| ID | Role | Description |
|---|---|---|
| 1 | Administrator | Full administrative access, including create divisions and users, manage user access. |
| 2 | Limited user | Place and manage only their own orders. |
| 3 | Finance manager | Manage finances, place and manage orders. |
| 4 | Manager | Manage finances, create and approve requests, manage orders and domains, view and edit users. |
| 5 | Standard user | Place and manage orders. All changes require approval by a manager or administrator. |
| Role ID | Role name | Description |
|---|---|---|
| 0 | N/A |
No restrictions. Permissions are inherited from access role of the user that is assigned to the key. |
| 100 | Orders | Limits the key to these actions: Orders, Requests, and Certificates. |
| 101 | Orders, Domains, Organizations | Limits the key to these actions: Orders, Requests, Certificates, Organizations, and Domains. |
| 102 | View Only | Limits key to GET requests only. |
All returned certificates use PEM encoding, which includes header and footer lines.
| Format name | Content-Type | Certificate file extension | Description |
|---|---|---|---|
| default |
application/zip
|
.crt
|
ZIP archive containing individual root, intermediate, and end-entity certificate files. |
| apache |
application/zip
|
.crt
|
ZIP archive containing individual intermediate and end-entity certificate files. |
| default_cer |
application/zip
|
.cer
|
ZIP archive containing individual root, intermediate, and end-entity certificate files. |
| cer |
application/x-pkcs7-certificates
|
.cer
|
Single P7B bundle file containing root, intermediate, and end-entity certificates. |
| p7b |
application/x-pkcs7-certificates
|
.p7b
|
Single P7B bundle file containing root, intermediate, and end-entity certificates. |
| default_pem |
application/zip
|
.crt
|
ZIP archive containing individual root, intermediate, and end-entity certificate files. |
| pem_all |
application/x-pem-file
|
.pem
|
Single PEM bundle containing root, intermediate, and end-entity certificate entries. |
| pem_nointermediate |
application/x-pem-file
|
.pem
|
Single PEM file containing only end-entity certificate entry. |
| pem_noroot |
application/x-pem-file
|
.pem
|
Single PEM bundle containing intermediate and end-entity certificate entries. |
Certificate profiles allow you to do more with your certificates. Some options allow you to include an additional field in your certificate, while others allow you to include an additional x.509 extension.
These certificate profiles must be turned on for your account. They are not part of the default CertCentral configuration. To enable a certificate profile for your account, reach out to your account representative or contact our Support team.
| Name | Description |
|---|---|
| data_encipherment | Include Data Encipherment key usage extension in an OV, EV, or Private SSL/TLS certificate. |
| non_repudiation | Include Non-Repudiation key usage extension in an OV, EV, or Private SSL/TLS certificate. |
| non_repudiation_and_data_enciph | Include both Non-Repudiation and Data Encipherment key usage extensions in an OV, EV, or Private SSL/TLS certificate. |
| http_signed_exchange | Include CanSignHTTPExchanges extension in an OV or EV SSL/TLS certificate. |
| delegated_credentials | Include DelegationUsage extension in an OV or EV SSL/TLS certificate. |
| ocsp_must_staple | Include OCSP Must-Staple extension in an OV or EV SSL/TLS certificate. |
| intel_vpro_eku | Include Intel vPro EKU (Extended Key Usage) field in an OV SSL/TLS certificate. |
| kdc_smart_card | Include KDC/SmartCardLogon EKU (Extended Key Usage) field in an OV SSL/TLS certificate. |
The anything input type is never specified in the metadata response. Instead, the data_type parameter is simply omitted, indicating the custom order field uses the anything input type.
| Type | Description |
|---|---|
| anything |
No input validation. Uses the input html tag for the form field.
|
| text |
No input validation. Uses the textarea html tag for the form field.
|
| int |
Allows only integers as input. Uses the input html tag for the form field.
|
| email_address |
Allows only a single valid email address as input. Uses the input html tag for the form field.
|
| email_list |
Allows multiple valid email addresses as input. Does not allow duplicate email addresses. Uses the input html tag for each email address.
