Change log
Recent changes
December 8, 2023
CertCentral Services API: New delete organization endpoint
In the CertCentral Services API, we added a new API endpoint for deleting an organization from your CertCentral account. For examples and usage details, visit the API reference: Delete organization.
December 7, 2023
CertCentral: New delete organizations feature
We are happy to announce that we have improved the organization management workflow.
Want to remove an organization from your account that you can never validate because of a typo or misspelling? Want to remove a deprecated organization from your account?
Now, when you need to delete an organization from your CertCentral account, you can. Go to the Organizations page and use the Delete organization feature to delete one or multiple organizations simultaneously.
Previously, you could only deactivate organizations. The Deactivate organization feature allows you to block certificate issuance for an organization until it’s activated. However, the deactivated organization remains in your account.
Items to note about deleting organizations
Only CertCentral administrators can delete organizations.
Deleting an organization hides it from the list of organizations.
Deleting an organization also deletes any domains associated with the organization from your account.
Current certificates that include a deleted organization:
Remain valid until they expire or are revoked.
Cannot be reissued or duplicated.
You cannot delete an organization included on a pending certificate request or pending order.
Requesting new or renewal certificates for a deleted organization will require you to revalidate the organization.
See for yourself
In your CertCentral account, in the left main menu, go to Certificates > Organizations.
On the Organizations page, in the Name column, select the organization you want to delete.
On the Organization details page, in the More actions dropdown, select Delete organization.
In the Delete organization window:
Select Delete organization to delete the organization from your account.
Select Cancel to keep the organization in your account.
December 6, 2023
CertCentral: End of life for existing automation profiles and ACME Directory URLs configured for 4- to 6-year Multi-year Plans
On December 6, 2023, at 10:00 MDT (17:00 UTC), CertCentral will no longer support existing TLS certificate automation profiles or ACME Directory URLs configured for 4- to 6-year Multi-year Plans. Automation requests that use these retiring automation profiles or ACME Directory URLs will fail.
Background
On October 31, 2023, DigiCert stopped selling new 4- to 6-year Multi-year Plans. Automation and ACME customers configured for 4- to 6-year orders have until December 6 to reconfigure their existing automation profiles and ACME clients to use 1- to 3-year orders instead.
What do I need to do?
Automation profiles
Starting on December 6, existing automation profiles configured for 4 to 6 years of coverage will show an Action needed status and automation requests for these profiles will fail. To avoid outages, you must reconfigure these automation profiles before December 6 to have a coverage length of 1 to 3 years.
To reconfigure automation profiles in the CertCentral console:
For instructions on how to update an existing automation profile, see Edit an automation profile.
On the automation profile edit screen, select the pencil icon in the Multi-year plan details field to edit and select a new coverage length of 1 to 3 years.
To use the API to reconfigure automation profiles:
To update an existing automation profile, see Update profile details.
Use the orderCoverageLength request parameter to update the coverage length of the profile to 1Y, 2Y, or 3Y.
ACME clients
Starting on December 6, existing ACME Directory URLs for 4 to 6 years of coverage will no longer work. To avoid outages, you must reconfigure any third-party ACME clients that use these retiring credentials to use a replacement ACME Directory URL for 1 to 3 years of coverage.
Consult the documentation for your third-party ACME client for help reconfiguring it. For example, the Certbot documentation is found at https://eff-certbot.readthedocs.io
You can use any ACME Directory URL for 1 to 3 years of coverage to continue requesting certificates with your third-party ACME clients. If you don't already have a suitable replacement ACME Directory URL in your CertCentral account, create a new one to use.
To create an ACME Directory URL in the CertCentral console:
For instructions on how to create a new ACME Directory URL, see Create one or more ACME Directory URLs.
When setting the properties of certificates issued through this ACME Directory URL, select a coverage length of 1 to 3 years in the Multi-year coverage length field.
To use the API to create an ACME Directory URL:
To generate a new ACME Directory URL and External Account Binding (EAB) credentials, see ACME External Account Binding.
Use the order_validity_days or order_validity_years request parameter to set the coverage length of the new ACME Directory URL to a maximum of 3 years.
December 5, 2023
CertCentral two-factor authentication: One-time password email verification authentication method
We are happy to announce that we added the One-time password email verification authentication method to our two-factor authentication requirements in CertCentral.
By default, CertCentral requires you to use your credentials (username and password) and a one-time password (OTP app) to access your account. Now, you can also add OTP email verification as a one-time password (OTP) requirement.
After you enter your credentials, CertCentral sends a temporary password to the email address in your CertCentral account Profile Settings. To access your account, enter the temporary passcode from the verification email.
DigiCert 2024 maintenance schedules
To make it easier to plan your certificate-related tasks, DigiCert has scheduled our 2024 maintenance windows in advance.
We keep these pages up to date with the latest maintenance schedule information:
With customers worldwide, we understand there is no "best time" for everyone. However, after reviewing the data on customer usage, we selected times that would impact the fewest customers.
About our maintenance schedules
Maintenance is scheduled for the first weekend of each month unless otherwise noted.
Each maintenance window is scheduled for 2 hours.
Although we have redundancies to protect your service, some DigiCert services may be unavailable.
To get live maintenance updates, subscribe to the DigiCert Status page. This subscription includes email alerts for when maintenance begins and when it ends.
Contact your account manager or DigiCert Support if you need more information regarding these maintenance windows.
December 4, 2023
December 2, 2023
Upcoming scheduled Europe maintenance
DigiCert will perform scheduled maintenance on December 2, 2023, 09:00 – 11:00 MST (16:00 – 18:00 UTC).
Important
Maintenance will be one hour later for those who don't observe daylight savings.
Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.
What can I do?
Schedule high-priority orders, renewals, and reissues before or after the maintenance window.
Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.
Subscribe to the DigiCert Status page to get live maintenance updates, including email alerts for when maintenance starts and ends.
See the DigiCert Europe 2023 maintenance schedule for maintenance dates and times.
Services will be restored as soon as the maintenance is completed.
Upcoming scheduled Global maintenance
DigiCert will perform scheduled maintenance on December 2, 2023, 22:00 – 24:00 MDT (December 3, 2023, 05:00 – 07:00 UTC).
Important
Maintenance will be one hour later for those who don't observe daylight savings.
Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.
What can I do?
Schedule high-priority orders, renewals, and reissues before or after the maintenance window.
Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.
Subscribe to the DigiCert Status page to get live maintenance updates, including email alerts for when maintenance starts and ends.
See the DigiCert global 2023 maintenance schedule for maintenance dates and times.
Services will be restored as soon as the maintenance is completed.
November 20, 2023
CertCentral: Improved two-factor authentication user interface
We are happy to announce that we improved the process for creating, viewing, and updating your two-factor authentication requirements in CertCentral. See our CertCentral two-factor authentication guide.
New layout and organization of rules and settings
We updated the layout, moving to a tab-style page structure to make it easier to create, view, and update the two-factor authentication requirements for your CertCentral users. Now, when you visit the Authentication settings page (in the left main menu, go to Settings > Authentication Settings), instead of scrolling to find information, you can select what you want to view:
Two-factor authentication
Add a two-factor authentication requirement
Applied settings
Issued client certificates
One-time password (OTP) methods
Default settings
Password settings
One-time password (OTP) settings

November 4, 2023
Upcoming scheduled Europe maintenance
DigiCert will perform scheduled maintenance on November 4, 2023, 09:00 – 11:00 MDT (15:00 – 17:00 UTC).
Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.
Schedule high-priority orders, renewals, and reissues before or after the maintenance window.
Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.
To get live maintenance updates, subscribe to the DigiCert Status page. This subscription includes email alerts for when maintenance starts and when maintenance ends.
See the DigiCert Europe 2023 maintenance schedule for maintenance dates and times.
Services will be restored as soon as the maintenance is completed.
Upcoming scheduled Global maintenance
DigiCert will perform scheduled maintenance on November 4, 2023, 22:00 – 24:00 MDT (October 8, 2023, 04:00 – 06:00 UTC).
Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.
Schedule high-priority orders, renewals, and reissues before or after the maintenance window.
Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.
To get live maintenance updates, subscribe to the DigiCert Status page. This subscription includes email alerts for when maintenance starts and when maintenance ends.
See the DigiCert global 2023 maintenance schedule for maintenance dates and times.
Services will be restored as soon as the maintenance is completed.
October 31, 2023
CertCentral: Changes to Multi-year Plan coverage
On October 31, 2023, DigiCert will no longer sell 4 – 6-year Multi-year Plans for TLS and VMC certificates. We will continue to offer 1, 2, and 3-year Multi-year Plans.
How does this affect me?
For those with existing 4, 5, and 6-year Multi-year Plans, this change does not affect your coverage. You can continue to reissue and duplicate issue certificates for your Multi-year Plan until it expires.
For example, if you purchased a 5-year Multi-year Plan on April 1, 2023, you have coverage until April 1, 2028.
What if I use the CertCentral Services API?
If you use the CertCentral Services API to create 4, 5, and 6-year orders for TLS/SSL or Verified Mark certificates, you need to update your API integrations and remove the 4, 5, and 6-year coverage options from your Multi-year Plan integrations.
For more information, see End of 4 - 6-year Multi-year Plans.
What if I use certificate lifecycle automation tools with 4, 5, and 6-year Multi-year Plans?
Starting on October 31, you can no longer create new automation profiles or ACME Directory URLs for a certificate coverage length of 4 to 6 years. To avoid outages, you have until December 6, 2023 to reconfigure any existing automation profiles or third-party ACME clients that use a 4 to 6 year coverage length to instead use a new coverage length of 1 to 3 years.
What happens when I need to renew my Multi-year Plan?
When it’s time to renew your Multi-year Plan, you can renew it as a 1, 2, or 3-year Multi-year Plan.
Why will DigiCert stop selling 4, 5, and 6-year Multi-year Plans?
We are optimizing our infrastructure to support new and improved e-commerce experiences. Removing these Multi-year Plan options helps us streamline existing product lines into a cleaner, more intuitive shopping environment.
October 19, 2023
CertCentral webhooks: Get webhook notifications in Slack
We’re happy to announce that you can now receive CertCentral webhook notifications in Slack!
When you integrate CertCentral webhooks with Slack, your webhook sends notifications to a channel in your Slack workspace. These notifications have the same triggers and data as standard webhook events, and Slack presents the information as human-readable text instead of raw JSON.
Note
DigiCert will continue improving the content and formatting of Slack webhook messages to meet customer needs.
Learn more: Get webhook notifications in Slack
October 17, 2023
DigiCert site seal is replacing the Norton site seal
On October 17, 2023, at approximately 10:00 MDT (16:00 UTC), DigiCert will replace the Norton site seal image with our DigiCert site seal image wherever it appears on websites secured by Secure Site or Secure Site Pro TLS certificates. Additionally, we will remove the option to use and download the Norton site seal from CertCentral.
What do I need to do?
No action is required. DigiCert will automatically replace your static Norton site seal image with the DigiCert site seal image on October 17, 2023, at 10:00 MDT (16:00 UTC). However, DigiCert recommends replacing your Norton site seal with the DigiCert Smart Seal.
To use the Smart Seal image, you must install the DigiCert site seal code on your website. To learn more about using the DigiCert Smart Seal, see the following instructions:
Why should I use the enhanced DigiCert Smart Seal?
To make the Smart Seal more interactive and engaging, we added a hover-over effect, animation, and the ability to display your company logo in the site seal.
Hover-over effect
When visitors hover over the seal, it magnifies and gives customers quick information about your organization.
Animation
When visitors come to your site, the seal slowly transitions from the seal image to the additional details about your organization.
Logo
Add your logo to the hover-over effect and the site seal animation. Your logo appears with additional details about your organization. DigiCert must approve your logo before it appears in the Smart Seal on your website.
See The Smartest Way to Boost Trust at Checkout to learn more about the DigiCert Smart Seal.
October 13, 2023
CertCentral: New delete domains feature
We are happy to announce that we improved the domain management workflow in CertCentral.
Want to remove a domain from your account that you can never validate because it has a typo? Want to remove all the subdomains of a base domain?
Now, when you need to delete a domain from your CertCentral account, you can. Go to the Domains page and use the Delete domain feature to delete one or multiple domains simultaneously.
Previously, you could only deactivate domains. The Deactivate domain feature allows you to block certificate issuance for a domain until it’s activated. However, the deactivated domain remains in your account.
Items to note about deleting domains:
Only CertCentral administrators can delete domains.
Deleting a domain hides it from the list of domains.
Current certificates that include the domain are not affected.
Requesting new, reissue, or renewal certificates for a deleted domain may require you to revalidate the domain.
See for yourself
In your CertCentral account, in the left main menu, go to Certificates > Domains.
On the Domains page, in the Domain name column, select the domain you want to delete.
On the Domain details page, in the Deactivate domain dropdown, select Delete domain.
In the Delete domain window, select Delete domain if you want to delete the domain. Select Cancel if you don’t want to delete it.
CertCentral Services API: New delete domain endpoint
In the CertCentral Services API, we added a new API endpoint for deleting a domain from your CertCentral account. For examples and usage details, visit the API reference: Delete domain.
October 10, 2023
CertCentral Services API: Added functionality to Update order status endpoint
In the CertCentral Services API, we added new functionality to the Update order status API endpoint. Now, if you use the Services API to manage certificate request approvals, you can use the Update order status endpoint to cancel reissue requests that are pending admin approval. Before, this endpoint could only cancel reissues after an administrator approved the request.
For example, the order 12345 has a pending request to reissue the certificate on the order. You can use this cURL request to both cancel the reissue and reject the request:
curl -X PUT \
  'https://www.digicert.com/services/v2/order/certificate/12345/status' \
  --header 'Content-Type: application/json' \
  --header 'X-DC-DEVKEY: {{api_key}}' \
  --data-raw '{
    "status": "canceled",
    "note": "Reissue canceled"
  }'
When you submit this request:
The reissue is canceled, and the status of order 12345 changes from reissue_pending back to issued.
The status of the corresponding request becomes rejected.
The note (if provided) from the Update order status payload is stored in the processor_comment field on the rejected request.
October 7, 2023
Upcoming scheduled Europe maintenance
DigiCert will perform scheduled maintenance on October 7, 2023, 09:00 – 11:00 MDT (15:00 – 17:00 UTC). Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.
What can I do?
Schedule high-priority orders, renewals, and reissues before or after the maintenance window.
Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.
To get live maintenance updates, including email alerts for when maintenance starts and ends, subscribe to the DigiCert Status page.
See the DigiCert Europe 2023 maintenance schedule for maintenance dates and times.
Services will be restored as soon as the maintenance is completed.
Upcoming scheduled Global maintenance
DigiCert will perform scheduled maintenance on October 7, 2023, 22:00 – 24:00 MDT (October 8, 2023, 04:00 – 06:00 UTC). Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.
What can I do?
Schedule high-priority orders, renewals, and reissues before or after the maintenance window.
Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.
To get live maintenance updates, including email alerts for when maintenance starts and ends, subscribe to the DigiCert Status page.
See the DigiCert global 2023 maintenance schedule for maintenance dates and times.
Services will be restored as soon as the maintenance is completed.
September 11, 2023
CertCentral: Updates to client certificate request forms per new industry requirements
With the recent industry changes to S/MIME certificates, we updated our client certificate requests form, making it easier to include the required information to get your certificate.
Now, when you request one of the certificates listed below, you will see two options under Certificate to Request(s):
Email: Enter the email address you want to secure and have appear as the certificate's common name.
Name: Enter the recipient's name as the common name and the email address you want to secure.
Affected certificates: Premium, Email Security Plus, and Digital Signature Plus.
See for yourself:
In the left main menu, hover over Request a Certificate.
Then, under Client certificates, select the client certificate you want to order: Premium, Email Security Plus, or Digital Signature Plus.
To learn more, see Order your client certificate.
Background
On August 29, 2023, at 10:00 MDT (16:00 UTC), DigiCert updated our public Secure Email (S/MIME) certificate issuance process to comply with the CA/Browser Forum's new Baseline Requirements for the Issuance and Management of Publicly‐Trusted S/MIME Certificates.
Industry changes now place certificates used to sign, verify, encrypt, or decrypt email into three categories:
Sponsor-validated – Secure Email (S/MIME) for an organization to issue to its organization-sponsored individuals
Organization-validated – Secure Email (S/MIME) certificate for an organization
Mailbox-validated – Secure Email (S/MIME) certificates for individuals
Our Premium, Email Security Plus, and Digital Signature Plus certificates are in the sponsor-validated category. Thus, you can only enter your email address or name as the common name on the certificate.
Learn more about the New industry requirements for public Secure Email (S/MIME) certificates.
September 9, 2023
Upcoming scheduled global maintenance
Some DigiCert services will be down for 60 minutes during scheduled maintenance on September 9, 2023, 22:00 – 24:00 MDT (September 10, 04:00 – 06:00 UTC).
Document Trust Manager PrimoSign signing service maintenance-related downtime
The Document Trust Manager maintenance starts at 22:00 MDT (04:00 UTC). At this time, the PrimoSign signing service will be down for up to 60 minutes.
Affected services
DigiCert ONE USA
Document Trust Manager PrimoSign signing service
What can I do?
Plan accordingly:
Schedule high-priority document signings before or after the maintenance window.
Expect interruptions if you use the APIs for automated tasks.
To get live maintenance updates, subscribe to the DigiCert Status page. This subscription includes email alerts for when maintenance starts and when maintenance ends.
See the DigiCert global 2023 maintenance schedule for maintenance dates and times.
Services will be restored as soon as the maintenance is completed.
September 5, 2023
Industry changes to TLS certificates' BasicConstraints extension
On September 5, 2023, at 10:00 MDT (16:00 UTC), DigiCert will only issue public TLS certificates with the BasicConstraints extension set to critical per new industry requirements. Going forward, we will stop supporting the BasicConstraints extension's noncritical setting in public TLS certificate profiles.
Why is DigiCert making this BasicConstraints extension change?
To comply with industry changes mandated by the root program, all certificate authorities (CAs), such as DigiCert, must stop allowing users to set the BasicConstraints extension to noncritical in public TLS certificates.
For more details about the compliance changes affecting the BasicConstraints extension in certificate profiles, see the CA/Browser Forum's Ballot SC62v2-Certificate profiles update.
How does this affect me?
Does your TLS certificate process require the BasicConstraints extension to be set to noncritical?
No, it does not.
You shouldn't notice any difference in your certificate issuance process. Your public TLS certificates are not affected by this change.
Yes, it does.
You can continue to include the BasicConstraints extension set to noncritical in your public TLS certificates issued before September 5, 2023. Make sure to complete the required domain and organization validation for these orders before September 5.
What if I need the BasicConstraints extension set to noncritical in my TLS certificates after September 5?
You can use private TLS certificates. The root-program BasicConstraints extension change does not apply to private TLS certificates. If private TLS certificates meet your needs, contact your account manager to make sure the correct Private Root CA hierarchy is available for your account.
How does this affect my public TLS certificates with the BasicConstraints extension set to noncritical?
Your existing certificates are not affected by this change. However, if you reissue, duplicate issue, or renew a certificate after September 5, 2023, 10:00 MDT (16:00 UTC), we will set the BasicConstraints extension to critical when we issue the certificate.
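To find which existing certificates still carry a noncritical BasicConstraints extension, and will therefore change on reissue, duplicate issue, or renewal, the critical flag can be read directly from the certificate's DER encoding. The following is an added example, not DigiCert code; it uses only the Python standard library, and sample_cert builds a constructed, unsigned certificate skeleton (placeholder names, key, and signature) purely as test input.

```python
import base64

BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")  # DER content bytes of OID 2.5.29.19


def read_tlv(buf, pos):
    """Decode one DER element at pos; return (tag, content, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        if count == 0 or pos + count > len(buf):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def children(content):
    """Split the content of a constructed element into (tag, content) pairs."""
    items, pos = [], 0
    while pos < len(content):
        tag, value, pos = read_tlv(content, pos)
        items.append((tag, value))
    return items


def load_der(data):
    """Accept PEM or DER bytes and return DER bytes."""
    marker = b"-----BEGIN CERTIFICATE-----"
    if marker in data:
        body = data.split(marker, 1)[1].split(b"-----END CERTIFICATE-----", 1)[0]
        return base64.b64decode(b"".join(body.split()))
    return data


def basic_constraints_critical(cert):
    """Return True/False for the critical flag, or None if the extension is absent."""
    tag, certificate, _ = read_tlv(load_der(cert), 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, _ = read_tlv(certificate, 0)  # first member is TBSCertificate
    for tag, value in children(tbs):
        if tag != 0xA3:  # [3] EXPLICIT Extensions
            continue
        _, extension_list, _ = read_tlv(value, 0)
        for _, extension in children(extension_list):
            fields = children(extension)
            if fields and fields[0] == (0x06, BASIC_CONSTRAINTS_OID):
                # critical is BOOLEAN DEFAULT FALSE, so DER omits it when false
                return fields[1][0] == 0x01 and fields[1][1] != b"\x00"
    return None


def tlv(tag, content):
    """Minimal DER encoder, used only to build the constructed samples."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + content


def sample_cert(critical):
    """Constructed certificate-shaped DER; not signed, not a real certificate."""
    ext = tlv(0x06, BASIC_CONSTRAINTS_OID)
    if critical:
        ext += tlv(0x01, b"\xff")
    ext += tlv(0x04, tlv(0x30, b""))  # extnValue: empty BasicConstraints (cA FALSE)
    extensions = tlv(0xA3, tlv(0x30, tlv(0x30, ext)))
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a8648ce3d040302")))  # ecdsa-with-SHA256
    name = tlv(0x30, b"")
    validity = tlv(0x30, tlv(0x17, b"230901000000Z") + tlv(0x17, b"240901000000Z"))
    spki = tlv(0x30, alg + tlv(0x03, b"\x00" + bytes(32)))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg
              + name + validity + name + spki + extensions)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" + bytes(64)))


if __name__ == "__main__":
    for label, der in (("critical", sample_cert(True)), ("noncritical", sample_cert(False))):
        print(label, "->", basic_constraints_critical(der))
```

Pass the bytes of a PEM or DER certificate file to basic_constraints_critical to check real certificates.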
How does this affect my API integration?
In the Services API, order requests for public TLS certificates that specify a certificate.profile_option of basic_constraints_critical_true will return a 400 error with an error code value of invalid_profile_option.
Update your API integration and remove the basic_constraints_critical_true profile option from your public TLS certificate requests by September 5, 2023.
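A pre-flight check for request bodies can catch the retired values named in this entry and in the December 6 Multi-year Plan entry before the API rejects them. This is an added example, not DigiCert code: the key names and allowed values come from this page, the sample bodies are constructed, and because the page does not show where each key sits in a request body, the check matches keys by name at any depth. order_validity_days is not checked because the page gives no day limit.

```python
import json

# Values taken from the change log entries on this page.
RETIRED_PROFILE_OPTION = "basic_constraints_critical_true"
ALLOWED_COVERAGE_LENGTHS = ("1Y", "2Y", "3Y")
MAX_VALIDITY_YEARS = 3

# Constructed request bodies standing in for what an integration might send.
SAMPLE_BODIES = {
    "tls_order": '{"certificate": {"common_name": "example.com", '
                 '"profile_option": "basic_constraints_critical_true"}}',
    "automation_profile": '{"orderCoverageLength": "5Y"}',
    "acme_url": '{"order_validity_years": 4}',
    "acme_url_ok": '{"order_validity_years": 2}',
}


def walk(node, path=""):
    """Yield (path, key, value) for every key in a nested JSON structure."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            yield child, key, value
            yield from walk(value, child)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from walk(item, f"{path}[{index}]")


def audit_payload(payload):
    """Return a list of (json_path, reason) for values the page says are retired."""
    findings = []
    for path, key, value in walk(payload):
        if key == "profile_option" and value == RETIRED_PROFILE_OPTION:
            findings.append((path, "retired profile option; expect 400 invalid_profile_option"))
        elif key == "orderCoverageLength" and value not in ALLOWED_COVERAGE_LENGTHS:
            findings.append((path, f"coverage length {value!r} is not 1Y, 2Y, or 3Y"))
        elif key == "order_validity_years":
            try:
                years = int(value)
            except (TypeError, ValueError):
                findings.append((path, f"unparseable coverage length {value!r}"))
                continue
            if years > MAX_VALIDITY_YEARS:
                findings.append((path, f"{years} years exceeds the 3-year maximum"))
    return findings


def audit_samples():
    """Audit every constructed sample body and return findings per sample name."""
    return {name: audit_payload(json.loads(body)) for name, body in SAMPLE_BODIES.items()}


if __name__ == "__main__":
    for name, findings in audit_samples().items():
        print(name, "OK" if not findings else findings)
```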
End of issuance for individual validation TLS certificates
On September 5, 2023, at 10:00 MDT (16:00 UTC), DigiCert will stop issuing individual validation TLS certificates. This means you can no longer get an organization validation (OV) TLS certificate with a person's name in the subject field.
Affected certificates:
Secure Site Pro SSL
Secure Site OV
Basic OV
GeoTrust® TrueBusiness ID OV
Thawte® SSL Webserver OV
Why will DigiCert stop issuing individual validation TLS certificates?
To comply with industry changes mandated by the root program, DigiCert will only issue OV TLS certificates with an organization name in the subject field. For more details about the compliance changes affecting the individual validation TLS certificates, see the CA/Browser Forum's Ballot SC62v2-Certificate profiles update.
How does this affect me?
Your existing individual validation OV TLS certificates will continue to secure your domains until they expire. This change doesn't apply to certificates issued prior to September 5, 2023.
However, starting September 5, you cannot reissue, duplicate, or renew an existing individual validation OV TLS certificate. You can still revoke a certificate if needed.
What if I need a new individual validation TLS certificate?
Get needed certificates before September 5.
You can continue to include your name in OV TLS certificates issued before September 5. Make sure to complete the required domain and individual validation for these orders by September 5.
Use domain validation (DV) TLS certificates.
Starting September 5, 2023, if you need a TLS certificate for an individual, we recommend purchasing a DV TLS certificate instead. On September 5, 2023, we will enable the GeoTrust DV SSL certificate for your CertCentral account.
September 2, 2023
Upcoming scheduled Europe maintenance
Some DigiCert services will be down for 90 minutes during scheduled maintenance on September 2, 2023, 09:00 – 11:00 MDT (15:00 – 17:00 UTC).
Document Trust Manager's PrimoSign signing service maintenance-related downtime
The DigiCert® Document Trust Manager maintenance starts at 09:00 MDT (15:00 UTC). At that time, the PrimoSign signing service will be down for up to 90 minutes.
Affected services:
DigiCert ONE Netherlands instance
DigiCert® Document Trust Manager PrimoSign signing service
DigiCert ONE Switzerland instance
DigiCert® Document Trust Manager PrimoSign signing service
What can I do?
Plan accordingly
Schedule high-priority document signings before or after the maintenance window.
Expect interruptions if you use the APIs for automated tasks.
To get live maintenance updates, subscribe to the DigiCert Status page. This subscription includes email alerts for when maintenance starts and when maintenance ends.
See the DigiCert Europe 2023 maintenance schedule for maintenance dates and times.
Services will be restored as soon as the maintenance is completed.
August 29, 2023
Changes coming for public Secure Email (S/MIME) certificates
On August 29, 2023, at 10:00 MDT (16:00 UTC), DigiCert will make the changes listed below to our public Secure Email (S/MIME) certificate issuance process to comply with the CA/Browser Forum's new Baseline Requirements for the Issuance and Management of Publicly‐Trusted S/MIME Certificates.
These changes will apply to all newly issued certificates containing the emailProtection extendedKeyUsage and at least one email address. If you can use your certificate to sign, verify, encrypt, or decrypt email, then your new, reissued, and renewed certificates will be affected by these new industry requirements starting August 29, 2023, at 10:00 MDT (16:00 UTC).
What can I do?
Get needed Secure Email S/MIME certificates before August 29, 2023
If you have S/MIME certificate renewals, reissues, or new orders scheduled for the end of August and the month of September, do these certificate-related activities early—before August 29. That way, your S/MIME certificate issuance will remain the same, eliminating potential surprises from the modifications to certificate profiles and the validation process. Certificates issued before August 29, 2023, can still contain the organization unit information and email-validated addresses, as needed.
Move to private Secure Email (S/MIME) certificates
DigiCert recommends moving to privately trusted S/MIME certificates if public trust is not required. The rules for public S/MIME certificates do not apply to locally trusted S/MIME certificates. Contact your account representative or DigiCert Support to learn about DigiCert Private Secure Email (S/MIME) certificates.
Platform-specific changes
One of the benefits of the new S/MIME certificate baseline requirements is that it will standardize public S/MIME certificates for all certificate authorities and, more specifically, for all DigiCert platforms.
To learn more about the changes coming to your platform and what you need to do to prepare for the changes to DigiCert's public Secure Email (S/MIME) certificate issuance process, see the applicable section of our knowledge base article:
CertCentral: Document Signing Certificate changes
On August 29, 2023, at 10:00 MDT (16:00 UTC), DigiCert will no longer include the email addresses in the subject field when issuing Document Signing certificates.
Starting August 29:
You can no longer use the newly issued Document Signing certificate to sign your emails.
Your email address will not appear in signatures applied to documents using a newly issued or reissued Document Signing certificate.
The following certificates are affected by this change:
Document Signing - Organization (2000/5000)
Document Signing - Individual (500/2000)
Why will DigiCert start issuing Document Signing certificates without the email address in the subject?
We are making this change to align with upcoming industry changes affecting the issuance and management of publicly trusted secure email (S/MIME) certificates.
Starting August 29, under the new S/MIME certificate requirements, a document signing certificate must undergo a new validation process for digitally signing emails. DigiCert's Document Signing certificates do not include this validation process and, therefore, can no longer include email addresses and be used to sign emails after August 29.
How do these changes affect my Document Signing certificates?
Newly issued Document Signing certificates.
Starting August 29, 2023, at 10:00 MDT (16:00 UTC), all newly issued Document Signing certificates, including new, reissued, and renewed certificates, will no longer include the email addresses in the subject field and can no longer be used to sign emails.
Existing Document Signing certificates.
The industry changes do not affect Document Signing certificates issued before August 29, 2023, 10:00 MDT (16:00 UTC). You can continue to use these existing certificates to sign emails if needed until they expire. Remember, starting August 29, the changes to Document Signing certificates will affect your certificate replacements and renewals.
What can I do?
Get needed Document Signing certificates with email signing before August 29, 2023.
If you have Document Signing renewals, reissues, or new orders scheduled for the end of August and September, do these certificate-related activities before August 29. That way, your Document Signing certificates will include the email address and can be used to sign emails.
Get a Secure Email (S/MIME) certificate.
If you need a certificate to sign your emails, get one of DigiCert's secure email certificates that meets the new S/MIME requirements. These certificates will be available for purchase in CertCentral starting August 29.
August 22, 2023
CertCentral: Only show "Comments to Administrator" when the approval step is enabled for a user
In CertCentral, we updated our OV TLS, EV TLS, code signing, and document signing certificate request forms. Now, we will only include the Comments to Administrator field when the approval step is enabled for the user making the request.
This field allows you to provide additional information to the person approving the request. When an order skips the approval step, the field no longer serves its purpose.
Background
By default, CertCentral accounts are configured for one-step certificate request approvals. An account administrator must approve a certificate request before DigiCert can process the order (validating the organization, etc.).
However, on the Preferences page (go to Settings > Preferences), in the Certificate Requests section, you can remove the approval step from the OV and EV TLS, code signing, and document signing certificate issuance workflows for your CertCentral administrators and managers. Even with skip approval enabled, you must still approve requests submitted by standard users, limited users, and finance managers.
August 15, 2023
Industry changes to key usage extensions allowed in Public TLS certificates.
On August 15, 2023, at 10:00 MDT (16:00 UTC), DigiCert will stop supporting the following key usage extensions in public TLS certificates:
Data encipherment
Non-repudiation
Note that these key usage extensions are not included in public TLS certificates by default.
Why is DigiCert making these key usage extension changes?
To comply with industry changes mandated by the root program, all certificate authorities (CAs), such as DigiCert, must stop allowing users to include these key usage extensions in public TLS certificates: data encipherment and non-repudiation.
For more details about the compliance changes affecting key usage extensions in certificate profiles, see the CA/Browser Forum Baseline Requirements for the Issuance and Management of Publicly‐Trusted Certificates, Section 7.1.2.7.10.
How does this affect me?
Do you currently use these key usage extensions in your public TLS certificates?
No, I don't.
Then no action is required. Your public TLS certificates are not affected by this change.
Yes, I do.
You can continue to include the data encipherment or non-repudiation key usage extensions in your public TLS certificate issued until August 15, 2023. Make sure to complete the required domain and organization validation for these orders by August 15.
What if I need to include the data encipherment or non-repudiation key usage extensions in my TLS certificates after August 15?
You can use private TLS certificates. The root-program key usage extension change does not apply to private TLS certificates. If private TLS certificates will meet your needs, contact your account manager to make sure the correct Private root CA hierarchy is available for your account.
How does this affect my existing certificates that include these key extensions?
Your existing certificates are not affected by this change. However, if you reissue or duplicate issue a certificate with one of these key usage extensions after August 15, we will remove the data encipherment or non-repudiation extension before we reissue the certificate.
How does this affect my API integration?
In the Services API, order requests for public TLS certificates that specify a certificate.profile_option of data_encipherment, non_repudiation, or non_repudiation_and_data_enciph will return a 400 error with an error code value of profile_option_not_allowed.
Update your API integration and remove these profile options from your public TLS certificate requests by August 15, 2023.
Upgrading the DigiCert Support Plans
On August 15, 2023, DigiCert will upgrade our support plans to provide you with a better, more customizable experience. These plans are scalable and backed by our technical experts to ensure your success.
New plans:
Standard support
Our free support plan is available to all DigiCert customers. It includes 24-hour, Monday – Friday chat and email technical support and access to our comprehensive product documentation and developer portal hub, knowledge base articles, and other self-service tools.
Business support
Our mid-level paid service plan includes everything in our Standard plan plus 24-hour, Monday – Friday phone technical support, faster service hold times, and business service level agreements.
Premium support
Our highest-level paid service plan includes access to everything in the Business plan plus priority service hold time.
The Premium plan is the only plan that includes the following:
24-hour, 7-day-a-week technical support with local language service during business hours and English language services after hours.
Priority validation.
Access to DigiCert ONE testing environment.
Premium service level agreements.
Root cause analysis for service degradation incidents.
Access to a Premium Client Manager for one-on-one incident resolution, strategic planning, and project coordination.
For more details about what these plans include, see the following:
How does this affect me?
To show our appreciation, on August 15, 2023, DigiCert will upgrade all existing customers to either Business or Premium support plans for a limited time at no additional charge.
How the limited-time upgrade works:
Platinum support plans will be upgraded to Premium support for the duration of the contract.
You will receive validation SLAs in addition to your current support benefits. You will also retain your current Platinum Client Manager (now called a Premium Client Manager).
Gold or Platinum-Lite support plans will be upgraded to Premium support for the duration of your contract.
You will have all Premium support benefits except for a Premium Client Manager.
Included (non-paid) DigiCert support will be upgraded to Business support for up to one year.
On August 14, 2024, if you have not selected a new go-forward support plan, you can continue with a Business support plan, upgrade to a Premium support plan, or return to our free, Standard support plan.
Need help?
If you have questions or concerns, contact your account manager. See our knowledge base article.
August 8, 2023
CertCentral: Submitting organizations for SMIME – SMIME Organization Validation prevalidation
Starting August 8 at approximately 10:00 MDT (16:00 UTC), when you order a client certificate containing the emailProtection extendedKeyUsage and at least one email address, we will automatically submit the organization included in the order for SMIME organization prevalidation. When you visit the organization's details page, you will see a pending validation for SMIME – SMIME Organization Validation.
Affected client certificates:
Digital Signature Plus
Email Security Plus
Premium
Class 1 S/MIME
This change also affects orders submitted via the CertCentral Services API. To learn more about organization prevalidation, see our Submit an organization for prevalidation instructions.
Why is DigiCert submitting these organizations for SMIME prevalidation?
As part of the new requirements for public Secure Email (S/MIME) certificates, certificate authorities (CAs), such as DigiCert, must validate the organization included in a certificate containing the emailProtection extendedKeyUsage and at least one email address for S/MIME validation before we can issue the certificate.
DigiCert will submit organizations included in these types of certificate requests for SMIME organization prevalidation starting August 8 to prepare for these new requirements.
How does this affect my client certificate process?
The pending SMIME organization validation does not prevent your client certificates from being issued at this time. Until we update our process, for client certificates containing the emailProtection extendedKeyUsage and at least one email address, DigiCert will continue to require OV - Normal Organization Validation to validate the organization included in the certificate.
Then starting August 29, 2023, DigiCert must validate the organization included in these client certificates for the new SMIME organization validation before we can issue them.
OV - Normal Organization Validation
Per industry requirements, DigiCert will continue to validate the organization included in a certificate containing the emailProtection extendedKeyUsage and at least one email address for OV - Normal Organization Validation until August 29.
SMIME – SMIME Organization Validation
Starting August 29, 2023, at 10:00 MDT (16:00 UTC), all newly issued certificates containing the emailProtection extendedKeyUsage and at least one email address, including new, reissued, and renewed certificates, must comply with the new Baseline Requirements for the Issuance and Management of Publicly‐Trusted S/MIME Certificates.
CertCentral Webhooks: Include certificate and chain in certificate issued events
CertCentral webhooks now support the option to include the certificate chain in certificate_issued events for public and private TLS/SSL certificates.
Now, you can get your issued TLS certificate in the same webhook event that notifies you the certificate is ready. Before, you needed to trigger a callback API request to download the certificate from CertCentral.
Example certificate_issued event with certificate chain:
{
  "event": "certificate_issued",
  "data": {
    "order_id": 1234,
    "certificate_id": 1234,
    "certificate_chain": [
      {
        "subject_common_name": "example.com",
        "pem": "-----BEGIN CERTIFICATE-----\r\nMII...\r\n-----END CERTIFICATE-----\r\n"
      },
      {
        "subject_common_name": "DigiCert Global G2 TLS RSA SHA256 2020 CA1",
        "pem": "-----BEGIN CERTIFICATE-----\r\nMII...\r\n-----END CERTIFICATE-----\r\n"
      },
      {
        "subject_common_name": "DigiCert Global Root G2",
        "pem": "-----BEGIN CERTIFICATE-----\r\nMII...\r\n-----END CERTIFICATE-----\r\n"
      }
    ]
  }
}
Note
CertCentral only sends the certificate chain in certificate_issued events for public and private TLS/SSL certificates. For other product types, certificate_issued events never include the certificate chain.
Learn how to include the certificate chain in certificate_issued events: Customize certificate issued events.
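A listener that consumes the chain from a certificate_issued event should decode every PEM entry strictly and record fingerprints before installing anything. The following is an added example, not DigiCert's code; the function names are hypothetical, the sample event is constructed with placeholder bytes instead of real certificates, and it assumes the end-entity certificate comes first, as in the sample event above.

```python
import base64
import hashlib
import json
import re
from typing import Optional

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+([A-Za-z0-9+/=\s]+?)-----END CERTIFICATE-----"
)


def pem_to_der(pem: str) -> bytes:
    """Strictly decode exactly one PEM CERTIFICATE block (CRLF or LF endings)."""
    match = PEM_RE.fullmatch(pem.strip())
    if match is None:
        raise ValueError("expected exactly one PEM CERTIFICATE block")
    # validate=True rejects bad padding instead of silently skipping it.
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def der_to_pem(der: bytes) -> str:
    """Re-encode with LF endings and 64-column lines for writing to disk."""
    b64 = base64.b64encode(der).decode("ascii")
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(rows)
            + "\n-----END CERTIFICATE-----\n")


def extract_chain(raw_body: bytes, expected_common_name: Optional[str] = None):
    """Return the validated chain, or None when the event carries no chain.

    None means the caller must fall back to downloading the certificate
    through the API (chain option not enabled, or a non-TLS product).
    """
    event = json.loads(raw_body)
    if not isinstance(event, dict) or event.get("event") != "certificate_issued":
        raise ValueError("not a certificate_issued event")
    entries = event.get("data", {}).get("certificate_chain")
    if not entries:
        return None
    chain = []
    for entry in entries:
        der = pem_to_der(entry["pem"])
        chain.append({
            "subject_common_name": entry["subject_common_name"],
            "sha256": hashlib.sha256(der).hexdigest(),  # log this, not the PEM
            "pem": der_to_pem(der),
        })
    # Assumption: entry 0 is the end-entity certificate, as in the sample event.
    if (expected_common_name is not None
            and chain[0]["subject_common_name"] != expected_common_name):
        raise ValueError("event is for an unexpected common name")
    return chain


def bundle_pem(chain) -> str:
    """Concatenate the chain in the order received."""
    return "".join(item["pem"] for item in chain)


def placeholder_der(seed: bytes) -> bytes:
    """Constructed stand-in bytes; NOT a real X.509 certificate."""
    return hashlib.sha256(seed).digest() * 4


def constructed_event() -> bytes:
    """Constructed event in the shape of the sample above, with CRLF PEMs."""
    def fake_pem(seed: bytes) -> str:
        b64 = base64.b64encode(placeholder_der(seed)).decode("ascii")
        return ("-----BEGIN CERTIFICATE-----\r\n" + b64
                + "\r\n-----END CERTIFICATE-----\r\n")

    names = [("example.com", b"leaf"),
             ("DigiCert Global G2 TLS RSA SHA256 2020 CA1", b"intermediate"),
             ("DigiCert Global Root G2", b"root")]
    chain = [{"subject_common_name": cn, "pem": fake_pem(seed)}
             for cn, seed in names]
    return json.dumps({"event": "certificate_issued",
                       "data": {"order_id": 1234, "certificate_id": 1234,
                                "certificate_chain": chain}}).encode()


if __name__ == "__main__":
    for item in extract_chain(constructed_event(), "example.com"):
        print(item["sha256"], item["subject_common_name"])
```

The strict decoder only checks PEM framing and base64; parsing the certificates themselves (validity dates, issuer linkage) needs an X.509 library.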
CertCentral Services API: Add issuing CA certificate details to subaccount order info response
In the CertCentral Services API, we updated the Subaccount order info API endpoint to return the name and id of the issuing CA certificate for the primary certificate on the order. This data is returned in the ca_cert object in the certificate section of the JSON response.
Example JSON response with ca_cert object, truncated for brevity:
{
  "certificate": {
    "ca_cert": {
      "id": "A937018B9FAF6CC2",
      "name": "DigiCert Global G2 TLS RSA SHA256 2020 CA1"
    },
    ...
  },
  ...
}
CertCentral Services API: Add product shim details to subaccount product list
In the CertCentral Services API, we updated the List subaccount products API endpoint to return details about the product shims configured for the subaccount.
Note
CertCentral uses product shims to map requests for legacy products to the newer products that replaced them.
Now, the List subaccount products API endpoint returns these parameters:
is_product_shim_enabled (boolean): Returned at the root of the JSON response. If true, product shims are configured for the subaccount. Otherwise, false.
product_shim_map (array of objects): In the products list, any product with legacy products mapped to it returns a product_shim_map array. This array is a list of objects with the product_name_id and product_name of the legacy product with an active shim.
Example JSON response, truncated for brevity:
{
  "currency": "JPY",
  "pricing_method": "custom",
  "balance_negative_limit": "-1",
  "products": [
    {
      "product_name_id": "ssl_dv_geotrust_flex",
      "product_name": "GeoTrust DV SSL",
      "product_shim_map": [
        {
          "product_name_id": "ssl_dv_geotrust",
          "product_name": "GeoTrust Standard DV"
        }
      ]
    },
    {
      "product_name_id": "ssl_securesite_flex",
      "product_name": "Secure Site OV",
      "product_shim_map": [
        {
          "product_name_id": "ssl_plus",
          "product_name": "Standard SSL"
        },
        {
          "product_name_id": "ssl_securesite",
          "product_name": "Secure Site SSL"
        }
      ]
    },
    ...
  ],
  "is_product_shim_enabled": true
}
August 5, 2023
Upcoming scheduled Europe maintenance
Some DigiCert services will be down for up to 30 minutes, while others may experience interruptions during scheduled maintenance on August 5, 2023, 09:00 – 11:00 MDT (15:00 – 17:00 UTC).
Upcoming scheduled global maintenance
DigiCert will perform scheduled maintenance on August 5, 2023, 22:00 – 24:00 MDT (August 6, 2023, 04:00 – 06:00 UTC). Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.
What can I do?
Plan accordingly:
Schedule high-priority orders, renewals, and reissues before or after the maintenance window.
Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.
To get live maintenance updates, subscribe to the DigiCert Status page. This subscription includes email alerts for when maintenance starts and when maintenance ends.
See the DigiCert global 2023 maintenance schedule for scheduled maintenance dates and times.
Services will be restored as soon as the maintenance is completed.
August 1, 2023
CertCentral: New SMIME – SMIME Organization Validation
In CertCentral, we added a new validation type to the organization prevalidation workflow, SMIME – SMIME Organization Validation. Starting August 29, 2023, DigiCert must validate the organization included in Secure Email (S/MIME) certificates with the new validation type, SMIME – SMIME Organization Validation, before we can issue the certificate. To learn more about organization prevalidation, see our Submit an organization for prevalidation instructions.
Why is DigiCert adding SMIME – SMIME Organization Validation?
As part of the new requirements for public Secure Email (S/MIME) certificates, certificate authorities (CAs), such as DigiCert, must validate the organization included in a Secure Email certificate for S/MIME validation before we can issue the certificate.
How does this affect my client certificate process?
DigiCert will continue to require OV - Normal Organization Validation to validate the organization included in a Secure Email (S/MIME) certificate until we update our process on August 29, 2023. Then, we will require the organization included in a Secure Email certificate to be validated for the new SMIME – SMIME Organization Validation.
OV - Normal Organization Validation
Per the current industry requirements, DigiCert will continue to validate the organization included in Secure Email (S/MIME) certificates for OV - Normal Organization Validation until August 29.
SMIME – SMIME Organization Validation
Starting August 29, 2023, at 10:00 MDT (16:00 UTC), all newly issued S/MIME certificates, including new, reissued, and renewed certificates, must comply with the new Baseline Requirements for the Issuance and Management of Publicly‐Trusted S/MIME Certificates.
CertCentral Services API: New product validation type for client certificates on Order info API response
In the CertCentral Services API, for client certificate orders, we updated the Order info API endpoint to return data describing the type of organization validation DigiCert will use for client certificates after August 29.
Background
The Order info API endpoint returns a product object with information about the type of certificate on the order. For certificates that require organization validation, the product object includes parameters describing the type of organization validation used for the product:
validation_type
validation_description
validation_name
After today's update, for client certificates that require organization validation, these fields return values associated with SMIME Organization Validation. For example:
{
  ...
  "product": {
    "csr_required": false,
    "name": "Premium",
    "name_id": "client_premium",
    "type": "client_certificate",
    "validation_description": "SMIME Organization Validation",
    "validation_name": "SMIME",
    "validation_type": "smime"
  },
  ...
}
Before, these fields returned values associated with Normal Organization Validation. For example:
{
  ...
  "product": {
    "csr_required": false,
    "name": "Premium",
    "name_id": "client_premium",
    "type": "client_certificate",
    "validation_type": "ov",
    "validation_name": "OV",
    "validation_description": "Normal Organization Validation"
  },
  ...
}
How does this affect my API client integration?
If you use the Order info API endpoint to retrieve validation information from the product object, make sure your integration can handle the new validation type values for client certificates.
Otherwise, this change is compatible with existing workflows for validating organizations and requesting client certificates:
Until August 29, you can continue ordering client certificates for organizations with an active Normal Organization Validation (OV).
After August 29, when ordering client certificates for an organization without active SMIME Organization Validation, DigiCert will automatically submit the organization for SMIME validation.
Stay informed about updates to client certificate API workflows
As we update our systems to comply with the new Secure Email (S/MIME) baseline requirements, we will continue updating Services API workflows for managing S/MIME certificates in CertCentral. Visit our developer portal for a comprehensive list of these changes: Services API updates for client certificate workflows. Make sure to save this page and check it frequently, as we will update this article as new information becomes available.
CertCentral Webhooks: New event types, event logs, and notifications for immediately issued certificates
New CertCentral events
We updated CertCentral webhooks to send notifications for these event types:
Domain expired
Domain revalidation notice
Domain validated
Organization expired
Organization revalidation notice
Organization validated
Order rejected
Subscribe to these events when creating or updating a webhook in CertCentral. Learn more: CertCentral event types
Webhook event logs
We're excited to announce that webhook event logs are now available.
Every time CertCentral sends an event to your webhook listener, we create a new webhook event log entry. Each entry includes the event timestamp, event data, and response code that your webhook listener returned to CertCentral. Event logs make it easier to review your event history and troubleshoot the connection between CertCentral and your webhook listener.
Learn more: Webhook event logs
Get notified for immediately issued certificates
Now, you can choose to receive certificate issued events even when certificates are issued immediately. Before, you could only receive certificate issued events for certificates that weren't issued immediately.
Learn more: Customize certificate issued events
CertCentral Services API: Choose a recipient when emailing site seal code
In the CertCentral Services API, we updated the Email site seal API endpoint. Now, when emailing site seal code, you can choose who receives the email by including the optional parameter recipient_email in your request. If omitted, DigiCert emails the site seal to the authenticated user (the user that owns the API key in the request).
Example cURL request:
curl 'https://www.digicert.com/services/v2/order/certificate/{{order_id}}/site-seal/email-seal' \
  --header 'X-DC-DEVKEY: {{api_key}}' \
  --header 'Content-Type: application/json' \
  --data-raw '{ "recipient_email": "john.doe@example.com" }'
For more information, visit the API reference documentation: Email site seal.
July 17, 2023
CertCentral Services API: Create and validate organizations with a single API request
We updated the CertCentral Services API documentation to describe how to create an organization and submit it for validation with a single API request. Learn more: Create organization.
Improve your organization validation workflows
Before this update, the API workflow to create an organization and submit it for validation required two API calls:
One to create the organization.
A second to submit the organization for validation.
The Services API still supports this workflow. However, if you know the intended use for an organization at the time of its creation, we recommend performing both of these operations in the same request. Consider updating your integration if you need to improve latency for your end-users, avoid rate limiting, or reduce the number of requests you submit to the Services API for another reason.
July 11, 2023
CertCentral Services API: Remove unexpected data from Order info response
On July 11, 2023, at 10:00 MDT (16:00 UTC), DigiCert will fix an issue causing the Order info API endpoint to return unexpected verified_contacts data. We will restore the Order info response to its original behavior and stop returning verified_contacts inside the organization object.
To get verified contacts for an organization, use the Organization endpoints:
Example Order info response before and after July 11
Before the fix
Truncated JSON response with organization.verified_contacts[] array:
{
  ...
  "organization": {
    "id": 12345,
    "name": "Example Organization, LLC",
    "display_name": "Example Organization, LLC",
    "is_active": true,
    "city": "Saratoga Springs",
    "state": "Utah",
    "country": "us",
    "telephone": "555-555-5555",
    "verified_contacts": [
      {
        "id": 1234,
        "user_id": "5678",
        "name": "John Doe",
        "first_name": "John",
        "last_name": "Doe",
        "job_title": "Developer",
        "telephone": "555-555-5555",
        "email": "john.doe@example.com"
      }
    ]
  },
  ...
}
After the fix
Truncated JSON response without organization.verified_contacts[] array:
{
  ...
  "organization": {
    "id": 12345,
    "name": "Example Organization, LLC",
    "display_name": "Example Organization, LLC",
    "is_active": true,
    "city": "Saratoga Springs",
    "state": "Utah",
    "country": "us",
    "telephone": "555-555-5555"
  },
  ...
}
July 8, 2023
Upcoming scheduled global maintenance
DigiCert will perform scheduled maintenance on July 8, 2023, 22:00 – 24:00 MDT (July 9, 2023, 04:00 – 06:00 UTC). Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.
Upcoming scheduled Europe maintenance
DigiCert will perform scheduled maintenance on July 8, 2023, 09:00 – 11:00 MDT (15:00 – 17:00 UTC). Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.
June 13, 2023
CertCentral Services API: Update order-level organization and technical contact
In the CertCentral Services API, we added a new endpoint that you can use to update the order-level organization and technical contact for existing certificate orders.
Use the new endpoint to perform these operations:
Add an order-level technical contact.
Replace or modify the existing order-level technical contact.
Replace or modify the existing order-level organization contact.
For usage information, parameter descriptions, and example requests, visit the API reference: Update organization and technical contact for an order.
June 6, 2023
CertCentral admin can set client certificate CSR policy for all organization users
CertCentral admins can now establish an organization-wide setting for users to follow when requesting client certificates. The options are:
Require user to paste or upload CSR
User must have a CSR at time of enrollment.
Require email recipient to generate CSR in browser
The user can postpone CSR generation by naming an email recipient, who will be prompted to create the CSR and certificate.
No preference
User can choose to enter a CSR or leave the CSR field empty (requiring the email recipient to generate the CSR).
June 3, 2023
Scheduled global maintenance
Some DigiCert services will experience service delays and performance degradation during scheduled maintenance on June 3, 2023, 22:00 – 24:00 MDT (June 4, 2023, 04:00 – 06:00 UTC).
Infrastructure maintenance-related service delay and performance degradation
The infrastructure maintenance starts at 22:00 MDT (04:00 UTC). Then for approximately 10 minutes, the services listed below will experience service delays and performance degradation that affect:
CertCentral® and Services API
Certificate Issuing Service (CIS)
CertCentral Simple Certificate Enrollment Protocol (SCEP)
Direct Cert Portal and API
API notes
Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.
What can I do?
Plan accordingly:
Schedule high-priority orders, renewals, and reissues before or after the maintenance window.
Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.
To get live maintenance updates, subscribe to the DigiCert Status page. This subscription includes email alerts for when maintenance starts and when maintenance ends.
See the DigiCert global 2023 maintenance schedule for scheduled maintenance dates and times.
Services will be restored as soon as the maintenance is completed.
Upcoming scheduled Europe maintenance
Some DigiCert services will be down for up to 60 minutes during scheduled maintenance on June 3, 2023, 09:00 – 11:00 MDT (15:00 – 17:00 UTC).
DigiCert ONE infrastructure maintenance-related downtime
The DigiCert ONE infrastructure maintenance starts at 09:00 MDT (15:00 UTC). At that time, DigiCert ONE Netherlands and Switzerland instances, along with access to their managers, services, and APIs, will be down for up to 60 minutes.
DigiCert ONE Netherlands instance
Trust Lifecycle Manager
IoT Trust Manager
Software Trust Manager
Document Trust Manager
CA Manager
Account Manager
DigiCert ONE Switzerland instance
Trust Lifecycle Manager
IoT Trust Manager
Software Trust Manager
Document Trust Manager
CA Manager
Account Manager
API note
APIs will return "503 services unavailable" errors.
Requests placed during this window that receive a "503 services unavailable" error message will need to be placed again after services are restored.
What can I do?
Plan accordingly:
Schedule high-priority orders, renewals, and reissues before or after the maintenance window.
Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.
To get live maintenance updates, subscribe to the DigiCert Status page. This subscription includes email alerts for when maintenance starts and when maintenance ends.
See the DigiCert Europe 2023 maintenance schedule for maintenance dates and times.
Services will be restored as soon as the maintenance is completed.
June 1, 2023
Code signing certificates: New private key storage requirement
Starting on June 1, 2023, at 00:00 UTC, industry standards will require private keys for code signing certificates to be stored on hardware certified as FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent.
DigiCert’s timeline to meet the new private key storage requirement
DigiCert’s timeline ensures we update our code signing certificate process so that private keys for code signing certificates are stored on hardware certified as FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent by May 30, 2023.
Our timeline also allows you to transition to the supported provisioning methods by May 16, 2023.
Learn more about the DigiCert code signing certificate change timeline
CertCentral Services API: Webhooks
CertCentral supports webhook notifications when a certificate is issued or revoked.
You can now receive notifications for certificate events without regularly querying the Orders API for certificate status. Your external application (listener) can wait to receive notification that the certificates are ready, then send a callback request to download the certificate or programmatically alert the certificate owner.
Learn more: CertCentral webhooks
May 30, 2023
Code Signing certificate changes
CertCentral: Authenticate webhook events with secret keys
We are happy to announce that you can now add custom secret keys to CertCentral webhooks. With secret keys, you can ensure the authenticity of webhook events, enhancing the security of your webhook listener.
How webhook secret keys work
When creating or updating a webhook, you can choose to add a custom secret key. If a webhook has a secret key, webhook events include the secret key value in the custom request header X-WEBHOOK-KEY.
To prevent your webhook listener from processing invalid events, configure the endpoint for your webhook listener to validate the X-WEBHOOK-KEY value for each event it receives.
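One way to implement the X-WEBHOOK-KEY check in a listener, shown as an added example that is not DigiCert's code. The environment variable name CERTCENTRAL_WEBHOOK_KEY, the 1 MiB body cap, the port and the function names are assumptions; the sample key in the comments is constructed.

```python
import hmac
import json
import os
from http.server import BaseHTTPRequestHandler, HTTPServer

KEY_HEADER = "x-webhook-key"   # header names are case-insensitive
MAX_BODY = 1 << 20             # assumed cap on event size (1 MiB)


def is_authentic(header_pairs, expected_key: str) -> bool:
    """True only if exactly one X-WEBHOOK-KEY header matches the secret."""
    if not expected_key:
        return False  # fail closed when the listener has no secret configured
    supplied = [value for name, value in header_pairs
                if name.lower() == KEY_HEADER]
    if len(supplied) != 1:
        return False  # missing or duplicated header
    # Constant-time comparison: response timing must not reveal how many
    # leading characters of a guessed key were correct.
    return hmac.compare_digest(supplied[0].encode("utf-8"),
                               expected_key.encode("utf-8"))


def handle_event(header_pairs, body: bytes, expected_key: str):
    """Authenticate first, parse second. Returns (http_status, event_name)."""
    if not is_authentic(header_pairs, expected_key):
        return 401, None
    try:
        name = json.loads(body)["event"]
    except (ValueError, KeyError, TypeError):
        return 400, None
    return 200, name


class WebhookHandler(BaseHTTPRequestHandler):
    """Minimal listener. The header carries the secret itself, so run this
    behind TLS and never log request headers."""

    def do_POST(self):
        try:
            length = int(self.headers.get("Content-Length", "0"))
        except ValueError:
            length = -1
        if length < 0 or length > MAX_BODY:
            self.send_response(413)
            self.end_headers()
            return
        body = self.rfile.read(length)
        status, name = handle_event(
            self.headers.items(), body,
            os.environ.get("CERTCENTRAL_WEBHOOK_KEY", ""),  # assumed variable name
        )
        if status == 200:
            self.log_message("accepted event %s", name)
        self.send_response(status)
        self.end_headers()


if __name__ == "__main__":
    # Constructed local setup: export CERTCENTRAL_WEBHOOK_KEY before starting.
    HTTPServer(("127.0.0.1", 8080), WebhookHandler).serve_forever()
```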
Learn more:
May 20, 2023
CertCentral Services API: Update for Encryption Everywhere DV order requests
In the CertCentral Services API, we updated the request body for creating an Encryption Everywhere DV order to stop using the use_auth_key parameter. Now, DigiCert always ignores the use_auth_key parameter in your requests to create an Encryption Everywhere DV order.
How does AuthKey domain validation work for Encryption Everywhere DV orders?
When you submit an Encryption Everywhere DV order request, DigiCert checks to see if an AuthKey exists in your CertCentral account.
AuthKey exists for the account
DigiCert automatically checks the DNS records for AuthKey request tokens. If we find a valid AuthKey request token for each domain on the order, we validate the domains and the API returns your issued certificate. Otherwise, the API returns an error.
No AuthKey exists for the account
The API returns an error. You must create an AuthKey before you can request Encryption Everywhere DV certificates.
Learn more about using AuthKey request tokens: DV certificate immediate issuance.
Background
For Encryption Everywhere DV certificates, DigiCert has always required completing domain control validation using AuthKey request tokens. A change we released on May 16, 2023 made it possible to pass in a false value for the use_auth_key parameter when creating an Encryption Everywhere DV order.
Now, for Encryption Everywhere DV orders, we use the certificate type to trigger the AuthKey request token check instead of looking for the use_auth_key parameter. This change makes the API easier to use and prevents Encryption Everywhere DV orders from being created in a state where the domains cannot be validated and the order must be rejected.
May 16, 2023
CertCentral Services API: New use_auth_key default for DV certificate requests
Note
Update: We are postponing these changes until May 16, 2023. We originally planned to release this update on May 10, 2023.
On May 16, 2023, at 10:00 AM MDT (16:00 UTC), DigiCert will change the default behavior for DV TLS/SSL orders in CertCentral accounts using AuthKeys.
Starting May 16, DV TLS certificate orders and reissues created with the CertCentral Services API will always use a default value of false for the use_auth_key request parameter.
After this change, to validate domains on a DV order or reissue using AuthKey request tokens, you must include the use_auth_key parameter with a true value in the body of your certificate request:
{
  ...
  "use_auth_key": true
  ...
}
Note
Today, if an AuthKey exists in your account, DigiCert uses AuthKey request tokens to validate domains on DV TLS/SSL orders and reissues by default. To opt out of this default, you must include the use_auth_key parameter with a value of false in your DV certificate order requests.
How does this affect me?
Starting May 16, for DV TLS orders and reissues that omit the use_auth_key request parameter, DigiCert will stop using AuthKey request tokens to complete domain validation.
For all DV products except Encryption Everywhere DV, DigiCert will still accept the request. However, we will not check domains on the order for an AuthKey request token. This means we cannot immediately complete domain validation and return the certificate data in the API response. Instead, the API will return a random value (dcv_random_value) that you can use to complete domain validation after the order is created:
{ "id": 123456, "certificate_id": 123456, "dcv_random_value": "icru1984rnekfj" }
For Encryption Everywhere DV certificates (ssl_dv_ee), DigiCert will reject the order. Domains on Encryption Everywhere DV certificates can only be validated using AuthKey request tokens.
What do I need to do?
First, see if this change affects your API client integration.
This change affects you if you meet all of the following criteria:
Your CertCentral account has an AuthKey.
To check if an AuthKey exists in your account, use the AuthKey details endpoint.
You use the API to request or reissue any of these DV SSL/TLS certificates:
Product identifier | Name |
---|---|
ssl_dv_geotrust | GeoTrust Standard DV SSL Certificate |
ssl_dv_rapidssl | RapidSSL Standard DV SSL Certificate |
ssl_dv_thawte | Thawte SSL123 DV |
ssl_dv_ee | Encryption Everywhere DV |
wildcard_dv_geotrust | GeoTrust Wildcard DV SSL Certificate |
wildcard_dv_rapidssl | RapidSSL Wildcard DV SSL Certificate |
cloud_dv_geotrust | GeoTrust Cloud DV |
ssl_dv_geotrust_flex | GeoTrust DV SSL |
Next, update your code.
Review any requests to the Services API that create a DV certificate order or reissue for domains you want to validate with an AuthKey request token. See if these requests already include the use_auth_key parameter with a true value.
If yes:
No action is required. After May 16, 2023, DigiCert will continue using AuthKey request tokens to validate the domains on your orders and reissues.
If not:
Before May 16, 2023, update your requests to include the use_auth_key parameter with a true value:
{ ... "use_auth_key": true ... }
Why is DigiCert making this change?
To improve security. By default, the API should assume clients want to complete DCV using DigiCert-generated random values. DigiCert should only check for user-generated AuthKey request tokens when clients explicitly request this behavior.
To make the API more deterministic and easier to use. After this change, API requests that omit the use_auth_key parameter will always generate the same results, regardless of whether an AuthKey exists in the account.
To align our system with future API enhancements. This change makes it possible to deliver enhancements that behave the same way for different product types.
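The request review described in this entry, as an added example (not DigiCert code): a Python check that classifies planned DV request bodies by what the May 16, 2023 default does to them. The outcome labels, function names, the strict boolean check and the sample requests are constructed for illustration, and the account is assumed to have an AuthKey.

```python
import json

# Product identifiers copied from the table in this entry.
DV_PRODUCTS = frozenset({
    "ssl_dv_geotrust", "ssl_dv_rapidssl", "ssl_dv_thawte", "ssl_dv_ee",
    "wildcard_dv_geotrust", "wildcard_dv_rapidssl",
    "cloud_dv_geotrust", "ssl_dv_geotrust_flex",
})
EE_DV = "ssl_dv_ee"

# Outcomes that deserve a look before the default changes (labels are this example's own).
REVIEW = frozenset({"changed_to_random_value", "ee_requires_authkey", "invalid_value"})


def classify(product, body):
    """Classify one request body (a dict) for the given product identifier.

    Rules follow the May 16, 2023 entry:
      - use_auth_key true      -> AuthKey request tokens are checked, as before
      - use_auth_key omitted   -> now treated as false
      - non-EE DV, no AuthKey  -> order accepted, API returns dcv_random_value
      - ssl_dv_ee, no AuthKey  -> order rejected (EE DV validates only via AuthKey)
    """
    if product not in DV_PRODUCTS:
        return "not_affected"
    present = "use_auth_key" in body
    # Assumption of this checker: anything other than a JSON boolean is flagged
    # rather than guessed at.
    if present and not isinstance(body["use_auth_key"], bool):
        return "invalid_value"
    if present and body["use_auth_key"] is True:
        return "authkey_unchanged"
    if product == EE_DV:
        return "ee_requires_authkey"
    if present:
        return "opt_out_unchanged"          # explicit false: same result before and after
    return "changed_to_random_value"        # omitted: AuthKey before, random value after


def audit(planned):
    """planned: iterable of (label, product, raw_json). Returns the entries to review."""
    findings = []
    for label, product, raw in planned:
        outcome = classify(product, json.loads(raw))
        if outcome in REVIEW:
            findings.append((label, product, outcome))
    return findings


# Constructed sample requests; "some_ov_product" is a hypothetical non-DV identifier.
PLANNED = [
    ("geotrust-new", "ssl_dv_geotrust",
     '{"certificate": {"common_name": "example.com"}}'),
    ("rapidssl-reissue", "ssl_dv_rapidssl",
     '{"certificate": {"common_name": "example.net"}, "use_auth_key": true}'),
    ("ee-new", "ssl_dv_ee",
     '{"certificate": {"common_name": "example.org"}}'),
    ("thawte-optout", "ssl_dv_thawte",
     '{"certificate": {"common_name": "example.com"}, "use_auth_key": false}'),
    ("ov-new", "some_ov_product",
     '{"certificate": {"common_name": "example.com"}}'),
]

if __name__ == "__main__":
    for label, product, outcome in audit(PLANNED):
        print(f"{label}: {product} -> {outcome}")
```
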
Code Signing certificate changes
May 9, 2023
CertCentral Services API: Added support for order-level organization contacts
To give API clients more control over the contacts assigned to new and renewal orders, we updated the CertCentral Services API to support order-level organization contacts.
Now, when requesting or renewing a certificate, you can assign an organization and technical contact directly to the order instead of using the contacts assigned to the organization on the request. If you do, DigiCert creates the order using the order-level contacts. The organization and technical contact for the organization remain unchanged.
Note
Before, DigiCert always created orders using the organization contact assigned to the organization on the order. Creating an order with a different organization contact required replacing the organization contact for the organization.
To submit an order-level organization and technical contact with your order, include the organization_contact and technical_contact objects at the root of your JSON request body. If omitted, DigiCert uses the organization and technical contact assigned to the organization on the order.
Example JSON request
{ "certificate": { "common_name": "example.net", "csr": "<csr>" }, "organization_contact": { "first_name": "Jane", "last_name": "Doe", "job_title": "Manager", "telephone": "555-555-5555", "email": "jane.doe@example.com" }, "technical_contact": { "first_name": "John", "last_name": "Doe", "job_title": "Site Reliability Engineer", "telephone": "555-555-5556", "email": "john.doe@example.com" }, "organization": { "id": <organization_id> }, "order_validity": { "years": 6 }, "payment_method": "balance" }
Supported products
The API supports the option to add an order-level organization contact for all certificates that require an organization contact.
May 6, 2023
Scheduled global maintenance
DigiCert will perform scheduled maintenance on May 6, 2023, 22:00 – 24:00 MDT (May 7, 2023, 04:00 – 06:00 UTC).
Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.
Services will be restored as soon as the maintenance is completed.
Upcoming scheduled Europe maintenance
Some DigiCert services will be down for up to 60 minutes during scheduled maintenance on May 6, 2023, 09:00 – 11:00 MDT (15:00 – 17:00 UTC).
DigiCert ONE infrastructure-related maintenance downtime
The DigiCert ONE infrastructure-related maintenance starts at 15:00 UTC. At that time, DigiCert ONE Netherlands and Switzerland instances, along with access to their managers, services, and APIs, will be down for up to 60 minutes.
DigiCert ONE Netherlands instance
Trust Lifecycle Manager
IoT Trust Manager
Software Trust Manager
Document Trust Manager
CA Manager
Account Manager
DigiCert ONE Switzerland instance
Trust Lifecycle Manager
IoT Trust Manager
Software Trust Manager
Document Trust Manager
CA Manager
Account Manager
API notes
APIs will return "503 services unavailable" errors.
Requests placed during this window that receive a "503 services unavailable" error message will need to be placed again after services are restored.
Services will be restored as soon as the maintenance is completed.
May 2, 2023
Code Signing certificate changes
April 25, 2023
Secure email certificates for individuals and businesses
We are happy to announce that DigiCert is now offering enhanced Secure Email Certificates (S/MIME) at two levels, Secure Email for Individual and Secure Email for Business.
These certificates offer:
Secure email encryption and signing
Validation that your emails come from you
Secure Email for Individual is automatically validated and quick to generate – you can begin using your certificate within minutes.
Secure Email for Business includes an extra level of validation, authenticating your organization as an email sender, and includes support options.
To add these certificates to your CertCentral account, select Secure email certificates on the request page.
Don’t see Secure Email for Individual and Secure Email for Business in your account? Contact your account manager or DigiCert Support.
Note
Not available in Japan.
April 19, 2023
CertCentral Orders page: Improved order status search
We updated the Issued filter in the Order Status search feature on the CertCentral Orders page to only return your issued certificates. Previously, the issued filter returned issued, renewed, expired, and reissue pending orders in the search results, making it difficult to find only your issued certificates.
See for yourself
In the left main menu, go to Certificates > Orders.
On the Orders page, in the Order Status dropdown, select Issued and then select Go.
How the Order Status filter works
When using the Order Status search feature, you can only use one filter at a time. See the table below for information on the results that each filter returns in its search.
For multiple status searches, leave the Order Status search as Unfiltered and download a CSV file. You can also use the Reports library to build a custom report (in the left main menu, go to Reports).
Filter | Search results |
---|---|
Active | Issued, pending, and pending reissue certificates |
Issued | Issued certificates |
Pending | Pending certificates |
Reissue pending | Reissue pending certificates |
Revoked | Revoked orders |
Rejected | Rejected pending certificates |
Expired | Expired certificates and orders |
Renew | Renewed certificates |
April 11, 2023
CertCentral Services API: Enhanced response when editing domains on an OV or EV certificate order
We improved how the API returns data when using the endpoint to edit domains on pending OV or EV orders and reissues. After this change, when editing domains on a pending OV or EV order:
A successful request returns a response status code of 200 OK.
The API returns a list of domains with an object for each domain on the order. Each object has the name and id of the domain in your account that you must validate to prove control over the domain on the order.
Before this change, successful requests to edit domains on pending OV or EV orders and reissues returned a response status code of 204 No Content. The response did not include any data, even if the request created new domains in your account.
Note
There is no change to the API behavior when updating domains on DV orders. Successful requests to edit domains on DV orders continue to return a response status code of 204 No Content.
Example response for a successful call to edit domains on a pending OV or EV order:
In this example, every domain (dns_name) on the order is submitted for validation under the scope of the base domain example.org. This means each object in the domains array returns the name and id for example.org.
Learn more: Edit domains on a pending order or reissue
April 8, 2023
Scheduled global maintenance
Some DigiCert services will be down or experience delayed responses for up to 10 minutes during scheduled maintenance on April 8, 2023, 22:00 – 24:00 MDT (April 9, 04:00 – 06:00 UTC).
Infrastructure-related maintenance downtime
The infrastructure-related maintenance starts at 22:05 MDT (04:05 UTC). At that time, the services listed below will be down for up to 10 minutes.
Affected services
Certificate Issuing Service (CIS) and CertCentral Simple Certificate Enrollment Protocol (SCEP)
Certificate requests submitted during this time will fail.
Resubmit failed requests after services are restored.
CertCentral certificate issuance
Certificate requests submitted during this time will fail.
Resubmit failed requests after services are restored.
CertCentral Automation
Reschedule automation events around maintenance.
Retry failed events after services are restored if events cannot be rescheduled.
QuoVadis® TrustLink® certificate issuance
TrustLink certificate requests submitted during this time will fail.
Resubmit failed requests after services are restored.
Direct Cert Portal certificate issuance
Certificate requests submitted during this time will fail.
Resubmit failed requests after services are restored.
PKI Platform 8 new domain and organization validation
New domains and organizations submitted for validation during this time will be delayed.
Requests will be queued and processed after services are restored.
What can I do?
Plan accordingly:
Schedule high-priority orders, renewals, and reissues before or after the maintenance window.
Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.
To get live maintenance updates, subscribe to the DigiCert Status page. This subscription includes email alerts for when maintenance starts and when maintenance ends.
See the DigiCert global 2023 maintenance schedule for scheduled maintenance dates and times.
Services will be restored as soon as the maintenance is completed.
Upcoming scheduled Europe maintenance
Some DigiCert services will be down for up to 10 minutes during scheduled maintenance on April 8, 2023, 09:00 – 11:00 MDT (15:00 – 17:00 UTC).
CertCentral Infrastructure-related maintenance downtime
The infrastructure-related maintenance starts at 10:05 MDT (16:05 UTC). At that time, CertCentral certificate issuance may be down or experience delayed response for up to 10 minutes.
Items to note:
Certificate requests submitted during this time will fail.
Resubmit failed requests after services are restored.
What can I do?
Plan accordingly:
Schedule high-priority orders, renewals, and reissues before or after the maintenance window.
Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.
To get live maintenance updates, subscribe to the DigiCert Status page. This subscription includes email alerts for when maintenance starts and when maintenance ends.
See the DigiCert Europe 2023 maintenance schedule for scheduled maintenance dates and times.
Services will be restored as soon as the maintenance is completed.
March 28, 2023
CertCentral: Value added tax (VAT) numbers
We are happy to announce that CertCentral now allows you to add a value added tax (VAT)* number to all your transactions, such as purchasing a certificate and depositing funds. DigiCert will append the VAT number supplied as a reference on payment records. Remember that if you do not provide your VAT number, your orders may include unexpected taxes that would have been excluded had you provided the VAT ID number.
Important
VAT numbers are not supported by DigiCert USA and DigiCert Japan billing entities. Contact your account manager to learn more about your account’s billing entity.
You can add a VAT number to your account or division. When requesting a certificate, depositing funds, and creating a purchase order, you can use the account or division VAT number or add a custom VAT number that applies to that transaction only. The VAT number appears on your invoice/receipts and purchase orders (POs).
Important
DigiCert’s inclusion of VAT numbers in payment documentation is for customers’ use and convenience only. DigiCert does not validate the VAT numbers and is not responsible for inaccurate information provided by customers. See DigiCert’s Master Service Agreement.
CertCentral: Taxes included split out on monthly auto-invoices for negative account balances
For CertCentral customers with negative account balances, we have updated your monthly invoice to display the total amount due and how much is from sales tax. Additionally, the monthly auto-invoices will now display the customer's value added tax (VAT) ID number if they have provided it in their CertCentral account.
For customers where sales tax is required by local law, the monthly auto-invoices have always included the taxes charged as part of each purchase in the total invoice amount. However, until now, monthly auto-invoices did not split out how much of the total invoice was taxed.
CertCentral Services API: Enhanced Order validation status response
In the CertCentral Services API, we updated the Order validation status API to return a new response parameter for domains pending validation: dns_name_validations[].name_scope.
The name_scope parameter returns the domain you must validate to prove control over the domain on the certificate order. This is useful when you need to validate a domain on the certificate by completing a DCV check for either the base domain or for a subdomain between the FQDN and base domain.
For example:
{ ... "dns_name_validations": [ { "name_scope": "sub.example.com", "status": "unapproved", "method": "email", "dns_names": [ "sub.example.com" ], "base_domain": "example.com" } ] ... }
Notes:
For all orders, the API omits the dns_name_validations[].name_scope parameter for validated (approved) domains.
For DV orders, the API returns a dns_name_validations[].name_scope parameter for all pending (unapproved) domains.
For OV and EV orders, the API omits the dns_name_validations[].name_scope parameter unless the order specifies a domain-level validation scope for the domain. To validate domains with no name_scope, use the domain validation scope chosen for the order (order_name_scope).
CertCentral Services API: Bugfix for API endpoint to get DV order validation status
Note
Update: We are postponing these changes until March 28, 2023. We originally planned to release this update on March 22, 2023.
On March 28, 2023, at 10:00 MDT (16:00 UTC), DigiCert will fix a bug with the Order validation status API endpoint. This bug causes the API to return different values for DV TLS orders versus OV and EV TLS orders in the dns_name_validations[].dns_names array.
Starting March 28, the dns_name_validations[].dns_names array in the Order validation status API response will always contain the exact FQDN associated with the given validation details.
This fix standardizes what is returned for DV, OV, and EV TLS orders in the dns_name_validations[].dns_names array. It also aligns the API behavior with the description of the dns_names array in the API documentation.
Currently:
For DV orders, the dns_name_validations[].dns_names array contains the domain that was submitted for validation. Depending on the DCV scope set for the order, the domain submitted for validation may be a higher-level domain than the FQDN on the order.
For OV and EV TLS orders, the dns_name_validations[].dns_names array already contains the exact FQDN on the order.
What do I need to do?
Check your code to determine if this change affects your API integration.
This change affects you if you meet all of the following criteria:
You use the Order validation status API endpoint to get the validation status of DV orders.
Your integration expects the API to return a dns_name_validations[].dns_names array with the domain name submitted for validation instead of the exact FQDN on the order.
Determine if action is required.
Do you meet all of the criteria listed above?
If not, no action is required. You can safely ignore this change.
If yes, update your code before March 28, 2023.
Wherever you handle response data from the Order validation status endpoint, make sure your integration always expects the dns_name_validations[].dns_names array to contain the exact FQDN from the order.
Warning
Failing to update your code may result in unexpected behavior after we make this change.
Examples
This example shows how the dns_name_validations[].dns_names array will change. Each JSON object shows what the Order validation details API returns when querying a DV order for the FQDNs sub.example.net and sub.example.org. The order in this example uses a DCV scope of base domain.
Before March 28, 2023 bugfix | After March 28, 2023 bugfix |
---|---|
{ ... "dns_name_validations": [ { "status": "unapproved", "method": "email", "dns_names": [ "example.net" ], "base_domain": "example.net" }, { "status": "unapproved", "method": "email", "dns_names": [ "example.org" ], "base_domain": "example.org" } ] ... } | { ... "dns_name_validations": [ { "status": "unapproved", "method": "email", "dns_names": [ "sub.example.net" ], "base_domain": "example.net" }, { "status": "unapproved", "method": "email", "dns_names": [ "sub.example.org" ], "base_domain": "example.org" } ] ... } |
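An added example (not DigiCert code) of response handling that gives the same answer before and after this fix and honors name_scope from the entry above: the domain to validate comes from name_scope or from the order's scope, and dns_names is used only as the name being covered. The order_scope labels "base" and "exact", the function names and the consistency check are assumptions of this example; the sample responses are the page's own with the elided fields dropped.

```python
import json

# Sample responses from this page's examples, without the elided ("...") fields.
BEFORE_FIX = json.loads("""{"dns_name_validations": [
  {"status": "unapproved", "method": "email",
   "dns_names": ["example.net"], "base_domain": "example.net"},
  {"status": "unapproved", "method": "email",
   "dns_names": ["example.org"], "base_domain": "example.org"}]}""")

AFTER_FIX = json.loads("""{"dns_name_validations": [
  {"status": "unapproved", "method": "email",
   "dns_names": ["sub.example.net"], "base_domain": "example.net"},
  {"status": "unapproved", "method": "email",
   "dns_names": ["sub.example.org"], "base_domain": "example.org"}]}""")

WITH_NAME_SCOPE = json.loads("""{"dns_name_validations": [
  {"name_scope": "sub.example.com", "status": "unapproved", "method": "email",
   "dns_names": ["sub.example.com"], "base_domain": "example.com"}]}""")


def is_within(name, scope):
    """True when name equals scope or is a subdomain of it (label-aligned match)."""
    name = name.lower().rstrip(".")
    scope = scope.lower().rstrip(".")
    return name == scope or name.endswith("." + scope)


def validation_targets(response, order_scope):
    """Return [(name, domain_to_validate, source)] for every pending name.

    order_scope is this example's own label for the DCV scope chosen for the
    order: "base" (validate base domains) or "exact" (validate exact names).
    It is not an API value.
    """
    if order_scope not in ("base", "exact"):
        raise ValueError("order_scope must be 'base' or 'exact'")
    results = []
    for entry in response.get("dns_name_validations", []):
        if entry.get("status") == "approved":
            continue  # already validated; the API omits name_scope here
        for name in entry.get("dns_names", []):
            if entry.get("name_scope"):
                target, source = entry["name_scope"], "name_scope"
            elif order_scope == "base":
                target, source = entry["base_domain"], "order scope"
            else:
                target, source = name, "order scope"
            # Refuse to act on a target that does not cover the name: completing
            # DCV for an unrelated domain would validate the wrong thing.
            if not is_within(name, target):
                raise ValueError(f"{target!r} does not cover {name!r}")
            results.append((name, target, source))
    return results


def unique_targets(response, order_scope):
    """Sorted, de-duplicated list of domains that still need a DCV check."""
    return sorted({target for _, target, _ in validation_targets(response, order_scope)})


if __name__ == "__main__":
    for label, resp in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        print(label, unique_targets(resp, "base"))
    print("name_scope", validation_targets(WITH_NAME_SCOPE, "base"))
```
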
March 15, 2023
DCV method information updates to Domain details pages
We updated the individual domain validation process (often referred to as domain prevalidation) to improve how we display the domain’s domain control validation (DCV) method.
Note that before, we always showed the last submitted DCV method. This wasn’t very clear for customers whose last submitted DCV method was different from the last method used to validate the domain.
Now, when a domain is pending validation or revalidation, we show the last submitted DCV method (in other words, the method currently being used to validate the domain). After you validate the domain, we show the DCV method last used to complete the validation.
CertCentral Services API: New Domain info response parameter
We added the dcv_approval_method parameter to the Domain info API response. This parameter returns the DCV method used to complete the most recent DCV check for the domain.
Note
This differs slightly from the value of the dcv_method response parameter, which returns the latest DCV method configured for the domain. When using a different DCV method to revalidate a domain, the latest DCV method configured for the domain (dcv_method) may differ from the DCV method used to complete the most recent DCV check (dcv_approval_method).
We only return the dcv_approval_method parameter when the request URL contains ?include_dcv=true.
March 8, 2023
DigiCert moving to G2 root and intermediate CA (ICA) certificate hierarchies
Update:
To provide more time to increase our fifth-generation (G5) root ubiquity, DigiCert has delayed our move to our new single-purpose root and ICA certificate hierarchies. Instead, we will move to second-generation root and ICA certificate hierarchies in the interim to comply with Mozilla’s root distrust timeline for DigiCert first-generation root certificates.
On March 8, 2023, at 10:00 MST (17:00 UTC), DigiCert will begin updating the default public issuance of TLS/SSL certificates to our second-generation (G2) root and intermediate CA (ICA) certificate hierarchies. See our DigiCert root and intermediate CA certificate updates 2023 knowledge base article for more information.
How does switching root and ICA certificates affect me?
Switching to a different certificate hierarchy typically doesn't require additional work as long as you always install the DigiCert-provided ICA certificate when installing your TLS certificate.
With the change to G2 certificate hierarchies, no action is required unless you do any of the following:
Pin ICA/Root certificates
Hard-code the acceptance of ICA/Root certificates
Operate a trust store
If you do any of the above, we recommend updating your environment before March 8, 2023. Stop pinning or hard-coding root or ICA certificate acceptance or make the necessary changes to ensure certificates issued from the G2 certificate hierarchy are trusted (in other words, they can chain up to their trusted G2 root certificate).
How does switching root and ICA certificates affect my existing certificates?
Switching to the G2 hierarchy does not affect your existing certificates. DigiCert has timed the move to G2 root certificate hierarchies to ensure your existing certificates will not be affected by the Mozilla distrust policy. Active TLS/SSL certificates issued from a G1 hierarchy will remain trusted until they expire.
However, newly issued, renewed, reissued, and duplicate certificates issued after March 8, 2023, will chain to the G2 root hierarchy. When installing your certificates, make sure to include the DigiCert-provided ICA certificate.
What if I need more time to update my environment?
If you need more time to prepare, contact DigiCert Support. We will set up your account so you can continue to use the root and ICA certificates you are using now.
When deciding how long to stay on your current root, remember that Mozilla root distrust includes the ICA certificate and TLS/SSL certificates linked to the root. To remain trusted, all active certificates, including reissues and duplicates, must be reissued from a G2 or newer root hierarchy before the root certificate distrust date.
March 4, 2023
Upcoming scheduled maintenance
Some DigiCert services will be down for approximately 5 minutes during scheduled Europe maintenance on March 4, 2023, 09:00 - 11:00 MST (16:00 - 18:00).
QuoVadis platform maintenance-related downtime
During the two-hour maintenance window, QuoVadis platform services will be down for approximately 5 minutes while we do some infrastructure-related maintenance that requires server restarts.
What can I do?
Schedule high-priority tasks before or after the maintenance windows.
Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.
To get live maintenance updates, subscribe to the DigiCert Status page. This subscription includes email alerts for when maintenance starts and when maintenance ends.
See the DigiCert Europe 2023 maintenance schedule for scheduled maintenance dates and times.
Services will be restored as soon as the maintenance is completed.
February 28, 2023
Verified Mark Certificates (VMC): Image and certificate file hosting and government marks
We are happy to announce that DigiCert has added two new features to our Verified Mark Certificates:
Government mark support
Instead of using a trademarked logo in your Verified Mark Certificate, you can now use a government mark.
Image and certificate file hosting
Instead of hosting the logo image and Verified Mark Certificate file yourself, you can now allow DigiCert to host the files on your behalf.
What are government marks?
A government mark is a logo that a government grants to an organization.
To get a VMC for a government mark, you provide your government mark’s enabling legislation instead of trademark registration. The law or government record that grants the logo to your organization proves the mark’s legitimacy to get a VMC.
What is image and certificate file hosting?
Our image and certificate file hosting feature allows DigiCert to host your VMC and SVG logo files on your behalf.
With DigiCert hosting, you set up your domain’s DNS record once, and then we keep your VMC and SVG logo files up-to-date. When you renew or reissue your certificate, we automatically push the latest version of your files to our hosted server with no changes required in your DNS or other configuration.
CertCentral Services API: Enhancements for VMC file hosting and government marks
To support VMC file hosting and government marks in API integrations, we made several additive enhancements to the endpoints for managing VMC orders.
Improvements to verified contacts selections when requesting SSL/TLS and code signing certificates
We are happy to announce that we have improved the verified contact selection process when ordering EV SSL/TLS, Code Signing, and EV Code Signing certificates.
Now when you select an organization with existing verified contacts, you can see if a contact is validated (green check mark) or pending validation (yellow timer). Before, you could not see the validation status for the organization’s verified contacts.
February 17, 2023
Verified Mark Certificates (VMC): Six new approved trademark offices
We are happy to announce that DigiCert now recognizes three more intellectual property offices for verifying the logo for your VMC certificate. These offices are in Denmark, France, Netherlands, New Zealand, Sweden, and Switzerland.
New approved trademark offices:
Denmark - Danish Patent and Trademark Office
France - French Patent and Trademark Office
Netherlands - Benelux Organization for Intellectual Property
New Zealand - Intellectual Property Office of New Zealand
Sweden - Swedish Intellectual Property Office
Switzerland - Swiss Federal Institute of Intellectual Property
Other approved trademark offices:
Australia - IP Australia
Brazil - National Institute of Industrial Property
Canada - Canadian Intellectual Property Office
European Union - European Union Intellectual Property Office
Germany - German Patent and Trade Mark Office
India - Office of the Controller General of Patents, Designs and Trade Marks
Japan - Japan Patent Office
Republic of Korea (South Korea) - Korean Intellectual Property Office
Spain - Spanish Patent and Trademark Office
United Kingdom - Intellectual Property Office
United States - United States Patent and Trademark Office
What is a Verified Mark Certificate?
Verified Mark Certificates (VMCs) are a new type of certificate that allows companies to place a certified brand logo next to the “sender” field in customer inboxes.
Your logo is visible before the message is opened.
Your logo acts as confirmation of your domain’s DMARC status and your organization’s authenticated identity.
February 15, 2023
New Dedicated IP addresses for DigiCert Services
Update: IP Address change postponed until February 15, 2023
When we sent notifications in June 2022 about the IP address change, one of the IP addresses was incorrect. The same IP address was incorrect in this change log. We fixed that, and the information in the change log has been corrected.
To provide you with time to verify and update the IP addresses in your allowlist, we have postponed the IP address change until February 2023.
What if I already updated my allowlists?
Verify that the IP addresses in your allowlist match those in the New dedicated IP Addresses list below.
On February 15, 2023, at 08:00 MST (15:00 UTC), DigiCert will assign new dedicated IP addresses to several DigiCert services.
For more details about these IP addresses, see our New Dedicated IP Addresses knowledge base article.
If you have questions or need help, contact your account manager or DigiCert Support.
February 14, 2023
Change log RSS feed returns
We are happy to announce that we’ve reimplemented the RSS Feed for the CertCentral® Change log. You can find the new change log feed here: https://docs.digicert.com/en/certcentral/change-log.rss.
RSS feed items to note
The RSS feed returns the 15 most recent change log entries.
To make upcoming changes easier to identify, we labeled them Upcoming changes.
The Change log RSS feed follows RSS 2.0 specifications and is compatible with RSS 2.0 compliant feed aggregators.
RSS feed reader tips
All major browsers have RSS feed extensions to automatically access your selected RSS feeds and organize the results for you.
The new RSS feed is also auto-discoverable from the Change log web page.

February 09, 2023
CertCentral: Improved OV and EV TLS certificate domain control validation
We are happy to announce that we updated the Prove control over your domain popup window for pending OV and EV TLS certificate orders, making it easier to see what you need to do to complete the domain validation for all domains included on your certificate.
Now, when you select a domain control validation (DCV) method, you can see basic instructions for completing the domain validation along with a link to more detailed instructions on our product documentation website.
CertCentral Services API: Expiration date now available for order-level DCV random values
We updated the CertCentral Services API to return the expiration date for order-level DCV random values.
Now, when you submit a request to the Get order DCV random value or Change order DCV method API endpoints, the response includes the expiration date (expiration_date) of the random value:
{ "dcv-random_value": "fjqr7th5ds", "expiration_date": "2023-02-24T16:25:52+00:00" }
February 4, 2023
Upcoming scheduled maintenance
Some DigiCert services will be down for up to 10 minutes during scheduled Europe maintenance on February 4, 2023, 09:00 - 11:00 MST (16:00 - 18:00)
QuoVadis platform maintenance-related downtime
During the two-hour maintenance window, QuoVadis platform services will be down for up to 10 minutes in total while we do some infrastructure-related maintenance that requires service restarts: 5 minutes for a monthly patching restart and 5 minutes for a database restart.
What can I do?
Plan accordingly:
Schedule high-priority tasks before or after the maintenance windows.
Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.
To get live maintenance updates, subscribe to the DigiCert Status page. This subscription includes email alerts for when maintenance starts and when maintenance ends.
See the DigiCert Europe 2023 maintenance schedule for scheduled maintenance dates and times.
Services will be restored as soon as the maintenance is completed.
January 25, 2023
CertCentral now supports SSO federation through OpenID Connect
To improve security and better integrate with current Single Sign-On technology, DigiCert now supports SSO federation through OpenID Connect (OIDC).
I already connect CertCentral to my identity provider using SAML. Do I need to switch to OIDC?
No, you can continue using your existing setup. However, you may wish to migrate to OIDC because it is easier to implement, works more smoothly on mobile devices, and is more accessible to APIs.
How do I connect my identity provider with CertCentral using OIDC?
January 23, 2023
CertCentral: Guest URL support for Verified Mark Certificates
We are happy to announce that we added Verified Mark Certificates (VMCs) to the available products for Guest URLs for CertCentral Enterprise and CertCentral Partner.
Previously, you had to add someone to your account before they could order a Verified Mark Certificate (VMC). Now, you can create a Guest URL that allows a person to order a VMC without needing to be a user in your account.
Bugfix: Pending verified contacts missing from Organization details pages
We fixed a bug that prevented pending verified contacts from being displayed on the Organization details page. Note that after we validated a contact, they were automatically added to the page (i.e., you could see the “validated” verified contacts but not those pending validation).
Now when you submit a verified contact for validation, they appear in the Verified Contacts section along with the pending validation types: EV, EV CS, or CS.

January 17, 2023
CertCentral: Set the domain validation scope when reissuing TLS certificates
We are happy to announce that you can now set the domain validation scope when reissuing your TLS/SSL certificates.
On the TLS/SSL certificate reissue forms, we added a DCV scope dropdown that allows you to set the domain validation scope to use when validating the domains on your reissued certificate: validate base domains or validate exact domain names. This setting makes it easier to see the default domain validation scope you will use to validate the domains when reissuing your certificate and update the scope if needed.
Note
The domain scope setting does not change the account domain validation scope setting. It only sets the domain validation scope for your reissued certificate.
January 16, 2023
CertCentral: Legacy order # renamed to Alternate order #
On January 16, we will rename Legacy order # in CertCentral. We will change the name to Alternate order # to better align with the API and the purpose of this second order number.
Note
Alternate order numbers do not replace the unique order number that DigiCert assigns to each order request.
CertCentral Services API
When ordering a certificate via the CertCentral Services API, you can assign a custom alphanumeric ID to an order by passing in the alternative_order_id parameter with your certificate request. Currently, CertCentral displays the alternative_order_id as the Legacy order #.
Legacy order number background
After DigiCert purchased Symantec’s TLS/SSL division, DigiCert implemented the Legacy order number as a way for customers to track their Symantec orders after importing them into CertCentral. This same feature is used by customers who want to use their own order numbers to track their CertCentral orders.
Additional information
See the Orders section of the CertCentral Services API to learn more about alternate order numbers. For example, on the Order Basic OV endpoint page, in the Request parameters table, you will find an alternative_order_id parameter entry. This entry provides more details about using alternate order numbers. The same information is provided in each of the Order endpoints.
January 13, 2023
Improvements to CertCentral change log structure
To make it easier to find information about updates to CertCentral and the CertCentral APIs, we improved the structure of the CertCentral change log. Now, DigiCert publishes all CertCentral change log entries to a single page with these sections:
Upcoming changes
Information about upcoming changes that could impact your CertCentral experience. Entries are sorted by date with the furthest pending change on top.
Recent changes
Information about recent changes made to CertCentral and the CertCentral APIs. Entries are sorted by date with the most recent change on top.
With the new structure, you can use Control + F (Windows) or Command + F (Mac) to search the entire catalogue of entries on this page for the information you need.
January 10, 2023
Bugfix: Users don’t see expiring certificate alerts in CertCentral
We fixed a bug that prevented standard and limited users from viewing the Expiring DigiCert Certificates widget on the Dashboard and the expiring certificate and order alerts on the Orders page. It also prevented them from viewing the Expiring Certificates page.
Note
This bug did not prevent these users from viewing their expiring certificates on the Orders page; it only prevented them from viewing the expiring certificate and order alerts.
Now, when standard and limited users sign in to their CertCentral account, they see:
Expiring DigiCert Certificates widget on the Dashboard (in the left main menu, select Dashboard)
Expiring certificate and order alerts on the Orders page (in the left main menu, go to Certificates > Orders)
Expiring Certificates page (in the left main menu, go to Certificates > Expiring Certificates)
January 7, 2023
Upcoming scheduled maintenance
Some DigiCert services will be down for up to 120 minutes during scheduled maintenance on January 7, 2023.
January 5, 2023
CertCentral: Improved Order details page for pending code signing certificate orders
DigiCert is happy to announce that we updated the Order details page for pending EV and standard code signing certificate orders.
To make it easier to see what you need to do and what DigiCert needs to do to issue your EV and standard code signing certificates, we added two new sections to the Certificate status section of the Order details page:
What do you need to do – see the tasks you need to complete
What does DigiCert need to do – see the tasks DigiCert needs to perform
January 4, 2023
CertCentral: Set the domain validation scope for your new TLS certificate orders
We are happy to announce that you can now set the domain validation scope when ordering a new TLS/SSL certificate.
On the TLS/SSL certificate request forms, we added a DCV scope dropdown that allows you to set the domain validation scope to use when validating the domains on your certificate: validate base domains or validate exact domain names. This setting makes it easier to see the default domain validation scope you will use to validate the domains on your certificate and update the scope if needed.
Note
The domain scope setting does not change the account domain validation scope setting. It only sets the domain validation scope for your certificate order.
CertCentral Services API: Set domain validation scope for new TLS certificate orders and reissues
We are happy to announce that you can now set the domain validation scope when ordering or reissuing a TLS/SSL certificate with the Services API. Use the certificate_dcv_scope parameter to define the domain validation scope for the order, overriding the domain validation scope setting for the account.
The certificate_dcv_scope parameter accepts these values:
base_domain: Validate each domain and subdomain in the request at the base domain level (for example, when submitting sub.example.com and example.com, validate example.com).
fqdn: Validate each domain and subdomain included in the order exactly as named in the request.
When using fqdn:
If a domain is a subdomain of another domain included on the order, complete the DCV check for the higher-level domain.
For OV and EV certificates only, if a higher-level domain exists in the account with an active validation, we validate the domain under the scope of the existing domain.
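December 31, 2022
DigiCert 2022 maintenance schedule
To make it easier for you to plan your certificate-related tasks, we scheduled our 2022 maintenance windows in advance. See DigiCert 2022 scheduled maintenance; this page always has the latest maintenance schedule information.
With customers all over the world, we understand that no single time is "right" for everyone. However, after reviewing the data on customer usage, we chose the times that affect the fewest customers.
About our maintenance schedule
Unless otherwise noted, maintenance is scheduled for the first weekend of each month.
Each maintenance window is scheduled for 2 hours.
Although we have redundancies to protect your services, some DigiCert services may be unavailable.
All normal operations resume once maintenance is completed.
To get live updates, subscribe to the DigiCert Status page. The subscription includes email alerts for when maintenance starts and when maintenance ends.
For more information about these maintenance windows, contact your account manager or the DigiCert support team.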
December 15, 2022
CertCentral: Single random value for completing DCV on OV and EV TLS certificate orders
To simplify the domain control validation (DCV) workflow for OV and EV TLS certificates, we've improved our random value generation process for OV and EV certificate orders.
Now, when using DCV methods that require a random value to complete the domain validation for your OV or EV TLS orders, you receive a single random value that you can use to complete the DCV check for every domain on the order.
Note
Before, DigiCert returned a unique random value for each domain submitted on the OV or EV TLS certificate order.
This change brings the DCV workflow for OV and EV orders into closer alignment with DV orders, which have always returned a single random value for all domains on the order.
Affected DCV methods:
HTTP Practical Demonstration (also known as File or FileAuth)
CertCentral Services API: DCV enhancements
To improve API workflows for clients using DCV methods that require a random value for OV and EV TLS certificate orders, we made the following enhancements to the CertCentral Services API.
Updated API response for creating OV and EV TLS certificate orders
We updated the data returned when you submit an order request:
New response parameter: dcv_random_value
Now, when you submit an OV or EV TLS certificate order request with a dcv_method of dns-txt-token, dns-cname-token, or http-token, the API returns a new top-level response parameter: dcv_random_value. This parameter contains a random value that you can use to complete the DCV check for every domain on the order.
Enhanced domains array
Now, when you submit an OV or EV TLS certificate order request with a DCV method of dns-txt-token, dns-cname-token, or http-token, the API returns a dcv_token object for every domain in the domains array.
Additionally, each domains[].dcv_token object now includes the same dcv_random_value that is used for the entire order. Before, we returned a different random value for each domain.
Note
Before, when you submitted an order for an OV or EV TLS certificate, the API response omitted the dcv_token object for these domains:
Domains validated under the scope of another domain on the order.
Domains that already existed in your account.
Subdomains of existing domains.
This example shows the updated API response for an OV TLS certificate request using a DCV method of dns-txt-token. For this example, the order includes these domains: example.com, sub.example.com, and example.org.
Updated API response for reissuing OV and EV TLS certificates
Now, when you reissue an OV or EV TLS certificate order request with a dcv_method of dns-txt-token, dns-cname-token, or http-token, the API returns a dcv_random_value that you can use to validate any domains added with the reissue request. For more information, visit the Reissue certificate API reference.
Note
Before, the Reissue certificate API endpoint only returned a dcv_random_value parameter for DV certificate reissues.
Added support for OV and EV TLS certificate orders to endpoints for managing order DCV
We updated the order-level endpoints for managing DCV to accept requests when the order_id path parameter contains the ID of an OV or EV TLS certificate order:
With this change, you can complete DCV for OV and EV TLS certificate orders with fewer API requests by calling the endpoints for managing DCV at the order-level instead of the domain-level.
Now, you can complete DCV checks for a domain using:
Any valid random value that exists for the domain (order-level or domain-level).
Either of the endpoints for checking DCV: Check domain DCV or Check order DCV.
Note
Before, the order-level endpoints for managing DCV only accepted requests when the order_id path parameter contained the ID of a DV certificate order. To manage DCV for individual domains on OV and EV TLS certificate orders, API clients had to use our domain-level endpoints:
Domain info API enhancements
We updated the Domain info API endpoint to return a new response parameter: higher_level_domains.
The higher_level_domains parameter contains a list of existing higher-level domains with a complete domain control validation (DCV) check for the same organization as the queried domain. Use this list to see if there are any domains in your account with active validations you can reuse to prove control over the queried domain.
For example, if you query the domain ID for demo.sub.example.com and you have already completed DCV checks for the domains sub.example.com and example.com in your account, the Domain info API returns a higher_level_domains array with this structure:
{
  ...
  "higher_level_domains": [
    {
      "name": "sub.example.com",
      "id": 4316203,
      "dcv_expiration_datetime": "2023-12-04T04:08:50+00:00"
    },
    {
      "name": "example.com",
      "id": 4316205,
      "dcv_expiration_datetime": "2023-12-04T04:08:49+00:00"
    }
  ],
  ...
}
To get the higher_level_domains array in your response data, you must submit a request to the Domain info API endpoint that includes the query string include_dcv=true:
https://www.digicert.com/services/v2/domain/{{domain_id}}?include_dcv=true
For more information, see the API reference: Domain info.
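The following added example (not DigiCert's code) shows one way a client could consume the higher_level_domains array described above: it keeps only entries that are true parents of the queried domain and whose validation has not expired, newest expiry first. The function names, the min_days_left safety margin, and the treatment of a timestamp without an offset as UTC are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone

# Endpoint and query string as given in the change log entry.
DOMAIN_INFO_URL = "https://www.digicert.com/services/v2/domain/{domain_id}?include_dcv=true"

# Constructed sample: only the higher_level_domains array, using the values
# from the change log example. The rest of the response is elided on the page.
SAMPLE_RESPONSE = {
    "higher_level_domains": [
        {"name": "sub.example.com", "id": 4316203,
         "dcv_expiration_datetime": "2023-12-04T04:08:50+00:00"},
        {"name": "example.com", "id": 4316205,
         "dcv_expiration_datetime": "2023-12-04T04:08:49+00:00"},
    ]
}


def domain_info_url(domain_id):
    """Build the Domain info URL that asks for DCV details."""
    return DOMAIN_INFO_URL.format(domain_id=int(domain_id))


def is_higher_level(parent, child):
    """True only when parent is a strict ancestor of child on a label boundary.

    A plain suffix test would accept "ub.example.com" as a parent of
    "demo.sub.example.com"; requiring the leading dot prevents that.
    """
    parent = parent.lower().rstrip(".")
    child = child.lower().rstrip(".")
    return bool(parent) and child != parent and child.endswith("." + parent)


def reusable_validations(queried_name, domain_info, now=None, min_days_left=0):
    """Return higher-level domains whose DCV can still be reused.

    Entries are dropped when they are not a parent of queried_name, when the
    timestamp is missing or unparsable, or when the validation expires within
    min_days_left days of `now` (hypothetical safety margin).
    """
    now = now or datetime.now(timezone.utc)
    cutoff = now + timedelta(days=min_days_left)
    usable = []
    for entry in domain_info.get("higher_level_domains") or []:
        name = entry.get("name", "")
        raw = entry.get("dcv_expiration_datetime")
        if not raw or not is_higher_level(name, queried_name):
            continue
        try:
            expires = datetime.fromisoformat(raw)
        except ValueError:
            continue
        if expires.tzinfo is None:
            # Assumption of this example: a timestamp without an offset is UTC.
            expires = expires.replace(tzinfo=timezone.utc)
        if expires <= cutoff:
            continue
        usable.append({
            "name": name,
            "id": entry.get("id"),
            "expires": expires,
            "days_left": (expires - now).days,
        })
    # Longest-lived validation first, so the caller re-validates as late as possible.
    usable.sort(key=lambda e: e["expires"], reverse=True)
    return usable


if __name__ == "__main__":
    as_of = datetime(2023, 6, 1, tzinfo=timezone.utc)
    for v in reusable_validations("demo.sub.example.com", SAMPLE_RESPONSE, now=as_of):
        print(v["name"], v["id"], v["expires"].isoformat(), v["days_left"])
```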
December 8, 2022
CertCentral Services API: Added verified contact details to Organization info API
To give API clients access to more information about the verified contacts that exist for an organization, we added a new array to the Organization info API response: verified_contacts.
The new verified_contacts array provides a list of objects with details about each verified contact that exists for the organization. The verified_contacts array:
Includes information about pending, valid, and expired verified contacts.
Provides a list of validation types (CS, EV, and EV CS) for each verified contact.
Note
Before, the Organization info API only returned valid verified contacts in the ev_approvers array. The ev_approvers array is still available; however, it does not provide as much detail as the new verified_contacts array.
Bugfix: Duplicate verified contacts
We fixed a bug where submitting a verified contact with multiple validation types (for example, CS and EV) caused duplicate verified contacts to be created for the organization, one for each validation type. This bug affected verified contacts submitted through the CertCentral console or through the CertCentral Services API.
Now, when you submit verified contacts with multiple validation types, we assign each validation type to the same verified contact, instead of creating a duplicate.
Note
This change only affects new verified contacts submitted after the fix. We did not remove any existing duplicate verified contacts.
Before today, duplicate verified contacts were not visible in the CertCentral console or Services API. With our recent enhancements to the Organization info API endpoint (see CertCentral Services API: Added verified contact details to Organization info API), any duplicate verified contacts for the organizations you manage will appear in the newly added verified_contacts array.
December 6, 2022
CertCentral: Removing the permanent identifier in EV Code Signing certificates
On December 6, 2022, at 10:00 MST (17:00 UTC), DigiCert will no longer issue EV Code Signing certificates with a permanent identifier value in the Subject Alternative Name field.
What do I need to do?
Does your EV code signing process expect to find the permanent identifier when parsing your issued EV Code Signing certificates?
If yes, you need to update your process by December 6, 2022, so it no longer relies on a permanent identifier value.
If no, no action is required.
Does this change affect my existing EV Code Signing certificates?
This change does not affect existing EV Code Signing certificates with a permanent identifier value in the Subject Alternative Name field. However, if you reissue an EV Code Signing certificate after the change on December 6, 2022, your reissued certificate will not contain a permanent identifier.
Background
The permanent identifier is a unique code for EV code signing certificates that includes information about the certificate subject’s jurisdiction of incorporation and registration information. In 2016, the CA/Browser Forum removed the permanent identifier requirement from EV Code Signing certificates.
CertCentral Services API: Verified contact improvements
Starting December 6, 2022, DigiCert will require organizations on Code Signing (CS) and EV Code Signing (EV CS) certificate orders to have a verified contact.
This change was originally scheduled for October 19, 2022. However, we postponed the change to December 6, 2022. For more information, see the October 19, 2022 change log entry.
Learn more:
December 3, 2022
Upcoming scheduled maintenance
DigiCert will perform scheduled maintenance on December 3, 2022, 22:00 – 24:00 MST (December 4, 2022, 05:00 – 07:00 UTC).
Note
Maintenance will be one hour later for those who do not observe daylight saving time.
Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.
What can I do?
Plan accordingly:
Schedule high-priority orders, renewals, and reissues before or after the maintenance window, including Automation events and Discovery scans.
Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.
Subscribe to the DigiCert Status page to get live maintenance updates. This subscription includes email alerts for when maintenance begins and when it ends.
See DigiCert 2022 scheduled maintenance for scheduled maintenance dates and times.
Services will be restored as soon as the maintenance is completed.
November 5, 2022
Upcoming Scheduled Maintenance
DigiCert will perform scheduled maintenance on November 5, 2022, 22:00 – 24:00 MDT (November 6, 2022, 04:00 – 06:00 UTC). Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.
November 3, 2022
CertCentral: Improved DV certificate domain control validation
We updated the Prove control over your domain popup window for pending DV orders, making it easier to see what you need to do to complete the domain validation for all domains included on your certificate.
Now, when you select a domain control validation (DCV) method, you can see basic instructions for completing the domain validation along with a link to more detailed instructions on our product documentation website.
Note
For DV orders, you must use the same DCV method for all the domains on the certificate.
See for yourself
In the left main menu, go to Certificates > Orders.
On the Orders page, locate and select the order number of a pending DV order.
On the DV order details page, under What do I need to do, select the Prove control over domain link.
Improved Prove control over your domain popup window

November 1, 2022
CertCentral: Upgrade your product when renewing your order
DigiCert is happy to announce that CertCentral allows you to upgrade your product when renewing your order.
Are you tired of placing a new order and reentering all your information when upgrading to a new product?
Now you don’t have to. We’ve improved our order renewal process so you can upgrade your product when renewing your certificate order.
Don’t see that option to upgrade your product when renewing your order, or already have the products you need and don’t want to see the option to upgrade?
Don’t worry; you can enable and disable this feature as needed. When ready to upgrade, you can enable it to save the hassle of placing a new order. When done, you can disable it until the next time you want to upgrade a product. See Upgrade product on renewal settings.
CertCentral: Improved Code Signing and EV Code Signing request forms
DigiCert is happy to announce that we updated the Code Signing and EV Code Signing request forms, making it easier to view and add organization-related information when ordering a certificate.
This update allows you to select an organization and review the contacts associated with that organization or enter a new organization and assign contacts to the new organization.
Changes to note
You can now add a new organization along with all its contacts: organization, technical, and verified.
When adding an existing organization, you can now:
View the contacts assigned to that organization
Replace the organization contact
Replace or remove the technical contact
Select the verified contact(s) you want to receive the approval email
Add verified contacts
Before, you could only see and select an existing organization and could not see the contacts assigned to the organization.
See for yourself
In your CertCentral account, in the left main menu, go to Request a Certificate > Code Signing or Request a Certificate > EV Code Signing to see the updates to the request forms.
CertCentral: Code Signing certificate reissue bug fix
When reissuing your code signing certificate, we now include the Subject Email Address on your reissued certificate. Adding a subject email is optional and only available in enterprise accounts.
Note that we will not include the subject email address in the reissued certificate if the domain validation on that email domain has expired.
Background
When you order a code signing certificate, you can include an email address on your code signing certificate—subject email. Including an email address on the certificate provides an additional layer of trust for end users when checking your code signing signature.
See Order a code signing certificate.
October 21, 2022
CertCentral: Ability to require an additional email on certificate request forms
We are happy to announce that you can now make the Additional emails field a required field on CertCentral, Guest URL, and Guest Access request forms.
Tired of missing important expiring certificate notifications because the certificate owner is on vacation or no longer works for your organization?
The change helps prevent you from missing important notifications, including order renewal and expiring certificate notifications when the certificate owner is unavailable.
See for yourself:
To change this setting for CertCentral request forms:
In the left menu, go to Settings > Preferences.
On the Preferences page, expand Advanced settings.
In the Certificate Requests section, under Additional email field, select Required so requestors must add at least one additional email to their requests.
Select Save Settings.
To change this setting for Guest Access:
In the left main menu, go to Account > Guest Access.
On the Guest access page, in the Guest access section, under Additional emails, select Required so requestors must add at least one additional email to their requests.
Select Save Settings.
To change this setting for Guest URLs:
In the left main menu, go to Account > Guest Access.
On the Guest access page, in the Guest URLs section, to make it required in an existing guest URL, select the name of the guest URL. Under Emails, check Require additional emails field so requestors must add at least one additional email to their requests.
To make it required on a new guest URL, select Add Guest URL and then under Emails, check Require additional emails field so requestors must add at least one additional email to their requests.
Select Save Settings.
October 20, 2022
Change log RSS feed is going down
On October 20, 2022, the RSS feed for the docs.digicert.com change log is going down due to a platform migration.
It will return. Check back here for updates or contact us at docs@digicert.com to be notified when the new RSS feed is available.
October 19, 2022
CertCentral Services API: Verified contact improvements
Note
Update: This API change has been postponed until December 6, 2022.
DigiCert continues to recommend you follow our guidance to update affected API implementations before December 6.
What if I already made changes to get ready for October 19?
You are prepared for December 6. You don’t need to make additional changes. DigiCert will continue processing your order requests for Code Signing (CS) and EV Code Signing (EV CS) certificates as usual now and after we update the API on December 6.
Starting October 19, 2022, DigiCert will require organizations on Code Signing (CS) and EV Code Signing (EV CS) certificate orders to have a verified contact.
DigiCert has always required a verified contact from the organization to approve code signing certificate orders before we issue the certificate. Today, DigiCert can add a verified contact to an organization during the validation process. After October 19, verified contacts must be submitted with the organization.
To make the transition easier, when you submit a request to the Order code signing certificate API endpoint, DigiCert will default to adding the authenticated user (the user who owns the API key in the request) as a verified contact for the organization.
DigiCert will apply this default when:
The organization in the API request has no verified contacts who can approve CS or EV CS orders.
The API request body does not specify a new verified contact to add to the organization.
The authenticated user has a job title and phone number.
To avoid a lapse in service, make sure users in your CertCentral account with active API keys have a job title and phone number.
Learn more
October 17, 2022
CertCentral: Updated the DigiCert site seal image
We are happy to announce that we updated the DigiCert site seal image and replaced the checkmark with a padlock.

The updated site seal continues to provide your customers with the assurance that your website is secured by DigiCert—the leading provider of digital trust.
October 13, 2022
CertCentral: Updated the Code Signing and EV Code Signing request forms
In CertCentral, we reorganized and updated the look of the Code Signing and EV Code Signing certificate request forms. These forms are now more consistent with the look and flow of our TLS/SSL certificate request forms.
CertCentral: Code Signing certificate request form bug fix
On the code signing request form, when adding a Subject email address to appear on the certificate, you can now see the validated domains assigned to the organization with which the code signing certificate is associated.
Note
Previously, the option for viewing the validated domains assigned to the organization did not show any domains.
October 10, 2022
New Dedicated IP addresses for DigiCert Services
Update: IP Address change postponed until February 15, 2023
When we sent notifications in June 2022 about the IP address change, one of the IP addresses was incorrect. The same IP address was incorrect in this change log. We fixed that, and the information in the change log has been corrected.
To provide you with time to verify and update the IP addresses in your allowlist, we have postponed the IP address change until February 2023.
For more information:
New Dedicated IP Addresses knowledge base
October 8, 2022
Upcoming Scheduled Maintenance
DigiCert will perform scheduled maintenance on October 8, 2022, 22:00 – 24:00 MDT (October 9, 2022, 04:00 – 06:00 UTC). Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.
What can I do?
Plan accordingly:
Schedule high-priority orders, renewals, and reissues before or after the maintenance window.
Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.
To get live maintenance updates, subscribe to the DigiCert Status page. This subscription includes email alerts for when maintenance begins and when it ends.
See DigiCert 2022 scheduled maintenance for scheduled maintenance dates and times.
Services will be restored as soon as the maintenance is completed.
End of support for CBC ciphers in TLS connections
DigiCert will end support for Cipher-Block-Chaining (CBC) ciphers in TLS connections to our services on October 8, 2022, at 22:00 MDT (October 9, 2022, at 04:00 UTC).
This change affects browser-dependent services and applications relying on CBC ciphers that interact with these DigiCert services:
CertCentral and CertCentral Services API
Certificate Issuing Services (CIS)
CertCentral Simple Certificate Enrollment Protocol (SCEP)
This change does not affect your DigiCert-brand certificates. Your certificates will continue to work as they always have.
Why is DigiCert ending support for the CBC ciphers?
To align with Payment Card Industry (PCI) compliance standards, DigiCert must end support for the following CBC ciphers:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_RSA_WITH_AES_256_CBC_SHA
What do I need to do?
If you are using a modern browser, no action is required. Most browsers, including Mozilla Firefox, Google Chrome, Safari, and Microsoft Edge, support strong ciphers, such as Galois/Counter Mode (GCM) ciphers. We do recommend updating your browser to its most current version.
If you have applications or API integrations affected by this change, enable stronger ciphers, such as GCM ciphers, in those applications and update API integrations before October 8, 2022.
If you do not update API integrations and applications, they will not be able to use HTTPS to communicate with CertCentral, the CertCentral Services API, CIS, and SCEP.
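The following added example (not DigiCert's code) audits a client's cipher configuration against the five CBC suites listed above, so an integration can be checked before it loses HTTPS connectivity. The OpenSSL-style names in the mapping, the function names, and the "ok / unknown / will_fail" verdicts are this example's own; "ok" only means the client offers at least one GCM suite, which is what the entry recommends enabling.

```python
import ssl

# The five suites named in the change log entry (IANA names), mapped to the
# OpenSSL names that Python, curl, nginx and many API clients are configured with.
RETIRED_CBC_SUITES = {
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": "ECDHE-RSA-AES128-SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": "ECDHE-RSA-AES128-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": "ECDHE-RSA-AES256-SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384": "ECDHE-RSA-AES256-SHA384",
    "TLS_RSA_WITH_AES_256_CBC_SHA": "AES256-SHA",
}
OPENSSL_TO_IANA = {v: k for k, v in RETIRED_CBC_SUITES.items()}

# Constructed sample: the cipher list of a hypothetical legacy integration.
LEGACY_CLIENT = ["ECDHE-RSA-AES256-SHA384", "ECDHE-RSA-AES128-SHA", "AES256-SHA"]


def audit_cipher_list(offered):
    """Classify offered suites (IANA or OpenSSL names) and return a verdict.

    verdict is:
      "ok"        - at least one GCM suite is offered
      "will_fail" - every offered suite is one of the five retired CBC suites
      "unknown"   - no GCM suite, but other suites the entry does not mention
    """
    retired, gcm, other = [], [], []
    for name in offered:
        key = name.strip()
        iana = key if key in RETIRED_CBC_SUITES else OPENSSL_TO_IANA.get(key)
        if iana:
            retired.append(iana)          # always reported under the IANA name
        elif "GCM" in key.upper():
            gcm.append(key)
        else:
            other.append(key)
    if gcm:
        verdict = "ok"
    elif other:
        verdict = "unknown"
    else:
        verdict = "will_fail"
    return {"verdict": verdict, "retired": retired, "gcm": gcm, "other": other}


def audit_context(ctx):
    """Audit the suites an ssl.SSLContext would offer in its ClientHello."""
    return audit_cipher_list(c["name"] for c in ctx.get_ciphers())


def audit_default_client():
    """Audit the default client context of the local Python/OpenSSL build."""
    return audit_context(ssl.create_default_context())


if __name__ == "__main__":
    for label, result in (("legacy (constructed)", audit_cipher_list(LEGACY_CLIENT)),
                          ("local default context", audit_default_client())):
        print(label, "->", result["verdict"])
        for suite in result["retired"]:
            print("  still offers retired suite:", suite)
```

Retired suites reported alongside an "ok" verdict are harmless for connectivity, but removing them from the client's cipher string keeps the configuration aligned with what the services accept.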
Knowledge base article
See our knowledge base article, Ending Support for CBC Ciphers in TLS connections to our services, for more information.
Contact us
If you have questions or need help, contact your account manager or DigiCert Support.
September 27, 2022
CertCentral Services API: Keep the "www" subdomain label when adding a domain to your account
To give you more control over your domain prevalidation workflows, we added a new optional request parameter to the Add domain API endpoint: keep_www. Use this parameter to keep the www. subdomain label when you add a domain using a domain control validation (DCV) method of email, dns-txt-token, or dns-cname-token.
By default, if you are not using file-based DCV, the Add domain endpoint always removes the www. subdomain label from the name value. For example, if you send www.example.com, DigiCert adds example.com to your account and submits it for validation.
To keep the www and limit the scope of the approval to the www subdomain, set the value of the keep_www request parameter to true:
{
  "name": "www.example.com",
  "organization": {
    "id": 12345
  },
  "validations": [
    {
      "type": "ov"
    }
  ],
  "dcv_method": "email",
  "keep_www": true
}
September 16, 2022
CertCentral: Revocation reasons for revoking certificates
CertCentral supports including a revocation reason when revoking a certificate. Now, you can choose one of the revocation reasons listed below when revoking all certificates on an order or when revoking an individual certificate by ID or serial number.
Supported revocation reasons:
Key compromise* - My certificate's private key was lost, stolen, or otherwise compromised.
Cessation of operation - I no longer use or control the domain or email address associated with the certificate or no longer use the certificate.
Affiliation change - The name or any other information regarding my organization changed.
Superseded - I have requested a new certificate to replace this one.
Unspecified - None of the reasons above apply.
*Note: Selecting Key compromise does not block using the associated public key in future certificate requests. To add the public key to the blocklist and revoke all certificates with the same key, visit problemreport.digicert.com and prove possession of the key.
Revoke immediately
We also added the Revoke this certificate immediately option that allows Administrators to skip the Request and Approval process and revoke the certificate immediately. When this option is deselected, the revocation request appears on the Requests page, where an Administrator must review and approve it before it is revoked.
Background
The Mozilla root policy requires Certificate Authorities (CAs) to include a process for specifying a revocation reason when revoking TLS/SSL certificates. The reason appears in the Certificate Revocation List (CRL). The CRL is a list of revoked digital certificates. Only the issuing CA can revoke the certificate and add it to the CRL.
September 10, 2022
Upcoming Scheduled Maintenance
DigiCert will perform scheduled maintenance on September 10, 2022, 22:00 – 24:00 MDT (September 11, 2022, 04:00 – 06:00 UTC). Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.
What can I do?
Plan accordingly:
Schedule high-priority orders, renewals, and reissues before or after the maintenance window.
Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.
To get live maintenance updates, subscribe to the DigiCert Status page. This subscription includes email alerts for when maintenance begins and when it ends.
See DigiCert 2022 scheduled maintenance for scheduled maintenance dates and times.
September 7, 2022
CertCentral Services API: Revocation reason for TLS/SSL certificates
In the CertCentral Services API, we added the option to choose a revocation reason when you submit a request to revoke a TLS/SSL certificate.
You can choose a revocation reason when revoking all certificates on an order or when revoking an individual certificate by ID or serial number.
To choose a revocation reason, include the optional revocation_reason parameter in the body of your request.
Example JSON request body:
{ "revocation_reason": "superseded" }
For information about each revocation reason, visit the API documentation:
Revoke certificate (by ID or serial number)
August 30, 2022
CertCentral Services API: Added label for verified contacts
In the CertCentral Services API, we added a new contact_type label for verified contacts: verified_contact.
Use the verified_contact label to identify verified contacts for an organization when you submit a request for an EV TLS, Verified Mark, Code Signing, or EV Code Signing certificate. The updated label applies to all verified contacts, regardless of which product type the order is for.
For example, this JSON payload shows how to use the verified_contact label to add a verified contact to an organization in a new certificate order request:
{ "certificate": { ... }, "organization": { "id": 12345, "contacts": [ { "contact_type": "verified_contact", "user_id": 12345 } ] }, ... }
Note: Before this change, verified contacts were always identified with the label ev_approver. The CertCentral Services API will continue accepting ev_approver as a valid label for verified contacts on EV TLS, VMC, Code Signing, and EV Code Signing certificate orders. The verified_contact label works the same as the ev_approver label, but the name is updated to apply to all products that require a verified contact.
Improved API documentation for adding organizations to Code Signing and EV Code Signing orders
We updated the Order code signing certificate API documentation to describe three ways to add an organization to your Code Signing (CS) or EV Code Signing (EV CS) order requests:
Add an existing organization already validated for CS or EV CS certificate issuance.
Add an existing organization not validated for CS or EV CS and submit the organization for validation with your order.
Create a new organization and submit it for validation with your CS or EV CS order request.
Learn more: Order code signing certificate – CS and EV CS organization validation
August 24, 2022
CertCentral: Edit SANs on pending orders: new, renewals, and reissues
DigiCert is happy to announce that CertCentral allows you to modify the common name and subject alternative names (SANs) on pending orders: new, renewals, and reissues.
Tired of canceling an order and placing it again because a domain has a typo? Now, you can modify the common name/SANs directly from a pending order.
Items to note when modifying SANs
Only admins and managers can edit SANs on pending orders.
Editing domains does not change the cost of the order.
You can only replace a wildcard domain with another wildcard domain and a fully qualified domain name (FQDN) with another FQDN.
The total number of domains cannot exceed the number included in the original request.
Removed SANs can be added back for free, up to the amount purchased, any time after DigiCert issues your certificate.
To reduce the certificate cost, you must cancel the pending order. Then submit a new request without the SANs you no longer want the certificate to secure.
See for yourself
In your CertCentral account, in the left main menu, go to Certificates > Orders.
On the Orders page, select the pending order with the SANs you need to modify.
On the certificate’s Order details page, in the Certificate status section, under What do you need to do, next to Prove control over domains, select the edit icon (pencil).
See Edit common name and SANs on a pending TLS/SSL order: new, renewals, and reissues.
CertCentral Services API: Edit SANs on a pending order and reissue
To allow you to modify SANs on pending new orders, pending renewed orders, and pending reissues in your API integrations, we added a new endpoint to the CertCentral Services API. To learn how to use the new endpoint, visit Edit domains on a pending order or reissue.
August 22, 2022
CertCentral Services API: New response parameters for Domain info and List domains endpoints
To make it easier for API clients to get the exact date and time domain validation reuse periods expire, we added new response parameters to the Domain info and List domains API endpoints:
dcv_approval_datetime: Completion date and time (UTC) of the most recent DCV check for the domain.
dcv_expiration_datetime: Expiration date and time (UTC) of the most recent DCV check for the domain.
Tip
For domain validation expiration dates, use the new dcv_expiration_datetime response parameter instead of relying on the dcv_expiration.ov and dcv_expiration.ev fields. Since October 1, 2021, the domain validation reuse period is the same for both OV and EV TLS/SSL certificate issuance. The new dcv_expiration_datetime response parameter returns the expiration date for both OV and EV domain validation.
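The following added example, which is not DigiCert's code, applies the tip above: it prefers dcv_expiration_datetime, falls back to the older dcv_expiration.ov and dcv_expiration.ev fields, and flags domains whose validation is expired or close to expiring. The response shape, the sample records, the date formats and the helper names are assumptions constructed for illustration.

```python
"""Flag domains whose DCV reuse period is expired or about to expire."""
from datetime import datetime, timezone

# Constructed sample in the ASSUMED shape of a List domains response.
SAMPLE_RESPONSE = {
    "domains": [
        {"name": "example.com",
         "dcv_approval_datetime": "2022-07-20T15:00:00+00:00",
         "dcv_expiration_datetime": "2023-08-21T15:00:00+00:00"},
        {"name": "example.net",
         "dcv_expiration_datetime": "2022-09-10T08:30:00+00:00"},
        {"name": "example.org",
         "dcv_expiration_datetime": "2022-08-01T00:00:00+00:00"},
        # Older record shape: only the per-type fields are present
        # (date-only values are an assumption).
        {"name": "legacy.example",
         "dcv_expiration": {"ov": "2022-09-01", "ev": "2022-08-25"}},
        # Domain that has never completed a DCV check.
        {"name": "never-validated.example"},
    ]
}


def _parse_utc(value):
    """Parse an ISO 8601 date or datetime; treat naive values as UTC."""
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def dcv_expiry(domain):
    """Return the DCV expiry as an aware datetime, or None if unknown."""
    value = domain.get("dcv_expiration_datetime")
    if value:
        return _parse_utc(value)
    # Fallback for records without the new field: take the earlier of
    # the OV and EV dates so the result is never optimistic.
    legacy = domain.get("dcv_expiration") or {}
    dates = [_parse_utc(v) for v in (legacy.get("ov"), legacy.get("ev")) if v]
    return min(dates) if dates else None


def classify_domains(response, now, warn_days=30):
    """Return (name, status, days_left) for every domain in the response."""
    report = []
    for domain in response.get("domains", []):
        expires = dcv_expiry(domain)
        if expires is None:
            report.append((domain["name"], "unknown", None))
            continue
        days_left = (expires - now).days
        if expires <= now:
            status = "expired"
        elif days_left < warn_days:
            status = "expiring"
        else:
            status = "valid"
        report.append((domain["name"], status, days_left))
    return report


if __name__ == "__main__":
    now = datetime(2022, 8, 22, tzinfo=timezone.utc)
    for name, status, days_left in classify_domains(SAMPLE_RESPONSE, now):
        print(f"{name:26} {status:9} {days_left}")
```

Domains reported as expired, expiring or unknown are the ones to submit for revalidation before the next certificate request depends on them.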
Learn more:
August 6, 2022
Upcoming scheduled maintenance
Some DigiCert services will be down for about 15 minutes during scheduled maintenance on August 6, 2022, 22:00 – 24:00 MDT (August 7, 2022, 04:00 – 06:00 UTC).
What can I do?
Plan accordingly:
Schedule high-priority orders, renewals, and reissues before or after the maintenance window.
Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.
To get live maintenance updates, subscribe to the DigiCert Status page. This subscription includes email alerts for when maintenance starts and when maintenance ends.
For scheduled maintenance dates and times, see DigiCert 2022 scheduled maintenance.
July 11, 2022
CertCentral Services API: Archive and restore certificates
To give API clients the option to hide unused certificates from API response data, we released new API endpoints to archive and restore certificates. By default, archived certificates do not appear in response data when you submit a request to the List reissues or List duplicates API endpoints.
New API endpoints
Use this endpoint to archive a certificate.
Use this endpoint to restore an archived certificate.
Updated API endpoints
We updated the List reissues and List duplicates endpoints to support a new optional URL query parameter: show_archived. If the value of show_archived is true, the response data includes archived certificates. If false (default), the response omits archived certificates.
July 9, 2022
Upcoming Scheduled Maintenance
Some DigiCert services will be down for a total of 20 minutes during scheduled maintenance on July 9, 2022, 22:00 – 24:00 MDT (July 10, 2022, 04:00 – 06:00 UTC).
What can I do?
Plan accordingly:
Schedule high-priority orders, renewals, and reissues before or after the maintenance window.
Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.
To get live maintenance updates, subscribe to the DigiCert Status page. This subscription includes email alerts for when maintenance begins and when it ends.
For scheduled maintenance dates and times, see DigiCert 2022 scheduled maintenance.
July 5, 2022
CertCentral: Improved Order details page
DigiCert is happy to announce that we improved the layout and design of the Order details page.
We took your feedback and updated the Orders page to make managing your certificates and orders easier throughout their lifecycle.
When we reorganized the information on the Order details page, we didn’t remove anything. So, everything you did before the updates, you can still do now. However, there are a few things you asked for that you can do now that you couldn’t do before.
Summary of changes:
We added new banners, alerts, and icons to help you better understand the actions you need to take on your certificates and orders.
We added a Certificate history tab to the Order details page. Now, you can view and interact with all the certificates associated with the order: reissues, duplicates, expired, and revoked.
We added the ability to revoke an individual certificate or all the certificates on the order.
We also updated the Orders page to add Certificate and Order alert banners, advanced search features, and columns in the orders list.
These changes do not affect Guest access. When accessing an order via guest access, you will not see any of the updates.
See the changes for yourself. In your CertCentral account, in the left main menu, go to Certificates > Orders.
Want to provide feedback?
The next time you are in your CertCentral account, locate the “d” icon in the lower right corner of the page (white “d” in a blue circle) and click it. Use the Share Your Feedback feature to let us know your thoughts on the changes. And don’t hesitate to provide feedback about other CertCentral pages and functionality.
June 28, 2022
CertCentral: Improved DNS Certification Authority Authorization (CAA) resource records checking
DigiCert is happy to announce that we improved the CAA resource record checking feature and error messaging for failed checks in CertCentral.
Now, on the order’s details page, if a CAA resource record check fails, we display the check’s status and include improved error messaging to make it easier to troubleshoot problems.
Background
Before issuing an SSL/TLS certificate for your domain, a Certificate Authority (CA) must check the DNS CAA Resource Records (RR) to determine whether they can issue a certificate for your domain. A Certificate Authority can issue a certificate for your domain if one of the following conditions is met:
They do not find a CAA RR for your domain.
They find a CAA RR for your domain that authorizes them to issue a certificate for the domain.
How can DNS CAA Resource Records help me?
CAA resource records allow domain owners to control which certificate authorities (CAs) are allowed to issue public TLS certificates for each domain.
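The two conditions above can be written as a small decision function. This is an added example, not DigiCert's implementation: it follows the RFC 8659 rules (climb toward the parent domain until a CAA record set is found, use issuewild for wildcard names, refuse on an unknown critical property), which goes slightly beyond the two cases listed here. The zone contents and function names are constructed for illustration, and no DNS lookups are made.

```python
"""CAA issuance check (RFC 8659 logic) over a constructed in-memory zone."""

# Constructed sample: owner name -> list of (flags, tag, value) CAA records.
SAMPLE_ZONE = {
    "example.com": [(0, "issue", "digicert.com"), (0, "issuewild", ";")],
    "shop.example.com": [(0, "issue", "other-ca.example")],
    "example.net": [(128, "futuretag", "x")],  # critical, unknown tag
    "example.org": [(0, "iodef", "mailto:security@example.org")],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 0x80  # issuer-critical flag bit


def relevant_rrset(fqdn, zone):
    """Climb from fqdn toward the root; return the first non-empty CAA set."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if zone.get(owner):
            return owner, zone[owner]
    return None, []


def issuer_of(value):
    """Issuer domain of an issue/issuewild value, without parameters."""
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(requested_name, ca_domain, zone):
    """Return (allowed, reason) for a CA identified by ca_domain."""
    wildcard = requested_name.startswith("*.")
    fqdn = requested_name[2:] if wildcard else requested_name
    owner, records = relevant_rrset(fqdn, zone)

    # Condition 1 from the text: no CAA record for the domain.
    if not records:
        return True, "no CAA record found"

    # A critical property the CA does not understand blocks issuance.
    for flags, tag, _ in records:
        if flags & CRITICAL and tag.lower() not in KNOWN_TAGS:
            return False, f"unknown critical property '{tag}' at {owner}"

    issue = [issuer_of(v) for _, t, v in records if t.lower() == "issue"]
    issuewild = [issuer_of(v) for _, t, v in records if t.lower() == "issuewild"]

    # Wildcard requests use issuewild when present, otherwise issue.
    # Non-wildcard requests ignore issuewild entirely.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True, f"CAA at {owner} does not restrict this request"

    # Condition 2 from the text: a record that authorizes this CA.
    if ca_domain.lower() in applicable:
        return True, f"authorized by CAA at {owner}"
    return False, f"CAA at {owner} does not list {ca_domain}"


if __name__ == "__main__":
    for name in ("www.example.com", "*.example.com", "shop.example.com",
                 "example.net", "example.org", "unlisted.example"):
        print(name, ca_may_issue(name, "digicert.com", SAMPLE_ZONE))
```

A value of ";" in an issue or issuewild property, as in the constructed example.com records, authorizes no CA for that class of name.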
June 21, 2022
CertCentral: Bulk domain validation support for DNS TXT and DNS CNAME DCV methods
DigiCert is happy to announce that CertCentral bulk domain validation now supports two more domain control validation (DCV) methods: DNS TXT and DNS CNAME.
Remember, domain validation is only valid for 397 days. To maintain seamless certificate issuance, DigiCert recommends completing DCV before the domain's validation expires.
Don't spend extra time submitting one domain at a time for revalidation. Use our bulk domain revalidation feature to submit 2 to 25 domains at a time for revalidation.
See for yourself
In your CertCentral account, in the left main menu, go to Certificates > Domains.
On the Domains page, select the domains you want to submit for revalidation.
In the Submit domains for revalidation dropdown, select the DCV method you want to use to validate the selected domains.
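June 6, 2022
CertCentral Report Library API enhancements
DigiCert is happy to announce the following enhancements to the CertCentral Report Library API:
Suspend report runs by deleting scheduled reports
We added a new endpoint: Delete scheduled report. Deleting a scheduled report suspends future report runs. After you delete a scheduled report, you can still download completed report runs with the same report ID.
Note
Before, you could only edit a report's schedule, or delete a scheduled report along with all of its completed report runs.
Generate reports with subaccount data only
For the Create report and Edit report endpoints, we added a new option to the list of allowed division_filter_type values: EXCLUDE_ALL_DIVISIONS. Use this value to exclude all parent account data from the report. Reports using this option only include data from the chosen subaccounts (sub_account_filter_type).
Note
Before, you could not generate subaccount reports without including data from one or more divisions in the parent account.
Learn more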
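June 4, 2022
Upcoming scheduled maintenance
DigiCert will perform scheduled maintenance on June 4, 2021, 22:00 – 24:00 MDT (June 5, 2021, 04:00 – 06:00 UTC). Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.
What can I do?
Schedule high-priority orders, renewals, and reissues before or after the maintenance window.
Expect interruptions if you use the APIs for immediate certificate issuance and other automated tasks.
To get live updates, subscribe to the DigiCert Status page. This subscription includes email alerts for when maintenance begins and when it ends.
See DigiCert 2022 scheduled maintenance for scheduled maintenance dates and times.
Services will be restored as soon as the maintenance is completed.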
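May 31, 2022
CertCentral Services API: Improved Order info API response
Update: To give API consumers more time to evaluate the impact of the Order info API response changes on their integrations, we postponed this update to May 31, 2022. We originally planned to release the changes below on April 25, 2022.
On May 31, 2022, DigiCert will make the following improvements to the Order info API. These changes remove unused values and update the data structure of the order details object so that orders in different states are more consistent across product types.
For more information and response examples for public TLS, code signing, document signing, and Class 1 S/MIME certificates, see the reference documentation for the Order info endpoint.
If you have questions or need help with these changes, contact your account representative or DigiCert Support.
General enhancements
The following changes apply to orders for various certificate types, irrespective of order status.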
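Removed parameters:
public_id (string)
For all orders, the API will stop returning the public_id parameter. DigiCert no longer supports the Express Install workflow that required a public_id value.
certificate.ca_cert_id (string)
For DV certificate orders, the API will stop returning the ca_cert_id parameter. The value of this parameter is an internal ID for the issuing ICA certificate and cannot be used externally. The API no longer includes the ca_cert_id parameter in the order details for other product types.
To get the name and public ID of the issuing ICA certificate associated with the order, use the ca_cert object instead.
verified_contacts (array of objects)
For document signing certificate orders, the API will stop returning the verified_contacts array. The API no longer includes the verified_contacts array in the order details for other product types.
certificate.dns_names (array of strings)
If there are no DNS names associated with the order (for example, if the order is for a code signing, document signing, or Class 1 S/MIME certificate), the API will stop returning the dns_names array.
Before, the API returned a dns_names array with an empty string: [" "]
certificate.organization_units (array of strings)
If there are no organization units associated with the order, the API will stop returning the organization_units array.
Before, for some product types, the API returned an organization_units array with an empty string: [" "]
certificate.cert_validity
In the cert_validity object, the API will only return a key/value pair for the unit used to set the certificate validity period when the order was created. For example, if the validity period of the certificate is 1 year, the cert_validity object returns a years parameter with a value of 1.
Before, the cert_validity object sometimes returned values for both days and years.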
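Added parameters:
order_validity (object)
For code signing, document signing, and client certificate orders, the API will start returning an order_validity object. The order_validity object returns the days, years, or custom_expiration_date for the order validity period. The API already includes an order_validity object in the order details for public SSL/TLS products.
payment_profile (object)
For DV certificate orders, if the order is associated with a saved credit card, the API will start returning a payment_profile object. The API already includes a payment_profile array in the order details for other product types.
server_licenses (integer)
For DV certificate orders, the API will start returning the server_licenses parameter. The API already includes the server_licenses parameter in the order details for other product types.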
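Unapproved order requests
The following changes apply only to certificate order requests that are pending approval or that have been rejected. These changes bring the data structure of the response closer to what the API returns after the request is approved and the order is submitted to DigiCert for validation and issuance.
To manage unapproved and rejected requests, we recommend using the Request endpoints (/request) instead of retrieving the order details. We designed the /request endpoints to manage pending and rejected certificate order requests, and these endpoints remain unchanged.
Note
For quicker certificate issuance, we recommend using a workflow that skips or omits the request approval step for new certificate orders. If your API workflow already skips or omits the approval step, you can ignore the changes below. Learn more about removing the approval step:
Added parameters:
disable_ct (boolean)
allow_duplicates (boolean)
cs_provisioning_method (string)
Removed parameters:
server_licenses (integer)
For unapproved order requests, the API will stop returning the server_licenses parameter. The API will continue including the server_licenses parameter in the order details for approved order requests.
Improved organization object
To provide a consistent data structure in the order details for unapproved and approved order requests, the API will return a modified organization object on unapproved order requests.
For unapproved order requests of all product types, the API will stop returning the following unexpected properties:
organization.status (string)
organization.is_hidden (boolean)
organization.organization_contact (object)
organization.technical_contact (object)
organization.contacts (array of objects)
For unapproved order requests of all product types, the API will start returning the following expected properties, if they exist:
organization.name (string)
organization.display_name (string)
organization.assumed_name (string)
organization.city (string)
organization.country (string)
To get organization details not included in the Order info response, use the Organization info API endpoint.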
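May 24, 2022
CertCentral to issue GeoTrust and RapidSSL DV certificates from new intermediate CA certificates
On May 24, 2022, between 9:00 am and 11:00 am MDT (3:00 pm and 5:00 pm UTC), DigiCert will replace the GeoTrust and RapidSSL intermediate CA (ICA) certificates listed below. We can no longer issue maximum validity (397-day) DV certificates from these intermediates.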
GeoTrust TLS DV RSA Mixed SHA256 2020 CA-1
GeoTrust TLS DV RSA Mixed SHA256 2021 CA-1
RapidSSL TLS DV RSA Mixed SHA256 2020 CA-1
RapidSSL TLS DV RSA Mixed SHA256 2021 CA-1
GeoTrust Global TLS RSA4096 SHA256 2022 CA1
RapidSSL Global TLS RSA4096 SHA256 2022 CA1
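See the DigiCert ICA Update knowledge base article.
How does this affect me?
Rolling out new ICA certificates does not affect existing DV certificates. Active certificates issued from the replaced ICA certificates remain trusted until they expire.
However, all new certificates, including reissues, will be issued from the new ICA certificates. To make sure the ICA certificate replacement causes no interruption, always include the provided ICA certificate with every TLS certificate you install.
Pin the old versions of the intermediate CA certificates
Hard code the acceptance of the old versions of the intermediate CA certificates
Operate a trust store that includes the old versions of the intermediate CA certificates
Action required
If you practice pinning, hard code acceptance, or operate a trust store, update your environment as soon as possible. You should stop pinning and hard coding ICA certificates, or make the necessary changes to ensure that GeoTrust DV and RapidSSL DV certificates issued from the new ICA certificates are trusted. In other words, make sure they can chain up to the new ICA certificate and a trusted root.
See the DigiCert Trusted Root Authority Certificates page to download copies of the new intermediate CA certificates.
What if I need more time?
If you need more time to update your environment, you can continue to use the old 2020 ICA certificates until they expire. Contact DigiCert Support, and they can set that up for your account. However, after May 31, 2022, RapidSSL DV and GeoTrust DV certificates issued from the 2020 ICA certificates will have their validity shortened to less than one year.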
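May 18, 2022
CertCentral: DigiCert KeyGen, our new key generation service
DigiCert is happy to announce our new key generation service, KeyGen. Use KeyGen to generate and install your client and code signing certificates from your browser. KeyGen can be used on macOS and Windows and is supported by all major browsers.
With KeyGen, you don't need to generate a CSR to order client and code signing certificates. Place your order without a CSR. Then, after the order is processed and the certificate is ready, DigiCert sends a "Generate your certificate" email with instructions on how to use KeyGen to get your certificate.
How does KeyGen work?
KeyGen generates a key pair and then uses the public key to create a certificate signing request (CSR). KeyGen sends the CSR to DigiCert, and DigiCert sends the certificate back to KeyGen. Then KeyGen downloads a PKCS12 (.p12) file that contains the certificate and the private key to your desktop. The password you create during the certificate generation process protects the PKCS12 file. When you use the password to open the certificate file, the certificate is installed in your personal certificate store.
To learn more about generating client and code signing certificates from your browser, see the following instructions: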
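May 9, 2022
CertCentral Services API: Fixed data type for empty user value in Order info API response
We fixed an issue where the Order info API (GET https://www.digicert.com/services/v2/order/certificate/{{order_id}}) returned the wrong data type for the user field when no user is associated with the order. Now, for orders without user data, the Order info endpoint returns an empty user object ("user": {}) instead of returning an empty array ("user": []).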
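May 7, 2022
Upcoming scheduled maintenance
Update: There will be no downtime during the maintenance on May 7 MDT (May 8 UTC).
DigiCert will perform scheduled maintenance on May 7, 2022, 22:00 – 24:00 MDT (May 8, 2022, 04:00 – 06:00 UTC). Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.
Services will be restored as soon as the maintenance is completed.
What can I do?
Plan accordingly:
Schedule high-priority orders, renewals, and reissues before or after the maintenance window.
Expect interruptions if you use the APIs for immediate certificate issuance and other automated tasks.
To get live updates, subscribe to the DigiCert Status page. This subscription includes email alerts for when maintenance begins and when it ends.
See the DigiCert 2022 maintenance schedule for maintenance dates and times.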
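April 18, 2022
CertCentral: Multi-year Plans now available for Verified Mark Certificates
We are happy to announce that Multi-year Plans are now available for Verified Mark Certificates (VMCs) in CertCentral and the CertCentral Services API.
With a DigiCert® Multi-year Plan, you pay a single discounted price for up to six years of Verified Mark Certificate coverage. With a Multi-year Plan, you pick the duration of coverage you need (up to six years). Until the plan expires, you can reissue your certificate at no cost each time it reaches the end of its validity period.
Note
Depending on the length of your plan, you may need to revalidate your domain and organization multiple times during your Multi-year Plan.
Multi-year Plans for VMC in the Services API
In the Services API, when you submit an order request for a VMC, use the order_validity object to set the duration of coverage for your Multi-year Plan (1-6 years). For more information, see:
What is a Verified Mark Certificate?
Verified Mark Certificates (VMCs) are a new type of certificate that allows companies to place a certified brand logo next to the "sender" field in customer inboxes.
Recipients can see the logo before they open the message.
The logo acts as confirmation of your domain's DMARC status and your organization's authenticated identity.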
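April 11, 2022
CertCentral Services API: Domain locking API endpoints
DigiCert is happy to announce that domain locking is now available in the CertCentral Services API.
Note
Before you can use the domain locking endpoints, you must first enable domain locking for your CertCentral account. See Domain locking - Enable domain locking for your account.
New API endpoints
Enable domain locking for a given domain.
Disable domain locking for a given domain.
Check the DNS CAA resource records of a given domain for the domain locking account token.
Updated API endpoints
We updated the response of the Domain info and List domains endpoints to include the following parameters with domain locking details:
domain_locking_status (string)
Domain locking status. Only returned if domain locking is enabled for the account.
account_token (string)
Domain locking account token. Only returned if domain locking is enabled for the account and domain locking has been activated for the domain at least once.
For more information, see: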
April 5, 2022
CertCentral: Domain locking is now available
DigiCert is happy to announce our domain locking feature is now available.
Does your company have more than one CertCentral account? Do you need to control which of your accounts can order certificates for specific company domains?
Domain locking lets you control which of your CertCentral accounts can order certificates for your domains.
How does domain locking work?
DNS Certification Authority Authorization (CAA) resource records allow you to control which certificate authorities can issue certificates for your domains.
With domain locking, you can use this same CAA resource record to control which of your company's CertCentral accounts can order certificates for your domains.
How do I lock a domain?
To lock a domain:
Enable domain locking for your account.
Set up domain locking for a domain.
Add the domain's unique verification token to the domain's DNS CAA resource record.
Check the CAA record for the unique verification token.
To learn more, see:
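End of account upgrades from Symantec, GeoTrust, Thawte, or RapidSSL to CertCentral™
Starting April 5, 2022 MDT, you can no longer upgrade your Symantec, GeoTrust, Thawte, or RapidSSL account to CertCentral™.
If you haven't already moved to DigiCert CertCentral, upgrade now to maintain website security and keep access to your certificates.
How do I upgrade my account?
To upgrade your account, contact DigiCert Support immediately. For more information about the account upgrade process, see Upgrade to CertCentral: What you need to know.
What happens if I don't upgrade my account to CertCentral?
After April 5, 2022, you must get a new CertCentral account and manually add all account information, such as domains and organizations. In addition, you won't be able to migrate any of your active certificates to the new account.
For help setting up your new CertCentral account after April 5, 2022, contact DigiCert Support.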
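April 2, 2022
Upcoming scheduled maintenance
DigiCert will perform scheduled maintenance on April 2, 2022, 22:00 – 24:00 MDT (April 3, 2022, 04:00 – 06:00 UTC). During this time, some services may be down for up to two hours.
Note
Maintenance will be one hour earlier for those who do not observe daylight saving time.
Infrastructure-related maintenance downtime
The infrastructure-related maintenance starts at 22:00 MDT (4:00 UTC). Then the services listed below may be down for up to two hours.
CertCentral® TLS certificate issuance:
TLS certificate requests submitted during this time will fail
Failed requests should be resubmitted after services are restored
CIS and CertCentral® SCEP:
Certificate Issuing Service (CIS) will be down
CertCentral Simple Certificate Enrollment Protocol (SCEP) will be down
Requests submitted during this time will fail
CIS APIs will return a "503 Service unavailable" error
Failed requests should be resubmitted after services are restored
Direct Cert Portal new domain and organization validation:
New domains cannot be submitted for validation during this time
New organizations cannot be submitted for validation during this time
Failed requests should be resubmitted after services are restored
QuoVadis® TrustLink® certificate issuance:
TrustLink certificate requests submitted during this time will be delayed
However, requests will be added to a queue for later processing
Queued requests will be processed after services are restored
PKI Platform 8 new domain and organization validation:
New domains cannot be submitted for validation during this time
New organizations cannot be submitted for validation during this time
However, requests will be added to a queue for later processing
Queued requests will be processed after services are restored
Access to User Authorization Agent (UAA) services will be disabled for the UAA administrator and user web portals
What can I do?
Plan accordingly:
Schedule high-priority orders, renewals, and reissues before or after the maintenance window.
Expect interruptions if you use the APIs for immediate certificate issuance and other automated tasks.
To get live updates, subscribe to the DigiCert Status page. This subscription includes email alerts for when maintenance begins and when it ends.
For scheduled maintenance dates and times, see DigiCert 2022 scheduled maintenance.
Services will be restored as soon as the maintenance is completed.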
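March 30, 2022
CertCentral: Bulk domain revalidation is now available
DigiCert is happy to announce that our bulk domain validation feature is now available. Don't waste time submitting one domain at a time for revalidation. Use the bulk domain revalidation feature to submit 2 to 25 domains at a time for revalidation.
Remember, domain validation is only valid for 397 days. To maintain seamless certificate issuance, DigiCert recommends completing domain control validation (DCV) before the domain's validation expires.
Note
Currently, the bulk domain feature only supports the email DCV method. To use a different DCV method, you need to submit each domain individually.
See for yourself
In your CertCentral account, in the left main menu, go to Certificates > Domains.
On the Domains page, select the domains you want to submit for revalidation.
In the Submit domains for revalidation dropdown, select Submit domains for email-based validation.
See Domain prevalidation: Bulk domain revalidation.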
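March 24, 2022
SSL Tools end of life
Starting March 24, 2022, when you visit SSL Tools, a pop-up message tells you that SSL Tools is no longer available. We encourage you to use the DigiCert® SSL Installation Diagnostics Tool.
Note
If you visit other SSL Tools features or pages, we direct you to other pages on digicert.com that offer identical or similar services.
What is the SSL Installation Diagnostics Tool?
The SSL Installation Diagnostics Tool is a free, publicly available tool that checks:
Certificate installations
Web server configurations
What do I need to do?
Start using the DigiCert® SSL Installation Diagnostics Tool. You will want to do the following:
In your browser, replace SSL Tools bookmarks with the DigiCert® SSL Installation Diagnostics Tool.
If you have links to SSL Tools on your website, replace them with links to the SSL Installation Diagnostics Tool.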
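March 21, 2022
DigiCert site seal now available for Basic OV and EV certificate orders
DigiCert Basic OV and EV certificate orders include the DigiCert site seal. Now, you can install the DigiCert site seal on the same site your Basic SSL certificate protects. Site seals assure your customers that your website is secured by DigiCert, whose TLS/SSL security is highly regarded.
When you click the site seal, you see more details about the domain, the organization, the TLS/SSL certificate, and the validation.
DigiCert Smart Seal
DigiCert also offers a more innovative type of site seal, the DigiCert Smart Seal. This advanced seal is more interactive and engaging than the DigiCert site seal. We added a hover-over effect, animation, and the ability to display your company logo in the hover-over effect and animation feature.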
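March 10, 2022
CertCentral: DNS CNAME DCV method now available for DV certificate orders
In CertCentral and the CertCentral Services API, you can now use the DNS CNAME domain control validation (DCV) method to validate the domains on your DV certificate order.
Note
Before, you could only use the DNS CNAME DCV method to validate the domains on OV and EV certificate orders and to prevalidate domains.
To use the DNS CNAME DCV method on a DV certificate order:
In CertCentral:
When ordering a DV TLS certificate, you can select DNS CNAME as the DCV method.
On the DV TLS certificate's Order details page, you can change the DCV method to DNS CNAME Record.
In the Services API:
When requesting a DV TLS certificate, set the value of the dcv_method request parameter to dns-cname-token.
Note
The AuthKey process for generating request tokens for immediate DV certificate issuance does not support the DNS CNAME DCV method. However, you can use the File Auth (http-token) and DNS TXT (dns-txt-token) DCV methods. For more information, visit DV certificate immediate issuance.
To learn more about the DNS CNAME DCV method:
For CertCentral:
For the Services API: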
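March 8, 2022
CertCentral Services API: Improved List domains endpoint response
To make it easier to find information about the domain control validation (DCV) status of the domains in your CertCentral account, we added these response parameters to the domain objects in the List domains API response:
dcv_approval_datetime: Completion date and time of the most recent DCV check for the domain.
last_submitted_datetime: Date and time the domain was last submitted for validation.
For more information, see the reference documentation for the List domains endpoint: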
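March 5, 2022
Upcoming scheduled maintenance
DigiCert will perform scheduled maintenance on March 5, 2022, 22:00 – 24:00 MDT (March 6, 2022, 5:00 – 7:00 UTC). During this time, some services may be down for up to two hours.
Infrastructure-related maintenance downtime
The infrastructure-related maintenance starts at 22:00 MDT (5:00 UTC). Then the services listed below may be down for up to two hours.
CertCentral™ TLS certificate issuance:
TLS certificate requests submitted during this time will fail
Failed requests should be resubmitted after services are restored
CIS and CertCentral™ SCEP:
Certificate Issuing Service (CIS) will be down
CertCentral Simple Certificate Enrollment Protocol (SCEP) will be down
Requests submitted during this time will fail
CIS APIs will return a "503 Service unavailable" error message
Failed requests should be resubmitted after services are restored
Direct Cert Portal new domain and organization validation:
New domains cannot be submitted for validation during this time
New organizations cannot be submitted for validation during this time
Failed requests should be resubmitted after services are restored
QuoVadis™ TrustLink™ certificate issuance:
TrustLink certificate requests submitted during this time will be delayed
However, requests will be added to a queue for later processing
Queued requests will be processed after services are restored
PKI Platform 8 new domain and organization validation:
New domains cannot be submitted for validation during this time
New organizations cannot be submitted for validation during this time
However, requests will be added to a queue for later processing
Queued requests will be processed after services are restored
What can I do?
Plan accordingly:
Schedule high-priority orders, renewals, and reissues before or after the maintenance window.
Expect interruptions if you use the APIs for immediate certificate issuance and other automated tasks.
To get live updates, subscribe to the DigiCert Status page. This subscription includes email alerts for when maintenance begins and when it ends.
For scheduled maintenance dates and times, see the DigiCert 2022 maintenance schedule.
Services will be restored as soon as the maintenance is completed.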
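February 17, 2022
CertCentral: Improved verified contact EV TLS certificate request approval process
In CertCentral and the CertCentral Services API, we updated the EV TLS certificate request process to send the EV TLS request approval emails only to the verified contacts included on the certificate request.
Note
Before, when you requested an EV TLS certificate, we sent the EV order approval emails to all the verified contacts for the organization.
Add verified contacts to an EV TLS certificate request:
CertCentral
When requesting an EV TLS certificate, you can:
Keep the existing verified contacts assigned to the organization
Remove contacts (at least one)
Add new contacts (we must validate each new contact, which may delay certificate issuance)
Services API
When requesting an EV TLS certificate, include the verified contacts in the organization.contacts array of your JSON request. For verified contacts, the value of the contact_type field is ev_approver.
For more information about EV TLS certificate requests:
For CertCentral, see Order an EV SSL/TLS certificate.
For the Services API, see Order Basic EV, Order Secure Site EV, and Order Secure Site Pro EV.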
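February 12, 2022
Expanding the range of IP addresses used for DigiCert services
During the scheduled maintenance on February 12, 2022, 22:00 – 24:00 MST (February 13, 2022, 05:00 – 07:00 UTC), DigiCert expanded the range of IP addresses used for its services. We added these IP addresses to increase service uptime and reduce service downtime during scheduled maintenance.
What do I need to do?
If your company uses allowlists*, update them by February 12, 2022, to include the block of IP addresses listed below so that your DigiCert services and API integrations keep working as expected.
Note
*Allowlists are lists for firewalls that only allow specified IP addresses to perform certain tasks or connect to your system.
New range of IP addresses
Add this range of IP addresses to your allowlist*: 216.168.240.0/20
Important
We are not replacing or removing any IP addresses. We are only expanding the range of IP addresses we use to deliver our services.
See our knowledge base article, Expanding range of IP addresses for DigiCert services. If you have questions, contact your account manager or DigiCert Support.
Affected services:
CertCentral/Services API
ACME
Discovery/API
Discovery sensor firewall settings
ACME automation/API
Certificate Issuing Service (CIS)
Simple Certificate Enrollment Protocol (SCEP)
API access URL
Direct Cert Portal/API
DigiCert website
Validation services
PKI Platform 8
PKI Platform 7 (Japan and Australia)
QuoVadis TrustLink
DigiCert ONE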
Account Manager
CA Manager
IoT Device Manager
Document Signing Manager
Secure Software Manager
Enterprise PKI Manager
Automation Manager
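February 9, 2022
CertCentral Services API: Domain info enhancement
We updated the Domain info API response to include the expiration_date parameter for the DCV token associated with the domain. Now, when you call the Domain info API and set the value of the include_dcv query parameter to true, the dcv_token object in the response includes the expiration_date of the DCV token for the domain.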
{ ... "dcv_token": { "token": "91647jw2bx280lr5shkfsxd0pv50ahvg", "status": "pending", "expiration_date": "2022-02-24T16:25:52+00:00" }, ... }
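February 8, 2022
Account security feature: Approved user email domains
CertCentral administrators can now specify the email domains for which users can create a CertCentral account. Use this setting to prevent emails from being sent to non-approved, generic email domains (@gmail.com, @yahoo.com) or to domains owned by third parties. If a user tries to set or change a user email address to a non-approved domain, they receive an error message.
Find this setting in Settings > Preferences. Expand Advanced settings, and look for the Approved email domains section.
Note
This setting does not affect existing users with non-approved email addresses. It only affects new users and email changes made after the setting is configured.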
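February 1, 2022
Verified Mark Certificates (VMC): Three new approved trademark offices
We are happy to announce that DigiCert now recognizes three more intellectual property offices for verifying the logo for your VMC certificate. These offices are in Korea, Brazil, and India.
New approved trademark offices:
Other approved trademark offices:
What is a Verified Mark Certificate?
Verified Mark Certificates (VMCs) are a new type of certificate that allows companies to place a certified brand logo next to the "sender" field in customer inboxes.
Recipients can see the logo before they open the message.
The logo acts as confirmation of your domain's DMARC status and your organization's authenticated identity.
Bug fix: Code signing (CS) certificate generation email sent only to the CS verified contact
We fixed a bug in the code signing (CS) certificate issuance process where we sent the certificate generation email only to the CS verified contact. This bug only happened when the requestor did not include a CSR with the code signing certificate request.
Now, for orders submitted without a CSR, we send the code signing certificate generation email to:
Certificate requestor
CS verified contact
Additional email addresses on the order
Note
DigiCert recommends submitting a CSR with your code signing certificate request. Currently, Internet Explorer is the only browser that supports key pair generation. See our knowledge base article: Keygen support to be dropped with Firefox 69.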
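January 25, 2022
Updates to OV and EV TLS certificate profiles
As part of aligning our DV, OV, and EV TLS certificate profiles, we made a minor change to the OV and EV TLS certificate profiles. On January 25, 2022, we set the Basic Constraints extension to non-critical in the OV and EV TLS certificate profiles.
Note
DV TLS certificates are issued with the Basic Constraints extension set to non-critical.
What do I need to do?
No action is required on your part. There is no difference in the certificate issuance process. However, if your TLS certificate process requires the Basic Constraints extension to be set to critical, contact your account manager or DigiCert Support immediately.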
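January 24, 2022
Improved Domains page, Validation status filter: Completed / Validated
On the Domains page, in the Validation status dropdown, we updated the Completed / Validated filter to make it easier to find domains with completed and active domain control validation (DCV).
Note
Before, when you searched for domains with Completed / Validated DCV, we returned all domains with completed DCV, including domains whose validation had expired.
Now, when you search for domains with Completed / Validated DCV, the search results only include domains with completed and active DCV. To find domains with expired DCV, use the Expired filter in the Validation status dropdown.
Find domains with completed and active DCV
In CertCentral, in the left main menu, go to Certificates > Domains.
On the Domains page, in the Validation status dropdown, select Completed / Validated.
CertCentral Services API: List domains enhancement
For the List domains API, we updated the filters[validation]=completed filter to make it easier to find domains validated for OV or EV certificate issuance.
Before, this filter returned all domains with completed DCV checks, including domains whose validation had expired. Now, the filter only returns domains with an active OV or EV domain validation status.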
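January 10, 2022
CertCentral Domains and Domain details pages: Improved domain validation tracking
We updated the Domains and Domain details pages to make it easier to track your domains' validation status and keep it up to date. These updates coincide with last year's industry changes to the domain validation reuse period*. Keeping your domain validation current reduces certificate issuance times for new, reissued, duplicate, and renewed certificates.
Note
*On October 1, 2021, the industry reduced all domain validation reuse periods to 398 days. DigiCert uses a 397-day domain validation reuse period to ensure certificates are not issued using expired domain validation. For more information about this change, see our knowledge base article: 2021 validation policy changes.
Domains page improvements
When you visit the Domains page (in the left main menu, select Certificates > Domains), you will see three new columns: DCV method, Validation status, and Validation expiration. Now you can view the domain control validation (DCV) method used to demonstrate control over the domain, the status of the domain's validation (pending, validated, expiring soon, and expired), and when the domain validation expires.
Because the OV and EV validation reuse periods are the same, we streamlined the Validation status sorting feature. Instead of showing separate filters for OV validation and EV validation, we show only one set of filters:
Completed / Validated
Pending validation
Expires in 0-7 days
Expires in 0-30 days
Expires in 31-60 days
Expires in 61-90 days
Expired
Domain details page improvements
When you visit a domain's details page (on the Domains page, select a domain), you will now see a status bar at the top of the page. The status bar shows the domain's validation status, when the domain's validation expires, when domain validation was most recently completed, and the DCV method used to demonstrate control over the domain.
We also updated the Domain validation status section of the page. We replaced the separate entries for OV and EV domain validation status with one entry: Domain validation status.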
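January 8, 2022
Upcoming scheduled maintenance
DigiCert will perform scheduled maintenance on January 8, 2022, 22:00 – 24:00 MDT (January 9, 2022, 05:00 – 07:00 UTC). Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.
What can I do?
Plan accordingly:
Schedule high-priority orders, renewals, and reissues before or after the maintenance window.
Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.
To get live updates, subscribe to the DigiCert Status page. This subscription includes email alerts for when maintenance begins and when it ends.
For scheduled maintenance dates and times, see DigiCert 2022 scheduled maintenance.
Services will be restored as soon as the maintenance is completed.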
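December 7, 2021
CertCentral Report Library now available
We are happy to announce that the CertCentral Report Library is now available for CertCentral Enterprise and CertCentral Partner.* The Report Library is a powerful reporting tool that lets you download more than 1000 records at a time. Use the Report Library to build, schedule, organize, and export reports to share and reuse.
The Report Library includes six customizable reports: Orders, Organizations, Balance history, Audit log, Domains, and Fully qualified domain names (FQDN). When building a report, you control the details and information that appear in the report, configure the columns and column order, schedule how often the report runs (once, weekly, or monthly), and choose the report format (CSV, JSON, or Excel). In addition, you receive a notice when a report is ready for download in your account.
To build your first report:
In CertCentral, in the left main menu, select Reports.
Only CertCentral administrators can use the Report Library. CertCentral managers, finance managers, standard users, and limited users do not have access to Reports in their accounts.
On the Report library page, select Build a report.
To learn more about building reports:
Important
*Don't see the Report Library in your account? Contact your account manager or DigiCert Support for help.
CertCentral Report Library API also available
We are pleased to announce the release of the CertCentral Report Library API! With this new API service, you can use key features of the Report Library in your CertCentral API integrations, including building reports and downloading report results*.
See the Report Library API documentation to learn more about including the Report Library in your API integrations.
Important
*To use the CertCentral Report Library API, the Report Library must be enabled for your CertCentral account. For help activating the Report Library, contact your account manager or DigiCert Support.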
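Bug fix: Unique organization name check did not include the assumed name
We updated our unique organization name check to include the assumed name (doing business as name) when creating an organization.
Note
Before, in CertCentral and the CertCentral Services API, when you tried to create an organization with the same name as an existing organization, we returned an error and did not let you create the organization, even if the assumed name (DBA) was different.
Now, when you create an organization, we include the assumed name in the unique organization check. Therefore, you can create organizations with the same name, as long as each organization has a unique assumed name.
For example:
First organization: No assumed name
Name: Your organization
Assumed name:
Second organization: Name plus unique assumed name
Name: Your organization
Assumed name: Organization assumed name
Creating organizations
In CertCentral and the CertCentral Services API, you can create an organization to submit for prevalidation or when you order a TLS/SSL certificate. This change applies to both processes.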
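CertCentral: DigiCert now issues client certificates from the DigiCert Assured ID Client CA G2 intermediate CA certificate
To remain compliant with industry standards, DigiCert had to replace the intermediate CA (ICA) certificate used to issue CertCentral client certificates.
CertCentral client certificate profiles that used the DigiCert SHA2 Assured ID CA intermediate CA certificate now use the DigiCert Assured ID Client CA G2 intermediate CA certificate. This change also changes the root certificate from DigiCert Assured ID Root CA to DigiCert Assured ID Root G2.
Old ICA and root certificates
(ICA) DigiCert SHA2 Assured ID CA
(Root) DigiCert Assured ID Root CA
New ICA and root certificates
(ICA) DigiCert Assured ID Client CA G2
(Root) DigiCert Assured ID Root G2
For more information, see DigiCert ICA Update. To get a copy of the new intermediate CA certificate, see DigiCert Trusted Root Authority Certificates.
Do you still need your client certificate to chain to the DigiCert Assured ID Root CA certificate? Contact your account manager or DigiCert Support.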
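December 4, 2021
Upcoming scheduled maintenance
DigiCert will perform scheduled maintenance on December 4, 2022, 22:00 – 24:00 MDT (December 5, 2022, 05:00 – 07:00 UTC). Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.
What can I do?
Plan accordingly:
Schedule high-priority orders, renewals, and reissues before or after the maintenance window.
Expect interruptions if you use the APIs for immediate certificate issuance and other automated tasks.
To get live updates, subscribe to the DigiCert Status page. This subscription includes email alerts for when maintenance begins and when it ends.
For scheduled maintenance dates and times, see DigiCert 2021 scheduled maintenance.
Services will be restored as soon as the maintenance is completed.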
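November 16, 2021
Industry changes to file-based DCV (HTTP Practical Demonstration, file auth, file, HTTP token, and HTTP auth)
To comply with new industry standards for the file-based domain control validation (DCV) method, you can only use file-based DCV to demonstrate control over fully qualified domain names (FQDNs), exactly as named.
To learn more about the industry change, see Domain validation policy changes in 2021.
How does this affect me?
As of November 16, 2021, you must use one of the other supported DCV methods, such as Email, DNS TXT, and CNAME, to:
Validate wildcard domains (*.example.com)
Include subdomains in the domain validation when validating the higher-level domain. For example, if you want to cover www.example.com when you validate the higher-level domain example.com.
Prevalidate entire domains and subdomains.
To learn more about the supported DCV methods for DV, OV, and EV certificate requests:
CertCentral: Pending certificate requests and domain prevalidation using file-based DCV
Pending certificate requests
If you have a pending certificate request with incomplete file-based DCV checks, you may need to switch DCV methods* or use the file-based DCV method to demonstrate control over every fully qualified domain name, exactly as named, on the request.
Important
*For certificate requests with incomplete file-based DCV checks for wildcard domains, you must use a different DCV method.
To learn more about the supported DCV methods for DV, OV, and EV certificate requests:
Domain prevalidation
If you plan to use the file-based DCV method to prevalidate an entire domain or entire subdomain, you must use a different DCV method.
To learn more about the supported DCV methods for domain prevalidation, see Supported domain control validation (DCV) methods for domain prevalidation.
CertCentral Services API
If you use the CertCentral Services API to order certificates or submit domains for prevalidation using file-based DCV (http-token), this change may affect your API integrations. To learn more, visit File-based domain control validation (http-token).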
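November 6, 2021
Upcoming scheduled maintenance
DigiCert will perform scheduled maintenance on November 6, 2021, 22:00 – 24:00 MDT (November 7, 2021, 04:00 – 06:00 UTC).
CertCentral infrastructure-related maintenance downtime
We will start this infrastructure-related maintenance between 22:00 and 22:10 MDT (04:00 and 04:10 UTC). Then, for approximately 30 minutes, the following services will be down:
DV certificate issuance for CertCentral, ACME, and ACME agent automation
DV certificate requests submitted during this time will fail
APIs will return a "cannot connect" error
Failed requests should be resubmitted after services are restored
CIS and SCEP
Certificate Issuing Service (CIS) will be down
Simple Certificate Enrollment Protocol (SCEP) will be down
DigiCert will be unable to issue certificates for CIS and SCEP
APIs will return a "cannot connect" error
Requests that return "cannot connect" errors should be resubmitted after services are restored
QuoVadis TrustLink certificate issuance
TrustLink certificate requests submitted during this time will fail
However, failed requests will be added to a queue for later processing
Queued requests will be processed after services are restored, as required
This maintenance only affects DV certificate issuance, CIS, SCEP, and TrustLink certificate issuance. It does not affect any other DigiCert platforms or services.
PKI Platform 8 maintenance
We will start the PKI Platform 8 maintenance at 22:00 MDT (04:00 UTC). Then, for approximately 30 minutes, PKI Platform 8 will experience service delays and performance degradation that affect:
Signing in and using PKI Platform 8 to perform in-console certificate lifecycle tasks.
Using any of the corresponding PKI Platform 8 APIs or protocols (for example, SOAP, REST, SCEP, and EST) to perform certificate lifecycle operations.
Performing certificate lifecycle tasks and operations:
Enrolling certificates: new, renewal, or reissue
Adding domains and organizations
Submitting validation requests
Viewing reports, revoking certificates, and creating profiles
Adding users, viewing certificates, and downloading certificates
Certificate issuance for PKI Platform 8 and its corresponding API.
Additionally:
APIs will return a "cannot connect" error.
Certificate enrollments that receive "cannot connect" errors must be resubmitted after DigiCert restores services.
The PKI Platform 8 maintenance only affects PKI Platform 8. It does not affect any other DigiCert platforms or services.
What can I do?
Plan accordingly:
Schedule high-priority orders, renewals, and reissues before or after the maintenance window.
Expect interruptions if you use the APIs for immediate certificate issuance and other automated tasks.
To get live updates, subscribe to the DigiCert Status page. This subscription includes email alerts for when maintenance begins and when it ends.
For scheduled maintenance dates and times, see DigiCert 2021 scheduled maintenance.
Services will be restored as soon as the maintenance is completed.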
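October 2, 2021
Upcoming scheduled maintenance
DigiCert will perform scheduled maintenance on October 2, 2021, 22:00 – 24:00 MST (October 3, 2021, 04:00 – 06:00 UTC).
CertCentral, CIS, SCEP, Direct Cert Portal, and DigiCert ONE maintenance
DigiCert will perform scheduled maintenance. Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.
PKI Platform 8 maintenance and downtime:
DigiCert will perform scheduled maintenance on PKI Platform 8. During this time, PKI Platform 8 and its corresponding API will be down for approximately 20 minutes. We will start the PKI Platform 8 maintenance at 22:00 MDT (04:00 UTC).
For approximately 20 minutes:
You will be unable to sign in and use PKI Platform 8 to perform in-console certificate lifecycle tasks.
You will be unable to use any of the corresponding PKI Platform 8 APIs or protocols (for example, SOAP, REST, SCEP, and EST) to perform certificate lifecycle operations.
You will be unable to:
Enroll certificates: new, renewal, or reissue
Add domains and organizations
Submit validation requests
View reports, revoke certificates, and create profiles
Add users, view certificates, and download certificates
DigiCert will be unable to issue certificates for PKI Platform 8 and its corresponding API.
APIs will return a "cannot connect" error.
Certificate enrollments that receive "cannot connect" errors must be resubmitted after DigiCert restores services.
The PKI Platform 8 maintenance only affects PKI Platform 8. It does not affect any other DigiCert platforms or services.
What can I do?
Plan accordingly:
Schedule high-priority orders, renewals, and reissues before or after the maintenance window.
Expect interruptions if you use the APIs for immediate certificate issuance and other automated tasks.
To get live updates, subscribe to the DigiCert Status page. This subscription includes email alerts for when maintenance begins and when it ends.
For scheduled maintenance dates and times, see DigiCert 2021 scheduled maintenance.
Services will be restored as soon as the maintenance is completed.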
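September 11, 2021
Upcoming scheduled maintenance
DigiCert will perform scheduled maintenance on September 11, 2021, between 22:00 – 24:00 MST (September 12, 2021, between 04:00 – 06:00 UTC).
CertCentral, CIS, SCEP, Direct Cert Portal, and DigiCert ONE maintenance
DigiCert will perform scheduled maintenance. Although we have redundancies in place to protect your services, some DigiCert services may be unavailable during this time.
PKI Platform 8 maintenance and downtime:
DigiCert will perform scheduled maintenance on PKI Platform 8. During this time, PKI Platform 8 and its corresponding API will be down for approximately 60 minutes.
The PKI Platform 8 maintenance starts at 22:00 MDT (04:00 UTC).
For approximately 60 minutes:
You will be unable to sign in and use PKI Platform 8 to perform in-console certificate lifecycle tasks.
You will be unable to use any of the corresponding PKI Platform 8 APIs or protocols (for example, SOAP, REST, SCEP, and EST) to perform certificate lifecycle operations.
You will be unable to:
Enroll certificates: new, renew, or reissue
Add domains and organizations
Submit validation requests
View reports, revoke certificates, and create profiles
Add users, view certificates, and download certificates
DigiCert will be unable to issue certificates for PKI Platform 8 and its corresponding API.
APIs will return a "cannot connect" error.
Certificate enrollments that receive a "cannot connect" error must be resubmitted after DigiCert restores services.
The PKI Platform 8 maintenance only affects PKI Platform 8. It does not affect any other DigiCert platforms or services.
What can I do?
Plan accordingly:
Schedule high-priority orders, renewals, and reissues before or after the maintenance window.
Expect interruptions if you use the APIs for immediate certificate issuance and other automated tasks.
To get live maintenance updates, subscribe to the DigiCert Status page. The subscription includes email alerts for when maintenance starts and when it ends.
For scheduled maintenance dates and times, see DigiCert 2021 scheduled maintenance.
Services will be restored as soon as the maintenance is completed.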
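September 8, 2021
CertCentral Services API: Domain management enhancements
To make it easier to maintain active validation for the domains in your account, we added new filters, response fields, and a new endpoint to our domain management APIs. With these updates, you can:
Find domains with OV and EV validation reuse periods that are expired or expiring soon.
Find domains affected by the September 27, 2021 policy change to shorten OV domain validation reuse periods.*
Enhanced APIs: List domains and List subaccount domains
Added validation filter values
On September 27, 2021*, existing OV domain validation reuse periods will be shortened to 397 days from the date the validation was completed. For some domains, the shortened validation period will have already expired, or will expire before the end of 2021. To help you find these domains so you can resubmit them for validation, we added a new value for the validation filter: shortened_by_industry_changes. We also added filter values to help you find domains with OV or EV domain validation periods that expire in different timeframes. The new validation filter values include:
shortened_by_industry_changes
ov_expired_in_last_7_days
ov_expiring_within_7_days
ov_expiring_within_30_days
ov_expiring_from_31_to_60_days
ov_expiring_from_61_to_90_days
ev_expired_in_last_7_days
ev_expiring_within_7_days
ev_expiring_within_30_days
ev_expiring_from_31_to_60_days
ev_expiring_from_61_to_90_days
Added fields to the dcv_expiration object
You can now submit a request that returns the following fields in the dcv_expiration object: ov_shortened, ov_status, ev_status, and dcv_approval_date. These fields are only returned if your request includes the newly added query string filters[include_validation_reuse_status]=true.
Added dcv_method filter
We added the option to filter domains by domain control validation (DCV) method. To use this filter, append the query string filters[dcv_method]={{value}} to the request URL. Possible values are email, dns-cname-token, dns-txt-token, http-token, and http-token-static.
Enhanced API: Domain info
You can now submit a request to the Domain info endpoint that returns the following fields in the dcv_expiration object: ov_shortened, ov_status, ev_status, and dcv_approval_date. These fields are only returned if your request includes the newly added query string include_validation_reuse_status=true.
New API: Expiring domains count
We added a new endpoint that returns the number of domains in your account with expired or expiring OV or EV domain validations. For more information, see Expiring domains count.
*On September 27, 2021, the expiration date for existing OV domain validations will be shortened to 397 days from the date the validation was completed. Learn more about this policy change: Domain validation changes in 2021.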
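September 7, 2021
CertCentral Services API: Get orders by alternative order ID
We created a new endpoint that makes it easier to get certificate order details using alternative order IDs: Get orders by alternative order ID. This endpoint returns the order ID, certificate ID, and order status of certificate orders with the alternative_order_id you provide in the URL path.
August 23, 2021
DV certificate bug fix
We fixed a bug that changed the reissue workflow for DV certificates. After August 24, 2021, when you reissue a DV certificate and change or remove SANs, the original certificate and any previously reissued or duplicate certificates are revoked after 72 hours.
August 20, 2021
Wildcard changes
We updated the behavior for products that can use wildcard domain names and fully qualified domain names (FQDNs) in a certificate. After August 23, 2021, certificates containing a wildcard domain name will only secure the FQDN and all of its same-level domain names at no charge.
Subject Alternative Names (SANs) that are not at the same level as the wildcard domain name will be considered additional to the wildcard coverage. For example, a wildcard certificate for *.digicert.com will only allow FQDNs like one.digicert.com, two.digicert.com, and three.digicert.com to be included as SANs in the certificate at no charge.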
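August 7, 2021
Upcoming scheduled maintenance
DigiCert will perform scheduled maintenance on August 7, 2021, between 22:00 – 24:00 MST (August 8, 2021, between 04:00 – 06:00 UTC). Although we have redundancies in place to protect your services, some DigiCert services may be unavailable during this time.
What can I do?
Plan accordingly:
Schedule high-priority orders, renewals, and reissues before or after the maintenance window.
To get live maintenance updates, subscribe to the DigiCert Status page. This includes email alerts for when maintenance starts and when it ends.
For scheduled maintenance dates and times, see DigiCert 2021 scheduled maintenance.
Services will be restored as soon as the maintenance is completed.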
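July 12, 2021
Verified Mark Certificates now available
Verified Mark Certificates (VMCs) are a new type of certificate that allows companies to place a certified brand logo next to the "sender" field in customer inboxes, visible before the message is even opened, as confirmation of your domain's DMARC status and your organization's authenticated identity. Learn more about VMC certificates.
To disable or change the availability of VMC in your account, visit the Product Settings page.
Note
If you do not see VMCs in your account, it may be because we are not yet offering the product to all account types. It is also possible that the product is available, but one of your CertCentral account administrators turned it off in Product Settings.
CertCentral Services API: Verified Mark Certificate enhancements
To help you manage your Verified Mark Certificate (VMC) orders in your API integrations, we made the following updates to the CertCentral Services API.
New endpoints:
Order Verified Mark Certificate
We added a new endpoint - Order Verified Mark Certificate - that you can use to create or renew a VMC order.
Update VMC order
We added a new endpoint - Update VMC order - that you can use to update the trademark country code or registration number of a pending VMC order.
Validate VMC logo format (SVG or encoded)
We added two new endpoints - Validate logo format (SVG) and Validate logo format (encoded) - that you can use to check whether an SVG file is formatted to meet VMC requirements.
Upload VMC logo (SVG or encoded)
We added two new endpoints - Upload VMC logo (SVG) and Upload VMC logo (encoded) - that you can use to upload the logo for a pending VMC order.
Get VMC logo
We added a new endpoint - Get VMC logo - that you can use to download the logo for a VMC order.
Updated endpoints:
To learn more about managing VMC certificates from your API integrations, visit Verified Mark Certificate workflow.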
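July 10, 2021
Upcoming scheduled maintenance
DigiCert will perform scheduled maintenance on July 10, 2021, between 22:00 – 24:00 MST (July 11, 2021, between 04:00 – 06:00 UTC).
During maintenance, the services specified under Service downtime will be down for approximately 60 minutes. Depending on the scope of the maintenance, the services specified under Service interruptions may experience a brief interruption of 10 minutes.
Service downtime
From 22:00 – 23:00 MDT (04:00 – 05:00 UTC), while we perform database-related maintenance, the following services will be down for up to 60 minutes:
CertCentral / Services API
Direct Cert Portal / API
ACME
Discovery / API
ACME agent automation / API
Note
API note: Affected APIs will return a "cannot connect" error. Certificate-related API requests that return a "cannot connect" error message during this window will need to be resubmitted after services are restored.
Service interruptions
While we perform infrastructure maintenance, the following DigiCert services will experience a brief interruption of 10 minutes:
Certificate Issuing Service (CIS)
Simple Certificate Enrollment Protocol (SCEP)
DigiCert ONE
Automation service
CT Log monitoring
Vulnerability assessment
PCI compliance scans
Services not affected
The maintenance activities do not affect these services:
PKI Platform 8
PKI Platform 7
QuoVadis TrustLink
What can I do?
Plan accordingly:
Schedule high-priority orders, renewals, and reissues before or after the maintenance window.
Expect interruptions if you use the APIs for immediate certificate issuance and other automated tasks.
To get live maintenance updates, subscribe to the DigiCert Status page. This includes email alerts for when maintenance starts and when it ends.
For scheduled maintenance dates and times, see DigiCert 2021 scheduled maintenance.
Services will be restored as soon as the maintenance is completed.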
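June 5, 2021
Upcoming scheduled maintenance
DigiCert will perform scheduled maintenance on July 5, 2021, between 22:00 – 24:00 MST (July 6, 2021, between 04:00 – 06:00 UTC). Although we have redundancies in place to protect your services, some DigiCert services may be unavailable during this time.
What can I do?
Plan accordingly:
Schedule high-priority orders, renewals, and reissues before or after the maintenance window.
To get live maintenance updates, subscribe to the DigiCert Status page. This includes email alerts for when maintenance starts and when it ends.
For scheduled maintenance dates and times, see DigiCert 2021 scheduled maintenance.
Services will be restored as soon as the maintenance is completed.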
June 3, 2021
CertCentral Services API: Improved domains array in OV/EV order response
To make it easier to see how the Services API groups the domains on your OV/EV TLS certificate orders for validation, we added a new response parameter to the endpoints for submitting certificate order requests: domains[].dns_name.*
The dns_name parameter returns the common name or SAN of the domain on the order. To prove you control this domain, you must have an active validation for the domain associated with the domains[].name and domains[].id key/value pairs.
Example OV certificate order
{
  "certificate": {
    "common_name": "sub1.example.net",
    "dns_names": [
      "sub2.sub1.example.net",
      "sub3.sub2.sub1.example.net"
    ],
    "csr": {{csr}}
  },
  "organization": {
    "id": {{organization_id}}
  },
  "dcv_method": "email",
  "order_validity": {
    "years": 1
  }
}
{
  "id": 137368217,
  "domains": [
    {
      "id": 3530297,
      "name": "example.net",
      "dns_name": "sub1.example.net"
    },
    {
      "id": 3530297,
      "name": "example.net",
      "dns_name": "sub2.sub1.example.net"
    },
    {
      "id": 3530297,
      "name": "example.net",
      "dns_name": "sub3.sub2.sub1.example.net"
    }
  ],
  "certificate_id": 138305304
}
The Services API returns the domains[].dns_name parameter in the JSON response for the following endpoints:
Note
*Only order requests for OV/EV TLS certificates return a domains array.
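May 27, 2021
Industry moves to 3072-bit key minimum RSA code signing certificates
Starting May 27, 2021, to comply with new industry standards for code signing certificates, DigiCert made the following changes to our code signing certificate process.
Stop issuing 2048-bit key code signing certificates
Only issue 3072-bit key or stronger code signing certificates
Use 4096-bit key intermediate CA and root certificates to issue our code signing certificates.
See Appendix A in the Baseline Requirements for the Issuance and Management of Publicly-Trusted Code Signing Certificates to learn more about these industry changes.
How do these changes affect my existing 2048-bit key certificates?
All existing 2048-bit key code signing certificates issued before May 27, 2021, remain active. You can continue to use these certificates to sign code until they expire.
What if I need 2048-bit key code signing certificates?
Take these actions, as needed, before May 27, 2021:
Order new 2048-bit key certificates
Renew expiring 2048-bit key certificates
Reissue 2048-bit key certificates
How do these changes affect my code signing certificate process starting May 27, 2021?
Reissues for code signing certificates
Starting May 27, 2021, all reissued code signing certificates will be:
3072-bit key or stronger. See eTokens for EV code signing certificates and HSMs for EV code signing certificates below.
Automatically issued from new intermediate CA and root certificates. See New ICA and root certificates below.
New and renewed code signing certificates
Starting May 27, 2021, all new and renewed code signing certificates will be:
3072-bit key or stronger. See eTokens for EV code signing certificates and HSMs for EV code signing certificates below.
Automatically issued from new intermediate CA and root certificates. See New ICA and root certificates below.
CSRs for code signing certificates
Starting May 27, 2021, you must use a 3072-bit RSA key or larger to generate all certificate signing requests (CSRs). We will no longer accept 2048-bit key CSRs for code signing certificate requests.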
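A pre-submission check for the CSR requirement above, as an added example (not DigiCert code): it walks the PKCS#10 DER structure with the standard library only and reports the RSA modulus size. The function names are hypothetical, and the sample CSRs are constructed and unsigned, built only to exercise the parser.

```python
import base64

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 (rsaEncryption)
MIN_CODE_SIGNING_RSA_BITS = 3072               # minimum stated in this changelog entry

def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                          # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end

def children(content):
    """Split the content of a constructed element into (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out

def csr_rsa_bits(csr):
    """Return the RSA modulus size in bits of a PKCS#10 CSR given as PEM or DER bytes."""
    if b"-----BEGIN" in csr:
        lines = [l for l in csr.splitlines() if l and not l.startswith(b"-----")]
        csr = base64.b64decode(b"".join(lines))
    tag, body, _ = read_tlv(csr)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    try:
        info = children(children(body)[0][1])  # version, subject, subjectPKInfo, attributes
        spki = children(info[2][1])            # algorithm, subjectPublicKey (BIT STRING)
        if children(spki[0][1])[0] != (0x06, RSA_OID):
            raise ValueError("public key is not RSA")
        rsa_key = children(spki[1][1][1:])[0][1]   # skip the BIT STRING unused-bits byte
        modulus = children(rsa_key)[0][1]
    except IndexError:
        raise ValueError("not a PKCS#10 request") from None
    return int.from_bytes(modulus, "big").bit_length()

def meets_code_signing_minimum(csr):
    return csr_rsa_bits(csr) >= MIN_CODE_SIGNING_RSA_BITS

# --- constructed sample input (unsigned, structure only) ---
def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_int(value):
    # bit_length // 8 + 1 bytes always leaves the sign bit clear (positive INTEGER)
    return der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def constructed_csr(bits):
    """Build a CSR-shaped DER blob whose RSA modulus has exactly `bits` bits."""
    rsa_key = der(0x30, der_int((1 << (bits - 1)) | 1) + der_int(65537))
    alg = der(0x30, der(0x06, RSA_OID) + der(0x05, b""))
    spki = der(0x30, alg + der(0x03, b"\x00" + rsa_key))
    info = der(0x30, der_int(0) + der(0x30, b"") + spki + der(0xA0, b""))
    sig_alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
    return der(0x30, info + sig_alg + der(0x03, b"\x00" * 9))

if __name__ == "__main__":
    for size in (2048, 3072, 4096):
        print(size, meets_code_signing_minimum(constructed_csr(size)))
```

The check reads only the key size; it does not verify the CSR signature, so it belongs in front of, not instead of, normal CSR validation.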
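eTokens for EV code signing certificates
Starting May 27, 2021, you must use an eToken that supports 3072-bit keys when you reissue, order, or renew an EV code signing certificate.
When you order or renew an EV code signing certificate, DigiCert includes a 3072-bit eToken with your purchase. DigiCert provides an eToken with the Preconfigured Hardware Token provisioning option.
When you reissue your EV code signing certificate, you must provide your own 3072-bit eToken. If you don't have one, you will be unable to install your reissued certificate on your eToken.
You must have a FIPS 140-2 Level 2 or Common Criteria EAL4+ compliant device.
HSMs for EV code signing certificates
Starting May 27, 2021, you must use an HSM that supports 3072-bit keys. Contact your HSM vendor for more information.
New ICA and root certificates
Starting May 27, 2021, DigiCert will issue all new code signing certificates (new, renewed, and reissued) from our new RSA and ECC intermediate CA and root certificates.
RSA ICA and root certificates:
DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
DigiCert Trusted Root G4
ECC ICA and root certificates:
DigiCert Global G3 Code Signing ECC SHA384 2021 CA1
DigiCert Global Root G3
No action is required unless you practice certificate pinning, hard code certificate acceptance, or operate a trust store.
If you do any of these things, we recommend updating your environment as soon as possible.
Stop pinning and hard coding ICAs, or make the necessary changes to ensure certificates issued from the new ICAs are trusted (in other words, they can chain up to their updated ICA and trusted root).
References
To learn more about the code signing certificate changes, see Code signing changes in 2021.
To get copies of the new intermediate CA and root certificates, see DigiCert Trusted Root Authority Certificates.
If you have questions or concerns, please contact your account manager or our support team.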
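May 12, 2021
Site seal bug fix
We fixed a bug that allowed site seals to display on fully qualified domain names (FQDNs) that were not included in the certificate. Now, seals only display when there is an exact FQDN match.
May 1, 2021
Upcoming scheduled maintenance
DigiCert will perform scheduled maintenance on May 1, 2021, between 22:00 – 24:00 MST (May 2, 2021, between 04:00 – 06:00 UTC).
For up to 10 minutes total during the two-hour window, we will be unable to issue certificates for the DigiCert platforms, their corresponding APIs, immediate certificate issuance, and those using the APIs for automated tasks.
Affected services:
CertCentral / Services API
ACME
ACME agent automation / API
Direct Cert Portal / API
Certificate Issuing Service (CIS)
Simple Certificate Enrollment Protocol (SCEP)
QuoVadis TrustLink
Note
API note:
APIs will return a "cannot connect" error.
Certificate requests submitted during this window that receive a "cannot connect" error message will need to be resubmitted after services are restored.
Services not affected
PKI Platform 8
PKI Platform 7
DigiCert ONE managers
What can I do?
Plan accordingly:
Schedule high-priority orders, renewals, and reissues before or after the maintenance window.
Expect interruptions if you use the APIs for immediate certificate issuance and other automated tasks.
To get live maintenance updates, subscribe to the DigiCert Status page. This includes email alerts for when maintenance starts and when it ends.
For scheduled maintenance dates and times, see DigiCert 2021 scheduled maintenance.
Services will be restored as soon as the maintenance is completed.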
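April 29, 2021
CertCentral Services API: Domain validation status in Domain info response
To make it easier to get a comprehensive validation status for your domains, DigiCert is deprecating the status parameter in the Domain info response. To ensure you are getting complete and accurate status information for each different validation type on your domains, use the validations array instead when you call the Domain info endpoint from your API integrations.
Note
The Domain info endpoint will continue to return a status parameter value.
Background
In the Domain info response, the status parameter is designed to return a single string value. When DigiCert offered fewer products, a single value in the API was enough to represent the validation status for your domains.
Now, DigiCert offers certificate products that use many different types of validation. Different validation types have different requirements, and these requirements change as industry standards evolve. As DigiCert validates your domains for different types of certificate issuance, each type of validation that you request can be in a different state.
The OV validation for a domain may be completed.
The EV validation for the same domain may be expired.
As a result, DigiCert can no longer use a single value to return comprehensive information about the validation status for a domain.
Instead of relying on a single value, use the Domain info endpoint to request a validations array, a list of objects with status information for each type of validation on the domain. To get this data, include the query parameter include_validation=true when you submit your request.
Request with the include_validation=true parameter:
https://www.digicert.com/services/v2/domain/{{domain_id}}?include_validation=true
{
  ...
  "validations": [
    {
      "type": "ov",
      "name": "OV",
      "description": "Normal Organization Validation",
      "validated_until": "2023-07-31T14:51:31+00:00",
      "status": "active",
      "dcv_status": "complete"
    },
    {
      "type": "ev",
      "name": "EV",
      "description": "Extended Organization Validation (EV)",
      "validated_until": "2022-05-27T14:51:31+00:00",
      "status": "active",
      "dcv_status": "complete"
    }
  ],
  ...
}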
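One way an integration can consume the validations array instead of the deprecated single status value, as an added example (not DigiCert code). The function names and the state labels are hypothetical; the sample response is constructed from the fields shown above, with the top-level id, name, and status values made up for the illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample modelled on the Domain info response shown above.
SAMPLE_DOMAIN_INFO = json.loads("""
{
  "id": 1, "name": "example.com", "status": "active",
  "validations": [
    {"type": "ov", "name": "OV", "validated_until": "2023-07-31T14:51:31+00:00",
     "status": "active", "dcv_status": "complete"},
    {"type": "ev", "name": "EV", "validated_until": "2022-05-27T14:51:31+00:00",
     "status": "active", "dcv_status": "complete"}
  ]
}
""")

def validation_report(domain_info, now, warn_days=30):
    """Map each validation type to 'ok', 'expiring', 'expired' or 'incomplete'.

    The verdict is computed per validation type from the validations array;
    the top-level status field is deliberately never consulted.
    """
    report = {}
    for item in domain_info.get("validations", []):
        until = item.get("validated_until")
        if (item.get("status") != "active"
                or item.get("dcv_status") != "complete"
                or until is None):
            state = "incomplete"
        else:
            days_left = (datetime.fromisoformat(until) - now).days
            if days_left < 0:
                state = "expired"
            elif days_left <= warn_days:
                state = "expiring"
            else:
                state = "ok"
        report[item["type"]] = state
    return report

def usable_for(domain_info, validation_type, now):
    """True if the domain currently holds a valid validation of the given type."""
    state = validation_report(domain_info, now).get(validation_type, "missing")
    return state in ("ok", "expiring")

if __name__ == "__main__":
    for day in (datetime(2022, 5, 1, tzinfo=timezone.utc),
                datetime(2022, 6, 1, tzinfo=timezone.utc)):
        print(day.date(), validation_report(SAMPLE_DOMAIN_INFO, day))
```

With the sample data, the EV validation moves from expiring to expired between the two dates while OV stays valid, which is exactly the split a single status string cannot express.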
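April 28, 2021
CertCentral Services API: Site seal enhancements
To help you manage your site seals in your API integrations, we made the following updates to the CertCentral Services API:
Related topics:
April 26, 2021
CertCentral Services API: Revoke certificate by serial number
To make it easier to manage certificates from your API integrations, we updated the Revoke certificate endpoint path to accept the certificate ID or the serial number of the certificate to revoke. Previously, the Revoke certificate endpoint path only accepted the certificate ID.
https://www.digicert.com/services/v2/certificate/{{certificate_id}}/revoke
https://www.digicert.com/services/v2/certificate/{{serial_number}}/revoke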
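April 20, 2021
DigiCert Smart Seal now available with Secure Site Pro and Secure Site TLS/SSL certificates
We are happy to announce the release of our new site seal, the DigiCert Smart Seal. The new Smart Seal works with your Secure Site Pro and Secure Site TLS certificates to assure your customers that your website is secured by DigiCert, one of the most recognized names in TLS/SSL security.
To make the Smart Seal more interactive and engaging, we added a hover-over effect, an animation, and the ability to display your company logo in the hover-over effect and animation feature.
Hover-over effect
When visitors hover over the seal, it magnifies and shows additional details.
Animation
When visitors arrive at your site, the seal slowly alternates between the seal and the additional details.
Logo*
Add your logo to the hover-over effect and the site seal animation. Your logo appears with the additional details.
*DigiCert must approve your logo before it appears in the Smart Seal on your website.
Note
You must install the new site seal code on your website to use the Smart Seal image, the hover-over effect, the animation, and to add your logo to the site seal.
Improved site seal information page
Secure Site and Secure Site Pro certificates allow you to add information to the site seal information page. This additional information lets site visitors see the steps you are taking to keep your website secure.
Malware scan
Site visitors can see that you monitor your website for viruses and malware.
CT log monitoring
Site visitors can see that you monitor the certificate transparency logs, allowing you to act quickly if a bad actor issues a certificate for your domain.
Note
CT log monitoring is only available with Secure Site Pro certificates. PCI compliance scan is only available with Secure Site Pro and Secure Site EV certificates.
Blocklist
Site visitors can see that your business is clear of government and country-specific blocklists.
PCI compliance scan
Site visitors can see that you monitor your website to ensure it complies with PCI DSS standards.
Note
PCI compliance scan is only available with Secure Site Pro and Secure Site EV certificates.
Verified customer
Site visitors can see how long you have been using one of the most trusted names in TLS/SSL certificates to protect your website.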
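April 3, 2021
Upcoming scheduled maintenance
DigiCert will perform scheduled maintenance on April 3, 2021, between 22:00 – 24:00 MST (April 4, 2021, between 04:00 – 06:00 UTC).
During maintenance, for up to 10 minutes, we will be unable to issue certificates for the DigiCert platforms, their corresponding APIs, immediate certificate issuance, and those using the APIs for other automated tasks.
Affected services
For approximately 10 minutes, DigiCert will be unable to issue certificates for these services and APIs:
CertCentral / Services API
ACME
ACME agent automation / API
Direct Cert Portal / API
Certificate Issuing Service (CIS)
Simple Certificate Enrollment Protocol (SCEP)
QuoVadis TrustLink
Note
API note
APIs will return a "cannot connect" error.
Certificate requests submitted during this window that receive a "cannot connect" error message will need to be resubmitted after services are restored.
Services not affected
The maintenance activities do not affect these services:
PKI Platform 8 / API
PKI Platform 8 SCEP
PKI Platform 7 / API
PKI Platform 7 SCEP
DigiCert ONE managers
What can I do?
Plan accordingly:
Schedule high-priority orders, renewals, and reissues before or after the maintenance window.
Expect interruptions if you use the APIs for immediate certificate issuance and other automated tasks.
To get live maintenance updates, subscribe to the DigiCert Status page. This includes email alerts for when maintenance starts and when it ends.
For scheduled maintenance dates and times, see DigiCert 2021 scheduled maintenance.
Services will be restored as soon as the maintenance is completed.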
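March 20, 2021
PKI Platform 8 critical maintenance
DigiCert will perform critical maintenance on the PKI Platform 8 Partner Lab on March 20, 2021, between 18:00 – 24:00 MST (March 21, 2021, between 00:00 – 06:00 UTC). During maintenance, PKI Platform 8 and its corresponding API will be down for approximately six hours.
How does this affect me?
For approximately six hours:
You will be unable to sign in to PKI Platform 8 to perform in-console certificate lifecycle tasks.
You will be unable to use any of the corresponding PKI Platform 8 APIs or protocols (for example, SOAP, REST, SCEP, Intune SCEP, and EST) to perform certificate lifecycle operations.
You will be unable to:
Enroll certificates: new, renew, or reissue
Add domains and organizations
Submit validation requests
View reports, revoke certificates, and create profiles
Add users, view certificates, and download certificates
DigiCert will be unable to issue certificates for PKI Platform 8 and its corresponding API.
APIs will return a "cannot connect" error.
Certificate enrollments that receive a "cannot connect" error must be resubmitted after DigiCert restores services.
Services not affected:
The critical maintenance does not affect these services:
PKI Platform 7
DigiCert ONE
CertCentral / Services API
Direct Cert Portal / API
Certificate Issuing Service (CIS)
CertCentral Simple Certificate Enrollment Protocol (SCEP)
QuoVadis TrustLink
Discovery / API
ACME
ACME agent automation / API
What can I do?
Plan accordingly:
Schedule high-priority orders, renewals, and reissues outside of the critical maintenance window.
Expect interruptions if you use the APIs and protocols for immediate certificate issuance and other automated tasks.
To get live maintenance updates, subscribe to the DigiCert Status page. This includes emails for when maintenance starts and when it ends.
For critical and scheduled maintenance dates and times, see DigiCert 2021 scheduled maintenance.
Services will be restored as soon as the maintenance is completed.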
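March 17, 2021
CertCentral: New purchase order and invoice system
We are happy to announce that we are now using a new purchase order and invoice system in CertCentral. We made several changes to make it easier for you to manage your purchase orders and invoices.
The next time you sign in to CertCentral, you will see two new menu options under Finances: Pay Invoice and Purchase Orders and Invoices. Additionally, all invoice emails are now sent from the new invoice system.
Pay invoices page
When you open the Pay invoice page, all invoices are preselected by default. You can choose to pay them all or select only the invoices you want to pay.
Note
If you use divisions with separate funds, all invoices for the top-level division are selected by default when you open the Pay invoice page. Use the For dropdown to view the unpaid invoices by division in your account.
Purchase orders and invoices page
On the new Purchase orders and invoices page, you can create a purchase order (PO). In the Purchase orders table, you can view pending and rejected POs. After we approve a PO, it becomes an invoice and moves to the Invoices table.
Note
If you use divisions with separate funds, all invoices for the top-level division are selected by default when you open the Pay invoice page. Use the For dropdown to view the unpaid invoices by division in your account.
In the Invoice column of the Invoices table, you can see the invoice number and the PO from which it was generated. You can download a copy of the invoice or pay the invoice. When you click Pay invoice, you are taken to the Pay invoice page, where you can pay the invoice and deposit funds in your account.
Existing PO and invoice migration
Autogenerated invoices
When we migrated our billing system, we did not migrate your autogenerated invoices. At the end of March, we will autogenerate a new invoice for your total amount owed. However, you can make a payment on your account at any time on the Deposit Funds page (in the left main menu, go to Finances > Deposit Funds).
Invoices generated from approved purchase orders
When we migrated your invoices to the new system, we gave them new invoice numbers. However, the associated purchase order number remains the same. If you have questions or trouble finding an invoice, please contact your account manager or DigiCert Accounts Receivable. Make sure to include your PO number and the original invoice number in the email.
CertCentral Services API: View balance enhancements
To help you track financial data in your API integrations, we updated the View balance endpoint to return the following data:
unpaid_invoice_balance
Unpaid invoice balance
negative_balance_limit
Amount the balance can go into the negative
used_credit_from_other_containers
Amount owed by other divisions in the account (for accounts with separate division funds enabled)
total_available_funds
Total funds available for future purchases
For more information, see the documentation for the View balance endpoint: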
{
"balance": "454.00",
"currency": "USD",
"unpaid_invoice_balance": "0.00",
"negative_balance_limit": "2000.00",
"used_credit_from_other_containers": "0.00",
"total_available_funds": "2454.00"
}
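March 12, 2021
CertCentral Services API: Auto-reissue support for Multi-year Plans
We are happy to announce that the CertCentral Services API now supports automatic certificate reissue requests (auto-reissue) for Multi-year Plans. The auto-reissue feature makes it easier to maintain SSL/TLS coverage on your Multi-year Plans.
You can enable auto-reissue for individual orders in your CertCentral account. When auto-reissue is enabled, we automatically create and submit a certificate reissue request 30 days before the most recently issued certificate on the order expires.
Enable auto-reissue for a new order
To give you control over the auto-reissue setting for new Multi-year Plans, we added a new request parameter to the endpoints for ordering DV, OV, and EV TLS/SSL certificates: auto_reissue.
By default, auto-reissue is disabled for all orders. To enable auto-reissue when you request a new Multi-year Plan, set the value of the auto_reissue parameter to 1 in the body of your request.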
{
...
"auto_renew": 1,
"auto_reissue": 1,
...
}
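Note
In new order requests, we ignore the auto_reissue parameter if:
The product does not support Multi-year Plans.
Multi-year Plans are disabled for the account.
Update auto-reissue setting for existing orders
To give you control over the auto-reissue setting for existing Multi-year Plans, we added a new endpoint: Update auto-reissue settings. Use this endpoint to enable or disable the auto-reissue setting for an order.
Get auto-reissue setting for an existing order
To help you track the auto-reissue setting for existing certificate orders, we added a new response parameter to the Order info endpoint: auto_reissue. The auto_reissue parameter returns the current auto-reissue setting for the order.
ICA certificate chain selection for public DV flex certificates
We are happy to announce that select public DV certificates now support intermediate CA certificate chain selection:
GeoTrust DV SSL
Thawte SSL 123 DV
RapidSSL Standard DV
RapidSSL Wildcard DV
Encryption Everywhere DV
You can add a feature to your CertCentral account that lets you control which DigiCert ICA certificate chain issues the end-entity certificate when you order these public DV products.
This feature allows you to:
Set the default ICA certificate chain for each supported public DV product.
Control which ICA certificate chains certificate requestors can use to issue their DV certificate.
Configure ICA certificate chain selection
To enable ICA selection for your account:
Contact your account manager or our support team.
Then, in your CertCentral account, in the left main menu, go to Settings > Product Settings.
On the Product Settings page, configure the default and allowed intermediates for each supported and available DV certificate.
For more information and step-by-step instructions, see Configure the ICA certificate chain feature for your public TLS certificates.
DigiCert Services API: DV certificate support for ICA certificate chain selection
In the DigiCert Services API, we made the following updates to support ICA selection in your DV certificate order requests:
Updated Product list endpoint
After the ICA certificate chain selection feature is added to your account, the Product list endpoint returns the name and ID of each ICA certificate that can issue the end-entity certificate for a supported DV product (see allowed_ca_certs).
Updated Product limits endpoint
After you configure the allowed and default ICA certificates for a DV product, the Product limits endpoint returns the default issuing ICA (default_intermediate) and the allowed issuing ICAs (allowed_intermediates) that certificate requestors with the specified container and user role assignment can choose from.
Updated Product info endpoint
The Product list endpoint now returns the name, ID, and certificate chain information of the issuing ICAs that you can select when you request a specific product (see allowed_ca_certs).
Added support for ICA certificate chain selection to these DV certificate order requests:
Pass in the issuing ICA certificate's ID as the value for the ca_cert_id parameter in the body of your order request.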
{
"certificate": {...},
"order_validity": {
"years": 6
},
"ca_cert_id": "DF3689F672CCB90C"
...
}
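For more information about using ICA selection in your API integrations, see DV certificate lifecycle – Optional ICA selection.
March 6, 2021
Upcoming scheduled maintenance
DigiCert will perform scheduled maintenance on March 6, 2021, between 22:00 – 24:00 MST (March 7, 2021, between 05:00 – 07:00 UTC).
Although we have redundancies in place to protect your services, some DigiCert services may be unavailable during this time.
What can you do?
Please plan accordingly.
Schedule high-priority orders, renewals, and reissues outside of the maintenance window.
To get live maintenance updates, subscribe to the DigiCert Status page. The subscription includes emails to let you know when maintenance starts and ends.
For scheduled maintenance dates and times, see DigiCert 2021 scheduled maintenance.
Services will be restored as soon as the maintenance is completed.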
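February 24, 2021
CertCentral: Improved Organization search on the Orders page
To make it easier to find the certificates ordered for a specific organization in your account, we updated the Organization search on the Orders page.
We now display three new pieces of information about each organization. This information is helpful when you have organizations with similar or identical names:
Assumed name (if used)
Organization ID
Address
See for yourself
In the left main menu, go to Certificates > Orders. On the Orders page, expand Show Advanced Search. In the Organizations dropdown, search for an organization. You will now see the following organization information: name, assumed name (if used), organization ID, and address.
Tip
You can also type the organization name.
CertCentral: Improved Order details page
To make it easier to identify the organization a certificate was ordered for in your account, we updated the Organization section on the Order details page.
We now display three new pieces of information about each organization:
Assumed name (if used)
Organization ID
See for yourself
In the left main menu, go to Certificates > Orders. On the Orders page, click the certificate's order number. On the Order details page, in the Organization section, you will now see the organization name, organization ID, and assumed name (if used).
CertCentral: Improved organization option on the New Domain page
To make it easier to associate a new domain with an organization in your account, we updated the Organization option on the New Domain page.
We now display three new pieces of information about each organization. This information is helpful when you have organizations with similar or identical names:
Assumed name (if used)
Organization ID
Address
We also added the ability to type the name of the organization you are searching for.
See for yourself
In the left main menu, go to Certificates > Domains. On the Domains page, click New Domain. On the New Domain page, in the Organization dropdown, search for an organization. You will now see the following organization information: name, assumed name (if used), and organization ID. You can also type the organization name.
For more information about managing domains in CertCentral, see Manage domains.
CertCentral: Improved Specified organizations option on the New Division and Edit Division pages
To make it easier to specify the organizations a division can order certificates for in your account, we updated the Specific organizations option on the New Division and Edit Division pages.
We now display three new pieces of information about each organization. This information is helpful when you have organizations with similar or identical names:
Assumed name (if used)
Organization ID
Address
We also added the ability to type the name of the organization you are searching for.
See for yourself
In the left main menu, go to Account > Divisions. On the Divisions page, click New Division. On the New Division page, under Certificates can be ordered for, select Specific organizations. When you search for an organization in the dropdown, you will now see the following organization information: name, assumed name (if used), organization ID, and address. You can also type the organization name.
For more information about divisions in CertCentral, see Division management.
CertCentral: Improved add organization option on client certificate request forms
To make it easier to order a client certificate for an organization in your account, we updated the Organization option on the client certificate request forms.
We now display three new pieces of information about each organization. This information is helpful when you have organizations with similar or identical names:
Assumed name (if used)
Organization ID
Address
We also added the ability to type the name of the organization you are searching for.
See for yourself
The next time you request a client certificate, click Organization. In the Organization dropdown, you will see the following organization information: name, assumed name (if used), ID, and address. You can also type the organization name.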
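February 19, 2021
CertCentral Services API: New subaccount endpoints
To make it easier to manage your subaccounts, we added two new endpoints to the CertCentral Services API:
February 17, 2021
CertCentral Services API: Improved Create subaccount endpoint
To give you more control over your subaccounts, we added two new request parameters to the Create subaccount endpoint: child_name and max_allowed_multi_year_plan_length.
child_name - Use this parameter to set a custom display name for the subaccount.
max_allowed_multi_year_plan_length - Use this parameter to customize the maximum length of Multi-year Plan orders for the subaccount.
{
  "account_type": "reseller",
  "user": {...},
  "organization": {...},
  "child_name": "Custom Name",
  "max_allowed_multi_year_plan_length": 4
}
After you create a subaccount, use the Subaccount info endpoint to view the subaccount's display name and allowed Multi-year Plan order length.
February 16, 2021
PKI Platform 8 Partner Lab critical maintenance
DigiCert will perform critical maintenance on the PKI Platform 8 Partner Lab on February 16, 2021, between 18:00 – 22:00 MST (February 17, 2021, between 01:00 – 05:00 UTC).
How does this affect me?
For approximately four hours:
You will be unable to access the Partner Lab and its corresponding API.
You will be unable to submit certificate requests.
You will be unable to access the DigiCert PKI Platform 8 portals through the Partner Lab.
DigiCert will be unable to issue test certificates for the Partner Lab through the API.
This does not affect
PKI Platform 8 – Production
PKI Platform 7
DigiCert ONE
What can I do?
Plan accordingly.
Schedule your Partner Lab testing outside of the critical maintenance window, including ordering, renewing, and reissuing test certificates.
Expect interruptions if you use the Partner Lab API to test immediate certificate issuance and automated tasks.
For critical and scheduled maintenance dates and times, see DigiCert 2021 scheduled maintenance.
Services will be restored as soon as the maintenance is completed.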
February 15, 2021
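February 8, 2021
PKI Platform 8 Partner Lab critical maintenance
DigiCert will perform critical maintenance on the PKI Platform 8 Partner Lab on February 8, 2021, between 18:00 – 24:00 MST (February 9, 2021, between 1:00 – 07:00 UTC).
How does this affect me?
For approximately six hours:
You will be unable to access the Partner Lab and its corresponding API.
You will be unable to submit certificate requests or access any of the DigiCert PKI Platform 8 portals through the Partner Lab.
DigiCert will be unable to issue test certificates for the Partner Lab platform through any API.
This does not affect
PKI Platform 8 – Production
PKI Platform 7
DigiCert ONE
What can I do
Plan accordingly:
Schedule your Partner Lab testing outside of the critical maintenance window, including ordering, renewing, and reissuing test certificates.
Expect interruptions if you use the Partner Lab API to test immediate certificate issuance and automated tasks.
For critical and scheduled maintenance dates and times, see DigiCert 2021 scheduled maintenance.
Services will be restored as soon as the maintenance is completed.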
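February 6, 2021
Upcoming scheduled maintenance
DigiCert will perform scheduled maintenance on February 6, 2021, between 22:00 – 24:00 MST (February 7, 2021, between 05:00 – 07:00 UTC).
During maintenance, the services listed below will be down for approximately 60 minutes. However, depending on the scope of the maintenance, there may be additional service interruptions during the two-hour maintenance window.
You will be unable to sign in to these platforms and access these services and APIs:
CertCentral / Services API
Direct Cert Portal / Direct Cert Portal API
Certificate Issuing Service (CIS)
Simple Certificate Enrollment Protocol (SCEP)
Discovery / API
ACME
ACME agent automation / API
DigiCert will be unable to issue certificates for these services and APIs:
CertCentral / Services API
Direct Cert Portal / Direct Cert Portal API
Certificate Issuing Service (CIS)
Simple Certificate Enrollment Protocol (SCEP)
Complete Website Security (CWS) / API
Managed PKI for SSL (MSSL) / API
QV TrustLink
The maintenance activities do not affect these services:
PKI Platform 8
PKI Platform 7
DigiCert ONE managers
Note
API note:
Services for processing certificate-related transactions will be unavailable, for example, requesting certificates, adding domains, and validation requests.
APIs will return a "cannot connect" error.
Certificate requests submitted during this window that receive a "cannot connect" error message will need to be resubmitted after services are restored.
What can I do?
Plan accordingly:
Schedule high-priority orders, renewals, and reissues outside of the critical maintenance window.
Expect interruptions if you use the APIs for immediate certificate issuance and other automated tasks.
Subscribe to the DigiCert Status page to get live updates.
See DigiCert 2021 scheduled maintenance for scheduled maintenance dates and times.
Services will be restored as soon as the maintenance is completed.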
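February 5, 2021
CertCentral: Improved Organizations page
To make it easier to find your organizations on the Organizations page, we now display three new pieces of information about each organization. This additional information is helpful when you have organizations with similar or identical names:
ID
Assumed name (if used)
Address
On the Organizations page, you will now see an Org # column with the organization's ID. You will also see the organization address displayed below the name. And, if you use the organization's assumed name, you will see it in parentheses next to the organization name.
Note
Previously, the only way to view this information was to click the organization name and open the organization's details page.
For more information about organizations in CertCentral, see Manage organizations.
CertCentral: Improved add organization option on OV/EV certificate request forms
To make it easier to order a TLS/SSL certificate for an organization in your account, we updated the Add organization option on the OV and EV certificate request forms.
For accounts that issue certificates for 10 or more organizations, we now display three new pieces of organization information. This information is helpful when you have organizations with similar or identical names:
Assumed name (if used)
Organization ID
Address
We also added the ability to type the name of the organization you are searching for.
See for yourself
The next time you request an OV or EV TLS/SSL certificate, click Add organization. In the Organization dropdown, you will see the following organization information: name, assumed name (if used), ID, and address. You can also type the organization name.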
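January 29, 2021
CertCentral Orders page: New search options
On the Orders page, we added two new search options:
Certificate serial number
Additional email addresses*
The next time you search for an order, use the certificate's serial number or an additional email address to find the certificate order.
Tip
*When you request a certificate, or after you submit the request, you can add email addresses to a certificate order. This allows others to receive the certificate notification emails for the order, such as the email saying the certificate has been reissued.
To use the new search filters
In the left main menu, go to Certificates > Orders.
On the Orders page, in the Search box, enter a certificate's serial number or an additional email address on the order.
Click Go.
January 25, 2021
CertCentral Services API: Improved Domain emails endpoint
To make it easier to find the DNS TXT email addresses that receive validation emails from DigiCert during the email-based domain control validation (DCV) process, we added a new response parameter to the Domain emails endpoint: dns_txt_emails.
The dns_txt_emails parameter returns a list of email addresses found in the DNS TXT record for the domain. These are the email addresses we find in the DNS TXT record on the _validation-contactemail subdomain of the domain being validated.
{
  "name_scope": "example.com",
  "base_emails": [
    "admin@example.com",
    "webmaster@example.com",
    "postmaster@example.com",
    "hostmaster@example.com",
    "administrator@example.com"
  ],
  "whois_emails": [
    "person@example.com"
  ],
  "dns_txt_emails": [
    "alice@example.com",
    "bob@example.com"
  ]
}
To learn more about the newly supported Email to DNS TXT contact DCV method:
For information about validating the domains on DV certificate orders:
For information about validating the domains on OV/EV certificate orders: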
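January 20, 2021
CertCentral Services API: New Unit order details and Cancel unit order endpoints
We are happy to announce that we added two new endpoints to the CertCentral Services API: Unit order details and Cancel unit order.
Use these endpoints to get information about a unit order and to cancel a unit order.
Canceling unit orders:
You can only cancel an order within thirty days of placing it.
You cannot cancel a unit order if the subaccount on the order has already spent any of the units.
If you manage a subaccount that uses units as its payment method, you can now use the Services API to do the following tasks:
CertCentral Services API: Improved Product list, Product limits, and Product info endpoints
To make it easier to find the available order validity periods for the digital certificate products in your account, we added new response parameters to the Product list, Product limits, and Product info endpoints.
These new response parameters allow you to view the default and customized order validity limits for each product in your account.
The allowed_order_validity_years parameter returns a list of the supported order validity periods for each product in your account.
The allowed_order_lifetimes parameter returns a list of the customized order validity limits set for users with different division and user role assignments in your account.
The allowed_order_validity_years parameter returns a list of the order validity periods that are available when you request the certificate product. The custom_order_expiration_date_allowed parameter returns a boolean value that describes whether you can set a custom order expiration date when you request the certificate product.
CertCentral Services API: Improved Subaccount order info endpoint
To make it easier to find information about the validity periods for subaccount orders, we added new response parameters to the Subaccount order info endpoint. These new response parameters allow you to see the order start date, the order end date, and whether the order is a Multi-year Plan.
The is_multi_year_plan parameter returns "1" if the order is a Multi-year Plan. The order_valid_from parameter returns the start date of the order validity period. The order_valid_till parameter returns the end date of the order validity period.
{
  ...
  "date_created": "2020-10-14T15:18:50+00:00",
  "date_issued": "2020-10-14T15:18:52+00:00",
  "is_multi_year_plan": "1",
  "order_valid_from": "2020-10-14",
  "order_valid_till": "2021-10-19",
  "validity_years": 1
}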
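January 9, 2021
Upcoming scheduled maintenance
DigiCert will perform scheduled maintenance on January 9, 2021, between 22:00 – 24:00 MST (January 10, 2021, between 05:00 – 07:00 UTC).
Although we have redundancies in place to protect your services, some DigiCert services may be unavailable during this time.
What can you do?
Please plan accordingly.
Schedule high-priority orders, renewals, reissues, and duplicate issues outside of the maintenance window.
To get live updates, subscribe to the DigiCert Status page.
For scheduled maintenance dates and times, see DigiCert 2021 scheduled maintenance.
Services will be restored as soon as the maintenance is completed.
January 13, 2021
CertCentral: Email to DNS TXT contact DCV method
We are happy to announce that DigiCert now supports sending an email to a DNS TXT contact for email-based domain control validation (DCV). This means you can add email addresses to the DNS TXT record for your domain. DigiCert automatically searches the DNS TXT records and sends the DCV email to those addresses. An email recipient needs to follow the instructions in the email to demonstrate control over the domain.
Note
Previously, DigiCert only sent DCV emails to WHOIS-based and constructed email addresses.
Industry changes
Contact information is becoming increasingly inaccessible in WHOIS records due to privacy policies and other constraints. With the passing of Ballot SC13, the Certificate Authority/Browser (CA/B) Forum added Email to DNS TXT contact to the list of supported DCV methods.
DNS TXT record email contacts
To use the Email to DNS TXT contact DCV method, you must place the DNS TXT record on the _validation-contactemail subdomain of the domain you want to validate. DigiCert automatically searches WHOIS and DNS TXT records and sends the DCV email to the addresses found in those records.
_validation-contactemail.example.com | Default | validatedomain@digicerttest.com
The RDATA value of this text record must be a valid email address. See section B.2.1 DNS TXT Record Email Contact in the Appendix of the Baseline Requirements.
For more information about Ballot SC13, the CA/Browser Forum, and the Email to DNS TXT contact DCV method: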