Request

Endpoint: CollectSSL

https://secure.trust-provider.com/products/download/CollectSSL

Use the POST method for this endpoint.

Submit parameters in the x-www-form-urlencoded format.

Do not make multiple concurrent calls to the CollectSSL endpoint.

Request parameters

The following table displays the required, optional, and conditional parameters.

Parameter Requirement Type Max.Length Description

loginName

required

string

64 chars

Your account username.

This value is case sensitive.

loginPassword

required

string

128 chars

Your account password.

This value is case sensitive.

orderNumber

optional

sting

128 chars

The order number previously returned to your account (for example, from the AutoApplySSL call).

certificateID

optional

integer

16 digits

The certificate ID previously returned by AutoApplySSL or AutoReplaceSSL or AutoApplyOrder.

baseOrderNumber

optional

integer

The base order number previously returned to the account.

queryType

required

integer

Specifies the type of query.

The possible values are:

  • 0 — Return status only.

  • 1 — Return status, certificate data, and intermediates/roots if ready for collection.

  • 2 — Return status and certificate only (no intermediates/roots) (crt).

  • 3 — Return status and intermediates/roots only (cabundle).

responseType

optional

integer

Specifies the format of the returned certificate data.

The possible values are:

  • 0 — ZIP archive. queryType must be 1.

  • 1 — Netscape Certificate Sequence. queryType must be 1.

  • 2 — PKCS7. queryType must be 1.

  • 3 — Individually encoded.

responseEncoding

optional

integer

Specifies the encoding of the returned certificate data.

The possible values are:

  • 0 — Base64-encoded.

  • 1 — Binary encoded. queryType must be 1 and responseType must be 0 or 2.

showValidityPeriod

optional

char

1 char

Specifies the validity period of the certificate.

The possible values are:

  • Y — Show the validity period.

  • N — Do not show the validity period.

If omitted, the value defaults to N.

showFQDN

optional

char

1 char

Specifies whether to show the fully qualified domain name (FQDN).

The possible values are:

  • Y — Show the fully qualified domain name.

  • N — Do not show the fully qualified domain name.

If omitted, the value defaults to N.

showExtStatus

optional

char

1 char

Specifies whether to include the certificate and validation statuses.

The possible values are:

  • Y — Include the certificate and validation statuses.

  • N — Do not include the certificate and validation statuses.

If omitted, the value defaults to N.

responseFormat

optional

char

1 char

Specifies the format of the response.

The possible values are:

  • 0 — Newline-delimited parameters.

  • 1 — URL-encoded parameters.

If omitted, the value defaults to 0.

Relevant when responseEncoding=0.

showMDCDomainDetails

optional

char

1 char

Specifies whether to include the paired information of domain name and DCV validation status.

The possible values are:

  • Y — Include the paired information of domain name and DCV validation status.

  • N — Do not include the paired information of domain name and DCV validation status.

If omitted, the value defaults to N.

Applicable for multi domain certificates.

showMDCDomainDetails2

optional

char

1 char

Specifies whether to include the paired list of domains and their DCV statuses, including domains awaiting brand validation status

The possible values are:

  • Y — Include the paired list of domains and their DCV statuses including domains awaiting brand validation status.

  • N — Do not include the paired list of domains and their DCV statuses including domain awaiting brand validation status.

If omitted, the value defaults to N.

Applicable for multi domain certificates.

showStatusDetails

optional

char

1 char

Specifies whether to include status details in the report.

The possible values are:

  • Y — Include the status details.

  • N — Do not include the status details.

If omitted, the value defaults to N.

behaviourVersion

optional

integer

Specifies the version of behavior for handling replaced certificates.

The possible values are:

  • 0 — The old version.

  • 1 — The new version with the new error code for the replaced state.

