Skip to main content

CertCentral two-factor authentication

DigiCert requires all CertCentral accounts to use two-factor authentication: something you know and something you have. By default, you must use your credentials (something you know) and a one-time password (something you have) to access your CertCentral account.

Why does DigiCert require two-factor authentication?

Two-factor authentication adds another layer of security to a CertCentral account. It requires users to provide two methods of identity verification before they can sign in to purchase certificates or view account information.

Requiring two forms of identification means a bad actor who gains access to someone's account password does not have instant account access. Why? No one can sign in to that account without the required second form of authentication.

Something you know: username and password

The first form of authentication required to access your account is something only you know: username and password. Each new user must create credentials—username and password—for their CertCentral account.

Something you have: One-time password or client certificate

CertCentral requires a second form of authentication before you can sign in to your account: something only you have. By default, CertCentral requires a one-time password as your second factor.

However, the "something you have" can be a one-time password generated from a one-time password (OTP) application device or a client certificate installed on a device (such as your laptop or phone).

One-time password generated from an OTP app or device

An OTP app installed on a mobile device allows users to log in from any device. Because our two-factor authentication process implements the Time-based One-Time Password (TOTP) protocol, you must use a mobile application that supports the TOTP protocol.


The TOTP protocol supports a time-based variation of the One-time password (OTP) algorithm. Each time an OTP is generated, it can only be used for a brief period. Once expired, the OTP cannot be reused. OTPs with short lifespans improve security.

Most OTP applications compatible with the TOTP protocol will work with our process. We tested these OTP applications:

  • Google Authenticator: Android, iPhone, Blackberry

  • Authy: Android, iPhone

  • Authenticator: Windows Phone

  • Duo Mobile: iPhone

Client certificate installed on a device

Client certificates let you control what devices a user can access their account from. Users can only access their account from a device their client certificate is installed on. Client certificates may also require a user to use a specific browser to access their account.

  • Windows operating systems install the client certificate in their Certificate Store. Microsoft Edge, Chrome, and Internet Explorer can access these certificates.

  • macOS installs the client certificate in their Certificate Store. Safari and Chrome can access these certificates.

  • Firefox installs the client certificate in their Certificate Store. Only Firefox can access these certificates for Windows and macOS.