December 4, 2019
Improved client certificate process
We improved the client certificate process, enabling you to cancel client certificate orders in an Emailed to Recipient state—orders that are waiting for the email recipient to generate and install the client certificate in one of the supported browsers.
Note: Previously, when a client certificate was in an Emailed to Recipient state, you had to contact support to cancel the order.
Now, if you need to cancel a client certificate order in the Emailed to Recipient state, go to the client certificate's Order details page and in the Certificate Actions dropdown list, select Cancel Order. See Cancel pending client certificate orders.
CertCentral Services API: Improved client certificate process
In the DigiCert Services API, we updated the Update order status endpoint enabling you to cancel client certificate orders in a waiting_pickup state—orders that are waiting for the email recipient to generate and install the client certificate in one of the supported browsers.
Note: Previously, when a client certificate was in a waiting_pickup state, you received a forbidden error and had to contact support to cancel the order.
Now, you can use the Update order status endpoint to cancel a client certificate order in the waiting_pickup state.
November 5, 2019
We updated the OV and EV SSL/TLS certificate order forms, adding a new DCV verification method dropdown. Now, when ordering OV and EV certificates, you can select the DCV method you want to use to validate the new domains on the order. See our Order your SSL/TLS certificates instructions.
Note: The selected DCV method applies to all unvalidated domains on the order. After submitting the order, you can change the DCV method per domain on the certificate's Order details page. See our Demonstrate control over domains on a pending certificate order instructions.
We updated the domain pre-validation forms, consolidating the OV and EV certificate validation options. Now, when pre-validating a domain, use the new unified domain validation option—OV/EV Domain Validation*. See our Domain pre-validation: Domain control validation (DCV) methods instructions.
Note*: The domain control validation (DCV) methods for OV and EV certificates are the same (verification email, DNS TXT, etc.). The only difference between them is how long the domain validation is valid for. For OV SSL certificates, domains will need to be revalidated every 825 days (approximately 27 months). For EV SSL certificates, domains will need to be revalidated every 13 months.
September 9, 2019
We added two new features to the Expiring Certificates page (in the sidebar, click Certificates > Expiring Certificates), making it easier to manage renewal notifications for your expiring certificates.
First, we added a Renewal Notices column with an interactive check box. Use this check box to enable or disable renewal notices for an expiring certificate.
Second, we added two Renewal Notices filters: Disabled and Enabled. These filters allow you to see only the certificate orders with renewal notices enabled or disabled.
In the DigiCert Services API, we updated the List keys and Get key info endpoints response parameters, enabling you to see the organization associated with your ACME certificate orders.
Now, when you call the List keys and Get key info endpoints, we return the name of the organization (organization_name) associated with the ACME certificate order in the response.
July 30, 2019
We improved our ACME protocol, adding support for the Signed HTTP Exchange certificate profile option. Now, you can use your ACME client to order OV and EV SSL/TLS certificate with the CanSignHttpExchanges extension included.
First create the ACME Directory URL for your Signed HTTP Exchanges certificate. Then use your ACME client to issue and install the certificate with the CanSignHttpExchanges extension.
See ACME Directory URLs for Signed HTTP Exchange certificates and ACME user guide.
Background
The Signed HTTP Exchange certificate profile option is used to address the AMP URL display issue where your brand isn’t displayed in the address bar. See Display better AMP URLs with Signed Exchanges and Get your Signed HTTP Exchanges certificate.
This profile option allows you to include the CanSignHTTPExchanges extension in OV and EV SSL/TLS certificates. Once enabled for your account, the Include the CanSignHttpExchanges extension in the certificate option appears on your Add ACME Directory URL forms.
To enable this certificate profile for your account, please contact your account manager or contact our Support team.
We updated the information icons in the list of ACME Directory URLs on the Account Access page to help you quickly identify certificates that include a certificate profile option (for example, Signed HTTP Exchanges).
In the sidebar menu, click Account > Account Access. On the Account Access page, in the ACME Directory URLs section, click an information icon to see details about the certificate that can be ordered via the ACME Directory URL.
In the DigiCert Services API, we improved the List keys endpoint response parameters, enabling you to see ACME Directory URLs. Now, when you call the List keys endpoint, we return ACME URL (acme_urls) as well as API key (api_keys) information in the response.
In the DigiCert Services API, we improved the Get key info endpoint, enabling you to get details about ACME Directory URLs.
Include the ACME Directory URL ID in the call to the Get key info endpoint (/key/{{key_id}} where key_id is the ACME Directory URL ID) to get information about an ACME Directory URL.
July 16, 2019
In Discovery, we updated the rating system for Strict-Transport-Security (STS) security headers. Now, we only check STS for HTTP 200 requests and ignore it for HTTP 301 requests. We only penalize the server when the website is missing the Strict-Transport-Security (STS) security header or the setting is wrong. In these cases, we rate the server as "At risk".
Previously, we checked STS for HTTP 301 requests and penalized the server if it was missing the Strict-Transport-Security (STS) security header. In these cases, we rated the server as "Not secure".
To view Security headers results, go to the endpoint's Server details page. In the sidebar menu, click Discovery > View Results. On the Certificates page, click View endpoints. On the Endpoints page, click the endpoint's IP address / FQDN link.
Update note: The updated STS rating system is available in the latest sensor version – 3.7.7. After sensor update is complete, rerun your scans to see your updated STS ratings.
July 15, 2019
We improved the Transaction Summary on the Reissue Certificate for Order pages, allowing you to see how many days remain until the certificate expires. Now, when you reissue a certificate, the Transaction Summary shows the certificate validity along with days until it expires (e.g., 1 year (expires in 43 days).
In the DigiCert Services API, we updated the List orders, Order info, List reissues, and List duplicates endpoints enabling you to see how many days remain until the certificate expires. For these endpoints, we return a days_remaining parameter in their responses.
July 11, 2019
We improved the SAML SSO-only users' integration with the CertCentral Services API, adding an account setting that allows you to grant SSO-only users API access. On the SAML Sign-on (SSO) page, under Configure SSO Settings for users, you'll now see the Enable API access for SSO-only users check box (in the sidebar menu, click Settings > Single Sign-On). See Configure SAML Single Sign-On.
