Skip to main content

CertCentral

2022 changes

2022 年 12 月 31 日

DigiCert 2022 年维护计划

为了让您更轻松地规划证书相关任务,我们提前预定了 2022 年维护时限。请参阅 DigiCert 2022 年预定维护 - 本页始终提供所有最新的维护计划信息。

鉴于我们客户遍布世界各地,我们知道该时间并非对每个人都“合适”。但是,在审查有关客户使用情况的数据后,我们选择了受影响的客户数量最少的时间。

关于我们的维护计划

  • 除非另外说明,否则预定维护时间是每个月的第一个周末。

  • 每次维护时限预定 2 小时。

  • 尽管我们提供了冗余以保护您的服务,但一些 DigiCert 服务可能不可用。

  • 完成维护后,所有运营将恢复正常。

  • 要获取实时更新,请订阅 DigiCert 状态页面。订阅包括关于维护开始时间和维护结束时间的电子邮件提醒。

有关这些维护时限的更多信息,请联系您的客户经理或 DigiCert 支持团队

December 15, 2022

CertCentral: Single random value for completing DCV on OV and EV TLS certificate orders

To simplify the domain control validation (DCV) workflow for OV and EV TLS certificates, we've improved our random value generation process for OV and EV certificate orders.

Now, when using DCV methods that require a random value to complete the domain validation for your OV or EV TLS orders, you receive a single random value that you can use to complete the DCV check for every domain on the order.

注意

Before, DigiCert returned a unique random value for each domain submitted on the OV or EV TLS certificate order.

This change brings the DCV workflow for OV and EV orders into closer alignment with DV orders, which have always returned a single random value for all domains on the order.

Affected DCV methods:

CertCentral Services API: DCV enhancements

To improve API workflows for clients using DCV methods that require a random value for OV and EV TLS certificate orders, we made the following enhancements to the CertCentral Services API.

Updated API response for creating OV and EV TLS certificate orders

We updated the data returned when you submit an order request:

  • New response parameter: dcv_random_value

    Now, when you submit an OV or EV TLS certificate order request with a dcv_method of dns-txt-token, dns-cname-token, or http-token, the API returns a new top-level response parameter: dcv_random_value. This parameter contains a random value that you can use to complete the DCV check for every domain on the order.

  • Enhanced domains array

    Now, when you submit an OV or EV TLS certificate order request with a DCV method of dns-txt-token, dns-cname-token, or http-token, the API returns a dcv_token object for every domain in the domains array.

    Additionally, each domains[].dcv_token object now includes the same dcv_random_value that is used for the entire order. Before, we returned a different random value for each domain.

    注意

    Before, when you submitted an order for an OV or EV TLS certificate, the API response omitted the dcv_token object for these domains:

    • Domains validated under the scope of another domain on the order.

    • Domains that already existed in your account.

    • Subdomains of existing domains.

This example shows the updated API response for an OV TLS certificate request using a DCV method of dns_txt_token. For this example, the order includes these domains: example.com, sub.example.com, and example.org.

Updated API response for reissuing OV and EV TLS certificates

Now, when you reissue an OV or EV TLS certificate order request with a dcv_method of dns-txt-token, dns-cname-token, or http-token, the API returns a dcv_random_value that you can use to validate any domains added with the reissue request. For more information, visit the Reissue certificate API reference.

注意

Before, the Reissue certificate API endpoint only returned a dcv_random_value parameter for DV certificate reissues.

Added support for OV and EV TLS certificate orders to endpoints for managing order DCV

We updated the order-level endpoints for managing DCV to accept requests when the order_id path parameter contains the ID of an OV or EV TLS certificate order:

With this change, you can complete DCV for OV and EV TLS certificate orders with fewer API requests by calling the endpoints for managing DCV at the order-level instead of the domain-level.

Now, you can complete DCV checks for a domain using:

  • Any valid random value that exists for the domain (order-level or domain-level).

  • Either of the endpoints for checking DCV: Check domain DCV or Check order DCV.

注意

Before, the order-level endpoints for managing DCV only accepted requests when the order_id path parameter contained the ID of a DV certificate order. To manage DCV for individual domains on OV and EV TLS certificate orders, API clients had to use our domain-level endpoints:

Domain info API enhancements

We updated the Domain info API endpoint to return a new response parameter: higher_level_domains.

The higher_level_domains parameter contains a list of existing higher-level domains with a complete domain control validation (DCV) check for the same organization as the queried domain. Use this list to see if there are any domains in your account with active validations you can reuse to prove control over the queried domain.

For example, if you query the domain ID for demo.sub.example.com and you have already completed DCV checks for the domains sub.example.com and example.com in your account, the Domain info API returns a higher_level_domains array with this structure:

{
  ...
  "higher_level_domains": [
    {
      "name": "sub.example.com",
      "id": 4316203,
      "dcv_expiration_datetime": "2023-12-04T04:08:50+00:00"
    },
    {
      "name": "example.com",
      "id": 4316205,
      "dcv_expiration_datetime": "2023-12-04T04:08:49+00:00"
    }
  ],
  ...
}

To get the higher_level_domains array in your response data, you must submit a request to the Domain info API endpoint that includes the query string include_dcv=true:

https://www.digicert.com/services/v2/domain/{{domain_id}}?include_dcv=true

For more information, see the API reference: Domain info.

December 8, 2022

CertCentral Services API: Added verified contact details to Organization info API

To give API clients access to more information about the verified contacts that exist for an organization, we added a new array to the Organization info API response: verified_contacts.

The new verified_contacts array provides a list of objects with details about each verified contact that exists for the organization. The verified_contacts array:

  • Includes information about pending, valid, and expired verified contacts.

  • Provides a list of validation types (CS, EV, and EV CS) for each verified contact.

注意

Before, the Organization info API only returned valid verified contacts in the ev_approvers array. The ev_approvers array is still available, however it does not provide as much detail as the new verified_contacts array.

Bugfix: Duplicate verified contacts

We fixed a bug where submitting a verified contact with multiple validation types (for example, CS and EV) caused duplicate verified contacts to be created for the organization, one for each validation type. This bug affected verified contacts submitted through the CertCentral console or through the CertCentral Services API.

Now, when you submit verified contacts with multiple validation types, we assign each validation type to the same verified contact, instead of creating a duplicate.

注意

This change only affects new verified contacts submitted after the fix. We did not remove any existing duplicate verified contacts.

Before today, duplicate verified contacts were not visible in the CertCentral console or Services API. With our recent enhancements to the Organization info API endpoint (see CertCentral Services API: Added verified contact details to Organization info API), any duplicate verified contacts for the organizations you manage will appear in the newly added verified_contacts array.

December 6, 2022

CertCentral: Removing the permanent identifier in EV Code Signing certificates

On December 6, 2022, at 10:00 MST (17:00 UTC), DigiCert will no longer issue EV Code Signing certificates with a permanent identifier value in the Subject Alternative Name field.

What do I need to do?

Does your EV code signing process expect to find the permanent identifier when parsing your issued EV Code Signing certificates?

  • If yes, you need to update your process by December 6, 2022, so it no longer relies on a permanent identifier value.

  • If no, no action is required.

Does this change affect my existing EV Code Signing certificates?

This change does not affect existing EV Code Signing certificates with a permanent identifier value in the Subject Alternative Name field. However, if you reissue an EV Code Signing certificate after the change on December 6, 2022, your reissued certificate will not contain a permanent identifier.

Background

The permanent identifier is a unique code for EV code signing certificates that includes information about the certificate subject’s jurisdiction of incorporation and registration information. In 2016, the CA/Browser Forum removed the permanent identifier requirement from EV Code Signing certificates.

CertCentral Services API: Verified contact improvements

Starting December 6, 2022, DigiCert will require organizations on Code Signing (CS) and EV Code Signing (EV CS) certificate orders to have a verified contact.

This change was originally scheduled for October 19, 2022. However, we postponed the change to December 6, 2022. For more information, see the October 19, 2022 change log entry.

