New feature: Document Signing certificate renewals
We fixed a bug on the Expiring Certificates page where we provided a Renew Now link for expiring Document Signing (DS) certificate orders. When you clicked Renew Now, it opened an SSL certificate renewal form where you were unable to complete your DS certificate renewal.
Note: To renew your DS certificate, you were required to order a new certificate.
Now, on the Expiring Certificate page when you click Renew Now for an expiring DS certificate order, it opens a DS certificate renewal form where you are able renew your certificate.
To learn more about renewing a DS certificate, see Renew a document signing certificate.
We updated the Document Signing (DS) certificate's Order details page and Order details panel adding a new Renew Certificate option making it easier to renew your DS certificate before it expires. Note that the Renew Certificate option doesn't appear on the Order details panel and page until 90 days before it expires.
Order details panel
In the left main menu, click Certificates > Orders. On the Orders page, click the DS certificate order's Quick View link. In the Order details panel, you'll see the new Renew Certificate option.
Order details page
In the left main menu, click Certificates > Orders. On the Orders page, click the DS certificate's order number link. On the Order details page, in the Order Actions dropdown, you'll see the new Renew Certificate option.
We added two new statuses to the Organizations and Organization details pages: validation expires soon, and validation expired. These new statuses make it easier to proactively track your organization validations and make sure they stay up to date.
Now, when you visit the Organizations page (in the sidebar menu click Certificates > Organizations), you can quickly identify organizations with validation that is expiring soon or has already expired. For more details about the expiring or expired organization validation, click the organization name.
We fixed a bug where some accounts were unable to submit organizations for EV CS – Code Signing Organization Extended Validation. The affected accounts only contained EV Code Signing and Code Signing products.
As part of the fix, we split up the EV and EV CS verified contact options. Now, when submitting an organization for EV CS – Code Signing Organization Extended Validation, you can submit the organization's verified contact for EV CS order approvals only. Similarly, when submitting an organization for EV – Extended Organization Validation (EV), you can submit the organization's verified contact for EV SSL certificate order approvals only.
Note: For EV code signing certificate orders, organizations and the organization's verified contacts need to be pre-validated. For more information about organization pre-validation, see our Submit an organization for pre-validation instructions.
Industry standards compliance reminder
For public and private certificates, Certificate Authorities (CAs) don't accept abbreviations for these parts of an address in your certificate orders or organization pre-validation requests:
*This applies to organization and jurisdiction addresses.
We made it easier to define the domain validation scope for your account when submitting your domains for validation (pre-validation or via certificate orders).
On the Division Preferences page, we added two domain validation scope options:
To configure the domain validation scope for your account, in the sidebar menu, click Settings > Preferences. On the Division Preference page, expand Advanced Settings. In the Domain Control Validation (DCV) section, under Domain Validation Scope, you'll see the new settings.
We fixed a bug where we were limiting the maximum allowed number of SANS to 10 on Wildcard SSL certificate reissue and new certificate orders.
Now, when reissuing or ordering a new Wildcard SSL certificate, you can add up to 250 SANs.
We fixed a bug where some account admins were unable to view or edit the details of their CertCentral user accounts. Now, all account admins can once again view and edit user account details (email address, role, etc.).
To learn more about CertCentral, check out our short video How to Manage Your Entire Certificate Lifecycle in 60 Seconds—or Less.
We fixed a bug where removing the approval step from the certificate order process blocked custom form field values from being recorded on the certificate's Order details page.
Now, if you create custom fields for your certificate order forms and enable the Skip approval step for your account, the custom order values are recorded on the certificate's Order details page.
Custom order from fields
Skip approval step
In the sidebar menu, click Settings > Preferences. On the Division Preferences page, expand Advanced Settings. In the Certificate Request section, under Approval Steps, select Skip approval step: remove the approval step from your certificate order processes. See Remove the approval step from the certificate order process.
We fixed a certificate order form bug where Additional Emails added to the order weren’t being recorded on the certificate's Order details page.
Now, if you add additional email address to the order for those you want to receive the certificate notification emails, the email addresses are recorded on the certificate's Order details page.
We fixed a cancel order bug where cancelling a certificate renewal removed the renewal option from the order.
Note: To renew these certificates, you had to contact our Support team.
