

Learn more about VMC certificates

April 11, 2022

domain lock Services API CertCentral caa domains CAA resource record

CertCentral Services API: Domain locking API endpoints

DigiCert is happy to announce our domain locking feature is now available in the CertCentral Services API.

Note: Before you can use the domain locking endpoints, you must first enable domain locking for your CertCentral account. See Domain locking – Enable domain locking for your account.

New API endpoints

Activate domain locking
Activate domain locking for a given domain.
Deactivate domain locking
Deactivate domain locking for a given domain.
Check CAA (domain lock)
Check a given domain's DNS CAA resource record for a domain lock account token.

Updated API endpoints

We updated the response for the Domain info and List domains endpoints to include the following parameters with domain lock details:

domain_locking_status (string)
Domain lock status. Only returned if domain locking is enabled for the account.
account_token (string)
Domain lock account token. Only returned if domain locking is enabled for the account, and if domain locking has been activated for the domain at least once.

To learn more, see:

April 5, 2022

symantec domains CertCentral upgrade Thawte GeoTrust legacy console upgrades RapidSSL Migration CAA resource record

CertCentral: Domain locking is now available

DigiCert is happy to announce our domain locking feature is now available.

Does your company have more than one CertCentral account? Do you need to control which of your accounts can order certificates for specific company domains?

Domain locking allows you to control which of your CertCentral accounts can order certificates for your domains.

How does domain locking work?

DNS Certification Authority Authorization (CAA) resource records allow you to control which certificate authorities can issue certificates for your domains.

With domain locking, you can use this same CAA resource record to control which of your company's CertCentral accounts can order certificates for your domains.

How do I lock a domain?

To lock a domain:

Enable domain locking for your account.
Set up domain locking for a domain.
Add the domain's unique verification token to the domain's DNS CAA resource record.
Check the CAA record for the unique verification token.

To learn more, see:

End of life for account upgrades from Symantec, GeoTrust, Thawte or RapidSSL to CertCentral™

From April 5, 2022, MDT, you can no longer upgrade your Symantec, GeoTrust, Thawte, or RapidSSL account to CertCentral™.

If you haven't already moved to DigiCert CertCentral, upgrade now to maintain website security and have continued access to your certificates.

Note: During 2020, DigiCert discontinued all Symantec, GeoTrust, Thawte, RapidSSL admin consoles, enrollment services, and API services.

How do I upgrade my account?

To upgrade your account, contact DigiCert Support immediately. For more information about the account upgrade process, see Upgrade from Symantec, GeoTrust, Thawte, or RapidSSL.

What happens if I don't upgrade my account to CertCentral?

After April 5, 2022, you must get a new CertCentral account and manually add all account information, such as domains and organizations. In addition, you won't be able to migrate any of your active certificates to your new account.

For help setting up your new CertCentral account after April 5, 2022, contact DigiCert Support.

April 2, 2022

2022 PKI Platform 8 certificate issuing service (CIS) tls certificates downtime TLS certificate issuance ACME agent automation API User Authorization Agent (UAA) services DigiCert One ACME CertCentral domain validation TrustLink organization validation CIS Services API Direct Cert Portal scheduled maintenance SCEP Direct Cert Portal API ACME agent automation TrustLink certificate issuance

Upcoming Schedule Maintenance

DigiCert will perform scheduled maintenance on April 2, 2022, between 22:00 – 24:00 MDT (April 3, 2022, between 04:00 – 06:00 UTC). During this time, some services may be down for up to two hours.

Note: Maintenance will be one hour earlier for those who don't observe daylight savings.

Infrastructure-related maintenance downtime

We will start this infrastructure-related maintenance at 22:00 MDT (04:00 UTC). Then the services listed below may be down for up to two hours.

CertCentral® TLS certificate issuance:

TLS certificate requests submitted during this time will fail
Failed requests should be resubmitted after services are restored

CIS and CertCentral® SCEP:

Certificate Issuing Service (CIS) will be down
CertCentral Simple Certificate Enrollment Protocol (SCEP) will be down
Requests submitted during this time will fail
CIS APIs will return a "503 Service is unavailable" error
Failed requests should be resubmitted after services are restored

Direct Cert Portal new domain and organization validation:

New domains submitted for validation during this time will fail
New organizations submitted for validation during this time will fail
Failed requests should be resubmitted after services are restored

QuoVadis® TrustLink® certificate issuance:

TrustLink certificate requests submitted during this time will be delayed
Requests will be added to a queue for processing later
Queued-up requests will be processed after services are restored

PKI Platform 8 new domain and organization validation:

New domains submitted for validation during this time will fail
New organizations submitted for validation during this time will fail
Requests will be added to a queue for processing later
Queued-up requests will be processed after services are restored
Access to User Authorization Agent (UAA) services will be disabled: both the UAA Admin and User web portals

What can I do?

Plan accordingly:

Schedule high-priority orders, renewals, and reissues before or after the maintenance window.
Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.
To get live maintenance updates, subscribe to the DigiCert Status page. This subscription includes email alerts for when maintenance begins and when it ends.
For scheduled maintenance dates and times, see DigiCert 2022 scheduled maintenance.

Services will be restored as soon as we complete the maintenance.

March 30, 2022

CertCentral domain prevalidation bulk domain revalidation DCV email method

CertCentral: Bulk domain revalidation is now available

DigiCert is happy to announce our bulk domain validation feature is now available. Don't spend extra time submitting one domain at a time for revalidation. Use our bulk domain revalidation feature to submit 2 to 25 domains at a time for revalidation.

Remember, domain validation is only valid for 397 days. To maintain seamless certificate issuance, DigiCert recommends completing domain control validation (DCV) ahead of time before the domain's validation expires.

Note: Currently, the bulk domain feature only supports the email DCV method. To use a different DCV method, you'll need to submit each domain individually.

See for yourself

In your CertCentral account, in the left main menu, go to Certificates > Domains.
On the Domains page, select the domains you want to submit for revalidation.
In the Submit domains for revalidation dropdown, select Submit domains for email-based validation.

See Domain prevalidation: Bulk domain revalidation.

March 28, 2022

Email Certificates CertCentral S/MIME

Starting March 28, 2022, all public S/MIME certificates will have a maximum validity period of 1,185 days. This change is to align with Apple policy updates and only applies to publicly trusted S/MIME certificates newly issued from CertCentral. Certificates issued before March 28 are not affected.

March 24, 2022

SSL Tools End of life SSL Installation Diagnostic Tool

End of life for SSL Tools

From March 24, 2022, when you visit SSL Tools, you will see a pop-up message that lets you know SSL Tools is no longer available. We encourage you to use the DigiCert® SSL Installation Diagnostics Tool.

Note: If you visit other SSL Tools features/pages, we will guide you to other site pages on digicert.com that offer identical or similar services.

What is the DigiCert® SSL Installation Diagnostics Tool?

The SSL Installation Diagnostic Tool is a free, publicly available tool that checks:

Certificate installations
Web server configurations

What do I need to do?

Start using the DigiCert® SSL Installation Diagnostics Tool.

You will want to do the following too:

In your browser, replace SSL Tools bookmarks with DigiCert® SSL Installation Diagnostics Tool.
If you have links to SSL Tools on your website, replace them with links to the SSL Installation Diagnostics Tool.

March 21, 2022

basic ev Site Seals basic ov Basic TLS certificates

DigiCert site seal now available for Basic OV and EV certificate orders

DigiCert Basic OV and EV certificate orders include the DigiCert site seal. Now, you can install the DigiCert site seal on the same site your Basic SSL certificate protects. Site seals provide your customers with the assurance your website is secured by DigiCert—one of the most recognized names in TLS/SSL security.

When you click the site seal, you see additional details about the domain, the organization, the TLS/SSL certificate, and the validation.

Learn how to configure and install your DigiCert site seal

DigiCert Smart Seal

DigiCert also offers a more innovative type of site seal—the DigiCert Smart Seal. This advanced seal is more interactive and engaging than the DigiCert site seal. We added a hover-over effect, animation, and the ability to display your company logo in the hover-over effect and animation feature.

Learn more about the DigiCert Smart Seal

March 10, 2022

Services API DCV CertCentral New CNAME DV Certificates domain control validation

CertCentral: DNS CNAME DCV method now available for DV certificate orders

In CertCentral and the CertCentral Services API, you can now use the DNS CNAME domain control validation (DCV) method to validate the domains on your DV certificate order.

Note: Before, you could only use the DNS CNAME DCV method to validate the domains on OV and EV certificate orders and when prevalidating domains.

To use the DNS CNAME DCV method on your DV certificate order:

In CertCentral:
- When ordering a DV TLS certificate, you can select DNS CNAME as the DCV method.
- On the DV TLS certificate's order details page, you can change the DCV method to DNS CNAME Record.
In the Services API:
- When requesting a DV TLS certificate, set the value of the dcv_method request parameter to dns‑cname‑token.

Note: The AuthKey process for generating request tokens for immediate DV certificate issuance does not support the DNS CNAME DCV method. However, you can use the File Auth (http‑token) and DNS TXT (dns‑txt‑token) DCV methods. To learn more, visit DV certificate immediate issuance.

To learn more about using the DNS CNAME DCV method:

For CertCentral:
For the Services API:
- Order DV GeoTrust SSL
- DV certificate lifecycle

March 8, 2022

domains Services API DCV pre-validation

CertCentral Services API: Improved List domains endpoint response

To make it easier to find information about the domain control validation (DCV) status for domains in your CertCentral account, we added these response parameters to domain objects in the List domains API response:

dcv_approval_datetime: Completion date and time of the most recent DCV check for the domain.
last_submitted_datetime: Date and time the domain was last submitted for validation.

For more information, see the reference documentation for the List domains endpoint.

March 5, 2022

2022 PKI Platform 8 certificate issuing service (CIS) tls certificates downtime TLS certificate issuance ACME agent automation API DigiCert One ACME CertCentral domain validation TrustLink organization validation CIS Services API Direct Cert Portal scheduled maintenance SCEP Direct Cert Portal API ACME agent automation TrustLink certificate issuance

Upcoming Schedule Maintenance

DigiCert will perform scheduled maintenance on March 5, 2022, between 22:00 – 24:00 MST (March 6, 2022, between 05:00 – 07:00 UTC). During this time, some services may be down for up to two hours.

Infrastructure-related maintenance downtime

We will start this infrastructure-related maintenance at 22:00 MST (05:00 UTC). Then the services listed below may be down for up to two hours.

CertCentral™ TLS certificate issuance:

TLS certificate requests submitted during this time will fail
Failed requests should be resubmitted after services are restored

CIS and CertCentral™ SCEP:

Certificate Issuing Service (CIS) will be down
CertCentral Simple Certificate Enrollment Protocol (SCEP) will be down
Requests submitted during this time will fail
CIS APIs will return a "503 Service is unavailable" error
Failed requests should be resubmitted after services are restored

Direct Cert Portal new domain and organization validation:

New domains submitted for validation during this time will fail
New organizations submitted for validation during this time will fail
Failed requests should be resubmitted after services are restored

QuoVadis™ TrustLink™ certificate issuance:

TrustLink certificate requests submitted during this time will be delayed
Requests will be added to a queue for processing later
Queued-up requests will be processed after services are restored

PKI Platform 8 new domain and organization validation:

New domains submitted for validation during this time will fail
New organizations submitted for validation during this time will fail
Requests will be added to a queue for processing later
Queued-up requests will be processed after services are restored

What can I do?

Plan accordingly:

Schedule high-priority orders, renewals, and reissues before or after the maintenance window.
Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.
To get live maintenance updates, subscribe to the DigiCert Status page. This subscription includes email alerts for when maintenance begins and when it ends.
For scheduled maintenance dates and times, see DigiCert 2022 scheduled maintenance.

Services will be restored as soon as we complete the maintenance.

February 17, 2022

bug fix CertCentral verified contact Services API EV TLS certificates

CertCentral: Improved verified contact EV TLS certificate request approval process

In CertCentral and the CertCentral Services API, we updated the EV TLS certificate request process to only send the EV TLS request approval emails to the verified contacts you include on the certificate request.

Note: Before, when you requested an EV TLS certificate, we sent the EV order approval email to all the verified contacts for the organization.

Add verified contacts to an EV TLS certificate request:

CertCentral
When requesting an EV TLS certificate, you can:
- Keep the existing verified contacts assigned to the organization
- Remove contacts (at least one is required)
- Add new contacts (we must validate each new contact, which may delay certificate issuance).
Services API
When requesting an EV TLS certificate, include the verified contacts in the organization.contacts array of the JSON request. For verified contacts, the value of the contact_type field is ev_approver.

To learn more about EV TLS certificate requests:

For CertCentral, see Order an EV SSL/TLS certificate.
For Services API, see Order Basic EV, Order Secure Site EV, and Order Secure Site Pro EV.

February 12, 2022

Document Signing Manager Enterprise PKI Manager CA Manager Automation Manager Discovery sensor firewall settings Secure Software Manager PKI Platform 8 IoT Device Manager certcentral QuoVadis validation services Account Manager 216.168.240.0/20 ACME agent automation API DigiCert One ACME New TrustLink discovery CIS Direct Cert Portal scheduled maintenance SCEP API access URL Direct Cert Portal API ACME agent automation IP address changes Discovery API Services API

Upcoming Scheduled Maintenance

DigiCert will perform scheduled maintenance on February 12, 2022, between 22:00 – 24:00 MST (February 13, 2022, between 05:00 – 07:00 UTC). Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

What can I do?

Plan accordingly:

Schedule high-priority orders, renewals, and reissues before or after the maintenance window.
If you use the APIs for immediate certificate issuance and automated tasks, expect interruptions.
To get live maintenance updates, subscribe to the DigiCert Status page. This subscription includes email alerts for when maintenance begins and when it ends.
For scheduled maintenance dates and times, see DigiCert 2022 scheduled maintenance.

Services will be restored as soon as we complete the maintenance.

Expanding Range of IP Addresses Used for DigiCert Services

As part of our scheduled maintenance on February 12, 2022, 22:00 – 24:00 MST (February 13, 2022, 05:00 - 07:00 UTC), DigiCert is expanding the range of IP addresses we use for our services. These additional IP addresses are part of our efforts to increase service uptime and reduce the need for service downtime during scheduled maintenance.

What do I need to do?

If your company uses allowlists*, update them to include the block of IP addresses listed below by February 12, 2022, to keep your DigiCert services and API integrations running as expected.

*Note: Allowlists are lists for firewalls that only allow specified IP addresses to perform certain tasks or connect to your system.

New range of IP addresses

Add this range of IP addresses to your allowlist: 216.168.240.0/20

Note: We are not replacing or removing any IP addresses. We are only expanding the range of IP Addresses we use to deliver our services.

Affected services:

CertCentral/Services API
ACME
Discovery/API
Discovery sensor firewall settings
ACME Automation/API
Certificate Issuing Service (CIS)
Simple Certificate Enrollment Protocol (SCEP)
API access URL
Direct Cert Portal/API
DigiCert website
Validation services
PKI Platform 8
PKI Platform 7 (Japan and Australia)
QuoVadis TrustLink
DigiCert ONE
- Account Manager
- CA Manager
- IoT Device Manager
- Document Signing Manager
- Secure Software Manager
- Enterprise PKI Manager
- Automation Manager

For easy reference, see our knowledgebase article, Expanding Range of IP Addresses for DigiCert Services. If you have questions, please contact your account manager or DigiCert Support.

February 9, 2022

CertCentral API DCV tokens expiration dates Services API Domain info

CertCentral Services API: Domain info enhancement

We updated the Domain info API response to include the expiration_date parameter for the DCV token associated with the domain. Now, when you call the Domain info API and set the value of the include_dcv query parameter to true, the dcv_token object in the response includes the expiration_date of the DCV token for the domain.

February 8, 2022

CertCentral user emails email domains allowed emails

Account Security Feature: Approved User Email Domains

CertCentral Administrators can now specify what email domains users can create a CertCentral account for. This helps prevent emails from being sent to non-approved, generic email domains (@gmail.com, @yahoo.com), or domains owned by third parties. If a user attempts to set or change a user email address to a non-approved domain, they receive an error.

Find this setting in Settings > Preferences. Expand Advanced Settings, and look for the Approved email domains section.

Note: This does not affect existing users with non-approved email addresses. It only impacts new users and email changes made after configuring this setting.

February 1, 2022

bug fix csr code signing certificates VMC Verified Mark Certificates trademark offices CertCentral Keygen

Verified Mark Certificates (VMC): Three new approved trademark offices

We are happy to announce that DigiCert now recognizes three more intellectual property offices for verifying the logo for your VMC certificate. These new offices are in Korea, Brazil, and India.

New approved trademark offices:

Other approved trademark offices:

What is a Verified Mark Certificate?

Verified Mark Certificates (VMCs) are a new type of certificate that allows companies to place a certified brand logo next to the “sender” field in customer inboxes.

Your logo is visible before the message is opened.
Your logo acts as confirmation of your domain’s DMARC status and your organization’s authenticated identity.

Learn more about VMC certificates.

Bugfix: Code Signing (CS) certificate generation email sent only to CS verified contact

We fixed a bug in the Code Signing (CS) certificate issuance process where we were sending the certificate generation email to only the CS verified contact. This bug only happened when the requestor did not include a CSR with the code signing certificate request.

Now, for orders submitted without a CSR, we send the code signing certificate generation email to:

Certificate requestor
CS verified contact
Additional emails included with the order

Note: DigiCert recommends submitting a CSR with your Code Signing certificate request. Currently, Internet Explorer is the only browser that supports keypair generation. See our knowledgebase article: Keygen support dropped with Firefox 69.

January 25, 2022

OV SSL certificates certificate profiles Basic Constraint extension noncritical EV SSL certificates

Updates to OV and EV TLS certificate profiles

As we work to align our DV, OV, and EV TLS certificate profiles, we are making a minor change to our OV and EV TLS certificate profiles. Starting January 25, 2022, we will set the Basic Constraints extension to noncritical in our OV and EV TLS certificate profiles.

Note: DV TLS certificates are already issued with the Basic Constraints extension set to noncritical.

What do I need to do?

No action is required on your part. You shouldn't notice any difference in your certificate issuance process.

However, if your TLS certificate process requires the Basic Constraints extension to bet set to critical, contact your account manager or DigiCert Support immediately.

January 24, 2022

Domains page CertCentral completed-validated filter List domains endpoint enhancement Services API

Improved Domains page, Validation status filter—Completed / Validated

On the Domains page, in the Validation status dropdown, we updated the Completed / Validated filter to make it easier to find domains with completed and active domain control validation (DCV).

Note: Before, when you searched for domains with Completed / Validated DCV, we returned all domains with completed DCV even if the domain validation had expired.

Now, when you search for domains with Completed / Validated DCV, we only return domains with completed and active DCV in your search results. To find domains with expired DCV, use the Expired filter in the Validation status dropdown.

Find domains with completed and active DCV

In CertCentral, in the left main menu, go to Certificates > Domains.
On the Domains page, in the Validation status dropdown, select Completed / Validated.

CertCentral Services API: List domains enhancement

For the List domains API, we updated the filters[validation]=completed filter to make it easier to find domains validated for OV or EV certificate issuance.

Before, this filter returned all domains with completed DCV checks, even if the domain validation had expired. Now, the filter only returns domains with an active OV or EV domain validation status

January 10, 2022

Domain details page Domains page domain validation domain validation management CertCentral

CertCentral Domains and Domain details pages: Improved domain validation tracking

We updated the Domains and Domain details pages to make it easier to track and keep your domains' validation up to date. These updates coincide with last year's industry changes to the domain validation reuse period*. Keeping your domain validation current reduces certificate issuance times: new, reissue, duplicate issues, and renewals.

*Note: On October 1, 2021, the industry reduced all domain validation reuse periods to 398 days. DigiCert implemented a 397-day domain validation reuse period to ensure certificates aren't issued using expired domain validation. For more information about this change, see our knowledge base article, Domain validation policy changes in 2021.

Domains page improvements

When you visit the Domains page (in the left main menu, select Certificates > Domains), you will see three new columns: DCV method, Validation status, and Validation expiration. Now you can view the domain control validation (DCV) method used to demonstrate control over the domain, the status of the domain's validation (pending, validated, expires soon, and expired), and when the domain validation will expire.

Because OV and EV validation reuse periods are the same, we streamlined the Validation status sorting feature. Instead of showing separate filters for OV validation and EV validation, we only show one set of filters:

Completed / Validated
Pending validation
Expires in 0 - 7 days
Expires in 0 - 30 days
Expires in 31 - 60 days
Expires in 61 - 90 days
Expired

Domain details page improvements

When you visit a domain's details page (on the Domains page, select a domain), you will now see a status bar at the top of the page. This status bar lets you view the domain's validation status, when the domain's validation expires, when the domain's validation was most recently completed, and the DCV method used to demonstrate control over the domain.

We also updated the Domain validation status section of the page. We replaced the separate entries for OV and EV domain validation statuses with one entry: domain validation status.

January 8, 2022

CIS DigiCert One CertCentral PKI Platform 8 Direct Cert Portal ACME scheduled maintenance SCEP ACME agent automation certificate issuing service (CIS) Services API TrustLink discovery

Upcoming Scheduled Maintenance

DigiCert will perform scheduled maintenance on January 8, 2022, between 22:00 – 24:00 MST (January 9, 2022, between 05:00 – 07:00 UTC). Although we have redundancies to protect your service, some DigiCert services may be unavailable during this time.

What can I do?

Plan accordingly:

Schedule high-priority orders, renewals, and reissues before or after the maintenance window.
If you use the APIs for immediate certificate issuance and automated tasks, expect interruptions.
To get live maintenance updates, subscribe to the DigiCert Status page. This subscription includes email alerts for when maintenance begins and when it ends.
For scheduled maintenance dates and times, see DigiCert 2022 scheduled maintenance.

Services will be restored as soon as we complete the maintenance.

January 5, 2022

CertCentral Services API: List orders bugfix

On January 5, 2022, we will fix a bug in the List orders (GET https://www.digicert.com/services/v2/order/certificate) API where, when no organization is present for an order, the order details object returns the organization parameter as an empty array ("organization": []) instead of omitting the parameter from the response. After the fix, if no organization is present for an order, the organization parameter will not appear in the order details object.

December 31, 2021

PKI Platform 7 QuoVadis ACME scheduled maintenance Direct Cert Portal API SCEP CIS api certificate issuance DigiCert One 2021 PKI Platform 8 validation certcentral Direct Cert Portal ACME agent automation Discovery API Services API ACME agent automation API discovery

To make it easier to plan your certificate related tasks, we scheduled our 2021 maintenance windows in advance. See DigiCert 2021 scheduled maintenance—this page is kept up to date with all maintenance schedule information.

With customers all over the world, we understand there is not a best time for everyone. However, after reviewing the data on customer usage, we selected times that would impact the fewest amount of our customers.

About our maintenance schedule

Maintenance is scheduled for the first weekend of each month, unless otherwise noted.
Each maintenance window is scheduled for 2 hours.
Although we have redundancies in place to protect your service, some DigiCert services may be unavailable.
All normal operations will resume once maintenance is completed.

If you need more information regarding these maintenance windows, contact your account manager or DigiCert support team. To get live updates, subscribe to the DigiCert Status page.

December 7, 2021

organization name doing business as name client certicate api bug fix create organization DBA Services API Report Library SSL certificate request Assumed name intermediate CA certificates compliance New tls certificates New feature organization validation partner account enterprise account

CertCentral Report Library now available

We are happy to announce the CertCentral Report Library is now available for CertCentral Enterprise and CertCentral Partner.* The Report Library is a powerful reporting tool that allows you to download more than 1000 records at a time. Use the Report Library to build, schedule, organize, and export reports to share and reuse.

The Report Library includes six customizable reports: Orders, Organizations, Balance history, Audit log, Domains, and Fully qualified domain names (FQDN). When building reports, you control the details and information that appear in the report, configure the columns and column order, schedule how often you want the report to run (once, weekly, or monthly), and choose the report format (CSV, JSON, or Excel). In addition, you receive notices when the report is ready for download in your account.

To build your first report:

In your CertCentral account, in the main menu, select Reports*.
Note: To use the Report Library, you must be a CertCentral administrator. CertCentral Managers, Finance Managers, Standard Users, and Limited Users do not have access to Reports in their accounts.
On the Report library page, select Build a report.

To learn more about building reports:

*Note: Don't see the Report Library in your account? Contact your account manager or our support team for help.

CertCentral Report Library API also available

We're pleased to announce the release of the CertCentral Report Library API! This new API service makes it possible to leverage key features of the Report Library in your CertCentral API integrations, including building reports and downloading report results*.

See our Report Library API documentation to learn more about including the Report Library in your API integrations.

*Note: To use the CertCentral Report Library API, Report Library must be enabled for your CertCentral account. For help activating the Report Library, contact your account manager or our support team.

Bugfix: Unique organization name check did not include assumed name

We updated our unique organization name check to include the assumed name (doing business as name) when creating an organization.

Before, in CertCentral and the CertCentral Services API, when you tried to create an organization with the same name as an existing organization, we returned an error and would not let you create the organization, even if the assumed name (DBA) was different.

Now, when you create an organization, we include the assumed name in the unique organization check. Therefore, you can create organizations with the same name, as long as each organization has a unique assumed name.

For example:

First organization: No assumed name
- Name: YourOrganization
- Assumed name:
Second organization: Name plus unique assumed name
- Name: YourOrganization
- Assumed name: OrganizationAssumedName

Creating organizations

In CertCentral and the CertCentral Services API, you can create an organization to submit for prevalidation or when you order a TLS/SSL certificate. This change applies to both processes.

CertCentral: DigiCert now issues client certificates from the DigiCert Assured ID Client CA G2 intermediate CA certificate

To remain compliant with industry standards, DigiCert had to replace the intermediate CA (ICA) certificate used to issue CertCentral client certificates.

CertCentral client certificate profiles that used the DigiCert SHA2 Assured ID CA intermediate CA certificate now use the DigiCert Assured ID Client CA G2 intermediate CA certificate. This change also changes the root certificate from DigiCert Assured ID Root CA to DigiCert Assured ID Root G2.

Old ICA and root certificates

(ICA) DigiCert SHA2 Assured ID CA
(Root) DigiCert Assured ID Root CA

New ICA and root certificates

(ICA) DigiCert Assured ID Client CA G2
(Root) DigiCert Assured ID Root G2

For more information, see DigiCert ICA Update. To download a copy of the new intermediate CA certificate, see DigiCert Trusted Root Authority Certificates.

Do you still need your client certificate to chain to the DigiCert Assured ID Root CA certificate? Contact your account representative or DigiCert Support.

December 4, 2021

CIS DigiCert One CertCentral PKI Platform 8 Direct Cert Portal PKI Platfom 8 API ACME scheduled maintenance SCEP Direct Cert Portal API ACME agent automation Discovery API Services API TrustLink ACME agent automation API discovery

Upcoming Scheduled Maintenance

DigiCert will perform scheduled maintenance on December 4, 2021, between 22:00 – 24:00 MST (December 5, 2021, between 05:00 – 07:00 UTC). Although we have redundancies to protect your service, some DigiCert services may be unavailable during this time.

What can I do?

Plan accordingly:

Schedule high-priority orders, renewals, and reissues before or after the maintenance window.
Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.
To get live maintenance updates, subscribe to the DigiCert Status page. This subscription includes email alerts for when maintenance begins and when it ends.
For scheduled maintenance dates and times, see DigiCert 2021 scheduled maintenance.

Services will be restored as soon as we complete the maintenance.

November 16, 2021

File api OV SSL certificates DCV CertCentral domain validation DV SSL certificates http token HTTP Practical Demonstration EV SSL certificates tls certificates FileAuth Services API SSL certificates domain control validation wildcard domains http auth SC45 domain prevalidation file-based DCV

Industry changes to file-based DCV (HTTP Practical Demonstration, file auth, file, HTTP token, and HTTP auth)

To comply with new industry standards for the file-based domain control validation (DCV) method, you can only use the file-based DCV to demonstrate control over fully qualified domain names (FQDNs), exactly as named.

To learn more about the industry change, see Domain validation policy changes in 2021.

How does this affect me?

As of November 16, 2021, you must use one of the other supported DCV methods, such as Email, DNS TXT, and CNAME, to:

Validate wildcard domains (*.example.com)
To include subdomains in the domain validation when validating the higher-level domain. For example, if you want to cover www.example.com, when you validate the higher-level domain, example.com.
Prevalidate entire domains and subdomains.

To learn more about the supported DCV method for DV, OV, and EV certificate requests:

CertCentral: Pending certificate requests and domain prevalidation using file-based DCV

Pending certificate request

If you have a pending certificate request with incomplete file-based DCV checks, you may need to switch DCV methods* or use the file-based DCV method to demonstrate control over every fully qualified domain name, exactly as named, on the request.

*Note: For certificate requests with incomplete file-based DCV checks for wildcard domains, you must use a different DCV method.

To learn more about the supported DCV methods for DV, OV, and EV certificate requests:

Domain prevalidation

If you plan to use the file-based DCV method to prevalidate an entire domain or entire subdomain, you must use a different DCV method.

To learn more about the supported DCV methods for domain prevalidation, see Supported domain control validation (DCV) methods for domain prevalidation.

CertCentral Services API

If you use the CertCentral Services API to order certificates or submit domains for prevalidation using file-based DCV (http-token), this change may affect your API integrations. To learn more, visit File-based domain control validation (http-token).

November 6, 2021

CIS DigiCert One CertCentral PKI Platform 8 Direct Cert Portal TrustLink certificate issuance ACME DV SSL certificates scheduled maintenance SCEP Direct Cert Portal API ACME agent automation Discovery API Services API DV certificate issuance TrustLink ACME agent automation API discovery

Upcoming Schedule Maintenance

DigiCert will perform scheduled maintenance on November 6, 2021, between 22:00 – 24:00 MDT (November 7, 2021, between 04:00 – 06:00 UTC).

CertCentral infrastructure-related maintenance downtime

We will start this infrastructure-related maintenance between 22:00 and 22:10 MDT (04:00 and 04:10 UTC). Then, for approximately 30 minutes, the following services will be down:

DV certificate issuance for CertCentral, ACME, and ACME agent automation

DV certificate requests submitted during this time will fail
APIs will return a "cannot connect" error
Failed requests should be resubmitted after services are restored

CIS and SCEP

Certificate Issuing Service (CIS) will be down
Simple Certificate Enrollment Protocol (SCEP) will be down
DigiCert will be unable to issue certificates for CIS and SCEP
APIs will return a "cannot connect" error
Requests that return "cannot connect" errors should be resubmitted after services are restore

QuoVadis TrustLink certificate issuance

TrustLink certificate requests submitted during this time will fail
However, failed requests will be added to a queue for processing later
Queued-up requests will be processed after services are restored, as required

This maintenance only affects DV certificate issuance, CIS, SCEP, and TrustLink certificate issuance. It does not affect any other DigiCert platforms or services .

PKI Platform 8 maintenance

We will start the PKI Platform 8 maintenance at 22:00 MDT (04:00 UTC). Then, for approximately 30 minutes, the PKI Platform 8 will experience service delays and performance degradation that affect:

Signing in and using your PKI Platform 8 to perform in-console certificate lifecycle tasks.
Using any of your PKI Platform 8 corresponding APIs or protocols (for example, SOAP, REST, SCEP, and EST) to perform certificate lifecycle operations.
Performing certificate lifecycle tasks/operations:
- Enrolling certificates: new, renew, or reissues
- Adding domains and organizations
- Submitting validation requests
- Viewing reports, revoking certificates, and creating profiles
- Adding users, viewing certificates, and downloading certificates
Certificate issuance for PKI Platform 8 and its corresponding API.

Additionally:

APIs will return a "cannot connect" error.
Certificate enrollments that receive "cannot connect" errors must be resubmitted after DigiCert restores services.

The PKI Platform 8 maintenance only affects PKI Platform 8. It does not affect any other DigiCert platforms or services.

Plan accordingly:

Schedule high-priority orders, renewals, and reissues before or after the maintenance window.
Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.
To get live maintenance updates, subscribe to the DigiCert Status page. This subscription includes email alerts for when maintenance begins and when it ends.
For scheduled maintenance dates and times, see DigiCert 2021 scheduled maintenance.

Services will be restored as soon as we complete the maintenance.

October 2, 2021

CIS DigiCert One CertCentral PKI Platform 8 Direct Cert Portal PKI Platform 8 certificate issuance PKI Platform 8 validation ACME scheduled maintenance SCEP Direct Cert Portal API ACME agent automation Discovery API Services API ACME agent automation API discovery

Upcoming Schedule Maintenance

On October 2, 2021, between 22:00 – 24:00 MDT (October 3, 2021, between 04:00 – 06:00 UTC), DigiCert will perform scheduled maintenance.

CertCentral, CIS, SCEP, Direct Cert Portal, and DigiCert ONE maintenance

DigiCert will perform scheduled maintenance. Although we have redundancies to protect your service, some DigiCert services may be unavailable during this time.

What can I do?

Plan accordingly:

Schedule high-priority orders, renewals, and reissues before or after the maintenance window.
Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.
To get live maintenance updates, subscribe to the DigiCert Status page. This subscription includes email alerts for when maintenance begins and when it ends.
For scheduled maintenance dates and times, see DigiCert 2021 scheduled maintenance.

Services will be restored as soon as we complete the maintenance.

PKI Platform 8 maintenance and downtime:

DigiCert will perform scheduled maintenance on PKI Platform 8. During this time, the PKI Platform 8 and its corresponding APIs will be down for approximately 20 minutes.

We will start the PKI Platform 8 maintenance at 22:00 MDT (04:00 UTC).

Then, for approximately 20 minutes:

You will be unable to sign in and use your PKI Platform 8 to perform in-console certificate lifecycle tasks.
You will be unable to use any of your PKI Platform 8 corresponding APIs or protocols (for example, SOAP, REST, SCEP, and EST) to perform certificate lifecycle operations.
You will be unable to:
- Enroll certificates: new, renew, or reissues
- Add domains and organizations
- Submit validation requests
- View reports, revoke certificates, and create profiles
- Add users, view certificates, and download certificates
DigiCert will be unable to issue certificates for PKI Platform 8 and its corresponding API.
APIs will return a "cannot connect" error.
Certificate enrollments that receive "cannot connect" errors must be resubmitted after DigiCert restores services.

The PKI Platform 8 maintenance only affects PKI Platform 8. It does not affect any other DigiCert platforms or services.

What can I do?

Plan accordingly:

Schedule high-priority orders, renewals, and reissues before or after the maintenance window.
Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.
To get live maintenance updates, subscribe to the DigiCert Status page. This subscription includes email alerts for when maintenance begins and when it ends.
For scheduled maintenance dates and times, see DigiCert 2021 scheduled maintenance.

