Glossary
Access roles
ID | Role | Description |
---|---|---|
1 | Administrator | Full administrative access, including creating divisions and users and managing user access. |
2 | Limited user | Place and manage only their own orders. |
3 | Finance manager | Manage finances, place and manage orders. |
4 | Manager | Manage finances, create and approve requests, manage orders and domains, view and edit users. |
5 | Standard user | Place and manage orders. All changes require approval by a manager or administrator. |
API key roles
Role ID | Role name | Description |
---|---|---|
0 | N/A | No restrictions. Permissions are inherited from the access role of the user that is assigned to the key. |
100 | Orders | Limits the key to these actions: Orders, Requests, and Certificates. |
101 | Orders, Domains, Organizations | Limits the key to these actions: Orders, Requests, Organizations, and Domains. |
102 | View Only | Limits the key to GET requests only. |
103 | User Management | Limits key to these actions: Users. |
Certificate formats
Notice
All returned certificates use PEM encoding, which includes header and footer lines.
Format name | Content-Type | Certificate file extension | Description |
---|---|---|---|
default | | | ZIP archive containing individual root, intermediate, and end-entity certificate files. |
apache | | | ZIP archive containing individual intermediate and end-entity certificate files. |
default_cer | | | ZIP archive containing individual root, intermediate, and end-entity certificate files. |
cer | | | Single P7B bundle file containing root, intermediate, and end-entity certificates. |
p7b | | | Single P7B bundle file containing root, intermediate, and end-entity certificates. |
default_pem | | | ZIP archive containing individual root, intermediate, and end-entity certificate files. |
pem_all | | | Single PEM bundle containing root, intermediate, and end-entity certificate entries. |
pem_nointermediate | | | Single PEM file containing only end-entity certificate entry. |
pem_noroot | | | Single PEM bundle containing intermediate and end-entity certificate entries. |
Certificate profile options
Certificate profiles allow you to do more with your certificates. Some options allow you to include an additional field in your certificate, while others allow you to include an additional X.509 extension.
These certificate profiles must be turned on for your account. They are not part of the default CertCentral configuration. To enable a certificate profile for your account, reach out to your account representative or contact our Support team.
Name | Description |
---|---|
data_encipherment | Include Data Encipherment key usage extension in a Private SSL/TLS certificate. |
non_repudiation | Include Non-Repudiation key usage extension in a Private SSL/TLS certificate. |
non_repudiation_and_data_enciph | Include both Non-Repudiation and Data Encipherment key usage extensions in a Private SSL/TLS certificate. |
http_signed_exchange | Include CanSignHTTPExchanges extension in an OV or EV SSL/TLS certificate. |
delegated_credentials | Include DelegationUsage extension in an OV or EV SSL/TLS certificate. |
ocsp_must_staple | Include OCSP Must-Staple extension in an OV or EV SSL/TLS certificate. |
intel_vpro_eku | Include Intel vPro EKU (Extended Key Usage) field in an OV SSL/TLS certificate. |
kdc_smart_card | Include KDC/SmartCardLogon EKU (Extended Key Usage) field in an OV SSL/TLS certificate. |
server_auth_only_eku | Include only the serverAuth EKU (Extended Key Usage) field in an OV or EV SSL/TLS certificate. |
Custom order field input types
Notice
The anything input type is never specified in the metadata response. Instead, the data_type parameter is simply omitted, indicating the custom order field uses the anything input type.
Type | Description |
---|---|
anything | No input validation. Uses the |
text | No input validation. Uses the |
int | Allows only integers as input. Uses the |
email_address | Allows only a single valid email address as input. Uses the |
email_list | Allows multiple valid email addresses as input. Does not allow duplicate email addresses. Uses the |
DigiCert currencies
Code | Currency |
---|---|
AUD | Australian dollar |
CHF | Swiss franc |
GBP | British pound sterling |
EUR | Euro |
HKD | Hong Kong dollar |
JPY | Japanese yen |
SGD | Singapore dollar |
SEK | Swedish krona |
TWD | Taiwan dollar |
USD | US dollar |
Locale codes
Code | Language | language_id |
---|---|---|
en | English | 1 |
de | German | 5 |
es | Spanish | 2 |
fr | French | 3 |
it | Italian | 6 |
ja | Japanese | 13 |
kr | Korean | 14 |
nl | Dutch | 17 |
pt_br | Portuguese | 4 |
ru | Russian | 15 |
zh_cn | Simplified Chinese | 11 |
zh_tw | Traditional Chinese | 12 |
Provisioning methods
Important
If you provision a code signing certificate using email or client_app, you must have a supported hardware token or a FIPS 140-2+ Level 2 or Common Criteria EAL4+ compliant HSM that supports ECC P-256 or RSA 3072-bit key sizes or larger. If you don't have a compatible hardware token or HSM, you will not be able to install the certificate on your device.
