Order DV SSL
19 minute read
POST
https://www.digicert.com/services/v2/order/certificate/{{dv_ssl_certificate_id}}
Use this endpoint to request or renew a DV SSL certificate. To renew a certificate, you must place the request from the same account used to order the original certificate.
Replace {{dv_ssl_certificate_id}} in the URL with the product identifier for the type of certificate to order:
ssl_dv_geotrust: GeoTrust Standard DV SSL Certificatessl_dv_rapidssl: RapidSSL Standard DV SSL Certificatewildcard_dv_geotrust: GeoTrust Wildcard DV SSL Certificatewildcard_dv_rapidssl: RapidSSL Wildcard DV SSL Certificatecloud_dv_geotrust: GeoTrust Cloud DV
If you have multiple AuthKeys associated with your account, it is recommended to specify an AuthKey ID in your API request for ordering. If an AuthKey ID is not included in the request, the AuthKey without validity is used for ordering the certificate. An error is returned If the specified AuthKey is not active, has expired, or does not exist.
Note
Public TLS/SSL certificate validity periods will continue to decrease
Due to industry-wide changes, the validity of Public TLS/SSL certificates will continue to shorten over time. Starting February 24, 2026, the maximum validity period for a Public TLS/SSL certificate will be 199 days. By 2029, the maximum validity period will be reduced to 46 days.
Accounts that have Multi-year Plans (MYP) enabled can purchase 1-, 2-, or 3-year coverage for a limited period. For accounts that do not have MYP enabled can purchase 1-year coverage; although a 1-year duration can be specified, the effective validity is limited to a maximum of 199 days.
For more information, see Moving to 199-day validity for public TLS/SSL certificates.
Note
Enterprise License Agreement (ELA) and Flat Fee contracts only support 1- and 2-year Multi-year Plans.Note
In addition to these products, DigiCert offers flexible certificates that support any type of domain configuration. You can order a flexible DV certificate with the Order GeoTrust DV SSL endpoint. To activate this certificate type for your CertCentral account, contact your account manager or our Support team. For more information, see Flex certificates.
You can only order certificates that are enabled for your account. Use the Product list endpoint to get the list of products available for your account.
Example requests and responses
curl -X POST \
'https://www.digicert.com/services/v2/order/certificate/{{dv_ssl_certificate_id}}' \
-H 'Content-Type: application/json' \
-H 'X-DC-DEVKEY: {{api_key}}' \
-d '{
"certificate": {
"common_name": "example.com",
"dns_names": [
"sub.example.com",
"log.example.com"
],
"csr": "<csr>",
"server_platform": {
"id": 2
},
"cert_validity": {
"days": 199
}
},
"container": {
"id": 69748
},
"custom_renewal_message": "Renew me.",
"skip_approval": true,
"disable_ct": 0,
"order_validity": {
"years": 1
},
"custom_fields": [
{
"metadata_id": 12,
"value": "Invoice #12345"
}
],
"payment_method": "balance",
"dcv_method": "email",
"dcv_emails": [
{
"dns_name": "example.com",
"email_domain": "example.com",
"email": "admin@example.com"
},
{
"dns_name": "sub.example.com",
"email_domain": "example.com",
"email": "jim.smith@example.com"
},
{
"dns_name": "log.example.com",
"email_domain": "example.com",
"email": "it@example.com"
}
],
"locale": "en",
"technical_contact": {
"first_name": "Jim",
"last_name": "Smith",
"telephone": "555-555-5555",
"job_title": "IT Admin",
"email": "jim.smith@example.com"
}
}'curl -X POST \
'https://www.digicert.com/services/v2/order/certificate/{{dv_ssl_certificate_id}}' \
-H 'Content-Type: application/json' \
-H 'X-DC-DEVKEY: {{api_key}}' \
-d '{
"certificate": {
"common_name": "example.com",
"dns_names": [
"sub.example.com",
"log.example.com"
],
"csr": "<csr>",
"server_platform": {
"id": 2
},
"cert_validity": {
"days": 199
}
},
"container": {
"id": 69748
},
"custom_renewal_message": "Renew me.",
"skip_approval": true,
"disable_ct": 0,
"order_validity": {
"years": 1
},
"custom_fields": [
{
"metadata_id": 12,
"value": "Invoice #12345"
}
],
"payment_method": "balance",
"dcv_method": "token-based",
"use_auth_key": true,
"auth_key_id": "{auth_key_id}",
"locale": "en",
"technical_contact": {
"first_name": "Jim",
"last_name": "Smith",
"telephone": "555-555-5555",
"job_title": "IT Admin",
"email": "jim.smith@example.com"
}
}'import requests
url = "https://www.digicert.com/services/v2/order/certificate/{{dv_ssl_certificate_id}}"
