Enrolling for a certificate

Use the /enroll resource to request a certificate.

Service endpoints

Pilot

https://pilot-certmanager-webservices.websecurity.symantec.com/vswebservices/rest/services/enroll

Production

https://certmanager-webservices.websecurity.symantec.com/vswebservices/rest/services/enroll

Parameters

Table: Enrollment request parameters

challenge
  Data type: Text
  Required: Y
  Max Length: 32
  Description: Challenge phrase for the certificate.

firstName
  Data type: Text
  Required: Y
  Max Length: 240
  Description: Subscriber first name.

middleInitial
  Data type: Text
  Required: N
  Max Length: 1
  Description: Subscriber middle initial.

lastName
  Data type: Text
  Required: Y
  Max Length: 240
  Description: Subscriber last name.

email
  Data type: Text
  Required: Y
  Max Length: 240
  Description: Subscriber email address. For multiple email addresses, use a comma-separated list.

csr
  Data type: Base64-encoded CSR
  Required: Y
  Description: The Base64-encoded PKCS#10 certificate request for the Enrollment transaction. The headers ("-----BEGIN..." and "-----END...") are optional.

  To generate a CSR, use your server software. When you generate the CSR, you must supply a fully qualified domain name (FQDN) for the common name.

certProductType
  Data type: Certificate type parameter
  Required: Y
  Description: Certificate product type. Allowed values:

    • HAServer - Standard Extended Validation SSL
    • HAGlobalServer - Premium Extended Validation SSL
    • Server - Standard SSL
    • GlobalServer - Premium SSL
    • IntranetServer - Standard Intranet SSL
    • IntranetGlobalServer - Premium Intranet SSL
    • PrivateServer - Private SSL
    • GeotrustServer - Rapid SSL Enterprise
    • CodeSigning - Code Signing for Authenticode
    • JavaCodeSigning - Code Signing for Java
    • EVCodeSigning - Extended Validation (EV) Code Signing for Microsoft

  Note: Code signing certificates are returned in .p7b format.

serverType
  Data type: Server type parameter
  Required: Y
  Description: Server software type. See serverType for more information.

  This parameter is ignored for code signing certificates.

validityPeriod
  Data type: 1Y, 2Y, or 3Y
  Required: Y
  Max Length: 2
  Description: Validity period. 3Y (3 years) is valid only for Private SSL and code signing certificates.

specificEndDate
  Data type: MM/DD/YYYY
  Required: N
  Max Length: 10
  Description: The end date for the certificate. For all public SSL/TLS certificates, the end date must be 2 years or less from the start date. For Private SSL and code signing certificates, the end date must be 3 years or less from the start date.

  For this parameter to take effect, you must enable an option in the Control Center. Go to the Configuration tab, Enrollment page, Select Certificate Lifecycle Options section, and select Applicants can request a specific end date within the validity period.

extraLicenses
  Data type: Number (0-999)
  Required: N
  Max Length: 3
  Description: Extra number of licenses to bind with the certificate.

  The default value is 0.

comment
  Data type: T61
  Required: N
  Max Length: 512
  Description: Subscriber comments.

jobTitle
  Data type: T61
  Required: N
  Max Length: 64
  Description: Subscriber title.

employeeID
  Data type: T61
  Required: N
  Max Length: 64
  Description: Subscriber employee ID number.

serverIP
  Data type: Text
  Required: N
  Max Length: 15
  Description: Server IP address.

mailStop
  Data type: T61
  Required: N
  Max Length: 64
  Description: Subscriber mailstop.

signatureAlgorithm
  Data type: Text (see Description field)
  Required: N
  Description: The certificate's signature algorithm. Enter one of the following values:

    • sha1WithRSAEncryption
    • sha256WithRSAEncryption (default)
    • sha256WithRSAEncryptionFull
    • ECDSAwithSHA256
    • ECDSAwithSHA256andRSAroot

  Note: EV Code Signing certificates support only the sha256WithRSAEncryption signature algorithm.

ctLogOption
  Data type: Text (see Description field)
  Required: N
  Description: Optional and case sensitive. Sets the Certificate Transparency logging level for the certificate. Defaults to public (full Certificate Transparency logging). public is the best choice for public websites.

  Valid values:

    • public - Log domain names for best security. Provides the best browsing experience and helps you monitor certificates issued for your domains.
    • nolog - Don't log domain names. Intended for private domains to keep internal names hidden from the public. However, Google Chrome disables the green address bar (EV only) and shows warnings when anyone connects to your site.

  For certificates with private subdomains ("secretproject.example.com"), don't log your certificates. Apply the CT exemption policy on company devices so internal users don't see warnings in Chrome.

  Learn more about Certificate Transparency

  See Presenting Certificate Transparency logging options.

additionalField#
  Data type: T61
  Required: N
  Max Length: 64
  Description: Enter up to 10 additional fields. # indicates 1-10.

subject_alt_name#
  Data type: Text (valid FQDN)
  Required: N
  Max Length: 255
  Description: The subject alternative names (SANs). One certificate can secure the common name in the CSR and additional domains that are entered as SANs (also known as subjectAltName). Each SAN must be an FQDN.

  Enter up to 20 SANs. # indicates 1-20. The newer format, subject_alt_names, supports up to 100 SANs.

subject_alt_names
  Data type: Text
  Required: N
  Description: A comma-separated list of domain names. Enter up to 100 SANs. Example:

  mail.example.com, blog.example.com, ftp.example.com

  Note: You can use either subject_alt_name# (the older format, limited to 20 SANs) or the new subject_alt_names format.

Sample request (POST)

POST https://certmanager-webservices.websecurity.symantec.com/vswebservices/rest/services/enroll HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 1301

additionalField7=7&firstName=ws&additionalField6=6&additionalField5=5&co
mment=mpki4ssl+web+services+enrollment&additionalField4=4&additionalFiel
d3=3&additionalField2=2&additionalField1=1&certProductType=GlobalServer&
employeeID=eid1234&subject_alt_name4=san20.symantec.com&subject_alt_name
3=san19.symantec.com&subject_alt_name2=san2.symantec.com&subject_alt_nam
e1=san1.symantec.com&csr=-----BEGIN+NEW+CERTIFICATE+REQUEST-----%0AMIIBp
DCCAQ0CAQAwZDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEx%0AFjAUBgNVBA
cTDU1vdW50YWluIFZpZXcxDjAMBgNVBAoTBW1jZWxwMRgwFgYDVQQD%0AEw93cy52ZXJpc2l
nbi5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMiT%0AIGXTdLji%2BJZ4pKLHFF
TB%2BQyyWSduAiz0cvLd36wxH%2B3gYDzknbiaVg81jFdyRQTt%0A7ZWvLswQ1F75GGyWaLs
278lltGDMvp06HrA3wrKiCokAfW6PXjnBCkEwmS3kiD1H%0AgavyBHAhnhzFhmmqrYDZ9dX0
qq2aFkLXi1pnUbn%2FAgMBAAGgADANBgkqhkiG9w0B%0AAQsFAAOBgQBnRMeUafT%2F9nKhB
l4BNEYAuolkFvk%2Bpn7su15Wp0X4kiXJD0JiZu%2BL%0Ait7WjtPenwpVCNYEJsxqUn66ec
lJ0jtxZZKcj%2Bl7uZUl2eJl%2FAjypb3LBiGiSTR4%0AjhNiJJ%2Fea3SELjc0QS%2F7wlJ
fOVE%2B%2FAP7mTUhQywzwgXhfMPjUI4%2BNg%3D%3D%0A-----END+NEW+CERTIFICATE+R
EQUEST-----%0A%0A&serverType=Microsoft&additionalField10=10&deptNo=dept1
00&lastName=test&email=foo%40symantec.com&validityPeriod=1Y&additionalFi
eld9=9&challenge=p&jobTitle=engineer&serverIP=12.34.56.78&additionalFiel
d8=8
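
A pre-flight check for the request, as an added example (not Symantec's code): it applies the required flags, maximum lengths and allowed values from the parameter table before form-encoding the body the way the sample POST does. The names check_enrollment and build_body are hypothetical, and parameter values are assumed to be strings.

```python
from urllib.parse import urlencode

# Constraints transcribed from the parameter table on this page.
REQUIRED = ("challenge", "firstName", "lastName", "email", "csr",
            "certProductType", "serverType", "validityPeriod")
MAX_LEN = {"challenge": 32, "firstName": 240, "middleInitial": 1,
           "lastName": 240, "email": 240, "comment": 512, "jobTitle": 64,
           "employeeID": 64, "serverIP": 15, "mailStop": 64}
CODE_SIGNING = {"CodeSigning", "JavaCodeSigning", "EVCodeSigning"}
PRODUCTS = CODE_SIGNING | {
    "HAServer", "HAGlobalServer", "Server", "GlobalServer", "IntranetServer",
    "IntranetGlobalServer", "PrivateServer", "GeotrustServer"}
SIG_ALGS = {"sha1WithRSAEncryption", "sha256WithRSAEncryption",
            "sha256WithRSAEncryptionFull", "ECDSAwithSHA256",
            "ECDSAwithSHA256andRSAroot"}


def check_enrollment(p):
    """Return a list of problems; an empty list means p fits the table."""
    errs = [f"{k}: required" for k in REQUIRED if not p.get(k)]
    errs += [f"{k}: longer than {n}" for k, n in MAX_LEN.items()
             if len(p.get(k, "")) > n]
    product, period = p.get("certProductType"), p.get("validityPeriod")
    if product and product not in PRODUCTS:
        errs.append("certProductType: not an allowed value")
    if period and period not in ("1Y", "2Y", "3Y"):
        errs.append("validityPeriod: must be 1Y, 2Y, or 3Y")
    if period == "3Y" and product not in CODE_SIGNING | {"PrivateServer"}:
        errs.append("validityPeriod: 3Y is only for Private SSL and code signing")
    alg = p.get("signatureAlgorithm", "sha256WithRSAEncryption")  # documented default
    if alg not in SIG_ALGS:
        errs.append("signatureAlgorithm: not an allowed value")
    elif product == "EVCodeSigning" and alg != "sha256WithRSAEncryption":
        errs.append("signatureAlgorithm: EV Code Signing needs sha256WithRSAEncryption")
    if p.get("ctLogOption", "public") not in ("public", "nolog"):  # case sensitive
        errs.append("ctLogOption: must be public or nolog")
    suffixes = [k[16:] for k in p
                if k.startswith("subject_alt_name") and k != "subject_alt_names"]
    if any(not s.isdecimal() or not 1 <= int(s) <= 20 for s in suffixes):
        errs.append("subject_alt_name#: # must be 1-20")
    if len(p.get("subject_alt_names", "").split(",")) > 100:
        errs.append("subject_alt_names: more than 100 SANs")
    return errs

def build_body(p):
    """Validate, then form-encode the parameters like the sample POST body."""
    errs = check_enrollment(p)
    if errs:
        raise ValueError("; ".join(errs))
    return urlencode(p)
```

The challenge phrase travels in this body as a plain form field, so keep the encoded body out of application and proxy logs.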

Sample response

After the request is submitted, the service sends an HTTP response to the requesting application. A successful enrollment response contains a transaction ID for retrieving the certificate when it has been approved manually or automatically. If automatic approval is enabled, the response contains a certificate for your application to extract.

Here's a successful enrollment transaction response:

HTTP/1.0 200 OK
Date: Tue, 27 Jan 2009 18:07:07 GMT
Server: Apache/2.0.63
Connection: Close
Content-Type: application/xml;charset=UTF-8
Content-Length: 2815

<Response xmlns:tns="http://webservices.mpki4ssl.symantec.com"
xmlns="urn:symantec:api">
<StatusCode>0x00</StatusCode>
<Message>success</Message>
<Certificate>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</Certificate>
<Transaction_ID>87d1adc3f1f262409092ec31fb09f4c7</Transaction_ID>
</Response>
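
Handling both outcomes described above (certificate returned immediately, or only a transaction ID for later pickup), as an added example that is not part of the original documentation. The function name parse_enroll_response is hypothetical, the certificate body is a placeholder, and the shape of a pending response (success with no Certificate element) is an assumption.

```python
import xml.etree.ElementTree as ET

NS = {"api": "urn:symantec:api"}  # default namespace in the sample response

# Constructed samples: the certificate body is a placeholder, and the pending
# shape (success without a Certificate element) is an assumption.
APPROVED = """<Response xmlns:tns="http://webservices.mpki4ssl.symantec.com"
xmlns="urn:symantec:api">
<StatusCode>0x00</StatusCode>
<Message>success</Message>
<Certificate>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</Certificate>
<Transaction_ID>87d1adc3f1f262409092ec31fb09f4c7</Transaction_ID>
</Response>"""
PENDING = (APPROVED[:APPROVED.index("<Certificate>")]
           + APPROVED[APPROVED.index("<Transaction_ID>"):])


def parse_enroll_response(xml_text):
    """Return (transaction_id, certificate_or_None) from a response body."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        # The documented response has no DTD; refuse one instead of expanding it.
        raise ValueError("unexpected DTD in response")
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError(f"malformed XML: {exc}") from exc

    def text(tag):
        node = root.find(f"api:{tag}", NS)
        return node.text.strip() if node is not None and node.text else None

    status = text("StatusCode")
    if status != "0x00":
        raise ValueError(f"enrollment failed: {status} {text('Message')}")
    txn = text("Transaction_ID")
    if not txn:
        raise ValueError("success response without Transaction_ID")
    return txn, text("Certificate")


if __name__ == "__main__":
    for body in (APPROVED, PENDING):
        txn, cert = parse_enroll_response(body)
        print(txn, "certificate issued" if cert else "pending approval")
```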
