Replacing a certificate

Use the /replace resource to replace a valid certificate when its security has been compromised.

The request should contain the original certificate or transaction ID to retrieve the original transaction information for the certificate.

Service endpoints

Pilot

https://pilot-certmanager-webservices.websecurity.symantec.com/vswebservices/rest/services/replace

Production

https://certmanager-webservices.websecurity.symantec.com/vswebservices/rest/services/replace

Parameters

Table: Replacement request parameters (required)

| Name | Data type | Required | Max length | Description |
|---|---|---|---|---|
| original_certificate | Valid base-64 encoded certificate | Required if original_transaction_id is not present | | Base-64 encoded X.509 certificate from the original enrollment |
| original_transaction_id | Text | Required if original_certificate is not present | 32 | Transaction ID from the original enrollment |
| original_challenge | Text | Y | 32 | The challenge phrase from the original enrollment |
| challenge | Text | Y | 32 | A new challenge phrase for the requested certificate |
| reason | Text | Y | 32 | Reason for replacing the certificate |
| csr | Base-64 | Y | | Base-64 encoded PKCS#10 certificate signing request |
| specificEndDate | MM/DD/YYYY | N | 10 | The end date for the replacement certificate. For all public SSL/TLS certificates, the end date must be 2 years or less from the start date of the original certificate; for private SSL and code signing certificates, it must be 3 years or less from the start date of the original certificate. For this parameter to take effect, you must enable an option in the Control Center: go to the Configuration tab, Enrollment page, Select Certificate Lifecycle Options section, and select "Applicants can request a specific end date within the validity period". |

The following are optional. The system uses the information from the original certificate enrollment if they are not present. If you supply the following information, the new data overwrites the existing data.

Table: Replacement request parameters (optional)

| Name | Data type | Required | Max length | Description |
|---|---|---|---|---|
| firstName | Text | N | 240 | Subscriber's first name |
| middleInitial | Text | N | 1 | Subscriber's middle initial |
| lastName | Text | N | 240 | Subscriber's last name |
| email | Text | N | | Subscriber's email address |
| serverType | Text | Y | 64 | Server software type; see serverType for more information. This parameter is ignored for code signing certificates. |
| comment/additional_field3 | T61 | N | 512 | Comments from the subscriber |
| jobTitle | T61 | N | 64 | Job title. This field is configured as either required or optional in the Control Center, but is overwritten by the API value. |
| employeeID | T61 | N | 64 | Employee ID. This field is configured as either required or optional in the Control Center, but is overwritten by the API value. |
| serverIP/additional_field10 | T61 | N | 64 | Server IP. This field is configured as either required or optional in the Control Center, but is overwritten by the API value. |
| mailStop | T61 | N | 64 | Mail stop. This field is configured as either required or optional in the Control Center, but is overwritten by the API value. |
| additional_field# | T61 | N | 64 | Enter up to 10 additional fields; # indicates 1-10. |
| subject_alt_name# | Text | N | 50 | The subject alternative names (SANs). One certificate can secure the common name in the CSR plus additional domains entered as SANs (also known as subjectAltName). Each SAN must be an FQDN. Enter up to 20 SANs; # indicates 1-20. The newer format, subject_alt_names, supports up to 100 SANs. |
| subject_alt_names | Text | N | | A comma-separated list of domain names. Enter up to 100 SANs. Example: mail.example.com, blog.example.com, ftp.example.com. Note: you can use either subject_alt_name# (the older format, limited to 20 SANs) or the new subject_alt_names format. |
| signatureAlgorithm | Text | N | 32 | The certificate's signature algorithm. Enter one of the following values: sha1WithRSAEncryption, sha256WithRSAEncryption (default), sha256WithRSAEncryptionFull, ECDSAwithSHA256, ECDSAwithSHA256andRSAroot. Note: EV Code Signing certificates support only the sha256WithRSAEncryption signature algorithm. |
| ctLogOption | Text | N | | Optional and case sensitive. Sets the Certificate Transparency logging level for the certificate. Defaults to public (full Certificate Transparency logging), which is the best choice for public websites. Valid values: public (log domain names for best security; provides the best browsing experience and helps you monitor certificates issued for your domains) or nolog (do not log domain names; intended for private domains, to keep internal names hidden from the public, but Google Chrome disables the green address bar (EV only) and shows warnings when anyone connects to your site). |

For certificates with private subdomains (for example, "secretproject.example.com"), do not log your certificates. Apply the CT exemption policy on company devices so internal users do not see warnings in Chrome.

To learn more about Certificate Transparency, see Presenting Certificate Transparency logging options.

Sample request (POST)

POST https://certmanager-webservices.websecurity.symantec.com/
vswebservices/rest/services/replace HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 1846

original_transaction_id=8b8ffe85bfe70af2db47cc58bc4b0e4b
&original_certificate=&signatureAlgorithm=sha256WithRSAE
ncryption&reason=Key+compromise&firstName=john&middleIni
tial=&lastName=doe&email=john_doe@symantec.com&employeeI
D_req=N&employeeID_label=Employee+ID&employeeID=1234&Che
ckWeakKey=yes&serverType=Netscape&additional_field9=&csr
choice=text&csr=-----BEGIN+NEW+CERTIFICATE+REQUEST-----%
0D%0AMIICvjCCAaYCAQAweTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkN
hbGlmb3JuaWEx%0D%0AFjAUBgNVBAcTDU1vdW50YWluIFZpZXcxCzAJB
gNVBAsTAnNzMQ4wDAYDVQQKEwVt%0D%0AY2VscDEgMB4GA1UEAxMXMDg
yNTIwMTUtMS52ZXJpc2lnbi5jb20wggEiMA0GCSqG%0D%0ASIb3DQEBA
QUAA4IBDwAwggEKAoIBAQCGZJ5TZmBLvdq1wm5nKqSzmkOzM5sbwn2a%
0D%0AQU7uCb48ZYRECad%2B4f%2BOpGXrq6clnhOuILL3gd0IBjFWrHf
YqGQmHf0a%2FWMtLrqI%0D%0AtMZoYW6nKZMjUxnxUQ1AibueGCaBvx7
58%2BSYMfv2j%2F5EsRcjP1xT7KB2WN4lPbAn%0D%0AhMGv2AXP3SpFx
zMSam0r2h3ZTMtcO3ULAZZX1lzOF%2BSAbaMw0RPIcR6%2BMmNBkc7o%
0D%0AwOzBUyvZANbAawAlrJxrYGiJMRdx0qe%2Bm8uXTwE2JSCljQAL4
nozXzNGQNLdS8Z7%0D%0AqN36vqb%2Buq9LDV8aP%2BZsjQnsb3arjp1
PrVCpqLhNlt3bWGYHT1L3AgMBAAGgADAN%0D%0ABgkqhkiG9w0BAQsFA
AOCAQEATgDiuswLTdusSqk5Cr4nAZ6Jz9%2BtBsZytPTc%2BH%2BY%0D
%0AGcHzGzDok8YqfmP7TWYcsiQHiIzXzEhS6DzVMkktUCxR8gtACblsI
I%2BrLakwiYLn%0D%0AkTgtl4ZrBS3Z1TXexWMC%2FNreYzT1mHJ1UJ%
2BKp6G3oTjo55qbAu8D%2FoqweoqXgj1O%0D%0AUZ6%2FlCXvpV6Rluz
qzoW9ZGKlgbT3I0dODucH0ymdOAo73%2BU%2F5Uvo3t4ZPzo3Qt01%0D
%0Aghu1c%2Bp8H%2BMmwbVTVq4ibqHoKRE1qY1aY0ZYaJljzCjHAWJx9
oZrmOxjP%2FmaBUFg%0D%0ASXgmsoExEr0O3Yii3E3v2I%2BJ8TykP2E
Ibb8LTAiWiC55%2Fg%3D%3D%0D%0A-----END+NEW+CERTIFICATE+RE
QUEST-----%0D%0A&specificEndDate=&additionalField1=&addi
tionalField2=&additionalField3=&additionalField4=&additi
onalField5=&additionalField6=&additionalField7=&addition
alField8=&additionalField9=&additionalField10=&subject_a
lt_names=&challenge=%60%60%60%60&original_challenge=%60%
60%60%60&comment=&subAgreementID=&subAgreementVersion=

Sample response

The replacement response returns a status code and message code that indicates success or failure.

HTTP/1.0 200 OK
Content-Type: text/xml
Server: Apache/2.0.63
Date: Mon, 27 Nov 2006 23:22:49 GMT
Content-Length: 1256
Connection: Close

<Response xmlns="urn:symantec:api">
  <StatusCode>0x00</StatusCode>
  <Message>success</Message>
  <transaction_id>98345f3ebc1ba8d743ab5616051d4ff3</transaction_id>
  <Certificate>
-----BEGIN CERTIFICATE-----
2aqMj1qYBueyV/lx7py5lvEE+4FL/vRRO1qT......
-----END CERTIFICATE-----
  </Certificate>
</Response>
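The following is an added client-side example; it is not part of the vendor's documentation or SDK. It assembles the form-encoded /replace body from the parameters documented above, rejects input the parameter tables forbid (a missing original_transaction_id/original_certificate, text fields over 32 characters, more than 100 SANs, a SAN that is not an FQDN, a malformed specificEndDate), checks the specificEndDate validity rule against an original start date, and parses the XML response shown in the sample. Nothing is sent to the service: the CSR and certificate bodies are constructed placeholders, the FQDN pattern is this example's own assumption, and only the endpoint URL, the transaction id and the XML namespace come from the page.

```python
"""Build, validate and parse a Certificate Manager /replace exchange (added example)."""
import re
import xml.etree.ElementTree as ET
from datetime import date
from urllib.parse import urlencode

# Pilot endpoint from the page; shown only so the reader sees where the body would be POSTed.
REPLACE_URL = ("https://pilot-certmanager-webservices.websecurity.symantec.com"
               "/vswebservices/rest/services/replace")

MAX_TEXT = 32      # max length of challenge, original_challenge, reason, original_transaction_id
MAX_SANS = 100     # subject_alt_names limit
# Assumed FQDN check (not from the page): dotted labels, letters/digits/hyphens, no wildcard.
FQDN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
DATE_RE = re.compile(r"^\d{2}/\d{2}/\d{4}$")   # MM/DD/YYYY as documented
NS = {"s": "urn:symantec:api"}                  # namespace from the sample response


def end_date_allowed(original_start: date, requested_end: date, public_tls: bool) -> bool:
    """specificEndDate rule: at most 2 years after the original start for public SSL/TLS,
    at most 3 years for private SSL and code signing certificates."""
    years = 2 if public_tls else 3
    try:
        limit = original_start.replace(year=original_start.year + years)
    except ValueError:                       # original started on 29 February
        limit = original_start.replace(year=original_start.year + years, day=28)
    return original_start < requested_end <= limit


def build_replace_body(*, original_challenge, challenge, reason, csr_pem,
                       original_transaction_id="", original_certificate_pem="",
                       sans=(), specific_end_date="",
                       signature_algorithm="sha256WithRSAEncryption") -> str:
    """Return the application/x-www-form-urlencoded body, or raise ValueError."""
    if not (original_transaction_id or original_certificate_pem):
        raise ValueError("original_transaction_id or original_certificate is required")
    if not (original_challenge and challenge and reason and csr_pem):
        raise ValueError("original_challenge, challenge, reason and csr are required")
    for name, value in (("original_challenge", original_challenge), ("challenge", challenge),
                        ("reason", reason), ("original_transaction_id", original_transaction_id)):
        if len(value) > MAX_TEXT:
            raise ValueError(f"{name} exceeds {MAX_TEXT} characters")
    if len(sans) > MAX_SANS:
        raise ValueError(f"at most {MAX_SANS} SANs are allowed")
    bad = [s for s in sans if not FQDN_RE.match(s)]
    if bad:
        raise ValueError(f"each SAN must be an FQDN: {bad}")
    if specific_end_date and not DATE_RE.match(specific_end_date):
        raise ValueError("specificEndDate must be MM/DD/YYYY")
    fields = {
        "original_transaction_id": original_transaction_id,
        "original_certificate": original_certificate_pem,
        "original_challenge": original_challenge,
        "challenge": challenge,
        "reason": reason,
        "csr": csr_pem,
        "signatureAlgorithm": signature_algorithm,
        "subject_alt_names": ", ".join(sans),   # comma-separated list, as documented
        "specificEndDate": specific_end_date,
    }
    return urlencode(fields)   # quote_plus encoding, like the page's sample (spaces become '+')


def parse_replace_response(xml_text: str) -> dict:
    """Extract status code, message, transaction id and the certificate PEM (if present)."""
    root = ET.fromstring(xml_text)
    status = (root.findtext("s:StatusCode", namespaces=NS) or "").strip()
    cert = root.findtext("s:Certificate", namespaces=NS)
    return {
        "ok": status == "0x00",              # 0x00 is the success code in the sample response
        "status_code": status,
        "message": (root.findtext("s:Message", namespaces=NS) or "").strip(),
        "transaction_id": (root.findtext("s:transaction_id", namespaces=NS) or "").strip(),
        "certificate_pem": cert.strip() if cert and cert.strip() else None,
    }


# Constructed sample inputs: placeholder CSR and a response modelled on the page's sample.
SAMPLE_CSR = ("-----BEGIN NEW CERTIFICATE REQUEST-----\r\n"
              "MIIC...CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CSR...\r\n"
              "-----END NEW CERTIFICATE REQUEST-----\r\n")
SAMPLE_RESPONSE = """<Response xmlns="urn:symantec:api">
  <StatusCode>0x00</StatusCode>
  <Message>success</Message>
  <transaction_id>98345f3ebc1ba8d743ab5616051d4ff3</transaction_id>
  <Certificate>
-----BEGIN CERTIFICATE-----
MIIB...CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERTIFICATE...
-----END CERTIFICATE-----
  </Certificate>
</Response>"""

if __name__ == "__main__":
    body = build_replace_body(
        original_transaction_id="8b8ffe85bfe70af2db47cc58bc4b0e4b",   # id from the page's sample
        original_challenge="old-phrase", challenge="new-phrase",
        reason="Key compromise", csr_pem=SAMPLE_CSR,
        sans=("mail.example.com", "blog.example.com"))
    print("POST", REPLACE_URL)
    print(body[:120], "...")
    print(parse_replace_response(SAMPLE_RESPONSE))
```

The body is validated before encoding because the service reports a rejected parameter only after the round trip; checking the 32-character limits and the FQDN rule locally gives a clearer error and avoids sending a challenge phrase that the API would truncate or refuse. A real client would POST `body` to `REPLACE_URL` with `Content-Type: application/x-www-form-urlencoded` and feed the response text to `parse_replace_response`.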
