
Order your X9 PKI for TLS certificate

Use these instructions to order your DigiCert X9 PKI for TLS certificate. The X9 PKI for TLS certificate is ideal for organizations relying on TLS certificates for host-to-host communications like mutual TLS (mTLS), APIs, and other non-web browser use cases. Learn more.

Important

Don’t see the X9 PKI for TLS certificate in CertCentral?

To enable DigiCert's X9 PKI for TLS certificate for your CertCentral account, contact your account representative or DigiCert Support today.

Before you begin

This section outlines some things you may want to consider or tasks to complete before you order your X9 PKI for TLS certificate. For example, you may need additional information about domain or organization validation or want to complete specific tasks, such as generating a certificate signing request (CSR) for your order.

CSR requirements

You must provide a certificate signing request (CSR) with your X9 PKI for TLS certificate request. For your certificate to remain secure, it must use at least an RSA 2048-bit key size. Learn how to Create a CSR (Certificate Signing Request).

Table 1. Supported algorithms and key lengths for X9 PKI for TLS certificate

  Algorithm                            Key lengths
  RSA (Rivest-Shamir-Adleman)          2048, 3072, and 4096
  ECC (elliptic curve cryptography)*   p-256 and p-384

*Note: For the initial release of our X9 PKI for TLS certificate, we issue our ECC certificates from RSA intermediate CA certificates.


Domain validation

DigiCert’s X9 PKI for TLS certificate only supports fully qualified domain names and IP addresses. You cannot include wildcard domains in your certificate.

Before DigiCert can issue your certificate, you must demonstrate control over the domains on the certificate order. Use one of the DigiCert-supported DCV methods, listed under Domain control validation (DCV) in the ordering steps below, to demonstrate control over the domains.

Organization validation

Before DigiCert can issue your X9 PKI for TLS certificate, we must validate the organization for X9 PKI Organization Validation. Learn how we validate your organization.

Use one of the following options to validate your organization:

  • Validate the organization before ordering certificates

    CertCentral features an organization validation process that allows you to validate your organization before ordering certificates. Completing the organization validation ahead of time allows for quicker certificate issuance. See Submit an organization for prevalidation.

  • Validate the organization as part of the order process

    If you add a new organization or an organization with expired organization validation, DigiCert will complete the organization validation as part of the order process.

Order an X9 PKI for TLS certificate

Below are detailed instructions for ordering your X9 PKI for TLS certificate.

  1. In CertCentral, in the left menu, go to Request a Certificate > X9 PKI Certificates > X9 PKI for TLS.

  2. On the Request X9 PKI for TLS Certificate page in the For menu, select the division to manage the certificate.

    The For menu only appears if you use Divisions in CertCentral.

  3. Add your CSR

    We use the information in your CSR to auto-populate corresponding values in the order form: Common Name, SANs, and Organization. If you leave any of this information out of the CSR, the corresponding field in the form is left blank.

    If the organization in the CSR already exists in your account, we auto-populate the Organization Contact card with the contact assigned to that organization.

    Under Certificate Settings, upload your CSR or paste it into the Add your CSR box. Your CSR must include the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags.

  4. Common name and subject alternative names (SANs)

    After adding your CSR, we auto-populate the Common name and SANs boxes with the common name and SANs included in the CSR. You can still change the common name and reorder, add, or remove additional SANs as needed.

    Note: The X9 PKI for TLS certificate only supports fully qualified domain names and IP addresses. You cannot include a wildcard domain in your certificate.

  5. Validity period

    By default, DigiCert issues X9 PKI for TLS certificates with a 1-year validity. Use the default 1-year validity or configure a custom validity for your certificate.

    • 1 year

    • Custom expiration date

      The expiration date must be within 397 days of the date you request the certificate.

    • Custom length

      Maximum certificate validity is 397 days.

  6. Auto-renew

    To set up automatic renewal for this certificate, check Auto-renew expiring order.

    With auto-renew enabled, DigiCert automatically submits a request to renew the order thirty days before it expires. This option is not available if you pay with a credit card.

    You must charge the order to the account balance to use the automatic renewal option. To configure your account's finance settings, in the left menu, go to Finances > Settings.

  7. Domain control validation (DCV)

    Before DigiCert can issue your certificate, you must demonstrate control over the domains and IP addresses included in your certificate. While placing the order, you can only select one DCV method for all domains on the order.

    After submitting your order, you can view the domains you must validate on the certificate's pending Order # details page. You can use the DCV method selected while placing the order or use a different one per domain if required.

    1. DCV method

      Use the default DCV method. Or, in the DCV method menu, select your preferred DCV method to demonstrate control over the domains.

      DigiCert supported DCV methods

      • DNS TXT Record (DNS Change)

        Use this method if you can modify the domain's DNS Record to include a TXT record. To demonstrate control over the domain, you must be able to add a DigiCert-generated random value to the domain’s DNS as a TXT record.

      • Using the Verification Email DCV methods

        DigiCert sends two sets of DCV emails for this validation method: DNS TXT-based and constructed. To demonstrate control over the domain, an email recipient follows the instructions in a confirmation email sent for the domain.

        • Email to DNS TXT contact

          Use this method if you can modify the domain's DNS Record to include an email address. To learn more about what you must do to use this DCV method, see Email to DNS TXT contact.

        • Email to Constructed email addresses

          Use this method if you created a pre-approved email alias for the domain, such as admin@{domain_name}. To learn more about what you must do to use this DCV method, see Constructed email.

      • DNS CNAME Record

        Use this method if you can modify the domain's DNS Record to include a CNAME record. To demonstrate control over the domain, you must be able to add a DigiCert-generated random value to the domain's DNS as a CNAME record.

      • Using the HTTP Practical Demonstration DCV methods

        You can only use the HTTP Practical Demonstration DCV methods to demonstrate control over fully qualified domain names (FQDNs) exactly as named. To learn more, see HTTP Practical Demonstration and HTTP Practical Demonstration with unique filename DCV methods.

        IP addresses: Per industry regulations, you must use the HTTP Practical Demonstration DCV methods to demonstrate control over IPv4 and IPv6 addresses.

        • HTTP Practical Demonstration

          Use this method if you can host a file containing a DigiCert-generated random value at a predetermined location on your website: http://{domain-name}/.well-known/pki-validation/fileauth.txt.

        • HTTP Practical Demonstration with unique file name

          Use this method if you need to host a file with a DigiCert-generated filename that contains a DigiCert-generated random value at a predetermined location on your website: http://{domain-name}/.well-known/pki-validation/{unique-filename}.txt.

    2. Email language

      Use the default language. Or, in the Email language menu, select your preferred language for the email. This option only appears when you select the Verification email DCV method.

    3. DCV scope

      Use the default DCV Scope setting that aligns with your CertCentral Domain validation scope settings. Or, in the DCV Scope menu, select the scope for demonstrating control over the domains on the request.

      Note: CertCentral administrators can go to the Preferences page to configure their Domain validation scope settings (in the left menu, go to Settings > Preferences).

      Domain scope: Submit base domains versus Submit exact domain names

      • Submit base domains, for example, subdomain.example.com

        When submitting subdomain.example.com, you must complete domain validation for the base domain, example.com. Validating the base domain also validates all subdomains of the base domain, such as subdomain.example.com and sub2subdomain.example.com.

      • Submit exact domain names, for example, subdomain.example.com

        When submitting subdomain.example.com, you must complete domain validation for the domain exactly as named—subdomain.example.com. Exact domain name validation only applies to that domain.

  8. Additional certificate options

    1. Signature hash

      DigiCert issues RSA certificates with a SHA-256 signature hash and RSA signing algorithm by default. DigiCert recommends using the default RSA settings unless you have specific reasons for using a different key size or signing algorithm.

      In the Signature hash menu, select the signature hash and signing algorithm you want DigiCert to use for your certificate: sha256WithRSA, or sha384WithRSA.

      Elliptic curve cryptography (ECC)

      For ECC certificates, there is a one-to-one correlation between the signature hash and the signing algorithm:

      • With the ECC p-256 key size, your certificate includes a SHA-256 signature hash with an ECDSA signing algorithm.

      • With the ECC p-384 key size, your certificate includes a SHA-384 signature hash with an ECDSA signing algorithm.

    2. Server platform

      In the Server platform menu, select the server or system on which you generated the CSR. When we email your certificate, the certificate format aligns with the format supported by the server or system. After we issue the certificate, you can change the format by downloading the certificate from the certificate's Order # details page in CertCentral. See Download a TLS/SSL certificate from your CertCentral account.

    3. Profile options for the certificate

      Certificate profiles allow you to do more with your certificates. For example, DigiCert X9 PKI for TLS certificates include the Digital signature key usage and the client authentication and server authentication EKUs by default.

      1. Key usage

        Select the key usages (KUs) to include in your X9 PKI for TLS certificate.

        • Digital signature only

          The Digital signature KU allows a key to create digital signatures that verify the signer's identity. See RFC-3280.

        • Digital signature and key encipherment/key agreement

          • If using an RSA CSR, the certificate will contain the key encipherment KU.

            The key encipherment KU is used to encrypt keys that can then be used to decrypt data.

          • If using an ECC CSR, the certificate will contain the key agreement KU.

            The key agreement KU allows the sender and receiver of the public key to derive the key without using encryption. This key is then used to encrypt messages between the sender and receiver.

      2. Extended key usage (EKU)

        Select the EKUs to include in your X9 PKI for TLS certificate.

        Server authentication secures websites using HTTPS. Client authentication identifies who you are for host-to-host communications.

        • Dual EKUs: server and client authentication

        • Server authentication only

        • Client authentication only

  9. Organization

    Add the information about the organization included on the certificate. Only specific details on the organization will be included on the certificate, such as the organization's name.

    Add organization

    You can add an existing organization from your account or a new organization. If you add a new organization, it gets added to your account.

    Select Add organization, and in the Add Organization window, complete the following tasks as needed:

    1. Add an existing organization

      1. Select Existing organization, in the Organization menu, select the organization, and then select Add.

        If you choose an organization not validated for X9 Organization Validation or the organization's validation has expired, DigiCert must validate the organization before we issue your certificate.

      2. Organization and technical contacts

        DigiCert automatically adds the contacts assigned to the organization to the request form. Under Contacts, you can see the organization and technical contacts.

    2. Add a new organization

      DigiCert must validate the new organizations before we can issue your certificate. Learn more about organization validation.

      1. Select New organization and enter the following information:

        Legal name

        Organization name exactly as it appears in corporate registries, such as local government registration records.

        Assumed name

        Assumed name or doing business as name.

        Adding an assumed name requires additional validation, which may delay organization validation and certificate issuance.

        Country

        Country where the organization is legally located.

        Address 1

        The address where the organization is legally located.

        Address 2 (optional)

        Additional address information, such as a Suite #.

        City

        City where the organization is legally located.

        State/Province/Region

        State, province, region where the organization is legally located.

        Zip/Postal Code

        Zip or postal code where the organization is legally located.

        Organization phone number

        This should be a number we can check against an online third-party address listing.

        DigiCert must call a verified organization phone number to confirm your authority to order a certificate for the organization. We verify this phone number against online third-party address listing sources like Google Business.

        Learn how we confirm your authority.

      2. When ready, select Add.

  10. Contacts – Organization Contact

    The organization contact is the person we contact when validating the organization and verifying your authority to order a DigiCert certificate for the organization. They may also receive the following notifications: Order status updates for certificates requested for their organization and Domain status updates for domains associated with their organization.

    Items to note about adding an organization:

    • When adding a new organization, DigiCert automatically adds the certificate requestor as the organization contact.

    • When adding an existing organization, DigiCert automatically adds the contacts assigned to the organization to the request form.

    To use a different organization contact

    1. To delete the auto-populated organization contact, select the trashcan icon.

    2. Select Add contact.

      If you've already added a technical contact, select Add Organization Contact.

    3. In the Add Contact window, in the Contact Type menu, select Organization Contact.

    4. Add the contact:

      1. Add an existing contact

        Select Existing Contact. In the Contacts menu, select a contact and then select Add.

      2. Add new contact

        Select New Contact, enter the contact's first and last name, job title, email address, and phone number, and then select Add.

  11. Contacts – Technical Contact

    Adding a technical contact is optional and not required to issue your certificate.

    The technical contact is someone we may contact for inquiries regarding certificate orders for the organization. They may receive the certificate lifecycle-related emails, like certificate issued, certificate reissued, and certificate expiring.

    When adding an existing organization, DigiCert includes the technical contact assigned to the organization in the request form by default. If no technical contact has been assigned, one can be added if necessary.

    To use a different technical contact

    1. To delete the auto-populated technical contact, select the trashcan icon.

    2. Select Add contact.

      If you've already added a technical contact, select Add Technical Contact.

    3. In the Add Contact window, in the Contact Type menu, select Technical Contact.

    4. Add the contact:

      1. Add an existing contact

        Select Existing Contact. In the Contacts menu, select a contact and then select Add.

      2. Add new contact

        Select New Contact, enter the contact's first and last name, job title, email address, and phone number, and then select Add.

  12. Additional emails (optional)

    Enter the email addresses you want to receive the certificate issuance, expiring certificate, and expiring order notifications. Use a comma to separate addresses or enter them on separate lines.

    These recipients don't manage the order. They only receive the certificate-related emails.

  13. Additional order options – Order Specific Renewal Message

    To create a renewal message for this certificate, enter a renewal message with information that might be relevant to the certificate’s renewal. Comments and renewal messages are not included in the certificate.

  14. Payment information

    Under Payment information, select a payment method to pay for the certificate:

    • Pay with credit card

      We authorize the credit card when you make the request. However, we only complete the transaction once we issue your certificate.

    • Pay with contract terms

      When you have a contract, it is the default payment method.

    • Pay with account balance

      Bill the cost to your account balance. To deposit funds, select the Deposit link. Selecting this link takes you to another page inside your CertCentral account. Any information entered in the request form will not be saved.

  15. Master Services Agreement

    Read through the Master Services Agreement.

  16. Select Submit request.

    By selecting Submit request, you agree to the Master Service Agreement.
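The CSR requirements in Table 1 (with the no-wildcard rule) and the key usage/EKU profile chosen in step 8 can both be checked locally with openssl. The script below is an added example, not DigiCert's tooling or text from this page; it assumes openssl is on the PATH, and every hostname, key and the self-signed stand-in certificate it creates are constructed.

```shell
# Added example, not DigiCert's tooling. Pre-checks a CSR against the X9 PKI for TLS rules
# (RSA 2048/3072/4096 or ECC P-256/P-384, no wildcard names) and, after issuance, checks the
# KU/EKU profile chosen in step 8. Hostnames, keys and the stand-in certificate are constructed.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

# gen_csr ALG PARAM CN [SAN ...] -> path of a CSR (ALG: rsa with a bit length, or ec with a curve)
gen_csr() {
  alg=$1; param=$2; cn=$3; shift 3
  name=$(printf '%s' "$cn" | tr -c 'A-Za-z0-9.-' '_')   # safe file name even for "*.example.com"
  key="$WORK/$name.key"; csr="$WORK/$name.csr"; san=""
  for s in "$@"; do san="${san:+$san,}$s"; done
  if [ "$alg" = rsa ]; then
    openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$param" -out "$key" >/dev/null 2>&1
  else
    openssl genpkey -algorithm EC -pkeyopt "ec_paramgen_curve:$param" -out "$key" >/dev/null 2>&1
  fi
  printf '[req]\nprompt = no\ndistinguished_name = dn\nreq_extensions = ext\n[dn]\nC = US\nO = Example Corp\nCN = %s\n[ext]\nsubjectAltName = %s\n' "$cn" "$san" > "$WORK/$name.cnf"
  openssl req -new -key "$key" -config "$WORK/$name.cnf" -out "$csr" >/dev/null 2>&1
  echo "$csr"
}

# check_csr CSR -> prints "ok", or the reason the request does not meet the requirements
check_csr() {
  grep -q -e '-----BEGIN CERTIFICATE REQUEST-----' -e '-----BEGIN NEW CERTIFICATE REQUEST-----' "$1" \
    || { echo "missing PEM header"; return 1; }
  txt=$(openssl req -in "$1" -noout -text)
  if printf '%s\n' "$txt" | grep -q 'Public Key Algorithm: rsaEncryption'; then
    bits=$(printf '%s\n' "$txt" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    case $bits in 2048|3072|4096) ;; *) echo "RSA $bits not supported"; return 1 ;; esac
  elif printf '%s\n' "$txt" | grep -q 'Public Key Algorithm: id-ecPublicKey'; then
    curve=$(printf '%s\n' "$txt" | sed -n 's/.*ASN1 OID: \(.*\)/\1/p')
    case $curve in prime256v1|secp384r1) ;; *) echo "curve $curve not supported"; return 1 ;; esac
  else
    echo "unsupported key algorithm"; return 1
  fi
  # Wildcards are not allowed in the common name or the SANs.
  if printf '%s\n' "$txt" | grep -q '\*\.'; then echo "wildcard name present"; return 1; fi
  echo ok
}

# sign_sample CSR KU EKU -> self-signed stand-in for the issued certificate (DigiCert's CA signs
# the real one). KU/EKU use openssl x509v3 names, e.g. "digitalSignature, keyAgreement".
sign_sample() {
  out="${1%.csr}.crt"
  printf 'keyUsage = critical, %s\nextendedKeyUsage = %s\n' "$2" "$3" > "$WORK/ext.cnf"
  openssl x509 -req -in "$1" -signkey "${1%.csr}.key" -days 397 -extfile "$WORK/ext.cnf" -out "$out" >/dev/null 2>&1
  echo "$out"
}

# cert_profile_ok CERT -> "ok" when the certificate matches the dual-EKU mTLS profile of step 8:
# digitalSignature plus keyEncipherment (RSA key) or keyAgreement (ECC key), serverAuth and clientAuth.
cert_profile_ok() {
  txt=$(openssl x509 -in "$1" -noout -text)
  ku=$(printf '%s\n' "$txt" | grep -A1 'X509v3 Key Usage' | tail -n 1)
  eku=$(printf '%s\n' "$txt" | grep -A1 'X509v3 Extended Key Usage' | tail -n 1)
  case $ku in *"Digital Signature"*) ;; *) echo "missing Digital Signature"; return 1 ;; esac
  if printf '%s\n' "$txt" | grep -q 'Public Key Algorithm: rsaEncryption'; then want="Key Encipherment"; else want="Key Agreement"; fi
  case $ku in *"$want"*) ;; *) echo "missing $want"; return 1 ;; esac
  case $eku in *"TLS Web Server Authentication"*) ;; *) echo "missing serverAuth"; return 1 ;; esac
  case $eku in *"TLS Web Client Authentication"*) ;; *) echo "missing clientAuth"; return 1 ;; esac
  echo ok
}
```

Run check_csr on your own CSR before pasting it into the Add your CSR box, and cert_profile_ok on the certificate DigiCert emails you to confirm the KU/EKU selection made it into the issued certificate.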

What’s next

CertCentral takes you to the X9 PKI for TLS certificate's Order # details page, where you can see the status of your order, what you need to do, and what DigiCert needs to do before we can issue your certificate.

Domain validation and organization validation

Before we can issue your certificate, these tasks must be completed:

  1. Demonstrate control over the domains on your order

    Complete the domain validation for the domains on the order (demonstrate control over the domain). See Supported DCV methods for validating the domains on certificate orders.

  2. Complete organization validation

    DigiCert must validate and authenticate your authority to order a certificate for the organization on your certificate order. To do this, we call a verified phone number to speak with someone who represents you, the certificate requestor, such as the organization or technical contact.

    To get organization consent for your certificate order:

    • Answer the organization/validation phone call (preferred method).

      After you submit your certificate order, ensure that the organization contact, technical contact, and company receptionist know you’ve ordered an X9 PKI for TLS certificate. Let them know DigiCert will call a verified phone number to speak with one of them to complete organization validation/authentication.

      This phone call usually takes place within 24 hours of the order being placed.

    • Respond to the organization consent message.

      If the DigiCert validation agent can’t reach someone at the verified phone number, they will leave a message with a call-back phone number and a verification code.

      Make sure that the organization or technical contact responds to the message and provides the verification code.

Certificate issuance

Once the validation process is complete, we issue your certificate and email you a copy. You can also download a copy from CertCentral. See our Get a copy of your TLS/SSL certificate instructions.