Skip to main content

變更記錄

Upcoming changes

March 2, 2024

Upcoming scheduled Europe maintenance

DigiCert will perform scheduled maintenance on March 2, 2024, 09:00 – 11:00 MST (16:00 – 18:00 UTC). Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

What can I do?

  • Schedule high-priority orders, renewals, and reissues before or after the maintenance window.

  • Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.

  • Subscribe to the DigiCert Status page to get live maintenance updates, including email alerts for when maintenance starts and ends.

  • See the DigiCert Europe 2024 maintenance schedule for maintenance dates and times.

Services will be restored as soon as the maintenance is completed.

Upcoming scheduled global maintenance

PKI Platform 8 may experience downtime or delayed responses for approximately 15 minutes during scheduled maintenance on March 2, 2024, 22:00 – 24:00 MST (March 3, 05:00 – 07:00 UTC).

PKI Platform 8 maintenance

If everything goes as planned, the maintenance will not affect our PKI Platform 8 customers. However, this maintenance is high risk, so if things don't go as planned, there could be service interruptions, delayed responses, or even downtime.

The PKI Platform 8 maintenance starts at 22:00 MST (05:00 UTC). From 22:00 to 22:30 MST (05:00 to 05:30 UTC), PKI Platform 8 may experience interruptions such as downtime (up to 15 minutes), service interruptions, or delayed responses.

API note:

  • APIs may return "503 services unavailable" errors.

  • Requests placed during this window that receive a "503 services unavailable" error message will need to be placed again after services are restored.

What can I do?

  • Schedule high-priority orders, renewals, and reissues before or after the maintenance window.

  • Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.

  • Subscribe to the DigiCert Status page to get live maintenance updates, including email alerts for when maintenance starts and ends.

  • See the DigiCert Global 2024 maintenance schedule for maintenance dates and times.

Plan accordingly:

Services will be restored as soon as the maintenance is completed.

Recent changes

February 8, 2024

CertCentral: Improvements to the SSL/TLS Duplicate certificate process

We updated the duplicate certificate request process in CertCentral. Now, when requesting a duplicate certificate, you can modify the duplicate certificate's validity if needed.

Previously, the duplicate certificate always expired when the certificate you were duplicating expired. You couldn't modify the duplicate certificate's validity.

See for yourself

  1. In your CertCentral account, in the left main menu, go to Certificates > Orders.

  2. On the Orders page, select the Order # of the certificate you want to duplicate.

  3. On the certificate's Order # details page, in the Certificate actions dropdown, select Request duplicate.

  4. On the Request Duplicate certificate page, under Certificate validity, next to Certificate details, select the pencil (edit icon) to modify the certificate's validity date.

    By default, a duplicate expiration date is set to match the certificate you are duplicating

See Duplicate a TLS/SSL certificate.

CertCentral Services API: Duplicate certificate enhancement

We updated the duplicate certificate endpoint and added support for the custom_expiration_date parameter. Use this parameter to modify the certificate validity for your duplicate certificate.

Important

We automatically truncate the certificate validity if you exceed the time remaining in the order, Multi-year Plan, or the maximum 397-day certificate validity period defined by CA/B Forum baseline requirements, whichever is shorter.

See Duplicate certificate.

JSON example:

{  "certificate": {               
          "common name":"example.com",               
          "csr":"-----BEGIN CERTIFICATE REQUEST----- … -----END CERTIFICATE REQUEST-----",               
          "signature_hash":sha256    
   },    
   "custom_expiration_date": "2024-10-15"
}

February 3, 2024

Upcoming scheduled Europe maintenance

Some DigiCert services will be down for approximately 10 minutes during scheduled Europe maintenance on February 3, 2024, 09:00 - 11:00 MST (16:00 - 18:00 UTC).

QuoVadis services maintenance-related downtime

During the two-hour maintenance window, some QuoVadis services will be down for approximately 10 minutes while we do infrastructure-related maintenance that requires server restarts.

Affected QuoVadis Services:

  • Sealsign signing service

  • TrustLink Switzerland instance

  • TrustLink Netherlands instance

  • ADSS signing service Netherlands instance

  • Certlookup

API note

  • APIs will return "503 services unavailable" errors.

  • Requests placed during this window that receive a "503 services unavailable" error message will need to be placed again after services are restored.

What can I do?

Plan accordingly:

  • Schedule high-priority certificate-related tasks and document signings before or after the maintenance window.

  • Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.

  • Subscribe to the DigiCert Status page for live maintenance updates, including email alerts for when maintenance starts and ends.

  • See the DigiCert Europe 2024 maintenance schedule for maintenance dates and times.

Services will be restored as soon as the maintenance is completed.

Upcoming scheduled Global maintenance

DigiCert will perform scheduled maintenance on February 3, 2024, 22:00 – 24:00 MST (February 4, 2024, 05:00 – 07:00 UTC).

Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

What can I do?

Plan accordingly:

  • Schedule high-priority orders, renewals, and reissues before or after the maintenance window.

  • Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.

  • Subscribe to the DigiCert Status page for live maintenance updates, including email alerts for when maintenance starts and ends.

  • See the DigiCert Global 2024 maintenance schedule for maintenance dates and times.

Services will be restored as soon as the maintenance is completed.

January 30, 2024

CertCentral: Improved ACME Service

We are happy to announce that the CertCentral ACME service now supports DV certificates and domain control validation (DCV) as part of the ACME workflow, along with other changes needed to support these features.

Changes to the ACME workflow:
  • New ACME URLs

    Existing ACME URLs will continue to work as they did before this update. However, only the new URLs will support DV TLS certificates and domain control validation.

  • Support for DV TLS products

    You may now create ACME URLs for your DV products if available in your CertCentral account.

    Previously, ACME URLs only supported Organization Validated (OV) and Extended Validation (EV) TLS products.

  • ACME domain control validation for all TLS products

    You may now automate validation for the domains in your certificate requests using ACME. This works for all TLS products.

    DV certificates are typically issued immediately upon completion of domain validation. OV and EV certificates also require organization validation to be completed before issuance.

  • Progressive user interface with product selection

    The user interface determines if an organization is required based on your selected product.

  • Dynamic detection logic

    Determines the action based on the previous order (if one exists). If a certificate is issued, then the next request for the same common name will automatically go into one of the following flows:

    1. Renewal, if in the renewal window

    2. Reissue, if not in the renewal window

    Dynamic logic can be overwritten by providing a URL parameter.

  • No changes were made to CertCentral's managed agent-based automation with this update.

For more information, see our ACME documentation.

January 22, 2024

Update: Access to older expired certificate data postponed

On December 7, 2023, we let you know that as part of our database optimization process, expired certificate data older than 14 months would be unavailable until January 22, 2024.

This post is to let you know that access to this older expired certificate data has been delayed. As soon as access is restored, we will post another change log entry to let you know.

What if I need to view or access older expired certificate data?

If you need to access your older expired certificate data before access is restored, please contact DigiCert Support.

January 17, 2024

DigiCert user and account deactivation

Starting January 17, 2024, DigiCert may suspend users and accounts that have been inactive for 39 or more months. See the DigiCert user and account deactivation and deletion policy to learn more.

January 16, 2024

CertCentral: Updates to Sign in to your account page

We updated the DigiCert CertCentral Sign in to your account page. The next time you sign in to your account, add your username first. Then, after selecting Next, add your password and select Sign in.

Updated Sign in to your account page

  • Add username

    Add-username.png
  • Add password

    Add-password.png

January 9, 2024

CertCentral: Improvements to the code signing certificate revocation process

We are happy to announce that in CertCentral, you can now set a revocation date and time when revoking a code signing certificate due to a key compromise.

  • Signatures applied before the revocation date remain valid and trusted.

  • Signatures applied after the revocation date are invalidated and untrusted.

Previously, you had to contact DigiCert Support to set a revocation date and time when revoking a code signing certificate due to a key compromise. Now, you can do it yourself from your CertCentral account.

Java signatures

Java uses the status of the certificate, not the revocation date, to determine signature trust. Thus, all Java signatures are invalidated regardless of the certificate revocation date.

Revoking multiple certificates

When revoking all certificates on an order, DigiCert uses the date of the most recently issued certificate to establish the earliest allowed revocation date for all certificates on the order (i.e., you cannot set a revocation date before the certificate issuance date). If this issuance date does not match your key compromise date, we recommend revoking certificates individually from the Certificate history tab.

See for yourself
  1. In your CertCentral account, in the left main menu, go to Certificates > Orders.

  2. On the Orders page, select the code signing or EV code signing certificate order.

  3. On the certificate's Order details page, in the Order actions dropdown, select Revoke all certificates.

  4. On the Request to Revoke Certificate page, in the Why do you want to revoke this certificate dropdown, select Key compromise – My certificate's private key was lost, stolen, or otherwise compromised.

  5. Under Do you know when the private key was compromised, select Yes.

  6. In the date picker, select the day your key was compromised. In the time picker, select the time the key was compromised.

  7. Unless you plan to revoke the certificate, select Cancel.

For more detailed instructions, see Submit a request to revoke a Code Signing/EV Code Signing certificate.

January 6, 2024

Upcoming scheduled Europe maintenance

DigiCert will perform scheduled maintenance on January 6, 2024, 09:00 – 11:00 MST (16:00 – 18:00 UTC).

Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

What can I do?

  • Schedule high-priority orders, renewals, and reissues before or after the maintenance window.

  • Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.

  • Subscribe to the DigiCert Status page to get live maintenance updates, including email alerts for when maintenance starts and ends.

  • See the DigiCert Europe 2024 maintenance schedule for maintenance dates and times.

Services will be restored as soon as the maintenance is completed.

Upcoming scheduled Global maintenance

DigiCert will perform scheduled maintenance on January 6, 2024, 22:00 – 24:00 MST (January 7, 2024, 05:00 – 07:00 UTC).

Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

What can I do?

  • Schedule high-priority orders, renewals, and reissues before or after the maintenance window.

  • Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.

  • Subscribe to the DigiCert Status page to get live maintenance updates, including email alerts for when maintenance starts and ends.

  • See the DigiCert Global 2024 maintenance schedule for maintenance dates and times.

Services will be restored as soon as the maintenance is completed.

December 15, 2023

CertCentral: Improvements to the Reissue SSL/TLS certificate process

We updated the process for reissuing SSL/TLS certificates in CertCentral. Now, if certificate revocations are required after reissuing your certificate, we do the following:

  • Send the requestor a revocation warning email with the subject line: Reissue request will revoke previously issued certificate for order ###### within 72 hours.

  • Change the Certificate status to Revocation pending with the revocation date and time on the Certificate history page.

Learn more about reissuing an SSL/TLS certificate

Background

When reissuing an SSL/TLS certificate, some changes may require DigiCert to revoke the original certificate and any reissues and duplicates, for example, removing a domain. In CertCentral, we warn you when a change will revoke your certificates.

December 13, 2023

CertCentral Services API: Secure Email (S/MIME) certificate enhancements

We're pleased to announce several enhancements to the API workflows for requesting and reissuing Secure Email (S/MIME) certificates:

  • Reject orders when DigiCert can't immediately issue the certificate

    We updated the Order Secure Email certificate endpoint to support a new request parameter: reject_if_pending. If true, when DigiCert can't issue and return the certificate immediately, the API returns an error instead of creating the order in a pending state.

  • Get certificates with an RSASSA-PSS signature

    We updated the Order Secure Email certificate endpoint to support a new request parameter: is_rsassa_pss. If true, DigiCert issues the certificate with an RSASSA-PSS signature type.

    Note

    To get an RSASSA-PSS signature, the issuing ICA must have an RSA signature.

  • Include a user principle name (UPN) in the SAN extension for Secure Email for Business certificates

    We updated the Order Secure Email certificate endpoint to support a new request parameter: user_principle_name. Include this parameter in the certificate object to set the value of the UPN SAN attribute on Secure Email for Business certificates. For example:

    Note

    Currently, you may include only a single value in the user_principle_name array.

  • Include additional subject DN attributes

    We updated the Order Secure Email certificate endpoint to support a new object in the request body: subject. Use the subject object to submit values for optional subject DN attributes, such as email (supported for all Secure Email products) and title, serial number, or pseudonym (supported for Secure Email for Business certificates only).

  • Reissue Secure Email certificates

    We updated the Reissue certificate API reference to include details about the request parameters used to reissue a Secure Email certificate.

December 12, 2023

CertCentral: Improvements to the verified contact approval step on pending EV TLS/SSL certificate requests

We are happy to announce we improved the verified contact approval process for approving EV TSL/SSL certificate orders in CertCentral. We updated the Order details page to make completing the verified contact approval step easier on your pending EV TLS certificate requests.

Improvements:

  • After sending the approval email to the verified contacts, we add a pending Order Approval task under What do you need to do.

  • We include a Resend approval email link that allows you to do the following:

    • See who the approval email was sent to the last time it was sent.

    • Resend the approval email and choose which verified contacts it's sent to.

  • We include the date the approval email was last sent.

  • The order status remains pending until you and DigiCert complete all necessary tasks on the request.

  • Under What does DigiCert need to do, the Verify all EV contacts task shows the verification status of the verified contacts on the request.

Background

Before DigiCert can issue an EV TLS/SSL certificate, a verified contact representing the organization included on the certificate must approve the pending certificate request (new, reissue, and new).

Previously, there was a lack of verified contact transparency on these pending requests:

  • The order details page lacked information about the verified contact approval step.

  • You had to contact support to find out who the approval email was sent to and to resend it.

  • When the verified contact approval step was the only step remaining on the pending order, the order status changed to Finalizing Certificate.

See for yourself

  1. In your CertCentral account, in the left main menu, go to Certificates > Orders.

  2. On the Orders page, select a pending EV TLS/SSL certificate order.

    Note that if the certificate requestor is a verified contact for the organization, the EV approval step is automatically completed when they place the request. On the Order details page, the Order Approval task will be marked as completed.

  3. On the certificate's Order details page, you should see the improvements as they are required on the pending request.

Resources

Resend the verified contact approval email

December 8, 2023

CertCentral Services API: New delete organization endpoint

In the CertCentral Services API, we added a new API endpoint for deleting an organization from your CertCentral account. For examples and usage details, visit the API reference: Delete organization.

December 7, 2023

Older expired certificate data unavailable from December 7, 2023, to January 22, 2024

On December 7, 2023, at 09:00 MST (16:00 UTC), DigiCert will optimize our certificate databases to improve our service's uptime. As part of the database optimization process, expired certificate data older than 14 months will be unavailable from December 7, 2023, at 09:00 MST (16:00 UTC) to January 22, 2024 (approximately 37 days).

Important

Update: DigiCert postponed the certificate database optimization until December 7, 2023. We originally planned this work for December 4, 2023.

Changes to note: There are new dates for some of the certificate data unavailability. New dates are marked with an asterisk (*).

How does this affect me?

This expired certificate data unavailability only affects our CertCentral, Certificate Issuing Service (CIS), and CertCentral Simple Certificate Enrollment Protocol (SCEP) platforms. It does not affect our PKI Platform 8 or DigiCert ONE platforms.

The data for certificates that expired before November 22, 2022*, will become unavailable in stages.

The process will take approximately 37 days:

  • On December 7, 2023,* expired certificate data older than 14 months will start becoming unavailable.

  • By January 22, 2024,* all expired certificate data older than 14 months will be inaccessible.

What if I need to view or access older expired certificate data?

On January 22, 2024, access to expired certificate data older than 14 months will be restored. If you need to access your older expired certificate data before January 22, 2024, please contact DigiCert Support.

CertCentral: New delete organizations feature

We are happy to announce that we have improved the organization management workflow.

Want to remove an organization from your account that you can never validate because of a typo or misspelling? Want to remove a deprecated organization from your account?

Now, when you need to delete an organization from your CertCentral account, you can. Go to the Organizations page and use the Delete organization feature to delete one or multiple organizations simultaneously.

Previously, you could only deactivate organizations. The Deactivate organization feature allows you to block certificate issuance for an organization until it’s activated. However, the deactivated organization remains in your account.

Items to note about deleting organizations

  • Only CertCentral administrators can delete organizations.

  • Deleting an organization hides it from the list of organizations.

  • Deleting an organization also deletes any domains associated with the organization from your account.

  • Current certificates that include a deleted organization:

    • Remain valid until they expire or are revoked.

    • Cannot be reissued or duplicated.

  • You cannot delete an organization included on a pending certificate request or pending order.

  • Requesting new or renewal certificates for a deleted organization will require you to revalidate the organization.

See for yourself

  1. In your CertCentral account, in the left main menu, go to Certificates > Organizations.

  2. On the Organizations page, in the Name column, select the organization you want to delete.

  3. On the Organization details page, in the More actions dropdown, select Delete organization.

  4. In the Delete organization window:

    • Select Delete organization to delete the organization from your account.

    • Select Cancel to keep the organization in your account.

Resources

December 6, 2023

CertCentral: End of life for existing automation profiles and ACME Directory URLs configured for 4- to 6-year Multi-year Plans

On December 6, 2023, at 10:00 MDT (17:00 UTC), CertCentral will no longer support existing TLS certificate automation profiles or ACME Directory URLs configured for 4- to 6-year Multi-year Plans. Automation requests that use these retiring automation profiles or ACME Directory URLs will fail.

Background

On October 31, 2023, DigiCert stopped selling new 4- to 6-year Multi-year Plans. Automation and ACME customers configured for 4- to 6-year orders have until December 6 to reconfigure their existing automation profiles and ACME clients to use 1- to 3-year orders instead.

What do I need to do?

Automation profiles

Starting on December 6, existing automation profiles configured for 4 to 6 years of coverage will show an Action needed status and automation requests for these profiles will fail. To avoid outages, you must reconfigure these automation profiles before December 6 to have a coverage length of 1 to 3 years.

To reconfigure automation profiles in the CertCentral console:

  • For instructions on how to update an existing automation profile, see Edit an automation profile.

  • On the automation profile edit screen, select the pencil icon in the Multi-year plan details field to edit and select a new coverage length of 1 to 3 years.

To use the API to reconfigure automation profiles:

  • To update an existing automation profile, see Update profile details.

  • Use the orderCoverageLength request parameter to update the coverage length of the profile to 1Y, 2Y, or 3Y.

ACME clients

Starting on December 6, existing ACME Directory URLs for 4 to 6 years of coverage will no longer work. To avoid outages, you must reconfigure any third-party ACME clients that use these retiring credentials to use a replacement ACME Directory URL for 1 to 3 years of coverage.使用主機自動化的第三方 ACME 用戶端

Consult the documentation for your third-party ACME client for help reconfiguring it. For example, the Certbot documentation is found at https://eff-certbot.readthedocs.io

You can use any ACME Directory URL for 1 to 3 years of coverage to continue requesting certificates with your third-party ACME clients. If you don't already have a suitable replacement ACME Directory URL in your CertCentral account, create a new one to use.

To create an ACME Directory URL in the CertCentral console:

  • For instructions on how to create a new ACME Directory URL, see Create one or more ACME Directory URLs.使用主機自動化的第三方 ACME 用戶端

  • When setting the properties of certificates issued through this ACME Directory URL, select a coverage length of 1 to 3 years in the Multi-year coverage length field.

To use the API to create an ACME Directory URL:

  • To generate a new ACME Directory URL and External Account Binding (EAB) credentials, see ACME External Account Binding.

  • Use the  order_validity_days or order_validity_years request parameter to set the coverage length of the new ACME Directory URL to a maximum of 3 years.

December 5, 2023

CertCentral two-factor authentication: One-time password email verification authentication method

We are happy to announce that we added the One-time password email verification authentication method to our two-factor authentication requirements in CertCentral.

One-time password email verification authentication method

By default, CertCentral requires you to use your credentials (username and password) and a one-time password (OTP app) to access your account. Now, you can also add OTP email verification as a one-time password (OTP) requirement.

After you enter your credentials, CertCentral sends a temporary password to the email address in your CertCentral account Profile Settings. To access your account, enter the temporary passcode in the verification email.

See our CertCentral two-factor authentication guide.

DigiCert  2024 maintenance schedules

To make it easier to plan your certificate-related tasks, DigiCert has scheduled our 2024 maintenance windows in advance.

We keep these pages up to date with the latest maintenance schedule information:

With customers worldwide, we understand there is no "best time" for everyone. However, after reviewing the data on customer usage, we selected times that would impact the fewest amount of our customers.

About our maintenance schedules
  • Maintenance is scheduled for the first weekend of each month unless otherwise noted.

  • Each maintenance window is scheduled for 2 hours.

  • Although we have redundancies to protect your service, some DigiCert services may be unavailable.

  • To get live maintenance updates, subscribe to the DigiCert Status page. This subscription includes email alerts for when maintenance begins and when it ends.

Contact your account manager or DigiCert Support if you need more information regarding these maintenance windows.

December 4, 2023

Older expired certificate data unavailable from December 4, 2023, to January 22, 2024

On December 4, 2023, at 09:00 MST (16:00 UTC), DigiCert will optimize our certificate databases to improve our service's uptime.

Important

Update: DigiCert has postponed the certificate database optimization until December 7, 2023. See our December 7, 2023, change log entry.

December 2, 2023

Upcoming scheduled Europe maintenance

DigiCert will perform scheduled maintenance on December 2, 2023, 09:00 – 11:00 MST (16:00 – 18:00 UTC).

Important

Maintenance will be one hour later for those who don't observe daylight savings.

Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

What can I do?

  • Schedule high-priority orders, renewals, and reissues before or after the maintenance window.

  • Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.

  • Subscribe to the DigiCert Status page to get live maintenance updates, including email alerts for when maintenance starts and ends.

  • See the DigiCert Europe 2023 maintenance schedule for maintenance dates and times.

Services will be restored as soon as the maintenance is completed.

Upcoming scheduled Global maintenance

DigiCert will perform scheduled maintenance on December 2, 2023, 22:00 – 24:00 MDT (December 3, 2023, 05:00 – 07:00 UTC).

Important

Maintenance will be one hour later for those who don't observe daylight savings.

Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

What can I do?

  • Schedule high-priority orders, renewals, and reissues before or after the maintenance window.

  • Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.

  • Subscribe to the DigiCert Status page to get live maintenance updates, including email alerts for when maintenance starts and ends.

  • See the DigiCert global 2023 maintenance schedule for maintenance dates and times.

Services will be restored as soon as the maintenance is completed.

November 20, 2023

CertCentral: Improved two-factor authentication user interface

We are happy to announce that we improved the process for creating, viewing, and updating your two-factor authentication requirements in CertCentral. See our CertCentral two-factor authentication guide.

New layout and organization of rules and settings

We updated the layout, moving to a tab-style page structure to make it easier to create, view, and update the two-factor authentication requirements for your CertCentral users. Now, when you visit the Authentication settings page (in the left main menu, go to Settings > Authentication Settings), instead of scrolling to find information, you can select what you want to view:

  • Two-factor authentication

    • Add a two-factor authentication requirement

    • Applied settings

    • Issued client certificates

    • One-time password (OTP) methods

  • Default settings

    • Password settings

    • One-time password (OTP) settings

CertCentral Two-factor Authentication Settings page

November 4, 2023

Upcoming scheduled Europe maintenance

DigiCert will perform scheduled maintenance on November 4, 2023, 09:00 – 11:00 MDT (15:00 – 17:00 UTC).

Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

What can I do?
  • Schedule high-priority orders, renewals, and reissues before or after the maintenance window.

  • Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.

  • To get live maintenance updates, subscribe to the DigiCert Status page. This subscription includes email alerts for when maintenance starts and when maintenance ends.

  • See the DigiCert Europe 2023 maintenance schedule for maintenance dates and times.

Services will be restored as soon as the maintenance is completed.

Upcoming scheduled Global maintenance

DigiCert will perform scheduled maintenance on November 4, 2023, 22:00 – 24:00 MDT (October 8, 2023, 04:00 – 06:00 UTC).

Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

What can I do?
  • Schedule high-priority orders, renewals, and reissues before or after the maintenance window.

  • Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.

  • To get live maintenance updates, subscribe to the DigiCert Status page. This subscription includes email alerts for when maintenance starts and when maintenance ends.

  • See the DigiCert global 2023 maintenance schedule for maintenance dates and times.

Services will be restored as soon as the maintenance is completed.

October 31, 2023

CertCentral: Changes to Multi-year Plan coverage

On October 31, 2023, DigiCert will no longer sell 4 – 6-year Multi-year Plans for TLS and VMC certificates. We will continue to offer 1, 2, and 3-year Multi-year Plans.

How does this affect me?

For those with existing 4, 5, and 6-year Multi-year Plans, this change does not affect your coverage. You can continue to reissue and duplicate issue certificates for your Multi-year Plan until it expires.

For example, if you purchased a 5-year Multi-year Plan on April 1, 2023, you have coverage until April 1, 2028.

What if I use the CertCentral Services API?

If you use the CertCentral Services API to create 4, 5, and 6-year orders for TLS/SSL or Verified Mark certificates, you need to update your API integrations and remove the 4, 5, and 6-year coverage options from your Multi-year Plan integrations.

For more information, see End of 4 - 6-year Multi-year Plans.

What if I use certificate lifecycle automation tools with 4, 5, and 6-year Multi-year Plans?

Starting on October 31, you can no longer create new automation profiles or ACME Directory URLs for a certificate coverage length of 4 to 6 years. To avoid outages, you have until December 6, 2023 to reconfigure any existing automation profiles or third-party ACME clients that use a 4 to 6 year coverage length to instead use a new coverage length of 1 to 3 years.

What happens when I need to renew my Multi-year Plan?

When it’s time to renew your Multi-year Plan, you can renew it as a 1, 2, or 3-year Multi-year Plan.

Why will DigiCert stop selling 4, 5, and 6-year Multi-year Plans?

We are optimizing our infrastructure to support new and improved e-commerce experiences. Removing these Multi-year Plan options helps us streamline existing product lines into a cleaner, more intuitive shopping environment.

October 19, 2023

CertCentral webhooks: Get webhook notifications in Slack

We’re happy to announce that you can now receive CertCentral webhook notifications in Slack!

When you integrate CertCentral webhooks with Slack, your webhook sends notifications to a channel in your Slack workspace. These notifications have the same triggers and data as standard webhook events, and Slack presents the information as human-readable text instead of raw JSON.

Note

DigiCert will continue improving the content and formatting of Slack webhook messages to meet customer needs.

Learn more: Get webhook notifications in Slack

October 17, 2023

DigiCert site seal is replacing the Norton site seal

On October 17, 2023, at approximately 10:00 MDT (16:00 UTC), DigiCert will replace the Norton site seal image with our DigiCert site seal image wherever it appears on websites secured by Secure Site or Secure Site Pro TLS certificates. Additionally, we will remove the option to use and download the Norton site seal from CertCentral.

What do I need to do?

No action is required. DigiCert will automatically replace your static Norton site seal image with the DigiCert site seal image on October 17, 2023, at 10:00 MDT (16:00 UTC). However, DigiCert recommends replacing your Norton site seal with the DigiCert Smart Seal.

To use the Smart Seal image, you must install the DigiCert site seal code on your website. To learn more about using the DigiCert Smart Seal, see the following instructions:

Why should I use the enhanced DigiCert Smart Seal?

To make the Smart Seal more interactive and engaging, we added a hover-over effect, animation, and the ability to display your company logo in the site seal.

  • Hover-over effect

    When visitors hover over the seal, it magnifies and gives customers quick information about your organization.

  • Animation

    When visitors come to your site, the seal slowly transitions from the seal image to the additional details about your organization.

  • Logo

    Add your logo to the hover-over effect and the site seal animation. Your logo appears with additional details about your organization. DigiCert must approve your logo before it appears in the Smart Seal on your website.

See The Smartest Way to Boost Trust at Checkout to learn more about the DigiCert Smart Seal.

October 13, 2023

CertCentral: New delete domains feature

We are happy to announce that we improved the domain management workflow in CertCentral.

Want to remove a domain from your account that you can never validate because it has a typo? Want to remove all the subdomains of a base domain?

Now, when you need to delete a domain from your CertCentral account, you can. Go to the Domains page and use the Delete domain feature to delete one or multiple domains simultaneously.

Previously, you could only deactivate domains. The Deactivate domain feature allows you to block certificate issuance for a domain until it’s activated. However, the deactivated domain remains in your account.

Items to note about deleting domains:

  • Only CertCentral administrators can delete domains.

  • Deleting a domain hides it from the list of domains.

  • Current certificates that include the domain are not affected.

  • Requesting new, reissue, or renewal certificates for a deleted domain may require you to revalidate the domain.

See for yourself

  1. In your CertCentral account, in the left main menu, go to Certificates > Domains.

  2. On the Domains page, in the Domain name column, select the domain you want to delete.

  3. On the Domain details page, in the Deactivate domain dropdown, select Delete domain.

  4. In the Delete domain window, select Delete domain if you want to delete the domain. Select Cancel if you don’t want to delete it.

Resources

CertCentral Services API: New delete domain endpoint

In the CertCentral Services API, we added a new API endpoint for deleting a domain from your CertCentral account. For examples and usage details, visit the API reference: Delete domain.