Note: This setting allows SSO-only users with API keys to bypass Single Sign-on. Disabling API access for SSO-only users doesn't revoke existing API keys. It only blocks the creation of new API keys.
July 10, 2019
We improved the Users page, adding a Last Login column that lets you see when a user last signed in to their account (in the sidebar menu, click Account > Users).
We also added the last login information to the User's details page directly under their name (on the Users pages, in the Name column, click the username link).
Note: Previously, this information was only found in the Audit Logs (in the sidebar menu, click Account > Audit Logs).
In the DigiCert Services API, we updated the User info endpoint enabling you to see when a user last logged in to their account. Now, when viewing user details, we return a last_login_date parameter in the response.
July 3, 2019
We improved the certificate's Order # details page and Order # details panel, adding a new Order requested via entry that lets you see where the order was requested: via the API, via an ACME Directory URL, or from inside CertCentral. If the order was requested via the API or an ACME Directory URL, we also include the API key name or ACME Directory URL name.
Note: We also made it easier to see who requested the certificate, adding a new Order requested by entry to the Order Details section. Previously, we included the requested by information in the Requested on details.
Order # details panel
In the sidebar menu, click Certificates > Orders. On the Orders page, click the certificate order's Quick View link. In the Order # detail panel, expand Show More Certificate Info. In the Order Details section, you'll see the new Order requested via entry.
Order # details page
In the sidebar menu, click Certificates > Orders. On the Orders page, click the certificate's order number link. On the Order # details page, in the Order Details section, you'll see the new Order requested via entry.
July 2, 2019
We improved the user invitation workflow for SAML Single Sign-On (SSO) integrations with CertCentral, enabling you to designate invitees as SSO only users before sending your account user invitations. Now, in the Invite New Users popup window, use the SAML Single Sign-on (SSO) only option to restrict invitees to SAML SSO only.
Note: This option disables all other authentication methods for these users. Additionally, this option only appears if you have SAML enabled for your CertCentral account.
(In the sidebar menu, click Account > User Invitations. On the User Invitations page, click Invite New Users. See SAML SSO: Invite users to join your account.)
Simplified enrollment form
We also simplified the SSO only user enrollment form, removing the password and security question requirements. Now, SSO only invitees need to add only their personal information.
We made it easier to see your Discovery certificate scan results from the CertCentral Dashboard in your account, adding the Expiring Certificates Discovered, Certificate Issuers, and Certificates Analyzed By Rating widgets.
Each widget contains an interactive chart that allows you drill down to easily find more information about expiring certificates (e.g., which certificates are expiring in 8-15 days), certificates per issuing CA (e.g., DigiCert), and certificates per security rating (e.g., not secure).
More about Discovery
Discovery uses sensors to scan your network. Scans are centrally configured and managed from inside your CertCentral account.
- To activate Discovery for your CertCentral account, contact your account manager or our support team.
- For information about getting Discovery up and running, see Discovery: Install a sensor and run a scan.
In the DigiCert Services API, we updated the Order info endpoint enabling you to see how the certificate was requested. For certificates requested via the Services API or an ACME Directory URL, we return a new response parameter: api_key. This parameter includes the key name along with key type: API or ACME.
Note: For orders requested via another method (e.g., CertCentral account, Guest Request URL, etc.), the api_key parameter is omitted from the response.
Now, when viewing order details, you'll see the new api_key parameter in the response for orders requested via the API or an ACME Directory URL:
GET https://dev.digicert.com/services-api/order/certificate/{order_id}
Response:
We added a new search filter – Requested via – to the Orders page that allows you to search for certificate orders requested via a specific API key or ACME Directory URL.
Now, on the Orders page, use the Requested via filter to find active, expired, revoked, rejected, pending reissue, pending, and duplicate certificates requested via a specific API key or ACME Directory URL.
(In the sidebar menu, click Certificates > Orders. On the Orders page, click Show Advanced Search. Then, in the Requested via dropdown select the API Key or ACME Directory URL name or type its name in the box.)
July 1, 2019
We improved our Basic and Secure Site single domain certificate offerings (Standard SSL, EV SSL, Secure Site SSL, and Secure Site EV SSL), adding the Include both [your-domain].com and www. [your-domain].com in the certificate option to these certificates' order, reissue, and duplicate forms. This option allows you to choose whether to include both versions of the common name (FQDN) in these single domain certificates for free.
![Include both [your-domain].com and www. [your-domain].com in the certificate](https://docs.digicert.com/media/images/opt-out-plus-feature-check-box-1.original.png){kind=link}
- To secure both versions of the common name (FQDN), check Include both [your-domain].com and www. [your-domain].com in the certificate.
- To secure only the common name (FQDN), uncheck Include both [your-domain].com and www. [your-domain].com in the certificate.
See Order your SSL/TLS certificates.
Works for subdomains too
The new option allows you to get both versions of base and subdomains. Now, to secure both versions of a subdomain, add the subdomain to the Common Name box (sub.domain.com) and check Include both [your-domain].com and www. [your-domain].com in the certificate. When DigiCert issues your certificate, it will include both versions of the subdomain on the certificate: [sub.domain].com and www.[sub.doman].com.
Removed Use Plus Feature for Subdomains
The Include both [your-domain].com and www. [your-domain].com in the certificate option makes the Plus Feature -- Use Plus Feature for Subdomains obsolete. So, we removed the option from the Division Preferences page (in the sidebar menu, click Settings > Preferences).
In the DigiCert Services API, we updated the Order OV/EV SSL, Order SSL (type_hint), Order Secure Site SSL, Order Private SSL, Reissue certificate, and Duplicate certificate endpoints listed below. These changes provide more control when requesting, reissuing, and duplicating your single domain certificates, allowing you choose whether to include a specific additional SAN on these single domain certificates for free.
- /ssl_plus
- /ssl_ev_plus
- /ssl_securesite
- /ssl_ev_securesite
- /private_ssl_plus
- /ssl*
- /reissue
- /duplicate
*Note: For the Order SSL (type_hint) endpoint, only use the dns_names[] parameter as described below to add the free SAN.