Services will be restored as soon as we complete the maintenance.

September 11, 2021

CIS DigiCert One CertCentral PKI Platform 8 Direct Cert Portal PKI Platform 8 certificate issuance PKI Platform 8 validation PKI Platfom 8 API ACME scheduled maintenance SCEP Direct Cert Portal API ACME agent automation Discovery API Services API ACME agent automation API discovery

Upcoming Schedule Maintenance

On September 11, 2021, between 22:00 – 24:00 MDT (September 12, 2021, between 04:00 – 06:00 UTC), DigiCert will perform scheduled maintenance.

CertCentral, CIS, SCEP, Direct Cert Portal, and DigiCert ONE maintenance

DigiCert will perform scheduled maintenance. Although we have redundancies to protect your service, some DigiCert services may be unavailable during this time.

What can I do?

Plan accordingly:

Schedule high-priority orders, renewals, and reissues before or after the maintenance window.
Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.
To get live maintenance updates, subscribe to the DigiCert Status page. This subscription includes email alerts for when maintenance begins and when it ends.
For scheduled maintenance dates and times, see DigiCert 2021 scheduled maintenance.

Services will be restored as soon as we complete the maintenance.

PKI Platform 8 maintenance and downtime:

DigiCert will perform scheduled maintenance on PKI Platform 8. During this time, the PKI Platform 8 and its corresponding APIs will be down for approximately 60 minutes.

We will start the PKI Platform 8 maintenance at 22:00 MDT (04:00 UTC).

Then, for approximately 60 minutes:

You will be unable to sign in and use your PKI Platform 8 to perform in-console certificate lifecycle tasks.
You will be unable to use any of your PKI Platform 8 corresponding APIs or protocols (for example, SOAP, REST, SCEP, and EST) to perform certificate lifecycle operations.
You will be unable to:
- Enroll certificates: new, renew, or reissues
- Add domains and organizations
- Submit validation requests
- View reports, revoke certificates, and create profiles
- Add users, view certificates, and download certificates
DigiCert will be unable to issue certificates for PKI Platform 8 and its corresponding API.
APIs will return a "cannot connect" error.
Certificate enrollments that receive "cannot connect" errors must be resubmitted after DigiCert restores services.

The PKI Platform 8 maintenance only affects PKI Platform 8. It does not affect any other DigiCert platforms or services.

What can I do?

Plan accordingly:

Schedule high-priority orders, renewals, and reissues before or after the maintenance window.
Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.
To get live maintenance updates, subscribe to the DigiCert Status page. This subscription includes email alerts for when maintenance begins and when it ends.
For scheduled maintenance dates and times, see DigiCert 2021 scheduled maintenance.

Services will be restored as soon as we complete our maintenance.

September 8, 2021

DCV expiration dates OV validation list domains domain info DCV CertCentral domain validation API filters list subaccount domains expiring domains count Services API

CertCentral Services API: Domain management enhancements

To make it easier to maintain active validation for domains in your account, we added new filters, response fields, and a new endpoint to our domain management APIs. With these updates, you can:

Find domains with OV and EV validation reuse periods that are expired or expiring soon.
Find domains affected by the September 27, 2021 policy change to shorten OV domain validation reuse periods.*

Enhanced APIs: List domains and List subaccount domains

We made the following enhancements to the List domains and List subaccount domains endpoints:

Added validation filter values
On September 27, 2021*, existing OV domain validation reuse periods will shorten to 397 days from the date validation was completed. For some domains, the reduced validation period will have already expired, or will expire before the end of 2021.

To help you find these domains so you can resubmit them for validation, we added a new value for the validation filter: shortened_by_industry_changes. We also added filter values to help you find domains with OV or EV domain validation periods that expire in different timeframes. The new validation filter values include:
- shortened_by_industry_changes
- ov_expired_in_last_7_days
- ov_expiring_within_7_days
- ov_expiring_within_30_days
- ov_expiring_from_31_to_60_days
- ov_expiring_from_61_to_90_days
- ev_expired_in_last_7_days
- ev_expiring_within_7_days
- ev_expiring_within_30_days
- ev_expiring_from_31_to_60_days
- ev_expiring_from_61_to_90_days
Added fields to the dcv_expiration object
You can now submit a request that returns the following fields in the dcv_expiration object: ov_shortened, ov_status, ev_status, and dcv_approval_date. These fields only return if your request includes the newly added query string filters[include_validation_reuse_status]=true.
Added dcv_method filter
We added the option to filter domains by domain control validation (DCV) method. To use this filter, append the query string filters[dcv_method]={{value}} to the request URL. Possible values are email, dns-cname-token, dns-txt-token, http-token, and http-token-static.

Enhanced API: Domain info
You can now submit a request to the Domain info endpoint that returns the following fields in the dcv_expiration object: ov_shortened, ov_status, ev_status, and dcv_approval_date. These fields only return if your request includes the newly added query string include_validation_reuse_status=true.

New API: Expiring domains count

We added a new endpoint that returns the number of domains in your account with expired or expiring OV or EV domain validations. For more information, see Expiring domains count.

*On September 27, 2021, the expiration date for existing OV domain validations will shorten to 397 days from the date validation was completed. Learn more about this policy change: Domain validation changes in 2021.

September 7, 2021

Services API CertCentral order details alternative order id

CertCentral Services API: Get orders by alternative order ID

We created a new endpoint to make it easier to get certificate order details using alternative order IDs: Get orders by alternative order ID. This endpoint returns the order ID, certificate ID, and order status of certificate orders with the alternative_order_id you provide in the URL path.

August 23, 2021

DV Certificates Revoke reissued certificates

We fixed a bug that changes the reissue workflow for DV certificates. After August 24, 2021, when you reissue a DV certificate and change or remove SANs, the original certificate and any previously reissued or duplicate certificates are revoked after a 72-hour delay.

August 20, 2021

domains Wildard SANs feature update

We updated the behavior for products that can use wildcard domain names and fully qualified domain names (FQDNs) in a certificate. After August 23, 2021 certificates including the wildcard domain name will only secure the FQDN and all of its same-level domain names without charge.

Subject Alternative Names (SANs) that are not at the same level as the wildcard domain name will be considered additional to the wildcard coverage. For example, a wildcard certificate for *.digicert.com will only allow FQDNs like one.digicert.com, two.digicert.com, and three.digicert.com to be included as SANs in the certificate without charge.

August 7, 2021

CIS api DigiCert One Direct Cert Portal ACME scheduled maintenance SCEP ACME agent automation CertCentral DigiCert ONE Managers discovery

Upcoming Schedule Maintenance

On August 7, 2021, between 22:00 – 24:00 MDT (August 8, 2021, between 04:00 – 06:00 UTC), DigiCert will perform scheduled maintenance. Although we have redundancies to protect your service, some DigiCert services may be unavailable during this time.

What can I do?

Plan accordingly:

Schedule high-priority orders, renewals, and reissues before or after the maintenance window.
To get live maintenance updates, subscribe to the DigiCert Status page. This subscription includes email alerts for when maintenance starts and when maintenance ends.
For scheduled maintenance dates and times, see DigiCert 2021 scheduled maintenance.

Services will be restored as soon as we complete the maintenance.

July 12, 2021

CertCentral VMC Verified Mark Certificates new endpoints updated endpoints Services API

Verified Mark Certificates available now.

Verified Mark Certificates (VMCs) are a new type of certificate that allow companies to place a certified brand logo next to the “sender” field in customer inboxes—visible before the message is opened—acting as confirmation of your domain’s DMARC status and your organization’s authenticated identity. Learn more about VMC certificates.

To disable or change availability of VMC in your account, visit the Product Settings page.

Note: If you do not see VMCs in your account, it may be because we are not offering the product to all account types yet. It is also possible that the product is available, but one of your CertCentral account’s administrators turned the product off in Product Settings.

CertCentral Services API: Verified Mark Certificate enhancements

To help you manage your Verified Mark Certificate (VMC) orders in your API integrations, we’ve made the following updates to the CertCentral Services API.

New endpoints:

Order Verified Mark Certificate
We added a new endpoint—Order Verified Mark Certificate—you can use to create or renew a VMC order.
Update VMC order
We added a new endpoint—Update VMC order—you can use to update the trademark country code or registration number for a pending VMC order.
Validate VMC logo format (SVG or encoded)
We added two new endpoints—Validate logo format (SVG) and Validate logo format (encoded)—you can use to check if the format of an SVG file is compatible with the requirements for VMC.
Upload VMC logo (SVG or encoded)
We added two new endpoints—Upload VMC logo (SVG) and Upload VMC logo (encoded)—you can use to upload a logo for a pending VMC order.
Get VMC logo
We added a new endpoint—Get VMC logo—you can use to download the logo for a VMC order.

Updated endpoints:

Order info
We updated the Order info endpoint to return a vmc object with the trademark country code, registration number, and logo information for VMC orders.
Email certificate
We updated the Email certificate endpoint to support emailing a copy of your issued VMC.

To learn more about managing VMC certificates from your API integrations, visit Verified Mark Certificate workflow.

July 10, 2021

CIS api DigiCert One CertCentral Direct Cert Portal ACME scheduled maintenance SCEP Direct Cert Portal API ACME agent automation Discovery API Services API ACME agent automation API discovery DigiCert ONE Managers

Upcoming schedule maintenance

On July 10, 2021, between 22:00 – 24:00 MDT (July 11, 2021, between 04:00 – 06:00 UTC), DigiCert will perform scheduled maintenance.

During maintenance, for approximately 60 minutes, the services specified below under Service downtime will be down. Due to the scope of the maintenance, the services specified below under Service interruptions may experience brief interruptions during a 10-minute window.

Service downtime

From 22:00 – 23:00 MDT (04:00 – 05:00 UTC), while we perform database-related maintenance, the following services will be down for up to 60 minutes:

CertCentral / Services API
Direct Cert Portal / API
ACME
Discovery / API
ACME agent automation / API

API Note: Affected APIs will return “cannot connect” errors. Certificate-related API requests that return a “cannot connect” error message during this window will need to be placed again after services are restored.

Service interruptions

During a 10-minute window, while we perform infrastructure maintenance, the following DigiCert service may experience brief service interruptions:

Certificate Issuing Service (CIS)
Simple Certificate Enrollment Protocol (SCEP)
DigiCert ONE
Automation service
CT Log monitoring
Vulnerability assessment
PCI compliance scans

Services not affected

These services are not affected by the maintenance activities:

PKI Platform 8
PKI Platform 7
QuoVadis TrustLink

What can I do?

Plan accordingly:

Schedule high-priority orders, renewals, and reissues before or after the maintenance window.
Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.
To get live maintenance updates, subscribe to the DigiCert Status page. This subscription includes email alerts for when maintenance starts and when maintenance ends.
For scheduled maintenance dates and times, see DigiCert 2021 scheduled maintenance.

Services will be restored as soon as the maintenance is completed.

June 5, 2021

CIS api DigiCert One CertCentral PKI Platform 8 Direct Cert Portal PKI Platform 7 QuoVadis scheduled maintenance SCEP Services API

Upcoming scheduled maintenance

On June 5, 2021, between 22:00 – 24:00 MDT (June 6, 2021, between 04:00 – 06:00 UTC), DigiCert will perform scheduled maintenance. Although we have redundancies to protect your service, some DigiCert services may be unavailable during this time.

What can I do?

Plan accordingly:

Schedule high-priority orders, renewals, and reissues before or after the maintenance window.
To get live maintenance updates, subscribe to the DigiCert Status page. This subscription includes email alerts for when maintenance starts and when maintenance ends.
For scheduled maintenance dates and times, see DigiCert 2021 scheduled maintenance.

Services will be restored as soon as we complete the maintenance.

June 3, 2021

OV SSL certificates domain validation EV SSL certificates Services API order endpoints

CertCentral Services API: Improved domains array in OV/EV order response

To make it easier to see how the Services API groups the domains on your OV/EV TLS certificate orders for validation, we added a new response parameter to the endpoints for submitting certificate order requests: domains[].dns_name.*

The dns_name parameter returns the common name or SAN of the domain on the order. To prove you control this domain, you must have an active validation for the domain associated with the domains[].name and domains[].id key/value pairs.

Example OV certificate order

JSON payload:

JSON response:

The Services API returns the domains[].dns_name parameter in the JSON response for the following endpoints:

*Note: Only order requests for OV/EV TLS certificates return a domains array.

May 27, 2021

industry standards root certificates certificate signing request reissued certificates new certificates 3072-bit eToken ECC renewed certificates HSM code signing certificates RSA intermediate CA certificates ev code signing certificates industry changes

Industry moves to 3072-bit key minimum RSA code signing certificates

Starting May 27, 2021, to comply with new industry standards for code signing certificates, DigiCert will make the following changes to our code signing certificate process.

Stop issuing 2048-bit key code signing certificates
Only issue 3072-bit key or stronger code signing certificates
Use 4096-bit key intermediate CA and root certificates to issue our code signing certificates.

See Appendix A in the Baseline Requirements for the Issuance and Management of Publicly-Trusted Code Signing Certificates to learn more about these industry changes,

How do these changes affect my existing 2048-bit key certificates?

All existing 2048-bit key size code signing certificates issued before May 27, 2021, will remain active. You can continue to use these certificates to sign code until they expire.

What if I need 2048-bit key code signing certificates?

Take these actions, as needed, before May 27, 2021:

Order new 2048-bit key certificates
Renew expiring 2048-bit key certificates
Reissue 2048-bit key certificates

How do these changes affect my code signing certificate process starting May 27, 2021?

Reissues for code signing certificate

Starting May 27, 2021, all reissued code signing certificates will be:

3072-bit key or stronger. See eTokens for EV code signing certificates and HSMs for EV code signing certificates below.
Automatically issued from new intermediate CA and root certificates. See New ICA and root certificates below.

New and renewed code signing certificates

Starting May 27, 2021, all new and renewed code signing certificates will be:

3072-bit key or stronger. See eTokens for EV code signing certificates and HSMs for EV code signing certificates below.
Automatically issued from new intermediate CA and root certificates. See New ICA and root certificates below.

CSRs for code signing certificates

Starting May 27, 2021, you must use a 3072-bit RSA key or larger to generate all certificate signing requests (CSR). We will no longer accept 2048-bit key CSRs for code signing certificate requests.

eTokens for EV code signing certificates

Starting May 27, 2021, you must use an eToken that supports 3072-bit keys when you reissue, order, or renew an EV code signing certificate.

When you order or renew an EV code signing certificate, DigiCert includes a 3072-bit eToken with your purchase. DigiCert provides an eToken with the Preconfigured Hardware Token provisioning option.
When your reissue your EV code signing certificate reissues, you must provide your own 3072-bit eToken. If you don't have one, you will be unable to install your reissued certificate on your eToken.
You must have a FIPS 140-2 Level 2 or Common Criteria EAL4+ compliant device.

HSMs for EV code signing certificates

Starting May 27, 2021, you must use an HSM that supports 3072-bit keys. Contact your HSM vendor for more information.

New ICA and root certificates

Starting May 27, 2021, DigiCert will issue all new code signing certificates from our new RSA and ECC intermediate CA and root certificates (new, renewed, and reissued).

RSA ICA and root certificates:

DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
DigiCert Trusted Root G4

ECC ICA and root certificates:

DigiCert Global G3 Code Signing ECC SHA384 2021 CA1
DigiCert Global Root G3

No action is required unless you practice certificate pinning, hard code certificate acceptance, or operate a trust store.

If you do any of these things, we recommend updating your environment as soon as possible. Stop pinning and hard coding ICAs or make the necessary changes to ensure certificates issued from the new ICA certificates are trusted (in other words, they can chain up to their issuing ICA and trusted root certificates).

References

To learn more about the Code Signing certificate changes, see Code signing changes in 2021.
To get a copy of the new intermediate CA and root certificates, see DigiCert Trusted Root Authority Certificates

If you have questions or concerns, please contact your account manager or our support team.

May 12, 2021

Site Seals bug fix site seal code

We fixed a bug that allowed site seals to display on fully-qualified domain names (FQDN) that were not included in the certificate.

Now, seals only display when there is an exact FQDN match.

May 1, 2021

CIS api DigiCert One CertCentral PKI Platform 8 Direct Cert Portal PKI Platform 7 QuoVadis ACME scheduled maintenance SCEP Direct Cert Portal API ACME agent automation Discovery API Services API TrustLink ACME agent automation API DigiCert ONE Managers

Upcoming scheduled maintenance

On May 1, 2021, between 22:00 – 24:00 MDT (May 2, 2021, between 04:00 – 06:00 UTC), DigiCert will perform scheduled maintenance.

For up to 10 minutes total during the 2-hour window, we will be unable to issue certificates for the DigiCert platforms, their corresponding APIs, immediate certificate issuance, and those using the APIs for other automated tasks.

Affected services:

CertCentral / Service API
ACME
ACME agent automation / API
Direct Cert Portal / API
Certificate Issuing Service (CIS)
Simple Certificate Enrollment Protocol (SCEP)
QuoVadis TrustLink

Services not affected

PKI Platform 8
PKI Platform 7
DigiCert ONE managers

API note:

APIs will return "cannot connect" errors.
Certificate requests submitted during this window that receive a "cannot connect" error message will need to be placed again after services are restored.

What can I do?

Plan accordingly:

Schedule high-priority orders, renewals, and reissues before or after the maintenance window.
Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.
To get live maintenance updates, subscribe to the DigiCert Status page. This subscription includes email alerts for when maintenance starts and when maintenance ends.
For scheduled maintenance dates and times, see DigiCert 2021 scheduled maintenance.

Services will be restored as soon as we complete the maintenance.

April 29, 2021

deprecated parameter validation status domain validation Services API Domain info

CertCentral Services API: Domain validation status in Domain info response

To make it easier to get a comprehensive validation status for your domains, DigiCert is deprecating the status parameter in the Domain info response. To ensure you are getting complete and accurate status information for each different validation type on your domains, you should use the validations array when you call the Domain info endpoint from your API integrations instead.

Note: The Domain info endpoint will continue to return a status parameter value.

Background

In the Domain info response, the status parameter is designed to return a single string value. When DigiCert offered fewer products, a single value in the API was enough to represent the validation status for your domains.

Now, DigiCert offers certificate products that use many different types of validation. Different validation types have different requirements, and these requirements change as industry standards evolve. As DigiCert validates your domains for different types of certificate issuance, each type of validation that you request can be in a different state.

For example:

The OV validation for a domain may be completed.
The EV validation for the same domain may be expired.

As a result, DigiCert can no longer use a single value to return comprehensive information about the validation status for a domain.

Instead of relying on a single value, use the Domain info endpoint to request a validations array – a list of objects with status information for each type of validation on the domain. To get this data, include the query parameter include_validation=true when you submit your request.

For example:

Example validations array in domain info response data

Learn more about using the Domain info endpoint

April 28, 2021

Smart Seal Site Seals Services API CertCentral Site seal information page secure site Secure Site Pro

CertCentral Services API: Site seal enhancements

To help you manage your site seals in your API integrations, we’ve made the following updates to the CertCentral Services API:

New endpoint: Upload site seal logo
We added a new endpoint – Upload site seal logo – you can use to upload your company logo for use with a DigiCert Smart Seal. This logo appears in the site seal on your website. Note: Only Secure Site and Secure Site Pro SSL/TLS certificates support the option to display your company logo in the site seal.
New endpoint: Update site seal settings
We added a new endpoint – Update site seal settings – you can use to change the appearance of your site seal and the information that displays on the site seal information page.
Updated endpoint: Get site seal settings
We updated the Site seal settings endpoint to return information about each property you can customize with the Update site seal settings endpoint.

Related topics:

April 26, 2021

certificate id serial number revoke certificate endpoint enhancement Services API

CertCentral Services API: Revoke certificate by serial number

To make it easier to manage certificates from your API integrations, we updated the Revoke certificate endpoint path to accept the certificate ID or the serial number of the certificate to revoke. Previously, the Revoke certificate endpoint path only accepted the certificate ID.

Example Revoke certificate path using the certificate ID:

https://www.digicert.com/services/v2/certificate/{{certificate_id}}/revoke

Example Revoke certificate path using the certificate serial number:

https://www.digicert.com/services/v2/certificate/{{serial_number}}/revoke

Learn more about using the Revoke certificate endpoint

April 20, 2021

Smart Seal DigiCert Smart Seal secure site pro certificates New secure site certificates site seal popup Site seal information page

DigiCert Smart Seal now available with Secure Site Pro and Secure Site TLS/SSL certificates

We are happy to announce the release of our new site seal, the DigiCert Smart Seal. The new Smart Seal works with your Secure Site Pro and Secure Site TLS certificates to provide your customers with the assurance that your website is secured by DigiCert—one of the most recognized names in TLS/SSL security.

To make the Smart Seal more interactive and engaging, we added a hover-over effect, animation, and the ability to display your company logo in the hover-over effect and animation feature.

Hover-over effect
When visitors hover on the seal, it magnifies and displays additional data.
Animation
When visitors come to your site, the seal slowly evolves between the seal and the additional details.
Logo*
Add your logo to the hover-over effect and the site seal animation. Your logo appears with additional details.
*DigiCert must approve your logo before it appears in the Smart Seal on your website.

Note: You must install the new site seal code on your website to use the Smart Seal image, the hover-over effect, the animation, and add your logo to the site seal.

Improved site seal information page

Secure Site and Secure Site Pro certificates allow you to add information to the site seal information page. This additional information enables site visitors to see the steps you are taking to ensure your website is secure.

Malware scan
Site visitors can see that you monitor your website for viruses and malware.
CT log monitoring*
Site visitors can see that you monitor the certificate transparency (CT) logs, allowing you to act quickly if a bad actor issues a fraudulent certificate for your domain
Blocklist
Site visitors can see your business is clear from government and country-specific blocklists.
PCI compliance scan*
Site visitors can see that you monitor your website to ensure it is compliant with PCI DDS Standards.
Verified customer
Site visitors can see how long you've been using one of the most trusted names in TLS/SSL certificates to protect your websites.

*Note: CT log monitoring is only available with Secure Site Pro certificates. PCI compliance scan is only available with Secure Site Pro and Secure Site EV certificates.

Learn how to configure and install your Smart Seal and site seal information page

April 3, 2021

CIS api DigiCert One CertCentral PKI Platform 8 Direct Cert Portal PKI Platform 7 QuoVadis ACME scheduled maintenance Direct Cert Portal API ACME agent automation Discovery API Services API TrustLink ACME agent automation API discovery DigiCert ONE Managers

Upcoming scheduled maintenance

On April 3, 2021, between 22:00 – 24:00 MDT (April 4, 2021, between 04:00 – 06:00 UTC), DigiCert will perform scheduled maintenance.

During maintenance, for up to 10 minutes, we will be unable to issue certificates for the DigiCert platforms, their corresponding APIs, immediate certificate issuance, and those using the APIs for other automated tasks.

Affected services

For approximately 10 minutes, DigiCert will be unable to issue certificates for these services and APIs:

CertCentral / Service API
ACME
ACME agent automation / API
Direct Cert Portal / API
Certificate Issuing Service (CIS)
Simple Certificate Enrollment Protocol (SCEP)
QuoVadis TrustLink

Services not affected

These services are not affected by the maintenance activities:

PKI Platform 8 / API
PKI Platform 8 SCEP
PKI Platform 7 / API
PKI Platform 7 SCEP
DigiCert ONE managers

API note:

APIs will return "cannot connect" errors.
Certificate requests submitted during this window that receive a "cannot connect" error message will need to be placed again after services are restored.

What can I do?

Plan accordingly:

Schedule high-priority orders, renewals, and reissues before or after the maintenance window.
Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.
To get live maintenance updates, subscribe to the DigiCert Status page. This subscription includes email alerts for when maintenance starts and when maintenance ends.
For scheduled maintenance dates and times, see DigiCert 2021 scheduled maintenance.

Services will be restored as soon as we complete the maintenance.

March 20, 2021

APIs critical maintenance Protocols PKI Platform 8

PKI Platform 8 Critical Maintenance

On March 20, 2021, between 18:00 – 24:00 MST (March 21, 2021, between 00:00 – 06:00 UTC), DigiCert will perform critical maintenance on PKI Platform 8. During maintenance, the PKI Platform 8 and its corresponding API will be down for approximately six hours.

How does this affect me?

For approximately six hours:

You will be unable to sign in to your PKI Platform 8 to perform in-console certificate lifecycle tasks.
You will be unable to use any of your PKI Platform 8 corresponding APIs or protocols (for example, SOAP, REST, SCEP, Intune SCEP, and EST) to perform certificate lifecycle operations.
You will be unable to:
- Enroll certificates: new, renew, or reissues
- Add domains and organizations
- Submit validation requests
- View reports, revoke certificates, and create profiles
- Add users, view certificates, and download certificates
DigiCert will be unable to issue certificates for PKI Platform 8 and its corresponding API.
APIs will return a "cannot connect" error.
Certificate enrollments that receive "cannot connect" errors must be resubmitted after DigiCert restores services.

Service not affected:

Critical maintenance will not affect these services:

PKI Platform 7
DigiCert ONE
CertCentral / Service API
Direct Cert Portal / API
Certificate Issuing Service (CIS)
CertCentral Simple Certificate Enrollment Protocol (SCEP)
QuoVadis TrustLink
Discovery / API
ACME
ACME agent automation / API

What can I do?

Plan accordingly:

Schedule your high-priority orders, renewals, and reissues issues around the critical maintenance.
Expect interruptions if you use APIs and protocols for immediate certificate issuance and other automated tasks.
To get live maintenance updates, subscribe to the DigiCert Status page. This includes emails for when maintenance starts and when maintenance ends.
For critical and scheduled maintenance dates and times, see DigiCert 2021 scheduled maintenance.

Services will be restored as soon as we complete the maintenance.

March 17, 2021

Pay invoice page request parameter CertCentral pay invoice Purchase order and invoice page New enhancement Services API purchase orders View. balance endpoint

CertCentral: New purchase order and invoice system

We are happy to announce that we are using a new purchase order and invoice system in CertCentral. We've made several changes to make it easier for you to manage your purchase orders and invoices.

The next time you sign in to CertCentral, you will see two new menu options under Finances: Pay Invoice and Purchase Orders and Invoices. Additionally, we now send all invoice emails from our new invoice system.

Pay invoices page

When you open the Pay invoice page, all invoices are preselected by default. You can choose to pay them all or select those you want to pay.

Note: If you use divisions with separate funds, when you open the Pay invoice page, all invoices for the top-level division are selected by default. Use the For dropdown to view the unpaid invoices by division in your account.

Purchase orders and invoices page

On the new Purchase orders and invoices page, you can create a purchase order (PO). In the Purchaseorders table, you can view pending and rejected POs. After we approve a PO, it becomes an invoice and moves to the Invoices table.

Note: If you use divisions with separate funds, you see the Purchase order and invoice summary page. When you click a division name, it opens the Purchase order and invoices page, where you can view the POs and invoices for that division.

In the Invoices column of the Invoices table, you can see the invoice number and the PO from which we generated it. You can download a copy of the invoice or pay the invoice. When you click Pay invoice, we take you to the Pay invoice page to pay the invoice and make the funds available in your account.

Existing PO and Invoice migration

Autogenerated invoices
When we migrated our billing system, we did not migrate your autogenerated invoices. At the end of March, we will autogenerate a new invoice for your total amount owed. However, you can make a payment on your account at any time on the Deposit Funds page (in the left main menu, go to Finances > Deposit Funds).
Invoices generated from approved purchase orders
When we migrated your invoices to the new system, we gave them new invoice numbers. However, the associated purchase order number remains the same. If you have questions or trouble finding an invoice, please contact your account manager or DigiCert Accounts Receivable. Make sure to include your PO number and the original invoice number in the email.

CertCentral Services API: View balance enhancements

To help you track financial data in your API integrations, we updated the View balance endpoint to return the following data:

unpaid_invoice_balance
Unpaid invoice balance
negative_balance_limit
Amount the balance can go into the negative
used_credit_from_other_containers
Amount owed by other divisions in the account (for accounts with separate division funds enabled)
total_available_funds
Total funds available for future purchases

Example response:

For more information, see the documentation for the View balance endpoint.

March 12, 2021

reissues flexible certificates new endpoints DV SSL certificates intermediate CA certificates updated endpoints ICA selection New auto-reissue Services API Multi-year plan

CertCentral Services API: Auto-reissue support for Multi-year Plans

We are happy to announce that the CertCentral Services API now supports automatic certificate reissue requests (auto-reissue) for Multi-year Plans. The auto-reissue feature makes it easier to maintain SSL/TLS coverage on your Multi-year Plans.

You can enable auto-reissue for individual orders in your CertCentral account. When auto-reissue is enabled, we automatically create and submit a certificate reissue request 30 days before the most recently issued certificate on the order expires.

Enable auto-reissue for a new order

To give you control over the auto-reissue setting for new Multi-year Plans, we added a new request parameter to the endpoints for ordering DV, OV, and EV TLS/SSL certificates: auto_reissue.

By default, auto-reissue is disabled for all orders. To enable auto-reissue when you request a new Multi-year Plan, set the value of the auto_reissue parameter to 1 in the body of your request.

Example request body:

Example order request body with auto reissue enabled

Note: In new order requests, we ignore the auto_reissue parameter if:

The product does not support Multi-year Plans.
Multi-year Plans are disabled for the account.

Update auto-reissue setting for existing orders

To give you control over the auto-reissue setting for existing Multi-year Plans, we added a new endpoint: Update auto-reissue settings. Use this endpoint to enable or disable the auto-reissue setting for an order.

Get auto-reissue setting for an existing order

To help you track the auto-reissue setting for existing certificate orders, we added a new response parameter to the Order info endpoint: auto_reissue. The auto_reissue parameter returns the current auto-reissue setting for the order.

ICA certificate chain selection for public DV flex certificates

We are happy to announce that select public DV certificates now support Intermediate CA certificate chain selection:

GeoTrust DV SSL
Thawte SSL 123 DV
RapidSSL Standard DV
RapidSSL Wildcard DV
Encryption Everywhere DV

You can add a feature to your CertCentral account that enables you to control which DigiCert ICA certificate chain issues the end-entity certificate when you order these public DV products.

This feature allows you to:

Set the default ICA certificate chain for each supported public DV certificate.
Control which ICA certificate chains certificate requestors can use to issue their DV certificate.

Configure ICA certificate chain selection

To enable ICA selection for your account:

Contact your account manager or our Support team.
Then, in your CertCentral account, in the left main menu, go to Settings > Product Settings.
On the Product Settings page, configure the default and allowed intermediates for each supported and available DV certificate.

For more information and step-by-step instructions, see the Configure the ICA certificate chain feature for your public TLS certificates.

DigiCert Services API: DV certificate support for ICA certificate chain selection

In the DigiCert Services API, we made the following updates to support ICA selection in your DV certificate order requests:

Updated the Product list endpoint
After adding the ICA certificate selection chain feature to your account, the Product list endpoint returns each ICA certificate's name and ID available to issue end-entity certificates for the supported DV products (see allowed_ca_certs).
Updated the Product limits endpoint
After you configure the allowed and default ICA certificates for a DV product, the Product limits endpoint returns the default issuing ICA (default_intermediate) and allowed issuing ICAs (allowed_intermediates) that certificate requestor with a given container and user role assignment can select.
Updated the Product info endpoint
The Product list endpoint now returns the name, ID, and certificate chain information for the issuing ICAs you can select when you request a given product (see allowed_ca_certs).
Added support for ICA chain selection to these DV certificate order requests:

Pass in the issuing ICA certificate's ID as the value for the ca_cert_id parameter in your order request's body.

Example DV certificate request:

For more information about using ICA selection in your API integrations, see DV certificate lifecycle – Optional ICA selection.

March 6, 2021

Upcoming scheduled maintenance

On March 6, 2021, between 22:00 – 24:00 MST (March 7, 2021, between 05:00 – 07:00 UTC), DigiCert will perform scheduled maintenance.

Although we have redundancies in place to protect your service, some DigiCert services may be unavailable during this time.

What can you do?

Please plan accordingly.

Schedule your high-priority orders, renewals, and reissues around the maintenance window.
To get live maintenance updates, subscribe to the DigiCert Status page. The subscription includes emails to let you know when maintenance starts and ends.
For scheduled maintenance dates and times, see DigiCert 2021 scheduled maintenance.

Services will be restored as soon as the maintenance is completed.

February 24, 2021

orders page Assumed name address organization ID Order details page New Domain page new division page client certificate request forms edit division page enhancement

CertCentral: Improved Organizations search on Orders page

To make it easier to find the certificates ordered for a specific organization in your account, we updated the Organizations search on the Orders page.

We now display three new pieces of information about each organization. This information is helpful when you have organizations with similar or identical names:

Assumed name (if used)
Organization ID
Address

See for yourself

In the left main menu, go to Certificates > Orders. On the Orders page, expand Show advanced search. In the Organizations dropdown, search for an organization. You will now see the following organization information: name, assumed name (if used), organization ID, and address.

Note: You can also type the organization name.

CertCentral: Improved Order details page

To make it easier to identify the organization a certificate was ordered for in your account, we updated the Organization section on the Order details page.

We now display two new pieces of information about each organization:

Assumed name (if used)
Organization ID

This information is helpful when you have organizations with similar or identical names.

See for yourself

In the left main menu, go to Certificates > Orders. On the Orders page, click the certificate's order number. On the Order details page, in the Organization section, you will now see the organization name, organization ID, and assumed name, if used.

CertCentral: Improved organization option on New Domain page

To make it easier to associate a new domain with an organization in your account, we updated the Organization option on the New Domain page.

We now display three new pieces of information about each organization. This information is helpful when you have organizations with similar or identical names:

Assumed name (if used)
Organization ID
Address

We also added the ability to type the name of the organization you are searching for.

See for yourself

In the left main menu, go to Certificates > Domains. On the Domains page, click New Domain. On the New Domain page, in the Organization dropdown, search for an organization. You will now see the following organization information: name, assumed name (if used), and organization ID. You can also type the organization name.

For more information about managing domains in CertCentral, see Manage domains.

CertCentral: Improved Specified organizations option on New and Edit Division pages

To make it easier to specify the organizations a division can order certificates for in your account, we updated the Specific organizations option on the New Division and Edit Division pages.

We now display three new pieces of information about each organization. This information is helpful when you have organizations with similar or identical names:

Assumed name (if used)
Organization ID
Address

We also added the ability to type the name of the organization you are searching for.

See for yourself

In the left main menu, go to Account > Divisions. On the Divisions page, click New Division. On the New Division page under Certificates can be ordered for, select Specific organizations. When you search for an organization in the dropdown, you will see the following organization information: name, assumed name (if used), organization ID, and address. You can also type the organization name.

