Order your PKIo Private Services Server Certificate

A PKIo Private Services Server Certificate is a PKIoverheid EU non-qualified certificate issued to an organisation for server authentication and encryption (OVCP + PTC).

The PKIo Private Services Server certificate is only available in DigiCert's European instance of CertCentral, where we store your data in our Europe data centers. To learn more about DigiCert's privacy policy and data collection, see PKIoverheid products.

Before you begin

This section outlines some things you may want to consider or tasks to complete before ordering your PKIo Private Services Server Certificate. For example, you may want to learn more about using a DigiCert-provided domain or generating a certificate signing request (CSR).

CSR requirements

You must provide a certificate signing request (CSR) with your request. The PKIo Private Services Server Certificate supports the RSA algorithm with 2048-, 3072-, and 4096-bit key lengths. These certificates do not support the ECC algorithm.

For your certificates to remain secure, they must use at least a 2048-bit key size. Learn how to Create a CSR (Certificate Signing Request).
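
A pre-flight check for the CSR rules above (RSA only; 2048, 3072, or 4096 bits; the NEW CERTIFICATE REQUEST tags) plus the order form's rule that only fully qualified domain names are accepted. This is an added example, not DigiCert tooling. It assumes the openssl CLI (1.1.1 or later); the function names, the example.nl hostnames, and the O= value are constructed placeholders.

```sh
#!/bin/sh
# Added example (not DigiCert tooling): build a CSR and check it against the
# limits this page states. Needs the openssl CLI, 1.1.1 or later for -addext.

# gen_csr <rsa-bits> <common-name> <san-list> <out-prefix>
# Writes <out-prefix>.key (unencrypted, mode 0600) and <out-prefix>.csr.
# The O= value is a constructed placeholder; use your registered legal name.
gen_csr() (
    umask 077   # keep the private key unreadable to other local users
    openssl req -new -newkey "rsa:$1" -nodes -newhdr \
        -keyout "$4.key" -out "$4.csr" \
        -subj "/C=NL/O=Example B.V./CN=$2" \
        -addext "subjectAltName=$3" 2>/dev/null
)

# check_csr <file>: prints findings, exits 0 only if every rule passes.
check_csr() (
    rc=0
    text=$(openssl req -in "$1" -noout -text 2>/dev/null) || {
        echo "FAIL: not a readable PKCS#10 request"; exit 1; }

    # The page asks for the NEW CERTIFICATE REQUEST header and footer.
    grep -q -e '-----BEGIN NEW CERTIFICATE REQUEST-----' "$1" || {
        echo "FAIL: missing BEGIN NEW CERTIFICATE REQUEST tag"; rc=1; }

    # RSA only, 2048/3072/4096 bits.
    if printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption'; then
        bits=$(printf '%s\n' "$text" |
            sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
        case "$bits" in
            2048|3072|4096) echo "ok: RSA $bits-bit key" ;;
            *) echo "FAIL: RSA $bits-bit key is not a supported length"; rc=1 ;;
        esac
    else
        echo "FAIL: key is not RSA (ECC is not supported)"; rc=1
    fi

    # FQDNs only: no wildcard in CN or SANs, no IP address SAN.
    subject=$(printf '%s\n' "$text" | grep 'Subject:')
    san=$(printf '%s\n' "$text" | sed -n '/Subject Alternative Name/{n;p;}')
    if printf '%s\n' "$subject" | grep -Eq 'CN ?= ?\*' ||
       printf '%s\n' "$san" | grep -q 'DNS:\*'; then
        echo "FAIL: wildcard name present"; rc=1
    fi
    if printf '%s\n' "$san" | grep -q 'IP Address:'; then
        echo "FAIL: IP address SAN present"; rc=1
    fi
    exit "$rc"
)

# Stand-alone use: sh check_csr.sh request.csr
if [ "$#" -gt 0 ]; then check_csr "$1"; exit $?; fi
```

Run `check_csr` on the file before uploading it or pasting it into the Add Your CSR box; a non-zero exit status means at least one of the listed rules failed.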

Domain validation

Before DigiCert can issue your certificate, you must demonstrate control over the domains on the certificate order. Use one of the following domain validation options to demonstrate control over the domains:

  • Complete domain validation before you place the request

    CertCentral features a domain validation process that allows you to validate your domains before ordering certificates. Completing the domain validation ahead of time allows for quicker certificate issuance. See Domain validation: Domain control validation (DCV) methods.

  • Validate the domain as part of the order process

    You can also complete domain validation as part of the certificate order process. You only need to validate new domains or domains with expired validation (domain validation is valid for 397 days). See Supported DCV methods for validating the domains on certificate orders.

Using a DigiCert controlled domain—qvtl.nl

DigiCert recommends using your own domain in the Subject.CommonName field of your PKIo Private Services Server Certificate. However, if company policy allows it, you can use a DigiCert-controlled domain instead. With a PKIo Private Services Server certificate, the Subject.Serialnumber is the important certificate content, not the domain name. To use a DigiCert-owned domain, we validate your organization and authorize it to use the DigiCert-provided domain name—qvtl.nl.

Organization validation

Before DigiCert can issue your certificate, we must validate the organization. Organization validation is valid for approximately 13 months. To learn more about organization validation, see How do we validate your organization.

Adding a new organization or an organization with expired validation requires DigiCert to complete the organization validation as part of the order process.

Order your PKIo Private Services Server certificate

  1. In CertCentral, in the left menu, go to Request a Certificate > PKIOVERHEID > PKIo Private Services Server Certificate.

  2. On the Request PKIo Private Services Server Certificate page, in the For menu, select the division to manage the certificate.

    The For menu only appears if using Divisions in your CertCentral account.

  3. Add your CSR

    We use the information in your CSR to auto-populate corresponding values in the order form: Common Name, SANs, and Organization. If you leave any of this information out of the CSR, the corresponding field in the form is left blank.

    Additionally, if using an organization from your CertCentral account, we auto-populate the Organization Contact card using the contact assigned to that organization.

    Under Certificate Settings, upload your CSR or paste it into the Add Your CSR box. Your CSR must include the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags.

    Note: Your CSR must use the RSA algorithm, as the ECC algorithm is unsupported. For certificates to remain secure, the CSR must use keys at least 2048 bits in length.

  4. Common name and subject alternative names (SANs)

    After adding your CSR, we auto-populate the Common name and SANs (optional) boxes with the common name and SANs included in the CSR. You can still change the common name and reorder, add, or remove additional SANs as needed.

    Note: The PKIo Private Services Server Certificate only supports fully qualified domain names. You cannot include a wildcard domain or IP address in your certificate.

    1. Use a DigiCert-controlled domain—qvtl.nl

      If company policy allows it, you can use a DigiCert-controlled domain name instead. With a PKIo Private Services Server certificate, the Subject.Serialnumber is the important certificate content, not the domain name.

      To use a DigiCert-controlled domain, select Use a DigiCert qvtl.nl domain.

      DigiCert validates your organization and authorizes it to use the DigiCert-provided domain name—{organisation_name}.qvtl.nl.

  5. Validity period (optional)

    Select a validity period for the certificate:

    • 1 year, 2 years, or 3 years

    • Custom expiration date

      The expiration date must be within 1095 days of the date you request the certificate.

    • Custom length

      The maximum length allowed is 1095 days.

  6. Domain control validation (DCV)

    Using a DigiCert-controlled domain? You can skip this step. DigiCert handles the domain validation by validating your organization and authorizing it to use the DigiCert-provided domain name. You can only complete the domain validation for a domain you control.

    Before DigiCert can issue your certificate, you must demonstrate control over the domains included in your certificate. While placing the order, you can only select one DCV method for all domains on the order.

    After submitting your order, view the domains you must validate on the certificate's pending Order # details page. You can use the DCV method selected while placing the order or use a different one per domain if required.

    1. DCV method

      Use the default DCV method. Or, in the DCV method menu, select your preferred DCV method to demonstrate control over the domains.

      DigiCert-supported DCV methods:

      • DNS TXT Record (DNS Change)

        Use this method if you can modify the domain's DNS Record to include a TXT record. To demonstrate control over the domain, you must be able to add a DigiCert-generated random value to the domain’s DNS as a TXT record.

      • Using the Verification Email DCV methods

        DigiCert sends two sets of DCV emails for this validation method: DNS TXT-based and constructed. To demonstrate control over the domain, an email recipient follows the instructions in a confirmation email sent for the domain.

        • Email to DNS TXT contact

          Use this method if you can modify the domain's DNS Record to include an email address. To learn more about what you must do to use this DCV method, see Email to DNS TXT contact.

        • Email to Constructed email addresses

          Use this method if you created a pre-approved email alias for the domain, such as admin@{domain_name}. To learn more about what you must do to use this DCV method, see Constructed email.

      • DNS CNAME Record

        Use this method if you can modify the DNS Record to include a CNAME record. To demonstrate control over the domain, you must be able to add a DigiCert-generated random value to the domain's DNS as a CNAME record.

      • Using the HTTP Practical Demonstration DCV methods

        You can only use the HTTP Practical Demonstration DCV methods to demonstrate control over fully qualified domain names (FQDNs) exactly as named. To learn more, see HTTP Practical Demonstration and HTTP Practical Demonstration with unique filename DCV methods.

        Per industry regulations, you must use the HTTP Practical Demonstration DCV methods to demonstrate control over IPv4 and IPv6 addresses.

        • HTTP Practical Demonstration

          Use this method if you can host a file containing a DigiCert-generated random value at a predetermined location on your website: http://{domain-name}/.well-known/pki-validation/fileauth.txt.

        • HTTP Practical Demonstration with unique file name

          Use this method if you need to host a file with a DigiCert-generated filename that contains a DigiCert-generated random value at a predetermined location on your website: http://{domain-name}/.well-known/pki-validation/{unique-filename}.txt.

    2. Email language

      Use the default language. Or, in the Email language menu, select your preferred language for the email. This option only appears when you select the Verification email DCV method.

    3. DCV scope

      Use the default DCV Scope setting that aligns with your CertCentral Domain validation scope settings. Or, in the DCV Scope menu, select the scope for demonstrating control over the domains on the request.

      Note: CertCentral administrators can go to the Preferences page to configure their Domain validation scope settings (in the left menu, go to Settings > Preferences).

      Domain scope: Submit base domains versus Submit exact domain names

      • Submit base domains, for example, subdomain.example.com

        When submitting subdomain.example.com, you must complete domain validation for the base domain, example.com. Validating the base domain also validates all subdomains of the base domain, such as subdomain.example.com and sub2subdomain.example.com.

      • Submit exact domain names, for example, subdomain.example.com

        When submitting subdomain.example.com, you must complete domain validation for the domain exactly as named—subdomain.example.com. Exact domain name validation only applies to that domain.

  7. Additional certificate options

    1. Signature hash

      By default, DigiCert issues RSA certificates with a SHA-256 signature hash and RSA signing algorithm. We recommend using the default RSA settings unless you have specific reasons for using a different key size or signing algorithm (for example, company policy requires an RSASSA-PSS signature).

      In the Signature hash menu, select the signature hash and signing algorithm you want DigiCert to use for your certificate:

      • sha256WithRSA

      • sha256WithRSAPSS

    2. Server platform

      In the Server platform menu, select the server or system on which you generated the CSR. When we email your certificate, the certificate format aligns with the format supported by the server or system.

      After we issue the certificate, you can change the format by downloading the certificate from the certificate's Order # details page in CertCentral. See Download a TLS/SSL certificate from your CertCentral account.

  8. Organization

    Add the information about the organization. Only specific details on the organization will be included on the certificate, such as the organization's name.

    Add organization

    You can add an existing organization from your account or a new organization. If you add a new organization, it gets added to your account.

    Select Add an organization, and in the Add Organization window, complete the following task as needed:

    1. Add an existing organization

      1. Select Existing organization, in the Organization menu, select the organization, and then select Add.

        If you choose an organization that is not validated for PKIo Private Services Server certificates, or whose validation has expired, DigiCert must validate the organization before we issue your certificate.

      2. Organization and technical contacts

        DigiCert automatically adds the contacts assigned to the organization to the request form. Under Contacts, you can see the organization and technical contacts.

    2. Add a new organization

      DigiCert must validate new organizations before we can issue your certificate. Learn more about organization validation.

      1. Select New organization and enter the following information as needed.

        Legal name

        Organization name exactly as it appears in corporate registries, such as local government registration records.

        Assumed name

        Assumed name or doing business as name.

        Adding an assumed name requires additional validation, which may delay organization validation and certificate issuance.

        Country

        Country where the organization is legally located.

        Address 1

        The address where the organization is legally located.

        Address 2 (optional)

        Additional address information, such as a Suite #.

        City

        City where the organization is legally located.

        State/ Province/ Region

        State, province, or region where the organization is legally located.

        Zip/ Postal Code

        Zip or postal code where the organization is legally located.

        Organization phone number

        This should be a number we can check against an online third-party address listing.

        DigiCert must call a verified organization phone number to confirm your authority to order a certificate for the organization. We verify this phone number against online third-party address listing sources like Google Business.

        Learn how we confirm your authority.

      2. When ready, select Add.

  9. Organisation Identification Number (OIN) or Dutch KvK-number (HRN)

    After adding an organization, you can include a serial number (OIN/HRN) in your certificate.

    Important

    For 99% of our customers, a PKIo Private Services Server certificate must have the Subject.SerialNumber field included with an OIN or HRN to be able to connect to the services available via DigiPoort.

    • The OIN is a 20-digit number assigned to government organisations (OIN register) and entered in the Subject.SerialNumber field of the certificate.

    • For commercial organisations without an assigned OIN, the Dutch KvK-number (HRN) is used. The HRN is converted into a 20-digit number and entered in the Subject.SerialNumber of the certificate.

    • Include a serial number (OIN/HRN) in the certificate’s subject distinguished name (DN).

      • No validated serial number (OIN/HRN)

        For new, yet-to-be-validated organizations without a validated serial number (OIN/HRN), DigiCert must first find and validate the serial number (OIN/HRN) assigned to the organization before we can include it in the certificate.

        Currently, you cannot add your serial number (OIN/HRN) to the request form. In a future release, we will include an option to add your serial number (OIN/HRN) when requesting your certificate.

      • One validated serial number (OIN/HRN)

        For organizations with one assigned and validated serial number (OIN/HRN), we will automatically add it to the request form for you to review.

      • Multiple validated serial numbers (OINs/HRNs)

        For organizations with multiple assigned and validated serial numbers (OINs/HRNs), use the menu to select the one you want to include on this certificate.

    • Do not include a serial number (OIN/HRN) in the certificate’s subject distinguished name (DN).

      Only select this option if you are 100 percent sure you do not need to include a serial number (OIN/HRN) in your certificate.

  10. Contacts – authorized representative

    You can add an existing authorized representative or a new one. You must add an authorized representative to your certificate request.

    Important

    What is an authorized representative, and why must I add one?

    The authorized representative is in the company registry, represents the organization, and has the authority to approve your PKIo Private Services Server certificate requests. Before DigiCert can issue your certificate, the authorized representative in your request must approve the order.

    DigiCert validates the authorized representatives in your request. Then, we send them the approval email and wait for them to approve your order. Only after the representative approves the order can DigiCert issue your certificate.

    Under Contacts, select Add authorized representative. In the Add authorized representative window, complete the following task as needed:

    1. Add an existing authorized representative

      1. Select Existing contact and in the Contacts menu, select the contact you want to use as the authorized representative for this request.

        Note: If you select a contact who is not an authorized representative, we must validate them.

      2. When ready, select Add.

    2. Add a new authorized representative

      1. Select New contact and enter the contact's first and last name, job title, email address, and phone number.

      2. When ready, select Add.

  11. Contacts – Organization Contact

    The organization contact is the person we contact when validating the organization and verifying your authority to order a DigiCert certificate for the organization. They may also receive the following notifications: Order status updates for certificates requested for their organization and Domain status updates for domains associated with their organization.

    Items to note about adding an organization:

    • When adding a new organization, DigiCert automatically adds the certificate requestor as the organization contact.

    • When adding an existing organization, DigiCert automatically adds the contacts assigned to the organization to the request form.

    To use a different organization contact

    1. To delete the organization contact automatically populated for you, select the trashcan image.

    2. Select Add contact.

      If you've already added a technical contact, select Add Organization Contact.

    3. In the Add Contact window, in the Contact Type menu, select Organization Contact.

    4. Add the contact:

      1. Add an existing contact.

        Select Existing Contact, in the Contacts menu, select a contact, and select Add.

      2. Add new contact.

        Select New Contact, enter the contact's first and last name, job title, email address, and phone number, and when ready, select Add.

  12. Contacts – Technical Contact

    We may contact the technical contact for inquiries regarding certificate orders for the organization. They may receive the certificate lifecycle-related emails: certificate issued, reissued, and expiring.

    When adding an existing organization, DigiCert automatically adds the technical contact assigned to the organization to the request form. If one doesn’t exist, you can add one if needed. Adding a technical contact is optional and not required to issue your certificate.

    To use a technical contact or different technical contact

    1. To delete the existing technical contact populated automatically for you, select the trashcan image.

    2. Select Add Technical Contact.

    3. In the Add Contact window, in the Contact Type menu, select Technical Contact.

    4. Add the contact:

      1. Add an existing contact.

        Select Existing Contact, in the Contacts menu, select a contact, and when ready, select Add.

      2. Add a new contact.

        Select New Contact, enter the contact's first and last name, job title, email address, and phone number, and when ready, select Add.

  13. Additional emails (optional)

    Enter the email addresses of the people you want to receive the certificate issuance, expiring certificate, and expiring order emails. Use a comma to separate addresses or enter them on separate lines.

    These recipients cannot manage the order. They only receive all the certificate-related emails.

  14. Additional order options – Order Specific Renewal Message

    To create a renewal message for this certificate, enter a renewal message with information that might be relevant to the certificate’s renewal. Comments and renewal messages are not included in the certificate.

  15. Select payment method

    Under Payment information, select a payment method to pay for the certificate.

  16. Master Services Agreement and Qualified Certificate Terms of Use

    Read the Master Services Agreement and the Qualified Certificate Terms of Use and select the following options to continue:

    • I have read and agree with the Master Services Agreement.

    • I have read and agree with the Qualified Certificate Terms of Use that apply to the eIDAS, PKIoverheid, or Swiss Qualified Certificate requested.

  17. Select Submit request.

What's next

CertCentral takes you to the PKIo Private Services Server certificate's Order # details page, where you can see the status of your order, what you need to do, and what DigiCert needs to do before we can issue your certificate.

Domain validation and organization validation

Before we can issue your certificate, these tasks must be completed:

  1. Demonstrate control over the domains on your order

    Complete the domain validation for your domains on the order (demonstrate control over the domain). See Supported DCV methods for validating the domains on certificate orders.

    Note: If using a DigiCert-controlled domain, DigiCert handles the validation by validating your organization and authorizing it to use the DigiCert-provided domain name. You can only complete the domain validation for a domain you control.

  2. Complete organization validation

    DigiCert must validate and authenticate your authority to order a certificate for the organization on your certificate order. To do this, we will call a verified phone number to speak with someone who represents you, the certificate requestor, such as the organization or technical contact.

    To get organization consent for your certificate order:

    • Answer the organization/validation phone call (preferred method)*.

      • After you submit your certificate order, ensure that the organization contact, technical contact, and company receptionist know you’ve ordered an EU Qualified Website Authentication Certificate.

      • Let them know DigiCert will call a verified phone number to speak with one of them to complete organization validation/authentication.

      • *This phone call usually takes place within 24 hours of the order being placed.

    • Respond to the organization consent message.

      • If the DigiCert validation agent can't contact someone at the verified phone number, they will leave a message with a call-back phone number and a verification code.

      • Make sure that the organization or technical contact responds to the message and provides the verification code.

Certificate issuance

Once the validation process is complete, we will issue your certificate and email you a copy. You can also download a copy of the certificate from CertCentral. See our Get a copy of your TLS/SSL certificate instructions.