To secure both versions of your domain ([your-domain].com and www. [your-domain].com), in your request, use the common_name parameter to add the domain ([your-domain].com) and the dns_names[] parameter to add the other version of the domain (www. [your-domain].com).
When DigiCert issues your certificate, it will secure both versions of your domain.
To secure only the common name (FQDN), omit the dns_names[] parameter from your request.
June 19, 2019
We've improved the Order # details page, allowing you to see the certificate profile option added to your certificate. Now, when you go to a certificate's Order # details page, in the Order Details section, you can see the Profile Option included in that certificate order.
Certificate profile options
When a certificate profile is enabled for your account, the profile option appears on your SSL/TLS certificate request forms under Additional Certificate Options. When ordering an SSL/TLS certificate, you can add a profile to your certificate.
To learn more about the supported certificate profile options, see Certificate profile options. To enable a certificate profile for your account, reach out to your account manager or contact our Support team.
June 12, 2019
In the DigiCert Services API, we improved the Duplicate certificate endpoint workflow. Now, if the duplicate certificate can be immediately issued, we return the duplicate certificate in the response body.
For more information, see Duplicate certificate.
We improved the duplicate certificate order process in CertCentral. Now, if the duplicate certificate can be immediately issued, we take you directly to the Duplicates page where you can immediately download the certificate.
June 11, 2019
We improved the Skip approval step account setting, applying the setting to certificate requests placed through the online portal as well as through the API.
To access the skip approval setting in your account, in the sidebar menu, click Settings > Preferences. On the Division Preferences page, expand Advanced Settings and scroll down to the Certificate Request section. See Remove the approval step from the certificate order process.
June 5, 2019
We fixed a bug on the Guest URL Request a Certificate page, where clicking Order Now redirected you to the DigiCert account sign in page.
Now, when you order a certificate from a Guest URL and click Order Now, your request is submitted to your account administrator for approval. For more information about guest URLs, see Managing Guest URLs.
We added the Auto-Renewal User feature to the New Division page that optionally allows you to set a default user for the division's auto-renewal orders when creating a new division. If set, this user replaces the original requester on all division auto-renewal certificate orders and helps prevent auto-renewal interruptions.
In your account, in the sidebar menu, click Account > Divisions. On the Divisions page, click New Division. On the New Division page, in the Auto-Renewal User dropdown, set a default user for all division auto-renewal orders.
We are adding a new tool to the CertCentral portfolio—ACME protocol support—that allows you to integrate your ACME client with CertCentral to order OV and EV TLS/SSL certificates.
Note: This is the open beta period for ACME protocol support in CertCentral. To report errors or for help connecting your ACME client to CertCentral, contact our support team.
To access ACME in your CertCentral account, go to the Account Access page (in the sidebar menu, click Account > Account Access) and you'll see a new ACME Directory URLs section.
For information about connecting your ACME client with your CertCentral account, see our ACME user guide.
To turn ACME off for your account, contact your account manager or our support team.
Known issues
For a list of current known issues, see ACME Beta: Known issues.
May 29, 2019
We've added a new Auto-Renewal User feature to the Edit division page that optionally allows you to set a default user for the division's auto-renewal orders. If set, this user replaces the original requester on all division auto-renewal certificate orders and helps prevent auto-renewal interruptions.
(In your account, in the sidebar menu, click Account > Divisions. On the Divisions page, select the division (or click My Division). Edit the division and in the Auto-Renewal User dropdown, set a default user for all division auto-renewal orders.)
We improved the automatic certificate renewal feature, adding an "Auto-renewal disabled" notification to the process. If something happens that prevents us from automatically renewing a certificate, we now send an "Auto-renew disabled" email notification, letting you know auto-renewal has been disabled for the order, what will happen now, and how to re-enable auto-renewal for the order.
Note: Automatic certificate renewals are tied to a specific user (order specific or division specific). If that user ever loses permissions to place orders, the automatic certificate renewal process is disabled.
May 1, 2019
We've updated the CertCentral SAML Federation Settings, enabling you to keep your Federation Name from appearing in the list of IdPs on the SAML Single Sign-On IdP Selection and SAML certificate requests IdP Selection pages.
Now, on the Federation Settings page, under Your IDP's Metadata, we added the Include Federation Name option. If you want to keep your Federation Name from appearing in the list of IdPs on the IdP Selection page, uncheck Add my Federation Name to the list of IdPs.
Secure Site Pro TLS/SSL certificates are available in CertCentral. With Secure Site Pro, you're charged per domain; no base certificate cost. Add one domain, get charged for one. Need nine domains, get charged for nine. Secure up to 250 domains on one certificate.
We offer two types of Secure Site Pro certificates, one for OV certificates and one for EV certificates.
- Secure Site Pro SSL
Get the OV certificate that fits your needs. Provide encryption and authentication for one domain, one wildcard domain and all its subdomains, or use Subject Alternative Names (SANs) to secure multiple domains and wildcard domains with one certificate. - Secure Site Pro EV SSL
Get the extended validation certificate that fits your needs. Provide encryption and authentication to secure one domain or use Subject Alternative Names (SANs) to secure multiple sites (fully qualified domain names) with one certificate.
Benefits included with each Secure Site Pro certificate
Each Secure Site Pro certificate includes – at no extra cost – first access to future premium feature additions to CertCentral (e.g., CT log monitoring and validation management).
Other benefits include:
- Priority validation
- Priority support
- Two premium site seals
- Malware check
- Industry-leading warranties
To activate Secure Site Pro certificates for your CertCentral account, contact your account manager or our support team.
To learn more about our Secure Site Pro certificates, see DigiCert Secure Site Pro.
Public SSL certificates can no longer secure domain names with underscores ("_"). All previously issued certificates with underscores in domain names must expire prior to this date.
Note: The preferred underscore solution is to rename the hostnames (FQDNs) that contain underscores and replace the certificates. However, for those situations where renaming is not possible, you can use private certificates and, in some cases, you can use a wildcard certificate that secures the entire domain.
For more details, see Retiring Underscores in Domain Names.
April 18, 2019
DigiCert will continue to support the SHA1 signature for Code Signing certificates. We are removing the max expiration restriction of December 30, 2019.
