
Order your PKIo Private Services Server Certificate

A PKIo Private Services Server Certificate is a PKIoverheid non-qualified EU certificate issued to an organisation for server authentication and encryption (OVCP + PTC).

The PKIo Private Services Server certificate is available in DigiCert's European instance of CertCentral, where we store your data in our European data centers. To learn more about DigiCert's privacy policy and data collection, see PKIoverheid products.

Before you begin

This section outlines some things you may want to consider or tasks to finish before ordering your PKIo Private Services Server Certificate. For example, you may want to learn more about using a DigiCert-provided domain. Or you may want to generate a certificate signing request (CSR).

CSR requirement

To get your certificate, you must include a CSR with your request. The PKIo Private Services Server Certificate supports the RSA algorithm with 2048-, 3072-, and 4096-bit key lengths. These certificates don’t support the ECC algorithm.

For your certificates to remain secure, they must use at least a 2048-bit key size. Learn how to create a CSR (certificate signing request).

Domain validation

Before DigiCert issues your certificate, you must demonstrate control over the domains on the certificate order. Use one of the following domain validation options to demonstrate control over the domains:

Using a DigiCert controlled domain—qvtl.nl

DigiCert recommends using your own domain in the Subject.CommonName field of your PKIo Private Services Server Certificate. However, if company policy allows it, you can use a DigiCert-controlled domain instead. With a PKIo Private Services Server certificate, the Subject.Serialnumber is the important certificate content, not the domain name. To use a DigiCert-owned domain, we validate your organization and authorize it to use the DigiCert-provided domain name, qvtl.nl.

Organization validation

Before DigiCert can issue your certificate, we must validate the organization. Organization validation is valid for approximately 13 months. To learn more about organization validation, see How do we validate your organization.

Adding a new organization or an organization with expired validation requires DigiCert to revalidate the organization as part of the order process.

Order your PKIo Private Services Server certificate

  1. In CertCentral, in the left menu, go to Request a Certificate > PKIOVERHEID > PKIo Private Services Server Certificate.

  2. On the Request PKIo Private Services Server Certificate page, in the For menu, select the division to manage the certificate.

    The For menu appears if using Divisions in your CertCentral account.

  3. Add your CSR

    We use the information in your CSR to auto-populate corresponding values in the order form: Common Name, SANs, and Organization. If you leave any of this information out of the CSR, the corresponding field in the form is left blank.

    If using an organization from your CertCentral account, we auto-populate the Organization Contact card using the contact assigned to that organization.

    Under Certificate Settings, upload your CSR or enter it into the Add Your CSR box. Your CSR must include the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags.

    Note: Your CSR must use the RSA algorithm, as the ECC algorithm is unsupported. For certificates to remain secure, the CSR must use keys at least 2048 bits in length.

  4. Common name and subject alternative names (SANs)

    Once you've added the CSR, CertCentral uses the data in the CSR to auto-populate the Common name and SANs boxes on the request form. You can update the common name and reorder, add, or remove SANs as needed.

    Note: The PKIo Private Services Server Certificate supports fully qualified domain names. You can’t include a wildcard domain or IP address in your certificate.

    1. Use a DigiCert-controlled domain—qvtl.nl

      If company policy allows it, you can use a DigiCert-controlled domain name instead. With a PKIo Private Services Server certificate, the Subject.Serialnumber is the important certificate content, not the domain name.

      To use a DigiCert-controlled domain, select Use a DigiCert qvtl.nl domain.

      DigiCert validates your organization and authorizes it to use the DigiCert-provided domain name, {organisation_name}.qvtl.nl.

  5. Validity period (optional)

    Select a validity period for the certificate:

    • 1 year, 2 years, or 3 years

    • Custom expiration date

      The expiration date must be within 1095 days of the date you request the certificate.

    • Custom length

      The maximum length allowed is 1095 days.

  6. Domain control validation (DCV)

    Using a DigiCert-controlled domain? You can skip this step. DigiCert handles the domain validation by validating your organization and authorizing it to use the DigiCert-provided domain name. You can't validate a domain you don't control.

    Before DigiCert issues your certificate, you must demonstrate control over the domains included in your certificate. While placing the order, you must select one DCV method for all domains on the order.

    Once you've submitted the order, go to the certificate's pending Order # details page to find the domains you need to validate. You can use the DCV method selected while placing the order or use a different one per domain if required.

    1. DCV method

      Use the default DCV method. Or, in the DCV method menu, select your preferred DCV method to demonstrate control over the domains.

      DigiCert-supported DCV methods:

      • DNS TXT Record (DNS Change)

        Use this method to modify the domain's DNS Record to include a TXT record. To validate the domain, you must be able to add a DigiCert-generated random value to the domain’s DNS as a TXT record.

      • Using the Verification Email DCV methods

        DigiCert sends two sets of DCV emails for this validation method: DNS TXT-based and constructed. To demonstrate control over the domain, an email recipient follows the instructions in a confirmation email sent for the domain.

        • Email to DNS TXT contact

          Use this method if you can modify the domain's DNS Record to include an email address. To learn more about what you must do to use this DCV method, see Email to DNS TXT contact.

        • Email to Constructed email addresses

          Use this method if you created a pre-approved email alias for the domain, such as admin@{domain_name}. To learn more about what you must do to use this DCV method, see Constructed email.

      • DNS CNAME Record

        Use this method if your domain has a CNAME record pointing to another domain (for example, example.com points to example.net). To validate the domain, add a DigiCert-generated random value to the domain's DNS as a CNAME record.

      • Using the HTTP Practical Demonstration DCV methods

        Use the HTTP Practical Demonstration DCV methods to validate domains exactly as named. Learn more about the HTTP Practical Demonstration DCV methods.

        Per industry regulations, you must use the HTTP Practical Demonstration DCV methods to demonstrate control over IPv4 and IPv6 addresses.

        • HTTP Practical Demonstration

          Use this method if you can host a file containing a DigiCert-generated random value at a predetermined location on your website: http://{domain-name}/.well-known/pki-validation/fileauth.txt.

        • HTTP Practical Demonstration with unique file name

          Use this method to host a file with a DigiCert-generated filename that contains a DigiCert-generated random value at a predetermined location on your website: http://{domain-name}/.well-known/pki-validation/{unique-filename}.txt.

    2. Email language

      Use the default language. Or, in the Email language menu, select your preferred language for the email. This option appears if you select the Verification email DCV method.

    3. DCV scope

      Use the default DCV Scope setting that aligns with your CertCentral Domain validation scope settings. Or, in the DCV Scope menu, select the scope for demonstrating control over the domains on the request.

      Note: CertCentral administrators can go to the Preferences page to configure their Domain validation scope settings (in the left menu, go to Settings > Preferences).

      Domain scope: Submit base domains versus Submit exact domain names

      • Submit base domains, for example, subdomain.example.com

        Once you've submitted subdomain.example.com, complete domain validation for the base domain, example.com. Validating the base domain also validates all subdomains of the base domain, such as subdomain.example.com and sub-subdomain.example.com.

      • Submit exact domain names, for example, subdomain.example.com

        Once you've submitted subdomain.example.com, complete domain validation for the domain exactly as named, subdomain.example.com. Exact domain name validation applies to that domain and no other domains.

  7. Additional certificate options

    1. Signature hash

      By default, DigiCert issues RSA certificates with a SHA-256 signature hash and RSA signing algorithm. We recommend using the default RSA settings unless you have specific reasons for using a different key size or signing algorithm (for example, company policy requires an RSASSA-PSS signature).

      In the Signature hash menu, select the signature hash and signing algorithm you want DigiCert to use for your certificate:

      • sha256WithRSA

      • sha256WithRSAPSS

    2. Server platform

      In the Server platform menu, select the server or system on which you generated the CSR. In the email we send with your certificate, the certificate format aligns with the format supported by the server or system.

      You can always change the format by downloading the certificate from the certificate's Order # details page in CertCentral. See Download a TLS/SSL certificate from your CertCentral account.

  8. Organization

    Add the information about the organization. DigiCert includes just the industry-required details on the organization on the certificate, such as the organization's name.

    Add organization

    You can add an existing organization from your account or a new organization. If you add a new organization, it gets added to your account.

    Select Add an organization, and in the Add Organization window, do one of the following tasks as needed:

    1. Add an existing organization

      1. Select Existing organization, in the Organization menu, select the organization, and then select Add.

        If an organization isn’t validated for PKIo Private Services Server certificates, or its validation has expired, DigiCert validates the organization before issuing the certificate.

      2. Organization and technical contacts

        DigiCert automatically adds the contacts assigned to the organization to the request form. Under Contacts, you can see the organization and technical contacts.

    2. Add a new organization

      DigiCert must validate the new organization before we can issue your certificate. Learn more about organization validation.

      1. Select New organization and enter the following information as needed.

        Legal name

        Organization name exactly as it appears in corporate registries, such as local government registration records.

        Assumed name

        Assumed name or doing business as name.

        Adding an assumed name requires extra validation, which may delay organization validation and certificate issuance.

        Country

        Country where the organization is legally found.

        Address 1

        The address where the organization is legally found.

        Address 2 (optional)

        More address information, such as a Suite #.

        City

        City where the organization is legally found.

        State/ Province/ Region

        State, province, region where the organization is legally found.

        Zip/ Postal Code

        Zip or postal code where the organization is legally found.

        Organization phone number

        This should be a number we can check against an online third-party address listing.

        DigiCert must call a verified organization phone number to confirm your authority to order a certificate for the organization. We verify this phone number against online third-party address listing sources like Google Business.

        Learn how we confirm your authority.

      2. Once ready, select Add.

  9. Organisation Identification Number (OIN) or Dutch KvK-number (HRN)

    Once you've added your organization, you may include a serial number (OIN/HRN) in your certificate.

    Important

    For most customers, a PKIo Private Services Server certificate must include the Subject.SerialNumber field with an OIN or HRN. This field is required to connect to the services available via DigiPoort.

    • The OIN is a 20-digit number assigned to government organisations (OIN register) and entered in the Subject.SerialNumber field of the certificate.

    • For commercial organisations without an assigned OIN, the Dutch KvK-number (HRN) is used. The HRN is converted into a 20-digit number and entered in the Subject.SerialNumber of the certificate.

    • Include a serial number (OIN/HRN) in the certificate’s subject distinguished name (DN).

      • No validated serial number (OIN/HRN)

        If your organization doesn’t have an assigned and validated serial number (OIN/HRN), use the menu to enter your organization's serial number (OIN/HRN).

        Note: DigiCert must validate the serial number (OIN/HRN) assigned to the organization before we can include it in the certificate.

      • One validated serial number (OIN/HRN)

        If your organization has an assigned and validated serial number (OIN/HRN), we automatically add it to the request form for you to review.

      • Multiple validated serial numbers (OINs/HRNs)

        If your organization has multiple assigned and validated serial numbers (OINs/HRNs), use the menu to select the one to include on this certificate.

    • Do not include a serial number (OIN/HRN) in the certificate’s subject distinguished name (DN).

      Before selecting this option, ensure that you don’t require a serial number (OIN/HRN) in your certificate.

  10. Contacts – authorized representative

    Add an authorized representative to your certificate request: an existing or new one.

    Important

    What is an authorized representative, and why must I add one?

    The authorized representative must be in the company registry and represent the organization. They must have the authority to approve your PKIo Private Services Server certificate requests. Before DigiCert issues your certificate, the authorized representative in your request must approve the order.

    DigiCert validates the authorized representatives in your request. Then, we send them the approval email and wait for them to approve your order. The representative must approve the order before DigiCert issues your certificate.

    Under Contacts, select Add authorized representative. In the Add authorized representative window, do one of the following tasks as needed:

    1. Add an existing authorized representative

      1. Select Existing contact and in the Contacts menu, select the contact you want to use as the authorized representative for this request.

        Note: If you select a contact who isn’t an authorized representative, we must validate them.

      2. Once ready, select Add.

    2. Add a new authorized representative

      1. Select New contact and enter the contact's first and last name, job title, email address, and phone number.

      2. Once ready, select Add.

  11. Contacts – Organization Contact

    The organization contact is the person we contact to validate the organization and verify your authority to order a DigiCert certificate for the organization. They may also receive the following notifications: Order status updates for organization-related certificates and Domain status updates for their organization-controlled domains.

    Items to note about adding an organization:

    • If adding a new organization, DigiCert automatically adds the certificate requester as the organization contact.

    • If adding an existing organization, DigiCert automatically adds the contacts assigned to the organization to the request form.

    To use a different organization contact

    1. To delete the organization contact automatically populated for you, select the trashcan image.

    2. Select Add contact.

      If you've already added a technical contact, select Add Organization Contact.

    3. In the Add Contact window, in the Contact Type menu, select Organization Contact.

    4. Add the contact:

      1. Add an existing contact.

        Select Existing Contact, in the Contacts menu, select a contact, and select Add.

      2. Add new contact.

        Select New Contact, enter the contact's first and last name, job title, email address, and phone number, and once ready, select Add.

  12. Contacts – Technical Contact

    We may contact the technical contact for inquiries regarding certificate orders for the organization. They may receive the certificate lifecycle-related emails: certificate issued, reissued, and expiring.

    If adding an existing organization, DigiCert automatically adds the technical contact assigned to the organization to the request form. If one doesn’t exist, you can add one if needed. Adding a technical contact is optional and not required to issue your certificate.

    To add a technical contact or change technical contacts

    1. To delete the existing technical contact populated automatically for you, select the trashcan image.

    2. Select Add Technical Contact.

    3. In the Add Contact window, in the Contact Type menu, select Technical Contact.

    4. Add the contact:

      1. Add an existing contact.

        Select Existing Contact, in the Contacts menu, select a contact, and once ready, select Add.

      2. Add a new contact.

        Select New Contact, enter the contact's first and last name, job title, email address, and phone number, and once ready, select Add.

  13. Additional emails (optional)

    Enter the email addresses of the people you want to receive the certificate issuance, expiring certificate, and expiring order emails. Use a comma to separate addresses or enter them on separate lines.

    These recipients receive the certificate-related emails. They can’t manage the order.

  14. Additional order options – Order Specific Renewal Message

    To create a renewal message for this certificate, enter a renewal message with information that might be relevant to the certificate’s renewal. Comments and renewal messages aren’t included in the certificate.

  15. Select payment method

    Under Payment information, select a payment method to pay for the certificate.

  16. Master Services Agreement and Qualified Certificate Terms of Use

    Read the Master Services Agreement and the Qualified Certificate Terms of Use and select the following options to continue:

    • I have read and agree with the Master Services Agreement.

    • I have read and agree with the Qualified Certificate Terms of Use that apply to the eIDAS, PKIoverheid, or Swiss Qualified Certificate requested.

  17. Select Submit request.
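
The CSR rules stated under CSR requirement and in steps 3 and 4 (RSA only; 2048-, 3072-, or 4096-bit keys; fully qualified domain names with no wildcards or IP addresses) can be checked locally before you add the CSR to the request form. This is an added example, not DigiCert tooling: check_pkio_csr is a hypothetical helper that assumes the openssl command-line tool is installed and reads its text output.

```shell
# Added example: pre-submission CSR check for the requirements on this page.
# check_pkio_csr is a hypothetical helper name, not part of CertCentral.
# Prints one line per problem; exit status 0 means the CSR passed every check.
check_pkio_csr() (   # body runs in a subshell, so its variables stay local
    csr=$1
    rc=0
    # One or more DNS labels followed by a final label that starts with a letter.
    fqdn='^DNS:([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]([A-Za-z0-9-]*[A-Za-z0-9])?$'

    # Decode the request; a file that is not a parseable CSR stops here.
    text=$(openssl req -in "$csr" -noout -text 2>/dev/null) || {
        echo "not a readable PEM CSR: $csr"; exit 1; }

    alg=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p' | head -n 1)

    # RSA only, and only the key lengths this certificate type supports.
    if [ "$alg" != "rsaEncryption" ]; then
        echo "key algorithm is $alg; only RSA is supported (no ECC)"; rc=1
    else
        case "$bits" in
            2048|3072|4096) ;;
            *) echo "RSA key is $bits bits; use 2048, 3072 or 4096"; rc=1 ;;
        esac
    fi

    # Common name (rewritten as a DNS: entry) plus every SAN, one per line.
    names=$(
        printf '%s\n' "$text" | sed -n 's|^ *Subject:.*CN *= *\([^,/]*\).*|DNS:\1|p'
        printf '%s\n' "$text" | sed -n '/X509v3 Subject Alternative Name/{n;p;}' |
            tr ',' '\n' | sed 's/^ *//'
    )

    # Every name must be a plain FQDN: no wildcard, no IP address.
    while IFS= read -r name; do
        case "$name" in
            "") ;;
            "IP Address:"*) echo "IP address not allowed: ${name#IP Address:}"; rc=1 ;;
            DNS:*\**) echo "wildcard not allowed: ${name#DNS:}"; rc=1 ;;
            DNS:*) printf '%s\n' "$name" | grep -Eq "$fqdn" ||
                       { echo "not a fully qualified domain name: ${name#DNS:}"; rc=1; } ;;
            *) echo "unsupported SAN entry: $name"; rc=1 ;;
        esac
    done <<EOF
$names
EOF
    exit "$rc"
)
```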

What's next

CertCentral takes you to the PKIo Private Services Server certificate's Order # details page. From here, view the status of your order, what you need to do, and what DigiCert needs to do before issuing your certificate.

Domain validation and organization validation

Before we can issue your certificate, you or DigiCert must do the following:

  1. Demonstrate control over the domains on your order

    You must validate the domains on the order (demonstrate control over the domain). See Supported DCV methods for validating the domains on certificate orders.

    Note: If using a DigiCert-controlled domain, DigiCert handles the validation by validating your organization and authorizing it to use the DigiCert-provided domain name. You can't validate a domain you don't control.

  2. Complete organization validation

    DigiCert must validate and verify your authority to order a certificate for the organization included on your certificate. To do this, we call a verified phone number and speak with someone who represents you, like the organization or technical contact.

    To get organization consent for your certificate order:

    • Answer the organization/validation phone call (preferred method)*.

      • Tell the organization contact, technical contact, and company receptionist you’ve ordered a PKIo Private Services Server Certificate.

      • Let them know DigiCert calls the verified phone number to speak with one of them to finish the organization validation/authentication.

      • *This phone call usually takes place within 24 hours of the order being placed.

    • Respond to the organization consent message.

      • If the DigiCert validation agent can't contact someone, they leave a message with a call-back phone number and a verification code.

      • Make sure that the organization or technical contact responds to the message and provides the verification code.

Certificate issuance

Once the validation process is finished, we issue your certificate and email you a copy. You can also download a copy of the certificate from CertCentral. See our Get a copy of your TLS/SSL certificate instructions.