payload = "{\n \"certificate\": {\n \"common_name\": \"example.com\",\n \"dns_names\": [\n \t\"sub.example.com\",\n \t\"log.example.com\"\n ],\n \"csr\": \"<csr>\",\n \"cert_validity\": {\n \"days\": 199\n },\n \"server_platform\": {\n \"id\": 2\n }\n },\n \"container\": {\n \"id\": 69748\n },\n \"custom_renewal_message\": \"Renew me.\",\n \"skip_approval\": true,\n \"disable_ct\": 0,\n \"order_validity\": {\n \"years\": 1\n },\n \"custom_fields\": [\n {\n \"metadata_id\": 12,\n \"value\": \"Invoice #12345\"\n }\n ],\n \"payment_method\": \"balance\",\n \"dcv_method\": \"email\",\n \"dcv_emails\": [\n \t{\n \t\t\"dns_name\": \"example.com\",\n \t\t\"email_domain\": \"example.com\",\n \t\t\"email\": \"admin@example.com\"\n \t},\n \t{\n \t\t\"dns_name\": \"sub.example.com\",\n \t\t\"email_domain\": \"example.com\",\n \t\t\"email\": \"jim.smith@example.com\"\n \t},\n \t{\n \t\t\"dns_name\": \"log.example.com\",\n \t\t\"email_domain\": \"example.com\",\n \t\t\"email\": \"it@example.com\"\n \t}\n ],\n \"locale\": \"en\",\n \"technical_contact\": {\n \"first_name\": \"Jim\",\n \"last_name\": \"Smith\",\n \"telephone\": \"555-555-5555\",\n \"job_title\": \"IT Admin\",\n \"email\": \"jim.smith@example.com\"\n }\n}"
headers = {
'X-DC-DEVKEY': "{{api_key}}",
'Content-Type': "application/json"
}
response = requests.request("POST", url, data=payload, headers=headers)
print(response.text)package main
import (
"fmt"
"strings"
"net/http"
"io/ioutil"
)
func main() {
url := "https://www.digicert.com/services/v2/order/certificate/{{dv_ssl_certificate_id}}"
payload := strings.NewReader("{\n \"certificate\": {\n \"common_name\": \"example.com\",\n \"dns_names\": [\n \t\"sub.example.com\",\n \t\"log.example.com\"\n ],\n \"csr\": \"<csr>\",\n \"cert_validity\": {\n \"days\": 199\n },\n \"server_platform\": {\n \"id\": 2\n }\n },\n \"container\": {\n \"id\": 69748\n },\n \"custom_renewal_message\": \"Renew me.\",\n \"skip_approval\": true,\n \"disable_ct\": 0,\n \"order_validity\": {\n \"years\": 1\n },\n \"custom_fields\": [\n {\n \"metadata_id\": 12,\n \"value\": \"Invoice #12345\"\n }\n ],\n \"payment_method\": \"balance\",\n \"dcv_method\": \"email\",\n \"dcv_emails\": [\n \t{\n \t\t\"dns_name\": \"example.com\",\n \t\t\"email_domain\": \"example.com\",\n \t\t\"email\": \"admin@example.com\"\n \t},\n \t{\n \t\t\"dns_name\": \"sub.example.com\",\n \t\t\"email_domain\": \"example.com\",\n \t\t\"email\": \"jim.smith@example.com\"\n \t},\n \t{\n \t\t\"dns_name\": \"log.example.com\",\n \t\t\"email_domain\": \"example.com\",\n \t\t\"email\": \"it@example.com\"\n \t}\n ],\n \"locale\": \"en\",\n \"technical_contact\": {\n \"first_name\": \"Jim\",\n \"last_name\": \"Smith\",\n \"telephone\": \"555-555-5555\",\n \"job_title\": \"IT Admin\",\n \"email\": \"jim.smith@example.com\"\n }\n}")
req, _ := http.NewRequest("POST", url, payload)
req.Header.Add("X-DC-DEVKEY", "{{api_key}}")
req.Header.Add("Content-Type", "application/json")
res, _ := http.DefaultClient.Do(req)
defer res.Body.Close()
body, _ := ioutil.ReadAll(res.Body)
fmt.Println(res)
fmt.Println(string(body))
}var request = require("request");
var options = { method: 'POST',
url: 'https://www.digicert.com/services/v2/order/certificate/{{dv_ssl_certificate_id}}',
headers:
{ 'Content-Type': 'application/json',
'X-DC-DEVKEY': '{{api_key}}' },
body:
{ certificate:
{ common_name: 'example.com',
dns_names: [ 'sub.example.com', 'log.example.com' ],
csr: '<csr>',
cert_validity: { days: 199 },
server_platform: { id: 2 } },
custom_expiration_date: '',
container: { id: 69748 },
custom_renewal_message: 'Renew me.',
skip_approval: true,
disable_ct: 0,
order_validity: { years: 1 },
custom_fields: [ { metadata_id: 12, value: 'Invoice #12345' } ],
payment_method: 'balance',
dcv_method: 'email',
dcv_emails:
[ { dns_name: 'example.com',
email_domain: 'example.com',
email: 'admin@example.com' },
{ dns_name: 'sub.example.com',
email_domain: 'example.com',
email: 'jim.smith@example.com' },
{ dns_name: 'log.example.com',
email_domain: 'example.com',
email: 'it@example.com' } ],
locale: 'en',
technical_contact:
{ first_name: 'Jim',
last_name: 'Smith',
telephone: '555-555-5555',
job_title: 'IT Admin',
email: 'jim.smith@example.com' } },
json: true };
request(options, function (error, response, body) {
if (error) throw new Error(error);
console.log(body);
});{
"id": 6484932,
"certificate_id": 6079436
}{
"id": 6484932,
"certificate_id": 6079436,
"dcv_random_value": {{dcv_token}}
}{
"id": 144457158,
"requests": [
{
"id": 11963731,
"status": "pending"
}
]
}{
"id": 144457159,
"requests": [
{
"id": 11963732,
"status": "submitted"
}
]
}{
"id": 144457160,
"requests": [
{