October 10, 2023

CertCentral Services API: Added functionality to Update order status endpoint

In the CertCentral Services API, we added new functionality to the Update order status API endpoint. Now, if you use the Services API to manage certificate request approvals, you can use the Update order status endpoint to cancel reissue requests that are pending admin approval. Before, this endpoint could only cancel reissues after an administrator approved the request.

For example, the order 12345 has a pending request to reissue the certificate on the order. You can use this cURL request to both cancel the reissue and reject the request:

curl -X PUT \
  'https://www.digicert.com/services/v2/order/certificate/12345/status' \
  --header 'Content-Type: application/json' \
  --header 'X-DC-DEVKEY: {{api_key}}' \
  --data-raw '{
    "status": "canceled",
    "note": "Reissue canceled"
}'

When you submit this request:

  • The reissue is canceled, and the status of order 12345 changes from reissue_pending back to issued.

  • The status of the corresponding request becomes rejected.

  • The note (if provided) from the Update order status payload is stored in the processor_comment field on the rejected request.

October 7, 2023

Upcoming scheduled Europe maintenance

DigiCert will perform scheduled maintenance on October 7, 2023, 09:00 – 11:00 MDT (15:00 – 17:00 UTC). Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

What can I do?

  • Schedule high-priority orders, renewals, and reissues before or after the maintenance window.

  • Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.

  • To get live maintenance updates, including email alerts for when maintenance starts and ends, subscribe to the DigiCert Status page.

  • See the DigiCert Europe 2023 maintenance schedule for maintenance dates and times.

Services will be restored as soon as the maintenance is completed.

Upcoming scheduled Global maintenance

DigiCert will perform scheduled maintenance on October 7, 2023, 22:00 – 24:00 MDT (October 8, 2023, 04:00 – 06:00 UTC). Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

What can I do?

  • Schedule high-priority orders, renewals, and reissues before or after the maintenance window.

  • Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.

  • To get live maintenance updates, including email alerts for when maintenance starts and ends, subscribe to the DigiCert Status page.

  • See the DigiCert global 2023 maintenance schedule for maintenance dates and times.

Services will be restored as soon as the maintenance is completed.

September 11, 2023

CertCentral: Updates to client certificate request forms per new industry requirements

With the recent industry changes to S/MIME certificates, we updated our client certificate requests form, making it easier to include the required information to get your certificate.

Now, when you request one of the certificates listed below, you will see two options under Certificate to Request(s):

  • Email: Enter the email address you want to secure and appear as the certificate's common name.

  • Name: Enter the recipient's name as the common name and the email address you want to secure.

Affected certificates: Premium, Email Security Plus, and Digital Signature Plus.

See for yourself:

  1. In the left main menu, hover over Request a Certificate.

  2. Then, under Client certificates, select the client certificate you want to order: Premium, Email Security Plus, or Digital Signature Plus.

To learn more, see Order your client certificate.

Background

On August 29, 2023, at 10:00 MDT (16:00 UTC), DigiCert updated our public Secure Email (S/MIME) certificate issuance process to comply with the CA/Browser Forum's new Baseline Requirements for the Issuance and Management of Publicly‐Trusted S/MIME Certificates.

Industry changes now place certificates used to sign, verify, encrypt, or decrypt email into three categories:

  • Sponsor-validated – Secure Email (S/MIME) for an organization to issue to its organization-sponsored individuals

  • Organization-validated – Secure Email (S/MIME) certificate for an organization

  • Mailbox-validated – Secure Email (S/MIME) certificates for individuals

Our Premium, Email Security Plus, and Digital Signature Plus certificates are in the sponsor-validated category. Thus, you can only enter your email address or name as the common name on the certificate.

Learn more about the New industry requirements for public Secure Email (S/MIME) certificates.

September 9, 2023

Upcoming scheduled global maintenance

Some DigiCert services will be down for 60 minutes during scheduled maintenance on September 9, 2023, 22:00 – 24:00 MDT (September 10, 04:00 – 06:00 UTC).

Document Trust Manager PrimoSign signing service maintenance-related downtime

The Document Trust Manager maintenance starts at 22:00 MDT (04:00 UTC). At this time, the PrimoSign signing service will be down for up to 60 minutes.

Affected services

  • DigiCert ONE USA

    • Document Trust Manager PrimoSign signing service

What can I do?

Plan accordingly:

  • Schedule high-priority document signings before or after the maintenance window.

  • Expect interruptions if you use the APIs for automated tasks.

  • To get live maintenance updates, subscribe to the DigiCert Status page. This subscription includes email alerts for when maintenance starts and when maintenance ends.

  • See the DigiCert global 2023 maintenance schedule for maintenance dates and times.

Services will be restored as soon as the maintenance is completed.

September 5, 2023

Industry changes to TLS certificates' BasicConstraints extension

On September 5, 2023, at 10:00 MDT (16:00 UTC), DigiCert will only issue public TLS certificates with the BasicConstraints extension set to critical per new industry requirements. Going forward, we will stop supporting the BasicConstraints extension's noncritical setting in public TLS certificate profiles.

Why is DigiCert making this BasicConstraints extension change?

To comply with industry changes mandated by the root program, all certificate authorities (CAs), such as DigiCert, must stop allowing users to set the BasicConstraints extension to noncritical in public TLS certificates.

For more details about the compliance changes affecting the BasicConstraints extension in certificate profiles, see the CA/Browser Forum's Ballot SC62v2-Certificate profiles update.

How does this affect me?

Does your TLS certificate process require the BasicConstraints extension to be set to noncritical?

  • No, it does not.

    You shouldn't notice any difference in your certificate issuance process. Your public TLS certificates are not affected by this change.

  • Yes, it does.

    You can continue to include the BasicConstraints extension set to noncritical in your public TLS certificate issued before September 5, 2023. Make sure to complete the required domain and organization validation for these orders before September 5.

What if I need the BasicConstraints extension set to noncritical in my TLS certificates after September 5?

You can use private TLS certificates. The root-program BasicConstraints extension change does not apply to private TLS certificates. If private TLS certificates meet your needs, contact your account manager to make sure the correct Private Root CA hierarchy is available for your account.

How does this affect my public TLS certificates with the BasicConstraints extension set to noncritical?

Your existing certificates are not affected by this change. However, if you reissue, duplicate issue, or renew a certificate after September 5, 2023, 10:00 MDT (16:00 UTC), we will set the BasicConstraints extension to critical when we issue the certificate.

How does this affect my API integration?

In the Services API, order requests for public TLS certificates that specify a certificate.profile_option of basic_constraints_critical_true will return a 400 error with an error code value of invalid_profile_option.

Update your API integration and remove the basic_constraints_critical_true profile option from your public TLS certificate requests by September 5, 2023.

End of issuance for individual validation TLS certificates

On September 5, 2023, at 10:00 MDT (16:00 UTC), DigiCert will stop issuing individual validation TLS certificates. This means you can no longer get an organization validation (OV) TLS certificate with a person's name in the subject field.

Affected certificates:

  • Secure Site Pro SSL

  • Secure Site OV

  • Basic OV

  • GeoTrust® TrueBusiness ID OV

  • Thawte® SSL Webserver OV

Why will DigiCert stop issuing individual validation TLS certificates?

To comply with industry changes mandated by the root program, DigiCert will only issue OV TLS certificates with an organization name in the subject field. For more details about the compliance changes affecting the individual validation TLS certificates, see the CA/Browser Forum's Ballot SC62v2-Certificate profiles update.

How does this affect me?

Your existing individual validation OV TLS certificates will continue to secure your domains until they expire. This change doesn't apply to certificates issued prior to September 5, 2023.

However, starting September 5, you cannot reissue, duplicate, or renew an existing individual validation OV TLS certificate. You can still revoke a certificate if needed.

What if I need a new individual validation TLS certificate?

  • Get needed certificates before September 5.

    You can continue to include your name in OV TLS certificates issued before September 5. Make sure to complete the required domain and individual validation for these orders by September 5.

  • Use domain validation (DV) TLS certificates.

    Starting September 5, 2023, if you need a TLS certificate for an individual, we recommend purchasing a DV TLS certificate instead. On September 5, 2023, we will enable the GeoTrust DV SSL certificate for your CertCentral account.

September 2, 2023

Upcoming scheduled Europe maintenance

Some DigiCert services will be down for 90 minutes during scheduled maintenance on September 2, 2023, 09:00 – 11:00 MDT (15:00 – 17:00 UTC).

Document Trust Manager's PrimoSign signing service  maintenance-related downtime

The DigiCert​​®​​ Document Trust Manager maintenance starts at 09:00 MDT (15:00 UTC). At that time, the PrimoSign signing service will be down for up to 90 minutes.

Affected services:

  • DigiCert ONE Netherlands instance

    • DigiCert​​®​​ Document Trust Manager PrimoSign signing service

  • DigiCert ONE Switzerland instance

    • DigiCert​​®​​ Document Trust Manager PrimoSign signing service

What can I do?

Plan accordingly

  • Schedule high-priority document signings before or after the maintenance window.

  • Expect interruptions if you use the APIs for automated tasks.

  • To get live maintenance updates, subscribe to the DigiCert Status page. This subscription includes email alerts for when maintenance starts and when maintenance ends.

  • See the DigiCert Europe 2023 maintenance schedule for maintenance dates and times.

Services will be restored as soon as the maintenance is completed.

August 29, 2023

Changes coming for public Secure Email (S/MIME) certificates

On August 29, 2023, at 10:00 MDT (16:00 UTC), DigiCert will make the changes listed below to our public Secure Email (S/MIME) certificate issuance process to comply with the CA/Brower Forum's new Baseline Requirements for the Issuance and Management of Publicly‐Trusted S/MIME Certificates.

These changes will apply to all newly issued certificates containing the emailProtectionextentedKeyUsage and at least one email address. If you can use your certificate to sign, verify, encrypt, or decrypt email, then your new, reissued, and renewed certificates will be affected by these new industry requirements starting August 29, 2023, at 10:00 MDT (16:00 UTC).

What can I do?
  • Get needed Secure Email S/MIME certificates before August 29, 2023

    If you have S/MIME certificate renewals, reissues, or new orders scheduled for the end of August and the month of September, do these certificate-related activities early—before August 29. That way, your S/MIME certificate issuance will remain the same, eliminating potential surprises from the modifications to certificate profiles and the validation process. Certificates issued before August 29, 2023, can still contain the organization unit information and email-validated addresses, as needed.

  • Move to private Secure Email (S/MIME) certificates

    DigiCert recommends moving to privately trusted S/MIME certificates if public trust is not required. The rules for public S/MIME certificates do not apply to locally trusted S/MIME certificates. Contact your account representative or DigiCert Support to learn about DigiCert Private Secure Email (S/MIME) certificates.

Platform-specific changes

One of the benefits of the new S/MIME certificate baseline requirements is that it will standardize public S/MIME certificates for all certificate authorities and, more specifically, for all DigiCert platforms.

To learn more about the changes coming to your platform and what you need to do to prepare for the changes to DigiCert's public Secure Email (S/MIME) certificate issuance process, see the applicable section of our knowledge base article:

CertCentral: Document Signing Certificate changes

On August 29, 2023, at 10:00 MDT (16:00 UTC), DigiCert will no longer include the email addresses in the subject field when issuing Document Signing certificates.

Starting August 29:

  • You can no longer use the newly issued Document Signing certificate to sign your emails.

  • Your email address will not appear in signatures applied to documents using a newly issued or reissued Document Signing certificate.

The following certificates are affected by this change:

  • Document Signing - Organization (2000/5000)

  • Document Signing - Individual (500/2000)

Why will DigiCert start issuing Document Signing certificates without the email address in the subject?

We are making this change to align with upcoming industry changes affecting the issuance and management of publicly trusted secure email (S/MIME) certificates.

Starting August 29, under the new S/MIME certificate requirements, a document signing certificate must undergo a new validation process for digitally signing emails. DigiCert's Document Signing certificates do not include this validation process and, therefore, can no longer include email addresses and be used to sign emails after August 29.

How do these changes affect my Document Singing certificates?

  • Newly issued Document Signing certificates.

    Starting August 29, 2023, at 10:00 MDT (16:00 UTC), all newly issued Document Signing certificates, including new, reissued, and renewed certificates, will no longer include the email addresses in the subject field and can no longer be used to sign emails.

  • Existing Document Signing certificates.

    The industry changes do not affect Document Signing certificates issued before August 29, 2023, 10:00 MDT (16:00 UTC). You can continue to use these existing certificates to sign emails if needed until they expire. Remember, starting August 29, the changes to Document Signing certificates will affect your certificate replacements and renewals.

What can I do?

  • Get needed Document Signing certificates with email signing before August 29, 2023.

    If you have Document Signing renewals, reissues, or new orders scheduled for the end of August and September, do these certificate-related activities before August 29. That way, your Document Signing certificates will include the email address and can be used to sign emails.

  • Get a Secure Email (S/MIME) certificate.

    If you need a certificate to sign your emails, get one of DigiCert's secure email certificates that meets the new S/MIME requirements. These certificates will be available for purchase in CertCentral starting August 29.

August 22, 2023

CertCentral: Only show "Comments to Administrator" when the approval step is enabled for a user

In CertCentral, we updated our OV TLS, EV TLS, code signing, and document signing certificate request forms. Now, we will only include the Comments to Administrator field when the approval step is enabled for the user making the request.

This field allows you to provide additional information to the person approving the request. When an order skips the approval step, the field no longer serves its purpose.

Background

By default, CertCentral accounts are configured for one-step certificate request approvals. An account administrator must approve a certificate request before DigiCert can process the order (validating the organization, etc.).

However, on the Preferences page (go to Settings > Preferences), in the Certificate Requests section, you can remove the approval step from the OV and EV TLS, code signing, and document signing certificate issuance workflows for your CertCentral administrators and managers. Even with skip approval enabled, you must still approve requests submitted by standard users, limited users, and finance managers.

Learn more about removing the approval step.

August 15, 2023

Industry changes to key usage extensions allowed in Public TLS certificates.

On August 15, 2023, at 10:00 MDT (16:00 UTC), DigiCert will stop supporting the following key usage extensions in public TLS certificates:

  • Data encipherment

  • Non-repudiation

Note that these key usage extensions are not included in public TLS certificates by default.

Why is DigiCert making these key usage extension changes?

To comply with industry changes mandated by the root program, all certificate authorities (CAs), such as DigiCert, must stop allowing users to include these key usage extensions in public TLS certificates: data encipherment and non-repudiation.

For more details about the compliance changes affecting key usage extensions in certificate profiles, see the CA/Browser Forum Baseline Requirements for the Issuance and Management of Publicly‐Trusted Certificates, Section 7.1.2.7.10.

How does this affect me?

Do you currently use these key usage extensions in your public TLS certificates?

  • No, I don't.

    Then no action is required. Your public TLS certificates are not affected by this change.

  • Yes, I do.

    You can continue to include the data encipherment or non-repudiation key usage extensions in your public TLS certificate issued until August 15, 2023. Make sure to complete the required domain and organization validation for these orders by August 15.

What if I need to include the data encipherment or non-repudiation key usage extensions in my TLS certificates after August 15?

You can use private TLS certificates. The root-program key usage extension change does not apply to private TLS certificates. If private TLS certificates will meet your needs, contact your account manager to make sure the correct Private root CA hierarchy is available for your account.

How does this affect my existing certificates that include these key extensions?

Your existing certificates are not affected by this change. However, if you reissue or duplicate issue a certificate with one of these key usage extensions after August 15, we will remove the data encipherment or non-repudiation extension before we reissue the certificate.

How does this affect my API integration?

In the Services API, order requests for public TLS certificates that specify a certificate.profile_option of data_encipherment, non_repudiation, or non_repudiation_and_data_enciph will return a 400 error with an error code value of profile_option_not_allowed.

Update your API integration and remove these profile options from your public TLS certificate requests by August 15, 2023.

Upgrading the DigiCert Support Plans

On August 15, 2023, DigiCert will upgrade our support plans to provide you with a better, more customizable experience. These plans are scalable and backed by our technical experts to ensure your success.

New plans:

  • Standard support

    Our free support plan is available to all DigiCert customers. It includes 24-hour, Monday – Friday chat and email technical support and access to our comprehensive product documentation and developer portal hub, knowledge base articles, and other self-service tools.

  • Business support

    Our mid-level paid service plan includes everything in our Standard plan plus 24-hour, Monday – Friday phone technical support, faster service hold times, and business service level agreements.

  • Premium support

    Our highest-level paid service plan includes access to everything in the Business plan plus priority service hold time.

    The Premium plan is the only plan that includes the following:

    • 24-hour, 7-day-a-week technical support with local language service during business hours and English language services after hours.

    • Priority validation.

    • Access to DigiCert ONE testing environment.

    • Premium service level agreements.

    • Root cause analysis for service degradation incidents.

    • Access to a Premium Client Manager for one-on-one incident resolution, strategic planning, and project coordination.

  • For more details about what these plans include, see the following:

How does this affect me?

To show our appreciation, on August 15, 2023, DigiCert will upgrade all existing customers to either Business or Premium support plans for a limited time at no additional charge.

How the limited-time upgrade works:

  • Platinum support plans will be upgraded to Premium support for the duration of the contract.

    You will receive validation SLAS in addition to your current support benefits. You will also retain your current Platinum Client Manager (now called a Premium Client Manager).

  • Gold or Platinum-Lite support plans will be upgraded to Premium support for the duration of your contract.

    You will have all Premium support benefits except for a Premium Client Manager.

  • Included (non-paid) DigiCert support will be upgraded to Business support for up to one year.

    On August 14, 2024, if you have not selected a new go-forward support plan, you can continue with a Business support plan, upgrade to a Premium support plan, or return to our free, Standard support plan.

Need help?

If you have questions or concerns, contact your account manager. See our knowledge base article.

August 8, 2023

CertCentral: Submitting organizations for SMIME – SMIME Organization Validation prevalidation

Starting August 8 at approximately 10:00 MDT (16:00 UTC), when you order a client certificate containing the emailProtection extentedKeyUsage and at least one email address, we will automatically submit the organization included in the order for SMIME organization prevalidation. When you visit the organization's details page, you will see a pending validation for SMIME – SMIME Organization Validation.

Affected client certificates:

  • Digital Signature Plus

  • Email Security Plus

  • Premium

  • Class 1 S/MIME

This change also affects orders submitted via the CertCentral Services API. To learn more about organization prevalidation, see our Submit an organization for prevalidation instructions.

Why is DigiCert submitting these organizations for SMIME prevalidation?

As part of the new requirements for public Secure Email (S/MIME) certificates, certificate authorities (CAs), such as DigiCert, must validate the organization included in a certificate containing the emailProtection extentedKeyUsage and at least one email address for S/MIME validation before we can issue the certificate.

DigiCert will submit organizations included in these types of certificate requests for SMIME organization prevalidation starting August 8 to prepare for these new requirements.

How does this affect my client certificate process?

The pending SMIME organization validation does not prevent your client certificates from being issued at this time. Until we update our process, for client certificates containing the emailProtection extentedKeyUsage and at least one email address, DigiCert will continue to require OV - Normal Organization Validation to validate the organization included in the certificate.

Then starting August 29, 2023, DigiCert must validate the organization included in these client certificates for the new SMIME organization validation before we can issue them.

  • OV - Normal Organization Validation

    Per industry requirements, DigiCert will continue to validate the organization included in a certificate containing the emailProtection extentedKeyUsage and at least one email address for OV - Normal Organization Validation until August 29.

  • SMIME – SMIME Organization Validation

    Starting August 29, 2023, at 10:00 MDT (16:00 UTC), all newly issued certificates containing the emailProtection extentedKeyUsage and at least one email address, including new, reissued, and renewed certificates, must comply with the new Baseline Requirements for the Issuance and Management of Publicly‐Trusted S/MIME Certificates.

CertCentral Webhooks: Include certificate and chain in certificate issued events

CertCentral webhooks now support the option to include the certificate chain in certificate_issued events for public and private TLS/SSL certificates.

Now, you can get your issued TLS certificate in the same webhook event that notifies you the certificate is ready. Before, you needed to trigger a callback API request to download the certificate from CertCentral.

Example certificate_issued event with certificate chain:

{
  "event": "certificate_issued",
  "data": {
    "order_id": 1234,
    "certificate_id": 1234,
    "certificate_chain": [
      {
        "subject_common_name": "example.com",
        "pem": "-----BEGIN CERTIFICATE-----\r\nMII...\r\n-----END CERTIFICATE-----\r\n"
      },
      {
        "subject_common_name": "DigiCert Global G2 TLS RSA SHA256 2020 CA1",
        "pem": "-----BEGIN CERTIFICATE-----\r\nMII...\r\n-----END CERTIFICATE-----\r\n"
      },
      {
        "subject_common_name": "DigiCert Global Root G2",
        "pem": "-----BEGIN CERTIFICATE-----\r\nMII...\r\n-----END CERTIFICATE-----\r\n"
      }
    ]
  }
}

Note

CertCentral only sends the certificate chain in certificate_issued events for public and private TLS/SSL certificates. For other product types, certificate_issued events never include the certificate chain.

Learn how to include the certificate chain in certificate_issued events: Customize certificate issued events.

CertCentral Services API: Add issuing CA certificate details to subaccount order info response

In the CertCentral Services API, we updated the Subaccount order info API endpoint to return the name and id of the issuing CA certificate for the primary certificate on the order. This data is returned in the ca_cert object in the certificate section of the JSON response.

Example JSON response with ca_cert object, truncated for brevity:

{
  "certificate": {
    "ca_cert": {
      "id": "A937018B9FAF6CC2",
      "name": "DigiCert Global G2 TLS RSA SHA256 2020 CA1"
    },
    ...
  },
  ...
}

CertCentral Services API: Add product shim details to subaccount product list

In the CertCentral Services API, we updated the List subaccount products API endpoint to return details about the product shims configured for the subaccount.

Note

CertCentral uses product shims to map requests for legacy products to the newer products that replaced them.

Now, the List subaccount products API endpoint returns these parameters:

  • is_product_shim_enabled (boolean): Returned at the root of the JSON response. If true, product shims are configured for the subaccount. Otherwise, false.

  • product_shim_map (array of objects): In the products list, any product with legacy products mapped to it returns a product_shim_map array. This array is a list of objects with the product_name_id and product_name of the legacy product with an active shim.

Example JSON response, truncated for brevity:

{
  "currency": "JPY",
  "pricing_method": "custom",
  "balance_negative_limit": "-1",
  "products": [
    {
      "product_name_id": "ssl_dv_geotrust_flex",
      "product_name": "GeoTrust DV SSL",
      "product_shim_map": [
        {
          "product_name_id": "ssl_dv_geotrust",
          "product_name": "GeoTrust Standard DV"
        }
      ],
    },
    {
      "product_name_id": "ssl_securesite_flex",
      "product_name": "Secure Site OV",
      "product_shim_map": [
        {
          "product_name_id": "ssl_plus",
          "product_name": "Standard SSL"
        },
        {
          "product_name_id": "ssl_securesite",
          "product_name": "Secure Site SSL"
        }
      ],
    },
    ...
  ],
  "is_product_shim_enabled": true
}

August 5, 2023

Upcoming scheduled Europe maintenance

Some DigiCert services will be down for up to 30 minutes, while others may experience interruptions during scheduled maintenance on August 5, 2023, 09:00 – 11:00 MDT (15:00 – 17:00 UTC).

Upcoming scheduled global maintenance

DigiCert will perform scheduled maintenance on August 5, 2023, 22:00 – 24:00 MDT (August 6, 2023, 04:00 – 06:00 UTC). Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

What can I do?

Plan accordingly:

  • Schedule high-priority orders, renewals, and reissues before or after the maintenance window.

  • Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.

  • To get live maintenance updates, subscribe to the DigiCert Status page. This subscription includes email alerts for when maintenance starts and when maintenance ends.

  • See the DigiCert global 2023 maintenance schedule for scheduled maintenance dates and times.

Services will be restored as soon as the maintenance is completed.

August 1, 2023

CertCentral: New SMIME – SMIME Organization Validation

In CertCentral, we added a new validation type to the organization prevalidation workflow, SMIME – SMIME Organization ValidationStarting August 29, 2023, DigiCert must validate the organization included in Secure Email (S/MIME) certificates with the new validation type, SMIME – SMIME Organization Validation, before we can issue the certificate. To learn more about organization prevalidation, see our Submit an organization for prevalidation instructions.

Why is DigiCert adding SMIME – SMIME Organization Validation?

As part of the new requirements for public Secure Email (S/MIME) certificates, certificate authorities (CAs), such as DigiCert, must validate the organization included in a Secure Email certificate for S/MIME validation before we can issue the certificate.

How does this affect my client certificate process?

DigiCert will continue to require OV - Normal Organization Validation to validate the organization included in a Secure Email (S/MIME) certificate until we update our process on August 29, 2023. Then, we will require the organization included in a Secure Email certificate to be validated for the new SMIME – SMIME Organization Validation.

  • OV - Normal Organization Validation

    Per the current industry requirements, DigiCert will continue to validate the organization included in Secure Email (S/MIME) certificates for OV - Normal Organization Validation until August 29.

  • SMIME – SMIME Organization Validation

    Starting August 29, 2023, at 10:00 MDT (16:00 UTC), all newly issued S/MIME certificates, including new, reissued, and renewed certificates, must comply with the new Baseline Requirements for the Issuance and Management of Publicly‐Trusted S/MIME Certificates.

CertCentral Services API: New product validation type for client certificates on Order info API response

In the CertCentral Services API, for client certificate orders, we updated the Order info API endpoint to return data describing the type of organization validation DigiCert will use for client certificates after August 29.

Background

The Order info API endpoint returns a product object with information about the type of certificate on the order. For certificates that require organization validation, the product object includes parameters describing the type of organization validation used for the product:

  • validation_type

  • validation_description

  • validation_name

After today's update, for client certificates that require organization validation, these fields return values associated with SMIME Organization Validation. For example:

{
... 
   "product": {
        "csr_required": false,
        "name": "Premium",
        "name_id": "client_premium",
        "type": "client_certificate",
        "validation_description": "SMIME Organization Validation",
        "validation_name": "SMIME",
        "validation_type": "smime"
    },
...
}

Before, these fields returned values associated with Normal Organization Validation. For example:

{
... 
   "product": {
        "csr_required": false,
        "name": "Premium",
        "name_id": "client_premium",
        "type": "client_certificate",
        "validation_type": "ov",
        "validation_name": "OV",
        "validation_description": "Normal Organization Validation",
    },
...
}

How does this affect my API client integration?

If you use the Order info API endpoint to retrieve validation information from the product object, make sure your integration can handle the new validation type values for client certificates.

Otherwise, this change is compatible with existing workflows for validating organizations and requesting client certificates:

  • Until August 29, you can continue ordering client certificates for organizations with an active Normal Organization Validation (OV).

  • After August 29, when ordering client certificates for an organization without active SMIME Organization Validation, DigiCert will automatically submit the organization for SMIME validation.

Stay informed about updates to client certificate API workflows

As we update our systems to comply with the new Secure Email (S/MIME) baseline requirements, we will continue updating Services API workflows for managing S/MIME certificates in CertCentral. Visit our developer portal for a comprehensive list of these changes: Services API updates for client certificate certificate workflows. Make sure to save this page and check it frequently, as we will update this article as new information becomes available.

CertCentral Webhooks: New event types, event logs, and notifications for immediately issued certificates

New CertCentral events

We updated CertCentral webhooks to send notifications for these event types:

  • Domain expired

  • Domain revalidation notice

  • Domain validated

  • Organization expired

  • Organization revalidation notice

  • Organization validated

  • Order rejected

Subscribe to these events when creating or updating a webhook in CertCentral. Learn more: CertCentral event types

Webhook event logs

We're excited to announce that webhook event logs are now available.

Every time CertCentral sends an event to your webhook listener, we create a new webhook event log entry. Each entry includes the event timestamp, event data, and response code that your webhook listener returned to CertCentral. Event logs make it easier to review your event history and troubleshoot the connection between CertCentral and your webhook listener.

Learn more: Webhook event logs

Get notified for immediately issued certificates

Now, you can choose to receive certificate issued events even when certificates are issued immediately. Before, you could only receive certificate issued events for certificates that weren't issued immediately.

Learn more: Customize certificate issued events

CertCentral Services API: Choose a recipient when emailing site seal code

In the CertCentral Services API, we updated the Email site seal API endpoint. Now, when emailing site seal code, you can choose who receives the email by including the optional parameter recipient_email in your request. If omitted, DigiCert emails the site seal to the authenticated user (the user that owns the API key in the request).

Example cURL request:

curl 'https://www.digicert.com/services/v2/order/certificate/{{order_id}}/site-seal/email-seal' \
--header 'X-DC-DEVKEY: {{api_key}}' \
--header 'Content-Type: application/json' \
--data-raw '{
  "recipient_email": "john.doe@example.com"
}'

For more information, visit the API reference documentation: Email site seal.

