Renewing a certificate

Use the /renew resource to renew a certificate. Renewing a certificate is similar to enrolling for a certificate. With a renewal transaction, the SSL/TLS certificate application also needs to provide the original certificate or its transaction ID.

Service endpoints

Pilot

https://pilot-certmanager-webservices.websecurity.symantec.com/vswebservices/rest/services/renew

Production

https://certmanager-webservices.websecurity.symantec.com/vswebservices/rest/services/renew

Parameters

Table: Renewal request parameters

Name | Data type | Required | Max length | Description

firstName | Text | Y | 240 | Subscriber first name.

lastName | Text | Y | 240 | Subscriber last name.

email | Text | Y | 240 | Subscriber email address. For multiple email addresses, use a comma-separated list.

csr | Base64-encoded CSR | Y | | The Base64-encoded PKCS#10 certificate request for the Enrollment transaction. The headers ("-----BEGIN..." and "-----END...") are optional.

To generate a CSR, use your server software. When you generate the CSR, you must supply a fully qualified domain name (FQDN) for the common name.

certProductType | Certificate type parameter | Y | | Certificate product type. Allowed values:

  • HAServer - Standard Extended Validation SSL

  • HAGlobalServer - Premium Extended Validation SSL

  • Server - Standard SSL

  • GlobalServer - Premium SSL

  • IntranetServer - Standard Intranet SSL

  • IntranetGlobalServer - Premium Intranet SSL

  • PrivateServer - Private SSL

  • GeotrustServer - Rapid SSL Enterprise

  • CodeSigning - Code Signing for Authenticode

  • JavaCodeSigning - Code Signing for Java

  • EVCodeSigning - Extended Validation (EV) Code Signing for Microsoft

Note: Code signing certificates are returned in .p7b format.

serverType | Server type parameter | Y | | Server software type. See serverType for more information.

This parameter is ignored for code signing certificates.

validityPeriod | 1Y, 2Y, or 3Y | Y | 2 | Validity period. 3Y (3 years) is valid only for Private SSL and code signing certificates.

specificEndDate | MM/DD/YYYY | N | 10 | The end date for the certificate. For all public SSL/TLS certificates, the end date must be 2 years or less from the start date. For Private SSL and code signing certificates, the end date must be 3 years or less from the start date.

For this parameter to take effect, you must enable an option in the Control Center. Go to the Configuration tab, Enrollment page, Select Certificate Lifecycle Options section, and select Applicants can request a specific end date within the validity period.

original_certificate | Valid Base64-encoded certificate | Y, if original_transaction_id is not present; N, if original_transaction_id is present | | The certificate to renew.

original_transaction_id | Text | Y, if original_certificate is not present; N, if original_certificate is present | 32 | The transaction ID of the certificate to renew.

original_challenge | Text | Y | 32 | The current challenge phrase for the certificate to renew.

challenge | Text | Y | 32 | The new challenge phrase for the requested certificate.

subject_alt_names | Text | N | | A comma-separated list of domain names. Enter up to 100 SANs. Example:

mail.example.com, blog.example.com, ftp.example.com

Note: You can use either subject_alt_name# (the older format, limited to 20 SANs) or the new subject_alt_names format.

signatureAlgorithm | Text | N | 32 | The certificate's signature algorithm. Enter one of the following values:

  • sha1WithRSAEncryption

  • sha256WithRSAEncryption (default)

  • sha256WithRSAEncryptionFull

  • ECDSAwithSHA256

  • ECDSAwithSHA256andRSAroot

Note: EV Code Signing certificates support only the sha256WithRSAEncryption signature algorithm.

ctLogOption | Text | N | | Optional and case sensitive. Sets the Certificate Transparency logging level for the certificate. Defaults to public (full Certificate Transparency logging). public is the best choice for public websites.

Valid values:

  • public - Log domain names for best security. Provides the best browsing experience and helps you monitor certificates issued for your domains.

  • nolog - Don't log domain names. Intended for private domains, to keep internal names hidden from the public. However, Google Chrome disables the green address bar (EV only) and shows warnings when anyone connects to your site.

For certificates with private subdomains ("secretproject.example.com"), don't log your certificates. Apply the CT exemption policy on company devices so internal users don't see warnings in Chrome.

Learn more about Certificate Transparency

See Presenting Certificate Transparency logging options.

Sample request (POST)

POST https://certmanager-webservices.websecurity.symantec.com/vswebservices/rest/services/renew HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 905

original_transaction_id=6b671d141321a8d743ab5616051d4ec&original_certificate=&firstName=John&middleInitial=&lastName=Doe&email=johndoe@aaa.com&employeeID=1234&serverType=Netscape
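
The constraints in the parameter table can be checked on the client before the request is sent. The following is an added example, not code from this documentation or from Symantec: `build_renew_body` is a hypothetical helper, the sample values are constructed, and treating all three code signing product types as eligible for 3Y is an assumption.

```python
from urllib.parse import urlencode

# Limits and allowed values are copied from the parameter table on this page.
MAX_LEN = {"firstName": 240, "lastName": 240, "email": 240, "validityPeriod": 2,
           "specificEndDate": 10, "original_transaction_id": 32,
           "original_challenge": 32, "challenge": 32, "signatureAlgorithm": 32}
REQUIRED = ("firstName", "lastName", "email", "csr", "certProductType",
            "serverType", "validityPeriod", "original_challenge", "challenge")
# Assumption: "code signing certificates" covers all three code signing types.
THREE_YEAR_OK = {"PrivateServer", "CodeSigning", "JavaCodeSigning", "EVCodeSigning"}
SIG_ALGS = {"sha1WithRSAEncryption", "sha256WithRSAEncryption",
            "sha256WithRSAEncryptionFull", "ECDSAwithSHA256",
            "ECDSAwithSHA256andRSAroot"}


def build_renew_body(params):
    """Validate renewal parameters and return the form-encoded POST body."""
    p = {k: v for k, v in params.items() if v not in (None, "")}
    missing = [k for k in REQUIRED if k not in p]
    if missing:
        raise ValueError("missing required parameters: " + ", ".join(missing))
    if "original_certificate" not in p and "original_transaction_id" not in p:
        raise ValueError("need original_certificate or original_transaction_id")
    for name, limit in MAX_LEN.items():
        if len(p.get(name, "")) > limit:
            raise ValueError(f"{name} exceeds {limit} characters")
    if p["validityPeriod"] not in ("1Y", "2Y", "3Y"):
        raise ValueError("validityPeriod must be 1Y, 2Y, or 3Y")
    if p["validityPeriod"] == "3Y" and p["certProductType"] not in THREE_YEAR_OK:
        raise ValueError("3Y is valid only for Private SSL and code signing")
    alg = p.get("signatureAlgorithm", "sha256WithRSAEncryption")
    if alg not in SIG_ALGS:
        raise ValueError("unknown signatureAlgorithm")
    if p["certProductType"] == "EVCodeSigning" and alg != "sha256WithRSAEncryption":
        raise ValueError("EV Code Signing supports only sha256WithRSAEncryption")
    if p.get("ctLogOption", "public") not in ("public", "nolog"):  # case sensitive
        raise ValueError("ctLogOption must be exactly 'public' or 'nolog'")
    if len(p.get("subject_alt_names", "").split(",")) > 100:
        raise ValueError("subject_alt_names accepts at most 100 SANs")
    return urlencode(p)


# Constructed sample values; the csr value is a placeholder, not a real CSR.
SAMPLE = {"firstName": "John", "lastName": "Doe", "email": "johndoe@example.com",
          "csr": "PLACEHOLDER_BASE64_CSR", "certProductType": "Server",
          "serverType": "Netscape", "validityPeriod": "1Y",
          "original_transaction_id": "6b671d141321a8d743ab5616051d4ec",
          "original_certificate": "", "original_challenge": "old-phrase",
          "challenge": "new-phrase"}
```

The body carries both challenge phrases, so keep it out of application logs and send it only to the HTTPS endpoints listed above.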

Sample response

The renewal transaction response returns a status code and message code that indicates success or failure.

HTTP/1.0 200 OK
Content-Type: text/xml
Server: Apache/2.0.63
Date: Mon, 27 Nov 2006 23:22:49 GMT
Content-Length: 1256
Connection: Close

<Response xmlns="urn:symantec:api">
  <StatusCode>0x00</StatusCode>
  <Message>success</Message>
  <transaction_id>98345f3ebc1ba8d743ab5616051d4ff3</transaction_id>
  <Certificate>
-----BEGIN CERTIFICATE-----
2aqMj1qYBueyV/lx7py5lvEE+4FL/vRRO1qT......
-----END CERTIFICATE-----
  </Certificate>
</Response>
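
A client should confirm the status code before it installs anything from the response. The following is an added example, not code from this documentation or from Symantec: `parse_renew_response` is a hypothetical helper, the embedded response is constructed with a placeholder payload in place of a real certificate, and treating 0x00 as the only success status is an assumption based on the sample above.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"api": "urn:symantec:api"}  # namespace shown in the sample response

# Constructed response: same shape as the page's sample, with a short
# placeholder Base64 payload instead of a real certificate.
SAMPLE = """<Response xmlns="urn:symantec:api">
  <StatusCode>0x00</StatusCode>
  <Message>success</Message>
  <transaction_id>98345f3ebc1ba8d743ab5616051d4ff3</transaction_id>
  <Certificate>
-----BEGIN CERTIFICATE-----
Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXI=
-----END CERTIFICATE-----
  </Certificate>
</Response>"""


def parse_renew_response(xml_text):
    """Return (transaction_id, der_bytes, sha256_hex) or raise on failure."""
    # The response format has no DTD, so refuse one instead of expanding it.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not expected here")
    root = ET.fromstring(xml_text)
    status = root.findtext("api:StatusCode", "", NS).strip()
    message = root.findtext("api:Message", "", NS).strip()
    if status != "0x00":
        raise RuntimeError(f"renewal failed: {status} {message}")
    txid = root.findtext("api:transaction_id", "", NS).strip()
    pem = root.findtext("api:Certificate", "", NS)
    # Drop the BEGIN/END armor lines and join the Base64 body.
    lines = [line.strip() for line in pem.splitlines() if line.strip()]
    b64 = "".join(line for line in lines if not line.startswith("-----"))
    der = base64.b64decode(b64, validate=True)
    if not der:
        raise ValueError("response contains no certificate data")
    # The SHA-256 fingerprint can be recorded and compared with what is deployed.
    return txid, der, hashlib.sha256(der).hexdigest()
```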
