docs.digicert.com
Open in
urlscan Pro
45.60.44.211
Public Scan
URL:
https://docs.digicert.com/en/certcentral/manage-certificates/dns-caa-resource-record-check.html
Submission: On December 17 via api from PH — Scanned from US
Submission: On December 17 via api from PH — Scanned from US
Form analysis 2 forms found in the DOM
<form autocomplete="off" class="site-sidebar-search"><input class="form-control search-field" id="aa-search-input" placeholder="Search" type="text"></form><form id="product-filter-form">
<label>
<input type="checkbox" id="select-all"> Select All </label>
<label>
<input type="checkbox" name="product-filter" value="certcentral" checked=""> CertCentral </label>
<label>
<input type="checkbox" name="product-filter" value="trust-lifecycle-manager"> Trust Lifecycle Manager </label>
<label>
<input type="checkbox" name="product-filter" value="software-trust-manager"> Software Trust Manager </label>
<label>
<input type="checkbox" name="product-filter" value="iot-trust-manager"> IoT Trust Manager </label>
<label>
<input type="checkbox" name="product-filter" value="document-trust-manager"> Document Trust Manager </label>
<label>
<input type="checkbox" name="product-filter" value="digicert-keylocker"> DigiCert KeyLocker </label>
<label>
<input type="checkbox" name="product-filter" value="digicert-one"> DigiCert ONE </label>
<label>
<input type="checkbox" name="product-filter" value="device-trust-manager"> Device Trust Manager </label>
</form>Text Content
Skip to main content
Toggle navigation
* Developers
* * English
* Deutsch
* Español
* Français
* Italiano
* 日本語
* 한국어
* Nederlands
* Português
* 中文(简体)
* 中文(繁體)
*
*
Toggle navigation
* What's new
* Change log
* CertCentral
* Older changes
* Change log: 2023
* Change log: 2022
* Change log: 2021
* Release notes
* Trust Lifecycle Manager
* Device Trust Manager
* IoT Trust Manager
* Document Trust Manager
* Software Trust Manager
* DigiCert KeyLocker
* Account Manager
* CA Manager
* Older releases
* Release notes: 2023
* Trust Lifecycle Manager
* IoT Trust Manager
* Document Trust Manager
* Software Trust Manager
* DigiCert KeyLocker
* Account Manager
* CA Manager
* Release notes: 2022
* December 21, 2022
* Account Manager
* Enterprise PKI Manager
* Secure Software Manager
* December 15, 2022
* Enterprise PKI Manager
* DigiCert ® IoT Trust Manager
* December 14, 2022
* DigiCert ® IoT Trust Manager
* Document Signing Manager
* CA Manager
* Secure Software Manager
* Enterprise PKI Manager
* December 8, 2022
* Account Manager
* CA Manager
* Document Signing Manager
* Secure Software Manager
* November 17, 2022
* Enterprise PKI Manager
* November 8, 2022
* Secure Software Manager
* November 2, 2022
* CA Manager
* Secure Software Manager
* DigiCert ® IoT Trust Manager
* October 12, 2022
* Account Manager
* CA Manager
* Document Signing Manager
* Enterprise PKI Manager
* Enterprise PKI Manager Patch: October 3, 2022
* Enterprise PKI Manager Patch: October 10, 2022
* Enterprise PKI Manager Patch: October 25, 2022
* DigiCert ® IoT Trust Manager
* Secure Software Manager
* September 8, 2022
* Account Manager
* Account Manager Patch: September 12, 2022
* Account Manager Patch: September 19, 2022
* CA Manager
* CA Manager Patch: September 26, 2022
* Document Signing Manager
* Enterprise PKI Manager
* Enterprise PKI Manager Patch: September 12, 2022
* DigiCert ® IoT Trust Manager
* Secure Software Manager
* Secure Software Manager Patch: September 19, 2022
* August 3, 2022
* Account Manager
* CA Manager
* Document Signing Manager
* Document Signing Manager Patch: August 16, 2022
* Enterprise PKI Manager
* DigiCert ® IoT Trust Manager
* DigiCert ® IoT Trust Manager Patch: August 9, 2022
* Secure Software Manager
* July 6, 2022
* Account Manager
* Account Manager Patch: July 8, 2022
* Account Manager Patch: July 12, 2022
* CA Manager
* Document Signing Manager
* Document Signing Manager Update: July 28, 2022
* Enterprise PKI Manager
* DigiCert ® IoT Trust Manager
* Secure Software Manager
* Secure Software Patch: July 15, 2022
* Secure Software Patch: July 19, 2022
* June 1, 2022
* Account Manager
* CA Manager
* CA Manager Patch: June 22, 2022
* Enterprise PKI Manager
* DigiCert ® IoT Trust Manager
* Secure Software Manager
* Secure Software Manager Patch: June 23, 2022
* Secure Software Manager Patch: June 10, 2022
* Secure Software Manager Patch: June 27, 2022
* May 4, 2022
* Account Manager
* CA Manager
* Document Signing Manager
* Secure Software Manager
* IoT Manager
* Enterprise PKI Manager
* Secure Software Manager Patch: May 26, 2022
* April 6, 2022
* Account Manager
* CA Manager
* Secure Software Manager
* DigiCert ® IoT Trust Manager
* Enterprise PKI Manager
* March 2, 2022
* DigiCert ONE Update: March 17, 2022
* Account Manager
* CA Manager
* Document Signing Manager
* Enterprise PKI Manager
* DigiCert ® IoT Trust Manager
* Secure Software Manager
* February 2, 2022
* Account Manager
* Account Manager Patch: February 9, 2022
* CA Manager
* CA Manager Patch: February 9, 2022
* CA Manager Patch: February 14, 2022
* Document Signing Manager Patch: February 3, 2022
* DigiCert ® IoT Trust Manager
* DigiCert ® IoT Trust Manager Patch: February 9, 2022
* Enterprise PKI Manager
* Secure Software Manager Patch: February 9, 2022
* Secure Software Manager Patch: February 16, 2022
* Secure Software Manager Patch: February 17, 2022
* January 12, 2022
* Account Manager
* CA Manager
* Document Signing Manager
* Secure Software Manager
* Release notes: 2021
* December 16, 2021
* Account Manager
* CA Manager
* Enterprise PKI Manager
* Secure Software Manager
* November 24, 2021
* Account Manager
* CA Manager
* Enterprise PKI Manager
* DigiCert ® IoT Trust Manager
* Secure Software Manager
* October 20, 2021
* Enterprise PKI Manager
* October 6, 2021
* Account Manager
* CA Manager
* Document Signing Manager
* Enterprise PKI Manager
* Secure Software Manager
* September 22, 2021
* Account Manager
* CA Manager
* Enterprise PKI Manager
* September 15, 2021
* CA Manager
* Enterprise PKI Manager
* September 1, 2021
* Account Manager
* CA Manager
* Secure Software Manager
* Enterprise PKI Manager
* August 18, 2021
* CA Manager
* Enterprise PKI Manager
* Secure Software Manager
* August 4, 2021
* Account Manager
* CA Manager
* Secure Software Manager
* Enterprise PKI Manager
* July 7, 2021
* Account Manager
* CA Manager
* Enterprise PKI Manager
* Secure Software Manager
* June 2, 2021
* Account Manager
* CA Manager
* Enterprise PKI Manager
* May 19, 2021
* Account Manager
* CA Manager
* Enterprise PKI Manager
* Secure Software Manager
* May 5, 2021
* Account Manager
* CA Manager
* Secure Software Manager
* April 7, 2021
* Account Manager
* CA Manager
* Enterprise PKI Manager
* Secure Software Manager
* Secure Software Manager Patch: April 7, 2021
* March 17, 2021
* Account Manager
* Enterprise PKI Manager
* March 3, 2021
* Account Manager
* CA Manager
* Secure Software Manager
* Enterprise PKI Manager
* February 3, 2021
* Account Manager
* CA Manager
* Enterprise PKI Manager
* Secure Software Manager
* Secure Software Manager Patch: February 18, 2021
* Release notes: 2020
* December 16, 2020
* Account Manager
* CA Manager
* Document Signing Manager
* DigiCert ONE Enterprise PKI Manager
* December 2, 2020
* Announcement
* Account Manager
* CA Manager
* Secure Software Manager
* Enterprise PKI Manager
* November 18, 2020
* Account Manager
* CA Manager
* Secure Software Manager
* Enterprise PKI Manager
* November 4, 2020
* Secure Software Manager
* Enterprise PKI Manager
* October 7, 2020
* Account Manager
* CA Manager
* Secure Software Manager
* DigiCert ® IoT Trust Manager
* Enterprise PKI Manager
* September 24, 2020
* Account Manager
* CA Manager
* Secure Software Manager
* September 9, 2020
* Account Manager
* CA Manager
* Secure Software Manager
* Enterprise PKI Manager
* September 2, 2020
* Account Manager
* CA Manager
* August 27, 2020
* Enterprise PKI Manager
* August 27, 2020
* Announcement
* Account Manager
* CA Manager
* Secure Software Manager
* DigiCert ® IoT Trust Manager
* Enterprise PKI Manager
* July 29, 2020
* Account Manager
* CA Manager
* Document Signing Manager
* DigiCert ® IoT Trust Manager
* Signing Manager
* July 1, 2020
* Account Manager
* CA Manager
* Signing Manager
* DigiCert ® IoT Trust Manager
* Enterprise PKI Manager
* June 1, 2020
* Announcement
* Account Manager
* CA Manager
* Signing Manager
* DigiCert ® IoT Trust Manager
* Enterprise PKI Manager
* Maintenance schedules
* DigiCert Global 2024 maintenance schedule
* DigiCert Europe 2024 maintenance schedule
* DigiCert 2024年メンテナンススケジュール
* DigiCert Europe 2025 maintenance schedule
* DigiCert Global 2025 maintenance schedule
* DigiCert 2025年メンテナンススケジュール
* Older maintenance schedules
* Maintenance schedules: 2023
* DigiCert Global 2023 maintenance schedule
* DigiCert Europe 2023 maintenance schedule
* DigiCert 2023年メンテナンススケジュール
* Maintenance schedules: 2022
* DigiCert 2022 maintenance schedule
* DigiCert 2022年メンテナンススケジュール
* DigiCert ONE
* Account Manager
* Get started
* Introduction
* Before you begin
* Step 1: Add accounts
* Step 2: DigiCert ONE access
* Step 3: DigiCert ONE API tokens and service users
* Create your API token
* Create a service user
* Account Manager
* Accounts
* Organizations
* Add an organization
* Update an organization
* Delete an organization
* Add organization contacts
* Update an organization contact
* Delete an organization contact
* Users and access
* Create a user
* Resend the account setup email
* Update a user
* Delete a user
* Allow user creation via SSO
* Automate user creation and deletion with the Account Manager REST API
* User roles
* Create a custom user role
* Clone a user role
* List of user roles
* Account Manager user roles
* CA Manager user roles
* Document Trust Manager user roles
* IoT Trust Manager user roles
* Software Trust Manager user roles
* Trust Lifecycle Manager user roles
* KeyLocker user roles
* Add and manage API tokens
* Create your API token
* Edit your API token
* Disable and enable your API token
* Disable your API token
* Enable your API token
* Delete your API token
* Service users
* Create a service user
* Disable a service user
* Enable a service user
* Create and manage authentication certificates
* API token authentication certificates
* Create your API token authentication certificate
* Disable or enable an API token authentication certificate
* Service user authentication certificates
* Create a service user authentication certificate
* Disable or enable a service user authentication certificate
* Audit logs
* Sign-in methods
* Username and password authentication
* Confirm your username
* Reset password
* Disable and enable password only
* Disable DigiCert ONE password authentication
* Enable DigiCert ONE password authentication
* Single sign-on with SAML
* Configure single sign-on with SAML
* Edit your single sign-on with SAML configuration