Sample request

curl --location 'https://secure.trust-provider.com/products/download/CollectSSL' \
--data-urlencode 'loginName=login_name' \
--data-urlencode 'loginPassword=login_password' \
--data-urlencode 'orderNumber=order_number' \
--data-urlencode 'queryType=0' \
--data-urlencode 'showStatusDetails=Y' \
--data-urlencode 'responseType=3' \
--data-urlencode 'responseFormat=1' \
--data-urlencode 'showExtStatus=Y' \
--data-urlencode 'showValidityPeriod=Y'

Response

The request is successful when the server returns a response with the status code is greater than or equal to 0:

  • 2 — Certificates attached.

  • 1 — Certificates available.

  • 0 — Being processed by Sectigo.

Any status code less than 0 indicates an error condition.

The list of codes and their descriptions can be found in Error codes.

The response format depends on the value of the responseFormat parameter in the request.

The response can be in the following formats:

  • Newline-delimited parameters.

  • URL-encoded parameters.

Newline-delimited parameters response format

The MIME type will be text/plain, if the responseFormat=0 (by default).

The first line of the response represents the status code.

If the status code is less than 0, the second line is a textual representation of an error message.

If the status code is greater than 0 and showValidityPeriod=Y, the second line is the certificate validity period in the format not before DD/MM/YYYY and not after DD/MM/YYYY with a space between the dates.

14/05/2013 13/05/2014

Certificates issued by Sectigo always have a 'not before' time of 00:00:00 GMT and a 'not after' time of 23:59:59 GMT.

If the status code equals 0 and showFQDN=Y, the response contains the fully qualified domain name of the SSL certificate.

If the status code equals 2, the response contains the encoded certificate(s):

----- BEGIN CERTIFICATE -----
Encoded Root Certificate
----- END CERTIFICATE -----
----- BEGIN CERTIFICATE -----
Encoded Intermediate Certificate
----- END CERTIFICATE -----
----- BEGIN CERTIFICATE -----
Encoded End Entity Certificate
---- END CERTIFICATE -----

If the request has showExtStatus=Y parameter, the response contains the certificate status and the validation status.

The possible values for the certificate status are:

  • Awaiting Validation.

  • Issued.

  • Revoked.

  • NO STATUS.

The possible values for the validation status are:

  • Complete.

  • Awaiting Legal Documents.

  • Awaiting Document Translation.

  • Awaiting private WHOIS entry release.

  • Awaiting Brand Validation.

If the status code equals 0 and showMDCDomainDetails=Y, the response contains the MDC domain details in the format domain name and DCV valid status with a space between them. The values are comma-separated.

domain1.com VALIDATED, domain2.com NOTVALIDATED

Response parameters

If the request has showStatusDetails=Y parameter, the response contains the following information:

Parameter Possible Value

csrStatus

  • -1 = Not required.

  • 0 = Not completed.

  • 1 = Completed.

  • 2 = In progress.

dcvStatus

  • -1 = Not required.

  • 0 = Not completed.

  • 1 = Completed.

  • 2 = In progress.

ovCallbackStatus

  • -1 = Not required.

  • 0 = Not completed.

  • 1 = Completed.

  • 2 = In progress.

organizationValidationStatus

  • -1 = Not required.

  • 0 = Not completed.

  • 1 = Completed.

  • 2 = In progress.

freeDVUPStatus

  • -1 = Not applicable.

  • 0 = Not completed.

  • 1 = Completed.

  • 2 = In progress.

evClickThroughStatus

  • -1 = Not applicable.

  • 0 = Not completed.

  • 1 = Completed.

  • 2 = In progress.

brandValStatus

  • -1 = Not applicable.

  • 1 = Completed.

  • 2 = In progress.

evLegalExistence

  • -1 = Irrelevant.

  • 0 = Not completed.

  • 1 = Completed.

evAssumedName

  • -1 = Irrelevant.

  • 0 = Not completed.

  • 1 = Completed.

evPhysicalExistence

  • -1 = Irrelevant.

  • 0 = Not completed.

  • 1 = Completed.

evOperationalExistence

  • -1 = Irrelevant.

  • 0 = Not completed.

