Subscription overview

Subscriptions are available in 1, 2, and 3-year terms.

The subscription term needs to be provided during ACME account pre-registration. This term determines the subscription expiry date beginning at the time the first domain is added, not at the time of pre-registration. You can specify the length of the extension term.

Only one active subscription can exist at a time per external account binding (EAB) credentials. Additionally, domains are available to any ACME account that share the same EAB credentials.

A certificate can only be issued within the subscription validity period. However, the certificate validity period will not be limited by the subscription expiry date.

We recommend extending the subscription before its expiry to ensure that when the ACME client requests a new certificate, it can be issued without interruption.

Starting and maintaining subscriptions

A subscription begins when you add your first domain to the ACME account (and so to all ACME accounts that share the same EAB details) and fees for your new subscription are immediately deducted from your Sectigo Reseller account. If a 2-year subscription is selected during ACME account pre-registration, the subscription expiration date is calculated as 730 days from the next calendar day.

The subscription term specified in the PREREGISTER request is automatically applied to calculate the subscription expiry date when the first domain is added under the associated EAB credentials.

Adding additional domains to your subscription does not affect the term of your subscription. These new domains inherit the existing subscription’s expiration date and are subject to pro-rated charges based on the number of full days remaining before subscription expiration.

For more information, see Add a domain.

You may need to remove a domain from your subscription if it is no longer required or was added by mistake. The removal process affects the associated domain in your subscription that was added free of charge.

The REMOVEDOMAIN action removes a specified Fully Qualified Domain Name (FQDN) or wildcard domain from your subscription. You can remove a domain from your subscription at any time during the subscription validity period or grace period.

Removing a domain name within 30 days from adding it will result in an automatic full refund of the order under which it was added.

Once the domain is removed, certificates can no longer be requested for the domain through associated ACME accounts.

For more information, see Remove a domain.

Extending subscriptions

A subscription must have at least one associated domain to be eligible for extension. Extensions can only be initiated within a window starting 100 days before the subscription’s expiration date and ending 30 days after the subscription’s expiration date (grace period).

Extending a subscription used by ACME accounts that share particular EAB details adds the specified number of additional years to the subscription period for all domains associated with the current subscription iteration, as indicated in your request. The maximum subscription term is 3 years.

The cost for 1, 2, or 3 year subscription, including each active domain, is immediately deducted from your Sectigo Reseller account.

When extending a subscription, any previously paid domain will continue to be charged, while any domain that was granted for free will continue to be free.

When an extension is completed, the subscription’s new expiry date will be calculated as follows:

New Subscription Expiry Date = Existing Subscription Expiry Date + Specified Duration

Before extending a subscription, any domain names that you do not want to renew should be removed.

Sample extension scenario

In the following scenario, prices are hypothetical and are used for illustrative purposes only:

  • You have two Fully-Qualified Domain Names (FQDNs) that are part of your active subscription.

  • ACME DV Domain is priced at $365 per year.

  • Subscription Expiry Timestamp is 28/08/2025 23:59:59 for both domains.

  • There are 5 days remaining until the subscription’s expiration.

After your subscription is extended:

  • The Subscription Expiry Timestamp is updated to 28/08/2026 23:59:59 for both domains.

  • Your account is charged $730 ($365 x 2 FQDNs).

  • There are 370 days remaining until the subscription’s expiration.

    Adding a new domain immediately after this will incur a pro-rated charge of $370 ($1 per day for 370 days) until the subscription’s expiration.

If the subscription is not extended before its expiration, or within the 30-day grace period, all domains from the expired subscription are also considered expired. These domains must be re-added to a new subscription in order for associated ACME clients to continue requesting certificates for them. If you start a new subscription without re-adding all expired domains, they will remain in your domains report but won’t be part of the subscription or incur charges.

For more information, see Extend subscriptions.

Organization pre-validations management

To enable OV SSL issuance via ACME, organization pre-validation is required. Organization pre-validation ensures that organization details are validated and automatically included in all Organization Validation (OV) SSL certificate requests for the domains linked to the organization during the pre-validation’s validity period.

For OV subscriptions, the domain can only be added if it is linked to a valid organization pre-validation.

If you already have an active organization pre-validation used outside of CaaS, you can also use it within CaaS.

We strongly recommend ensuring that the organization pre-validation has at least 30 days remaining before its expiration to avoid disruptions in OV SSL certificate issuance. This ensures that automated processes within CaaS, such as organization pre-validation renewal (if enabled), can continue seamlessly without requiring manual intervention.