|
| Code | Currency |
|---|---|
| AUD | Australian dollar |
| CHF | Swiss franc |
| GBP | British pound sterling |
| EUR | Euro |
| HKD | Hong Kong dollar |
| JPY | Japanese yen |
| SGD | Singapore dollar |
| SEK | Swedish krona |
| TWD | Taiwan dollar |
| USD | US dollar |
| Code | Language | language_id |
|---|---|---|
| en | English | 1 |
| de | German | 5 |
| es | Spanish | 2 |
| fr | French | 3 |
| it | Italian | 6 |
| ja | Japanese | 13 |
| kr | Korean | 14 |
| nl | Dutch | 17 |
| pt_br | Portuguese | 4 |
| ru | Russian | 15 |
| zh_cn | Simplified Chinese | 11 |
| zh_tw | Traditional Chinese | 12 |
If you provision a code signing certificate using email or client_app, you must have a supported hardware token or a FIPS 140-2+ Level 2 or Common Criteria EAL4+ compliant HSM that supports ECC P-256 or RSA 3072-bit key sizes or larger. If you don't have a compatible hardware token or HSM, you will not be able to install the certificate on your device.
| Method | Description |
|---|---|
|
DigiCert emails the certificate to you. Install the certificate on your own supported hardware token or HSM device. |
|
| ship_token | DigiCert installs the certificate on a certified hardware token and ships the token to the address provided. |
| client_app |
Use the DigiCert Hardware Certificate Installer to install the certificate on an existing DigiCert provided, certified token. See also: Qualified Tokens for EV Code Signing Certificates |
| Certificate type | CSR |
|---|---|
| ssl_certificate | Required for all orders. |
| dv_ssl_certificate | Required for all orders. |
| client_certificate | Optional for all orders. |
| code_signing_certificate |
Required for these uses:
|
| Method | Description |
|---|---|
DigiCert sends domain validation emails to the following email addresses:
|
|
| dns‑cname‑token | Create a DNS CNAME record for the domain that contains a random value. |
| http-token |
Add a file that contains a random value and make it publicly available on the domain. DigiCert only supports the use of the file-based DCV method to demonstrate control over fully qualified domain names (FQDNs) exactly as named in the certificate request. To learn more, visit File-based domain control validation (http-token). |
| dns-txt-token | Create a DNS TXT record for the domain that contains a random value. |
|
(Deprecated) http-token-static |
A legacy value for file-based DCV. The http-token-static label has the same meaning as http-token.
|
| ID | Name |
|---|---|
| sha256 | SHA-256 |
| sha384 | SHA-384 |
| sha512 | SHA-512 |
| sha1 |
SHA-1 Note: Per industry standards, DigiCert does not support SHA-1 for publicly trusted certificates, including:
|
Headers are based on the RFC 2616 specification.
| Status | Description |
|---|---|
| 200 | General success response |
| 201 | Created: Useful for creation of requests, orders, etc |
| 204 | No Content: For successful requests that don't require a response |
| 301 | Moved Permanently: Returned in the unlikely event that a URL has changed. Will also return a LOCATION header with new URL. Clients should resubmit this request and submit future requests to this new URL |
| 302 | Moved Temporarily: Returned in the unlikely event that a URL has changed temporarily. Will also return a LOCATION header with new URL. Clients should resubmit this single request to this new URL |
| 304 | Content not modified: Useful when accessing a URL while waiting for a response. Only used if an IF-NONE-MATCH header was passed |
| 400 | General client error |
| 401 | Unauthorized: Returned if the page is accessed without a valid API Key |
| 403 | User doesn't have permission to perform the requested action |
| 404 | Returned if the page doesn't exist or the API doesn't have permission to interact with a particular item |
| 406 | If the client doesn't specify a valid acceptable content-type |
| 429 | Too many requests. The client has sent too many requests in a given amount of time. |
| 500 | Unexpected behavior that the API couldn't recover from |
| 503 | The system is currently unavailable |
| Status | Description |
|---|---|
| pending | Initial order status. |
| reissue_pending | Reissue was requested and is pending. |
| rejected | Order request was rejected. |
| processing | Order was approved and is being processed. |
| issued | Order was validated and certificate can be downloaded. |
| revoked | Order was revoked. |
| canceled | Order was canceled. |
| needs_csr | Order requires a CSR before it can be processed. |
| needs_approval | Order request requires approval before is can be processed. |
| expired | Order has expired. |
| Status |
|---|
| VALID |
| REVOKED |
| EXPIRED |
| UNDETERMINED |
| Rating |
|---|
| At risk |
| Not secure |
| Secure |
| Very secure |
| Vulnerability |
|---|
| BEAST |
| BREACH |
| CRIME |
| DROWN |
| FREEK |
| Heartbleed |
| LogJam |
| POODLE (SSLv3) |
| POODLE (TLS) |
| RC4 |
| SWEET32 |
| NO_VULNERABILITY_FOUND |
Allowed payment_method values when using the API to submit a certificate order request.