* Single sign-on with OpenID Connect
* Configure single sign-on with OIDC
* Edit your single sign-on with OIDC configuration
* Disable single sign-on with OIDC
* Two-factor authentication
* Enable two-factor authentication (2FA)
* Disable two-factor authentication
* Set up two-factor authentication for your administrator account
* OAuth v2 integration
* CA Manager
* Get started
* CA Manager walkthrough
* Manage root and intermediate CAs
* Accounts
* Defaults: OCSP, CRL, AIA Issuer, and Certificate Policies
* CRLs
* Domains
* Create a root CA
* Create an intermediate CA
* Import a root CA
* Import an intermediate CA
* Download and export root CA certificates
* Download a root CA certificate
* Export a root CA certificate
* What's next
* Download and export intermediate CA certificates
* Download an intermediate CA certificate
* Export an intermediate CA certificate
* What's next
* Revoke an intermediate CA
* Download a signed CRL blob
* SafeNet Luna HSM
* Thales DPoD
* Set up OCSP responder
* Key management
* Allowlist IP addresses and URLs
* DigiCert support plans
* DigiCert support plans for partners
* CertCentral
* Get started
* Set up your CertCentral account
* Manage certificates
* Client certificates guide
* Secure Email Certificates
* Order your Secure Email for Individual certificate
* Order your Secure Email for Organization certificate
* Order your Secure Email for Business certificate
* Order your client certificate
* Reissue your client certificate
* Renew your client certificate
* Cancel pending client certificate orders
* Cancel pending client certificate reissues
* Client certificate revocation process
* Revoke a client certificate
* Approve client certificate revocation request (Admin)
* Resend the email validation for DigiCert client certificate email
* Resend the "create your DigiCert client certificate" email
* Turn on client certificate renewal notifications
* Configure the client certificate approval process
* Generate your client certificate
* Configure Outlook to use your Email Security Plus Personal ID
Certificate
* SAML admin certificate requests guide
* SAML certificate requests prerequisites
* SAML certificate requests service workflow
* SAML request a certificate workflow
* Configure SAML certificate requests
* SAML certificate requests: Get a copy of the XML file with DigiCert’s
SP metadata
* Turn off SAML certificate requests
* Restore access to SAML Certificate Requests accounts
* SAML: Request a client certificate
* SAML: Generate your client certificate
* SAML: Download a copy of your client certificate
* SAML: Submit a request to revoke a client certificate
* SAML: Resend the Create Your DigiCert Client Certificate email
* Allow access to SAML settings
* Add a manager with the SAML permission
* Edit a manager account and assign them the SAML permission
* Secure Site certificate benefits
* Access Secure Site priority support
* Access Secure Site site seals
* Access Secure Site malware check
* Revoke an issued TLS/SSL certificate
* Submit a request to revoke an TLS/SSL certificate
* Submit a request to revoke a single certificate on an order
* Approve (or reject) a certificate revocation request
* Get a copy of your TLS/SSL certificate
* Download a TLS/SSL certificate from your CertCentral account
* Email a TLS/SSL certificate from your CertCentral account
* Add or replace the CSR on a pending certificate order
* Order your TLS/SSL certificates
* Order an OV wildcard TLS/SSL certificate
* Order an OV single or multi-domain TLS/SSL certificate
* Order an EV single or multi-domain TLS/SSL certificate
* Organization and domain management
* Validation process
* Organization validation
* TLS certificate organization validation process
* Domain validation
* Manage organizations
* Add an organization to your CertCentral account
* Submit an organization for pre-validation
* Enable adding non-CertCentral account users as verified contacts
* Edit organization details
* Replace the organization contact
* Replace the technical contact
* CertCentral: Delete and deactivate organizations
* Deactivate organizations in your CertCentral account
* Delete organizations from your CertCentral account
* Manage domains
* Supported domain control validation (DCV) methods for domain
prevalidation
* Hide alternative domain control validation (DCV) methods
* Add a domain and validate it using the Email DCV method
* Validate a domain using a DNS CNAME
* Add a domain, authorize the domain for certificates, and use DNS TXT
as the validation method
* Add a domain and validate it using HTTP practical demonstration
* Add a domain and validate it using HTTP practical demonstration with
unique filename as the validation method
* Common mistakes: HTTP practical demonstration DCV method
* Change a domain's domain control validation (DCV) method
* Domain prevalidation: Revalidate your domain before validation
expires
* Domain prevalidation: Bulk domain revalidation
* CertCentral: Delete and deactivate domains
* Delete domains in your CertCentral account
* Deactivate domains in your CertCentral account
* Domain locking
* Manage certificate request approvals
* Approve a certificate request
* Remove the approval step from the certificate order process
* Enable automatic certificate request approvals
* Resend the verified contact approval email
* Grant a Limited user access to a certificate order
* Automatic certificate renewal
* Turn on automatic certificate renewals
* Turn off automatic certificate renewals
* Set default user for Auto-Renew certificate orders
* Turning on automatic renewals for a certificate
* Client Certificate: Turn on automatic renewals
* Code signing certificate: Turn on automatic renewals
* Turn off automatic renewals for a certificate
* Client Certificate: Turn Off Automatic Renewals
* Code signing certificates: Turn off automatic renewals
* Individual certificate renewal notifications
* Turn off renewal notifications for a certificate order
* Turn on renewal notifications for a certificate order
* Basic and business TLS/SSL certificate enrollment
* Supported DCV methods for validating the domains on OV/EV TLS/SSL
certificate orders
* Use Email verification to verify domain control on an OV or EV TLS
certificate
* Use DNS CNAME to validate a domain on a pending OV or EV TLS
certificate
* Use the DNS TXT validation method to verify domain control
* Use the HTTP Practical Demonstration DCV method to verify domain
control
* Use the HTTP Practical Demonstration with unique filename DCV method to
verify domain control
* Common mistakes: HTTP Practical Demonstration DCV method
* Edit common name and SANs on a pending TLS/SSL order: new, renewal, and
reissue
* Cancel a certificate order
* Choose the language preference for your account
* Logging public TLS/SSL certificates in to public CT logs
* Does DigiCert log all certificates to public CT logs?
* When and when not to log public TLS/SSL certificates
* Keeping TLS/SSL certificates out of public CT logs
* Methods for keeping TLS/SSL certificates out of CT logs
* Allow users to keep certificates out of CT logs
* CT logging certificate detail added
* Enable the CT log exclusion feature on your account
* See if a certificate was logged to CT logs
* Turn off CT logging for your account
* Check if CT logging is disabled for your account
* Add an unlogged TLS/SSL certificate to public CT logs
* DV TLS/SSL certificate enrollment
* Ordering DV certificates
* Order a RapidSSL Standard DV Certificate
* Order a RapidSSL Wildcard DV Certificate
* Order a GeoTrust DV SSL Certificate
* Canceling a DV certificate order
* Domain Control Validation (DCV) methods
* Use Email verification to validate a domain on a DV TLS certificate
* Use the DNS TXT DCV Method
* Use the HTTP Practical Demonstration (File) DCV method
* Use DNS CNAME to validate domains on a pending DV TLS certificate
* HTTP practical demonstration DCV method: Common mistakes
* Accessing a DV certificate
* Download a DV certificate
* Email a DV certificate from your CertCentral account
* Reissuing DV Certificates
* Reissue a RapidSSL Standard DV Certificate
* Reissue a RapidSSL Wildcard DV Certificate
* Reissue a GeoTrust Standard DV certificate
* Reissue a GeoTrust Wildcard DV certificate
* Reissue a GeoTrust Cloud DV certificate
* Canceling pending reissues on DV certificates
* Renewing DV certificates
* Renew a RapidSSL Standard DV certificate
* Renew a RapidSSL Wildcard DV certificate
* Renew a GeoTrust Standard DV certificate
* Renew a GeoTrust Wildcard DV certificate
* Renew a GeoTrust Cloud DV certificate
* Revoke an issued DV certificate
* Submit a request to revoke a DV certificate
* Approve (or reject) a certificate revocation request
* Restrictions on data entries for public certificates
* Certificate profile options
* Get your Signed HTTP Exchanges certificate
* Holen Sie sich Ihr Signed-HTTP-Exchange-Zertifikat
* Demande de certificat Signed HTTP Exchange
* SXG (Signed HTTP Exchanges)証明書を取得する
* Renew an SSL/TLS certificate
* Upgrade product on renewal settings
* Code signing certificates
* Protect private keys
* Order a Code Signing certificate
* Order an EV Code Signing certificate
* Get more KeyLocker signatures
* Reissue your Code Signing certificate
* Reissue an EV Code Signing certificate
* Renew your code signing certificate
* Resend the "Create Your DigiCert Code Signing Certificate" email
* Download a code signing certificate
* Revoke a code signing certificate
* Submit a request to revoke a Code Signing/EV Code Signing certificate
* Document signing certificates
* Order your document signing certificate
* Renew a document signing certificate
* Reissue an SSL/TLS certificate
* Add SANs to your multi-domain SSL/TLS certificate
* Duplicate a TLS/SSL certificate
* Flex certificates: Duplicate an SSL/TLS certificate
* DNS CAA resource record check
* Edit a domain's CAA resource record
* EV certificate countries
* Flex certificates
* Vouchers
* Automatic domain control validation checks
* Mark a migrated certificate order as renewed
* Multi-year Plans
* End of 2-Year DV, OV, and EV public SSL/TLS certificates
* ICA certificate chain selection feature for public TLS certificates
* Configure the ICA certificate chain feature for your public TLS
certificates
* Setting the "validTo" time on certificates
* DigiCert site seals
* Configure your DigiCert Smart Seal
* Configure your DigiCert brand site seal
* Install your DigiCert site seal
* Troubleshooting: Site seal installation
* Report Library
* Build and edit an Audit log report
* Build and edit a Balance history report
* Build and edit a Domains report
* Build and edit an FQDN report
* Build and edit an Orders Report
* Build and edit an Organizations report
* Downloading and viewing reports in the Report Library
* What are the most useful types of reports I can generate?
* What are some common reports and how do I generate them?