July 17, 2023

CertCentral Services API: Create and validate organizations with a single API request

We updated the CertCentral Services API documentation to describe how to create an organization and submit it for validation with a single API request. Learn more: Create organization.

Improve your organization validation workflows

Before this update, the API workflow to create an organization and submit it for validation required two API calls:

The Services API still supports this workflow. However, if you know the intended use for an organization at the time of its creation, we recommend performing both of these operations in the same request. Consider updating your integration if you need to improve latency for your end-users, avoid rate limiting, or reduce the number of requests you submit to the Services API for another reason.

July 11, 2023

CertCentral Services API: Remove unexpected data from Order info response

On July 11, 2023, at 10:00 MDT (16:00 UTC), DigiCert will fix an issue causing the Order info API endpoint to return unexpected verified_contacts data. We will restore the Order info response to its original behavior and stop returning verified_contacts inside the organization object.

To get verified contacts for an organization, use the Organization endpoints:

Example Order info response before and after July 11

Before the fix

Truncated JSON response with organization.verified_contacts[] array:

 {
  ...
  "organization": {
    "id": 12345,
    "name": "Example Organization, LLC",
    "display_name": "Example Organization, LLC",
    "is_active": true,
    "city": "Saratoga Springs",
    "state": "Utah",
    "country": "us",
    "telephone": "555-555-5555",
    "verified_contacts": [
      {
        "id": 1234,
        "user_id": "5678",
        "name": "John Doe",
        "first_name": "John",
        "last_name": "Doe",
        "job_title": "Developer",
        "telephone": "555-555-5555",
        "email": "john.doe@example.com"
      }
    ]
  },
  ...
}  

After the fix

Truncated JSON response without organization.verified_contacts[] array:

 {
  ...
  "organization": {
    "id": 12345,
    "name": "Example Organization, LLC",
    "display_name": "Example Organization, LLC",
    "is_active": true,
    "city": "Saratoga Springs",
    "state": "Utah",
    "country": "us",
    "telephone": "555-555-5555",
  },
  ...
}   

July 8, 2023

Upcoming scheduled global maintenance

DigiCert will perform scheduled maintenance on July 8, 2023, 22:00 – 24:00 MDT (July 9, 2023, 04:00 – 06:00 UTC). Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

Upcoming scheduled Europe maintenance

DigiCert will perform scheduled maintenance on July 8, 2023, 09:00 – 11:00 MDT (15:00 – 17:00 UTC). Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

June 13, 2023

CertCentral Services API: Update order-level organization and technical contact

In the CertCentral Services API, we added a new endpoint that you can use to update the order-level organization and technical contact for existing certificate orders.

Use the new endpoint to perform these operations:

  • Add an order-level technical contact.

  • Replace or modify the existing order-level technical contact.

  • Replace or modify the existing order-level organization contact.

For usage information, parameter descriptions, and example requests, visit the API reference: Update organization and technical contact for an order.

June 6, 2023

CertCentral admin can set client certificate CSR policy for all organization users

CertCentral admins can now establish an organization-wide setting for users to follow when requesting client certificates. The options are:

  • Require user to paste or upload CSR

    User must have a CSR at time of enrollment.

  • Require email recipient to generate CSR in browser

    The user can postpone CSR generation by naming an email recipient, who will be prompted to create the CSR and certificate.

  • No preference

    User can choose to enter a CSR or leave the CSR field empty (requiring the email recipient to generate the CSR).

June 3, 2023

Scheduled global maintenance

Some DigiCert services will experience service delays and performance degradation during scheduled maintenance on June 3, 2023, 22:00 – 24:00 MDT (June 4, 2023, 04:00 – 06:00 UTC).

Infrastructure maintenance-related service delay and performance degradation

The infrastructure maintenance starts at 22:00 MDT (04:00 UTC). Then for approximately 10 minutes, the services listed below will experience service delays and performance degradation that affect:

  • CertCentral® and Services API

  • Certificate Issuing Service (CIS)

  • CertCentral Simple Certificate Enrollment Protocol (SCEP)

  • Direct Cert Portal and API

API notes

Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.

What can I do?

Plan accordingly:

  • Schedule high-priority orders, renewals, and reissues before or after the maintenance window.

  • Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.

  • To get live maintenance updates, subscribe to the DigiCert Status page. This subscription includes email alerts for when maintenance starts and when maintenance ends.

  • See the DigiCert global 2023 maintenance schedule for scheduled maintenance dates and times.

Services will be restored as soon as the maintenance is completed.

Upcoming scheduled Europe maintenance

Some DigiCert services will be down for up to 60 minutes during scheduled maintenance on June 3, 2023, 09:00 – 11:00 MDT (15:00 – 17:00 UTC).

DigiCert ONE infrastructure maintenance-related downtime

The DigiCert ONE infrastructure maintenance starts at 09:00 MDT (15:00 UTC). At that time, DigiCert ONE Netherlands and Switzerland instances, along with access to their managers, services, and APIs, will be down for up to 60 minutes.

  • DigiCert ONE Netherlands instance

    • Trust Lifecycle Manager

    • IoT Trust Manager

    • Software Trust Manager

    • Document Trust Manager

    • CA Manager

    • Account Manager

  • DigiCert ONE Switzerland instance

    • Trust Lifecycle Manager

    • IoT Trust Manager

    • Software Trust Manager

    • Document Trust Manager

    • CA Manager

    • Account Manager

API note

  • APIs will return "503 services unavailable" errors.

  • Requests placed during this window that receive a "503 services unavailable" error message will need to be placed again after services are restored.

What can I do?

Plan accordingly:

  • Schedule high-priority orders, renewals, and reissues before or after the maintenance window.

  • Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.

  • To get live maintenance updates, subscribe to the DigiCert Status page. This subscription includes email alerts for when maintenance starts and when maintenance ends.

  • See the DigiCert Europe 2023 maintenance schedule for maintenance dates and times.

Services will be restored as soon as the maintenance is completed.

June 1, 2023

Code signing certificates: New private key storage requirement

Starting on June 1, 2023, at 00:00 UTC, industry standards will require private keys for code signing certificates to be stored on hardware certified as FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent.

DigiCert’s timeline to meet the new private key storage requirement

DigiCert’s timeline ensures we update our code signing certificate process so that private keys for code signing certificates are stored on hardware certified as FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent by May 30, 2023.

Our timeline also allows you to transition to the supported provisioning methods by May 16, 2023.

Learn more about the DigiCert code signing certificate change timeline

CertCentral Services API: Webhooks

CertCentral supports webhook notifications when a certificate is issued or revoked.

You can now receive notifications for certificate events without regularly querying the Orders API for certificate status. Your external application (listener) can wait to receive notification that the certificates are ready, then send a callback request to download the certificate or programmatically alert the certificate owner.

Learn more: CertCentral webhooks

May 30, 2023

Code Signing certificate changes

CertCentral: Authenticate webhook events with secret keys

We are happy to announce that you can now add custom secret keys to CertCentral webhooks. With secret keys, you can ensure the authenticity of webhook events, enhancing the security of your webhook listener.

How webhook secret keys work

When creating or updating a webhook, you can choose to add a custom secret key. If a webhook has a secret key, webhook events include the secret key value in the custom request header X-WEBHOOK-KEY.

To prevent your webhook listener from processing invalid events, configure the endpoint for your webhook listener to validate the X-WEBHOOK-KEY value for each event it receives.

Learn more:

May 20, 2023

CertCentral Services API: Update for Encryption Everywhere DV order requests

In the CertCentral Services API, we updated the request body for creating an Encryption Everywhere DV order to stop using the use_auth_key parameter. Now, DigiCert always ignores the use_auth_key parameter in your requests to create an Encryption Everywhere DV order.

How does AuthKey domain validation work for Encryption Everywhere DV orders?

When you submit an Encryption Everywhere DV order request, DigiCert checks to see if an AuthKey exists in your CertCentral account.

  • AuthKey exists for the account

    DigiCert automatically checks the DNS records for AuthKey request tokens. If we find a valid AuthKey request token for each domain on the order, we validate the domains and the API returns your issued certificate. Otherwise, the API returns an error.

  • No AuthKey exists for the account

    The API returns an error. You must create an AuthKey before you can request Encryption Everywhere DV certificates.

Learn more about using AuthKey request tokens: DV certificate immediate issuance.

Background

For Encryption Everywhere DV certificates, DigiCert has always required completing domain control validation using AuthKey request tokens. A change we released on May 16, 2023 made it possible to pass in a false value for the use_auth_key parameter when creating an Encryption Everywhere DV order.

Now, for Encryption Everywhere DV orders, we use the certificate type to trigger the AuthKey request token check instead of looking for the use_auth_key parameter. This change makes the API easier to use and prevents Encryption Everywhere DV orders from being created in a state where the domains cannot be validated and the order must be rejected.

May 16, 2023

CertCentral Services API: New use_auth_key default for DV certificate requests

Note

Update: We are postponing these changes until May 16, 2023. We originally planned to release this update on May 10, 2023.

On May 16, 2023, at 10:00 AM MDT (16:00 UTC), DigiCert will change the default behavior for DV TLS/SSL orders in CertCentral accounts using AuthKeys.

Starting May 16, DV TLS certificate orders and reissues created with the CertCentral Services API will always use a default value of false for the use_auth_key request parameter.

After this change, to validate domains on a DV order or reissue using AuthKey request tokens, you must include the use_auth_key parameter with a true value in the body of your certificate request:

{
  ...
  "use_auth_key": true
  ...
}

Note

Today, if an AuthKey exists in your account, DigiCert uses AuthKey request tokens to validate domains on DV TLS/SSL orders and reissues by default. To opt out of this default, you must include the use_auth_key parameter with a value of false in your DV certificate order requests.

How does this affect me?

Starting May 16, for DV TLS orders and reissues that omit the use_auth_key request parameter, DigiCert will stop using AuthKey request tokens to complete domain validation.

  • For all DV products except Encryption Everywhere DV, DigiCert will still accept the request. However, we will not check domains on the order for an AuthKey request token. This means we cannot immediately complete domain validation and return the certificate data in the API response. Instead, the API will return a random value (dcv_random_value) that you can use to complete domain validation after the order is created:

    {
      "id": 123456,
      "certificate_id": 123456,
      "dcv_random_value": "icru1984rnekfj"
    }
  • For Encryption Everywhere DV certificates (ssl_dv_ee), DigiCert will reject the order. Domains on Encryption Everywhere DV certificates can only be validated using AuthKey request tokens.

What do I need to do?
  1. First, see if this change affects your API client integration.

    This change affects you if you meet all of the following criteria:

    • Your CertCentral account has an AuthKey.

      To check if an AuthKey exists in your account, use the AuthKey details endpoint.

    • You use the API to request or reissue any of these DV SSL/TLS certificates:

      Product identifier

      Name

      ssl_dv_geotrust

      GeoTrust Standard DV SSL Certificate

      ssl_dv_rapidssl

      RapidSSL Standard DV SSL Certificate

      ssl_dv_thawte

      Thawte SSL123 DV

      ssl_dv_ee

      Encryption Everywhere DV

      wildcard_dv_geotrust

      GeoTrust Wildcard DV SSL Certificate

      wildcard_dv_rapidssl

      RapidSSL Wildcard DV SSL Certificate

      cloud_dv_geotrust

      GeoTrust Cloud DV

      ssl_dv_geotrust_flex

      GeoTrust DV SSL

  2. Next, update your code.

    Review any requests to the Services API that create a DV certificate order or reissue for domains you want to validate with an AuthKey request token. See if these requests already include the use_auth_key parameter with a true value.

    • If yes:

      No action is required. After May 16, 2023, DigiCert will continue using AuthKey request tokens to validate the domains on your orders and reissues.

    • If not:

      Before May 16, 2023, update your requests to include the use_auth_key parameter with a true value:

      {
        ...
        "use_auth_key": true
        ...
      }
Why is DigiCert making this change?
  • To improve security. By default, the API should assume clients want to complete DCV using DigiCert-generated random values. DigiCert should only check for user-generated AuthKey request tokens when clients explicitly request this behavior.

  • To make the API more deterministic and easier to use. After this change, API requests that omit the use_auth_key parameter will always generate the same results, regardless of whether an AuthKey exists in the account.

  • To align our system with future API enhancements. This change makes it possible to deliver enhancements that behave the same way for different product types.

Code Signing certificate changes

May 9, 2023

CertCentral Services API: Added support for order-level organization contacts

To give API clients more control over the contacts assigned to new and renewal orders, we updated the CertCentral Services API to support order-level organization contacts.

Now, when requesting or renewing a certificate, you can assign an organization and technical contact directly to the order instead of using the contacts assigned to the organization on the request. If you do, DigiCert creates the order using the order-level contacts. The organization and technical contact for the organization remain unchanged.

Note

Before, DigiCert always created orders using the organization contact assigned to the organization on the order. Creating an order with a different organization contact required replacing the organization contact for the organization.

To submit an order-level organization and technical contact with your order, include the organization_contact and technical_contact objects at the root of your JSON request body. If omitted, DigiCert uses the organization and technical contact assigned to the organization on the order.

Example JSON request

{
  "certificate": {
    "common_name": "example.net",
    "csr": "<csr>"
  },
  "organization_contact": {
    "first_name": "Jane",
    "last_name": "Doe",
    "job_title": "Manager",
    "telephone": "555-555-5555",
    "email": "jane.doe@example.com"
  },
  "technical_contact": {
    "first_name": "John",
    "last_name": "Doe",
    "job_title": "Site Reliability Engineer",
    "telephone": "555-555-5556",
    "email": "john.doe@example.com"
  },
  "organization": {
    "id": <organization_id>
  },
  "order_validity": {
    "years": 6
  },
  "payment_method": "balance"
}

Supported products

The API supports the option to add an order-level organization contact for all certificates that require an organization contact.

May 6, 2023

Scheduled global maintenance

DigiCert will perform scheduled maintenance on May 6, 2023, 22:00 – 24:00 MDT (May 7, 2023, 04:00 – 06:00 UTC).

Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

Services will be restored as soon as the maintenance is completed.

Upcoming scheduled Europe maintenance

Some DigiCert services will be down for up to 60 minutes during scheduled maintenance on May 6, 2023, 09:00 – 11:00 MDT (15:00 – 17:00 UTC).

DigiCert ONE infrastructure-related maintenance downtime

The DigiCert ONE infrastructure-related maintenance starts at 15:00 UTC. At that time, DigiCert ONE Netherland and Switzerland instances, along with access to their managers, services, and APIs, will be down for up to 60 minutes.

  • DigiCert ONE Netherlands instance

    • Trust Lifecycle Manager

    • IoT Trust Manager

    • Software Trust Manager

    • Document Trust Manager

    • CA Manager

    • Account Manager

  • DigiCert ONE Switzerland instance

    • Trust Lifecycle Manager

    • IoT Trust Manager

    • Software Trust Manager

    • Document Trust Manager

    • CA Manager

    • Account Manager

API notes

  • APIs will return "503 services unavailable" errors.

  • Requests placed during this window that receive a "503 services unavailable" error message will need to be placed again after services are restored.

Services will be restored as soon as the maintenance is completed.

May 2, 2023

Code Signing certificate changes

April 25, 2023

Secure email certificates for individuals and businesses

We are happy to announce that DigiCert is now offering enhanced Secure Email Certificates (S/MIME) at two levels, Secure Email for Individual and Secure Email for Business.

These certificates offer:

  • Secure email encryption and signing

  • Validation that your emails come from you

Secure Email for Individual is automatically validated and quick to generate – you can begin using your certificate within minutes.

Secure Email for Business includes an extra level of validation, authenticating your organization as an email sender, and includes support options.

To add these certificates to your CertCentral account, select Secure email certificates on the request page.

Don’t see Secure Email for Individual and Secure Email for Business in your account? Contact your account manager or DigiCert Support.

Note

Not available in Japan.

April 19, 2023

April 11, 2023

CertCentral Services API: Enhanced response when editing domains on an OV or EV certificate order

We improved how the API returns data when using the endpoint to edit domains on pending OV or EV orders and reissues. After this change, when editing domains on a pending OV or EV order:

  • A successful request returns a response status code of 200 OK.

  • The API returns a list of domains with an object for each domain on the order. Each object has the name and id of the domain in your account that you must validate to prove control over the domain on the order.

Before this change, successful requests to edit domains on pending OV or EV orders and reissues returned a response status code of 204 No Content. The response did not include any data, even if the request created new domains in your account.

Note

There is no change to the API behavior when updating domains on DV orders. Successful requests to edit domains on DV orders continue to return a response status code of 204 No Content.

Example response for a successful call to edit domains on a pending OV or EV order:

In this example, every domain (dns_name) on the order is submitted for validation under the scope of the base domain example.org. This means each object in the domains array returns the name and id for example.org.

Learn more: Edit domains on a pending order or reissue

April 8, 2023

Scheduled global maintenance

Some DigiCert services will be down or experience delayed responses for up to 10 minutes during scheduled maintenance on April 8, 2023, 22:00 – 24:00 MDT (April 9, 04:00 – 06:00 UTC).

Infrastructure-related maintenance downtime

The infrastructure-related maintenance starts at 22:05 MDT (04:05 UTC). At that time, the services listed below will be down for up to 10 minutes.

Affected services

Certificate Issuing Service (CIS) and CertCentral Simple Certificate Enrollment Protocol (SCEP)

  • Certificate requests submitted during this time will fail.

  • Resubmit failed requests after services are restored.

CertCentral certificate issuance

  • Certificate requests submitted during this time will fail.

  • Resubmit failed requests after services are restored.

  • CertCentral Automation

    • Reschedule automation events around maintenance.

    • Retry failed events after services are restored if events cannot be rescheduled.

QuoVadis® TrustLink® certificate issuance

  • TrustLink certificate requests submitted during this time will fail.

  • Resubmit failed requests after services are restored.

Direct Cert Portal certificate issuance

  • Certificate requests submitted during this time will fail.

  • Resubmit failed requests after services are restored.

PKI Platform 8 new domain and organization validation

  • New domains and organizations submitted for validation during this time will be delayed.

  • Requests will be queued and processed after services are restored.

What can I do?

Plan accordingly:

  • Schedule high-priority orders, renewals, and reissues before or after the maintenance window.

  • Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.

  • To get live maintenance updates, subscribe to the DigiCert Status page. This subscription includes email alerts for when maintenance starts and when maintenance ends.

  • See the DigiCert global 2023 maintenance schedule for scheduled maintenance dates and times.

Services will be restored as soon as the maintenance is completed.

Upcoming scheduled Europe maintenance

Some DigiCert services will be down for up to 10 minutes during scheduled maintenance on April 8, 2023, 09:00 – 11:00 MDT (15:00 – 17:00 UTC).

CertCentral Infrastructure-related maintenance downtime

The infrastructure-related maintenance starts at 10:05 MDT (16:05 UTC). At that time, CertCentral certificate issuance may be down or experience delayed response for up to 10 minutes.

Items to note:

  • Certificate requests submitted during this time will fail.

  • Resubmit failed requests after services are restored.

What can I do?

Plan accordingly:

  • Schedule high-priority orders, renewals, and reissues before or after the maintenance window.

  • Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.

  • To get live maintenance updates, subscribe to the DigiCert Status page. This subscription includes email alerts for when maintenance starts and when maintenance ends.

  • See the DigiCert Europe 2023 maintenance schedule for scheduled maintenance dates and times.

Services will be restored as soon as the maintenance is completed.

March 28, 2023

CertCentral: Value added tax (VAT) numbers

We are happy to announce that CertCentral now allows you to add a valued added tax (VAT)* number to all your transactions, such as purchasing a certificate and depositing funds. DigiCert will append the VAT number supplied as a reference on payment records. Remember that if you do not provide your VAT number, your orders may include unexpected taxes that would have been excluded had you provided the VAT ID number.

Important

VAT numbers are not supported by DigiCert USA and DigiCert Japan billing entities. Contact your account manager to learn more about your account’s billing entity.

You can add a VAT number to your account or division. When requesting a certificate, depositing funds, and creating a purchase order, you can use the account or division VAT number or add a custom VAT number that applies to that transaction only. The VAT number appears on your invoice/receipts and purchase orders (POs).

Important

DigiCert’s inclusion of VAT numbers in payment documentation is for customers’ use and convenience only. DigiCert does not validate the VAT numbers and is not responsible for inaccurate information provided by customers. See DigiCert’s Master Service Agreement.

CertCentral: Taxes included split out on monthly auto-invoices for negative account balances

For CertCentral customers with negative account balances, we have updated your monthly invoice to display the total amount due and how much is from sales tax. Additionally, the monthly auto-invoices will now display the customer's value added tax (VAT) ID number if they have provided it in their CertCentral account.

For customers where sales tax is required by local law, the monthly auto-invoices have always included the taxes charged as part of each purchase in the total invoice amount. However, until now, monthly auto-invoices did not split out how much of the total invoice was taxed.

CertCentral Services API: Enhanced Order validation status response

In the CertCentral Services API, we updated the Order validation status API to return a new response parameter for domains pending validation: dns_name_validations[].name_scope.

The name_scope parameter returns the domain you must validate to prove control over the domain on the certificate order. This is useful when you need to validate a domain on the certificate by completing a DCV check for either the base domain or for a subdomain between the FQDN and base domain.

For example:

{
  ...
  "dns_name_validations": [
    {
      "name_scope": "sub.example.com",
      "status": "unapproved",
      "method": "email",
      "dns_names": [
        "sub.example.com"
      ],
      "base_domain": "example.com"
    }
  ]
  ...
}

Notes:

  • For all orders, the API omits the dns_name_validations[].name_scope parameter for validated (approved) domains.

  • For DV orders, the API returns a dns_name_validations[].name_scope parameter for all pending (unapproved) domains.

  • For OV and EV orders, the API omits the dns_name_validations[].name_scope parameter unless the order specifies a domain-level validation scope for the domain. To validate domains with no name_scope, use the domain validation scope chosen for the order (order_name_scope).

CertCentral Services API: Bugfix for API endpoint to get DV order validation status

Note

Update: We are postponing these changes until March 28, 2023. We originally planned to release this update on March 22, 2023.

On March 28, 2023, at 10:00 MDT (16:00 UTC), DigiCert will fix a bug with the Order validation status API endpoint. This bug causes the API to return different values for DV TLS orders versus OV and EV TLS orders in the dns_name_validations[].dns_names array.

Starting March 28, the dns_name_validations[].dns_names array in the Order validation status API response will always contain the exact FQDN associated with the given validation details.

This fix standardizes what is returned for DV, OV, and EV TLS orders in the dns_name_validations[].dns_names array. It also aligns the API behavior with the description of the dns_names array in the API documentation.

Currently:

  • For DV orders, the dns_name_validations[].dns_names array contains the domain that was submitted for validation. Depending on the DCV scope set for the order, the domain submitted for validation may be a higher-level domain than the FQDN on the order.

  • For OV and EV TLS orders, the dns_name_validations[].dns_names array already contains the exact FQDN on the order.

What do I need to do?
  1. Check your code to determine if this change affects your API integration.

    This change affects you if you meet all of the following criteria:

    • You use the Order validation status API endpoint to get the validation status of DV orders.

    • Your integration expects the API to return a dns_name_validations[].dns_names array with the domain name submitted for validation instead of the exact FQDN on the order.

  2. Determine if action is required.

    Do you meet all of the criteria listed above?

    • If not, no action is required. You can safely ignore this change.

    • If yes, update your code before March 28, 2023.

      Wherever you handle response data from the Order validation status endpoint, make sure your integration always expects the dns_name_validations[].dns_names array to contain the exact FQDN from the order.

Warning

Failing to update your code may result in unexpected behavior after we make this change.

Examples

This example shows how the dns_name_validations[].dns_names array will change. Each JSON object shows what the Order validation details API returns when querying a DV order for the FQDNs sub.example.net and sub.example.org. The order in this example uses a DCV scope of base domain.

Before March 28, 2023 bugfix

After March 28, 2023 bugfix

{
  ...
  "dns_name_validations": [
    {
      "status": "unapproved",
      "method": "email",
      "dns_names": [
        "example.net"
      ],
      "base_domain": "example.net"
    },
    {
      "status": "unapproved",
      "method": "email",
      "dns_names": [
        "example.org"
      ],
      "base_domain": "example.org"
    }
  ]
  ...
}
{
  ...
  "dns_name_validations": [
    {
      "status": "unapproved",
      "method": "email",
      "dns_names": [
        "sub.example.net"
      ],
      "base_domain": "example.net"
    },
    {
      "status": "unapproved",
      "method": "email",
      "dns_names": [
        "sub.example.org"
      ],
      "base_domain": "example.org"
    }
  ]
  ...
}

March 15, 2023

DCV method information updates to Domain details pages

We updated the individual domain validation process (often referred to as domain prevalidation) to improve how we display the domain’s domain control validation (DCV) method.

Note that before, we always showed the last submitted DVC method. This wasn’t very clear for customers whose last submitted DCV method was different from the last method used to validate the domain.

Now, when a domain is pending validation or revalidation, we show the last submitted DCV method (in other words, the method currently being used to validate the domain). After you validate the domain, we show the DCV method last used to complete the validation.

CertCentral Services API: New Domain info response parameter

We added the dcv_approval_method parameter to the Domain info API response. This parameter returns the DCV method used to complete the most recent DCV check for the domain.

Note

This differs slightly from the value of the dcv_method response parameter, which returns the latest DCV method configured for the domain. When using a different DCV method to revalidate a domain, the latest DCV method configured for the domain (dcv_method) may differ from the DCV method used to complete the most recent DCV check (dcv_approval_method).

We only return the dcv_approval_method parameter when the request URL contains ?include_dcv=true.

Learn more about the Domain info API endpoint.

March 8, 2023

DigiCert moving to G2 root and intermediate CA (ICA) certificate hierarchies

Update:

To provide more time to increase our fifth-generation (G5) root ubiquity, DigiCert has delayed our move to our new single-purpose root and ICA certificate hierarchies. Instead, we will move to second-generation root and ICA certificate hierarchies in the interim to comply with Mozilla’s root distrust timeline for DigiCert first-generation root certificates.

On March 8, 2023, at 10:00 MST (17:00 UTC), DigiCert will begin updating the default public issuance of TLS/SSL certificates to our second-generation (G2) root and intermediate CA (ICA) certificate hierarchies. See our DigiCert root and intermediate CA certificate updates 2023 knowledge base article for more information.

How do switching root and ICA certificates affect me?

Switching to a different certificate hierarchy typically doesn't require additional work as long as you always install the DigiCert-provided ICA certificate when installing your TLS certificate.

With the change to G2 certificate hierarchies, no action is required unless you do any of the following:

  • Pin ICA/Root certificates

  • Hard-code the acceptance of ICA/Root certificates

  • Operate a trust store

If you do any of the above, we recommend updating your environment before March 8, 2023. Stop pinning or hard-coding root or ICA certificate acceptance or make the necessary changes to ensure certificates issued from the G2 certificate hierarchy are trusted (in other words, they can chain up to their trusted G2 root certificate).

How do switching root and ICA certificates affect my existing certificates?

Switching to the G2 hierarchy does not affect your existing certificates. DigiCert has timed the move to G2 root certificate hierarchies to ensure your existing certificates will not be affected by the Mozilla distrust policy. Active TLS/SSL certificates issued from a G1 hierarchy will remain trusted until they expire.

However, newly issued, renewed, reissued, and duplicate certificates issued after March 8, 2023, will chain to the G2 root hierarchy. When installing your certificates, make sure to include the DigiCert-provided ICA certificate.

What if I need more time to update my environment?

If you need more time to prepare, contact DigiCert Support. We will set up your account so you can continue to use the root and ICA certificates you are using now.

When deciding how long to stay on your current root, remember that Mozilla root distrust includes the ICA certificate and TLS/SSL certificates linked to the root. To remain trusted, all active certificates, including reissues and duplicates, must be reissued from a G2 or newer root hierarchy before the root certificate distrust date.

March 4, 2023

Upcoming scheduled maintenance

Some DigiCert services will be down for approximately 5 minutes during scheduled Europe maintenance on March 4, 2023, 09:00 - 11:00 MST (16:00 - 18:00).

QuoVadis platform maintenance-related downtime

During the two-hour maintenance window, QuoVadisQ platform services will be down for approximately 5 minutes while we do some infrastructure-related maintenance that requires server restarts.

What can I do?

  • Schedule high-priority tasks before or after the maintenance windows.

  • Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.

  • To get live maintenance updates, subscribe to the DigiCert Status page. This subscription includes email alerts for when maintenance starts and when maintenance ends.

  • See the DigiCert Europe 2023 maintenance schedule for scheduled maintenance dates and times.

Services will be restored as soon as the maintenance is completed.

February 28, 2023

Verified Mark Certificates (VMC):  Image and certificate file hosting and government marks

We are happy to announce that DigiCert has added two new features to our Verified Mark Certificates:

  • Government mark support

    Instead of using a trademarked logo in your Verified Mark Certificate, you can now use a government mark.