Method | Description |
---|---|
| DigiCert emails the certificate to you. Install the certificate on your own supported hardware token or HSM device. |
ship_token | DigiCert ships a certified hardware token to the address you provide on the order. To activate your certificate, see Set Up Your DigiCert Provided eToken. |
client_app | Use the DigiCert Hardware Certificate Installer to install the certificate on an existing DigiCert provided, certified token. Learn more: |
CSR requirements
Certificate type | CSR |
---|---|
ssl_certificate | Required for all orders. |
dv_ssl_certificate | Required for all orders. |
client_certificate | Optional for all orders. |
code_signing_certificate | Required for these uses:
CSRs for code signing certificates must be ECC P-256 or RSA 3072-bit key sizes or larger. |
DCV methods
Method | Description |
---|---|
DigiCert sends domain validation emails to the following email addresses:
Important: End of life for the WHOIS-based email. The industry is moving away from using WHOIS to identify domain contacts. DigiCert recommends that those using the WHOIS-based Email DCV method update their domain validation processes to use one of the other supported DCV methods as soon as possible.
| |
dns-cname-token | Create a DNS CNAME record for the domain that contains a random value. |
http-token | Add a file that contains a random value and make it publicly available on the domain. DigiCert only supports the use of the file-based DCV method to demonstrate control over fully qualified domain names (FQDNs) exactly as named in the certificate request. To learn more, visit File-based domain control validation (http-token and http-token-dynamic). |
http-token-dynamic | Add a file with a random file name that contains a random value and make it publicly available on the domain ( DigiCert only supports the use of the file-based DCV method to demonstrate control over fully qualified domain names (FQDNs) exactly as named in the certificate request. To learn more, visit File-based domain control validation (http-token and http-token-dynamic). Important: DV TLS certificates do not support the http-token-dynamic DCV method. |
dns-txt-token | Create a DNS TXT record for the domain that contains a random value. |
token-based* | To verify control over the domain, DigiCert checks the domain's DNS TXT and DNS CNAME records and the domain's website until we find the DigiCert-generated random value. Supported token-based DCV methods:
*Note: To enable the new token-based DCV method for your CertCentral account, please contact your account manager or DigiCert Support. |
http-token-static (Deprecated) | A legacy value for file-based DCV. The |
Hash types
ID | Name |
---|---|
sha256 | SHA-256 |
sha384 | SHA-384 |
sha512 | SHA-512 |
sha1 | SHA-1 Note: Per industry standards, DigiCert does not support SHA-1 for publicly trusted certificates, including:
|
Headers
Headers are based on the RFC 2616 specification.