* Troubleshooting reports
* Review all OV domains affected by the reduced 397-day validity period
* Verified Mark Certificate (VMC)
* Common Mark Certificate (CMC)
* Update DNS records when DigiCert hosts your files
* Image and file hosting for Verified Mark Certificates and Common Mark
Certificates
* VMCs for government marks
* コモンマーク証明書(CMC)
* EU (eIDAS) products
* Order your EU Qualified Personal certificate
* Order your EU Qualified Personal Organisation certificate
* Order your EU Qualified eSeal certificate
* Order your EU Qualified eSeal PSD2 certificate
* Order your EU Qualified Website Authentication Certificate
* Order your EU Qualified Website Authentication Certificate PSD2
* Advisory: 8 March 2023 Intermediate Certificate Authorities (ICA)
certificates expired
* Certificate tools
* Discovery cloud scan service
* Run a single cloud scan
* Discovery user guide
* Discovery prerequisites
* Discovery workflow and permissions
* Discovery troubleshooting
* Sensor installation requirements
* Install a sensor
* Linux: Install a sensor
* Microsoft Windows: Install a sensor
* Docker: Install a sensor
* Kubernetes: Install a sensor
* Sensor file structure
* Configure a sensor to use a proxy server for communications
* Change sensor proxy settings
* Retrieve sensor proxy settings
* Activate a sensor
* Linux: Activate a sensor
* Microsoft Windows: Activate or start a sensor
* Docker: Activate or start a sensor
* Stop a sensor
* Linux: Stop a sensor
* Windows: Stop a sensor
* Docker: Stop a sensor
* Update a sensor
* Docker: Update a sensor
* Kubernetes: Update a sensor
* Windows and Linux: Update a sensor
* Restart a sensor
* Linux: Restart a sensor
* Microsoft Windows: Restart a sensor
* Docker: Restart a sensor
* Suspend a sensor
* Void a sensor
* Uninstall a sensor
* Linux: Uninstall a sensor
* Windows: Uninstall a sensor
* Docker: Uninstall a sensor
* Kubernetes: Uninstall a sensor
* Rename a sensor
* Set up and run a scan
* Edit a scan
* Sensor troubleshooting
* Add public and private root and intermediate CAs
* Blocklist IP addresses and FQDNs
* Manually upload certificates
* Delete all scan records from scan results
* Discovery renewal notices
* Enable Discovery renewal notifications
* Disable Discovery renewal notifications
* Renewal notification per discovered certificate
* Enable renewal notices for a discovered certificate
* Disable renewal notices for a discovered certificate
* TLS/SSL certificate vulnerabilities
* Certificate name mismatch
* Internal names
* Missing or misconfigured fields and values
* SHA-1 hashing algorithm
* Weak hashing algorithm
* Weak keys
* TLS/SSL endpoint vulnerabilities
* BEAST
* BREACH
* CRIME
* FREAK
* Heartbleed bug
* Logjam attack
* RC4 cipher enabled
* DROWN
* POODLE (SSLv3)
* Sweet32
* POODLE (TLS)
* Cross-site scripting (XSS)
* SQL injection
* Cross-domain policy
* CSRF
* Supported endpoint configuration
* Replace a certificate
* SSH keys
* Certificate lifecycle automation guides
* Automation service overview
* Automation actions
* Deployment options
* CertCentral automation menus
* Automation workflows
* CertCentral managed automation
* Get started with managed automation
* Managed automation workflow
* Set up ACME agent-based automation for hosts
* System and network requirements
* Install and activate an ACME automation agent
* Configure an ACME automation agent
* Use a proxy or sensor with host automations
* Set up managed automation for a custom application
* Manage blocked agent ports
* Next steps
* Set up sensor-based automation for network appliances
* System and network requirements
* Install and activate a sensor
* Configure a sensor for automation
* Verify and finalize sensor configuration
* Sensor configuration examples
* Create a DNS integration to automate DV certificates on load
balancers
* High availability on F5 BIG-IP load balancers
* Next steps
* Automation profiles
* Schedule automation events
* Configure automatic renewal of certificates
* Request duplicate certificates
* Certificates eligible for retry
* Get multiple TLS/SSL certificates using SNI automation
* Common Name (CN) for a wildcard certificate
* Discovery service integration with automation
* Install DigiCert agents in silent mode
* Overview of silent mode installation
* Prepare for silent mode installation
* Windows agent silent mode preparation
* Linux agent silent mode preparation
* Install Windows agents in silent mode
* Group Policy Object (GPO) installation method
* PsExec installation method
* Install Linux agents in silent mode
* Installation commands
* Use Ansible to automate installation
* Third-party ACME integration
* ACME automation workflow
* Add ACME credentials in CertCentral
* Enterprise and non-subscription accounts
* Subscription accounts
* Install third-party ACME client software
* Request and manage certificates with ACME
* ACME automation actions
* Certbot: Issue and install certificate for Apache
* Certbot: Issue and install certificate for NGINX using DNS-01
domain validation
* Certbot: Issue and install certificate for Apache using HTTP-01
domain validation
* Certbot: Renew, reissue, or duplicate certificate using ACME URL
query parameters
* Use legacy CertCentral ACME credentials
* Use Ansible with CertCentral ACME
* Use Kubernetes cert-manager with CertCentral ACME
* Troubleshoot automation issues
* Known issues for managed automation
* Known issues for third-party ACME clients
* Troubleshooting scenarios for third-party ACME clients
* CertCentral users cannot perform automation tasks
* Azure Key Vault integration guide
* Order an SSL/TLS certificate from Key Vault account
* CT log monitoring service
* Enable CT log monitoring
* Disable CT log monitoring
* Enable CT log monitoring urgent notification
* Disable CT log monitoring urgent notification
* Vulnerability assessment service
* Enable vulnerability assessment service
* Disable vulnerability assessment service
* Configure the vulnerability assessment service email notifications
* Manage account
* OIDC Single Sign-On guide
* OIDC certificate requests prerequisites
* Configure OpenID Connect (OIDC) Single Sign-On
* Sign in using OIDC
* Update OIDC settings
* Delete OIDC settings
* SAML Admin Single Sign-On Guide
* SAML Single Sign-On prerequisites
* SAML service workflow
* Configure SAML Single Sign-On
* SAML SSO: Get a copy of the XML file with DigiCert’s SP metadata
* Turn off SAML Single Sign-on
* Restore SAML Single Sign-on for CertCentral accounts
* Allow access to SAML Settings permission
* Add a manager with the SAML permission
* Edit a manager account and assign them the SAML permission
* Managing SAML Single Sign-on (SSO) users
* Administrators and managers: SAML SSO-only versus SAML SSO account
* SAML SSO account users versus SAML SSO-only users
* Difference when converting SAML SSO-only and SAML SSO account users
* Add a SAML SSO-only or a SAML SSO account user
* Convert a SAML SSO-only or SAML SSO account user
* SAML SSO: Invite users to join your account
* Unlock a "locked" CertCentral account
* Add a credit card to your CertCentral account
* Deactivate an account credit card
* Set up account credit
* Add a value added or goods and services tax number to your CertCentral
account
* Generate certificate price quotes in CertCentral
* Add a new user to your CertCentral account
* Resend the "DigiCert User Account Created – Action Required" email
* User roles in your CertCentral account
* CertCentral user roles and account access
* Unrestricted versus restricted
* Roles and account access
* Subroles
* Manage users
* Add a user to your CertCentral account
* Resend the create account instructions to a new user
* Invite users to join your CertCentral account
* Create your CertCentral user account
* Approve a new user's account
* Unlock a locked account
* CertCentral and DigiCert account user management guide
* User management tasks: CertCentral versus DigiCert account
* CertCentral: Add a user
* CertCentral: Approve the new user and assign permission
* Update a user's CertCentral access
* Delete a user from CertCentral or disable their CertCentral access
* Configure the process for adding users to CertCentral from DigiCert
account
* Division management
* Create a division
* Customize your certificate request forms
* Manage custom order form fields
* Custom order forms fields features
* Add a custom field to your request forms
* Deactivate a custom order form field
* Activate a custom order form field
* Pending requests: Finish required and optional custom fields
* Use your custom fields to search for specific orders
* Limit who can add new organizations from request forms
* Limit who can add new contacts from request forms
* Guest URLs
* Create a Guest URL
* Send a Guest URL to non-CertCentral account holders
* Edit a Guest URL
* Delete a Guest URL
* View Guest URLs
* CertCentral notifications
* Add emergency contacts to your account
* Set up account notification recipients
* Certificate renewal notifications
* Configure escalation renewal notifications
* Configure renewal notifications
* Configure certificate lifecycle recipient settings
* Set the language for CertCentral email notifications
* Customize email templates
* CertCentral account DCV settings
* CertCentral DCV methods settings
* CertCentral DCV verification email recipient settings
* CertCentral Domain validation scope settings
* Configure Private SSL certificate products
* CertCentral account balance and PO process changes
* Subaccount management
* Create and configure a subaccount
* Managed subaccounts
* Subaccount orders
* Send subaccount invitations
* Commissions
* Configure bill-to-parent subaccount spending limits
* DigiCert support plans
* DigiCert support plans for partners
* DigiCert user and account deactivation and deletion policy
* CertCentral two-factor authentication
* CertCentral account configuration settings for two-factor
authentication
* Configure two-factor authentication requirements for your CertCentral
account
* Enable 30-day computer verification for OTP app authentication
* CertCentral: Customize your account password settings
* Set up and reset the second factor of your two-factor authentication
* Generate your client certificate for two-factor authentication
* Set up your one-time password application
* Set up your one-time password verification email
* Reset your OTP app or verification email or your client certificate
* Guest access
* Add approved user email domains
* CertCentral subscriptions
* Common questions about CertCentral subscriptions
* Cancel a service from your subscription
* Restart a canceled service
* Cancel your CertCentral subscription
* Restart your CertCentral subscription
* Keep valid certificates after your subscription ends
* What happens when a certificate is revoked?
* How DigiCert Subscriptions affect CertCentral Services API integrations
* Upgrade to CertCentral
* Welcome QuoVadis users
* Before you begin
* Get started
* Validation
* Discovery
* Reporting
* Support and training
* Common tasks
* Order from a guest URL
* Trust Lifecycle Manager
* What do you want to learn about?
