CertCentral glossary
glossário
- 30-day device verification
An optional OTP app authentication setting that allows users to remember a trusted device for 30 days before re-verification is required. Applies to OTP app authentication only.
- Account credit
A CertCentral payment method that uses prepaid funds deposited into your account. Required as the payment method for Azure Key Vault certificate orders. Credit cards are not supported for Key Vault integrations.
- Account user
A CertCentral user who can sign in using CertCentral credentials, single sign-on (SSO), or both, depending on account authentication policies.
- ACME agent
A lightweight DigiCert software client installed on a standard host to automate certificate lifecycle management using the ACME protocol.
- ACME credentials
The set of values used to authenticate a third-party ACME client or DigiCert ACME agent with CertCentral. ACME credentials consist of an ACME directory URL, an External Account Binding (EAB) key identifier (KID), and an HMAC key. Generated in CertCentral per certificate type. See External Account Binding (EAB).
- ACME directory URL
The endpoint URL that an ACME client uses to discover available operations and submit certificate requests to CertCentral. Each set of ACME credentials includes a unique directory URL scoped to a specific certificate type and account region. The URL must match the region where the certificate order is processed; using the wrong regional URL causes certificate issuance failures.
- Administrator
A CertCentral role with full administrative access, including creating and managing users, divisions, and account settings. Available in all account types.
- Annual plan
A DigiCert TLS certificate coverage model providing one year of certificate protection for a single price. The default plan as of February 24, 2026.
- Approval workflow
An approval workflow is a CertCentral account setting that requires administrator or manager review before DigiCert processes a certificate request. When an account uses an approval workflow, a certificate request appears at Certificates > Requests with status Needs Approval until an authorized user approves the request. Extended Validation TLS, Code Signing, and Extended Validation Code Signing requests require specific subroles for approval. See Certificate orders and requests.
- Approved email domains
A CertCentral account setting that restricts which email domains users can use when creating or updating their account.
- Automation event
A scheduled or triggered action that instructs a DigiCert agent or sensor to issue, renew, replace, or revoke a certificate on a target host or network appliance. Automation events appear in the automation log and can be retried if they fail.
- Automation log
A record in CertCentral that captures the status, timestamps, and error details for each automation event. Used to monitor automation health, identify failures, and determine whether a retry is needed.
- Automation profile
A template for TLS certificate deployment that defines certificate properties and lifecycle behavior. Used when scheduling automation events.
- Auto-renew
A CertCentral setting that automatically initiates certificate renewal before the expiration date without manual intervention. Auto-renew behavior is configured per automation profile or per individual certificate order. The renewal timing, notification behavior, and retry logic are all configurable.
- Certificate order
A certificate order is a record in CertCentral that tracks a certificate from the start of DigiCert processing through issuance. Find orders at Certificates > Orders, where an order appears when a certificate request moves to processing, directly after submission or after administrator approval. See Certificate orders and requests.
- Certificate profile (ACME-based)
A configuration template that defines the certificate type, validity period, key algorithm, and subject attributes applied to certificates requested through a specific ACME credential set. Certificate profiles are created in CertCentral and associated with ACME credentials before automation begins. Distinct from an automation profile, which controls deployment scheduling and renewal behavior.
- Certificate request
A certificate request is a submission that appears at Certificates > Requests when the account requires administrator or manager approval before DigiCert processes the certificate. A request with status Needs Approval is waiting for approval before the request becomes a certificate order. See Certificate orders and requests.
- Certificate signing request ( CSR)
A file generated on a server that contains the public key and identifying information required to create a certificate, including the common name, organization, and country. Submitted to DigiCert to request a certificate. The private key associated with the CSR must be kept secure and never shared.
- Certificate transparency (CT) logging ( CT log)
The practice of submitting issued public TLS/SSL certificates to publicly auditable logs. Required by default for all public TLS/SSL certificates.
- Client certificate
A browser-based certificate used as the second authentication factor for CertCentral sign-in. Restricts account access to devices on which the certificate is installed.
- Common name
The primary domain or identifier secured by a certificate.
- DigiCert account provisioning
The process of creating a user in DigiCert account and assigning them access to CertCentral as an application. The user activates their CertCentral service by signing in to DigiCert account and selecting CertCentral.
