AutoApplyOrder
This is the main API for requesting certificates. To it you will pass your login credentials (either a username/password pair, or via a client-authentication certificate) and a CSR. In addition, you will pass a series of other parameters to determine the certificate type, duration, domain names in the certificate, and the information requested within the certificate. You will also pass details of the DCV (Domain Control Validation) process to confirm control over the domain the certificate is requested for.
(https://sectigo.com/uploads/audio/AutoApplyOrder-3.0.pdf)
Notes
AutoApplyOrder has a lot of parameters, though of course not all are required. A simple DV certificate request can be completed with a smaller number of required parameters than, say, an EV certificate request.
At a minimum, you’ll need to pass:
• Authentication
• Product type and duration
• Server software
• CSR
• DCV
• isCustomerValidated (see below)
isCustomerValidated should always be set to ‘N’, unless you’re advised otherwise by Sectigo.
serverSoftware is largely for our own support purposes, and has no effect on the certificate itself. Using ‘-1’ for all requests is acceptable, as the format you receive the signed certificate in can be controlled with the CollectSSL API, or manipulated with other tools.
The days parameter should be used in preference over years. This also allows for some additional flexibility in that a certificate can be requested with additional ‘free’ days – which can be used to incentivise customers to renew certificates ahead of time, or to allow co-ordination of expiry dates.
Generally partners can apply up to 90 additional days. Please contact your Sectigo Account Manager for further information.
The test parameter must be enabled explicitly on your account – your Sectigo Account Manager can do so. Test orders are not billed to your account, and are signed from a non-trusted CA chain. They also do not appear visible to Validation staff, so testing OV and EV orders will not automatically mean they are validated and issued.
CSR contents can be ‘overridden’ by specifying names or Subject address information as separate parameters. Be sure to use the ‘prioritiseCSRValues’ parameter correctly in this case.
For multi-domain/UCC certificates, the CSR does not have to contain the additional domain names. Of course if the generating software can do so, that will work – but as the additional names can be specified in the ‘domainNames’ and ‘primaryDomainName’ parameters, the CSR could contain only a single name and still be used to request a multi-domain certificate.
If you are planning to use email-based DCV, please read the documents on the DCV process later in this document.
Using email addresses that appear on WHOIS records mean that you must call the ‘GetDCVEmailAddressList’ parameter at most 24 hours before making the AutoApplyOrder call. This is so our system can perform, scrape and cache a WHOIS lookup for the domain name and determine if your email address for DCV is acceptable.