April 17, 2019
We added DV certificates to the available products for Guest URLs. Now, you can add GeoTrust and RapidSSL DV certificates to your Guest URLs.
We fixed a bug where adding Secure Site certificates to a Guest URL prevented you from editing the Guest URL. Now, when you add Secure Site certificates to a Guest URL, you can edit the Guest URL as needed.
We fixed a bug where adding Private SSL certificates to a Guest URL prevented you from editing the Guest URL. Now, when you add Private SSL certificates to a Guest URL, you can edit the Guest URL as needed.
April 9, 2019
We fixed a bug where new organizations added during the SSL/TLS certificate request process weren't listed on the Organizations page (in the sidebar menu, click Certificates > Organizations).
With this fix, new organizations added during the SSL/TLS certificate request process will now be automatically listed on the Organizations page in your account.
Retroactive fix: All Organizations will be listed
The fix for this bug is retroactive too. If you've enabled users to add new organizations during the request process, the next time you go to the Organizations page in your account, these organizations will be added to the list.
Note: This bug didn't affect your ability to request additional SSL/TLS certificates for these organizations, as they appeared in the list of existing organizations on the certificate request forms where you could add them to the certificate. This bug also didn't affect organizations added from the New Organizations page (on the Organizations page, click New Organization).
We improved the CertCentral audit logs, making it easier to track API key creations. Now, the audit logs will contain information about who created the API key, when it was created, name of API, etc.
(To access the audit logs in your account, in the sidebar menu, click Account > Audit Logs.)
March 22, 2019
We improved the Transaction Summary on the certificate request pages, making it easier to track the cost of the certificate. For example, you request a Multi-Domain certificate and add 5 domains. In the Transaction Summary, we show the base price (which includes 4 SANs) plus the price of the additional SAN added to the order.
Previously, the Transaction Summary only tracked the total cost of the certificate without the itemized cost.
March 5, 2019
We fixed a DV certificate reissue bug where we weren't honoring the valid until date on the original order for certificates with more than a year remaining until they expired.
Now, when you reissue a DV certificate with more than a year remaining until it expires, the reissued certificate will retain the valid until date of the original certificate.
In the DigiCert Services API, we improved the DV certificate request endpoints allowing you to use the new email_domain field along with the existing email field to more precisely set the desired recipients of the domain control validation (DCV) emails.
For example, when ordering a certificate for my.example.com, you can have a domain owner for the base domain (example.com) validate the subdomain. To change the email recipient for the DCV email, in your DV certificate request, add the dcv_emails parameter. Then, add the email_domain field specifying the base domain (example.com) and the email field specifying the email address of the desired DCV email recipient (admin@example.com).
Example request for a GeoTrust Standard DV Certificate
DV certificate endpoints:
- GeoTrust Standard DV -- https://www.digicert.com/services/v2/order/certificate/ssl_dv_geotrust
- GeoTrust Wildcard DV -- https://www.digicert.com/services/v2/order/certificate/wildcard_dv_geotrust
- RapidSSL Standard DV -- https://www.digicert.com/services/v2/order/certificate/ssl_dv_rapidssl
- RapidSSL Wildcard DV -- https://www.digicert.com/services/v2/order/certificate/wildcard_dv_rapidssl
February 26, 2019
We enhanced the DigiCert Services API request endpoints enabling you to get faster responses to your certificate requests.
We made it easier to Add Contacts for OV certificate orders (Standard SSL, Secure Site SSL, etc.). Now when you order an OV certificate, we populate the Organization Contact card for you. If needed, you can add a technical contact.
- When adding a CSR that includes an existing organization in your account, we populate the Organization Contact card with the contact assigned to that organization.
- When you manually add an existing organization, we populate the Organization Contact card with the contact assigned to that organization.
- When you add a new organization, we populate the Organization Contact card with your contact information.
To use a different organization contact, delete the one populated automatically and manually add one.
We made it easier to Add Contacts for EV certificate orders (EV SSL, Secure Site EV SSL, etc.). Now when you order an EV certificate, we will populate the Verified Contact cards for you if EV verified contact information is available in your account. If needed, you can add organization and technical contacts.
- When adding a CSR that includes an existing organization in your account, we populate the Verified Contact card with the EV verified contacts assigned to that organization.
- When you manually add an existing organization, we populate the Verified Contact card with the EV verified contacts assigned to that organization.
Assigning Verified Contacts to an organization is not a prerequisite for adding an organization. There may be instances were verified contact information won't be available for an organization. In this case, manually add the Verified Contacts.
February 12, 2019
We enhanced our DV certificate offering. You can now renew your DV certificate orders, allowing you to keep the original order ID.
Previously, when a DV certificate order neared its expiration date, you had to order a new certificate for the domains on the expiring order.
Note: DV certificates don't support domain pre-validation. When you renew a DV certificate, you must demonstrate control over the domains on the renewal order.
In the DV Certificate Enrollment guide, see Renewing DV Certificates.
January 31, 2019
We enhanced the Order # details page for pending OV SSL and EV SSL certificate orders. In the DigiCert Needs To section, under Verify Organization Details, we now list the steps that need to be completed to validate the organization (e.g., complete Place of Business Verification) along with the status for each step: complete or pending.
Previously, we provided only a high-level overview of the organization validation process – Verify Organization Details – without offering any details as to what steps needed to be completed before the organization was fully validated.
We fixed a bug on the forms in CertCentral where the state/province/territory field appeared as being required when the country selected didn't require that information (for example when adding a new organization or a credit card).
Note: This bug didn't prevent you from completing these transactions. For example, you were still able to add an organization or a credit card with or without filling in the state/province/territory field.
Now, in the forms, the state/province/territory field is labeled as optional for countries that don't require this information as part of their transactions.
Note: US and Canada are the only countries that require you to add a state or province/territory.
January 28, 2019
We added a new Add contact feature to the OV SSL/TLS certificate request forms allowing you to add a single technical contact and a single organization contact during the request process.
Previously, you were unable to add contacts when ordering OV SSL/TLS certificates (such as Secure Site SSL and Multi-Domain SSL certificates).
Note: A technical contact is someone we can contact should problems arise while processing your order. An organization contact is someone we can contact when completing the organization validation for your certificate.
