Skip to main content

Reissue certificate

POST https://www.digicert.com/services/v2/order/certificate/{{order_id}}/reissue

Use this endpoint to reissue a certificate. A certificate reissue replaces the existing certificate with a new one that has different information, such as a different common name, CSR, or signature hash.

Notice

When you reissue a certificate for a Multi-year Plan, you can set a new expiration date for the reissued certificate. For more information, see Multi-year plans.

Reissue Code Signing and EV Code Signing certificates

When reissuing a Code Signing or EV Code Signing certificate, you can choose a provisioning method for the reissued certificate by including the cs_provisioning_method parameter in your request payload.

If you submit a reissue request without providing a cs_provisioning_method value:

  • By default, DigiCert reissues the certificate using the current provisioning method for the order. To get the current provisioning method for an order, check the value of the cs_provisioning_method parameter on the Order info API response.

  • If the provisioning method stored on the order is not currently enabled in your account preferences, DigiCert reissues the certificate using the default provisioning method from your account preferences. Then, the provisioning method stored on the order is updated to match the provisioning method used to reissue the certificate.

Example requests and responses

Request parameters

Name

Req/Opt

Type

Description

certificate

required

object

Details about the certificate.

.. csr

conditional

string

Certificate signing request (CSR) or public key. Format the CSR/public key as a base64-encoded string without line breaks or escape characters. Include the PEM headers and footers (such as -----BEGIN CERTIFICATE REQUEST-----... and ...-----END CERTIFICATE REQUEST-----).

Usage depends on certificate type:

  • TLS/SSL certificate reissues: A CSR is required when reissuing TLS/SSL certificates.

  • Code Signing and EV Code Signing certificate reissues: A CSR is required when reissuing Code Signing or EV Code Signing certificates that will be installed on HSMs (cs_provisioning_method is email). The CSR must use a key size your hardware supports. If the provisioning method is ship_token or client_app, omit the CSR from your request.

  • S/MIME certificates: If you omit the CSR, you must generate the CSR in the browser after the order is created. For browser-generated certificates, DigiCert uses an RSA algorithm, SHA256 signature hash, and a 2048-bit key length CSR. To get a certificate with a different key length, signature hash, or algorithm, you must include a CSR with your request.

.. common_name

conditional*

string

Domain to be secured.

*Note: The common_name request parameter is required on reissue requests for public and private TLS/SSL certificates and non-S/MIME client certificates. However, you should omit the common_name parameter from reissue requests for Verified Mark Certificates (VMC), Code Signing and EV Code Signing certificates, Secure Email certificates, S/MIME client certificates, and Document Signing certificates.

.. dns_names

optional

array

For TLS/SSL and VMC certificates, list of additional domains to be secured.

.. emails

conditional

array

For Secure Email and client certificates, list of one or more email addresses to secure. Required for Secure Email and client certificates; ignored for other products.

For both Secure Email and client certificates, if the common name on the certificate will be an email address, DigiCert automatically uses the first email address from the emails array. Learn more about common name requirements:

Note: Orders for secure_email_sponsor and secure_email_organization certificates cannot include email addresses from public email service providers unless the domains for those email providers are already validated for the organization in your CertCentral account.

.. user_principle_name

optional

array

List of user principle names (UPN) to include in the UPN SAN attribute on the issued certificate.

Note: This parameter is only supported on secure_email_sponsor certificates. It is ignored on reissue requests for other products.

Max length: 1

Max characters per item: 255

.. common_name_indicator

conditional

string

Choose the source of the common name value for the certificate. Required for secure_email_sponsor and secure_email_organization certificates; ignored for other products.

Allowed values: Allowed values depend on product type. See Order Secure Email certificate – Common name value.

.. individual

conditional

object

First and last name or pseudonym of the individual on the certificate.

The individual object is only used with secure_email_sponsor certificates. When you reissue a secure_email_sponsor certificate, if the common_name_indicator is given_name_surname or pseudonym, you must populate the individual object in your request body

.. .. first_name

conditional

string

Individual first name. Required on secure_email_sponsor reissues if common_name_indicator is given_name_surname. Ignored for other products.

.. .. last_name

conditional

string

Individual last name. Required on secure_email_sponsor reissues if common_name_indicator is given_name_surname. Ignored for other products.

.. .. pseudonym

conditional

string

Individual pseudonym. Required on secure_email_sponsor reissues if common_name_indictator is pseudonym. Ignored for other products.

.. usage_designation

conditional

object

Object that determines the primary use and additional uses for the certificate. Learn more: Order Secure Email certificate – Certificate uses.

Required for Secure Email certificates. Ignored for other products.

.. .. primary_usage

conditional

string

Primary use for the certificate.

Allowed values: See Order Secure Email certificate – Primary uses.

.. .. additional_usages

optional

array of strings

List of additional certificate uses.

Allowed values: See Order Secure Email certificate – Certificate uses.

.. is_rsassa_pss

optional

bool

For certificate requests with an RSA CSR or public key, this parameter changes the type of RSA signature DigiCert uses for the end-entity certificate. If true, DigiCert issues the end-entity certificate with an RSASSA-PSS signature. If false (default), DigiCert issues the end-entity certificate with an RSA signature.

Important: This parameter is only honored when the issuing ICA certificate has an RSA key. If the issuing ICA certificate has an ECC key, DigiCert issues the end-entity certificate with an ECC signature that has same key size as the issuing ICA certificate.

.. server_platform

conditional

object

Server platform type.

.. .. id

required

int

Server platform ID. Usage depends on certificate type.