Now, if you cancel a certificate renewal, the renew option remains for the order, allowing you to renew the certificate later when ready.
We fixed a SAML Single Sign-on (SSO) bug where some Single Sign-on only users were being prompted to reset their expired non-existent CertCentral password.
Note: This prompt appeared only after they had signed in to their account. These SSO only users could still access all account features and perform all relevant tasks.
We fixed a bug on the Guest URL Request a Certificate page, where clicking Order Now redirected you to the DigiCert account sign in page.
Now, when you order a certificate from a Guest URL and click Order Now, your request is submitted to your account administrator for approval. For more information about guest URLs, see Managing Guest URLs.
We added the Auto-Renewal User feature to the New Division page that optionally allows you to set a default user for the division's auto-renewal orders when creating a new division. If set, this user replaces the original requester on all division auto-renewal certificate orders and helps prevent auto-renewal interruptions.
In your account, in the sidebar menu, click Account > Divisions. On the Divisions page, click New Division. On the New Division page, in the Auto-Renewal User dropdown, set a default user for all division auto-renewal orders.
We are adding a new tool to the CertCentral portfolio—ACME protocol support—that allows you to integrate your ACME client with CertCentral to order OV and EV TLS/SSL certificates.
Note: This is the open beta period for ACME protocol support in CertCentral. To report errors or for help connecting your ACME client to CertCentral, contact our support team.
To access ACME in your CertCentral account, go to the Account Access page (in the sidebar menu, click Account > Account Access) and you'll see a new ACME Directory URLs section.
For information about connecting your ACME client with your CertCentral account, see our ACME user guide.
To turn ACME off for your account, contact your account manager or our support team.
For a list of current known issues, see ACME Beta: Known issues.
We fixed a bug where you could display our DigiCert and Norton site seals on internal domain names.
Now, our site seals will no longer resolve to internal domain names.
We added DV certificates to the available products for Guest URLs. Now, you can add GeoTrust and RapidSSL DV certificates to your Guest URLs.
We fixed a bug where adding Secure Site certificates to a Guest URL prevented you from editing the Guest URL. Now, when you add Secure Site certificates to a Guest URL, you can edit the Guest URL as needed.
We fixed a bug where adding Private SSL certificates to a Guest URL prevented you from editing the Guest URL. Now, when you add Private SSL certificates to a Guest URL, you can edit the Guest URL as needed.
We fixed a bug where new organizations added during the SSL/TLS certificate request process weren't listed on the Organizations page (in the sidebar menu, click Certificates > Organizations).
With this fix, new organizations added during the SSL/TLS certificate request process will now be automatically listed on the Organizations page in your account.
Retroactive fix: All Organizations will be listed
The fix for this bug is retroactive too. If you've enabled users to add new organizations during the request process, the next time you go to the Organizations page in your account, these organizations will be added to the list.
Note: This bug didn't affect your ability to request additional SSL/TLS certificates for these organizations, as they appeared in the list of existing organizations on the certificate request forms where you could add them to the certificate. This bug also didn't affect organizations added from the New Organizations page (on the Organizations page, click New Organization).
We improved the CertCentral audit logs, making it easier to track API key creations. Now, the audit logs will contain information about who created the API key, when it was created, name of API, etc.
(To access the audit logs in your account, in the sidebar menu, click Account > Audit Logs.)
We fixed a pending certificate reissue bug where we listed domains dropped from the original or previously issued certificate in the You Need To section on the pending reissue's Order # details page.
This issue only affected domains with expired domain validation. If you removed a domain with up-to-date domain validation, we didn't include it in the You Need To section.
Note: You were only required to complete the DCV for the domains you included in your reissue request. You could ignore the domains you had removed. Additionally, when we reissued your certificate, we didn't include the domains dropped from the original or previously issued certificate in the reissue.
Now, when you reissue a certificate and remove domains included in the original or previously issued certificate, we only show the domains included in the reissue request with pending domain validation in the You Need To section on the pending reissue's Order # details page.
We fixed a duplicate certificate orders bug where we added the original certificate requestor as the requestor on all duplicate certificate orders, regardless of who requested the duplicate.
Now, on duplicate certificate orders, we add the name of the user who requested the duplicate.