| Name | Description |
|---|---|
| balance | Pay with account balance. |
| card | Pay with a new credit card. |
| profile | Pay with default credit card saved to the account. |
Actual product list will vary by account. Use the Get product list endpoint to see available products.
| Name ID | Group name | Name |
|---|---|---|
| ssl_dv_geotrust | dv_ssl_certificate | GeoTrust Standard DV SSL Certificate |
| ssl_dv_rapidssl | dv_ssl_certificate | RapidSSL Standard DV SSL Certificate |
| ssl_dv_thawte | dv_ssl_certificate | Thawte SSL123 DV |
| ssl_dv_ee | dv_ssl_certificate | Encryption Everywhere DV |
| wildcard_dv_geotrust | dv_ssl_certificate | GeoTrust Wildcard DV SSL Certificate |
| wildcard_dv_rapidssl | dv_ssl_certificate | RapidSSL Wildcard DV SSL Certificate |
| cloud_dv_geotrust | dv_ssl_certificate | GeoTrust Cloud DV |
| ssl_dv_geotrust_flex | dv_ssl_certificate | Geotrust DV SSL |
| ssl_plus | ssl_certificate | Standard SSL Certificate |
| ssl_multi_domain | ssl_certificate | SSL Multi Domain Certificates |
| ssl_wildcard | ssl_certificate | Wildcard Certificate |
| ssl_ev_plus | ssl_certificate | EV SSL Certificate |
| ssl_ev_multi_domain | ssl_certificate | SSL EV Multi Domain Certificate |
| ssl_cloud_wildcard | ssl_certificate | SSL Cloud Certificates |
| ssl_basic | ssl-certificate | Basic OV |
| ssl_ev_basic | ssl-certificate | Basic EV |
| ssl_thawte_webserver | ssl_certificate | Thawte SSL Webserver OV |
| ssl_ev_thawte_webserver | ssl_certificate | Thawte SSL Webserver EV |
| ssl_geotrust_truebizid | ssl_certificate | GeoTrust TrueBusiness ID OV |
| ssl_ev_geotrust_truebizid | ssl_certificate | GeoTrust TrueBusiness ID EV |
| ssl_securesite_pro | securesite_ssl_certificate | Secure Site Pro SSL |
| ssl_ev_securesite_pro | securesite_ssl_certificate | Secure Site Pro EV SSL |
| ssl_securesite | securesite_ssl_certificate | Secure Site SSL |
| ssl_securesite_multi_domain | securesite_ssl_certificate | Secure Site Multi-Domain SSL |
| ssl_securesite_wildcard | securesite_ssl_certificate | Secure Site Wildcard SSL |
| ssl_ev_securesite | securesite_ssl_certificate | Secure Site EV SSL |
| ssl_ev_securesite_multi_domain | securesite_ssl_certificate | Secure Site EV Multi-Domain SSL |
| ssl_securesite_flex | securesite_ssl_certificate | Secure Site OV |
| ssl_ev_securesite_flex | securesite_ssl_certificate | Secure Site EV |
| client_premium | client_certificate | Client Premium Certificate |
| client_email_security_plus | client_certificate | Client Email Security Plus Certificate |
| client_digital_signature_plus | client_certificate | Client Digital Signature Plus Certificate |
| client_authentication_plus | client_certificate | Client Authentication Plus Certificate |
| class1_smime | client_certificate | Class 1 S/Mime Certificate |
| client_grid_premium | grid_certificate | GRID Client Premium Certificate |
| grid_host_ssl | grid_certificate | GRID Host SSL Plus Certificate |
| grid_host_ssl_multi_domain | grid_certificate | GRID Host SSL Multi Domain Certificates |
| client_grid_robot_fqdn | grid_certificate | GRID Robot FQDN Certificate |
| client_grid_robot_name | grid_certificate | GRID Robot Name Certificate |
| client_grid_robot_email | grid_certificate | GRID Robot Email Certificate |
| private_ssl_plus | private_ssl_certificate | Private SSL Plus Certificate |
| private_ssl_wildcard | private_ssl_certificate | Private SSL Wildcard Certificate |
| private_ssl_multi_domain | private_ssl_certificate | Private SSL Multi Domain Certificate |
| private_ssl_flex | private_ssl_certificate | Private SSL OV |
| code_signing | code_signing_certificate | Code Signing Certificate |
| code_signing_ev | code_signing_certificate | EV Code Signing Certificate |
| document_signing_org_1 | document_signing | Document Signing Organization (2000) Certificate |
| document_signing_org_2 | document_signing | Document Signing Organization (5000) Certificate |
| vmc_basic | verified_mark_certificate | Verified Mark Certificate |
| Type |
|---|
| client_certificate |
| code_signing_certificate |
| dv_ssl_certificate |
| ssl_certificate |
| verified_mark_certificate |
When downloading a certificate, the server platform determines in which format the certificate should be sent.