Learn more:

December 3, 2022

Upcoming scheduled maintenance

DigiCert will perform scheduled maintenance on December 3, 2022, 22:00 – 24:00 MST (December 4, 2022, 05:00 – 07:00 UTC).

注意

Maintenance will be one hour later for those who do not observe daylight savings.

Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

What can I do?

Plan accordingly:

  • Schedule high-priority orders, renewals, and reissues before or after the maintenance window, including Automation events and Discovery scans.

  • Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.

  • Subscribe to the DigiCert Status page to get live maintenance updates. This subscription includes email alerts for when maintenance begins and when it ends.

  • See DigiCert 2022 scheduled maintenance for scheduled maintenance dates and times.

Services will be restored as soon as the maintenance is completed.

November 5, 2022

Upcoming Scheduled Maintenance

DigiCert will perform scheduled maintenance on November 5, 2022, 22:00 –24:00 MDT (November 6, 2022, 04:00 – 06:00 UTC). Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

November 3, 2022

CertCentral: Improved DV certificate domain control validation

We updated the Prove control over your domain popup window for pending DV orders, making it easier to see what you need to do to complete the domain validation for all domains included on your certificate.

Now, when you select a domain control validation (DCV) method, you can see basic instructions for completing the domain validation along with a link to more detailed instructions on our product documentation website.

注意

For DV orders, you must use the same DCV method for all the domains on the certificate.

See for yourself

  1. In the left main menu, go to Certificates > Orders.

  2. On the Orders page, locate and select the order number of a pending DV order.

  3. On the DV order details page, under What do I need to do, select the Prove control over domain link.

Improved Prove control over your domain popup window

dv-prove-control-over-domain.png

November 1, 2022

CertCentral: upgrade your product when renewing your order

DigiCert is happy to announce that CertCentral allows you to upgrade your product when renewing your order.

Are you tired of placing a new order and reentering all your information when upgrading to a new product?

Now you don’t have to. We’ve improved our order renewal process so you can upgrade your product when renewing your certificate order.

Don’t see that option to upgrade your product when renewing your order, or already have the products you need and don’t want to see the option to upgrade?

Don’t worry; you can enable and disable this feature as needed. When ready to upgrade, you can enable it to save the hassle of placing a new order. When done, you can disable it until the next time you want to upgrade a product. See Upgrade product on renewal settings.

CertCentral: Improved Code Signing and EV Code Signing request forms

DigiCert is happy to announce that we updated the Code Signing and EV Code Signing request forms making it easier to view and add organization-related information when ordering a certificate.

This update allows you to select an organization and review the contacts associated with that organization or enter a new organization and assign contacts to the new organization.

Changes to note

  1. You can now add a new organization along with all its contacts: organization, technical, and verified.

  2. When adding an existing organization, you can now:

    • View the contacts assigned to that organization

    • Replace the organization contact

    • Replace or remove the technical contact

    • Select the verified contact(s) you want to receive the approval email

    • Add verified contacts

Before, you could only see and select an existing organization and could not see the contacts assigned to the organization.

See for yourself

In your CertCentral account, in the left main menu, go to Request a Certificate > Code Signing or Request a Certificate > EV Code Signing to see the updates to the request forms.

CertCentral: Code Signing certificate reissue bug fix

When reissuing your code signing certificate, we now include the Subject Email Address on your reissued certificate. Adding a subject email is optional and only available in enterprise accounts.

Note that we will not include the subject email address in the reissued certificate if the domain validation on that email domain has expired.

Background

When you order a code signing certificate, you can include an email address on your code signing certificate—subject email. Including an email address on the certificate provides an additional layer of trust for end users when checking your code signing signature.

See 订购代码签名证书.

October 21, 2022

CertCentral: Ability to require an additional email on certificate request forms

We are happy to announce that you can now make the Additional emails field a required field on CertCentral, Guest URL, and Guest Access request forms.

Tired of missing important expiring certificate notifications because the certificate owner is on vacation or no longer works for your organization?

The change helps prevent you from missing important notifications, including order renewal and expiring certificate notifications when the certificate owner is unavailable.

See for yourself:

To change this setting for CertCentral request forms:

  1. In the left menu, go to Settings > Preferences.

  2. On the Preferences page, expand Advanced settings.

  3. In the Certificate Requests section, under Additional email field, select Required so requestors must add at least one additional email to their requests.

  4. Select Save Settings.

To change this setting for Guest Access:

  1. In the left main menu, go to Account > Guest Access.

  2. On the Guest access page, in the Guest access section, under Additional emails, select Required so requestors must add at least one additional email to their requests.

  3. Select Save Settings.

To change this setting for Guest URLs:

  1. In the left main menu, go to Account > Guest Access.

  2. On the Guest access page, in the Guest URLs section, to make it required in an existing guest URL, select the name of the guest URL. Under Emails, check Require additional emails field so requestors must add at least one additional email to their requests.

  3. To make it required on a new guest URL, select Add Guest URL and then under Emails, check Require additional emails field so requestors must add at least one additional email to their requests.

  4. Select Save Settings.

October 20, 2022

Change log RSS feed is going down

On October 20, 2022, the RSS feed for the docs.digicert.com change log is going down due to a platform migration.

It will return. Check back here for updates or contact us at docs@digicert.com to be notified when the new RSS feed is available.

October 19, 2022

CertCentral Services API: Verified contact improvements

注意

Update: This API change has been postponed until December 6, 2022.

DigiCert continues to recommend you follow our guidance to update affected API implementations before December 6.

What if I already made changes to get ready for October 19?

You are prepared for December 6. You don’t need to make additional changes. DigiCert will continue processing your order requests for Code Signing (CS) and EV Code Signing (EV CS) certificates as usual now and after we update the API on December 6.

Starting October 19, 2022, DigiCert will require organizations on Code Signing (CS) and EV Code Signing (EV CS) certificate orders to have a verified contact.

DigiCert has always required a verified contact from the organization to approve code signing certificate orders before we issue the certificate. Today, DigiCert can add a verified contact to an organization during the validation process. After October 19, verified contacts must be submitted with the organization.

To make the transition easier, when you submit a request to the Order code signing certificate API endpoint, DigiCert will default to adding the authenticated user (the user who owns the API key in the request) as a verified contact for the organization.

DigiCert will apply this default when:

  • The organization in the API request has no verified contacts who can approve CS or EV CS orders.

  • The API request body does not specify a new verified contact to add to the organization.

  • The authenticated user has a job title and phone number.

To avoid a lapse in service, make sure users in your CertCentral account with active API keys have a job title and phone number.

Learn more

October 17, 2022

CertCentral: Updated the DigiCert site seal image

We are happy to announce that we updated the DigiCert site seal image and replaced the checkmark with a padlock.

digicert-site-seal-padlock.png

The updated site seal continues to provide your customers with the assurance that your website is secured by DigiCert—the leading provider of digital trust.

October 13, 2022

CertCentral: Updated the Code Signing and EV Code Signing request forms

In CertCentral, we reorganized and updated the look of the Code Signing and EV Code Signing certificate request forms. These forms are now more consistent with the look and flow of our TLS/SSL certificate request forms.

CertCentral: Code Signing certificate request form bug fix

On the code signing request form, when adding a Subject email address to appear on the certificate, you can now see the validated domains assigned to the organization with which the code signing certificate is associated.

注意

Previously, the option for viewing the validated domains assigned to the organization did not show any domains.

October 10, 2022

New Dedicated IP addresses for DigiCert Services

Update: IP Address change postponed until February 15, 2023

When we sent notifications in June 2022 about the IP address change, one of the IP addresses was incorrect. The same IP address was incorrect in this change log. We fixed that, and the information in the change log has been corrected.

To provide you with time to verify and update the IP addresses in your allowlist, we have postponed the IP address change until February 2023.

For more information:

October 8, 2022

Upcoming Scheduled Maintenance

DigiCert will perform scheduled maintenance on October 8, 2022, 22:00 –24:00 MDT (October 9, 2022, 04:00 – 06:00 UTC). Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

What can I do?

