Request X9 PKI for TLS certificate
Notice
The X9 PKI for TLS certificate is not available in all CertCentral accounts by default. To enable it, contact your account representative or DigiCert Support.
Before you begin
CSR requirements
A CSR is required with every X9 PKI for TLS certificate request. The certificate must use at least an RSA 2048-bit key size. See Generate a certificate signing request (CSR).
| Algorithm | Supported key lengths |
|---|---|
| RSA | 2048, 3072, 4096 |
| ECC | p-256, p-384 |
Domain validation
The X9 PKI for TLS certificate supports only fully qualified domain names and IP addresses. Wildcard domains are not supported.
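The following is an added example, not DigiCert code: a pre-submission check that parses a CSR with the OpenSSL command line and compares its key and SANs against the requirements above and the IP-address DCV rule in the ordering steps. It assumes OpenSSL 1.1.1 or later (for `-addext`); the function names `make_csr` and `check_csr`, the subject and the host names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-submission CSR check against this page's requirements.
# Subject, host names and file names used with it are constructed placeholders.

# make_csr KEY_OUT CSR_OUT COMMON_NAME SAN_LIST  (RSA 3072, SHA-256)
make_csr() {
  openssl req -new -newkey rsa:3072 -nodes -sha256 \
    -keyout "$1" -out "$2" -subj "/C=US/O=Example Bank/CN=$3" \
    -addext "subjectAltName=$4" 2>/dev/null
}

# check_csr CSR_FILE  -> prints findings; returns 0 only if nothing failed
check_csr() {
  rc=0
  text=$(openssl req -in "$1" -noout -text 2>/dev/null) ||
    { echo "FAIL: cannot parse CSR"; return 2; }
  alg=$(printf '%s\n' "$text" | sed -n 's/.*Public Key Algorithm: *//p' | head -n1)
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n1)
  curve=$(printf '%s\n' "$text" | sed -n 's/.*ASN1 OID: *//p' | head -n1)
  case "$alg" in
    rsaEncryption)
      case "$bits" in 2048|3072|4096) ;; *) echo "FAIL: RSA $bits-bit key"; rc=1 ;; esac ;;
    id-ecPublicKey)
      case "$curve" in prime256v1|secp384r1) ;; *) echo "FAIL: curve $curve"; rc=1 ;; esac ;;
    *) echo "FAIL: key algorithm $alg"; rc=1 ;;
  esac
  # SAN values are printed comma-separated on the line after the extension name.
  sans=$(printf '%s\n' "$text" | sed -n '/Subject Alternative Name/{n;p;}' |
    tr ',' '\n' | sed 's/^ *//')
  while IFS= read -r entry; do
    case "$entry" in
      "") ;;
      DNS:*\**) echo "FAIL: wildcard not supported: $entry"; rc=1 ;;
      DNS:*.*) ;;
      DNS:*) echo "FAIL: not a fully qualified name: $entry"; rc=1 ;;
      "IP Address:"*) echo "NOTE: $entry must use an HTTP Practical Demonstration DCV method" ;;
      *) echo "FAIL: unsupported SAN type: $entry"; rc=1 ;;
    esac
  done <<EOF
$sans
EOF
  return "$rc"
}

# Stand-alone use: sh check_csr.sh request.csr
if [ "$#" -gt 0 ]; then check_csr "$1"; fi
```

The check reads only the SAN extension; the Common Name in the subject is not inspected.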
Before DigiCert issues your certificate, domain control must be demonstrated using one of the following options:
Complete domain validation before ordering: Prevalidate your domains for faster issuance. See Perform domain control validation (DCV).
Validate as part of the order: Add new or expired domains and complete validation during the order process.
Organization validation
Before DigiCert can issue your certificate, DigiCert must complete X9 PKI Organization Validation.
Submit the organization for validation before ordering: Prevalidate for faster issuance. See Submit an organization for validation.
Validate as part of the order: Add a new or expired organization and DigiCert completes validation during the order process.
Order an X9 PKI
In the CertCentral main menu, go to Request a Certificate > X9 PKI Certificates > X9 PKI for TLS.
In the For menu, select the division to manage the certificate.
The For menu appears only if you use Divisions in CertCentral.
Under Certificate Settings, upload or paste your CSR. CertCentral auto-populates Common Name, SANs, and Organization from the CSR. If those fields are absent from the CSR, the corresponding form fields remain blank.
Confirm or update the Common name and Subject alternative names (SANs). The X9 PKI for TLS certificate supports only fully qualified domain names and IP addresses. Wildcard domains are not supported.
Select the Validity period:
1 year (default)
Custom expiration date: Must be within 397 days of the request date
Custom length: Maximum 397 days
To set up automatic renewal, select Auto-renew expiring order.
Auto-renew submits a renewal request 30 days before the certificate expires.
Note
This option requires payment by account balance. It is not available when paying by credit card.
To configure account finance settings, go to Finances > Settings. See Finances.
Select the DCV method for all domains on the order.
Supported methods:
DNS TXT Record
DNS CNAME Record
Email to DNS TXT contact
Email to Constructed email addresses
HTTP Practical Demonstration
HTTP Practical Demonstration with unique filename
For IP addresses, use HTTP Practical Demonstration methods only. The industry requirements mandate this.
CertCentral administrators can configure Domain validation scope under Settings > Preferences.
For full instructions on each method, see Perform domain control validation (DCV).
After submitting the order, you can assign a different DCV method per domain from the Order details page.
Under Additional certificate options, configure the following:
Signature hash: Select SHA-256 or SHA-384 with RSA. For ECC certificates, the signature hash and signing algorithm correspond automatically to the key size (p-256 = SHA-256 with ECDSA; p-384 = SHA-384 with ECDSA).
Server platform: Select the server or system where you generated the CSR.
Key usage: Select Digital signature only or Digital signature and key encipherment/key agreement.
Extended key usage (EKU): Select Dual EKUs: server and client authentication (default), Server authentication only, or Client authentication only.
Add the organization:
Select Add organization.
Select an existing organization or add a new one.
If the organization is not validated for X9 Organization Validation or validation has expired, DigiCert validates the organization before issuance.
Confirm or update the Organization contact and optionally add a Technical contact.
(Optional) Under Additional emails, enter email addresses for certificate lifecycle notifications. These recipients do not manage the order.
Under Payment information, select a payment method: credit card, contract terms, or account balance.
Read the Master Services Agreement.
Select Submit request.
Next steps after submission
CertCentral opens the Order details page for your X9 PKI for TLS certificate. The order remains pending until the following are complete:
Domain validation: Complete domain control validation for all domains and IP addresses on the order. See Perform domain control validation (DCV).
Organization validation: DigiCert calls a verified, publicly listed phone number to speak with someone who represents the organization.
After you submit your request, inform your organization contact, technical contact, and company receptionist that DigiCert will call a verified phone number within 24 hours to confirm your authority to order the certificate. If DigiCert cannot reach anyone, a validation agent leaves a message with a call-back number and a verification code. The organization or technical contact must respond with the verification code.
After domain and organization validation are complete, DigiCert issues the certificate and emails a copy to the certificate requestor. You can also download the certificate from the Order details page. See Download issued certificates.
What's next
Download issued certificates: Download and install your certificate after issuance.