"id": 11963733,
"status": "approved"
}
],
"certificate_id": 145451220,
"dcv_random_value": {{dcv_token}}
}{
"id": 144457162,
"requests": [
{
"id": 11963735,
"status": "approved"
}
],
"certificate_id": 145451222
}Request parameters
Note
For information about allowed values for certificate fields, see Publicly Trusted Certificates – Data Entries that Violate Industry Standards.| Name | Req/Opt | Type | Description |
|---|---|---|---|
| certificate | required | object | Certificate details. |
| .. common_name | required | string | Domain to be secured. |
| .. dns_names | optional | array | Additional domains to be secured. Can result in additional costs. (See Best practices – Get both versions of a domain for free.) |
| .. csr | required* | string | Certificate signing request (CSR). Note: The Services API does not extract information from the CSR to fill in the details of a certificate request. You must provide values for all relevant request parameters, including certificate.common_name and certificate.dns_names. |
| .. profile_option | optional | string | If using custom certificate profiles, specify the profile name. Allowed values: See Glossary – Certificate profile options. Note: Until May 1, 2026, you can include the Server Authentication EKU ( server_auth_only_eku) or the Server and Client Authentication EKU (server_client_auth_eku) in your public TLS/SSL certificates requested through the API. For more information about certificate profiles and the corresponding changes, see Certificate profile option, what changed on October 1, 2025, and what is changing on May 1, 2026. |
| .. organization_units | optional | array | Department in your organization the certificate is for. Deprecated. This field is ignored for public TLS/SSL certificate requests. See our knowledge base article. |
| .. server_platform | optional | object | Server platform type. Default:-1 (other) |
| .. .. id | required | int | Server platform ID. See Glossary – Server platforms. |
| .. cert_validity | optional | object | Defines the validity period of the certificate issued for this order. This object is honored only for accounts with MYP enabled and if the order validity exceeds one year. The certificate validity must not exceed the order validity or the maximum allowed certificate validity of 199 days, whichever is shorter. If the order validity is less than the value specified in certificate.cert_validity object, the certificate validity is limited to the order validity.Due to industry-wide changes, the validity of Public TLS/SSL certificates will continue to shorten. Starting February 24, 2026, the maximum validity period for a Public TLS/SSL certificate will be 199 days. By 2029, the maximum validity period will be 46 days. For more information, see Moving to 199-day validity for public TLS certificates.. |
| .. .. days | optional | int | Number of days the order is valid. Can be replaced with cert_validity.custom_expiration_date. Max: 199 If the order validity is less than 199 days, this value is ignored and the certificate validity is capped at the order validity. |
| .. .. custom_expiration_date | optional | string | Custom expiration date for the order. Overrides cert_validity.days . Format: dd MMM YYYY (for example, "09 JUN 2025") Range: Must be within 199 days of the date you request the order. If the order validity is less than 199 days, this value is ignored and the certificate expiration matches the order validity. |
| .. ca_cert_id | optional | string | ID of the intermediate certificate authority (ICA) certificate to select as the issuing certificate. To get the ca_cert_id value for an ICA, use the Product list endpoint. The following public DV products support the option for ICA selection:
Account administrators can customize the default and allowed ICAs for each product at the container or user role level. If you do not provide a value for this parameter, we issue the certificate using the default ICA. If you provide the ca_cert_id value for an ICA that is not allowed, the request returns an error*. To see the custom ICA settings for each product, use the Product limits endpoint.*This parameter is ignored if the option for ICA selection is not enabled for your account. For more information, seeConfigure the ICA certificate chain feature for your public TLS certificates. |
| renewed_thumbprint | optional* | string | If order is a renewal, enter the SHA-1 thumbprint of the previous order's primary certificate. For more information, see How to check a certificate's thumbprint. *Renewal orders must include either a renewed_thumbprint or renewal_of_order_id value. |
