Order EU Qualified Personal

  11 minute read  

POST https://certcentral.digicert.eu/services/v2/order/certificate/eu_individual

Use this endpoint to order an EU Qualified Personal certificate. EU Qualified Personal is an eIDAS certificate that is issued to a natural person and is used to apply electronic signatures. You can get an EU Qualified Personal certificate that applies qualified or advanced electronic signatures.

Example requests and responses

curl -X POST \
  'https://certcentral.digicert.eu/services/v2/order/certificate/eu_individual' \
  -H 'Content-Type: application/json' \
  -H 'X-DC-DEVKEY: {{api_key}}' \
  -d '{
    "certificate": {
    "signature_hash": "sha256",
    "profile_option": "encryption",
    "common_name_indicator": "given_name_surname",
    "individual": {
      "first_name": "John",
      "last_name": "Doe",
      "pseudonym": "JohnDoe123",
      "email": "john.doe@example.com",
      "telephone": "+1-555-555-5555",
      "country": "us",
      "city": "New York City",
      "state": "New York",
      "zip": "10001"
    }
  },
  "cs_provisioning_method": "qscd",
  "ship_info": {
    "name": "John Doe",
    "addr1": "360 Taylor Street",
    "addr2": "Floor 74",
    "city": "Richmond",
    "state": "va",
    "zip": "69662",
    "country": "us",
    "method": "STANDARD"
  },
  "order_validity": {
    "years": 1
  },
  "skip_approval": "true"
  "payment_method": "balance"
}
curl -X POST \
  'https://certcentral.digicert.eu/services/v2/order/certificate/eu_individual' \
  -H 'Content-Type: application/json' \
  -H 'X-DC-DEVKEY: {{api_key}}' \
  -d '{
    "certificate": {
    "signature_hash": "sha256",
    "profile_option": "encryption",
    "common_name_indicator": "given_name_surname",
    "cs_provisioning_method": "csr",
    "csr": "-----BEGIN CERTIFICATE REQUEST-----MII...-----END CERTIFICATE REQUEST-----",
    "individual": {
      "first_name": "John",
      "last_name": "Doe",
      "pseudonym": "JohnDoe123",
      "email": "john.doe@example.com",
      "telephone": "+1-555-555-5555",
      "country": "us",
      "city": "New York City",
      "state": "New York",
      "zip": "10001"
    }
  },  
  "order_validity": {
    "years": 1
  },
  "skip_approval": "true"
  "payment_method": "balance"
}
{
  "id": 112233,
  "requests": [
    {
      "id": 113,
      "status": "pending"
    }
  ]
}
{
  "id": 112233,
  "requests": [
    {
      "id": 113,
      "status": "submitted"
    }
  ]
}
{
  "id": 112233,
  "requests": [
    {
      "id": 113,
      "status": "approved"
    }
  ],  
  "certificate_id": 113
}
{
  "id": 112233,  
  "certificate_id": 113
}