Note: This fix is not retroactive and doesn't affect issued duplicate certificate orders.
In the DigiCert Services API, we fixed a bug in the List duplicates endpoint where we weren’t returning the name of the requestor on duplicate certificate orders.
Now, when you use the List duplicates endpoint, we return the name of the user requesting the duplicate certificate.
To fix this issue, we added some new response parameters enabling us to return the name of the requestor in the response:
= Requestor's user ID
= Requestor's first name
= Requestor's last name
In the DigiCert Services API, we fixed a bug in the Order info endpoint where it wasn’t returning the email addresses for an issued client certificate order (Authentication Plus, Email Security Plus, etc.).
Note: When using the List orders endpoint to retrieve information for all issued certificates, the email addresses for client certificate orders were returned.
Now, when you use the Order info endpoint to view the details of an issued an issued client certificate order, the email addresses are returned in the response.
We fixed an organization unit (OU) entry character limit bug where we were applying the 64 character limit collectively instead of individually to the OU entries on SSL/TLS certificate requests with multiple OUs. When an admin tried to approve the request, they incorrectly received the "Organization units must be less than 64 characters in order to be compliant with industry standards" error message.
Note: This bug only affected requests requiring admin approval.
Now, when an admin approves an SSL/TLS certificate request with multiple OUs (where each entry is within the 64 character limit standard), the request gets submitted to DigiCert as expected.
Compliance Note: Industry standards set a 64 character limit for individual organization unit entries. However, when you add multiple OUs to an order, each one is to be counted individually and not combined. See Publicly Trusted Certificates – Data Entries that Violate Industry Standards.
We fixed a bug on certificate requests where you were unable to edit the division that the request/certificate was assigned to.
Note: Once the certificate was issued, you could go to its Order # details page and edit the division the certificate was assigned to.
Now, when you edit a certificate request, you can change the division the request/certificate is assigned to.
We fixed a certificate reissue bug where it appeared that you could revoke a certificate with a pending reissue. To fix this bug, we improved the reissue certificate workflow removing the Revoke Certificate option from certificates with a pending reissue.
Previously, when a certificate had a pending reissue, you could submit a request to revoke the original or previously issued certificate. When the administrator approved the request, the certificate was incorrectly marked as being revoked on the Requests page. However, when you went to the Orders page, the certificate was correctly marked as issued and was still active.
When a certificate has a reissue pending, you can't revoke the certificate as it is tied to the certificate reissue process. If something happens where you need to revoke a certificate with a pending reissue on it, you have two options:
We fixed a DigiCert Services API certificate reissue bug where it appeared that you could submit a request to revoke a certificate with a pending reissue. When you use the revoke certificate endpoint, we returned a 201 Created response with the request details.
Now, when you use the revoke certificate endpoint to revoke a certificate with a pending reissue, we return an error with a message letting you know that you can’t revoke an order with a pending reissue along with information on what to do if you need to revoke the certificate.
"An order cannot be revoked while pending reissue. You can cancel the reissue then revoke the certificate, or revoke the certificate once the reissue is complete."
We fixed a DV certificate reissue bug where we weren't honoring the valid until date on the original order for certificates with more than a year remaining until they expired.
Now, when you reissue a DV certificate with more than a year remaining until it expires, the reissued certificate will retain the valid until date of the original certificate.
In the DigiCert Services API, we improved the DV certificate request endpoints allowing you to use the new
email_domain field along with the existing
For example, when ordering a certificate for my.example.com, you can have a domain owner for the base domain (example.com) validate the subdomain. To change the email recipient for the DCV email, in your DV certificate request, add the dcv_emails parameter. Then, add the
email_domain field specifying the base domain (example.com) and the
DV certificate endpoints:
We fixed a bug on the certificate reissue Order # details page where it wasn’t displaying the signature hash for the certificate correctly. This only happened on reissues when you changed the signature hash (i.e., in the original certificate, you used SHA256 but in the reissue, you used SHA384).
Note: The reissued certificate was issued with the correct signature hash.
Now when you reissue a certificate with a different signature hash, the hash is displayed correctly on the certificate's Order # details page.
We fixed a code signing certificate reissue bug where we weren't sending the email letting you know your certificate was issued.