| order_validity | required | object | Defines the validity period of the order. Note: Accounts that have Multi-year Plans (MYP) enabled can purchase 1-, 2-, or 3-year coverage. When MYP is enabled, the order validity ( order_validity) can be set upto 3 years and the certificate validity (certificate.cert_validity), which is the validity of the first certificate issued for the order, can be set upto 199 days. If the order validity exceeds 199 days and the certificate.cert_validity object is not included in the request, the certificate validity defaults to 199 days (maximum certificate validity). If the order validity is less than the maximum certificate validity (199 days), the certificate.cert_validity object is ignored and the certificate validity is capped at the order validity.For accounts that do not have MYP enabled, the order validity ( order_validity) can be set upto 1 year; although a 1-year duration can be specified, the effective validity is limited to a maximum of 199 days.For more information, see Moving to 199-day validity for public TLS/SSL certificates. |
| .. years | required* | int | Number of years the order is valid. *Can be replaced by order_validity.days or order_validity.custom_expiration_date. Range for MYP: 1-3 Range for non-MYP: 1 For accounts that do not have MYP enabled, a requested 1-year validity is enforced as a 199-day validity. |
| .. days | optional | int | Number of days the order is valid. Overrides order_validity.years. Max value for MYP: 1095 Max value for non-MYP: 199. For accounts that do not have MYP enabled, any requested validity period greater than 199 days is capped at 199 days. |
| .. custom_expiration_date | optional | string | Custom expiration date for the order. Overrides order_validity.days and order_validity.years. Format: dd MMM YYYY (for example, "09 JUN 2025") Range for MYP: Must be within three years of the date you request the order. Range for non-MYP: Must be within 199 days of the date you request the order. For accounts that do not have MYP enabled, custom expiration dates beyond 199 days are rejected with a 400 Bad Request error and the system does not automatically adjust the expiration date. |
| comments | optional | string | Comments about the order for the administrator or approver reviewing the order request. The comments value is stored on the order request. If the order skips the approval step (skip_approval is set to true), any provided comments value is ignored since CertCentral creates the order directly without creating a corresponding request. |
| apply_cr_discount | optional | bool | When true, applies any competitive replacement discounts that are available for the domains on the order. To calculate competitive replacement discounts before you place an order, use the List replacement benefits endpoint.Default: false |
| serial_number | optional | string | Serial number of the non-DigiCert certificate for which you expect to receive a competitive replacement discount when you place the order. If not provided, we use the information from your order request to look for a match among certificates on the CT log servers, and we apply a discount based on the best match we can find. |
| auto_renew | optional | int | Specify if the certificate should automatically renew. Allowed values:0 (disabled) or 1 (enabled) Default:0 |
| auto_reissue | optional | int | Auto-reissue setting for the order. When auto-reissue is enabled for a Multi-year Plan, DigiCert automatically creates a reissue request for the most recently issued certificate when that certificate is within 30 days of expiring. Auto-reissue repeats until the order expires. To learn more about reissuing certificates in a Multi-year Plan, seeMulti-year Plans. Allowed values:0 (disabled) or 1 (enabled) Default:0 (disabled) Note: We ignore the auto_reissue request parameter if:
|
| custom_renewal_message | optional | string | Custom message to be included in renewal notifications. |
| disable_renewal_notifications | optional | bool | Specify if renewal notification emails should be disabled. Default: false |
| additional_emails | optional | array | Additional email addresses to receive certificate notification emails (e.g., certificate issuance, duplicate certificate, certificate renewals, etc.). |
| renewal_of_order_id | optional* | int | If order is a renewal, enter the previous order's ID. *Renewal orders must include either a renewed_thumbprint or renewal_of_order_id value. |