  • 1 = Completed.

evSignerApproverRequester

  • -1 = Irrelevant.

  • 0 = Not completed.

  • 1 = Completed.

evSignerSecondApproval

  • -1 = Irrelevant.

  • 0 = Not completed.

  • 1 = Completed.

maStatus

  • -1 = Not required. For example, no matching record found for the Enterprise Authentication for Instant Issuance to apply.

  • 0 = Not completed. For example, no confirmation followed to apply the matching record for Enterprise Authentication for Instant Issuance and manual organization validation has started.

  • 1 = Completed. For example, the organization has been automatically validated through Enterprise Authentication for Instant Issuance.

  • 2 = In progress. For example, the matching record for Enterprise Authentication for Instant Issuance has been found and the request for its confirmation is awaiting the customer’s action to apply.

  • 3 = Rejected. For example, the request for confirmation to apply the matching record for the Enterprise Authentication for Instant Issuance has been rejected).

If the status code = 0 and showMDCDomainDetails2=Y, the response contains the MDC domain details in the format domain name and DCV valid status with a space between them. The values are comma-separated.

domain1.com VALIDATED, domain2.com NOTVALIDATED

If CAA Check status is not empty, the response can contain the following values for this parameter:

  • Authorized.

  • Not Authorized.

  • Unrecognized Critical Tag.

  • Empty.

  • Malformed Response.

  • Timeout.

  • ERROR.

  • Awaiting Completion.

  • Error xxx (numeric value of CAA Check status).

If the status code > 0 and showValidityPeriod=Y, the response includes the timestamp of the product term start and the product term separated with space.

The timestamp is expressed as a UNIX time value.

The following example illustrates the timestamp between 29/10/2025 and 29/10/2026.

1761696000 1793232000

URL-encoded parameters response format

Most of Sectigo’s newer APIs always use URL-encoding for responses.

CollectSSL can be instructed to return responses in the same format, simply by specifying responseFormat=1 in the request.

The MIME type will be application/x-www-form-urlencoded, if the responseFormat=1.

The list of response parameters are outlined in the following table.

Parameter Description

errorCode

A numeric code that identifies the type of the error.

The parameter is an integer.

For more information, see Error codes.

errorMessage

A description of the error.

The parameter is a string.

This parameter is not present when errorCode >= 0.

notBefore

The timestamp indicates when the certificate became valid. It is expressed as a UNIX time value.

This parameter is only present when showValidityPeriod=Y.

notAfter

The timestamp indicates when the certificate will become invalid. It is expressed as a UNIX time value.

This parameter is only present when showValidityPeriod=Y.

certificateDuration

The certificate duration in days.

This parameter is only present when showValidityPeriod=Y.

productTermStartDate

The timestamp indicates when the product term began. It is expressed as a UNIX time value.

This parameter is only present when showValidityPeriod=Y.

productTermEndDate

The timestamp indicates when the product term will end. It is expressed as a UNIX time value.

This parameter is only present when showValidityPeriod=Y.

productTermDuration

The product duration in days.

This parameter is only present when showValidityPeriod=Y.

fqdn

The fully qualified domain name of this SSL certificate.

This parameter is only present when showFQDN=Y.

zipFile

Base64-encoded and then URL-encoded ZIP file.

This parameter is only present when responseType=0.

netscapeCertificateSequence

Base64-encoded and then URL-encoded Netscape Certificate Sequence.

This parameter is only present when responseType=1.

pkcs7

Base64-encoded and then URL-encoded PKCS#7.

This parameter is only present when responseType=2.

caCertificate

Base64-encoded and then URL-encoded CA Certificate.

This parameter is only present when responseType=3.

This parameter will appear multiple times –- once for each CA Certificate in the certificate chain.

certificate

Base64-encoded and then URL-encoded End-entity Certificate.

This parameter is only present when responseType=3 and queryType is equal 1 or 2.

certificateStatus

A string describing the current status of the certificate.

validationStatus

A string describing the current validation status of the order or account.

mdcDomainDetails

A URL-encoded string containing the paired information of domain name and DCV Validation Status.