Plan accordingly:

  • Schedule high-priority orders, renewals, and reissues before or after the maintenance window.

  • Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.

  • To get live maintenance updates, subscribe to the DigiCert Status page. This subscription includes email alerts for when maintenance begins and when it ends.

  • See DigiCert 2022 scheduled maintenance for scheduled maintenance dates and times.

Services will be restored as soon as the maintenance is completed.

End of support for CBC ciphers in TLS connections

DigiCert will end support for Cipher-Block-Chaining (CBC) ciphers in TLS connections to our services on October 8, 2022, at 22:00 MDT (October 9, 2022, at 04:00 UTC).

This change affects browser-dependent services and applications relying on CBC ciphers that interact with these DigiCert services:

  • CertCentral and CertCentral Services API

  • Certificate Issuing Services (CIS)

  • CertCentral Simple Certificate Enrollment Protocol (SCEP)

This change does not affect your DigiCert-brand certificates. Your certificates will continue to work as they always have.

Why is DigiCert ending support for the CBC ciphers?

To align with Payment card industry (PCI) compliance standards, DigiCert must end support for the following CBC:

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

  • TLS_RSA_WITH_AES_256_CBC_SHA

What do I need to do?

If you are using a modern browser, no action is required. Most browsers support strong ciphers, such as Galois/Counter Mode (GCM) ciphers, including Mozilla Firefox, Google Chrome, Safari, and Microsoft Edge. We do recommend updating your browser to its most current version.

If you have applications or API integrations affected by this change, enable stronger ciphers, such as GCM ciphers, in those applications and update API integrations before October 8, 2022.

If you do not update API integrations and applications, they will not be able to use HTTPS to communicate with CertCentral, the CertCentral Services API, CIS, and SCEP.

Knowledge base article

See our Ending Support for CBC Ciphers in TLS connections to our services for more information.

Contact us

If you have questions or need help, contact your account manager or DigiCert Support.

September 27, 2022

CertCentral Services API: Keep the "www" subdomain label when adding a domain to your account

To give you more control over your domain prevalidation workflows, we added a new optional request parameter to the Add domain API endpoint: keep_www. Use this parameter to keep the www. subdomain label when you add a domain using a domain control validation (DCV) method of email, dns-txt-token, or dns-cname-token.

By default, if you are not using file-based DCV, the Add domain endpoint always removes the www. subdomain label from the name value. For example, if you send www.example.com, DigiCert adds example.com to your account and submits it for validation.

To keep the www and limit the scope of the approval to the www subdomain, set the value of the keep_www request parameter to true:

{
  "name": "www.example.com",
  "organization": {
    "id": 12345
  },
  "validations": [
    {
      "type": "ov"
    }
  ],
  "dcv_method": "email",
  "keep_www": true
}

September 16, 2022

CertCentral: Revocation reasons for revoking certificates

CertCentral supports including a revocation reason when revoking a certificate. Now, you can choose one of the revocation reasons listed below when revoking all certificates on an order or when revoking an individual certificate by ID or serial number.

Supported revocation reasons:

  • Key compromise* - My certificate's private key was lost, stolen, or otherwise compromised.

  • Cessation of operation - I no longer use or control the domain or email address associated with the certificate or no longer use the certificate.

  • Affiliation change - The name or any other information regarding my organization changed.

  • Superseded - I have requested a new certificate to replace this one.

  • Unspecified - None of the reasons above apply.

*Note: Selecting Key compromise does not block using the associated public key in future certificate requests. To add the public key to the blocklist and revoke all certificates with the same key, visit problemreport.digicert.com and prove possession of the key.

Revoke immediately

We also added the Revoke this certificate immediately option that allows Administrators to skip the Request and Approval process and revoke the certificate immediately. When this option is deselected, the revocation request appears on the Requests page, where an Administrator must review and approve it before it is revoked.

Background

The Mozilla root policy requires Certificate Authorities (CAs) to include a process for specifying a revocation reason when revoking TLS/SSL certificates. The reason appears in the Certificate Revocation List (CRL). The CRL is a list of revoked digital certificates. Only the issuing CA can revoke the certificate and add it to the CRL.

September 10, 2022

Upcoming Scheduled Maintenance

DigiCert will perform scheduled maintenance on September 10, 2022, 22:00 –24:00 MDT (September 11, 2022, 04:00 – 06:00 UTC). Although we have redundancies to protect your services, some DigiCert services may be unavailable during this time.

What can I do?

Plan accordingly:

  • Schedule high-priority orders, renewals, and reissues before or after the maintenance window.

  • Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.

  • To get live maintenance updates, subscribe to the DigiCert Status page. This subscription includes email alerts for when maintenance begins and when it ends.

  • See DigiCert 2022 scheduled maintenance for scheduled maintenance dates and times.

September 7, 2022

CertCentral Services API: Revocation reason for TLS/SSL certificates

In the CertCentral Services API, we added the option to choose a revocation reason when you submit a request to revoke a TLS/SSL certificate.

You can choose a revocation reason when revoking all certificates on an order or when revoking an individual certificate by ID or serial number.

To choose a revocation reason, include the optional revocation_reason parameter in the body of your request.

Example JSON request body:

{
  "revocation_reason": "superseded"
}

For information about each revocation reason, visit the API documentation:

August 30, 2022

CertCentral Services API: Added label for verified contacts

In the CertCentral Services API, we added a new contact_type label for verified contacts: verified_contact.

Use the verified_contact label to identify verified contacts for an organization when you submit a request for an EV TLS, Verified Mark, Code Signing, or EV Code Signing certificate. The updated label applies to all verified contacts, regardless of which product type the order is for.

For example, this JSON payload shows how to use the verified_contact label to add a verified contact to an organization in a new certificate order request:

{
  "certificate": {
    ...
  }
  "organization": {
    "id": 12345,
    "contacts": [
      {
        "contact_type": "verified_contact",
        "user_id": 12345
      }
  },
  ...
}

Note: Before this change, verified contacts were always identified with the label ev_approver. The CertCentral Services API will continue accepting ev_approver as a valid label for verified contacts on EV TLS, VMC, Code Signing, and EV Code Signing certificate orders. The verified_contact label works the same as the ev_approver label, but the name is updated to apply to all products that require a verified contact.

Improved API documentation for adding organizations to Code Signing and EV Code Signing orders

We updated the Order code signing certificate API documentation to describe three ways to add an organization to your Code Signing (CS) or EV Code Signing (EV CS) order requests:

  1. Add an existing organization already validated for CS or EV CS certificate issuance.

  2. Add an existing organization not validated for CS or EV CS and submit the organization for validation with your order.

  3. Create a new organization and submit it for validation with your CS or EV CS order request.

Learn more: Order code signing certificate – CS and EV CS organization validation

August 24, 2022

CertCentral: Edit SANs on pending orders: new, renewals, and reissues

DigiCert is happy to announce that CertCentral allows you to modify the common name and subject alternative names (SANs) on pending orders: new, renewals, and reissues.

Tired of canceling an order and placing it again because a domain has a typo? Now, you can modify the common name/SANs directly from a pending order.

Items to note when modifying SANs

  • Only admins and managers can edit SANs on pending orders.

  • Editing domains does not change the cost of the order.

  • You can only replace a wildcard domain with another wildcard domain and a fully qualified domain name (FQDN) with another FQDN.

  • The total number of domains cannot exceed the number included in the original request.

  • Removed SANs can be added back for free, up to the amount purchased, any time after DigiCert issues your certificate.

  • To reduce the certificate cost, you must cancel the pending order. Then submit a new request without the SANs you no longer want the certificate to secure.

See for yourself

  1. In your CertCentral account, in the left main menu, go to Certificates > Orders.

  2. On the Orders page, select the pending order with the SANs you need to modify.

  3. On the certificate’s Order details page, in the Certificate status section, under What do you need to do, next to Prove control over domains, select the edit icon (pencil).

See Edit common name and SANs on a pending TLS/SSL order: new, renewals, and reissues.