  • Image and certificate file hosting

    Instead of hosting the logo image and Verified Mark Certificate file yourself, you can now allow DigiCert to host the files on your behalf.

What are government marks?

A government mark is a logo that a government grants to an organization.

To get a VMC for a government mark, you provide your government mark’s enabling legislation instead of trademark registration. The law or government record that grants the logo to your organization proves the mark’s legitimacy to get a VMC.

Learn more about government marks.

What is image and certificate file hosting?

Our image and certificate file hosting feature allows DigiCert to host your VMC and SVG logo files on your behalf.

With DigiCert hosting, you set up your domain’s DNS record once, and then we keep your VMC and SVG logo files up-to-date. When you renew or reissue your certificate, we automatically push the latest version of your files to our hosted server with no changes required in your DNS or other configuration.

Learn more about VMC image and file hosting.

CertCentral Services API: Enhancements for VMC file hosting and government marks

To support VMC file hosting and government marks in API integrations, we made several additive enhancements to the endpoints for managing VMC orders.

Improvements to verified contacts selections when requesting SSL/TLS and code signing certificates

We are happy to announce that we have improved the verified contact selection process when ordering EV SSL/TLS, Code Signing, and EV Code Signing certificates.

Now when you select an organization with existing verified contacts, you can see if a contact is validated (green check mark) or pending validation (yellow timer). Before, you could not see the validation status for the organization’s verified contacts.

February 17, 2023

Verified Mark Certificates (VMC): Six new approved trademark offices

We are happy to announce that DigiCert now recognizes three more intellectual property offices for verifying the logo for your VMC certificate. These offices are in Denmark, France, Netherlands, New Zealand, Sweden, and Switzerland.

New approved trademark offices:

  • Denmark - Danish Patent and Trademark Office

  • France - French Patent and Trademark Office

  • Netherlands - Benelux Organization for Intellectual Property

  • New Zealand - Intellectual Property Office of New Zealand

  • Sweden - Swedish Intellectual Property Office

  • Switzerland - Swiss Federal Institute of Intellectual Property

Other approved trademark offices:

  • Australia - IP Australia

  • Brazil - National Institute of Industrial Property

  • Canada - Canadian Intellectual Property Office

  • European Union - European Union Intellectual Property Office

  • Germany - German Patent and Trade Mark Office

  • India - Office of the Controller General of Patents, Designs and Trade Marks

  • Japan - Japan Patent Office

  • Republic of Korea (South Korea) - Korean Intellectual Property Office

  • Spain - Spanish Patent and Trademark Office

  • United Kingdom - Intellectual Property Office

  • United States - United States Patent and Trademark Office

What is a Verified Mark Certificate?

Verified Mark Certificates (VMCs) are a new type of certificate that allows companies to place a certified brand logo next to the “sender” field in customer inboxes.

  • Your logo is visible before the message is opened.

  • Your logo acts as confirmation of your domain’s DMARC status and your organization’s authenticated identity.

Learn more about VMC certificates.

February 15, 2023

New Dedicated IP addresses for DigiCert Services

Update: IP Address change postponed until February 15, 2023

When we sent notifications in June 2022 about the IP address change, one of the IP addresses was incorrect. The same IP address was incorrect in this change log. We fixed that, and the information in the change log has been corrected.

To provide you with time to verify and update the IP addresses in your allowlist, we have postponed the IP address change until February 2023.

What if I already updated my allowlists?

Verify that the IP addresses in your allowlist match those in the New dedicated IP Addresses list below.

On February 15, 2023, at 08:00 MST (15:00 UTC), DigiCert will assign new dedicated IP addresses to several DigiCert services.

For more details about these IP addresses, see our New Dedicated IP Addresses knowledge base article.

If you have questions or need help, contact your account manager or DigiCert Support.

February 14, 2023

Change log RSS feed returns

We are happy to announce that we’ve reimplemented the RSS Feed for the CertCentral® Change log. You can find the new change log feed here: https://docs.digicert.com/en/certcentral/change-log.rss.

RSS feed items to note

  • The RSS feed returns the 15 most recent change log entries.

  • To make upcoming changes easier to identify, we labeled them Upcoming changes.

  • The Change log RSS feed follows RSS 2.0 specifications and is compatible with RSS 2.0 compliant feed aggregators.

RSS feed reader tips

  • All major browsers have RSS feed extensions to automatically access your selected RSS feeds and organize the results for you.

  • The new RSS feed is also auto-discoverable from the Change log web page.

certcentral-change-log-rss-feed.png

February 09, 2023

CertCentral: Improved OV and EV TLS certificate domain control validation

We are happy to announce that we updated the Prove control over your domain popup window for pending OV and EV TLS certificate orders, making it easier to see what you need to do to complete the domain validation for all domains included on your certificate.

Now, when you select a domain control validation (DCV) method, you can see basic instructions for completing the domain validation along with a link to more detailed instructions on our product documentation website.

CertCentral Services API: Expiration date now available for order-level DCV random values

We updated the CertCentral Services API to return the expiration date for order-level DCV random values.

Now, when you submit a request to the Get order DCV random value or  Change order DCV method API endpoints, the response includes the expiration date (expiration_date) of the random value:

{
   "dcv-random_value": "fjqr7th5ds",
   "expiration_date": "2023-02-24T16:25:52+00:00"
}

February 4, 2023

Upcoming scheduled maintenance

Some DigiCert services will be down for up to 10 minutes during scheduled Europe maintenance on February 4, 2023, 09:00 - 11:00 MST (16:00 - 18:00)

QuoVadis platform maintenance-related downtime

During the two-hour maintenance window, QuoVadis platform services will be down for up to 10 minutes in total while we do some infrastructure-related maintenance that requires service restarts: 5 minutes for a monthly patching restart and 5 minutes for a database restart.

What can I do?

Plan accordingly:

  • Schedule high-priority tasks before or after the maintenance windows.

  • Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks

  • To get live maintenance updates, subscribe to the DigiCert Status page. This subscription includes email alerts for when maintenance starts and when maintenance ends.

  • See the DigiCert Europe 2023 maintenance schedule for scheduled maintenance dates and times.

Services will be restored as soon as the maintenance is completed.

January 25, 2023

CertCentral now supports SSO federation through OpenID Connect

To improve security and better integrate with current Single Sign-On technology, DigiCert now supports SSO federation through Open ID Connect (OIDC).

I already connect CertCentral to my identity provider using SAML. Do I need to switch to OIDC?

No, you can continue using your existing setup. However, you may wish to migrate to OIDC because it is easier to implement, works more smoothly on mobile devices, and is more accessible to APIs.

How do I connect my identity provider with CertCentral using OIDC?

See OIDC Single Sign-On guide.

January 23, 2023

CertCentral: Guest URL support for Verified Mark Certificates

We are happy to announce that we added Verified Mark Certificates (VMCs) to the available products for Guest URLs for CertCentral Enterprise and CertCentral Partner.

Previously, you had to add someone to your account before they could order a Verified Mark Certificate (VMC). Now, you can create a Guest URL that allows a person to order a VMC without needing to be a user in your account.

Bugfix: Pending verified contacts missing from Organization details pages

We fixed a bug that prevented pending verified contacts from being displayed on the Organization details page. Note that after we validated a contact, they were automatically added to the page (i.e., you could see the “validated” verified contacts but not those pending validation).

Now when you submit a verified contact for validation, they appear in the Verified Contacts section along with the pending validation types: EV, EV CS, or CS.

pending-verified-contacts.png

January 17, 2023

CertCentral: Set the domain validation scope when reissuing TLS certificates

We are happy to announce that you can now set the domain validation scope when reissuing your TLS/SSL certificates.

On the TLS/SSL certificate reissue forms, we added a DCV scope dropdown that allows you to set the domain validation scope to use when validating the domains on your reissued certificate: validate base domains or validate exact domain names. This setting makes it easier to see the default domain validation scope you will use to validate the domains when reissuing your certificate and update the scope if needed.

Note

The domain scope setting does not change the account domain validation scope setting. It only sets the domain validation scope for your reissued certificate.

January 16, 2023

CertCentral: Legacy order # renamed to Alternate order #

On January 16, we will rename Legacy order # in CertCentral. We will change the name to Alternate order # to better align with the API and the purpose of this second order number.

Note

Alternate order numbers do not replace the unique order number that DigiCert assigns to each order request.

CertCentral Services API

When ordering a certificate via the CertCentral Services API, you can assign a custom alphanumeric ID to an order by passing in the alternative_order_id parameter with your certificate request. Currently, CertCentral displays the alternative_order_id as the Legacy order #.

Legacy order number background

After DigiCert purchased Symantec’s TLS/SSL division, DigiCert implemented the Legacy order number as a way for customers to track their Symantec orders after importing them into CertCentral. This same feature is used by customers who want to use their own order numbers to track their CertCentral orders.

Additional information

See the Orders section of the CertCentral Services API to learn more about alternate order numbers. For example, on the Order Basic OV endpoint page, in the Request parameters table, you will find an alternative_order_id parameter entry. This entry provides more details about using alternate order numbers. The same information is provided in each of the Order endpoints.

January 13, 2023

Improvements to CertCentral change log structure

To make it easier to find information about updates to CertCentral and the CertCentral APIs, we improved the structure of the CertCentral change log. Now, DigiCert publishes all CertCentral change log entries to a single page with these sections:

  • Upcoming changes

    Information about upcoming changes that could impact your CertCentral experience. Entries are sorted by date with the furthest pending change on top.

  • Recent changes

    Information about recent changes made to CertCentral and the CertCentral APIs. Entries are sorted by date with the most recent change on top.

With the new structure, you can use Control + F (Windows) or Command + F (Mac) to search the entire catalogue of entries on this page for the information you need.

January 10, 2023

Bugfix: Users don’t see expiring certificate alerts in CertCentral

We fixed a bug that prevented standard and limited users from viewing the Expiring DigiCert Certificates widget on the Dashboard and the expiring certificate and order alerts on the Orders page. It also prevented them from viewing the Expiring Certificates page.

Note

This bug did not prevent these users from viewing their expiring certificates on the Orders page; it only prevented them from viewing the expiring certificate and order alerts.

Now, when standard and limited users sign in to their CertCentral account, they see:

  • Expiring DigiCert Certificates widget on the Dashboard (in the left main menu, select Dashboard)

  • Expiring certificate and order alerts on the Orders page (in the left main menu, go to Certificates > Orders)

  • Expiring Certificates page (in the left main menu, go to Certificates > Expiring Certificates)

January 7, 2023

Upcoming scheduled maintenance

Some DigiCert services will be down for up to 120 minutes during scheduled maintenance on January 7, 2023.

January 5, 2023

CertCentral: Improved Order details page for pending code signing certificate orders

DigiCert is happy to announce that we updated the Order details page for pending EV and standard code signing certificate orders.

To make it easier to see what you need to do and what DigiCert needs to do to issue your EV and standard code signing certificates, we added two new sections to the Certificate status section of the Order details page:

  • What do you need to do – see the tasks you need to complete

  • What does DigiCert need to do – see the tasks DigiCert needs to perform

January 4, 2023

CertCentral: Set the domain validation scope for your new TLS certificate orders

We are happy to announce that you can now set the domain validation scope when ordering a new TLS/SSL certificate.

On the TLS/SSL certificate request forms, we added a DCV scope dropdown that allows you to set the domain validation scope to use when validating the domains on your certificate: validate base domains or validate exact domain names. This setting makes it easier to see the default domain validation scope you will use to validate the domains on your certificate and update the scope if needed.

Note

The domain scope setting does not change the account domain validation scope setting. It only sets the domain validation scope for your certificate order.

CertCentral Services API: Set domain validation scope for new TLS certificate orders and reissues

We are happy to announce that you can now set the domain validation scope when ordering or reissuing a TLS/SSL certificate with the Services API. Use the certificate_dcv_scope parameter to define the domain validation scope for the order, overriding the domain validation scope setting for the account.

The certificate_dcv_scope parameter accepts these values:

  • base_domain: Validate each domain and subdomain in the request at the base domain level (for example, when submitting sub.example.com and example.com, validate example.com).

  • fqdn: Validate each domain and subdomain included in the order exactly as named in the request.

    When using fqdn::

    • If a domain is a subdomain of another domain included on the order, complete the DCV check for the higher-level domain.

    • For OV and EV certificates only, if a higher-level domain exists in the account with an active validation, we validate the domain under the scope of the existing domain.

2022 年 12 月 31 日

DigiCert 2022 維護排程

若要讓規劃您的憑證相關工作變得更容易,我們預先排程我們的 2022 維護視窗。請參閱 DigiCert 2022 排程的維護 — 此頁面有最新的所有維護排程資訊。

我們在全世界都有客戶,因此理解沒有對每個人的最佳時間。但在檢閱與客戶使用有關的資料後,我們選擇了會影響我們最少客戶量的時段。

關於我們的維護時程表

  • 除非另有說明,否則維護的時間安排在每個月的第一個周末。

  • 每個維護視窗都排程 2 個小時。

  • 雖然我們有保護您的服務的適當備援,但有些 DigiCert 服務仍可能無法使用。

  • 一完成維護時,即繼續所有一般操作。

  • 若要取得即時維護更新,請訂閱 DigiCert 狀態頁面。此訂閱包括維護開始和維護結束時使用的電郵提醒。

如果您需要更多有關這些維護時段的資訊,請聯絡您的帳戶管理員或 DigiCert 支援團隊

December 15, 2022

CertCentral: Single random value for completing DCV on OV and EV TLS certificate orders

To simplify the domain control validation (DCV) workflow for OV and EV TLS certificates, we've improved our random value generation process for OV and EV certificate orders.

Now, when using DCV methods that require a random value to complete the domain validation for your OV or EV TLS orders, you receive a single random value that you can use to complete the DCV check for every domain on the order.

Note

Before, DigiCert returned a unique random value for each domain submitted on the OV or EV TLS certificate order.

This change brings the DCV workflow for OV and EV orders into closer alignment with DV orders, which have always returned a single random value for all domains on the order.

Affected DCV methods:

CertCentral Services API: DCV enhancements

To improve API workflows for clients using DCV methods that require a random value for OV and EV TLS certificate orders, we made the following enhancements to the CertCentral Services API.

Updated API response for creating OV and EV TLS certificate orders

We updated the data returned when you submit an order request:

  • New response parameter: dcv_random_value

    Now, when you submit an OV or EV TLS certificate order request with a dcv_method of dns-txt-token, dns-cname-token, or http-token, the API returns a new top-level response parameter: dcv_random_value. This parameter contains a random value that you can use to complete the DCV check for every domain on the order.

  • Enhanced domains array

    Now, when you submit an OV or EV TLS certificate order request with a DCV method of dns-txt-token, dns-cname-token, or http-token, the API returns a dcv_token object for every domain in the domains array.

    Additionally, each domains[].dcv_token object now includes the same dcv_random_value that is used for the entire order. Before, we returned a different random value for each domain.

    Note

    Before, when you submitted an order for an OV or EV TLS certificate, the API response omitted the dcv_token object for these domains:

    • Domains validated under the scope of another domain on the order.

    • Domains that already existed in your account.

    • Subdomains of existing domains.

This example shows the updated API response for an OV TLS certificate request using a DCV method of dns_txt_token. For this example, the order includes these domains: example.com, sub.example.com, and example.org.

Updated API response for reissuing OV and EV TLS certificates

Now, when you reissue an OV or EV TLS certificate order request with a dcv_method of dns-txt-token, dns-cname-token, or http-token, the API returns a dcv_random_value that you can use to validate any domains added with the reissue request. For more information, visit the Reissue certificate API reference.

Note

Before, the Reissue certificate API endpoint only returned a dcv_random_value parameter for DV certificate reissues.

Added support for OV and EV TLS certificate orders to endpoints for managing order DCV

We updated the order-level endpoints for managing DCV to accept requests when the order_id path parameter contains the ID of an OV or EV TLS certificate order:

With this change, you can complete DCV for OV and EV TLS certificate orders with fewer API requests by calling the endpoints for managing DCV at the order-level instead of the domain-level.

Now, you can complete DCV checks for a domain using:

  • Any valid random value that exists for the domain (order-level or domain-level).

  • Either of the endpoints for checking DCV: Check domain DCV or Check order DCV.

Note

Before, the order-level endpoints for managing DCV only accepted requests when the order_id path parameter contained the ID of a DV certificate order. To manage DCV for individual domains on OV and EV TLS certificate orders, API clients had to use our domain-level endpoints:

Domain info API enhancements

We updated the Domain info API endpoint to return a new response parameter: higher_level_domains.

The higher_level_domains parameter contains a list of existing higher-level domains with a complete domain control validation (DCV) check for the same organization as the queried domain. Use this list to see if there are any domains in your account with active validations you can reuse to prove control over the queried domain.

For example, if you query the domain ID for demo.sub.example.com and you have already completed DCV checks for the domains sub.example.com and example.com in your account, the Domain info API returns a higher_level_domains array with this structure:

{
  ...
  "higher_level_domains": [
    {
      "name": "sub.example.com",
      "id": 4316203,
      "dcv_expiration_datetime": "2023-12-04T04:08:50+00:00"
    },
    {
      "name": "example.com",
      "id": 4316205,
      "dcv_expiration_datetime": "2023-12-04T04:08:49+00:00"
    }
  ],
  ...
}

To get the higher_level_domains array in your response data, you must submit a request to the Domain info API endpoint that includes the query string include_dcv=true:

https://www.digicert.com/services/v2/domain/{{domain_id}}?include_dcv=true

For more information, see the API reference: Domain info.

December 8, 2022

CertCentral Services API: Added verified contact details to Organization info API

To give API clients access to more information about the verified contacts that exist for an organization, we added a new array to the Organization info API response: verified_contacts.

The new verified_contacts array provides a list of objects with details about each verified contact that exists for the organization. The verified_contacts array:

  • Includes information about pending, valid, and expired verified contacts.

  • Provides a list of validation types (CS, EV, and EV CS) for each verified contact.

Note

Before, the Organization info API only returned valid verified contacts in the ev_approvers array. The ev_approvers array is still available, however it does not provide as much detail as the new verified_contacts array.

Bugfix: Duplicate verified contacts

We fixed a bug where submitting a verified contact with multiple validation types (for example, CS and EV) caused duplicate verified contacts to be created for the organization, one for each validation type. This bug affected verified contacts submitted through the CertCentral console or through the CertCentral Services API.

Now, when you submit verified contacts with multiple validation types, we assign each validation type to the same verified contact, instead of creating a duplicate.

Note

This change only affects new verified contacts submitted after the fix. We did not remove any existing duplicate verified contacts.

Before today, duplicate verified contacts were not visible in the CertCentral console or Services API. With our recent enhancements to the Organization info API endpoint (see CertCentral Services API: Added verified contact details to Organization info API), any duplicate verified contacts for the organizations you manage will appear in the newly added verified_contacts array.

December 6, 2022

CertCentral: Removing the permanent identifier in EV Code Signing certificates

On December 6, 2022, at 10:00 MST (17:00 UTC), DigiCert will no longer issue EV Code Signing certificates with a permanent identifier value in the Subject Alternative Name field.

What do I need to do?

Does your EV code signing process expect to find the permanent identifier when parsing your issued EV Code Signing certificates?

  • If yes, you need to update your process by December 6, 2022, so it no longer relies on a permanent identifier value.

  • If no, no action is required.

Does this change affect my existing EV Code Signing certificates?

This change does not affect existing EV Code Signing certificates with a permanent identifier value in the Subject Alternative Name field. However, if you reissue an EV Code Signing certificate after the change on December 6, 2022, your reissued certificate will not contain a permanent identifier.

Background

The permanent identifier is a unique code for EV code signing certificates that includes information about the certificate subject’s jurisdiction of incorporation and registration information. In 2016, the CA/Browser Forum removed the permanent identifier requirement from EV Code Signing certificates.

CertCentral Services API: Verified contact improvements

Starting December 6, 2022, DigiCert will require organizations on Code Signing (CS) and EV Code Signing (EV CS) certificate orders to have a verified contact.

This change was originally scheduled for October 19, 2022. However, we postponed the change to December 6, 2022. For more information, see the October 19, 2022 change log entry.

Learn more:

December 3, 2022

Upcoming scheduled maintenance

DigiCert will perform scheduled maintenance on December 3, 2022, 22:00 – 24:00 MST (December 4, 2022, 05:00 – 07:00 UTC).

Note

Maintenance will be one hour later for those who do not observe daylight savings.

Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

What can I do?

Plan accordingly:

  • Schedule high-priority orders, renewals, and reissues before or after the maintenance window, including Automation events and Discovery scans.

  • Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.

  • Subscribe to the DigiCert Status page to get live maintenance updates. This subscription includes email alerts for when maintenance begins and when it ends.

  • See DigiCert 2022 scheduled maintenance for scheduled maintenance dates and times.

Services will be restored as soon as the maintenance is completed.

November 5, 2022

Upcoming Scheduled Maintenance

DigiCert will perform scheduled maintenance on November 5, 2022, 22:00 –24:00 MDT (November 6, 2022, 04:00 – 06:00 UTC). Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

November 3, 2022

CertCentral: Improved DV certificate domain control validation

We updated the Prove control over your domain popup window for pending DV orders, making it easier to see what you need to do to complete the domain validation for all domains included on your certificate.

Now, when you select a domain control validation (DCV) method, you can see basic instructions for completing the domain validation along with a link to more detailed instructions on our product documentation website.

Note

For DV orders, you must use the same DCV method for all the domains on the certificate.

See for yourself

  1. In the left main menu, go to Certificates > Orders.

  2. On the Orders page, locate and select the order number of a pending DV order.

  3. On the DV order details page, under What do I need to do, select the Prove control over domain link.

Improved Prove control over your domain popup window

dv-prove-control-over-domain.png

November 1, 2022

CertCentral: upgrade your product when renewing your order

DigiCert is happy to announce that CertCentral allows you to upgrade your product when renewing your order.

Are you tired of placing a new order and reentering all your information when upgrading to a new product?

Now you don’t have to. We’ve improved our order renewal process so you can upgrade your product when renewing your certificate order.

Don’t see that option to upgrade your product when renewing your order, or already have the products you need and don’t want to see the option to upgrade?

Don’t worry; you can enable and disable this feature as needed. When ready to upgrade, you can enable it to save the hassle of placing a new order. When done, you can disable it until the next time you want to upgrade a product. See Upgrade product on renewal settings.

CertCentral: Improved Code Signing and EV Code Signing request forms

DigiCert is happy to announce that we updated the Code Signing and EV Code Signing request forms making it easier to view and add organization-related information when ordering a certificate.

This update allows you to select an organization and review the contacts associated with that organization or enter a new organization and assign contacts to the new organization.

Changes to note

  1. You can now add a new organization along with all its contacts: organization, technical, and verified.

  2. When adding an existing organization, you can now:

    • View the contacts assigned to that organization

    • Replace the organization contact

    • Replace or remove the technical contact

    • Select the verified contact(s) you want to receive the approval email

    • Add verified contacts

Before, you could only see and select an existing organization and could not see the contacts assigned to the organization.

See for yourself

In your CertCentral account, in the left main menu, go to Request a Certificate > Code Signing or Request a Certificate > EV Code Signing to see the updates to the request forms.

CertCentral: Code Signing certificate reissue bug fix

When reissuing your code signing certificate, we now include the Subject Email Address on your reissued certificate. Adding a subject email is optional and only available in enterprise accounts.

Note that we will not include the subject email address in the reissued certificate if the domain validation on that email domain has expired.

Background

When you order a code signing certificate, you can include an email address on your code signing certificate—subject email. Including an email address on the certificate provides an additional layer of trust for end users when checking your code signing signature.

See 訂購 Code Signing 憑證.

October 21, 2022

CertCentral: Ability to require an additional email on certificate request forms

We are happy to announce that you can now make the Additional emails field a required field on CertCentral, Guest URL, and Guest Access request forms.

Tired of missing important expiring certificate notifications because the certificate owner is on vacation or no longer works for your organization?

The change helps prevent you from missing important notifications, including order renewal and expiring certificate notifications when the certificate owner is unavailable.

See for yourself:

To change this setting for CertCentral request forms:

  1. In the left menu, go to Settings > Preferences.

  2. On the Preferences page, expand Advanced settings.

  3. In the Certificate Requests section, under Additional email field, select Required so requestors must add at least one additional email to their requests.

  4. Select Save Settings.

To change this setting for Guest Access:

  1. In the left main menu, go to Account > Guest Access.

  2. On the Guest access page, in the Guest access section, under Additional emails, select Required so requestors must add at least one additional email to their requests.

  3. Select Save Settings.

To change this setting for Guest URLs:

  1. In the left main menu, go to Account > Guest Access.

  2. On the Guest access page, in the Guest URLs section, to make it required in an existing guest URL, select the name of the guest URL. Under Emails, check Require additional emails field so requestors must add at least one additional email to their requests.

  3. To make it required on a new guest URL, select Add Guest URL and then under Emails, check Require additional emails field so requestors must add at least one additional email to their requests.

  4. Select Save Settings.

October 20, 2022

Change log RSS feed is going down

On October 20, 2022, the RSS feed for the docs.digicert.com change log is going down due to a platform migration.

It will return. Check back here for updates or contact us at docs@digicert.com to be notified when the new RSS feed is available.

October 19, 2022

CertCentral Services API: Verified contact improvements

Note

Update: This API change has been postponed until December 6, 2022.

DigiCert continues to recommend you follow our guidance to update affected API implementations before December 6.

What if I already made changes to get ready for October 19?

You are prepared for December 6. You don’t need to make additional changes. DigiCert will continue processing your order requests for Code Signing (CS) and EV Code Signing (EV CS) certificates as usual now and after we update the API on December 6.

Starting October 19, 2022, DigiCert will require organizations on Code Signing (CS) and EV Code Signing (EV CS) certificate orders to have a verified contact.

DigiCert has always required a verified contact from the organization to approve code signing certificate orders before we issue the certificate. Today, DigiCert can add a verified contact to an organization during the validation process. After October 19, verified contacts must be submitted with the organization.

To make the transition easier, when you submit a request to the Order code signing certificate API endpoint, DigiCert will default to adding the authenticated user (the user who owns the API key in the request) as a verified contact for the organization.

DigiCert will apply this default when:

  • The organization in the API request has no verified contacts who can approve CS or EV CS orders.

  • The API request body does not specify a new verified contact to add to the organization.

  • The authenticated user has a job title and phone number.

To avoid a lapse in service, make sure users in your CertCentral account with active API keys have a job title and phone number.

Learn more

October 17, 2022

CertCentral: Updated the DigiCert site seal image

We are happy to announce that we updated the DigiCert site seal image and replaced the checkmark with a padlock.

digicert-site-seal-padlock.png

The updated site seal continues to provide your customers with the assurance that your website is secured by DigiCert—the leading provider of digital trust.

October 13, 2022

CertCentral: Updated the Code Signing and EV Code Signing request forms

In CertCentral, we reorganized and updated the look of the Code Signing and EV Code Signing certificate request forms. These forms are now more consistent with the look and flow of our TLS/SSL certificate request forms.

CertCentral: Code Signing certificate request form bug fix

On the code signing request form, when adding a Subject email address to appear on the certificate, you can now see the validated domains assigned to the organization with which the code signing certificate is associated.

Note

Previously, the option for viewing the validated domains assigned to the organization did not show any domains.

October 10, 2022

New Dedicated IP addresses for DigiCert Services

Update: IP Address change postponed until February 15, 2023

When we sent notifications in June 2022 about the IP address change, one of the IP addresses was incorrect. The same IP address was incorrect in this change log. We fixed that, and the information in the change log has been corrected.

To provide you with time to verify and update the IP addresses in your allowlist, we have postponed the IP address change until February 2023.

For more information:

October 8, 2022

Upcoming Scheduled Maintenance

DigiCert will perform scheduled maintenance on October 8, 2022, 22:00 –24:00 MDT (October 9, 2022, 04:00 – 06:00 UTC). Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

What can I do?

Plan accordingly:

  • Schedule high-priority orders, renewals, and reissues before or after the maintenance window.

  • Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.

  • To get live maintenance updates, subscribe to the DigiCert Status page. This subscription includes email alerts for when maintenance begins and when it ends.

  • See DigiCert 2022 scheduled maintenance for scheduled maintenance dates and times.

Services will be restored as soon as the maintenance is completed.

End of support for CBC ciphers in TLS connections

DigiCert will end support for Cipher-Block-Chaining (CBC) ciphers in TLS connections to our services on October 8, 2022, at 22:00 MDT (October 9, 2022, at 04:00 UTC).

This change affects browser-dependent services and applications relying on CBC ciphers that interact with these DigiCert services:

  • CertCentral and CertCentral Services API

  • Certificate Issuing Services (CIS)

  • CertCentral Simple Certificate Enrollment Protocol (SCEP)

This change does not affect your DigiCert-brand certificates. Your certificates will continue to work as they always have.

