Request

Endpoint: !AutoReplaceCS

https://secure.trust-provider.com/products/!AutoReplaceCS

Use the POST method for this endpoint.

Submit parameters in the x-www-form-urlencoded format.

Request parameters

The following table displays the required, optional, and conditional parameters.

| Parameter | Requirement | Type | Max. length | Description |
|---|---|---|---|---|
| loginName | required | string | 64 chars | Your account username. This value is case sensitive. |
| loginPassword | required | string | 128 chars | Your account password. This value is case sensitive. |
| orderNumber | required | string | 128 chars | The order number of the certificate to replace. |
| contactEmailAddress | optional | string | 255 chars | An email address to include in the SAN:rfc822Name field of the resulting certificate. If specified with a value, the resulting certificate email address will be set to this value. If specified with a blank value, no email address will be included in the resulting certificate. If omitted, the resulting certificate email address defaults to the current certificate email address. |
| sanEmailAddress | optional | string | 255 chars | An email address to include in the SAN:rfc822Name field of the resulting certificate. Equivalent to the contactEmailAddress parameter. This parameter has been added only for usability of those partners who are requesting certificates through AutoApplyOrder API, where the sanEmailAddress parameter is used for the same purpose as the existing contactEmailAddress in this API. This parameter follows the same rules given for the preceding contactEmailAddress. If both email addresses are provided in the request, the contactEmailAddress prevails. |
| privateKeyFilename | optional | string | 255 chars | The .pvk filename. It should always be provided when .spc or .pvk files are being used instead of storing the certificate and private key in the CSP. |
| pkcs10 | conditional | string | 32767 chars | The PKCS#10, Base-64 encoded certificate signing request with or without the -----BEGIN xxxxx----- and -----END xxxxx----- header and footer. Required if the spkac parameter is absent. Do not use both parameters simultaneously. |
| spkac | conditional | string | 32767 chars | A Netscape, Mozilla, Firefox 'SPKAC' public key. Required if the pkcs10 parameter is absent. Do not use both parameters simultaneously. |
| csr | conditional | string | 32767 chars | The PKCS#10, Base64-encoded certificate signing request, with or without the -----BEGIN xxxxx----- and -----END xxxxx----- header and footer. Required if spkac or pkcs10 parameters are absent. Do not use both parameters simultaneously. |
| signatureHash | optional | string | 64 chars | The preferred signature hash algorithm to be used when issuing the certificate. The allowed values are: • NO_PREFERENCE: Let Sectigo decide. • INFER_FROM_CSR: If the CSR was signed using sha1WithRSAEncryption or md5WithRSAEncryption, then PREFER_SHA1. Otherwise, PREFER_SHA2 will be used. • PREFER_SHA2: If a suitable SHA-2 capable Sub-CA is available, Sectigo will use SHA-2. Otherwise, PREFER_SHA1 will be used. • PREFER_SHA1: If the current industry regulations and Sectigo policies permit, Sectigo will use SHA-1. Otherwise, REQUIRE_SHA2 will be used. • REQUIRE_SHA2: If a suitable SHA-2 capable Sub-CA is available, Sectigo will use SHA-2. Otherwise, issuance of the certificate will be blocked until a suitable Sub-CA becomes available. If omitted, the value defaults to NO_PREFERENCE. |
| caCertificateID | optional | integer | | Specifies a particular CA certificate or key. If specified, this parameter overrides Sectigo’s default choice of CA certificate or key to be used to issue this certificate. This functionality is only available by special agreement with Sectigo. |
| organizationName | optional | string | 64 chars | Specifies the organization name. |
| organizationalUnitName | optional | string | 64 chars | The organizational department name. |
| postOfficeBox | optional | string | 40 chars | The organization’s post office box. |
| streetAddress1 | optional | string | 128 chars | The street address where the organization operates. |
| streetAddress2 | optional | string | 128 chars | The second part of the company’s street address (if necessary). |
| streetAddress3 | optional | string | 128 chars | The third part of the company’s street address (if necessary). |
| localityName | optional | string | 128 chars | The city in which the organization operates. |
| stateOrProvinceName | optional | string | 128 chars | The state or province in which the organization operates. |
| postalCode | optional | string | 40 chars | The organization’s postal code. |
| countryName | optional | string | 2 chars | An ISO 3166 two-character country code. |
| hsmType | optional | string | 20 chars | The hardware type used to generate the keypair in a non-exportable format, for CSR and key attestation. The allowed values are: • YUBIKEY • LUNA • MARVELL_GOOGLE • FORTANIX • YUBIHSM2 • NSHIELD |
| keyAttestation | optional | string | 32767 chars | The Base64-encoded HSM-specific attestation package/blob proof that the keypair has been generated and stored in secure hardware. |
| showReplOrderNumber | optional | string | 1 char | Specifies whether to show the replacement order number. The allowed values are: • Y: Include the replacement order number. • N: Do not include the replacement order number. If omitted, the value defaults to N. |

Sample request

curl --location 'https://secure.trust-provider.com/products/!AutoReplaceCS' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'loginName=login_name' \
--data-urlencode 'loginPassword=login_password' \
--data-urlencode 'orderNumber=1234567' \
--data-urlencode 'csr=-----BEGIN NEW CERTIFICATE REQUEST-----
MIIEjDCCAnQCAQAwRzELMAkGA1UEBhMCQ0ExDzANBgNVBAcTBk90dGF3YTEVMBMG
A1UEChMMU0FTUFNwYWNlT3JnMRAwDgYDVQQDEwdMdW5hLTAyMIICIjANBgkqhkiG
...
qe591+WtJ7VKT/VUhGuu8vVqaxI09880/xOW9giuDQnNCAfo1/Mxz3vVAF42XsxT
8rKEA6jy/TKX947DJHV5yg==
-----END NEW CERTIFICATE REQUEST-----' \
--data-urlencode 'keyAttestation=MIIZsAYJKoZIhvcNAQcCoIIZoTCCGZ0CAQExADALBgkqhkiG9w0BBwGgghmFMIIErTCCA5WgAwIB
AgIBADANBgkqhkiG9w0BAQsFADB2MQswCQYDVQQGEwJDQTEWMBQGA1UEChMNQ2hyeXNhbGlzLUlU
...
zScxMWU3nK4lWVnL//Iungn5q9CzuHHXP/MDwDitexNoPYM/FRrvp9oQybzK2VihJGfa83KwvJjH
aEvaGOU8Yg2k1cirvlTznE5nLNcWxm4xAA==' \
--data-urlencode 'hsmType=LUNA'

Response

The request is successful when the server returns a response with the status code 0.

Any status code less than 0 indicates an error condition.

The list of codes and their descriptions can be found in Error codes.

If the status code is less than 0, the output will be displayed as text/plain.

The first line contains the error code, and the second line contains the error description.

Sample successful response

Success response with the code 0.

0

Sample error response

-20
The Certificate has already been Revoked!
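
The request rules and the two-line response format described above can be checked on the client before and after the call. The following is an added example, not code from Sectigo or from this page: the function names are hypothetical, the length table omits the organization and address fields, and "exactly one of pkcs10, spkac, csr" is this example's reading of the conditional rules. Because loginPassword travels in the form body, the encoder also produces a redacted copy for logging.

```python
from urllib.parse import urlencode

# Limits and allowed values copied from the parameter table on this page
# (organization and address fields left out to keep the example short).
MAX_LEN = {"loginName": 64, "loginPassword": 128, "orderNumber": 128,
           "contactEmailAddress": 255, "sanEmailAddress": 255, "pkcs10": 32767,
           "spkac": 32767, "csr": 32767, "signatureHash": 64, "hsmType": 20,
           "keyAttestation": 32767, "showReplOrderNumber": 1}
ALLOWED = {
    "signatureHash": {"NO_PREFERENCE", "INFER_FROM_CSR", "PREFER_SHA2",
                      "PREFER_SHA1", "REQUIRE_SHA2"},
    "hsmType": {"YUBIKEY", "LUNA", "MARVELL_GOOGLE", "FORTANIX",
                "YUBIHSM2", "NSHIELD"},
    "showReplOrderNumber": {"Y", "N"},
}
REQUIRED = ("loginName", "loginPassword", "orderNumber")
KEY_PARAMS = ("pkcs10", "spkac", "csr")  # assumption: exactly one must be sent


def check_params(params):
    """Return a list of problems; an empty list means the request is well formed."""
    problems = [f"missing required parameter {n}" for n in REQUIRED if not params.get(n)]
    supplied = [n for n in KEY_PARAMS if params.get(n)]
    if len(supplied) != 1:
        problems.append(f"supply exactly one of pkcs10, spkac, csr; got {supplied}")
    for name, value in params.items():
        if name in MAX_LEN and len(value) > MAX_LEN[name]:
            problems.append(f"{name} exceeds {MAX_LEN[name]} chars")
        if name in ALLOWED and value not in ALLOWED[name]:
            problems.append(f"{name} has unsupported value {value!r}")
    return problems


def encode_body(params, redact=False):
    """x-www-form-urlencoded body; redact=True returns a copy that is safe to log."""
    shown = dict(params)
    if redact:
        shown["loginPassword"] = "REDACTED"
    return urlencode(shown)


def parse_response(text):
    """Split the text/plain reply into (status code, error description or None)."""
    lines = text.strip().splitlines()
    if not lines:
        raise ValueError("empty response body")
    code = int(lines[0].strip())
    return code, (lines[1].strip() if code < 0 and len(lines) > 1 else None)
```
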

Error codes

The following table outlines error responses returned by the AutoReplaceCS API endpoint. Each error response consists of an errorCode and an errorMessage indicating why the request failed.

| Error Code | Error Message | Description |
|---|---|---|
| -1 | Request was not made over HTTPS! | The request must use HTTPS protocol. |
| -2 | 'xxxx' is an unrecognized argument! | The provided argument is not recognized. |
| -3 | The 'xxxx' argument is missing! | The required argument is missing from the request. |
| -4 | The value of the 'xxxx' argument is invalid! | The argument value does not meet validation requirements. |
| -14 | An unknown error occurred! | An unknown error occurred. |
| -16 | Incorrect login details, account is locked, password has expired or your source IP is blocked. Permission denied! | Authentication has failed due to one of the specified reasons. Verify your login credentials or check account restrictions. |
| -17 | Request used GET rather than POST! | The request method should be POST. |
| -20 | The Certificate has already been Revoked! | The certificate has already been revoked. |
| -21 | The Certificate has already been Replaced! | The certificate has already been replaced. |
| -22 | The Certificate is currently being Issued! | The required certificate is in the process of being issued. |
| -31 | Either provide pkcs10 or spkac. Do not provide both. | The request must include either pkcs10 or spkac, but not both. |
| -32 | Unsupported key size! | The key size is not supported. |
| -129 | Error in key attestation verification 'Context' | The provided key attestation could not be verified. |