CertCentral

On June 25, 2024, at 10:00 MDT (16:00 UTC), DigiCert will move the default issuance of public Secure Email (S/MIME) certificates to new industry-compliant public intermediate CA (ICA) certificates.

For more details about the affected S/MIME certificates and which ICA certificates we are replacing, see our knowledge base article, New Secure Email (S/MIME) Intermediate CA certificates 2024.

ICA certificate replacements

To download copies of DigiCert ICA and root certificates, see the DigiCert Trusted Root Authority Certificates page.

How does switching ICA certificates affect me?

If you install the DigiCert-provided ICA certificate included with your issued Secure Email (S/MIME) certificate, this change will not affect you, and no action will be required. Starting June 25, 2024, the new default ICA certificate will automatically come with your issued Secure Email (S/MIME) certificate (new, renewal, or reissued).

How does switching ICA certificates affect my existing certificates?

Rolling out new ICA certificates does not affect existing certificates. Active Secure Email (S/MIME) certificates issued from a replaced ICA certificate continue to be trusted until they expire.

Starting June 25, 2024, DigiCert will issue new, renewed, and reissued Secure Email (S/MIME) certificates from new ICA certificates. When installing your S/MIME certificates, always include the DigiCert-provided ICA certificate.

Best practice

We recommend always including the DigiCert-provided ICA certificate with every certificate you install. This recommendation has always been the best practice to ensure that ICA certificate replacements do not disrupt your certificate-related processes and that your certificates are trusted.

PKI Platform 8 items to note

Starting June 25, 2024, DigiCert will begin migrating your PKI Platform 8 public S/MIME issuance to the new, industry-compliant, shared CA. See ICA certificate replacements above.

Those using Local Key Management Storage (LKMS) to store their private keys must add the new ICA certificate to their local LKMS once available. Otherwise, you cannot continue to store your private keys locally.

What if I need more time before switching ICA certificates?

Contact your account manager or DigiCert Support. We will set up your account so you can continue to use the ICA certificates you are using now.

However, on September 3, 2024, DigiCert must move you to the new ICA certificates. The current ICA certificates are no longer industry-compliant and cannot be used to issue Secure Email (S/MIME) certificates after that date.

We updated the Order validation status endpoint and added a new URL query parameter, include_risk_check. Use this parameter to check the domain risk for the order. You only need to include ?include_risk_check=true on non-DV TLS orders, as we always return the risk_status for DV TLS certificates.

See Order validation status.

curl -X GET \
  'https://www.digicert.com/services/v2/order/certificate/{{order_id}}/validation?include_risk_check=true' \
  -H 'Content-Type: application/json' \
  -H 'X-DC-DEVKEY: {{api_key}}'

DigiCert ONE Switzerland and TrustLink Switzerland locations could experience downtime for approximately 30 minutes during scheduled maintenance on April 6, 2024, 09:00 – 11:00 MDT (15:00 – 17:00 UTC).

If everything goes as planned, the maintenance will not affect our DigiCert ONE Switzerland and TrustLink Switzerland customers. However, there could be service downtime if things don't go as planned.

The maintenance starts at 09:00 MDT (15:00 UTC). From 09:00 to 10:00 MDT (15:00 to 16:00 UTC), our DigiCert ONE Switzerland instance and its Managers and our TrustLink Switzerland instance could be down or experience service degradation for approximately 30 minutes.

Affected services

API notes

What can I do?

Services will be restored as soon as the maintenance is completed.

DigiCert will perform scheduled maintenance on April 6, 2024, 22:00 – 24:00 MDT (April 7, 2024, 04:00 – 06:00 UTC).

Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

What can I do?

Services will be restored as soon as the maintenance is completed.

We are happy to announce, we added two endpoints to the CertCentral Services API: View KeyLocker signatures and Purchase KeyLocker signatures.

These endpoints make it easier to manage the signatures for your code signing certificate orders using the DigiCert KeyLocker provisioning method:

On March 19, 2024, DigiCert began enforcing technical controls on code signing certificates provisioned in DigiCert® KeyLocker, our cloud-based HSM. Additionally, we changed how KeyLocker pricing works.

On March 16, 2024, 09:00 – 11:00 MDT (15:00 –  17:00 UTC), DigiCert must perform critical maintenance on the ADSS signing service in our Document Trust Manager Switzerland location. During this time, Document Trust Manager and its ADSS signing service will be down for approximately 90 minutes.

How does this affect me?

The maintenance starts at 09:00 MDT (15:00 UTC). From 09:00 to 10:30 MDT (15:00 – 16:30 UTC), our Document Trust Manager Switzerland instance and its ADSS signing service will be down or experience service degradation for approximately 90 minutes.

What can I do?

Services will be restored as soon as the maintenance is completed.

This update does not affect Secure Email for Business requests submitted via CertCentral; it only affects requests submitted via the API.

We added a new optional subject DN attribute to the subject array of the Order Secure Email certificate endpoint. The new include_given_name_surname parameter lets you to control when the surname and given name are included in the subject distinguished name (DN) attributes of your issued Secure Email for Business (secure_email_sponsor) certificates.

To include the given name and surname in the subject distinguished name (DN) attributes on your issued Secure Email for Business (secure_email_sponsor) certificate, you must now use the subject object to submit values for the given name and surname (include_given_name_surname).

We also updated the Reissue certificate API reference to include details for using the subject object  to submit values for the given name and surname (include_given_name_surname) in the subject distinguished name (DN) attributes on the issued certificate.

{
  "certificate": {
    "emails": [
      "example@example.com"
    ],
    ...
  },
  ...
  "subject": {
    "include_given_name_surname": true
  },
  ...
}

We updated the CertCentral user invitation process to improve performance and make managing active invitations easier.

On March 11, 2024, 21:00 – 23:00 MDT (March 12, 03:00 –  05:00 UTC), DigiCert must perform critical maintenance on the ADSS signing service in our Document Trust Manager Netherlands location. During this time, Document Trust Manager and its ADSS signing service will be down for approximately 90 minutes.

How does this affect me?

The maintenance starts at 21:00 MDT (03:00 UTC). From 21:00 to 22:30 MDT (03:00 – 04:30 UTC), our Document Trust Manager Netherlands instance and its ADSS signing service will be down or experience service degradation for approximately 90 minutes.

What can I do?

Services will be restored as soon as the maintenance is completed.

DigiCert will perform scheduled maintenance on March 2, 2024, 09:00 – 11:00 MST (16:00 – 18:00 UTC). Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

What can I do?

Services will be restored as soon as the maintenance is completed.

PKI Platform 8 may experience downtime or delayed responses for approximately 15 minutes during scheduled maintenance on March 2, 2024, 22:00 – 24:00 MST (March 3, 05:00 – 07:00 UTC).

PKI Platform 8 maintenance

If everything goes as planned, the maintenance will not affect our PKI Platform 8 customers. However, this maintenance is high risk, so if things don't go as planned, there could be service interruptions, delayed responses, or even downtime.

The PKI Platform 8 maintenance starts at 22:00 MST (05:00 UTC). From 22:00 to 22:30 MST (05:00 to 05:30 UTC), PKI Platform 8 may experience interruptions such as downtime (up to 15 minutes), service interruptions, or delayed responses.

API note:

What can I do?

Plan accordingly:

Services will be restored as soon as the maintenance is completed.

We updated the duplicate certificate request process in CertCentral. Now, when requesting a duplicate certificate, you can modify the duplicate certificate's validity if needed.

Previously, the duplicate certificate always expired when the certificate you were duplicating expired. You couldn't modify the duplicate certificate's validity.

See for yourself

See Duplicate a TLS/SSL certificate.

We updated the duplicate certificate endpoint and added support for the custom_expiration_date parameter. Use this parameter to modify the certificate validity for your duplicate certificate.

See Duplicate certificate.

JSON example:

{  "certificate": {               
          "common name":"example.com",               
          "csr":"-----BEGIN CERTIFICATE REQUEST----- … -----END CERTIFICATE REQUEST-----",               
          "signature_hash":sha256    
   },    
   "custom_expiration_date": "2024-10-15"
}

Some DigiCert services will be down for approximately 10 minutes during scheduled Europe maintenance on February 3, 2024, 09:00 - 11:00 MST (16:00 - 18:00 UTC).

QuoVadis services maintenance-related downtime

During the two-hour maintenance window, some QuoVadis services will be down for approximately 10 minutes while we do infrastructure-related maintenance that requires server restarts.

Affected QuoVadis Services:

API note

What can I do?

Plan accordingly:

Services will be restored as soon as the maintenance is completed.

DigiCert will perform scheduled maintenance on February 3, 2024, 22:00 – 24:00 MST (February 4, 2024, 05:00 – 07:00 UTC).

Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

What can I do?

Plan accordingly:

Services will be restored as soon as the maintenance is completed.

We are happy to announce that the CertCentral ACME service now supports DV certificates and domain control validation (DCV) as part of the ACME workflow, along with other changes needed to support these features.

