OV/EV certificate immediate issuance

This workflow guide is only for OV/EV certificate orders. To use immediate certificate issuance for DV orders, see DV certificate immediate issuance.

When you order certificates through the API, too much time is often spent just waiting for the certificate to be issued. By following the steps in this workflow guide, you can use our immediate issuance feature to get your certificate issued immediately and reduce your API calls by up to 70%.

Overview

To take advantage of immediate issuance, these prerequisites must be met:

  • Your account is configured to auto approve requests or skip the request process.
  • The organization associated with the certificate is prevalidated.
  • All domains to be secured by the certificate are prevalidated.
  • The API key used to submit the order has permissions to approve certificate requests.

When all of these prerequisites are met, your issued certificate is returned in the response body. If any of these prerequisites are missing, immediate issuance cannot happen.

Approval step settings

By default, your CertCentral account is configured for one-step certificate request approvals. For immediate certificate issuance to work, the approval step needs to be bypassed. This can be done in one of two ways:

  • Automatically approve certificate requests: Orders still go through the request process and appear in your requests list.
  • Skip approval step: Orders skip the approval step entirely and do not appear in the request list.

Because the above configuration changes are mutually exclusive, you'll need to decide which one you want to make based on your specific integration and organizational needs.

Both configurations allow Administrators and Managers to bypass the approval step for OV certificate requests. However, to bypass the EV certificate approval step, the user linked to the API key being used must also be designated as an EV approver.

Configure settings

  1. In your account, in the sidebar menu, click Settings > Preferences.

  2. On the Division Preferences page, scroll down and click + Advanced Settings.

  3. Under Certificate Requests, find the Approval Steps options.

  4. To bypass the approval step, choose one of these approval step options:

    • Select One step: certificate requests must be approved, then check Automatically approve certificate requests when the requester is also an approver.
    • Select Skip approval step: remove the approval step from your certificate order processes.

  5. When you are finished, click Save Settings.

With the approval step bypassed, the next step is to prevalidate the organization and domains on your certificate.

If your organization and domains have already been prevalidated, you can skip to Submit your certificate order.

Prevalidate organization and domains

Add an organization

Before you can submit an organization for validation, you need to add one to your CertCentral account. This is done using the Create organization endpoint.

This example request body adds the organization to your account using the Create organization endpoint.

Request body
{
    "name": "DigiCert, Inc.",
    "assumed_name": "DigiCert",
    "country": "us",
    "address": "2801 North Thanksgiving Way",
    "address2": "Suite 500",
    "city": "Lehi",
    "state": "ut",
    "zip": "84043",
    "telephone": "801-701-9600",
    "container": {
        "id": 123456
    },
    "organization_contact": {
        "first_name": "John",
        "last_name": "Smith",
        "job_title": "IT Admin",
        "email": "john.smith@digicert.com",
        "telephone": "801-701-9600"
    }
}
201 Created
{
  "id": 112236
}

The id parameter in the response body contains the ID of the newly added organization. You'll use this number in the next step when you submit the organization for validation.

Validate an organization

With the organization added, you're ready to submit it for validation using the Organization – Submit for validation endpoint.

Replace the {{organization_id}} placeholder in the endpoint URL with the ID that was returned in the response body when you added the organization.

This example request body submits the organization for OV and EV certificate validation.

Request body
{
  "validations": [
    {
      "type": "ov"
    },
    {
      "type": "ev",
      "verified_users": [
        {
          "id": 112233
        }
      ]
    }
  ]
}
204 No Content
// empty

Add and validate a domain

Repeat this step for each domain to be secured by the certificate.

Now you're ready to add your domain and submit it for validation. To prevalidate a domain, use the Add domain endpoint.

This example request body adds a domain, assigns it to an organization, and submits it for OV and EV certificate validation. It also specifies the DCV method you want to use to demonstrate control over the domain.

Request body
{
    "name": "example.com",
    "organization": {
        "id": 112233
    },
    "validations": [
        {
            "type": "ov"
        },
        {
            "type": "ev"
        }
    ],
    "dcv_method": "email"
}
201 Created
{
    "id": 123356,
    "validation_emails": {
        "name_scope": "example.com",
        "base_emails": [
            "postmaster@example.com",
            "administrator@example.com",
            "hostmaster@example.com",
            "admin@example.com",
            "webmaster@example.com"
        ],
        "whois_emails": [
            "domain-management@example.com"
        ]
    }
}

After submitting your domain for validation, you'll need to complete the domain's DCV before immediate issuance can occur.

Submit your certificate order

All submit order endpoints support immediate certificate issuance (Order EV/OV SSL, Order Secure Site SSL, Order DV SSL).

This example request body sends a certificate request using the Order EV/OV SSL endpoint. Because all immediate issuance requirements have been met, the full certificate chain is returned in the response body.

When using the Skip approval step setting, make sure to include the skip_approval parameter with a value of true. See Best practices – Always include skip_approval parameter for more info.

If any of the prerequisites are missing, immediate issuance won't happen. Instead of receiving the full certificate chain, you'll receive the standard Submit order response body.

Request body
{
  "certificate": {
    "common_name": "example.com",
    "dns_names": [
      "sub.example.com",
      "app.example.com"
    ],
    "csr": "<csr>",
    "server_platform": {
      "id": 45
    },
    "signature_hash": "sha256",
    "organization_units": [
      "Accounting department"
    ]
  },
  "validity_years": 2,
  "comments": "Message for the approver",
  "disable_renewal_notifications": true,
  "dcv_method": "email",
  "locale": "en",
  "payment_method": "balance",
  "skip_approval": true,
  "organization": {
    "id": 112233
  },
  "custom_fields": [
    {
      "metadata_id": 11,
      "value": "Invoice #00001"
    }
  ]
}
201 Created
{
  "id": 112339,
  "certificate_id": 132345,
  "certificate_chain": [
    {
      "subject_common_name": "example.com",
      "pem": "<pem_certificate>"
    },
    {
      "subject_common_name": "DigiCert SHA2 Secure Server CA",
      "pem": "<pem_certificate>"
    },
    {
      "subject_common_name": "DigiCert Global Root CA",
      "pem": "<pem_certificate>"
    }
  ]
}
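
Because a missing prerequisite silently turns the response into the standard Submit order body, client code should branch on whether certificate_chain is present rather than assume issuance. The following Python is an added example, not DigiCert code: the function names and sample bodies are constructed (IDs and names copied from the response above), and it assumes the leaf certificate is the first chain entry, as shown on this page, and that the standard response still carries the order id.

```python
PEM_HEADER = "-----BEGIN CERTIFICATE-----"

def handle_order_response(status, body, expected_cn):
    """Classify a Submit order response as immediately issued or still pending."""
    if status != 201:
        raise RuntimeError(f"order not created: HTTP {status}")
    chain = body.get("certificate_chain") or []
    if not chain:
        # A prerequisite was missing: no chain came back, so the certificate
        # has to be collected later, once the order is actually issued.
        return {"issued": False, "order_id": body["id"]}
    # Assumption: the first entry is the end-entity certificate.
    leaf_cn = chain[0].get("subject_common_name")
    if leaf_cn != expected_cn:
        raise ValueError(f"leaf CN {leaf_cn!r} != requested {expected_cn!r}")
    for entry in chain:
        if not entry.get("pem", "").lstrip().startswith(PEM_HEADER):
            raise ValueError(f"{entry.get('subject_common_name')!r} is not PEM")
    bundle = "\n".join(e["pem"].strip() for e in chain) + "\n"
    return {"issued": True, "order_id": body["id"],
            "certificate_id": body["certificate_id"], "pem_bundle": bundle}

def _pem(tag):
    # Constructed stand-in for a PEM certificate (not a real certificate).
    return f"{PEM_HEADER}\n{tag}\n-----END CERTIFICATE-----\n"

# Constructed sample of an immediate-issuance response.
ISSUED = {"id": 112339, "certificate_id": 132345, "certificate_chain": [
    {"subject_common_name": "example.com", "pem": _pem("leaf")},
    {"subject_common_name": "DigiCert SHA2 Secure Server CA", "pem": _pem("ica")},
    {"subject_common_name": "DigiCert Global Root CA", "pem": _pem("root")},
]}
# Constructed minimal stand-in for the standard Submit order response.
PENDING = {"id": 112339}

if __name__ == "__main__":
    for label, body in (("issued", ISSUED), ("pending", PENDING)):
        result = handle_order_response(201, body, "example.com")
        print(label, result["issued"], result["order_id"])
```
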