For more information about divisions in CertCentral, see Division management.

CertCentral: Improved add organization option on client certificate request forms

To make it easier to order a client certificate for an organization in your account, we updated the Organization option in the client certificate request forms.

We now display three new pieces of information about each organization. This information is helpful when you have organizations with similar or identical names:

Assumed name (if used)
Organization ID
Address

We also added the ability to type the name of the organization you are searching for.

See for yourself

The next time you request a client certificate, click Organization. In the Organization dropdown, you will see the following organization information: name, assumed name (if used), ID, and address. You can also type the organization name.

February 19, 2021

domains Services API subaccounts organizations

CertCentral Services API: New subaccount endpoints

To make it easier to manage your subaccounts, we added two new endpoints to the CertCentral Services API: List subaccount domains and List subaccount organizations.

List subaccount domains – Use this endpoint to get information about the domains in a subaccount.
List subaccount organizations – Use this endpoint to get information about the organizations in a subaccount.

February 17, 2021

Services API subaccounts Multi-year plan certcentral

CertCentral Services API: Improved Create subaccount endpoint

To give you more control over your subaccounts, we added two new request parameters to the Create subaccount endpoint: child_name and max_allowed_multi_year_plan_length.

child_name – Use this parameter to set a custom display name for the subaccount.
max_allowed_multi_year_plan_length – Use this parameter to customize the maximum length of Multi-year Plan orders for the subaccount.

Example JSON request:

After creating a subaccount, use the Subaccount info endpoint to view a subaccount's "display" name and allowed Multi-year Plan order length.

February 16, 2021

Partner Lab critical maintenance PKI Platform 8

PKI Platform 8 Partner Lab Critical Maintenance

On February 16, 2021, between 18:00 – 22:00 MST (February 17, 2021, between 01:00 – 05:00 UTC), DigiCert will perform critical maintenance on the PKI Platform 8 Partner Lab.

How does this affect me?

For approximately four hours,

You will be unable to access the Partner Lab and its corresponding API.
You will be unable to submit certificate requests.
You will be unable to access the DigiCert PKI Platform 8 portals through Partner Lab.
DigiCert will be unable to issue test certificates for Partner Lab via the API.

This does not affect:

PKI Platform 8 – Production
PKI Platform 7
DigiCert ONE

What can I do?

Plan accordingly.

Schedule your Partner Lab testing around the critical maintenance, including ordering, renewing, and reissuing test certificates.
Expect interruptions if you use the Partner Lab API for testing immediate certificate issuance and automated tasks.
For critical and scheduled maintenance dates and times, see DigiCert 2021 scheduled maintenance.

Services will be restored as soon as we complete the maintenance.

February 8, 2021

PKI Platform 8 Partner Lab critical maintenance

PKI Platform 8 Partner Lab Critical Maintenance

On February 8, 2021, between 18:00 – 24:00 MST (February 9, 2021, between 01:00 – 07:00 UTC), DigiCert will perform critical maintenance on the PKI Platform 8 Partner Labs.

How does this affect me?

For approximately six hours,

You will be unable to access the Partner Lab and its corresponding API.
You will be unable to submit certificate requests or access any of the DigiCert PKI Platform 8 portals through Partner Lab.
DigiCert will be unable to issue test certificates for the Partner Lab platform via any API.

This does not affect:

PKI Platform 8 – Production
PKI Platform 7
DigiCert ONE

What can I do?

Plan accordingly.

Schedule your Partner Lab testing around the critical maintenance, including ordering, renewing, and reissuing test certificates.
Expect interruptions if you use the Partner Lab API for testing immediate certificate issuance and automated tasks.
For critical and scheduled maintenance dates and times, see DigiCert 2021 scheduled maintenance.

Services will be restored as soon as we complete the maintenance.

February 6, 2021

certificate issuance DigiCert One CertCentral validation Direct Cert Portal QuoVadis QV Trust Link ACME SCEP Direct Cert Portal API ACME agent automation Discovery API Services API ACME agent automation API discovery MSSL CIS CWS

Upcoming scheduled maintenance

On February 6, 2021 between 22:00 – 24:00 MST (February 7, 2021 between 05:00 – 07:00 UTC), DigiCert will perform critical maintenance.

During maintenance, the services listed below will be down approximately 60 minutes. However, due to the scope work happening, there may be additional service interruptions during the two-hour maintenance window.

You will be unable to sign in to these platforms and access these services and APIs:

CertCentral / Service API
Direct Cert Portal / Direct Cert Portal API
Certificate Issuing Service (CIS)
Simple Certificate Enrollment Protocol (SCEP)
Discovery / API
ACME
ACME agent automation / API

DigiCert will be unable to issue certificates for these services and APIs:

CertCentral / Services API
Direct Cert Portal / Direct Cert Portal API
Certificate Issuing Service (CIS)
Simple Certificate Enrollment Protocol (SCEP)
Complete Website Security (CWS) / API
Managed PKI for SSL (MSSL) / API
QV Trust Link

These services will not be affected by the maintenance activities:

PKI Platform 8
PKI Platform 7
DigiCert ONE managers

API note:

Services to process certificate-related transactions will be unavailable, such as, requesting certificates, adding domains, and validation requests.
APIs will return “cannot connect” errors.
Certificate requests placed during this window that receive a "cannot connect" error message will need to be placed again after services are restored.

What can I do?

Plan accordingly:

Schedule high-priority orders, renewals, and reissues around the maintenance window.
Expect interruptions if you use APIs for immediate certificate issuance and automated tasks.
Subscribe to the DigiCert Status page to get live updates, .
See the DigiCert 2021 scheduled maintenance for scheduled maintenance dates and times.

Services will be restored as soon as the maintenance is completed.

February 5, 2021

organizations page OV/EV request forms Assumed name address organization ID OV SSL certificaates EV SSL certificates enhancement CertCentral

CertCentral: Improved Organizations page

To make it easier to find your organizations on the Organization page, we now display three new pieces of information about each organization. This additional information is helpful when you have organizations with similar or identical names:

ID
Assumed name (if used)
Address

On the Organizations page, you will now see an Org # column with the organization's ID. You will also see the organization addresses displayed below the names. And, if you use the organization's assumed name, you will see it in parentheses next to the organization name.

Note: Previously, the only way to view this information was to click the organization name and open the organization's details page.

For more information about organizations in CertCentral, see Manage organizations.

CertCentral: Improved add organization option on OV/EV certificate request forms

To make it easier to order a TLS/SSL certificate for an organization in your account, we updated the Add organization option in the OV and EV certificate request forms.

For accounts that issue certificates for 10 or more organizations, we now display three new pieces of organization information. This information is helpful when you have organizations with similar or identical names:

Assumed name (if used)
Organization ID
Address

We also added the ability to type the name of the organization you are searching for.

See for yourself

The next time you request an OV or EV TLS/SSL certificate, click Add organization. In the Organization dropdown, you will see the following organization information: name, assumed name (if used), ID, and address. You can also type the organization name.

January 29, 2021

orders page serial number search options additional emails enhancement CertCentral

CertCentral Orders page: New search options

On the Orders page, we added two new search options:

Certificate serial number
Additional email addresses*

The next time you search for an order, use the certificate's serial number or an additional email address to locate the certificate order.

*Note: When requesting a certificate or after submitting the request, you can add email addresses to a certificate order. This allows others to receive the certificate notification emails for the order, such as the certificate issued email.

To use the new search filters

In the left main menu, go to Certificates > Orders.
On the Orders page, in the Search box, enter a certificate's serial number or an additional email address on the order.
Click Go.

January 25, 2021

OV SSL certificates DV SSL certificates EV SSL certificates New Services API email to dns txt contact prevalidation DCV email method

CertCentral Services API: Improved Domain emails endpoint

To make it easier to find the DNS TXT email addresses that receive validation emails from DigiCert for email-based domain control validation (DCV), we added a new response parameter to the Domain emails endpoint: dns_txt_emails.

The dns_txt_emails parameter returns a list of email addresses found in the DNS TXT record for the domain. These are the email addresses we find in the DNS TXT record on the _validation-contactemail subdomain of the domain being validated.

Example response with new parameter:

To learn more about the newly supported email to DNS TXT contact DCV method:

Change log – January 13, 2021

For information about validating the domains on DV certificate orders:

Domain Control Validation (DCV) methods

For information about validating the domains on OV/EV certificate orders:

January 20, 2021

subaccounts order validity Units CertCentral product settings Services API Multi-year plan

CertCentral Services API: New Unit order details and Cancel unit order endpoints

We are happy to announce we added two new endpoints to the CertCentral Services API: Unit order details and Cancel unit order.

These endpoints allow you to get information about a unit order and to cancel a unit order.

Canceling unit orders:

You can only cancel an order within thirty days of placing it.
You cannot cancel a unit order if the subaccount on the order has spent any of the units.

If you manage a subaccount that uses units as its payment method, you can now use the Services API to do the following tasks:

CertCentral Services API: Improved Product list, Product limits, and Product info endpoints

To make it easier to find the available order validity periods for the digital certificate products in your account, we added new response parameters to the Product list, Product limits, and Product info endpoints.

These new response parameters allow you to view the default and customized order validity limits for each product in your account.

Product list endpoint

The allowed_order_validity_years parameter returns a list of the supported order validity periods for each product in your account.

Product limits endpoint

The allowed_order_lifetimes parameter returns a list of the customized order validity limits for users with different division and user role assignments in your account.

Product info endpoint

The allowed_order_validity_years parameter returns a list of the order validity periods that are available when you request the certificate product.
The custom_order_expiration_date_allowed parameter returns a boolean value that describes whether you can set a custom order expiration date when you request the certificate product.

CertCentral Services API: Improved Subaccount order info endpoint

To make it easier to find information about the validity periods for subaccount orders, we added new response parameters to the Subaccount order info endpoint. These new response parameters allow you to see the order start date, the order end date, and whether the order is a Multi-year Plan.

The is_multi_year_plan parameter returns "1" if the order is a Multi-year Plan.
The order_valid_from parameter returns the start date of the order validity period.
The order_valid_till parameter returns the end date of the order validity period.

Example response with new parameters

January 13, 2021

OV SSL certificates DV SSL certificates EV SSL certificates New email to dns txt contact prevalidation DCV email method

CertCentral: Email to DNS TXT contact DCV method

We are happy to announce that DigiCert now supports sending an email to a DNS TXT contact for email-based domain control validation (DCV). This means you can add email addresses to the DNS TXT record for your domain. DigiCert automatically searches the DNS TXT records and sends the DCV email to those addresses. An email recipient needs to follow the instructions in the email to demonstrate control over the domain.

Note: Previously, DigiCert only sent DCV emails to WHOIS-based and constructed email addresses.

Industry changes

Contact information is becoming increasingly inaccessible in WHOIS records due to privacy policies and other constraints. With the passing of Ballot SC13, the Certificate Authority/Browser (CA/B) forum added Email to DNS TXT contact to the list of supported DCV methods.

DNS TXT record email contacts

To use email to Email to DNS TXT contact DCV method, you must place the DNS TXT record on the _validation-contactemail subdomain of the domain you want to validate. DigiCert automatically searches WHOIS and DNS TXT records and sends the DCV email to the addresses found in those records.

_validation-contactemail.example.com | Default | validatedomain@digicerttest.com

The RDATA value of this text record must be a valid email address. See section B.2.1 DNS TXT Record Email Contact in the Appendix of the baseline requirements.

For more information about Ballot SC13, the CA/Browser forum, and the email to DNS TXT contact DCV method:

January 9, 2021

CIS CWS certificate issuance validation certcentral discovery MSSL Direct Cert Portal QuoVadis QV Trust Link ACME SCEP Direct Cert Portal API ACME agent automation Discovery API Services API ACME agent automation API

Upcoming scheduled maintenance

On January 9, 2021 between 22:00 – 24:00 MST (January 10, 2021 between 05:00 – 07:00 UTC), DigiCert will perform scheduled maintenance.

Although we have redundancies in place to protect your service, some DigiCert services may be unavailable during this time.

What can you do?
Please plan accordingly.

Schedule high-priority orders, renewals, reissues, and duplicate issues outside of the maintenance window.
To get live updates, subscribe to the DigiCert Status page.
For scheduled maintenance dates and times, see DigiCert 2021 scheduled maintenance.

Services will be restored as soon as maintenance is completed.

December 22, 2020

renewal CertCentral email settings API Documentation Services API renewal notifications

CertCentral Services API: Update renewal notification settings

We added a new endpoint to the CertCentral Services API contract: Update renewal notification settings. Use this endpoint to enable or disable renewal notifications for a certificate order.

For more information, visit the reference topic for this endpoint in the Services API documentation:

Update renewal notification settings

December 17, 2020

MyP dcv methods Domains page certcentral product settings customer order lengths public ssl certificates domains.csv report domain expirations enhancement Services API Multi-year plan

Customize the lifetime of your DigiCert Multi-year Plan

We are happy to announce you can now configure a custom lifetime for your Multi-year Plan (MyP) when requesting a TLS certificate in CertCentral. On the TLS certificate request forms, use the new Custom order validity option to customize the length of your TLS certificate order.

Note: Maximum TLS certificate validity is 397 days per industry best practices. See End of 2-Year public SSL/TLS certificates.

Custom Multi-year Plan order lengths can be set in days or by expiration date. Maximum order length is 2190 days (6 years). Minimum order length is 7 days.

Note: Custom orders start on the day we issue the certificate for the order. Order pricing is prorated to match the certificate selected and your custom order length.

To customize your MyP coverage

On the Request certificate form, click Select coverage length.
In the How long do you need to protect your site pop-up window, select Custom order validity.
Under Select your customer order length, configure the lifetime for your Multi-year Plan:
1. Custom order length
  Specify the length of your plan in days.
2. Custom order expiration date
  Select the day you want your plan to expire on.
Click Save.

Updated product settings for public TLS certificates

To provide more control over your certificate order process, we updated the product settings for public TLS certificates. Now, you can determine the allowed Multi-year Plan order lengths users can select from when ordering a public TLS certificate.

On the TLS certificate's product settings page, use the Allowed validity periods option to determine what MyP order lengths appear on a TLS certificate request form: 1 Year, 2 Years, 3 Years, 4 Years, 5 Years, and 6 Years. Note that changes made to product settings apply to requests placed through CertCentral and the Services API.

Note: Previously, the Allowed validity periods option was used to determine the maximum certificate lifetime a user could select when ordering a public TLS certificate. However, with the industry move to 1-year certificate this option is no longer needed for certificate lengths. See End of 2-Year public SSL/TLS certificates.

To configure the allowed MyP order lengths for a TLS certificate

In the left main menu, go to Settings > Product Settings.
On the Product Settings page, select a public TLS certificate. For example, select Secure Site OV.
Under Secure Site OV, in the Allowed validity periods dropdown, select the validity periods.
Click Save Settings.

The next time a user orders a Secure Site OV certificate, they will only see the validity period lengths you selected on the request form.

Note: Setting limits on Multi-year Plan order lengths removes the custom validity option from your TLS certificate request forms.

CertCentral Domains page: Improved domains.csv report

On the Domains page, we improved the CSV report to make it easier to track OV and EV domain validation expiration dates and to view the previously used domain control validation (DCV) method.

The next time you download the CSV file, you will see we three new columns in the report:

OV Expiration
EV Expiration
DCV Method

To download the domains.csv report

In the left main menu, go to Certificates > Domains.
On the Domains page, in the Download CSV dropdown, select Download All Records.

When you open the domains.csv, you should see the new columns and information in your report.

December 9, 2020

New feature Guest access certcentral

CertCentral Guest access feature

We are happy to announce Guest access is now available for CertCentral Enterprise and CertCentral Partner. This feature allows users to manage a certificate order without you having to add them to your CertCentral account.

Guest access provides your account with a unique URL that can be shared with non-account users so they can access a certificate order. This is a quick, easy, and secure way to share access to a certificate order with someone who you doesn't need account access, only the ability to download, reissue, renew, or revoke the certificate.

Note: Guest access allows you to manage a single order at a time and does not provide the user with access to any other CertCentral information or features.

To use Guest access, first enable it for your account; in the left menu, go to Account > Guest Access. For more information about Guest access and how to configure it for your account, see Guest access.

To access an order via Guest access:

Use the unique URL to go to the Welcome to the guest portal page.
Enter your email address and the certificate order id or a domain included on the order (common name or subject alternative name (SAN)) and click Continue.
Wait for CertCentral to send you an email with a unique authentication code.
On the Enter authentication code sent to page, enter the authentication code included in the email, and click Sign in.

Now, you can view the certificate order and download, reissue, renew, or revoke the certificate.

December 6, 2020

discovery MSSL CIS CWS certificate issuance PKI Platform 8 Direct Cert Portal certcentral PKI Platform 7 QuoVadis QV Trust Link ACME Direct Cert Portal API ACME agent automation CertCentral Services API Discovery API ACME agent automation API

Scheduled maintenance

On December 6, 2020 between 08:00 – 10:00 UTC, DigiCert will perform scheduled maintenance.

How does this affect me?

During maintenance, access to these services and APIs may be affected:

CertCentral / Services API
Direct Cert Portal / Direct Cert Portal API
Certificate Issuing Service (CIS)
Simple Certificate Enrollment Protocol (SCEP)
Discovery / API
ACME
ACME agent automation / API

Additionally, certificate issuance for these services and APIs may be affected:

CertCentral / Services API
Direct Cert Portal / Direct Cert Portal API
Certificate Issuing Service (CIS)
Simple Certificate Enrollment Protocol (SCEP)
Complete Website Security (CWS) / API
Managed PKI for SSL (MSSL) / API
PKI Platform 7 / PKI Platform 8
QV Trust Link

What can I do?

Plan accordingly.

Schedule high-priority orders, renewals, reissues, and duplicate issues outside of the maintenance window.
If you use the APIs for immediate certificate issuance and automated tasks, expect interruptions during this time.

Services will be restored as soon as the maintenance is completed.

For scheduled maintenance dates and times, see DigiCert 2020 scheduled maintenance.
To get live updates, subscribe to the DigiCert Status page.

December 3, 2020

orders page Units certcentral New enhancement Services API API documentation

CertCentral Orders page: Improved load times

In CertCentral, we updated the Orders page to improve load times for those managing high volumes of certificate orders. The next time you visit the Orders page, it will open much quicker (in the left main menu go to Certificates > Orders).

To improve load times, we changed the way we filter your certificate orders upon initial page view. Previously, we filtered the page to show only Active certificate orders. However, this was problematic for those with high volumes of certificate orders. The more orders you have in your account, the longer the Orders page took to open.

Now, when you visit the page, we return all your certificates, unfiltered, in descending order with the most recently created certificate orders appearing first in the list. To see only your active certificates, in the Status dropdown, select Active and click Go.

CertCentral Services API: Purchase units for subaccounts and view unit orders

In the CertCentral Services API, we've added new endpoints for purchasing units and viewing unit orders. Now, if you manage subaccounts that use units as the payment method for certificate requests, you can use the Services API to buy more units for a subaccount and to get information about your unit order history.

For more information, see the reference documentation for the new endpoints:

December 2, 2020

Product info Vouchers emergency contacts ICA selection Services API API documentation organization validation

CertCentral Services API: Documentation updates

We're pleased to announce the following updates to the documentation for the CertCentral Services API:

New Voucher price estimate API
We published a new reference topic for the Voucher price estimate endpoint. Customers who use vouchers can use this endpoint to estimate the cost (including tax) of an order for specific voucher configurations.
Updated API Glossary
We updated the Glossary with a new table to define the different organization validation status values. See Glossary – Organization validation statuses.
Added request parameter to Update account emails documentation
We added the emergency_emails request parameter to the documentation for the Update account emails endpoint. Use this parameter to update the email addresses that receive emergency notifications from DigiCert.

Example Update account emails request body:

Added response parameters to the Product info documentation
We added the validation_type, allowed_ca_certs, and default_intermediate response parameters to the documentation for the Product info endpoint.
- Use the validation_type parameter to get the validation type for a given product.
- Use the allowed_ca_certs parameter to get information about the ICA certificates you can select when you order a given product. *
- Use the default_intermediate parameter to get the ID of the default ICA for a given product. *

Example Product info response data:

* Note: The Product info endpoint only returns the allowed_ca_certs and default_intermediates parameters for products that support ICA selection. For public SSL certificates that support ICA selection (OV and EV flex certificates), these parameters are only returned if ICA selection is enabled for the account. Additionally, the default_intermediates parameter is only returned if an administrator has customized a product setting for a division or user role in the account. For more information, see ICA certificate chain option for public OV and EV flex certificates.

December 1, 2020

industry changes reissued certificates renewal code signing certificates intermediate CA certificates ev code signing certificates compliance SHA-1 SHA-2

DigiCert to stop issuing SHA-1 code signing certificates

On Tuesday, December 1, 2020 MST, DigiCert will stop issuing SHA-1 code signing and SHA-1 EV code signing certificates.

Note: All existing SHA-1 code signing/EV code signing certificates will remain active until they expire.

Why is DigiCert making these changes?

To comply with the new industry standards, certificate authorities (CAs) must make the following changes by January 1, 2021:

Stop issuing SHA-1 code signing certificates
Stop using SHA-1 intermediate CA and SHA-1 root certificates to issue SHA-256 algorithm code signing and timestamping certificates

See Appendix A in the Baseline Requirements for the Issuance and Management of Publicly-Trusted Code Signing Certificates.

How do the SHA-1 code signing certificate changes affect me?

If you rely on SHA-1 code signing certificates, take these actions as needed before December 1, 2020:

Get your new SHA-1 certificates
Renew your SHA-1 certificates
Reissue and get needed SHA-1 certificates

For more information about the December 1, 2020 changes, see our knowledgebase article DigiCert to Stop Issuing SHA-1 Code Signing Certificates.

If you have additional questions, please contact your account manager or our support team.

November 8, 2020

ACME Direct Cert Portal API ACME agent automation CertCentral Services API Discovery API ACME agent automation API MSSL PKI Platform 8 Direct Cert Portal certcentral PKI Platform 7 QuoVadis QV Trust Link CIS CWS certificate issuance

Scheduled maintenance

On November 8, 2020 between 08:00 – 10:00 UTC, DigiCert will perform scheduled maintenance.

How does this affect me?

During maintenance, access to these services and APIs may be affected:

CertCentral / Services API
Direct Cert Portal / Direct Cert Portal API
Certificate Issuing Service (CIS)
Simple Certificate Enrollment Protocol (SCEP)
Discovery / API
ACME
ACME agent automation / API

Additionally, certificate issuance for these services and APIs may be affected:

CertCentral / Services API
Direct Cert Portal / Direct Cert Portal API
Certificate Issuing Service (CIS)
Simple Certificate Enrollment Protocol (SCEP)
Complete Website Security (CWS) / API
Managed PKI for SSL (MSSL) / API
PKI Platform 7 / PKI Platform 8
QV Trust Link

What can I do?

Plan accordingly.

Schedule high-priority orders, renewals, reissues, and duplicate issues outside of the maintenance window.
If you use the APIs for immediate certificate issuance and automated tasks, expect interruptions during this time.

Services will be restored as soon as the maintenance is completed.

For scheduled maintenance dates and times, see DigiCert 2020 scheduled maintenance.
To get live updates, subscribe to the DigiCert Status page.

November 3, 2020

CertCentral API DCV tokens OV SSL certificates domain validation EV SSL certificates Services API

CertCentral Services API: Added DCV tokens for new domains to response data for OV and EV certificate orders

We've updated the endpoints for ordering public OV and EV SSL certificates to return the domain control validation (DCV) request tokens for new domains on the order.

Now, when you request an OV or EV certificate, you no longer have to issue separate requests to get the DCV request tokens for the new domains on the order. Instead, you can get the tokens directly from the response data for the order request.

Example response data:

Example response for an OV order with a new domain

Note: The dcv_token object is not returned for domains that will be validated under the scope of another domain on the order, for domains that already exist in your account, or for subdomains of existing domains.

This update applies to the following endpoints:

November 2, 2020

ICAs intermediate CA certificates New

DigiCert replacing multiple intermediate CA certificates

On November 2, 2020, DigiCert is replacing another set of intermediate CA certificates (ICAs). For a list of the ICA certificates being replaced, see our DigiCert ICA Update KB article.

How does this affect me?

Rolling out new ICAs does not affect existing certificates. We don't remove an old ICA from certificate stores until all the certificates issued from it have expired. This means active certificates issued from the replaced ICA will continue to be trusted.

However, it will affect existing certificates if you reissue them as they will be issued from the new ICA. We advise you to always include the provided ICA with every certificate you install. This has always been the recommended best practice to ensure ICA replacements go unnoticed.

No action is required unless you do any of the following:

Pin the old versions of the intermediate CA certificates
Hard code the acceptance of the old versions of the intermediate CA certificates
Operate a trust store that includes the old versions of the intermediate CA certificates

If you do any of the above, we recommend updating your environment as soon as possible. Stop pinning and hard coding ICAs or make the necessary changes to ensure certificates issued from the new ICAs are trusted (in other words, can chain up to their updated ICA and trusted root).

Intermediate CA certificate replacements

Make sure to monitor the pages listed below. These are active pages and are updated regularly with ICA certificate replacement information and copies of the new DigiCert intermediate CA certificates.

Why is DigiCert replacing intermediate CA certificates?

We are replacing ICAs to:

Promote customer agility with ICA replacement
Reduce the scope of certificate issuance from any given ICA to mitigate the impact of changes in industry standards and CA/Browser Forum guidelines to intermediate and end-entity certificates
Improve the security of the Internet by ensuring all ICAs operate using the latest improvements

If you have questions or concerns, please contact your account manager or our support team.

October 22, 2020

DV SSL certificates AuthKey API documentation

CertCentral Services API: Documentation updates

We added a new request parameter to the CertCentral Services API documentation for DV certificate orders: use_auth_key. In accounts with an existing AuthKey, this parameter allows you to choose whether to check your DNS records for an AuthKey request token when you place a DV certificate order.

By default, if an AuthKey exists for your account, you must add an AuthKey request token to your DNS records before ordering a DV certificate. AuthKey request tokens enable immediate certificate issuance, decreasing the time you spend on certificate lifecycle management. However, there may be times you need to verify control over domains using email validation or a DigiCert generated token. In these cases, the use_auth_key parameter allows you to disable the check for an AuthKey request token at the order level, so you can use another method to prove control over the domain. For more information about domain control validation (DCV), see Domain control validation (DCV) methods.

To disable the AuthKey verification method for a DV certificate order, include the use_auth_key parameter in the JSON payload of the request. For example:

The following endpoints support the use_auth_key parameter:

Order Multi-year Plan (for DV SSL certificates)
Order GeoTrust DV SSL
Order DV SSL

For information about using an AuthKey for immediate DV certificate issuance, see DV certificate immediate issuance.

Note: The use_auth_key parameter is ignored in requests for Encryption Everywhere DV certificates. All requests for Encryption Everywhere DV certificates require an AuthKey request token for DCV. Additionally, OV and EV SSL products do not support the use_auth_key request parameter.

October 16, 2020

CertCentral Enterprise flat fee contracts ELA Multi-year plan MyP

CertCentral Enterprise: Multi-year Plans now available

We are happy to announce that Multi-year Plans are now available in CertCentral Enterprise.

DigiCert® Multi-year Plans allow you to pay a single discounted price for up to six years of SSL/TLS certificate coverage. With Multi-year Plans, you pick the SSL/TLS certificate, the duration of coverage you want (up to six years), and the certificate validity. Until the plan expires, you reissue your certificate at no cost each time it reaches the end of its validity period.

Note: Enterprise License Agreement (ELA) and Flat Fee contracts only support 1 and 2-year Multi-year Plans.

As of September 1, 2020, the maximum validity of an SSL/TLS certificate is 397 days. When the active certificate for a Multi-year Plan is about to expire, you reissue the certificate to maintain your SSL/TLS coverage.

For more information, see Multi-year Plans.
For API integrations, see Order Multi-year Plan.

October 13, 2020

OV/EV order forms product settings public ssl certificates ICAs EV SSL certificates OV SSL certificaates New intermediate CA certificates new endpoint updated endpoints ICA selection api Services API flexible certificates

ICA certificate chain selection for public OV and EV flex certificates

We are happy to announce that public OV and EV certificates with flex capabilities now support Intermediate CA certificate chain selection.

You can add an option to your CertCentral account that enables you to control which DigiCert ICA certificate chain issues your public OV and EV "flex" certificates.

This option allows you to:

Set the default ICA certificate chain for each public OV and EV flex certificate.
Control which ICA certificate chains certificate requestors can use to issue their flex certificate.

Configure ICA certificate chain selection

To enable ICA selection for your account, contact your account manager or our Support team. Then, in your CertCentral account, on the Product Settings page (in the left main menu, go to Settings > Product Settings), configure the default and allowed intermediates for each type of OV and EV flex certificate.

For more information and step-by-step instructions, see ICA certificate chain option for public OV and EV flex certificates.

DigiCert Services API support for ICA certificate chain selection

In the DigiCert Services API, we made the following updates to support ICA selection in your API integrations:

Created new Product limits endpoint
Use this endpoint to get information about the limits and settings for the products enabled for each division in your account. This includes ID values for each product's default and allowed ICA certificate chains.
Added support for ICA selection to public TLS OV and EV flex certificate order requests
After you configure allowed intermediates for a product, you can select the ICA certificate chain that should issue your certificate when you use the API to submit an order request.
Pass in the ID of the issuing ICA certificate as the value for the ca_cert_id parameter in the body of your order request

Example flex certificate request:

For more information about using ICA selection in your API integrations, see OV/EV certificate lifecycle – (Optional) ICA selection.

October 6, 2020

emergency contacts New Notifications page

CertCentral: Add emergency contacts for your account

We are happy to announce we added a new emergency contact option to CertCentral. These email addresses receive all emergency communications, such as urgent security concerns, required certificate revocations, and changes to industry guidelines.

By default, CertCentral sends emergency notifications to the organization contact for the primary organization on your account. Until you update your emergency contacts, we also send these notifications to the email addresses assigned to receive all account notifications.

We recommend verifying and updating the emergency contacts for your account. It should only take a few minutes.

To verify and update the emergency contacts for your account:

Sign in to your CertCentral account.
In the left main menu, go to Settings > Notifications.
On the Notifications page, in the Send all emergency notifications to box, enter the email addresses you want to receive all emergency communications.
When you are finished, check Verify emergency contacts.

See Add emergency contact email addresses for your account.

October 4, 2020

certificate issuance PKI Platform 8 Direct Cert Portal certcentral PKI Platform 7 QuoVadis 2020 QV Trust Link Services access CIS CWS Direct Cert Portal API CertCentral Services API Partner Portals MSSL

Schedule Maintenance

On Sunday October 4 between 07:00 – 09:00 UTC, DigiCert will perform scheduled maintenance.

How does this affect me?

Although we have redundancies in place to protect your services, some DigiCert services may be unavailable during this time.

During maintenance access to these services and APIs may be affected:

CertCentral / Service API
Direct Cert Portal / API
Certificate Issuing Service (CIS)
Simple Certificate Enrollment Protocol (SCEP)
Discovery API
ACME
ACME agent automation

Additionally, certificate issuance for these services and APIs may be affected:

CertCentral / Service API
Direct Cert Portal / API
Certificate Issuing Service (CIS)
Simple Certificate Enrollment Protocol (SCEP)
Complete Website Security (CWS) / API
Managed PKI for SSL (MSSL) / API
Symantec, GeoTrust, and Thawte Partner Portals / APIs
PKI Platform 7 / PKI Platform 8
QV Trust Link

What can I do?

Please plan accordingly. Schedule high-priority orders, renewals, reissues, and duplicate issues outside of the maintenance window. If you use the APIs for immediate certificate issuance and automated tasks, expect interruptions during this time.

Services will be restored as soon as the maintenance is completed.

For scheduled maintenance dates and times, see DigiCert 2020 scheduled maintenance.
For live updates, subscribe to the DigiCert Status page.

September 13, 2020

Direct Cert Portal certcentral 2020 ACME scheduled maintenance SCEP CIS Discovery API CertCentral emails Direct Cert Portal API ACME agent automation CertCentral Services API IP address changes

Upcoming scheduled maintenance

On Sunday September 13, 2020 from 07:00 to 09:00 UTC, DigiCert will perform scheduled maintenance.

How does this affect me?

During maintenance, we will assign new dedicated IP addresses to our CertCentral mail server, some of our services, and some of our APIs.

Affected services:

CertCentral emails
CertCentral
CertCentral Services API
Certificate Issuing Service (CIS)
Simple Certificate Enrollment Protocol (SCEP)
API access URL
Direct Cert Portal
Direct Cert Portal API
Discovery sensor firewall settings
Discovery API
ACME
ACME agent automation
DigiCert website

For more details and easy reference, see our IP address changes knowledgebase article.

Although we have redundancies in place to protect your service, some DigiCert services may be unavailable during this time.

DigiCert services will be restored as soon as maintenance is completed.

What can I do?

Update allowlists and email filters
By September 13, 2020, update IP address allowlists and email filters to ensure you don't miss important emails and to keep your DigiCert services and API integrations running as expected.
Schedule tasks around maintenance
Please plan accordingly and schedule high-priority orders, renewals, reissues, and duplicate issues outside of the maintenance window.
References
- For live updates, subscribe to the DigiCert Status page.
- For scheduled maintenance dates and times, see DigiCert 2020 scheduled maintenance

August 27, 2020

product public ssl certificates compliance industry changes

DigiCert will stop issuing 2-year public SSL/TLS certificates

On August 27, 2020 5:59 pm MDT (23:59 UTC), DigiCert will stop issuing 2-year public SSL/TLS certificates to prepare for the industry changes to the maximum allowed validity for public SSL/TLS certificates.

After the August 27 deadline, you can only purchase 1-year public SSL/TLS certificates.

What do I need to do?

To ensure you get needed 2-year public SSL/TLS certificates before the August 27 deadline:

Take inventory of needed 2-year certificates—new and renewals.
Order any 2-year certificates that you need before August 13.
Respond to any domain and organization validation requests in a timely manner.

To learn how this change will affect pending certificate orders, reissues, and duplicates, see End of 2-Year DV, OV, and EV public SSL/TLS certificates.

DigiCert Services API

For those using the DigiCert Services API, you'll need to update your API workflows to account for the new maximum certificate validity of 397 days for requests placed after the August 27 deadline. See Services API.

After August 27, 2020

After August 27, you can only purchase 1-year public SSL/TLS certificates. However, to maximize your SSL/TLS coverage, purchase your new certificates with a DigiCert® Multi-year Plan. See Multi-year Plans.

Why is DigiCert making this change?

