Access roles

ID Role Description
1 Administrator Full administrative access, including creating divisions and users and managing user access.
2 Limited user Place and manage only their own orders.
3 Finance manager Manage finances, place and manage orders.
4 Manager Manage finances, create and approve requests, manage orders and domains, view and edit users.
5 Standard user Place and manage orders. All changes require approval by a manager or administrator.

API key roles

Role ID Role name Description
0 N/A No restrictions. Permissions are inherited from the access role of the user assigned to the key.
100 Orders Limits the key to these actions: Orders, Requests, and Certificates.
101 Orders, Domains, Organizations Limits the key to these actions: Orders, Requests, Certificates, Organizations, and Domains.
102 View Only Limits the key to GET requests only.

Certificate formats

All returned certificates use PEM encoding, which includes header and footer lines.

Format name Content-Type Certificate file extension Description
default application/zip .crt ZIP archive containing individual root, intermediate, and end-entity certificate files.
apache application/zip .crt ZIP archive containing individual intermediate and end-entity certificate files.
default_cer application/zip .cer ZIP archive containing individual root, intermediate, and end-entity certificate files.
cer application/x-pkcs7-certificates .cer Single P7B bundle file containing root, intermediate, and end-entity certificates.
p7b application/x-pkcs7-certificates .p7b Single P7B bundle file containing root, intermediate, and end-entity certificates.
default_pem application/zip .crt ZIP archive containing individual root, intermediate, and end-entity certificate files.
pem_all application/x-pem-file .pem Single PEM bundle containing root, intermediate, and end-entity certificate entries.
pem_nointermediate application/x-pem-file .pem Single PEM file containing only the end-entity certificate entry.
pem_noroot application/x-pem-file .pem Single PEM bundle containing intermediate and end-entity certificate entries.

Custom order field input types

The anything input type is never specified in the metadata response. Instead, the data_type parameter is simply omitted, indicating the custom order field uses the anything input type.

Type Description
anything No input validation. Uses the input HTML tag for the form field.
text No input validation. Uses the textarea HTML tag for the form field.
int Allows only integers as input. Uses the input HTML tag for the form field.
email_address Allows only a single valid email address as input. Uses the input HTML tag for the form field.
email_list Allows multiple valid email addresses as input. Does not allow duplicate email addresses. Uses the input HTML tag for each email address.

DigiCert currencies

Code Currency
AUD Australian dollar
GBP British pound sterling
EUR Euro
HKD Hong Kong dollar
JPY Japanese yen
SGD Singapore dollar
SEK Swedish krona
TWD Taiwan dollar
USD US dollar

Locale codes

Code Language
en English
de German
es Spanish
fr French
it Italian
ja Japanese
kr Korean
pt_br Portuguese
ru Russian
zh_cn Simplified Chinese
zh_tw Traditional Chinese

CS provisioning methods

Method Description
email DigiCert emails the certificate to you. Install the certificate on your own supported hardware token or HSM device.
ship_token DigiCert installs the certificate on a certified hardware token and ships the token to the address provided.
client_app Use the DigiCert Certificate Utility to install the certificate on an existing DigiCert-provided, certified token. Note: You can also install the certificate on your own supported token.

CSR requirements

Certificate type CSR
ssl_certificate Required for all orders.
dv_ssl_certificate Required for all orders.
client_certificate Optional for all orders.
code_signing_certificate Required for these uses:

DCV methods

Method Description
email DigiCert sends domain validation emails to the following email addresses:
  • Contacts listed in the WHOIS for the domain
  • Default domain contacts
  • Validation contacts found in the DNS TXT record for the domain
dns-cname-token Create a DNS CNAME record for the domain that contains a random value. Note: This method cannot be used to demonstrate control over the domains on DV certificate requests.
http-token Add a file that contains a random value and make it publicly available on the domain.
dns-txt-token Create a DNS TXT record for the domain that contains a random value.

Hash types

ID Name
sha256 SHA-256
sha384 SHA-384
sha512 SHA-512
sha1 SHA-1
Note: Per industry standards, DigiCert does not support SHA-1 for publicly trusted certificates, including:
  • Public DV and OV/EV TLS/SSL certificates
  • Code signing and EV code signing certificates
  • Document signing certificates
  • Client certificates
  • S/MIME certificates


Headers are based on the RFC 2616 specification.