CertCentral Services API: Edit SANs on a pending order and reissue

To allow you to modify SANs on pending new orders, pending renewed orders, and pending reissues in your API integrations, we added a new endpoint to the CertCentral Services API. To learn how to use the new endpoint, visit Edit domains on a pending order or reissueEdit domains on a pending order or reissue.

August 22, 2022

CertCentral Services API: New response parameters for Domain info and List domains endpoints

To make it easier for API clients to get the exact date and time domain validation reuse periods expire, we added new response parameters to the Domain info and List domains API endpoints:

  • dcv_approval_datetime: Completion date and time (UTC) of the most recent DCV check for the domain.

  • dcv_expiration_datetime: Expiration date and time (UTC) of the most recent DCV check for the domain.

提示

For domain validation expiration dates, use the new dcv_expiration_datetime response parameter instead of relying on the dcv_expiration.ov and dcv_expiration.ev fields. Since October 1, 2021, the domain validation reuse period is the same for both OV and EV TLS/SSL certificate issuance. The new dcv_expiration_datetime response parameter returns the expiration date for both OV and EV domain validation.

Learn more:

August 6, 2022

Upcoming scheduled maintenance

Some DigiCert services will be down for about 15 minutes during scheduled maintenance on August 6, 2022, 22:00 – 24:00 MDT (August 7, 2022, 04:00 – 06:00 UTC).

What can I do?

Plan accordingly:

  • Schedule high-priority orders, renewals, and reissues before or after the maintenance window.

  • Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.

  • To get live maintenance updates, subscribe to the DigiCert Status page. This subscription includes email alerts for when maintenance starts and when maintenance ends.

  • For scheduled maintenance dates and times, see DigiCert 2022 scheduled maintenance.

July 11, 2022

CertCentral Services API: Archive and restore certificates

To give API clients the option to hide unused certificates from API response data, we released new API endpoints to archive and restore certificates. By default, archived certificates do not appear in response data when you submit a request to the List reissues or List duplicates API endpoints.

New API endpoints

Updated API endpoints

We updated the List reissues and List duplicates endpoints to support a new optional URL query parameter: show_archived. If the value of show_archived is true, the response data includes archived certificates. If false (default), the response omits archived certificates.

July 9, 2022

Upcoming Schedule Maintenance

Some DigiCert services will be down for a total of 20 minutes during scheduled maintenance on July 9, 2022, 22:00 – 24:00 MDT (July 10, 2022, 04:00 – 06:00 UTC).

What can I do?

Plan accordingly

  • Schedule high-priority orders, renewals, and reissues before or after the maintenance window.

  • Expect interruptions if you use the APIs for immediate certificate issuance and automated tasks.

  • To get live maintenance updates, subscribe to the DigiCert Status page. This subscription includes email alerts for when maintenance begins and when it ends.

  • For scheduled maintenance dates and times, see the DigiCert 2022 scheduled maintenance.

July 5, 2022

CertCentral: Improved Order details page

DigiCert is happy to announce that we improved the layout and design of the Order details page.

We took your feedback and updated the Orders page to make managing your certificates and orders easier throughout their lifecycle.

When we reorganized the information on the Order details page, we didn’t remove anything. So, everything you did before the updates, you can still do now. However, there are a few things you asked for that you can do now that you couldn’t do before.

Summary of changes:
  • We added new banners, alerts, and icons to help you better understand the actions you need to take on your certificates and orders.

  • We added a Certificate history tab to the Order details page. Now, you can view and interact with all the certificates associated with the order: reissues, duplicates, expired, and revoked.

  • We added the ability to revoke an individual certificate or all the certificates on the order.

  • We also updated the Orders page to add Certificate and Order alert banners, advanced search features, and columns in the orders list.

  • These changes do not affect Guest access. When accessing an order via guest access, you will not see any of the updates.

See the changes for yourself. In your CertCentral account, in the left main menu, go to Certificates > Orders.

Want to provide feedback?

The next time you are in your CertCentral account, locate the “d” icon in the lower right corner of the page (white “d” in a blue circle) and click it. Use the Share Your Feedback feature to let us know your thoughts on the changes. And don’t hesitate to provide feedback about other CertCentral pages and functionality.

June 28, 2022

CertCentral: Improved DNS Certification Authority Authorization (CAA) resource records checking

DigiCert is happy to announce that we improved the CAA resource record checking feature and error messaging for failed checks in CertCentral.

Now, on the order’s details page, if a CAA resource record check fails, we display the check’s status and include improved error messaging to make it easier to troubleshoot problems.

Background

Before issuing an SSL/TLS certificate for your domain, a Certificate Authority (CA) must check the DNS CAA Resource Records (RR) to determine whether they can issue a certificate for your domain. A Certificate Authority can issue a certificate for your domain if one of the following conditions is met:

  • They do not find a CAA RR for your domain.

  • They find a CAA RR for your domain that authorizes them to issue a certificate for the domain.

How can DNS CAA Resource Records help me?

CAA resource records allow domain owners to control which certificate authorities (CAs) are allowed to issue public TLS certificates for each domain.

Learn more about using DNS CAA resource records

June 21, 2022

CertCentral: Bulk domain validation support for DNS TXT and DNS CNAME DCV methods

DigiCert is happy to announce that CertCentral bulk domain validation now supports two more domain control validation (DCV) methods: DNS TXT and DNS CNAME.

Remember, domain validation is only valid for 397 days. To maintain seamless certificate issuance, DigiCert recommends completing DCV before the domain's validation expires.

Don't spend extra time submitting one domain at a time for revalidation. Use our bulk domain revalidation feature to submit 2 to 25 domains at a time for revalidation.

See for yourself
  1. In your CertCentral account, in the left main menu, go to Certificates > Domains.

  2. On the Domains page, select the domains you want to submit for revalidation.

  3. In the Submit domains for revalidation dropdown, select the DCV method you want to use to validate the selected domains.

See Domain prevalidation: Bulk domain revalidation.

2022 年 6 月 6 日

CertCentral 报告库 API 增强功能

DigiCert 很高兴宣布 CertCentral 报告库 API 增加了以下增强功能:

通过删除预定报告暂停报告运行

我们添加了一个新端点:删除预定的报告。删除预定报告将会暂停未来的报告运行。删除预定报告后,您仍可下载具有相同报告 ID 的已完成的报告运行。Delete scheduled report

注意

在此之前,您只能编辑报告的时间表,或删除预定报告和所有已完成的报告运行。

仅使用子帐户数据生成报告

对于创建报告编辑报告端点,我们在允许的 division_filter_type 值列表中添加了一个新选项:EXCLUDE_ALL_DIVISIONS。使用此值可以从报告中排除所有父帐户数据。使用此选项的报告仅包括来自所选子帐户的数据 (sub_account_filter_type)。Create reportEdit report

注意

在此之前,如果未包含父帐户中一个或多个分区的数据,则无法生成子帐户报告。

了解更多

2022 年 6 月 4 日

即将开始的预定维护

DigiCert 执行预定维护的时间为 2021 年 6 月 4 日 22:00 – 24:00 MDT(2021 年 6 月 5 日 04:00 – 06:00 UTC)。尽管我们提供了冗余以保护您的服务,但在此期间,一些 DigiCert 服务可能不可用。

我可以做什么?
  • 将高优先级订单、续订和补发计划安排在维护期之前或之后。

  • 如果您使用 API 执行直接颁发证书和其他自动化任务,可能会遇到中断。

  • 要获取实时更新,请订阅 DigiCert 状态页面。订阅包括关于维护开始时间和维护结束时间的电子邮件提醒。

  • 请参阅 DigiCert 2022 年预定维护了解预定的维护日期和时间。

一旦维护完成,将立即恢复服务。

2022 年 5 月 31 日

CertCentral 服务 API:改进了订单信息 API 响应

更新:为了让 API 消费者有更多时间评估订单信息 API 响应变化对其集成的影响,我们将此更新推迟到了 2022年 5 月 31 日。我们原本计划在 2022 年 4 月 25 日发布以下更改。