On September 1, 2020, the industry says good-bye to 2-year certificates. Going forward Certificate Authorities (CA) can only issue public DV, OV, and EV SSL/TLS certificates with a maximum validity of 398 days (approximately 13 months).

DigiCert will implement a 397-day maximum validity for all public SSL/TLS certificates as a safeguard to account for time zone differences and to avoid issuing a public SSL/TLS certificate that exceeds the new 398-day maximum validity requirement.

Check out our blog to learn more about the transition to 1-year public SSL/TLS certificates: One-Year Public-Trust SSL Certificates: DigiCert’s Here to Help.

August 26, 2020

certcentral public ssl certificates Services API Multi-year plan MyP

DigiCert® Multi-year Plans available for all DigiCert public SSL/TLS certificates

We are happy to announce that Multi-year Plans are now available for all public SSL/TLS certificates in CertCentral. These plans allow you to pay a single discounted price for up to six years of SSL/TLS certificate coverage.

Note: Enterprise License Agreement (ELA) contracts support only 1 and 2-year Multi-year Plans. Flat Fee contracts do not support Multi-year Plans. If you have a Flat Fee contract, please contact your account manager to find a solution that works with your contract.

With Multi-year Plans, you pick the SSL/TLS certificate, the duration of coverage you want (up to six years), and the certificate validity. Until the plan expires, you reissue your certificate at no cost each time it reaches the end of its validity period. For more information, see Multi-year Plans.

DigiCert Services API changes to support Multi-year Plans

In our Services API, we updated our public SSL/TLS certificate endpoints to support ordering a certificate with a Multi-year Plan.

To each endpoint for ordering a public SSL/TLS certificate, we added new optional* request parameters. Additionally, we've updated these endpoints such that the validity period of your order no longer must match the validity period of your certificate.

New optional cert_validity parameter
Use this parameter to define the validity period of the first certificate issued for the order. If you omit the cert_validity parameter from your request, your certificate validity defaults to the maximum validity that DigiCert and industry standards allow, or the validity period of the order, whichever is sooner.
New optional order_validity parameter*
Use this parameter to define the validity period for the order. Order validity determines the length of a Multi-year Plan.
Updated top-level validity_years, validity_days, custom_expiration_date parameters*
For existing API integrations, you can still use these existing parameters to define the validity period of the order. However, we recommend updating your integrations to use the new parameters instead. Remember, with Multi-year Plans, your order can have a different validity period than your certificate.

*Note: Requests must include a value for either the order_validity object or for one of the top-level order validity parameters: validity_years, validity_days, or custom_expiration_date. The values provided in the order_validity object override the top-level validity parameters.

These changes should not affect your current integrations. However, to maximize your SSL/TLS coverage, you may want to start purchasing your public SSL/TLS certificates with a Multi-year Plan. For API integrations, see Order Multi-year Plan.

Example certificate request with new parameters

Example SSL certificate request with new certificate and order valdity parameters

August 21, 2020

delete certificate data delete endpoint data new setting New discovery

Discovery: Delete all certificates and endpoints from scan results

We added a new Delete all certificates and endpoints option that enables you to delete certificate and endpoint information from your Discovery scan records in your CertCentral account.

To Delete all certificates and endpoints from scan results:

In your CertCentral account, go to Discovery > Manage Discovery.
On the Manage scans page, in the More actions dropdown, click Delete all certificates and endpoints.
In the Delete all certificates and endpoints window, click Delete.

Permanently delete certificates and endpoint records

To permanently delete certificate and endpoint information from your scan results, you also need to remove the associated FQDNs and IP addresses from you scans. See Edit a scan.

August 11, 2020

CertCentral Services API enhancement validity expiration dates code signing

CertCentral Services API: Order code signing certificates with a custom expiration date

In the CertCentral Services API, we updated the Order code signing certificate endpoint to support custom expiration dates. Now, when you order a code signing certificate, you can use the custom_expiration_date request parameter to set the exact date the certificate will expire.

Example request body:

Code signing custom expiration date parameter

August 9, 2020

CertCentral Services API Partner Portals MSSL scheduled maintenance CIS access Direct Cert Portal API CIS CWS CertCentral access certificate issuance Direct Cert Portal 2020

Upcoming schedule maintenance

On Sunday August 9, 2020 from 07:00 to 09:00 UTC DigiCert will perform scheduled maintenance.

How does this affect me?

During maintenance:

CertCentral, the CertCentral Service API, Direct Cert Portal, Direct API, and the Certificate Issuing Service will be down.
DigiCert will be unable to issue certificates for DigiCert platforms and their corresponding APIs and legacy Symantec consoles and their corresponding APIs.
PKI Platforms may also experience service interruptions.

Services that will be affected

Access to:

CertCentral
CertCentral Service API
Direct Cert Portal
Direct API
Certificate Issuing Service CIS

Certificate issuance for:

CertCentral / Service API
Certificate Issuing Service (CIS)
Complete Website Security (CWS) / API
Direct Cert Portal / API
Managed PKI for SSL (MSSL) / API
Symantec, GeoTrust, and Thawte Partner Portals

Possible service interruptions for:

PKI Platform 7
PKI Platform 8

Services will be restored as soon as maintenance is completed.

What can you do?

Please plan accordingly. Schedule high-priority orders, renewals, reissues, and duplicate issues outside of the maintenance window.

If you use the API for immediate certificate issuance and automated tasks, expect interruptions during this time.

DigiCert 2020 scheduled maintenance
This page is kept up to date with all our maintenance schedule information.
DigiCert Status
To get live updates, subscribe to the DigiCert Status page.

August 7, 2020

certificate revocation settings api revoke certificate endpoint CertCentral Services API enhancement

CertCentral Services API: More versatile revoke certificate endpoint

In CertCentral, we added new Certificate Revocations (API Only) settings that allow you to determine how the revoke certificate endpoint works for your API integration:

Revoke an individual certificate (default configuration)
- Allows you to use this endpoint to revoke a single certificate on an order.
- Leaves the order active so you can continue issuing certificates on the order.
- No refunds provided.
Revoke order when all certificates are revoked
- Allows you to use this endpoint to revoke a single certificate on an order.
- Additionally, if all certificates on the order have been revoked, it will also revoke the order.
- If eligible, refunds are provided.

To revoke an order and all the certificates on the order, use the revoke order certificates endpoint.

Certificate Revocations (API Only) in CertCentral

To use these new revoke certificate endpoint API settings:

In your CertCentral account, in the left main menu, go to Settings > Preferences.
On the Division Preferences page, expand Advanced Settings.
The new settings are in the Certificate Requests section, under Certificate Revocations (API Only).

August 5, 2020

banking changes Bank of America certcentral

CertCentral: DigiCert changes payment remittance bank account

To improve order processing and our customer service, we changed our payment remittance bank account.

What do I need to do?

Update your accounts payable processes to make sure all future payments are credited to our Bank of America account. For more information, see our Payment Information knowledgebase article.

Note: For customers with Symantec, GeoTrust, Thawte, and RapidSSL certificates, this is the same bank account you previously used.

July 27, 2020

email filters email infrastucture allowlists blocklists IP addresses renewal notifications

CertCentral changing mail server IP addresses for expiring certificate renewal notifications

DigiCert is upgrading the renewal email communication's infrastructure. This upgrade includes changes to the mail server IP addresses we send expiring certificate renewal notifications from.

If your company uses allowlists and email filters, your expiring certificate renewal emails are at risk of being blocked or sent to spam directories.

What do I need to do?

To ensure you don't miss a renewal communication, update allowlists and email filters to allow emails from the new IP addresses.

For more information, see the DigiCert Renewal Email source IP change knowledgebase article. If you have questions, please contact your account manager or our support team.

July 22, 2020

documentation api TLS 1.0 TLS 1.1 browsers DCV certcentral compliance Services API DV certificate issuance error messages CertCentral Partners Multi-year plan MyP

Multi-year Plans now available

We are happy to announce that Multi-year Plans are now available in CertCentral and CertCentral Partners.

The maximum validity of an SSL/TLS certificate will go from 825 days to 397 days on September 1, 2020. When the active certificate for a Multi-year Plan is about to expire, you reissue the certificate to maintain your SSL/TLS coverage.

For more information, see Multi-year Plans.
For API integrations, see Order Multi-year Plan.

Browser support for TLS 1.0 and 1.1 has ended

The four major browsers no longer support Transport Layer Security (TLS) 1.0 and 1.1.

What you need to know

This change doesn't affect your DigiCert certificates. Your certificates continue to work as they always have.

This change affects browser-dependent services and applications relying on TLS 1.0 or 1.1. Now that browser support for TLS 1.0 and 1.1 has ended, any out-of-date systems will be unable to make HTTPS connections.

What you need to do

If you are affected by this change and your system supports more recent versions of the TLS protocol, upgrade your server configuration as soon as you can to TLS 1.2 or TLS 1.3.

If you do not upgrade to TLS 1.2 or 1.3, your webserver, system, or agent will not be able to use HTTPS to securely communicate with the certificate.

Browser TLS 1.0/1.1 deprecation information

Firefox 78, released June 30, 2020

Safari 13.1, released March 24, 2020

https://developer.apple.com/documentation/safari-release-notes/safari-13_1-release_notes

Chrome 84, released July 21, 2020

Edge v84, released 7/16/2020

Helpful resources

With so many unique systems relying on TLS, we can't cover all upgrade paths, but here are a few references that may help:

To upgrade your Linux OpenSSL library, see https://blog.midtrans.com/time-to-upgrade-to-tls-version-1-2/.
To enable TLS 1.2 with OpenSSL and Apache, see https://serverfault.com/questions/314858/how-to-enable-tls-1-1-and-1-2-with-openssl-and-apache.
To enable TLS 1.2 in WinHTTP in Windows (Windows Server 2012, Windows 7 Service Pack 1 (SP1), and Windows Server 2008 R2 SP1), see https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-wi.
To disable support for TLS 1.0 and 1.1 in Windows Server 2019 IIS, see https://medium.com/@rootsecdev/configuring-secure-cipher-suites-in-windows-server-2019-iis-7d1ff1ffe5ea.

CertCentral Services API: Updated error message documentation

In the Services API documentation, we've updated the Errors page to include descriptions for error messages related to:

Immediate DV certificate issuance
Domain control validation (DCV)
Certificate Authority Authorization (CAA) resource record checks

Earlier this year, we improved the APIs for DV certificate orders and DCV requests to provide more detailed error messages when DCV, file authorization, DNS lookups, or CAA resource record checks fail. Now, when you receive one of these error messages, check the Errors page for additional troubleshooting information.

For more information:

July 19, 2020

Service API access critical maintenance CIS access MSSL Direct Cert Portal CIS api CertCentral access CWS certificate issuance

Upcoming critical maintenance

On Sunday July 19, 2020 from 07:00 to 09:00 UTC DigiCert will perform critical maintenance.

Although we have redundancies in place to protect your service, some DigiCert services may be unavailable during this time.

DigiCert services will be restored as soon as maintenance is completed.

What can you do?

Please plan accordingly. Schedule high-priority orders, renewals, reissues, and duplicate issues outside of the maintenance window.

DigiCert 2020 scheduled maintenance
This page is kept up to date with all our maintenance schedule information.
DigiCert Status
To get live updates, subscribe to the DigiCert Status page.

July 12, 2020

2020 scheduled maintenance API access CertCentral access

Scheduled Maintenance

On July 12, 2020 from 07:00 to 09:00 UTC, DigiCert will perform scheduled maintenance.

Although we have redundancies in place to protect your service, some DigiCert services may be unavailable during this time.

DigiCert services will be restored as soon as maintenance is completed.

What can you do?

Please plan accordingly. Schedule high-priority orders, renewals, reissues, and duplicate issues outside of the maintenance window.

DigiCert 2020 scheduled maintenance
This page is kept up to date with all our maintenance schedule information.
DigiCert Status
To get live updates, subscribe to the DigiCert Status page.

July 8, 2020

api request parameter create organization endpoint enhancement order endpoints

CertCentral Services API: Improved endpoints

In the DigiCert Services API, we updated the endpoints listed below, enabling you to skip the duplicate organization check to create a new organization.

Default behavior

By default, when you create a new organization (without providing an organization ID), we check the organizations that already exist in your account to avoid creating a duplicate organization. If the details you provide in the request match the details of an existing organization, we associate the order with the existing organization instead of creating a new one.

New organization.skip_duplicate_org_check request parameter

We added a new organization.skip_duplicate_org_check request parameter to the endpoints listed below so that you can override the behavior and force the creation of a new organization.

Example request with new organization.skip_duplicate_org_check request parameter

Example API request with the skip_duplicate_org_check parameter

Updated endpoints:

June 28, 2020

api CWS certificate issuance certcentral MSSL CIS Direct emergency maintenance

Upcoming Emergency Maintenance

On Sunday June 28, 2020 from 07:00 to 08:00 UTC DigiCert will perform emergency maintenance.

How does this affect me?

During this time, DigiCert will be unable to issue certificates for DigiCert platforms and their corresponding APIs, legacy Symantec consoles and their corresponding APIs, for immediate certificate issuance, and for those using the APIs for automated tasks.

Emergency maintenance affects:

CertCentral / Service API
Certificate Issuing Service (CIS)
Complete Website Security (CWS) / API
Direct Cert Portal / API
Managed PKI for SSL (MSSL) / API

Services will be restored as soon as maintenance is completed.

What can you do?

Please plan accordingly. Schedule high-priority orders, renewals, reissues, and duplicate issues outside of the maintenance window.

If you use the API for automated tasks, expect interruptions during this time.

DigiCert 2020 scheduled maintenance
This page is kept up to date with all our maintenance schedule information.
DigiCert Status
To get live updates, subscribe to the DigiCert Status page.

June 24, 2020

GA general availability automation tools managed automation

CertCentral: Managed automation general availability

We are happy to announce the general availability of another of our Automation Tools—Managed automation. Its beta period has ended, and it is now ready for production environments.

CertCentral-managed automation allows you to automate your SSL/TLS certificate lifecycle management process. Remove time spent completing manual SSL/TLS certificate requests and installations.

Managed automation features:

Scalable and centralized SSL/TLS certificate management in CertCentral
Integrated with the CertCentral SSL/TLS certificate issuance process
Automate end-to-end SSL/TLS certificate provisioning: new, reissue, and renew
OV and EV SSL/TLS 1-year, 2-year, and custom validity certificate deployments.
Private SSL/TLS certificate deployments

Managed automation in CertCentral

To get started with CertCentral-managed automation, in your CertCentral account, go to the Manage automation page (in the left main menu, go to Automation > Manage automation).

For more information:

June 23, 2020

ACME general availability automation tools GA acme directory url

CertCentral ACME protocol support general availability

We are happy to announce the general availability of one of our Automation Tools—ACME protocol support. Its open beta period has ended, and it is now ready for production environments.

With ACME + CertCentral, use your preferred ACME client to automate your SSL/TLS certificate deployments and remove time spent completing manual certificate installations.

CertCentral ACME protocol support allows you to automate OV and EV SSL/TLS 1-year, 2-year, and custom validity certificate deployments. Our ACME protocol also supports the Signed HTTP Exchange certificate profile option, enabling you to automate your Signed HTTP Exchange certificate deployments.

ACME in CertCentral

To access ACME in your CertCentral account, go to the ACME Directory URLs page (in the left main menu, go to Automation > ACME Directory URLs).

For more information:

June 15, 2020

customer order fields ACME acme directory url

DigiCert ACME integration now supports the use of custom fields

We are happy to announce that DigiCert ACME protocol now supports custom fields in the request forms used to create your ACME directory URLs.

For more information:

June 11, 2020

renewed filter enhancement orders page

CertCentral: Improved Orders page

We updated the Orders page making it easier to see your active certificates. Now, we no longer show the renewed certificates (certificates with a Renewed status) in the list of active certificates.

To make sure you don't lose sight of your renewed certificates, we added a new filter to the Status dropdown—Renewed—that enables you to see your "renewed" certificates.

To see the improved Orders page, in the left main menu, go to Certificates > Orders.

June 10, 2020

api certcentral migrated certificate orders mark renewed Update order status endpoint legacy console upgrades

Legacy account upgrades to CertCentral: Mark migrated certificate orders as renewed

When you migrate a certificate order from your legacy console and then renew it in CertCentral, the original order may not get updated automatically to reflect the renewal. To make it easier to manage these migrated certificates, we added a new option—Mark renewed.

The Mark renewed option allows you to change the certificate order's status to Renewed. In addition, the original migrated certificate no longer appears in expiring or expired certificate lists, in the expiring or expired certificate banners, or on the Expired Certificates page in CertCentral.

Mark a migrated order as renewed

In CertCentral, in the left main menu, go to Certificates > Orders. On the Orders page, in the certificate order's Expires column, click Mark renewed.

Renewed filter

To make it easier to see the migrated certificate orders that have been marked renewed, we added a new filter—Renewed. On the Orders page, in the Status filter dropdown, select Renewed and click Go.

To learn more, see Mark a migrated certificate order as renewed.

Legacy API upgrades to CertCentral Services API: Update order status endpoint improvements

When you migrate an order from your legacy console and then renew it in CertCentral, the original order may not get updated automatically to reflect the renewal.

To prevent these "renewed" orders from appearing alongside orders that still need to be renewed, we added a new value—renewed—to the status parameter on the Update order status endpoint.

Now, when you know a migrated certificate order has been renewed, you can manually change the status of the original order to renewed.

Example request with new status parameter

Update order status-endpoint example-request

To learn more, see Update order status.

June 7, 2020

2020 scheduled maintenance API access CertCentral access

Scheduled Maintenance

On June 7, 2020 from 07:00 to 09:00 UTC, DigiCert will perform scheduled maintenance.

Although we have redundancies in place to protect your service, some DigiCert services may be unavailable during this time.

DigiCert services will be restored as soon as maintenance is completed.

What can you do?

Please plan accordingly. Schedule high-priority orders, renewals, reissues, and duplicate issues outside of the maintenance window.

DigiCert 2020 scheduled maintenance
This page is kept up to date with all our maintenance schedule information.
DigiCert Status
To get live updates, subscribe to the DigiCert Status page.

June 3, 2020

DNS CNAME dcv methods File DNS TXT FileAuth DV SSL certificates public ssl certificates HTTP Practical Demonstration EV SSL certificates DCV polling OV SSL certificaates Automatic checks

CertCentral: Automatic DCV checks – DCV polling

We are happy to announce we've improved the domain control validation (DCV) process and added automatic checks for DNS TXT, DNS CNAME, and HTTP practical demonstration (FileAuth) DCV methods.

This means, once you've placed the fileauth.txt file on your domain or added the random value to your DNS TXT or DNS CNAME records, you don't need to worry about signing in to CertCentral to run the check yourself. We will run the DCV check automatically. Although, you can still run a manual check, when needed.

DCV polling cadence

After submitting your public SSL/TLS certificate order, submitting a domain for prevalidation, or changing the DCV method for a domain, DCV polling begins immediately and runs for one week.

Interval 1—Every minute for the first 15 minutes
Interval 2—Every five minutes for an hour
Interval 3—Every fifteen minutes for four hours
Interval 4—Every hour for a day
Interval 5—Every four hours for a week*

*After Interval 5, we stop checking. If you have not placed the fileauth.txt file on your domain or added the random value to your DNS TXT or DNS CNAME records by the end of the first week, you will need to run the check yourself.

For more information about the supported DCV methods:

May 27, 2020

secure site ov basic ov allow wildcard secure site ev basic ev max number of sans product settings

New product settings for flexible certificates

To provide more control over your certificate ordering process, we added two new product settings to our flexible certificate offerings:

Maximum number of SANs allowed (can't exceed 250)
Allow wildcards.

Now, you can limit the number of SANs included on a flexible OV or EV certificate order. Additionally, you can prevent users from including wildcard domains in their flexible OV certificate orders.

To configure flexible certificate product settings, in the left main menu, go to Settings > Product Settings.

Flexible OV and EV certificates

These more flexible SSL/TLS certificates make it easier to get the certificate to fit your needs: Basic OV, Basic EV, Secure Site OV, and Secure Site EV. They will replace the old Basic and Secure Site products.

To activate any of these new certificates for your CertCentral account, contact your account manager or our Support team.

May 20, 2020

documentation api dev portal New feature

New addition to DigiCert Developers portal

We are happy to announce a new addition to the DigiCert Developers portal—CT log monitoring API. For DigiCert API integrations, use these endpoints to manage the CT log monitoring service that is included with your Secure Site Pro certificate order. See CT log monitoring API.

CT Log Monitoring services

CT log monitoring allows you to monitor the public CT logs for SSL/TLS certificates issued for the domains on your Secure Site Pro certificate order, in near real time.

CT log monitoring is a cloud service so there is nothing to install or manage. After we've issued your Secure Site Pro, and you've turned CT Log monitoring for the order, you can start using the service immediately to monitor the domains on the Secure Site Pro certificate order.

To learn more about the CT log monitoring service, see CT log monitoring service.
To learn more about what's included with each Secure Site Pro certificate, see Pro TLS/SSL Certificates.

May 18, 2020

api response parameter enhancement order endpoints

CertCentral Services API: Improved order endpoints:

In the DigiCert Services API, we added a "domain ID" response parameter to the endpoints listed below. Now, when you add domains--new or existing--in your certificate request, we return the domain IDs in the response.

This reduces the number of API calls needed to get the domain IDs for the domains on the certificate order. It also allows you to perform domain-related task immediately, such as change the DCV method for one of the domains on the order or resend the WHOIS emails.

Note: Previously, after adding new or existing domains in your certificate request, you had to make an additional call to get the domain IDs: List domains or Domain info.

Updated order endpoints

Example response with new domain ID parameter

Order endpoints' example reponse with new domains parameter

May 12, 2020

api bug fix certificate format settings skip_approval parameter revoke certificate endpoint certificate notification revoke order certificate endpoint enhancement DV Certificates

CertCentral Services API: Improved Revoke order certificates and Revoke certificate endpoints

In the DigiCert Services API, we updated the Revoke order certificates and Revoke certificate endpoints, enabling you to skip the approval step when revoking a certificate.

Note: Previously, the approval step was required and could not be skipped.

We added a new optional parameter, "skip_approval": true, that allows you to skip the approval step when submitting a request to revoke one certificate or all certificates on an order.

Note: For skip approvals to work for certificate revoke requests, the API key must have admin privileges. See Authentication.

Now, on your revoke certificate and revoke order certificate requests, you can skip the approval step and immediately submit the request to DigiCert for certificate revocation.

Example request for the revoke certificate and revoke order certificates endpoints

Example revoke certificate request with skip_approval parameter

Bug fix: DV certificate issuance emails did not respect certificate format settings

We fixed a bug in the DV certificate issuance process where the Your certificate for your-domain email notification did not deliver the certificate in the format specified in your account settings.

Note: Previously, we included a certificate download link in all DV certificate issued email notifications.

Now, when we issue your DV certificate order, the email delivers the certificate in the format specified in your account's Certificate Format settings.

Configure certificate format for certificate issuance emails

In the left main menu, go to Settings > Preferences. On the Division Preferences page, expand Advance Settings. In the Certificate Format section, select the certificate format: attachment, plain text, or download link. Click Save Settings.

May 7, 2020

account balance negative account limit subaccounts spending limits bill-to-parent New feature

We are happy to announce that bill-to-parent type subaccounts now support (Negative) Account Limits as well as Account Balances!

We updated the bill-to-parent subaccount certificate issuance workflow, providing parent accounts more control over their bill-to-parent subaccounts' certificate spending.

To control a subaccount's spending, the parent account can use one of these options when configuring the bill-to-parent subaccount:

Set up a negative account limit for the subaccount
Subaccount can continue to buy certificates until they hit the negative account limit. Once the limit is reached, they need pay off the negative limit to continue buying certificates.
Note: Negative account limits in bill-to-parent subaccounts do not reflect an account balance against DigiCert, but against the parent account.
Set up an account balance workflow for the subaccount
Subaccount must deposit funds to their account before they can begin buying certificates. To continue buying certificates, they must maintain a positive account balance.
Note: This is a two-step process: set the bill-to-parent subaccount account limit to zero and then, add funds to the account.
Set up unlimited spending for the subaccount
Subaccount has unlimited spending and can order as many certificates as needed. For unlimited spending, you now need to use the Unlimited – do not limit spending for this subaccount option.
Note: Previously, this was how all bill-to-parent subaccounts worked.

Where are these subaccount spending limit settings?

You can configure the negative account limit or set up the account balance workflow when creating the bill-to-parent subaccount. You can also edit an existing bill-to-parent subaccount and configure the negative account limit or set up the account balance workflow.

Managing account balance funds or negative account limit

For the account balance workflow, you can add funds to the account balance on the subaccount details page. Click Add account balance. In the Add balance to subaccount window, add funds to the bill-to-parent subaccount. In the bill-to-parent subaccount, this displays an account balance to track spending. These are not real funds.

For the negative account limit, you can adjust the limit from the Edit subaccount details page. Go to the subaccount details page and click Edit.

For more information, see Configure bill-to-parent subaccount spending limits.

May 6, 2020

api new parameter domain validation scope enhancement DV Certificates DCV email method DV SSL resend email

DV certificate orders: Domain validation scope settings for DCV emails

We improved the DCV email validation process for DV certificate orders, allowing you to set the domain validation scope when resending the DCV emails.

Note: Previously, when using the DCV email method to validate subdomains on your DV order, you had to validate the exact subdomain name.

Now, on your DV certificate order, you can validate a subdomain ( sub.example.com) at a higher level (example.com) by resending the DCV email to a higher-level domain email address (admin@example.com).

To learn more about the Email DCV method:

CertCentral Services API: Improved DV SSL: Resend emails endpoint

In the DigiCert Services API, we updated the DV SSL: Resend emails endpoint, enabling you to set the domain validation scope when resending the DCV emails for your DV certificate orders. We added a new optional parameter, "email_domain": "{{domain}}", that allows you to specify the domain where the email entry can be found by WHOIS.

Note: Previously, when using the DCV email method to validate subdomains on your DV order, you had to validate the exact subdomain name.

Now, on your DV certificate order, you can validate a subdomain (e.g., sub.example.com) at a higher level (e.g., example.com). Add the new parameter, "email_domain": "{{domain}}", to the resend DCV email request and send the DCV email to a higher-level domain email address (e.g., admin@example.com).

Example request for the DV SSL: Resend emails endpoint

New email_domain parameter in DV SSL: Resend email endpoint

May 3, 2020

2020 scheduled maintenance API access CertCentral access

Scheduled Maintenance

On May 3, 2020 from 07:00 to 09:00 UTC, DigiCert will perform scheduled maintenance.

Although we have redundancies in place to protect your service, some DigiCert services may be unavailable during this time.

DigiCert services will be restored as soon as maintenance is completed.

What can you do?

Please plan accordingly. Schedule high-priority orders, renewals, reissues, and duplicate issues outside of the maintenance window.

DigiCert 2020 scheduled maintenance
This page is kept up to date with all our maintenance schedule information.
DigiCert Status
To get live updates, subscribe to the DigiCert Status page.

April 28, 2020

email settings certificate lifecycle emails localization New

Account setting for certificate lifecycle email language preference

We've added an account language setting for the certificate lifecycle emails sent from CertCentral. Now, on the Notifications page, you can set the language preference for the certificate lifecycle emails for the entire account.

Currently, we support these 11 languages for certificate lifecycle specific emails:

English
Chinese (Simplified)
Chinese (Traditional)
French
German
Italian
Japanese
Korean
Portuguese
Russian
Spanish

How does certificate lifecycle email language support work?

When you go to the Notifications page in CertCentral, use the Email Language dropdown to set the certificate lifecycle email language for the entire account.

For example, if you set the email language to Italian, all certificate lifecycle emails will be in Italian regardless of the individual account language setting.

Note: The Email Language option only changes the language used in the certificate lifecycle emails. It does not change the language used in an individual account. On the Profile Settings page, use the Language dropdown to set the language for your account. See CertCentral language preferences.

Where are these certificate life cycle settings?

To access the Certificate Lifecycle email defaults settings, in the left main menu, go to Settings > Notifications. To learn more, see Configure certificate lifecycle email settings.

New certificate lifecycle email setting

We added another notification setting to the Certificate lifecycle email settings—Send organization approval emails to the user placing order. This setting allows you to control if the organization approval email is sent to the certificate requestor.

What is the organization approval email?

When the requestor is an admin or organization contact, we send them an email letting them know DigiCert has validated the organization, and they can now issue certificates for it.

Note: This new setting only applies to orders where a new, yet to be validated organization is included in the request.

Where are these certificate life cycle settings?

To access the Certificate Lifecycle email defaults settings, in the left main menu, go to Settings > Notifications. To learn more, see Configure certificate lifecycle email recipients.

April 23, 2020

bug fix general availability domain validation audit logs localization New domain validation scope DV Certificates submit base domains discovery

Discovery now available in all CertCentral accounts

We are happy to announce that all existing CertCentral accounts now include Discovery, our newest and most robust certificate discovery tool.

Note: For those who were using Certificate Inspector, Discovery replaces our long time DigiCert tool, Certificate Inspector.

By default, Discovery includes Cloud scan and a Sensor scan trial with a 100-certificate limit.

Cloud scan

Cloud scan uses a cloud-based sensor, so there is nothing to install or manage. You can start scanning immediately to find all your public facing SSL/TLS certificates regardless of issuing Certificate Authority (CA). Cloud-scan runs once every 24 hours.

To learn more, see Discovery Cloud-scan service.
To run your first cloud scan, in the left main menu, go to Discovery > Manage Discovery. On the Manage scans page, click Single cloud scan.

Sensor scan

Sensor scan is our most robust version of Discovery. It uses sensors to scan your network to quickly find all your internal and public facing SSL/TLS certificates regardless of the issuing Certificate Authority (CA). Discovery also identifies problems in certificate configurations and implementations along with certificate-related vulnerabilities or problems in your endpoint configurations.

Scans are centrally configured and managed from inside your CertCentral account. Scan results are displayed in an intuitive and interactive dashboard inside CertCentral. Configure scans to run once or multiple times on a set schedule.

To learn how to install a sensor and start scanning your SSL/TLS certificate landscape, see Discovery user guide.
To continue to use Sensor scan after the trial period is over, please contact your account manager or our Support team.

Discovery audit logs

Discovery has added a new feature—Discovery Audit Logs—allowing you to track Discovery-related activities in your CertCentral account. These audit logs provide insight into user activity enabling you to see areas where training may be required, reconstruct events to troubleshoot problems, detect misuse, and discover problem areas.

To make it easier to sort through the information in the Discover audit logs, we've include several filters:

Date range
Division
User
IP Address
Actions
(e.g., void sensor, delete scan, etc.)

To access the Discovery Audit Log, in your CertCentral account, in the left main menu, go to Account > Audit Logs. On the Audit Logs page, click Discovery Audit Logs.

Discovery language support

As we work to globalize our product offerings and make our websites, platforms, and documentation more accessible, we are happy to announce that we've added language support to Discovery in CertCentral.

Now, when configuring your language preference in CertCentral, Discovery is included in the configuration.

To configure your language preference

In your account, in the top right corner, in the "your name" drop-down list, select My Profile. On the Profile Settings page, in the Language dropdown, select a language and click Save Changes.

See CertCentral language preferences.

Bug fix: DV certificate orders did not honor Submit base domains for validation account setting

We fixed a bug in the DV certificate domain control validation (DCV) process where DV certificate orders did not adhere to the Submit base domains for validation account setting.

Note: For DV certificate orders, you were required to validate the domain exactly as named in the order.

Now, DV certificate orders honor the Submit base domains for validation account setting, allowing you to validate your subdomains at the base domain level on your DV certificate orders.

To view the Domain Validation Scope settings in your account, go to Settings > Preferences. On the Division preferences page, expand +Advanced Settings. The Domain Validation Scope settings are in the Domain Control Validation (DCV) section.

April 15, 2020

bug fix download link certificate notification upgrade tls certificates GeoTrust DV Certificates digicert order ID

Bug fix: DV certificate not attached to email notification

We fixed a bug in the DV certificate issuance process where we weren't attaching a copy of the DV certificate to the Your certificate for your-domain email notification. As a temporary fix to this issue, we now include a certificate download link in the DV certificate email notification.

Note: After DigiCert issues a certificate, it is immediately available in your CertCentral account.

To use the download link in the email, you must have access to the CertCentral account and have permissions to access the certificate order.

If an email recipient doesn't have access to the account or to the certificate order, you can email them a copy of the DV certificate from your CertCentral account. See our instructions for how to email a DV certificate from your CertCentral account.

Legacy partner account upgrades to CertCentral

In the DigiCert Service API, we updated the—DigiCert order ID—to make it easier to find the corresponding DigiCert order IDs for your migrated legacy GeoTrust TLS/SSL certificate orders.

Now, you can use the GeoTrust order ID* to access the DigiCert order ID for your GeoTrust certificate orders. Additionally, when using the GeoTrust order ID, we return the most current DigiCert certificate order ID.

*Note: In the legacy partner accounts, you only have access to the GeoTrust order ID for your GeoTrust TLS/SSL certificate orders.

Background

After you migrate your active, public SSL/TLS certificate orders to your new account, we assign a unique DigiCert order ID to each migrated legacy SSL/TLS certificate order.

For more information:

April 7, 2020

Domain details page DCV expiration dates Domains page domain validation management submit for revalidation

Improved Domains page: DCV expiration dates and more

We improved the Domains page enabling you to see when the domain control validations (DCVs) for your domains expire—OV and EV validations.

Note: Previously, to find out when a domain's validation was going to expire, you had to go to the domain's details page.

Now when you go to the Domains page (in the left main menu, go to Certificates > Domains), you'll see these new additions:

Two new sortable columns: OV Expiration and EV Expiration
After you complete the DCV for your domain, these columns show the expiration dates for the domain validations.If domain validations are not renewed, the expiration dates disappear after one year.
These expiration dates are calculated from when the Domain Control Verification (DCV) was completed (OV: +825 days, EV: +13 months).
Four new filters in the Validation Status dropdown
- OV Expired
- EV Expired
- OV Expiring*
- EV Expiring*
Warning icon
If a validation has expired, you'll see a warning icon next to the "expiration" date.

*Note: These filters show domain validations that expire in the next 30 days.

Improved Domain details page: DCV expiration dates and more

We improved the Domain details page, enabling you to see when the domain control validations (DCVs) for your domain expires—OV and EV validations.

Now when you go to a domain's details page, under Domain Validation, you'll see a new subsection, Validation Status, that lets you see when the domain's OV and EV certificate domain validations will expire*. We also added a warning icon to make it easier to identify when a validation has expired.

*Note: These expiration dates are calculated from when the Domain Control Verification (DCV) was completed (OV: +825 days, EV: +13 months).