Why is DigiCert ending support for the CBC ciphers?

To align with Payment card industry (PCI) compliance standards, DigiCert must end support for the following CBC:

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

  • TLS_RSA_WITH_AES_256_CBC_SHA

What do I need to do?

If you are using a modern browser, no action is required. Most browsers support strong ciphers, such as Galois/Counter Mode (GCM) ciphers, including Mozilla Firefox, Google Chrome, Safari, and Microsoft Edge. We do recommend updating your browser to its most current version.

If you have applications or API integrations affected by this change, enable stronger ciphers, such as GCM ciphers, in those applications and update API integrations before October 8, 2022.

If you do not update API integrations and applications, they will not be able to use HTTPS to communicate with CertCentral, the CertCentral Services API, CIS, and SCEP.

Knowledge base article

See our Ending Support for CBC Ciphers in TLS connections to our services for more information.

Contact us

If you have questions or need help, contact your account manager or DigiCert Support.

September 27, 2022

CertCentral Services API: Keep the "www" subdomain label when adding a domain to your account

To give you more control over your domain prevalidation workflows, we added a new optional request parameter to the Add domain API endpoint: keep_www. Use this parameter to keep the www. subdomain label when you add a domain using a domain control validation (DCV) method of email, dns-txt-token, or dns-cname-token.

By default, if you are not using file-based DCV, the Add domain endpoint always removes the www. subdomain label from the name value. For example, if you send www.example.com, DigiCert adds example.com to your account and submits it for validation.

To keep the www and limit the scope of the approval to the www subdomain, set the value of the keep_www request parameter to true:

{
  "name": "www.example.com",
  "organization": {
    "id": 12345
  },
  "validations": [
    {
      "type": "ov"
    }
  ],
  "dcv_method": "email",
  "keep_www": true
}

September 16, 2022

CertCentral: Revocation reasons for revoking certificates

CertCentral supports including a revocation reason when revoking a certificate. Now, you can choose one of the revocation reasons listed below when revoking all certificates on an order or when revoking an individual certificate by ID or serial number.

Supported revocation reasons:

  • Key compromise* - My certificate's private key was lost, stolen, or otherwise compromised.

  • Cessation of operation - I no longer use or control the domain or email address associated with the certificate or no longer use the certificate.

  • Affiliation change - The name or any other information regarding my organization changed.

  • Superseded - I have requested a new certificate to replace this one.

  • Unspecified - None of the reasons above apply.

*Note: Selecting Key compromise does not block using the associated public key in future certificate requests. To add the public key to the blocklist and revoke all certificates with the same key, visit problemreport.digicert.com and prove possession of the key.

Revoke immediately

We also added the Revoke this certificate immediately option that allows Administrators to skip the Request and Approval process and revoke the certificate immediately. When this option is deselected, the revocation request appears on the Requests page, where an Administrator must review and approve it before it is revoked.

Background

The Mozilla root policy requires Certificate Authorities (CAs) to include a process for specifying a revocation reason when revoking TLS/SSL certificates. The reason appears in the Certificate Revocation List (CRL). The CRL is a list of revoked digital certificates. Only the issuing CA can revoke the certificate and add it to the CRL.

September 10, 2022

Upcoming Scheduled Maintenance

DigiCert will perform scheduled maintenance on September 10, 2022, 22:00 –24:00 MDT (September 11, 2022, 04:00 – 06:00 UTC). Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

What can I do?

Plan accordingly:

  • Schedule high-priority orders, renewals, and reissues before or after the maintenance window.

  • Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.

  • To get live maintenance updates, subscribe to the DigiCert Status page. This subscription includes email alerts for when maintenance begins and when it ends.

  • See DigiCert 2022 scheduled maintenance for scheduled maintenance dates and times.

September 7, 2022

CertCentral Services API: Revocation reason for TLS/SSL certificates

In the CertCentral Services API, we added the option to choose a revocation reason when you submit a request to revoke a TLS/SSL certificate.

You can choose a revocation reason when revoking all certificates on an order or when revoking an individual certificate by ID or serial number.

To choose a revocation reason, include the optional revocation_reason parameter in the body of your request.

Example JSON request body:

{
  "revocation_reason": "superseded"
}

For information about each revocation reason, visit the API documentation:

August 30, 2022

CertCentral Services API: Added label for verified contacts

In the CertCentral Services API, we added a new contact_type label for verified contacts: verified_contact.

Use the verified_contact label to identify verified contacts for an organization when you submit a request for an EV TLS, Verified Mark, Code Signing, or EV Code Signing certificate. The updated label applies to all verified contacts, regardless of which product type the order is for.

For example, this JSON payload shows how to use the verified_contact label to add a verified contact to an organization in a new certificate order request:

{
  "certificate": {
    ...
  }
  "organization": {
    "id": 12345,
    "contacts": [
      {
        "contact_type": "verified_contact",
        "user_id": 12345
      }
  },
  ...
}

Note: Before this change, verified contacts were always identified with the label ev_approver. The CertCentral Services API will continue accepting ev_approver as a valid label for verified contacts on EV TLS, VMC, Code Signing, and EV Code Signing certificate orders. The verified_contact label works the same as the ev_approver label, but the name is updated to apply to all products that require a verified contact.

Improved API documentation for adding organizations to Code Signing and EV Code Signing orders

We updated the Order code signing certificate API documentation to describe three ways to add an organization to your Code Signing (CS) or EV Code Signing (EV CS) order requests:

  1. Add an existing organization already validated for CS or EV CS certificate issuance.

  2. Add an existing organization not validated for CS or EV CS and submit the organization for validation with your order.

  3. Create a new organization and submit it for validation with your CS or EV CS order request.

Learn more: Order code signing certificate – CS and EV CS organization validation

August 24, 2022

CertCentral: Edit SANs on pending orders: new, renewals, and reissues

DigiCert is happy to announce that CertCentral allows you to modify the common name and subject alternative names (SANs) on pending orders: new, renewals, and reissues.

Tired of canceling an order and placing it again because a domain has a typo? Now, you can modify the common name/SANs directly from a pending order.

Items to note when modifying SANs

  • Only admins and managers can edit SANs on pending orders.

  • Editing domains does not change the cost of the order.

  • You can only replace a wildcard domain with another wildcard domain and a fully qualified domain name (FQDN) with another FQDN.

  • The total number of domains cannot exceed the number included in the original request.

  • Removed SANs can be added back for free, up to the amount purchased, any time after DigiCert issues your certificate.

  • To reduce the certificate cost, you must cancel the pending order. Then submit a new request without the SANs you no longer want the certificate to secure.

See for yourself

  1. In your CertCentral account, in the left main menu, go to Certificates > Orders.

  2. On the Orders page, select the pending order with the SANs you need to modify.

  3. On the certificate’s Order details page, in the Certificate status section, under What do you need to do, next to Prove control over domains, select the edit icon (pencil).

See Edit common name and SANs on a pending TLS/SSL order: new, renewals, and reissues.

CertCentral Services API: Edit SANs on a pending order and reissue

To allow you to modify SANs on pending new orders, pending renewed orders, and pending reissues in your API integrations, we added a new endpoint to the CertCentral Services API. To learn how to use the new endpoint, visit Edit domains on a pending order or reissueEdit domains on a pending order or reissue.

August 22, 2022

CertCentral Services API: New response parameters for Domain info and List domains endpoints

To make it easier for API clients to get the exact date and time domain validation reuse periods expire, we added new response parameters to the Domain info and List domains API endpoints:

  • dcv_approval_datetime: Completion date and time (UTC) of the most recent DCV check for the domain.

  • dcv_expiration_datetime: Expiration date and time (UTC) of the most recent DCV check for the domain.

Tip

For domain validation expiration dates, use the new dcv_expiration_datetime response parameter instead of relying on the dcv_expiration.ov and dcv_expiration.ev fields. Since October 1, 2021, the domain validation reuse period is the same for both OV and EV TLS/SSL certificate issuance. The new dcv_expiration_datetime response parameter returns the expiration date for both OV and EV domain validation.

Learn more:

August 6, 2022

Upcoming scheduled maintenance

Some DigiCert services will be down for about 15 minutes during scheduled maintenance on August 6, 2022, 22:00 – 24:00 MDT (August 7, 2022, 04:00 – 06:00 UTC).

What can I do?

Plan accordingly:

  • Schedule high-priority orders, renewals, and reissues before or after the maintenance window.

  • Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.

  • To get live maintenance updates, subscribe to the DigiCert Status page. This subscription includes email alerts for when maintenance starts and when maintenance ends.

  • For scheduled maintenance dates and times, see DigiCert 2022 scheduled maintenance.

July 11, 2022

CertCentral Services API: Archive and restore certificates

To give API clients the option to hide unused certificates from API response data, we released new API endpoints to archive and restore certificates. By default, archived certificates do not appear in response data when you submit a request to the List reissues or List duplicates API endpoints.

New API endpoints

Updated API endpoints

We updated the List reissues and List duplicates endpoints to support a new optional URL query parameter: show_archived. If the value of show_archived is true, the response data includes archived certificates. If false (default), the response omits archived certificates.

July 9, 2022

Upcoming Schedule Maintenance

Some DigiCert services will be down for a total of 20 minutes during scheduled maintenance on July 9, 2022, 22:00 – 24:00 MDT (July 10, 2022, 04:00 – 06:00 UTC).

What can I do?

Plan accordingly

  • Schedule high-priority orders, renewals, and reissues before or after the maintenance window.

  • Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.

  • To get live maintenance updates, subscribe to the DigiCert Status page. This subscription includes email alerts for when maintenance begins and when it ends.

  • For scheduled maintenance dates and times, see the DigiCert 2022 scheduled maintenance.

July 5, 2022

CertCentral: Improved Order details page

DigiCert is happy to announce that we improved the layout and design of the Order details page.

We took your feedback and updated the Orders page to make managing your certificates and orders easier throughout their lifecycle.

When we reorganized the information on the Order details page, we didn’t remove anything. So, everything you did before the updates, you can still do now. However, there are a few things you asked for that you can do now that you couldn’t do before.

Summary of changes:
  • We added new banners, alerts, and icons to help you better understand the actions you need to take on your certificates and orders.

  • We added a Certificate history tab to the Order details page. Now, you can view and interact with all the certificates associated with the order: reissues, duplicates, expired, and revoked.

  • We added the ability to revoke an individual certificate or all the certificates on the order.

  • We also updated the Orders page to add Certificate and Order alert banners, advanced search features, and columns in the orders list.

  • These changes do not affect Guest access. When accessing an order via guest access, you will not see any of the updates.

See the changes for yourself. In your CertCentral account, in the left main menu, go to Certificates > Orders.

Want to provide feedback?

The next time you are in your CertCentral account, locate the “d” icon in the lower right corner of the page (white “d” in a blue circle) and click it. Use the Share Your Feedback feature to let us know your thoughts on the changes. And don’t hesitate to provide feedback about other CertCentral pages and functionality.

June 28, 2022

CertCentral: Improved DNS Certification Authority Authorization (CAA) resource records checking

DigiCert is happy to announce that we improved the CAA resource record checking feature and error messaging for failed checks in CertCentral.

Now, on the order’s details page, if a CAA resource record check fails, we display the check’s status and include improved error messaging to make it easier to troubleshoot problems.

Background

Before issuing an SSL/TLS certificate for your domain, a Certificate Authority (CA) must check the DNS CAA Resource Records (RR) to determine whether they can issue a certificate for your domain. A Certificate Authority can issue a certificate for your domain if one of the following conditions is met:

  • They do not find a CAA RR for your domain.

  • They find a CAA RR for your domain that authorizes them to issue a certificate for the domain.

How can DNS CAA Resource Records help me?

CAA resource records allow domain owners to control which certificate authorities (CAs) are allowed to issue public TLS certificates for each domain.

Learn more about using DNS CAA resource records

June 21, 2022

CertCentral: Bulk domain validation support for DNS TXT and DNS CNAME DCV methods

DigiCert is happy to announce that CertCentral bulk domain validation now supports two more domain control validation (DCV) methods: DNS TXT and DNS CNAME.

Remember, domain validation is only valid for 397 days. To maintain seamless certificate issuance, DigiCert recommends completing DCV before the domain's validation expires.

Don't spend extra time submitting one domain at a time for revalidation. Use our bulk domain revalidation feature to submit 2 to 25 domains at a time for revalidation.

See for yourself
  1. In your CertCentral account, in the left main menu, go to Certificates > Domains.

  2. On the Domains page, select the domains you want to submit for revalidation.

  3. In the Submit domains for revalidation dropdown, select the DCV method you want to use to validate the selected domains.

See Domain prevalidation: Bulk domain revalidation.

2022 年 6 月 6 日

CertCentral Report Library API 增強

DigiCert 很榮幸宣佈以下的 CertCentral Report Library API 增強:

刪除排程的報告以中止報告的執行

我們新增了新端點:刪除排程的報告。刪除排程的報告會中止將來的報告執行。刪除排程的報告後,完成的報告以保持適用於下載的相同報告 ID 執行。Delete scheduled report

Note

之前,您只可以編輯報告的排程,或刪除排程的報告和所有完成的報告執行。

產生只有子帳戶資料的報告

關於建立報告編輯報告端點,我們新增了新選項到允許的 division_filter_type 值的清單中:EXCLUDE_ALL_DIVISIONS。使用此值從報告中排除所有父項帳戶資料。使用此選項的報告僅納入來自所選擇的子帳戶的資料 (sub_account_filter_type)。Create reportEdit report

Note

之前,若未在父項帳戶中納入來自一個或多個分部的資料即無法產生子帳戶報告。

深入了解

2022 年 6 月 4 日

即將到來的排程維護

DigiCert 將在 2022 年 6 月 4 日北美山區夏令時間 22:00 到 -24:00 (2022 年 6 月 5 日世界協調時間 04:00 到 06:00) 執行排程的維護。雖然我們有保護您的服務的適當備援,但有些 DigiCert 服務在這段時間內仍可能無法使用。

我可以做什麼?
  • 在維護時段前後安排高優先順序訂單、續訂和重新發行的時間。

  • 預期在您使用 API 進行立刻發行憑證和自動化工作時中斷。

  • 若要取得即時維護更新,請訂閱 DigiCert 狀態頁面。此訂閱包括維護開始和維護結束時使用的電郵提醒。

  • 請參閱 DigiCert 2022 排程的維護的排程的維護日期和時間。

服務將在維護完成時盡快還原。

2022 年 5 月 31 日

CertCentral Services API:改進的訂單資訊 API 回應

更新:為了提供更多時間給 API 消費者評估他們的整合上的訂單資訊 API 回應的影響,我們將此更新延期到 2022 年 5 月 31 日。我們原本計畫在 2022 年 4 月 25 日釋出以下所述的變更。

2022 年 5 月 31 日,DigiCert 將對 Order info API 做出以下的改進。這些變更移除了未使用的值與,並將訂單詳細資料物件的資料結果更新為與不同產品類別的不同狀態中的訂單更一致。

如需更多有關公用 TLS、代碼簽署、文件簽署和第 1 類 S/MIME 憑證的資訊與回應範例,請參閱訂單資訊端點的參考文件。

如果您有疑問或需要這些變更的協助,請聯絡您的客服代表或 DigiCert 支援團隊

一般增強

以下的變更適用於與訂單狀態無關的多種憑證類型的訂單。

移除的參數:

  • public_id (字串)

    對於所有訂單,API 將停止傳回 public_id 參數。DigiCert 不再支援需要 public_id 值的快速安裝工作流程。

  • certificate.ca_cert_id (字串)

    對於 DV 憑證訂單,API 將開始傳回 ca_cert_id 參數。此參數的值是一個用於發行 ICA 憑證的內部 ID,而且無法在外部使用。API 已從其他產品類型的訂單詳細資料排除 ca_cert_id 參數。

    若要取得與發行訂單關聯的 ICA 憑證的名稱和公用 ID,請改用 ca_cert 物件。

  • verified_contacts (物件的陣列)

    對於未核准的憑證訂單,API 將停止傳回 verified_contacts 參數。API 已從其他產品類型的訂單詳細資料中排除 verified_contacts 陣列。

  • certificate.dns_names (字串的陣列)

    如果沒有和訂單關聯的 DNS 名稱 (例如,如果訂單是用於代碼簽署、文件簽署和第 1 類 S/MIME 憑證),API 將停止傳回 dns_names 陣列。

    之前,API 傳回有空字串的 dns_names 陣列:[" "]

  • certificate.organization_units (字串的陣列)

    如果沒有與訂單關聯的組織單位,API 將停止傳回 organization_units 陣列。

    之前,為了某些產品類型,API 傳回有空字串的 organization_units 陣列:[" "]

  • certificate.cert_validity

    cert_validity 物件中,API 僅傳回在建立訂單時,使用於設定憑證有效期間的單位的金鑰/值組合。例如,如果憑證的有效期間是 1 年,cert_validity 物件將傳回有值 1 的 years 參數。

    之前,cert_validity 物件有時會傳回用於 daysyears 的值。

新增的參數:

  • order_validity (物件)

    關於代碼簽署、文件簽署和用戶端憑證訂單,API 將開始傳回 order_validity 物件。

    order_validity 物件傳回訂單有效期間的 daysyearscustom_expiration_date。API 已在公用 SSL/TLS 產品的訂單詳細資料中納入 order_validity 物件。

  • payment_profile (物件)

    關於 DV 憑證訂單,如果訂單與儲存的信用卡關聯,API 將開始傳回 payment_profile 物件。API 已在其他產品類型的訂單詳細資料中納入 payment_profile 物件。

  • server_licenses (整數)

    關於 DV 憑證訂單,API 將開始傳回 server_licenses 參數。API 已在其他產品類型的訂單詳細資料中納入 server_licenses 參數。

未核准的訂單要求

以下的變更僅適用於擱置的核准或已遭到拒絕的憑證訂單要求。在核准要求和提交訂單給 DigiCert 進行驗證和發行後,這些變更使回應的資料結構更接近 API 傳回的內容。

若要管理未核准和遭到拒絕的要求,建議使用要求端點 (/request) 取代擷取訂單詳細資料。我們設計 /request 端點來管理擱置的與遭到拒絕的憑證訂單要求,而且這些端點保持不變。

Note

為了更快發行憑證,我們建議使用跳過或省略新憑證訂單的要求核准步驟的工作流程。如果您的 API 工作流程已跳過或省略核准步驟,您可以安全的忽略以下的變化。瞭解更多有關移除核准步驟的資訊:

新增的參數:

  • disable_ct (布林)

  • allow_duplicates (布林)

  • cs_provisioning_method (字串)

移除的參數:

  • server_licenses (整數)

    關於未核准的訂購要求,API 將停止傳回 server_licenses 參數。API 將繼續在核准的訂單要求的訂單詳細資料中加入 server_licenses 參數。

改進的 organization 物件

若要在未核准與核准的訂單要求的訂單詳細資料中提供一致的資料結果,API 將在未核准的訂單要求上傳回修改的 organization 物件。

API 將停止傳回所有憑證類型的未核准訂單要求上的以下預期的屬性:

  • organization.status (字串)

  • organization.is_hidden (布林)

  • organization.organization_contact (物件)

  • organization.technical_contact (物件)

  • organization.contacts (物件的陣列)

如果存在所有產品類型的未核准訂單要求,API 將開始傳回以下預期的屬性:

  • organization.name (字串)

  • organization.display_name (字串)

  • organization.assumed_name (字串)

  • organization.city (字串)

  • organization.country (字串)

若要取得未納入訂單資訊回應中的組織詳細資料,請使用組織資訊 API端點。

2022 年 5 月 24 日

從新的中繼 CA 憑證發行 GeoTrust 和 RapidSSL DV 憑證的 CertCentral

2022 年 5 月 24 日 9:00 am 和 11:00 am MDT (3:00 pm 和 5:00 pm UTC) 之間,DigiCert 將取代以下所列的 GeoTrust 和 RapidSSL 中繼 CA (ICA) 憑證。我們不再發行來自這些中繼授權單位的最長有效期 (397 天) DV 憑證。

. 舊的 ICA 憑證
  • GeoTrust TLS DV RSA Mixed SHA256 2020 CA-1

  • GeoTrust TLS DV RSA Mixed SHA256 2021 CA-1

  • RapidSSL TLS DV RSA Mixed SHA256 2020 CA-1

  • RapidSSL TLS DV RSA Mixed SHA256 2021 CA-1

. 新 ICA 憑證
  • GeoTrust Global TLS RSA4096 SHA256 2022 CA1

  • RapidSSL Global TLS RSA4096 SHA256 2022 CA1

請參閱 DigiCert ICA 更新知識庫文章

這如何影響我?

推出新的 ICA 憑證不會影響現有的 DV 憑證。自取代的 ICA 憑證發行的啟用憑證直到到期時仍保持信任。

但將發行來自 ICA 憑證的所有新憑證,包括重新發行憑證。為了確保忽略取代 ICA 憑證,請務必加入所提供的 ICA 憑證和您安裝的每一份 TLS 憑證。

. 不需要執行任何動作,但以下任何情況除外:
  • 固定舊版的中繼 CA 憑證

  • 將接受舊版中繼 CA 憑證的寫入硬碼中

  • 經營包括舊版中繼 CA 憑證的信任商店

需要的行動

如果進行固定、接受硬碼或操作信任存放區,請盡快更新您的環境。您應停止固定和將 ICA 憑證編成硬碼,或做必要的變更以確保自新的 ICA 憑證發行的 GeoTrust DV 和 RapidSSL DV 憑證受到信任。換言之,請確定它們可以鏈結到它們的新 ICA 憑證和信任的根。

請參閱 DigiCert 信任的根權限憑證頁面以下載新的中繼 CA 憑證的副本。

若我需要更多時間,我該怎麼辦?

如果您需要更多時間更新環境,您可以繼續使用舊的 2020 ICA 憑證,直到到期為止。請聯絡 DigiCert 支援團隊,他們可以設定您的帳戶。但在 2022 年 5 月 31 日後,從 2020 ICA 憑證發行的 RapidSSL DV 和 GeoTrust DV 憑證將修改為不到一年。

2022 年 5 月 18 日

CertCentral:DigiCert KeyGen,我們的新金鑰產生服務

DigiCert 很榮幸發佈我們的新金鑰產生服務 - KeyGen。使用 KeyGen 從您的瀏覽器產生和安裝您的用戶端和代碼簽署憑證。KeyGen 可以使用在 macOS 和 Windows 上,而且所有主要瀏覽器都支援。

使用 KeyGen 不需要產生 CSR 即可訂購您的用戶端和代碼簽署憑證。不使用 CSR 下訂單。在我們處理訂單和您的憑證就緒後, DigiCert 傳送附有關於使用 KeyGen 的指示的 "Generate your Certificate" (產生您的憑證) 電郵以取得您的憑證。

KeyGen 如何運作?

KeyGen 產生金鑰組,然後使用公用金鑰建立憑證簽署要求 (CSR)。KeyGen 將 CSR 傳送到 DigiCert,然後 DigiCert 將憑證傳回給 KeyGen。接著 KeyGen 下載包含憑證和私密金鑰的 PKCS12 (.p12) 檔案到您的桌面上。您在憑證產生程序期間建立的密碼可以保護 PKCS12 檔案。當您使用密碼開啟憑證檔案時,憑證安裝在您的個人憑證存放區中。

若要瞭解更多與從您的瀏覽器產生用戶端和代碼簽署憑證的資訊,請參閱以下的指示:

2022 年 5 月 9 日

CertCentral Services API:修復的資料類型,用於訂單資訊 API 回應中的空白使用者值

我們修復了在沒有使用者與訂單關聯時,訂單資訊 API (GET https://www.digicert.com/services/v2/order/certificate/{{order_id}}) 傳回 user 欄位的錯誤資料類型的問題。現在,對於沒有使用者資料的訂單,訂單資訊端點傳回空白的 user 物件 ("user": {} ),而非傳回空白的陣列 ("user": [])。

2022 年 5 月 7 日

即將到來的排程維護

更新:在 5 月 7 日 MDT 時間 (5 月 8 日 UTC 時間) 維護期間沒有計畫的停機時間。

DigiCert 將在 2022 年 5 月 7 日 22:00 到 24:00 MDT (2022 年 5 月 8 日 4:00 到 06:00 UTC) 之間執行排程的維護。雖然我們有保護您的服務的適當備援,但有些 DigiCert 服務在這段時間內仍可能無法使用。

服務將在我們完成維護時盡快還原。

我可以做什麼?

訂出相應計畫:

  • 在維護時段前後安排高優先順序訂單、續訂和重新發行的時間。

  • 預期在您使用 API 進行立刻發行憑證和自動化工作時中斷。

  • 若要取得即時維護更新,請訂閱 DigiCert 狀態頁面。此訂閱包括維護開始和維護結束時使用的電郵提醒。

  • 請參閱 DigiCert 2022 維護排程的維護日期和時間。

2022 年 4 月 18 日

CertCentral:多年期套餐現在可用於經過驗證的標章憑證

我們很榮幸宣佈現在 CertCentral 和 CertCentral Services API 中的經過驗證的標章憑證 (VMC) 可使用多年期套餐。

DigiCert® 多年期套餐允許您支付一次優惠費用即可得到最長六年的經過驗證的標章憑證涵蓋時間。在多年期套餐中,您可以選取想要的涵蓋時間長度 (最長 6 年)。訂單到期前,每次重新發行憑證時都無需其他費用,直到有效期間結束為止。

Note

視您套餐的時間長度而定,您可能需要在您的多年期套餐期間重新驗證您的網域和組織多次。

Services API 中適用於 VMC 的多年期套餐

在 Services API 中,當您提交 VMC 的訂購要求時,請使用 order_validity 物件設定您的多年期套餐的涵蓋時間長度 (1-6 年)。如需更多資訊,請參閱:

什麼是「經過驗證的標章憑證」?

經過驗證的標章憑證 (VMC)是新型的憑證,允許公司將通過認證的品牌標誌放在客戶收件匣的「寄件者」欄位旁邊。

  • 開啟訊息前可看到您的標誌。

  • 您的標誌作為您網域的 DMARC 狀態和您組織的驗證身分的確認。

瞭解更多有關 VMC 憑證的資訊

2022 年 4 月 11 日

CertCentral Services API:網域鎖定 API 端點

DigiCert 很榮幸發佈現在在 CertCentral Services API 中可使用我們的網域鎖定功能。

Note

在您可以使用網域鎖定端點前,您必須先啟用您的 CertCentral 帳戶的網域鎖定。請參閱網域鎖定 – 啟用您的帳戶的網域鎖定

新 API 端點

更新的 API 端點

我們更新了網域資訊列出網域端點的回應,納入以下有網域鎖定資料的參數:

  • domain_locking_status (字串)

    網域鎖定狀態。僅在啟用帳戶的網域鎖定時傳回。

  • account_token (字串)

    網域鎖定帳戶權杖。僅在啟用帳戶的網域鎖定時,或已啟用網域的網域鎖定至少一次時傳回。

若要瞭解更多資訊,請參閱 :

2022 年 4 月 5 日

CertCentral: Domain locking is now available

DigiCert is happy to announce our domain locking feature is now available.

Does your company have more than one CertCentral account? Do you need to control which of your accounts can order certificates for specific company domains?

Domain locking lets you control which of your CertCentral accounts can order certificates for your domains.

How does domain locking work?

DNS Certification Authority Authorization (CAA) resource records allow you to control which certificate authorities can issue certificates for your domains.

With domain locking, you can use this same CAA resource record to control which of your company's CertCentral accounts can order certificates for your domains.

How do I lock a domain?

To lock a domain:

  1. Enable domain locking for your account.

  2. Set up domain locking for a domain.

  3. Add the domain's unique verification token to the domain's DNS CAA resource record.

  4. Check the CAA record for the unique verification token.

To learn more, see:

帳戶從 Symantec、GeoTrust、Thawte 或 RapidSSL 升級至 CertCentral™ 的使用壽命結束

從 2022 年 4 月 5 日 MDT 起,您再也無法將您的 Symantec、GeoTrust、Thawte 或 RapidSSL 帳戶升級至 CertCentral™。

如果您尚未轉移到 DigiCert CertCentral,請立刻升級,保持您的網站安全並持續使用您的憑證。

我如何更新我的帳戶?

若要升級您的帳戶,請立刻聯絡 DigiCert 支援團隊。如需更多有關帳戶升級程序的資訊,請參與升級至 CertCentral: 您需要知道的事項

如果我未將我的帳戶升級至 CertCentral 會發生什麼情況?