On December 7, 2023, we let you know that as part of our database optimization process, expired certificate data older than 14 months would be unavailable until January 22, 2024.

This post is to let you know that access to this older expired certificate data has been delayed. As soon as access is restored, we will post another change log entry to let you know.

What if I need to view or access older expired certificate data?

If you need to access your older expired certificate data before access is restored, please contact DigiCert Support.

Starting January 17, 2024, DigiCert may suspend users and accounts that have been inactive for 39 or more months. See the DigiCert user and account deactivation and deletion policy to learn more.

We updated the DigiCert CertCentral Sign in to your account page. The next time you sign in to your account, add your username first. Then, after selecting Next, add your password and select Sign in.

Updated Sign in to your account page

We are happy to announce that in CertCentral, you can now set a revocation date and time when revoking a code signing certificate due to a key compromise.

Previously, you had to contact DigiCert Support to set a revocation date and time when revoking a code signing certificate due to a key compromise. Now, you can do it yourself from your CertCentral account.

Java signatures

Java uses the status of the certificate, not the revocation date, to determine signature trust. Thus, all Java signatures are invalidated regardless of the certificate revocation date.

Revoking multiple certificates

When revoking all certificates on an order, DigiCert uses the date of the most recently issued certificate to establish the earliest allowed revocation date for all certificates on the order (i.e., you cannot set a revocation date before the certificate issuance date). If this issuance date does not match your key compromise date, we recommend revoking certificates individually from the Certificate history tab.

DigiCert will perform scheduled maintenance on January 6, 2024, 09:00 – 11:00 MST (16:00 – 18:00 UTC).

Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

What can I do?

Services will be restored as soon as the maintenance is completed.

DigiCert will perform scheduled maintenance on January 6, 2024, 22:00 – 24:00 MST (January 7, 2024, 05:00 – 07:00 UTC).

Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

What can I do?

Services will be restored as soon as the maintenance is completed.

We updated the process for reissuing SSL/TLS certificates in CertCentral. Now, if certificate revocations are required after reissuing your certificate, we do the following:

Learn more about reissuing an SSL/TLS certificate

Background

When reissuing an SSL/TLS certificate, some changes may require DigiCert to revoke the original certificate and any reissues and duplicates, for example, removing a domain. In CertCentral, we warn you when a change will revoke your certificates.

We're pleased to announce several enhancements to the API workflows for requesting and reissuing Secure Email (S/MIME) certificates:

We are happy to announce we improved the verified contact approval process for approving EV TSL/SSL certificate orders in CertCentral. We updated the Order details page to make completing the verified contact approval step easier on your pending EV TLS certificate requests.

Improvements:

Background

Before DigiCert can issue an EV TLS/SSL certificate, a verified contact representing the organization included on the certificate must approve the pending certificate request (new, reissue, and new).

Previously, there was a lack of verified contact transparency on these pending requests:

See for yourself

Resources

Resend the verified contact approval email

In the CertCentral Services API, we added a new API endpoint for deleting an organization from your CertCentral account. For examples and usage details, visit the API reference: Delete organization.

On December 7, 2023, at 09:00 MST (16:00 UTC), DigiCert will optimize our certificate databases to improve our service's uptime. As part of the database optimization process, expired certificate data older than 14 months will be unavailable from December 7, 2023, at 09:00 MST (16:00 UTC) to January 22, 2024 (approximately 37 days).

We are happy to announce that we have improved the organization management workflow.

Want to remove an organization from your account that you can never validate because of a typo or misspelling? Want to remove a deprecated organization from your account?

Now, when you need to delete an organization from your CertCentral account, you can. Go to the Organizations page and use the Delete organization feature to delete one or multiple organizations simultaneously.

Previously, you could only deactivate organizations. The Deactivate organization feature allows you to block certificate issuance for an organization until it’s activated. However, the deactivated organization remains in your account.

Items to note about deleting organizations

See for yourself

Resources

On December 6, 2023, at 10:00 MDT (17:00 UTC), CertCentral will no longer support existing TLS certificate automation profiles or ACME Directory URLs configured for 4- to 6-year Multi-year Plans. Automation requests that use these retiring automation profiles or ACME Directory URLs will fail.

Background

On October 31, 2023, DigiCert stopped selling new 4- to 6-year Multi-year Plans. Automation and ACME customers configured for 4- to 6-year orders have until December 6 to reconfigure their existing automation profiles and ACME clients to use 1- to 3-year orders instead.

Automation profiles

Starting on December 6, existing automation profiles configured for 4 to 6 years of coverage will show an Action needed status and automation requests for these profiles will fail. To avoid outages, you must reconfigure these automation profiles before December 6 to have a coverage length of 1 to 3 years.

To reconfigure automation profiles in the CertCentral console:

To use the API to reconfigure automation profiles:

ACME clients

Starting on December 6, existing ACME Directory URLs for 4 to 6 years of coverage will no longer work. To avoid outages, you must reconfigure any third-party ACME clients that use these retiring credentials to use a replacement ACME Directory URL for 1 to 3 years of coverage.Third-party ACME integration

Consult the documentation for your third-party ACME client for help reconfiguring it. For example, the Certbot documentation is found at https://eff-certbot.readthedocs.io

You can use any ACME Directory URL for 1 to 3 years of coverage to continue requesting certificates with your third-party ACME clients. If you don't already have a suitable replacement ACME Directory URL in your CertCentral account, create a new one to use.

To create an ACME Directory URL in the CertCentral console:

To use the API to create an ACME Directory URL:

We are happy to announce that we added the One-time password email verification authentication method to our two-factor authentication requirements in CertCentral.

One-time password email verification authentication method

By default, CertCentral requires you to use your credentials (username and password) and a one-time password (OTP app) to access your account. Now, you can also add OTP email verification as a one-time password (OTP) requirement.

After you enter your credentials, CertCentral sends a temporary password to the email address in your CertCentral account Profile Settings. To access your account, enter the temporary passcode in the verification email.

See our CertCentral two-factor authentication guide.

To make it easier to plan your certificate-related tasks, DigiCert has scheduled our 2024 maintenance windows in advance.

We keep these pages up to date with the latest maintenance schedule information:

With customers worldwide, we understand there is no "best time" for everyone. However, after reviewing the data on customer usage, we selected times that would impact the fewest amount of our customers.

On December 4, 2023, at 09:00 MST (16:00 UTC), DigiCert will optimize our certificate databases to improve our service's uptime.

DigiCert will perform scheduled maintenance on December 2, 2023, 09:00 – 11:00 MST (16:00 – 18:00 UTC).

Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

What can I do?

Services will be restored as soon as the maintenance is completed.

DigiCert will perform scheduled maintenance on December 2, 2023, 22:00 – 24:00 MDT (December 3, 2023, 05:00 – 07:00 UTC).

Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

What can I do?

Services will be restored as soon as the maintenance is completed.

We are happy to announce that we improved the process for creating, viewing, and updating your two-factor authentication requirements in CertCentral. See our CertCentral two-factor authentication guide.

New layout and organization of rules and settings

We updated the layout, moving to a tab-style page structure to make it easier to create, view, and update the two-factor authentication requirements for your CertCentral users. Now, when you visit the Authentication settings page (in the left main menu, go to Settings > Authentication Settings), instead of scrolling to find information, you can select what you want to view:

DigiCert will perform scheduled maintenance on November 4, 2023, 09:00 – 11:00 MDT (15:00 – 17:00 UTC).

Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

Services will be restored as soon as the maintenance is completed.

DigiCert will perform scheduled maintenance on November 4, 2023, 22:00 – 24:00 MDT (October 8, 2023, 04:00 – 06:00 UTC).

Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

Services will be restored as soon as the maintenance is completed.

On October 31, 2023, DigiCert will no longer sell 4 – 6-year Multi-year Plans for TLS and VMC certificates. We will continue to offer 1, 2, and 3-year Multi-year Plans.

How does this affect me?

For those with existing 4, 5, and 6-year Multi-year Plans, this change does not affect your coverage. You can continue to reissue and duplicate issue certificates for your Multi-year Plan until it expires.

For example, if you purchased a 5-year Multi-year Plan on April 1, 2023, you have coverage until April 1, 2028.

What if I use the CertCentral Services API?

If you use the CertCentral Services API to create 4, 5, and 6-year orders for TLS/SSL or Verified Mark certificates, you need to update your API integrations and remove the 4, 5, and 6-year coverage options from your Multi-year Plan integrations.

For more information, see End of 4 - 6-year Multi-year Plans.

What if I use certificate lifecycle automation tools with 4, 5, and 6-year Multi-year Plans?

Starting on October 31, you can no longer create new automation profiles or ACME Directory URLs for a certificate coverage length of 4 to 6 years. To avoid outages, you have until December 6, 2023 to reconfigure any existing automation profiles or third-party ACME clients that use a 4 to 6 year coverage length to instead use a new coverage length of 1 to 3 years.