New feature: Submit domains for revalidation at any time

On the Domain details page, we added a new feature, enabling you to submit a domain for revalidation before the domain control validation (DCV) for it expires. Now, you can submit a domain for revalidation at any time, enabling you to complete the domain’s validation early to maintain seamless certificate issuance for the domain.

When you go to a domain's details page, under Domain Validation, you'll see a new subsection, Submit for validation. Before a domain's validation expires, you can resubmit it for validation and select the DCV method you want to use to demonstrate control over your domain. See Domain prevalidation: Revalidate your domain before validation expires.

For a domain with current validation, you still see a green check mark indicating the validation for the domain is still valid and can be used when ordering certificates for it. However, you will also see a message letting you know the domain is pending revalidation. When you've completed the DCV, the expiration date changes, and the pending revalidation message disappears.

April 5, 2020

API access symantec CertCentral access 2020 scheduled maintenance Service provider maintenance Thawte GeoTrust RapidSSL Console access

Scheduled Maintenance

On April 5, 2020 from 07:00 to 09:00 UTC, DigiCert will perform scheduled maintenance.

Although we have redundancies in place to protect your service, some DigiCert services may be unavailable during this time.

DigiCert services will be restored as soon as maintenance is completed.

What can you do?

Please plan accordingly. Schedule high-priority orders, renewals, reissues, and duplicate issues outside of the maintenance window.

DigiCert 2020 scheduled maintenance
This page is kept up to date with all our maintenance schedule information.
DigiCert Status
To get live updates, subscribe to the DigiCert Status page.

High-priority service provider maintenance April 5 from 06:00 - 08:00 UTC

On Friday April 3, DigiCert was notified by our data center service provider that they are going to perform some high-priority maintenance on Sunday April 5 from 06:00 – 08:00 UTC.

How does this affect me?

This maintenance window only affects legacy Symantec Website Security, Thawte, GeoTrust, and RapidSSL customers.

During this time, Symantec, GeoTrust, Thawte and RapidSSL consoles, associated APIs, and certificate issuance may be affected.

Services will be restored as soon as maintenance is completed.

What can you do?

Please plan accordingly. Schedule high-priority orders, renewals, reissues, and duplicate issues outside of the maintenance window.

DigiCert 2020 scheduled maintenance
This page is kept up to date with all our maintenance schedule information.
DigiCert Status
To get live updates, subscribe to the DigiCert Status page.

March 31, 2020

browsers compliance TLS 1.0 TLS 1.1

Browser support ending for TLS 1.0 and 1.1

In 2020, the four major browsers are ending support for Transport Layer Security (TLS) 1.0 and 1.1.

Firefox – March 2020
https://blog.mozilla.org/security/2018/10/15/removing-old-versions-of-tls/
Safari – March 2020
https://webkit.org/blog/8462/deprecation-of-legacy-tls-1-0-and-1-1-versions/
Chrome – Chrome 81
https://security.googleblog.com/2018/10/modernizing-transport-security.html
Edge – First half of 2020
https://blogs.windows.com/msedgedev/2018/10/15/modernizing-tls-edge-ie11/

This change doesn't affect your DigiCert certificates. Your certificates will continue to work as they always have.

What you need to know

This change affects browser-dependent services and applications relying on TLS 1.0 or 1.1. Once browser support for TLS 1.0 or 1.1 ends, these out-of-date systems will be unable to make HTTPS connections.

What you need to do

If you are affected by this change, plan to enable or upgrade to TLS 1.2 or TLS 1.3 now. Give yourself lead time to deal with any problems. Before you start, make sure to identify all systems that might use TLS 1.0 or 1.1.

Remember to check web servers like Apache or Microsoft IIS, .NET Framework, server monitoring agents, and other commerce applications that might use it.

Helpful resources

With so many different types of systems relying on TLS, we can't cover all available upgrade paths, but here are a few references that may help:

To upgrade your Linux OpenSSL library, see https://blog.midtrans.com/time-to-upgrade-to-tls-version-1-2/.
To enable TLS 1.2 with OpenSSL and Apache, see https://serverfault.com/questions/314858/how-to-enable-tls-1-1-and-1-2-with-openssl-and-apache.
To enable TLS 1.2 in WinHTTP in Windows (Windows Server 2012, Windows 7 Service Pack 1 (SP1), and Windows Server 2008 R2 SP1), see https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-wi.
To disable support for TLS 1.0 and 1.1 in Windows Server 2019 IIS, see https://medium.com/@rootsecdev/configuring-secure-cipher-suites-in-windows-server-2019-iis-7d1ff1ffe5ea.

March 31, 2020

code signing certificates Microsoft driver packages kernel-mode Policy changes compliance

Microsoft is sunsetting support for third-party kernel-mode driver package digital signatures

The process for signing your kernel-mode driver packages is changing. Starting in 2021, Microsoft will be the sole provider of production kernel-mode code signatures. You will need to start following Microsoft’s updated instructions to sign any new kernel-mode driver packages going forward. See Partner Center for Windows Hardware.

What is DigiCert doing about this?

As a first step in this sunsetting process, DigiCert has removed the Microsoft Kernel-Mode Code platform option from Code Signing certificate request forms: new, reissue, and renew.

This means going forward, you can no longer order, reissue, or renew a code signing certificate for the kernel-mode platform.

How does this affect my existing kernel-mode Code Signing certificate?

You can continue to use your existing certificates to sign Kernel-Mode driver packages until the cross-signed root it is chained to expires. DigiCert brand cross-signed root certificates expire in 2021.

For more details, see our knowledgeable article, Microsoft sunsetting support for cross-signed root certificates with kernel-mode signing capabilities.

March 16, 2020

cancel order bug fix resend certificate generation email code signing certificates domain validation management Edit organization details division preferences domain validation scope enhancement New feature

CertCentral: Domain validation management for all account types

We are happy to announce all CertCentral accounts now come with domain validation management by default. Now, all account types have access to these domain management features:

Add domains directly to your account
Submit your domains for prevalidation*
Manage each domains' validations: EV and OV certificates
Activate and deactivate domains

To use the new domain validation management features, go to the Domains page (in the left main menu, go to Certificates > Domains).

*For more information about submitting domains for prevalidation, see Domain prevalidation.

Note: Previously, only Enterprise and Partner accounts had the ability to submit domains for prevalidation and manage their domains' validations (domain control validation).

CertCentral: Domain Validation Scope settings apply to TLS orders only

On the Division Preferences page, under Domain Control Validation (DCV), we updated the Domain Validation Scope settings: Submit exact domain for validation and Submit base domains for validation. These updated settings allow you to define the default domain validation behavior when submitting new domains through the TLS certificate order process: EV, OV, and DV. These settings no longer apply to the domain prevalidation process.*

Submit exact domain names for validation
When validating new domains through the order process, domains and subdomains are submitted for validation exactly as named. A domain validation request for sub2.sub1.example.com is submitted for validation as sub2.sub1.example.com.
Submit base domains for validation
When validating new domains through the order process, domains and subdomains are submitted for validation at the base domain level. A domain validation request for sub2.sub1.example.com is submitted for validation as example.com. Remember, validating a base domain also validates all subdomains for that base domain.

*How do these changes affect the domain prevalidation process?

When submitting domains for prevalidation, you can validate a domain at any level, base or any of the lower level subdomains: example.com, sub1.example.com, sub2.sub1.example.com, etc. See Domain prevalidation.

"Resend create certificate email" option for browser generated Code Signing certificate orders

We added a Resend create certificate email option to our Code Signing certificate process for orders where the certificate is generated in a supported browser: IE 11, Safari, Firefox 68, and portable Firefox.

Now, when a code signing certificate order has the status Emailed to Recipient, you can resend the certificate generation email.

For more information, see Resend "Create Your DigiCert Code Signing Certificate" email.

We fixed a bug preventing the Cancel Order option from appearing for Code Signing (CS) certificate orders with a status of Emailed to Recipient. On the Order details, page the Cancel Order option was missing from the Certificate Actions dropdown.

Note: To cancel the order, you had to contact our support team.

Now, to cancel a Code Signing (CS) certificate order with the status Emailed to Recipient, go to Order details page for the certificate and cancel the order.

For more information, Cancel a certificate order.

CertCentral: Edit organization details

We added a new feature to the organization management process in CertCentral—Edit organization details. Now, to update organization information, go to the Organization details page for that organization and click Edit Organization.

What you need to do before you edit an organization's details

Changing organization details for a validated organization negates all existing validation for the organization. This cannot be undone. This means DigiCert will need to validate the "updated/new" organization before we can issue certificates for it. Before you begin, make sure you understand and accept what happens when you change an organization's details.

For more information, see Edit organization details.

March 12, 2020

Domain details page api bug fix list domains Domains page expiration dates domain info domain validation enhancement

Updates to the Domain details page

We simplified the Domain Validation section on the Domain details page to display only two validation types with their expiration dates: OV and EV. We also updated the page to show the domain validation expiration dates calculated from when the Domain Control Verification (DCV) was completed (OV: +825 days, EV: +13 months).

Note: Previously, you could see up to two other validation types: Grid and Private. Grid certificates have the same validity period as OV: 825 days. Domain validation is not required for private certificates as these certificates are not publicly trusted.

To view a domain's validation expiration dates, in the left main menu, go to Certificates > Domains. On the Domains page, locate the domain and click its Domain Name link. On the Domain details page, under Domain Validation, view your domain validations and when they expire.

CertCentral Services API: Improved List domains and Domain info endpoints

In the DigiCert Services API, we updated the List domains and Domain info endpoints, enabling you to see when the domain control validations (DCV) for the domain expire: OV and EV validations. This new information is only returned in the response if you include the URL query string include_validation=true.

Now, when you get a list of all domains or information about a specific domain and you include the URL query string include_validation=true, you can see when the DCVs for the domain expire.

Example requests with the URL query string:

Domain info
https://www.digicert.com/services/v2/domain/{{domain_id}}? include_validation=true
List domains
https://www.digicert.com/services/v2/domain?include_validation=true

Example response – domain control validation (DCV) expiration dates

Example response with DCV expiration dates

Removed "Pending" column from Domains page

We found a bug on the Domains page preventing us from providing accurate information about a domain's pending validations. As a temporary solution, we are removing the Pending column from the page until a permanent fix can be deployed.

To view if a domain has pending validations, in the left main menu, go to Certificates > Domains. On the Domains page, locate the domain and click its Domain Name link. On the Domain details page, under Domain Validation, check to see if the domain has pending validations: OV and EV.

March 8, 2020

2020 scheduled maintenance API access CertCentral access

Scheduled Maintenance

On March 8, 2020 from 08:00 to 10:00 UTC, DigiCert will perform scheduled maintenance. Although we have redundancies in place to protect your service, some DigiCert services may be unavailable during this time. DigiCert services will be restored as soon as maintenance is completed.

What can you do?

Please plan accordingly. Schedule high-priority orders, renewals, reissues, and duplicate issues outside of the maintenance window.

DigiCert 2020 scheduled maintenance
This page is kept up to date with all our maintenance schedule information.
DigiCert Status
To get live updates, subscribe to the DigiCert Status page.

March 2, 2020

reissues SHA1 ev code signing certificates sha256 hash algorithm

Signature Hash option on EV Code Signing certificate reissues

We updated our Extended Validation (EV) Code Signing reissue process. Now, when reissuing an EV Code Signing certificate, you can select the signature hash for the certificate: SHA-256 or SHA-1.

For more information, see our Reissue or re-key an EV Code Signing certificate instructions.

February 28, 2020

api rate limits

CertCentral Services API: Improved rate limits

In the DigiCert Services API, we improved our requests rate limits. Now, we enforce a rate limit of 1000 requests per 5 minutes, along with a short-term rate limit of 100 requests per 5 seconds to protect against burst requests and prevent abuse*.

*Note: If the number of requests exceeds either rate limit, API access is temporarily blocked, and all requests return a 429 HTTP status code (request_limit_exceeded) with a "Service unavailable, please limit request volume" message.

For more information, see Rate limits.

February 20, 2020

api bug fix cc-api upgrade tls certificates hidden organizations digicert order ID

We fixed a bug in CertCentral where "hidden" organizations prevented certificate request forms from opening. To fix this issue, we no longer include hidden organizations in the list of available organizations on the certificate request forms.

What if I want to add a "hidden" organization to a certificate request?

To include a "hidden" organization in the list of available organizations on your certificate request forms, simply unhide it.

In the left main menu, go to Certificates > Organizations.
On the Organizations page, in the Hidden Organizations dropdown, select Show and then click Go.
Click the organization, you want to unhide.
On the Organization's detail page, click Unhide.

The next time you order a certificate, the organization will appear in the list of available organizations on the certificate request form.

Note: This change only affects the CertCentral user interface (UI). The API supports adding "hidden" organizations to your requests; you don’t need to unhide an organization to add it to a certificate request.

Legacy account upgrades to CertCentral

In the DigiCert Service API, we added a new endpoint—DigiCert order ID—to make it easier to find the corresponding DigiCert order IDs for your migrated legacy Symantec orders.

After you migrate your active, public SSL/TLS certificate orders to your new account, we assign a unique DigiCert order ID to each migrated legacy Symantec SSL/TLS certificate order.

Example request

GET https://www.digicert.com/services/v2/oem-migration/{{symc_order_id}}/order-id

Example response
200 OK

Example response for Digicert order ID endpoint

For more information:

February 13, 2020

upgrade organizations legacy consoles tls certificates data migration domains

Legacy account upgrades 2.0

We are happy to announce that validated domains and active, public SSL/TLS certificates are now included in the data migration when upgrading your legacy console to CertCentral. See What you need to know about account data migration.

With this release, we start a phased upgrade of our legacy consoles to CertCentral. Upgrade criteria is dependent on company size, currency preference, and feature usage.

Note: CertCentral upgrades are free. If you are interested in upgrading now, please contact your account manager or our Support team.

If your legacy account meets the phase one criteria, when you sign in to your console, you'll see an option to upgrade to CertCentral. Upon upgrade, we migrate your organizations and and validated domains to your CertCentral account. Then, when ready, you can import your active, public SSL/TLS certificates.

For more information about the upgrade to CertCentral and data migration, see our Upgrade to CertCentral guide.

Other types of certificates

Private SSL, code signing, S/Mime and other types of certificates cannot be imported at this time. Private SSL/TLS and non-SSL/TLS certificate will be part of a separate migration effort.

February 9, 2020

2020 scheduled maintenance

Scheduled maintenance

On February 9, 2020 from 08:00 to 10:00 UTC, DigiCert will perform scheduled maintenance.

Although we have redundancies in place to protect your service, some DigiCert services may be unavailable during this time. DigiCert services will be restored as soon as maintenance is completed.

Please plan accordingly. Schedule high-priority orders, renewals, reissues, and duplicate issues outside of the maintenance window.

For more information, see DigiCert 2020 scheduled maintenance; this page is kept up to date with all maintenance schedule information.

February 7, 2020

api cc-api secure site ov basic ov secure site ev basic ev new endpoints

In the DigiCert Services API, we added four new endpoints for ordering the new more flexible Basic and Secure Site SSL/TLS certificates. These more flexible SSL/TLS certificates make it easier to get the certificate to fit your needs and will replace the old Basic and Secure Site products.

Use these endpoints to place new orders and renewal orders only. They cannot be used to convert existing Basic or Secure Site certificate orders.

To activate any of these new certificates for your CertCentral account, contact your account manager or our Support team.

Order Basic OV
POST https://www.digicert.com/services/v2/order/certificate/ssl_basic
Order Basic EV
POST https://www.digicert.com/services/v2/order/certificate/ssl_ev_basic
Order Secure Site OV
POST https://www.digicert.com/services/v2/order/certificate/ssl_securesite_flex
Order Secure Site EV
POST https://www.digicert.com/services/v2/order/certificate/ssl_ev_securesite_flex

Flexible OV and EV certificates

These certificates provide the encryption and authentication you've come to expect from DigiCert SSL/TLS certificates, while allowing you to build an OV or EV certificate with a mix of whatever domains and wildcard domains* are needed to fit your needs.

*Note: Industry standards support wildcard domains in OV SSL/TLS certificates only. EV SSL/TLS certificates don't support the use of wildcard domains.

January 30, 2020

secure site ov certcentral secure site ev basic ov new products basic ev

We are happy to announce four new products are now available in CertCentral:

Basic OV
Basic EV
Secure Site OV
Secure Site EV

These more flexible SSL/TLS certificates make it easier to get the certificate to fit your needs and will replace the old Basic and Secure Site products. To activate any of these new certificates for your CertCentral account, contact your account manager or our Support team.

Flexible Basic OV and EV certificates

*Note: You can only include wildcard domains in an OV SSL/TLS certificate. EV SSL/TLS certificates don't support the use of wildcard domains.

Flexible Secure Site OV and EV certificates

These certificates include all the same features as Basic OV and EV certificates. Plus, they come with the benefits included with all Secure Site certificates.

Priority validation
Priority support
Two premium site seals
Malware check
Industry-leading warranties

January 29, 2020

api revoke certificate endpoint bug fix

CertCentral Services API: Fixed Revoke certificate endpoint bug

In the DigiCert Services API, we fixed a bug in the Revoke certificate endpoint where the request to revoke a single certificate on an order was being submitted for all certificates on the order.

Note: After submitting your "single certificate" revocation request, we returned a 201 Created response with the request details to revoke all certificates on the order.

Now, when using the Revoke certificate endpoint to submit a request to revoke a single certificate on an order, we return a 201 Created response with the request details to revoke just that certificate on the order.

30-day money back guarantee

The Revoke certificate endpoint revokes a certificate on the order and not the order itself. Our 30-day money back guarantee is tied to an order and not a "certificate" on the order. To get the 30-day money back guarantee, you need to revoke the order within the first 30 days; see Revoke order certificates.

Certificate revocation process

All revocation requests, including those made via the Services API, must be approved by an administrator before DigiCert will revoke the certificate. This approval step is required and cannot be skipped or removed from the certificate revocation process.

Revoke certificate: use this endpoint to revoke a single certificate on an order*.
Revoke order certificates: use this endpoint to revoke all certificates on an order.
Update request status: use this endpoint to approve a certificate revocation request.

*What you need to know about the revoke certificate endpoint

This endpoint is designed to revoke a certificate on an order; it doesn't revoke a certificate order.

If you revoke a certificate on an order with only a single certificate:

The order is still active
No refund is provided for the revoked certificate
You can still reissue a certificate on that order

If you don't plan to reissue a certificate for the order, use the Revoke order certificates endpoint to revoke the order.

January 22, 2020

preferences renewal notifications discovery new setting

Discovery: Account setting for discovered certificate renewal notifications

In Discovery, we added a new account setting, Turn on discovered certificate renewal notifications, enabling you to receive renewal notifications for your expiring "discovered" SSL/TLS certificates. These renewal notifications include the option to renew your SSL/TLS certificate with us. When renewing a "discovered" SSL/TLS certificate in CertCentral, we'll replace it with an equivalent DigiCert certificate.

By default, renewal notices for discovered certificates are turned off for a CertCentral account*. To start receiving renewal notices for your expiring discovered certificates, go to Settings > Preferences. In the Certificate Renewal Settings section, check Turn on discovered certificate renewal notifications.

*Note: With the roll out of this new setting, you may need to turn Discovery renewal notifications back on for your account.

To learn more, see Discovery renewal notices.

January 17, 2020

endpoints new parameter enhancement api Submit for validation request parameter

CertCentral Services API: Improved Submit for validation endpoint

In the DigiCert Services API, we updated the Submit for validation endpoint, enabling you to submit a domain for revalidation before it expires. Now, you can submit a domain for revalidation at any time, enabling you to complete the domain’s validation early and maintain seamless certificate issuance for the domain.

Note: If you order a certificate for the domain while the domain's revalidation is in a pending state, we use the domain's current validation to issue the certificate.

New request parameter: dcv_method

We also added a new request parameter, dcv_method*. Now, when you submit a domain for validation, you can change the DCV method used to prove control over the domain.

*Note: This new parameter is optional. If you leave the new parameter out of your request, we return a 204 response with no content. You will need to use the same DCV method used before to prove control over the domain.

Example request with new parameter
POST https://www.digicert.com/services/v2/domain/{{domain_id}}/validation

Submit for validation endpoint example request

Example response when new parameter is included in the request
201 Created

Submit for validation endpoint example response

January 14, 2020

order endpoints api enhancement

CertCentral Services API: Improved order endpoints:

In the DigiCert Services API, we added an "organization ID" response parameter to the endpoints listed below. Now, when you add a new organization in your certificate request, we return the organization's ID in the response, enabling you to use the organization immediately in your certificate requests.

Previously, after adding a new organization in your certificate request, you had to make an additional call to get the new organization's organization ID: Order info.

Updated order endpoints:

Example response with new organization ID parameter

January 9, 2020

documentation api localization enhancement

11 SUPPORTED LANGUAGES IN THE DOC AND DEVELOPERS PORTALS

As we work to globalize our product offerings and make our websites, platforms, and documentation more accessible, we are happy to announce that we've added language support to the Document and Developers portals.

We now support these 11 languages:

English
Chinese (Simplified)
Chinese (Traditional)
French
German
Italian
Japanese
Korean
Portuguese
Russian
Spanish

How does language support work?

When you visit the portals, use the language selector (globe icon) to change the portal display language. We save your language selection for 30 days so you don't need to reselect it every time you visit our documentation site.

TIPS AND TRICKS

Access Doc and Developer portals

You can access the Document and Developers portals from the DigiCert website and CertCentral.

From digicert.com
In the top menu, hover over Support. Under Resources, you can find Documentation and API Documentation links.
From CertCentral
In the Help menu, select Getting Started.
On the API Keys page, click API Documentation. (In the left main menu, go to Automation > API Keys).

Create links within documentation

You can link to sections within the documentation.

On the documentation page, hover on the subheader you want to link to and click the hashtag icon (#). This creates a URL in the browser's address bar.

Use this feature to bookmark or link to specific sections in the instructions.

January 7, 2020

api order-document-signing-certificate endpoints new parameter enhancement

CertCentral Services API: Improved order Document Signing - Organization (2000) and (5000) endpoints:

In the DigiCert Services API, we updated the Order document signing certificate endpoints for ordering Document Signing - Organization (2000) and (5000) certificates. We added a new parameter, "use_org_as_common_name": true, enabling you to use the organization name as the common name on the certificate.

Note: Previously, your only option was to use the person's full name as the common name on your document signing organization certificates.

Now, if you want to use the organization name as the common name on your document signing organization certificate, add the "use_org_as_common_name": true parameter to your certificate request. When we issue your certificate, the organization name will be the common name on the certificate.

Document Signing - Organization (2000) endpoint: https://www.digicert.com/services/v2/order/certificate/document_signing_org_1
Document Signing - Organization (5000) endpoint: https://www.digicert.com/services/v2/order/certificate/document_signing_org_2

Example request for Order document signing certificate endpoint

Example Document Signing Organization certificate request

January 6, 2020

order forms certificate profiles data encipherment key usage extension New feature SSL certificates

New certificate profile option

We've added a new certificate profile option, Data Encipherment, which allows you to include the Data Encipherment key usage extension in OV and EV SSL/TLS certificates. Once enabled for your account, the Include the Data Encipherment key usage extension in the certificate option appears on your SSL/TLS certificate request forms under Additional Certificate Options.

To enable a certificate profile for your account, reach out to your account manager or contact our Support team.

Other available certificate profile options

Intel vPro EKU
KDC/SmartCardLogon EKU
HTTP Signed Exchange
Delegated Credentials
OCSP Must-Staple

To learn more about these supported certificate profile options, see Certificate profile options.

December 19, 2019

New feature email settings certificate lifecycle emails

New certificate order email settings

We added some new account notification settings—Certificate Lifecycle email defaults.

Send emails to organization contact
Send emails to technical contact
Send emails to user placing order*

These new settings allow you to modify the default account settings for certificate order emails. Now, you can send certificate order emails to the organization and technical contact. You can also remove the certificate requestor from the flow.

Note*: By default, the user placing the order receives the certificate order emails.

CertCentral sends the following emails for each order:

Certificate issued for new, renew, reissue, and duplicate orders.
Renewal notifications

To access the Certificate Lifecycle email defaults settings, in the left main menu, go to Settings > Notifications. To learn more, see Configure certificate lifecycle email recipients.

December 5, 2019

New feature CT log monitoring service Secure Site Pro

CT Log monitoring

We are happy to announce that Secure Site Pro certificates now come with access to a CT Log monitoring service. CT Log monitoring allows you to monitor the public CT logs for SSL/TLS certificates issued for the domains on your Secure Site Pro certificate order, in real time.

CT Log monitoring is a cloud service so there is nothing to install or manage. After we've issued your Secure Site Pro certificate and turned CT Log monitoring on for the order, you can start using the service immediately to monitor the domains on the certificate order.

The CT Log monitoring benefit for Secure Site Pro certificates is retroactive. To access your CT Log monitoring for your issued and active Secure Site Pro certificate order, contact your account manager or our support team.

CT Log monitoring helps you:

Gain visibility of the SSL/TLS certificates issued for your domains with global monitoring and tracking against the public CT logs.
Cut down on time and effort needed to monitor the logs by providing automated checks for DigiCert and non-DigiCert issued certificates.
Ensure every certificate issued for your domains is trusted while gaining full oversight of which certificate authority issued each certificate.

The service pulls the discovered SSL/TLS certificates into your CertCentral account, where you can view details about the certificates to quickly identify any misissued certificates for your domains. You can also download copies of the non-DigiCert certificates right from your CertCentral account.

Email notifications

After you've enabled CT Log monitoring for a Secure Site Pro certificate order, you'll receive two types of email notifications: Daily CT log digest and if needed, Urgent notifications. Email notifications are sent to account admins and allow them to check the CT logs for their domains without signing in to their CertCentral account every day.

Daily CT log digest
Scheduled to occur once a day, this digest includes a daily rundown of new DigiCert issued SSL/TLS certificates found in public CT logs. The daily digest is only sent if new DigiCert issued certificates are discovered.
Urgent CT log notification
This urgent notification is sent within minutes any time a non-DigiCert SSL/TLS certificate is issued for a domain on the Secure Site Pro certificate order.

To learn more about what's included with each Secure Site Pro certificate, see Pro TLS/SSL Certificates. To learn more about enabling CT log monitoring for a Secure Site Pro certificate order. see Enable CT log monitoring.

December 4, 2019

Pending api cancel orders enhancement client certificates Emailed to Recipient

Improved client certificate process

We improved the client certificate process, enabling you to cancel client certificate orders in an Emailed to Recipient state—orders that are waiting for the email recipient to generate and install the client certificate in one of the supported browsers.

Note: Previously, when a client certificate was in an Emailed to Recipient state, you had to contact support to cancel the order.

Now, if you need to cancel a client certificate order in the Emailed to Recipient state, go to the client certificate's Order details page and in the Certificate Actions dropdown list, select Cancel Order. See Cancel pending client certificate orders.

CertCentral Services API: Improved client certificate process
In the DigiCert Services API, we updated the Update order status endpoint enabling you to cancel client certificate orders in a waiting_pickup state—orders that are waiting for the email recipient to generate and install the client certificate in one of the supported browsers.

Note: Previously, when a client certificate was in a waiting_pickup state, you received a forbidden error and had to contact support to cancel the order.

Now, you can use the Update order status endpoint to cancel a client certificate order in the waiting_pickup state.

December 3, 2019

New feature organization units default behavior change

CertCentral: Default behavior change

By default, we will no longer use organization unit information included in a CSR to autopopulate the Organization Unit value in OV/EV SSL certificate request forms. When ordering these certificates, you can still manually add organization unit information.

Note: Organization unit (OU) information is not required to purchase an OV/EV SSL certificate. Furthermore, when you include OU information in a certificate request, we are required to perform additional validation. This may delay certificate issuance, including for requests where the organization and domains have been prevalidated.

CertCentral: New account setting (Enterprise and Partner)

For CertCentral Enterprise and Partner accounts, we added a new account setting—Autopopolate OU Field. This option allows you to use organization unit information included in a CSR to autopopulate the Organization Unit value in OV/EV SSL certificate request forms.

Note: Enterprise and Partner accounts have a logo identifying the account type: Enterprise logo or Partner logo.

In the left main menu, go to Settings > Preferences. On the Division Preferences page, the new setting is in the Advanced Settings section under Certificate Requests. See our Autopopulate Organization Unit field instructions.

November 21, 2019

renewal notifications discovery

Discovery: Renewal notifications for non-DigiCert SSL/TLS certificates

In Discovery, we added renewal notifications for non-DigiCert certificates, making it easier to manage all your SSL/TLS certificates in one place—CertCentral. Now, when Discovery finds non-DigiCert certificates, we'll send renewal notifications for these certificates regardless of issuing Certificate Authority (CA).

Note: When renewing a non-DigiCert SSL/TLS certificate in CertCentral, we'll replace it with the equivalent DigiCert certificate. For example, we'll replace a non-DigiCert single-domain SSL certificate with a DigiCert single-domain SSL certificate.

Who receives these renewal notifications?

By default, Discovery sends renewal notifications for non-DigiCert SSL/TLS certificates to the primary CertCentral administrator—the individual who created the account and receives all account notifications.

We also send renewal notifications to any additional email addresses assigned to receive account notifications. See Set up account email notifications and Certificate renewal notifications.

When are these renewal notifications sent?

Discovery uses your CertCentral renewal notification settings to determine when to send renewal notifications for non-DigiCert certificates. By default CertCentral sends renewal notifications 90, 60, 30, 7, and 3 days before a certificate expires and 7 days after a certificate expires.

To customize your renewal notifications schedule, see Certificate renewal notifications.

Discovery: Customize non-DigiCert SSL/TLS certificate renewal notification process

In Discovery, on the Certificates page, we added three new certificate renewal actions to the Actions column dropdown for non-DigiCert certificates: Disable renewal notices, Enable renewal notices, and Renewal notifications. Renewal notifications allows you to add email addresses to receive renewal notifications for a certificate.

On the Certificates page, you can now update your non-DigiCert certificate renewal process to fit your certificate needs. (In the left main menu, go to Discovery > View Results.)

Note: By default, Discovery sends renewal notifications for all discovered non-DigiCert SSL/TLS certificates.

To customize renewal notifications for non-DigiCert SSL/TLS certificates, see Discovery renewal notices.

November 20, 2019

New feature document signing bug fix renewal

New feature: Document Signing certificate renewals

We fixed a bug on the Expiring Certificates page where we provided a Renew Now link for expiring Document Signing (DS) certificate orders. When you clicked Renew Now, it opened an SSL certificate renewal form where you were unable to complete your DS certificate renewal.

Note: To renew your DS certificate, you were required to order a new certificate.

Now, on the Expiring Certificate page when you click Renew Now for an expiring DS certificate order, it opens a DS certificate renewal form where you are able renew your certificate.

To learn more about renewing a DS certificate, see Renew a document signing certificate.

We updated the Document Signing (DS) certificate's Order details page and Order details panel adding a new Renew Certificate option making it easier to renew your DS certificate before it expires. Note that the Renew Certificate option doesn't appear on the Order details panel and page until 90 days before it expires.

Order details panel

In the left main menu, click Certificates > Orders. On the Orders page, click the DS certificate order's Quick View link. In the Order details panel, you'll see the new Renew Certificate option.

Order details page

In the left main menu, click Certificates > Orders. On the Orders page, click the DS certificate's order number link. On the Order details page, in the Order Actions dropdown, you'll see the new Renew Certificate option.

November 13, 2019

new endpoint additional emails endpoint api

In the DigiCert Services API, we added a new endpoint – Additional emails. This endpoint allows you to update the email addresses that receive certificate notification emails for the order (e.g., certificate renewals, reissues, and duplicate orders).

Note: These people can't manage the order. They only receive certificate related emails.

For more information on the Services API, see our Developers portal.

November 12, 2019

New feature Change log RSS feed

We are happy to announce we've implemented an RSS Feed for the CertCentral Change Log. You can see the new change log feed here: https://docs.digicert.com/change-log/feed/.

The RSS feed returns the 15 most recent change log entries. To make upcoming changes easier to identify, we labeled them Upcoming changes.

The change log RSS feed follows RSS 2.0 specifications and is compatible with RSS 2.0 compliant feed aggregators.

RSS feed reader tip

All major browsers have RSS feed extensions to automatically access your selected RSS feeds and organize the results for you. For example, the Chrome extension RSS Feed Reader was used for the screenshots included in this post.

November 9, 2019

API access CertCentral access maintenance

Updated maintenance schedule

We rescheduled our maintenance window. On November 9, 2019 from 09:00 to 12:00 UTC, DigiCert will be performing some planned maintenance.

During this time, DigiCert services may be unavailable:

CertCentral
DigiCert website (digicert.com)
Certificate validation
Certificate issuance

DigiCert services will be restored as soon a maintenance is completed.

Please plan accordingly. Schedule high priority orders, renewals, reissues, and duplicate issues outside of the maintenance window.

DigiCert Services API integrations

During maintenance, access to the DigiCert Services APIs will be spotty or non-existent. If you use the API for automated tasks, expect interruptions during this time.

November 8, 2019

New feature api discovery

We are happy to announce a new addition to the DigiCert Developers portal—Discovery API. We just published our first set of Discovery API endpoints. More will follow as we continue to build out the Discovery API documentation.

Why use it?

Access Discovery features without signing into your CertCentral account.
Customize the Discovery experience to meet the needs of your organization.
Integrate with your existing tools.

Sample of endpoints you can start using now:

List endpoints
View endpoint rating
List certificates
View certificate details
View certificate rating
Download certificate

Tips and Tricks

Discovery API uses this base URL: https://daas.digicert.com/apicontroller/v1/
Discovery API requires admin or manager level permissions.

November 5, 2019

OV/EV order forms DCV method option domain pre-validtion enhancement

We updated the OV and EV SSL/TLS certificate order forms, adding a new DCV verification method dropdown. Now, when ordering OV and EV certificates, you can select the DCV method you want to use to validate the new domains on the order. See our Order your SSL/TLS certificates instructions.

Note: The selected DCV method applies to all unvalidated domains on the order. After submitting the order, you can change the DCV method per domain on the certificate's Order details page. See our Demonstrate control over domains on a pending certificate order instructions.

We updated the domain pre-validation forms, consolidating the OV and EV certificate validation options. Now, when pre-validating a domain, use the new unified domain validation option—OV/EV Domain Validation*. See our Domain pre-validation: Domain control validation (DCV) methods instructions.

Note*: The domain control validation (DCV) methods for OV and EV certificates are the same (verification email, DNS TXT, etc.). The only difference between them is how long the domain validation is valid for. For OV SSL certificates, domains will need to be revalidated every 825 days (approximately 27 months). For EV SSL certificates, domains will need to be revalidated every 13 months.