2022 年 5 月 31 日,DigiCert 对订单信息 API 进行以下改进。这些更改删除了未使用的值,并更新了订单详情对象的数据结构,使各种产品类型的不同状态下的订单更加保持一致。

有关公共 TLS、代码签名、文档签名和 1 类 S/MIME 证书的更多信息和响应示例,请参阅订单信息端点的参考文档。

如果您对这些更改有疑问或需要帮助,请联系您的客户代表或 DigiCert 支持团队

一般增强功能

以下更改适用于各种证书类型的订单,无论订单状态如何。

删除的参数:

  • public_id(字符串)

    对于所有订单,API 将不再返回 public_id 参数。DigiCert 不再支持需要 public_id 值的快速安装工作流。

  • certificate.ca_cert_id(字符串)

    对于DV 证书订单,API 将不再返回 ca_cert_id 参数。此参数的值是颁发 ICA 证书的内部 ID,不能在外部使用。API 在其他产品类型的订单详情中不再包括 ca_cert_id 参数。

    要获取与订单关联的颁发 ICA 证书的名称和公共 ID,请改用 ca_cert 对象。

  • verified_contacts(对象数组)

    对于文档签名证书订单,API 将不再返回 verified_contacts 数组。API 在其他产品类型的订单详情中不再包括 verified_contacts 数组。

  • certificate.dns_names(字符串数组)

    如果没有与订单关联的 DNS 名称(例如,如果订单用于代码签名、文档签名或 1 类 S/MIME 证书),API 将不再返回 dns_names 数组。

    在此之前,API 返回带有空字符串的 dns_names 数组:[" "]

  • certificate.organization_units(字符串数组)

    如果没有与订单关联的组织单位,API 将不再返回 organization_units 数组。

    在此之前,对于某些产品类型,API 返回带有空字符串的 organization_units 数组:[" "]

  • certificate.cert_validity

    cert_validity 对象中,API 将仅在订单创建时返回用于设置证书有效期的组织单位的密钥/值对。例如,如果证书的有效期为 1 年,则 cert_validity 对象将返回值为 1 的 years 参数。

    在此之前, cert_validity 对象有时同时返回 daysyears 的值。

添加的参数:

  • order_validity(对象)

    对于代码签名、文档签名和客户端证书订单,API 将开始返回 order_validity 对象。

    order_validity 对象返回订单有效期的 daysyearscustom_expiration_date。API 已经在公共 SSL/TLS 产品的订单详情中包括 order_validity 对象。

  • payment_profile(对象)

    对于 DV 证书订单,如果订单与保存的信用卡关联,API 将开始返回 payment_profile 对象。API 已经在其他产品类型的订单详情中包括 payment_profile 数组。

  • server_licenses(整数)

    对于 DV 证书订单,API 将开始返回 server_licenses 参数。API 已经在其他产品类型的订单详情中包括 server_licenses 参数。

未批准的订单请求

以下更改仅适用于正在等待批准或已被拒绝的证书订单请求。这些更改使响应的数据结构更接近 API 在请求获得批准以及将订单提交给 DigiCert 进行验证和颁发后返回的数据结构。

为了管理未批准和被拒绝的请求,我们建议使用请求端点 (/request),而不是获取订单详情。我们设计了 /request 端点来管理待处理和被拒绝的证书订单请求,这些端点保持不变。

注意

为了加快颁发证书,我们建议在工作流中跳过或省略新证书订单的请求审批步骤。如果 API 工作流已经跳过或省略了审批步骤,您可以忽略以下更改。了解有关删除审批步骤的更多信息:

添加的参数:

  • disable_ct(布尔值)

  • allow_duplicates(布尔值)

  • cs_provisioning_method(字符串)

删除的参数:

  • server_licenses(整数)

    对于未批准的订单请求,API 将不再返回 server_licenses 参数。API 将继续在经核准的订单请求的订单详情中包含 server_licenses 参数。

改进了 organization 对象

为了在未批准和经核准的订单请求的订单详情中提供一致的数据结构,API 将在未批准的订单请求中返回一个修改的 organization 对象。

对于所有产品类型的未批准的订单请求,API 将不再返回以下意外属性:

  • organization.status(字符串)

  • organization.is_hidden(布尔值)

  • organization.organization_contact(对象)

  • organization.technical_contact(对象)

  • organization.contacts(对象数组)

对于所有产品类型的未批准的订单请求,API 将开始返回以下预期属性(如果存在):

  • organization.name(字符串)

  • organization.display_name(字符串)

  • organization.assumed_name(字符串)

  • organization.city(字符串)

  • organization.country(字符串)

如需获取订单信息响应中未包含的组织详情,请使用组织信息 API 端点。

2022 年 5 月 24 日

CertCentral 将从新的中间 CA 证书颁发 GeoTrust 和 RapidSSL DV 证书

MDT 时间 2022 年 5 月 24 日上午 9:00 至 11:00(UTC 时间下午 3:00 至 5:00),DigiCert 将替换下列 GeoTrust 和 RapidSSL 中间 CA (ICA) 证书。我们无法再从这些中间证书颁发具有最长有效期(397 天)的 DV 证书。

. 旧 ICA 证书
  • GeoTrust TLS DV RSA Mixed SHA256 2020 CA-1

  • GeoTrust TLS DV RSA Mixed SHA256 2021 CA-1

  • RapidSSL TLS DV RSA Mixed SHA256 2020 CA-1

  • RapidSSL TLS DV RSA Mixed SHA256 2021 CA-1

. 新 ICA 证书
  • GeoTrust Global TLS RSA4096 SHA256 2022 CA1

  • RapidSSL Global TLS RSA4096 SHA256 2022 CA1

请参阅 DigiCert ICA 更新知识库文章

对我有什么影响?

推出新 ICA 证书不会影响现有 DV 证书。到期前,从被替换的 ICA 证书颁发的活跃证书将一直受信任。

但是,所有新证书(包括补发证书)将从新的 ICA 证书颁发。为了确保 ICA 证书的更换不造成中断,请始终在您安装的每个 TLS 证书中包含所提供的 ICA 证书。

. 无需操作,除非您执行以下任一操作:
  • 固定旧版的中间 CA 证书

  • 对接受旧版中间 CA 证书进行硬编码

  • 管理含有旧版中间 CA 证书的信任商店

所需操作

如果您进行固定、硬编码接受或操作信任存储,请尽快更新您的环境。您应该停止固定和硬编码 ICA 证书,或进行必要的更改,以确保从新的 ICA 证书颁发的 GeoTrust DV 和 RapidSSL DV 证书受信任。也就是说,确保它们可以链接到新的 ICA 证书和受信任的根。

请参阅 DigiCert 受信任的根证书颁发机构证书页面下载新的中间 CA 证书的副本。

如果我需要更多时间怎么办?

如果您需要更多时间来更新环境,可以继续使用旧的 2020 ICA 证书,直到证书到期。请联系 DigiCert 支持团队,他们可以为您的帐户进行设置。但在 2022 年 5 月 31 日之后,2020 ICA 证书颁发的 RapidSSL DV 和 GeoTrust DV 证书的有效期将被缩短为不到一年。

2022 年 5 月 18 日

CertCentral:DigiCert KeyGen,我们的新密钥生成服务

DigiCert 很高兴宣布我们将使用新的密钥生成服务 — KeyGen。使用 KeyGen 从浏览器生成并安装客户端和代码签名证书。KeyGen 可以在 macOS 和 Windows 上使用,并且在所有主要浏览器中均受支持。

通过 KeyGen,您不需要生成 CSR 来订购客户端和代码签名证书。在不使用 CSR 的情况下提交订单。然后,在订单处理完毕且证书准备就绪后,DigiCert 会发送一封“生成证书”的电子邮件,其中将告知您如何使用 KeyGen 获取证书。

KeyGen 是如何工作的?