* Overview
* Platform components
* Initial setup
* Key concepts
* Account
* Dashboard
* Users and access
* User roles
* Access permissions
* API access
* Business units
* Default business unit
* Create business units
* Change business unit names
* Change seat types allocated to business units
* Manage admins for business units
* Seats
* Seat types
* Seat consumption
* Seat management
* Create seats
* Enroll seats
* Edit seats
* Delete seats
* View audit trails for seats
* Settings
* Admin contact
* Branding
* Self-service portal
* Automation
* Discovery
* CA certificates
* Notifications
* Scripts
* Inventory
* View inventory
* Manage inventory
* Certificate statuses
* Certificate attributes and extensions
* Subject Distinguished Name (DN) attributes
* Subject Alternative Name (SAN) attributes
* Unique attributes
* Key usage
* Extended key usage
* Certificate renewals
* Standard renewal flow
* CSR
* Browser PKCS12
* SCEP
* EST
* DigiCert Trust Assistant
* DigiCert Desktop Client
* View certificate issues
* Connectors
* Certificate authorities
* AWS Private CA
* DigiCert CertCentral
* DigiCert PKI Platform 8
* Entrust discovery
* Let's Encrypt
* Microsoft CA
* Legacy Microsoft CA connectors
* Step CA
* DNS integrations
* Supported DNS providers
* Add a DNS integration for domain validation
* Create a customized DNS script
* Assign an existing DNS integration to automate domain validation on
more systems
* Infrastructure automation
* Ansible
* Chef
* ACME-based enrollment
* API-based enrollment
* Istio
* Puppet
* ACME-based enrollment
* API-based enrollment
* SaltStack
* ACME-based enrollment
* API-based enrollment
* IT service management
* ServiceNow
* Network appliances and cloud services
* Supported systems
* Connect to a network appliance or cloud service
* Manage connected network appliances and cloud services
* Authentication methods for AWS connectors
* Minimum required permissions for AWS unified connectors
* Scan solutions
* Qualys
* Tenable
* Unified endpoint management
* Microsoft Intune
* Vaults
* Azure Key Vault
* HashiCorp Vault
* HashiCorp Vault setup - Common environment
* HashiCorp Vault setup - Kubernetes and cert-manager
* HashiCorp Vault configuration and certificate operations
* Configuration APIs
* Role APIs
* Certificate APIs
* View connectors data
* Manage connectors
* Connector statuses
* Certificate profiles
* Base templates
* Create certificate profiles
* View certificate profiles
* Manage certificate profiles
* Download certificate profile configurations (JSON)
* Edit certificate profiles
* Clone certificate profiles
* Suspend certificate profiles
* Activate suspended certificate profiles
* Delete certificate profiles
* Add allowed list for server profiles
* Enrollments
* Create enrollments
* View enrollments
* Manage enrollments
* Enrollment statuses
* Request new certificates with automated delivery
* Discovery tools
* System scans
* Prerequisites
* Enable system scans
* Manage system scans
* View discovered assets
* Network scans
* Enable network scans
* Manage network scans
* View scan details and results
* Certificate lifecycle automation
* Supported systems
* Prerequisites
* Managed automation workflow
* Create certificate automation profiles
* Manage certificate deployments
* Install a new certificate on an unsecured IP/port
* Manage an existing certificate deployment
* Bulk manage multiple certificate deployments
* Track status of certificate automation requests
* Set up managed automation for custom applications
* Post-quantum cryptography (PQC)
* Issue PQC Dilithium certificates
* Issue PQC Falcon certificates
* Issue PQC SPHINCS+ certificates
* Issue PQC composite certificates
* Reporting and auditing
* Report library (advanced custom reporting)
* Create custom reports
* View custom reports
* Manage custom reports
* Audit logs
* Client tools
* Deploy and manage agents
* System and network requirements
* Install and activate agents
* Install DigiCert agents in silent mode
* Overview of silent mode installation
* Prepare for silent mode installation
* Windows agent silent mode preparation
* Linux agent silent mode preparation
* Install Windows agents in silent mode
* Group Policy Object (GPO) installation method
* PsExec installation method
* Install Linux agents in silent mode
* Installation commands
* Use Ansible to automate installation
* View agent details
* Configure agents
* Manual agent approval process
* Agent groups
* Agent scripts
* Script types
* Add scripts
* Assign scripts to an agent
* Bulk assign scripts to multiple agents
* Agent statuses
* Manage agents
* Deploy and manage sensors
* System and network requirements
* Install and activate sensors
* Configure a sensor to use a proxy server for communications
* Sensor statuses
* Update sensor name
* Suspend sensors
* Delete sensors
* Suspend or delete multiple sensors
* Update a sensor
* Sensor debug mode
* Download sensor reports
* User permissions for sensor automation
* DigiCert Trust Assistant
* DigiCert Trust Assistant Admin Guide
* Overview
* Prerequisites
* Network requirements
* Supported algorithms
* DigiCert ONE login using DigiCert Trust Assistant
* Authenticate users with AD FS and DigiCert ® account
* DigiCert ONE Login - Supplying claims using Okta
* Create a certificate profile with DigiCert Trust Assistant
* About DigiCert ONE login profile
* Prerequisites for DigiCert ONE Login
* IdP attribute mapping
* Create a DigiCert ONE Login profile
* Deliver DigiCert ONE login URL to the users
* Test user creation and certificate issuance
* About device certificate
* Post-processing scripts
* System scripts
* Custom scripts
* Install DigiCert Trust Assistant
* Download the DigiCert Trust Assistant installer
* Install the DigiCert Trust Assistant in silent mode
* Deliver DigiCert Trust Assistant using Group Policies
* Issue test certificate from DigiCert Trust Lifecycle using DigiCert
Trust Assistant
* DigiCert Trust Assistant User Guide
* Overview
* Prerequisites
* Supported browsers
* Supported hardware tokens
* Using Yubico tokens
* Install
* Taskbar
* Dashboard
* DigiCert Software KeyStore
* Key storage management
* Token session
* View info
* Certificate management
* Certificate Details
* Generate key and CSR
* Import a certificate
* Export certificates
* Generate signature hash
* Delete certificates
* Post-processing scripts
* Configure post-processing script timeout in DigiCert Trust
Assistant
* Rerun failed post-processing scripts in DigiCert Trust Assistant
* Notifications
* Signing in with DigiCert ONE
* Login using DigiCert ONE
* Auto-enrollment and renewal of a certificate
* Manual certificate enrollment and renewal
* Certificate profiles
* Issued certificates
* Sync user
* Re-authenticate device certificate
* Log management
* Advanced mode
* Devices
* Diagnostics
* Update application
* Uninstall DigiCert Trust Assistant
* Files created by DigiCert Trust Assistant
* Configuration
* Issue certificate from DigiCert ® Trust Lifecycle Manager using
DigiCert Trust Assistant
* Troubleshooting
* Troubleshoot post-processing scripts
* Integration guides
* Autoenrollment Server
* Introduction
* Prerequisites
* Install and Deploy
* Install Autoenrollment Server
* Configure DCOM access rights
* Set permissions
* Configure firewall settings
* Configure Group Policies
* Install Certification Authority management tools
* Allow publishing to Active Directory
* Configure Autoenrollment Server
* Obtain an API token
* Obtain a client authentication certificate
* Set the Autoenrollment Configuration utility
* Log properties configuration options
* Create the autoenrollment certificate profile
* Import the autoenrollment configuration file
* Configure Autoenrollment Server for high availability
* SafeNet HSM installation and configuration
* SafeNet Network HSM
* SafeNet DPoD Cloud HSM
* Use Autoenrollment Server
* Files written by the autoenrollment process
* Preparing certificate templates
* Replicating certificate templates and policies
* Test certificate enrollments
* Monitor enrollment activities
* Troubleshooting
* Citrix FAS
* Configure Microsoft DCOM permissions
* Add certificate profiles in Trust Lifecycle Manager
* Configure DigiCert Autoenrollment Server
* Set up the Citrix registration authority
* Test the Citrix FAS integration
* Renewing the Citrix RA certificate
* Microsoft CA server
* Configure Microsoft CA server to prepare for integration
* Add Microsoft CA connector in Trust Lifecycle Manager
* Add certificate profiles to enroll new certificates via Microsoft CA
connector
* Microsoft Intune SCEP
* Introduction
* Prerequisites
* Intune device profile and DigiCert certificate profile configurations
for certificate use cases
* Intune trusted certificate profile
* SCEP certificate configuration
* Device authentication
* User client authentication
* Joining a device to Intune MDM
* Verify certificate issuance details in Trust Lifecycle Manager
* Revocation of certificates in Intune
* ServiceNow
* DigiCert® Trust Lifecycle Manager app installation guide
* Install DigiCert Trust Lifecycle Manager on ServiceNow
* Add users and assign roles
* Create certificate profiles
* Sync certificate profiles
* Request a certificate
* Approve or reject a certificate request
* Configuration management database (CMDB) integration
* FAQ
* Third-party ACME clients
* Introduction
* Prerequisites
* Architecture
* ACME external account binding (EAB)
* ACME automation workflow
* Install and configure third-party ACME clients
* Create ACME-based certificate profiles
* Create an ACME-based profile for private CA Manager certificates
* Create an ACME-based profile for private Microsoft certificates
* Create an ACME-based profile for private AWS certificates
* Create an ACME-based profile for private CertCentral certificates
* Create an ACME-based profile for public CertCentral certificates
* Initiate certificate lifecycle automation events
* ACME automation actions
* Certbot: Issue and install private CA Manager certificate for Apache,
values supplied as command options
* Certbot: Issue and install private CA Manager certificate for NGINX,
values read from CSR file
* Certbot: Issue and install public trust certificate for NGINX using
DNS-01 domain validation
* Certbot: Issue and install public trust certificate for Apache using
HTTP-01 domain validation
* Certbot: Renew, reissue, or duplicate certificate using ACME URL
query parameters
* Managing your ACME-based certificates
* View ACME-based certificates
* Manage ACME-based certificates
* Managing your ACME-based certificate profiles
* View ACME-based certificate profiles
* Manage ACME-based certificate profiles
* Regenerate the ACME credentials for a certificate profile
* Use cert-manager and DigiCert ACME service with Kubernetes
* Troubleshooting
* Windows Hello for Business
* Introduction
* Prerequisites
* Setting Up Windows Hello for Business with Autoenrollment Server
* Creating Certificate Profiles
* Downloading and Importing Autoenrollment Configuration File
* Assigning Group/User Access for Each Template
* Issuing Domain Controller Certificates
* Setting Up Active Directory Federation Services
* Adding User Principal Name to Service Account
* Provisioning
* Windows Hello for Business Authentication Certificate Lifecycle
* Troubleshooting
* Known issue
* How-to guides
* Access certificates with LDAP
* Enable or disable access to LDAP with searches
* Test your LDAP connection
* Search fields and recommendations
* Supported searches and examples
* Configure a profile to authenticate requests via SAML 2.0 using Microsoft
Azure AD SAML IdP
* SAML enrollment flow
* Check for issuing CAs
* Create business units
* Create certificate profiles for SAML IdP authentication
* Create SAML IdP applications in Azure AD portal