October 28, 2019

upload roots blacklist domains upload ICAs New feature discovery

In Discovery, we added a new feature—Add root and intermediate CAs—that lets you upload public and private root and intermediate CAs. Use this feature to get more accurate security ratings for certificates chained to them.

If Discovery is unable to locate the root and intermediate CAs for a certificate, it down grades the certificate's security rating. By uploading a copy of the certificate's intermediate and root CAs, the next time Discovery runs a scan that includes that certificate, you'll get a more accurate rating.

Note: Supported certificate formats: .der and .cer

In CertCentral, in the left main menu, click Discovery > Manage Discovery. On the Manage scans page, in the More actions dropdown, click Manage root and intermediate CAs. See Add public and private root and intermediate CAs in our Discovery user guide.

In Discovery, we added a new Blacklist feature that lets you exclude specific IP addresses and FQDNs from your scan results. For example, you may want to blacklist a domain in your CDN network.

Note: When you blacklist an IP address or FQDN, its information is excluded from all future account Discovery scans. This feature does not remove information from existing scan results.

In CertCentral, the left main menu, click Discovery > Manage Discovery. On the Manage scans page, in the More actions dropdown, click Manage blacklist. See Blacklist IP addresses and FQDNs in our Discovery user guide.

October 23, 2019

subaccounts enterprise partners resellers New feature

Subaccount management for partners, resellers, and enterprises

Many subaccount features have been available in previous beta releases. With this release, all subaccount management functionality is now fully available in CertCentral.

Partners, resellers, and enterprises with tiered organizational structure can:

Create and manage all subaccount details for their retail or enterprise customers or their own autonomous sub-resellers.
Specify their own account manager for a subaccount.
View subaccount orders and reports through CertCentral console or APIs.
Bill orders directly to the subaccount or back to the parent account/subaccount.
Customize available products and pricing.
Manage commission-based finances, now updated and enhanced in CertCentral.

Where are subaccounts?

Go to the SUBACCOUNTS menu in the left navigation in CertCentral.
If Subaccounts isn’t visible in your account, contact your account manager or customer support.

October 21, 2019

New feature Custom Reports API api GraphQL

In our CertCentral API, we added a new Custom Reports API that leverages the powerful GraphQL query language, enabling you to generate comprehensive and customizable data sets for more robust reporting.

Custom Reports API consolidates multiple REST endpoints into a single one, so you can better define the types and fields in your queries so they return only the information needed. Additionally, use it to create reusable query templates for generating and scheduling reports.

To learn more, see Custom Reports API in our Developers portal.

October 8, 2019

Automation menu option API Keys menu option ACME Directory URLs menu option New

New location for API Keys and ACME Directory URLs

With more and more organizations working to automate SSL/TLS certificate deployment, we added a new left main menu option—Automation—and placed the two primary tools for automating certificate deployment under the new menu option: API Keys and ACME Directory URLs.

Previously, you accessed these features from the Account Access page. Now, we've conveniently added them to the left main menu (in the main menu, click Automation > API Keys and Automation > ACME Directory URLs).

Note: Only account administrators and managers can see the Automation menu options in their left main menu.

October 1, 2019

security requirements private ssl certificates compliance Apple policy changes

Apple's new compliance requirements for Private SSL certificates

Apple recently announced some new security requirements for SSL/TLS certificate that will go into effect with the release of iOS 13 and macOS 10.15. These requirements affect private certificates issued after July 1, 2019.

For your public DigiCert SSL/TLS certificates, no action is required.

DigiCert public SSL/TLS certificates already meet all these security requirements. Your public SSL/TLS certificates aren't affected by these new requirements and will be trusted in iOS 13 and macOS 10.15.

What's new?

Apple is implementing additional security requirements for all SSL/TLS certificates that by design impact private SSL/TLS certificates. See Requirements for trusted certificates in iOS 13 and macOS 10.15.

DigiCert private SSL/TLS certificates meet these requirements, if issued by account administrators according to public certificate requirements.

We've provided a list of the requirements below that may affect your private SSL/TLS certificates. These versions of Apple's OS are slated to be released during the fall of this year. This means, you need to prepare now.

New private SSL/TLS certificate requirements:

Must use an algorithm from the SHA-2 family in the signature algorithm. SHA-1 signed SSL/TLS certificates are no longer trusted.
Must have a validity period of 825 days or fewer. SSL/TLS certificates with a validity greater than 825 days are no longer trusted.

What can you do?

If Apple iOS and macOS trust are required for your private SSL/TLS certificates, verify any private SSL/TLS certificates issued after July 1, 2019 meet their new requirements. If you find certificate that don't meet these requirements, you'll want to take these actions soon:

Reissue affected private TLS/SSL certificates prior to general availability of iOS 13 and macOS 10.15. See Reissue an SSL/TLS certificate.
Adjust your processes so that newly issued private TLS/SSL certificates meet the new requirements automatically. See Configure Private SSL certificate products.

September 25, 2019

bug fix EV CS organization validation EV CS verified contact Status Expiring organization validations New Expired organization validations New feature organization validation

We added two new statuses to the Organizations and Organization details pages: validation expires soon, and validation expired. These new statuses make it easier to proactively track your organization validations and make sure they stay up to date.

Now, when you visit the Organizations page (in the sidebar menu click Certificates > Organizations), you can quickly identify organizations with validation that is expiring soon or has already expired. For more details about the expiring or expired organization validation, click the organization name.

We fixed a bug where some accounts were unable to submit organizations for EV CS – Code Signing Organization Extended Validation. The affected accounts only contained EV Code Signing and Code Signing products.

As part of the fix, we split up the EV and EV CS verified contact options. Now, when submitting an organization for EV CS – Code Signing Organization Extended Validation, you can submit the organization's verified contact for EV CS order approvals only. Similarly, when submitting an organization for EV – Extended Organization Validation (EV), you can submit the organization's verified contact for EV SSL certificate order approvals only.

Note: For EV code signing certificate orders, organizations and the organization's verified contacts need to be pre-validated. For more information about organization pre-validation, see our Submit an organization for pre-validation instructions.

September 22, 2019

API access CertCentral access server maintenance

Routine server maintenance

On September 22, 2019 from 06:30 to 08:30 UTC, DigiCert will be performing some routine server maintenance. During this time, you may get logged out of your CertCentral account and experience issues logging in. Additionally, certificate validation and issuance services may not work.

Please plan accordingly. For example, submit any high priority renewal, reissue, or new certificate orders outside of the maintenance window.

Note: Access will be restored as soon as possible.

DigiCert Services API integrations

During server maintenance, access to the DigiCert Services APIs will be spotty or non-existent. If you use the API for automated tasks, expect interruptions during this time.

September 18, 2019

View Only permission API access Edit API endpoint Create API key endpoint

We added a new permission to the API key generation process, enabling you to restrict an API key to "View Only" permissions.

When linking an API key to a user, you're linking the user's permissions to the key. Now, you can restrict the permissions of the user's API key to GET requests only.

For more information, see Generate an API key.

In the DigiCert Services API, we updated the Create key and Edit key endpoints, adding a new access role restriction—View Only.

Now, when using the API to create or edit an API key, add the restricted_to_role_id parameter to your request and include the new 102 value to limit the API key to GET requests only.

Example request for Create key endpoint

September 9, 2019

List keys endpoint enable renewal noticies organization name api disable renewal notices ACME enhancement New feature Get key info endpoint Expiring Certificates

We added two new features to the Expiring Certificates page (in the sidebar, click Certificates > Expiring Certificates), making it easier to manage renewal notifications for your expiring certificates.

First, we added a Renewal Notices column with an interactive check box. Use this check box to enable or disable renewal notices for an expiring certificate.

Second, we added two Renewal Notices filters: Disabled and Enabled. These filters allow you to see only the certificate orders with renewal notices enabled or disabled.

In the DigiCert Services API, we updated the List keys and Get key info endpoints response parameters, enabling you to see the organization associated with your ACME certificate orders.

Now, when you call the List keys and Get key info endpoints, we return the name of the organization (organization_name) associated with the ACME certificate order in the response.

Get key info: example reponse with new parameter

September 3, 2019

code signing certificates compliance client certificates Keygen Firefox Emailed to Recipient Expiring Certificates

Firefox ending key generation support

With the release of Firefox 69, Firefox will finally drop support for Keygen. Firefox uses Keygen to facilitate generating key material for submitting the public key when generating Code Signing, Client, and SMIME certificates in their browser.

Note: Chrome already dropped support for key generation, and Edge and Opera never supported it.

How does this affect you?

After DigiCert issues your Code Signing, Client, or SMIME certificates, we send you an email with a link to create and install your certificate.

Once Firefox 69 is released, you can only use two browsers to generate these certificates: Internet Explorer and Safari. If company policy requires the use of Firefox, you can use Firefox ESR or a portable copy of Firefox.

For more information, see Keygen support to be dropped with Firefox 69.

Tips and tricks

You can still use Firefox 69 for client authentication. First, generate the SMIME certificate in IE 11 or Safari. Then, import the SMIME certificate to Firefox.
To bypass generating Code Signing, Client, or SMIME certificates in your browser, generate and submit a CSR with your order. Instead of a link, DigiCert will send you an email with your certificate attached.

We added a new status, Emailed to Recipient, to the Orders and Order Details pages, for Code Signing and Client certificate orders, making it easier to identify where these orders are in the issuance process.

This new status indicates the DigiCert has validated the order, and the certificate is waiting for the user/email recipient to generate it in one of the supported browsers: IE 11, Safari, Firefox 68, and portable Firefox.

(In the sidebar menu, click Certificates > Orders. Then, on the Orders page, click the order number for the Code Signing or Client certificate order.)

We updated our Extended Validation (EV) Code Signing (CS) and Document Signing (DS) certificate reissue processes, enabling you to reissue these certificates without automatically revoking the current certificate (original or previously reissued certificate).

Note: If you don't need the current certificate (original or previously reissued certificate), you'll need to contact support so they can revoke it for you.

Now, the next time you reissue an EV CS or DS certificate, you can keep the previously issued certificate active to its current validity period (or for as long as you need it).

August 29, 2019

City/Locality bug fix compliance domain validation scope State/Province New feature Wildard SANs

Industry standards compliance reminder

For public and private certificates, Certificate Authorities (CAs) don't accept abbreviations for these parts of an address in your certificate orders or organization pre-validation requests:

State or Province*
City or Locality*

*This applies to organization and jurisdiction addresses.

We made it easier to define the domain validation scope for your account when submitting your domains for validation (pre-validation or via certificate orders).

On the Division Preferences page, we added two domain validation scope options:

Submit exact domain names for validation
With this option, requests for new domains are submitted for validation exactly as named (i.e., request for sub.example.com is submitted for validation exactly as sub.example.com). Validation for the “higher level” domain (e.g., example.com) also works. This is the default behavior for CertCentral.
Restrict validation to base domain only
This option allows you to restrict domain validation to the base domain (e.g., example.com). For request that include new subdomains (e.g., sub.example.com), we only accept domain validation for the base domain (e.g., example.com). Validation for the subdomain (e.g., sub.example.com) won’t work.

To configure the domain validation scope for your account, in the sidebar menu, click Settings > Preferences. On the Division Preference page, expand Advanced Settings. In the Domain Control Validation (DCV) section, under Domain Validation Scope, you'll see the new settings.

We fixed a bug where we were limiting the maximum allowed number of SANS to 10 on Wildcard SSL certificate reissue and new certificate orders.

Now, when reissuing or ordering a new Wildcard SSL certificate, you can add up to 250 SANs.

August 27, 2019

api upgrade shims retail api PQC dockerized toolkit New feature Post Quantum Cryptography PQC Secure Site Pro

In the DigiCert Services API, we added two new Order info endpoints. Now, you can use the order ID, the certificate's serial number, or the certificate's thumbprint to view the details for a certificate order.

GET https://www.digicert.com/services/v2/order/certificate/{{thumbprint}}
GET https://www.digicert.com/services/v2/order/certificate/{{serial_number}}

Currently, these new endpoints only retrieve data for the primary certificate. For more information on the Services API, see our Developers portal.

PQC dockerized toolkit guide available now

Secure Site Pro Secure Site Pro certificates come with access to the DigiCert post-quantum cryptographic (PQC) toolkit. To create your own PQC test environment, use one of these options:

Download the ISARA PQC toolkit and build your own OpenSSL test environment. See our PQC toolkit setup guide.
Download the Docker support files and quickly spin up a Docker test environment. See our PQC dockerized toolkit guide.

Our toolkits contain what you need to create a hybrid SSL/TLS certificate. The hybrid certificate in the toolkits uses a PQC algorithm paired with an ECC algorithm allowing you to test the feasibility of hosting a post-quantum, backwards compatible hybrid certificate on your website.

Note: To access your PQC toolkit, go to your Secure Site Pro Certificate's Order # details page. (In the sidebar menu, click Certificates > Orders. On the Orders page, click the order number link for your Secure Site Pro certificate. On the certificate's order details page, click PQC toolkit.)

To learn more about post-quantum cryptography, see Post-Quantum Cryptography. To learn more about what's included with each Secure Site Pro certificate, see Pro TLS/SSL Certificates.

DigiCert is happy to announce we made it easier for DigiCert Accounts using the Retail API to upgrade to our new Certificate Management Platform, DigiCert CertCentral—For free!

To make the upgrade as seamless as possible, we shimmed these Retail API endpoints:

POST /order/ssl -> POST /services/v2/order/certificate/ssl
REISSUE /order/{order_id} -> POST /services/v2/order/certificate/{order_id}/reissue
POST /order/code -> POST /services/v2/order/certificate/code_signing

Now, you can upgrade your DigiCert Account without any interruptions to your API integrations. Once you're upgraded, make plans to build new integrations with CertCentral.

For more information on the CertCentral Services API, see our Developers portal.

For information about the DigiCert Retail API, see Documentation for the DigiCert Retail API.

August 13, 2019

bug fix edit user account details upgrade view user account details New

We fixed a bug where some account admins were unable to view or edit the details of their CertCentral user accounts. Now, all account admins can once again view and edit user account details (email address, role, etc.).

DigiCert is happy to announce that DigiCert Accounts are now eligible to upgrade to our new Certificate Management Platform, DigiCert CertCentral—For free!

Upgrade happens in seconds.
Seamless certificate and account migration.
Additional benefits include improved certificate management, better pricing options, advanced features, and more.

To learn more about CertCentral, check out our short video How to Manage Your Entire Certificate Lifecycle in 60 Seconds—or Less.

August 12, 2019

scans api replace certificate Secure Site Pro endpoints widgets New discovery enhancement dashboard

In Discovery, we updated the Certificates page, adding a new action—Replace certificate—to the Actions dropdown. Now, from the Certificates page, you can replace any certificate with a DigiCert certificate regardless of issuing CA.

(In the sidebar menu, click Discovery > View Results. On the Certificates page, locate the Actions dropdown for the certificate you want to replace. Click Actions > Replace certificate.)

In Discovery, we updated the Certificates by rating widget on the Discovery dashboard, making it easier to see the security ratings for your public SSL/TLS certificates (in the sidebar menu, click Discovery > Discovery Dashboard).

As part of the update, we renamed the widget: Certificates analyzed by security rating. Then, we split the chart on the widget into two charts: Public and Others. Now, you can use the Public | Others toggle switch on the widget to select the chart you want to see.

The Certificates analyzed by security rating - Public chart displays the ratings for your public SSL/TLS certificates only. The Certificates analyzed by security rating - Other chart displays the rating for all your other SSL/TLS certificates (e.g., private SSL certificates).

In Discovery, we updated the Endpoints and Server details pages making it easier to see the correlation between the IP address and the hostname/FQDN scan it resulted from.

Now, when you configure a scan for a hostname/FQDN, and the scan's endpoint results return IP addresses, we include the hostname/FQDN from the scan with the IP address.

Update note: The hostname update is available in the latest sensor version – 3.7.10. After the sensors updates are completed, rerun scans to see the hostname/IP address correlation on your scan results.

In the DigiCert Services API, we added two new endpoints for ordering your Secure Site Pro certificates: Order Secure Site Pro SSL and Order Secure Site Pro EV SSL.

POST https://www.digicert.com/services/v2/order/certificate/ssl_securesite_pro
POST https://www.digicert.com/services/v2/order/certificate/ssl_ev_securesite_pro

Benefits included with each Secure Site Pro certificate

Each Secure Site Pro certificate includes – at no extra cost – first access to premium feature such as the Post Quantum Cryptographic (PQC) toolkit.

Other benefits include:

Priority validation
Priority support
Two premium site seals
Malware check
Industry-leading warranties – protection for you and your customer!

To learn more about our Secure Site Pro certificates, see DigiCert Secure Site Pro.

To activate Secure Site Pro certificates for your CertCentral account, contact your account manager or our support team.

August 8, 2019

SAML SSO SAML certificate requests certcentral-ui SAML Single Sign-on

We improved the SAML Single Sign-on and SAML Certificate Requests workflows, allowing you to turn off SAML Single Sign-on (SSO) and SAML Certificate Requests. Previously, after configuring SAML SSO or SAML Certificate Requests for your account, the only way to turn either of these off was to remove both SAML features from your account.

Now, on the Federation Settings pages, you can turn off SAML SSO and SAML Certificate Requests for your account by deleting the federation settings.

SAML SSO
In the sidebar menu, click Settings > Single Sign-On. On the Single Sign-on (SSO) page, click Edit Federation Settings. See Turn off SAML Single Sign-on.
SAML Certificate Requests
In the sidebar menu, click Settings > SAML Certificate Request. On the SAML Certificate Request page, click Edit Federation Settings. See Turn off SAML Certificate Requests.

Note: The Turn off SSO and Turn off SAML Certificate Request buttons only appear after you've configured the federation settings (turned the feature on).

For more information about SAML Single Sign-on and SAML certificate request integration with CertCentral:

August 1, 2019

New feature PQC toolkit Post Quantum Cryptography PQC Secure Site Pro

Secure Site Pro certificates now come with access to the DigiCert post-quantum cryptographic (PQC) toolkit. Our toolkit contains what you need to create a hybrid SSL/TLS certificate. The hybrid certificate in the toolkit uses a PQC algorithm paired with an ECC algorithm allowing you to test the feasibility of hosting a post-quantum, backwards compatible hybrid certificate on your website.

Note: The PQC benefit for Secure Site Pro certificates is retroactive. To access your PQC toolkit, go to your Secure Site Pro Certificate's Order # details page. (In the sidebar menu, click Certificates > Orders. On the Orders page, click the order number link for your Secure Site Pro certificate. On the certificate's order details page, click PQC toolkit.)

To learn more about post-quantum cryptography and our PQC toolkit:

To learn more about what's included with each Secure Site Pro certificate, see Pro TLS/SSL Certificates.

July 31, 2019

DCV IPv4 IP addresses HTTP Practical Demonstration IPv6 compliance

Industry standards change

As ofJuly 31, 2019 (19:30 UTC), you must use the HTTP Practical Demonstration DCV method to demonstrate control over IP addresses on your certificate orders.

For more information about the HTTP Practical Demonstration DCV method, see these instructions:

Currently, industry standards used to allow you to use other DCV methods to demonstrate control over your IP address. However, with the passing of Ballot SC7, the regulations for IP address validation changed.

Ballot SC7: Update IP Address Validation Methods

This ballot redefines the permitted processes and procedures for validating the customer's control of an IP Address listed in a certificate. Compliance changes for Ballot SC7 go into effect on July 31, 2019 (19:30 UTC).

To remain compliant, as of July 31, 2019 (19:30 UTC), DigiCert only allows customers to use the HTTP Practical Demonstration DCV method to validate their IP addresses.

Removing Support for IPv6

As of July 31, 2019 (19:30 UTC), DigiCert has removed support for certificates for IPv6 addresses. Due to server limitations, DigiCert is unable to reach out to IPv6 address to verify the file placed on the customer's website for the HTTP Practical Demonstration DCV method.

July 30, 2019

api certificate profiles Get key info response parameters acme directory url Signed HTTP Exchanges enhancement Account Access page List keys ACME CanSignHttpExchanges information icons

We improved our ACME protocol, adding support for the Signed HTTP Exchange certificate profile option. Now, you can use your ACME client to order OV and EV SSL/TLS certificate with the CanSignHttpExchanges extension included.

First create the ACME Directory URL for your Signed HTTP Exchanges certificate. Then use your ACME client to issue and install the certificate with the CanSignHttpExchanges extension.

See ACME Directory URLs for Signed HTTP Exchange certificates and ACME user guide.

Background

The Signed HTTP Exchange certificate profile option is used to address the AMP URL display issue where your brand isn’t displayed in the address bar. See Display better AMP URLs with Signed Exchanges and Get your Signed HTTP Exchanges certificate.

This profile option allows you to include the CanSignHTTPExchanges extension in OV and EV SSL/TLS certificates. Once enabled for your account, the Include the CanSignHttpExchanges extension in the certificate option appears on your Add ACME Directory URL forms.

To enable this certificate profile for your account, please contact your account manager or contact our Support team.

We updated the information icons in the list of ACME Directory URLs on the Account Access page to help you quickly identify certificates that include a certificate profile option (for example, Signed HTTP Exchanges).

In the sidebar menu, click Account > Account Access. On the Account Access page, in the ACME Directory URLs section, click an information icon to see details about the certificate that can be ordered via the ACME Directory URL.

In the DigiCert Services API, we improved the List keys endpoint response parameters, enabling you to see ACME Directory URLs. Now, when you call the List keys endpoint, we return ACME URL (acme_urls) as well as API key (api_keys) information in the response.

Example response from the List keys endpoint

In the DigiCert Services API, we improved the Get key info endpoint, enabling you to get details about ACME Directory URLs.

Include the ACME Directory URL ID in the call to the Get key info endpoint (/key/{{key_id}} where key_id is the ACME Directory URL ID) to get information about an ACME Directory URL.

Example of a Get key info response for ACME Directory URL

July 17, 2019

New feature scan for configured cipher suites discovery

In Discovery, we added a Scan for configured cipher suites option to the scan settings that lets you see the cipher suites enabled on a server. When adding or editing a scan, this option is located in the Settings section when you select Choose what to scan. See Set up and run a scan or Edit a scan.

Once your scan completes, the cipher suite information is listed on the Server details page, in the Server details section. (In the sidebar menu, click Discovery > View Results. On the Certificates page, click View endpoints. On the Endpoints page, click the endpoint's IP address /FQDN link. Then, on the Server details page, in the Server details section, click the Ciphers View link.)

Update note: The new Scan for configured cipher suites option is available in the latest sensor version – 3.7.7. After sensor updates are complete, edit the scan Settings, select Choose what to scan, check Scan for configured cipher suites, and then rerun the scan.

July 16, 2019

Strict-Transport-Security headers STS discovery enhancement

In Discovery, we updated the rating system for Strict-Transport-Security (STS) security headers. Now, we only check STS for HTTP 200 requests and ignore it for HTTP 301 requests. We only penalize the server when the website is missing the Strict-Transport-Security (STS) security header or the setting is wrong. In these cases, we rate the server as "At risk".

Previously, we checked STS for HTTP 301 requests and penalized the server if it was missing the Strict-Transport-Security (STS) security header. In these cases, we rated the server as "Not secure".

To view Security headers results, go to the endpoint's Server details page. In the sidebar menu, click Discovery > View Results. On the Certificates page, click View endpoints. On the Endpoints page, click the endpoint's IP address / FQDN link.

Update note: The updated STS rating system is available in the latest sensor version – 3.7.7. After sensor update is complete, rerun your scans to see your updated STS ratings.

July 15, 2019

api transaction summary reissued certificates days_remaining parameter certcentral-ui enhancement

We improved the Transaction Summary on the Reissue Certificate for Order pages, allowing you to see how many days remain until the certificate expires. Now, when you reissue a certificate, the Transaction Summary shows the certificate validity along with days until it expires (e.g., 1 year (expires in 43 days).

In the DigiCert Services API, we updated the List orders, Order info, List reissues, and List duplicates endpoints enabling you to see how many days remain until the certificate expires. For these endpoints, we return a days_remaining parameter in their responses.

Example of the days_remaining response parameter.png

July 11, 2019

SAML Single Sign-on API access SSO only users enhancement

We improved the SAML SSO-only users' integration with the CertCentral Services API, adding an account setting that allows you to grant SSO-only users API access. On the SAML Sign-on (SSO) page, under Configure SSO Settings for users, you'll now see the Enable API access for SSO-only users check box (in the sidebar menu, click Settings > Single Sign-On). See Configure SAML Single Sign-On.

Note: This setting allows SSO-only users with API keys to bypass Single Sign-on. Disabling API access for SSO-only users doesn't revoke existing API keys. It only blocks the creation of new API keys.

July 10, 2019

api enhancement last login date Users page User info endpoint User's detaisl page

We improved the Users page, adding a Last Login column that lets you see when a user last signed in to their account (in the sidebar menu, click Account > Users).

We also added the last login information to the User's details page directly under their name (on the Users pages, in the Name column, click the username link).

Note: Previously, this information was only found in the Audit Logs (in the sidebar menu, click Account > Audit Logs).

In the DigiCert Services API, we updated the User info endpoint enabling you to see when a user last logged in to their account. Now, when viewing user details, we return a last_login_date parameter in the response.

July 9, 2019

custom validity guest urls

To improve how custom validity works with Guest URLs, we need to temporarily remove access to the feature. Now, when creating new Guest URLs, you'll only have the 1-year, 2-year, and 3-year validity options.

This change doesn't affect existing Guest URLs. Existing Guest URLs that include the custom validity option will continue to work as they did before.

Note: The 3-year validity option only applies to private SSL and client certificates. As of February 20, 2018, DigiCert no longer offers 3-year public SSL/TLS certificates. For more information about this change, click here.

To create a Guest URL
In the sidebar menu, click Account > Account Access. On the Account Access page, in the Guest URLs section, click Add Guest URL. See Manage Guest URLs.

July 8, 2019

order forms bug fix Order details page customer order fields skip approval step additional emails cancel renewals certificate renewals

We fixed a bug where removing the approval step from the certificate order process blocked custom form field values from being recorded on the certificate's Order details page.

Now, if you create custom fields for your certificate order forms and enable the Skip approval step for your account, the custom order values are recorded on the certificate's Order details page.

Custom order from fields

In the sidebar menu, click Settings > Custom Order Fields. On the Custom Order Form Fields page, click Add Custom Order Form field. See Manage custom order form fields.

Skip approval step

In the sidebar menu, click Settings > Preferences. On the Division Preferences page, expand Advanced Settings. In the Certificate Request section, under Approval Steps, select Skip approval step: remove the approval step from your certificate order processes. See Remove the approval step from the certificate order process.

We fixed a certificate order form bug where Additional Emails added to the order weren’t being recorded on the certificate's Order details page.

Now, if you add additional email address to the order for those you want to receive the certificate notification emails, the email addresses are recorded on the certificate's Order details page.

We fixed a cancel order bug where cancelling a certificate renewal removed the renewal option from the order.

Note: To renew these certificates, you had to contact our Support team.

Now, if you cancel a certificate renewal, the renew option remains for the order, allowing you to renew the certificate later when ready.

July 3, 2019

certcentral-ui order details panel Order details page order requested via order requested by enhancement

We improved the certificate's Order # details page and Order # details panel, adding a new Order requested via entry that lets you see where the order was requested: via the API, via an ACME Directory URL, or from inside CertCentral. If the order was requested via the API or an ACME Directory URL, we also include the API key name or ACME Directory URL name.

Note: We also made it easier to see who requested the certificate, adding a new Order requested by entry to the Order Details section. Previously, we included the requested by information in the Requested on details.

Order # details panel

In the sidebar menu, click Certificates > Orders. On the Orders page, click the certificate order's Quick View link. In the Order # detail panel, expand Show More Certificate Info. In the Order Details section, you'll see the new Order requested via entry.

Order # details page

In the sidebar menu, click Certificates > Orders. On the Orders page, click the certificate's order number link. On the Order # details page, in the Order Details section, you'll see the new Order requested via entry.

July 2, 2019

SAML SSO api New feature discovery enhancement SSO only users orders page order info endpoint api_key invite new users api keys response parameter

We improved the user invitation workflow for SAML Single Sign-On (SSO) integrations with CertCentral, enabling you to designate invitees as SSO only users before sending your account user invitations. Now, in the Invite New Users popup window, use the SAML Single Sign-on (SSO) only option to restrict invitees to SAML SSO only.

Note: This option disables all other authentication methods for these users. Additionally, this option only appears if you have SAML enabled for your CertCentral account.

(In the sidebar menu, click Account > User Invitations. On the User Invitations page, click Invite New Users. See SAML SSO: Invite users to join your account.)

Simplified enrollment form

We also simplified the SSO only user enrollment form, removing the password and security question requirements. Now, SSO only invitees need to add only their personal information.

We made it easier to see your Discovery certificate scan results from the CertCentral Dashboard in your account, adding the Expiring Certificates Discovered, Certificate Issuers, and Certificates Analyzed By Rating widgets.

Each widget contains an interactive chart that allows you drill down to easily find more information about expiring certificates (e.g., which certificates are expiring in 8-15 days), certificates per issuing CA (e.g., DigiCert), and certificates per security rating (e.g., not secure).

More about Discovery

Discovery uses sensors to scan your network. Scans are centrally configured and managed from inside your CertCentral account.

To activate Discovery for your CertCentral account, contact your account manager or our support team.
For information about getting Discovery up and running, see Discovery: Install a sensor and run a scan.

In the DigiCert Services API, we updated the Order info endpoint enabling you to see how the certificate was requested. For certificates requested via the Services API or an ACME Directory URL, we return a new response parameter: api_key. This parameter includes the key name along with key type: API or ACME.

Note: For orders requested via another method (e.g., CertCentral account, Guest Request URL, etc.), the api_key parameter is omitted from the response.

Now, when viewing order details, you'll see the new api_key parameter in the response for orders requested via the API or an ACME Directory URL:

GET https://dev.digicert.com/services-api/order/certificate/{order_id}

Response:

We added a new search filter – Requested via – to the Orders page that allows you to search for certificate orders requested via a specific API key or ACME Directory URL.

Now, on the Orders page, use the Requested via filter to find active, expired, revoked, rejected, pending reissue, pending, and duplicate certificates requested via a specific API key or ACME Directory URL.

(In the sidebar menu, click Certificates > Orders. On the Orders page, click Show Advanced Search. Then, in the Requested via dropdown select the API Key or ACME Directory URL name or type its name in the box.)

July 1, 2019

reissue endpoint duplicate certificates duplicate endpoint api order forms enhancement SSL certificates order endpoints reissued certificates

We improved our Basic and Secure Site single domain certificate offerings (Standard SSL, EV SSL, Secure Site SSL, and Secure Site EV SSL), adding the Include both [your-domain].com and www. [your-domain].com in the certificate option to these certificates' order, reissue, and duplicate forms. This option allows you to choose whether to include both versions of the common name (FQDN) in these single domain certificates for free.

To secure both versions of the common name (FQDN), check Include both [your-domain].com and www. [your-domain].com in the certificate.
To secure only the common name (FQDN), uncheck Include both [your-domain].com and www. [your-domain].com in the certificate.

See Order your SSL/TLS certificates.

Works for subdomains too

The new option allows you to get both versions of base and subdomains. Now, to secure both versions of a subdomain, add the subdomain to the Common Name box (sub.domain.com) and check Include both [your-domain].com and www. [your-domain].com in the certificate. When DigiCert issues your certificate, it will include both versions of the subdomain on the certificate: [sub.domain].com and www.[sub.doman].com.

Removed Use Plus Feature for Subdomains

The Include both [your-domain].com and www. [your-domain].com in the certificate option makes the Plus Feature -- Use Plus Feature for Subdomains obsolete. So, we removed the option from the Division Preferences page (in the sidebar menu, click Settings > Preferences).

In the DigiCert Services API, we updated the Order OV/EV SSL, Order SSL (type_hint), Order Secure Site SSL, Order Private SSL, Reissue certificate, and Duplicate certificate endpoints listed below. These changes provide more control when requesting, reissuing, and duplicating your single domain certificates, allowing you choose whether to include a specific additional SAN on these single domain certificates for free.

/ssl_plus
/ssl_ev_plus
/ssl_securesite
/ssl_ev_securesite
/private_ssl_plus
/ssl*
/reissue
/duplicate

*Note: For the Order SSL (type_hint) endpoint, only use the dns_names[] parameter as described below to add the free SAN.

To secure both versions of your domain ([your-domain].com and www. [your-domain].com), in your request, use the common_name parameter to add the domain ([your-domain].com) and the dns_names[] parameter to add the other version of the domain (www. [your-domain].com).

When DigiCert issues your certificate, it will secure both versions of your domain.

To secure only the common name (FQDN), omit the dns_names[] parameter from your request.

June 27, 2019

SAML SSO SSO only users bug fix

We fixed a SAML Single Sign-on (SSO) bug where some Single Sign-on only users were being prompted to reset their expired non-existent CertCentral password.

Note: This prompt appeared only after they had signed in to their account. These SSO only users could still access all account features and perform all relevant tasks.

June 19, 2019

Order details page certificate profiles enhancement

We've improved the Order # details page, allowing you to see the certificate profile option added to your certificate. Now, when you go to a certificate's Order # details page, in the Order Details section, you can see the Profile Option included in that certificate order.

Certificate profile options

When a certificate profile is enabled for your account, the profile option appears on your SSL/TLS certificate request forms under Additional Certificate Options. When ordering an SSL/TLS certificate, you can add a profile to your certificate.

To learn more about the supported certificate profile options, see Certificate profile options. To enable a certificate profile for your account, reach out to your account manager or contact our Support team.

June 13, 2019

generate api keys edit api keys api keys enhancement New feature permissions

We improved the API key generation process, adding the ability to restrict the permissions of an API key to a specific set of actions.

When linking a key to a user, you're linking that user's permissions to the key. Now, you can restrict the permissions of that key to subset of actions within that user's role.

Orders
This option limits the key to these actions: Orders, Requests, and Certificates.
Orders, Domains, Organizations
This option limits the key to these actions: Orders, Requests, Certificates, Organizations, and Domains.

For more information, see Generate an API key.

We added a new information icon to the API key list on the Account Access page to help you quickly identify API keys with restricted permissions (in the sidebar menu, click Account > Account Access). Clicking the icon allows you to see what integrations the key can be used for.

We've added a new Edit API key feature that allows you to edit the description and permissions of an active API key.

To edit an API key, in the sidebar menu, click Account > Account Access. On the Account Access page, under API Keys, click the API Key Name link.

For more information, see Edit an API key.

