OV SSL issuance

This page outlines the steps required to obtain OV SSL certificates using Certificates as a Service (CaaS). The OV workflow is very similar to the DV workflow.

The following illustration depicts this workflow, which is explained in more detail in the sections below.

How to start getting OV certificates

For more information on the topics covered in this section, see Related documentation.

Prerequisites

  • A Sectigo Reseller account with CaaS enabled

  • cURL

  • An ACME client that supports External Account Binding (EAB) and conforms to the RFC 8555 standard

  • A domain name

  • A DNS provider for the domain name that is supported by the ACME client

  • Organization pre-validation renewal mode (automatic or manual), set once at the Sectigo Reseller account level; it applies to all OV subscriptions in CaaS

  • One or more organization pre-validations set up

Step one: Create an ACME account for your customer

Call the PREREGISTER action API to create the customer’s ACME account.

| Variable Name | Type | Max. Length | Description |
| --- | --- | --- | --- |
| loginName | string | 64 chars | Your account username. This value is case sensitive. |
| loginPassword | string | 128 chars | Your account password. This value is case sensitive. |
| action | string | 30 chars | The action to be taken. In this case, the value is: PREREGISTER. |
| serverUrl | string | 32 chars | The Sectigo ACME server to be used. Available ACME server URLs can be fetched using the LISTSERVERS action. |
| years | integer | | Specifies the subscription duration in years. The possible values are: 1, 2, 3. If not specified, the value defaults to 1 year. |
| days | integer | | Specifies the subscription duration in days. The possible values are: 365, 730, 1095. This is an alternative to the years parameter. Either parameter may be used, but if both years and days are provided, only the years parameter is used. |

Sample request

curl --location --request POST 'https://secure.trust-provider.com/products/!ACMEAdmin' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'loginName=loginName' \
--data-urlencode 'loginPassword=loginPassword' \
--data-urlencode 'action=PREREGISTER' \
--data-urlencode 'serverURL=https://acme.sectigo.com/v2/OV'

Success response

{
  "Accounts": [
    {
      "acmeAccountID": "ABc_123xYZ456",
      "accountStatus": "pending",
      "eabMACKeyb64url": "ghM4321abc_D8765xyZ",
      "eabMACIDb64url": "ZyX321_abc654DeF1"
    }
  ]
}

Step two: Add a domain to the subscription for the created ACME account

Call the ADDDOMAIN action API to link a Fully Qualified Domain Name (FQDN) or wildcard domain to the customer’s ACME account.

The request for OV is similar to the request for DV, except for one parameter: ovAnchorOrderNumber. This parameter must be specified to link the domain to an existing organization pre-validation.

| Variable Name | Type | Max. Length | Description |
| --- | --- | --- | --- |
| loginName | string | 64 chars | Your account username. This value is case sensitive. |
| loginPassword | string | 128 chars | Your account password. This value is case sensitive. |
| action | string | 30 chars | The action to be taken. In this case, the value is: ADDDOMAIN. |
| acmeAccountID | string | 32 chars | Your Base64 URL-encoded ACME account ID. |
| domainName | string | 255 chars | Your FQDN or wildcard domain name. |
| quoteOnly | string | 1 char | Indicates whether to return a quote or perform the actual action. The possible values are: N (default), performs the actual ADDDOMAIN action; Y, returns a quote for the requested action, valid at the time of request, but does not perform any action. |
| ovAnchorOrderNumber | string | 128 chars | An organization pre-validation ID to associate with the domains. |
| addAssociatedFQDN | string | 1 char | Indicates whether to include an FQDN associated with the domain being added. The possible values are: N (default), adds only the specified domain name, in which case a check is performed to determine whether it is eligible to be added for free; Y, also adds the domain name allowed for free based on the domain type being added. See Domain Details for more details. |

The acmeAccountID should be set to the acmeAccountID value that you received in the response from step one when pre-registering this ACME account.

Sample request

curl --location --request POST 'https://secure.trust-provider.com/products/!ACMEAdmin' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'loginName=loginName' \
--data-urlencode 'loginPassword=loginPassword' \
--data-urlencode 'action=ADDDOMAIN' \
--data-urlencode 'acmeAccountID=ABc_123xYZ456' \
--data-urlencode 'domainName=domain.com' \
--data-urlencode 'ovAnchorOrderNumber=<organization-pre-validation-ID>'

Success responses

Success response

{
    "success": true,
    "orderNumber": 123456789,
    "cost": 200.00,
    // displayed price is for sample purposes only
    "currency": "USD",
    "domains": [
        {
            "domainName": "domain.com"
        }
    ]
}

Success response with quoteOnly set to Y

{
    "success": true,
    "cost": 200.00,
    // displayed price is for sample purposes only
    "currency": "USD",
    "domains": [
        {
            "domainName": "domain.com"
        }
    ]
}

Repeat this step to add additional domains.

Starting a subscription is not required to register an ACME account (step four). However, a subscription is necessary to request a certificate (step five). Since some ACME clients allow both account registration and certificate requests in a single command, we recommend completing both steps beforehand.
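Steps one and two chained in Python, as an added example that is not part of the Sectigo documentation or tooling: it posts the same form fields as the two sample requests above, keeps the EAB MAC key out of logs, refuses an OV ADDDOMAIN without ovAnchorOrderNumber, and checks that a quoteOnly=Y call returns no orderNumber. It assumes the serverURL spelling used in the sample request; the FakeAdmin transport, run_offline_demo function and OV-PREVALIDATION-ID-PLACEHOLDER value are constructed here so the example runs offline against the sample responses shown above.

```python
import json
import urllib.parse
import urllib.request
ADMIN_URL = "https://secure.trust-provider.com/products/!ACMEAdmin"

def http_post_form(url, fields):
    # Live transport: reseller credentials travel in the POST body, never in the query string.
    req = urllib.request.Request(url, data=urllib.parse.urlencode(fields).encode(), method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def preregister(login, password, server_url, post=http_post_form):
    acct = post(ADMIN_URL, {"loginName": login, "loginPassword": password,
                            "action": "PREREGISTER", "serverURL": server_url})["Accounts"][0]
    # Step one: return the account ID and EAB pair; eabMACKeyb64url is a shared secret, never log it.
    return {"acmeAccountID": acct["acmeAccountID"], "status": acct["accountStatus"],
            "eab_kid": acct["eabMACIDb64url"], "eab_hmac_key": acct["eabMACKeyb64url"]}

def add_domain(login, password, acme_account_id, domain, ov_anchor, quote_only=False,
               post=http_post_form):
    # Step two: ADDDOMAIN; OV differs from DV only by the mandatory ovAnchorOrderNumber.
    if not ov_anchor:
        raise ValueError("OV subscriptions require ovAnchorOrderNumber")
    resp = post(ADMIN_URL, {"loginName": login, "loginPassword": password, "action": "ADDDOMAIN",
                            "acmeAccountID": acme_account_id, "domainName": domain,
                            "ovAnchorOrderNumber": ov_anchor, "quoteOnly": "Y" if quote_only else "N"})
    if not resp.get("success"):
        raise RuntimeError(f"ADDDOMAIN failed for {domain}: {resp}")
    return resp

class FakeAdmin:
    # Constructed offline transport: replays this page's sample responses and records each request.
    def __init__(self): self.sent = []
    def __call__(self, url, fields):
        self.sent.append(fields)
        if fields["action"] == "PREREGISTER":
            return {"Accounts": [{"acmeAccountID": "ABc_123xYZ456", "accountStatus": "pending",
                                  "eabMACKeyb64url": "ghM4321abc_D8765xyZ", "eabMACIDb64url": "ZyX321_abc654DeF1"}]}
        resp = {"success": True, "cost": 200.00, "currency": "USD", "domains": [{"domainName": fields["domainName"]}]}
        if fields["quoteOnly"] == "N":
            resp["orderNumber"] = 123456789  # a quote (quoteOnly=Y) never creates an order
        return resp

def run_offline_demo(ov_anchor="OV-PREVALIDATION-ID-PLACEHOLDER"):
    fake = FakeAdmin()  # swap in post=http_post_form to run the same two steps for real
    acct = preregister("loginName", "loginPassword", "https://acme.sectigo.com/v2/OV", post=fake)
    quote = add_domain("loginName", "loginPassword", acct["acmeAccountID"], "domain.com", ov_anchor, quote_only=True, post=fake)
    order = add_domain("loginName", "loginPassword", acct["acmeAccountID"], "domain.com", ov_anchor, post=fake)
    return acct, quote, order, fake.sent
```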

Step three: Provide your customer with ACME server URL and EAB details

Provide your customer with the ACME server URL and EAB credentials that you received in step one.

Step four: Customer registers an ACME account

The customer uses their EAB credentials to register an ACME account with the Sectigo ACME server. This step completes the creation of the ACME account, binding it to your Sectigo Partner account.

The exact command can be found in the ACME client’s vendor documentation.

Step five: Customer requests a certificate

The customer requests a certificate with the Sectigo ACME server.

The exact command can be found in the ACME client’s vendor documentation.

Once the command is run, the following process is handled automatically through communication between the ACME client and the ACME server.

  1. The ACME client sends a certificate request to Sectigo’s ACME server.

    1. Wildcard, single-domain, and multi-domain certificates are available.

    2. All required domain names must be added to the subscription before enrollment and explicitly included in the certificate request.

  2. Domain ownership is verified through Domain Control Validation (DCV) using the DNS-01 or HTTP-01 methods.

  3. Once validation is complete, the ACME client submits a Certificate Signing Request (CSR).

  4. The issued certificate is downloaded.

Some ACME clients also offer built-in functionality to automatically install the certificate on the server.

Step six: Ensure automatic renewal is set up

Most ACME clients support pre-configured automatic renewal mechanisms. To ensure certificates are renewed automatically and to prevent expiration, review your ACME client’s automatic renewal mechanisms to determine if you need to manually configure a cron job or scheduled task to run the renewal process at regular intervals. Exact instructions for setting up automatic renewal can be found in the ACME client’s vendor documentation.

Your choice of ACME client depends primarily on your operating system, server environment, and required features. Below is a list of the most commonly used ACME clients by our customers.