| payment_method | optional | string | Payment method for the order. Allowed values:
|
| credit_card | conditional | object | Object with information about the credit card charged for the order. Required if payment_method is card. |
| .. number | required | string | Credit card number. |
| .. expiration_month | required | integer | Credit card expiration month. Format as a two-digit number between 01 (Jan) and 12 (Dec). |
| .. expiration_year | required | integer | Credit card expiration year. Format as a four-digit number. For example: 2026 |
| .. cvv | required | integer | Card verification value (CVV). Format as a three- or four-digit number. For example: 333 or 4444 |
| .. cardholder_name | required | string | Cardholder’s first and last name. |
| billing_address | conditional | object | Object with information about the billing address. Required if payment_method is card. |
| .. address | required | string | Billing street address. |
| .. address2 | optional | string | Continuation of street address. |
| .. city | required | string | Billing city. |
| .. state | conditional | string | Billing state or province. Optional for some countries. |
| .. country | required | string | Billing country. |
| .. zip | conditional | string | Billing zip or postal code. Optional for some countries. |
| vat_number | optional | string | If the payment method is card (new credit card) or profile (default credit card), use the vat_number request parameter to set a value-added tax (VAT) or goods and services tax (GST) identification number for the order transaction. DigiCert includes this number on the transaction receipt as a reference for your financial records.If omitted, DigiCert uses the VAT/GST number from the finance settings for the CertCentral account. If the VAT/GST number is absent from both the order request and account settings, DigiCert doesn't store a VAT/GST number for the transaction. Note
|
| dcv_method | optional | string | DCV method to use when verifying domain control. See Glossary – DCV methods |
| dcv_emails | optional | array | List specifying the email scope when sending DCV emails. You can add an entry for each DNS name being secured by the certificate. |
| use_auth_key | optional | boolean | Set to true if you wish to associate this order with a specific AuthKey.Note: If true, you must include the auth_key_id parameter in the request payload. Also, ensure that the dcv_method parameter is set to token-based. |
| auth_key_id | conditional | string | AuthKey ID of the AuthKey you want to use for this order. This parameter is required if use_auth_key is set to true. |
| .. dns_name | required | string | DNS name on the certificate that this scope should apply to. |
| .. email_domain | required | string | Base domain to use when verifying DCV email addresses. This value must match the dns_names base domain. |
| optional | string | Email address to use when sending DCV emails. This email address must be one of the allowed DCV email addresses for the domain—either a constructed email address (admin@, administrator@, webmaster@, hostmaster@, postmaster@) or a DNS-based contact email published in DNS TXT records. | |
| locale | optional | string | Language that the DCV email should use. See Glossary – Locale codes. |
| skip_approval | optional | bool | Specify if the order should skip the approval step and be immediately submitted for validation and issued when complete. Default: false |
| disable_ct | optional | int | Specify if CT logging for the certificate should be disabled. Order-specific CT logging must be enabled or this will be ignored. See Allow Users to Keep Certificates Out of CT Logs. Default: false |
| container | optional | object | If needed, specify the container the order should be placed under. |
| .. id | required | int | Container ID. |
| custom_fields | optional* | array | Account-specific custom fields. *Whether or not these fields are required depends on your custom field settings. |
| .. metadata_id | required | int | Custom field ID. |
| .. value | required | string | Value for the custom field. Data validation type depends on your custom field settings. |
| technical_contact | optional | object | Technical contact details. |
| .. first_name | required | string | First name of the technical contact. |
| .. last_name | required | string | Last name of the technical contact. |
| .. telephone | required | string | Telephone number of the technical contact. |
| .. job_title | optional | string | Job title of the technical contact. |