KeyGen 生成密钥对,然后使用公钥创建证书签名请求 (CSR)。KeyGen 将 CSR 发送给 DigiCert,DigiCert 将证书发送回 KeyGen。然后,KeyGen 将包含证书和私钥的 PKCS12 (.p12) 文件下载到计算机桌面。您在证书生成过程中创建的密码将保护 PKCS12 文件。当您使用密码打开证书文件时,证书将安装在您的个人证书存储中。

如需了解有关从浏览器生成客户端和代码签名证书的详细信息,请参阅以下说明:

2022 年 5 月 9 日

CertCentral 服务 API:修复订单信息 API 响应中空用户值的数据类型

我们修复了一个问题,即当没有用户与订单关联时,订单信息 API (GET https://www.digicert.com/services/v2/order/certificate/{{order_id}}) 为 user 字段返回错误的数据类型。现在,对于没有用户数据的订单,订单信息端点返回一个空的 user 对象 ("user": {}),而不是返回一个空数组 ("user": [])。

2022 年 5 月 7 日

即将开始的预定维护

更新:MDT 时间 5 月 7 日(UTC 时间 5 月 8 日)的维护期间不会停机。

DigiCert 执行预定维护的时间为 2022 年 5 月 7 日 22:00 – 24:00 MDT(2022 年 5 月 8 日 04:00 – 06:00 UTC)。尽管我们提供了冗余以保护您的服务,但在此期间,一些 DigiCert 服务可能不可用。

一旦完成维护,将立即恢复服务。

我可以做什么?

调整计划:

  • 将高优先级订单、续订和补发计划安排在维护期之前或之后。

  • 如果您使用 API 执行直接颁发证书和其他自动化任务,可能会遇到中断。

  • 要获取实时更新,请订阅 DigiCert 状态页面。订阅包括关于维护开始时间和维护结束时间的电子邮件提醒。

  • 请参阅 DigiCert 2022 年维护计划了解维护日期和时间。

2022 年 4 月 18 日

CertCentral:多年期计划现在可用于经认证的标记证书

我们很高兴宣布,多年期计划现在可用于 CertCentral 和 CertCentral 服务 API 中的经认证的标记证书 (VMC)。

购买 DigiCert® 多年计划,您只需支付一次优惠价就能享用长达六年的经认证的标记证书保障。通过多年期计划,您可以选择您需要的保障期(最多六年)。在计划到期前,每次在有效期满时,都可以免费补发证书。

注意

根据计划的有效期,您可能需要在多年计划期间多次验证域和组织。

服务 API 中 VMC 的多年期计划

在服务 API 中,当您提交 VMC 的订单请求时,使用 order_validity 对象设置多年期计划的保障期(1-6 年)。有关更多信息,请参阅:

什么是经认证的标记证书?

经认证的标记证书 (VMC) 是一种新的证书类型,允许公司在客户收件箱的“发件人”字段旁放置经认证的品牌徽标。

  • 收件人在打开邮件之前可看到该徽标。

  • 该徽标用于确认您的域的 DMARC 状态和您组织的经认证的身份。

进一步了解 VMC 证书

2022 年 4 月 11 日

CertCentral 服务 API:域锁定 API 端点

DigiCert 很高兴宣布在 CertCentral 服务 API 中推出域锁定功能。

注意

在使用域锁定端点之前,您必须首先为 CertCentral 帐户启用域锁定。请参阅域锁定 - 为您的帐户启用域锁定

新的 API 端点

更新的 API 端点

我们更新了域信息列出域端点的响应,在其中包括以下参数和域锁定详情:

  • domain_locking_status(字符串)

    域锁定状态。仅当帐户启用了域锁定时返回。

  • account_token(字符串)

    域锁定帐户令牌。仅当帐户启用了域锁定,并且为域至少激活了一次域锁定时返回。

有关更多信息,请参阅:

2022 年 4 月 5 日

CertCentral: Domain locking is now available

DigiCert is happy to announce our domain locking feature is now available.

Does your company have more than one CertCentral account? Do you need to control which of your accounts can order certificates for specific company domains?

Domain locking lets you control which of your CertCentral accounts can order certificates for your domains.

How does domain locking work?

DNS Certification Authority Authorization (CAA) resource records allow you to control which certificate authorities can issue certificates for your domains.

With domain locking, you can use this same CAA resource record to control which of your company's CertCentral accounts can order certificates for your domains.

How do I lock a domain?

To lock a domain:

  1. Enable domain locking for your account.

  2. Set up domain locking for a domain.

  3. Add the domain's unique verification token to the domain's DNS CAA resource record.

  4. Check the CAA record for the unique verification token.

To learn more, see:

终止从 Symantec、GeoTrust、Thawte 或 RapidSSL 到 CertCentral™ 的帐户升级

从 MDT 时间 2022 年 4 月 5 日起,您无法再将 Symantec、GeoTrust、Thawte 和 RapidSSL 帐户升级到 CertCentral™。

如果您还没有迁移到 DigiCert CertCentral,请立即升级以维护网站安全并继续保留对证书的访问权限。

我该如何升级帐户?

如需升级帐户,请立即联系 DigiCert 支持团队。有关帐户升级过程的更多信息,请参阅升级到 CertCentral: 须知事项

如果不将帐户升级到 CertCentral 会怎样?

2022 年 4 月 5 日之后,您必须获得一个新的 CertCentral 帐户,并手动添加所有帐户信息,例如域和组织。此外,您将无法将任何活跃的证书迁移到新帐户。

在 2022 年 4 月 5 日之后,如需获得帮助以设置新的 CertCentral 帐户,请联系 DigiCert 支持团队

2022 年 4 月 2 日

即将开始的预定维护

DigiCert 执行预定维护的时间为 2022 年 4 月 2 日 22:00 – 24:00 MDT(2022 年 4 月 3 日 04:00 – 06:00 UTC)。在此期间,某些服务可能会中断最多两个小时。

注意

如果不使用夏令时,则维护时间将提前一小时。

基础设施相关的维护停机

基础设施相关的维护的开始时间为 22:00 MDT (4:00 UTC)。然后,下面列出的服务可能会中断最多两个小时

CertCentral® TLS 证书颁发:

  • 在此期间提交的 TLS 证书请求将失败

  • 如果请求失败,则应在恢复服务后再次提交请求

CIS 和 CertCentral® SCEP:

  • 证书颁发服务 (CIS) 将停止

  • CertCentral 简单证书注册协议 (SCEP) 将停止

  • 在此期间提交请求将失败

  • CIS API 将返回“503 服务不可用”错误

  • 如果请求失败,则应在恢复服务后再次提交请求

Direct Cert Portal 新域和组织验证:

  • 在此期间将无法提交新域进行验证

  • 在此期间将无法提交新组织进行验证

  • 如果请求失败,则应在恢复服务后再次提交请求

QuoVadis® TrustLink® 证书颁发:

  • 在此期间提交的 TrustLink 证书请求将延迟处理

  • 但是,请求将添加到队列,以稍后进行处理

  • 加入队列的请求将会在恢复服务后进行处理

PKI Platform 8 新域和组织验证:

  • 在此期间将无法提交新域进行验证

  • 在此期间将无法提交新组织进行验证

  • 但是,请求将添加到队列,以稍后进行处理

  • 加入队列的请求将会在恢复服务后进行处理

  • 将禁用 UAA 管理员和用户 web 门户对用户授权代理 (UAA) 服务的访问权限

我可以做什么?

