Glossary

Access roles

| ID | Role | Description |
|---|---|---|
| 1 | Administrator | Full administrative access, including create divisions and users, manage user access. |
| 2 | Limited user | Place and manage only their own orders. |
| 3 | Finance manager | Manage finances, place and manage orders. |
| 4 | Manager | Manage finances, create and approve requests, manage orders and domains, view and edit users. |
| 5 | Standard user | Place and manage orders. All changes require approval by a manager or administrator. |

API key roles

| Role ID | Role name | Description |
|---|---|---|
| 0 | N/A | No restrictions. Permissions are inherited from access role of the user that is assigned to the key. |
| 100 | Orders | Limits the key to these actions: Orders, Requests, and Certificates. |
| 101 | Orders, Domains, Organizations | Limits the key to these actions: Orders, Requests, Organizations, and Domains. |
| 102 | View Only | Limits key to GET requests only. |
| 103 | User Management | Limits key to these actions: Users. |

Payment service provider roles

| Role name | Description |
|---|---|
| psp_as | This role applies to account servicing payment service provider entities. These entities manage payment accounts on behalf of customers, enabling access to the accounts for payment initiation or other services. It typically includes banks or institutions that provide online banking. |
| psp_pi | This role applies to payment initiation service providers entities. These entities initiate payments on behalf of the customer directly from their bank accounts. |
| psp_ai | This role applies to account information service provider entities. These entities offer account aggregation services, consolidating information from multiple payment accounts held by a customer across different financial institutions. |
| psp_ic | This role applies to issuers of card-based payment instruments. These institutions are responsible for issuing credit or debit cards to customers and providing related payment services, including managing card payments and processing transactions. |

Certificate formats

| Format name | Content-Type | Certificate file extension | Description |
|---|---|---|---|
| default | application/zip | .crt | ZIP archive containing individual root, intermediate, and end-entity certificate files. |
| apache | application/zip | .crt | ZIP archive containing individual intermediate and end-entity certificate files. |
| default_cer | application/zip | .cer | ZIP archive containing individual root, intermediate, and end-entity certificate files. |
| cer | application/x-pkcs7-certificates | .cer | Single P7B bundle file containing root, intermediate, and end-entity certificates. |
| p7b | application/x-pkcs7-certificates | .p7b | Single P7B bundle file containing root, intermediate, and end-entity certificates. |
| default_pem | application/zip | .crt | ZIP archive containing individual root, intermediate, and end-entity certificate files. |
| pem_all | application/x-pem-file | .pem | Single PEM bundle containing root, intermediate, and end-entity certificate entries. |
| pem_nointermediate | application/x-pem-file | .pem | Single PEM file containing only end-entity certificate entry. |
| pem_noroot | application/x-pem-file | .pem | Single PEM bundle containing intermediate and end-entity certificate entries. |

Certificate profile options

Certificate profiles allow you to do more with your certificates. Some options allow you to include an additional field in your certificate, while others allow you to include an additional X.509 extension such as Extended Key Usage (EKU).

Some certificate profiles are available by default, while others must be enabled for your account by DigiCert Support. Profiles not enabled by default are not included in the standard DigiCert CertCentral® configuration. To enable a specific certificate profile, please contact your account representative or contact our Support team.

| Name | Description |
|---|---|
| data_encipherment | Include Data Encipherment key usage extension in a Private SSL/TLS certificate. |
| non_repudiation | Include Non-Repudiation key usage extension in a Private SSL/TLS certificate. |
| non_repudiation_and_data_enciph | Include both Non-Repudiation and Data Encipherment key usage extensions in a Private SSL/TLS certificate. |
| http_signed_exchange | Include CanSignHTTPExchanges extension in DigiCert branded OV or EV SSL/TLS certificate. |
| delegated_credentials | Include DelegationUsage extension in DigiCert branded OV or EV SSL/TLS certificate. |
| ocsp_must_staple | Include OCSP Must-Staple extension in DigiCert branded OV or EV SSL/TLS certificate. |
| intel_vpro_eku | Include Intel vPro EKU (Extended Key Usage) field in DigiCert branded OV SSL/TLS certificate. |
| kdc_smart_card | Include KDC/SmartCardLogon EKU (Extended Key Usage) field in DigiCert branded OV SSL/TLS certificate. |
| server_auth_only_eku | Include only the Server Authentication EKU in an OV, EV, or DV SSL/TLS certificate, X9 PKI for TLS certificates, and Private SSL/TLS certificates. Note: From October 1, 2025, public TLS certificates will include only the Server Authentication EKU by default. For more information, see Sunsetting the client authentication EKU from DigiCert public TLS certificates. EKU availability by certificate type: Public TLS: Available by default; X9 TLS: Available by default; Private SSL: Must be turned on by DigiCert support. |
| client_auth_only_eku | Include only the Client Authentication EKU in the X9 PKI for TLS and Private SSL/TLS certificates. Use this profile option only when the certificate is intended for client authentication. EKU availability by certificate type: X9 TLS: Available by default; Private SSL: Must be turned on by DigiCert support. |
| server_client_auth_eku | Include both the Server and the Client Authentication EKU in an OV, EV, or DV SSL/TLS certificate. Note: From October 1, 2025, DigiCert will stop including the Client Authentication EKU by default in Public TLS certificates. If you want the Client Authentication EKU in the Public TLS certificates after October 1, this option must be included in API requests. After May 1, 2026, this profile option will be deprecated. EKU availability by certificate type: Public TLS: Available by default; X9 TLS: Available by default; Private SSL: Must be turned on by DigiCert support. |

Custom order field input types

| Type | Description |
|---|---|
| anything | No input validation. Uses the input html tag for the form field. |
| text | No input validation. Uses the textarea html tag for the form field. |
| int | Allows only integers as input. Uses the input html tag for the form field. |
| email_address | Allows only a single valid email address as input. Uses the input html tag for the form field. |
| email_list | Allows multiple valid email addresses as input. Does not allow duplicate email addresses. Uses the input html tag for each email address. |

DigiCert currencies

| Code | Currency |
|---|---|
| AUD | Australian dollar |
| CHF | Swiss franc |
| GBP | British pound sterling |
| EUR | Euro |
| HKD | Hong Kong dollar |
| JPY | Japanese yen |
| SGD | Singapore dollar |
| SEK | Swedish krona |
| TWD | Taiwan dollar |
| USD | US dollar |

Locale codes

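| Code | Language | language_id |
|---|---|---|
| en | English | 1 |
| de | German | 5 |
| es | Spanish | 2 |
| fr | French | 3 |
| it | Italian | 6 |
| ja | Japanese | 13 |
| kr | Korean | 14 |
| nl | Dutch | 17 |
| pt_br | Portuguese | 4 |
| ru | Russian | 15 |
| zh_cn | Simplified Chinese | 11 |
| zh_tw | Traditional Chinese | 12 |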

Provisioning methods

| Method | Description |
|---|---|
| email | DigiCert emails the certificate to you. Install the certificate on your own supported hardware token or HSM device. |
| ship_token | DigiCert ships a certified hardware token to the address you provide on the order. To activate your certificate, see Set Up Your DigiCert Provided eToken. |
| client_app | Use the DigiCert Hardware Certificate Installer to install the certificate on an existing DigiCert provided, certified token. Learn more: |

CSR requirements

| Certificate type | CSR |
|---|---|
| ssl_certificate | Required for all orders. |
| dv_ssl_certificate | Required for all orders. |
| client_certificate | Optional for all orders. |
| code_signing_certificate | Required for these uses: |

CSRs for code signing certificates must be ECC P-256 or RSA 3072-bit key sizes or larger.

DCV methods

| Method | Description |
|---|---|
| email | DigiCert sends domain validation emails to the following email addresses: |
| dns-cname-token | Create a DNS CNAME record for the domain that contains a random value. |
| http-token | Add a file that contains a random value and make it publicly available on the domain. DigiCert only supports the use of the file-based DCV method to demonstrate control over fully qualified domain names (FQDNs) exactly as named in the certificate request. To learn more, visit File-based domain control validation (http-token and http-token-dynamic). |
| http-token-dynamic | Add a file with a random file name that contains a random value and make it publicly available on the domain (http://{domain-name}/.well-known/pki-validation/{filename}.txt). DigiCert only supports the use of the file-based DCV method to demonstrate control over fully qualified domain names (FQDNs) exactly as named in the certificate request. To learn more, visit File-based domain control validation (http-token and http-token-dynamic). |
| dns-txt-token | Create a DNS TXT record for the domain that contains a random value. |
| token-based* | To verify control over the domain, DigiCert checks the domain’s DNS TXT and DNS CNAME records and the domain’s website until we find the DigiCert-generated random value. Supported token-based DCV methods: |
| http-token-static (Deprecated) | A legacy value for file-based DCV. The http-token-static label has the same meaning as http-token. |

*Note: To enable the new token-based DCV method for your CertCentral account, please contact your account manager or DigiCert Support.

Hash types

| ID | Name |
|---|---|
| sha256 | SHA-256 |
| sha384 | SHA-384 |
| sha512 | SHA-512 |
| sha1 | SHA-1 |

Note: Per industry standards, DigiCert does not support SHA-1 for publicly trusted certificates, including:

Headers

Headers are based on the RFC 2616 specification.

| Status | Description |
|---|---|
| 200 | General success response |
| 201 | Created: Useful for creation of requests, orders, etc. |
| 204 | No Content: For successful requests that don’t require a response |
| 301 | Moved Permanently: Returned in the unlikely event that a URL has changed. Will also return a LOCATION header with new URL. Clients should resubmit this request and submit future requests to this new URL |
| 302 | Moved Temporarily: Returned in the unlikely event that a URL has changed temporarily. Will also return a LOCATION header with new URL. Clients should resubmit this single request to this new URL |
| 304 | Content not modified: Useful when accessing a URL while waiting for a response. Only used if an IF-NONE-MATCH header was passed |
| 400 | General client error |
| 401 | Unauthorized: Returned if the page is accessed without a valid API Key |
| 403 | User doesn’t have permission to perform the requested action |
| 404 | Returned if the page doesn’t exist or the API doesn’t have permission to interact with a particular item |
| 406 | If the client doesn’t specify a valid acceptable content-type |
| 429 | Too many requests. The client has sent too many requests in a given amount of time. |
| 500 | Unexpected behavior that the API couldn’t recover from |
| 503 | The system is currently unavailable |

Order status

| Status | Description |
|---|---|
| pending | Initial order status. |
| reissue_pending | Reissue was requested and is pending. |
| rejected | Order request was rejected. |
| processing | Order was approved and is being processed. |
| issued | Order was validated and certificate can be downloaded. |
| revoked | Order was revoked. |
| canceled | Order was canceled. |
| needs_approval | A CertCentral admin or manager must approve the order request before DigiCert can process the order. |
| expired | Order has expired. |
| waiting_pickup | For client certificates, the order is ready and DigiCert has emailed the recipient a link to generate the certificate. |

CAA resource record check status

| Status | Description |
|---|---|
| VALUE_MISMATCH | An error occurred. Make sure you have created a DigiCert CAA for this domain. |
| DNS_SEC_DS | CAA check failed because DNSSEC is enabled. Check your DNS settings. If this check fails again, contact DigiCert Support.* |
| DNS_SEC_RRSIG | CAA check failed because DNSSEC is enabled. Check your DNS settings. If this check fails again, contact DigiCert Support.* |
| DNS_PARSE_ERROR | An error occurred on parsing a DNS response for a CAA record. If this check continues to fail, contact DigiCert Support.* |
| RECORD_UNKNOWN_CRITICAL_TAG | A critical error occurred on a CAA check. If this check continues to fail, contact DigiCert Support.* |
| RECORD_PARSE_ERROR | An error occurred on parsing the CAA record. If this check fails again, contact DigiCert Support.* |
| REQUIRED_PARAMETER_NOT_FOUND | An error occurred on a CAA check. If this check fails again, contact DigiCert Support.* |
| NOT_CALLED_YET | We have not yet checked a CAA. |
| UNKNOWN | An error occurred on a CAA check. If this check fails again, contact DigiCert Support.* |

*Contact DigiCert Support

Certificate status (Discovery)

Status
VALID
REVOKED
EXPIRED
UNDETERMINED

Certificate security rating

Rating
At risk
Not secure
Secure
Very secure

Server security vulnerabilities

Vulnerability
BEAST
BREACH
CRIME
DROWN
FREEK
Heartbleed
LogJam
POODLE (SSLv3)
POODLE (TLS)
RC4
SWEET32
NO_VULNERABILITY_FOUND

Payment methods

Allowed payment_method values when using the API to submit a certificate order request.

| Name | Description |
|---|---|
| balance | Pay with account balance. |
| card | Pay with a new credit card. |
| profile | Pay with default credit card saved to the account. |

Product identifiers

| Name ID | Group name | Name |
|---|---|---|
| ssl_dv_geotrust | dv_ssl_certificate | GeoTrust Standard DV SSL Certificate |
| ssl_dv_rapidssl | dv_ssl_certificate | RapidSSL Standard DV SSL Certificate |
| ssl_dv_thawte | dv_ssl_certificate | Thawte SSL123 DV |
| ssl_dv_ee | dv_ssl_certificate | Encryption Everywhere DV |
| wildcard_dv_geotrust | dv_ssl_certificate | GeoTrust Wildcard DV SSL Certificate |
| wildcard_dv_rapidssl | dv_ssl_certificate | RapidSSL Wildcard DV SSL Certificate |
| cloud_dv_geotrust | dv_ssl_certificate | GeoTrust Cloud DV |
| ssl_dv_geotrust_flex | dv_ssl_certificate | Geotrust DV SSL |
| ssl_plus | ssl_certificate | Standard SSL Certificate |
| ssl_multi_domain | ssl_certificate | SSL Multi Domain Certificates |
| ssl_wildcard | ssl_certificate | Wildcard Certificate |
| ssl_ev_plus | ssl_certificate | EV SSL Certificate |
| ssl_ev_multi_domain | ssl_certificate | SSL EV Multi Domain Certificate |
| ssl_cloud_wildcard | ssl_certificate | SSL Cloud Certificates |
| ssl_basic | ssl-certificate | Basic OV |
| ssl_ev_basic | ssl-certificate | Basic EV |
| ssl_thawte_webserver | ssl_certificate | Thawte SSL Webserver OV |
| ssl_ev_thawte_webserver | ssl_certificate | Thawte SSL Webserver EV |
| ssl_geotrust_truebizid | ssl_certificate | GeoTrust TrueBusiness ID OV |
| ssl_ev_geotrust_truebizid | ssl_certificate | GeoTrust TrueBusiness ID EV |
| ssl_securesite_pro | securesite_ssl_certificate | Secure Site Pro SSL |
| ssl_ev_securesite_pro | securesite_ssl_certificate | Secure Site Pro EV SSL |
| ssl_securesite | securesite_ssl_certificate | Secure Site SSL |
| ssl_securesite_multi_domain | securesite_ssl_certificate | Secure Site Multi-Domain SSL |
| ssl_securesite_wildcard | securesite_ssl_certificate | Secure Site Wildcard SSL |
| ssl_ev_securesite | securesite_ssl_certificate | Secure Site EV SSL |
| ssl_ev_securesite_multi_domain | securesite_ssl_certificate | Secure Site EV Multi-Domain SSL |
| ssl_securesite_flex | securesite_ssl_certificate | Secure Site OV |
| ssl_ev_securesite_flex | securesite_ssl_certificate | Secure Site EV |
| client_premium | client_certificate | Client Premium Certificate |
| client_email_security_plus | client_certificate | Client Email Security Plus Certificate |
| client_digital_signature_plus | client_certificate | Client Digital Signature Plus Certificate |
| client_authentication_plus | client_certificate | Client Authentication Plus Certificate |
| class1_smime | client_certificate | Class 1 S/Mime Certificate |
| client_grid_premium | grid_certificate | GRID Client Premium Certificate |
| grid_host_ssl | grid_certificate | GRID Host SSL Plus Certificate |
| grid_host_ssl_multi_domain | grid_certificate | GRID Host SSL Multi Domain Certificates |
| client_grid_robot_fqdn | grid_certificate | GRID Robot FQDN Certificate |
| client_grid_robot_name | grid_certificate | GRID Robot Name Certificate |
| client_grid_robot_email | grid_certificate | GRID Robot Email Certificate |
| private_ssl_plus | private_ssl_certificate | Private SSL Plus Certificate |
| private_ssl_wildcard | private_ssl_certificate | Private SSL Wildcard Certificate |
| private_ssl_multi_domain | private_ssl_certificate | Private SSL Multi Domain Certificate |
| private_ssl_flex | private_ssl_certificate | Private SSL OV |
| code_signing | code_signing_certificate | Code Signing Certificate |
| code_signing_ev | code_signing_certificate | EV Code Signing Certificate |
| document_signing_org_1 | document_signing | Document Signing Organization (2000) Certificate |
| document_signing_org_2 | document_signing | Document Signing Organization (5000) Certificate |
| vmc_basic | verified_mark_certificate | Verified Mark Certificate |
| mark_certificate | common_mark_certificate | Common Mark Certificate |
| secure_email_mailbox | secure_email_certificate | Secure Email for Individual Mailbox |
| secure_email_sponsor | secure_email_certificate | Secure Email for Employee |
| secure_email_organization | secure_email_certificate | Secure Email for Organization |
| ds_individual | document_signing | Document Signing for Individual |
| ds_org_individual | document_signing | Document Signing for Employee |
| ds_org | document_signing | Document Signing for Organization |
| eu_eseal | european_organization_certificate | EU Qualified eSeal Certificate |
| eu_eseal_psd2 | european_organization_certificate | EU Qualified eSeal PSD2 Certificate |
| eu_individual | european_individual_certificate | EU Qualified Personal Certificate |
| eu_individual_org | european_individual_certificate | EU Qualified Personal Organisation Certificate |
| eu_qwac | european_organization_certificate | EU Qualified Website Authentication Certificate |
| eu_qwac_psd2 | european_organization_certificate | EU Qualified Website Authentication PSD2 Certificate |
| pkio_qualified_burger | pkio_citizen_certificate | PKIo Citizen - Signing Certificate |
| pkio_qualified_organisation_person | pkio_personal_organisation_certificate | PKIo Personal Organization - Signing Certificate |
| pkio_qualified_organisation_person_prof | pkio_professional_certificate | PKIo Professional - Signing Certificate |
| pkio_qualified_organisation_services | pkio_organisation_services_certificate | PKIo Qualified eSeal Certificate |

Product types

Type
client_certificate
code_signing_certificate
dv_ssl_certificate
ssl_certificate
verified_mark_certificate

Server platforms

When downloading a certificate, the server platform determines in which format the certificate should be sent.

TLS/SSL certificates

| Platform | Certificate format | ID |
|---|---|---|
| Apache | apache | 2 |
| Barracuda | default | 41 |
| Bea Weblogic 7 and older | pem_all | 29 |
| BEA Weblogic 8 & 9 | p7b | 42 |
| Cisco | default | 30 |
| Citrix (Other) | pem_noroot | 39 |
| Citrix Access Essentials | default | 46 |
| Citrix Access Gateway 4.x | pem_noroot | 50 |
| Citrix Access Gateway 5.x and higher | apache | 58 |
| cPanel | apache | 43 |
| F5 Big-IP | apache | 31 |
| F5 FirePass | apache | 32 |
| IBM HTTP Server | default_cer | 7 |
| Java Web Server (Javasoft / Sun) | p7b | 10 |
| Juniper | default | 33 |
| Lighttpd | apache | 44 |
| Lotus Domino | default | 11 |
| Mac OS X Server | apache | 49 |
| Microsoft Exchange Server 2003 | cer | 47 |
| Microsoft Exchange Server 2007 | cer | 36 |
| Microsoft Exchange Server 2010 | cer | 48 |
| Microsoft Exchange Server 2013 | cer | 68 |
| Microsoft Exchange Server 2016 | cer | 71 |
| Microsoft Forefront Unified Access Gateway | cer | 66 |
| Microsoft IIS 1.x to 4.x | default | 13 |
| Microsoft IIS 10 | cer | 70 |
| Microsoft IIS 5 or 6 | cer | 14 |
| Microsoft IIS 7 | cer | 40 |
| Microsoft IIS 8 | cer | 67 |
| Microsoft Live Communications Server 2005 | cer | 37 |
| Microsoft Lync Server 2010 | cer | 59 |
| Microsoft Lync Server 2013 | cer | 69 |
| Microsoft OCS R2 | p7b | 60 |
| Microsoft Office Communications Server 2007 | cer | 38 |
| Microsoft Small Business Server 2008 & 2011 | default | 62 |
| Netscape Enterprise Server | default | 15 |
| Netscape iPlanet | default | 9 |
| nginx | pem_noroot | 45 |
| Novell iChain | default | 65 |
| Novell NetWare | cer | 17 |
| Oracle | default | 18 |
| Qmail | pem_all | 34 |
| SunOne | default | 35 |
| Tomcat | p7b | 24 |
| WebStar | default | 26 |
| Zeus Web Server | default | 28 |
| Other | default | -1 |

Code Signing server platforms

Use these values for Code Signing certificate orders when your request includes a CSR and the private key and certificate will be stored and installed on a laptop or server instead of a certified hardware token or HSM.

| Platform | ID |
|---|---|
| Adobe AIR | 52 |
| Apple OS X | 53 |
| Microsoft Authenticode | 51 |
| Microsoft Office VBA | 54 |
| Mozilla | 56 |
| Sun Java | 55 |
| Other | 57 |

Code Signing and EV Code Signing hardware platforms

Use these values for Code Signing and EV Code Signing certificates when the private key and certificate will be stored and installed on a certified hardware token or HSM.

| Platform | Device type | Supported key sizes | ID |
|---|---|---|---|
| SafeNet eToken 5110 FIPS | Token | ECC P-256 or P-384 | 20 |
| SafeNet eToken 5110 CC | Token | RSA 4096; ECC P-256 | 23 |
| SafeNet eToken 5110+ FIPS | Token | RSA 4096; ECC P-256 | 24 |
| SafeNet eToken 5110+ CC (940B) | Token | ECC P-256 | 25 |
| Other. Must be a FIPS 140-2 Level 2 or Common Criteria EAL4+ compliant device. | HSM | RSA 3072 or 4096; ECC P-256 or P-384 | -1 |

Permissions

Permission action
add_domains
create_child_enterprise
create_child_reseller
create_child_retail
create_containers
create_discovery_report
create_discovery_scan
create_discovery_sensor
create_domains
create_guest_keys
create_organizations
create_users
delete_account_scans
delete_scan
edit_container
edit_domains
edit_guest_keys
edit_organizations
edit_users
manage_account_metadata
manage_api_access
manage_discovery_report
manage_discovery_scan
manage_discovery_sensor
manage_finances
manage_guest_keys
manage_ip_access
manage_order_user_access
manage_orders
manage_org_container_assignments
manage_requests
manage_settings
manage_tfa
manage_user_container_assignments
place_orders
review_requests
saml_attribute_mapping
saml_manage_idp
saml_map_idp
saml_organization_mapping
saml_sso
tools_links
update_scan
view_api_access
view_child_account
view_container
view_discovery_report
view_discovery_scan
view_discovery_sensor
view_domains
view_finances
view_guest_keys
view_orders
view_organizations
view_reports
view_scan
view_users

Subaccount display currencies

| Code | Currency |
|---|---|
| ARS | Argentine peso |
| AUD | Australian dollar |
| BRL | Brazilian real |
| GBP | British pound sterling |
| BND | Brunei dollar |
| KHR | Cambodia riel |
| CAD | Canadian dollar |
| CNY | Chinese yuan renminbi |
| COP | Colombian peso |
| EUR | Euro |
| HKD | Hong Kong dollar |
| INR | Indian rupee |
| IDR | Indonesia rupiah |
| JPY | Japanese yen |
| LAK | Lao kip |
| MYR | Malaysian ringgit |
| MXN | Mexican peso |
| MMK | Myanmar kyat |
| NZD | New Zealand dollar |
| NOK | Norwegian krone |
| PHP | Philippine peso |
| RUB | Russian ruble |
| SGD | Singapore dollar |
| ZAR | South African rand |
| KRW | South Korean won |
| SEK | Swedish krona |
| CHF | Swiss franc |
| TWD | Taiwan dollar |
| THB | Thailand baht |
| TRY | Turkish lira |
| USD | US dollar |
| VND | Vietnam dong |

Subaccount types

| Type | Description |
|---|---|
| retail | CertCentral Basic account |
| enterprise | CertCentral Enterprise account |
| reseller | CertCentral Reseller account |
| managed | API only account (no CertCentral UI access) |

User status

| Status | Description |
|---|---|
| active | Normal user status. |
| incomplete | User has not completed the sign up process. |
| inactive | User profile and settings exist, but user cannot sign in. |

Validation types

Type
cs
ds
ev
ev_cs
grid
ov
private_grid
private_ssl
vmc
smime

Organization status

The status property for an organization describes whether the organization is active or inactive in your CertCentral account.

| Status | Description |
|---|---|
| active | Organization is active. This means: |
| inactive | Organization is inactive. This means: |

Organization validation statuses

| Status | Description |
|---|---|
| pending | The validation is pending. |
| active | The validation is active. |
| rejected | DigiCert’s validation agents have removed or rejected the validation. To re-submit an organization for validation, use the Submit for validation endpoint. |
| expired | The validation has expired. |

Domain is_active property

The is_active property for a domain describes whether the domain is active or inactive in your CertCentral account.

| Value | Description |
|---|---|
| "is_active": true (active) | Domain is active. This means: |
| "is_active": false (inactive) | Domain is inactive. This means: |

Domain validation statuses

| Status | Description |
|---|---|
| pending | The domain validation is pending. |
| approved | The domain validation is approved and on file. |
| rejected | DigiCert’s validation agents have removed or rejected the validation. To re-submit a domain for validation, use the Submit for validation endpoint. |
| expired | The validation has expired. |

Trademark offices and country codes for VMC and CMC logos

Registered trademarks

| Country | Country code | Trademark office name (source) |
|---|---|---|
| Australia | au | IP Australia |
| Brazil | br | National Institute of Industrial Property |
| Netherlands | bx | Benelux Organization for Intellectual Property |
| Canada | ca | Canadian Intellectual Property Office |
| Switzerland | ch | Swiss Federal Institute of Intellectual Property |
| Germany | de | German Patent and Trade Mark Office |
| Denmark | dk | Danish Patent and Trademark Office |
| European Union | em | European Union Intellectual Property Office |
| Spain | es | Spanish Patent and Trademark Office |
| France | fr | French Patent and Trademark Office |
| United Kingdom | gb | Intellectual Property Office |
| India | in | Office of the Controller General of Patents, Designs and Trade Marks |
| Japan | jp | Japan Patent Office |
| Republic of Korea (South Korea) | kr | Korean Intellectual Property Office |
| New Zealand | nz | Intellectual Property Office of New Zealand |
| Sweden | se | Swedish Intellectual Property Office |
| United States | us | United States Patent and Trademark Office |

Government marks

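| Country | Country code |
|---|---|
| Austria | at |
| Australia | au |
| Belgium | be |
| Bulgaria | bg |
| Brazil | br |
| Canada | ca |
| Switzerland | ch |
| Cyprus | cy |
| Czech Republic | cz |
| Germany | de |
| Denmark | dk |
| Estonia | ee |
| Spain | es |
| European Union | eu |
| Finland | fi |
| France | fr |
| United Kingdom | gb |
| Greece | gr |
| Croatia | hr |
| Hungary | hu |
| Ireland | ie |
| India | in |
| Italy | it |
| Japan | jp |
| Republic of Korea (South Korea) | kr |
| Lithuania | lt |
| Malta | mt |
| Netherlands | nl |
| New Zealand | nz |
| Poland | pl |
| Portugal | pt |
| Romania | ro |
| Sweden | se |
| Slovenia | si |
| Slovakia | sk |
| United States | us |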