Status Description
200 General success response
201 Created: Useful for creation of requests, orders, etc.
204 No Content: For successful requests that don't require a response
301 Moved Permanently: Returned in the unlikely event that a URL has changed. Also returns a LOCATION header with the new URL. Clients should resubmit this request and submit future requests to the new URL.
302 Moved Temporarily: Returned in the unlikely event that a URL has changed temporarily. Also returns a LOCATION header with the new URL. Clients should resubmit this single request to the new URL.
304 Content not modified: Useful when accessing a URL while waiting for a response. Only used if an IF-NONE-MATCH header was passed.
400 General client error
401 Unauthorized: Returned if the page is accessed without a valid API Key
403 User doesn't have permission to perform the requested action
404 Returned if the page doesn't exist or the API doesn't have permission to interact with a particular item
406 Returned if the client doesn't specify a valid acceptable content-type
429 Too many requests. The client has sent too many requests in a given amount of time.
500 Unexpected behavior that the API couldn't recover from
503 The system is currently unavailable

Order status

Status Description
pending Initial order status.
reissue_pending Reissue was requested and is pending.
rejected Order request was rejected.
processing Order was approved and is being processed.
issued Order was validated and certificate can be downloaded.
revoked Order was revoked.
canceled Order was canceled.
needs_csr Order requires a CSR before it can be processed.
needs_approval Order request requires approval before it can be processed.
expired Order has expired.

Certificate status (Discovery)


Certificate security rating

At risk
Not secure
Very secure

Server security vulnerabilities


Product identifiers

Actual product list will vary by account. Use the Get product list endpoint to see available products.

Name ID Group name Name
ssl_dv_geotrust dv_ssl_certificate GeoTrust Standard DV SSL Certificate
ssl_dv_rapidssl dv_ssl_certificate RapidSSL Standard DV SSL Certificate
ssl_dv_thawte dv_ssl_certificate Thawte SSL123 DV
ssl_dv_ee dv_ssl_certificate Encryption Everywhere DV
wildcard_dv_geotrust dv_ssl_certificate GeoTrust Wildcard DV SSL Certificate
wildcard_dv_rapidssl dv_ssl_certificate RapidSSL Wildcard DV SSL Certificate
cloud_dv_geotrust dv_ssl_certificate GeoTrust Cloud DV
ssl_dv_geotrust_flex dv_ssl_certificate Geotrust DV SSL
ssl_plus ssl_certificate Standard SSL Certificate
ssl_multi_domain ssl_certificate SSL Multi Domain Certificates
ssl_wildcard ssl_certificate Wildcard Certificate
ssl_ev_plus ssl_certificate EV SSL Certificate
ssl_ev_multi_domain ssl_certificate SSL EV Multi Domain Certificate
ssl_cloud_wildcard ssl_certificate SSL Cloud Certificates
ssl_basic ssl-certificate Basic OV
ssl_ev_basic ssl-certificate Basic EV
ssl_thawte_webserver ssl_certificate Thawte SSL Webserver OV
ssl_ev_thawte_webserver ssl_certificate Thawte SSL Webserver EV
ssl_geotrust_truebizid ssl_certificate GeoTrust TrueBusiness ID OV
ssl_ev_geotrust_truebizid ssl_certificate GeoTrust TrueBusiness ID EV
ssl_securesite_pro securesite_ssl_certificate Secure Site Pro SSL
ssl_ev_securesite_pro securesite_ssl_certificate Secure Site Pro EV SSL
ssl_securesite securesite_ssl_certificate Secure Site SSL
ssl_securesite_multi_domain securesite_ssl_certificate Secure Site Multi-Domain SSL
ssl_securesite_wildcard securesite_ssl_certificate Secure Site Wildcard SSL
ssl_ev_securesite securesite_ssl_certificate Secure Site EV SSL
ssl_ev_securesite_multi_domain securesite_ssl_certificate Secure Site EV Multi-Domain SSL
ssl_securesite_flex securesite_ssl_certificate Secure Site OV
ssl_ev_securesite_flex securesite_ssl_certificate Secure Site EV
client_premium client_certificate Client Premium Certificate
client_email_security_plus client_certificate Client Email Security Plus Certificate
client_digital_signature_plus client_certificate Client Digital Signature Plus Certificate
client_authentication_plus client_certificate Client Authentication Plus Certificate
class1_smime client_certificate Class 1 S/Mime Certificate
client_grid_premium grid_certificate GRID Client Premium Certificate
grid_host_ssl grid_certificate GRID Host SSL Plus Certificate
grid_host_ssl_multi_domain grid_certificate GRID Host SSL Multi Domain Certificates
client_grid_robot_fqdn grid_certificate GRID Robot FQDN Certificate
client_grid_robot_name grid_certificate GRID Robot Name Certificate
client_grid_robot_email grid_certificate GRID Robot Email Certificate
private_ssl_plus private_ssl_certificate Private SSL Plus Certificate
private_ssl_wildcard private_ssl_certificate Private SSL Wildcard Certificate
private_ssl_multi_domain private_ssl_certificate Private SSL Multi Domain Certificate
private_ssl_flex private_ssl_certificate Private SSL OV
code_signing code_signing_certificate Code Signing Certificate
code_signing_ev code_signing_certificate EV Code Signing Certificate
document_signing_org_1 document_signing Document Signing Organization (2000) Certificate
document_signing_org_2 document_signing Document Signing Organization (5000) Certificate

Product types


Server platforms

When downloading a certificate, the server platform determines the format in which the certificate is sent.