在 2022 年 4 月 5 日後,您必須取得新的 CertCentral 帳戶和手動新增所有帳戶資訊,例如網域和組織。此外,您將無法將您任何的啟用憑證移轉到您的新帳戶。

如需 2022 年 4 月 5 日後設定您的新 CertCentral 帳戶的協助,請聯絡 DigiCert 支援團隊

2022 年 4 月 2 日

即將到來的排程維護

DigiCert 將在 2022 年 4 月 2 日 22:00 到 24:00 MDT (2022 年 4 月 3 日 04:00 到 06:00 UTC) 之間執行排程的維護。在此期間,有些服務可能停機最多兩小時。

Note

維護將比沒有實施日光節約時間的時區早一小時。

基礎設備相關維護停機時間

我們將在 22:00 MDT (04:00 UTC) 開始此基礎設備相關維護。然後以下所列的服務可能停機最多兩小時

CertCentral® TLS 憑證發行:

  • 在此期間提交 TLS 憑證要求將會失敗

  • 失敗的要求應在還原服務後重新提交

CIS 和 CertCentral® SCEP:

  • 憑證發行服務 (CIS) 將停用

  • CertCentral 簡易憑證註冊通訊協定 (SCEP) 將停用

  • 在此時間提交要求將會失敗

  • CIS API 將傳回「503 服務無法使用」錯誤

  • 失敗的要求應在還原服務後重新提交

Direct Cert Portal 新網域和組織驗證:

  • 在此時間提交新網域進行驗證將會失敗

  • 在此時間提交新組織進行驗證將會失敗

  • 失敗的要求應在還原服務後重新提交

QuoVadis® TrustLink® 憑證發行:

  • 在此期間提交 TrustLink 憑證要求將會延遲

  • 要求將新增到佇列中供稍後處理

  • 在還原服務後,處理佇列中的要求

PKI Platform 8 新網域和組織驗證:

  • 在此時間提交新網域進行驗證將會失敗

  • 在此時間提交新組織進行驗證將會失敗

  • 要求將新增到佇列中供稍後處理

  • 在還原服務後,處理佇列中的要求

  • 存取使用者授權代理程式 (UAA) 服務將遭到停用:UAA 系統管理員和使用者網頁入口網站

我可以做什麼?

訂出相應計畫:

  • 在維護時段前後安排高優先順序訂單、續訂和重新發行的時間。

  • 預期在您使用 API 進行立刻發行憑證和自動化工作時中斷。

  • 若要取得即時維護更新,請訂閱 DigiCert 狀態頁面。此訂閱包括維護開始和維護結束時使用的電郵提醒。

  • 關於排程的維護日期和時間,請參閱 DigiCert 2022 排程的維護

服務將在我們完成維護時盡快還原。

2022 年 3 月 30 日

CertCentral:現在可使用大量網域重新驗證

DigiCert 很榮幸宣佈我們的大量網域驗證功能現在已可以使用。不要花費額外的時間一次提交一個網域進行重新驗證。使用我們的大量網域重新驗證功能,一次提交 2 到 25 個網域進行重新驗證。

請記住,網域驗證的有效期間只有 397 天。若要保持無縫發行憑證,DigiCert 建立在網域的驗證到期前預先完成網域控制驗證 (DCV)。

Note

目前,大量網域功能僅支援電郵 DCV 方法。若要使用其他 DCV 方法,您需要個別提交每個網域。

自己查看

  1. 在您的 CertCentral 帳戶的左側主功能表中,前往憑證 > 網域

  2. 網域頁面上,選取您要提交以進行重新驗證的網域。

  3. 提交網域進行重新驗證下拉清單中,選取提交網域進行基於電郵的驗證

請參閱 網域預先驗證:大量網域重新驗證

2022 年 3 月 24 日

SSL 工具使用壽命結束

自 2022 年 3 月 24 日起,當您瀏覽 SSL 工具時,您將看到讓您知道 SSL 工具再也無法使用的彈出訊息。我們鼓勵您使用 DigiCert® SSL 安裝診斷工具

Note

如果您瀏覽其他 SSL 工具功能/頁面,我們將引導您到提供相同或類似服務的 digicert.com 上的其他網頁。

什麼是「SSL 安裝診斷工具」?

「SSL 安裝診斷工具」是一款免費、公開可用的工具,用於檢查:

  • 憑證安裝

  • 網頁伺服器設定

我需要做什麼?

開始使用 DigiCert® SSL 安裝診斷工具。您將進行以下事項:

  • 在您的瀏覽器中,以「DigiCert® SSL 安裝診斷工具」取代 SSL 工具書籤。

  • 如果您有到您的網站上的「SSL 工具」的連結,請以到「SSL 安裝診斷工具」的連結取代它們。

2022 年 3 月 21 日

DigiCert 網站圖章現在可使用於 Basic OV 和 EV 憑證訂單

DigiCert Basic OV 和 EV 憑證訂單包含 DigiCert 網站圖章。現在,您可以在相同的網站上,安裝您的 Basic SSL 憑證保護的 DigiCert 網站圖章。網站圖章向您的客戶提供您的網站安全受到 DigiCert (TLS/SSL 安全性之中最著名的名稱之一) 保護的保證。

當您按下網站圖章時,您會看到更多與網域、組織、TLS/SSL 憑證和驗證有關的詳細資料。

瞭解如何設定與安裝您的 DigiCert 網站圖章

DigiCert 智慧圖章

DigiCert 也提供更新型的網站圖章 — DigiCert 智慧圖章。此進階圖章比 DigiCert 網站圖章更有互動性和關聯性。我們新增了懸浮效果、動畫和以懸浮效果和動畫功能顯示您的公司標誌的能力。

瞭解更多有關 DigiCert 智慧圖章的資訊

2022 年 3 月 10 日

CertCentral: DV 憑證訂單現在可使用 DNS CNAME DCV 方法

在 CertCentral 和 CertCentral Services API 中,現在您可以使用 DNS CNAME 網域控制驗證 (DCV) 方法驗證您的 DV 憑證訂單上的網域。

Note

之前,您僅可以使用 DNS CNAME DCV 方法驗證 OV 和 EV 憑證訂單上的網域和在預先驗證網域時使用。

若要使用您的 DV 憑證訂單上的 DNS CNAME DCV 方法:

  • 在 CertCentral 中:

    • 訂購 DV TLS 憑證時,您可以選取 DNS CNAME 作為 DCV 方法。

    • 在 DV TLS 憑證的訂單詳細資料頁面上,您可以將 DCV 方法變更為 DNS CNAME 記錄。

  • 在 Services API 中:

    • 要求 DV TLS 憑證時,將 dcv_method 要求參數的值設定為 dns‑cname‑token。

Note

產生立刻發行 DV 憑證的要求權杖的驗證金鑰程序不支援 DNS CNAME DCV 方法。但您可以使用檔案驗證 (http‑token) 和 DNS TXT (dns‑txt‑token) DCV 方法。若要瞭解更多資訊,請瀏覽 DV 憑證立刻發行

若要瞭解更多有關使用 DNS CNAME DCV 方法的資訊:

2022 年 3 月 8 日

CertCentral Services API:改進的網域端點回應清單

為了更容易找到與您的 CertCentral 帳戶中的網域控制驗證 (DCV) 狀態有關的資訊,我們在列出網域 API 回應的網域物件中加入這些回應參數:

  • dcv_approval_datetime:網域的最新 DCV 檢查的完成日期和時間。

  • last_submitted_datetime:上次提交網域進行驗證的日期和時間。

如需更多資訊,請參閱列出網域端點的參考文件。

2022 年 3 月 5 日

即將到來的排程維護

DigiCert 將在 2022 年 3 月 5 日 22:00 到 24:00 MST (2022 年 3 月 6 日 05:00 到 07:00 UTC) 之間執行排程的維護。在此期間,有些服務可能停機最多兩小時。

基礎設備相關維護停機時間

我們將在 22:00 MST (05:00 UTC) 開始此基礎設備相關維護。然後以下所列的服務可能停機最多兩小時

CertCentral™ TLS 憑證發行:

  • 在此期間提交 TLS 憑證要求將會失敗

  • 失敗的要求應在還原服務後重新提交

CIS 和 CertCentral™ SCEP:

  • 憑證發行服務 (CIS) 將停用

  • CertCentral 簡易憑證註冊通訊協定 (SCEP) 將停用

  • 在此時間提交要求將會失敗

  • CIS API 將傳回「503 服務無法使用」錯誤

  • 失敗的要求應在還原服務後重新提交

Direct Cert Portal 新網域和組織驗證:

  • 在此時間提交新網域進行驗證將會失敗

  • 在此時間提交新組織進行驗證將會失敗

  • 失敗的要求應在還原服務後重新提交

QuoVadis™ TrustLink™ 憑證發行:

  • 在此期間提交 TrustLink 憑證要求將會延遲

  • 要求將新增到佇列中供稍後處理

  • 在還原服務後,處理佇列中的要求

PKI Platform 8 新網域和組織驗證:

  • 在此時間提交新網域進行驗證將會失敗

  • 在此時間提交新組織進行驗證將會失敗

  • 要求將新增到佇列中供稍後處理

  • 在還原服務後,處理佇列中的要求

我可以做什麼?

訂出相應計畫:

  • 在維護時段前後安排高優先順序訂單、續訂和重新發行的時間。

  • 預期在您使用 API 進行立刻發行憑證和自動化工作時中斷。

  • 若要取得即時維護更新,請訂閱 DigiCert 狀態頁面。此訂閱包括維護開始和維護結束時使用的電郵提醒。

  • 關於排程的維護日期和時間,請參閱 DigiCert 2022 維護排程

服務將在我們完成維護時盡快還原。

2022 年 2 月 17 日

CertCentral:改進的經過驗證的聯絡人 EV TLS 憑證要求核准程序

在 CertCentral 和 the CertCentral Services API 中,我們已更新 EV TLS 憑證請求程序為僅傳送 EV TLS 請求核准電郵給在您的憑證要求上納入的經過驗證的聯絡人。

Note

之前,當您要求 EV TLS 憑證時,我們會將 EV 訂單核准電郵傳送給組織所有經過驗證的聯絡人。

新增經過驗證的聯絡人到 EV TLS 憑證要求中:

  • CertCentral

    要求 EV TLS 憑證時,您可以:

    • 保持指派給組織的現有經過驗證的聯絡人

    • 移除聯絡人 (需要至少一個)

    • 新增新的聯絡人 (我們必須驗證每個新聯絡人,可能導致發行憑證延遲)

  • Sevices API

    請求 EV TLS 憑證時,在 JSON 要求的 organization.contacts 陣列中納入經過驗證的聯絡人。關於經過驗證的聯絡人,contact_type 欄位中的值是 ev_approver

若要瞭解更多有關 EV TLS 憑證要求的資訊:

2022 年 2 月 12 日

展開使用於 DigiCert 服務的 IP 位址範圍

在 2022 年 2 月 12 日 22:00 – 24:00 MST (2022 年 2 月 13 日 05:00 - 07:00 UTC) 的排程維護是我們的排程維護的一部份,DigiCert 正在擴大我們用於我們的服務的 IP 位址範圍。這些其他 IP 位址是我們努力增加服務運作時間,以及減少排程維護時間所做的努力的一部份。

我需要做什麼?

如果您的公司使用允許清單*,在 2022 年 2 月 12 日前加入以下所列的 IP 位址的區塊,以便保持您的 DigiCert 服務和 API 整合如預期般運作。

Note

*允許清單是使用於防火牆的清單,僅允許指定的 IP 位址執行特定工作或與您的系統連線。

新的 IP 位址範圍

新增此 IP 位址範圍到您的允許清單*中:216.168.240.0/20

Important

我們未正在取代或移除任何 IP 位址。我們僅展開我們提供我們的服務所使用的 IP 位址的範圍。

如需簡易參考,請參閱我們的知識庫文章展開 DigiCert 服務使用的 IP 位址範圍。如果您有疑問,請聯絡您的帳戶管理員或 DigiCert 支援團隊

受影響的服務:
  • CertCentral/Services API

  • ACME

  • Discovery/API

  • 探索感應器防火牆設定

  • ACME 自動化/API

  • 憑證發行服務 (CIS)

  • 單一憑證註冊通訊協定 (SCEP)

  • API 存取 URL

  • Direct Cert Portal/API

  • DigiCert 網站

  • 驗證服務

  • PKI Platform 8

  • PKI Platform 7 (日本和澳大利亞)

  • QuoVadis TrustLink

  • DigiCert ONE

    • Account Manager

    • CA Manager

    • IoT Device Manager

    • Document Signing Manager

    • Secure Software Manager

    • Enterprise PKI Manager

    • Automation Manager

2022 年 2 月 9 日

CertCentral Services API:網域資訊增強

我們更新了網域資訊 API 回應,納入與網域關聯的 DCV 權杖的 expiration_date 參數。現在,當您呼叫 Domain info API 並將 include_dcv 查詢參數的值設定為 true 時,回應中的 dcv_token 物件加入了網域的 DCV 權杖的 expiration_date

Example 10. 網域資訊回應範圍:
{
  ...
  "dcv_token": {
    "token": "91647jw2bx280lr5shkfsxd0pv50ahvg",
    "status": "pending",
    "expiration_date": "2022-02-24T16:25:52+00:00"
  },
  ...
}

2022 年 2 月 8 日

l帳戶安全性功能:核准的使用者電郵網域

CertCentral 系統管理員現在可指定電郵網域使用者建立 CertCentral 帳戶所針對的內容。這有助於防止將電郵傳送到未核准、一般的電郵網域 (@gmail.com, @yahoo.com) 或第三方擁有的網域。如果使用者嘗試將使用者電郵地址設定或變更為未核准的網域,他們會收到錯誤。

設定 > 喜好設定中尋找此設定。展開進階設定,然後尋找核准的電郵網域區段。

Note

此設定不會影響有未核准的電郵地址的現有使用者。只會影響新的使用者和設定此設定後所做的電郵變更。

2022 年 2 月 1 日

經過驗證的標章憑證 (VMC):三個新核准的商標局

我們很榮幸宣佈 DigiCert 現在可識別的驗證您的 VMC 憑證所使用標誌的智慧財產局增加了三個。這些新的辦事處位於韓國、巴西和印度。

新核准的商標局:

其他核准的商標局:

什麼是「經過驗證的標章憑證」?

經過驗證的標章憑證 (VMC)是新型的憑證,允許公司將通過認證的品牌標誌放在客戶收件匣的「寄件者」欄位旁邊。

  • 開啟訊息前可看到您的標誌。

  • 您的標誌作為您網域的 DMARC 狀態和您組織的驗證身分的確認。

瞭解更多有關 VMC 憑證的資訊

Bugfix:Code Signing (CS) 憑證產生電郵僅傳送給 CS 驗證的聯絡人

我們修復 Code Signing (CS) 憑證發行程序中的 Bug,其中我們僅傳送憑證產生電郵給 CS 驗證的聯絡人。此 Bug 只會發生在要求者未要求者未納入有代碼簽署憑證要求的 CSR 時。

現在,對於提交的沒有 CSR 的訂單,我們將代碼簽署憑證產生電郵傳送到:

  • 憑證要求者

  • CS 驗證的聯絡人

  • 訂單包括的其他電郵

Note

DigiCert 建議提交有您的 Code Signing 憑證要求的 CSR。目前,Internet Explorer 是唯一支援產生金鑰組的瀏覽器。請參閱我們的知識庫文章:放棄對 Firefox 69 的 Keygen 支援

2022 年 1 月 25 日

更新至 OV 和 EV TLS 憑證設定檔

我們致力於統一我們的 DV、OV 和 EV TLS 憑證設定檔,因此對我們的 EV TLS 憑證設定檔做了小變更。2022 年 1 月 25 日,我們在我們的 OV 和 EV TLS 憑證設定檔中,將 Basic Constraints 延伸程式設定為非重大

Note

DV TLS certificates 已發行,Basic Constraints 延伸程式設定為非重大

我需要做什麼?

您的方面不需要採取動作。您應該不會注意到您的憑證發行程序中的任何差別。如果您的 TLS 憑證程序需要將 Basic Constraints 延伸程式設定為重大,請立刻聯絡您的帳戶管理員或 DigiCert 支援團隊

2022 年 1 月 24 日

改進的網域頁面、驗證狀態篩選器 — 已完成/已驗證

網域頁面的驗證狀態下拉清單中,我們更新了已完成/已驗證篩選器,因此更容易找到已完成和啟用網域控制驗證 (DCV) 的網域。

Note

之前,當您搜尋有已完成/已驗證 DCV 的網域時,我們傳回所有已完成 DCV 的網域,即使網域驗證已到期。

現在,當您搜尋有已完成/已驗證 DCV 的網域時,我們僅傳回您的搜尋結果中已完成和啟用 DCV 的網域。若要尋找 DCV 已到期的網域,請使用驗證狀態下拉清單中的已到期篩選器。

尋找已完成和啟用 DCV 的網域

  1. 在 CertCentral 的左側主功能表中,前往憑證 > 網域

  2. 網域頁面的驗證狀態下拉清單中,選取已完成/已驗證

CertCentral Services API:列出網域增強

對於 List domains API,我們更新了 filters[validation]=completed 篩選條件,因此更容易找到為了發行 OV 或 EV 憑證而驗證的網域。

之前,此篩選條件傳回完成 DCV 檢查的所有網域,即使網域驗證已到期。現在,篩選條件僅傳回 OV 或 EV 網域驗證狀態為啟用的網域。

2022 年 1 月 10 日

CertCentral 網域和網域詳細資料頁面:改進的網域驗證追蹤

我們更新了網域網域詳細資料頁面,因此更容易追蹤和保持您的網域的最新驗證。這些更新符合去年業界對網域驗證重新使用期*的變更。將您的網域驗證保持為最新減少了憑證發行時間:新的、重新發行、重複發行和續訂。

Note

*2021 年 10 月 1 日,業界將所有網域驗證重新使用期減少為 398 天。DigiCert 實施 397 天網域驗證重新使用期,確保憑證不是使用到期的網域驗證發行。如需更多與此變更有關的資訊,請參閱我們的知識庫文章:2021 年網域驗證原則變更

網域頁面改進

當您瀏覽「網域」頁面時 (在左側的主功能表中,選取憑證 > 網域),您將看到三個新欄:DCV 方法驗證狀態驗證到期。現在您可以檢視用於證明網域控制權、網域驗證的狀態 (擱置、已驗證、即將到期和已到期)和網域驗證到期時間的網域控制驗證 (DCV) 方法。

由於 OV 和 EV 驗證重新使用期相同,因此我們簡化了驗證狀態排序功能。除了顯示 OV 驗證和 EV 驗證各自的篩選期外,我們僅顯示一組篩選器:

  • 已完成/已驗證

  • 擱置中驗證

  • 0-7 天內到期

  • 0-30 天內到期

  • 31-60 天內到期

  • 61-90 天內到期

  • 已到期

網域詳細資料頁面改進

當您瀏覽網域的詳細資料頁面時 (在網域頁面上,選取網域),您將在頁面頂端看到狀態列。此狀態列讓您檢視網域的驗證狀態、網域驗證到期的時間、網域驗證最近完成的時間和證明網域控制權所使用的 DCV 方法。

我們也更新了頁面的網域驗證狀態區段。我們以一個項目「網域驗證狀態」取代了 OV 和 EV 網域驗證狀態的個別項目。

2022 年 1 月 8 日

即將到來的排程維護

DigiCert 將在 2022 年 1 月 8 日 22:00 到 24:00 MST (2022 年 1 月 9 日 05:00 到 07:00 UTC) 之間執行排程的維護。雖然我們有保護您的服務的適當備援,但有些 DigiCert 服務在這段時間內仍可能無法使用。

我可以做什麼?

訂出相應計畫:

  • 在維護時段前後安排高優先順序訂單、續訂和重新發行的時間。

  • 如果您使用 API 進行立刻發行憑證和自動化工作,預期會中斷。

  • 若要取得即時維護更新,請訂閱 DigiCert 狀態頁面。此訂閱包括維護開始和維護結束時使用的電郵提醒。

  • 關於排程的維護日期和時間,請參閱 DigiCert 2022 排程的維護

服務將在我們完成維護時盡快還原。

2021 年 12 月 7 日

CertCentral Report Library 現在可用

我們很榮幸宣佈現在推出 CertCentral Enterprise 和 CertCentral Partner 的 CertCentral Report LIbrary。*報告程式庫是一種強大的報告工具,允許您一次下載超過 1000 筆記錄。使用報告程式庫建立、排程、組織和匯出報告以分享和重複使用。

「報告程式庫」包括六份自訂報告:訂單、組織、餘額歷史記錄、稽核記錄、網域和完全合格的網域名稱 (FQDN)。建立報告時,您控制了報告中出現的詳細資料和資訊,設定欄和欄順序,排程想要執行報告的頻率 (一次、每周或每月),以及選擇報告格式 (CSV、JSON, 或 Excel)。此外,在準備好在您的帳戶中下載報告時,您會收到通知。

若要建立您的第一份報告:
  1. 在您的 CertCentral 帳戶的左側主功能表中,選取報告

    若要使用報告程式庫,您必須是 CertCentral 系統管理員。CertCentral 管理員、財務管理員、標準使用者和受限的使用者沒有在他們的帳戶中存取報告的權限。

  2. 報告程式庫頁面上,選取建立報告

若要瞭解更多與建立報告有關的資訊:

Important

*在您的帳戶中看不到「報告程式庫」?請聯絡您的帳戶管理員或 DigiCert 支援團隊以尋求協助。

CertCentral Report Library API 也可以使用

我們很榮幸宣佈釋出 CertCentral Report Library API!此新的服務可以調整您的 CertCentral API 整合中的報告程式庫的主要功能,包括建立報告和下載報告結果*。

若要瞭解更多有關在您的 API 整合中加入「報告程式庫」的資訊,請參閱我們的 Report Library API 文件。

Important

*若要使用 CertCentral Report Library API,必須針對您的 CertCentral 帳戶啟用報告程式庫。如需啟用報告程式庫的協助,請聯絡您的帳戶管理員或 DigiCert 支援團隊

Bugfix:唯一的名稱檢查不包括通稱

我們更新了我們唯一的組織名稱檢查,在建立組織時加入通稱 (公司名稱)。

Note

之前,在 CertCentral 和 CertCentral Services API 中,當您嘗試建立名稱和現有的組織相同的組織時,我們會傳回錯誤,而且不讓您建立組織,即使通稱 (DBA) 不同。

現在,當您建立組織時,我們在唯一的組織檢查中加入通稱。因此,您可以建立有相同名稱的組織,只要每個組織都有唯一的通稱即可。

例如:

  • 第一個組織:沒有通稱

    • 姓名:YourOrganization

    • 通稱:

  • 第二個組織:名稱加唯一的通稱

    • 姓名:YourOrganization

    • 通稱:OrganizationAssumedName

建立組織

在 CertCentral 和 CertCentral Services API,您可以建立組織以提交供預先驗證,或在訂購 TLS/SSL 憑證時。此變更適用於兩個程序。

CertCentral:DigiCert 現在從 DigiCert Assured ID Client CA G2 中繼 CA 憑證發行用戶端憑證

為了保持符合業界標準,DigiCert 必須替代用於發行 CertCentral 用戶端憑證的中繼 CA (ICA) 憑證。

使用 DigiCert SHA2 Assured ID CA 中繼 CA 憑證的 CertCentral 用戶端憑證設定檔現在使用 DigiCert Assured ID Client CA G2 中繼 CA 憑證。此變化將根憑證從 DigiCert Assured ID Root CA 變更為 DigiCert Assured ID Root G2。

舊的 ICA 和根憑證

  • (ICA) DigiCert SHA2 Assured ID CA

  • (Root) DigiCert Assured ID Root CA

新的 ICA 和根憑證

  • (ICA) DigiCert Assured ID Client CA G2

  • (Root) DigiCert Assured ID Root G2

如需更多資訊,請參閱 DigiCert ICA 更新。若要取得一份新的中繼 CA 和根憑證,請參閱 DigiCert 信任的根權限憑證

您是否需要您的用戶端憑證鏈結到 DigiCert Assured ID Root CA 憑證?聯絡您的客服代表或 DigiCert 支援團隊

2021 年 12 月 4 日

即將到來的排程維護

DigiCert 將在 2021 年 12 月 4 日 22:00 到 24:00 MST (2021 年 12 月 5 日 05:00 到 07:00 UTC) 之間執行排程的維護。雖然我們有保護您的服務的適當備援,但有些 DigiCert 服務在這段時間內仍可能無法使用。

我可以做什麼?

訂出相應計畫:

  • 在維護時段前後安排高優先順序訂單、續訂和重新發行的時間。

  • 預期在您使用 API 進行立刻發行憑證和自動化工作時中斷。

  • 若要取得即時維護更新,請訂閱 DigiCert 狀態頁面。此訂閱包括維護開始和維護結束時使用的電郵提醒。

  • 關於排程的維護日期和時間,請參閱 DigiCert 2021 排程的維護DigiCert 2021 維護排程

服務將在我們完成維護時盡快還原。

2021 年 11 月 16 日

業界對基於檔案的 DCV (HTTP Practical Demonstration、檔案驗證、檔案、HTTP 權杖和 HTTP 驗證) 的變更

為了符合基於檔案的網域控制驗證 (DCV) 方法的新業界標準,您僅可以使用基於檔案的 DCV 方法證明有完全和命名相同的完全合格的網域名稱 (FQDN) 的控制權。

若要瞭解更多與業界變更有關的資訊,請參閱 2021 年網域驗證原則變更

這如何影響我?

截止 2021 年 11 月 16 日,您必須使用其他支援的 DCV 方法之一,例如電郵、DNS TXT 和 CNAME 等,以便:

  • 驗證萬用網域 (*.example.com)

  • 驗證更高層級的網域時在網域驗證中加入子網域。例如,如果您想要在驗證更高層級的網域 example.com 時涵蓋 www.example.com。

  • 預先驗證整個網域和子網域。

若要瞭解更多有關 DV、OV 和 EV 憑證要求的支援的 DCV 方法時:

CertCentral:使用基於檔案的 DCV 的擱置的憑證要求和網域預先驗證

擱置的憑證要求

如果您有未完成基於檔案的 DCV 檢查的擱置的憑證要求,您可能需要切換 DCV 方法*,或使用基於檔案的 DCV 方法證明有要求上的完全和命名相同的每個完全合格的網域名稱的控制權。

Important

*對於有萬用網域的未完成基於檔案的 DCV 檢查的憑證要求,您必須使用其他 DCV 方法。

若要瞭解更多有關 DV、OV 和 EV 憑證要求的支援的 DCV 方法時:

網域預先驗證

如果您計畫使用基於檔案的 DCV 方法預先驗證整個網域或整個子網域,您必須使用其他的 DCV 方法。

若要深入瞭解有關網域預先驗證的支援的 DCV 方法,請參閱適用於網域驗證的支援的網域控制驗證 (DCV) 方法

CertCentral Services API

如果您使用 CertCentral Services API 訂購憑證,或使用基於檔案的 DCV (http-token) 提交網域進行預先驗證,此變更可能影響您的 API 整合。若要瞭解更多資訊,請瀏覽基於檔案的網域控制驗證 (http-token)

2021 年 11 月 6 日

即將到來的排程維護

DigiCert 將在 2021 年 11 月 6 日 22:00 到 24:00 MDT (2021 年 11 月 7 日 04:00 到 06:00 UTC) 之間執行排程的維護。

CertCentral 基礎設備相關維護停機時間

我們將在北美山區夏令時間 22:00 到 22:10 (世界協調時間 04:00 到 04:10) 之間開始此基礎設備相關維護。然後約 30 分鐘後,以下服務將會暫停:

使用於 CertCentral、ACME 和 ACME 代理程式自動化的 DV 憑證發行

  • 在此期間提交 DV 憑證要求將會失敗

  • API 將傳回「無法連線」錯誤

  • 失敗的要求應在還原服務後重新提交

CIS 和 SCEP

  • 憑證發行服務 (CIS) 將停用

  • 簡易憑證註冊通訊協定 (SCEP) 將停用

  • DigiCert 將無法發行用於 CIS 和 SCEP 的憑證

  • API 將傳回「無法連線」錯誤

  • 傳回無法連線錯誤的要求應在還原服務後重新提交

QuoVadis TrustLink 憑證發行

  • 在此期間提交 TrustLink 憑證要求將會失敗

  • 但失敗的要求將新增到佇列中供稍後處理

  • 視需要在還原服務後處理佇列中的要求

此維護僅影響 DV 憑證發行、CIS、SCEP 和 TrustLink 憑證發行。其不會影響任何其他 DigiCert 平台或服務。

PKI Platform 8 維護

我們將在北美山區夏令時間 22:00 (世界協調時間 04:00) 開始 PKI Platform 8 維護。然後約 30 分鐘後,PKI Platform 8 將發生服務延遲和效能下降,這會影響:

  • 登入和使用您的 PKI Platform 8 執行主控台內的憑證生命周期工作。

  • 使用任何您的 PKI Platform 8 相應 API 或通訊協定 (例如 SOAP、REST、SCEP、Intune SCEP 和 EST) 執行憑證生命周期操作。

  • 執行憑證生命周期工作/操作:

    • 註冊憑證:新的、續訂或重新發行

    • 新增網域和組織

    • 提交驗證要求

    • 檢視報告、撤銷憑證和建立設定檔

    • 新增使用者、檢視憑證和下載憑證

  • PKI Platform 8 的憑證發行及其相應的 API。

此外:

  • API 將傳回「無法連線」錯誤。

  • DigiCert 還原服務後,必須重新提交接收「無法連線」錯誤的憑證註冊。

PKI Platform 8 維護僅影響 PKI Platform 8。其不會影響任何其他 DigiCert 平台或服務。

我可以做什麼?