Note: When you checked on the order in your account, the reissued code signing certificate was available to download from its Order # details page.
Now when we reissue your code signing certificate, we send the email letting you know your code signing certificate was issued.
We fixed a bug on the Orders page (in the sidebar menu, click Certificates > Order) where using the Product column header to sort the orders by certificate type didn't show any results.
Note: When this happened, to see your full list of orders, you had to click a different column header (e.g., Order #) or leave the page and come back.
Now, on the Orders page, you can use the Product column header to sort your list of orders by certificate type.
We fixed a bug where on some of the forms the state field appeared twice or was required for countries that don't require that information.
Now, on the Edit Billing Contact, New Purchase Order, and EV Code Signing Certificate order, reissue, and renewal forms, the state field only appears once and for countries that don't require that information, the State / Province / Region field is listed as optional.
Edit Billing Contact form
To change the billing contact for your account, in the sidebar menu, click Finances > Settings. On the Finance Settings page, under Billing Contact click the Edit link. If you haven't set up a billing contact for your account, click the Change Billing Contact link.
We enhanced the Order # details page for pending OV SSL and EV SSL certificate orders. In the DigiCert Needs To section, under Verify Organization Details, we now list the steps that need to be completed to validate the organization (e.g., complete Place of Business Verification) along with the status for each step: complete or pending.
Previously, we provided only a high-level overview of the organization validation process – Verify Organization Details – without offering any details as to what steps needed to be completed before the organization was fully validated.
We fixed a bug on the forms in CertCentral where the state/province/territory field appeared as being required when the country selected didn't require that information (for example when adding a new organization or a credit card).
Note: This bug didn't prevent you from completing these transactions. For example, you were still able to add an organization or a credit card with or without filling in the state/province/territory field.
Now, in the forms, the state/province/territory field is labeled as optional for countries that don't require this information as part of their transactions.
Note: US and Canada are the only countries that require you to add a state or province/territory.
We added a new Cancel Reissue feature enabling you to cancel a pending reissue on a certificate.
On the Orders page (in the sidebar menu, click Certificate > Orders), locate the Reissue Pending certificate request and click its order number link. On the Order # details page, in the Certificate Details section, in the Certificate Actions drop-down list, select Cancel Reissue.
Note: For reissue requests awaiting approval, the approver can just reject the reissue request. For certificate reissues that have already been issued, the administrator must revoke the certificate.
We fixed a bug where standard users were unable to access the domain control validation (DCV) features on their SSL/TLS certificate's Order # details page.
Note: Account administrators and managers were able to access the DCV features on the Order # details pages and complete the DCV for the orders.
Now, when standard users order a certificate for a new domain, they can access the DCV features on the Order # details page.
(In the sidebar menu, click Certificate > Orders. On the orders page locate the pending certificate order and click the order number link. On the Order # details page, click the domain link.)
We fixed a bug where the SSL/TLS certificate Order# details page and Order details panel weren't showing domain control validation as being completed after you finished validating the domains on your certificate order.
Note: This bug didn't stop your certificate orders from being issued after you completed the domain control validation.
(In the sidebar menu, click Certificates > Orders. On the Orders page, in the Order # column of the certificate order, click the order number or Quick View link.)
We enhanced the order Notes feature, enabling the order notes from the previous order to carry over to the renewed certificate order.
Previously, if you wanted any of the notes to carry over, you had to manually add the notes to the renewed order yourself.
Now, notes from the previous order are automatically carried over to the renewal order. These notes are timestamped with author's name (for example, 18 Dec 2018 8:22 PM John Smith).
These notes are on the renewed Order # details page (in the sidebar menu, click Certificates > Orders and then click the order number link). They are also in the Order # details panel (click the Quick View link).
We enhanced the DV certificates Order # details page, enabling you to see which domains on the order are pending validation (i.e., domains that you still need to demonstrate control over).
Previously, domains pending validation weren't listed on the Order # details page.
Now, when you visit a DV certificate's Order # details page, domains pending validation will be shown. (In the sidebar menu, click Certificate > Orders and then on the Orders page, click the order number link).
We fixed a bug on the Orders page (in the sidebar menu, click Certificates > Orders) where the Organization Contact information was missing in the Order # details panel.