This parameter is only present when the status code = 0 and showMDCDomainDetails=Y.

mdcDomainDetails2

A URL-encoded string containing the paired information of domain name and DCV Validation Status.

This parameter is only present when the status Code = 0 and showMDCDomainDetails2=Y.

csrStatus

The CSR status of the certificate.

The possible values are:

  • -1 = Not required.

  • 0 = Not completed.

  • 1 = Completed.

  • 2 = In progress.

This parameter is only present when showStatusDetails=Y.

dcvStatus

The DCV status of the certificate.

The possible values are:

  • -1 = Not required.

  • 0 = Not completed.

  • 1 = Completed.

  • 2 = In progress.

This parameter is only present when showStatusDetails=Y.

ovCallBackStatus

The OV callback status of the account.

The possible values are:

  • -1 = Not applicable.

  • 0 = Not completed.

  • 1 = Completed.

  • 2 = In progress.

This parameter is only present when showStatusDetails=Y.

organizationValidationStatus

A string describing the current status of account validation (OV).

The possible values are:

  • -1 = Not applicable.

  • 0 = Not completed.

  • 1 = Completed.

  • 2 = In progress.

This parameter is only present when showStatusDetails=Y.

freeDVUPStatus

The status of Free DV Upgrade.

The possible values are:

  • -1 = Not applicable.

  • 0 = Not completed.

  • 1 = Completed.

  • 2 = In progress.

This parameter is only present when showStatusDetails=Y.

evClickThroughStatus

The status of EV ClickThrough Acceptance.

The possible values are:

  • -1 = Not applicable.

  • 0 = Not completed.

  • 1 = Completed.

  • 2 = In progress.

This parameter is only present when showStatusDetails=Y.

brandValStatus

The brand validation status.

The possible values are:

  • -1 = Not applicable.

  • 1 = Completed.

  • 2 = In progress.

This parameter is only present when showStatusDetails=Y.

caaStatus

A string describing the CAA Check status.

The possible values are:

  • Authorized.

  • Not Authorized.

  • Unrecognized Critical Tag.

  • Empty.

  • Malformed Response.

  • Timeout.

  • ERROR.

  • Awaiting Completion.

  • Error xxx. The numeric value of CAA Check status.

Sample success response

errorCode=0&certificateDuration=720&productTermDuration=720&certificateStatus=Awaiting+Validation+%28Full%29&csrStatus=1&dcvStatus=0&freeDVUPStatus=-1&brandValStatus=-1&ovCallbackStatus=0&organizationValidationStatus=2&maStatus=0

Sample error response

-16
Incorrect login details, account is locked, password has expired or your source IP is blocked.

Error codes

The following table outlines error responses returned by the CollectSSL API endpoint. Each error response consists of an errorCode and an errorMessage indicating why the request failed.

Error Code Error Message Description

-1

Request was not made over https!

The request must use HTTPS protocol.

-2

Unrecognised argument!

The provided argument is not recognized.

-3

The 'xxxx' argument is missing!

The required argument is missing from the request.

-4

The value of the 'xxxx' argument is invalid!

The provided value for the 'xxxx' argument is invalid.

-14

An unknown error occurred!

An unknown error occurred.

-16

Incorrect login details, account is locked, password has expired or your source IP is blocked.

Authentication has failed due to one of the specified reasons.

Verify your login credentials or check account restrictions.

-17

Request used GET rather than POST!

The request method should be POST.

-20

The certificate request has been rejected!

The requested certificate is in the rejected state.

-21

The certificate has been revoked!

The requested certificate is in the revoked state.

-22

Still awaiting payment!

The payment for the order is still pending.

-90

Permission denied for using “voucher” with ‘xxxx’

The user does not have permission to use the voucher with the specified parameter.

-91

Permission Denied. Not allowed to use the AUTO-Apply service.

The user does have the permission to perform the specified action.