* Complete profile configurations using Azure AD SAML IdP metadata
* Test your SAML IdP
* Additional information
* Troubleshoot SAML errors
* Configure a profile to authenticate requests via SAML 2.0 using Okta SAML
IdP
* SAML enrollment flow overview
* Check for issuing CAs
* Assign seats to business units
* Create certificate profiles for SAML IdP authentication
* Create your Okta SAML application
* Complete your profile configuration with Okta SAML IdP data
* Enroll for certificates using your SAML IdP for authentication
* Additional information
* Troubleshoot SAML errors
* Configure and test EST
* Prerequisites
* Create certificate profiles for EST
* Prepare seats and enrollment codes
* Enroll certificates via EST
* Create the CSR
* Enroll using cURL
* Enroll using Postman
* Renew certificates via EST
* Troubleshoot EST
* Configure and test SCEP
* Create root and issuing CAs
* Create profiles
* Create seats in bulk and enroll against your profile
* Test via the DigiCert SCEP client
* Create OpenSSL configuration files
* Create key pairs
* Generate CSRs
* Convert CSRs from PEM to DER
* Call SCEP services with the enroll operation
* Convert issued certificates to PEM format
* SCEP renewals
* Call SCEP services with the renew operation
* Troubleshoot SCEP
* Configure iOS/iPadOS enrollment via SCEP
* Configure Jamf to issue certificates with SCEP
* Configure Postman to authenticate with an API key
* Checking for root and issuing CAs
* Create service users
* Create business units
* Create certificate profiles for REST API
* Configure Postman for API key authentications
* Test API requests via Postman
* Configure Postman to authenticate with client certificates
* Create authentication certificates
* Create profiles
* Configure Postman for certificate authentications
* Test via Postman
* Create a certificate profile for CMP
* Create a certificate profile for REST API
* Cross-forest trust to allow Autoenrollment Server enrollments across a
multi-domain forest network structure
* Trust between two forests (Using DNS stub zone)
* Import externally issued certificates using the API
* Assigned seat types
* Before you begin
* Prerequisites and workflow to use "Imported seat" licenses
* Upload certificates with REST API
* Configure custom email notifications for certificate expiration
* Troubleshooting
* Issue Adobe AATL certificates via CertCentral
* Issue private CA certificates for TLS inspection
* Create root and issuing CAs
* Create business units
* Create service users
* Create profiles
* Test issuance of private CA certificates via Postman
* Issue private certificates with custom extensions
* Create certificate profiles with custom extensions
* Data types and example templates for custom extensions
* Use the REST API to request certificates with custom extensions
* Issue public S/MIME certificates from CertCentral using the Trust
Lifecycle Manager REST API and Postman
* Introduction
* Prerequisites
* Create a service user
* Assign seats to a business unit
* Create a CertCentral CA connector
* Create a certificate profile for REST API
* Configure postman for API key authentication
* Test API requests via postman
* Issue public S/MIME certificates from CertCentral using the GBS iQ.Suite
KeyManager software
* Introduction
* Prerequisites
* Create a certificate profile for CMP
* Configure the GBS iQ.Suite KeyManager software
* Test certificate enrollments
* Test certificate revocations
* Issue S/MIME certificates using DigiCert ® Trust Lifecycle Manager and
PKI Platform 8
* Troubleshooting
* Troubleshoot SAML
* Known issues for managed automation
* Troubleshoot DigiCert sensors
* Other troubleshooting links
* Device Trust Manager
* Overview
* System architecture
* User roles and permissions
* Get started
* Part 1: Initial access and setup
* Part 2: Configure Device Trust Manager
* Part 3: Set up device management
* Part 4: Connect a Linux device
* Part 5: Deploy a device update
* Concepts
* Account
* Artifact
* Attributes
* Authentication
* Authentication policy
* Bootstrap credential
* Certificate management policy
* Certificate profile
* Certificates
* Certificate template
* Deployment
* Device
* Device group
* Division
* Issuing CA
* Jobs
* Provisioning
* Registration
* Release
* Rendezvous
* Tags
* TrustEdge agent
* How-to guides
* Division management
* Create a division
* Manage division users
* Disable and enable a division
* Delete and restore a division
* Device management
* Device groups
* Create a device group
* Update a device group
* Clone a device group
* Disable a device group
* Enable a device group
* Devices
* Register single device
* Register many devices
* Update a device
* View device details
* Disable a device
* Update management
* Create an artifact
* Create a release
* Create a deployment
* Abort a deployment
* Certificate management
* Certificate profiles
* Create a certificate profile
* Clone a device group
* Disable a certificate profile
* Enable a certificate profile
* Delete a certificate profile
* Undelete a certificate profile
* Certificate management policies
* Create a certificate management policy
* Authentication policy management
* Create an authentication policy
* View authentication policy details
* Add credentials to an authentication policy
* Disable an authentication policy
* Enable an authentication policy
* Tutorials
* Build and package a software update
* Troubleshoot
* References
* CSV format for batch certificate enrollment
* CSV format for registering many devices
* Licensing and plans
* IoT Trust Manager
* Get started
* Users, API tokens, and service users
* Create divisions
* Assign users to divisions
* Request your first certificate for an IoT device
* Configure SCEP enrollment
* Divisions
* Create a division
* Edit a division
* Disable and enable a division
* Delete and restore a division
* Assign a user to a division
* Remove a user from a division
* Assign issuing CA to a division
* Customizable certificate issuance process
* Five-step certificate issuance process
* Step 1: Create your certificate templates
* Step 2: Create your device profiles
* Step 3: Create your certificate profiles
* Step 4: Create your enrollment profiles
* Step 5: Request a certificate
* Certificate templates
* Certificate template structure
* Create JSON formatted certificate templates
* Certificate structure
* Signature algorithms
* Key types
* Subject
* Subject order
* Subject attributes
* Supported subject attribute types
* Extensions
* Extensions order
* Key usage
* Extended key usages
* SAN
* Certificate policies
* Subject directory attribute
* SKI extension
* Basic constraints
* Renewal settings
* Serial number size
* Validity
* Example templates
* Create a certificate template
* Edit a certificate template
* Clone a certificate template
* Disable and enable a certificate template
* Delete and restore a certificate template
* Certificate profiles
* Create a certificate profile
* Edit a certificate profile
* Clone a certificate profile
* Disable and enable a certificate profile
* Delete and restore a certificate profile
* Certificate requests
* Before you begin
* Request a certificate for an IoT device
* Submit batch certificate request with CSRs
* Submit certificate batch request with DigiCert ONE-generated keys
* Pick up a certificate batch
* Trust bundles
* Get started with trust bundles
* Manage trust bundles
* Download a trust bundle
* Registered values
* Get started with registered values
* Manage registered values
* Device profiles
* Create a device profile
* Edit a device profile
* Delete and restore a device profile
* Devices
* Create a device
* Edit a device
* Disable and enable a device
* Delete and restore a device
* Enrollment profiles
* Enrollment methods
* Create enrollment profiles
* Before you begin
* Create an enrollment profile
* What's next
* Edit an enrollment profile
* Edit enrollment profile
* What's next
* Edit enrollment profile device field mappings
* Edit an enrollment profile's device field mappings
* What's next
* Add device authentication to an enrollment profile
* Upload an authentication CA
* Create an authentication CA template
* Add an authentication certificate
* Disable and enable enrollment profiles
* Disable an enrollment profile
* Enable an enrollment profile
* Delete and restore enrollment profiles
* Delete an enrollment profile
* Restore an enrollment profile
* Enrollment passcodes
* Create enrollment passcodes
* Before you begin
* Create an enrollment passcode
* What's next
* Edit enrollment passcodes
* Edit an enrollment passcode
* What's next
* Disable and enable enrollment passcodes
* Disable an enrollment passcode
* Enable an enrollment passcode
* Delete and restore enrollment passcodes
* Delete an enrollment passcode
* Restore an enrollment profile
* Reports
* Download table data as a report
* Create a report
* Update a report
* Pick up a report
* Run a report now
* View audit logs
* Integrations
* Set up a DigiCert gateway
* Set up a CA connector for CertCentral
* Add a CA connector for CertCentral
* Create a certificate profile for a CertCentral CA connector
* Create an enrollment profile for a CertCentral CA connector
* Set up a CA connector for EJBCA
* Add a CA connector for EJBCA
* Create a certificate profile for an EJBCA CA connector
* Create an enrollment profile for an EJBCA CA connector
* Document Trust Manager
* Signer's guide
* Create your DigiCert ONE digital ID
* Set up your DigiCert ONE account
* Set up two-factor authentication (2FA)
* Reset PIN
* Update mobile number, email and/or generate QR code for 2FA
* Verify your identity
* Common questions
* Document acceptance list for remote identity verification
* Sign a document
* Administrator's guide
* Create a signup link
* Create a report
* Validations
* Create a validation
* Delete a validation
* Explanations for rejected validations
* Credentials
* Credentials
* Revoke a credential
* Organizations
* Create organization
* Edit organization
* Disable organization
* Add organization contacts
* Edit an organization contact
* Delete an organization contact
* Users
* Types of users
* User
* Service user
* User roles
* DTM document signer (AS)
* Client admin (AS)
* Organization approver (AS)
* Client admin (SS)
* Registration officer (SS)
* Security officer (SS)
* Support admin (SS)
* System auditor (SS)
* Validation specialist (SS)
* Revoke user access
* Seats
* Update mobile number, email and/or generate QR code for 2FA
* View audit logs
* Dashboard
* Client tools
* true-Sign V
* Configure true-Sign V
* Configure true-Sign V on Windows
* Configure true-Sign V on macOS
* Sign a PDF with true-Sign V and Adobe Acrobat Reader
* SealSign 2.0
* Configure SealSign 2.0
* Configure SealSign 2.0 on Windows
* Configure SealSign 2.0 on Linux
* Bulk signing documents with SealSign 2.0
* Go>Sign Mobile
* PDF Service 2.0
* Configure PDF Service 2.0
* Authentication methods
* API token
* Client credential flow
* Authorization code flow
* Sign with PDF Service 2.0 and Document Trust Manager API
* Hash sign PDFs with first run of API calls
* Sign subsequent PDFs
* Performance options
* Signing multiple hashes in Postman with one SAD
* Run multiple PDF Service instances with one Nginx in Docker
* Frequently asked questions
* Third-party signing tools
* Adobe
* Adobe Acrobat Sign
* Configure Adobe Acrobat Sign for DigiCert as qualified trust service
provider (QTSP)
* Request eSignatures in Adobe Acrobat Sign
* Sign a document in Adobe Acrobat Sign
* Adobe Acrobat Reader
* Configure signature and timestamp in Adobe Acrobat Reader
* DocuSign
* Sign a document in DocuSign
* SigningHub
* Request eSignatures in SigningHub
* Upgrade QuoVadis Signing Service to Document Trust Manager
* QVSS Enterprise customers
* Before you begin