What happens when I need to renew my Multi-year Plan?

When it’s time to renew your Multi-year Plan, you can renew it as a 1, 2, or 3-year Multi-year Plan.

Why will DigiCert stop selling 4, 5, and 6-year Multi-year Plans?

We are optimizing our infrastructure to support new and improved e-commerce experiences. Removing these Multi-year Plan options helps us streamline existing product lines into a cleaner, more intuitive shopping environment.

We’re happy to announce that you can now receive CertCentral webhook notifications in Slack!

When you integrate CertCentral webhooks with Slack, your webhook sends notifications to a channel in your Slack workspace. These notifications have the same triggers and data as standard webhook events, and Slack presents the information as human-readable text instead of raw JSON.

Learn more: Get webhook notifications in Slack

On October 17, 2023, at approximately 10:00 MDT (16:00 UTC), DigiCert will replace the Norton site seal image with our DigiCert site seal image wherever it appears on websites secured by Secure Site or Secure Site Pro TLS certificates. Additionally, we will remove the option to use and download the Norton site seal from CertCentral.

We are happy to announce that we improved the domain management workflow in CertCentral.

Want to remove a domain from your account that you can never validate because it has a typo? Want to remove all the subdomains of a base domain?

Now, when you need to delete a domain from your CertCentral account, you can. Go to the Domains page and use the Delete domain feature to delete one or multiple domains simultaneously.

Previously, you could only deactivate domains. The Deactivate domain feature allows you to block certificate issuance for a domain until it’s activated. However, the deactivated domain remains in your account.

Items to note about deleting domains:

See for yourself

Resources

In the CertCentral Services API, we added a new API endpoint for deleting a domain from your CertCentral account. For examples and usage details, visit the API reference: Delete domain.

In the CertCentral Services API, we added new functionality to the Update order status API endpoint. Now, if you use the Services API to manage certificate request approvals, you can use the Update order status endpoint to cancel reissue requests that are pending admin approval. Before, this endpoint could only cancel reissues after an administrator approved the request.

For example, the order 12345 has a pending request to reissue the certificate on the order. You can use this cURL request to both cancel the reissue and reject the request:

curl -X PUT \
  'https://www.digicert.com/services/v2/order/certificate/12345/status' \
  --header 'Content-Type: application/json' \
  --header 'X-DC-DEVKEY: {{api_key}}' \
  --data-raw '{
    "status": "canceled",
    "note": "Reissue canceled"
}'

When you submit this request:

DigiCert will perform scheduled maintenance on October 7, 2023, 09:00 – 11:00 MDT (15:00 – 17:00 UTC). Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

What can I do?

Services will be restored as soon as the maintenance is completed.

DigiCert will perform scheduled maintenance on October 7, 2023, 22:00 – 24:00 MDT (October 8, 2023, 04:00 – 06:00 UTC). Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

What can I do?

Services will be restored as soon as the maintenance is completed.

With the recent industry changes to S/MIME certificates, we updated our client certificate requests form, making it easier to include the required information to get your certificate.

Now, when you request one of the certificates listed below, you will see two options under Certificate to Request(s):

Affected certificates: Premium, Email Security Plus, and Digital Signature Plus.

See for yourself:

To learn more, see Order your client certificate.

On August 29, 2023, at 10:00 MDT (16:00 UTC), DigiCert updated our public Secure Email (S/MIME) certificate issuance process to comply with the CA/Browser Forum's new Baseline Requirements for the Issuance and Management of Publicly‐Trusted S/MIME Certificates.

Industry changes now place certificates used to sign, verify, encrypt, or decrypt email into three categories:

Our Premium, Email Security Plus, and Digital Signature Plus certificates are in the sponsor-validated category. Thus, you can only enter your email address or name as the common name on the certificate.

Learn more about the New industry requirements for public Secure Email (S/MIME) certificates.

Some DigiCert services will be down for 60 minutes during scheduled maintenance on September 9, 2023, 22:00 – 24:00 MDT (September 10, 04:00 – 06:00 UTC).

Document Trust Manager PrimoSign signing service maintenance-related downtime

The Document Trust Manager maintenance starts at 22:00 MDT (04:00 UTC). At this time, the PrimoSign signing service will be down for up to 60 minutes.

Affected services

On September 5, 2023, at 10:00 MDT (16:00 UTC), DigiCert will only issue public TLS certificates with the BasicConstraints extension set to critical per new industry requirements. Going forward, we will stop supporting the BasicConstraints extension's noncritical setting in public TLS certificate profiles.

Why is DigiCert making this BasicConstraints extension change?

To comply with industry changes mandated by the root program, all certificate authorities (CAs), such as DigiCert, must stop allowing users to set the BasicConstraints extension to noncritical in public TLS certificates.

For more details about the compliance changes affecting the BasicConstraints extension in certificate profiles, see the CA/Browser Forum's Ballot SC62v2-Certificate profiles update.

On September 5, 2023, at 10:00 MDT (16:00 UTC), DigiCert will stop issuing individual validation TLS certificates. This means you can no longer get an organization validation (OV) TLS certificate with a person's name in the subject field.

Affected certificates:

Why will DigiCert stop issuing individual validation TLS certificates?

To comply with industry changes mandated by the root program, DigiCert will only issue OV TLS certificates with an organization name in the subject field. For more details about the compliance changes affecting the individual validation TLS certificates, see the CA/Browser Forum's Ballot SC62v2-Certificate profiles update.

Some DigiCert services will be down for 90 minutes during scheduled maintenance on September 2, 2023, 09:00 – 11:00 MDT (15:00 – 17:00 UTC).

Document Trust Manager's PrimoSign signing service  maintenance-related downtime

The DigiCert​​®​​ Document Trust Manager maintenance starts at 09:00 MDT (15:00 UTC). At that time, the PrimoSign signing service will be down for up to 90 minutes.

Affected services:

What can I do?

Plan accordingly

Services will be restored as soon as the maintenance is completed.

On August 29, 2023, at 10:00 MDT (16:00 UTC), DigiCert will make the changes listed below to our public Secure Email (S/MIME) certificate issuance process to comply with the CA/Brower Forum's new Baseline Requirements for the Issuance and Management of Publicly‐Trusted S/MIME Certificates.

These changes will apply to all newly issued certificates containing the emailProtectionextentedKeyUsage and at least one email address. If you can use your certificate to sign, verify, encrypt, or decrypt email, then your new, reissued, and renewed certificates will be affected by these new industry requirements starting August 29, 2023, at 10:00 MDT (16:00 UTC).

On August 29, 2023, at 10:00 MDT (16:00 UTC), DigiCert will no longer include the email addresses in the subject field when issuing Document Signing certificates.

Starting August 29:

The following certificates are affected by this change:

Why will DigiCert start issuing Document Signing certificates without the email address in the subject?

We are making this change to align with upcoming industry changes affecting the issuance and management of publicly trusted secure email (S/MIME) certificates.

Starting August 29, under the new S/MIME certificate requirements, a document signing certificate must undergo a new validation process for digitally signing emails. DigiCert's Document Signing certificates do not include this validation process and, therefore, can no longer include email addresses and be used to sign emails after August 29.

How do these changes affect my Document Singing certificates?

What can I do?

In CertCentral, we updated our OV TLS, EV TLS, code signing, and document signing certificate request forms. Now, we will only include the Comments to Administrator field when the approval step is enabled for the user making the request.

This field allows you to provide additional information to the person approving the request. When an order skips the approval step, the field no longer serves its purpose.

Background

By default, CertCentral accounts are configured for one-step certificate request approvals. An account administrator must approve a certificate request before DigiCert can process the order (validating the organization, etc.).

However, on the Preferences page (go to Settings > Preferences), in the Certificate Requests section, you can remove the approval step from the OV and EV TLS, code signing, and document signing certificate issuance workflows for your CertCentral administrators and managers. Even with skip approval enabled, you must still approve requests submitted by standard users, limited users, and finance managers.

Learn more about removing the approval step.

On August 15, 2023, at 10:00 MDT (16:00 UTC), DigiCert will stop supporting the following key usage extensions in public TLS certificates:

Note that these key usage extensions are not included in public TLS certificates by default.

Why is DigiCert making these key usage extension changes?

To comply with industry changes mandated by the root program, all certificate authorities (CAs), such as DigiCert, must stop allowing users to include these key usage extensions in public TLS certificates: data encipherment and non-repudiation.

For more details about the compliance changes affecting key usage extensions in certificate profiles, see the CA/Browser Forum Baseline Requirements for the Issuance and Management of Publicly‐Trusted Certificates, Section 7.1.2.7.10.

How does this affect me?

Do you currently use these key usage extensions in your public TLS certificates?

What if I need to include the data encipherment or non-repudiation key usage extensions in my TLS certificates after August 15?

You can use private TLS certificates. The root-program key usage extension change does not apply to private TLS certificates. If private TLS certificates will meet your needs, contact your account manager to make sure the correct Private root CA hierarchy is available for your account.

