We improved the SAML Single Sign-on and SAML Certificate Requests workflows, allowing you to turn off SAML Single Sign-on (SSO) and SAML Certificate Requests. Previously, after configuring SAML SSO or SAML Certificate Requests for your account, the only way to turn either of these off was to remove both SAML features from your account.
Now, on the Federation Settings pages, you can turn off SAML SSO and SAML Certificate Requests for your account by deleting the federation settings.
Note: The Turn off SSO and Turn off SAML Certificate Request buttons only appear after you've configured the federation settings (turned the feature on).
For more information about SAML Single Sign-on and SAML certificate request integration with CertCentral:
We improved the user invitation workflow for SAML Single Sign-On (SSO) integrations with CertCentral, enabling you to designate invitees as SSO only users before sending your account user invitations. Now, in the Invite New Users popup window, use the SAML Single Sign-on (SSO) only option to restrict invitees to SAML SSO only.
Note: This option disables all other authentication methods for these users. Additionally, this option only appears if you have SAML enabled for your CertCentral account.
(In the sidebar menu, click Account > User Invitations. On the User Invitations page, click Invite New Users. See SAML SSO: Invite users to join your account.)
Simplified enrollment form
We also simplified the SSO only user enrollment form, removing the password and security question requirements. Now, SSO only invitees need to add only their personal information.
We made it easier to see your Discovery certificate scan results from the CertCentral Dashboard in your account, adding the Expiring Certificates Discovered, Certificate Issuers, and Certificates Analyzed By Rating widgets.
Each widget contains an interactive chart that allows you drill down to easily find more information about expiring certificates (e.g., which certificates are expiring in 8-15 days), certificates per issuing CA (e.g., DigiCert), and certificates per security rating (e.g., not secure).
More about Discovery
Discovery uses sensors to scan your network. Scans are centrally configured and managed from inside your CertCentral account.
In the DigiCert Services API, we updated the Order info endpoint enabling you to see how the certificate was requested. For certificates requested via the Services API or an ACME Directory URL, we return a new response parameter: api_key. This parameter includes the key name along with key type: API or ACME.
Note: For orders requested via another method (e.g., CertCentral account, Guest Request URL, etc.), the api_key parameter is omitted from the response.
Now, when viewing order details, you'll see the new api_key parameter in the response for orders requested via the API or an ACME Directory URL:
We added a new search filter – Requested via – to the Orders page that allows you to search for certificate orders requested via a specific API key or ACME Directory URL.
Now, on the Orders page, use the Requested via filter to find active, expired, revoked, rejected, pending reissue, pending, and duplicate certificates requested via a specific API key or ACME Directory URL.
(In the sidebar menu, click Certificates > Orders. On the Orders page, click Show Advanced Search. Then, in the Requested via dropdown select the API Key or ACME Directory URL name or type its name in the box.)
We fixed a SAML Single Sign-on (SSO) bug where some Single Sign-on only users were being prompted to reset their expired non-existent CertCentral password.
Note: This prompt appeared only after they had signed in to their account. These SSO only users could still access all account features and perform all relevant tasks.
We've updated the CertCentral SAML Federation Settings, enabling you to keep your Federation Name from appearing in the list of IdPs on the SAML Single Sign-On IdP Selection and SAML certificate requests IdP Selection pages.
Now, on the Federation Settings page, under Your IDP's Metadata, we added the Include Federation Name option. If you want to keep your Federation Name from appearing in the list of IdPs on the IdP Selection page, uncheck Add my Federation Name to the list of IdPs.
Secure Site Pro TLS/SSL certificates are available in CertCentral. With Secure Site Pro, you're charged per domain; no base certificate cost. Add one domain, get charged for one. Need nine domains, get charged for nine. Secure up to 250 domains on one certificate.
We offer two types of Secure Site Pro certificates, one for OV certificates and one for EV certificates.
Benefits included with each Secure Site Pro certificate
Each Secure Site Pro certificate includes – at no extra cost – first access to future premium feature additions to CertCentral (e.g., CT log monitoring and validation management).
Other benefits include:
To activate Secure Site Pro certificates for your CertCentral account, contact your account manager or our support team.
To learn more about our Secure Site Pro certificates, see DigiCert Secure Site Pro.
Public SSL certificates can no longer secure domain names with underscores ("_"). All previously issued certificates with underscores in domain names must expire prior to this date.
Note: The preferred underscore solution is to rename the hostnames (FQDNs) that contain underscores and replace the certificates. However, for those situations where renaming is not possible, you can use private certificates and, in some cases, you can use a wildcard certificate that secures the entire domain.
For more details, see Retiring Underscores in Domain Names.