We enhanced the Add contact feature on the EV SSL/TLS certificate request forms allowing you to add a single technical contact and a single organization contact during the request process.
Previously, you could only add Verified Contacts (for EV) when ordering EV SSL/TLS certificates (such as Secure Site EV and EV Multi-Domain SSL).
Note: A technical contact is someone we can contact should problems arise while processing your order. An organization contact is someone we can contact when completing the organization validation for your certificate.
January 16, 2019
We moved the CertCentral DV Certificate Enrollment guide to https://docs.digicert.com/certcentral/documentation/dv-certificate-enrollment/.
A pdf version of the guide is still available (see link at the bottom of the Introduction page).
Additionally, we updated and added instructions to cover the supported DCV methods for DV certificates in CertCentral.
- Added new Domain Control Validation (DCV) instructions
- Use the Email DCV method
- Use the DNS TXT DCV method
- Use the File DCV method
- File DCV method common mistakes
- Updated the order DV certificate instructions
- Order a RapidSSL Standard DV Certificate
- Order a RapidSSL Wildcard DV Certificate
- Order a GeoTrust Standard DV Certificate
- Order a GeoTrust Wildcard DV Certificate
- Order a GeoTrust Cloud DV Certificate
- Updated the reissue DV certificate instructions
- Reissue a RapidSSL Standard DV Certificate
- Reissue a RapidSSL Wildcard DV Certificate
- Reissue a GeoTrust Standard DV Certificate
- Reissue a GeoTrust Wildcard DV Certificate
- Reissue a GeoTrust Cloud DV Certificate
January 15, 2019
We added two more Domain Control Validation (DCV) methods to the DV certificate Order and Reissue pages: DNS TXT and File.
Note: Previously (unless you are using the DigiCert Services API), you could only use the Email DCV method to prove control over the domains on your DV certificate orders.
Now, when ordering or reissuing a DV certificate, you can choose DNS TXT, File, or Email as the DCV method to complete domain validation for the order.
We added new Prove control over domains features to the DV certificates' Order # details page.
Previously, you were unable to take any actions to complete your domain validation on the DV certificates' Order # details page.
Now, you can take more actions to complete the domain validation for the order:
- Use the DNS TXT, Email, and File DCV methods
- Resend/send the DCV Emails and choose which email address to send it to
- Verify your domain's DNS TXT record
- Verify your domain's fileauth.txt file
- Choose a different DCV method than the one selected when ordering the certificate
(In the sidebar menu, click Certificates > Orders. On the Orders page, in the Order # column of the DV certificate order, click the order number.)
We enhanced the Certificate Details section of the DV certificates' Order # details page adding additional DV certificate information: Serial Number and Thumbprint.
Note: This enhancement is not retroactive. This new information only appears for orders placed after 17:00 UTC time January 15, 2019.
(In the sidebar menu, click Certificates > Orders. On the Orders page, in the Order # column of the DV certificate order, click the order number.)
We enhanced the Get order details endpoint enabling the DV certificate's thumbprint and serial number to be returned in the response.
{
"id": "12345",
"certificate":{
"id":123456,
"thumbprint":"{{thumbprint}}",
"serial_number":"{{serial_number}}
...
}
Note: This enhancement is not retroactive. The thumbprint and serial number are only returned for orders placed after 17:00 UTC time January 15, 2019.
For more information, see the Get order details endpoint in the DigiCert Services CertCentral API documentation.
January 7, 2019
We improved the look and feel of our DigiCert account sign in page (www.digicert.com/account/), bringing it up to date with the design of our certificate management platform, CertCentral.
December 20, 2018
We enhanced the order Notes feature, enabling the order notes from the previous order to carry over to the renewed certificate order.
Previously, if you wanted any of the notes to carry over, you had to manually add the notes to the renewed order yourself.
Now, notes from the previous order are automatically carried over to the renewal order. These notes are timestamped with author's name (for example, 18 Dec 2018 8:22 PM John Smith).
These notes are on the renewed Order # details page (in the sidebar menu, click Certificates > Orders and then click the order number link). They are also in the Order # details panel (click the Quick View link).
We enhanced the DV certificates Order # details page, enabling you to see which domains on the order are pending validation (i.e., domains that you still need to demonstrate control over).
Previously, domains pending validation weren't listed on the Order # details page.
Now, when you visit a DV certificate's Order # details page, domains pending validation will be shown. (In the sidebar menu, click Certificate > Orders and then on the Orders page, click the order number link).
We fixed a bug on the Orders page (in the sidebar menu, click Certificates > Orders) where the Organization Contact information was missing in the Order # details panel.
Now, when you visit the Orders page and use the Quick View link to view order details, you will see the Organization Contact information in the Order # details panel. (Expand Show More Certificate Info and in the Order Details section, expand Show Org Contact).
December 18, 2018
DigiCert began issuing public SSL certificates containing underscores for a limited time.
- Maximum 30-day validity for public SSL certificates containing underscores in domain names.
- Underscores must not be in the base domain ("example_domain.com" is not allowed).
- Underscores must not be in the left most domain label ("_example.domain.com" and "example_domain.example.com" are not allowed).
For more details, see Retiring Underscores in Domain Names.
In the top menu, we added two new contact support options (phone and chat icons) making it easier to contact support from within CertCentral (via email, chat, or phone).
The phone icon provides you with email and phone options. The chat icon provides you with a chat window where you can start a chat with one of our dedicated support team members.
We enhanced the sidebar menu, making it easier to see the menu option for the pages you are visiting. Now, when you visit a page in CertCentral, the menu option for that page will have a horizontal blue bar next to it.
We fixed a bug in the Add Organization feature on the SSL/TLS certificate request forms where the validation status (EV and OV validated) was not included for new organizations added and validated as part of the certificate order.
Now, new organizations added when ordering an SSL certificate will show a Validated status.
Note: The organization's validation status doesn't appear until we've fully validated the organization.
December 17, 2018
We enhanced our RapidSSL DV certificate offerings enabling you to include a second, very specific domain, in these single domain certificates.
- RapidSSL Standard DV
By default now, when ordering a RapidSSL Standard DV Certificate, you get both versions of the common name in the certificate – [your-domain].com and www.[your-domain].com.