How does this affect my existing certificates that include these key extensions?

Your existing certificates are not affected by this change. However, if you reissue or duplicate issue a certificate with one of these key usage extensions after August 15, we will remove the data encipherment or non-repudiation extension before we reissue the certificate.

How does this affect my API integration?

In the Services API, order requests for public TLS certificates that specify a certificate.profile_option of data_encipherment, non_repudiation, or non_repudiation_and_data_enciph will return a 400 error with an error code value of profile_option_not_allowed.

Update your API integration and remove these profile options from your public TLS certificate requests by August 15, 2023.

On August 15, 2023, DigiCert will upgrade our support plans to provide you with a better, more customizable experience. These plans are scalable and backed by our technical experts to ensure your success.

New plans:

Starting August 8 at approximately 10:00 MDT (16:00 UTC), when you order a client certificate containing the emailProtection extentedKeyUsage and at least one email address, we will automatically submit the organization included in the order for SMIME organization prevalidation. When you visit the organization's details page, you will see a pending validation for SMIME – SMIME Organization Validation.

Affected client certificates:

This change also affects orders submitted via the CertCentral Services API. To learn more about organization prevalidation, see our Submit an organization for prevalidation instructions.

Why is DigiCert submitting these organizations for SMIME prevalidation?

As part of the new requirements for public Secure Email (S/MIME) certificates, certificate authorities (CAs), such as DigiCert, must validate the organization included in a certificate containing the emailProtection extentedKeyUsage and at least one email address for S/MIME validation before we can issue the certificate.

DigiCert will submit organizations included in these types of certificate requests for SMIME organization prevalidation starting August 8 to prepare for these new requirements.

How does this affect my client certificate process?

The pending SMIME organization validation does not prevent your client certificates from being issued at this time. Until we update our process, for client certificates containing the emailProtection extentedKeyUsage and at least one email address, DigiCert will continue to require OV - Normal Organization Validation to validate the organization included in the certificate.

Then starting August 29, 2023, DigiCert must validate the organization included in these client certificates for the new SMIME organization validation before we can issue them.

CertCentral webhooks now support the option to include the certificate chain in certificate_issued events for public and private TLS/SSL certificates.

Now, you can get your issued TLS certificate in the same webhook event that notifies you the certificate is ready. Before, you needed to trigger a callback API request to download the certificate from CertCentral.

Example certificate_issued event with certificate chain:

{
  "event": "certificate_issued",
  "data": {
    "order_id": 1234,
    "certificate_id": 1234,
    "certificate_chain": [
      {
        "subject_common_name": "example.com",
        "pem": "-----BEGIN CERTIFICATE-----\r\nMII...\r\n-----END CERTIFICATE-----\r\n"
      },
      {
        "subject_common_name": "DigiCert Global G2 TLS RSA SHA256 2020 CA1",
        "pem": "-----BEGIN CERTIFICATE-----\r\nMII...\r\n-----END CERTIFICATE-----\r\n"
      },
      {
        "subject_common_name": "DigiCert Global Root G2",
        "pem": "-----BEGIN CERTIFICATE-----\r\nMII...\r\n-----END CERTIFICATE-----\r\n"
      }
    ]
  }
}

Learn how to include the certificate chain in certificate_issued events: Customize certificate issued events.

In the CertCentral Services API, we updated the Subaccount order info API endpoint to return the name and id of the issuing CA certificate for the primary certificate on the order. This data is returned in the ca_cert object in the certificate section of the JSON response.

Example JSON response with ca_cert object, truncated for brevity:

{
  "certificate": {
    "ca_cert": {
      "id": "A937018B9FAF6CC2",
      "name": "DigiCert Global G2 TLS RSA SHA256 2020 CA1"
    },
    ...
  },
  ...
}

In the CertCentral Services API, we updated the List subaccount products API endpoint to return details about the product shims configured for the subaccount.

Now, the List subaccount products API endpoint returns these parameters:

Example JSON response, truncated for brevity:

{
  "currency": "JPY",
  "pricing_method": "custom",
  "balance_negative_limit": "-1",
  "products": [
    {
      "product_name_id": "ssl_dv_geotrust_flex",
      "product_name": "GeoTrust DV SSL",
      "product_shim_map": [
        {
          "product_name_id": "ssl_dv_geotrust",
          "product_name": "GeoTrust Standard DV"
        }
      ],
    },
    {
      "product_name_id": "ssl_securesite_flex",
      "product_name": "Secure Site OV",
      "product_shim_map": [
        {
          "product_name_id": "ssl_plus",
          "product_name": "Standard SSL"
        },
        {
          "product_name_id": "ssl_securesite",
          "product_name": "Secure Site SSL"
        }
      ],
    },
    ...
  ],
  "is_product_shim_enabled": true
}

Some DigiCert services will be down for up to 30 minutes, while others may experience interruptions during scheduled maintenance on August 5, 2023, 09:00 – 11:00 MDT (15:00 – 17:00 UTC).

DigiCert will perform scheduled maintenance on August 5, 2023, 22:00 – 24:00 MDT (August 6, 2023, 04:00 – 06:00 UTC). Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

What can I do?

Plan accordingly:

Services will be restored as soon as the maintenance is completed.

In CertCentral, we added a new validation type to the organization prevalidation workflow, SMIME – SMIME Organization Validation. Starting August 29, 2023, DigiCert must validate the organization included in Secure Email (S/MIME) certificates with the new validation type, SMIME – SMIME Organization Validation, before we can issue the certificate. To learn more about organization prevalidation, see our Submit an organization for prevalidation instructions.

Why is DigiCert adding SMIME – SMIME Organization Validation?

As part of the new requirements for public Secure Email (S/MIME) certificates, certificate authorities (CAs), such as DigiCert, must validate the organization included in a Secure Email certificate for S/MIME validation before we can issue the certificate.

How does this affect my client certificate process?

DigiCert will continue to require OV - Normal Organization Validation to validate the organization included in a Secure Email (S/MIME) certificate until we update our process on August 29, 2023. Then, we will require the organization included in a Secure Email certificate to be validated for the new SMIME – SMIME Organization Validation.

In the CertCentral Services API, for client certificate orders, we updated the Order info API endpoint to return data describing the type of organization validation DigiCert will use for client certificates after August 29.

Background

The Order info API endpoint returns a product object with information about the type of certificate on the order. For certificates that require organization validation, the product object includes parameters describing the type of organization validation used for the product:

After today's update, for client certificates that require organization validation, these fields return values associated with SMIME Organization Validation. For example:

{
... 
   "product": {
        "csr_required": false,
        "name": "Premium",
        "name_id": "client_premium",
        "type": "client_certificate",
        "validation_description": "SMIME Organization Validation",
        "validation_name": "SMIME",
        "validation_type": "smime"
    },
...
}

Before, these fields returned values associated with Normal Organization Validation. For example:

{
... 
   "product": {
        "csr_required": false,
        "name": "Premium",
        "name_id": "client_premium",
        "type": "client_certificate",
        "validation_type": "ov",
        "validation_name": "OV",
        "validation_description": "Normal Organization Validation",
    },
...
}

How does this affect my API client integration?

If you use the Order info API endpoint to retrieve validation information from the product object, make sure your integration can handle the new validation type values for client certificates.

Otherwise, this change is compatible with existing workflows for validating organizations and requesting client certificates:

Stay informed about updates to client certificate API workflows

As we update our systems to comply with the new Secure Email (S/MIME) baseline requirements, we will continue updating Services API workflows for managing S/MIME certificates in CertCentral. Visit our developer portal for a comprehensive list of these changes: Services API updates for client certificate certificate workflows. Make sure to save this page and check it frequently, as we will update this article as new information becomes available.

In the CertCentral Services API, we updated the Email site seal API endpoint. Now, when emailing site seal code, you can choose who receives the email by including the optional parameter recipient_email in your request. If omitted, DigiCert emails the site seal to the authenticated user (the user that owns the API key in the request).

Example cURL request:

curl 'https://www.digicert.com/services/v2/order/certificate/{{order_id}}/site-seal/email-seal' \
--header 'X-DC-DEVKEY: {{api_key}}' \
--header 'Content-Type: application/json' \
--data-raw '{
  "recipient_email": "john.doe@example.com"
}'

For more information, visit the API reference documentation: Email site seal.

We updated the CertCentral Services API documentation to describe how to create an organization and submit it for validation with a single API request. Learn more: Create organization.

On July 11, 2023, at 10:00 MDT (16:00 UTC), DigiCert will fix an issue causing the Order info API endpoint to return unexpected verified_contacts data. We will restore the Order info response to its original behavior and stop returning verified_contacts inside the organization object.

