CertCentral Services API: Domain locking API endpoints
DigiCert is happy to announce our domain locking feature is now available in the CertCentral Services API.
Note: Before you can use the domain locking endpoints, you must first enable domain locking for your CertCentral account. See Domain locking – Enable domain locking for your account.
New API endpoints
Updated API endpoints
To learn more, see:
CertCentral: Domain locking is now available
DigiCert is happy to announce our domain locking feature is now available.
Does your company have more than one CertCentral account? Do you need to control which of your accounts can order certificates for specific company domains?
Domain locking allows you to control which of your CertCentral accounts can order certificates for your domains.
How does domain locking work?
DNS Certification Authority Authorization (CAA) resource records allow you to control which certificate authorities can issue certificates for your domains.
With domain locking, you can use this same CAA resource record to control which of your company's CertCentral accounts can order certificates for your domains.
How do I lock a domain?
To lock a domain:
To learn more, see:
End of life for account upgrades from Symantec, GeoTrust, Thawte or RapidSSL to CertCentral™
From April 5, 2022, MDT, you can no longer upgrade your Symantec, GeoTrust, Thawte, or RapidSSL account to CertCentral™.
If you haven't already moved to DigiCert CertCentral, upgrade now to maintain website security and have continued access to your certificates.
Note: During 2020, DigiCert discontinued all Symantec, GeoTrust, Thawte, RapidSSL admin consoles, enrollment services, and API services.
How do I upgrade my account?
To upgrade your account, contact DigiCert Support immediately. For more information about the account upgrade process, see Upgrade from Symantec, GeoTrust, Thawte, or RapidSSL.
What happens if I don't upgrade my account to CertCentral?
After April 5, 2022, you must get a new CertCentral account and manually add all account information, such as domains and organizations. In addition, you won't be able to migrate any of your active certificates to your new account.
For help setting up your new CertCentral account after April 5, 2022, contact DigiCert Support.
Industry standard requirements for including the CanSignHttpExchanges extension in an ECC SSL/TLS certificate:
*Note: These requirements took effect as of May 1, 2019. The Signed HTTP Exchanges extension is under active development. There may be additional changes to the requirements as industry development continues.
The 90-day maximum certificate validity requirement doesn't affect certificates issued prior to May 1, 2019. Note that reissued certificate will be truncated to 90-days from the time of reissue. However, you can continue reissuing the certificate for the full purchased validity period.
Recently, we added a new certificate profile, HTTP Signed Exchanges to help address the AMP URL display issue where your brand isn’t displayed in the address bar. See, Display better AMP URLs with Signed Exchanges.
This new profile allows you to include the CanSignHttpExchanges extension in OV and EV SSL/TLS certificates. Once enabled for your account, the Include the CanSignHttpExchanges extension in the certificate option appears on your OV and EV SSL/TLS certificate order forms under Additional Certificate Options. See Get your Signed HTTP Exchanges certificate.
To enable this certificate profile for your account, please contact your account manager or contact our Support team.