TLS/SSL certificate reissues: Providing a new server_platform.id is optional. For allowed values, see Glossary – TLS/SSL certificates.

Code Signing and EV Code Signing certificate reissues: For allowed values, see Glossary – Code Signing and EV Code Signing hardware platforms. Usage requirements depend on provisioning method (cs_provisioning_method).

  • ship_token: server_platform.id is optional and has no impact on the token type DigiCert ships. If not provided, defaults to 23.

  • email: server_platform.id is optional. If not provided, defaults to -1.

    Note: When the provisioning method is email, the CSR in your request must use a key size your hardware supports.

  • client_app: server_platform.id is required.

.. cert_validity

optional

object

Defines the validity period of the reissued certificate. If not provided, the validity period for the reissued certificate defaults to the time remaining in the Multi-year Plan or the maximum certificate validity period defined by CA/B Forum baseline requirements, whichever is shorter. This object is ignored for reissues that are not associated with a Multi-year Plan.

.. .. years

optional

int

Number of years the certificate is valid after it is issued. Can be replaced with cert_validity.days or cert_validity.custom_expiration_date.

Allowed value: 1

.. .. days

optional

int

Number of days the certificate is valid after it is issued. Overrides cert_validity.years.

Max: 397

.. .. custom_expiration_date

optional

string

A custom expiration date for the certificate. Overrides cert_validity.days and cert_validity.years.

Format: dd MMM YYYY (for example, "09 JUN 2021")

Range: Must be within 397 days of the date you request the certificate.

.. signature_hash

required

string

Hash algorithm used to signing the certificate.

.. profile_option

optional

string

Certificate profile option for the reissued certificate.

Allowed values: See Glossary – Certificate profile options

.. ca_cert_id

optional

string

ID of the intermediate certificate authority (ICA) certificate to select as the issuing certificate. To get the ca_cert_id value for an ICA, use the Product list endpoint.

Account administrators can customize the default and allowed ICAs for each product at the container or user role level. If you do not provide a value for this parameter, we issue the certificate using the default ICA. If you provide the ca_cert_id value for an ICA that is not allowed, the request returns an error*. To see the custom ICA settings for each product, use the Product limits endpoint.

*This parameter is ignored if the option for ICA selection is not enabled for your account. For more information, see ICA certificate chain selection.

dcv_method

optional

string

For TLS/SSL certificate reissues, DCV method to use when verifying domain control. See Glossary – DCV methods.

comments

optional

string

Comments about the reissue for the administrator reviewing the reissue request. The comments value is stored on the reissue request. If the reissue skips the approval step (skip_approval is set to true), any provided comments value is ignored since CertCentral processes the reissue directly without creating a corresponding request.

skip_approval

optional

bool

Specify if the order should skip the approval step and be immediately submitted for validation and issued when complete.

Default: false

certificate_dcv_scope

optional

string

use_auth_key

optional

bool

Use this parameter to complete DCV checks for new domains on a DV TLS/SSL reissue using an AuthKey request token.

cs_provisioning_method

optional

string

ship_info

optional

object

For Code Signing or EV Code Signing reissues with a cs_provisioning_method of ship_token, specify the shipping address for the hardware token.

Optional for both Code Signing and EV Code Signing certificates. For orders that omit the ship_info object, DigiCert uses the default token shipping address from your CertCentral account settings.

.. name

required

string

Name of the recipient.

.. addr1

required

string

Shipping address for the token.

.. addr2

optional

string

Secondary address field.

.. city

required

string

Shipping city.

.. state

required

string

Shipping state

.. zip

required

string

Shipping postal code.

.. country

required

string

Shipping country.

.. method

required

string

Shipping priority for the token.

Allowed values:STANDARD, EXPEDITED (incurs added cost)

subject

optional

object

Object with optional data to include in subject distinguished name (DN) attributes on the issued certificate.

This object is only used in reissue requests for Secure Email certificates. It is ignored in reissue requests for other product types. Learn more: Order Secure Email (S/MIME) certificate.

.. serial_number

optional

string

Value to use in the subject DN serial number attribute. Supported on secure_email_sponsor certificates.

Character limit: 100

.. pseudonym

optional

string

Value to use in the subject DN pseudonym attribute. Supported on secure_email_sponsor certificates.

Note: If you are already submitting the pseudonym value in the certificate.individual object, use subject.include_pseudonym instead.

Character limit: 128

.. job_title

optional

string

Value to use in the subject DN title attribute. Supported on secure_email_sponsor certificates.

Character limit: 128

.. include_pseudonym

optional

boolean

If true, the subject DN pseudonym attribute includes the pseudonym value from the certificate.individual object. If false (default), the subject DN does not include the pseudonym attribute.

Note: If there is no pseudonym value on the certificate.individual object, set the value of the subject DN pseudonym attribute with subject.pseudonym, instead.

.. include_email

optional

boolean

If true, the subject DN email attribute includes the first email address from the certificate.emails array. Otherwise, false (default). Supported on secure_email_individual, secure_email_sponsor, and secure_email_organization certificates.

.. include_given_name_surname

optional

boolean

If true, the subject DN surname and given name attributes include surname and given name from theindividual array. Otherwise, false (default). Supported on secure_email_sponsor certificates.

Response parameters

Name

Type

Description

id

int

Order ID.

certificate_id

int

Certificate ID.

Only returned if skip_approval is true.

dcv_random_value

string

Random value used for domain control validation (DCV). Use this token to complete the DCV check for any domain submitted for validation with the order. Only returned when the DCV method is dns-txt-token, dns-cname-token, or http-token.

requests

array

List of requests.

.. id

int

Request ID.