To get verified contacts for an organization, use the Organization endpoints:

{
  ...
  "organization": {
    "id": 12345,
    "name": "Example Organization, LLC",
    "display_name": "Example Organization, LLC",
    "is_active": true,
    "city": "Saratoga Springs",
    "state": "Utah",
    "country": "us",
    "telephone": "555-555-5555",
    "verified_contacts": [
      {
        "id": 1234,
        "user_id": "5678",
        "name": "John Doe",
        "first_name": "John",
        "last_name": "Doe",
        "job_title": "Developer",
        "telephone": "555-555-5555",
        "email": "john.doe@example.com"
      }
    ]
  },
  ...
}  

{
  ...
  "organization": {
    "id": 12345,
    "name": "Example Organization, LLC",
    "display_name": "Example Organization, LLC",
    "is_active": true,
    "city": "Saratoga Springs",
    "state": "Utah",
    "country": "us",
    "telephone": "555-555-5555",
  },
  ...
}   

DigiCert will perform scheduled maintenance on July 8, 2023, 22:00 – 24:00 MDT (July 9, 2023, 04:00 – 06:00 UTC). Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

DigiCert will perform scheduled maintenance on July 8, 2023, 09:00 – 11:00 MDT (15:00 – 17:00 UTC). Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

In the CertCentral Services API, we added a new endpoint that you can use to update the order-level organization and technical contact for existing certificate orders.

Use the new endpoint to perform these operations:

For usage information, parameter descriptions, and example requests, visit the API reference: Update organization and technical contact for an order.

CertCentral admins can now establish an organization-wide setting for users to follow when requesting client certificates. The options are:

Some DigiCert services will experience service delays and performance degradation during scheduled maintenance on June 3, 2023, 22:00 – 24:00 MDT (June 4, 2023, 04:00 – 06:00 UTC).

Infrastructure maintenance-related service delay and performance degradation

The infrastructure maintenance starts at 22:00 MDT (04:00 UTC). Then for approximately 10 minutes, the services listed below will experience service delays and performance degradation that affect:

API notes

Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.

What can I do?

Plan accordingly:

Services will be restored as soon as the maintenance is completed.

Some DigiCert services will be down for up to 60 minutes during scheduled maintenance on June 3, 2023, 09:00 – 11:00 MDT (15:00 – 17:00 UTC).

DigiCert ONE infrastructure maintenance-related downtime

The DigiCert ONE infrastructure maintenance starts at 09:00 MDT (15:00 UTC). At that time, DigiCert ONE Netherlands and Switzerland instances, along with access to their managers, services, and APIs, will be down for up to 60 minutes.

API note

What can I do?

Plan accordingly:

Services will be restored as soon as the maintenance is completed.

Starting on June 1, 2023, at 00:00 UTC, industry standards will require private keys for code signing certificates to be stored on hardware certified as FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent.

CertCentral supports webhook notifications when a certificate is issued or revoked.

You can now receive notifications for certificate events without regularly querying the Orders API for certificate status. Your external application (listener) can wait to receive notification that the certificates are ready, then send a callback request to download the certificate or programmatically alert the certificate owner.

Learn more: CertCentral webhooks

We are happy to announce that you can now add custom secret keys to CertCentral webhooks. With secret keys, you can ensure the authenticity of webhook events, enhancing the security of your webhook listener.

How webhook secret keys work

When creating or updating a webhook, you can choose to add a custom secret key. If a webhook has a secret key, webhook events include the secret key value in the custom request header X-WEBHOOK-KEY.

To prevent your webhook listener from processing invalid events, configure the endpoint for your webhook listener to validate the X-WEBHOOK-KEY value for each event it receives.

Learn more:

In the CertCentral Services API, we updated the request body for creating an Encryption Everywhere DV order to stop using the use_auth_key parameter. Now, DigiCert always ignores the use_auth_key parameter in your requests to create an Encryption Everywhere DV order.

On May 16, 2023, at 10:00 AM MDT (16:00 UTC), DigiCert will change the default behavior for DV TLS/SSL orders in CertCentral accounts using AuthKeys.

Starting May 16, DV TLS certificate orders and reissues created with the CertCentral Services API will always use a default value of false for the use_auth_key request parameter.

After this change, to validate domains on a DV order or reissue using AuthKey request tokens, you must include the use_auth_key parameter with a true value in the body of your certificate request:

{
  ...
  "use_auth_key": true
  ...
}

To give API clients more control over the contacts assigned to new and renewal orders, we updated the CertCentral Services API to support order-level organization contacts.

Now, when requesting or renewing a certificate, you can assign an organization and technical contact directly to the order instead of using the contacts assigned to the organization on the request. If you do, DigiCert creates the order using the order-level contacts. The organization and technical contact for the organization remain unchanged.

To submit an order-level organization and technical contact with your order, include the organization_contact and technical_contact objects at the root of your JSON request body. If omitted, DigiCert uses the organization and technical contact assigned to the organization on the order.

Example JSON request

{
  "certificate": {
    "common_name": "example.net",
    "csr": "<csr>"
  },
  "organization_contact": {
    "first_name": "Jane",
    "last_name": "Doe",
    "job_title": "Manager",
    "telephone": "555-555-5555",
    "email": "jane.doe@example.com"
  },
  "technical_contact": {
    "first_name": "John",
    "last_name": "Doe",
    "job_title": "Site Reliability Engineer",
    "telephone": "555-555-5556",
    "email": "john.doe@example.com"
  },
  "organization": {
    "id": <organization_id>
  },
  "order_validity": {
    "years": 6
  },
  "payment_method": "balance"
}

Supported products

The API supports the option to add an order-level organization contact for all certificates that require an organization contact.

DigiCert will perform scheduled maintenance on May 6, 2023, 22:00 – 24:00 MDT (May 7, 2023, 04:00 – 06:00 UTC).

Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

Services will be restored as soon as the maintenance is completed.

Some DigiCert services will be down for up to 60 minutes during scheduled maintenance on May 6, 2023, 09:00 – 11:00 MDT (15:00 – 17:00 UTC).

DigiCert ONE infrastructure-related maintenance downtime

The DigiCert ONE infrastructure-related maintenance starts at 15:00 UTC. At that time, DigiCert ONE Netherland and Switzerland instances, along with access to their managers, services, and APIs, will be down for up to 60 minutes.

API notes

Services will be restored as soon as the maintenance is completed.

We are happy to announce that DigiCert is now offering enhanced Secure Email Certificates (S/MIME) at two levels, Secure Email for Individual and Secure Email for Business.

These certificates offer:

Secure Email for Individual is automatically validated and quick to generate – you can begin using your certificate within minutes.

Secure Email for Business includes an extra level of validation, authenticating your organization as an email sender, and includes support options.

To add these certificates to your CertCentral account, select Secure email certificates on the request page.

Don’t see Secure Email for Individual and Secure Email for Business in your account? Contact your account manager or DigiCert Support.

We updated the Issued filter in the Order Status search feature on the CertCentral Orders page to only return your issued certificates. Previously, the issued filter returned issued, renewed, expired, and reissue pending orders in the search results, making it difficult to find only your issued certificates.

See for yourself

How the Order Status filter work

When using the Order Status search feature, you can only use one filter at a time. See the table below for information on the results that each filter returns in its search.

For multiple status searches, leave the Order Status search as Unfiltered and download a CSV file. You can also use the Reports library to build a custom report (in the left main menu, go to Reports).

We improved how the API returns data when using the endpoint to edit domains on pending OV or EV orders and reissues. After this change, when editing domains on a pending OV or EV order:

Before this change, successful requests to edit domains on pending OV or EV orders and reissues returned a response status code of 204 No Content. The response did not include any data, even if the request created new domains in your account.

Example response for a successful call to edit domains on a pending OV or EV order:

{
  "domains": [
    {
      "id": 4069862,
      "name": "example.org",
      "dns_name": "example.org",
      "dcv_token": {
        "token": "<random_value>",
        "expiration_date": "2023-04-29T22:52:24+00:00"
      }
    },
    {
      "id": 4069862,
      "name": "example.org",
      "dns_name": "subdomain.example.org",
      "dcv_token": {
        "token": "<random_value>",
        "expiration_date": "2023-04-29T22:52:24+00:00"
      }
    },
    {
      "id": 4069862,
      "name": "example.org",
      "dns_name": "another.subdomain.example.org",
      "dcv_token": {
        "token": "<random_value>",
        "expiration_date": "2023-04-29T22:52:24+00:00"
      }
    }
  ]
}

In this example, every domain (dns_name) on the order is submitted for validation under the scope of the base domain example.org. This means each object in the domains array returns the name and id for example.org.

Learn more: Edit domains on a pending order or reissue

Some DigiCert services will be down or experience delayed responses for up to 10 minutes during scheduled maintenance on April 8, 2023, 22:00 – 24:00 MDT (April 9, 04:00 – 06:00 UTC).

Infrastructure-related maintenance downtime

The infrastructure-related maintenance starts at 22:05 MDT (04:05 UTC). At that time, the services listed below will be down for up to 10 minutes.