Now, when you visit the Orders page and use the Quick View link to view order details, you will see the Organization Contact information in the Order # details panel. (Expand Show More Certificate Info and in the Order Details section, expand Show Org Contact).
DigiCert began issuing public SSL certificates containing underscores for a limited time.
For more details, see Retiring Underscores in Domain Names.
In the top menu, we added two new contact support options (phone and chat icons) making it easier to contact support from within CertCentral (via email, chat, or phone).
We enhanced the sidebar menu, making it easier to see the menu option for the pages you are visiting. Now, when you visit a page in CertCentral, the menu option for that page will have a horizontal blue bar next to it.
We fixed a bug in the Add Organization feature on the SSL/TLS certificate request forms where the validation status (EV and OV validated) was not included for new organizations added and validated as part of the certificate order.
Now, new organizations added when ordering an SSL certificate will show a Validated status.
Note: The organization's validation status doesn't appear until we've fully validated the organization.
We enhanced the add existing organization feature for the EV SSL/TLS certificates order process making it easier to include the EV verified contacts for an organization in your certificate order.
Previously, information about who the EV verified contacts are for an organization didn't appear on the EV certificate request pages.
Now, when you add an existing organization that already has EV verified contacts assigned to it, the Verified Contact (for EV) cards are populated with the verified contacts' information.
Note: If your CSR includes an organization currently used in your account, the Organization card is populated with the organization's information contained in your account. If this same organization already has assigned EV verified contacts, the Verified Contact (for EV) cards are populated with their information (name, title, email, and phone number).
We fixed a bug on the User Invitations page preventing the Invited By filter from showing the administrators who sent the user invite requests.
Now, when you go to the User Invitations page (in the sidebar menu, click Account > User Invitations), the Invited By filter shows the admins who sent user invitations.
We fixed a bug on the pending SSL certificate's order details page where the link for a pending domain that provides you with actions to prove control over a domain was broken.
Now, when you go to a pending certificate's order details page and click the link for a pending domain, the Prove Control Over Domain window opens where you can choose a DCV method to prove control over that domain.
We enhanced the add existing organization feature of the SSL/TLS certificate order process, enabling you to filter the existing organization list to see only organizations that are fully validated.
Note: If your CSR includes an organization currently used in your account, the Organization card auto populates with the organization's information contained in your account.
To manually add an existing organization when ordering your SSL/TLS certificate, click Add Organization. In the Add Organization window, check Hide non-validated organizations to filter the organizations so only the fully validated ones are shown.
Note: If you have more than nine active organizations in your account, the filter also works for the Organization drop-down list.
We enhanced the Organization Unit(s) feature of the SSL/TLS certificate order process, enabling you to add multiple organization units. Previously, you could only add one organization unit.
Note: The Organization Unit(s) field on the request form will be auto populated with the values from your CSR.
To manually add organization units when ordering your SSL/TLS certificate, expand Additional Certificate Options and in the Organization Unit(s) field, you can now add one or more organization units.
Note: Adding organization units is optional. You can leave this field blank. However, if you do include organization units in your order, DigiCert will need to validate them before we can issue your certificate.
We fixed a Custom Order Fields* bug preventing the feature from working properly when deactivating, activating, changing a field from required to optional, and changing a field from optional to required.
*Custom Order Fields is disabled by default. To enable this feature for your CertCentral account, please contact your DigiCert account representative. See Managing Custom Order Form Fields in the Advanced CertCentral Getting Started Guide.
We fixed a domain validation display bug on the order details pages where domains with expired validations were showing a completed status with no actions for completing the domain validation.
Now, when you go to an order's details page, we show a pending validation status symbol next to the domain along with actions for completing the domain validation. (In the sidebar menu, click Certificates > Orders and then on the Orders page click the order number.)
We fixed a bug on the TLS/SSL certificate order forms where adding a CSR only auto populated the Common Name field. While fixing this bug, we enhanced the CSR upload feature to also auto populate the Organization field.
We now use information from your CSR to auto populate these order form fields: Common Name, Other Hostnames (SANs), Organization Unit (OU), and Organization.
You can still change the information in these fields as needed (for example, you can add or remove SANs).