June 12, 2019

duplicate certificates api enhancement

In the DigiCert Services API, we improved the Duplicate certificate endpoint workflow. Now, if the duplicate certificate can be immediately issued, we return the duplicate certificate in the response body.

For more information, see Duplicate certificate.

We improved the duplicate certificate order process in CertCentral. Now, if the duplicate certificate can be immediately issued, we take you directly to the Duplicates page where you can immediately download the certificate.

June 11, 2019

certificate requests skip approval step enhancement

We improved the Skip approval step account setting, applying the setting to certificate requests placed through the online portal as well as through the API.

To access the skip approval setting in your account, in the sidebar menu, click Settings > Preferences. On the Division Preferences page, expand Advanced Settings and scroll down to the Certificate Request section. See Remove the approval step from the certificate order process.

June 5, 2019

bug fix auto-renew user ACME guest urls New feature enhancement

We fixed a bug on the Guest URL Request a Certificate page, where clicking Order Now redirected you to the DigiCert account sign in page.

Now, when you order a certificate from a Guest URL and click Order Now, your request is submitted to your account administrator for approval. For more information about guest URLs, see Managing Guest URLs.

We added the Auto-Renewal User feature to the New Division page that optionally allows you to set a default user for the division's auto-renewal orders when creating a new division. If set, this user replaces the original requester on all division auto-renewal certificate orders and helps prevent auto-renewal interruptions.

In your account, in the sidebar menu, click Account > Divisions. On the Divisions page, click New Division. On the New Division page, in the Auto-Renewal User dropdown, set a default user for all division auto-renewal orders.

We are adding a new tool to the CertCentral portfolio—ACME protocol support—that allows you to integrate your ACME client with CertCentral to order OV and EV TLS/SSL certificates.

Note: This is the open beta period for ACME protocol support in CertCentral. To report errors or for help connecting your ACME client to CertCentral, contact our support team.

To access ACME in your CertCentral account, go to the Account Access page (in the sidebar menu, click Account > Account Access) and you'll see a new ACME Directory URLs section.

For information about connecting your ACME client with your CertCentral account, see our ACME user guide.

To turn ACME off for your account, contact your account manager or our support team.

Known issues

For a list of current known issues, see ACME Beta: Known issues.

June 4, 2019

certcentral-ui certificate authority page certificate-details-panel enhancement

We improved the Certificate Authority page, adding a certificate details panel for pending and issued Private CA intermediate and root certificate orders. This panel includes additional certificate details (signature hash, serial number, etc.) along with an option to download the issued Private CA certificates.

To access the certificate details panel, on the Certificate Authority page (in the sidebar menu, click Certificates > Certificate Authority), click the Private CA root or intermediate certificate link.

May 29, 2019

New feature edit division auto-renew-disabled-email certcentral-ui auto-renew-user enhancement

We've added a new Auto-Renewal User feature to the Edit division page that optionally allows you to set a default user for the division's auto-renewal orders. If set, this user replaces the original requester on all division auto-renewal certificate orders and helps prevent auto-renewal interruptions.

(In your account, in the sidebar menu, click Account > Divisions. On the Divisions page, select the division (or click My Division). Edit the division and in the Auto-Renewal User dropdown, set a default user for all division auto-renewal orders.)

We improved the automatic certificate renewal feature, adding an "Auto-renewal disabled" notification to the process. If something happens that prevents us from automatically renewing a certificate, we now send an "Auto-renew disabled" email notification, letting you know auto-renewal has been disabled for the order, what will happen now, and how to re-enable auto-renewal for the order.

Note: Automatic certificate renewals are tied to a specific user (order specific or division specific). If that user ever loses permissions to place orders, the automatic certificate renewal process is disabled.

May 24, 2019

discovery general availability New

We've added a new tool to our CertCentral portfolio—Discovery—that provides real-time analysis of your entire SSL/TLS certificate landscape.

Designed to quickly find all your internal and public facing SSL/TLS certificates regardless of the issuing Certificate Authority (CA), Discovery identifies problems in certificate configurations and implementations along with certificate-related vulnerabilities or problems in your endpoint configurations.

Note: Discovery uses sensors to scan your network. Sensors are small software applications that you install in strategic locations. Each scan is linked to a sensor.

To activate Discovery for your CertCentral account, contact your account manager or our support team.
For information about getting Discovery up and running, see Discovery: Install a sensor and run a scan.

May 13, 2019

Secure Site Pro

Secure Site Pro TLS/SSL certificates are now included in all CertCentral accounts. For everything you need to know about these certificates, see DigiCert Secure Site Pro.

In your account, in the sidebar menu, hover over Request a Certificate. Under Business SSL Certificates, you’ll find the new Secure Site Pro certificates.

May 10, 2019

Site Seals bug fix

We fixed a bug where you could display our DigiCert and Norton site seals on internal domain names.

Now, our site seals will no longer resolve to internal domain names.

May 1, 2019

underscores New enhancement SAML SSO SAML certificate requests Secure Site Pro certificate compliance federation name idp selection page

We've updated the CertCentral SAML Federation Settings, enabling you to keep your Federation Name from appearing in the list of IdPs on the SAML Single Sign-On IdP Selection and SAML certificate requests IdP Selection pages.

Now, on the Federation Settings page, under Your IDP's Metadata, we added the Include Federation Name option. If you want to keep your Federation Name from appearing in the list of IdPs on the IdP Selection page, uncheck Add my Federation Name to the list of IdPs.

Secure Site Pro TLS/SSL certificates are available in CertCentral. With Secure Site Pro, you're charged per domain; no base certificate cost. Add one domain, get charged for one. Need nine domains, get charged for nine. Secure up to 250 domains on one certificate.

We offer two types of Secure Site Pro certificates, one for OV certificates and one for EV certificates.

Secure Site Pro SSL
Get the OV certificate that fits your needs. Provide encryption and authentication for one domain, one wildcard domain and all its subdomains, or use Subject Alternative Names (SANs) to secure multiple domains and wildcard domains with one certificate.
Secure Site Pro EV SSL
Get the extended validation certificate that fits your needs. Provide encryption and authentication to secure one domain or use Subject Alternative Names (SANs) to secure multiple sites (fully qualified domain names) with one certificate.

Benefits included with each Secure Site Pro certificate

Each Secure Site Pro certificate includes – at no extra cost – first access to future premium feature additions to CertCentral (e.g., CT log monitoring and validation management).

Other benefits include:

Priority validation
Priority support
Two premium site seals
Malware check
Industry-leading warranties

To activate Secure Site Pro certificates for your CertCentral account, contact your account manager or our support team.

To learn more about our Secure Site Pro certificates, see DigiCert Secure Site Pro.

Public SSL certificates can no longer secure domain names with underscores ("_"). All previously issued certificates with underscores in domain names must expire prior to this date.

Note: The preferred underscore solution is to rename the hostnames (FQDNs) that contain underscores and replace the certificates. However, for those situations where renaming is not possible, you can use private certificates and, in some cases, you can use a wildcard certificate that secures the entire domain.

For more details, see Retiring Underscores in Domain Names.

April 30, 2019

compliance CanSignHttpExchanges certificate requests ECC SSL certificates 90-day max validity CAA resource record

Industry standard requirements for including the CanSignHttpExchanges extension in an ECC SSL/TLS certificate:

CAA resource record for the domain that includes the "cansignhttpexchanges=yes" parameter*
Elliptic Curve Cryptography (ECC) keypair
CanSignHttpExchanges extension
Maximum 90-day validity*
Only used for the Signed HTTP Exchange

*Note: These requirements took effect as of May 1, 2019. The Signed HTTP Exchanges extension is under active development. There may be additional changes to the requirements as industry development continues.

The 90-day maximum certificate validity requirement doesn't affect certificates issued prior to May 1, 2019. Note that reissued certificate will be truncated to 90-days from the time of reissue. However, you can continue reissuing the certificate for the full purchased validity period.

CanSignHttpExchanges extension

Recently, we added a new certificate profile, HTTP Signed Exchanges to help address the AMP URL display issue where your brand isn’t displayed in the address bar. See, Display better AMP URLs with Signed Exchanges.

This new profile allows you to include the CanSignHttpExchanges extension in OV and EV SSL/TLS certificates. Once enabled for your account, the Include the CanSignHttpExchanges extension in the certificate option appears on your OV and EV SSL/TLS certificate order forms under Additional Certificate Options. See Get your Signed HTTP Exchanges certificate.

To enable this certificate profile for your account, please contact your account manager or contact our Support team.

April 24, 2019

landing page certcentral-ui customize experience

We added a new feature that lets you customize your CertCentral experience – Customize My Experience. With the initial rollout of this feature, we added the ability to customize your account's landing page. (In the top right corner of your account, in your name dropdown, select Customize My Experience.)

For example, each time you sign in, your first action item is to manage expiring certificates. To simplify this workflow, set the Expiring Certificates page as your landing page. Whenever you sign in, you'll be taken directly to your expiring certificates. (On the Customize my experience page, in the Landing page dropdown, select Expiring Orders and Save.)

April 18, 2019

SHA1 certcentral-ui code signing certificates enhancement

DigiCert will continue to support the SHA1 signature for Code Signing certificates. We are removing the max expiration restriction of December 30, 2019.

April 17, 2019

guest urls certcentral-ui bug fix enhancement

We added DV certificates to the available products for Guest URLs. Now, you can add GeoTrust and RapidSSL DV certificates to your Guest URLs.

We fixed a bug where adding Secure Site certificates to a Guest URL prevented you from editing the Guest URL. Now, when you add Secure Site certificates to a Guest URL, you can edit the Guest URL as needed.

We fixed a bug where adding Private SSL certificates to a Guest URL prevented you from editing the Guest URL. Now, when you add Private SSL certificates to a Guest URL, you can edit the Guest URL as needed.

April 16, 2019

certcentral-ui documentation api

We've updated the documentation links in the CertCentral help menu and on the Account Access page to point to our new documentation portals.

Now, in the CertCentral help menu, when you click Getting Started, we take you to our new DigiCert Documentation Portal. Similarly, when you click Change Log, we take you to our improved Change log page. And now, on the Account Access page (in the sidebar menu, click Account > Account Access), when you click API Documentation, we take you to our new DigiCert Developers Portal.

April 9, 2019

bug fix certcentral-ui audit logs organization enhancement request forms

We fixed a bug where new organizations added during the SSL/TLS certificate request process weren't listed on the Organizations page (in the sidebar menu, click Certificates > Organizations).

With this fix, new organizations added during the SSL/TLS certificate request process will now be automatically listed on the Organizations page in your account.

Retroactive fix: All Organizations will be listed

The fix for this bug is retroactive too. If you've enabled users to add new organizations during the request process, the next time you go to the Organizations page in your account, these organizations will be added to the list.

Note: This bug didn't affect your ability to request additional SSL/TLS certificates for these organizations, as they appeared in the list of existing organizations on the certificate request forms where you could add them to the certificate. This bug also didn't affect organizations added from the New Organizations page (on the Organizations page, click New Organization).

We improved the CertCentral audit logs, making it easier to track API key creations. Now, the audit logs will contain information about who created the API key, when it was created, name of API, etc.

(To access the audit logs in your account, in the sidebar menu, click Account > Audit Logs.)

April 2, 2019

documentation api certcentral

We are happy to announce the new DigiCert Documentation Portal. The new site has a modern look and feel and contains streamlined, task-based help documentation, product news, the change log, and API developer documentation.

We are also happy to announce the new DigiCert Developers Portal is out of beta. The developer site has a modern look and feel and contains information about the available endpoints, uses cases, and workflows.

Tips and tricks

You can access the documentation portal at www.digicert.com in the top menu under Support (click Support > Documentation).
In our documentation, hover on a subheader and click the hashtag icon. This creates a URL in the browser's address bar so you can bookmark or link to specific sections in the instructions.

Coming soon

Get started will contain information to help you get acquainted with the features in your account.

April 1, 2019

certificate compliance underscores

CAs can no longer issue 30-day public SSL certificate containing underscores in domain names (common names and subject alternative names).

For more details, see Retiring Underscores in Domain Names.

March 31, 2019

certificate compliance underscores

Final day you can order 30-day public SSL certificates containing underscores in domain names (common names and subject alternative names) from any CA.

For more details, see Retiring Underscores in Domain Names.

March 27, 2019

certificate profiles ocsp must-staple request forms EV SSL certificates SSL certificates

We've added a new certificate profile option, OCSP Must-Staple, that allows you to include the OCSP Must-Staple extension in OV and EV SSL/TLS certificates. Once enabled for your account, the Include the OCSP Must-Staple extension in the certificate option appears on your SSL/TLS certificate request forms under Additional Certificate Options.

Note: Browsers with support for OCSP must-staple may display a blocking interstitial to users accessing your site. Ensure that your site is configured to properly and robustly serve stapled OCSP Responses before installing the certificate.

To enable a certificate profile for your account, reach out to your account representative or contact our Support team.

Other available certificate profile options

If enabled for your account, these profile options appear on your SSL/TLS certificate request forms under Additional Certificate Options.

Intel vPro EKU
Allows you to include the Intel vPro EKU field in OV SSL/TLS certificates.
KDC/SmartCardLogon EKU
Allows you to include the KDC/SmartCardLogon EKU (Extended Key Usage) field in OV SSL/TLS certificates.
HTTP Signed Exchange
Allows you to include the CanSignHTTPExchanges extension in OV and EV SSL/TLS certificate (see Improve your AMP URLs with Signed HTTP Exchange).
Delegated Credentials
Allows you to include the DelegationUsage extension in OV and EV SSL/TLS certificates.

March 26, 2019

certificate profiles delegated credentials certcentral-ui request forms EV SSL certificates SSL certificates

We've added a new certificate profile option, Delegated Credentials, that allows you to include the DelegationUsage extension in OV and EV SSL/TLS certificates. Once enabled for your account, the Include the DelegationUsage extension in the certificate option appears on your SSL/TLS certificate request forms under Additional Certificate Options.

To enable a certificate profile for your account, reach out to your account representative or contact our Support team.

Background

The Delegated Credentials for TLS extension is under active development within the Internet Engineering Task Force (IETF). In order to support interoperability testing, we’ve added the ability to issue certificates compliant with the current draft specification. Note that there may be multiple changes to the draft as industry development continues.

Other available certificate profile options

If enabled for your account, these profile options appear on your SSL/TLS certificate request forms under Additional Certificate Options.

Intel vPro EKU
Allows you to include the Intel vPro EKU field in an OV SSL/TLS certificate.
KDC/SmartCardLogon EKU
Allows you to include the KDC/SmartCardLogon EKU (Extended Key Usage) field in an OV SSL/TLS certificate.
HTTP Signed Exchange
Allows you to include the CanSignHTTPExchanges extension in an OV and EV SSL/TLS certificate (see Improve your AMP URLs with Signed HTTP Exchange).
OCSP Must-Staple
Allows you to include the OCSP Must-Staple extension in OV and EV SSL/TLS certificates.

March 22, 2019

request forms certcentral-ui transaction summary enhancement

We improved the Transaction Summary on the certificate request pages, making it easier to track the cost of the certificate. For example, you request a Multi-Domain certificate and add 5 domains. In the Transaction Summary, we show the base price (which includes 4 SANs) plus the price of the additional SAN added to the order.

Previously, the Transaction Summary only tracked the total cost of the certificate without the itemized cost.

March 21, 2019

secure site certificates New feature malware checker

Secure Site certificates now come with convenient access to a VirusTotal malware check. Quickly analyze your public domains with 70 plus antivirus scanners and URL/domain blacklist services. Use scan results to identify malware threats so you can take actions to keep your site off blacklists that can cripple site availability and online revenue.

Note: This benefit is retroactive. Go to your Secure Site certificate's Order # detail page to use your new VirusTotal malware check. (In the sidebar menu, click Certificates > Orders. On the Orders page, click the order number link for your Secure Site certificate.)

See Secure Site now with all the benefits of DigiCert to learn more about what's included with each Secure Site certificate.

March 19, 2019

reissues duplicate certificates bug fix

We fixed a pending certificate reissue bug where we listed domains dropped from the original or previously issued certificate in the You Need To section on the pending reissue's Order # details page.

This issue only affected domains with expired domain validation. If you removed a domain with up-to-date domain validation, we didn't include it in the You Need To section.

Note: You were only required to complete the DCV for the domains you included in your reissue request. You could ignore the domains you had removed. Additionally, when we reissued your certificate, we didn't include the domains dropped from the original or previously issued certificate in the reissue.

Now, when you reissue a certificate and remove domains included in the original or previously issued certificate, we only show the domains included in the reissue request with pending domain validation in the You Need To section on the pending reissue's Order # details page.

We fixed a duplicate certificate orders bug where we added the original certificate requestor as the requestor on all duplicate certificate orders, regardless of who requested the duplicate.

Now, on duplicate certificate orders, we add the name of the user who requested the duplicate.

Note: This fix is not retroactive and doesn't affect issued duplicate certificate orders.

In the DigiCert Services API, we fixed a bug in the List duplicates endpoint where we weren’t returning the name of the requestor on duplicate certificate orders.

Now, when you use the List duplicates endpoint, we return the name of the user requesting the duplicate certificate.

To fix this issue, we added some new response parameters enabling us to return the name of the requestor in the response:

…user_id= Requestor's user ID…firstname= Requestor's first name…lastname= Requestor's last name

Example List duplicates endpoint response

March 18, 2019

api bug fix

In the DigiCert Services API, we fixed a bug in the Order info endpoint where it wasn’t returning the email addresses for an issued client certificate order (Authentication Plus, Email Security Plus, etc.).

Note: When using the List orders endpoint to retrieve information for all issued certificates, the email addresses for client certificate orders were returned.

Now, when you use the Order info endpoint to view the details of an issued an issued client certificate order, the email addresses are returned in the response.

Example Order info response for an Authentication Plus

We fixed an organization unit (OU) entry character limit bug where we were applying the 64 character limit collectively instead of individually to the OU entries on SSL/TLS certificate requests with multiple OUs. When an admin tried to approve the request, they incorrectly received the "Organization units must be less than 64 characters in order to be compliant with industry standards" error message.

Note: This bug only affected requests requiring admin approval.

Now, when an admin approves an SSL/TLS certificate request with multiple OUs (where each entry is within the 64 character limit standard), the request gets submitted to DigiCert as expected.

Compliance Note: Industry standards set a 64 character limit for individual organization unit entries. However, when you add multiple OUs to an order, each one is to be counted individually and not combined. See Publicly Trusted Certificates – Data Entries that Violate Industry Standards.

We fixed a bug on certificate requests where you were unable to edit the division that the request/certificate was assigned to.

Note: Once the certificate was issued, you could go to its Order # details page and edit the division the certificate was assigned to.

Now, when you edit a certificate request, you can change the division the request/certificate is assigned to.

March 12, 2019

certcentral-ui Revoke api bug fix

We fixed a certificate reissue bug where it appeared that you could revoke a certificate with a pending reissue. To fix this bug, we improved the reissue certificate workflow removing the Revoke Certificate option from certificates with a pending reissue.

Previously, when a certificate had a pending reissue, you could submit a request to revoke the original or previously issued certificate. When the administrator approved the request, the certificate was incorrectly marked as being revoked on the Requests page. However, when you went to the Orders page, the certificate was correctly marked as issued and was still active.

When a certificate has a reissue pending, you can't revoke the certificate as it is tied to the certificate reissue process. If something happens where you need to revoke a certificate with a pending reissue on it, you have two options:

Cancel the certificate reissue and then revoke the original or previously issued certificate.
Wait for DigiCert to reissue the certificate and then revoke the certificate.

We fixed a DigiCert Services API certificate reissue bug where it appeared that you could submit a request to revoke a certificate with a pending reissue. When you use the revoke certificate endpoint, we returned a 201 Created response with the request details.

Now, when you use the revoke certificate endpoint to revoke a certificate with a pending reissue, we return an error with a message letting you know that you can’t revoke an order with a pending reissue along with information on what to do if you need to revoke the certificate.

"An order cannot be revoked while pending reissue. You can cancel the reissue then revoke the certificate, or revoke the certificate once the reissue is complete."

March 5, 2019

api bug fix certcentral-ui requests enhancement Reissue DV Certificates

We fixed a DV certificate reissue bug where we weren't honoring the valid until date on the original order for certificates with more than a year remaining until they expired.

Now, when you reissue a DV certificate with more than a year remaining until it expires, the reissued certificate will retain the valid until date of the original certificate.

In the DigiCert Services API, we improved the DV certificate request endpoints allowing you to use the new email_domain field along with the existing email field to more precisely set the desired recipients of the domain control validation (DCV) emails.

For example, when ordering a certificate for my.example.com, you can have a domain owner for the base domain (example.com) validate the subdomain. To change the email recipient for the DCV email, in your DV certificate request, add the dcv_emails parameter. Then, add the email_domain field specifying the base domain (example.com) and the email field specifying the email address of the desired DCV email recipient (admin@example.com).

Example request for a GeoTrust Standard DV Certificate

DV certificate endpoints:

GeoTrust Standard DV -- https://www.digicert.com/services/v2/order/certificate/ssl_dv_geotrust
GeoTrust Wildcard DV -- https://www.digicert.com/services/v2/order/certificate/wildcard_dv_geotrust
RapidSSL Standard DV -- https://www.digicert.com/services/v2/order/certificate/ssl_dv_rapidssl
RapidSSL Wildcard DV -- https://www.digicert.com/services/v2/order/certificate/wildcard_dv_rapidssl

February 28, 2019

bug fix certcentral-ui Order details page emails signature hash Reissue

We fixed a bug on the certificate reissue Order # details page where it wasn’t displaying the signature hash for the certificate correctly. This only happened on reissues when you changed the signature hash (i.e., in the original certificate, you used SHA256 but in the reissue, you used SHA384).

Note: The reissued certificate was issued with the correct signature hash.

Now when you reissue a certificate with a different signature hash, the hash is displayed correctly on the certificate's Order # details page.

We fixed a code signing certificate reissue bug where we weren't sending the email letting you know your certificate was issued.

Note: When you checked on the order in your account, the reissued code signing certificate was available to download from its Order # details page.

Now when we reissue your code signing certificate, we send the email letting you know your code signing certificate was issued.

February 26, 2019

api certcentral-ui EV SSL certificates enhancement SSL certificates

We enhanced the DigiCert Services API request endpoints enabling you to get faster responses to your certificate requests.

We made it easier to Add Contacts for OV certificate orders (Standard SSL, Secure Site SSL, etc.). Now when you order an OV certificate, we populate the Organization Contact card for you. If needed, you can add a technical contact.

When adding a CSR that includes an existing organization in your account, we populate the Organization Contact card with the contact assigned to that organization.
When you manually add an existing organization, we populate the Organization Contact card with the contact assigned to that organization.
When you add a new organization, we populate the Organization Contact card with your contact information.

To use a different organization contact, delete the one populated automatically and manually add one.

We made it easier to Add Contacts for EV certificate orders (EV SSL, Secure Site EV SSL, etc.). Now when you order an EV certificate, we will populate the Verified Contact cards for you if EV verified contact information is available in your account. If needed, you can add organization and technical contacts.

When adding a CSR that includes an existing organization in your account, we populate the Verified Contact card with the EV verified contacts assigned to that organization.
When you manually add an existing organization, we populate the Verified Contact card with the EV verified contacts assigned to that organization.

Assigning Verified Contacts to an organization is not a prerequisite for adding an organization. There may be instances were verified contact information won't be available for an organization. In this case, manually add the Verified Contacts.

February 25, 2019

forms certcentral-ui bug fix

We fixed a bug on the Orders page (in the sidebar menu, click Certificates > Order) where using the Product column header to sort the orders by certificate type didn't show any results.

Note: When this happened, to see your full list of orders, you had to click a different column header (e.g., Order #) or leave the page and come back.

Now, on the Orders page, you can use the Product column header to sort your list of orders by certificate type.

We fixed a bug where on some of the forms the state field appeared twice or was required for countries that don't require that information.

Now, on the Edit Billing Contact, New Purchase Order, and EV Code Signing Certificate order, reissue, and renewal forms, the state field only appears once and for countries that don't require that information, the State / Province / Region field is listed as optional.

Edit Billing Contact form

To change the billing contact for your account, in the sidebar menu, click Finances > Settings. On the Finance Settings page, under Billing Contact click the Edit link. If you haven't set up a billing contact for your account, click the Change Billing Contact link.

February 22, 2019

ECDSA keys compliance ECC certificates mozilla

No action is required on your part.

As of February 13, 2019, DigiCert no longer issues ECC TLS/SSL certificates (i.e., certificates with ECDSA keys) with the curve-hash pair P-384 with SHA-2 512 (SHA-512). This curve-hash pair is not compliant with Mozilla's root store policy.

Mozilla's root store policy supports these curve-hash pairs only:

P‐256 with SHA-256
P‐384 with SHA-384

Note: Do you have a certificate with a P-384 with SHA-512 curve-hash pair? Don't worry. When it’s time to renew the certificate, it will automatically be issued using a supported curve-hash pair.

February 13, 2019

New feature download api order_id

We added two new endpoints that allow you to use the order_id to download the current, active certificate for the order.

These endpoints can only be used to get the most recent reissue certificate for an order. These endpoints won't work for downloading duplicate certificates.

Duplicate Certificates Note

To download a duplicate certificate for an order, first use the List order duplicates endpoint to get the duplicate certificate's certificate_id – GET https://www.digicert.com/services/v2/order/certificate/{{order_id}}/duplicate.

Then use the Get certificate endpoint to download the duplicate certificate – GET https://www.digicert.com/services/v2/certificate/{{certificate_id}}/download/platform .

Reissue Certificates Note

To download a past reissue certificate (one that is not the current reissue), first use the List order reissues endpoint to get the reissue certificate's certificate_id -- GET https://www.digicert.com/services/v2/order/certificate/{{order_id}}/reissue.

Then use the Get certificate endpoint to download the reissue certificate – GET https://www.digicert.com/services/v2/certificate/{{certificate_id}}/download/platform.

API Documentation Note

For more information about these and other endpoints available in the DigiCert Services API, see CertCentral API.

February 12, 2019

DV Certificates certcentral-ui enhancement

We enhanced our DV certificate offering. You can now renew your DV certificate orders, allowing you to keep the original order ID.

Previously, when a DV certificate order neared its expiration date, you had to order a new certificate for the domains on the expiring order.

Note: DV certificates don't support domain pre-validation. When you renew a DV certificate, you must demonstrate control over the domains on the renewal order.

In the DV Certificate Enrollment guide, see Renewing DV Certificates.

February 8, 2019

SSL certificates certcentral-ui certificate profiles

We've added a new certificate profile option, KDC/SmartCardLogon EKU, that allows you to include the KDC and SmartCardLogon EKUs (Extended Key Usage) in an OV SSL/TLS certificate. Once enabled for your account, the Include the KDC/SmartCardLogon EKU (Extended Key Usage) field in the certificate option appears on your SSL/TLS certificate request forms under Additional Certificate Options.

To enable a certificate profile for your account, reach out to your account representative or contact our Support team.

Note: Previously, this feature was only available through the DigiCert Services API (see CertCentral API).

Other available certificate profile options

If enabled for your account, these profile options appear on your SSL/TLS certificate request forms under Additional Certificate Options.

Intel vPro EKU
Allows you to include the Intel vPro EKU field in an OV SSL/TLS certificate.
HTTP Signed Exchange
Allows you to include the CanSignHTTPExchanges extension in an OV and EV SSL/TLS certificate (see Improve your AMP URLs with Signed HTTP Exchange).

February 5, 2019

New feature intermediate certificates root certificates certcentral-ui

We added a new Certificate Authority page that replaces the Intermediates page. To access this new page, in the sidebar menu, click Certificates > Certificate Authority.

Note: This page is where we list all intermediate and root certificates available for your account: Public and Private.

We also made some enhancements to the page. Now when you click the certificate name link, it opens the certificate details panel where you can download the certificate and view more details about it, such as the certificate's signature hash, serial number, and thumbprint.

January 31, 2019

Order details page organization validation bug fix enhancement

We enhanced the Order # details page for pending OV SSL and EV SSL certificate orders. In the DigiCert Needs To section, under Verify Organization Details, we now list the steps that need to be completed to validate the organization (e.g., complete Place of Business Verification) along with the status for each step: complete or pending.

Previously, we provided only a high-level overview of the organization validation process – Verify Organization Details – without offering any details as to what steps needed to be completed before the organization was fully validated.

We fixed a bug on the forms in CertCentral where the state/province/territory field appeared as being required when the country selected didn't require that information (for example when adding a new organization or a credit card).

Note: This bug didn't prevent you from completing these transactions. For example, you were still able to add an organization or a credit card with or without filling in the state/province/territory field.

Now, in the forms, the state/province/territory field is labeled as optional for countries that don't require this information as part of their transactions.

Note: US and Canada are the only countries that require you to add a state or province/territory.

January 28, 2019

certcentral-ui organization contact technical contact EV SSL certificates enhancement New feature SSL certificates

We added a new Add contact feature to the OV SSL/TLS certificate request forms allowing you to add a single technical contact and a single organization contact during the request process.

Previously, you were unable to add contacts when ordering OV SSL/TLS certificates (such as Secure Site SSL and Multi-Domain SSL certificates).

Note: A technical contact is someone we can contact should problems arise while processing your order. An organization contact is someone we can contact when completing the organization validation for your certificate.

We enhanced the Add contact feature on the EV SSL/TLS certificate request forms allowing you to add a single technical contact and a single organization contact during the request process.

Previously, you could only add Verified Contacts (for EV) when ordering EV SSL/TLS certificates (such as Secure Site EV and EV Multi-Domain SSL).

Note: A technical contact is someone we can contact should problems arise while processing your order. An organization contact is someone we can contact when completing the organization validation for your certificate.

January 17, 2019

New feature certcentral-ui cancel reissues bug fix

We added a new Cancel Reissue feature enabling you to cancel a pending reissue on a certificate.

On the Orders page (in the sidebar menu, click Certificate > Orders), locate the Reissue Pending certificate request and click its order number link. On the Order # details page, in the Certificate Details section, in the Certificate Actions drop-down list, select Cancel Reissue.

Note: For reissue requests awaiting approval, the approver can just reject the reissue request. For certificate reissues that have already been issued, the administrator must revoke the certificate.

We fixed a bug where standard users were unable to access the domain control validation (DCV) features on their SSL/TLS certificate's Order # details page.

Note: Account administrators and managers were able to access the DCV features on the Order # details pages and complete the DCV for the orders.

Now, when standard users order a certificate for a new domain, they can access the DCV features on the Order # details page.

(In the sidebar menu, click Certificate > Orders. On the orders page locate the pending certificate order and click the order number link. On the Order # details page, click the domain link.)

January 16, 2019

Email documentation File DNS TXT enhancement DV Certificates dcv methods

We moved the CertCentral DV Certificate Enrollment guide to https://docs.digicert.com/certcentral/documentation/dv-certificate-enrollment/.

A pdf version of the guide is still available (see link at the bottom of the Introduction page).

Additionally, we updated and added instructions to cover the supported DCV methods for DV certificates in CertCentral.

Added new Domain Control Validation (DCV) instructions
- Use the Email DCV method
- Use the DNS TXT DCV method
- Use the File DCV method
- File DCV method common mistakes
Updated the order DV certificate instructions
- Order a RapidSSL Standard DV Certificate
- Order a RapidSSL Wildcard DV Certificate
- Order a GeoTrust Standard DV Certificate
- Order a GeoTrust Wildcard DV Certificate
- Order a GeoTrust Cloud DV Certificate
Updated the reissue DV certificate instructions
- Reissue a RapidSSL Standard DV Certificate
- Reissue a RapidSSL Wildcard DV Certificate
- Reissue a GeoTrust Standard DV Certificate
- Reissue a GeoTrust Wildcard DV Certificate
- Reissue a GeoTrust Cloud DV Certificate

January 15, 2019

dcv methods certcentral-ui enhancement DV Certificates New feature

We added two more Domain Control Validation (DCV) methods to the DV certificate Order and Reissue pages: DNS TXT and File.

Note: Previously (unless you are using the DigiCert Services API), you could only use the Email DCV method to prove control over the domains on your DV certificate orders.

Now, when ordering or reissuing a DV certificate, you can choose DNS TXT, File, or Email as the DCV method to complete domain validation for the order.

We added new Prove control over domains features to the DV certificates' Order # details page.

Previously, you were unable to take any actions to complete your domain validation on the DV certificates' Order # details page.

Now, you can take more actions to complete the domain validation for the order:

Use the DNS TXT, Email, and File DCV methods
Resend/send the DCV Emails and choose which email address to send it to
Verify your domain's DNS TXT record
Verify your domain's fileauth.txt file
Choose a different DCV method than the one selected when ordering the certificate

(In the sidebar menu, click Certificates > Orders. On the Orders page, in the Order # column of the DV certificate order, click the order number.)

We enhanced the Certificate Details section of the DV certificates' Order # details page adding additional DV certificate information: Serial Number and Thumbprint.

Note: This enhancement is not retroactive. This new information only appears for orders placed after 17:00 UTC time January 15, 2019.

(In the sidebar menu, click Certificates > Orders. On the Orders page, in the Order # column of the DV certificate order, click the order number.)

We enhanced the Get order details endpoint enabling the DV certificate's thumbprint and serial number to be returned in the response.

{ "id": "12345", "certificate":{ "id":123456, "thumbprint":"{{thumbprint}}", "serial_number":"{{serial_number}} ... }

Note: This enhancement is not retroactive. The thumbprint and serial number are only returned for orders placed after 17:00 UTC time January 15, 2019.

For more information, see the Get order details endpoint in the DigiCert Services CertCentral API documentation.

January 14, 2019

certificate compliance underscores

Certificate Authorities (CAs) revoked all public SSL certificates containing underscores (in the common name and subject alternative names) with a maximum validity of more than 30 days by end of day (UTC time).

If you had an SSL certificate with a total validity of 31 days or more (which includes all 1-year, 2-year, and 3-year certificates) that expired after January 14, 2019, the CA who issued your certificate was required to revoke it.

For more details, see Retiring Underscores in Domain Names.

January 10, 2019

certificate DCV certcentral-ui bug fix

We fixed a bug where the SSL/TLS certificate Order# details page and Order details panel weren't showing domain control validation as being completed after you finished validating the domains on your certificate order.

Note: This bug didn't stop your certificate orders from being issued after you completed the domain control validation.

Now, when you complete the domain control validation for the domains on your order, the Order# details page and Order details panel for the order show the domain validation as being completed.

(In the sidebar menu, click Certificates > Orders. On the Orders page, in the Order # column of the certificate order, click the order number or Quick View link.)