Status | Description |
---|---|
200 | General success response |
201 | Created: Useful for creation of requests, orders, etc. |
204 | No Content: For successful requests that don't require a response |
301 | Moved Permanently: Returned in the unlikely event that a URL has changed. Will also return a LOCATION header with new URL. Clients should resubmit this request and submit future requests to this new URL |
302 | Moved Temporarily: Returned in the unlikely event that a URL has changed temporarily. Will also return a LOCATION header with new URL. Clients should resubmit this single request to this new URL |
304 | Content not modified: Useful when accessing a URL while waiting for a response. Only used if an IF-NONE-MATCH header was passed |
400 | General client error |
401 | Unauthorized: Returned if the page is accessed without a valid API Key |
403 | User doesn't have permission to perform the requested action |
404 | Returned if the page doesn't exist or the API doesn't have permission to interact with a particular item |
406 | If the client doesn't specify a valid acceptable content-type |
429 | Too many requests. The client has sent too many requests in a given amount of time. |
500 | Unexpected behavior that the API couldn't recover from |
503 | The system is currently unavailable |
Order status
Status | Description |
---|---|
pending | Initial order status. |
reissue_pending | Reissue was requested and is pending. |
rejected | Order request was rejected. |
processing | Order was approved and is being processed. |
issued | Order was validated and certificate can be downloaded. |
revoked | Order was revoked. |
canceled | Order was canceled. |
needs_approval | A CertCentral admin or manager must approve the order request before DigiCert can process the order. |
expired | Order has expired. |
waiting_pickup | For client certificates, the order is ready and DigiCert has emailed the recipient a link to generate the certificate. |
CAA resource record check status
Status | Description |
---|---|
VALUE_MISMATCH | An error occurred. Make sure you have created a DigiCert CAA for this domain. |
DNS_SEC_DS | CAA check failed because DNSSEC is enabled. Check your DNS settings. If this check fails again, contact DigiCert Support.* |
DNS_SEC_RRSIG | CAA check failed because DNSSEC is enabled. Check your DNS settings. If this check fails again, contact DigiCert Support.* |
DNS_PARSE_ERROR | An error occurred on parsing a DNS response for a CAA record. If this check continues to fail, contact DigiCert Support.* |
RECORD_UNKNOWN_CRITICAL_TAG | A critical error occurred on a CAA check. If this check continues to fail, contact DigiCert Support.* |
RECORD_PARSE_ERROR | An error occurred on parsing the CAA record. If this check fails again, contact DigiCert Support.* |
REQUIRED_PARAMETER_NOT_FOUND | An error occurred on a CAA check. If this check fails again, contact DigiCert Support.* |
NOT_CALLED_YET | We have not yet checked a CAA. |
UNKNOWN | An error occurred on a CAA check. If this check fails again, contact DigiCert Support.* |
Certificate status (Discovery)
Status |
---|
VALID |
REVOKED |
EXPIRED |
UNDETERMINED |
Certificate security rating
Rating |
---|
At risk |
Not secure |
Secure |
Very secure |
Server security vulnerabilities
Vulnerability |
---|
BEAST |
BREACH |
CRIME |
DROWN |
FREEK |
Heartbleed |
LogJam |
POODLE (SSLv3) |
POODLE (TLS) |
RC4 |
SWEET32 |
NO_VULNERABILITY_FOUND |
Payment methods
Allowed payment_method values when using the API to submit a certificate order request.
Name | Description |
---|---|
balance | Pay with account balance. |
card | Pay with a new credit card. |
profile | Pay with default credit card saved to the account. |
Product identifiers
Notice
Actual product list will vary by account. Use the Get product list endpoint to see available products.
Name ID | Group name | Name |
---|---|---|
ssl_dv_geotrust | dv_ssl_certificate | GeoTrust Standard DV SSL Certificate |
ssl_dv_rapidssl | dv_ssl_certificate | RapidSSL Standard DV SSL Certificate |
ssl_dv_thawte | dv_ssl_certificate | Thawte SSL123 DV |
ssl_dv_ee | dv_ssl_certificate | Encryption Everywhere DV |
wildcard_dv_geotrust | dv_ssl_certificate | GeoTrust Wildcard DV SSL Certificate |
wildcard_dv_rapidssl | dv_ssl_certificate | RapidSSL Wildcard DV SSL Certificate |
cloud_dv_geotrust | dv_ssl_certificate | GeoTrust Cloud DV |
ssl_dv_geotrust_flex | dv_ssl_certificate | Geotrust DV SSL |
ssl_plus | ssl_certificate | Standard SSL Certificate |
ssl_multi_domain | ssl_certificate | SSL Multi Domain Certificates |
ssl_wildcard | ssl_certificate | Wildcard Certificate |
ssl_ev_plus | ssl_certificate | EV SSL Certificate |