- Division-level access
A restriction of a user's CertCentral access to specific divisions. Works in combination with role scope. A user must have both a role that permits an action and access to the division where the action occurs.
- DNS integration
A CertCentral configuration that connects a supported DNS provider, such as UltraDNS or an F5 BIG-IP DNS module, to automate the creation and removal of DNS records required for domain control validation during automated certificate issuance. Used primarily with DV certificate automation on load balancers.
- DNS TXT record automation
A UltraDNS integration feature where CertCentral automatically adds and updates DNS TXT records with DigiCert-generated validation values for domain control validation.
- Domain control validation ( DCV)
The process of demonstrating control over a fully qualified domain name or IP address before DigiCert issues a certificate.
- Domain prevalidation
The process of validating a domain before submitting a certificate request to enable faster issuance. Supported for OV and EV certificates only.
- Electronic Identification, Authentication and Trust Services ( eIDAS)
An EU regulation establishing a legal framework for electronic identification and trust services across EU member states. DigiCert issues qualified certificates under eIDAS, including QWAC, QWAC PSD2, EU Qualified Personal, and EU Qualified eSeal certificates.
- EV approval role
A requirement that users who request or approve extended validation (EV) certificates must have a complete CertCentral profile including job title and phone number.
- Extended key usage ( EKU)
A certificate extension that defines the specific purposes for which a certificate's public key may be used. DigiCert public TLS certificates include the Server Authentication EKU by default. A second option, Server Authentication and Client Authentication, is available until March 1, 2027, after which DigiCert issues public TLS certificates with Server Authentication only.
- External Account Binding ( EAB)
Authentication credentials consisting of a key identifier (KID) and HMAC key used to link an ACME client to a CertCentral account.
- Federation name
A unique identifier used in the custom SP-initiated SSO URL generated during SAML configuration. DigiCert recommends using the company name.
- Finance Manager
A CertCentral role granting access to financial functions and certificate ordering. Available in all account types.
- Identity provider ( IdP)
An external system that authenticates users and provides identity assertions to CertCentral via SAML or OIDC.
- Intermediate certificate authority ( ICA)
A certificate authority whose certificate is signed by a root certificate authority. ICA certificates form the chain of trust between the root CA and end-entity certificates. DigiCert may rotate intermediate CAs. Do not pin or hardcode ICA certificates in your configuration.
- Invitation sent
A CertCentral user invitation status indicating the invitation has been emailed and is awaiting acceptance.
- IP restriction
A CertCentral account setting that limits access to specified IP address ranges. Operates on a deny-by-default model once enabled.
- KeyLocker
A DigiCert cloud-based key storage and signing service for code signing certificates. KeyLocker stores private keys in a FIPS 140-2 Level 3 certified hardware security module (HSM) hosted by DigiCert, removing the need for a physical token. Code signing users provisioned to KeyLocker sign directly from the cloud and do not need to download the certificate from CertCentral.
- Lifecycle action
The certificate operation that an ACME client performs when it contacts CertCentral using a set of ACME credentials. Supported actions include issue, renew, reissue, duplicate, and revoke. The default lifecycle action for each credential set is determined by account type and can be configured in CertCentral.
- Limited User
A CertCentral role restricted to placing and managing the user's own orders only. Available in Enterprise and Partner accounts. Created by selecting Standard User and enabling the limit to own orders option.
- Managed automation
A DigiCert-native certificate lifecycle automation model that uses the DigiCert ACME agent or sensor, installed and managed centrally through CertCentral, to deploy, renew, and replace certificates on target hosts and network appliances. For automation using independently maintained clients, see Third-party ACME client.
- Manager
A CertCentral role granting certificate, order, domain, and finance management access without full administrative control. Available in Enterprise and Partner accounts.
- Multi-year Plan
A DigiCert TLS certificate coverage model providing up to three years of certificate protection for a single price. Available for Enterprise and Partner accounts.
- Needs administrator approval
A CertCentral user invitation status indicating the user has accepted the invitation and requires administrator approval before access is granted.
- One-time password ( OTP)
A temporary passcode used as the second authentication factor during CertCentral sign-in. Supported via email delivery or an authenticator app using the TOTP protocol.
- OpenID Connect ( OIDC)
A federated authentication protocol that allows users to sign in to CertCentral using credentials from a configured identity provider.