To ensure uninterrupted issuance of OV SSL certificates during the subscription period, organization pre-validations must be renewed and re-assigned to domain names prior to expiration. This can be done manually or automatically through CaaS.

  • Manual renewal: Organization pre-validations can be renewed and re-assigned to domain names from your side. This approach requires you to track the expiration dates of all organization pre-validations, place orders for new ones, and re-assign them to the relevant domain names. While this method provides full control over the renewal process, it may involve significant administrative effort.

  • Auto-renewal: Automation streamlines the renewal process by eliminating your need to track expiration dates, place orders, or re-assign pre-validations. The system autonomously maintains the validity of organization pre-validations, ensuring seamless operation during the subscription period and throughout the post-expiration grace period. This approach reduces administrative overhead and ensures continuous validation of organizations without manual intervention.

Key benefits of auto-renewal include:

  • Continuous validation of organizations without manual intervention.

  • Seamless OV SSL certificate issuance for domains linked to validated organizations.

  • Reduced administrative overhead for managing organization validations.

Auto-renewal functionality is applied to all organizations used for the active subscription and remains operational for the duration of the subscription’s validity and grace period. The renewal mode, manual or auto-renewal, is configured at the account level, enforcing a uniform renewal strategy for all pre-validations associated with the Sectigo Partner account.

If the pre-validation associated with domain(s) added to CaaS is designated for EV or OV+S/MIME issuance, the automatic renewal process will downgrade it to OV issuance only during the next auto-renewal cycle.

If EV or S/MIME issuance is required, you may configure a separate organization pre-validation specifically for that to leverage the auto-renewal mode. Alternatively, you can opt for manual renewal within CaaS to retain the needed issuance type.

These approaches ensure that the required validation type is preserved based on your operational needs.

Auto-renewal is designed to renew only the data that was initially provided, validated, and configured, such as company information, applicant details, and assignment to the same domains originally linked to the pre-validation.

However, the UPDATEDOMAINS action must still be implemented, even if auto-renewal is configured for pre-validations.

For those rare cases when, for instance, organization details change, requiring re-validation of the organization and performing an out-of-cycle update for the domains, your actions will be needed to initiate re-validation providing the updated details and to re-assign the new organization pre-validation to the domain names, even if auto-renewal is configured.

For more information, see Update domains.

Domain details

The domain name added must be one of the following:

  • Fully-Qualified Domain Name (FQDN) — A complete, unambiguous, non-wildcard domain name that specifies the exact location of network resources.

  • Wildcard Domain Name — A domain record specified by using a * as the leftmost label of a domain name, allowing it to cover any subdomain at a single level under the specified domain, but not extending to subdomains of the higher levels.

For more information on FQDNs and Wildcards, see RFC 9499 - DNS Terminology.

In some instances, domain names may be eligible to be added to the subscription free of charge if they are associated with another domain in the subscription that is paid for. However, these domains must still be explicitly added to the subscription. The addition of domains may be free of charge in the following scenarios:

  • If there’s a wildcard domain in the current active subscription, adding its FQDN equivalent (i.e., removing the *.) will be free of charge, but not vice versa.

    Adding the www subdomain or any other subdomain covered by an existing wildcard domain in the subscription (i.e., replacing *. in the wildcard domain with www. or another label) will incur normal charges.

  • If there’s an FQDN in the current active subscription that has been paid for, adding its single www subdomain will be free of charge, but not vice versa.

    This does not apply if a wildcard domain is already present in the subscription.
Examples:

  • If domain.brand.com is added, www.domain.brand.com can be added for free thereafter.

  • If *.domain.brand.com is added, then domain.brand.com can be added for free, but adding brand.com will incur a charge.

  • If *.domain.brand.com is added, adding www.domain.brand.com, or subdomain.domain.brand.com later will incur a charge.

  • If www.domain.brand.com is added first, domain.brand.com will incur a charge.

  • If domain.brand.com is added first, *.domain.brand.com will incur a charge.

If a domain is erroneously removed from a subscription, adding it back will incur charges unless another domain in the subscription, which was paid for, can overwrite this behavior according to the above rules. For instance, if it is a single www subdomain of a registrable domain name that is still active in the subscription.

If the same domain is added to multiple EABs, the ADDDOMAIN and EXTENDDOMAINS actions will be chargeable for each domain instance.

For more details on adding a domain or extending a subscription, see Add a domain or Extend a subscription.