调整计划:

  • 将高优先级订单、续订和补发计划安排在维护期之前或之后。

  • 如果您使用 API 执行直接颁发证书和其他自动化任务,可能会遇到中断。

  • 要获取实时更新,请订阅 DigiCert 状态页面。订阅包括关于维护开始时间和维护结束时间的电子邮件提醒。

  • 有关预定维护日期和时间,请参阅 DigiCert 2022 年预定维护

一旦完成维护,将立即恢复服务。

2022 年 3 月 30 日

CertCentral:批量域重新验证功能现已推出

DigiCert 很高兴宣布,我们的批量域验证功能现已推出。无需浪费时间一次提交一个域进行重新验证。使用批量域重新验证功能,一次可提交 2 到 25 个域进行重新验证。

请记住,域验证的有效期只有 397 天。为了保持无缝的证书颁发流程,DigiCert 建议在域验证到期之前提前完成域控制验证 (DCV)。

注意

目前,批量域功能仅支持电子邮件 DCV 方法。如需使用其他 DCV 方法,需要分别提交每个域。

请自行参阅

  1. 在您的 CertCentral 帐户的左侧主菜单中,转到证书 > 域

  2. 页面,选择要提交重新验证的域。

  3. 提交域以进行重新验证下拉列表中,选择提交域以进行基于电子邮件的验证

请参阅 域预验证:批量域重新验证

2022 年 3 月 24 日

终止 SSL 工具的使用

从 2022 年 3 月 24 日起,当您访问 SSL 工具时,将有弹出消息告诉您 SSL 工具不再可用。欢迎您使用 DigiCert® SSL 安装诊断工具

注意

如果您访问其他 SSL 工具功能/页面,我们会将您引导至 digicert.com 上提供相同或类似服务的其他网站页面。

什么是 SSL 安装诊断工具?

SSL 安装诊断工具是一个免费的公共工具,用于检查:

  • 证书安装

  • Web 服务器配置

我需要做些什么?

开始使用 DigiCert® SSL 安装诊断工具。您需要执行以下操作:

  • 在浏览器中,将 SSL 工具书签替换为 DigiCert® SSL 安装诊断工具。

  • 如果您的网站上有 SSL 工具链接,请将其替换为 SSL 安装诊断工具链接。

2022 年 3 月 21 日

DigiCert 网站标章现在可用于 Basic OV 和 EV 证书订单

DigiCert Basic OV 和 EV 证书订单包括 DigiCert 网站标章。现在,您可以在 Basic SSL 证书保护的同一站点上安装 DigiCert 网站标章。网站标章向您的客户保证您的网站受 DigiCert 的保护,DigiCert 的 TLS/SSL 安全性备受赞誉。

点击网站标章时,您会看到更多关于域、组织、TLS/SSL 证书和验证的详情。

了解如何配置和安装 DigiCert 网站标章

DigiCert Smart Seal

DigiCert 还提供了一种更具创新性的网站标章 - DigiCert Smart Seal。该高级标章比 DigiCert 网站标章更具互动性和吸引力。我们增加了光标悬停效果、动画效果,以及在光标悬停效果和动画功能中显示公司徽标的功能。

了解有关 DigiCert Smart Seal 的更多信息

2022 年 3 月 10 日

CertCentral:DNS CNAME DCV 方法现在可用于 DV 证书订单

在 CertCentral 和 CertCentral 服务 API 中,您现在可以使用 DNS CNAME 域控制验证 (DCV) 方法验证 DV 证书订单上的域。

注意

在此之前,您只能使用 DNS CNAME DCV 方法来验证 OV 和 EV 证书订单上的域和预验证域。

如需在 DV 证书订单上使用 DNS CNAME DCV 方法,请执行以下操作:

  • 在 CertCentral 中:

    • 订购 DV TLS 证书时,您可以选择 DNS CNAME 作为 DCV 方法。

    • 在 DV TLS 证书的订单详情页面上,您可以将 DCV 方法更改为 DNS CNAME 记录。

  • 服务 API:

    • 请求 DV TLS 证书时,将 dcv_method 请求参数的值设置为 dns‑cname‑token。

注意

生成请求令牌以立即颁发 DV 证书的 AuthKey 进程不支持 DNS CNAME DCV 方法。但是,您可以使用文件认证 (http‑token) 和 DNS TXT (dns‑txt‑token) DCV 方法。有关更多信息,请访问立即颁发 DV 证书

了解有关 DNS CNAME DCV 方法的更多信息:

2022 年 3 月 8 日

CertCentral 服务 API:改进了列出域端点响应

为了更轻松地找到有关 CertCentral 帐户中域的域控制验证 (DCV) 状态的信息,我们将这些响应参数添加到列出域 API 响应中的域对象中:

  • dcv_approval_datetime:域最近一次完成 DCV 检查的日期和时间。

  • last_submitted_datetime:上次提交域进行验证的日期和时间。

有关更多信息,请参阅列出域端点的参考文档:

2022 年 3 月 5 日

即将开始的预定维护

DigiCert 执行预定维护的时间为 2022 年 3 月 5 日 22:00 – 24:00 MDT(2022 年 3 月 6 日 5:00 – 7:00 UTC)。在此期间,某些服务可能会中断最多两个小时。

基础设施相关的维护停机

基础设施相关的维护的开始时间为 22:00 MDT (5:00 UTC)。然后,下面列出的服务可能会中断最多两个小时

CertCentral™ TLS 证书颁发:

  • 在此期间提交的 TLS 证书请求将失败

  • 如果请求失败,则应在恢复服务后再次提交请求

CIS 和 CertCentral™ SCEP:

  • 证书颁发服务 (CIS) 将停止

  • CertCentral 简单证书注册协议 (SCEP) 将停止

  • 在此期间提交请求将失败

  • CIS API 将返回“503 服务不可用”错误信息

  • 如果请求失败,则应在恢复服务后再次提交请求

Direct Cert Portal 新域和组织验证:

  • 在此期间将无法提交新域进行验证

  • 在此期间将无法提交新组织进行验证

  • 如果请求失败,则应在恢复服务后再次提交请求

QuoVadis™ TrustLink™ 证书颁发:

  • 在此期间提交的 TrustLink 证书请求将延迟处理

  • 但是,请求将添加到队列,以稍后进行处理

  • 加入队列的请求将会在恢复服务后进行处理

PKI Platform 8 新域和组织验证:

  • 在此期间将无法提交新域进行验证

  • 在此期间将无法提交新组织进行验证

  • 但是,请求将添加到队列,以稍后进行处理

  • 加入队列的请求将会在恢复服务后进行处理

我可以做什么?

调整计划:

  • 将高优先级订单、续订和补发计划安排在维护期之前或之后。

  • 如果您使用 API 执行直接颁发证书和其他自动化任务,可能会遇到中断。

  • 要获取实时更新,请订阅 DigiCert 状态页面。订阅包括关于维护开始时间和维护结束时间的电子邮件提醒。

  • 有关预定维护日期和时间,请参阅 DigiCert 2022 年维护计划

一旦完成维护,将立即恢复服务。

2022 年 2 月 17 日

CertCentral:改进了经认证的联系人 EV TLS 证书申请审批流程

在 CertCentral 和 CertCentral 服务 API 中,我们更新了 EV TLS 证书申请流程,仅向证书申请中包含的已验证的联系人发送 EV TLS 申请审批电子邮件。

注意

在此之前,当您申请 EV TLS 证书时,我们向该组织所有的已验证的联系人发送 EV 订单审批电子邮件。

将已验证的联系人添加到 EV EV TLS 证书申请中:

  • CertCentral

    申请 EV TLS 证书时,您可以:

    • 保留现有的已分配到组织的已验证联系人

    • 删除联系人(至少一个)

    • 添加新联系人(我们必须验证每个新联系人,这可能会使证书颁发延迟)

  • 服务 API

    申请 EV TLS 证书时,在 JSON 请求的 organization.contacts 数组中包括已验证的联系人。对于已验证的联系人,contact_type 字段的值为 ev_approver

有关 EV TLS 证书申请的更多信息:

2022 年 2 月 12 日

扩展 DigiCert 服务的 IP 地址范围

在 MST 时间 2022 年 2 月 12 日 22:00–24:00(UTC 时间 2022 年 2 月 13 日 05:00-07:00)进行的预定维护中,DigiCert 扩大了用于服务的 IP 地址范围。增加这些 IP 地址是为了增加服务正常运行时间,减少预定维护期间服务停机的情况。

我需要做些什么?

