
AutoApplyOrder-3 0

The AutoApplyOrder API allows partners to easily request multiple Sectigo products, including SSL certificates, web security products, code signing, and PCI compliance products through a single API. The API is backward compatible with the existing AutoApplySSL API. It reduces integration time and makes ordering Sectigo products simpler than ever before. The API documentation provides details on request parameters, response formats, example calls, and information on the push notification service.


AutoApplyOrder API

Version 3.0
2020
https://secure.trust-provider.com/products/!AutoApplyOrder

One API for Multiple Products – Sectigo Product Integration has never been easier
Our new single API, AutoApplyOrder, handles order requests not only for our wide range of legacy SSL certificates, but also for newer products such as Sectigo Web Security Platform, SectigoSSL Pro, Premium and Enterprise SSL certificates, CodeGuard Website Backup & Restore, HackerGuardian PCI Compliance and the rest of our product portfolio. This single API reduces Product Integration efforts for our Partners from weeks or months to hours or even minutes. It has never been easier.

For existing Sectigo Partners


AutoApplyOrder is fully backward-compatible with AutoApplySSL, accepting all the same parameters and able to request all the same certificates.
Changing to AutoApplyOrder is a simple case of changing the API endpoint URL – all the parameters, values and authentication remain the same, and you now
have the capability to request a range of new Sectigo products with simple, minor changes to the API call.

For assistance with this or any API please contact: [email protected]

Version History
2.0. Added: Support of license products and bundling options by adding CodeGuard and HackerGuardian to AutoApplyOrder
     Various modifications and simplifications of some parameters and values
     Added a contents section and sections covering examples, push notification
     Version history prior to 2.0 was removed – please refer to AutoApplySSL API documentation for historical version information
2.3. Added: Status Code for HackerGuardian and CodeGuard.
     Required Request Parameters for HackerGuardian and CodeGuard.
2.4. Added: AutoRefund for Single and Wildcard SSL Certificates.
     Error codes -54 and -69.
     Error codes -70, -71.
2.5. Added: Document Signing Certificates (released 30-Sep-2019)
     Multi-year subscription certificates
2.6. Update: List of required parameters for HackerProof
2.7. Update: List of required parameters for eToken Cost / Shipping Cost
2.8. Update: Added errorCode -47
2.9. Update: Section 8 added that describes the capability for getting information on SSL/TLS Certificates order status through API.
3.0. Update: Added New SectigoWeb Product Packages & new SectigoSSL Pro/Premium/Enterprise Certificate Products

Contents
1. API request parameters
2. API response (when return format is newline-separated - default)
3. API response (when return format is URL-encoded)
4. Parameters for new products available with AutoApplyOrder API
5. Example API calls
6. Push/webhook notification service information
7. Parameters for refunding SSL/TLS Certificates

1. Request
Required variables are in bold.
Optional variables are in italics.

Each parameter is listed with these fields: Variable Name (case insensitive), Type, Max. Length, Allowed Values, Description.
loginName
  Type: string. Max. Length: 64 chars.
  Description: Account Username (case sensitive)

loginPassword
  Type: string. Max. Length: 128 chars.
  Description: Account Password (case sensitive)

product
  Type: string. Max. Length: 64 chars.
  Description: Product(s) required
  Allowed Values: This parameter is a comma-separated string of integers. There MUST be exactly ONE of the following certificate values specified:

PositiveSSL:
291 = PositiveSSL Trial DV (30 day)
287 = PositiveSSL DV
289 = PositiveSSL Wildcard DV
279 = PositiveSSL Multi-Domain DV
556 = PositiveSSL EV
557 = PositiveSSL EV Multi-Domain
InstantSSL:
330 = InstantSSL DV
331 = InstantSSL Wildcard DV
7 = InstantSSL OV
35 = InstantSSL OV Wildcard
361 = InstantSSL UCC OV
567 = InstantSSL EV
568 = InstantSSL EV Multi-Domain

SectigoSSL:
488 = SectigoSSL DV
489 = SectigoSSL Wildcard DV
492 = SectigoSSL UCC DV
316 = SectigoSSL OV
322 = SectigoSSL OV Wildcard
583 = SectigoSSL OV Multi Domain
337 = SectigoSSL EV
410 = SectigoSSL EV Multi-Domain EV

SectigoSSL Pro:
720 = SectigoSSL Pro Trial DV
721 = SectigoSSL Pro DV
722 = SectigoSSL Pro Wildcard DV
723 = SectigoSSL Pro Multi-Domain DV
726 = SectigoSSL Pro OV
727 = SectigoSSL Pro OV Wildcard
728 = SectigoSSL Pro OV Multi-Domain
731 = SectigoSSL Pro EV
732 = SectigoSSL Pro EV Multi-Domain

SectigoSSL Premium:
734 = SectigoSSL Premium Trial DV
735 = SectigoSSL Premium DV
736 = SectigoSSL Premium Wildcard DV
737 = SectigoSSL Premium Multi-Domain DV
740 = SectigoSSL Premium OV
741 = SectigoSSL Premium OV Wildcard
742 = SectigoSSL Premium OV Multi-Domain
745 = SectigoSSL Premium EV
746 = SectigoSSL Premium EV Multi-Domain

Sectigo EnterpriseSSL:
748 = SectigoSSL Enterprise Trial DV
749 = SectigoSSL Enterprise DV
750 = SectigoSSL Enterprise Wildcard DV
751 = SectigoSSL Enterprise Multi-Domain DV
63 = SectigoSSL EnterpriseSSL OV
64 = SectigoSSL EnterpriseSSL Pro OV
65 = SectigoSSL EnterpriseSSL Pro Wildcard OV
335 = SectigoSSL EnterpriseSSL Pro Multi-Domain OV
562 = SectigoSSL EnterpriseSSL Pro EV
563 = SectigoSSL EnterpriseSSL Pro EV Multi-Domain

Sectigo Web Security Product:


1000 = Sectigo Web Monitor
1001 = Sectigo Web Remediate
1002 = Sectigo Web Perform
1003 = Sectigo Web Complete

TrustLogo
36 = EV or OV TrustLogo
Add this value to any OV or EV product code, separated by a comma, such as:
316,36 to include a Trustlogo on a ‘SectigoSSL OV’ certificate.

CodeGuard Products:
700 = CodeGuard (Personal)
701 = CodeGuard (Professional)
702 = CodeGuard (Company)
703 = CodeGuard (Small Business)

HackerGuardian Products (Pairs):


341 = HackerGuardian Free PCI Scanning Service (45 days)
586,587 = HackerGuardian Lite (Retail Only)
346,329 = HackerGuardian Standard
349,259 = HackerGuardian Enterprise
357 = HackerGuardian HackerProof

HackerGuardian Additional IP pack for all HG packages:


356 = HackerGuardian Additional IP Addresses Pack

Document Signing:
706 = Sectigo Document Signing Certificate (Organization)

eToken for Document Signing Certificates:


577 = eToken Cost
163 = eToken Shipping Cost

Add these values to any Document Signing product code, separated by a comma, such as: 706,577,163 to include the eToken and eToken shipping for a ‘Document Signing’ certificate.

days
  Type: integer.
  Description: Validity Period (in days)
  Allowed Values: For certificate products: 30, 90, 365, 730
  Note: the ‘years’ parameter is deprecated in favour of ‘days’.

  Multi-Year / SubscriptionSSL
  Sectigo now allows purchase of a certificate bundle for multiple years. 3, 4 and 5 year certificate bundles can be ordered by setting the ‘days’ parameter to 1095, 1461 or 1826 respectively.
  Note that the certificate itself will be issued with the maximum lifetime allowed under industry guidelines. The certificate can be reissued (using the AutoReplaceSSL API) and the expiry date of the certificate will be increased each time, for the duration of the order.
serverSoftware
  Type: integer.
  Allowed Values:
    2 = Apache
    10 = Java-based servers
    14 = Microsoft IIS 5.x to 6.x
    35 = Microsoft IIS 7.x and later
    36 = nginx
    18 = Oracle
    30 = Plesk
    31 = WHM/cPanel
    -1 = OTHER
  Note: This parameter does not directly affect the certificate content. Please use ‘-1’ as the default option.
domainNames (only relevant for Multi-Domain SSL Certificates and Unified Communications Certificates)
  Type: string. Max. Length: 32767 chars.
  Description: List of Domain Names
  Allowed Values: A comma-separated (or whitespace-separated) list of Domain Names / IP Addresses to be placed into the EV Multi-Domain SSL Certificate, Multi-Domain SSL Certificate or Unified Communications Certificate.
  If the CSR's Subject Alternative Name extension...
    i) includes 1 or more Domain Names, and this “domainNames” parameter is omitted, then the Domain Names from the CSR will be used.
    ii) includes 1 or more Domain Names, and this “domainNames” parameter is specified, then the Domain Names from the CSR will be ignored.
    iii) is not present, or is present but includes 0 Domain Names, then this “domainNames” parameter must be present.
  NOTE: commas and/or whitespace may need to be manually URL-encoded (e.g. %2C for a comma), depending on whether or not the calling environment does this automatically.

primaryDomainName (only relevant for Multi-Domain SSL Certificates and Unified Communications Certificates)
  Type: string. Max. Length: 64 chars.
  Description: Primary Domain Name
  Allowed Values: One of the Domain Names listed in “domainNames”, which should appear as the first Common Name in the Subject DN of the resulting EV Multi-Domain SSL Certificate, Multi-Domain SSL Certificate or Unified Communications Certificate.
  For Multi-Domain Certificates: If this parameter is omitted, the Common Names will be listed in alphabetical order within the certificate.
  For Unified Communications Certificates: If this parameter is omitted, then the value of the CSR's Common Name will be used as the primary domain name instead.

maxSubjectCNs (optional for Multi-Domain SSL Certificates; ignored for all other certificate types)
  Type: integer.
  Description: Number of CNs
  Allowed Values:
    If omitted, all of the Domain Names listed in “domainNames” will be included as Common Names in the Subject DN of the resulting EV Multi-Domain SSL Certificate or Multi-Domain SSL Certificate.
    If 1, there will only be 1 Common Name in the resulting certificate. This will have the value provided by “primaryDomainName” (so, in this case, “primaryDomainName” must have a value).
    If 0, no Common Names will be included in the resulting certificate.
  Note that all of the Domain Names listed in “domainNames” will always be included as dnsName components of the Subject Alternative Name extension in the resulting Multi-Domain SSL Certificate or EV Multi-Domain SSL Certificate.
  This parameter need not be specified for Unified Communications Certificates, since UCCs always have “maxSubjectCNs” set to 1.
csr
  Type: string. Max. Length: 32767 chars.
  Description: Certificate Signing Request (Base-64 encoded, with or without the -----BEGIN xxxxx----- and -----END xxxxx----- header and footer)
  Allowed Values:
    Version: 0
    Subject:
      The fields may be in any order (although multiple street addresses, if present, should be in the correct order).
      MUST include these fields:
      MAY include these fields:
      Note: DirectoryString is a choice of PrintableString, TeletexString, BMPString, UniversalString (ASCII only) or UTF8String.
      Any other fields MAY be present but will be ignored.
    Subject Public Key Info:
      RSA: OID = rsaEncryption (PKCS#1); Size = 2048 to 8192 bits.
      ECC: OID = id-ecPublicKey (RFC3279); Curve = P-256, P-384 or P-521.
    Attributes:
      Any attributes MAY be present but will be ignored.
    Signature Algorithm:
      md5WithRSAEncryption (PKCS#1)
      or sha1WithRSAEncryption (PKCS#1)
      or sha224WithRSAEncryption (PKCS#1)
      or sha256WithRSAEncryption (PKCS#1)
      or sha384WithRSAEncryption (PKCS#1)
      or sha512WithRSAEncryption (PKCS#1)
      or ecdsa-with-SHA1 (RFC3279)
      or ecdsa-with-SHA224 (RFC5758)
      or ecdsa-with-SHA256 (RFC5758)
      or ecdsa-with-SHA384 (RFC5758)
      or ecdsa-with-SHA512 (RFC5758)

  For the HTTP_CSR_HASH and CNAME_CSR_HASH dcvMethods we have introduced support for Request Tokens as defined in the CABF Baseline Requirements (version 1.4.1 or later) and in the manner described in Sectigo’s ‘Domain Control Validation’ document (version 1.09 or later).

  From 20th July 2017, the use of unique Request Tokens, the new /.well-known/pki-validation path, and the underscore prepended to the NAME for the CNAME will be required for the HTTP_CSR_HASH and CNAME_CSR_HASH dcvMethods.

  Request tokens may be ensured to be unique by:
    1) Generating a new CSR each time;
    2) Providing a previously used CSR and omitting the uniqueValue. Sectigo will generate a uniqueValue and this will be returned; or
    3) Passing in the uniqueValue variable (see below) in addition to the CSR. This will allow the re-use of a CSR.

uniqueValue
  Type: string. Max. Length: 20 chars.
  Allowed Values: An alphanumeric value.
  This uniqueValue is incorporated into the Request Token used with the HTTP_CSR_HASH and CNAME_CSR_HASH dcvMethods.
  This uniqueValue is used to ensure that the Request Token for this certificate is unique. Request Tokens are as defined in the CABF Baseline Requirements (version 1.4.1 or later) and used in the manner described in Sectigo’s ‘Domain Control Validation’ document (version 1.09 or later).
  If this uniqueValue parameter is omitted, and if the same CSR has previously been passed to Sectigo as part of a certificate order, Sectigo will generate a uniqueValue and return it in the response from this API call.
  If this uniqueValue parameter is provided, and if the same CSR has previously been passed to Sectigo as part of a certificate order, an error code (-55) will be returned if you are attempting to re-use the same combination of CSR and uniqueValue.
prioritiseCSRValues
  Type: char. Max. Length: 1 char.
  Description: This specifies which values to use if there are duplicates (e.g. if a Postal Code is specified in both the CSR and as a separate variable).
  Allowed Values: Y or N. If omitted, its value defaults to Y.

organizationName
organizationName (if there is an Organization Name in the CSR)
  Type: string. Max. Length: 64 chars.
  Description: Organization Name
  Allowed Values: If an Organization Name is specified here and prioritiseCSRValues is set to N, this value will be used instead of the Organization Name in the CSR.

organizationalUnitName
  Type: string. Max. Length: 64 chars.
  Description: Organizational Unit Name (e.g. Company Department)
  Allowed Values: If an Organizational Unit Name is specified here and in the csr, prioritiseCSRValues indicates which value will be used.

postOfficeBox
  Type: string. Max. Length: 40 chars.
  Description: Post Office Box
  Allowed Values: If a Post Office Box is specified here and in the csr, prioritiseCSRValues indicates which value will be used.

streetAddress1
streetAddress1 (if there is a Street Address in the CSR)
  Type: string. Max. Length: 128 chars.
  Description: Street Address 1
  Allowed Values: If a Street Address is specified here and in the csr, prioritiseCSRValues indicates which value will be used.

streetAddress2
  Type: string. Max. Length: 128 chars.
  Description: Street Address 2
  Allowed Values: If a second Street Address is specified here and in the csr, prioritiseCSRValues indicates which value will be used.

streetAddress3
  Type: string. Max. Length: 128 chars.
  Description: Street Address 3
  Allowed Values: If a third Street Address is specified here and in the csr, prioritiseCSRValues indicates which value will be used.

localityName
localityName (if there is a Locality Name in the CSR)
  Type: string. Max. Length: 128 chars.
  Description: Locality Name
  Allowed Values: If a Locality Name is specified here and in the csr, prioritiseCSRValues indicates which value will be used.

stateOrProvinceName
stateOrProvinceName (if there is a State or Province Name in the CSR)
  Type: string. Max. Length: 128 chars.
  Description: State or Province Name
  Allowed Values: If a State or Province Name is specified here and in the csr, prioritiseCSRValues indicates which value will be used.

postalCode
postalCode (if there is a Postal Code in the CSR)
  Type: string. Max. Length: 40 chars.
  Description: Postal Code
  Allowed Values: If a Postal Code is specified here and in the csr, prioritiseCSRValues indicates which value will be used.

countryName
countryName (if there is a Country Name in the CSR)
  Type: string. Max. Length: 2 chars.
  Description: Country Name (ISO3166 2-character country code)
  Allowed Values: If a Country Name is specified here and prioritiseCSRValues is set to N, this value will be used instead of the Country Name in the CSR.
dunsNumber
  Type: string. Max. Length: 20 chars.
  Description: DUN and Bradstreet Number

companyNumber
  Type: string. Max. Length: 25 chars.
  Description: Company Registration Number

joiLocalityName
  Type: string. Max. Length: 128 chars.
  Description: Jurisdiction of Incorporation: Locality
  Allowed Values: Only for EV Certificates: The City or Town (if any) in which the company is incorporated or registered.

joiStateOrProvinceName
  Type: string. Max. Length: 128 chars.
  Description: Jurisdiction of Incorporation: State
  Allowed Values: Only for EV Certificates: The State or Province (if any) in which the company is incorporated or registered.

joiCountryName
joiCountryName (for EV Certificate orders)
  Type: string. Max. Length: 2 chars.
  Description: Jurisdiction of Incorporation: Country
  Allowed Values: Only for EV Certificates: The Country in which the company is incorporated or registered.

dateOfIncorporation
  Type: string. Max. Length: 10 chars.
  Description: Date of Incorporation
  Allowed Values: Only for EV Certificates: The date of incorporation (YYYY-MM-DD) of the company. This is useful information for Validation purposes.

assumedName
  Type: string. Max. Length: 64 chars.
  Description: d/b/a Name
  Allowed Values: Only for EV Certificates: The d/b/a (does business as) name (if any) for the company.

businessCategory
  Type: char. Max. Length: 1 char.
  Description: Business Category (see Clause 5 of the EV Guidelines V1.0)
  Allowed Values:
    b = Private Organization.
    c = Government Entity.
    d = Business Entity.
emailAddress
  Type: string. Max. Length: 255 chars.
  Description: Alternative issuance email address
  Allowed Values: If specified, the certificate will be emailed to this email address rather than the applicant’s admin email address.
  If the value specified is “none”, no certificate issuance email will be sent at all (this is probably only useful if you intend to collect the certificate with CollectSSL).

validationEmailAddress
  Type: string. Max. Length: 255 chars.
  Description: Validation Email Address
  Allowed Values: If specified, Comodo will validate that this is the email address of the end customer. Sectigo will not send any emails to this email address; instead Sectigo will trust you, the Partner, to forward emails to this end customer as appropriate.

contactEmailAddress
  Type: string. Max. Length: 255 chars.
  Description: Contact Email Address
  Allowed Values: If specified, this email address will be the only email address that Sectigo Validation Staff will correspond with during the processing of this order.
dcvMethod
  Type: string. Max. Length: 32 chars.
  Description: Domain Control Validation Method
  Allowed Values: Selected method for Domain Control Validation. Permitted values are:
    EMAIL
    HTTP_CSR_HASH
    CNAME_CSR_HASH
    IP_ADDRESS_PRE
  (If omitted, the default value is “EMAIL”).
  For more information, see the “Domain Control Validation” document (version 1.09 or later).

dcvEmailAddress (only relevant for single-domain SSL certificates)
  Type: string. Max. Length: 255 chars.
  Description: Domain Control Validation Email Address
  Allowed Values: If specified, this email address must be an acceptable email address with which to perform Domain Control Validation (DCV) for this certificate. See the documentation for the GetDCVEmailAddressList API for more information.
  Alternative DCV mechanisms are now available. See the “Domain Control Validation” document for full details.
dcvEmailAddresses (only relevant for Multi-Domain SSL Certificates and Unified Communications Certificates)
  Type: string. Max. Length: 32767 chars.
  Description: List of DCV Email Addresses
  Allowed Values: A comma (or white-space)-separated list of DCV Email Addresses to be used to perform Domain Control Validation for each domain in this certificate. The order in which these email addresses are listed must be exactly the same as the order of the domain names in the certificate request (see ‘domainNames’ variable, above).
  Alternative DCV mechanisms are now available – see the “Domain Control Validation” document for full details. You can pass the following values for each domain:
    HTTPCSRHASH or CNAMECSRHASH or IPADDRESSPRE
  You can use one of the following magic tokens if all the domains in the order are to be set to the same alternative DCV method:
    ALLHTTPCSRHASH or ALLCNAMECSRHASH or ALLIPADDRESSPRE
  Note: The magic token must be the only value passed to the parameter for it to work.
  If this parameter is specified, “validationTokens” should not be specified.

dcvTemplateID
  Type: integer.
  Description: If specified, this overrides Sectigo's default choice of DCV email template to be used to validate this certificate. Talk to your account manager if you would like to set up one or more of your own DCV email templates that can be referenced by this parameter
  Allowed Values: An account can contain multiple DCV templates (in different languages, for example).
  Please contact Support for the DCV template

validationTokens (only relevant for Multi-Domain SSL Certificates and Unified Communications Certificates)
  Type: string. Max. Length: 32767 chars.
  Description: List of Validation Tokens
  Allowed Values: A comma (or white-space)-separated list of DCV Email Addresses to be used to perform Domain Control Validation for each domain in this certificate. The order in which these email addresses are listed must be exactly the same as the order of the domain names in the certificate request (see ‘domainNames’ variable, above).
  Alternative DCV mechanisms are now available – see the “Domain Control Validation” document for full details. You can pass the following values for each domain:
    HTTPCSRHASH or CNAMECSRHASH or IPADDRESSPRE
  You can use one of the following magic tokens if all the domains in the order are to be set to the same alternative DCV method:
    ALLHTTPCSRHASH or ALLCNAMECSRHASH or ALLIPADDRESSPRE
  Note: The magic token must be the only value passed to the parameter for it to work.
  If this parameter is specified, “dcvEmailAddresses” should not be specified.


caCertificateID
  Type: integer.
  Description: Use particular CA certificate/key
  Allowed Values: If specified, this overrides Sectigo’s default choice of CA certificate/key to be used to issue this certificate. This functionality is only available by special agreement with Sectigo.

isCustomerValidated
  Type: char. Max. Length: 1 char.
  Allowed Values: N

showCertificateID
  Type: char. Max. Length: 1 char.
  Description: If this value is set to Y, the certificateID of the SSL certificate generated by the order is also part of the resultSet.
  Allowed Values: Y or N. If omitted, its value defaults to N.

foreignOrderNumber
  Type: char. Max. Length: 64 characters.
  Description: An identifier for this order.
  Allowed Values: This identifier can be returned by some of our other APIs to aid in integration with partner systems.

checkFONIsUnique
  Type: char. Max. Length: 1 char.
  Description: If Y, the “foreignOrderNumber” parameter (if specified) must have not already been used for any order placed by this account.
  Allowed Values: Y or N.

responseFormat
  Type: char. Max. Length: 1 char.
  Description: Explained in sections 2 and 3 below.
  Allowed Values:
    0 = New-line delimited parameters.
    1 = URL-encoded parameters.
  If omitted, its value defaults to 0.

test
  Type: char. Max. Length: 1 char.
  Description: If Y (or y), the account will not be charged and the order will be processed as a test order. If omitted, its value defaults to N.
  Allowed Values: Y or N.
idaEmailAddress
  Type: string. Max. Length: 255 chars.
  Description: An Email Address to add to IdAuthority.
  Allowed Values: An Email Address to add to IdAuthority, for display in TrustLogo popups. (Only applicable if a TrustLogo is being ordered).

idaTelephoneNumber
  Type: string. Max. Length: 32 chars.
  Description: A Telephone Number to add to IdAuthority.
  Allowed Values: A Telephone Number to add to IdAuthority, for display in TrustLogo popups. (Only applicable if a TrustLogo is being ordered)

idaFaxNumber
  Type: string. Max. Length: 32 chars.
  Description: A Fax Number to add to IdAuthority.
  Allowed Values: A Fax Number to add to IdAuthority, for display in TrustLogo popups. (Only applicable if a TrustLogo is being ordered)
appRepForename (only relevant for OV and EV Certificates, HackerGuardian, HackerProof)
  Type: string. Max. Length: 64 chars.
  Description: Applicant Representative's Name to be used for callback.
  Allowed Values: Required when Sectigo will perform the Organizational callback.

appRepSurname (only relevant for OV and EV Certificates, HackerGuardian, HackerProof)
  Type: string. Max. Length: 64 chars.
  Description: Applicant Representative's Name to be used for callback.
  Allowed Values: Required when Sectigo will perform the Organizational callback.

appRepEmailAddress (Required for all products)
  Type: string. Max. Length: 255 chars.
  Description: Customer contact email address.
  Allowed Values: Used for critical customer communications, such as validation for OV & EV Certificates, communicating account setup instructions for HackerGuardian, Sectigo Web and CodeGuard products, and communicating any warnings regarding platform alerts, malware alerts and blacklist monitoring.

appRepTelephone (only relevant for OV and EV Certificates)
  Type: string. Max. Length: 32 chars.
  Description: Applicant Representative's phone number for callback.
  Allowed Values: Required when Sectigo will perform the Organizational callback.

appRepTitle (only relevant for OV and EV Certificates)
  Type: string. Max. Length: 64 chars.
  Description: Applicant Representative's title to be used for callback.

appRepFax (only relevant for OV and EV Certificates)
  Type: string. Max. Length: 32 chars.
  Description: Applicant Representative's fax number to be used for callback.

appRepOrganizationName (only relevant for OV and EV Certificates)
  Type: string. Max. Length: 255 chars.
  Description: Applicant Representative's Organization Name
  Allowed Values: DO NOT specify this field unless the Applicant Representative's Organization Name/Address details are different to the Organization Name/Address details that have been requested to appear in the certificate.

appRepOrganizationalUnitName (only relevant for OV and EV Certificates)
  Type: string. Max. Length: 64 chars.
  Description: Applicant Representative's Organizational Unit Name
  Allowed Values: If appRepOrganizationName is not specified, then this field is ignored.

appRepStreetAddress1 (only relevant for OV and EV Certificates)
  Type: string. Max. Length: 128 chars.
  Description: Applicant Representative's street address 1
  Allowed Values: If appRepOrganizationName is not specified, then this field is ignored.

appRepStreetAddress2 (only relevant for OV and EV Certificates)
  Type: string. Max. Length: 128 chars.
  Description: Applicant Representative's street address 2
  Allowed Values: If appRepOrganizationName is not specified, then this field is ignored.

appRepStreetAddress3 (only relevant for OV and EV Certificates)
  Type: string. Max. Length: 128 chars.
  Description: Applicant Representative's street address 3
  Allowed Values: If appRepOrganizationName is not specified, then this field is ignored.

appRepPostOfficeBox (only relevant for OV and EV Certificates)
  Type: string. Max. Length: 128 chars.
  Description: Applicant Representative's post office box #
  Allowed Values: If appRepOrganizationName is not specified, then this field is ignored.

appRepLocalityName (only relevant for OV and EV Certificates)
  Type: string. Max. Length: 128 chars.
  Description: Applicant Representative's locality name
  Allowed Values: If appRepOrganizationName is not specified, then this field is ignored.

appRepStateOrProvinceName (only relevant for OV and EV Certificates)
  Type: string. Max. Length: 128 chars.
  Description: Applicant Representative's state
  Allowed Values: If appRepOrganizationName is not specified, then this field is ignored.

appRepPostalCode (only relevant for OV and EV Certificates)
  Type: string. Max. Length: 40 chars.
  Description: Applicant Representative's Zip
  Allowed Values: If appRepOrganizationName is not specified, then this field is ignored.

appRepCountryName (only relevant for OV and EV Certificates)
  Type: char. Max. Length: 2 chars.
  Description: Applicant Representative's country code (ISO3166 2-character country code)
  Allowed Values: If appRepOrganizationName is not specified, then this field is ignored.
callbackMethod
  Type: char. Max. Length: 1 char.
  Description: Callback method for verification of Applicant Representative's identity
  Allowed Values:
    T = The appRepTelephone number will be called to communicate a callback verification code which will be used to confirm the identity of the Applicant Representative.
    L = A letter, containing a callback verification code, will be posted to the Applicant Representative.

isAppRepValidated
  Type: char. Max. Length: 1 char.
  Description: Who will verify the Applicant Representative's contact details before the callback is performed?
  Allowed Values:
    Y = The Partner Reseller has verified that the Applicant Representative's contact details are legitimate, using a data source other than the Applicant. (Only Partner Resellers with sufficient RA privileges may specify Y).
    N = Sectigo will verify the Applicant Representative's contact details before performing the callback using the method specified by callbackMethod.

isCallbackCompleted
  Type: char. Max. Length: 1 char.
  Description: Who will perform the callback?
  Allowed Values:
    Y = The Partner has completed the callback and verified the identity of the Applicant Representative. (Only Partner Resellers with sufficient RA privileges may specify Y. If isCallbackCompleted=Y is specified, then isAppRepValidated=Y must also be specified).
    N = Sectigo will perform the callback using the method specified by callbackMethod.

showCertificateState
  Type: char. Max. Length: 1 char.
  Description: If this value is set to Y, the state of the SSL certificate generated by the order is also part of the resultSet.
  Allowed Values: Y or N.

omitAdditionalFQDN (only relevant for single-domain SSL certificates)
  Type: char. Max. Length: 1 char.
  Description: If omitted, its value defaults to N.
  Allowed Values:
    N = Sectigo will add an additional FQDN, either for www.<domain> (if the certificate was requested for <domain>) or for <domain> (if the certificate was requested for www.<domain>).
    Y = An additional FQDN will not be added.


appRepLoginName
AppRepLoginPassword (only for HackerProof)
  Max. Length: 50 chars.
  Allowed Values: Required for HackerGuardian license account

IP Addresses
  Type: integer.
  Allowed Values: Sectigo HackerGuardian Additional IP Addresses Pack
  For the HG Additional IP Addresses Pack the available values are 1, 5, 10, 50, 100, 500, 1000

previousOrderNumber
  Type: integer.
  Allowed Values: Order number of the previous license (HackerGuardian/CodeGuard). Using this parameter with SSL or Document Signing products will return error -68.

includeIndividual
  Type: char.
  Allowed Values:
    Y = Change certificate type from Organizational to Individual within Organization for product 706
    N = Default value, use basic product 706

offerType (only for Document Signing Products + Shipping Cost)
  Type: integer.
  Allowed Values:
    22 = Standard Shipping
    23 = Expedited Shipping
    24 = International Shipping
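
Several rules in the parameter table span more than one parameter: list separators and URL-encoding for domainNames, one dcvEmailAddresses entry per domain, magic tokens standing alone, and dcvEmailAddresses versus validationTokens. The following pre-flight check is an added example, not Sectigo's code; check_order, encode_body, redact and the sample order are hypothetical names and constructed values, and the days check assumes a certificate product.

```python
import re
from urllib.parse import urlencode

# Values copied from the parameter table; the days set assumes a certificate product.
ALLOWED_DAYS = {30, 90, 365, 730, 1095, 1461, 1826}
MAGIC_DCV = {"ALLHTTPCSRHASH", "ALLCNAMECSRHASH", "ALLIPADDRESSPRE"}
MAX_LEN = {"loginName": 64, "loginPassword": 128, "product": 64,
           "domainNames": 32767, "primaryDomainName": 64,
           "dcvEmailAddresses": 32767, "validationTokens": 32767}
SECRET_FIELDS = {"loginPassword"}  # assumption: the only credential in the request


def split_list(value):
    """Split a comma- or whitespace-separated parameter value into items."""
    return [item for item in re.split(r"[,\s]+", value.strip()) if item]


def check_order(params):
    """Return the rule violations found in a dict of string parameters."""
    problems = []
    for name, limit in MAX_LEN.items():
        if len(params.get(name, "")) > limit:
            problems.append(f"{name}: longer than {limit} chars")

    days = params.get("days")
    if days is not None and (not days.isdigit() or int(days) not in ALLOWED_DAYS):
        problems.append("days: not a listed validity period")

    unique = params.get("uniqueValue")
    if unique is not None and not re.fullmatch(r"[A-Za-z0-9]{1,20}", unique):
        problems.append("uniqueValue: must be alphanumeric, at most 20 chars")

    domains = [d.lower() for d in split_list(params.get("domainNames", ""))]
    primary = params.get("primaryDomainName", "").lower()
    if primary and primary not in domains:
        problems.append("primaryDomainName: not listed in domainNames")
    if params.get("maxSubjectCNs") == "1" and not primary:
        problems.append("maxSubjectCNs=1 requires primaryDomainName")

    if "dcvEmailAddresses" in params and "validationTokens" in params:
        problems.append("dcvEmailAddresses and validationTokens: send only one")
    dcv = split_list(params.get("dcvEmailAddresses", ""))
    if any(item in MAGIC_DCV for item in dcv):
        if len(dcv) != 1:
            problems.append("dcvEmailAddresses: a magic token must be the only value")
    elif dcv and domains and len(dcv) != len(domains):
        problems.append("dcvEmailAddresses: one entry per domain, in domainNames order")
    return problems


def encode_body(params):
    """Build the POST body; urlencode turns commas into %2C and spaces into +."""
    return urlencode(params)


def redact(params):
    """Copy of params that is safe to write to a log (credentials masked)."""
    return {k: ("***" if k in SECRET_FIELDS else v) for k, v in params.items()}


# Constructed sample order (csr omitted for brevity; credentials are fake).
SAMPLE_ORDER = {
    "loginName": "partner-user",
    "loginPassword": "constructed-secret",
    "product": "279",
    "days": "365",
    "domainNames": "a.example.com,b.example.com",
    "primaryDomainName": "a.example.com",
    "dcvEmailAddresses": "admin@a.example.com,HTTPCSRHASH",
    "responseFormat": "1",
    "test": "Y",
}

if __name__ == "__main__":
    print(check_order(SAMPLE_ORDER))
    print(encode_body(redact(SAMPLE_ORDER)))
```

The body returned by encode_body belongs in an HTTPS POST; status codes -1 and -17 in section 2 are what the API returns when the request is not made over https or uses GET.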
2. Response (when responseFormat=0, the default)
2.1 MIME Type and first line

Mime-Type: text/plain

Line 1: Status Code
Possible Value(s):
1 = Successful, Payment Required
0 = Successful
-1 = Request was not made over https!
-2 = ‘xxxx’ is an unrecognised argument!
-3 = The ‘xxxx’ argument is missing!
-4 = The value of the ‘xxxx’ argument is invalid!
-5 = The CSR’s Common Name may NOT contain a wildcard!
-6 = The CSR’s Common Name MUST contain ONE wildcard!
-7 = ‘xx’ is not a valid ISO-3166 country!
-8 = The CSR is missing a required field!
-9 = The CSR is not valid Base-64 data!
-10 = The CSR cannot be decoded!
-11 = The CSR uses an unsupported algorithm!
-12 = The CSR has an invalid signature!
-13 = The CSR uses an unsupported key size!
-14 = An unknown error occurred!
-15 = Not enough credit!
-16 = Permission denied! Contact Sectigo Support to have your account enabled for the !AutoApplyOrder API.
-17 = Request used GET rather than POST!
-18 = The CSR's Common Name may not be a Fully-Qualified Domain Name!
-19 = The CSR's Common Name may not be an Internet-accessible IP Address!
-35 = The CSR's Common Name may not be an IP Address!
-40 = The CSR uses a key that is believed to have been compromised!
-45 = You can not renew trial license!
-47 = domainName is already validated!
-53 = Incorrect duration for main HG license or/and Additional IP addresses pack!
-54 = The order can have one main license only!
-55 = This Request Token is not unique!
-56 = Your current license expires on <EXPIRATION_DATE> . Licenses can only be renewed up to 30 days prior to the expiry of your existing license. <EXPIRATION_DATE> in format 'YYYY-MM-DD'
-57 = The company name already exists in the service Qualys!
-58 = Additional IP Addresses pack is not available for trial license!
-59 = Additional IP Address Packs may only be purchased for an existing HackerGuardian account!
-60 = To renew your access to the PCI portal you must purchase enough IP Addresses to support those currently setup. Previously you have purchased <NUM_IPS_PURCHASED> IP addresses.
-63 = The e-mail already exists in the service CodeGuard
-64 = Unknown partner for the service CodeGuard
-65 = PlanID for this product not found.
-66 = CodeGuard partner is not activated.
-67 = The order can have one CodeGuard license only!
-68 = Argument ‘xxxx’ can be used just with License products!
-69 = CodeGuard sync service disabled!
-70 = Invalid Email Address!
-71 = The previous order must have a license of the same type!
-81 = The order must have a Document-Signing Certificate!
-82 = The order must have only one Web Package product!

NOTE: Whether 0 or 1 is returned for Successful orders depends on how your account is configured with Sectigo. Usually, you will take payment from your customer and Sectigo will debit your account funds when you place the order. However, in special circumstances it can be arranged for Sectigo to take payment from your customer on your behalf.

Note: We reserve the right to define additional error codes/messages in the future.

2.2.1 If Status Code < 0

Line                      Possible Value(s)

Line 2: Error Message     See Status Code Possible Value(s)

2.2.2 If Status Code >= 0

Line                                       Possible Value(s)

Line 2: Order Number                       Integer
Line 3:                                    Amount, in your account's native currency, without a currency symbol (e.g. $)
        (If Status Code = 0): Amount Debited
        (If Status Code = 1): Amount Required (not including UK VAT, if required)
Line 4: Expected Delivery Time             This value can be ignored and has been deprecated.
                                           240 – this order is for an EV Certificate. The validation process generally
                                           takes a lot longer for EV, compared to other SSL Certificates.
Line 5: SSL Certificate ID                 The internal Certificate ID of the SSL certificate purchased by this order.
        (up to 16 digits; only returned if showCertificateID=Y)
Line 5 or 6: SSL Certificate State         The status of the SSL certificate purchased by this order.
        (only returned if showCertificateState=Y)
Line 5, 6 or 7: Unique Value               A unique alphanumeric value up to 20 characters long.
        (only returned if a uniqueValue parameter was passed in to this API, or if a
        uniqueValue has been generated by Sectigo for this order)
3. Response (when responseFormat=1)
Most of Sectigo's newer APIs always use URL-encoding for responses. !AutoApplyOrder can now be instructed to return responses in the same format, simply
by specifying responseFormat=1 in the request.

3.1 MIME Type

Line Possible Value(s)


Mime-Type application/x-www-form-urlencoded

3.2 Parameters

Name                    Possible Value(s)
(bold when always present, italic when not always present)

errorCode               An integer (see section 2.1 - “Status Code” - for the possible values).
errorMessage            A string (see section 2.1 - “Status Code” - for the possible values). This
                        parameter is not present when errorCode=0.
orderNumber             An integer. This parameter is only present when errorCode=0.
totalCost               Amount, in your account's native currency, without a currency symbol (e.g.
                        $). This parameter is only present when errorCode=0.
expectedDeliveryTime    Expected number of hours before this order will be completed (0, 1, 24, 48 or
                        240). This parameter is only present when errorCode=0.
certificateID           The internal Certificate ID of the SSL certificate purchased by this order. This
                        parameter is only present when showCertificateID=Y and errorCode=0.
certificateStatus       The status of the SSL certificate purchased by this order. This parameter is
                        only present when showCertificateState=Y and errorCode=0.
uniqueValue             A unique alphanumeric value up to 20 characters long.
                        Only returned if a uniqueValue parameter was passed in to this API, or if a
                        uniqueValue has been generated by Sectigo for this order.
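
The two response formats described in sections 2.2 and 3 can be parsed as follows. This is an added example, not Sectigo's own code; the OrderResult type and the function names are hypothetical. It fails closed on anything that is not a well-formed response, and it needs the showCertificateID / showCertificateState flags of the request because the optional lines 5 to 7 are unlabelled and shift position.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional
from urllib.parse import parse_qs


@dataclass
class OrderResult:
    status: int                            # line 1 / errorCode
    error: Optional[str] = None            # set only when status < 0
    order_number: Optional[int] = None
    amount: Optional[Decimal] = None       # debited (status 0) or required (status 1)
    certificate_id: Optional[int] = None
    certificate_state: Optional[str] = None
    unique_value: Optional[str] = None


def parse_lines(body, show_certificate_id=False, show_certificate_state=False):
    """responseFormat=0: newline-delimited. The flags must mirror the request."""
    lines = [ln.strip() for ln in body.strip().splitlines()]
    try:
        status = int(lines[0])             # ValueError on e.g. an HTML error page
        if status < 0:
            return OrderResult(status, error=lines[1] if len(lines) > 1 else "")
        if len(lines) < 4:
            raise ValueError("truncated response")
        result = OrderResult(status, order_number=int(lines[1]), amount=Decimal(lines[2]))
        rest = lines[4:]                   # lines[3] is the deprecated delivery time
        if show_certificate_id:
            result.certificate_id = int(rest.pop(0))
        if show_certificate_state:
            result.certificate_state = rest.pop(0)
        if rest:
            result.unique_value = rest.pop(0)
        if rest:                           # flags and response disagree
            raise ValueError("more lines than the request flags allow")
        return result
    except (IndexError, ArithmeticError) as exc:
        # Fail closed: a short or non-numeric body is never treated as an order.
        raise ValueError("malformed AutoApplyOrder response") from exc


def parse_form(body):
    """responseFormat=1: application/x-www-form-urlencoded."""
    fields = {k: v[0] for k, v in parse_qs(body.strip(), strict_parsing=True).items()}

    def opt(name, cast):
        return cast(fields[name]) if name in fields else None

    try:
        status = int(fields["errorCode"])
        if status < 0:
            return OrderResult(status, error=fields.get("errorMessage", ""))
        result = OrderResult(status,
                             order_number=opt("orderNumber", int),
                             amount=opt("totalCost", Decimal),
                             certificate_id=opt("certificateID", int),
                             certificate_state=fields.get("certificateStatus"),
                             unique_value=fields.get("uniqueValue"))
    except (KeyError, ArithmeticError) as exc:
        raise ValueError("malformed AutoApplyOrder response") from exc
    if status == 0 and (result.order_number is None or result.amount is None):
        raise ValueError("success response without orderNumber/totalCost")
    return result
```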
4. Parameters for new products available with !AutoApplyOrder

4.1 CodeGuard

Parameter Possible Value(s)


days Integer
appRepEmailAddress String
appRepForename String, not required
appRepSurname String, not required

4.2 HackerGuardian
Notes:
Parameters ‘appRepLoginName’, ‘organizationName’, ‘appRepSurname’, ‘appRepSurname’ have a length limit of 50 Unicode characters.
Parameter ‘appRepEmailAddress’ has a length limit of 128 Unicode characters.

Name Possible Value(s)


days Integer
appRepLoginName String
IP Addresses Integer
organizationName String
appRepForename String
appRepSurname String
appRepEmailAddress String
appRepCountryName String

4.3 HackerProof
Notes:
Parameters ‘appRepLoginName’, ‘organizationName’, ‘appRepSurname’, ‘appRepSurname’ have a length limit of 50 Unicode characters.
Parameter ‘appRepEmailAddress’ has a length limit of 128 Unicode characters.

Name Possible Value(s)


days Integer
appRepLoginName String
IP Addresses Integer
organizationName String
appRepForename String
appRepSurname String
appRepEmailAddress String
appRepCountryName String
appRepLoginPassword String

4.4 DocumentSigning

Name Possible Value(s)


includeIndividual Integer
5. Example API Calls

5.1 DV certificate

Request
Parameter Value Details
loginName mypartnerusername
loginPassword th15ISNOTas3ns!blePassW0rd!
isCustomerValidated N Required
serverSoftware -1 Required, used ‘OTHER’
days 365 365 days = 1 year
product 488 Code for SectigoSSL DV single cert
csr <full base64 encoded CSR> CSR for ‘sectigo.com’
dcvEmailAddress [email protected] Acceptable email address for DCV

Response

Output Details
0 Successful!
123456789 Sectigo OrderNumber
35.00 Amount debited to account - $35.00
1 (Ignore, deprecated ‘Estimated Delivery Time’)
ImWhh1J1 (Optional) A ‘uniqueValue’ returned as one was not provided and the CSR has
been re-used.

5.2 OV Multi-Domain Certificate

Request
Parameter Value Details
loginName mypartnerusername
loginPassword th15ISNOTas3ns!blePassW0rd!
isCustomerValidated N Required
serverSoftware -1 Required, used ‘OTHER’
days 730 730 days = 2 years
product 583 Code for SectigoSSL OV MDC cert
appRepEmailAddress [email protected] Email address of the customer to action the callback
organizationName Sectigo Company name and information
streetAddress1 5 Becker Farm Road
localityName Roseland
stateOrProvinceName NJ
countryName US ISO-3166 2-letter country code for United States
postalCode 07068
csr <full base64 encoded CSR> CSR for ‘sectigo.com’
domainNames sectigo.com,www.sectigo.com,secure.sectigo.com List of FQDNs
primaryDomainName sectigo.com Name for the Subject CN
validationTokens ALLCNAMECSRHASH Single token indicating all names to be DCV’d by DNS
method

Response

Output Details
0 Successful!
987654321 Sectigo OrderNumber
210.00 Amount debited to account - $210.00
1 (Ignore, deprecated ‘Estimated Delivery Time’)
5.3 EV Certificate

Request
Parameter Value Details
loginName mypartnerusername
loginPassword th15ISNOTas3ns!blePassW0rd!
isCustomerValidated N Required
serverSoftware -1 Required, used ‘OTHER’
days 365 365 days = 1 year
product 562 Code for EnterpriseSSL EV Pro certificate
appRepEmailAddress [email protected] Email address of the customer to action the callback
appRepForename John Name of representative of organisation
appRepSurname Smith
organizationName Sectigo Company name and information
streetAddress1 5 Becker Farm Road
localityName Roseland
stateOrProvinceName NJ
countryName US ISO-3166 2-letter country code for United States
postalCode 07068
csr <full base64 encoded CSR> CSR for ‘sectigo.com’
domainNames sectigo.com,www.sectigo.com,secure.sectigo.com List of FQDNs
primaryDomainName sectigo.com Name for the Subject CN
validationTokens ALLCNAMECSRHASH Single token indicating all names to be DCV’d by DNS
method

Response

Output Details
0 Successful!
987654321 Sectigo OrderNumber
210.00 Amount debited to account - $210.00
1 (Ignore, deprecated ‘Estimated Delivery Time’)

5.4 HackerGuardian
Request:
Parameter Value Details
loginName mypartnerusername
loginPassword th15ISNOTas3ns!blePassW0rd!
days 365 365 days = 1 year
product 586,587
appRepEmailAddress [email protected] Email address of the customer to action the callback
organizationName Sectigo Company name and information
streetAddress1 5 Becker Farm Road
localityName Roseland
countryName US ISO-3166 2-letter country code for United States
appRepLoginName myhackerguardianusername
appRepForename John
appRepSurname Smith

Response:
Output Details
0 Successful!
987654321 Sectigo OrderNumber
210.00 Amount debited to account - $210.00
1 (Ignore, deprecated ‘Estimated Delivery Time’)

5.5 HackerProof
Request:
Parameter Value Details
loginName mypartnerusername
loginPassword th15ISNOTas3ns!blePassW0rd!
days 365 365 days = 1 year
product 346,329 Sectigo HackerGuardian Standard
appRepEmailAddress [email protected] Email address of the customer to action the callback
organizationName Sectigo Company name and information
streetAddress1 5 Becker Farm Road
localityName Roseland
countryName US ISO-3166 2-letter country code for United States
appRepLoginName myhackerguardianusername
appRepForename John
appRepSurname Smith
appRepLoginPassword myhackerguardianpassword

Response:
Output Details
0 Successful!
987654321 Sectigo OrderNumber
210.00 Amount debited to account - $210.00
1 (Ignore, deprecated ‘Estimated Delivery Time’)

5.6 HackerGuardian + Additional IP Addresses Pack


Request:
Parameter Value Details
loginName mypartnerusername
loginPassword th15ISNOTas3ns!blePassW0rd!
days 365 365 days = 1 year
product 586, 587, 356
appRepEmailAddress [email protected] Email address of the customer to action the callback
organizationName Sectigo Company name and information
streetAddress1 5 Becker Farm Road
localityName Roseland
countryName US ISO-3166 2-letter country code for United States
appRepLoginName myhackerguardianusername
appRepForename John
appRepSurname Smith
IP Addresses 10

Response:
Output Details
0 Successful!
987654321 Sectigo OrderNumber
210.00 Amount debited to account - $210.00
1 (Ignore, deprecated ‘Estimated Delivery Time’)
6. Push Notification / Webhook API

Sectigo has the ability to 'push' information about issued certificates to your system when the certificates are signed.
The signed certificate and certificate chain can optionally also be pushed to your system.

This 'push' mechanism allows us to notify you when your certificates change status or are signed and available. The signed certificate itself can also optionally be
included along with the certificate chain, or you can choose not to have the certificate sent and use the status push to trigger a call to the CollectSSL API.

This system helps alleviate the requirement for frequent polling of order status.

Notes:
• Changes in state are communicated, when triggered by completion of various actions – e.g. DCV completed, OV or EV validation completed.

• We only push the details of signed SSL (server) certificates. Client/email and code signing certificates are not supported at this time.

• There is a ‘failed’ status that can be pushed. It should never occur. Please handle this error, but we would suggest notifying your Account Manager if this
occurs.

• You should ensure that the endpoint URL to which we call is available as much as possible. Should there be a problem communicating the call to your
system, we will log as a failure within our system. The call will be attempted three (3) times only. A ‘failure’ can be defined as: a network connectivity
issue; verification failure of your SSL certificate; an authentication failure (if provided); a protocol error or server-issued error (HTTP error codes).

• While this system alleviates the need for frequent polling of CollectSSL for status, we understand it does not remove it altogether. We advise that if you
do wish to continue with polling for status of your certificate orders you do so no more frequently than once every 3 hours.

• If you choose to have the signed certificate and chain pushed, our system will make a POST call instead of GET – including for status changes without
certificates attached.

• The reason in a ‘failed’ status (code 3) could include:


CAA: Not authorized to issue - the CAA DNS record does not authorise us to issue.

• For use of the verificationCode – this applies to both OV and EV certificates.

OV Callback Link:
https://secure.trust-provider.com/products/EnterCallbackCode?orderNumber={orderNumber}&code2={verificationCode}

EV Click-through and Callback Link:
https://secure.trust-provider.com/products/ExecuteAgreementsWithCode?orderNumber={orderNumber}&code2={verificationCode}

Setup:
To set up the certificate issuance push, you should set up a system to receive HTTP or HTTPS calls.

The system should accept all the parameters from the IP listed below. You do not need to utilise both orderNumber and certificateID unless you wish to.

The URL must be visible on the public internet, although you may wish to add IP-restrictions to only allow the call to be made from our system.

‘Basic Authentication’ is supported.


Call Information:
Sectigo will make a call to a URL which you delegate.

WITHOUT certificate push:


These parameters will be passed as a HTTP(S) GET to your URL, as follows:

Parameter          Type      Description                                                       Example

orderNumber        string    Sectigo order number.                                             1234567repl#1
certificateID      integer   Sectigo certificate ID.                                           1234567890
Status             string    Certificate status.                                               issued
statusCode         integer   Certificate status as an integer value.                           6
statusDesc         string    Brief description of the status.                                  Valid
verificationCode   string    Will be present just for statuses (verified and click-through)    mdtBfVzq0MIaiGg8

WITH certificate push:


The above parameters are sent, with two additions. All parameters are POSTed to your URL.

Parameter Type Description Example


certificate string PEM (Base64 with PEM headers) encoded certificate.
caCertificate string PEM encoded certificate chain.

A list of the ‘status’, ‘statusCode’ and ‘statusDesc’ parameters:

statusCode                                        status                     statusDesc

6                                                 issued                     Valid
9                                                 issued                     Issued but not yet collected
8                                                 revoked                    Revoked
14                                                replaced                   Replaced
12                                                awaitingbrandvalidation    Awaiting Validation (Brand)
5                                                 failed                     POST-SIGN FAILED
3                                                 failed                     PRE-SIGN FAILED: reason
7                                                 rejected                   Rejected: reason
Any of above depending on certificate state       verified                   Phone number verified
Any of above depending on certificate state       click-through              EV click-through e-mail sent

The call will be made from:


91.199.212.132

Once you have your endpoint URL set up, please contact your Account Manager or [email protected] with both your account number or username and
the URL (including basic authentication credentials if necessary).

Please also specify if you wish to have the signed certificate and chain pushed or not.
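
A receiving endpoint can apply the checks this section allows for (source IP restriction, Basic Authentication, and consistency of status with statusCode) before acting on a push. The following is an added example, not Sectigo's code; the function names, the PushRejected exception and the shape of the returned dict are hypothetical, and the caller is assumed to pass the decoded GET or POST parameters as a dict.

```python
import base64
import hmac
import ipaddress

PUSH_SOURCE = ipaddress.ip_address("91.199.212.132")  # "The call will be made from"
# statusCode -> status, copied from the status table in this section
STATUS_BY_CODE = {6: "issued", 9: "issued", 8: "revoked", 14: "replaced",
                  12: "awaitingbrandvalidation", 5: "failed", 3: "failed", 7: "rejected"}
EVENT_STATUSES = {"verified", "click-through"}  # may arrive with any code above


class PushRejected(Exception):
    """The call does not look like a genuine, well-formed Sectigo push."""


def basic_auth_ok(header, user, password):
    if not header or not header.startswith("Basic "):
        return False
    try:
        supplied = base64.b64decode(header[6:].strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return hmac.compare_digest(supplied, f"{user}:{password}".encode())  # constant time


def validate_push(peer_ip, auth_header, params, user, password):
    """Return a normalised event dict, or raise PushRejected.

    peer_ip must be the TCP peer address seen by the server (or set by a proxy
    you control), never a header the caller can choose.
    """
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        raise PushRejected("unparseable peer address")
    addr = getattr(addr, "ipv4_mapped", None) or addr  # ::ffff:a.b.c.d on dual-stack sockets
    if addr != PUSH_SOURCE:
        raise PushRejected("unexpected source address")
    if not basic_auth_ok(auth_header, user, password):
        raise PushRejected("bad credentials")
    status = params.get("status") or params.get("Status")  # the page shows both spellings
    try:
        code = int(params["statusCode"])
    except (KeyError, ValueError):
        raise PushRejected("missing or non-integer statusCode")
    if code not in STATUS_BY_CODE:
        raise PushRejected("unknown statusCode")
    if status not in EVENT_STATUSES and status != STATUS_BY_CODE[code]:
        raise PushRejected("status does not match statusCode")
    if not (params.get("orderNumber") or params.get("certificateID")):
        raise PushRejected("no order or certificate reference")
    event = {"status": status, "statusCode": code,
             "orderNumber": params.get("orderNumber"),  # a string, e.g. 1234567repl#1
             "certificateID": params.get("certificateID")}
    if status in EVENT_STATUSES:
        event["verificationCode"] = params.get("verificationCode")
    return event
```

The push carries no signature of its own, so an accepted event is best used as the trigger for a CollectSSL or order-status call, as the section suggests, rather than as the final word on certificate state.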

7. Parameters for refunding SSL/TLS Certificates

At this time, only Single and Wildcard SSL Certificates can be refunded via this API. Multi-Domain certificates can currently only be refunded by
submitting a ticket to https://sectigo.com/support-ticket
The request should be POSTed (NOT GETed) to the below URL.
Required variables are in bold.
Optional variables are in italics.
https://secure.trust-provider.com/products/!AutoRefund
Request

Variable Name         Type      Max Length   Allowed Values                                        Description
(case insensitive)

loginName             string    64 chars     64 chars                                              Account Username (case sensitive)
loginPassword         string    128 chars    128 chars                                             Account Password (case sensitive)
orderNumber           string                                                                       The Order Number for which you want a refund.
refundReasonCode      integer                1 = Unable to validate Certificate                    Reason for the refund.
                                             2 = Domain or Organization no longer active
                                             3 = Would like to get another type of certificate
                                             4 = Failed Brand Validation
                                             5 = Comodo rejected certificate request
                                             6 = Certificate revoked due to malware
                                             7 = Certificate revoked due to phishing
                                             8 = Certificate revoked due to Google safe browsing
                                             9 = Moving to another Certificate Authority
                                             10 = Found the certificate for a better price
                                             11 = Other

Response
The MIME type will be application/x-www-form-urlencoded, because the format of the response will be the same “URL-encoded” format as the request (e.g.
name1=value1&name2=value2).
Here are the names of the various variables that will or may appear in the response:

Variable Name         Type      Description
(case insensitive)

errorCode             integer   Error code (see list below for possible values)
errorMessage          string    Explanation of error

Here are the possible values for “errorCode” and “errorMessage”:

errorCode errorMessage
0 Successful
-1 Request was not made over HTTPS!
-2 ‘xxxx’ is an unrecognized argument!
-3 The ‘xxxx’ argument is missing!
-4 The value of the ‘xxxx’ argument is invalid!
-14 An unknown error occurred!
-16 Permission denied!
-17 Request used GET rather than POST!
-18 Text explaining why the refund was unsuccessful.

8. Parameters for getting information on the status of order for SSL/TLS Certificates / HackerGuardian Products /
CodeGuard Products

Sectigo provides the ability to fetch the order status via this API.
The request should be POSTed (NOT GETed) to the below URL.
Required variables are in bold.
Optional variables are in italics.
https://secure.trust-provider.com/products/!GetDetailedOrderStatus
Request

Variable Name                         Type      Max. Length   Allowed Values                                       Description
(case insensitive)

loginName                             string    64 chars                                                           Account Username (case sensitive)
loginPassword                         string    128 chars                                                          Account Password (case sensitive)
orderNumber                           Integer                 Any incomplete order number of the webhost account.  Any incomplete order number of the webhost account.
(either “orderNumber” or
“certificateID” must be provided)
certificateID                         Integer   16 digits     A Certificate ID.                                    The internal Certificate ID of the SSL certificate.
(either “orderNumber” or
“certificateID” must be provided)
queryType                             Integer                 0 = return status only
                                                              1 = return status and detailed status information
                                                              2 = return status and detailed status information as for
                                                              queryType=1 and also include information about
                                                              replacement orders (if any)
Response
The MIME type will be application/x-www-form-urlencoded.
Here are the names of the various variables that will or may appear in the response:

Name                                Possible Value(s)

errorCode                           Integer.
                                    0 = Successful
                                    -1 = Request was not made over https!
                                    -2 = ‘xxxx’ is an unrecognised argument!
                                    -3 = The ‘xxxx’ argument is missing
                                    -4 = The value of the ‘xxxx’ argument is invalid!
                                    -14 = An unknown error occurred!
                                    -16 = Permission denied!
                                    -17 = Request used GET rather than POST!
errorMessage                        String (see “Error Code” - for the possible values). This
                                    parameter is not present when errorCode = 0
X_orderNumber
X_orderDateTime                     Timestamp when this certificate was created.
X_orderStatus                       A string describing the current status of the Order.
X_orderStatusReason                 A string describing the reason of status (only relevant for rejected orders)
X_suggestedOrgDetails               If Auto Organizational validation was requested for this order – this parameter will include status of such
                                    validation as well as details of matching organizations (if found). Will include following parameters:
                                    Status. Indicates status of Auto Organizational Validation. Possible values:
                                      Found - match found (additional parameters will be added as detailed below)
                                      NotFound – match not found
                                      NotYetCompleted – the process is not completed yet
                                      NotApplicable – Organizational validation is not required or was already completed
                                    If status=found Sectigo will return following details of matching organizations:
                                      X_organizationName – Company Name
                                      X_streetAddress - Street
                                      X_localityName - City
                                      X_stateOrProvinceName – State or Province
                                      X_postalCode – Postal/ZIP code
                                      X_countryName – Country 2-char code ( ISO 3166-1 Alpha-2 )
                                      X_dunsNumber - Duns number
                                      X_telephoneNumber – Phone number
X_Y_serialNumber                    SSL certificate serial number
X_Y_objectType                      Certificate Type
X_Y_FQDN                            The Fully-Qualified Domain Name of this SSL Certificate.
X_Y_certificateStatus               A string describing the current status of the certificate.
X_Y_certificateStatusReason         A string describing the reason of status (only relevant for rejected or revoked certificates)
X_Y_csrStatus                       CSR Status of certificate (if queryType = 1 or 2)
                                    -1 - not-required
                                    0 - not-completed
                                    1 - completed
                                    2 - in-progress
X_Y_dcvStatus                       DCV Status of certificate (if queryType = 1 or 2)
                                    -1 - not-required
                                    0 - not-completed
                                    1 - completed
                                    2 - in-progress
X_Y_ovCallBackStatus                OV CallBack Status of account (if queryType = 1 or 2)
                                    -1 - not-required
                                    0 - not-completed
                                    1 - completed
                                    2 - in-progress
X_Y_organizationValidationStatus    A string describing the current status of account validation (OV) (if queryType = 1 or 2)
                                    -1 - not-required
                                    0 - not-completed
                                    1 - completed
                                    2 - in-progress
X_Y_freeDVUPStatus                  Status of Free DV Upgrade (if queryType = 1 or 2)
                                    -1 - not-required
                                    0 - not-completed
                                    1 - completed
                                    2 - in-progress
X_Y_evClickThroughStatus            Status of EV ClickThrough Acceptance (if queryType = 1 or 2)
                                    -1 - not-required
                                    0 - not-completed
                                    1 - completed
                                    2 - in-progress
X_Y_caaStatus                       Status of CAA Check (if queryType = 1 or 2)
                                    -1 - not-required
                                    0 - not-completed
                                    1 - completed
                                    2 - in-progress
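
The flat X_ / X_Y_ response above can be regrouped per order and per certificate to see which validation steps still block issuance. This is an added example, not Sectigo's code: it assumes that X and Y are numeric indexes (for instance 1_orderNumber, 1_1_dcvStatus), which the page does not spell out, and the function names and the StatusError exception are hypothetical. Step values are accepted either as the integers listed above or as their text form.

```python
import re
from urllib.parse import parse_qs

STEP = {-1: "not-required", 0: "not-completed", 1: "completed", 2: "in-progress"}
STEP_FIELDS = ("csrStatus", "dcvStatus", "ovCallBackStatus",
               "organizationValidationStatus", "freeDVUPStatus",
               "evClickThroughStatus", "caaStatus")
# Assumption: keys look like <X>_<name> (order level) or <X>_<Y>_<name> (certificate level).
_KEY = re.compile(r"^(\d+)_(?:(\d+)_)?([A-Za-z]\w*)$")


class StatusError(Exception):
    """The API answered with a non-zero errorCode."""


def _step(value):
    try:
        return STEP.get(int(value), value)
    except ValueError:
        return value  # already textual, e.g. "completed"


def parse_detailed_status(body):
    """Return {X: {order fields..., "certificates": {Y: {cert fields...}}}}."""
    fields = {k: v[0] for k, v in parse_qs(body.strip(), strict_parsing=True).items()}
    try:
        code = int(fields["errorCode"])
    except (KeyError, ValueError) as exc:
        raise ValueError("response has no usable errorCode") from exc
    if code != 0:
        raise StatusError(f"{code}: {fields.get('errorMessage', '')}")
    orders = {}
    for key, value in fields.items():
        match = _KEY.match(key)
        if not match:
            continue  # errorCode and anything that is not indexed
        x, y, name = match.groups()
        order = orders.setdefault(int(x), {"certificates": {}})
        if y is None:
            order[name] = value
        else:
            cert = order["certificates"].setdefault(int(y), {})
            cert[name] = _step(value) if name in STEP_FIELDS else value
    return orders


def pending_steps(cert):
    """Names of the validation steps that are neither completed nor not-required."""
    return [f for f in STEP_FIELDS if cert.get(f) in ("not-completed", "in-progress")]
```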
