Reissue certificate

POST https://www.digicert.com/services/v2/order/certificate/{{order_id}}/reissue

Use this endpoint to reissue a certificate. A certificate reissue replaces the existing certificate with a new one that has different information, such as a different common name, CSR, or signature hash.

Reissue Code Signing and EV Code Signing certificates

When reissuing a Code Signing or EV Code Signing certificate, you can choose a provisioning method for the reissued certificate by including the cs_provisioning_method parameter in your request payload.

If you submit a reissue request without providing a cs_provisioning_method value:

  • By default, DigiCert reissues the certificate using the current provisioning method for the order. To get the current provisioning method for an order, check the value of the cs_provisioning_method parameter on the Order info API response.
  • If the provisioning method stored on the order is not currently enabled in your account preferences, DigiCert reissues the certificate using the default provisioning method from your account preferences. Then, the provisioning method stored on the order is updated to match the provisioning method used to reissue the certificate.

Example requests and responses

cURL

curl -X POST \
  'https://www.digicert.com/services/v2/order/certificate/{{order_id}}/reissue' \
  -H 'Content-Type: application/json' \
  -H 'X-DC-DEVKEY: {{api_key}}' \
  -d '{
  "certificate": {
    "common_name": "example.com",
    "dns_names": [
        "sub.example.com"
    ],
    "csr": "<csr>",
    "server_platform": {
      "id": 2
    },
    "signature_hash": "sha256"
  }
}'

Python

import requests

url = "https://www.digicert.com/services/v2/order/certificate/{{order_id}}/reissue"

payload = "{\n  \"certificate\": {\n    \"common_name\": \"example.com\",\n    \"dns_names\": [\n        \"sub.example.com\"\n    ],\n    \"csr\": \"<csr>\",\n    \"server_platform\": {\n      \"id\": 2\n    },\n    \"signature_hash\": \"sha256\"\n  }\n}"
headers = {
    'X-DC-DEVKEY': "{{api_key}}",
    'Content-Type': "application/json"
    }

response = requests.request("POST", url, data=payload, headers=headers)

print(response.text)

Go

package main

import (
	"fmt"
	"io"
	"log"
	"net/http"
	"strings"
)

func main() {

	url := "https://www.digicert.com/services/v2/order/certificate/{{order_id}}/reissue"

	payload := strings.NewReader("{\n  \"certificate\": {\n    \"common_name\": \"example.com\",\n    \"dns_names\": [\n        \"sub.example.com\"\n    ],\n    \"csr\": \"<csr>\",\n    \"server_platform\": {\n      \"id\": 2\n    },\n    \"signature_hash\": \"sha256\"\n  }\n}")

	req, err := http.NewRequest("POST", url, payload)
	if err != nil {
		log.Fatal(err)
	}

	req.Header.Add("X-DC-DEVKEY", "{{api_key}}")
	req.Header.Add("Content-Type", "application/json")

	// Stop on a transport error instead of dereferencing a nil response.
	res, err := http.DefaultClient.Do(req)
	if err != nil {
		log.Fatal(err)
	}
	defer res.Body.Close()

	body, err := io.ReadAll(res.Body)
	if err != nil {
		log.Fatal(err)
	}

	fmt.Println(res)
	fmt.Println(string(body))

}

NodeJS

var request = require("request");

var options = { method: 'POST',
  url: 'https://www.digicert.com/services/v2/order/certificate/{{order_id}}/reissue',
  headers: 
   { 'Content-Type': 'application/json',
     'X-DC-DEVKEY': '{{api_key}}' },
  body: 
   { certificate: 
      { common_name: 'example.com',
        dns_names: [ 'sub.example.com' ],
        csr: '<csr>',
        server_platform: { id: 2 },
        signature_hash: 'sha256' } },
  json: true };

request(options, function (error, response, body) {
  if (error) throw new Error(error);

  console.log(body);
});

Response (reissue request created, approval required)

{
  "id": 112233,
  "requests": [
    {
      "id": 332211
    }
  ]
}

Response (skip_approval is true)

{
  "id": 112233,
  "certificate_id": 111112
}

Request parameters

Name | Req/Opt | Type | Description
certificate | required | object | Details about the certificate.
.. csr | conditional | string | Certificate signing request (CSR) or public key. Format the CSR/public key as a base64-encoded string without line breaks or escape characters. Include the PEM headers and footers (such as -----BEGIN CERTIFICATE REQUEST-----... and ...-----END CERTIFICATE REQUEST-----).
Usage depends on certificate type:
  • TLS/SSL certificate reissues: A CSR is required when reissuing TLS/SSL certificates.
  • Code Signing and EV Code Signing certificate reissues: A CSR is required when reissuing Code Signing or EV Code Signing certificates that will be installed on HSMs (cs_provisioning_method is email). The CSR must use a key size your hardware supports. If the provisioning method is ship_token or client_app, omit the CSR from your request.
  • S/MIME certificates: If you omit the CSR, you must generate the CSR in the browser after the order is created. For browser-generated certificates, DigiCert uses an RSA algorithm, SHA256 signature hash, and a 2048-bit key length CSR. To get a certificate with a different key length, signature hash, or algorithm, you must include a CSR with your request.
.. common_name | conditional* | string | Domain to be secured.
*Note: The common_name request parameter is required on reissue requests for public and private TLS/SSL certificates and non-S/MIME client certificates. However, you should omit the common_name parameter from reissue requests for Verified Mark Certificates (VMC), Code Signing and EV Code Signing certificates, Secure Email certificates, S/MIME client certificates, and Document Signing certificates.
.. dns_names | optional | array | For TLS/SSL and VMC certificates, list of additional domains to be secured.
.. emails | conditional | array | For Secure Email and client certificates, list of one or more email addresses to secure. Required for Secure Email and client certificates; ignored for other products.
For both Secure Email and client certificates, if the common name on the certificate will be an email address, DigiCert automatically uses the first email address from the emails array. Learn more about common name requirements:

Note: Orders for secure_email_sponsor and secure_email_organization certificates cannot include email addresses from public email service providers unless the domains for those email providers are already validated for the organization in your CertCentral account.
.. user_principle_name | optional | array | List of user principal names (UPN) to include in the UPN SAN attribute on the issued certificate.
Note: This parameter is only supported on secure_email_sponsor certificates. It is ignored on reissue requests for other products.
Max length: 1
Max characters per item: 255
.. common_name_indicator | conditional | string | Choose the source of the common name value for the certificate. Required for secure_email_sponsor and secure_email_organization certificates; ignored for other products.
Allowed values: Allowed values depend on product type. See Order Secure Email certificate – Common name value.
.. individual | conditional | object | First and last name or pseudonym of the individual on the certificate.
The individual object is only used with secure_email_sponsor certificates. When you reissue a secure_email_sponsor certificate, if the common_name_indicator is given_name_surname or pseudonym, you must populate the individual object in your request body.
.. .. first_name | conditional | string | Individual first name. Required on secure_email_sponsor reissues if common_name_indicator is given_name_surname. Ignored for other products.
.. .. last_name | conditional | string | Individual last name. Required on secure_email_sponsor reissues if common_name_indicator is given_name_surname. Ignored for other products.
.. .. pseudonym | conditional | string | Individual pseudonym. Required on secure_email_sponsor reissues if common_name_indicator is pseudonym. Ignored for other products.
.. usage_designation | conditional | object | Object that determines the primary use and additional uses for the certificate. Learn more: Order Secure Email certificate – Certificate uses.
Required for Secure Email certificates. Ignored for other products.
.. .. primary_usage | conditional | string | Primary use for the certificate.
Allowed values: See Order Secure Email certificate – Primary uses.
.. .. additional_usages | optional | array of strings | List of additional certificate uses.
Allowed values: See Order Secure Email certificate – Certificate uses.
.. is_rsassa_pss | optional | bool | For certificate requests with an RSA CSR or public key, this parameter changes the type of RSA signature DigiCert uses for the end-entity certificate. If true, DigiCert issues the end-entity certificate with an RSASSA-PSS signature. If false (default), DigiCert issues the end-entity certificate with an RSA signature.
Important: This parameter is only honored when the issuing ICA certificate has an RSA key. If the issuing ICA certificate has an ECC key, DigiCert issues the end-entity certificate with an ECC signature that has the same key size as the issuing ICA certificate.
.. server_platform | conditional | object | Server platform type.
.. .. id | required | int | Server platform ID. Usage depends on certificate type.
TLS/SSL certificate reissues: Providing a new server_platform.id is optional. For allowed values, see Glossary – TLS/SSL certificates.
Code Signing and EV Code Signing certificate reissues: For allowed values, see Glossary – Code Signing and EV Code Signing hardware platforms. Usage requirements depend on provisioning method (cs_provisioning_method).
  • ship_token: server_platform.id is optional and has no impact on the token type DigiCert ships. If not provided, defaults to 23.
  • email: server_platform.id is optional. If not provided, defaults to -1. Note: When the provisioning method is email, the CSR in your request must use a key size your hardware supports.
  • client_app: server_platform.id is required.
.. cert_validity | optional | object | Defines the validity period of the certificate issued for this order. This object is honored only for accounts with MYP enabled and if the order validity exceeds one year. The certificate validity must not exceed the order validity or the maximum allowed certificate validity of 199 days, whichever is shorter. If the order validity is less than the value specified in certificate.cert_validity object, the certificate validity is limited to the order validity.
Due to industry-wide changes, the validity of Public TLS/SSL certificates will continue to shorten. Starting February 24, 2026, the maximum validity period for a Public TLS/SSL certificate will be 199 days. By 2029, the maximum validity period will be 46 days. For more information, see Moving to 199-day validity for public TLS certificates.
.. .. days | optional | int | Number of days the order is valid. Can be replaced with cert_validity.custom_expiration_date.
Max: 199
If the order validity is less than 199 days, this value is ignored and the certificate validity is capped at the order validity.
.. .. custom_expiration_date | optional | string | Custom expiration date for the order. Overrides cert_validity.days.
Format: dd MMM YYYY (for example, "09 JUN 2025")
Range: Must be within 199 days of the date you request the order.
If the order validity is less than 199 days, this value is ignored and the certificate expiration matches the order validity.
.. signature_hash | required | string | Hash algorithm used to sign the certificate.
.. profile_option | optional | string | Certificate profile option for the reissued certificate.
Allowed values: See Glossary – Certificate profile options
Note: Until May 1, 2026, you can include the Server Authentication EKU (server_auth_only_eku) or the Server and Client Authentication EKU (server_client_auth_eku) in your public TLS/SSL certificates requested through the API. For more information about certificate profiles and the corresponding changes, see Certificate profile option, what changed on October 1, 2025, and what is changing on May 1, 2026.
.. ca_cert_id | optional | string | ID of the intermediate certificate authority (ICA) certificate to select as the issuing certificate. To get the ca_cert_id value for an ICA, use the Product list endpoint.
Account administrators can customize the default and allowed ICAs for each product at the container or user role level. If you do not provide a value for this parameter, we issue the certificate using the default ICA. If you provide the ca_cert_id value for an ICA that is not allowed, the request returns an error*. To see the custom ICA settings for each product, use the Product limits endpoint.
*This parameter is ignored if the option for ICA selection is not enabled for your account. For more information, see ICA certificate chain selection.
dcv_method | optional | string | For TLS/SSL certificate reissues, DCV method to use when verifying domain control. See Glossary – DCV methods.
comments | optional | string | Comments about the reissue for the administrator reviewing the reissue request. The comments value is stored on the reissue request. If the reissue skips the approval step (skip_approval is set to true), any provided comments value is ignored since CertCentral processes the reissue directly without creating a corresponding request.
skip_approval | optional | bool | Specify if the order should skip the approval step and be immediately submitted for validation and issued when complete.
Default: false
certificate_dcv_scope | optional | string | Domain validation scope for domains on the order. Domain validation scope determines the specific domains that you must validate before DigiCert can issue your certificate.
Allowed values:
  • base_domain: Validate each domain and subdomain in the request at the base domain level (for example, example.com).
  • fqdn: Validate each domain and subdomain included in the order exactly as named in the request. When using fqdn:
    • If a domain is a subdomain of another domain included on the order, complete the DCV check for the higher-level domain.
    • For OV and EV certificates only, if a higher-level domain exists in the account with an active validation, we validate the domain under the scope of the existing domain.

Default: This parameter overrides the domain validation scope settings for your CertCentral account. If you omit this parameter, the account setting is used.
use_auth_key | optional | bool | Use this parameter to complete DCV checks for new domains on a DV TLS/SSL reissue using an AuthKey request token.
If true, when you submit the order request, DigiCert checks the DNS records for an AuthKey request token to complete domain control validation. To learn more about using AuthKey request tokens, see DV certificate immediate issuance.
Default: false
Note: For Encryption Everywhere DV certificates, this parameter is ignored. When requesting an Encryption Everywhere certificate, if an AuthKey exists for the account, DigiCert always checks the DNS records for an AuthKey request token. If no AuthKey exists for the account, or if DigiCert doesn't find a valid AuthKey request token for one or more domains on the order, the API returns an error.
cs_provisioning_method | optional | string | For Code Signing or EV Code Signing reissues, provisioning method for the certificate.
Optional for both Code Signing and EV Code Signing certificate reissues. If omitted:
  • By default, DigiCert reissues the certificate using the current provisioning method for the order. To get the current provisioning method for an order, check the value of the cs_provisioning_method parameter on the Order info API response.
  • If the provisioning method stored on the order is not currently enabled in your account preferences, DigiCert reissues the certificate using the default provisioning method from your account preferences. Then, the provisioning method stored on the order is updated to match the provisioning method used to reissue the certificate.

Allowed values:
  • ship_token: DigiCert ships you a hardware token with instructions to activate your certificate (see Set Up Your DigiCert Provided eToken). To provide your shipping address, use the ship_info object. Otherwise, DigiCert uses the default shipping address from your CertCentral account settings.
  • email: DigiCert sends you the certificate to install on your own Common Criteria EAL4+ standard or FIPS 140-2 level 2 HSM. If you don't have a compatible HSM, select a different provisioning method. A CSR is required when using this provisioning method*.
  • client_app: Install the certificate on a supported secure token you already own. To identify your device, use the certificate.server_platform object.
ship_info | optional | object | For Code Signing or EV Code Signing reissues with a cs_provisioning_method of ship_token, specify the shipping address for the hardware token.
Optional for both Code Signing and EV Code Signing certificates. For orders that omit the ship_info object, DigiCert uses the default token shipping address from your CertCentral account settings.
.. name | required | string | Name of the recipient.
.. addr1 | required | string | Shipping address for the token.
.. addr2 | optional | string | Secondary address field.
.. city | required | string | Shipping city.
.. state | required | string | Shipping state.
.. zip | required | string | Shipping postal code.
.. country | required | string | Shipping country.
.. method | required | string | Shipping priority for the token.
Allowed values: STANDARD, EXPEDITED (incurs added cost)
subject | optional | object | Object with optional data to include in subject distinguished name (DN) attributes on the issued certificate.
This object is only used in reissue requests for Secure Email certificates. It is ignored in reissue requests for other product types. Learn more: [Order secure email certificate](/certcentral-apis/services-api/orders/order-secure-email-certificate.html).
.. serial_number | optional | string | Value to use in the subject DN serial number attribute. Supported on secure_email_sponsor certificates.
Character limit: 100
.. pseudonym | optional | string | Value to use in the subject DN pseudonym attribute. Supported on secure_email_sponsor certificates.
Note: If you are already submitting the pseudonym value in the certificate.individual object, use subject.include_pseudonym instead.
Character limit: 128
.. job_title | optional | string | Value to use in the subject DN title attribute. Supported on secure_email_sponsor certificates.
Character limit: 128
.. include_pseudonym | optional | boolean | If true, the subject DN pseudonym attribute includes the pseudonym value from the certificate.individual object. If false (default), the subject DN does not include the pseudonym attribute.
Note: If there is no pseudonym value on the certificate.individual object, set the value of the subject DN pseudonym attribute with subject.pseudonym, instead.
.. include_email | optional | boolean | If true, the subject DN email attribute includes the first email address from the certificate.emails array. Otherwise, false (default). Supported on secure_email_individual, secure_email_sponsor, and secure_email_organization certificates.
.. include_given_name_surname | optional | boolean | If true, the subject DN surname and given name attributes include surname and given name from the individual array. Otherwise, false (default). Supported on secure_email_sponsor certificates.
store_reissue_as_duplicate | optional | boolean | Use this parameter to reissue a public TLS certificate as a duplicate certificate; the parameter is ignored for other products, such as private TLS and code signing.
If true, DigiCert reissues the certificate as a duplicate rather than a reissued certificate.
Default: false
For public TLS certificates, using the store_reissue_as_duplicate parameter allows you to duplicate a certificate through the reissue workflow, enabling the order to go into a pending state. This process lets you approve the request and complete expired domain and organization validation, which are unavailable in the duplicate issue workflow.
To reissue the certificate as a duplicate:
  • All certificate fields must be identical to the original, except for the CSR, certificate validity, server platform, and signature hash.
  • When duplicating a multi-domain certificate, you can move a SAN to the common name if desired.
  • When duplicating a wildcard certificate, you can add SANs if they are subdomains of the wildcard.
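
The Code Signing rules in the table above (CSR only for email provisioning, server_platform.id required for client_app, ship_info fields, single-line CSR with PEM header and footer) can be checked before the API key ever leaves the client. The following is an added example, not DigiCert code: the function and constant names are assumptions, the sample CSR is constructed, and the request always names cs_provisioning_method explicitly so a reissue cannot fall back to the account default described above.

```python
import re

# Rules transcribed from the parameter table on this page; every function and
# constant name here is an assumption made for this example.
PROVISIONING_METHODS = {"ship_token", "email", "client_app"}
SHIP_INFO_REQUIRED = ("name", "addr1", "city", "state", "zip", "country", "method")
SHIP_METHODS = {"STANDARD", "EXPEDITED"}
HEADER = "-----BEGIN CERTIFICATE REQUEST-----"
FOOTER = "-----END CERTIFICATE REQUEST-----"

# Constructed sample, not a parseable CSR: only its PEM framing matters here.
SAMPLE_CSR = f"""{HEADER}
MIICconstructedSampleBodyLine1AAAA
BBBBconstructedSampleBodyLine2CCCC
{FOOTER}
"""


def flatten_csr(pem):
    """Return the CSR on one line with PEM header and footer, no line breaks."""
    match = re.search(re.escape(HEADER) + r"(.+?)" + re.escape(FOOTER), pem, re.S)
    if not match:
        raise ValueError("CSR is missing its PEM header or footer")
    body = "".join(match.group(1).split())
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body):
        raise ValueError("CSR body is not base64")
    return HEADER + body + FOOTER


def build_cs_reissue(method, signature_hash="sha256", csr_pem=None,
                     platform_id=None, ship_info=None):
    """Build a Code Signing reissue body; reject combinations the table rules out."""
    if method not in PROVISIONING_METHODS:
        raise ValueError(f"unknown cs_provisioning_method: {method!r}")
    cert = {"signature_hash": signature_hash}  # common_name omitted for code signing
    if method == "email":
        if csr_pem is None:
            raise ValueError("email provisioning (HSM install) requires a CSR")
        cert["csr"] = flatten_csr(csr_pem)
    elif csr_pem is not None:
        raise ValueError(f"omit the CSR when the provisioning method is {method}")
    if method == "client_app" and platform_id is None:
        raise ValueError("client_app requires certificate.server_platform.id")
    if platform_id is not None:
        cert["server_platform"] = {"id": platform_id}
    body = {"certificate": cert, "cs_provisioning_method": method}
    if ship_info is not None:
        if method != "ship_token":  # stricter than the page, which states no error here
            raise ValueError("ship_info only applies to ship_token")
        missing = [k for k in SHIP_INFO_REQUIRED if not ship_info.get(k)]
        if missing:
            raise ValueError("ship_info is missing: " + ", ".join(missing))
        if ship_info["method"] not in SHIP_METHODS:
            raise ValueError("ship_info.method must be STANDARD or EXPEDITED")
        body["ship_info"] = dict(ship_info)
    return body
```

Pass the returned dictionary as the JSON body of the reissue request; a ValueError means the request would contradict the table and should not be sent.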

Response parameters

Name | Type | Description
id | int | Order ID.
certificate_id | int | Certificate ID.
Only returned if skip_approval is true.
dcv_random_value | string | Random value used for domain control validation (DCV). Use this token to complete the DCV check for any domain submitted for validation with the order. Only returned when the DCV method is dns-txt-token, dns-cname-token, or http-token.
requests | array | List of requests.
.. id | int | Request ID.
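
The two response shapes and the fqdn rule for certificate_dcv_scope combine into a list of follow-up work after a reissue. The following is an added example, not DigiCert code: the function names are assumptions, and it assumes the fqdn scope with no existing validations in the account, so every name needs a check unless a higher-level name on the same order covers it.

```python
def fqdn_dcv_targets(names):
    """Names that need their own DCV check under the fqdn scope.

    A name that is a subdomain of another name on the order is dropped,
    because the check is completed for the higher-level domain instead.
    """
    cleaned = sorted({n.lower().rstrip(".") for n in names},
                     key=lambda n: (n.count("."), n))  # parents before children
    targets = []
    for name in cleaned:
        # Compare on a label boundary so notexample.com is not treated
        # as a subdomain of example.com.
        if not any(name.endswith("." + parent) for parent in targets):
            targets.append(name)
    return targets


def summarize_reissue(response, names):
    """Turn a reissue response into the follow-up work it implies."""
    summary = {"order_id": response["id"]}
    if "certificate_id" in response:
        # certificate_id is only returned when skip_approval is true.
        summary["state"] = "submitted_for_validation"
        summary["certificate_id"] = response["certificate_id"]
    else:
        # Otherwise a reissue request waits for an administrator.
        summary["state"] = "pending_approval"
        summary["request_ids"] = [r["id"] for r in response.get("requests", [])]
    # dcv_random_value is only present for the token-based DCV methods.
    token = response.get("dcv_random_value")
    summary["dcv_checks"] = (
        [(domain, token) for domain in fqdn_dcv_targets(names)] if token else []
    )
    return summary


# Constructed input: the IDs come from this page's example responses,
# the token and the extra domain names are made up for illustration.
ORDER_NAMES = ["sub.example.com", "example.com", "a.b.example.org", "b.example.org"]
PENDING = {"id": 112233, "requests": [{"id": 332211}]}
SKIPPED = {"id": 112233, "certificate_id": 111112,
           "dcv_random_value": "constructed-token"}
```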