Request

Endpoint: !AutoReplaceSSL

https://secure.trust-provider.com/products/!AutoReplaceSSL

Use the POST method for this endpoint.

Submit parameters in the x-www-form-urlencoded format.

When you call this API, it will not necessarily revoke any previous certificate(s) on the order.

If you want to make sure that the certificate being replaced is revoked, use the AutoRevokeSSL endpoint.

Request parameters

The following table displays the required, optional, and conditional parameters.

Parameter Requirement Type Max. Length Description

loginName

required

string

64 chars

Your account username.

This value is case sensitive.

loginPassword

required

string

128 chars

Your account password.

This value is case sensitive.

orderNumber

required

integer

The order number of the certificate to be replaced.

The order number of a certificate ordered previously using !AutoApplySSL.

exactOrder

optional

char

1 char

Specifies whether Sectigo will use the orderNumber passed to the API, and ignore related orders.

The allowed values are:

  • Y — Sectigo will use only the orderNumber passed to the API, and ignore related orders.

  • N — Sectigo won’t use only the orderNumber passed to the API.

serverSoftware

optional

integer

Specifies the web server on which the SSL certificate will be installed.

The allowed values are:

  • 1 — AOL

  • 2 — Apache/ModSSL

  • 3 — Apache-SSL (Ben-SSL, not Stronghold)

  • 4 — C2Net Stronghold

  • 5 — Cobalt Raq

  • 6 — Covalent Server Software

  • 7 — IBM HTTP Server

  • 8 — IBM Internet Connection Server

  • 9 — iPlanet

  • 10 — Java Web Server (Javasoft/Sun)

  • 11 — Lotus Domino

  • 12 — Lotus Domino Go!

  • 13 — Microsoft IIS 1.x to 4.x

  • 14 — Microsoft IIS 5.x to 6.x

  • 15 — Netscape Enterprise Server

  • 16 — Netscape FastTrack

  • 17 — Novell Web Server

  • 18 — Oracle

  • 19 — Quid Pro Quo

  • 20 — R3 SSL Server

  • 21 — Raven SSL

  • 22 — RedHat Linux

  • 23 — SAP Web Application Server

  • 24 — Tomcat

  • 25 — Website Professional

  • 26 — WebStar 4.x and later

  • 27 — WebTen (from Tenon)

  • 28 — Zeus Web Server

  • 29 — Ensim

  • 30 — Plesk

  • 31 — WHM/cPanel

  • 32 — H-Sphere

  • 33 — Cisco 3000 Series VPN Concentrator

  • 34 — Citrix

  • 35 — Microsoft IIS 7.x and later

  • 36 — nginx

  • -1 — Other

domainNames

optional

string

32767 chars

(Multi-domain SSL and Unified Communications certificates only) A comma-separated or whitespace-separated list of domain names to be placed into multi-domain SSL certificates.

For non-EV certificates, IP addresses are also allowed.

If the CSR’s Subject Alternative Name (SAN) extension includes one or more domain names, and this domainNames parameter is omitted, then the domain names from the CSR will be used.

If the CSR’s SAN extension includes one or more domain names, and this domainNames parameter is specified, then the domain names from the CSR will be ignored.

If the CSR’s SAN extension is not present, or is present but includes zero domain names, then this domainNames parameter must be present.

Commas and/or whitespace may need to be manually URL-encoded (for example, %2C for a comma), depending on whether or not the calling environment does this automatically.

primaryDomainName

optional

string

64 chars

(Multi-domain SSL certificates and Unified Communications certificates only) Specifies the primary domain name.

One of the domain names listed in domainNames, which should appear as the Common Name (CN) in the Subject DN of the resulting EV multi-domain SSL certificate, multi-domain SSL certificate or Unified Communications certificate.

If this parameter is omitted for multi-domain certificates, no Common Names will be included in the resulting certificate.

If this parameter is omitted for Unified Communications certificates, the value of the CSR’s Common Name will be used as the primary domain name instead.

maxSubjectCNs

optional

integer

Specifies the number of Common Names.

This is optional for multi-domain SSL certificates and ignored for all other certificate types.

If omitted, the value defaults to 1, unless primaryDomainName is longer than 64 bytes in which case it defaults to 0.

If this parameter is set to 1, there will be only one Common Name in the Subject DN of the resulting EV multi-domain SSL certificate, multi-domain SSL certificate, or Unified Communications certificate. It will have the value provided by primaryDomainName. In this case, primaryDomainName must have a value.

If this parameter is equal to 0, no Common Names will be included in the resulting certificate.

All the domain names listed in domainNames will always be included as DNS name related components of the SAN extension in the resulting multi-domain SSL certificate, EV Multi-Domain SSL certificate or Unified Communications certificates.

commonName

optional

string

64 chars

(Single Domain SSL certificates) Specifies the domain name.

If a Common Name is specified here and in the csr, the value of this parameter will be used.

csr

optional

string

32767 chars

The Base64-encoded certificate signing request, with or without the -----BEGIN xxxxx----- and -----END xxxxx----- header and footer. For more information, see CSR parameter structure.

If this parameter is omitted, the CSR from the original order will be used instead. A uniqueValue will be generated and returned unless one is supplied.

For the HTTP_CSR_HASH and CNAME_CSR_HASH dcvMethods we have introduced support for Request Tokens as defined in the CABF Baseline Requirements (version 1.4.1 or later) and as described in Domain Control Validation. From 20th July 2017, the use of unique Request Tokens, the new /.well-known/pki-validation path, and the underscore prepended to the NAME for the CNAME will be required for the HTTP_CSR_HASH and CNAME_CSR_HASH dcvMethods.

Request tokens may be ensured to be unique by:

  • Generating a new CSR each time.

  • Providing a previously used CSR and omitting the uniqueValue parameter. Sectigo will generate a uniqueValue and this will be returned.

  • Passing in the uniqueValue parameter in addition to the CSR. This will allow the re-use of a CSR.

uniqueValue

optional

string

20 chars

Specifies a unique alphanumeric value.

The uniqueValue is incorporated into the Request Token used with the HTTP_CSR_HASH and CNAME_CSR_HASH dcvMethods.

uniqueValue is used to ensure that the Request Token for this certificate is unique.

Request Tokens are as defined in the CABF Baseline Requirements (version 1.4.1 or later) and used in the manner described in Domain Control Validation. If the uniqueValue parameter is omitted, and if the same CSR has previously been passed to Sectigo as part of a certificate order, Sectigo will generate uniqueValue and return it in the response from this API call.

If the uniqueValue parameter is provided, and if the same CSR has previously been passed to Sectigo as part of a certificate order, an error code -55 will be returned if you are attempting to reuse the same combination of CSR and uniqueValue.

An error code -55 is returned if this parameter is provided with a CSR that has previously been passed to Sectigo as part of a certificate order. The user cannot reuse the same combination of CSR and uniqueValue.

prioritiseCSRValues

optional

char

1 char

Specifies which values to use if there are duplicates. For example, if a Postal Code is specified in both the CSR and as a separate variable.

The allowed values are:

  • Y — Prioritise CSR values.

  • N — Do not prioritise CSR values.

If omitted, the value defaults to Y.

signatureHash

optional

string

64 chars

The preference for the signature hash algorithm to be used when issuing the certificate.

The allowed values are:

  • NO_PREFERENCE — Let Sectigo decide.

  • INFER_FROM_CSR — If the CSR was signed using sha1WithRSAEncryption or md5WithRSAEncryption, then PREFER_SHA1. Otherwise, the value is PREFER_SHA2.

  • PREFER_SHA2 — If a suitable SHA-2 capable Sub-CA is available, Sectigo will use SHA-2. Otherwise, the value is PREFER_SHA1.

  • PREFER_SHA1 — If the current industry regulations and Sectigo policies permit, Sectigo will use SHA-1. Otherwise, the value is REQUIRE_SHA2.

  • REQUIRE_SHA2 — If a suitable SHA-2 capable Sub-CA is available, Sectigo will use SHA-2. Otherwise, the issuance of the certificate will be blocked until a suitable Sub-CA becomes available.

If omitted, the value is NO_PREFERENCE.

organizationName

optional

string

64 chars

The organization name.

If the organizational name is specified here and prioritiseCSRValues is set to N, this value will be used instead of the organization name in the CSR.

organizationalUnitName

optional

string

64 chars

The organizational unit name.

If an organizational unit name is specified here and in the CSR, prioritiseCSRValues indicates which value will be used.

postOfficeBox

optional

string

40 chars

The organization post office box.

If a post office box is specified here and in the CSR, prioritiseCSRValues indicates which value will be used.

streetAddress1

optional

string

128 chars

The street address where the organization is incorporated.

If a street address is specified here and in the CSR, prioritiseCSRValues indicates which value will be used.

streetAddress2

optional

string

128 chars

The second part of the company’s street address (if necessary).

If the second part of the company’s street address is specified here and in the CSR, prioritiseCSRValues indicates which value will be used.

streetAddress3

optional

string

128 chars

The third part of the company’s street address (if necessary).

If the third part of the company’s street address is specified here and in the CSR, prioritiseCSRValues indicates which value will be used.

localityName

optional

string

128 chars

The city in which the organization is incorporated.

If the locality name is specified here and in the CSR, prioritiseCSRValues indicates which value will be used.

stateOrProvinceName

optional

string

128 chars

The state or province in which the organization operates.

If a state or province name is specified here and in the CSR, prioritiseCSRValues indicates which value will be used.

postalCode

optional

string

40 chars

The company’s postal code.

If a postal code is specified here and in the CSR, prioritiseCSRValues indicates which value will be used.

countryName

optional

string

2 chars

The company’s country name.

This parameter should be specified using the ISO 3166 two-character code.

If a country name is specified here and prioritiseCSRValues is set to N, this value will be used instead of the country name in the CSR.

dunsNumber

optional

string

20 chars

DUNS number — a unique nine-digit identifier for businesses, provided by the company Dun & Bradstreet.

companyNumber

optional

string

64 chars

The company registration number.

joiLocalityName

optional

string

128 chars

(EV certificates only) The jurisdiction of the city in which the organization is incorporated.

joiStateOrProvinceName

optional

string

128 chars

(EV certificates only) The jurisdiction of the state or province in which the company is incorporated.

joiCountryName

optional

string

2 chars

(EV certificates only) The jurisdiction of the country in which the company is incorporated.

assumedName

optional

string

64 chars

(EV certificates only) An optional name under which the organization operates that is different from its legal name. This is a so-called DBA (doing business as) name for the company (if any).

dateOfIncorporation

optional

string

10 chars

(EV certificates only) The date of incorporation (YYYY-MM-DD) of the company. This is useful information for validation purposes.

dcvMethod

optional

string

32 chars

The Domain Control Validation method.

The allowed values are:

  • EMAIL

  • HTTP_CSR_HASH

  • HTTPS_CSR_HASH

  • CNAME_CSR_HASH

  • DNSTXT_RANDOM_VALUE

If omitted, the value defaults to EMAIL.

For more information, see Domain Control Validation.

Continued use of email-based DCV methods is discouraged. In line with CA/B Forum Ballot SC-090, all email-based DCV methods are on a deprecation path, with full industry deprecation expected by early 2028.

Plan for earlier enforcement and migrate to DNS-based or HTTP-based validation methods in advance.

dcvEmailAddress

optional

string

255 chars

(Single-domain SSL certificates only) Domain Control Validation for an email address.

If specified, this email address must be an acceptable email address with which to perform Domain Control Validation (DCV) for this certificate.

For more information, see GetDCVEmailAddressList.

Continued use of email-based DCV methods is discouraged. In line with CA/B Forum Ballot SC-090, all email-based DCV methods are on a deprecation path, with full industry deprecation expected by early 2028.

Plan for earlier enforcement and migrate to DNS-based or HTTP-based validation methods in advance.

Alternative DCV mechanisms are now available. For more information, see Domain Control Validation.

dcvEmailAddresses

conditional

string

32767 chars

(Multi-domain SSL certificates and Unified Communications certificates only) The comma or white-space separated list of DCV email addresses to be used to perform Domain Control Validation for each domain in this certificate.

The order in which these email addresses are listed must be exactly the same as the order of the domain names in the certificate request. For more information, see the preceding domainNames parameter.

Alternative DCV mechanisms are now available. For more information, see Domain Control Validation.

The allowed values for each domain:

  • HTTPCSRHASH

  • CNAMECSRHASH

  • DNSTXTRNDVAL

The allowed magic tokens if all domains in the order need to be set to the same alternative DCV method:

  • ALLHTTPCSRHASH

  • ALLCNAMECSRHASH

  • ALLDNSTXTRNDVAL

The magic token must be the only value passed to the parameter for it to work.

If dcvEmailAddresses is specified, validationTokens is not required.

dcvTemplateID

optional

integer

Specifies whether to override Sectigo’s default choice of DCV email template to be used to validate the called certificate.

Contact your account manager to arrange the creation of one or more custom DCV email templates that can be referenced through this parameter.

Continued use of email-based DCV methods is discouraged. In line with CA/B Forum Ballot SC-090, all email-based DCV methods are on a deprecation path, with full industry deprecation expected by early 2028.

Plan for earlier enforcement and migrate to DNS-based or HTTP-based validation methods in advance.

callBackTemplateID

optional

integer

An account can contain multiple callback email templates.

Contact Support for the callback template.

If specified, this overrides Sectigo’s default choice of callback email template to be used to validate this certificate.

Contact your account manager to arrange one or more custom callback email templates that can be referenced through this parameter.

callBackTemplateID prevails over languageName if both of these parameters are provided.

languageName

conditional

string

2 chars

The language name, specified using ISO639-1 two-character language code.

If omitted, the default language is English.

An account can contain multiple email templates in different languages for the callback and Enterprise Authentication for the instant issuance.

Contact Support for the email templates.

If callBackTemplateID is specified, languageName parameter is ignored in the callback template selection.

If maCreationTemplateID is specified, languageName parameter is ignored in the template selection for Enterprise Authentication for the instant issuance.

You may specify exactly one of the following values:

  • en — English

  • zh — Chinese-Mandarin

  • da — Danish

  • nl — Dutch

  • fr — French

  • de — German

  • it — Italian

  • ja — Japanese

  • ko — Korean

  • pt — Portuguese

  • ru — Russian

  • es — Spanish

  • sv — Swedish

  • tr — Turkish

validationTokens

conditional

string

32767 chars

(Multi-Domain SSL and Unified Communications certificates only) Specifies validation tokens used to perform Domain Control Validation (DCV) for each domain.

You can use one of the following magic tokens:

  • ALLHTTPCSRHASH

  • ALLCNAMECSRHASH

  • ALLDNSTXTRNDVAL

The magic token must be the only value passed to the parameter for it to work.

The comma or whitespace separated list of validation tokens can be used to perform Domain Control Validation for each domain in request.

The order of tokens must exactly match the order of the domain names specified in the domainNames parameter.

Alternative DCV mechanisms are now available. For more information, see Domain Control Validation.

The allowed values for each domain:

  • HTTPCSRHASH

  • CNAMECSRHASH

  • DNSTXTRNDVAL

If validationTokens is specified, dcvEmailAddresses is not required.

caCertificateID

optional

integer

Specifies a particular CA certificate and key to be used for certificate issuance.

If specified, the caCertificateID parameter overrides Sectigo’s default choice of CA certificate and key to be used to issue this certificate.

This functionality is only available by special agreement with Sectigo.

isCustomerValidated

optional

char

1 char

Specifies whether the customer has already been validated by the Web Host.

The allowed values are:

  • Y — The Web Host has validated the customer.

  • N — Sectigo will validate the customer.

If omitted, the value defaults to N.

showCertificateID

optional

char

1 char

Specifies whether to include the certificate ID of the SSL certificate generated by the order in the response.

The allowed values are:

  • Y — The certificate ID of the SSL certificate generated by the order is also part of the resultSet.

  • N — The certificate ID is not part of the resultSet.

If omitted, the value defaults to N.

foreignOrderNumber

optional

char

64 chars

The external order number.

This identifier can be returned by some of our other APIs to aid in integration with partner systems.

If foreignOrderNumber has been assigned to this order on a previous occasion, it will be updated with this new value.

checkFONIsUnique

optional

char

1 char

Specifies whether to check the uniqueness of the foreignOrderNumber parameter.

The allowed values are:

  • Y — The foreignOrderNumber parameter (if specified) must not already have been used for any order placed by this account.

  • N — No check of uniqueness is performed for the foreignOrderNumber parameter.

responseFormat

optional

char

1 char

Specifies the response format.

The allowed values are:

  • 0 — Newline-delimited parameters.

  • 1 — URL-encoded parameters.

If omitted, the value defaults to 0.

appRepForename

optional

string

64 chars

(OV certificates only) The applicant representative’s name which is used for a callback.

This parameter is required when Sectigo performs the organizational callback.

appRepSurname

optional

string

64 chars

(OV certificates only) The applicant representative’s surname which is used for a callback.

This parameter is required when Sectigo performs the organizational callback.

appRepEmailAddress

optional

string

255 chars

(OV certificates only) The applicant representative’s email address which is used for a callback.

This parameter is required when Sectigo performs the organizational callback.

appRepTelephone

optional

string

32 chars

(OV certificates only) The applicant representative’s phone number which is used for a callback.

This parameter is required when Sectigo performs the organizational callback.

appRepTitle

optional

string

64 chars

(OV certificates only) The applicant representative’s title which is used for a callback.

appRepFax

optional

string

32 chars

(OV certificates only) The applicant representative’s fax number which is used for a callback.

appRepOrganizationName

optional

string

255 chars

(OV certificates only) The applicant representative’s organization name.

Do not specify this field unless the applicant representative’s organization name or address details are different from the organization name or address details that have been requested to appear in the certificate.

appRepOrganizationalUnitName

conditional

string

64 chars

(OV certificates only) The applicant representative’s organizational unit name.

If appRepOrganizationName is not specified, this parameter will be ignored.

appRepStreetAddress1

conditional

string

128 chars

(OV certificates only) The applicant representative’s street address.

If appRepOrganizationName is not specified, this parameter will be ignored.

appRepStreetAddress2

conditional

string

128 chars

(OV certificates only) The second part of the applicant representative’s street address (if necessary).

If appRepOrganizationName is not specified, this parameter will be ignored.

appRepStreetAddress3

conditional

string

128 chars

(OV certificates only) The third part of the applicant representative’s street address (if necessary).

If appRepOrganizationName is not specified, this parameter will be ignored.

appRepPostOfficeBox

conditional

string

128 chars

(OV certificates only) The applicant representative’s post office box.

If appRepOrganizationName is not specified, this parameter will be ignored.

appRepLocalityName

conditional

string

128 chars

(OV certificates only) The city in which the applicant representative operates.

If appRepOrganizationName is not specified, this parameter will be ignored.

appRepStateOrProvinceName

conditional

string

128 chars

(OV certificates only) The applicant representative’s state or province.

If appRepOrganizationName is not specified, this parameter will be ignored.

appRepPostalCode

conditional

string

40 chars

(OV certificates only) The applicant representative’s postal code.

If appRepOrganizationName is not specified, this parameter will be ignored.

appRepCountryName

conditional

char

2 chars

The applicant representative’s country code. It must be an ISO 3166 two-character country code.

If appRepOrganizationName is not specified, appRepCountryName will be ignored.

callbackMethod

optional

char

1 char

The callback method for verification of applicant representative’s identity.

The allowed values are:

  • T — The appRepTelephone number will be called to communicate a callback verification code which will be used to confirm the identity of the applicant representative.

  • L — A letter, containing a callback verification code, will be posted to the applicant representative.

isAppRepValidated

optional

char

1 char

Specifies who is accountable for the verification of the applicant representative’s contact details before the callback is performed.

The allowed values are:

  • Y — The Web Host Reseller has verified that the applicant representative’s contact details are legitimate, using a data source other than the applicant. Only Web Host Resellers with sufficient RA privileges may specify Y.

  • N — Sectigo will verify the applicant representative’s contact details before performing the callback using the method specified by callbackMethod.

isCallbackCompleted

optional

char

1 char

Specifies who is accountable for performing the callback.

The allowed values are:

  • Y — The Web Host has completed the callback and verified the identity of the applicant representative. Only Web Host Resellers with sufficient RA privileges may specify Y. If isCallbackCompleted=Y is specified, then isAppRepValidated=Y must also be specified.

  • N — Sectigo will perform the callback using the method specified by callbackMethod.

showCertificateState

optional

char

1 char

Specifies whether to show the certificate state.

The allowed values are:

  • Y — The state of the SSL certificate generated by the order is also part of the result set.

  • N — The state of the certificate generated by the order is not part of the result set.

omitAdditionalFQDN

optional

char

1 char

(Single-domain SSL certificates only) Specifies whether to omit additional FQDNs from the certificate.

The allowed values are:

  • N — Sectigo will add an additional FQDN for www.<domain> if the certificate was requested for <domain>. If the certificate was requested for www.<domain>, then <domain> will be added as an additional FQDN.

  • Y — An additional FQDN will not be added.

If omitted, the value defaults to N.

ignoreLateOrgDetailsChanges

optional

char

1 char

(OV/EV certificates only) Specifies whether to ignore late changes to organization details. This parameter is applicable only outside of the refund eligibility period.

The allowed values are:

  • Y — Sectigo will ignore the organizationName parameter, the various address parameters (for example, localityName, countryName), and the corresponding Subject fields in csr. The organization name and address from the previous certificate will be used instead.

  • N — Sectigo will use the organizationName parameter, the various address parameters (for example, localityName, countryName), and the corresponding Subject fields in csr, as specified elsewhere in this document.

If omitted, the value defaults to N.

IgnoreMasterAccount

optional

char

1 char

(OV/EV certificates only) Specifies whether to ignore the master account settings.

The allowed values are:

  • Y — Enterprise Authentication for the instant issuance will not be applied to this order.

  • N — Sectigo will apply Enterprise Authentication for the instant issuance to this order. An email requesting confirmation will be sent to the applicant representative.

Enterprise Authentication should be enabled for your account.

If omitted, the value defaults to N.

showValidityPeriod

optional

char

1 char

Specifies whether to show the validity period of the certificate.

The possible values are:

  • Y — Show the validity period.

  • N — Do not show the validity period.

If omitted, the value defaults to N.

organizationIdentifier

optional

char

100 chars

(eIDAS certificates only) The organization identifier or the PSD2 authorization identifier recognized by the National Competent Authority.

Required for QWAC-legal, including for PSD2, Qualified Certificate Profiles. For more information, see organizationIdentifier parameter structure.

For certificates issued under PSD2, this parameter must contain information using the following structure in the presented order:

  • 'PSD' as a three-character legal person identity type reference.

  • The two-character ISO 3166-1 [8] country code representing the NCA country.

  • The hyphen-minus '-' (0x2D (ASCII), U+002D (UTF-8)).

  • 2-8 character NCA identifier without country code, A-Z uppercase only, no separator.

  • The hyphen-minus '-' (0x2D (ASCII), U+002D (UTF-8)).

  • PSP identifier — authorization number as specified by the NCA. There are no restrictions on the characters used.

For example, PSDFI-FINFSA-1234567-8.

For non-PSD2 certificate profiles, this parameter must contain information using the following structure in the presented order:

  • The three-character legal person identity type reference.

  • The two-character ISO 3166 [2] country code.

  • The hyphen-minus '-' (0x2D (ASCII), U+002D (UTF-8)).

  • The identifier, according to the country and identity type reference.

For example, VATBE-0876866142.

semanticsIdentifier

optional

char

100 chars

(eIDAS certificates only) The semantics information for the attributes stored in the subject field related to natural person.

Required for QWAC Natural Qualified Certificate Profiles – product IDs 791, 792.

This parameter must contain information using the following structure in the presented order:

  • The three-character natural person identity type reference.

  • The two-character ISO 3166 [2] country code.

  • The hyphen-minus '-' (0x2D (ASCII), U+002D (UTF-8)).

  • The identifier, according to country and identity type reference.

ncaIdentifier

optional

char

100 chars

(eIDAS certificates only) The abbreviated unique identifier of the National Competent Authority. For more information, see ncaIdentifier parameter structure.

Required for PSD2 Qualified Certificate Profiles with product IDs 788 and 789.

This parameter must contain information using the following structure in the presented order:

  • The two-character ISO 3166-1 [8] country code representing the NCA country.

  • The hyphen-minus '-' (0x2D (ASCII), U+002D (UTF-8)).

  • 2-8 character NCA identifier without country code, A-Z uppercase only, no separator.

accountServicingRole

optional

char

1 char

(eIDAS certificates only) Specifies one of the possible roles of the payment service provider.

Required for PSD2 Qualified Certificate Profiles.

The allowed values are:

  • Y — Assign the role.

  • N — Do not assign the role.

paymentInitiationRole

optional

char

1 char

(eIDAS certificates only) Specifies one of the possible roles of the payment service provider.

Required for PSD2 Qualified Certificate Profiles.

The allowed values are:

  • Y — Assign the role.

  • N — Do not assign the role.

accountInformationRole

optional

char

1 char

(eIDAS certificates only) Specifies one of the possible roles of the payment service provider.

Required for PSD2 Qualified Certificate Profiles.

The allowed values are:

  • Y — Assign the role.

  • N — Do not assign the role.

paymentServiceRole

optional

char

1 char

(eIDAS certificates only) Specifies one of the possible roles of the payment service provider.

Required for PSD2 Qualified Certificate Profiles.

The allowed values are:

  • Y — Assign the role.

  • N — Do not assign the role.

showReplOrderNumber

optional

char

1 char

(Multi-domain SSL certificates only) Specifies whether to show the replacement order number.

The allowed values are:

  • Y — Include the replacement order number.

  • N — Do not include the replacement order number.

If omitted, the value defaults to N.

ncaName

optional

char

100 chars

The name of the National Competent Authority (NCA) in English that registered the payment service provider.

Required for PSD2 Qualified Certificate Profiles.

If the ncaName parameter is omitted, the value is defined automatically based on the given ncaIdentifier. For more information, see ncaIdentifier parameter structure.
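
The organizationIdentifier and ncaIdentifier structures described in the table above can be checked before a request is submitted. This is an added example, not Sectigo's code: the function and type names are hypothetical, and restricting the identity type reference and country code to uppercase letters is an assumption based on the page's examples (PSD, VAT, FI, BE). The comparison of ncaIdentifier against the NCA part of organizationIdentifier is an added sanity check, not a rule stated on this page.

```python
import re
from typing import NamedTuple, Optional

MAX_LEN = 100  # both parameters are limited to 100 chars in the table


class OrgIdentifier(NamedTuple):
    id_type: str            # three-character identity type reference (PSD, VAT, ...)
    country: str            # two-character ISO 3166 country code
    nca_id: Optional[str]   # NCA identifier, present for PSD2 values only
    identifier: str         # PSP authorization number or national identifier


# <type:3><country:2>-<rest>; "." does not match a newline, so a value that
# carries a line break is rejected instead of being passed on.
_ORG_ID = re.compile(r"([A-Z]{3})([A-Z]{2})-(.+)")
_NCA_PART = re.compile(r"[A-Z]{2,8}")
_NCA_ID = re.compile(r"([A-Z]{2})-([A-Z]{2,8})")


def parse_organization_identifier(value: str) -> OrgIdentifier:
    """Split an organizationIdentifier into the parts listed on the page."""
    if len(value) > MAX_LEN:
        raise ValueError("organizationIdentifier exceeds 100 chars")
    match = _ORG_ID.fullmatch(value)
    if match is None:
        raise ValueError("expected <type><country>-<identifier>")
    id_type, country, rest = match.groups()
    if id_type != "PSD":
        return OrgIdentifier(id_type, country, None, rest)
    # PSD2: <NCA id>-<PSP identifier>. Split on the first hyphen only, because
    # the PSP identifier has no character restrictions (the page's own example,
    # 1234567-8, contains a hyphen).
    nca_id, sep, psp_id = rest.partition("-")
    if not sep or not psp_id:
        raise ValueError("PSD2 value is missing the PSP identifier")
    if _NCA_PART.fullmatch(nca_id) is None:
        raise ValueError("NCA identifier must be 2-8 uppercase letters A-Z")
    return OrgIdentifier(id_type, country, nca_id, psp_id)


def parse_nca_identifier(value: str) -> tuple:
    """Return (country, nca_id) for an ncaIdentifier value."""
    if len(value) > MAX_LEN:
        raise ValueError("ncaIdentifier exceeds 100 chars")
    match = _NCA_ID.fullmatch(value)
    if match is None:
        raise ValueError("expected <country>-<NCA id, 2-8 uppercase letters>")
    return match.groups()


def nca_identifier_for(org: OrgIdentifier) -> Optional[str]:
    """ncaIdentifier string built from a PSD2 organizationIdentifier.

    Assumption (not stated on the page): the two parameters should name the
    same NCA, so a mismatch is worth flagging before submission.
    """
    if org.nca_id is None:
        return None
    return f"{org.country}-{org.nca_id}"


if __name__ == "__main__":
    # The two example values are taken from the parameter table.
    for sample in ("PSDFI-FINFSA-1234567-8", "VATBE-0876866142"):
        parsed = parse_organization_identifier(sample)
        print(sample, "->", parsed, "| ncaIdentifier:", nca_identifier_for(parsed))
```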

Sample request

curl --location 'https://secure.trust-provider.com/products/!AutoReplaceSSL' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'loginName=login_name' \
--data-urlencode 'loginPassword=login_password' \
--data-urlencode 'serverSoftware=-1' \
--data-urlencode 'domainNames=test.com,example.com' \
--data-urlencode 'primaryDomainName=test.com' \
--data-urlencode 'prioritiseCSRValues=N' \
--data-urlencode 'organizationName=AppRep Org' \
--data-urlencode 'organizationalUnitName=Legal' \
--data-urlencode 'postOfficeBox=654' \
--data-urlencode 'streetAddress1=5 AppRep St' \
--data-urlencode 'localityName=AppRepville' \
--data-urlencode 'stateOrProvinceName=CA' \
--data-urlencode 'postalCode=54321' \
--data-urlencode 'countryName=US' \
--data-urlencode 'dcvMethod=EMAIL' \
--data-urlencode 'dcvEmailAddress=<DCV email address>' \
--data-urlencode 'dcvEmailAddresses=<DCV email address for test.com>,<DCV email address for example.com>' \
--data-urlencode 'isCustomerValidated=Y' \
--data-urlencode 'showCertificateID=Y' \
--data-urlencode 'orderNumber=1234567890' \
--data-urlencode 'isCallbackCompleted=Y' \
--data-urlencode 'uniqueValue=1234567890qwertyuop' \
--data-urlencode 'csr=-----BEGIN NEW CERTIFICATE REQUEST-----
MIIbWQYJKoZIhvcNAQcCoIIbSjCCG0YCAQExDTALBglghkgBZQMEAgEwDwYJKoZI
hvcNAQcBoAIEAKCCGHEwggzyMIILWqADAgECAhBLVWcU36fkE8Hi/55APse9MA0G
...
Hi4ZaP9ok+JrTdy01WOmCnuAIaOUdM+w3wb+DSNLh9MoqqeM2mBZdC7EGthYeg+O
RhZWrKZng/nCi4Pt0PQrKEFNaMdscl+0rnrQA+U6llop7fmztjhKtOwDR6bQ
-----END NEW CERTIFICATE REQUEST-----'
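
Several rules in the parameter table span more than one parameter: primaryDomainName must be one of domainNames, a magic token must be the only value, per-domain lists are matched to domainNames by position, and isCallbackCompleted=Y requires isAppRepValidated=Y. The following pre-flight check applies them to a request before it is sent. It is an added example, not part of Sectigo's documentation or tooling; the function names and the two request dictionaries are constructed for illustration.

```python
import re

# Token values listed on the page for dcvEmailAddresses and validationTokens.
MAGIC_TOKENS = {"ALLHTTPCSRHASH", "ALLCNAMECSRHASH", "ALLDNSTXTRNDVAL"}
PER_DOMAIN_TOKENS = {"HTTPCSRHASH", "CNAMECSRHASH", "DNSTXTRNDVAL"}


def split_list(value):
    """Split a comma- or whitespace-separated parameter value into items."""
    return [item for item in re.split(r"[,\s]+", value.strip()) if item]


def _check_per_domain(name, raw, domains, allow_email, problems):
    """Apply the magic-token and positional-list rules to one parameter."""
    items = split_list(raw)
    magic = [item for item in items if item in MAGIC_TOKENS]
    if magic:
        # A magic token only works when it is the sole value passed.
        if len(items) > 1:
            problems.append(f"{name}: {magic[0]} must be the only value passed")
        return
    for item in items:
        if item in PER_DOMAIN_TOKENS or (allow_email and "@" in item):
            continue
        problems.append(f"{name}: unexpected entry {item!r}")
    # Entries are matched to domainNames by position, so the counts must agree.
    # Only the count can be checked locally, not which entry fits which name.
    if domains and len(items) != len(domains):
        problems.append(f"{name}: {len(items)} entries for {len(domains)} domain names")


def check_replace_params(params):
    """Return the cross-parameter problems found in a request dict."""
    problems = []
    domains = split_list(params.get("domainNames", ""))
    primary = params.get("primaryDomainName", "")

    # primaryDomainName is a single name taken from domainNames, not a list.
    if primary and domains and primary.lower() not in [d.lower() for d in domains]:
        problems.append("primaryDomainName: must be one of the names in domainNames")
    if params.get("maxSubjectCNs") == "1" and not primary:
        problems.append("maxSubjectCNs=1: primaryDomainName must have a value")

    if "dcvEmailAddresses" in params:
        _check_per_domain("dcvEmailAddresses", params["dcvEmailAddresses"],
                          domains, True, problems)
    if "validationTokens" in params:
        _check_per_domain("validationTokens", params["validationTokens"],
                          domains, False, problems)

    # uniqueValue: alphanumeric, at most 20 chars.
    unique = params.get("uniqueValue")
    if unique is not None and not re.fullmatch(r"[A-Za-z0-9]{1,20}", unique):
        problems.append("uniqueValue: must be alphanumeric, at most 20 chars")

    if params.get("isCallbackCompleted") == "Y" and params.get("isAppRepValidated") != "Y":
        problems.append("isCallbackCompleted=Y: isAppRepValidated=Y must also be specified")
    return problems


# Constructed requests (not real orders): one consistent, one with five faults.
GOOD_REQUEST = {
    "orderNumber": "1234567890",
    "domainNames": "test.com,example.com",
    "primaryDomainName": "test.com",
    "validationTokens": "ALLDNSTXTRNDVAL",
    "uniqueValue": "a1b2c3d4e5",
}
BAD_REQUEST = {
    "orderNumber": "1234567890",
    "domainNames": "test.com example.com www.example.com",
    "primaryDomainName": "test.com,example.com",           # a list, not one name
    "dcvEmailAddresses": "admin@test.com, HTTPCSRHASH",    # 2 entries, 3 domains
    "validationTokens": "ALLHTTPCSRHASH,DNSTXTRNDVAL",     # magic token not alone
    "uniqueValue": "not-alnum!",
    "isCallbackCompleted": "Y",                            # isAppRepValidated missing
}

if __name__ == "__main__":
    for label, request in (("good", GOOD_REQUEST), ("bad", BAD_REQUEST)):
        print(label, check_replace_params(request) or "no problems found")
```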

Response

The request is successful when the server returns a response with a status code equal to 0.

Any status code less than 0 indicates an error condition.

The list of codes and their descriptions can be found in Error codes.

The format of the response depends on the responseFormat value in the request.

Response parameters

Response with responseFormat=0

The MIME type is text/plain for responseFormat=0 (the default).

The first line of the response contains the status code.

If the status code is less than 0, the second line of the response contains a textual description of the error.

If the status code equals 0, the response will be formatted like one of the following:

Line Content Possible Values

Line 1

Status code

The list of codes and their descriptions can be found in Error codes.

Line 2

Expected delivery time

The expected number of hours before the certificate will be reissued:

  • 0 — This order has been automatically validated and the certificate was issued immediately.

The '0' feature has not been implemented yet.

  • 1 — The order has been automatically validated and the certificate will be issued as soon as possible. Usually within one hour.

  • 24 — The order, although marked as validated by the Web Host, is awaiting final approval by an account manager.

  • 48 — The order was not marked as validated by the Web Host and could not be automatically validated by Sectigo. The 48 hours start when Sectigo has received various documents from the end-user.

  • 240 — The order is for an EV Certificate. The validation process generally takes a lot longer for EV, compared to other SSL certificates.

Line 3

SSL certificate ID

The ID can consist of up to 16 digits and it can be returned if showCertificateID=Y.

The internal certificate ID of the SSL certificate generated by this replacement.

If the certificate being replaced was never issued, this ID will be the same as before.

Line 3 or 4

SSL certificate state

The status of the SSL certificate generated by this replacement.

Returned if showCertificateState=Y.

Line 3, 4 or 5

Unique value

A unique alphanumeric value up to 20 characters long.

Returned if a uniqueValue parameter is passed in to this API, or if a uniqueValue has been generated by Sectigo for this order.

Next line

Product term start and end timestamps

The product term start timestamp and product term end timestamp with a space between the dates.

The timestamp is expressed as a UNIX time value.

1052870400 1084406400

Returned if showValidityPeriod=Y.

Next line

SSL replacement order number

The order number of the multi-domain SSL certificate generated by this replacement.

Returned if showReplacedOrderNumber=Y.
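Because the optional lines are positional, the same line number carries a different field depending on what the request asked for. The parser below is an added example, not Sectigo's code: the function name, the keyword names, and the rule that the caller declares which optional lines it expects are assumptions of this example, and the sample body is constructed from the page's example values.

```python
# Constructed sample: status 0, delivery time 1, a certificate ID, validity period.
SAMPLE = "0\n1\n1234567\n1052870400 1084406400\n"

def parse_format0(body, *, certificate_id=False, certificate_state=False,
                  unique_value=False, validity_period=False,
                  replaced_order_number=False):
    """Map a responseFormat=0 body onto named fields.

    Each keyword states whether the caller expects that optional line,
    in the order the response table lists them.
    """
    lines = [ln.strip() for ln in body.strip().splitlines()]
    try:
        status = int(lines[0])
    except (IndexError, ValueError):
        raise ValueError("line 1 is not an integer status code") from None
    if status < 0:
        # Line 2 carries the textual error description.
        return {"status": status, "error": lines[1] if len(lines) > 1 else ""}
    if status != 0:
        raise ValueError(f"unexpected status code {status}")
    expected = ["expected_delivery_time"] + [
        name for name, wanted in (
            ("certificate_id", certificate_id),
            ("certificate_state", certificate_state),
            ("unique_value", unique_value),
            ("validity_period", validity_period),
            ("replaced_order_number", replaced_order_number),
        ) if wanted
    ]
    values = lines[1:]
    # A count mismatch means a line would be read as the wrong field,
    # so refuse to guess rather than shift everything by one.
    if len(values) != len(expected):
        raise ValueError(
            f"expected {len(expected)} lines after the status, got {len(values)}")
    result = dict(zip(expected, values), status=0)
    result["expected_delivery_time"] = int(result["expected_delivery_time"])
    if validity_period:
        start, end = result["validity_period"].split()
        result["validity_period"] = (int(start), int(end))
    return result
```

A uniqueValue line that the caller did not expect surfaces here as a line-count error instead of being read as the validity period.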

Response with responseFormat=1

Most of Sectigo’s newer API endpoints use URL-encoding for responses.

!AutoReplaceSSL can now be instructed to return responses in the same format by specifying responseFormat=1 in the request.

The MIME type is application/x-www-form-urlencoded for responseFormat=1.

The response can contain the following parameters:

Parameter Possible Value

errorCode

An integer specifying the error code.

Always present in the response.

For possible values, see Error codes.

errorMessage

A string specifying the error message.

This parameter is absent when errorCode=0.

expectedDeliveryTime

The expected number of hours before this order will be completed.

The possible values are:

  • 0

  • 1

  • 24

  • 48

  • 240

This parameter is only present when errorCode=0.

certificateID

The internal certificate ID of the SSL certificate generated by this replacement.

This parameter is only present when showCertificateID=Y and errorCode=0.

certificateStatus

The status of the SSL certificate generated by this replacement.

This parameter is only present when showCertificateState=Y and errorCode=0.

uniqueValue

A unique alphanumeric value up to 20 characters long.

Returned if the uniqueValue parameter was passed in to this API endpoint, or if the uniqueValue has been generated by Sectigo for this order.

productTermStartDate

The timestamp when the product term has started.

It is expressed as a UNIX time value.

This parameter is only present when showValidityPeriod=Y.

productTermEndDate

The timestamp when the product term will end.

It is expressed as a UNIX time value.

This parameter is only present when showValidityPeriod=Y.

productTermDuration

The product duration, in days.

This parameter is only present when showValidityPeriod=Y.

replOrderNumber

The order number of the multi-domain SSL certificate generated by this replacement.

This parameter is only present when showReplOrderNumber=Y and errorCode=0.

Sample success response

errorCode=0&expectedDeliveryTime=48

Sample error response

errorCode=-4&errorMessage=The+value+of+the+%27uniqueValue%27+argument+is+invalid%21
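A client handling responseFormat=1 should treat a body without a valid errorCode as a failure, never as a success. The parser below is an added example, not Sectigo's code: the function, exception and category names are assumptions of this example, while the parameter names, delivery-time values and error codes are the ones this page lists.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs

# Codes come from the page's Error codes table; the category labels are
# this example's own, chosen so alerts can be routed by kind of failure.
CATEGORIES = {-16: "authentication", -40: "compromised-key",
              -12: "bad-csr-signature", -26: "retry-later"}
DELIVERY_HOURS = {0, 1, 24, 48, 240}

class ReplaceError(Exception):
    def __init__(self, code, message):
        super().__init__(f"{code}: {message}")
        self.code, self.message = code, message
        self.category = CATEGORIES.get(code, "other")

def parse_format1(body):
    """Parse a responseFormat=1 body; malformed input raises ValueError."""
    fields = parse_qs(body.strip(), keep_blank_values=True)
    if any(len(values) != 1 for values in fields.values()):
        raise ValueError("repeated parameter in response")
    flat = {key: values[0] for key, values in fields.items()}
    try:
        code = int(flat["errorCode"])
    except (KeyError, ValueError):
        raise ValueError("errorCode missing or not an integer") from None
    if code != 0:
        raise ReplaceError(code, flat.get("errorMessage", ""))
    hours = int(flat.get("expectedDeliveryTime", ""))  # ValueError if absent
    if hours not in DELIVERY_HOURS:
        raise ValueError(f"unexpected expectedDeliveryTime {hours}")
    result = {"expectedDeliveryTime": hours}
    for key in ("certificateID", "certificateStatus", "uniqueValue",
                "replOrderNumber", "productTermDuration"):
        if key in flat:
            result[key] = flat[key]
    # UNIX timestamps become timezone-aware UTC datetimes.
    for key in ("productTermStartDate", "productTermEndDate"):
        if key in flat:
            result[key] = datetime.fromtimestamp(int(flat[key]), tz=timezone.utc)
    return result
```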

Error codes

The following table outlines error responses returned by the AutoReplaceSSL API endpoint. Each error response consists of an errorCode and an errorMessage indicating why the request failed.

Error Code Error Message Description

-1

Request was not made over https!

The request must use the HTTPS protocol.

-2

Unrecognised argument!

The provided argument is not recognized.

-3

The 'xxxx' argument is missing!

The required argument is missing from the request.

-4

The value of the 'xxxx' argument is invalid!

The argument value does not meet validation requirements.

-5

The CSR’s Common Name may NOT contain a wildcard!

The Common Name in the certificate signing request (CSR) must not include a wildcard character.

-6

The CSR’s Common Name MUST contain ONE wildcard!

The Common Name in the CSR must include exactly one wildcard character.

-7

'xx' is not a valid ISO-3166 country!

The specified country code is not valid according to the ISO-3166 standard.

-8

The CSR is missing a required field!

The CSR does not include all required fields.

-9

The CSR is not valid Base-64 data!

The CSR must be encoded in valid Base-64 format.

-10

The CSR cannot be decoded!

The CSR could not be decoded properly.

-11

The CSR uses an unsupported algorithm!

The CSR’s algorithm is not supported.

-12

The CSR has an invalid signature!

The signature on the CSR is invalid.

-13

The CSR uses an unsupported key size!

The key size in the CSR is not supported.

-14

An unknown error occurred!

An unknown error occurred.

-15

Not enough credit!

The account does not have sufficient credit.

-16

Incorrect login details, account is locked, password has expired or your source IP is blocked.

Authentication has failed due to one of the specified reasons.

Verify your login credentials or check account restrictions.

-17

Request used GET rather than POST!

The request method should be POST.

-18

The Intranet Server Name may not be a Fully-Qualified Domain Name!

Domain names must not be fully qualified domain names (FQDNs).

-19

The Intranet Server Name may not be an Internet-accessible IP Address!

Domain names must not be Internet-accessible IP addresses.

-26

The certificate is currently being issued!

The certificate is in the process of being issued and cannot be replaced at this time.

-36

The certificate has already expired!

The certificate cannot be replaced because it has expired.

-40

The CSR uses a key that is believed to have been compromised!

The CSR’s key is on the compromised key list.

-55

This Request Token is not unique!

The provided request token has already been used.

-83

'xxxx' is not applicable to this order!

The specified argument is not applicable for the current order.

-90

Permission denied for using “voucher” with 'xxxx'

The user does not have permission to use a voucher with the specified context.

-91

Permission denied 'xxxx'

The user does not have permission for the specified context.

-120

"Role" arguments are missing for PSD2 certificate type!

The required role arguments for PSD2 certificate type are missing.

-121

"TAX" value is deprecated. The value "TIN" should be used instead'

Semantic error. TAX is no longer a valid value; use TIN instead.

-121

Wrong format of 'xxxx' identifier.

Semantic error. The format of the provided identifier is incorrect.

-121

Wrong country code value in 'xxxx' identifier.

Semantic error. The country code in the provided identifier is incorrect.