訂出相應計畫:

  • 在維護時段前後安排高優先順序訂單、續訂和重新發行的時間。

  • 預期在您使用 API 進行立刻發行憑證和自動化工作時中斷。

  • 若要取得即時維護更新,請訂閱 DigiCert 狀態頁面。此訂閱包括維護開始和維護結束時使用的電郵提醒。

  • 關於排程的維護日期和時間,請參閱 DigiCert 2021 排程的維護DigiCert 2021 維護排程

服務將在我們完成維護時盡快還原。

2021 年 10 月 2 日

即將到來的排程維護

2021 年 10 月 2 日 22:00 到 24:00 MDT (2021 年 10 月 3 日 04:00 到 06:00 UTC) 之間,DigiCert 將執行排程的維護。

CertCentral、CIS、SCEP、Direct Cert Portal 和 DigiCert ONE 維護

DigiCert 將執行排程的維護。雖然我們有保護您的服務的適當備援,但有些 DigiCert 服務在這段時間內仍可能無法使用。

PKI Platform 8 維護和停機時間:

DigiCert 將在 PKI Platform 8 上執行排程的維護。在此期間內,PKI Platform 8 和其相應的 API 將暫停約 20 分鐘。我們將在北美山區夏令時間 22:00 (世界協調時間 04:00) 開始 PKI Platform 8 維護。

之後約有 20 分鐘:

  • 您將無法登入和使用您的 PKI Platform 8 執行主控台內憑證生命周期工作。

  • 您將無法使用任何您的 PKI Platform 8 相應 API 或通訊協定 (例如 SOAP、REST、SCEP 和 EST) 執行憑證生命周期操作。

  • 您將無法:

    • 註冊憑證:新的、續訂或重新發行

    • 新增網域和組織

    • 提交驗證要求

    • 檢視報告、撤銷憑證和建立設定檔

    • 新增使用者、檢視憑證和下載憑證

  • DigiCert 將無法發行 PKI Platform 8 的憑證和其相應的 API。

  • API 將傳回「無法連線」錯誤。

  • DigiCert 還原服務後,必須重新提交接收「無法連線」錯誤的憑證註冊。

PKI Platform 8 維護僅影響 PKI Platform 8。其不會影響任何其他 DigiCert 平台或服務。

我可以做什麼?

訂出相應計畫:

  • 在維護時段前後安排高優先順序訂單、續訂和重新發行的時間。

  • 預期在您使用 API 進行立刻發行憑證和自動化工作時中斷。

  • 若要取得即時維護更新,請訂閱 DigiCert 狀態頁面。此訂閱包括維護開始和維護結束時使用的電郵提醒。

  • 關於排程的維護日期和時間,請參閱 DigiCert 2021 排程的維護DigiCert 2021 維護排程

服務將在我們完成維護時盡快還原。

2021 年 9 月 11 日

即將到來的排程維護

2021 年 9 月 11 日 22:00 到 24:00 MDT (2021 年 9 月 12 日 04:00 到 06:00 UTC) 之間,DigiCert 將執行排程的維護。

CertCentral、CIS、SCEP、Direct Cert Portal 和 DigiCert ONE 維護

DigiCert 將執行排程的維護。雖然我們有保護您的服務的適當備援,但有些 DigiCert 服務在這段時間內仍可能無法使用。

PKI Platform 8 維護和停機時間:

DigiCert 將在 PKI Platform 8 上執行排程的維護。在此期間內,PKI Platform 8 和其相應的 API 將停機約 60 分鐘。

我們將在北美山區夏令時間 22:00 (世界協調時間 04:00) 開始 PKI Platform 8 維護。

之後約有 60 分鐘:

  • 您將無法登入和使用您的 PKI Platform 8 執行主控台內憑證生命周期工作。

  • 您將無法使用任何您的 PKI Platform 8 相應 API 或通訊協定 (例如 SOAP、REST、SCEP 和 EST) 執行憑證生命周期操作。

  • 您將無法:

    • 註冊憑證:新的、續訂或重新發行

    • 新增網域和組織

    • 提交驗證要求

    • 檢視報告、撤銷憑證和建立設定檔

    • 新增使用者、檢視憑證和下載憑證

  • DigiCert 將無法發行 PKI Platform 8 的憑證和其相應的 API。

  • API 將傳回「無法連線」錯誤。

  • DigiCert 還原服務後,必須重新提交接收「無法連線」錯誤的憑證註冊。

PKI Platform 8 維護僅影響 PKI Platform 8。其不會影響任何其他 DigiCert 平台或服務。

我可以做什麼?

訂出相應計畫:

  • 在維護時段前後安排高優先順序訂單、續訂和重新發行的時間。

  • 預期在您使用 API 進行立刻發行憑證和自動化工作時中斷。

  • 若要取得即時維護更新,請訂閱 DigiCert 狀態頁面。此訂閱包括維護開始和維護結束時使用的電郵提醒。

  • 關於排程的維護日期和時間,請參閱 DigiCert 2021 排程的維護DigiCert 2021 維護排程

服務將在我們完成維護時盡快還原。

2021 年 9 月 8 日

CertCentral Services API:網域管理增強

為了更容易保持您帳戶中的網域驗證啟用,我們新增了新的篩選器、回應爛位和新端點到我們的網域管理 API 中。藉由這些更新,您可以:

  • 尋找 OV 和 EV 驗證重新使用期間已到期或即將到期的網域。

  • 尋找受 2021 年 9 月 27 日原則變更影響以縮短 OV 網域驗證重新使用期間的網域。*

增強的 API:網域清單和子帳戶網域清單

我們對列出網域列出子帳戶網域端點做出以下的增強:

  • 新增了 validation 篩選器值 2021 年 9 月 27 日*,現有的 OV 網域驗證重新使用期將縮短為自驗證完成日期起的 397 天。對有些網域而言,減少的驗證期已到期,或將在 2021 年結束前到期。

    為了協助您找到這些網域,讓您可以重新提交它們進行驗證,我們新增了 validation 篩選器的新值:shortened_by_industry_changes。我們也新增了協助您找到 OV 或 EV 網域驗證期在不同時段到期的網域的篩選器值。新的 validation 篩選器值包括:

    • shortened_by_industry_changes

    • ov_expired_in_last_7_days

    • ov_expiring_within_7_days

    • ov_expiring_within_30_days

    • ov_expiring_from_31_to_60_days

    • ov_expiring_from_61_to_90_days

    • ev_expired_in_last_7_days

    • ev_expiring_within_7_days

    • ev_expiring_within_30_days

    • ev_expiring_from_31_to_60_days

    • ev_expiring_from_61_to_90_days

  • 新增了欄位到 dcv_expiration 物件中 您現在可以提交傳回在 dcv_expiration 物件中的下列欄位的要求:ov_shortenedov_statusev_statusdcv_approval_date。這些欄位僅在您的要求包括新增的查詢字串 filters[include_validation_reuse_status]=true 時傳回。

  • 新增了 dcv_method 篩選器 我們以網域控制驗證 (DCV) 方法新增選項到篩選網域中。若要使用此篩選,請將查詢字串 filters[dcv_method]={{value}} 附加到要求 URL。可能的值為 emaildns-cname-tokendns-txt-tokenhttp-tokenhttp-token-static

增強的 API:網域資訊

您現在可以提交要求到網域資訊端點,此端點傳回在 dcv_expiration 物件中的下列欄位:ov_shortenedov_statusev_statusdcv_approval_date。這些欄位僅在您的要求包括新增的查詢字串 include_validation_reuse_status=true 時傳回。

新的 API:即將到期的網域計數

我們新增了新端點,傳回您的帳戶中 OV 或 EV 網域驗證已到期或即將到期的網域數目。如需更多資訊,請參閱即將到期的網域計數

*2021 年 9 月 27 日,現有的網域驗證的到期日期將縮短為自完成驗證日期起的 397 天。瞭解更多與此原則變更有關的資訊:網域驗證在 2021 年的變化

2021 年 9 月 7 日

CertCentral Services API:依替代訂單 ID 取得訂單

我們建立了新端點,讓使用替代訂單 ID 取得憑證更加容易:依替代訂單 ID 取得訂單。此端點以您在 URL 路徑中提供的 alternative_order_id 傳回憑證訂單的訂單 ID、憑證 ID 和訂單狀態。

2021 年 8 月 23 日

DV 憑證 Bug 修復

我們修復了變更 DV 憑證的重新發行工作流程的漏洞。2021 年 8 月 24 日後,當您重新發行 DV 憑證和變更或移除 SAN 時,原始憑證和任何之前重新發行或重複的憑證在延遲 72 小時後遭到撤銷。

2021 年 8 月 20 日

Wildcard 變更

我們更新了產品的行為,可使用憑證中的萬用字元網域名稱和完全合格的網域名稱 (FQDN)。2021 年 8 月 23 日後,加入萬用字元網域名稱的憑證將僅免費保護 FQDN 和其所有同等級網域名稱的安全。

和萬用字元網域名稱不是同等級的主體別名 (SAN) 將被視為在萬用字元涵蓋範圍外。例如,*.digicert.com 的萬用字元憑證僅允許免費在憑證中加入 one.digicert.com、two.digicert.com 和 three.digicert.com 等 FQDN 作為 SAN。

2021 年 8 月 7 日

即將到來的排程維護

2021 年 8 月 7 日 22:00 到 24:00 MDT (2021 年 8 月 8 日 04:00 到 06:00 UTC) 之間,DigiCert 將執行排程的維護。雖然我們有保護您的服務的適當備援,但有些 DigiCert 服務在這段時間內仍可能無法使用。

我可以做什麼?

訂出相應計畫:

  • 在維護時段前後安排高優先順序訂單、續訂和重新發行的時間。

  • 若要取得即時維護更新,請訂閱 DigiCert 狀態頁面。此訂閱包括維護開始和維護結束時使用的電郵提醒。

  • 關於排程的維護日期和時間,請參閱 DigiCert 2021 排程的維護DigiCert 2021 維護排程

服務將在我們完成維護時盡快還原。

2021 年 7 月 12 日

經過驗證的標章憑證現在可用

經過驗證的標章憑證 (VMC) 是一種新型的憑證,允許公司將通過認證的品牌標誌放在客戶收件匣的寄件人欄位旁邊 — 在訊息開啟前可見 — 作為您網域的 DMARC 狀態和您組織的驗證身分的驗證。瞭解更多有關 VMC 憑證的資訊

若要在您的帳戶中停用或變更 VMC 的可用性,請瀏覽產品設定頁面

Note

如果在您的帳戶中未看到 VMC,可能是因為我們尚未提供產品給所有帳戶類型。也可能產品可用,但您的其中一個 CertCentral 帳戶的系統管理員在「產品設定」中將產品關閉。

CertCentral Services API:經過驗證的標章憑證增強

為了協助您在您的 API 整合中管理您的驗證的標章憑證 (VMC),我們已對 CertCentral Services API 做出以下的更新。

新端點:

更新的端點:

  • 訂單資訊

    我們更新了訂單資訊端點,以傳回內有供 VMC 訂單使用的商標國碼、註冊編號和標誌資訊的 vmc 物件。

  • 電郵憑證

    我們更新了電郵憑證端點,支援以電子郵件傳送您發行的 VMC。

若要瞭解更多與從您的 API 整合管理 VMC 憑證的資訊,請造訪經過驗證的標章憑證工作流程

2021 年 7 月 10 日

即將到來的排程維護

2021 年 7 月 10 日 22:00 到 24:00 MDT (2021 年 7 月 11 日 04:00 到 06:00 UTC) 之間,DigiCert 將執行排程的維護。

在維護期間內約 60 分鐘,服務停機時間下指定的服務將會停機。由於維護範圍的緣故,服務中斷下指定的服務在 10 分鐘時段內可能短暫中斷。

服務停機時間

自 22:00 – 23:00 MDT (04:00 – 05:00 UTC) 起,在我們執行資料庫相關維護時,以下的服務將停機最長 60 分鐘:

  • CertCentral / Services API

  • 直接憑證入口網站/API

  • ACME

  • Discovery/API

  • ACME 代理程式自動化/API

Note

API 備註:受影響的 API 將傳回「無法連線」錯誤。在此時段傳回「無法連線」錯誤訊息的憑證相關 API 要求將在服務還原後重新放置。

服務中斷

在 10 分鐘時段內,當我們執行基礎設備維護時,以下的 DigiCert 服務可能發生服務短暫中斷:

  • 憑證發行服務 (CIS)

  • 單一憑證註冊通訊協定 (SCEP)

  • DigiCert ONE

  • 自動化服務

  • CT 記錄監控

  • 漏洞評估

  • PCI 遵規掃描

不受影響的服務

這些服務受維護活動的影響:

  • PKI Platform 8

  • PKI Platform 7

  • QuoVadis TrustLink

我可以做什麼?

訂出相應計畫:

  • 在維護時段前後安排高優先順序訂單、續訂和重新發行的時間。

  • 預期在您使用 API 進行立刻發行憑證和自動化工作時中斷。

  • 若要取得即時維護更新,請訂閱 DigiCert 狀態頁面。此訂閱包括維護開始和維護結束時使用的電郵提醒。

  • 關於排程的維護日期和時間,請參閱 DigiCert 2021 排程的維護DigiCert 2021 維護排程

服務將在維護完成時盡快還原。

2021 年 6 月 5 日

即將到來的排程維護

2021 年 6 月 5 日 22:00 到 24:00 MDT (2021 年 6 月 6 日 04:00 到 06:00 UTC) 之間,DigiCert 將執行排程的維護。雖然我們有保護您的服務的適當備援,但有些 DigiCert 服務在這段時間內仍可能無法使用。

我可以做什麼?

訂出相應計畫:

  • 在維護時段前後安排高優先順序訂單、續訂和重新發行的時間。

  • 若要取得即時維護更新,請訂閱 DigiCert 狀態頁面。此訂閱包括維護開始和維護結束時使用的電郵提醒。

  • 關於排程的維護日期和時間,請參閱 DigiCert 2021 排程的維護DigiCert 2021 維護排程

服務將在我們完成維護時盡快還原。

2021 年 6 月 3 日

CertCentral Services API:改進的 OV/EV 訂單回應中的網域陣列

為了更容易瞭解 Services API 如何將您的 OV/EV TLS 憑證訂單上的網域分組以進行驗證,我們新增了新的回應參數到端點中以提交憑證訂單要求:domains[].dns_name。*

dns_name 參數傳回訂單上的網域的一般名稱或 SAN。為了證明您有此網域的控制權,您必須有和 domains[].namedomains[].id 金鑰/值組合關聯的網域的啟用驗證。

OV 憑證訂單範例

Example 11. JSON 負載
{
    "certificate": {
        "common_name": "subl.example.net",
        "dns names" : [
            "sub2.subl.example.net",
            "sub3.sub2.subl.example.net"
        ],
        "esr": ({csr}}
    },
    "organiation": {
        "id": ((organization id}}
    },
    "dev method": "email",
    "order validity": {
        "years": 1
    }
}

Example 12. JSON 回應
{
    "id": 137368217,
    "domains": [
        {
            "id": 3530297,
            "name": "example.net",
             "dns name" : "subl.example.net"
        },
        {
            "id": 3530297,
            "name": "example.net",
            "dns name" : "sub2.subl.example.net"
        },
        {
            "id": 3530297,
            "name": "example.net",
            "dns name": "sub3.sub2.subl.example.net"
        }
    ],
    "certificate id": 138305304
}

Services API 傳回 JSON 回應中用於以下端點的 domains[].dns_name 參數:

Note

*僅 OV/EV TLS 憑證的訂購要求傳回 domains 陣列。

2021 年 5 月 27 日

業界轉移到適用於代碼簽署憑證的3072 位元金鑰基本 RSA 代碼

2021 年 5 月 27 日起,為了因應代碼簽署憑證的業界標準變更,DigiCert 將對我們的代碼簽署憑證程序做出以下的變更。

  • 停止發行 2048 位元金鑰代碼簽署憑證

  • 僅發行 3072 位元金鑰或更強的代碼簽署憑證

  • 使用 4096 位元金鑰中繼 CA 和根憑證發行我們的代碼簽署憑證。

請參閱發行和管理公共信任的 Code Signing 憑證的基準要求附錄 A,瞭解更多與這些業界變更有關的資訊。

這些變更如何影響我現有的 2048 位元金鑰憑證?

在 2021 年 5 月 27 前發行的所有現有的 2048 位元金鑰大小的代碼簽署憑證將保持啟用。您可以繼續用這些憑證簽署代碼,直到其到期為止。

如果我需要 2048 位元金鑰代碼簽署憑證,我應該做什麼?

2021 年 5 月 27 日前,視需要採取這些行動:

  • 訂購新的 2048 位元金鑰憑證

  • 續訂即將到期的 2048 位元金鑰憑證

  • 重新發行 2048 位元金鑰憑證

自 2021 年 5 月 27 日起,這些變更如何影響我的代碼簽署憑證程序?

重新發行代碼簽署憑證

自 2021 年 5 月 27 日起,所有重新發行的代碼簽署憑證將使用:

  • 3072 位元或更強大的金鑰。請參閱以下適用於 EV 代碼簽署憑證的 eToken 和 HSM。

  • 自動從新的中繼 CA 和根憑證發行。請參閱以下的新的 ICA 和根憑證。

新的和續訂的代碼簽署憑證

自 2021 年 5 月 27 日起,所有新的和續訂的代碼簽署憑證將使用:

  • 3072 位元或更強大的金鑰。請參閱以下適用於 EV 代碼簽署憑證的 eToken 和 HSM。

  • 自動從新的中繼 CA 和根憑證發行。請參閱以下的新的 ICA 和根憑證。

代碼簽署憑證的 CSR

自 2021 年 5 月 27 日起,您必須使用 3072 位元或更大的 RSA 金鑰以產生所有憑證簽署要求 (CSR)。我們將不接受使用於代碼簽署憑證要求的 2048 位元金鑰 CSR。

EV 代碼簽署憑證的 eToken

自 2021 年 5 月 27 日起,當您重新發行、訂購或續訂 EV 代碼簽署憑證時,您必須使用支援 3072 位元金鑰的 eToken。

  • 當您訂購或續訂 EV 代碼簽署憑證時,DigiCert 在您的購買加入了 3072 位元 eToken。DigiCert 提供 eToken 與預設的硬體權杖建置選項。

  • 當您重新發行您的 EV 代碼簽署憑證時,您必須提供您自己的 3072 位元 eToken。如果您沒有,您將無法在您的 eToken 上安裝您的重新發行的憑證。

  • 您必須擁有 FIPS 140-2 Level 2 或 Common Criteria EAL4+ 相容裝置。

EV 代碼簽署憑證的 HSM

自 2021 年 5 月 27 日起,您必須使用支援 3072 位元金鑰的 HSM。請聯絡您的 HSM 廠商以獲得更多資訊。

新的 ICA 和根憑證

自 2021 年 5 月 27 日起,將從我們新的 RSA 和 ECC 中繼 CA 和根憑證 (新的、續訂和重新發行的) 發行有新的代碼簽署憑證。

RSA ICA 和根憑證:

  • DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1

  • DigiCert Trusted Root G4

ECC ICA 和根憑證

  • DigiCert Global G3 Code Signing ECC SHA384 2021 CA1

  • DigiCert Global Root G3

除非您實行固定憑證、接受寫死程式碼憑證或操作信任儲存區,否則不需要任何動作。

如果您執行這些事項之一,我們建議您盡快更新您的環境。

停止固定和將 ICA 編成硬碼,或做必要的修改以確保從新 ICA 憑證發行的憑證受到信任 (也就是說鏈結到他們的發行 CA 和受信任的根憑證)。

參考

如果您有任何疑問或疑慮,請聯絡您的帳戶管理員或我們的支援團隊

2021 年 5 月 12 日

網站圖章 Bug 修復

我們修復了允許網站圖章在未加入憑證中的完全合格網域名稱 (FQDN) 上顯示的漏洞。現在圖章僅在有完全符合的 FQDN 時顯示。

2021 年 5 月 1 日

即將到來的排程維護

2021 年 5 月 1 日 22:00 到 24:00 MDT (2021 年 5 月 2 日 04:00 到 06:00 UTC) 之間,DigiCert 將執行排程的維護。

在 2 小時時段內,最長 10 分鐘,我們將無法發行 DigiCert 平台的憑證、其相應的 API、立刻發行憑證和使用 API 進行其他自動化任務的憑證。

受影響的服務:
  • CertCentral / Service API

  • ACME

  • ACME 代理程式自動化/API

  • 直接憑證入口網站/API

  • 憑證發行服務 (CIS)

  • 單一憑證註冊通訊協定 (SCEP)

  • QuoVadis TrustLink

Note

API 備註:

  • API 將傳回「無法連線」錯誤。

  • 在此收到「無法連線」錯誤訊息的時段所提交的憑證要求在服務還原後需要重新進行。

不受影響的服務
  • PKI Platform 8

  • PKI Platform 7

  • DigiCert ONE 管理員

我可以做什麼?

訂出相應計畫:

  • 在維護時段前後安排高優先順序訂單、續訂和重新發行的時間。

  • 預期在您使用 API 進行立刻發行憑證和自動化工作時中斷。

  • 若要取得即時維護更新,請訂閱

    DigiCert 狀態頁面。此訂閱包括維護開始和維護結束時使用的電郵提醒。

  • 關於排程的維護日期和時間,請參閱 DigiCert 2021 排程的維護DigiCert 2021 維護排程

服務將在我們完成維護時盡快還原。

2021 年 4 月 29 日

CertCentral Services API:網域資訊回應中的網域驗證狀態

為了更容易取得您網域的全面驗證狀態,DigiCert 正在取代網域資訊回應中的 status 參數。若要確保您正在取得您網域上的每個不同驗證類型的完整和準確的狀態資訊,當您改從您的 API 整合呼叫網域資訊端點時,您應使用 validations 陣列。

Note

網域資訊端點將繼續傳回 status 參數值。

背景

網域資訊回應中,status 參數的設計旨在傳回單一字串值。當 DigiCert 提供更少的產品時,API 中的單一值足以代表您的網域的驗證狀態。

現在,DigiCert 提供使用很多不同驗證類型的憑證產品。不同的驗證類型有不同的需求,而且這些需求隨著業界標準變更。當 DigiCert 驗證您的網域的不同憑證發行類型時,您要求的每個驗證類型可能在不同的狀態中。

  • 網域的 EV 驗證可能已完成。

  • 相同網域的 EV 驗證可能已到期。

因此,DigiCert 可能不再使用單一值傳回與網域的驗證狀態有關的全面資訊。

除了依賴單一值外,使用網域資訊端點要求 validations 陣列 – 一份物件清單,內有網域的每個驗證類型的狀態資訊。若要取得這些資料,當您提交要求時,請加入查詢參數 include_validation=true

Example 13. 要求 include_validation=true參數

https://www.digicert.com/services/v2/domain/{{domain_id}}?include validation=true

{
...
  "validations": [
    {
      "type": "ov",
      "name": "OV",
      "description": "Normal Organization Validation",
      "validated_until": "2023-07-31T14:51:31+00:00",
      "status": "active",
      "dcv_status": "complete"
    },
    {
      "type": "ev",
      "name": "EV",
      "description": "Extended Organization Validation (EV)",
      "validated_until": "2022-05-27T14:51:31+00:00",
      "status": "active",
      "dcv_status": "complete"
    }
  ],
...
}

瞭解更多有關使用網域資訊端點的資訊

2021 年 4 月 28 日

CertCentral Services API:網站圖章增強

為了協助您在您的 API 整合中管理您的網站圖章,我們已對 CertCentral Services API 做出以下的更新:

  • 新端點:上傳網站圖章標誌

    我們新增了新端點 – 上傳網站圖章標誌 – 您可以用於上傳您的公司標誌,以便搭配 DigiCert 智慧圖章使用。此標誌出現在您網站的網站圖章中。

    Note

    僅 Secure Site 和 Secure Site Pro SSL/TLS 憑證支援該選項以在網站圖中顯示您的公司標誌。

  • 新端點:更新網站圖章設定

    我們新增了新端點 – 更新網站圖章設定 – 您可以用於變更您的網站圖章的外觀,以及在網站圖章資訊頁面上顯示的資訊。

  • 更新的端點:取得網站圖章設定

    我們更新了網站圖章設定端點,以傳回有關您可以使用更新網站圖章設定端點自訂的每個屬性的相關資訊。

相關主題:

2021 年 4 月 26 日

CertCentral Services API:依序號撤銷憑證

為了更容易從您的 API 整合管理憑證,我們更新了撤銷憑證端點路徑,以便接受要撤銷的憑證的憑證 ID 或序號。之前撤銷憑證端點路徑僅接受憑證 ID。

Example 14. 使用憑證 ID 撤銷憑證路徑:

https://www.digicert.com/services/v2/certificate/{{certificate_id}}/revoke


Example 15. 使用憑證序號撤銷憑證路徑:

https://www.digicert.com/services/v2/certificate/{{serial_number}}/revoke


瞭解更多有關使用撤銷憑證端點的資訊

2021 年 4 月 20 日

DigiCert 智慧圖章現在可搭配 Secure Site Pro 和 Secure Site TLS/SSL 憑證使用

我們很榮幸發佈我們的新網站圖「DigiCert 智慧圖章」。新的智慧圖章可以和您的 Secure Site ProSecure Site TLS 憑證一起使用,提供客戶您的網站獲得 DigiCert 保護安全的保護 — DigiCert 是 TLS/SSL 領域裏其中一個最知名的名稱 。

為了使智慧圖章更有互動和投入,我們新增了懸浮效果、動畫和以懸浮效果和動畫功能顯示您的公司標誌的能力。

  • 懸浮效果

    訪客在圖章上懸浮時,圖章會放大並顯示更多資料。

  • 動畫

    訪客來到您的網站時,圖章將在圖章和更多詳細資料之間緩慢切換。

  • 標誌*

    新增您的標誌到懸浮效果和網站圖章動畫中。您的標誌出現更多詳細資料。

    *在您的標誌出現在您網站的網站圖章中之前,DigiCert 必須先核准您的標誌。

Note

若要使用智慧圖章影像、懸浮效果、動畫和新增您的標誌到網站圖章中,您必須在您的網站上安裝新的網站圖章代碼。

改進的網站圖章資訊頁面

Secure Site 和 Secure Site Pro 憑證允許您新增資訊到網站圖章資訊頁面中。這些增加的資訊可讓網站訪客瞭瞭解您為了確保您的網站安全所正在採取的步驟。

  • 惡意軟體掃描

    網站訪客可看到您監視您的網站是否有病毒和惡意軟體。

  • CT 記錄監控

    網站訪客可看到您監控憑證透明度 (CT) 記錄,允許您在有不法份子發行用在您網域的欺詐憑證時快速做出反應

    Note

    CT 記錄監控僅適用於 Secure Site Pro 憑證。PCI 遵規掃描僅適用於 Secure Site Pro 和 Secure Site EV 憑證。

  • 封鎖淸單

    網站訪客可以查看您的公司是否在政府和特定國家的封鎖清單內。

  • PCI 遵規掃描

    網站訪客可以看到您監控您的網站確保其符合 PCI DDS 標準。

    Note

    PCI 遵規掃描僅適用於 Secure Site Pro 和 Secure Site EV 憑證。

  • 經過驗證的客戶

    網站訪客可看到您使用 TLS/SSL 憑證中的其中一個最受信任的名稱保護您的網站已有多長的時間。

瞭解如何設定和安裝您的智慧圖章與網站圖章資訊頁面

2021 年 4 月 3 日

即將到來的排程維護

2021 年 4 月 3 日 22:00 到 24:00 MDT (2021 年 4 月 4 日 04:00 到 06:00 UTC) 之間,DigiCert 將執行排程的維護。

在維護期間有最長 10 分鐘的時間內,我們將無法發行 DigiCert 平台的憑證、其相應的 API、立刻發行憑證和使用 API 進行其他自動化任務的憑證。

受影響的服務

約 10 分鐘,DigiCert 將無法發行用於這些服務和 API 的憑證:

  • CertCentral / Service API

  • ACME

  • ACME 代理程式自動化/API

  • 直接憑證入口網站/API

  • 憑證發行服務 (CIS)

  • 單一憑證註冊通訊協定 (SCEP)

  • QuoVadis TrustLink

Note

API 備註

  • API 將傳回「無法連線」錯誤。

  • 在此收到「無法連線」錯誤訊息的時段所提交的憑證要求在服務還原後需要重新進行。

不受影響的服務

這些服務不受維護活動的影響:

  • PKI Platform 8 / API

  • PKI Platform 8 SCEP

  • PKI Platform 7 / API

  • PKI Platform 7 SCEP

  • DigiCert ONE 管理員

我可以做什麼?