TLS/SSL certificates

Platform Certificate format ID
Apache apache 2
Barracuda default 41
Bea Weblogic 7 and older pem_all 29
BEA Weblogic 8 & 9 p7b 42
Cisco default 30
Citrix (Other) pem_noroot 39
Citrix Access Essentials default 46
Citrix Access Gateway 4.x pem_noroot 50
Citrix Access Gateway 5.x and higher apache 58
cPanel apache 43
F5 Big-IP apache 31
F5 FirePass apache 32
IBM HTTP Server default_cer 7
Java Web Server (Javasoft / Sun) p7b 10
Juniper default 33
Lighttpd apache 44
Lotus Domino default 11
Mac OS X Server apache 49
Microsoft Exchange Server 2003 cer 47
Microsoft Exchange Server 2007 cer 36
Microsoft Exchange Server 2010 cer 48
Microsoft Exchange Server 2013 cer 68
Microsoft Exchange Server 2016 cer 71
Microsoft Forefront Unified Access Gateway cer 66
Microsoft IIS 1.x to 4.x default 13
Microsoft IIS 10 cer 70
Microsoft IIS 5 or 6 cer 14
Microsoft IIS 7 cer 40
Microsoft IIS 8 cer 67
Microsoft Live Communications Server 2005 cer 37
Microsoft Lync Server 2010 cer 59
Microsoft Lync Server 2013 cer 69
Microsoft OCS R2 p7b 60
Microsoft Office Communications Server 2007 cer 38
Microsoft Small Business Server 2008 & 2011 default 62
Netscape Enterprise Server default 15
Netscape iPlanet default 9
nginx pem_noroot 45
Novell iChain default 65
Novell NetWare cer 17
Oracle default 18
Qmail pem_all 34
SunOne default 35
Tomcat p7b 24
WebStar default 26
Zeus Web Server default 28
Other default -1

Code signing certificates

Platform ID
Adobe AIR 52
Apple OS X 53
Microsoft Authenticode 51
Microsoft Office VBA 54
Mozilla 56
Sun Java 55
Other 57

EV code signing certificates

Platform Device type ID
AEP Keyper HSM 15
ARX PrivateServer HSM 16
Bull Trustway Crypto PCI HSM 17
ePass3003 Token 21
SafeNet eToken 5100 Token 6
SafeNet eToken 5105 Token 7
SafeNet eToken 5110 Token 19
SafeNet eToken 5110 FIPS Token 20
SafeNet eToken 5200 Token 8
SafeNet eToken 5205 Token 9
SafeNet eToken PRO 72K Token 3
SafeNet eToken PRO Anywhere Token 2
SafeNet iKey 4000 Token 10
Safenet Luna HSM 12
nCipher nShield HSM 13
Utimaco CryptoServer HSM 14
Must be a FIPS 140-2 Level 2 device. HSM -1


Permission action

Subaccount display currencies

When you set up a bill-to-parent subaccount, you can choose to display prices in the subaccount's preferred currency. This is for display only. Parent accounts and subaccounts that DigiCert bills directly always receive invoices in the DigiCert-supported currency associated with the account. For officially supported currencies, see DigiCert currencies.

Code Currency
ARS Argentine peso
AUD Australian dollar
BRL Brazilian real
GBP British pound sterling
BND Brunei dollar
KHR Cambodia riel
CAD Canadian dollar
CNY Chinese yuan renminbi
COP Colombian peso
EUR Euro
HKD Hong Kong dollar
INR Indian rupee
IDR Indonesia rupiah
JPY Japanese yen
LAK Lao kip
MYR Malaysian ringgit
MXN Mexican peso
MMK Myanmar kyat
NZD New Zealand dollar
NOK Norwegian krone
PHP Philippine peso
RUB Russian ruble
SGD Singapore dollar
ZAR South African rand
KRW South Korean won
SEK Swedish krona
CHF Swiss franc
TWD Taiwan dollar
THB Thailand baht
TRY Turkish lira
USD US dollar
VND Vietnam dong

Subaccount types

Type Description
retail CertCentral Basic account
enterprise CertCentral Enterprise account
reseller CertCentral Reseller account
managed API only account (no CertCentral UI access)

User status

Status Description
active Normal user status.
incomplete User has not completed the sign up process.
inactive User profile and settings exist, but user cannot sign in.

Validation types


Organization status

The status property for an organization describes whether the organization is active or inactive in your CertCentral account.

The status property for an organization is not related to the validation status for the organization. To get the validation status for an organization, use the Validation details endpoint.

Status Description
active Organization is active. This means:
  • You can submit certificate order requests for the organization.
  • The organization appears in the organization selection menu when placing an order from the CertCentral console.
inactive Organization is inactive. This means:
  • You cannot submit new certificate order requests for the organization.
  • The organization does not appear in the organization selection menu when placing an order from the CertCentral console.

Organization validation statuses

Status Description
pending The validation is pending.
active The validation is active.
rejected DigiCert's validation agents have removed or rejected the validation. To re-submit an organization for validation, use the Submit for validation endpoint.
expired The validation has expired.