After entering the common name, make sure the Include both www.[your-domain].com and [your-domain].com in the certificate box is checked.
Previously, you had to order separate certificates for [your-domain].com and www.[your-domain].com. - RapidSSL Wildcard DV
By default now, when ordering a RapidSSL Wildcard DV Certificate, you get the wildcard domain and the base domain in the certificate – *.[your-domain].com and [your-domain].com.
After entering the common name, make sure the Include both *.[your-domain].com and [your-domain].com in the certificate box is checked.
Previously, you had to order separate certificates for *.[your-domain].com and [your-domain].com.
We enhanced the RapidSSL certificate endpoints to include the dns_names parameter, enabling you to include a second, very specific domain, in these single domain certificates.
- RapidSSL Standard DV
When ordering a RapidSSL Standard DV Certificate, you may include both version of your domain in the certificate — [your-domain].com and www.[your-domain].com."common_name": "[your-domain].com",
"dns_names": ["www.[your-domain].com"],
Previously, you had to order separate certificates for [your-domain].com and www.[your-domain].com. - RapidSSL Wildcard DV
When ordering a RapidSSL Wildcard DV Certificate, you may include the base domain in the certificate — *.[your-domain].com and [your-domain].com)."common_name": "*.your-domain.com",
"dns_names": ["[your-domain].com"],
Previously, you had to order separate certificates for *.[your-domain].com and [your-domain].com.
For DigiCert Services API documentation, see CertCentral API.
Individual Document Signing certificates are available in CertCentral:
- Document Signing – Individual (500)
- Document Signing – Individual (2000)
To activate Individual Document Signing certificates for your CertCentral account, contact your Sales representative.
Previously, only Organization Document Signing certificates were available.
- Document Signing – Organization (2000)
- Document Signing – Organization (5000)
To learn more about these certificates, see Document Signing Certificate.
December 14, 2018
We enhanced the Orders Report feature on the Orders page (in the sidebar menu, click Certificates > Orders). Now when you run a report (click Orders Report), it will include your DV SSL certificate orders.
December 13, 2018
We enhanced the Add Verified Contacts process on the organization details pages making it easier to add existing and new verified contacts when submitting an organization for pre-validation (in the sidebar menu, click Certificates > Organizations. Then in the Name column, click the organization name link).
To make adding a verified contact easier, we removed the separate links (Add New Contact and Add from Existing Contacts) each with their own window. Now, we provide a single Add Contact link and a single Add Contact window where you can add a new or existing contact.
Add New Contact Note
By default, the Allow non-CertCentral account users to be used as verified contacts feature is disabled for a CertCentral account.
You can enable this feature on the Division Preferences page (in the sidebar menu, click Settings > Preferences). In the Advance Settings section, under Verified Contacts, you can allow non-CertCentral account users to be used as verified contacts (check Allow non-DigiCert users to be used as verified contacts).
December 6, 2018
We added a new feature Allow users to add new contacts when requesting TLS certificates that provides you with the flexibility to choose whether standard users, finance managers, and limited users can add a new non-CertCentral account user as a Verified Contact (for EV) when ordering an EV TLS/SSL certificate from inside their account or when using a guest URL.
Previously, the only way to prevent these user roles from adding a new non-CertCentral account user as a verified contact during the order process was to edit the request and select an existing contact for the order or reject the certificate request.
Now, you can control whether the User, Finance Manager, and Limited User roles can add a new non-CertCentral account user as a verified contact from the EV SSL/TLS certificate request pages. This feature doesn't remove the option from the EV SSL/TLS certificate order pages for the Administrator and Manager roles.
On the Division Preferences page (Settings > Preferences). In the Certificate Request section (expand Advanced Settings), under Add New Contacts, uncheck Allow users to add new contacts when requesting TLS certificates and then click Save Settings.
Note: This change does not remove the ability to add an existing contact (CertCentral account users or non-CertCentral account users) as the verified contact to an order as this is required for all EV SSL/TLS certificate orders.
We enhanced the Allow users to add new organizations when requesting TLS certificate feature providing you with the flexibility to choose whether standard users, finance managers, and limited users can add a new organization when ordering a TLS certificate (OV and EV) from inside their account or when using a guest URL.
Previously, the feature removed the ability to add a new organization for all user roles: Administrator, Manager, Standard User, Finance Manager, and Limited User.
Now, the Allow users to add new organizations when requesting TLS certificate feature only affects the User, Finance Manager, and Limited User roles ability to add new organizations from the certificate request pages. Administrator and Manager roles retain the ability to add new organizations whether this feature is enabled or disabled.
On the Division Preferences page (Settings > Preferences). In the Certificate Request section (expand Advanced Settings), under Add New Organization, uncheck Allow users to add new organizations when requesting TLS certificates and then click Save Settings.
Note: This change does not remove the ability to add an existing, pre-validated organization to an order as this is required for all OV and EV TLS certificate orders.
December 5, 2018
We enhanced the add existing organization feature for the EV SSL/TLS certificates order process making it easier to include the EV verified contacts for an organization in your certificate order.
Previously, information about who the EV verified contacts are for an organization didn't appear on the EV certificate request pages.
Now, when you add an existing organization that already has EV verified contacts assigned to it, the Verified Contact (for EV) cards are populated with the verified contacts' information.
Note: If your CSR includes an organization currently used in your account, the Organization card is populated with the organization's information contained in your account. If this same organization already has assigned EV verified contacts, the Verified Contact (for EV) cards are populated with their information (name, title, email, and phone number).
We fixed a bug on the User Invitations page preventing the Invited By filter from showing the administrators who sent the user invite requests.
Now, when you go to the User Invitations page (in the sidebar menu, click Account > User Invitations), the Invited By filter shows the admins who sent user invitations.
December 3, 2018
We enhanced our SSL/TLS and client certificate product offerings, enabling you to set a custom validity period (in days) when ordering one of these certificates. Previously, you could only choose a custom expiration date.
Custom validity periods start on the day we issue the certificate. Certificate pricing is prorated to match the custom certificate length.
Note: Custom certificate lengths can't exceed the industry allowed maximum lifecycle period for the certificate. For example, you can't set a 900-day validity period for an SSL/TLS certificate.
