フィルタリング: CAA resource record x 消去
enhancement

CertCentral: Improved DNS Certification Authority Authorization (CAA) resource records checking

DigiCert is happy to announce that we improved the CAA resource record checking feature and error messaging for failed checks in CertCentral.

Now, on the order’s details page, if a CAA resource record check fails, we display the check’s status and include improved error messaging to make it easier to troubleshoot problems.

Background

Before issuing an SSL/TLS certificate for your domain, a Certificate Authority (CA) must check the DNS CAA Resource Records (RR) to determine whether they can issue a certificate for your domain. A Certificate Authority can issue a certificate for your domain if one of the following conditions is met:

  • They do not find a CAA RR for your domain.
  • They find a CAA RR for your domain that authorizes them to issue a certificate for the domain.

How can DNS CAA Resource Records help me?

CAA resource records allow domain owners to control which certificate authorities (CAs) are allowed to issue public TLS certificates for each domain.

Learn more about using DNS CAA resource records

new

CertCentral Services API: Domain locking API endpoints

DigiCert is happy to announce our domain locking feature is now available in the CertCentral Services API.

Note: Before you can use the domain locking endpoints, you must first enable domain locking for your CertCentral account. See Domain locking  – Enable domain locking for your account.

New API endpoints

Updated API endpoints

We updated the response for the Domain info and List domains endpoints to include the following parameters with domain lock details:

  • domain_locking_status (string)
    Domain lock status. Only returned if domain locking is enabled for the account.
  • account_token (string)
    Domain lock account token. Only returned if domain locking is enabled for the account, and if domain locking has been activated for the domain at least once.

To learn more, see:

new

CertCentral: Domain locking is now available

DigiCert is happy to announce our domain locking feature is now available.

Does your company have more than one CertCentral account? Do you need to control which of your accounts can order certificates for specific company domains?

Domain locking allows you to control which of your CertCentral accounts can order certificates for your domains.

How does domain locking work?

DNS Certification Authority Authorization (CAA) resource records allow you to control which certificate authorities can issue certificates for your domains.

With domain locking, you can use this same CAA resource record to control which of your company's CertCentral accounts can order certificates for your domains.

How do I lock a domain?

To lock a domain:

  1. Enable domain locking for your account.
  2. Set up domain locking for a domain.
  3. Add the domain's unique verification token to the domain's DNS CAA resource record.
  4. Check the CAA record for the unique verification token.

To learn more, see:

new

End of life for account upgrades from Symantec, GeoTrust, Thawte or RapidSSL to CertCentral™

From April 5, 2022, MDT, you can no longer upgrade your Symantec, GeoTrust, Thawte, or RapidSSL account to CertCentral™.

If you haven't already moved to DigiCert CertCentral, upgrade now to maintain website security and have continued access to your certificates.

Note: During 2020, DigiCert discontinued all Symantec, GeoTrust, Thawte, RapidSSL admin consoles, enrollment services, and API services.

How do I upgrade my account?

To upgrade your account, contact DigiCert Support immediately. For more information about the account upgrade process, see Upgrade from Symantec, GeoTrust, Thawte, or RapidSSL.

What happens if I don't upgrade my account to CertCentral?

After April 5, 2022, you must get a new CertCentral account and manually add all account information, such as domains and organizations. In addition, you won't be able to migrate any of your active certificates to your new account.

For help setting up your new CertCentral account after April 5, 2022, contact DigiCert Support.

compliance

CanSignHttpExchanges 拡張子を ECC SSL/TLS 証明書に含める業界基準の要件:

  • "cansignhttpexchanges=yes" パラメータ* を含むドメインの CAA リソースレコード
  • 楕円曲線暗号 (ECC) 鍵ペア
  • CanSignHttpExchanges extension
  • 最大90日の有効期間*
  • Signed HTTP Exchange のみに使用

*注意:これらの要件は、2019年5月1日発効済です。Signed HTTP Exchanges 拡張子は、鋭意開発中です。業界の開発が継続している中で、要件がさらに変更される場合があります。

90日の最大証明書有効期間要件は、2019年5月1日以前に発行された証明書に影響を及ぼすことはありません。再発行済証明書は、再発行時点から90日に切り上げられますので、注意してください。ただし、完全購入の有効期間については、証明書を引き続き再発行できます。

CanSignHttpExchanges 拡張子

最近、新しい証明書プロファイル HTTP Signed Exchanges を追加し、お使いのブランドがアドレスバーに表示されない AMP URL 表示問題への対応を支援しました。「Signed Exchanges 付き AMP URL の表示を改善する」 を参照してください。

この新しいプロファイルにより、お客様は CanSignHttpExchanges 拡張子を OV と EV SSL/TLS 証明書に含めることができます。お使いのアカウントについて有効にした場合、[CanSignHttpExchanges 拡張子を証明書に含める] オプションが、[追加証明書オプション] 下の OV と EV SSL/TLS 証明書要求フォームに表示されます。「Signed HTTP Exchanges 証明書を取得する」 を参照してください。

このアカウントで証明書プロファイルを有効にするには、アカウント代理人に連絡するか、当社のサポートにお問い合わせください