| Platform | Certificate format | ID |
|---|---|---|
| Apache | apache | 2 |
| Barracuda | default | 41 |
| Bea Weblogic 7 and older | pem_all | 29 |
| BEA Weblogic 8 & 9 | p7b | 42 |
| Cisco | default | 30 |
| Citrix (Other) | pem_noroot | 39 |
| Citrix Access Essentials | default | 46 |
| Citrix Access Gateway 4.x | pem_noroot | 50 |
| Citrix Access Gateway 5.x and higher | apache | 58 |
| cPanel | apache | 43 |
| F5 Big-IP | apache | 31 |
| F5 FirePass | apache | 32 |
| IBM HTTP Server | default_cer | 7 |
| Java Web Server (Javasoft / Sun) | p7b | 10 |
| Juniper | default | 33 |
| Lighttpd | apache | 44 |
| Lotus Domino | default | 11 |
| Mac OS X Server | apache | 49 |
| Microsoft Exchange Server 2003 | cer | 47 |
| Microsoft Exchange Server 2007 | cer | 36 |
| Microsoft Exchange Server 2010 | cer | 48 |
| Microsoft Exchange Server 2013 | cer | 68 |
| Microsoft Exchange Server 2016 | cer | 71 |
| Microsoft Forefront Unified Access Gateway | cer | 66 |
| Microsoft IIS 1.x to 4.x | default | 13 |
| Microsoft IIS 10 | cer | 70 |
| Microsoft IIS 5 or 6 | cer | 14 |
| Microsoft IIS 7 | cer | 40 |
| Microsoft IIS 8 | cer | 67 |
| Microsoft Live Communications Server 2005 | cer | 37 |
| Microsoft Lync Server 2010 | cer | 59 |
| Microsoft Lync Server 2013 | cer | 69 |
| Microsoft OCS R2 | p7b | 60 |
| Microsoft Office Communications Server 2007 | cer | 38 |
| Microsoft Small Business Server 2008 & 2011 | default | 62 |
| Netscape Enterprise Server | default | 15 |
| Netscape iPlanet | default | 9 |
| nginx | pem_noroot | 45 |
| Novell iChain | default | 65 |
| Novell NetWare | cer | 17 |
| Oracle | default | 18 |
| Qmail | pem_all | 34 |
| SunOne | default | 35 |
| Tomcat | p7b | 24 |
| WebStar | default | 26 |
| Zeus Web Server | default | 28 |
| Other | default | -1 |
| Platform | ID |
|---|---|
| Adobe AIR | 52 |
| Apple OS X | 53 |
| Microsoft Authenticode | 51 |
| Microsoft Office VBA | 54 |
| Mozilla | 56 |
| Sun Java | 55 |
| Other | 57 |
| Platform | Device type | Supported key sizes | ID |
|---|---|---|---|
| SafeNet eToken 5110 CC | Token |
|
23 |
| SafeNet eToken 5110 FIPS | Token |
|
20 |
|
Other Must be a FIPS 140-2 Level 2 or Common Criteria EAL4+ compliant device. |
HSM |
|
-1 |
| Permission action |
|---|
| add_domains |
| create_child_enterprise |
| create_child_reseller |
| create_child_retail |
| create_containers |
| create_discovery_report |
| create_discovery_scan |
| create_discovery_sensor |
| create_domains |
| create_guest_keys |
| create_organizations |
| create_users |
| delete_account_scans |
| delete_scan |
| edit_container |
| edit_domains |
| edit_guest_keys |
| edit_organizations |
| edit_users |
| manage_account_metadata |
| manage_api_access |
| manage_discovery_report |
| manage_discovery_scan |
| manage_discovery_sensor |
| manage_finances |
| manage_guest_keys |
| manage_ip_access |
| manage_order_user_access |
| manage_orders |
| manage_org_container_assignments |
| manage_requests |
| manage_settings |
| manage_tfa |
| manage_user_container_assignments |
| place_orders |
| review_requests |
| saml_attribute_mapping |
| saml_manage_idp |
| saml_map_idp |
| saml_organization_mapping |
| saml_sso |
| tools_links |
| update_scan |
| view_api_access |
| view_child_account |
| view_container |
| view_discovery_report |
| view_discovery_scan |
| view_discovery_sensor |
| view_domains |
| view_finances |