We enhanced the SSL/TLS and Client certificate endpoints to include a new validity_days parameter that allows you to set the number of days that the certificate is valid for.
Parameter Priority Note: If you include more than one certificate validity parameter in your request, we prioritize the certificate validity parameters in this order: custom_expiration_date > validity_days > validity_years.
For DigiCert Services API documentation, see CertCentral API.
We added a new Order Management - List Order Reissues API endpoint that allows you to view all the reissue certificates for a certificate order. See the List order reissues endpoint.
November 29, 2018
We enhanced the add existing organization feature of the SSL/TLS certificate order process, enabling you to filter the existing organization list to see only organizations that are fully validated.
Note: If your CSR includes an organization currently used in your account, the Organization card auto populates with the organization's information contained in your account.
To manually add an existing organization when ordering your SSL/TLS certificate, click Add Organization. In the Add Organization window, check Hide non-validated organizations to filter the organizations so only the fully validated ones are shown.
Note: If you have more than nine active organizations in your account, the filter also works for the Organization drop-down list.
We enhanced the Organization Unit(s) feature of the SSL/TLS certificate order process, enabling you to add multiple organization units. Previously, you could only add one organization unit.
Note: The Organization Unit(s) field on the request form will be auto populated with the values from your CSR.
To manually add organization units when ordering your SSL/TLS certificate, expand Additional Certificate Options and in the Organization Unit(s) field, you can now add one or more organization units.
Note: Adding organization units is optional. You can leave this field blank. However, if you do include organization units in your order, DigiCert will need to validate them before we can issue your certificate.
We fixed a Custom Order Fields* bug preventing the feature from working properly when deactivating, activating, changing a field from required to optional, and changing a field from optional to required.
*Custom Order Fields is disabled by default. To enable this feature for your CertCentral account, please contact your DigiCert account representative. See Managing Custom Order Form Fields in the Advanced CertCentral Getting Started Guide.
November 28, 2018
We enhanced the order details page for issued certificates, making it easier to find the certificate details on page. (In the sidebar menu, click Certificates > Orders and then on the Orders page click the order number.)
To make finding the certificate details easier, we moved that information so it's the first thing you see on the order details page. Additionally, we moved all certificate actions, such as Reissue Certificate and Revoke Certificate, to the Certificate Actions drop-down list.
November 12, 2018
We enhanced the functionality of the Domain management – Get domain control emails API endpoint. You can now use the domain name to retrieve the Domain Control Validation (DCV) email addresses (WHOIS-based and constructed) for any domain.
Previously, you had to have the domain ID to retrieve the DCV email addresses. However, for a domain to have an ID, you had to submit it for pre-validation.
Now, you can use either the domain name or the domain ID with the Domain management – Get domain control emails endpoint to retrieve the DCV email addresses (WHOIS-based and constructed) for a domain. See the Get domain emails endpoint.
November 7, 2018
We fixed a bug on the TLS/SSL certificate order forms where adding a CSR only auto populated the Common Name field. While fixing this bug, we enhanced the CSR upload feature to also auto populate the Organization field.
We now use information from your CSR to auto populate these order form fields: Common Name, Other Hostnames (SANs), Organization Unit (OU), and Organization.
You can still change the information in these fields as needed (for example, you can add or remove SANs).
Organization field note
When you include an organization currently used in your account, the Organization card auto populates with the organization's information contained in your account.
October 25, 2018
We enhanced the add existing organization feature of the TLS/SSL certificate order process, enabling you to see the organization's address and phone number, along with its validation status (EV Validated, Pending OV Validated, etc.). Note that organizations not yet submitted for validation won't have any validation status listed.
Previously, you were unable to see any information about the organization from the Request Certificate pages. To view organization details and validation status, you had to visit the Organizations page (in the sidebar menu, click Certificates > Organizations).
Note: If you have more than nine active organizations in your account, you will still use the Organization drop-down list, and you will still need to visit the Organizations page to view details about an organization. However, you will now see the top two most used organizations at the top of the list under Recently Used.
October 12, 2018
We enhanced the Add Contact feature of the EV TLS/SSL certificate order process, enabling you to see if the existing contact listed is a CertCentral account user or a contact (non-CertCentral account user).
Previously, when adding an existing contact as a Verified Contact for your EV TLS certificate order, you were presented with a list of contacts to select from without a way to distinguish account users from non-account users.
With this improvement, the contacts listed are now categorized as Users (CertCentral account users) and Contacts (non-CertCentral account users).
Note: By default, the Allow non-CertCentral account users to be used as verified contacts feature is disabled for a CertCentral account.
How to enable the Allow non-CertCentral account users to be used as verified contacts feature
On the Division Preferences page (Settings > Preferences), in the Advance Settings section, under Verified Contacts, you can allow non-CertCentral account users to be used as verified contacts (check Allow non-DigiCert users to be used as verified contacts).
With the non-CertCentral user feature enabled, when adding verified contacts as part of the EV certificate request process, you will see two options: Existing Contact and New Contact. The Existing Contact option lets you assign a CertCenrtal user as the verified EV contact. The New Contact option lets you enter information for a non-CertCentral account user.
October 11, 2018
We enhanced the add new organization feature of the TLS/SSL certificate order process, enabling you to edit the details of a newly added organization.
Previously, after adding a new organization on the Certificate Request page, you were unable to go back and edit the organization's details. To edit the organization's details, you had to delete the organization and re-add it with the correct information.
With this improvement, you may now edit the newly added organization details. Click the edit icon (pencil), and you can modify the organization's details before submitting your order.
September 13, 2018
We enhanced the Add Organization step of the TLS/SSL certificate ordering process.
Previously, you were required to add a new organization before requesting your certificate (Certificates > Organizations). Additionally, the new organization was not available on the Certificate Request page until we completed its organization validation.
With this improvement, you can add a new organization as part of the request process. Note that because the organization is not pre-validated, DigiCert will need to validate the new organization before we can issue your certificate.
Note: When adding a new organization from a Certificate Request page, the requestor (person ordering the certificate) becomes the contact for the new organization.
When ordering a TLS/SSL certificate, you can still choose to use an existing, pre-validated organization.