- Pending order
A pending order is a certificate order at Certificates > Orders where DigiCert is processing the order, waiting for domain control validation, organization validation, or payment processing. When approval is required, the approval stage completes before the order is created. A pending order is not waiting for administrator approval. See Certificate orders and requests.
- PKIoverheid
A Dutch public key infrastructure operated by Logius on behalf of the Dutch government. DigiCert issues PKIoverheid certificates under the Staat der Nederlanden (State of the Netherlands) root hierarchy. PKIoverheid certificates are used by Dutch government entities and regulated organizations for secure communications and authentication.
- Prevalidated domain
A domain that has completed domain control validation (DCV) before a certificate request is submitted, allowing faster certificate issuance without repeating the DCV process at order time. Required for certain third-party ACME client workflows. See Domain prevalidation.
- Qualified website authentication certificate ( QWAC)
A qualified certificate for website authentication issued under the EU eIDAS regulation. Required by payment service providers under the Revised Payment Services Directive (PSD2) for secure communication between financial institutions. DigiCert issues standard QWAC and QWAC PSD2 certificates. QWAC certificates chain to a qualified trust service provider (QTSP) root.
- Random value
A DigiCert-generated token placed in a DNS record or validation file to confirm domain control. Expires after 30 days.
- Regional directory URL
One of multiple ACME directory URL variants that CertCentral provides to route certificate requests to a specific DigiCert processing region. The correct regional directory URL must match the account's provisioned region. Mismatches cause certificate issuance or renewal failures. Customers who have migrated between DigiCert regions must update their ACME client configurations to use the new regional URL.
- Restricted user
A CertCentral user whose access is limited to assigned divisions only. Cannot manage users, settings, or resources outside those divisions.
- SAML
Security Assertion Markup Language. A federated authentication standard that connects CertCentral to an identity provider for single sign-on.
- SAML Admin
A designation that appears next to a manager's role on the Users page when they have been granted access to SAML settings. Administrators always have SAML access by default and are never shown with this designation.
- SAML SSO-only user
A CertCentral user restricted to signing in exclusively through a SAML identity provider. Cannot use CertCentral credentials and cannot modify their own username or email address.
- Sensor
A DigiCert software client installed on a dedicated network host to automate certificate management on proprietary network appliances such as load balancers.
- Service provider (SP) metadata
Configuration data that CertCentral generates after SAML federation settings are saved. Provided to the identity provider to complete the SAML connection.
- Service user
A CertCentral account entity with API-only access, linked to an API key. Used for automated integrations and third-party tools. Cannot sign in interactively.
- Signed HTTP Exchange ( SXG)
A web packaging format that allows a signed HTTP response to be served by a party other than the origin server, enabling offline sharing of web content with verified origin attribution. DigiCert issues SXG certificates using the ECC key algorithm with the CanSignHttpExchanges extension. ACME credentials for SXG certificates require a separate credential set from standard TLS credentials.
- Signed HTTP Exchange (SXG)
A web packaging format that allows a signed HTTP response to be served by a party other than the origin server, enabling offline sharing of web content with verified origin attribution. DigiCert issues SXG certificates using the ECC key algorithm with the CanSignHttpExchanges extension. ACME credentials for SXG certificates require a separate credential set from standard TLS credentials.
- Standard User
A CertCentral role granting certificate request and order management access. Changes require manager or administrator approval. Available in Enterprise and Partner accounts.
- Subject alternative name ( SAN)
An additional domain or IP address secured by a certificate beyond the primary common name.
- Third-party ACME client
An ACMEv2-compliant client not developed by DigiCert, such as Certbot, win-acme, or Kubernetes cert-manager, that uses ACME credentials to request and manage certificates from CertCentral. Third-party clients are maintained independently on each host and do not support DigiCert centralized management features such as automation profiles or sensor-based appliance automation.
- Two-factor authentication ( 2FA)
A sign-in requirement combining a username and password with a second factor such as a one-time password or client certificate. Required for all CertCentral accounts.
- Unrestricted user
A CertCentral user with access to all divisions in the account.
- Validation reuse period
The duration for which completed domain or organization validation remains valid for subsequent certificate requests.
- Verified contact
A validated representative of an organization who can approve EV TLS/SSL, code signing, and mark certificate orders on behalf of the organization.