Request parameters

NameReq/OptTypeDescription
certificaterequiredobjectCertificate details.
.. signature_hashrequiredstringHash algorithm used for signing the certificate.
EU Qualified certificates support only SHA-256 hash algorithm.
profile_optionrequiredstringSelect a profile option that best defines the certificate usage. The options are:
  • nonrepudiation: Use for signing documents with a non-repudiable and tamper-proof electronic signature, which is trusted and recognized across the European Union.
  • authentication: Use for personal identity verification, providing the highest level of assurance.
  • encryption: Use for encrypting emails for non-repudiation of emails and to ensure the integrity of the email messages.
common_name_indicatorrequiredstringChoose the source of the common name value for the certificate.
Allowed valued: given_name_surname or pseudonym
individualrequiredobjectInformation about the individual who is the intended certificate holder and who will use the certificate for digital signatures, encryption, or authentication purposes.
.. first_namerequiredstringIndividual's first name (given name). This can include middle names or initials, but do not include titles or prefixes such as "Dr.".
.. last_namerequiredstringIndividual's last name (given name). This can include middle names or initials, but do not include titles or prefixes such as "Dr.".
.. pseudonymoptionalstringIndividual’s preferred or professional name (pseudonym). This can include titles, prefixes, academic or professional suffixes, abbreviations, and accrediations.
Required if common_name_indicator is pseudonym.
.. emailrequiredstringIndividual's email address. This email address is used for processing the order request and receiving order approval notifications. This email address does not appear on the certificate.
To view an email address on the certificate, enter the email address in the subject.email request parameter. The email address is displayed alongside the subject email on the certificate.
.. telephonerequiredstringIndividual’s phone number with the country code (for example, +1-555-555-5555).
.. countryrequiredstringIndividual's country, represented by a two-letter country code.
.. staterequiredstringIndividual's state or province.
.. cityoptionalstringIindividual's city.
.. zipoptionalstringIndividual's postal code.
provisioning_methodrequiredstringSpecify the key provisioning method. Key provisioning method refers to where the private key and the certificate will be stored. The methods are:
  • Qualified signature/seal creation device (QSCD): This method provides a qualified certificate that can create qualified electronic signatures or seals. If you select the qscd provisioning method in the request body, DigiCert ships the QSCD hardware token to you. You must include shipping details in the ship_info object to receive the QSCD. After receiving the device and the PIN, you must use the DigiCert Trust Assistant to initialize and install your certificate on the token. To do so, use the certificate's order details page on the CertCentral Europe platform user interface to download and install the DigiCert Trust Assistant. You can use the DigiCert Trust Assistant to unlock and install the certificate on your QSCD token. For more information, go to the EU (eIDAS) products page in the CertCentral platform documentation, select the relevant certificate order link, and view the What's Next subsection.
  • Certificate signing request (CSR): This method results in an advanced electronic signature. If you select the csr provisioning method in the request body, you must submit a CSR using the csr request parameter while ordering the certificate. If you do not submit the CSR in the request body, DigiCert sends you an email with instructions and a link for providing the CSR before issuing the certificate.
ship_infooptionalobjectFor orders with the provisioning_method of qscd, specify the shipping address for the hardware token.
.. namerequiredstringFirst and last name of the recipient of the order.
.. addr1requiredstringShipping address for the token.
.. addr2requiredstringContinuation of street address.
.. cityrequiredstringShipping city.
.. staterequiredstringShipping state.
.. ziprequiredstringShipping postal code.
.. countryrequiredstringShipping country.
.. methodrequiredstringShipping priority for the token.
Allowed values: STANDARD or EXPEDITED (incurs additional cost).
.. csroptionalstringCertificate signing request (CSR) or public key in PEM format. Format the CSR/public key as a base64-encoded string without line breaks or escape characters. Include the PEM headers and footers (such as -----BEGIN CERTIFICATE REQUEST-----... and ...-----END CERTIFICATE REQUEST-----). For more information about generating a CSR, see Create a CSR.
After placing the order, if the status of the order is pending, you can use the Update CSR endpoint to update the CSR. To check the status of the order, use the [Order validation status](/certcentral-apis/services-api/orders/validation-status.html) endpoint.
Note: Required if provisioning_method is csr.
containeroptionalobjectIf needed, specify the container the order should be placed under.
.. idrequiredintContainer ID.
custom_fieldsoptional*arrayAccount-specific custom fields.
*Whether or not these fields are required depends on your custom field settings.
.. metadata_idrequiredintCustom field ID.
.. valuerequiredstringValue for the custom field. Data validation type depends on your custom field settings.
alternative_order_idoptionalstringA custom alphanumeric ID to assign the order. To see the alternative_order_id assigned to an order, use the Order info endpoint.
Alternative order IDs do not replace the unique order ID that DigiCert assigns each order request. You cannot use alternative order IDs to search for or identify orders in API calls that require an order_id parameter in the URL path or request body.
If the Require unique alternative order IDs option is enabled in your account settings, you cannot submit order requests with an alternative order ID that is already assigned to an order in your account. Use this feature to enable nonce order requests, or to prevent your integration from creating duplicate orders in cases where you do not receive a response from the API. Account administrators can toggle this option from the CertCentral console. From the Settings > Preferences page, open the Advanced Settings menu, and look for the Alternative order ID option.
This parameter is always optional, even if the Require unique alternative order IDs option is enabled in your account. If a request does not use this parameter, no alternative_order_id value is assigned to the order.