ssl_ev_multi_domain | ssl_certificate | SSL EV Multi Domain Certificate |
ssl_cloud_wildcard | ssl_certificate | SSL Cloud Certificates |
ssl_basic | ssl-certificate | Basic OV |
ssl_ev_basic | ssl-certificate | Basic EV |
ssl_thawte_webserver | ssl_certificate | Thawte SSL Webserver OV |
ssl_ev_thawte_webserver | ssl_certificate | Thawte SSL Webserver EV |
ssl_geotrust_truebizid | ssl_certificate | GeoTrust TrueBusiness ID OV |
ssl_ev_geotrust_truebizid | ssl_certificate | GeoTrust TrueBusiness ID EV |
ssl_securesite_pro | securesite_ssl_certificate | Secure Site Pro SSL |
ssl_ev_securesite_pro | securesite_ssl_certificate | Secure Site Pro EV SSL |
ssl_securesite | securesite_ssl_certificate | Secure Site SSL |
ssl_securesite_multi_domain | securesite_ssl_certificate | Secure Site Multi-Domain SSL |
ssl_securesite_wildcard | securesite_ssl_certificate | Secure Site Wildcard SSL |
ssl_ev_securesite | securesite_ssl_certificate | Secure Site EV SSL |
ssl_ev_securesite_multi_domain | securesite_ssl_certificate | Secure Site EV Multi-Domain SSL |
ssl_securesite_flex | securesite_ssl_certificate | Secure Site OV |
ssl_ev_securesite_flex | securesite_ssl_certificate | Secure Site EV |
client_premium | client_certificate | Client Premium Certificate |
client_email_security_plus | client_certificate | Client Email Security Plus Certificate |
client_digital_signature_plus | client_certificate | Client Digital Signature Plus Certificate |
client_authentication_plus | client_certificate | Client Authentication Plus Certificate |
class1_smime | client_certificate | Class 1 S/Mime Certificate |
client_grid_premium | grid_certificate | GRID Client Premium Certificate |
grid_host_ssl | grid_certificate | GRID Host SSL Plus Certificate |
grid_host_ssl_multi_domain | grid_certificate | GRID Host SSL Multi Domain Certificates |
client_grid_robot_fqdn | grid_certificate | GRID Robot FQDN Certificate |
client_grid_robot_name | grid_certificate | GRID Robot Name Certificate |
client_grid_robot_email | grid_certificate | GRID Robot Email Certificate |
private_ssl_plus | private_ssl_certificate | Private SSL Plus Certificate |
private_ssl_wildcard | private_ssl_certificate | Private SSL Wildcard Certificate |
private_ssl_multi_domain | private_ssl_certificate | Private SSL Multi Domain Certificate |
private_ssl_flex | private_ssl_certificate | Private SSL OV |
code_signing | code_signing_certificate | Code Signing Certificate |
code_signing_ev | code_signing_certificate | EV Code Signing Certificate |
document_signing_org_1 | document_signing | Document Signing Organization (2000) Certificate |
document_signing_org_2 | document_signing | Document Signing Organization (5000) Certificate |
vmc_basic | verified_mark_certificate | Verified Mark Certificate |
Product types
Type |
---|
client_certificate |
code_signing_certificate |
dv_ssl_certificate |
ssl_certificate |
verified_mark_certificate |
Server platforms
When downloading a certificate, the server platform determines in which format the certificate should be sent.
TLS/SSL certificates
Platform | Certificate format | ID |
---|---|---|
Apache | | 2 |
Barracuda | | 41 |
Bea Weblogic 7 and older | | 29 |
BEA Weblogic 8 & 9 | | 42 |
Cisco | | 30 |
Citrix (Other) | | 39 |
Citrix Access Essentials | | 46 |
Citrix Access Gateway 4.x | | 50 |
Citrix Access Gateway 5.x and higher | | 58 |
cPanel | | 43 |
F5 Big-IP | | 31 |
F5 FirePass | | 32 |
IBM HTTP Server | | 7 |
Java Web Server (Javasoft / Sun) | | 10 |
Juniper | | 33 |
Lighttpd | | 44 |
Lotus Domino | | 11 |
Mac OS X Server | | 49 |
Microsoft Exchange Server 2003 | | 47 |
Microsoft Exchange Server 2007 | | 36 |
Microsoft Exchange Server 2010 | | 48 |
Microsoft Exchange Server 2013 | | 68 |
Microsoft Exchange Server 2016 | | 71 |
Microsoft Forefront Unified Access Gateway | | 66 |
Microsoft IIS 1.x to 4.x | | 13 |
Microsoft IIS 10 | | 70 |
Microsoft IIS 5 or 6 | | 14 |
Microsoft IIS 7 | | 40 |
Microsoft IIS 8 | | 67 |
Microsoft Live Communications Server 2005 | | 37 |
Microsoft Lync Server 2010 | | 59 |
Microsoft Lync Server 2013 | | 69 |
Microsoft OCS R2 | | 60 |
Microsoft Office Communications Server 2007 | | 38 |
Microsoft Small Business Server 2008 & 2011 | | 62 |
Netscape Enterprise Server | | 15 |
Netscape iPlanet | | 9 |
nginx | | 45 |
Novell iChain | | 65 |
Novell NetWare | | 17 |
Oracle | | 18 |
Qmail | | 34 |
SunOne | | 35 |
Tomcat | | 24 |
WebStar | | 26 |
Zeus Web Server | | 28 |
Other | | -1 |
Code Signing server platforms
Use these values for Code Signing certificate orders when your request includes a CSR and the private key and certificate will be stored and installed on a laptop or server instead of a certified hardware token or HSM.