如果您的公司使用允许列表*,请在 2022 年 2 月 12 日前更新列表,将下面列出的 IP 地址块添加到列表中,使 DigiCert 服务和 API 集成正常运行。

注意

*允许列表针对的是防火墙,仅允许指定的 IP 地址执行特定任务或连接至您的系统。

新的 IP 地址范围

将此范围内的 IP 地址添加到允许列表*中:216.168.240.0/20

重要

我们不会替换或删除任何 IP 地址,只是在扩大提供服务的 IP 地址范围。

请参阅我们的知识库文章:扩展 DigiCert 服务的 IP 地址范围。如果您有疑问,请联系客户经理或 DigiCert 支持团队

受影响的服务:
  • CertCentral/服务 API

  • ACME

  • Discovery/API

  • Discovery 传感器防火墙设置

  • ACME 自动化/API

  • 证书颁发服务 (CIS)

  • 简单证书注册协议 (SCEP)

  • API 访问 URL

  • Direct Cert Portal/API

  • DigiCert 网站

  • 验证服务

  • PKI Platform 8

  • PKI Platform 7(日本和澳大利亚)

  • QuoVadis TrustLink

  • DigiCert ONE

    • Account Manager

    • CA Manager

    • IoT Device Manager

    • Document Signing Manager

    • Secure Software Manager

    • Enterprise PKI Manager

    • Automation Manager

2022 年 2 月 9 日

CertCentral 服务 API:域信息增强

我们更新了域信息 API 响应,使其包括与域关联的 DCV 令牌的 expiration_date 参数。现在,当您调用域信息 API 并将 include_dcv 查询参数的值设置为 true 时,响应中的 dcv_token 对象包括域 DCV 令牌的 expiration_date

3. 域信息响应示例:
{
  ...
  "dcv_token": {
    "token": "91647jw2bx280lr5shkfsxd0pv50ahvg",
    "status": "pending",
    "expiration_date": "2022-02-24T16:25:52+00:00"
  },
  ...
}

2022 年 2 月 8 日

帐户安全功能:经核准的用户电子邮件域

CertCentral 管理员现在能够指定用户可以为哪些电子邮件域创建 CertCentral 帐户。使用该设置可以防止电子邮件发送到未经批准的通用电子邮件域(@ @gmail.com、@yahoo.com)或第三方拥有的域。如果用户试图将用户电子邮件地址设置或更改为未经批准的域,则会收到错误消息。

设置 > 首选项 中找到此设置。展开高级设置,然后找到经核准的电子邮件域部分。

注意

该设置不会影响具有未经批准的电子邮件地址的现有用户,仅影响新用户和配置此设置后所做的电子邮件更改。

2022 年 2 月 1 日

经认证的标记证书 (VMC):三个新认可的商标局

我们很高兴宣布 DigiCert 现在认可了另外三家知识产权局验证 VMC 证书徽标。它们分别位于韩国、巴西和印度。

新认可的商标局:

其他认可的商标局:

什么是经认证的标记证书?

经认证的标记证书 (VMC) 是一种新的证书类型,允许公司在客户收件箱的“发件人”字段旁放置经认证的品牌徽标。

  • 收件人在打开邮件之前可看到该徽标。

  • 该徽标用于确认您的域的 DMARC 状态和您组织的经认证的身份。

进一步了解 VMC 证书

错误修复:代码签名 (CS) 证书生成电子邮件仅发送给已验证的 CS 联系人

我们修复了代码签名 (CS) 证书颁发过程中的一个错误,即我们只向已验证的 CS 联系人发送证书生成电子邮件。只有当申请人在代码签名证书请求中未提供 CSR 时,才会发生此错误。

现在,对于未提供 CSR 的订单,我们将代码签名证书生成电子邮件发送至:

  • 证书申请人

  • 已验证的 CS 联系人

  • 订单上的其他电子邮件地址

注意

DigiCert 建议在提交代码签名证书请求时提供 CSR。目前,Internet Explorer 是唯一支持生成密钥对的浏览器。请参阅我们的知识库文章:Firefox 69 将终止支持 Keygen

2022 年 1 月 25 日

OV 和 EV TLS 证书配置文件更新

在调整 DV、OV 和 EV TLS 证书配置文件的过程中,我们对 OV 和 EV TLS 证书配置文件进行了轻微更改。2022 年 1 月 25 日,我们在 OV 和 EV TLS 证书配置文件中将基本约束扩展设置为非关键

注意

DV TLS 证书颁发时的基本约束扩展设置为非关键

我需要做些什么?

您无需执行任何操作。证书颁发过程没有任何差异。但是,如果您的 TLS 证书流程要求将基本约束扩展设置为关键,请立即联系您的客户经理或 DigiCert 支持团队

2022 年 1 月 24 日

改进的域页面、验证状态筛选器 - 已完成/已验证

页面的验证状态下拉列表中,我们更新了已完成/已验证筛选器,以便您更容易找到已完成域控制验证 (DCV) 且活跃的域。

注意

在此之前,当您搜索已完成/已验证 DCV 的域时,我们返回的是所有已完成 DCV 的域,包括域验证已过期的域。

现在,当您搜索已完成/已验证 DCV 的域时,搜索结果中只会返回已完成 DCV 且活跃的域。要查找 DCV 过期的域,请使用验证状态下拉列表中的已过期筛选器。

查找已完成 DCV 且活跃的域

  1. 在 CertCentral 的左侧主菜单中,转到证书 > 域

  2. 页面的验证状态下拉列表中,选择已完成/已验证

CertCentral 服务 API:列出域增强功能

对于列出域 API,我们更新了 filters[validation]=completed 筛选器,以便您更容易找到用于颁发 OV 或 EV 证书的已验证的域。

在此之前,此筛选器返回所有已完成 DCV 检查的域,包括域验证已过期的域。现在,该筛选器仅返回具有活跃的 OV 或 EV 域验证状态的域。

2022 年 1 月 10 日

CertCentral 域和域详细信息页面:改进的域验证跟踪

我们更新了域详细信息页面,以更加方便跟踪域的验证状态并保持更新。这些更新符合去年业内对域验证重用有效期*的更改。保持域验证的最新状态可以减少证书颁发次数,包括新证书、补发、副本和续订证书。

注意

*2021 年 10 月 1 日,行业将所有域验证重用有效期缩短为 398 天。DigiCert 实行 397 天的域验证重用有效期,以确保不会使用过期的域验证颁发证书。有关此变更的更多信息,请参阅知识库文章:2021 年验证政策变更

域页面改进

当您访问域页面(在左侧主菜单中,选择证书 > 域)后,将看到三个新增列:DCV 方法验证状态验证到期。现在,您可以查看用于证明对域的控制权的域控制验证 (DCV) 方法、域验证的状态(待处理、已验证、即将到期和已过期)以及域验证的到期时间。

由于 OV 和 EV 验证的重用有效期相同,因此我们简化了验证状态分类功能。不再分别显示 OV 验证和 EV 验证的筛选器,只显示一组筛选器:

  • 已完成/已验证

  • 等待验证

  • 0-7 天后到期

  • 0-30 天后到期

  • 31-60 天后到期

  • 61-90 天后到期

  • 已过期

域详细信息页面改进

访问域的详细信息页面(在页面上,选择一个域)时,您现在将在页面顶部看到一个状态栏。在此状态栏中可查看域的验证状态、域验证到期时间、最近一次完成域验证的时间,以及用于证明对域的控制权的 DCV 方法。

我们还更新了页面的域验证状态部分。我们将分开的 OV 和 EV 域验证状态条目替换为一个条目:域验证状态。

2022 年 1 月 8 日

即将开始的预定维护

DigiCert 执行预定维护的时间为 2022 年 1 月 8 日 22:00 – 24:00 MDT(2022 年 1 月 9 日 05:00 – 07:00 UTC)。尽管我们提供了冗余以保护您的服务,但在此期间,一些 DigiCert 服务可能不可用。

我可以做什么?

调整计划:

  • 将高优先级订单、续订和补发计划安排在维护期之前或之后。

  • 如果您使用 API 执行直接颁发证书和自动化任务,可能会遇到中断。

  • 要获取实时更新,请订阅 DigiCert 状态页面。订阅包括关于维护开始时间和维护结束时间的电子邮件提醒。

  • 有关预定维护日期和时间,请参阅 DigiCert 2022 年预定维护

一旦完成维护,将立即恢复服务。