enhancement

CertCentral: Improved DNS Certification Authority Authorization (CAA) resource records checking

DigiCert is happy to announce that we improved the CAA resource record checking feature and error messaging for failed checks in CertCentral.

Now, on the order’s details page, if a CAA resource record check fails, we display the check’s status and include improved error messaging to make it easier to troubleshoot problems.

Background

Before issuing an SSL/TLS certificate for your domain, a Certificate Authority (CA) must check the DNS CAA Resource Records (RR) to determine whether they can issue a certificate for your domain. A Certificate Authority can issue a certificate for your domain if one of the following conditions is met:

  • They do not find a CAA RR for your domain.
  • They find a CAA RR for your domain that authorizes them to issue a certificate for the domain.
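The check described above, as an added example (not DigiCert's code). It goes beyond the two conditions by following the RFC 8659 lookup rules: climbing from the requested name toward the root, issuewild handling for wildcard requests, and the critical flag. The zone data and the CA identifiers ca.example and other-ca.example are constructed for illustration.

```python
# Constructed zone data: name -> list of (flags, tag, value) CAA records.
ZONE = {
    "example.com": [(0, "issue", "ca.example"), (0, "iodef", "mailto:sec@example.com")],
    "shop.example.com": [(0, "issue", "other-ca.example"), (0, "issuewild", ";")],
    "locked.example.net": [(0, "issue", ";")],
    "odd.example.org": [(128, "futuretag", "x")],
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def relevant_rrset(fqdn, zone):
    """Climb from the name toward the root; the first non-empty CAA RRset wins."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, zone[name]
    return None, []

def issuer_of(value):
    """The issuer domain name is the part before any ';'-separated parameters."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(request_name, ca_domain, zone=ZONE):
    """Return (allowed, reason) for a CA identified by ca_domain."""
    wildcard = request_name.startswith("*.")
    fqdn = request_name[2:] if wildcard else request_name
    found_at, rrset = relevant_rrset(fqdn, zone)
    if not rrset:
        return True, "no CAA RR found"
    # Critical bit (128) on a tag the CA does not understand blocks issuance.
    if any(flags & 128 and tag.lower() not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False, f"unrecognized critical property at {found_at}"
    issue = [v for _, t, v in rrset if t.lower() == "issue"]
    issuewild = [v for _, t, v in rrset if t.lower() == "issuewild"]
    # For wildcard requests, issuewild (when present) replaces issue.
    props = issuewild if (wildcard and issuewild) else issue
    if not props:
        return True, f"CAA RR at {found_at} does not restrict issuance"
    if ca_domain.lower() in (issuer_of(v) for v in props):
        return True, f"authorized by CAA RR at {found_at}"
    return False, f"CAA RR at {found_at} does not authorize {ca_domain}"
```

A record on a subdomain replaces the parent's record rather than adding to it, which is why shop.example.com in the sample data no longer authorizes ca.example.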

How can DNS CAA Resource Records help me?

CAA resource records allow domain owners to control which certificate authorities (CAs) are allowed to issue public TLS certificates for each domain.

Learn more about using DNS CAA resource records

new

CertCentral Services API: Domain locking API endpoints

DigiCert is happy to announce our domain locking feature is now available in the CertCentral Services API.

Note: Before you can use the domain locking endpoints, you must first enable domain locking for your CertCentral account. See Domain locking – Enable domain locking for your account.

New API endpoints

Updated API endpoints

We updated the response for the Domain info and List domains endpoints to include the following parameters with domain lock details:

  • domain_locking_status (string)
    Domain lock status. Only returned if domain locking is enabled for the account.
  • account_token (string)
    Domain lock account token. Only returned if domain locking is enabled for the account, and if domain locking has been activated for the domain at least once.

To learn more, see:

new

CertCentral: Domain locking is now available

DigiCert is happy to announce our domain locking feature is now available.

Does your company have more than one CertCentral account? Do you need to control which of your accounts can order certificates for specific company domains?

Domain locking allows you to control which of your CertCentral accounts can order certificates for your domains.

How does domain locking work?

DNS Certification Authority Authorization (CAA) resource records allow you to control which certificate authorities can issue certificates for your domains.

With domain locking, you can use this same CAA resource record to control which of your company's CertCentral accounts can order certificates for your domains.

How do I lock a domain?

To lock a domain:

  1. Enable domain locking for your account.
  2. Set up domain locking for a domain.
  3. Add the domain's unique verification token to the domain's DNS CAA resource record.
  4. Check the CAA record for the unique verification token.

To learn more, see:

new

End of life for account upgrades from Symantec, GeoTrust, Thawte or RapidSSL to CertCentral™

From April 5, 2022, MDT, you can no longer upgrade your Symantec, GeoTrust, Thawte, or RapidSSL account to CertCentral™.

If you haven't already moved to DigiCert CertCentral, upgrade now to maintain website security and have continued access to your certificates.

Note: During 2020, DigiCert discontinued all Symantec, GeoTrust, Thawte, RapidSSL admin consoles, enrollment services, and API services.

How do I upgrade my account?

To upgrade your account, contact DigiCert Support immediately. For more information about the account upgrade process, see Upgrade from Symantec, GeoTrust, Thawte, or RapidSSL.

What happens if I don't upgrade my account to CertCentral?

After April 5, 2022, you must get a new CertCentral account and manually add all account information, such as domains and organizations. In addition, you won't be able to migrate any of your active certificates to your new account.

For help setting up your new CertCentral account after April 5, 2022, contact DigiCert Support.

compliance

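Industry standards requirements for including the CanSignHttpExchanges extension in an ECC SSL/TLS certificate:

  • CAA resource record for the domain that includes the "cansignhttpexchanges=yes" parameter*
  • Elliptic Curve Cryptography (ECC) key pair
  • CanSignHttpExchanges extension
  • Maximum 90-day validity*
  • Only used for Signed HTTP Exchange

*Note: These requirements took effect on May 1, 2019. The Signed HTTP Exchanges extension is currently under development. The requirements may change further as industry development continues.

The 90-day maximum certificate validity requirement does not affect certificates issued before May 1, 2019. Note that a reissued certificate will be modified to 90 days from the time of reissue. However, you can continue to reissue the certificate for the full purchased validity period.

CanSignHttpExchanges extension

Recently, we added a new certificate profile, HTTP Signed Exchanges, to help address the AMP URL display issue where your brand is not displayed in the address bar. See Display better AMP URLs with Signed Exchanges.

This new profile allows you to include the CanSignHttpExchanges extension in OV and EV SSL/TLS certificates. Once enabled for your account, the Include the CanSignHttpExchanges extension in the certificate option appears on your OV and EV SSL/TLS certificate order forms under Additional Certificate Options. See Get your Signed HTTP Exchange certificate.

To enable this certificate profile for your account, contact your account manager or contact our support team.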