| view_guest_keys |
| view_orders |
| view_organizations |
| view_reports |
| view_scan |
| view_users |
When you set up a bill-to-parent subaccount, you can choose to display prices in the subaccount's preferred currency. This is for display only. Parent accounts and subaccounts that DigiCert bills directly always receive invoices in the DigiCert-supported currency associated with the account. For officially supported currencies, see DigiCert currencies.
| Code | Currency |
|---|---|
| ARS | Argentine peso |
| AUD | Australian dollar |
| BRL | Brazilian real |
| GBP | British pound sterling |
| BND | Brunei dollar |
| KHR | Cambodia riel |
| CAD | Canadian dollar |
| CNY | Chinese yuan renminbi |
| COP | Colombian peso |
| EUR | Euro |
| HKD | Hong Kong dollar |
| INR | Indian rupee |
| IDR | Indonesia rupiah |
| JPY | Japanese yen |
| LAK | Lao kip |
| MYR | Malaysian ringgit |
| MXN | Mexican peso |
| MMK | Myanmar kyat |
| NZD | New Zealand dollar |
| NOK | Norwegian krone |
| PHP | Philippine peso |
| RUB | Russian ruble |
| SGD | Singapore dollar |
| ZAR | South African rand |
| KRW | South Korean won |
| SEK | Swedish krona |
| CHF | Swiss franc |
| TWD | Taiwan dollar |
| THB | Thailand baht |
| TRY | Turkish lira |
| USD | US dollar |
| VND | Vietnam dong |
| Type | Description |
|---|---|
| retail | CertCentral Basic account |
| enterprise | CertCentral Enterprise account |
| reseller | CertCentral Reseller account |
| managed | API only account (no CertCentral UI access) |
| Status | Description |
|---|---|
| active | Normal user status. |
| incomplete | User has not completed the sign up process. |
| inactive | User profile and settings exist, but user cannot sign in. |
| Type |
|---|
| cs |
| ds |
| ev |
| ev_cs |
| grid |
| ov |
| private_grid |
| private_ssl |
| ra_ev |
| ra_ov |
| wfa |
The status property for an organization describes whether the organization is active or inactive in your CertCentral account.
The status property for an organization is not related to the validation status for the organization. To get the validation status for an organization, use the Validation details endpoint.
| Status | Description |
|---|---|
| active |
Organization is active. This means:
|
| inactive |
Organization is inactive. This means:
|
| Status | Description |
|---|---|
| pending | The validation is pending. |
| active | The validation is active. |
| rejected |
DigiCert's validation agents have removed or rejected the validation. To re-submit an organization for validation, use the Submit for validation endpoint. |
| expired | The validation has expired. |
The is_active property for a domain describes whether the domain is active or inactive in your CertCentral account.
The is_active property for a domain is not related to the validation status for the domain. To get the validation status for a domain, use the Domain info endpoint.
| Description | |
|---|---|
"is_active": true (active)
|
Domain is active. This means:
|
"is_active": false (inactive)
|
Domain is inactive. This means:
|
| Status | Description |
|---|---|
| pending | The domain validation is pending. |
| approved | The domain validation is approved and on file. |
| rejected |
DigiCert's validation agents have removed or rejected the validation. To re-submit a domain for validation, use the Submit for validation endpoint. |
| expired | The validation has expired. |