January 7, 2019

certcentral enhancement

We improved the look and feel of our DigiCert account sign in page (www.digicert.com/account/), bringing it up to date with the design of our certificate management platform, CertCentral.

See Redesigned DigiCert Account Sign In Page.

January 3, 2019

certificate certcentral-ui bug fix renewal message

We fixed a bug where the Order Specific Renewal Message added when ordering a certificate wasn't being transferred to the Order # details page.

Note: You were able to see the renewal messages in the order's Quick View panel.

Now, when you add an Order Specific Renewal Message while ordering a certificate, you can see the renewal message in the Order Details section on the certificate's Order # details page.

(In the sidebar menu, click Certificates > Orders. On the Orders page, in the Order # column of the certificate order, click the order number link.)

December 20, 2018

bug fix certcentral-ui pending validation order notes enhancement

We enhanced the order Notes feature, enabling the order notes from the previous order to carry over to the renewed certificate order.

Previously, if you wanted any of the notes to carry over, you had to manually add the notes to the renewed order yourself.

Now, notes from the previous order are automatically carried over to the renewal order. These notes are timestamped with author's name (for example, 18 Dec 2018 8:22 PM John Smith).

These notes are on the renewed Order # details page (in the sidebar menu, click Certificates > Orders and then click the order number link). They are also in the Order # details panel (click the Quick View link).

We enhanced the DV certificates Order # details page, enabling you to see which domains on the order are pending validation (i.e., domains that you still need to demonstrate control over).

Previously, domains pending validation weren't listed on the Order # details page.

Now, when you visit a DV certificate's Order # details page, domains pending validation will be shown. (In the sidebar menu, click Certificate > Orders and then on the Orders page, click the order number link).

We fixed a bug on the Orders page (in the sidebar menu, click Certificates > Orders) where the Organization Contact information was missing in the Order # details panel.

Now, when you visit the Orders page and use the Quick View link to view order details, you will see the Organization Contact information in the Order # details panel. (Expand Show More Certificate Info and in the Order Details section, expand Show Org Contact).

December 18, 2018

New feature enhancement bug fix underscores certcentral-ui certificate compliance

DigiCert began issuing public SSL certificates containing underscores for a limited time.

Maximum 30-day validity for public SSL certificates containing underscores in domain names.
Underscores must not be in the base domain ("example_domain.com" is not allowed).
Underscores must not be in the left most domain label ("_example.domain.com" and "example_domain.example.com" are not allowed).

For more details, see Retiring Underscores in Domain Names.

In the top menu, we added two new contact support options (phone and chat icons) making it easier to contact support from within CertCentral (via email, chat, or phone).

The phone icon provides you with email and phone options. The chat icon provides you with a chat window where you can start a chat with one of our dedicated support team members.

We enhanced the sidebar menu, making it easier to see the menu option for the pages you are visiting. Now, when you visit a page in CertCentral, the menu option for that page will have a horizontal blue bar next to it.

We fixed a bug in the Add Organization feature on the SSL/TLS certificate request forms where the validation status (EV and OV validated) was not included for new organizations added and validated as part of the certificate order.

Now, new organizations added when ordering an SSL certificate will show a Validated status.

Note: The organization's validation status doesn't appear until we've fully validated the organization.

December 17, 2018

api certcentral-ui New document signing enhancement DV Certificates RapidSSL

We enhanced our RapidSSL DV certificate offerings enabling you to include a second, very specific domain, in these single domain certificates.

RapidSSL Standard DV
By default now, when ordering a RapidSSL Standard DV Certificate, you get both versions of the common name in the certificate – [your-domain].com and www.[your-domain].com.
After entering the common name, make sure the Include both www.[your-domain].com and [your-domain].com in the certificate box is checked.
Previously, you had to order separate certificates for [your-domain].com and www.[your-domain].com.
RapidSSL Wildcard DV
By default now, when ordering a RapidSSL Wildcard DV Certificate, you get the wildcard domain and the base domain in the certificate – *.[your-domain].com and [your-domain].com.
After entering the common name, make sure the Include both *.[your-domain].com and [your-domain].com in the certificate box is checked.
Previously, you had to order separate certificates for *.[your-domain].com and [your-domain].com.

See the CertCentral: DV Certificate Enrollment Guide.

We enhanced the RapidSSL certificate endpoints to include the dns_names parameter, enabling you to include a second, very specific domain, in these single domain certificates.

RapidSSL Standard DV
When ordering a RapidSSL Standard DV Certificate, you may include both version of your domain in the certificate — [your-domain].com and www.[your-domain].com.
"common_name": "[your-domain].com", "dns_names": ["www.[your-domain].com"],
Previously, you had to order separate certificates for [your-domain].com and www.[your-domain].com.
RapidSSL Wildcard DV
When ordering a RapidSSL Wildcard DV Certificate, you may include the base domain in the certificate — *.[your-domain].com and [your-domain].com).
"common_name": "*.your-domain.com", "dns_names": ["[your-domain].com"],
Previously, you had to order separate certificates for *.[your-domain].com and [your-domain].com.

For DigiCert Services API documentation, see CertCentral API.

Individual Document Signing certificates are available in CertCentral:

Document Signing – Individual (500)
Document Signing – Individual (2000)

To activate Individual Document Signing certificates for your CertCentral account, contact your Sales representative.

Previously, only Organization Document Signing certificates were available.

Document Signing – Organization (2000)
Document Signing – Organization (5000)

To learn more about these certificates, see Document Signing Certificate.

December 14, 2018

DV Certificates certcentral-ui reports enhancement

We enhanced the Orders Report feature on the Orders page (in the sidebar menu, click Certificates > Orders). Now when you run a report (click Orders Report), it will include your DV SSL certificate orders.

December 13, 2018

certcentral-ui ev certificate enhancement ev verified contact

We enhanced the Add Verified Contacts process on the organization details pages making it easier to add existing and new verified contacts when submitting an organization for pre-validation (in the sidebar menu, click Certificates > Organizations. Then in the Name column, click the organization name link).

To make adding a verified contact easier, we removed the separate links (Add New Contact and Add from Existing Contacts) each with their own window. Now, we provide a single Add Contact link and a single Add Contact window where you can add a new or existing contact.

Add New Contact Note

By default, the Allow non-CertCentral account users to be used as verified contacts feature is disabled for a CertCentral account.

You can enable this feature on the Division Preferences page (in the sidebar menu, click Settings > Preferences). In the Advance Settings section, under Verified Contacts, you can allow non-CertCentral account users to be used as verified contacts (check Allow non-DigiCert users to be used as verified contacts).

December 11, 2018

New feature certificate id orders page

We added a new search filter Certificate ID to the Orders page that allows you to search for a certificate order using the Certificate ID.

You can now use the Certificate ID to find active, expired, revoked, rejected, pending reissue, pending, and duplicate certificates.

On the Orders page (in the sidebar menu, click Certificates > Orders), click Show Advanced Search. Then, in the Certificate ID search box, add the Certificate ID and click Go.

December 7, 2018

New feature certcentral New GeoTrust DV Certificates RapidSSL

RapidSSL and GeoTrust DV certificates are available in CertCentral:

RapidSSL Standard DV
RapidSSL Wildcard DV
GeoTrust Standard DV
GeoTrust Wildcard DV

Documentation

CertCentral: DV Certificate Enrollment Guide – https://docs.digicert.com/certcentral/documentation/dv-certificate-enrollment/
CertCentral API: DV Certificate Enrollment Guide – https://www.digicert.com/certcentral-support/api-dv-certificate-workflow-endpoints-guide.pdf

December 6, 2018

certcentral-ui request forms enhancement New feature organization ev verified contact preferences

We added a new feature Allow users to add new contacts when requesting TLS certificates that provides you with the flexibility to choose whether standard users, finance managers, and limited users can add a new non-CertCentral account user as a Verified Contact (for EV) when ordering an EV TLS/SSL certificate from inside their account or when using a guest URL.

Previously, the only way to prevent these user roles from adding a new non-CertCentral account user as a verified contact during the order process was to edit the request and select an existing contact for the order or reject the certificate request.

Now, you can control whether the User, Finance Manager, and Limited User roles can add a new non-CertCentral account user as a verified contact from the EV SSL/TLS certificate request pages. This feature doesn't remove the option from the EV SSL/TLS certificate order pages for the Administrator and Manager roles.

On the Division Preferences page (Settings > Preferences). In the Certificate Request section (expand Advanced Settings), under Add New Contacts, uncheck Allow users to add new contacts when requesting TLS certificates and then click Save Settings.

Note: This change does not remove the ability to add an existing contact (CertCentral account users or non-CertCentral account users) as the verified contact to an order as this is required for all EV SSL/TLS certificate orders.

We enhanced the Allow users to add new organizations when requesting TLS certificate feature providing you with the flexibility to choose whether standard users, finance managers, and limited users can add a new organization when ordering a TLS certificate (OV and EV) from inside their account or when using a guest URL.

Previously, the feature removed the ability to add a new organization for all user roles: Administrator, Manager, Standard User, Finance Manager, and Limited User.

Now, the Allow users to add new organizations when requesting TLS certificate feature only affects the User, Finance Manager, and Limited User roles ability to add new organizations from the certificate request pages. Administrator and Manager roles retain the ability to add new organizations whether this feature is enabled or disabled.

On the Division Preferences page (Settings > Preferences). In the Certificate Request section (expand Advanced Settings), under Add New Organization, uncheck Allow users to add new organizations when requesting TLS certificates and then click Save Settings.

Note: This change does not remove the ability to add an existing, pre-validated organization to an order as this is required for all OV and EV TLS certificate orders.

December 5, 2018

bug fix certcentral-ui ev verified contact ev certificate enhancement organization

We enhanced the add existing organization feature for the EV SSL/TLS certificates order process making it easier to include the EV verified contacts for an organization in your certificate order.

Previously, information about who the EV verified contacts are for an organization didn't appear on the EV certificate request pages.

Now, when you add an existing organization that already has EV verified contacts assigned to it, the Verified Contact (for EV) cards are populated with the verified contacts' information.

Note: If your CSR includes an organization currently used in your account, the Organization card is populated with the organization's information contained in your account. If this same organization already has assigned EV verified contacts, the Verified Contact (for EV) cards are populated with their information (name, title, email, and phone number).

We fixed a bug on the User Invitations page preventing the Invited By filter from showing the administrators who sent the user invite requests.

Now, when you go to the User Invitations page (in the sidebar menu, click Account > User Invitations), the Invited By filter shows the admins who sent user invitations.

December 3, 2018

client certificate validity api cc-api enhancement New feature certcentral-ui request forms

We enhanced our SSL/TLS and client certificate product offerings, enabling you to set a custom validity period (in days) when ordering one of these certificates. Previously, you could only choose a custom expiration date.

Custom validity periods start on the day we issue the certificate. Certificate pricing is prorated to match the custom certificate length.

Note: Custom certificate lengths can't exceed the industry allowed maximum lifecycle period for the certificate. For example, you can't set a 900-day validity period for an SSL/TLS certificate.

We enhanced the SSL/TLS and Client certificate endpoints to include a new validity_days parameter that allows you to set the number of days that the certificate is valid for.

Parameter Priority Note: If you include more than one certificate validity parameter in your request, we prioritize the certificate validity parameters in this order: custom_expiration_date > validity_days > validity_years.

For DigiCert Services API documentation, see CertCentral API.

We added a new Order Management - List Order Reissues API endpoint that allows you to view all the reissue certificates for a certificate order. See the List order reissues endpoint.

November 30, 2018

Order details page certcentral-ui domain validation bug fix

We fixed a bug on the pending SSL certificate's order details page where the link for a pending domain that provides you with actions to prove control over a domain was broken.

Now, when you go to a pending certificate's order details page and click the link for a pending domain, the Prove Control Over Domain window opens where you can choose a DCV method to prove control over that domain.

November 29, 2018

organization enhancement SSL certificates bug fix customer order fields ou organization units ev certificate

We enhanced the add existing organization feature of the SSL/TLS certificate order process, enabling you to filter the existing organization list to see only organizations that are fully validated.

Note: If your CSR includes an organization currently used in your account, the Organization card auto populates with the organization's information contained in your account.

To manually add an existing organization when ordering your SSL/TLS certificate, click Add Organization. In the Add Organization window, check Hide non-validated organizations to filter the organizations so only the fully validated ones are shown.

Note: If you have more than nine active organizations in your account, the filter also works for the Organization drop-down list.

We enhanced the Organization Unit(s) feature of the SSL/TLS certificate order process, enabling you to add multiple organization units. Previously, you could only add one organization unit.

Note: The Organization Unit(s) field on the request form will be auto populated with the values from your CSR.

To manually add organization units when ordering your SSL/TLS certificate, expand Additional Certificate Options and in the Organization Unit(s) field, you can now add one or more organization units.

Note: Adding organization units is optional. You can leave this field blank. However, if you do include organization units in your order, DigiCert will need to validate them before we can issue your certificate.

We fixed a Custom Order Fields* bug preventing the feature from working properly when deactivating, activating, changing a field from required to optional, and changing a field from optional to required.

*Custom Order Fields is disabled by default. To enable this feature for your CertCentral account, please contact your DigiCert account representative. See Managing Custom Order Form Fields in the Advanced CertCentral Getting Started Guide.

November 28, 2018

Order details page certcentral-ui enhancement

We enhanced the order details page for issued certificates, making it easier to find the certificate details on page. (In the sidebar menu, click Certificates > Orders and then on the Orders page click the order number.)

To make finding the certificate details easier, we moved that information so it's the first thing you see on the order details page. Additionally, we moved all certificate actions, such as Reissue Certificate and Revoke Certificate, to the Certificate Actions drop-down list.

November 26, 2018

Order details page certcentral-ui domain validation bug fix

We fixed a domain validation display bug on the order details pages where domains with expired validations were showing a completed status with no actions for completing the domain validation.

Now, when you go to an order's details page, we show a pending validation status symbol next to the domain along with actions for completing the domain validation. (In the sidebar menu, click Certificates > Orders and then on the Orders page click the order number.)

November 12, 2018

Email dcv methods cc-api certcentral enhancement

We enhanced the functionality of the Domain management – Get domain control emails API endpoint. You can now use the domain name to retrieve the Domain Control Validation (DCV) email addresses (WHOIS-based and constructed) for any domain.

Previously, you had to have the domain ID to retrieve the DCV email addresses. However, for a domain to have an ID, you had to submit it for pre-validation.

Now, you can use either the domain name or the domain ID with the Domain management – Get domain control emails endpoint to retrieve the DCV email addresses (WHOIS-based and constructed) for a domain. See the Get domain emails endpoint.

November 7, 2018

bug fix csr certcentral-ui enhancement SSL certificates

We fixed a bug on the TLS/SSL certificate order forms where adding a CSR only auto populated the Common Name field. While fixing this bug, we enhanced the CSR upload feature to also auto populate the Organization field.

We now use information from your CSR to auto populate these order form fields: Common Name, Other Hostnames (SANs), Organization Unit (OU), and Organization.

You can still change the information in these fields as needed (for example, you can add or remove SANs).

Organization field note

When you include an organization currently used in your account, the Organization card auto populates with the organization's information contained in your account.

November 5, 2018

Order details page client certificate bug fix Reissue

We fixed a bug where you were unable to cancel a pending Client certificate order (Premium, Authentication Plus, Grid Premium, Grid Robot Email, and so on).

Now, you can go to the Orders page (in the sidebar menu, click Certificates > Orders) and find the Client certificate order that needs to be canceled. Then on the certificate's Order# details page, in the Certificate Actions drop-down list, select Cancel Order.

We fixed a bug where email recipients were sent a link to a Service Not Found page, preventing them from being able to download a reissued certificate.

Now, when you send someone a link to download a reissued certificate, the link works. The recipient is able to download the certificate.

November 1, 2018

bug fix duplicates page csv files certcentral-ui

We fixed a download csv file bug on the Duplicates page. Previously, when you downloaded a csv file, you got a file without the .csv extension. To get it to work, you had to add .csv extension to the end of the file.

Now, when you download a csv file from the Duplicates page, you receive a working csv file: duplicates.csv.

October 31, 2018

New feature certcentral-ui document signing Reissue

We added a new feature that allows you to reissue Document Signing certificates [Document Signing – Organization (2000) and Document Signing – Organization (5000)].

Note: Previously, you couldn't reissue a Document Signing certificate. The only workaround was to revoke and replace your Document Signing certificate.

Now, you can go to Orders page (in the sidebar menu, click Certificates > Orders), find your Document Signing certificate, and on its Order# details page, reissue your certificate as needed.

October 25, 2018

request forms organization validation status enhancement

We enhanced the add existing organization feature of the TLS/SSL certificate order process, enabling you to see the organization's address and phone number, along with its validation status (EV Validated, Pending OV Validated, etc.). Note that organizations not yet submitted for validation won't have any validation status listed.

Previously, you were unable to see any information about the organization from the Request Certificate pages. To view organization details and validation status, you had to visit the Organizations page (in the sidebar menu, click Certificates > Organizations).

Note: If you have more than nine active organizations in your account, you will still use the Organization drop-down list, and you will still need to visit the Organizations page to view details about an organization. However, you will now see the top two most used organizations at the top of the list under Recently Used.

October 17, 2018

New feature cc-api certcentral

We added a new Order Management - Revoke Certificate API endpoint that allows you to use the order ID to revoke all certificates associated with a single order, making it easier to use the API to revoke an issued certificate. This assures that any duplicates or reissues associated with the order are revoked all at once.

Note: After you submit the certificate revocation request, an administrator will need to approve the request before DigiCert can revoke the certificates associated with the order. See the Update Request Status API endpoint.

For more information about the new endpoint and other publicly available endpoints, see the Revoke Certificate API endpoint in our CertCentral API documention.

October 16, 2018

client certicate request forms validity certcentral-ui

Enhancements made to client certificates. When ordering a client certificate (Premium, Email Security Plus, Digital Plus, and Authentication Plus), you may now include a Custom Expiration Date for your client certificates.

Previously when ordering a client certificate, you were only able to select 1, 2, or 3 years for the certificate's validity period.

October 12, 2018

ev verfied contact ev certificate enhancement

We enhanced the Add Contact feature of the EV TLS/SSL certificate order process, enabling you to see if the existing contact listed is a CertCentral account user or a contact (non-CertCentral account user).

Previously, when adding an existing contact as a Verified Contact for your EV TLS certificate order, you were presented with a list of contacts to select from without a way to distinguish account users from non-account users.

With this improvement, the contacts listed are now categorized as Users (CertCentral account users) and Contacts (non-CertCentral account users).

Note: By default, the Allow non-CertCentral account users to be used as verified contacts feature is disabled for a CertCentral account.

How to enable the Allow non-CertCentral account users to be used as verified contacts feature

With the non-CertCentral user feature enabled, when adding verified contacts as part of the EV certificate request process, you will see two options: Existing Contact and New Contact. The Existing Contact option lets you assign a CertCenrtal user as the verified EV contact. The New Contact option lets you enter information for a non-CertCentral account user.

October 11, 2018

enhancement SSL certificates organization

We enhanced the add new organization feature of the TLS/SSL certificate order process, enabling you to edit the details of a newly added organization.

Previously, after adding a new organization on the Certificate Request page, you were unable to go back and edit the organization's details. To edit the organization's details, you had to delete the organization and re-add it with the correct information.

With this improvement, you may now edit the newly added organization details. Click the edit icon (pencil), and you can modify the organization's details before submitting your order.

October 5, 2018

New feature organization certcentral-ui permissions

We added a new feature that provides the flexibility to choose whether users can add a new organization when ordering a TLS certificate (OV and EV) from inside their account or when using a guest URL.

Note: Previously, the only way you could prevent users from adding a new organization during the order process was to edit the request and select an existing organization for the order or reject the certificate request.

With this new feature, you can disable or enable the ability for users to add new organizations from the certificate request pages.

Note: This change does not remove a user's ability to add an existing, pre-validated organization to an order as this is required for all OV and EV TLS certificate orders.

October 1, 2018

compliance SSL certificates underscores

Industry standards compliance change. For publicly trusted certificates, underscores ( _ ) can no longer be included in subdomains. RFC 5280 now enforced for subdomains as well.

See Publicly Trusted Certificates – Data Entries that Violate Industry Standards.

September 27, 2018

bug fix certcentral certificate ev certificate New feature secure site

Secure Site TLS/SSL certificates are available in CertCentral:

Secure Site SSL
Secure Site EV SSL
Secure Site Multi-Domain SSL
Secure Site EV Multi-Domain SSL
Secure Site Wildcard SSL

To activate Secure Site certificates for your CertCentral account, contact your Sales representative.

Benefits included with each Secure Site certificate:

Priority validation
Priority support
Two premium site seals
Industry-leading warranties

To learn more about our Secure Site certificates, see DigiCert Secure Site Overview.
Additional Resources:

Updates to the full SHA256 EV hierarchy certificate profile

On September 27, 2018, we removed the Symantec policy OID from EV TLS certificates issued from the full SHA256 EV hierarchy [DigiCert Global G2 Root => DigiCert Global G2 Intermediate => EV TLS/SSL certificate].

Problem: Chrome bug on macOS

July 2018, we discovered a bug in Chrome on macOS where it wasn't showing the EV indicator for EV TLS certificate with more than two policy OIDs – https://bugs.chromium.org/p/chromium/issues/detail?id=867944.

Solution

We removed the Symantec policy OID from the full SHA256 EV hierarchy certificate profile. With this change, Chrome on macOS again showed the EV indicator for the EV TLS certificates issued from the full SHA256 EV hierarchy.

Affected EV TLS certificates

EV TLS certificates (from the full SHA256 EV hierarchy) issued after January 31, 2018 and prior to September 27, 2018 contain these three policy OIDs in the Certificate Extension - Certificate Policies:

2.16.840.1.114412.2.1 (DigiCert OID)
2.16.840.1.113733.1.7.23.6 (Symantec OID)
2.23.140.1.1 (CAB/F OID)

What do I need to do?

Do you have an EV TLS certificate that is not showing the EV indicator in Chrome on macOS?
Please replace (reissue) your EV TLS certificate to show the EV indicator in Chrome on macOS.
Full SHA256 EV TLS certificates issued as of September 27, 2018 contain only two policy OIDs in the Certificate Extension - Certificate Policies:
- 2.16.840.1.114412.2.1 (DigiCert OID)
- 2.23.140.1.1 (CAB/F OID)
What about other types of certificates?
For all other types of certificates, no action is required.

September 18, 2018

product certificate New feature

We added support for IPv6 addresses (abbreviated and full).

You can now order public and private OV TLS/SSL certificates (SSL, Multi-Domain SSL, and Wildcard SSL, Private SSL, etc.) and include an IPv6 address as the common name or a SAN.

Note: IPv6 addresses aren't supported for EV TLS/SSL certificates (EV SSL and EV Multi-Domain SSL).

September 17, 2018

bug fix certcentral

We fixed an Order details page bug where information not relevant to a certificate order was being displayed on the page.

Now, when you visit your TLS/SSL, Code Signing, EV Code Signing, Client, and Document Signing certificate Order details pages, only information relevant to that order will be displayed.

September 13, 2018

New feature certcentral enhancement

We enhanced the Add Organization step of the TLS/SSL certificate ordering process.

Previously, you were required to add a new organization before requesting your certificate (Certificates > Organizations). Additionally, the new organization was not available on the Certificate Request page until we completed its organization validation.

With this improvement, you can add a new organization as part of the request process. Note that because the organization is not pre-validated, DigiCert will need to validate the new organization before we can issue your certificate.

Note: When adding a new organization from a Certificate Request page, the requestor (person ordering the certificate) becomes the contact for the new organization.

When ordering a TLS/SSL certificate, you can still choose to use an existing, pre-validated organization.

Editing a Request

Before a TLS/SSL certificate request is approved, you can Edit the request and add a new organization. The person who adds the new organization becomes the contact for the new organization.

We added a new Add Contacts feature to the EV TLS/SSL certificate request process that lets you assign an existing CertCentral user (admin, manager, finance manager, or user) as the verified EV contact for the organization as part of the request process.

Previously, you were required to assign a verified EV contact to an organization before requesting your certificate (Certificates > Organizations).

Allow non-CertCentral account users to be used as verified contacts enabled

On the Division Preferences page (Settings > Preferences), in the Advance Settings section, under Verified Contacts, you can allow non-CertCentral account users to be used as verified contacts (check Allow non-DigiCert users to be used as verified contacts).
With the non-CertCentral user feature enabled, when adding verified contacts as part of the EV certificate request process, you will see two options: Existing Contact and New Contact. The Existing Contact option lets you assign a CertCenrtal user as the verified EV contact. The New Contact option lets you enter information for a non-CertCentral account user.

September 11, 2018

certcentral enhancement

We added a Skip Approval Step feature that lets you remove the approval step from your SSL, Code Signing, and Document Signing certificate order processes.

Note: Admin approvals are still required for certificate revocations, Guest URL certificate requests, and Finance Manager, Standard User, and Limited User certificate requests.

You can activate this feature on the Division Preferences page (Settings > Preferences). In the Certificate Request section (expand Advanced Settings), under Approval Steps, select Skip approval step: remove the approval step from your certificate order processes and then click Save Settings.

Note: These orders don't require an approval, so they won't be listed on the Requests page (Certificates > Requests). Instead, these orders will only appear on the Orders page (Certificate > Orders).

September 6, 2018

certcentral ct-log

We added a new Get Order Status Changes endpoint that allows those using the DigiCert Services API to check on the status of all certificate orders within a specified time range up to a week.

For more information about this new endpoint, see Order Management – Get Order Status Changes in our Documentation for the DigiCert Services API.

We fixed a CT log messaging bug where we indicated that Private or other non-public SSL/TLS certificates were logged to CT logs when in fact they hadn’t been.

Note: DigiCert doesn't log Private SSL/TLS and non-SSL/TLS certificates to CT logs. The industry only uses the CT logs for public SSL/TLS certificates.

Now when you review the certificate details for your Private SSL/TLS or non-SSL/TLS certificates (for example, Client certificates), you won’t see any CT logging information.

We fixed a search feature bug on the Orders page (Certificates > Orders) where you were unable to use the common name to search for a client certificate.

Now, when you use a common name to Search for a specific client certificate, your results will be returned when a match exists.

September 5, 2018

bug fix certcentral

We fixed a Certificate Service Agreement UI bug where certain characters and symbols were being displayed with improper encoding.

Now when you read through the Certificate Service Agreement, each character and symbol will have the proper coding.

August 31, 2018

bug fix certcentral

We fixed a Limited User role bug. When an administrator assigned a Limited User to a certificate order, the limited user didn't receive the necessary permissions to renew, reissue, or revoke the certificate.

Now, when a Limited User is assigned to a certificate order, they can renew, reissue, or revoke the certificate.

August 30, 2018

validation bug fix codesigning

We fixed an Additional Emails bug where additional emails added to a certificate order weren't being saved.

Now, when you go to a certificate's Order details page and add and save additional email addresses to the order, the additional email addresses are saved and will be there when you return to the page.

We fixed a Code Signing (CS) certificate approval email bug where the CS approval email was sent when the CS requestor was also a CS verified contact.

Now, when the code signing certificate requestor is also the verified CS contact for the organization, we don't send a CS approver email.

August 29, 2018

bug fix certcentral

We fixed a Search feature bug and a Division filter bug on the Requests page (Certificates > Requests).

Now, when you use a Request ID, Order ID, common name, etc. to Search for a specific request, your results will be returned when a match exists. Also, the Division filter will return the requests for the selected division.

We fixed a Pending Cert Request widget bug on the CertCentral Dashboard.

Now, the number of pending certificate requests (new and revoke requests) in the Pending Cert Requestwidget will match the number of pending certificate requests on the Requests page (Certificates > Requests).

August 28, 2018

New feature certcentral

New Change CSR feature added. This feature allows you to change the CSR on pending certificate orders (after they've been approved and before they've been issued).

On the Orders page (Certificates > Orders), locate the pending certificate order and click its Order number link. On the Order details page, in the Validation in Progress section under You Need To, click the Change CSR link to change the CSR.

Note: For certificate request awaiting approval, you can change the CSR before it's been approved. On the Requests page (Certificates > Requests), locate the pending certificate request and click its Order number link. In the Request details pane on the right, click the Edit link to change the CSR.

CertCentral API: New Change CSR Endpoint

We've also added a Change CSR endpoint that allows those using the DigiCert Services API to change the CSR on a pending SSL/TLS certificate. For more information about this new endpoint, see Order Management – Add CSR in our Documentation for the DigiCert Services API.

August 27, 2018

product certificate enhancement

Enhancements made to Wildcard certificates. You can secure multiple wildcard domains on a single wildcard certificate.

When you order a Wildcard certificate in CertCentral, you can secure multiple wildcard domains in one wildcard certificate (*.example.com, *.yourdomain.com, and *.mydomain.com). You can still secure a single wildcard domain (*.example.com) with your Wildcard certificate.

Items to note:

For each wildcard domain, the base domain is also secured for free (for example, *.yourdomain.com secures yourdomain.com).
Other Hostnames (SANs) must be a wildcard domain (for example, *.yourdomain.com) or based off your listed wildcard domains. For example, if one of your wildcard domains is *.yourdomain.com, then you can add the SANs www.yourdomain.com or www.app.yourdomain.com to your certificate order.
Adding wildcards SANs to a certificate order may incur additional cost.

August 1, 2018

validation compliance

Industry standards changed and removed two Domain Control Validation (DCV) methods from the Baseline Requirements (BRs).

Starting August 1, 2018, Certificate Authorities can no longer use the following domain control validation (DCV) methods:

3.2.2.4.1 Validating the Applicant as a Domain Contact
This method allowed a CA to validate the certificate requestor's control over a domain on an SSL/TLS certificate order by verifying that the requestor is the Domain Contact directly with the Domain Name Registrar.
3.2.2.4.5 Domain Authorization Document
This method allowed a CA to validate the certificate requestor's control over a domain on an SSL/TLS certificate order using the confirmation to the authority of the requestor to order a certificate for said domain as contained in a Domain Authorization Document.
See Ballot 218: Remove validation methods 1 and 5.

To learn more about some of the available DCV methods, see Domain Control Validation (DCV) Methods.

July 31, 2018

New feature localization certcentral

Beta roll out of language support in CertCentral.

Language support allows you to change and save your CertCentral platform language preference.

CertCentral Platform Languages:

Deutsch
Español
Français
Italiano
日本語
한국어
Português
Русский
简体中文
繁體中文
English

Want to try out the language support coming to CertCentral?

In your account, in the top right corner, in the "your name" drop-down list, select My Profile. On the Profile Settings page, in the Language drop-down list, select one of the languages and then click Save Changes.

See CertCentral: Change and Save Your Language Preference.

July 23, 2018

New feature certcentral

New Cancel Order feature added. This feature enables you to cancel pending certificate orders (after they have been approved and before they have been issued).

On the Orders page (in the sidebar menu, click Certificate > Orders), locate the pending certificate order. Then on the Order details page, in the Certificate Actions section, you can cancel it.

Note: For certificate requests awaiting approval, an approver must reject the request. For certificates that have been issued, an administrator must revoke the certificate.

July 6, 2018

New feature certcentral

New advanced search filter added to the Orders page (in the sidebar menu, click Certificate > Orders and then on the Orders page, click the Show Advanced Search link).

This feature enables you to search for client certificates by the recipient’s email address.

May 25, 2018

compliance validation gdpr

DigiCert Compliance with GDPR

The General Data Protection Regulation (GDPR) is a European Union law on data protection and privacy for all individuals within the EU. The primary aim is to give citizens and residents of the EU more control over their personal data and to simplify the regulatory environment for international business by unifying the regulations within the EU. The GDPR went into effect on May 25, 2018. More Details »

DigiCert Statement

DigiCert worked to understand and comply with GDPR. We were aligned with GDPR when it went into effect on May 25, 2018. See Meeting the General Data Protection Regulation (GDPR).

GDPR Impact on WHOIS-based Email Domain Control Validation (DCV)

The European Union’s General Data Protection Regulation (GDPR) went into effect on May 25th, 2018. The GDPR requires data protection for natural persons (not corporate entities) residing within the European Union (EU).

DigiCert worked with ICANN to keep WHOIS information available. ICANN announced that it continues to require registries and registrars to submit information to WHOIS, with a few changes to address GDPR. See A Note on WHOIS, GDPR and Domain Validation.

Do you rely on WHOIS-based Email domain validation?

Check with your domain registrar to find out if they are using an anonymized email or a web form as a way for CAs to access WHOIS data as part of their GDPR compliance.

For the most efficient validation process, let your registrar know that you want them to either continue using your full published records or use an anonymized email address for your domains. Using these options will ensure minimal-to-no-impact on our validation processes.

Does your registrar use an anonymized email or a web form as a way for CAs to access WHOIS data? If so, we can send the DCV email to the addresses listed in their WHOIS record.

Does your registrar mask or remove email addresses? If so, you will need to use one of the other methods to prove control over your domains:

Constructed Email
DNS TXT
DNS CNAME
HTTP Practical Demonstration

For more information about constructed email addresses and other alternative DCV methods, see Domain Control Validation (DCV) Methods.

May 16, 2018

bug fix certcentral

Fixed Single Sign-on bug. When an SSO only user request a CertCentral password reset, they will no longer receive the password reset email.

Now, they will receive an email that directs them to log in using SSO and asks them to contact their CertCentral account manager if a different type of account access is required.

May 10, 2018

caa validation compliance

Industry standards allow a Certificate Authority (CA) to issue an SSL/TLS certificate for a domain that only has CAA records containing no "issue"/"issuewild" property tags.

When a CA queries a domain's CAA RRs and finds records with no "issue" or "issuewild" property tags in them, a CA can interpret this as permission to issue the SSL/TLS certificate for that domain. See Ballot 219: Clarify handling of CAA Record Sets with no "issue"/"issuewild" property tag.

To learn more about the CAA RR check process, see our DNS CAA Resource Record Check page.

April 16, 2018

New feature certcentral

New feature added to pending orders' details page (click Certificates > Orders and then click a pending order's number link). This feature enables you to complete the domain control validation (DCV) for domains on pending orders.

When you see an order is waiting on domain validation to be completed before it can be issued, click on the pending domain link to open the Prove Control Over Domain popup window. In this window, you can select or change your DCV method and complete that domain's validation (send or resend emails, check DNS TXT record, etc.). See Domain Validation (Pending Order): Domain Control Validation (DCV) Methods.

April 1, 2018

eol compliance

As part of the industry-wide move away from of TLS 1.0/1.1 and to maintain our PCI compliance, DigiCert disabled TLS 1.0/1.1 on April 1, 2018. DigiCert only supports TLS 1.2 and higher going forward. See Deprecating TLS 1.0 & 1.1.