Affected services

Certificate Issuing Service (CIS) and CertCentral Simple Certificate Enrollment Protocol (SCEP)

CertCentral certificate issuance

QuoVadis® TrustLink® certificate issuance

Direct Cert Portal certificate issuance

PKI Platform 8 new domain and organization validation

Some DigiCert services will be down for up to 10 minutes during scheduled maintenance on April 8, 2023, 09:00 – 11:00 MDT (15:00 – 17:00 UTC).

CertCentral Infrastructure-related maintenance downtime

The infrastructure-related maintenance starts at 10:05 MDT (16:05 UTC). At that time, CertCentral certificate issuance may be down or experience delayed response for up to 10 minutes.

Items to note:

We are happy to announce that CertCentral now allows you to add a valued added tax (VAT)* number to all your transactions, such as purchasing a certificate and depositing funds. DigiCert will append the VAT number supplied as a reference on payment records. Remember that if you do not provide your VAT number, your orders may include unexpected taxes that would have been excluded had you provided the VAT ID number.

You can add a VAT number to your account or division. When requesting a certificate, depositing funds, and creating a purchase order, you can use the account or division VAT number or add a custom VAT number that applies to that transaction only. The VAT number appears on your invoice/receipts and purchase orders (POs).

In the CertCentral Services API, we updated the Order validation status API to return a new response parameter for domains pending validation: dns_name_validations[].name_scope.

The name_scope parameter returns the domain you must validate to prove control over the domain on the certificate order. This is useful when you need to validate a domain on the certificate by completing a DCV check for either the base domain or for a subdomain between the FQDN and base domain.

For example:

{
  ...
  "dns_name_validations": [
    {
      "name_scope": "sub.example.com",
      "status": "unapproved",
      "method": "email",
      "dns_names": [
        "sub.example.com"
      ],
      "base_domain": "example.com"
    }
  ]
  ...
}

Notes:

On March 28, 2023, at 10:00 MDT (16:00 UTC), DigiCert will fix a bug with the Order validation status API endpoint. This bug causes the API to return different values for DV TLS orders versus OV and EV TLS orders in the dns_name_validations[].dns_names array.

Starting March 28, the dns_name_validations[].dns_names array in the Order validation status API response will always contain the exact FQDN associated with the given validation details.

This fix standardizes what is returned for DV, OV, and EV TLS orders in the dns_name_validations[].dns_names array. It also aligns the API behavior with the description of the dns_names array in the API documentation.

Currently:

{
  ...
  "dns_name_validations": [
    {
      "status": "unapproved",
      "method": "email",
      "dns_names": [
        "example.net"
      ],
      "base_domain": "example.net"
    },
    {
      "status": "unapproved",
      "method": "email",
      "dns_names": [
        "example.org"
      ],
      "base_domain": "example.org"
    }
  ]
  ...
}

{
  ...
  "dns_name_validations": [
    {
      "status": "unapproved",
      "method": "email",
      "dns_names": [
        "sub.example.net"
      ],
      "base_domain": "example.net"
    },
    {
      "status": "unapproved",
      "method": "email",
      "dns_names": [
        "sub.example.org"
      ],
      "base_domain": "example.org"
    }
  ]
  ...
}

We updated the individual domain validation process (often referred to as domain prevalidation) to improve how we display the domain’s domain control validation (DCV) method.

Note that before, we always showed the last submitted DVC method. This wasn’t very clear for customers whose last submitted DCV method was different from the last method used to validate the domain.

Now, when a domain is pending validation or revalidation, we show the last submitted DCV method (in other words, the method currently being used to validate the domain). After you validate the domain, we show the DCV method last used to complete the validation.

We added the dcv_approval_method parameter to the Domain info API response. This parameter returns the DCV method used to complete the most recent DCV check for the domain.

We only return the dcv_approval_method parameter when the request URL contains ?include_dcv=true.

Learn more about the Domain info API endpoint.

On March 8, 2023, at 10:00 MST (17:00 UTC), DigiCert will begin updating the default public issuance of TLS/SSL certificates to our second-generation (G2) root and intermediate CA (ICA) certificate hierarchies. See our DigiCert root and intermediate CA certificate updates 2023 knowledge base article for more information.

Some DigiCert services will be down for approximately 5 minutes during scheduled Europe maintenance on March 4, 2023, 09:00 - 11:00 MST (16:00 - 18:00).

QuoVadis platform maintenance-related downtime

During the two-hour maintenance window, QuoVadisQ platform services will be down for approximately 5 minutes while we do some infrastructure-related maintenance that requires server restarts.

Services will be restored as soon as the maintenance is completed.

We are happy to announce that DigiCert has added two new features to our Verified Mark Certificates:

To support VMC file hosting and government marks in API integrations, we made several additive enhancements to the endpoints for managing VMC orders.

We are happy to announce that we have improved the verified contact selection process when ordering EV SSL/TLS, Code Signing, and EV Code Signing certificates.

Now when you select an organization with existing verified contacts, you can see if a contact is validated (green check mark) or pending validation (yellow timer). Before, you could not see the validation status for the organization’s verified contacts.

Example: Pending and validated verified contacts

We are happy to announce that DigiCert now recognizes three more intellectual property offices for verifying the logo for your VMC certificate. These offices are in Denmark, France, Netherlands, New Zealand, Sweden, and Switzerland.

New approved trademark offices:

Other approved trademark offices:

On February 15, 2023, at 08:00 MST (15:00 UTC), DigiCert will assign new dedicated IP addresses to several DigiCert services.

For more details about these IP addresses, see our New Dedicated IP Addresses knowledge base article.

If you have questions or need help, contact your account manager or DigiCert Support.

We are happy to announce that we’ve reimplemented the RSS Feed for the CertCentral® Change log. You can find the new change log feed here: https://docs.digicert.com/en/certcentral/change-log.rss.

RSS feed items to note

RSS feed reader tips

We are happy to announce that we updated the Prove control over your domain popup window for pending OV and EV TLS certificate orders, making it easier to see what you need to do to complete the domain validation for all domains included on your certificate.

Now, when you select a domain control validation (DCV) method, you can see basic instructions for completing the domain validation along with a link to more detailed instructions on our product documentation website.

Changes to note:

• Basic instruction improvements for each DCV method

  • Better formatting

  • Easy to scan

• Order token improvements

  • Quickly identify the order token to use for all token-based DCV methods

  • See the token expiration date

• Token generation improvement

  • Automatic token generation replaces the token generation feature

  • DigiCert automatically generates a new token when the old one expires

See for yourself

1. In the left main menu, go to Certificates > Orders.

2. On the Orders page, locate and select the order number of a pending OV or EV certificate order.

3. On the OV or EV certificate’s Order details page, under What do I need to do, select the domain name link.

Improved Prove control over your domain popup window

We updated the CertCentral Services API to return the expiration date for order-level DCV random values.

Now, when you submit a request to the Get order DCV random value or  Change order DCV method API endpoints, the response includes the expiration date (expiration_date) of the random value:

{
   "dcv-random_value": "fjqr7th5ds",
   "expiration_date": "2023-02-24T16:25:52+00:00"
}

Some DigiCert services will be down for up to 10 minutes during scheduled Europe maintenance on February 4, 2023, 09:00 - 11:00 MST (16:00 - 18:00)

QuoVadis platform maintenance-related downtime

During the two-hour maintenance window, QuoVadis platform services will be down for up to 10 minutes in total while we do some infrastructure-related maintenance that requires service restarts: 5 minutes for a monthly patching restart and 5 minutes for a database restart.

To improve security and better integrate with current Single Sign-On technology, DigiCert now supports SSO federation through Open ID Connect (OIDC).

We are happy to announce that we added Verified Mark Certificates (VMCs) to the available products for Guest URLs for CertCentral Enterprise and CertCentral Partner.

Previously, you had to add someone to your account before they could order a Verified Mark Certificate (VMC). Now, you can create a Guest URL that allows a person to order a VMC without needing to be a user in your account.

See for yourself

1. In your CertCentral account, in the left menu, go to Account > Guest Access.

2. On the Guest Access page, in the Guest URLs section, select the Add Guest URL link.

3. In the Add Guest URL popup window, in the Allowed products field, search for and select Verified Mark Certificate.

We fixed a bug that prevented pending verified contacts from being displayed on the Organization details page. Note that after we validated a contact, they were automatically added to the page (i.e., you could see the “validated” verified contacts but not those pending validation).

Now when you submit a verified contact for validation, they appear in the Verified Contacts section along with the pending validation types: EV, EV CS, or CS.

We are happy to announce that you can now set the domain validation scope when reissuing your TLS/SSL certificates.

On the TLS/SSL certificate reissue forms, we added a DCV scope dropdown that allows you to set the domain validation scope to use when validating the domains on your reissued certificate: validate base domains or validate exact domain names. This setting makes it easier to see the default domain validation scope you will use to validate the domains when reissuing your certificate and update the scope if needed.