Editing a Request
Before a TLS/SSL certificate request is approved, you can Edit the request and add a new organization. The person who adds the new organization becomes the contact for the new organization.
We added a new Add Contacts feature to the EV TLS/SSL certificate request process that lets you assign an existing CertCentral user (admin, manager, finance manager, or user) as the verified EV contact for the organization as part of the request process.
Previously, you were required to assign a verified EV contact to an organization before requesting your certificate (Certificates > Organizations).
Allow non-CertCentral account users to be used as verified contacts enabled
On the Division Preferences page (Settings > Preferences), in the Advance Settings section, under Verified Contacts, you can allow non-CertCentral account users to be used as verified contacts (check Allow non-DigiCert users to be used as verified contacts).
With the non-CertCentral user feature enabled, when adding verified contacts as part of the EV certificate request process, you will see two options: Existing Contact and New Contact. The Existing Contact option lets you assign a CertCenrtal user as the verified EV contact. The New Contact option lets you enter information for a non-CertCentral account user.
September 11, 2018
We added a Skip Approval Step feature that lets you remove the approval step from your SSL, Code Signing, and Document Signing certificate order processes.
Note: Admin approvals are still required for certificate revocations, Guest URL certificate requests, and Finance Manager, Standard User, and Limited User certificate requests.
You can activate this feature on the Division Preferences page (Settings > Preferences). In the Certificate Request section (expand Advanced Settings), under Approval Steps, select Skip approval step: remove the approval step from your certificate order processes and then click Save Settings.
Note: These orders don't require an approval, so they won't be listed on the Requests page (Certificates > Requests). Instead, these orders will only appear on the Orders page (Certificate > Orders).
August 27, 2018
Enhancements made to Wildcard certificates. You can secure multiple wildcard domains on a single wildcard certificate.
When you order a Wildcard certificate in CertCentral, you can secure multiple wildcard domains in one wildcard certificate (*.example.com, *.yourdomain.com, and *.mydomain.com). You can still secure a single wildcard domain (*.example.com) with your Wildcard certificate.
Items to note:
- For each wildcard domain, the base domain is also secured for free (for example, *.yourdomain.com secures yourdomain.com).
- Other Hostnames (SANs) must be a wildcard domain (for example, *.yourdomain.com) or based off your listed wildcard domains. For example, if one of your wildcard domains is *.yourdomain.com, then you can add the SANs www.yourdomain.com or www.app.yourdomain.com to your certificate order.
- Adding wildcards SANs to a certificate order may incur additional cost.
March 15, 2018
Enhancements to Order # pages (click Certificates > Orders and then click an Order # link) and Order # detail panes (click Certificates > Orders and then click Quick View link).
When viewing an order's validation status, you can now see the validation status of each SAN on an order: pending or complete.
Enhancements to the SSL certificate request (Request a Certificate > SSL Certificates) and SSL certificate renewal pages. We've simplified the look and feel of the request and renewal pages, placing specific information in expandable sections. This enables the end user to focus on the most important parts of the order and renewal processes.
We've grouped the following certificate and order options under the section headings below.
- Additional Certificate Options
- Signature Hash
- Server Platform
- Auto-Renew
- Additional Order Options
- Comments to Administrator
- Order Specific Renewal Message
- Additional Emails
- Additional Users Who Can Manage the Order
March 13, 2018
Enhancements to Order # pages (click Certificates > Orders and then click an Order # link) and Order # detail panes (click Certificates > Orders and then click Quick View link).
You can now see an order's validation statuses: pending or completed. You can also see if the order is waiting on domain or organization validation to be completed before it can be issued.
February 1, 2018
This is for informational purposes only, no action is required.
As of February 1, 2018, DigiCert publishes all newly issued public SSL/TLS certificates to public CT logs. This does not affect any OV certificates issued before February 1, 2018. Note that CT logging has been required for EV certificates since 2015. See DigiCert Certificates Will Be Publicly Logged Starting Feb. 1.
New "exclude from CT log when ordering a certificate" feature added to CertCentral. When you activate this feature (Settings > Preferences), you allow account users to keep public SSL/TLS certificates from being logged to public CT logs on a per certificate order basis.
While ordering an SSL certificate, users have an option not to log the SSL/TLS certificate to public CT logs. The feature is available when a user orders a new certificate, reissues a certificate, and renews a certificate. See CertCentral Public SSL/TLS Certificate CT Logging Guide.
New optional CT logging opt out field (disable_ct) added to the SSL certificate request API endpoints. Also, a new CT Log issued certificate opt out endpoint (ct-status) added. See CertCentral API Public SSL /TLS Certificate Transparency Opt Out Guide.
November 3, 2017
Enhancements to the Overview page (click Dashboard). Added the ability to request a certificate from the Dashboard; note the new Request a Certificate button at the top of the page.
Enhancements to the Request a Certificate drop-down list on the Orders page (click Certificates > Orders) and the Requests page (click Certificates > Requests). Added certificate type headers (e.g., CODE SIGNING CERTIFICATES) to the list to make finding certificates by type easier.
Enhancements to the Expiring Certificates page (click Certificates > Expiring Certificates). Added a Quick View link allowing you to see details about each expiring certificate without leaving the page.
October 26, 2017
Enhancements to the Orders page (click Certificates > Orders) and Requests page (click Certificates > Requests). Added the ability to request a certificate from these pages; note the new Request a Certificatebutton at the top of the pages.
October 18, 2017
Enhancements to the Orders page (click Certificates > Orders); improved page performance.
October 16, 2017
Enhancements to the Order details page (viewed when clicking an order # on the Certificates > Orders page); improved page performance.
October 10, 2017
Enhancements to the order details pane on the Requests page (viewed when clicking an order #); improved page performance.
October 2, 2017
Enhancements to user list queries; improved user search along with page performances (e.g., Orders page).
Enhancements to Request a Certificate pages; improved organization and domain searches along with page performance.
September 25, 2017
Enhancements to client certificates; added support for multiple organizational units (OUs).
Enhancements to client certificates; added support for multiple organizational units (OUs).
September 5, 2017
Enhancements made to Account Balance and the Purchase Order process. See CertCentral Account Balance and PO Process Changes.