Warning
Important! Starting May 16, 2023, DigiCert will stop accepting Code Signing (code_signing) certificate requests using browser-based key generation and certificate installation or any other process that includes creating a CSR and installing your certificate on a laptop or server. This change affects new, renewal, and reissue code signing certificate requests submitted using the CertCentral UI and the Services API.
Learn more:
Platform | ID |
---|---|
Adobe AIR | 52 |
Apple OS X | 53 |
Microsoft Authenticode | 51 |
Microsoft Office VBA | 54 |
Mozilla | 56 |
Sun Java | 55 |
Other | 57 |
Code Signing and EV Code Signing hardware platforms
Use these values for Code Signing and EV Code Signing certificates when the private key and certificate will be stored and installed on a certified hardware token or HSM.
Platform | Device type | Supported key sizes | ID |
---|---|---|---|
SafeNet eToken 5110 FIPS | Token | | 20 |
SafeNet eToken 5110 CC | Token | | 23 |
SafeNet eToken 5110+ FIPS | Token | | 24 |
Other: Must be a FIPS 140-2 Level 2 or Common Criteria EAL4+ compliant device. | HSM | | -1 |
Permissions
Permission action |
---|
add_domains |
create_child_enterprise |
create_child_reseller |
create_child_retail |
create_containers |
create_discovery_report |
create_discovery_scan |
create_discovery_sensor |
create_domains |
create_guest_keys |
create_organizations |
create_users |
delete_account_scans |
delete_scan |
edit_container |
edit_domains |
edit_guest_keys |
edit_organizations |
edit_users |
manage_account_metadata |
manage_api_access |
manage_discovery_report |
manage_discovery_scan |
manage_discovery_sensor |
manage_finances |
manage_guest_keys |
manage_ip_access |
manage_order_user_access |
manage_orders |
manage_org_container_assignments |
manage_requests |
manage_settings |
manage_tfa |
manage_user_container_assignments |
place_orders |
review_requests |
saml_attribute_mapping |
saml_manage_idp |
saml_map_idp |
saml_organization_mapping |
saml_sso |
tools_links |
update_scan |
view_api_access |
view_child_account |
view_container |
view_discovery_report |
view_discovery_scan |
view_discovery_sensor |
view_domains |
view_finances |
view_guest_keys |
view_orders |
view_organizations |
view_reports |
view_scan |
view_users |
Subaccount display currencies
Notice
When you set up a bill-to-parent subaccount, you can choose to display prices in the subaccount's preferred currency. This is for display only. Parent accounts and subaccounts that DigiCert bills directly always receive invoices in the DigiCert-supported currency associated with the account. For officially supported currencies, see DigiCert currencies.