On January 16, we will rename Legacy order # in CertCentral. We will change the name to Alternate order # to better align with the API and the purpose of this second order number.

Starting January 16

Before January 16

To make it easier to find information about updates to CertCentral and the CertCentral APIs, we improved the structure of the CertCentral change log. Now, DigiCert publishes all CertCentral change log entries to a single page with these sections:

With the new structure, you can use Control + F (Windows) or Command + F (Mac) to search the entire catalogue of entries on this page for the information you need.

We fixed a bug that prevented standard and limited users from viewing the Expiring DigiCert Certificates widget on the Dashboard and the expiring certificate and order alerts on the Orders page. It also prevented them from viewing the Expiring Certificates page.

Now, when standard and limited users sign in to their CertCentral account, they see:

Some DigiCert services will be down for up to 120 minutes during scheduled maintenance on January 7, 2023.

DigiCert is happy to announce that we updated the Order details page for pending EV and standard code signing certificate orders.

To make it easier to see what you need to do and what DigiCert needs to do to issue your EV and standard code signing certificates, we added two new sections to the Certificate status section of the Order details page:

We are happy to announce that you can now set the domain validation scope when ordering a new TLS/SSL certificate.

On the TLS/SSL certificate request forms, we added a DCV scope dropdown that allows you to set the domain validation scope to use when validating the domains on your certificate: validate base domains or validate exact domain names. This setting makes it easier to see the default domain validation scope you will use to validate the domains on your certificate and update the scope if needed.

We are happy to announce that you can now set the domain validation scope when ordering or reissuing a TLS/SSL certificate with the Services API. Use the certificate_dcv_scope parameter to define the domain validation scope for the order, overriding the domain validation scope setting for the account.

The certificate_dcv_scope parameter accepts these values:

{
  ...
  "skip_approval": true,
  "dcv_method": "dns-txt-token",
  "certificate_dcv_scope": "base_domain",
  ...
}

To make it easier to plan your certificate-related tasks, we scheduled our 2022 maintenance windows in advance. See DigiCert 2022 scheduled maintenance—this page is updated with all current maintenance schedule information.

With customers worldwide, we understand there is not a "best time" for everyone. However, after reviewing the data on customer usage, we selected times that would impact the fewest amount of our customers.

About our maintenance schedule

If you need more information regarding these maintenance windows, contact your account manager or DigiCert Support.

To simplify the domain control validation (DCV) workflow for OV and EV TLS certificates, we've improved our random value generation process for OV and EV certificate orders.

Now, when using DCV methods that require a random value to complete the domain validation for your OV or EV TLS orders, you receive a single random value that you can use to complete the DCV check for every domain on the order.

This change brings the DCV workflow for OV and EV orders into closer alignment with DV orders, which have always returned a single random value for all domains on the order.

Affected DCV methods:

To improve API workflows for clients using DCV methods that require a random value for OV and EV TLS certificate orders, we made the following enhancements to the CertCentral Services API.

{
  "id": 12345,
  "dcv_random_value": "ab12cdef345gh6i78jklmnop901qrs23",1
  "domains": [
    {
      "id": 1469,
      "name": "example.com",
      "dns_name": "example.com",
      "dcv_token": {
        "token": "ab12cdef345gh6i78jklmnop901qrs23",
        "status": "pending",
        "expiration_date": "2023-08-16T01:16:29+00:00"
      }
    },
    {
      "id": 1469,
      "name": "example.com",
      "dns_name": "sub.example.com",
      "dcv_token"2: {
        "token": "ab12cdef345gh6i78jklmnop901qrs23",
        "status": "pending",
        "expiration_date": "2023-08-16T01:16:29+00:00"
      }
    },
    {
      "id": 1470,
      "name": "example.org",
      "dns_name": "example.org",
      "dcv_token": {
        "token"3: "ab12cdef345gh6i78jklmnop901qrs23",
        "status": "pending",
        "expiration_date": "2023-08-16T01:16:29+00:00"
      }
    }
  ],
  "certificate_id": 123456
}

{
  ...
  "higher_level_domains": [
    {
      "name": "sub.example.com",
      "id": 4316203,
      "dcv_expiration_datetime": "2023-12-04T04:08:50+00:00"
    },
    {
      "name": "example.com",
      "id": 4316205,
      "dcv_expiration_datetime": "2023-12-04T04:08:49+00:00"
    }
  ],
  ...
}

https://www.digicert.com/services/v2/domain/{{domain_id}}?include_dcv=true

To give API clients access to more information about the verified contacts that exist for an organization, we added a new array to the Organization info API response: verified_contacts.

The new verified_contacts array provides a list of objects with details about each verified contact that exists for the organization. The verified_contacts array:

{
... 
 "verified_contacts": [
    {
      "id": 942858,
      "name": "Jane Doe",
      "first_name": "Jane",
      "last_name": "Doe",
      "job_title": "Site Reliability Engineer",
      "telephone": "1234567890",
      "email": "jane.doe@example.com",
      "verified_roles": [
        {
          "validation_type": "EV",
          "status": "pending"
        },
        {
          "validation_type": "CS",
          "status": "pending"
        }
      ]
    }
  ],
...
}

We fixed a bug where submitting a verified contact with multiple validation types (for example, CS and EV) caused duplicate verified contacts to be created for the organization, one for each validation type. This bug affected verified contacts submitted through the CertCentral console or through the CertCentral Services API.

Now, when you submit verified contacts with multiple validation types, we assign each validation type to the same verified contact, instead of creating a duplicate.

On December 6, 2022, at 10:00 MST (17:00 UTC), DigiCert will no longer issue EV Code Signing certificates with a permanent identifier value in the Subject Alternative Name field.

What do I need to do?

Does your EV code signing process expect to find the permanent identifier when parsing your issued EV Code Signing certificates?

Does this change affect my existing EV Code Signing certificates?

This change does not affect existing EV Code Signing certificates with a permanent identifier value in the Subject Alternative Name field. However, if you reissue an EV Code Signing certificate after the change on December 6, 2022, your reissued certificate will not contain a permanent identifier.

Background

The permanent identifier is a unique code for EV code signing certificates that includes information about the certificate subject’s jurisdiction of incorporation and registration information. In 2016, the CA/Browser Forum removed the permanent identifier requirement from EV Code Signing certificates.

Starting December 6, 2022, DigiCert will require organizations on Code Signing (CS) and EV Code Signing (EV CS) certificate orders to have a verified contact.

This change was originally scheduled for October 19, 2022. However, we postponed the change to December 6, 2022. For more information, see the October 19, 2022 change log entry.

Learn more:

DigiCert will perform scheduled maintenance on December 3, 2022, 22:00 – 24:00 MST (December 4, 2022, 05:00 – 07:00 UTC).

Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

DigiCert will perform scheduled maintenance on November 5, 2022, 22:00 –24:00 MDT (November 6, 2022, 04:00 – 06:00 UTC). Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

We updated the Prove control over your domain popup window for pending DV orders, making it easier to see what you need to do to complete the domain validation for all domains included on your certificate.

Now, when you select a domain control validation (DCV) method, you can see basic instructions for completing the domain validation along with a link to more detailed instructions on our product documentation website.

See for yourself

Improved Prove control over your domain popup window

DigiCert is happy to announce that CertCentral allows you to upgrade your product when renewing your order.

Are you tired of placing a new order and reentering all your information when upgrading to a new product?

Now you don’t have to. We’ve improved our order renewal process so you can upgrade your product when renewing your certificate order.

Don’t see that option to upgrade your product when renewing your order, or already have the products you need and don’t want to see the option to upgrade?

Don’t worry; you can enable and disable this feature as needed. When ready to upgrade, you can enable it to save the hassle of placing a new order. When done, you can disable it until the next time you want to upgrade a product. See Upgrade product on renewal settings.

DigiCert is happy to announce that we updated the Code Signing and EV Code Signing request forms making it easier to view and add organization-related information when ordering a certificate.

This update allows you to select an organization and review the contacts associated with that organization or enter a new organization and assign contacts to the new organization.

Changes to note

Before, you could only see and select an existing organization and could not see the contacts assigned to the organization.

See for yourself

In your CertCentral account, in the left main menu, go to Request a Certificate > Code Signing or Request a Certificate > EV Code Signing to see the updates to the request forms.

When reissuing your code signing certificate, we now include the Subject Email Address on your reissued certificate. Adding a subject email is optional and only available in enterprise accounts.

Note that we will not include the subject email address in the reissued certificate if the domain validation on that email domain has expired.

Background

When you order a code signing certificate, you can include an email address on your code signing certificate—subject email. Including an email address on the certificate provides an additional layer of trust for end users when checking your code signing signature.

See Order a Code Signing certificate.

We are happy to announce that you can now make the Additional emails field a required field on CertCentral, Guest URL, and Guest Access request forms.

Tired of missing important expiring certificate notifications because the certificate owner is on vacation or no longer works for your organization?