Organization field note
When you include an organization currently used in your account, the Organization card auto populates with the organization's information contained in your account.
We fixed a bug where you were unable to cancel a pending Client certificate order (Premium, Authentication Plus, Grid Premium, Grid Robot Email, and so on).
Now, you can go to the Orders page (in the sidebar menu, click Certificates > Orders) and find the Client certificate order that needs to be canceled. Then on the certificate's Order# details page, in the Certificate Actions drop-down list, select Cancel Order.
We fixed a bug where email recipients were sent a link to a Service Not Found page, preventing them from being able to download a reissued certificate.
Now, when you send someone a link to download a reissued certificate, the link works. The recipient is able to download the certificate.
We fixed a download csv file bug on the Duplicates page. Previously, when you downloaded a csv file, you got a file without the .csv extension. To get it to work, you had to add .csv extension to the end of the file.
Now, when you download a csv file from the Duplicates page, you receive a working csv file: duplicates.csv.
Secure Site TLS/SSL certificates are available in CertCentral:
To activate Secure Site certificates for your CertCentral account, contact your Sales representative.
Benefits included with each Secure Site certificate:
To learn more about our Secure Site certificates, see DigiCert Secure Site Overview.
Updates to the full SHA256 EV hierarchy certificate profile
On September 27, 2018, we removed the Symantec policy OID from EV TLS certificates issued from the full SHA256 EV hierarchy [DigiCert Global G2 Root => DigiCert Global G2 Intermediate => EV TLS/SSL certificate].
Problem: Chrome bug on macOS
July 2018, we discovered a bug in Chrome on macOS where it wasn't showing the EV indicator for EV TLS certificate with more than two policy OIDs – https://bugs.chromium.org/p/chromium/issues/detail?id=867944.
We removed the Symantec policy OID from the full SHA256 EV hierarchy certificate profile. With this change, Chrome on macOS again showed the EV indicator for the EV TLS certificates issued from the full SHA256 EV hierarchy.
Affected EV TLS certificates
EV TLS certificates (from the full SHA256 EV hierarchy) issued after January 31, 2018 and prior to September 27, 2018 contain these three policy OIDs in the Certificate Extension - Certificate Policies:
What do I need to do?
We fixed an Order details page bug where information not relevant to a certificate order was being displayed on the page.
Now, when you visit your TLS/SSL, Code Signing, EV Code Signing, Client, and Document Signing certificate Order details pages, only information relevant to that order will be displayed.
We fixed a Certificate Service Agreement UI bug where certain characters and symbols were being displayed with improper encoding.
Now when you read through the Certificate Service Agreement, each character and symbol will have the proper coding.
We fixed a Limited User role bug. When an administrator assigned a Limited User to a certificate order, the limited user didn't receive the necessary permissions to renew, reissue, or revoke the certificate.
Now, when a Limited User is assigned to a certificate order, they can renew, reissue, or revoke the certificate.
We fixed an Additional Emails bug where additional emails added to a certificate order weren't being saved.
Now, when you go to a certificate's Order details page and add and save additional email addresses to the order, the additional email addresses are saved and will be there when you return to the page.
We fixed a Code Signing (CS) certificate approval email bug where the CS approval email was sent when the CS requestor was also a CS verified contact.
Now, when the code signing certificate requestor is also the verified CS contact for the organization, we don't send a CS approver email.
We fixed a Search feature bug and a Division filter bug on the Requests page (Certificates > Requests).
Now, when you use a Request ID, Order ID, common name, etc. to Search for a specific request, your results will be returned when a match exists. Also, the Division filter will return the requests for the selected division.
We fixed a Pending Cert Request widget bug on the CertCentral Dashboard.
Now, the number of pending certificate requests (new and revoke requests) in the Pending Cert Requestwidget will match the number of pending certificate requests on the Requests page (Certificates > Requests).
Fixed Single Sign-on bug. When an SSO only user request a CertCentral password reset, they will no longer receive the password reset email.
Now, they will receive an email that directs them to log in using SSO and asks them to contact their CertCentral account manager if a different type of account access is required.
New feature included in the "help" (?) menu drop-down; added a link to the new Change Log page.
Fixed billing contact bug. Changing the billing contact in a division does not change the billing contact in another division (e.g., top level division).