訂出相應計畫:

  • 在維護時段前後安排高優先順序訂單、續訂和重新發行的時間。

  • 預期在您使用 API 進行立刻發行憑證和自動化工作時中斷。

  • 若要取得即時維護更新,請訂閱 DigiCert 狀態頁面。此訂閱包括維護開始和維護結束時使用的電郵提醒。

  • 關於排程的維護日期和時間,請參閱 DigiCert 2021 排程的維護DigiCert 2021 維護排程

服務將在我們完成維護時盡快還原。

2021 年 3 月 20 日

PKI Platform 8 重大維護

2021 年 3 月 20 日 18:00 到 24:00 MST (2021 年 3 月 21 日 00:00 到 06:00 UTC) 之間,DigiCert 將執行 PKI Platform 8 的重大維護。維護時,PKI Platform 8 和其相應的 API 將關閉約六小時。

這如何影響我?

約六個小時:

  • 您將無法登入您的 PKI Platform 8 執行主控台內憑證生命周期工作。

  • 您將無法使用任何您的 PKI Platform 8 相應 API 或通訊協定 (例如 SOAP、REST、SCEP、Intune SCEP 和 EST) 執行憑證生命周期操作。

  • 您將無法:

    • 註冊憑證:新的、續訂或重新發行

    • 新增網域和組織

    • 提交驗證要求

    • 檢視報告、撤銷憑證和建立設定檔

    • 新增使用者、檢視憑證和下載憑證

  • DigiCert 將無法發行 PKI Platform 8 的憑證和其相應的 API。

  • API 將傳回「無法連線」錯誤。

  • DigiCert 還原服務後,必須重新提交接收「無法連線」錯誤的憑證註冊。

不受影響的服務:

重大維護將不會影響這些服務:

  • PKI Platform 7

  • DigiCert ONE

  • CertCentral / Service API

  • 直接憑證入口網站/API

  • 憑證發行服務 (CIS)

  • CertCentral 簡易憑證註冊通訊協定 (SCEP)

  • QuoVadis TrustLink

  • Discovery/API

  • ACME

  • ACME 代理程式自動化/API

我可以做什麼?

訂出相應計畫:

  • 安排與重大維護有關的高優先順序訂單、續訂和重新發行的時間。

  • 預期在您使用 API 和通訊協定進行立刻發行憑證和自動化工作時中斷。

  • 若要取得即時維護更新,請訂閱

    DigiCert 狀態頁面。這包括維護開始和維護結束時使用的電郵。

  • 關於重大和排程的維護日期和時間,請參閱 DigiCert 2021 排程的維護DigiCert 2021 維護排程

服務將在我們完成維護時盡快還原。

2021 年 3 月 17 日

CertCentral:新的採購單和發票系統

我們很榮幸宣佈我們正使用 CertCentral 中的新採購單和發票系統。我們已做出數個變更,讓管理您的採購單和發票變得更加容易。

下次您登入 CertCentral 時,您將在財務下看到兩個新的功能表選項:付款發票採購單與發票。此外,我們現在從我們新的發票系統傳送所有發票電郵。

付款發票頁面

當您開啟付款發票頁面時,預設為預先選取所有發票。您可以選擇全部付款或選擇您要付款的發票。

Note

如果您使用有獨立資金的分部,當您開啟付款發票頁面時,預設為選取最上層分部的所有發票。使用目的下拉清單依您帳戶中的分部檢視未支付的發票。

採購單和發票頁面

在新的採購單與發票頁面上,您可以建立採購單 (PO)。在採購單表格中,您可以檢視擱置和遭到拒絕的 PO。我們核准 PO 後,它將變成發票並移動到發票表中。

Note

如果您使用有獨立資金的分部,當您開啟付款發票頁面時,預設為選取最上層分部的所有發票。使用目的下拉清單依您帳戶中的分部檢視未支付的發票。

發票表的發票欄中,您可以在我們產生的發票中看到發票編號和 PO。您可以下載一份發票或支付發票。當您按下付款發票時,我們會引導您到付款發票頁面支付發票的費用,並讓您可以使用您帳戶中的資金。

現有的 PO 和發票移轉
  • 自動產生的發票

    當我們移轉我們的帳務系統時,我們不會移轉您自動產生的發票。在三月底時,我們將自動產生您積欠的總金額的新發票。但您可以隨時在存入資金頁面 (在左側主功能表中,前往財務 > 存入資金) 上支付您的帳戶的款項。

  • 從核准的採購單產生的發票

    當我們移轉您的發票到新系統時,我們會提供新的發票編號給這些發票。但關聯的採購單編號保持不變。如果您有任何疑問或找不到發票,請聯絡您的帳戶管理員或 DigiCert 應收帳款團隊。請確定在電郵中加入您的 PO 編號和原始發票編號。

CertCentral Services API:檢視餘額增強

為了協助您在您的 API 整中追蹤財務資料,我們更新了檢視餘額端點以傳回以下的資料:

  • unpaid_invoice_balance

    未支付的發票餘額

  • negative_balance_limit

    餘額可能成為負數的金額

  • used_credit_from_other_containers

    帳戶中其他分部積欠的金額針對啟用個別分部資金的帳戶

  • total_available_funds

    將來採購可用的總資金

如需更多資訊,請參閱檢視餘額端點的說明文件。

Example 16. 回應
{
    "balance": "454.00",
    "currency": "USD",
    "unpaid_invoice_balance": "0.00",
    "negative_balance_limit": "2000.00",
    "used_credit_from_other_containers": "0.00",
    "total_available_funds": "2454.00"
}

2021 年 3 月 12 日

CertCentral Services API:自動重新發行支援多年期套餐

我們很榮幸宣佈 CertCentral Services API 現在支援多年套餐的自動憑證重新發行要求 (自動重新發行)。自動重新發行功能使得在您的多年套餐上保持 SSL/TLS 涵蓋變得更加容易。

您可以在您的 CertCentral 帳戶中啟用自動重新發行個別的訂單。啟用自動重新發行時,我們在訂單上最新發行的憑證到期前的 30 天,自動建立和提交憑證重新發行要求。

啟用重新發行新訂單

為了提供新的多年套餐的自動重新發行設定的控制權給您,我們新增了新的要求參數到端點中以訂購 DV、OV 和 EV TLS/SSL 憑證:auto_reissue

根據預設值,停用所有訂單的自動重新發行。若要啟用自動重新發行,當您要求新的多年期套餐時,請在您的要求本文中將 auto_reissue 參數的值設定為 1

Example 17. 要求本文

{
    ...
    "auto_renew": 1,
    "auto_reissue": 1,
    ...
}

Note

在新的訂單要求中,我們在以下情況中忽略 auto_reissue 參數:

  • 產品不支援多年套餐。

  • 帳戶的多年套餐已停用。

更新現有訂單的自動重新發行設定

為了提供現有的多年套餐的自動重新發行設定的控制權給您,我們新增了新的端點:更新自動重新發行設定。使用此端點啟用或停用訂單的自動重新發行設定。

取得現有訂單的自動重新發行設定

為了協助您追蹤現有憑證訂單的自動重新發行設定,我們新增了新的回應參數到訂單資訊端點中:auto_reissueauto_reissue 參數傳回訂單的目前自動重新發行設定。

適用於公用 EV 彈性憑證的 ICA 憑證鏈選取

我們很榮幸宣佈,選擇公用DV 憑證現在支援選擇中繼 CA 憑證鏈:

  • GeoTrust DV SSL

  • Thawte SSL 123 DV

  • RapidSSL Standard DV

  • RapidSSL Wildcard DV

  • Encryption Everywhere DV

您可以新增功能到您的 CertCentral 帳戶中,讓您可以控制在您訂購這些公用 DV 產品時,由哪一個 DigiCert ICA 憑證鏈發行終端實體憑證。

此功能允許您:

  • 設定每份支援的公用 DV 憑證的預設 ICA 憑證鏈。

  • 控制憑證要求者可使用哪一個 ICA 憑證鏈發行他們的 DV 憑證。

設定 ICA 憑證鏈選取

啟用適用於您帳戶的選擇 ICA:

  1. 請聯絡您的帳戶管理員或我們的支援團隊

  2. 然後,在您的 CertCentral 帳戶的左側主功能表中,前往設定 > 產品設定

  3. 產品設定頁面上,設定每個支援和可用的 DV 憑證的預設和允許的中繼憑證鏈。

如需更多資訊和逐步說明,請參閱設定您的公用 TLS 憑證的 ICA 憑證鏈功能

DigiCert Services API:DV 憑證支援 ICA 憑證鏈選取

在 DigiCert Services API 中,我們做了以下的更新以支援您的 DV 憑證訂單要中的 ICA 選擇:

傳遞發行 ICA 憑證的 ID 作為您的訂單要求本文中 ca_cert_id 參數的值。

Example 18. DV 憑證要求
{
    "certificate": {...},
    "order_validity": {
        "years": 6
    },
    "ca_cert_id": "DF3689F672CCB90C"
    ...
}

如需更多有關在您的 API 整合中使用 ICA 選取的資訊,請參閱 DV 憑證生命週期 – 選用的 ICA 選取

2021 年 3 月 6 日

即將到來的排程維護

2021 年 3 月 6 日 22:00 到 24:00 MST (2021 年 3 月 7 日 05:00 到 07:00 UTC) 之間,DigiCert 將執行排程的維護。

雖然我們有保護您的服務的適當備援,但有些 DigiCert 服務在這段時間內仍可能無法使用。

您可以做什麼?

請做出相應計畫。

  • 安排與維護時段有關的您的高優先順序訂單、續訂和重新發行的時間。

  • 若要取得即時維護更新,請訂閱 DigiCert 狀態頁面。訂閱包括通知您維護何時開始與結束的電郵。

  • 關於排程的維護日期和時間,請參閱 DigiCert 2021 排程的維護DigiCert 2021 維護排程

服務將在維護完成時盡快還原。

2021 年 2 月 24 日

CertCentral:改進的訂單頁面上的組織搜尋

為了讓尋找您帳戶中的特定組織訂購的憑證變得更加容易,我們更新了訂單頁面上的組織搜尋。

我們現在顯示與每個組織有關的三項新資訊。當您有類似或相同名稱的組織時,這些資訊有所幫助:

  • 通稱 (如果使用)

  • 組織 ID

  • 地址

自己查看

在左側的主功能表中,前往憑證 > 訂單。在「訂單」頁面上,展開顯示進階搜尋。在組織下拉清單中,搜尋組織。您將看到以下的組織資訊:名稱、通稱 (如果使用)、組織 ID 和地址。

Tip

您也可以輸入組織名稱。

CertCentral:改進的訂單詳細資料頁面

為了讓識別您帳戶中的特定組織訂購的憑證變得更加容易,我們更新了訂單詳細資料頁面上的組織區段。

我們現在顯示與每個組織有關的兩項新資訊:

  • 通稱 (如果使用)

  • 組織 ID

自己查看

在左側的主功能表中,前往憑證 > 訂單。在訂單頁面上,按一下憑證的訂單編號。在訂單詳細資料頁面組織區段中,您將看到組織名稱、組織 ID 和通稱 (如果使用)。

CertCentral:新網域頁面上改進的組織選項

為了讓關聯新網域與您帳戶中組織變得更加容易,我們更新了新網域頁面上的組織選項。

我們現在顯示與每個組織有關的三項新資訊。當您有類似或相同名稱的組織時,這些資訊有所幫助:

  • 通稱 (如果使用)

  • 組織 ID

  • 地址

我們也新增功能以輸入您正在搜尋的組織名稱。

自己查看

在左側的主功能表中,前往憑證 > 網域。在「網域」頁面上,按一下新網域。在新網域頁面的組織下拉清單中,搜尋組織。您將看到以下的組織資訊:名稱、通稱 (如果使用) 和組織 ID。您也可以輸入組織名稱。

如需更多有關 CertCentral 中的管理網域的資訊,請參閱管理網域

CertCentral:在「新增」和「編輯分部」頁面上改進的指定組織選項

為了讓在您的帳戶中指定分部可以訂購憑證的組織變得更加容易,我們更新了「新分部」和「編輯分部」頁面上的特定組織選項。

我們現在顯示與每個組織有關的三項新資訊。當您有類似或相同名稱的組織時,這些資訊有所幫助:

  • 通稱 (如果使用)

  • 組織 ID

  • 地址

我們也新增功能以輸入您正在搜尋的組織名稱。

自己查看

在左側的主功能表中,前往帳戶 > 分部。在「分部」頁面上,按一下新分部。在「新分部」頁面的可訂購憑證項目下,選取特定組織。當您在下拉淸單中搜尋組織時,您將看到以下的組織資訊:名稱、通稱 (如果使用)、組織 ID 和地址。您也可以輸入組織名稱。

如需更多有關 CertCentral 中的分部的資訊,請參閱分部管理

CertCentral:在用戶端憑證申請表上改進的新增組織選項

為了讓訂購帳戶中的組織的用戶端憑證變得更加容易,我們更新了在用戶端憑證申請表中的組織選項。

我們現在顯示與每個組織有關的三項新資訊。當您有類似或相同名稱的組織時,這些資訊有所幫助:

  • 通稱 (如果使用)

  • 組織 ID

  • 地址

我們也新增功能以輸入您正在搜尋的組織名稱。

自己查看

下次您要求用戶端憑證時,按一下組織。在組織下拉清單中,您將看到以下的組織資訊:名稱、通稱 (如果使用)、ID 和地址。您也可以輸入組織名稱。

2021 年 2 月 19 日

CertCentral Services API:新的子帳戶端點

為了讓管理您的子帳戶變得更加容易,我們新增了兩個新端點到 CertCentral Services API 中:

2021 年 2 月 17 日

CertCentral Services API:改進的建立子帳戶端點

為了提供您更多您的子帳戶的控制權,我們新增了兩個新的要求參數到建立子帳戶端點中:child_namemax_allowed_multi_year_plan_length

CertCentral Services API:改進的建立子帳戶端點

  • child_name – 使用此參數設定子帳戶的自訂顯示名稱。

  • max_allowed_multi_year_plan_length – 使用此參數自訂子帳戶的多年期套餐訂單的最大時間長度。

Example 19. JSON 要求
{
    "account_type": "reseller",
    "user": {...},
    "organization": {...},
    "child_name": "Custom Name",
    "max_allowed_multi_year_plan_length": 4
}

建立子帳戶後,使用子帳戶資訊端點檢視子帳戶的「顯示」名稱和允許的多年期套餐訂單時間長度。

2021 年 2 月 16 日

PKI Platform 8 合作夥伴標籤重大維護

2021 年 2 月 16 日 18:00 到 22:00 MST (2021 年 2 月 17 日 01:00 到 05:00 UTC) 之間,DigiCert 將在 PKI Platform 8 Partner Lab 上執行重大維護。

這如何影響我?

約四個小時,

  • 您將無法存取「合作夥伴」標籤和其對應的 API。

  • 您將無法提交憑證要求。

  • 您將無法透過合作夥伴標籤存取 DigiCert PKI Platform 8 入口網站。

  • DigiCert 將無法透過 API 發行使用於「合作夥伴標籤」的測試憑證。

這不會影響
  • PKI Platform 8 – 生產

  • PKI Platform 7

  • DigiCert ONE

我可以做什麼?

訂出相應計畫。

  • 安排與重大維護有關的合作夥伴標籤測試,包括訂購、續訂和重新發行測試憑證。

  • 預期在您使用合作夥伴標籤 API 測試立刻發行憑證和自動化工作時會中斷。

  • 關於重大和排程的維護日期和時間,請參閱 DigiCert 2021 排程的維護DigiCert 2021 維護排程

服務將在我們完成維護時盡快還原。

February 15, 2021

DigiCert ending support for Intel vPro and KDC/SmartCardLogon EKUs in publicly trusted TLS/SSL certificates

On February 15, 2021, DigiCert will no longer issue public TLS/SSL certificates that include these EKUs

  • Intel vPro EKU

  • KDC/SmartCardLogon EKU

This means, as of February 15, 2021, we will no longer issue public TLS/SSL certificates that include either of these EKUs.

How does this affect me?

For most customers, this change will go unnoticed. It does not affect your TLS/SSL certificates or your TLS/SSL certificate process.

Note: By default, DigiCert does not issue public TLS/SSL certificates with the Intel vPro EKU or the KDC/SmartCardLogon EKU. To use these EKUs, we must first enable special certificate profiles for your account.

What if I use the Intel vPro EKU or the KDC/SmartCardLogon EKU in my public TLS/SSL certificates?

First, this change does not affect your existing public TLS/SSL certificates that include these EKUs. These certificates will continue to work as they always have until they expire.

However, on February 15, 2021, we will remove the Intel vPro EKU and KDC/SmartCardLogon EKU certificate profile options from all accounts. DigiCert will no longer issue new public TLS/SSL certificate orders the include these EKUs, including renewals, reissues, and duplicates.

Why is DigiCert doing this?

Industry standards specify that certificate authorities (CAs) should not include the Intel vPro and KDC/SmartCardLogon EKUS in public TLS/SSL certificates.

Therefore, to align with industry standards, we must stop including the Intel vPro and KDC/SmartCardLogon EKUS in our public TLS/SSL certificates.

More importantly, industry standards state that CAs should only include the serverAuth and, optionally, the clientAuth EKUs in public TLS certificates. See f. extKeyUsage (required) in section 7.1.2.3 Subscriber Certificate of the

Baseline Requirements.

As of February 15, 2021, we will only include the serverAuth EKU and, as needed, the clientAuth EKU in our public TLS/SSL certificates.

2021 年 2 月 8 日

PKI Platform 8 合作夥伴標籤重大維護

2021 年 2 月 8 日 18:00 到 24:00 MST (2021 年 2 月 9 日 01:00 到 07:00 UTC),DigiCert 將在 PKI Platform 8 合作夥伴標籤上執行重大維護。

這如何影響我?
  • 您將無法存取「合作夥伴」標籤和其對應的 API。

  • 您將無法提交憑證要求,或透過「合作夥伴」標籤存取任何的 DigiCert PKI Platform 8 入口網站。

  • DigiCert 將無法透過任何 API 發行使用於「合作夥伴標籤」平台的測試憑證。

約六個小時,

這不會影響
  • PKI Platform 8 – 生產

  • PKI Platform 7

  • DigiCert ONE

我可以做什麼

訂出相應計畫:

  • 安排與重大維護有關的合作夥伴標籤測試,包括訂購、續訂和重新發行測試憑證。

  • 預期在您使用合作夥伴標籤 API 測試立刻發行憑證和自動化工作時會中斷。

  • 關於重大和排程的維護日期和時間,請參閱 DigiCert 2021 排程的維護DigiCert 2021 維護排程

服務將在我們完成維護時盡快還原。

2021 年 2 月 6 日

即將到來的排程維護

2021 年 2 月 6 日 22:00 到 24:00 MST (2021 年 2 月 7 日 05:00 到 07:00 UTC) 之間,DigiCert 將執行排程的維護。

在維護期間,以下所列服務將關閉約 60 分鐘。由於正在執行的工作範圍的緣故,在兩個小時的維護時段內可能會有其他服務中斷。

您將無法登入這些平台和存取這些服務與 API:

  • CertCentral / Service API

  • Direct Cert Portal / Direct Cert Portal API

  • 憑證發行服務 (CIS)

  • 單一憑證註冊通訊協定 (SCEP)

  • Discovery/API

  • ACME

  • ACME 代理程式自動化/API

DigiCert 將無法發行用於這些服務和 API 的憑證:

  • CertCentral / Services API

  • Direct Cert Portal / Direct Cert Portal API

  • 憑證發行服務 (CIS)

  • 單一憑證註冊通訊協定 (SCEP)

  • 完整網站安全性(CWS)/API

  • Managed PKI for SSL (MSSL)/API

  • QV Trust 連結

這些服務不受維護活動的影響:

  • PKI Platform 8

  • PKI Platform 7

  • DigiCert ONE 管理員

Note

API 備註:

  • 處理憑證相關交易的服務將無法使用,例如要求憑證、新增網域和驗證要求等。

  • API 將傳回「無法連線」錯誤。

  • 在此收到「無法連線」錯誤訊息的時段所做的憑證要求在服務還原後需要重新進行。

我可以做什麼?

訂出相應計畫:

  • 安排與維護時段有關的高優先順序訂單、續訂和重新發行的時間。

  • 預期在您使用 API 進行立刻發行憑證和自動化工作時中斷。

  • 若要取得即時更新,請訂閱 DigiCert 狀態頁面

  • 請參閱 DigiCert 2021 排程的維護或排程的維護日期和時間。DigiCert 2021 維護排程

服務將在維護完成時盡快還原。

2021 年 2 月 5 日

CertCentral:改進的組織頁面

為了讓在組織頁面上尋找您的組織變得更加容易,我們現在顯示與每個組織有關的三項新資訊。當您有類似或相同名稱的組織時,這些其他資訊有所幫助:

  • ID

  • 通稱 (如果使用)

  • 地址

組織頁面上,您現在可看到有組織 ID 的組織編號欄。您也將看到在名稱下方顯示的組織位址。而且,如果您使用組織的通稱,您將會看到其位於組織名稱旁的括號中。

Note

之前,檢視這項資訊的唯一方式是按下組織名稱,然後開啟組織的詳細資料頁面。

如需更多有關 CertCentral 中的組織的資訊,請參閱管理組織

CertCentral:在 OV/EV 憑證申請表上改進的新增組織選項

為了讓訂購組織的 TLS/SSL 憑證變得更加容易,我們更新了在 OV 和 EV 憑證申請表中的新增組織選項。

對於發行憑證給 10 個或更多組織的帳戶,我們現在顯示三項新的組織資訊。當您有類似或相同名稱的組織時,這些資訊有所幫助:

  • 通稱 (如果使用)

  • 組織 ID

  • 地址

我們也新增功能以輸入您正在搜尋的組織名稱。

自己查看

下次您要求 OV 或 EV TLS/SSL 憑證時,按一下新增組織。在組織下拉清單中,您將看到以下的組織資訊:名稱、通稱 (如果使用)、ID 和地址。您也可以輸入組織名稱。

2021 年 1 月 29 日

CertCentral 訂單頁面:新搜尋選項

在「訂單」頁面上,我們新增了新的搜尋選項:

  • 憑證序號

  • 其他電郵地址*

下次您搜尋訂單時,請使用憑證的序號或其他電郵地址尋找憑證訂單。

Tip

* 要求憑證時或提交要求後,您可以新增電郵地址到憑證訂單中。這允許他人接收訂單的憑證通知電郵,例如憑證發行的電郵。

若要使用新的搜尋篩選條件

  1. 在左側的主功能表中,前往憑證 > 訂單

  2. 在「訂單」頁面的搜尋方塊中,輸入憑證的序號或訂單上的其他電郵地址。

  3. 按一下前往

2021 年 1 月 25 日

CertCentral Services API:改進的網域電郵端點

為了讓尋找從基於電郵的網域控制驗證 (DCV) 的 DigiCert 接收驗證電郵 DNS TXT 電郵地址變得更加容易,我們新增了新的回應參數到網域電郵端點中:dns_txt_emails

dns_txt_emails 參數傳回在網域的 DNS TXT 記錄中找到的電郵地址清單。這些是我們在正在驗證的網域的 _validation-contactemail 子網域上的 DNS TXT 記錄中找到的電郵地址。

Example 20. 有新參數的回應
{
  "name_scope": "example.com",
  "base_emails": [
    "admin@"example.com",
    "webmaster@example.com",
    "postmaster@example.com",
    "hostmaster@example.com",
    "administrator@example.com"
  ],
  "whois_emails": [
    "person@example.com"
  ],
  "dns_txt_emails": [
    "alice@example.com",
    "bob@example.com"
  ]
}

若要瞭解更多有關以新支援的電子郵件傳送給 DNS TXT 聯絡人 DCV 方法的資訊:

如需有關驗證 DV 憑證訂單上的網域的資訊:

如需有關驗證 OV/EV 憑證訂單上的網域的資訊:

2021 年 1 月 20 日

CertCentral Services API:新單位訂單詳細資料和取消單位訂單端點

我們很榮幸宣佈我們新增了兩個新端點到 CertCentral Services API 中:單位訂單詳細資料取消單位訂單

這些端點允許您取得與單位訂單有關的資訊和取消單位訂單。

取消單位訂單:

  • 您只可以在下訂單後的三十天內取消訂單。

  • 如果訂單上的子帳戶已花費任何單位,您就無法取消單位訂單。

如果您管理使用單位作為付款方法的子帳戶,您現在可以使用 Services API 執行以下的工作:

CertCentral Services API:改進的產品清單、產品限制和產品資訊端點

為了讓在您的帳戶中尋找數位憑證產品的可用訂單有效期間變得更容易,我們新增了新的回應參數到「產品清單」、「產品限制」和「產品資訊」端點中。

這些新回應參數允許您檢視您帳戶中每個產品的預設和自訂的訂單有效期。

產品清單端點

allowed_order_validity_years 參數傳回您帳戶中每個產品的支援的訂單有效期間的清單。

產品限制端點

allowed_order_lifetimes 參數傳回您的帳戶中有不同分部和使用者角色任何的使用者的自訂訂單有效期限制的淸單。

產品資訊端點

  • allowed_order_validity_years 參數在您要求憑證產品時,傳回可用的訂單有效期間的清單。

  • custom_order_expiration_date_allowed 參數在您要求憑證產品時,傳回說明您是否可以設定自訂訂單到期日的布林值。

CertCentral Services API:改進的子帳戶訂單資訊端點

為了讓尋找子帳戶訂單的有效期間相關資訊變得更容易,我們加入了新的反應參數到子帳戶訂單資訊端點中。這些新回應參數允許您查看訂單開始日期、訂單結束日期和訂單是否為多年套餐。

  • 如果訂單是多年期套餐,is_multi_year_plan 參數會傳回 "1"

  • order_valid_from 參數傳回訂單有效期間的開始日期。

  • order_valid_till 參數傳回訂單有效期間的結束日期。

Example 21. 有新參數的回應
{
...
    "date created": "2020-10-14T15:18:50+00:00",
    "date issued": "2020-10-14T15:18:52+00:00"
    "is multi year plan": "1",
    "order valid from": "2020-10-14"
    "order valid till": "2021-10-19"
    "validity years": 1
}

2021 年 1 月 9 日

即將到來的排程維護

2021 年 1 月 9 日 22:00 到 24:00 MST (2021 年 1 月 10 日 05:00 到 07:00 UTC) 之間,DigiCert 將執行排程的維護。

雖然我們有保護您的服務的適當備援,但有些 DigiCert 服務在這段時間內仍可能無法使用。

您可以做什麼?

請做出相應計畫。

  • 安排維護時段外的高優先順序訂單、續訂、重新發行和複本發行的時間。

  • 若要取得即時更新,請訂閱 DigiCert 狀態頁面。

  • 關於排程的維護日期和時間,請參閱 DigiCert 2021 排程的維護DigiCert 2021 維護排程

服務將在維護完成時盡快還原。

2021 年 1 月 13 日

CertCentral:以電子郵件傳送給 DNS TXT 聯絡人 DCV 方法

我們很榮幸宣佈 DigiCert 現在支援基於電郵的網域控制驗證 (DCV) 的以電子郵件傳送到 DNS TXT 聯絡人。這表示您可以新增電郵地址到您的網域的 DNS TXT 記錄中。DigiCert 自動搜尋 DNS TXT 記錄,然後傳送 DCV 電郵給那些地址。電郵收件人需要遵照電郵中的指示以證明有網域的控制權。

Note

之前,DigiCert 僅傳送 DCV 電郵給基於 WHOIS 和建構的電郵地址。

業界變化

由於私隱政策和其他限制的緣故,在 WHOIS 記錄中越來越無法存取聯絡人資料。通過 Ballot SC13 後,he Certificate Authority/Browser (CA/B) 論壇新增了「以電子郵件傳送給 DNS TXT 聯絡人」到支援的 DCV 方法清單中。

DNS TXT 記錄電郵聯絡人

若要使用以電子郵件傳送給 DNS TXT 聯絡人 DCV 方法,您必須將 DNS TXT 記錄放置在您要驗證的網域的 _validation-contactemail 子網域上。DigiCert 自動搜尋 WHOIS 和 DNS TXT 記錄,然後傳送 DCV 電郵到在那些記錄中找到的地址。

_validation-contactemail.example.com | Default | validatedomain@digicerttest.com

此文字記錄的 RDATA 值必須是有效的電郵地址。請參閱基準要求的附錄中的「第 B.2.1 節 - DNS TXT 記錄電郵聯絡人」。

如需更多有關 Ballot SC13、CA/Browser 論壇和以電子郵件傳送給 DNS TXT 聯絡人 DCV 方法的資訊: