Glossary

Access roles

| ID | Role | Description |
| --- | --- | --- |
| 1 | Administrator | Full administrative access, including creating divisions and users and managing user access. |
| 2 | Limited user | Place and manage only their own orders. |
| 3 | Finance manager | Manage finances, place and manage orders. |
| 4 | Manager | Manage finances, create and approve requests, manage orders and domains, view and edit users. |
| 5 | Standard user | Place and manage orders. All changes require approval by a manager or administrator. |

API key roles

| Role ID | Role name | Description |
| --- | --- | --- |
| 0 | N/A | No restrictions. Permissions are inherited from access role of the user that is assigned to the key. |
| 100 | Orders | Limits the key to these actions: Orders, Requests, and Certificates. |
| 101 | Orders, Domains, Organizations | Limits the key to these actions: Orders, Requests, Organizations, and Domains. |
| 102 | View Only | Limits key to GET requests only. |

Certificate formats

Notice

All returned certificates use PEM encoding, which includes header and footer lines.

| Format name | Content-Type | Certificate file extension | Description |
| --- | --- | --- | --- |
| default | application/zip | .crt | ZIP archive containing individual root, intermediate, and end-entity certificate files. |
| apache | application/zip | .crt | ZIP archive containing individual intermediate and end-entity certificate files. |
| default_cer | application/zip | .cer | ZIP archive containing individual root, intermediate, and end-entity certificate files. |
| cer | application/x-pkcs7-certificates | .cer | Single P7B bundle file containing root, intermediate, and end-entity certificates. |
| p7b | application/x-pkcs7-certificates | .p7b | Single P7B bundle file containing root, intermediate, and end-entity certificates. |
| default_pem | application/zip | .crt | ZIP archive containing individual root, intermediate, and end-entity certificate files. |
| pem_all | application/x-pem-file | .pem | Single PEM bundle containing root, intermediate, and end-entity certificate entries. |
| pem_nointermediate | application/x-pem-file | .pem | Single PEM file containing only end-entity certificate entry. |
| pem_noroot | application/x-pem-file | .pem | Single PEM bundle containing intermediate and end-entity certificate entries. |

Certificate profile options

Certificate profiles allow you to do more with your certificates. Some options allow you to include an additional field in your certificate, while others allow you to include an additional x.509 extension.

These certificate profiles must be turned on for your account. They are not part of the default CertCentral configuration. To enable a certificate profile for your account, reach out to your account representative or contact our Support team.

| Name | Description |
| --- | --- |
| data_encipherment | Include Data Encipherment key usage extension in an OV, EV, or Private SSL/TLS certificate. |
| non_repudiation | Include Non-Repudiation key usage extension in an OV, EV, or Private SSL/TLS certificate. |
| non_repudiation_and_data_enciph | Include both Non-Repudiation and Data Encipherment key usage extensions in an OV, EV, or Private SSL/TLS certificate. |
| http_signed_exchange | Include CanSignHTTPExchanges extension in an OV or EV SSL/TLS certificate. |
| delegated_credentials | Include DelegationUsage extension in an OV or EV SSL/TLS certificate. |
| ocsp_must_staple | Include OCSP Must-Staple extension in an OV or EV SSL/TLS certificate. |
| intel_vpro_eku | Include Intel vPro EKU (Extended Key Usage) field in an OV SSL/TLS certificate. |
| kdc_smart_card | Include KDC/SmartCardLogon EKU (Extended Key Usage) field in an OV SSL/TLS certificate. |
| basic_constraints_critical_true | Marks the Basic Constraints extension as critical in an OV or EV SSL/TLS certificate. |

Custom order field input types

Notice

The anything input type is never specified in the metadata response. Instead, the data_type parameter is simply omitted, indicating the custom order field uses the anything input type.

| Type | Description |
| --- | --- |
| anything | No input validation. Uses the input html tag for the form field. |
| text | No input validation. Uses the textarea html tag for the form field. |
| int | Allows only integers as input. Uses the input html tag for the form field. |
| email_address | Allows only a single valid email address as input. Uses the input html tag for the form field. |
| email_list | Allows multiple valid email addresses as input. Does not allow duplicate email addresses. Uses the input html tag for each email address. |

DigiCert currencies

| Code | Currency |
| --- | --- |
| AUD | Australian dollar |
| CHF | Swiss franc |
| GBP | British pound sterling |
| EUR | Euro |
| HKD | Hong Kong dollar |
| JPY | Japanese yen |
| SGD | Singapore dollar |
| SEK | Swedish krona |
| TWD | Taiwan dollar |
| USD | US dollar |

Locale codes

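| Code | Language | language_id |
| --- | --- | --- |
| en | English | 1 |
| de | German | 5 |
| es | Spanish | 2 |
| fr | French | 3 |
| it | Italian | 6 |
| ja | Japanese | 13 |
| kr | Korean | 14 |
| nl | Dutch | 17 |
| pt_br | Portuguese | 4 |
| ru | Russian | 15 |
| zh_cn | Simplified Chinese | 11 |
| zh_tw | Traditional Chinese | 12 |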

Provisioning methods

Important

If you provision a code signing certificate using email or client_app, you must have a supported hardware token or a FIPS 140-2+ Level 2 or Common Criteria EAL4+ compliant HSM that supports ECC P-256 or RSA 3072-bit key sizes or larger. If you don't have a compatible hardware token or HSM, you will not be able to install the certificate on your device.

| Method | Description |
| --- | --- |
| email | DigiCert emails the certificate to you. Install the certificate on your own supported hardware token or HSM device. |
| ship_token | DigiCert installs the certificate on a certified hardware token and ships the token to the address provided. |
| client_app | Use the DigiCert Hardware Certificate Installer to install the certificate on an existing DigiCert provided, certified token. See also: Qualified Tokens for EV Code Signing Certificates |

CSR requirements

| Certificate type | CSR |
| --- | --- |
| ssl_certificate | Required for all orders. |
| dv_ssl_certificate | Required for all orders. |
| client_certificate | Optional for all orders. |
| code_signing_certificate | Required for these uses: |

CSRs for code signing certificates must be ECC P-256 or RSA 3072-bit key sizes or larger.

DCV methods

| Method | Description |
| --- | --- |
| email | DigiCert sends domain validation emails to the following email addresses: contacts listed in the WHOIS for the domain; default domain contacts; validation contacts found in the DNS TXT record for the domain. |
| dns-cname-token | Create a DNS CNAME record for the domain that contains a random value. |
| http-token | Add a file that contains a random value and make it publicly available on the domain. DigiCert only supports the use of the file-based DCV method to demonstrate control over fully qualified domain names (FQDNs) exactly as named in the certificate request. To learn more, visit File-based domain control validation (http-token). |
| dns-txt-token | Create a DNS TXT record for the domain that contains a random value. |
| http-token-static (Deprecated) | A legacy value for file-based DCV. The http-token-static label has the same meaning as http-token. |

Hash types

| ID | Name |
| --- | --- |
| sha256 | SHA-256 |
| sha384 | SHA-384 |
| sha512 | SHA-512 |
| sha1 | SHA-1 |

Note: Per industry standards, DigiCert does not support SHA-1 for publicly trusted certificates, including:

  • Public DV and OV/EV TLS/SSL certificates

  • Code signing and EV code signing certificates

  • Document signing certificates

  • Client certificates

  • S/MIME certificates

Headers

Headers are based on the RFC 2616 specification.

| Status | Description |
| --- | --- |
| 200 | General success response |
| 201 | Created: Useful for creation of requests, orders, etc |
| 204 | No Content: For successful requests that don't require a response |
| 301 | Moved Permanently: Returned in the unlikely event that a URL has changed. Will also return a LOCATION header with new URL. Clients should resubmit this request and submit future requests to this new URL |
| 302 | Moved Temporarily: Returned in the unlikely event that a URL has changed temporarily. Will also return a LOCATION header with new URL. Clients should resubmit this single request to this new URL |
| 304 | Content not modified: Useful when accessing a URL while waiting for a response. Only used if an IF-NONE-MATCH header was passed |
| 400 | General client error |
| 401 | Unauthorized: Returned if the page is accessed without a valid API Key |
| 403 | User doesn't have permission to perform the requested action |
| 404 | Returned if the page doesn't exist or the API doesn't have permission to interact with a particular item |
| 406 | If the client doesn't specify a valid acceptable content-type |
| 429 | Too many requests. The client has sent too many requests in a given amount of time. |
| 500 | Unexpected behavior that the API couldn't recover from |
| 503 | The system is currently unavailable |

Order status

| Status | Description |
| --- | --- |
| pending | Initial order status. |
| reissue_pending | Reissue was requested and is pending. |
| rejected | Order request was rejected. |
| processing | Order was approved and is being processed. |
| issued | Order was validated and certificate can be downloaded. |
| revoked | Order was revoked. |
| canceled | Order was canceled. |
| needs_approval | A CertCentral admin or manager must approve the order request before DigiCert can process the order. |
| expired | Order has expired. |
| waiting_pickup | For client certificates, the order is ready and DigiCert has emailed the recipient a link to generate the certificate. |

Certificate status (Discovery)

Status

VALID

REVOKED

EXPIRED

UNDETERMINED

Certificate security rating

Rating

At risk

Not secure

Secure

Very secure

Server security vulnerabilities

Vulnerability

BEAST

BREACH

CRIME

DROWN

FREEK

Heartbleed

LogJam

POODLE (SSLv3)

POODLE (TLS)

RC4

SWEET32

NO_VULNERABILITY_FOUND

Payment methods

Allowed payment_method values when using the API to submit a certificate order request.

| Name | Description |
| --- | --- |
| balance | Pay with account balance. |
| card | Pay with a new credit card. |
| profile | Pay with default credit card saved to the account. |

Product identifiers

Notice

Actual product list will vary by account. Use the Get product list endpoint to see available products.

| Name ID | Group name | Name |
| --- | --- | --- |
| ssl_dv_geotrust | dv_ssl_certificate | GeoTrust Standard DV SSL Certificate |
| ssl_dv_rapidssl | dv_ssl_certificate | RapidSSL Standard DV SSL Certificate |
| ssl_dv_thawte | dv_ssl_certificate | Thawte SSL123 DV |
| ssl_dv_ee | dv_ssl_certificate | Encryption Everywhere DV |
| wildcard_dv_geotrust | dv_ssl_certificate | GeoTrust Wildcard DV SSL Certificate |
| wildcard_dv_rapidssl | dv_ssl_certificate | RapidSSL Wildcard DV SSL Certificate |
| cloud_dv_geotrust | dv_ssl_certificate | GeoTrust Cloud DV |
| ssl_dv_geotrust_flex | dv_ssl_certificate | Geotrust DV SSL |
| ssl_plus | ssl_certificate | Standard SSL Certificate |
| ssl_multi_domain | ssl_certificate | SSL Multi Domain Certificates |
| ssl_wildcard | ssl_certificate | Wildcard Certificate |
| ssl_ev_plus | ssl_certificate | EV SSL Certificate |
| ssl_ev_multi_domain | ssl_certificate | SSL EV Multi Domain Certificate |
| ssl_cloud_wildcard | ssl_certificate | SSL Cloud Certificates |
| ssl_basic | ssl-certificate | Basic OV |
| ssl_ev_basic | ssl-certificate | Basic EV |
| ssl_thawte_webserver | ssl_certificate | Thawte SSL Webserver OV |
| ssl_ev_thawte_webserver | ssl_certificate | Thawte SSL Webserver EV |
| ssl_geotrust_truebizid | ssl_certificate | GeoTrust TrueBusiness ID OV |
| ssl_ev_geotrust_truebizid | ssl_certificate | GeoTrust TrueBusiness ID EV |
| ssl_securesite_pro | securesite_ssl_certificate | Secure Site Pro SSL |
| ssl_ev_securesite_pro | securesite_ssl_certificate | Secure Site Pro EV SSL |
| ssl_securesite | securesite_ssl_certificate | Secure Site SSL |
| ssl_securesite_multi_domain | securesite_ssl_certificate | Secure Site Multi-Domain SSL |
| ssl_securesite_wildcard | securesite_ssl_certificate | Secure Site Wildcard SSL |
| ssl_ev_securesite | securesite_ssl_certificate | Secure Site EV SSL |
| ssl_ev_securesite_multi_domain | securesite_ssl_certificate | Secure Site EV Multi-Domain SSL |
| ssl_securesite_flex | securesite_ssl_certificate | Secure Site OV |
| ssl_ev_securesite_flex | securesite_ssl_certificate | Secure Site EV |
| client_premium | client_certificate | Client Premium Certificate |
| client_email_security_plus | client_certificate | Client Email Security Plus Certificate |
| client_digital_signature_plus | client_certificate | Client Digital Signature Plus Certificate |
| client_authentication_plus | client_certificate | Client Authentication Plus Certificate |
| class1_smime | client_certificate | Class 1 S/Mime Certificate |
| client_grid_premium | grid_certificate | GRID Client Premium Certificate |
| grid_host_ssl | grid_certificate | GRID Host SSL Plus Certificate |
| grid_host_ssl_multi_domain | grid_certificate | GRID Host SSL Multi Domain Certificates |
| client_grid_robot_fqdn | grid_certificate | GRID Robot FQDN Certificate |
| client_grid_robot_name | grid_certificate | GRID Robot Name Certificate |
| client_grid_robot_email | grid_certificate | GRID Robot Email Certificate |
| private_ssl_plus | private_ssl_certificate | Private SSL Plus Certificate |
| private_ssl_wildcard | private_ssl_certificate | Private SSL Wildcard Certificate |
| private_ssl_multi_domain | private_ssl_certificate | Private SSL Multi Domain Certificate |
| private_ssl_flex | private_ssl_certificate | Private SSL OV |
| code_signing | code_signing_certificate | Code Signing Certificate |
| code_signing_ev | code_signing_certificate | EV Code Signing Certificate |
| document_signing_org_1 | document_signing | Document Signing Organization (2000) Certificate |
| document_signing_org_2 | document_signing | Document Signing Organization (5000) Certificate |
| vmc_basic | verified_mark_certificate | Verified Mark Certificate |

Product types

Type

client_certificate

code_signing_certificate

dv_ssl_certificate

ssl_certificate

verified_mark_certificate

Server platforms

When downloading a certificate, the server platform determines in which format the certificate should be sent.

TLS/SSL certificates

| Platform | Certificate format | ID |
| --- | --- | --- |
| Apache | apache | 2 |
| Barracuda | default | 41 |
| Bea Weblogic 7 and older | pem_all | 29 |
| BEA Weblogic 8 & 9 | p7b | 42 |
| Cisco | default | 30 |
| Citrix (Other) | pem_noroot | 39 |
| Citrix Access Essentials | default | 46 |
| Citrix Access Gateway 4.x | pem_noroot | 50 |
| Citrix Access Gateway 5.x and higher | apache | 58 |
| cPanel | apache | 43 |
| F5 Big-IP | apache | 31 |
| F5 FirePass | apache | 32 |
| IBM HTTP Server | default_cer | 7 |
| Java Web Server (Javasoft / Sun) | p7b | 10 |
| Juniper | default | 33 |
| Lighttpd | apache | 44 |
| Lotus Domino | default | 11 |
| Mac OS X Server | apache | 49 |
| Microsoft Exchange Server 2003 | cer | 47 |
| Microsoft Exchange Server 2007 | cer | 36 |
| Microsoft Exchange Server 2010 | cer | 48 |
| Microsoft Exchange Server 2013 | cer | 68 |
| Microsoft Exchange Server 2016 | cer | 71 |
| Microsoft Forefront Unified Access Gateway | cer | 66 |
| Microsoft IIS 1.x to 4.x | default | 13 |
| Microsoft IIS 10 | cer | 70 |
| Microsoft IIS 5 or 6 | cer | 14 |
| Microsoft IIS 7 | cer | 40 |
| Microsoft IIS 8 | cer | 67 |
| Microsoft Live Communications Server 2005 | cer | 37 |
| Microsoft Lync Server 2010 | cer | 59 |
| Microsoft Lync Server 2013 | cer | 69 |
| Microsoft OCS R2 | p7b | 60 |
| Microsoft Office Communications Server 2007 | cer | 38 |
| Microsoft Small Business Server 2008 & 2011 | default | 62 |
| Netscape Enterprise Server | default | 15 |
| Netscape iPlanet | default | 9 |
| nginx | pem_noroot | 45 |
| Novell iChain | default | 65 |
| Novell NetWare | cer | 17 |
| Oracle | default | 18 |
| Qmail | pem_all | 34 |
| SunOne | default | 35 |
| Tomcat | p7b | 24 |
| WebStar | default | 26 |
| Zeus Web Server | default | 28 |
| Other | default | -1 |

Code signing certificates

| Platform | ID |
| --- | --- |
| Adobe AIR | 52 |
| Apple OS X | 53 |
| Microsoft Authenticode | 51 |
| Microsoft Office VBA | 54 |
| Mozilla | 56 |
| Sun Java | 55 |
| Other | 57 |

EV code signing certificates

| Platform | Device type | Supported key sizes | ID |
| --- | --- | --- | --- |
| SafeNet eToken 5110 CC | Token | RSA 4096; ECC P-256 | 23 |
| SafeNet eToken 5110 FIPS | Token | ECC P-256 or P-384 | 20 |
| Other. Must be a FIPS 140-2 Level 2 or Common Criteria EAL4+ compliant device. | HSM | RSA 3072 or 4096; ECC P-256 or P-384 | -1 |

Permissions

Permission action

add_domains

create_child_enterprise

create_child_reseller

create_child_retail

create_containers

create_discovery_report

create_discovery_scan

create_discovery_sensor

create_domains

create_guest_keys

create_organizations

create_users

delete_account_scans

delete_scan

edit_container

edit_domains

edit_guest_keys

edit_organizations

edit_users

manage_account_metadata

manage_api_access

manage_discovery_report

manage_discovery_scan

manage_discovery_sensor

manage_finances

manage_guest_keys

manage_ip_access

manage_order_user_access

manage_orders

manage_org_container_assignments

manage_requests

manage_settings

manage_tfa

manage_user_container_assignments

place_orders

review_requests

saml_attribute_mapping

saml_manage_idp

saml_map_idp

saml_organization_mapping

saml_sso

tools_links

update_scan

view_api_access

view_child_account

view_container

view_discovery_report

view_discovery_scan

view_discovery_sensor

view_domains

view_finances

view_guest_keys

view_orders

view_organizations

view_reports

view_scan

view_users

Subaccount display currencies

Notice

When you set up a bill-to-parent subaccount, you can choose to display prices in the subaccount's preferred currency. This is for display only. Parent accounts and subaccounts that DigiCert bills directly always receive invoices in the DigiCert-supported currency associated with the account. For officially supported currencies, see DigiCert currencies.

| Code | Currency |
| --- | --- |
| ARS | Argentine peso |
| AUD | Australian dollar |
| BRL | Brazilian real |
| GBP | British pound sterling |
| BND | Brunei dollar |
| KHR | Cambodia riel |
| CAD | Canadian dollar |
| CNY | Chinese yuan renminbi |
| COP | Colombian peso |
| EUR | Euro |
| HKD | Hong Kong dollar |
| INR | Indian rupee |
| IDR | Indonesia rupiah |
| JPY | Japanese yen |
| LAK | Lao kip |
| MYR | Malaysian ringgit |
| MXN | Mexican peso |
| MMK | Myanmar kyat |
| NZD | New Zealand dollar |
| NOK | Norwegian krone |
| PHP | Philippine peso |
| RUB | Russian ruble |
| SGD | Singapore dollar |
| ZAR | South African rand |
| KRW | South Korean won |
| SEK | Swedish krona |
| CHF | Swiss franc |
| TWD | Taiwan dollar |
| THB | Thailand baht |
| TRY | Turkish lira |
| USD | US dollar |
| VND | Vietnam dong |

Subaccount types

| Type | Description |
| --- | --- |
| retail | CertCentral Basic account |
| enterprise | CertCentral Enterprise account |
| reseller | CertCentral Reseller account |
| managed | API only account (no CertCentral UI access) |

User status

| Status | Description |
| --- | --- |
| active | Normal user status. |
| incomplete | User has not completed the sign up process. |
| inactive | User profile and settings exist, but user cannot sign in. |

Validation types

Type

cs

ds

ev

ev_cs

grid

ov

private_grid

private_ssl

ra_ev

ra_ov

wfa

Organization status

The status property for an organization describes whether the organization is active or inactive in your CertCentral account.

Notice

The status property for an organization is not related to the validation status for the organization. To get the validation status for an organization, use the Validation details endpoint.

| Status | Description |
| --- | --- |
| active | Organization is active. This means: you can submit certificate order requests for the organization; the organization appears in the organization selection menu when placing an order from the CertCentral console. |
| inactive | Organization is inactive. This means: you cannot submit new certificate order requests for the organization; the organization does not appear in the organization selection menu when placing an order from the CertCentral console. |

Organization validation statuses

| Status | Description |
| --- | --- |
| pending | The validation is pending. |
| active | The validation is active. |
| rejected | DigiCert's validation agents have removed or rejected the validation. To re-submit an organization for validation, use the Submit for validation endpoint. |
| expired | The validation has expired. |

Domain is_active property

The is_active property for a domain describes whether the domain is active or inactive in your CertCentral account.

Notice

The is_active property for a domain is not related to the validation status for the domain. To get the validation status for a domain, use the Domain info endpoint.

|  | Description |
| --- | --- |
| "is_active": true (active) | Domain is active. This means: you can submit certificate order requests for the domain; the domain appears in the list of active certificates on the Certificates > Domains page in the CertCentral console. |
| "is_active": false (inactive) | Domain is inactive. This means: you cannot submit new certificate order requests for the domain; the domain appears in the list of active certificates on the Certificates > Domains page in the CertCentral console. |

Domain validation statuses

| Status | Description |
| --- | --- |
| pending | The domain validation is pending. |
| approved | The domain validation is approved and on file. |
| rejected | DigiCert's validation agents have removed or rejected the validation. To re-submit a domain for validation, use the Submit for validation endpoint. |
| expired | The validation has expired. |