Configure advanced account preferences
The Advanced Settings section of the Preferences page (Settings > Preferences) contains configuration options for domain control validation (DCV), certificate request behavior, and code signing certificate settings. Expand Advanced Settings at the bottom of the Preferences page to access these settings.
In the CertCentral main menu, go to Settings > Preferences.
On the Preferences page, expand Advanced Settings.
Configure the following advanced preferences as required:
Select Save settings.
Configure DigiCert account user management settings
Before you begin
Review the following before configuring the add user process:
Limit what users can access in CertCentral:
If using the automatic default role option, consider the following to limit what users can view and do in CertCentral until you assign them proper access:
Use the Standard User or Limited User role as the default role. For a Limited User role, select Standard User and then select Limit to placing and managing their own orders.
If using divisions, create a dedicated division with limited access to your organizations and domains, and restrict the default role to that division. After users activate their CertCentral service, update their role and division restrictions as needed.
Adding users in batches:
If you need to add multiple users with the same role and division access, configure the default role to meet those requirements first, then add all users in the batch. After all users in the batch have activated their CertCentral service, update the default role for the next batch or switch to the administrator approval process.
Important
Do not update the default user role or switch to the administrator approval process until all users from the current batch have activated their CertCentral service. Any changes to the process take effect immediately and will affect users who are still in the process of activating their access.
Select one of the options to control how new users receive CertCentral access when added through DigiCert account provisioning.
Require administrator approval before granting access: DigiCert sends an email notification to a CertCentral administrator when a user requests access. The administrator must approve the request and assign a role before the user can sign in.
Automatically grant user access using a default user role: Users added through DigiCert account provisioning receive the default role automatically. Administrators can update individual user access after account activation.
For full configuration steps, see Default role assignment during DigiCert account provisioning.
Enable verified contacts
(Optional) To allow non-CertCentral users as verified contacts, select Allow non-CertCentral users to be used as verified contacts.
By default, verified contacts for OV (Organization Validation) and EV (Extended Validation) certificate requests must be existing CertCentral account users.
Enabling this setting applies to all OV and EV certificate requests in the account.
The Verified Contacts setting allows users outside the account to be added as verified contacts.
Configure DCV methods
DCV methods define how DigiCert verifies control of a domain before issuing a certificate. The following methods are available:
Notice
Changes to DCV methods apply to all new certificate requests and domain validation workflows in the account.
In the Domain Control Validation (DCV) section, select the DCV methods to make available on certificate request forms.
DNS TXT Record: Add a DigiCert-generated random value to the domain's DNS as a TXT record.
DNS CNAME Record: Add a DigiCert-generated random value to the domain's DNS as a CNAME record.
Verification Email: Send a confirmation email to approved email recipients for the domain.
HTTP Practical Demonstration: Host a file containing a DigiCert-generated random value at a predetermined location on the domain's website.
HTTP Practical Demonstration with unique file name: Host a file with a random filename that contains the DigiCert-generated value.
From the Set default DCV method dropdown, select the method shown by default when multiple methods are available.
(Optional) Select Hide DCV methods on TLS certificate request forms.
Configure Send verification DCV emails to and Domain validation scope as needed.
Proceed to configure the remaining preferences on the page or select Save settings.
Enable domain lock
Domain lock limits access to account domains to CertCentral account users only. When enabled at the account level, domain lock must be configured individually for each domain on the Domain Details page.
(Optional) Select Enable domain lock for this account. Learn more about enabling a domain lock.
Add approved email domains
The Approved email domains section restricts which email domains users can register with when signing up for CertCentral. Users can only sign up with email addresses that match a domain listed under Approved email URLs. For full configuration steps, see Add approved email domains.
Configure certificate requests
The Certificate Requests section controls certificate request form behavior, approval workflows, and issuance settings across all certificate types.
Configure the certificate request, approval workflow and issuance settings as follows:
(Optional) Enable Certificate transparency (CT) logging.
(Optional) Enable Allow users to add new organizations when requesting TLS and Code Signing certificates.
When selected, users can create new organizations directly from a certificate request form.
(Optional) Enable Allow users to add new contacts when requesting TLS and Code Signing certificates.
When selected, users can add contacts directly from a certificate request form.
Configure how contact details appear on certificate request forms. Three options are available:
Allow editing of contact details: Users can view and change contact information on request forms.
Show contact details as read-only: Users can view but cannot change contact information on request forms.
Hide contact details: Contact information is not displayed on request forms.
(Optional) Enable Autopopulate OU field. Enable independently for:
Public SSL, Private SSL, Code Signing and EV Code Signing, and Document Signing.
When enabled for a certificate type, the Autopopulate OU field setting uses the OU (organizational unit) information from the CSR (Certificate Signing Request) to populate the OU field on the request form automatically.
Configure the approval steps. Three options are available:
Approval steps control the certificate request workflow for all certificate types. These settings also apply to Services API requests.
Skip the approval step for certificate requests from Administrators and Managers
Requests submitted by administrators and managers are issued without a separate approval step.
One step: certificate requests must be approved
All requests require approval before issuance. When this option is selected, Automatically approve New and Reissue certificate requests when the requester is also an approver becomes available as a sub-option.
Two steps: require an additional review step before a certificate request can be approved
Requests go through a review step before the approval step.
(Optional) Enable ACME certificate approval.
When selected, requests submitted through the ACME protocol require administrator approval before issuance.
Notice
ACME certificate requests must be approved before they will be issued.
(Optional) Enable DV certificate approval.
When selected, DV certificate requests require administrator approval before issuance.
Notice
DV certificate requests must be approved before they will be issued.
(Optional) Enable Client certificate approval.
When selected, all client certificate requests require administrator approval before issuance.
Notice
Client certificate requests must be approved before they will be issued.
Proceed to configure the remaining preferences on the page or select Save settings.
Provision code signing and EV code signing certificate settings
The Code signing and EV code signing certificate settings section controls provisioning, revocation behavior, and display options for code signing certificate requests.
Configure the following provisioning settings:
Provisioning options: Provisioning options determine how code signing private keys and certificates are delivered or stored. The following options are available:
DigiCert-provided hardware token: DigiCert ships a hardware token to the address entered under Shipping address.
Use existing token: The requester provides an existing hardware token.
Install on an HSM: The certificate is installed on an HSM (hardware security module).
Set default provisioning option. Use this to select the provisioning method shown by default on request forms.
Set the default separately for Code Signing certificates and for EV Code Signing certificates.
Select a certificate revocation option.
Revoke individual certificates: DigiCert revokes each certificate independently.
Revoke order when all certificates are revoked: When all certificates under an order are revoked, DigiCert revokes the order automatically.
(Optional) Enable Show additional certificate options by selecting Expand additional certificate options.
When selected, the signature hash, server platform, and auto-renew fields are expanded by default on code signing certificate request forms.
(Optional) Enable Hide recently created domains by selecting Hide recently created domains on enrollment page.
When selected, recently created domains do not appear in the domain list on the enrollment page.
Select an additional email field. Two options are available.
Optional: Requesters may leave the field blank.
Required: Requesters must enter at least one email address.
The additional email field on certificate request forms collects extra email addresses for certificate issuance, expiring certificate, and expiring order notifications.
(Optional) Enable Upgrade products on renewal by selecting Allow users to upgrade products on renewal.
When selected, users can upgrade to a higher certificate product at renewal.
To disable the upgrade option during renewal, deselect Allow users to upgrade products on renewal.
Review all the preferences on the page and select Save settings.