| required | string | Email address of the technical contact. | |
| alternative_order_id | optional | string | A custom alphanumeric ID to assign the order. To see the alternative_order_id assigned to an order, use the Order info endpoint.Alternative order IDs do not replace the unique order ID that DigiCert assigns each order request. You cannot use alternative order IDs to search for or identify orders in API calls that require an order_id parameter in the URL path or request body.If the Require unique alternative order IDs option is enabled in your account settings, you cannot submit order requests with an alternative order ID that is already assigned to an order in your account. Use this feature to enable nonce order requests, or to prevent your integration from creating duplicate orders in cases where you do not receive a response from the API. Account administrators can toggle this option from the CertCentral console. From the Settings > Preferences page, open the Advanced Settings menu, and look for the Alternative order ID option. This parameter is always optional, even if the Require unique alternative order IDs option is enabled in your account. If a request does not use this parameter, no alternative_order_id value is assigned to the order.Maximum length: 64 characters Note: The Require unique alternative order IDs option may not appear in the advanced settings menu for all CertCentral accounts. To enable this option for your account, contact your account manager or our Support team. |
| enable_guest_access | optional | int | Whether to enable guest access for the order. This parameter is not allowed if guest access is disabled in your account settings. Allowed values:1 (enabled) or 0 (disabled) Default: The default configuration for new orders is determined by your account settings. Account administrators can change these settings from the Guest Access page in the CertCentral console. |
| use_auth_key | optional | bool | If true, when you submit the order request, DigiCert checks the DNS records for an AuthKey request token to complete domain control validation. To learn more about using AuthKey request tokens, see DV certificate immediate issuance.Default: falseNote: For Encryption Everywhere DV certificates, this parameter is ignored. When requesting an Encryption Everywhere certificate, if an AuthKey exists for the account, DigiCert always checks the DNS records for an AuthKey request token. If no AuthKey exists for the account, or if DigiCert doesn't find a valid AuthKey request token for one or more domains on the order, the API returns an error. |
| certificate_dcv_scope | optional | string | Domain validation scope for domains on the order. Domain validation scope determines the specific domains that you must validate before DigiCert can issue your certificate. Allowed values:
Default: This parameter overrides the domain validation scope settings for your CertCentral account. If you omit this parameter, the account setting is used. |
Response parameters
| Name | Type | Description |
|---|---|---|
| id | int | Order ID. |
| certificate_id | int | Certificate ID. |
| dcv_random_value | string | Random value used for domain control validation. Only returned when using dns-txt-token, dns-cname-token, or http-token as the DCV method. Not returned if use_auth_key is true. |
| certificate_chain | array | Ordered list of objects with information about each certificate in the certificate chain (for example, SSL certificate, intermediate CA certificate, and root certificate). The first object in the array contains the end-entity certificate. The next objects contain the intermediate CA certificates. The final object contains the root certificate. Each certificate is signed by the certificate in the object that follows it. For example, the end-entity certificate is signed by the intermediate CA certificate. Note: This endpoint only returns the certificate_chain array for TLS certificates that DigiCert issues immediately. To get the certificate chain after DigiCert issues a certificate, use the Certificate chain endpoint. |
| .. subject_common_name | string | Common name on the certificate. |
| .. pem | string | PEM-encoded certificate data. Note: The pem response parameter includes newline characters \r\n, which are an inherent part of PEM-encoded certificates. |
| requests | array | Contains information about the request. |
| .. id | int | Request ID. |
| .. status | string | Request status. Possible values:pending, submitted, approved, rejected |
Was this page helpful?
Provide feedback