Order an OV wildcard SSL/TLS certificate

Use these instructions to order a Secure Site Wildcard SSL or Wildcard SSL Certificate.

After submitting your order, you'll need to complete domain validation for the domain on the order (demonstrate control over the domain) before we can issue your certificate. See Demonstrate control over domains on your SSL certificate order.

  1. Create your Certificate Signing Request (CSR)

    To remain secure, certificates must use at least a 2048-bit key size. For more information and instructions about creating a CSR, see Create a CSR (Certificate Signing Request).

  1. Select the wildcard SSL/TLS certificate you want to order

    1. In your CertCentral account, in the sidebar menu, click Request a Certificate and then under All Products, click Product Summary.
    2. On the Request a Certificate page, look over the certificate options and select the certificate you want to order.
  1. Add your CSR

    We use the information in your CSR to autopopulate corresponding values in the order form: Common Name, Other Hostnames (SANs), and Organization. If you leave any of this information out of the CSR, the corresponding field in the form is left blank.

    If the organization in the CSR already exists in your account, we autopopulate the Organization Contact card with the contact assigned to that organization.

    On the "Request" page, under Certificate Settings, upload your CSR or paste it in the Add Your CSR box.

When copying the text from the CSR file, make sure to include the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags.

  1. Common Name

    After adding your CSR to the form, we autopopulate the Common Name field with the common name from the CSR.

    To add the common name yourself, type the common name in the box, or under Common Name, expand Show Recently Created Domains and select the domain from the list.

Make sure to format the common name correctly (*.example.com).

  1. Other Hostnames (SANs)

    After adding your CSR, we populate the Other Hostnames (SANs) box with the SANs included in the CSR. You can still remove or add additional SANs as needed.

    1. Single wildcard domain certificate
      In the Other Hostnames (SANs) box, enter the subdomain(s) that you want your Wildcard Certificate to secure. Note that the SAN names must be based off the wildcard domain entered in the Common Name field.
      For example, if *.yourdomain.com is the common name, you can add www.yourdomain.com, www.app.yourdomain.com, and mail.yourdomain.com as SANs.
    2. Multiple-wildcard-domain certificate
      Adding wildcard domains (*.yourdomain.com, *.anotherdomain.com, etc.) increases the cost of the certificate.
      In the Other Hostnames (SANs) box, enter the wildcard domains and the domains based off those wildcard domains that you want to secure. The SANs must be a wildcard domain (for example, *.yourdomain.com) or based off your listed wildcard domains.
      For example, if one of your wildcard domains is *.yourdomain.com, then you can add the SANs www.yourdomain.com or www.app.yourdomain.com to your certificate order.
    3. Subdomains
      By default, wildcard certificates only secure a specific subdomain level. If your certificate is for *.yourdomain.com, it will secure subdomains of the same level automatically, which means under most circumstances you don’t need to enter in secure.yourdomain.com to use the certificate for that FQDN.
      To secure subdomains on different levels (e.g., test.secure.yourdomain.com and six.test.secure.yourdomain.com) request a duplicate certificate. Since these subdomains are not on the same level as the wildcard (*) character, you must manually add them as SANs to the certificate. Requesting multiple duplicate certificates allows you to secure additional subdomains without invalidating the previous certificates.
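The same-level rule from the Other Hostnames (SANs) step, as an added Python example (not DigiCert code): it sorts the hostnames you plan to serve into those the wildcard already matches, those that must be listed as SANs, and those not based off any wildcard domain on the order. The function names and status labels are assumptions, as is reporting the bare base domain as needing a SAN.

```python
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
_RANK = {"off_domain": 0, "needs_san": 1, "covered": 2}

def _normalize(name):
    """Lowercase and drop a trailing dot so comparisons are label-exact."""
    return name.strip().lower().rstrip(".")

def wildcard_base(wildcard):
    """Return the base domain of '*.example.com', or raise ValueError."""
    name = _normalize(wildcard)
    if not name.startswith("*."):
        raise ValueError(f"not a wildcard name: {wildcard!r}")
    labels = name[2:].split(".")
    if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
        raise ValueError(f"malformed wildcard name: {wildcard!r}")
    return ".".join(labels)

def plan_sans(wildcards, hostnames):
    """Classify hostnames against the wildcard domains on the order.
    covered    - one label in place of '*'; matched by the wildcard itself
    needs_san  - based off a wildcard domain, but on a different level
    off_domain - not based off any wildcard domain on the order
    """
    bases = [wildcard_base(w) for w in wildcards]
    plan = {}
    for host in hostnames:
        name, best = _normalize(host), "off_domain"
        for base in bases:
            if name == base:
                # Assumption: '*' never matches the bare base domain.
                status = "needs_san"
            elif name.endswith("." + base):
                # '*' stands for exactly one label; a dot means deeper level.
                prefix = name[: -len(base) - 1]
                status = "covered" if "." not in prefix else "needs_san"
            else:
                status = "off_domain"
            if _RANK[status] > _RANK[best]:
                best = status
        plan[host] = best
    return plan

if __name__ == "__main__":
    # Constructed sample order using hostnames from the steps above.
    hosts = ["secure.yourdomain.com", "test.secure.yourdomain.com"]
    print(plan_sans(["*.yourdomain.com"], hosts))
```

Comparing against `"." + base` rather than the bare suffix keeps a look-alike such as notyourdomain.com from being treated as a subdomain of yourdomain.com.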

  1. Validity period

    Select a validity period for the certificate: 1 year, 2 years, Custom expiration date, or Custom length.

    Custom validity periods

    • Certificate pricing is prorated to match the custom certificate length.
    • Certificate validity can't exceed the industry-allowed maximum lifecycle period for the certificate. For example, you can't set a 900-day validity period for a certificate.
  1. Select a DCV Method to prove control over your domains

    Before DigiCert can issue your certificate, you must demonstrate control over the domains on your certificate order. To learn more about the available DCV Methods, see Demonstrate control over domains on a pending certificate order.

    In the DCV verification method dropdown, choose the DCV method you want to use to demonstrate control over the domain on the certificate order.

    You must use the selected DCV method to prove control over every domain on the order.

    • Verification Email
      The email recipient demonstrates control over the domain by following the instructions in a confirmation email sent for the domain.
    • DNS CNAME
      Demonstrate control over your domain by creating a DNS CNAME record containing a randomly generated value.
    • DNS TXT
      Demonstrate control over the domain on your order by creating a DNS TXT record containing a randomly generated value.
    • HTTP Practical Demonstration
      Demonstrate control over your domain by hosting a .txt file containing a randomly generated value at a predetermined location on your website.

After submitting the certificate order, you can change the DCV method per domain from the certificate's Order details page, if needed. (In the sidebar menu, click Certificates > Orders. On the Orders page, click the certificate's order number link.)

  1. Additional Certificate Options

    The information in this section is optional.

    Expand Additional Certificate Options and provide information as needed.

    1. Signature Hash
      Unless you have a specific reason for choosing a different signature hash, DigiCert recommends using the default signature hash: SHA-256.
    2. Server Platform
      Select the server or system you generated the CSR on.
    3. Organization Units
      Adding an organization unit (OU) is optional. Leave this box blank if you don't want to include OU information in your certificate.
      Organization unit information included in a certificate request requires additional validation and may delay certificate issuance.
    4. Auto-Renew
      To set up automatic renewal for this certificate, check Auto-renew order 30 days before expiration.
      With auto renew enabled, a new certificate order will be automatically submitted when this certificate nears its expiration date. If your certificate still has time remaining before it expires, DigiCert adds the remaining time from your current certificate to your new certificate (up to 825 days – approximately 27 months).

If you include organization units in your order, DigiCert will need to validate them before we can issue your certificate.

Auto Renew can't be used with credit card payments. To automatically renew a certificate, the order must be charged to account balance. You can configure the finance settings for your account on the Finance Settings page (in the sidebar menu, click Finances > Settings).

  1. Organization

    If your CSR includes an organization currently used in your account, we populate the Organization field in the order form with that organization's information.

    To add an organization, click Add Organization.

    1. Add an existing organization
      In the Add Organization window, select Existing Organization, in the Organization dropdown, select an organization, and then click Add.
    2. Add a new organization
      If you add a new organization, we will need to validate the organization before we can issue your certificate.
      In the Add Organization window, select New Organization, fill out the form (add the organization's legal name, address, etc.) and then click Add.

Unless you update the Organization Contact, we will use you as the primary contact to validate this certificate order.

  1. Organization Contact (required)

    The Organization Contact is someone who works for the organization included in the certificate order. We contact them to validate the organization and verify the request for OV TLS/SSL certificates.

    We populate the Organization Contact card for you.

    • When adding a CSR that includes an existing organization in your account, we populate the Organization Contact card with the contact assigned to that organization.
    • When manually adding an existing organization, we populate the Organization Contact card with the contact assigned to that organization.
    • When adding a new organization, we populate the Organization Contact card with your contact information.

    To use a different organization contact:

    1. Delete the organization contact populated automatically for you (click trashcan icon).
    2. Click Add Contact.
    3. In the Add Contact window, in the Contact Type dropdown, select Organization Contact.
    4. Add the contact
      1. Add an existing contact
        Select Existing Contact, in the Contacts dropdown, select a contact, and then click Add.
      2. Add a new contact
        Select New Contact, fill out the form (add the person's first and last name, Job Title, etc.) and then click Add.

    Technical Contact (optional)

    In addition to yourself, this person will receive order emails including the one with the certificate attached, as well as renewal notifications.

    To add a technical contact

    1. Click Add Technical Contact.
      If you've not added an organization contact, click Add Contact.
    2. In the Add Contact window, in the Contact Type dropdown, select Technical Contact.
    3. Add the contact
      1. Add an existing contact
        Select Existing Contact, next, in the Contacts dropdown, select a contact, and then click Add.
      2. Add a new contact
        Select New Contact, fill out the form (add the person's first and last name, Job Title, etc.) and then click Add.
  1. Additional Order Options

    The information in this section is optional.

    Expand Additional Order Options and add information as needed.

    1. Comments to Administrator
      Enter any information that your administrator might need for approving your request, about the purpose of the certificate, etc.
    2. Order Specific Renewal Message
      To create a renewal message for this certificate right now, type a renewal message with information that might be relevant to the certificate’s renewal.

Comments and renewal messages are not included in the certificate.

  1. Additional Emails

    Enter the email addresses (comma separated) for the people you want to receive the certificate notification emails, such as certificate issuance, duplicate certificate, certificate renewals, etc.

These recipients can't manage the order, however they will receive all the certificate related emails.

  1. Select Payment Method

    Under Payment Information, select a payment method to pay for the certificate:

    1. Pay with Credit Card
      Don’t have a contract or don’t want to use the contract to pay for this certificate? Use a credit card to pay for the certificate.
      Note: We authorize the card when the request is made. However, we only complete the transaction once we issue your certificate.
    2. Pay with Contract Terms
      Have a contract and want to use it to pay for the certificate?
      Note: When you have a contract, it is the default payment method.
    3. Pay with Account Balance
      Don’t have a contract or don’t want to use the contract to pay for this certificate? Bill the cost to your account balance.
      To deposit funds, click the Deposit link.
      Note: The Deposit link takes you to another page inside your CertCentral account. Any information entered in the request form will not be saved.
  1. Certificate Services Agreement

    Read through the agreement and check I agree to the Certificate Services Agreement.

  1. Click Submit Certificate Request.

  1. Demonstrate control over the domains on your order

    Now that you've submitted your order, you need to complete domain validation for the domain on the order (demonstrate control over the domain) before we can issue your certificate. See Demonstrate control over domains on your SSL certificate order.

  1. Complete organization validation

    To validate/authenticate your authority to order a certificate for the organization on your certificate order, we will call a verified phone number to speak with someone who represents you, the certificate requestor, such as the organization or technical contact.

    To get organization consent for your certificate order:

    1. Answer the organization/validation phone call (preferred method)*
      After you submit your certificate order, make sure that the organization contact, technical contact, and company receptionist are aware that you’ve ordered an SSL/TLS certificate. Let them know that DigiCert will call a verified phone number to speak with one of them to complete organization validation/authentication. This phone call usually takes place within 24 hours of the certificate order being placed.
    2. Respond to the organization consent message
      If the DigiCert validation agent can’t reach someone who represents you at the verified phone number, they will leave a message that includes a call back phone number and a verification code. Make sure that the organization or technical contact responds to the message and provides us with the verification code.