* Get started
* Common questions
* SealSign customers
* Before you begin
* Get started
* Common questions
* QVSS users
* Client authentication certificate users
* Upgrade Document Signing Service for API customers to Document Trust
Manager
* Key concepts
* Signatures
* Identity
* Legality
* User types
* Software Trust Manager
* Get started
* Lead guide
* Team lead guide
* Build engineer guide
* Developer guide
* Signer guide
* Overview
* Benefits
* Architecture
* Licensing
* Compatible operating systems
* Compatible signing tools and file types
* Users
* Create a user
* Create a service user
* Existing user roles
* Lead (AS)
* Team Lead (AS)
* Build engineer (AS)
* Developer (AS)
* Signer (AS)
* Admin (SS)
* Support (SS)
* System auditor (SS)
* Custom user roles
* Create a custom role
* Clone a user role
* User permissions
* Account scope (AS) user permissions
* System scope (SS) user permissions
* Requirements
* Secure credentials
* Credential setup for Windows
* Windows Credential Manager (recommended)
* Properties file for Windows
* Session-based credentials for Windows
* Persistent environment variables for Windows
* Credential setup for Linux
* Pass
* Properties file for Linux
* Session-based environment variables for Linux
* Persistent environment variables for Linux
* Credential setup for macOS
* Keychain Access
* Properties file for macOS
* Session-based environment variables for macOS
* Persistent environment variables for macOS
* Credential setup for AIX
* Properties file for AIX
* Session-based environment variables for AIX
* Persistent environment variables for AIX
* Platform URL
* Dashboard
* Account
* Account settings
* Keypair preferences
* Release preferences
* CSV report preferences
* Signature metadata preferences
* Teams
* Enable Teams
* Create team
* Team approvals workflows
* Manage teams
* Add or remove team resources
* Update or remove signing limit
* Manage team and member permissions
* Team user critical operations
* Delete team
* Notifications
* User groups
* Create user group
* Update user group
* Projects
* Create a project
* Project statuses
* View Threat detection scans and releases from project
* Manage projects
* Update a project
* Add releases
* Add threat detection scans
* Move to different project
* Delete from project
* Delete project
* Trust anchor certificates
* Prerequisites
* Manage trust anchor certificates
* Trust anchor certificate statuses
* Unlock trust anchor certificate
* Approve trust anchor certificate
* Reject trust anchor certificate
* Update trust anchor certificate
* Import trust anchor certificate
* Download trust anchor certificate
* Deactivate trust anchor certificate
* Trust anchor errors and solutions
* Connectors
* Enable connectors
* CertCentral integration
* Link Software Trust Manager and CertCentral
* Create a CertCentral API key
* Update certificate chain in CertCentral
* Software Trust actions for CertCentral integration
* ReversingLabs integration
* FOSSA integration
* Create a FOSSA API key
* Certificates
* Types of certificates
* Private code signing certificates
* Public code signing certificates
* Certificate templates
* Certificate profiles
* CertCentral orders
* View CertCentral orders
* Sync certificates
* Manage certificates
* View certificates
* Generate a certificate
* Certificate auto-issuance
* Certificate auto-renewal
* Enable auto-renewal
* Enable auto-renewal for a certificate
* Edit certificate
* Locate certificate alias
* Locate certificate fingerprint/thumbprint
* Download certificate
* Import code signing certificate
* Revoke certificate
* Delete certificate
* Sync certificate
* Bulk actions
* Certificate troubleshooting
* Keypairs
* Keypairs
* Dynamic keypairs
* Create a dynamic keypair
* Refresh dynamic key
* Dynamic keys in signature logs
* Dynamic keys in Audit logs
* Create keypair
* Import keypair
* Update keypair
* View keypair
* Delete keypair
* Locate keypair ID
* Assign a default certificate to a keypair
* Generate CSR
* Locate keypair alias
* Set a keypair expiry date
* Download public key
* Key rotations
* Create a key rotation
* View key rotation details
* Rotate key
* Key rotations in signature logs
* Keypair profiles
* Enable keypair profiles
* Create keypair profiles
* GPG keypairs
* Enable GPG keys
* GPG algorithms and key strengths
* Create a GPG master key
* Create a GPG subkey
* GPG keyring
* Import and export a GPG secring
* Delete a GPG key
* Releases
* Create a release
* Update a release
* Approval procedure for offline releases
* Release comparison and baselines
* Threat detection
* Apple notarization
* Notarize Apple binaries
* Software Binary Analysis
* Download and install Static Binary Analysis scanning tool (rl-deploy)
* Scan your software with Software Binary Analysis
* Review scan results
* Deployment risks
* Software binary analysis (SBA) features
* Software Composition Analysis
* Review scan results
* Perform a Software Composition Analysis scan
* Upload and analyze an SBOM file
* Best practices for Common Vulnerabilities and Exposures (CVE)
* Assess severity of a vulnerability
* Prioritize vulnerabilities
* Resolve vulnerabilities
* Remediation options
* Signing Manager Controller (SMCTL) command manual
* Healthcheck commands
* Check user credentials
* Check integrated third-party tools
* Check user credentials and tools
* Healthcheck errors and solutions
* Certificates commands
* Describe certificate
* Download certificate
* Certificate profile
* Import certificate
* List certificates
* Credential commands
* Save credentials
* Delete credentials
* Standard keypair commands
* Describe keypair
* Generate keypair
* Generate a keypair by specifying the algorithm
* Generate a key and certificate with different aliases
* Generate key and certificate with shared alias
* Generate a keypair on a specific HSM
* Generate key using a keypair profile ID
* Generate certificate for existing keypair
* Generate a certificate
* Generate a test certificate
* Generate a key and certificate with different aliases
* Generate a key and certificate with shared alias
* Import keypair
* List keypairs
* List or describe keypair profiles
* Suspend keypair
* Unsuspend keypair
* Update keypair
* Update keypair access
* GPG keypair commands
* Generate GPG keypair
* List GPG keypairs
* Describe GPG keypair
* Download GPG keyring
* Suspend GPG keypair
* Unsuspend GPG keypair
* Update GPG keypair
* Update access to GPG keypair
* Update UIDs of GPG keypair
* Delete GPG keypair
* HSM commands
* Sign binary commands
* Sign binaries using a keypair alias and configuration file
* Sign binaries using a keypair alias
* Verify signed binary
* Remove signature from binary
* Update access to GPG keypair
* Sign in-toto commands
* Sign-hash commands
* Verify-hash commands
* Apple notarization commands for macOS
* Describe notarization
* List notarization
* Get notarization log
* Notarize
* Notarization status
* Save Apple credentials to Keychain
* Staple
* Threat detection commands
* Install ReversingLabs
* Create project
* Scan software with ReversingLabs
* Scan software with FOSSA
* List scans
* Describe scan
* Download scan
* Delete scan
* Release commands
* Create release
* Approve release
* Reject release
* Set release as baseline
* Close release
* Compare releases
* Describe release
* List releases
* Audit log commands
* User account commands
* List all accounts associated with user
* Set or change your primary account
* Windows store and KSP commands
* Client tools
* Cryptographic libraries and frameworks
* CSP library
* KSP library
* JCE library
* PKCS11 library
* CryptoTokenKit (CTK)
* CryptoTokenKit CLI command manual
* GPG smart card daemon (SCD)
* Signing tools
* Signing Manager Controller (SMCTL)
* Files supported for signing
* Third-party signing tool integrations
* Apksigner
* Configure OpenSSL for signing with PKCS11 integration
* Jarsigner
* Jsign
* Mage
* NuGet
* Osslsigncode
* SignTool
* DigiCert ® Click-to-sign
* Tool packages
* Windows clients installer (recommended)
* Linux clients (recommended)
* AIX clients (recommended)
* Command line interface
* Signing Manager Controller (SMCTL)
* Client tool compatibility
* Customize tool settings
* Code signing
* Sign with DigiCert signing tools
* Sign binaries with SMCTL
* Sign hashes with SMCTL
* Sign SBOMs with SMCTL
* Sign Apple binaries with SMCTL using CryptoTokenKit
* Sign with DigiCert ® Click-to-sign
* Test signing
* Sign with third-party signing tools
* Android applications
* Sign Android files with Apksigner using PKCS11 library
* Apple applications
* Apple certificate procedure
* Apple commands, certificate types, and troubleshooting
* Sign Apple binaries with productsign and codesign using
CryptoTokenKit
* Windows applications (Authenticode)
* Sign Authenticode files with Osslsigncode using OpenSSL PKCS11 engine
* Sign Authenticode files with SignTool using KSP library
* Sign Authenticode files with Visual Studio using KSP library
* Sign Authenticode with Sign4j using PKCS11 library
* Sign Azure apps with SignTool using KSP library
* Sign ClickOnce manifests with Visual Studio using KSP library
* Sign Excel macro projects with SignTool using KSP library
* Sign executables with Electron builder using KSP library
* Sign strong name assemblies with SignTool using CSP library
* Sign Windows packages with NuGet using KSP library
* OpenSSL
* Sign software artifacts with OpenSSL using PKCS11 library
* Verify signature with OpenSSL pkeyutl using PKCS11 library
* System and container files
* Sign hardware drivers to the HLK and HCK standard using KSP library
* Sign Mender Artifacts with mender-artifact and OpenSSL using PKCS11
library
* Sign Secure Boot V2 images with OpenSSL and Esptool from Espressif
using PKCS11 library
* Sign Secure Boot V2 images with Esptool from Espressif using PKCS11
library
* Java applications and libraries
* Sign Java files with Jarsigner using JCE library
* Sign Java files with Jarsigner using PKCS11 library
* Sign Java files with Jarsigner using KSP library
* Sign Java files with Jarsigner using Java code and PKCS11 integration
* Sign Java with electron-builder using PKCS11 library
* JavaScript and web tokens
* Sign JSON Web Tokens (JWT) with Java using PKCS11 library
* Sign JSON Web Tokens (JWT) with jwt.io
* Linux packages
* Sign Debian files with dpkg using GPG Smartcard Daemon (SCD)
* General packages
* Sign Authenticode with jSign using PKCS11 library
* Sign Manifest files with Mage using KSP library
* Tools that support EdDSA algorithm signing
* Container images
* Sign OVA and OVF files with ovftool using PKCS11 library
* Sign containers with CoSign from Sigstore using PKCS11 library
* Sign containers with Docker Notary using PKCS11 library
* Sign containers with Podman using GPG Smart Card Daemon (SCD)
* GPG signing
* Prerequisites for GPG signing
* Install GPG tools
* GnuPG PKCS11 SCD
* GPG Smart Card Daemon (recommended)
* Install GPG tools
* GPG Smart Card Daemon (recommended)
* GnuPG PKCS11 SCD
* Sign with GPG using Software Trust Manager Smartcard Daemon (SCD)
* Sign with GPG using GnuPG PKCS11
* Sign RPM files with GPG and RPM signing tool using Smartcard Daemon
(SCD)
* Documents and configuration files
* Sign XML files with Xmlsectool using PKCS11 library
* Sign XML files with OpenSSL using PKCS11 library for detached
signature
* Integrate InstallShield for custom signing
* CI/CD integrations
* Plugins
* Azure
* Install client tools for standard keypair signing on Azure DevOps
* GitHub custom actions
* Install client tools for standard keypair signing on GitHub
* Install client tools for GPG keypair signing on GitHub
* Jenkins
* Jenkins plugin for keypair signing
* Install client tools for GPG keypair signing on Jenkins
* Script integrations
* Ant