Maximum length: 64 characters
Note: The Require unique alternative order IDs option may not appear in the advanced settings menu for all CertCentral accounts. To enable this option for your account, contact your account manager or our Support team.
enable_guest_accessoptionalintWhether to enable guest access for the order. This parameter is not allowed if guest access is disabled in your account settings.
Allowed values:1 (enabled) or 0 (disabled)
Default: The default configuration for new orders is determined by your account settings. Account administrators can change these settings from the Guest Access page in the CertCentral console.
renewed_thumbprintoptional*stringIf order is a renewal, enter the SHA-1 thumbprint of the previous order's primary certificate. For more information, see How to check a certificate's thumbprint.
*Renewal orders must include either a renewed_thumbprint or renewal_of_order_id value.
.. cert_validityoptionalobjectDefines the validity period of the certificate issued for this order. This object is honored only for accounts with MYP enabled and if the order validity exceeds one year. The certificate validity must not exceed the order validity or the maximum allowed certificate validity of 199 days, whichever is shorter. If the order validity is less than the value specified in certificate.cert_validity object, the certificate validity is limited to the order validity.
Due to industry-wide changes, the validity of Public TLS/SSL certificates will continue to shorten. Starting February 24, 2026, the maximum validity period for a Public TLS/SSL certificate will be 199 days. By 2029, the maximum validity period will be 46 days. For more information, see Moving to 199-day validity for public TLS certificates..
This object is not used for requests from accounts that do not have Multi-year Plans enabled.
.. .. daysoptionalintNumber of days the order is valid. Can be replaced with cert_validity.custom_expiration_date.
Max: 199
If the order validity is less than 199 days, this value is ignored and the certificate validity is capped at the order validity.
.. .. daysoptionalintNumber of days the certificate is valid after it is issued. Overrides cert_validity.years.
Max: 397
.. .. custom_expiration_dateoptionalstringCustom expiration date for the order. Overrides cert_validity.days .
Format: dd MMM YYYY (for example, "09 JUN 2025")
Range: Must be within 199 days of the date you request the order.
commentsoptionalstringComments about the order for the administrator or approver reviewing the order request. The comments value is stored on the order request. If the order skips the approval step (skip_approval is set to true), any provided comments value is ignored since CertCentral creates the order directly without creating a corresponding request.
skip_approvaloptionalboolSpecify if the order should skip the approval step and be immediately submitted for validation and issued when complete.
Default: false
auto_renewoptionalintSpecify if the certificate should automatically renew.
Allowed values:0 (disabled) or 1 (enabled)
Default:0
custom_renewal_messageoptionalstringCustom message to be included in renewal notifications.
disable_renewal_notificationsoptionalboolSpecify if renewal notification emails should be disabled.
Default: false
additional_emailsoptionalarrayAdditional email addresses to receive certificate notification emails (e.g., certificate issuance, duplicate certificate, certificate renewals, etc.).
localeoptionalstringLanguage that the DCV email should use. See Glossary – Locale codes.
renewal_of_order_idoptional*intIf order is a renewal, enter the previous order's ID.
*Renewal orders must include either a renewed_thumbprint or renewal_of_order_id value.
payment_methodrequiredstringPayment method for the order. Allowed values:
  • balance (default): Pay with account balance. Returns an error if the option to bill to account balance is disabled for the account, or if the account balance has insufficient funds. Learn how to debit purchases against your CertCentral account balance.
  • profile: Pay with the account’s default credit card. Returns an error if no default credit card is configured for the account. Learn how to set up a default credit card.
  • card: Pay with a new credit card. Requests that use card as the payment method must include a credit_card and billing_address object. Returns an error if the option to pay with a credit card is disabled for the account.
credit_cardrequired (if payment_method is card)objectObject with information about the credit card charged for the order. Required if payment_method is card.
.. numberrequiredstringCredit card number.
.. expiration_monthrequiredstringCredit card expiration month. Format as a two-digit number between 01 (Jan) and 12 (Dec).
.. expiration_yearrequiredstringCredit card expiration year. Format as a four-digit number. For example: 2026
.. cvvrequiredstringCard verification value (CVV). Format as a three- or four-digit number. For example: 333 or 4444
.. cardholder_namerequiredstringCardholder’s first and last name.
.. save_credit_cardoptionalnullSpecify whether to save the credit card details. true for saving the details, false for not saving the details, and null for not indicating the preference.
Allowed Values: true, false, or null.
.. set_as_defaultrequiredstringSet the card as the default payment option or method. To set this card as your default payment method, use 1. To keep your default payment method, use 0.
Allowed Values: 1 or 0.
billing_addressconditionalobjectObject with information about the billing address. Required if payment_method is card.
.. addressrequiredstringBilling street address.
.. address2optionalstringContinuation of street address.
.. cityrequiredstringBilling city.
.. stateconditionalstringBilling state or province. Optional for some countries.
.. countryrequiredstringBilling country.
.. zipconditionalstringBilling zip or postal code. Optional for some countries.

Response parameters

NameTypeDescription
idintOrder ID.
requestsarrayContains information about the request.
.. idintRequest ID.
.. statusstringRequest status.
Possible values:pending, submitted, approved, rejected
certificate_idintCertificate ID. Returned if request status is approved.

After placing the order, go to the EU (eIDAS) products page in the CertCentral platform documentation, select the relevant certificate order link, and view the What’s Next subsection to carry out the subsequent tasks.

Alternatively, you can order the EU Qualified Personal certificate through the CertCentral Europe platform. For more information, see Order your EU Qualified Personal certificate.