Code | Currency |
---|---|
ARS | Argentine peso |
AUD | Australian dollar |
BRL | Brazilian real |
GBP | British pound sterling |
BND | Brunei dollar |
KHR | Cambodia riel |
CAD | Canadian dollar |
CNY | Chinese yuan renminbi |
COP | Colombian peso |
EUR | Euro |
HKD | Hong Kong dollar |
INR | Indian rupee |
IDR | Indonesia rupiah |
JPY | Japanese yen |
LAK | Lao kip |
MYR | Malaysian ringgit |
MXN | Mexican peso |
MMK | Myanmar kyat |
NZD | New Zealand dollar |
NOK | Norwegian krone |
PHP | Philippine peso |
RUB | Russian ruble |
SGD | Singapore dollar |
ZAR | South African rand |
KRW | South Korean won |
SEK | Swedish krona |
CHF | Swiss franc |
TWD | Taiwan dollar |
THB | Thailand baht |
TRY | Turkish lira |
USD | US dollar |
VND | Vietnam dong |
Subaccount types
Type | Description |
---|---|
retail | CertCentral Basic account |
enterprise | CertCentral Enterprise account |
reseller | CertCentral Reseller account |
managed | API only account (no CertCentral UI access) |
User status
Status | Description |
---|---|
active | Normal user status. |
incomplete | User has not completed the sign up process. |
inactive | User profile and settings exist, but user cannot sign in. |
Validation types
Type |
---|
cs |
ds |
ev |
ev_cs |
grid |
ov |
private_grid |
private_ssl |
vmc Note: The API returns a validation type of |
smime |
Organization status
The status property for an organization describes whether the organization is active or inactive in your CertCentral account.
To activate an organization, use the Activate organization endpoint.
To deactivate an organization, use the Deactivate organization endpoint.
Notice
The status property for an organization is not related to the validation status for the organization. To get the validation status for an organization, use the Validation details endpoint.
Status | Description |
---|---|
active | Organization is active. This means:
|
inactive | Organization is inactive. This means:
|
Organization validation statuses
Status | Description |
---|---|
pending | The validation is pending. |
active | The validation is active. |
rejected | DigiCert's validation agents have removed or rejected the validation. To re-submit an organization for validation, use the Submit for validation endpoint. |
expired | The validation has expired. |
Domain is_active property
The is_active property for a domain describes whether the domain is active or inactive in your CertCentral account.
To activate a domain, use the Activate domain endpoint.
To deactivate a domain, use the Deactivate domain endpoint.
Notice
The is_active property for a domain is not related to the validation status for the domain. To get the validation status for a domain, use the Domain info endpoint.
Description | |
---|---|
| Domain is active. This means:
|
| Domain is inactive. This means:
|
Domain validation statuses
Status | Description |
---|---|
pending | The domain validation is pending. |
approved | The domain validation is approved and on file. |
rejected | DigiCert's validation agents have removed or rejected the validation. To re-submit a domain for validation, use the Submit for validation endpoint. |
expired | The validation has expired. |
Trademark offices and country codes for VMC logos
Registered trademarks
Country | Country code | Trademark office name (source) |
---|---|---|
Australia | | IP Australia |
Brazil | | National Institute of Industrial Property |
Netherlands | | Benelux Organization for Intellectual Property |
Canada | | Canadian Intellectual Property Office |
Switzerland | | Swiss Federal Institute of Intellectual Property |
Germany | | German Patent and Trade Mark Office |
Denmark | | Danish Patent and Trademark Office |
European Union | | European Union Intellectual Property Office |
Spain | | Spanish Patent and Trademark Office |
France | | French Patent and Trademark Office |
United Kingdom | | Intellectual Property Office |
India | | Office of the Controller General of Patents, Designs and Trade Marks |
Japan | | Japan Patent Office |
Republic of Korea (South Korea) | | Korean Intellectual Property Office |
New Zealand | | Intellectual Property Office of New Zealand |
Sweden | | Swedish Intellectual Property Office |
United States | | United States Patent and Trademark Office |
Government marks
Country | Country code |
---|---|
Austria | |
Australia | |
Belgium | |
Bulgaria | |
Brazil | |
Canada | |
Switzerland | |
Cyprus | |
Czech Republic | |
Germany | |
Denmark | |
Estonia | |
Spain | |
European Union | |
Finland | |
France | |
United Kingdom | |
Greece | |
Croatia | |
Hungary | |
Ireland | |
India | |
Italy | |
Japan | |
Republic of Korea (South Korea) | |
Lithuania | |
Malta | |
Netherlands | |
New Zealand | |
Poland | |
Portugal | |
Romania | |
Sweden | |
Slovenia | |
Slovakia | |
United States | |