* Scripts for signing using PKCS11 library on Ant
* Azure
* Scripts for Docker container signing using PKCS11 library on Azure
DevOps
* Scripts for signing using PKCS11 library on Azure pipeline
* Scripts for signing using KSP library on Azure pipeline
* CircleCI
* CircleCI script integration with PKCS11
* Scripts for signing using KSP library on CircleCI
* GitHub Actions
* Scripts for Apple signing using CryptoTokenKit (CTK) on GitHub
* Scripts for signing using PKCS11 library on GitHub
* Scripts for signing using KSP library on GitHub
* GitLab
* Scripts for signing using KSP library on GitLab
* Scripts for signing using PKCS11 library on GitLab
* Gradle
* Scripts for signing using PKCS11 library on Gradle
* Jenkins
* Scripts for Docker integration with Jenkins using PKCS11 library
* Scripts for signing using KSP library on Jenkins
* Scripts for signing using PKCS11 library on Jenkins
* Maven
* Scripts for signing using PKCS11 library on Maven
* Oracle Cloud
* Scripts for signing using PKCS11 library on Oracle Cloud
Infrastructure
* Logs
* Audit logs
* Signature logs
* Manage logs
* Filter logs
* Locate error message in logs
* Download logs (less than 10,000)
* Download logs (more than 10,000)
* Troubleshoot
* Identify general errors
* Identify signing errors
* Healthcheck errors and solutions
* Apksigner errors and solutions
* Common errors and solutions
* Apple signing errors and solutions
* Podman errors and solutions
* Docker errors and solutions
* GPG errors and solutions
* Jarsigner errors and solutions
* JCE errors and solutions
* Jenkins errors and solutions
* Mage errors and solutions
* Nuget errors and solutions
* SBOM signing errors and solutions
* SignTool errors and solutions
* Threat detection errors and solutions
* DigiCert KeyLocker
* Get started
* Lead guide
* Signer guide
* Overview
* Benefits
* Licensing
* Buy and request a DigiCert ® KeyLocker certificate
* Compatible operating systems
* Compatible signing tools and file types
* Users
* Create a user
* Create a service user
* Account scope (AS) user permissions
* User roles
* KeyLocker lead
* KeyLocker signer
* Custom user roles
* Create a custom role
* Clone a user role
* Requirements
* Secure credentials
* Credential setup for Windows
* Windows Credential Manager (recommended)
* Properties file for Windows
* Session-based credentials for Windows
* Persistent environment variables for Windows
* Credential setup for Linux
* Pass
* Properties file for Linux
* Session-based environment variables for Linux
* Persistent environment variables for Linux
* Credential setup for macOS
* Keychain Access
* Properties file for macOS
* Session-based environment variables for macOS
* Persistent environment variables for macOS
* Platform URL
* Certificates
* View certificates
* Identify designated signer for the certificate
* Add signer
* Update signer
* Download certificate
* Locate certificate fingerprint/thumbprint
* Revoke certificate
* Sync certificate
* Bulk actions
* Assign KeyLocker certificate signer
* Keypairs
* Keypair generation
* View keypair
* Locate keypair alias
* KeyLocker signatures
* Buy more KeyLocker signatures
* Client tools
* Client tool compatibility
* Cryptographic libraries and frameworks
* KSP library
* JCE library
* PKCS11 library
* Signing tools
* Signing Manager Controller (SMCTL)
* DigiCert ® Click-to-sign
* Tool packages
* Windows clients installer (recommended)
* Linux clients (recommended)
* macOS clients (recommended)
* Command line interface
* Signing Manager Controller (SMCTL)
* Files supported for signing
* Third-party signing tool integrations
* Jarsigner
* Jsign
* Mage
* NuGet
* Osslsigncode
* SignTool
* Configure OpenSSL for signing with PKCS11 integration
* Customize tool settings
* Code signing
* Sign with DigiCert signing tools
* Sign binaries with SMCTL
* Sign with DigiCert ® Click-to-sign
* Sign with third-party signing tools
* Windows applications (Authenticode)
* Sign Authenticode files with Osslsigncode using OpenSSL PKCS11 engine
* Sign Authenticode files with SignTool using KSP library
* Sign Authenticode files with Visual Studio using KSP library
* Sign Authenticode with Sign4j using PKCS11 library
* Sign Azure apps with SignTool using KSP library
* Sign ClickOnce manifests with Visual Studio using KSP library
* Sign Excel macro projects with SignTool using KSP library
* Sign executables with Electron builder using KSP library
* Sign Windows packages with NuGet using KSP library
* General packages
* Sign Authenticode with jSign using PKCS11 library
* Sign Manifest files with Mage using KSP library
* Java applications and libraries
* Sign Java files with Jarsigner using JCE library
* Sign Java files with Jarsigner using PKCS11 library
* Sign Java files with Jarsigner using KSP library
* Sign Java with electron-builder using PKCS11 library
* OpenSSL
* Sign software artifacts with OpenSSL using PKCS11 library
* Integrate InstallShield for custom signing
* CI/CD integrations
* Plugins
* Azure
* Install client tools for standard keypair signing on Azure DevOps
* GitHub custom actions
* Install client tools for standard keypair signing on GitHub
* Jenkins
* Jenkins plugin for keypair signing
* Script integrations
* Ant
* Scripts for signing using PKCS11 library on Ant
* Azure
* Scripts for signing using KSP library on Azure pipeline
* Scripts for signing using PKCS11 library on Azure pipeline
* CircleCI
* CircleCI script integration with PKCS11
* Scripts for signing using KSP library on CircleCI
* GitHub Actions
* Scripts for signing using KSP library on GitHub
* Scripts for signing using PKCS11 library on GitHub
* GitLab
* Scripts for signing using PKCS11 library on GitLab
* Scripts for signing using KSP library on GitLab
* Gradle
* Scripts for signing using PKCS11 library on Gradle
* Jenkins
* Scripts for signing using PKCS11 library on Jenkins
* Scripts for signing using KSP library on Jenkins
* Maven
* Scripts for signing using PKCS11 library on Maven
* Signing Manager Controller (SMCTL) command manual
* Healthcheck commands
* Check user credentials
* Check integrated third-party tools
* Check user credentials and tools
* Healthcheck errors and solutions
* Certificates commands
* Describe certificate
* Download certificate
* Credential commands
* Save credentials
* Delete credentials
* Standard keypair commands
* Describe keypair
* List keypairs
* Update keypair
* Sign binary commands
* Sign binaries using a keypair alias and configuration file
* Sign binaries using a keypair alias
* Verify signed binary
* Remove signature from binary
* User account commands
* List all accounts associated with user
* Set or change your primary account
* Windows store and KSP commands
* Troubleshoot
* Identify general errors
* Identify signing errors
* Healthcheck errors and solutions
* Common errors and solutions
* Docker errors and solutions
* GPG errors and solutions
* Jarsigner errors and solutions
* JCE errors and solutions
* Mage errors and solutions
* Nuget errors and solutions
* SignTool errors and solutions
* DigiCert account
* Account
* View account details
* Users
* Create user
* Create your credentials
* Enable services for a user
* Disable services for a user
* Default user roles for DigiCert services
* Update user roles
* Update CertCentral user roles and account access
* Update user role for DigiCert ONE managers
* Commonly used authenticator applications
* Reset two-factor authentication (2FA)
* Reset password
* Confirm your username
* Delete user
* DigiCert services
* Service integrations
* Enable services for a user
* Disable services for a user
* Access your DigiCert services
* Access new services
* Link existing services
* Transition to DigiCert ® account
* Page not found
print
Toggle navigation
* Developers
* * English
* Deutsch
* Español
* Français
* Italiano
* 日本語
* 한국어
* Nederlands
* Português
* 中文(简体)
* 中文(繁體)
*
*
* Prev
* Next
* DigiCert product docs
* CertCentral
* Manage certificates
* DNS CAA resource record check
DNS CAA RESOURCE RECORD CHECK
CERTIFICATE AUTHORITIES ARE REQUIRED TO CHECK THE CAA RESOURCE RECORDS PRIOR TO
ISSUING CERTIFICATES
Before a Certificate Authority (CA) can issue an TLS/SSL certificate for your
domain, they must check, process, and abide by the domain's DNS Certification
Authority Authorization (CAA) resource records (RRs). See Ballot 125 – CAA
Records [PASSED], RFC 6844, and Ballot 219: Clarify handling of CAA Record Sets
with no "issue"/"issuewild" property tag.
IMPORTANT
A CAA resource record is NOT REQUIRED for DigiCert to issue TLS/SSL certificates
for your domains. The information provided here is only important if you are in
one of these situations:
* Have CAA resource records set up for your domains
* Plan to add CAA resource records for your domains
For information about the benefits of CAA, see our blog, The Security Benefits
of CAA.
HOW THE CAA RR PROCESS WORKS
Before issuing a TLS/SSL certificate for a domain, a CA (such as DigiCert)
checks the domain’s CAA RRs to verify that they are authorized to issue that
certificate. A CA can issue a certificate for a domain if one of the following
conditions is met:
* They do not find a CAA RR for your domain.
* They find a CAA RR for your domain authorizing them to issue that
certificate.
* They only find CAA RRs for your domain without the "issue" or "issuewild"
property tags.
sidebar. Power of a single CAA RR
After creating a CAA resource record (RR) that authorizes DigiCert to issue
TLS/SSL certificates for a domain, you have effectively deauthorized all other
Certificate Authorities (CAs) from issuing a certificate for that domain. The
only way to authorize another CA to issue certificates for that domain is to
create another CAA RR for that CA.
In this way, CAA resource records enable precise control over certificate
issuance for the domain. This control prevents unauthorized Certificate
Authorities from issuing certificates for your domain.
IMPORTANT
If you don’t have a CAA RR for your domain, then any CA can issue TLS/SSL
certificates for it.
If you have one CAA RR authorizing a specific CA to issue certificates for your
domain, then all other CAs must find a CAA RR that specifically authorizes them
to issue a TLS/SSL certificate for it. If they don’t find one, they cannot issue
the certificate.
Remember, when using CAA RRs for your domains, to create enough CAA RRs to
support your organization's TLS/SSL certificate requirements.
CA AUTHORIZATION FOR DIGICERT, THAWTE, GEOTRUST, AND RAPIDSSL BRAND CERTIFICATES
With the acquisition of Symantec's Website Security and related PKI solutions,
DigiCert brought together the industry’s leading certificate brands under one
Certificate Authority – DigiCert. When creating a CAA RR for yourdoman.com that
authorizes DigiCert to issue TLS/SSL certificates for it (yourdomain CAA 0 issue
"digicert.com"), you authorize DigiCert to issue DigiCert, Thawte, GeoTrust, and
RapidSSL brand TLS/SSL certificates for that domain.
sidebar. Valid CAA resource record values
Below are valid CAA RR values that you can currently use in your CAA records to
authorize DigiCert to issue your TLS/SSL certificate:
* digicert.com
* www.digicert.com
* digicert.ne.jp
* cybertrust.ne.jp
* thawte.com
* geotrust.com
* rapidssl.com
* volusion.digitalcertvalidation.com
* stratossl.digitalcertvalidation.com
* intermediatecertificate.digitalcertvalidation.com
* 1and1.digitalcertvalidation.com
* symantec.com
All values listed above are equivalent. In other words, you can use any of these
values to allow DigiCert to issue TLS/SSL certificates for all the DigiCert
certificate brands.
sidebar. Verify your CAA RRs are properly configured
Do you have or are you planning to create DNS CAA RRs for your domains? Make
sure that your records are up-to-date and accurate.