The change helps prevent you from missing important notifications, including order renewal and expiring certificate notifications when the certificate owner is unavailable.

See for yourself:

To change this setting for CertCentral request forms:

To change this setting for Guest Access:

To change this setting for Guest URLs:

On October 20, 2022, the RSS feed for the docs.digicert.com change log is going down due to a platform migration.

It will return. Check back here for updates or contact us at docs@digicert.com to be notified when the new RSS feed is available.

Starting October 19, 2022, DigiCert will require organizations on Code Signing (CS) and EV Code Signing (EV CS) certificate orders to have a verified contact.

DigiCert has always required a verified contact from the organization to approve code signing certificate orders before we issue the certificate. Today, DigiCert can add a verified contact to an organization during the validation process. After October 19, verified contacts must be submitted with the organization.

To make the transition easier, when you submit a request to the Order code signing certificate API endpoint, DigiCert will default to adding the authenticated user (the user who owns the API key in the request) as a verified contact for the organization.

DigiCert will apply this default when:

To avoid a lapse in service, make sure users in your CertCentral account with active API keys have a job title and phone number.

Learn more

We are happy to announce that we updated the DigiCert site seal image and replaced the checkmark with a padlock.

The updated site seal continues to provide your customers with the assurance that your website is secured by DigiCert—the leading provider of digital trust.

In CertCentral, we reorganized and updated the look of the Code Signing and EV Code Signing certificate request forms. These forms are now more consistent with the look and flow of our TLS/SSL certificate request forms.

On the code signing request form, when adding a Subject email address to appear on the certificate, you can now see the validated domains assigned to the organization with which the code signing certificate is associated.

DigiCert will perform scheduled maintenance on October 8, 2022, 22:00 –24:00 MDT (October 9, 2022, 04:00 – 06:00 UTC). Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

DigiCert will end support for Cipher-Block-Chaining (CBC) ciphers in TLS connections to our services on October 8, 2022, at 22:00 MDT (October 9, 2022, at 04:00 UTC).

This change affects browser-dependent services and applications relying on CBC ciphers that interact with these DigiCert services:

This change does not affect your DigiCert-brand certificates. Your certificates will continue to work as they always have.

To give you more control over your domain prevalidation workflows, we added a new optional request parameter to the Add domain API endpoint: keep_www. Use this parameter to keep the www. subdomain label when you add a domain using a domain control validation (DCV) method of email, dns-txt-token, or dns-cname-token.

By default, if you are not using file-based DCV, the Add domain endpoint always removes the www. subdomain label from the name value. For example, if you send www.example.com, DigiCert adds example.com to your account and submits it for validation.

To keep the www and limit the scope of the approval to the www subdomain, set the value of the keep_www request parameter to true:

{
  "name": "www.example.com",
  "organization": {
    "id": 12345
  },
  "validations": [
    {
      "type": "ov"
    }
  ],
  "dcv_method": "email",
  "keep_www": true
}

CertCentral supports including a revocation reason when revoking a certificate. Now, you can choose one of the revocation reasons listed below when revoking all certificates on an order or when revoking an individual certificate by ID or serial number.

Supported revocation reasons:

*Note: Selecting Key compromise does not block using the associated public key in future certificate requests. To add the public key to the blocklist and revoke all certificates with the same key, visit problemreport.digicert.com and prove possession of the key.

Revoke immediately

We also added the Revoke this certificate immediately option that allows Administrators to skip the Request and Approval process and revoke the certificate immediately. When this option is deselected, the revocation request appears on the Requests page, where an Administrator must review and approve it before it is revoked.

Background

The Mozilla root policy requires Certificate Authorities (CAs) to include a process for specifying a revocation reason when revoking TLS/SSL certificates. The reason appears in the Certificate Revocation List (CRL). The CRL is a list of revoked digital certificates. Only the issuing CA can revoke the certificate and add it to the CRL.

DigiCert will perform scheduled maintenance on September 10, 2022, 22:00 –24:00 MDT (September 11, 2022, 04:00 – 06:00 UTC). Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

In the CertCentral Services API, we added the option to choose a revocation reason when you submit a request to revoke a TLS/SSL certificate.

You can choose a revocation reason when revoking all certificates on an order or when revoking an individual certificate by ID or serial number.

To choose a revocation reason, include the optional revocation_reason parameter in the body of your request.

Example JSON request body:

{
  "revocation_reason": "superseded"
}

For information about each revocation reason, visit the API documentation:

In the CertCentral Services API, we added a new contact_type label for verified contacts: verified_contact.

Use the verified_contact label to identify verified contacts for an organization when you submit a request for an EV TLS, Verified Mark, Code Signing, or EV Code Signing certificate. The updated label applies to all verified contacts, regardless of which product type the order is for.

For example, this JSON payload shows how to use the verified_contact label to add a verified contact to an organization in a new certificate order request:

{
  "certificate": {
    ...
  }
  "organization": {
    "id": 12345,
    "contacts": [
      {
        "contact_type": "verified_contact",
        "user_id": 12345
      }
  },
  ...
}

Note: Before this change, verified contacts were always identified with the label ev_approver. The CertCentral Services API will continue accepting ev_approver as a valid label for verified contacts on EV TLS, VMC, Code Signing, and EV Code Signing certificate orders. The verified_contact label works the same as the ev_approver label, but the name is updated to apply to all products that require a verified contact.

We updated the Order code signing certificate API documentation to describe three ways to add an organization to your Code Signing (CS) or EV Code Signing (EV CS) order requests:

Learn more: Order code signing certificate – CS and EV CS organization validation

DigiCert is happy to announce that CertCentral allows you to modify the common name and subject alternative names (SANs) on pending orders: new, renewals, and reissues.

Tired of canceling an order and placing it again because a domain has a typo? Now, you can modify the common name/SANs directly from a pending order.

Items to note when modifying SANs

See for yourself

See Edit common name and SANs on a pending TLS/SSL order: new, renewals, and reissues.

To make it easier for API clients to get the exact date and time domain validation reuse periods expire, we added new response parameters to the Domain info and List domains API endpoints:

Learn more:

Some DigiCert services will be down for about 15 minutes during scheduled maintenance on August 6, 2022, 22:00 – 24:00 MDT (August 7, 2022, 04:00 – 06:00 UTC).

To give API clients the option to hide unused certificates from API response data, we released new API endpoints to archive and restore certificates. By default, archived certificates do not appear in response data when you submit a request to the List reissues or List duplicates API endpoints.

New API endpoints

Updated API endpoints

We updated the List reissues and List duplicates endpoints to support a new optional URL query parameter: show_archived. If the value of show_archived is true, the response data includes archived certificates. If false (default), the response omits archived certificates.

Some DigiCert services will be down for a total of 20 minutes during scheduled maintenance on July 9, 2022, 22:00 – 24:00 MDT (July 10, 2022, 04:00 – 06:00 UTC).

DigiCert is happy to announce that we improved the layout and design of the Order details page.

We took your feedback and updated the Orders page to make managing your certificates and orders easier throughout their lifecycle.

When we reorganized the information on the Order details page, we didn’t remove anything. So, everything you did before the updates, you can still do now. However, there are a few things you asked for that you can do now that you couldn’t do before.

DigiCert is happy to announce that we improved the CAA resource record checking feature and error messaging for failed checks in CertCentral.

Now, on the order’s details page, if a CAA resource record check fails, we display the check’s status and include improved error messaging to make it easier to troubleshoot problems.

DigiCert is happy to announce that CertCentral bulk domain validation now supports two more domain control validation (DCV) methods: DNS TXT and DNS CNAME.

Remember, domain validation is only valid for 397 days. To maintain seamless certificate issuance, DigiCert recommends completing DCV before the domain's validation expires.

Don't spend extra time submitting one domain at a time for revalidation. Use our bulk domain revalidation feature to submit 2 to 25 domains at a time for revalidation.

DigiCert is happy to announce the following enhancements to the CertCentral Report Library API:

DigiCert will perform scheduled maintenance on June 4, 2022, 22:00 –24:00 MDT (June 5, 2022, 04:00 – 06:00 UTC). Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

Update: To give API consumers more time to evaluate the impact of the Order info API response changes on their integrations, we are postponing this update until May 31, 2022. We originally planned to release the changes described below on April 25, 2022.

On May 31, 2022, DigiCert will make the following improvements to the Order info API. These changes remove unused values and update the data structure of the order details object to be more consistent for orders in different states across product types.

For more information and response examples for public TLS, code signing, document signing, and Class 1 S/MIME certificates, see the reference documentation for the Order info endpoint.

If you have questions or need help with these changes, contact your account representative or DigiCert Support.

On May 24, 2022, between 9:00 am and 11:00 am MDT (3:00 pm and 5:00 pm UTC), DigiCert will replace the GeoTrust and RapidSSL intermediate CA (ICA) certificates listed below. We can no longer issue maximum validity (397-day) DV certificates from these intermediates.

See the DigiCert ICA Update KB article.