DigiCert recommends checking your domains' existing DNS CAA RRs before you order
TLS/SSL certificates. Verify that you have the records for each CA authorized to
issue TLS/SSL certificates for your domains. We also recommend understanding the
process before creating new DNS CAA RRs for a domain. Don't let a misconfigured
CAA RR accidentally prevent a CA from issuing a certificate needed as soon as
possible.
See Edit a domain's CAA resource record.
WHAT IS A DNS CAA RESOURCE RECORD?
Certification Authority Authorization (CAA) resource records (RRs) allow domain
owners to create policies that authorize specific Certificate Authorities (CAs)
to issue TLS/SSL certificates for their associated domains. Domain owners can
use CAA RRs to create security policies for an entire domain (e.g., example.com)
or a specific hostname (e.g., mail.example.com).
When you create a CAA RR for your base domain, you create an umbrella policy for
its subdomains in that policy unless you create a separate CAA RR for a specific
subdomain. Do you have a CAA RR for example.com but want to create a different
security policy for mail.example.com? Create an additional CAA RR specifically
for the mail subdomain.
With this record created, when you order a TLS/SSL certificate for
mail.example.com, the CA queries your DNS for CAA RRs for that subdomain. If the
CA finds a record for mail.example.com, then the search stops, and they apply
that policy to the certificate order. If the CA doesn't find a record for
mail.example.com, they continue their DNS query for CAA RRs at its parent
domain, example.com. If the CA finds a record for example.com, they apply the
parent domain's policy to the certificate order for mail.example.com.
sidebar. DNS CAA resource record syntax
A Certification Authority Authorization (CAA) resource record (RR) consists of a
single-byte flag and a tag-value pair referred to as a property, see RFC 6844
sections 3, 5.1.
The flag is an unassigned integer between 0-255. The tag in the tag-value pair
may consist of US-ASCII letters and numbers, while the value is an octet string
representing the value of the tag-value property.
CAA RR PROPERTY TAGS
You can associate multiple properties with the same domain by publishing
multiple CAA RRs for that domain name. However, each CAA RR can only authorize
one CA to issue certificates (or, in some instances, one type of certificate)
for your domain.
To allow multiple CAs to issue certificates for your domain, you need to create
at least one CAA RR for each CA (in some instances, two CAA RRs). For help
setting up your CAA RRs, visit CAA Record Helper.
sidebar. "issue" property tag
Use this property tag to authorize a CA (such as DigiCert) to issue certificates
for yourdomain and *.yourdomain. When processing a certificate order for
yourdomain or *.yourdomain, the CA queries the domain's DNS for CAA RRs
containing the "issue" property tag. If the CA finds only an "issue" property
tag and that tag that authorizes them to issue a certificate for the yourdomain,
they can issue a certificate for yourdomain and *.yourdomain.
To authorize multiple CAs to issue certificates for yourdomain and *.yourdomain,
you must create a unique CAA RR for each CA.
Example 1. "issue"
yourdomain CAA 0 issue "digicert.com"
yourdomain CAA 0 issue "ca2.example.com"
sidebar. "issuewild" property tag
Use this property tag to authorize a CA (such as DigiCert) to issue a
certificate for *.yourdomain. When processing a certificate order for
*.yourdomain, the CA queries the domain's DNS for CAA RRs containing the
"issuewild" property tag.
* If the CA finds an "issuewild" property tag, they check to see if it
authorizes them to issue a certificate for *.yourdomain.
* If the CA doesn’t find an "issuewild" property tag, they look for an “issue”
property tag authorizing them to issue a certificate for yourdomain and
*.yourdomain.
To authorize multiple CAs to issue certificates for *.yourdomain, you must
create a unique CAA RR for each CA.
Example 2. "issuewild"
yourdomain CAA 0 issuewild "digicert.com"
yourdomain CAA 0 issuewild “ca2.example.com”
sidebar. How the "issuewild" property tag works
The "issuewild" property tag authorizes a CA to issue a certificate for a
*.yourdomain, *.sub.yourdomain, *.sub.sub.yourdomain, etc. It does not
specifically authorize or prevent a CA from issuing a certificate for
yourdomain, sub.yourdomain, sub.sub.yourdomain, etc.
sidebar. Using the "issuewild" property tag
When correctly used, the "issuewild" property can be an effective tool for
creating certificate issuance policies.
For example, you create three "issue" CAA RRs for yourdomain. Later, you decide
you only want one of those CAs to issue certificates for *.yourdomain. So, you
create an "issuewild" CAA RR authorizing that CA to issue a certificate for
*.yourdomain. All three CAs can continue to issue certificate for yourdomain,
but now only one CA can issue a certificate for *.yourdomain.
AUTHORIZE DIGICERT TO ISSUE WILDCARD CERTIFICATES FOR A DOMAIN
When you order a certificate for *.yourdomain, DigiCert includes yourdomain in
the certificate at no extra cost. This poses a problem when creating “issue” and
“issuewild” CAA RRs for your domains using multiple CAs.
For example, DigiCert includes yourdomain with your certificate order for
*.yourdomain. Therefore, if you authorize multiple CAs to issue certificates for
yourdomain, use one of the options below so that DigiCert can issue your
certificates.
1. Only use the “issue” property tag and create an “issue” CAA RR for DigiCert
Unless you have a specific reason for creating an "issuewild" CAA RR for
yourdomain, don’t. Managing only "issue" CAA RRs is much simpler:
Example 3. "issue"
yourdomain CAA 0 issue "digicert.com"
2. Create an “issue” CAA RR and an “issuewild” for DigiCert
If organization policy permits it and you must create separate CAA RRs for
yourdomain and *.yourdomain.com, create two rules:
* One authorizing DigiCert to issue certificates for yourdomain
* One authorizing DigiCert to issue certificates for *.yourdomain
Example 4. "issue" and "issuewild"
yourdomain CAA 0 issue "digicert.com"
yourdomain CAA 0 issuewild "digicert.com"
3. Contact Us
If organization policy prevents you from authorizing DigiCert to issue
certificates for yourdomain, contact us. We will work to find a solution to
the problem so we can issue your certificate for *.yourdomain.
HOW CAA RR AND CNAME WORK TOGETHER
When requesting a TLS/SSL certificate for a domain (e.g., my.blog.example.com)
that contains a CNAME record pointing to another domain (e.g.,
my.blog.example.net), the Certificate Authority (CA) follows a specific process
(laid out in the Baseline Requirements [BRs]) to locate a CAA RR authorizing
them to issue your certificate.
IMPORTANT
CNAME targets
As a preventative measure against resource exhaustion attacks, a CA is only
required to follow up to 8 CNAME targets (8 or fewer CNAME records:
blog.example.com is a CNAME for blog.example.net, which is a CNAME for
blog.example.org, and so on, eight levels deep).
The process starts at the domain name on the certificate request and continues
to the top-level domain. The process will stop at any point along the way if CAA
RRs are found. The CAA RRs determine whether the CA is authorized to issue your
certificate.
sidebar. Example of CAA RR check workflow with CNAME present
1. Step 1: CA checks the CAA RRs for the domain name on the certificate
request–my.blog.example.com
The search stops if the CA finds a CAA record for the domain on the
certificate request. The CA checks to see if a CAA record authorizes them to
issue your certificate. If they find the record, the CA issues the
certificate. If they don't find the record, the CA cannot issue the
certificate.
If the CA doesn't find a CAA record for the domain on the certificate
request, the CAA record search continues.
2. Step 2: CA checks the CAA RRs for the CNAME target
domain–my.blog.example.net
The search stops if the CA finds a CAA record for the CNAME target domain.
The CA checks to see if a CAA record authorizes them to issue your
certificate. If they find the record, the CA issues the certificate. If they
don't find the record, the CA cannot issue the certificate.
If the CA doesn't find a CAA record for the domain on the certificate
request, the CAA record search continues.
3. Step 3: CA checks the CAA RRs for the original domain's parent
domain–blog.example.com
The search stops if the CA finds a CAA record for the original domain's
parent domain. The CA checks to see if a CAA record authorizes them to issue
your certificate. If they find the record, the CA issues the certificate. If
they don't find the record, the CA cannot issue the certificate.
If the CA doesn't find a CAA record for the original domain's parent
domain, the CAA record search continues.
4. Step 4: CA checks the CAA RRs for the original domain's base
domain–example.com.
The search stops if the CA finds a CAA record for the original domain's base
domain. The CA checks to see if a CAA record authorizes them to issue your
certificate. If they find the record, the CA issues the certificate. If they
don't find the record, the CA cannot issue the certificate.
If the CA doesn't find a CAA record for the original domain's base
domain, the CAA record search continues.
5. Step 5: CA checks the CAA RRs for the original domain's top-level
domain–com.
The search stops.
* If the CA finds a CAA record for the original domain's top-level domain.
The CA checks to see if a CAA record authorizes them to issue your
certificate. If they find the record, the CA issues the certificate. If
they don't find the record, the CA cannot issue the certificate.
* If the CA doesn't find a CAA record for the original domain's top-level
domain, the CA issues the certificate.
sidebar. Additional information
* Ballot 214 – CAA Discovery CNAME Errata
* RFC 6844, "DNS Certification Authority Authorization (CAA) Resource Record",
January 2013
* RFC 6844 Errata ID:5065
In this section:
* Edit a domain's CAA resource record
SEARCH RESULTS FOR "":
Showing results from:
Select each product you want to include in your search:
Select All CertCentral Trust Lifecycle Manager Software Trust Manager IoT Trust
Manager Document Trust Manager DigiCert KeyLocker DigiCert ONE Device Trust
Manager
Apply filters close
Searching...
x
* DNS CAA resource record check
* How the CAA RR process works
* CA authorization for DigiCert, Thawte, GeoTrust, and RapidSSL brand
certificates
* What is a DNS CAA resource record?
* CAA RR property tags
* Authorize DigiCert to issue wildcard certificates for a domain
* How CAA RR and CNAME work together
SEARCH RESULTS
Searching...
x
Was this page helpful?
YesNo
Provide feedback
* Prev
* Next
© 2024 DigiCert, Inc.
Publication date:
ABOUT
DigiCert is the world's leading provider of scalable TLS/SSL, IoT and PKI
solutions for identity and encryption. The most innovative companies, including
89% of the Fortune 500 and 97 of the 100 top global banks, choose DigiCert for
its expertise in identity and encryption for web servers and Internet of Things
devices. DigiCert supports TLS and other digital certificates for PKI
deployments at any scale through its certificate lifecycle management solution,
CertCentral®. The company is recognized for its enterprise-grade certificate
management platform, fast and knowledgeable customer support, and market-leading
security solutions. For the latest DigiCert news and updates, visit
digicert.com or follow @digicert.
©2024 DigiCert, Inc. All rights reserved. DigiCert, its logo and CertCentral are
registered trademarks of DigiCert, Inc. Other names may be trademarks of their
respective owners.
COMPANY
About UsNewsroomContact Us
LEGAL
Terms of UsePrivacy PolicyCookie SettingsLegal RepositoryWebTrust Audits
RESOURCES
SupportToolsBlogFAQs