{"openapi":"3.1.0","info":{"title":"CERTInext API v2","description":"RESTful API for CERTInext certificate lifecycle management: issue, track, validate, renew, and revoke certificates programmatically.\n\n> Already have a token? Jump to **[Authentication](#tag/Authentication)**.\n\n## What you'll need\n\n| Term | What it is | Where it comes from | Lifetime |\n|---|---|---|---|\n| **`accountNumber`** | Your account ID, a 10-digit number | CERTInext portal → top-right **account-name button** | Permanent (per account) |\n| **`clientSecret`** | Long-lived API secret, 32 hex characters (shown in the portal as **Client Secret**) | CERTInext portal → **Integrations → APIs → + Create API Credentials** | Permanent until revoked |\n| **`access_token`** | Short-lived Bearer token used in the `Authorization` header | Returned by `POST /oauth/token` (Step 2) | **1 hour** |\n\n## Getting started\n\n<details open>\n<summary><strong>Step 1: Get your two credentials from the CERTInext portal</strong></summary>\n\nYou need two values to talk to the API. Both come from the CERTInext web portal (the same site where you log in to manage certificates). They are *not* the Bearer token. Step 2 turns them into one.\n\n#### 1a. Find your `accountNumber`\n1. Log in to the CERTInext portal.\n2. In the top-right header, click the **account-name button** (the one showing your organization name).\n3. A popover opens showing **Account Manager** details and your **Account Number**, a 10-digit number, e.g. `<your-account-number>`.\n4. Copy it. This is your `client_id` for Step 2.\n\n#### 1b. Generate a `clientSecret`\n1. From the left navigation, go to **Integrations → APIs**.\n2. Click **+ Create API Credentials**.\n3. A dialog opens. The form is conditional. Most fields appear only after you pick an **API Type**. Fill in:\n   - **API Type**: pick **REST**. 
The remaining fields appear.\n   - **Identifier**: a short label such as `QA Postman` or `Production CI` so you can recognize this credential later in the grid.\n   - **User**: pick the user this credential is associated with.\n   - **Auth Type**: **You MUST select `OAuth`** (the second radio button). The default `Access Key` mode is the legacy V1 protocol and will not work with `/api/certinext/v2/**`. Choosing it will give you `403 unauthorized_client` later.\n4. Click **Generate**. The new entry appears in the grid.\n5. Click the **View** link on its row. The modal displays the value as **Client Secret** — a 32-character hex string (e.g. `<your-client-secret>`).\n\n> **Copy the client secret now. It is shown only once.** Save it to a password manager immediately; it cannot be retrieved later. Anyone holding it can act as your account, so if it leaks, return to **Integrations → APIs**, click **Revoke** on the row, and generate a fresh one.\n\nYou now have both `accountNumber` and `clientSecret`. Continue to Step 2.\n\n</details>\n\n<details>\n<summary><strong>Step 2: Exchange them for a Bearer access token</strong></summary>\n\nScroll down to **Authentication → `POST /oauth/token`**, click **Try it out**, fill in:\n\n| Field | What to put |\n|---|---|\n| `grant_type` | `client_credentials` |\n| `client_id` | your `accountNumber` from Step 1 |\n| `client_secret` | your `clientSecret` from Step 1 |\n\nClick **Execute**. A green `200 OK` response appears with a JSON body. Copy the value of **`access_token`** (a 43-character string of letters and numbers). That is the Bearer token. 
It is valid for **1 hour**.\n\n**cURL equivalent** *(test outside Swagger UI without retyping)*:\n```bash\n# Default = Sandbox — US (recommended for first-run integration testing).\n# Switch the host to https://us-api.certinext.io for production cutover.\ncurl -X POST https://sandbox-us-api.certinext.io/oauth/token \\\n  -H 'Content-Type: application/x-www-form-urlencoded' \\\n  -d 'grant_type=client_credentials' \\\n  -d 'client_id={{accountNumber}}' \\\n  -d 'client_secret={{clientSecret}}'\n```\n\n</details>\n\n<details>\n<summary><strong>Step 3: Tell Swagger to use the token</strong></summary>\n\nClick the **Authorize** button at the top-right of this page, paste the `access_token` value into the input box (without the word `Bearer`; Swagger adds it automatically), then confirm and close the dialog.\n\nEvery endpoint on this page is now unlocked. The padlock icon next to each operation will look closed.\n\n</details>\n\n<details>\n<summary><strong>Step 4: Confirm sign-in worked</strong></summary>\n\nOpen **Accounts → `GET /auth/me`** → **Try it out** → **Execute**. You should see a green `200` response with your `accountNumber` and `userId`, confirming both that the token is valid and that the API correctly identified you.\nIf you see a red `401` with a message about an invalid token, the most common cause is pasting the **client secret** from Step 1 instead of the **access token** from Step 2. Copy the right value and try again.\n\n> **Try it:** open **[Current authenticated identity](#/Accounts/me)**.\n\n</details>\n\n<details>\n<summary><strong>Step 5: Place a real order</strong></summary>\n\nPick the certificate family you want (SSL / TLS, Document Signer, or Private PKI) and call its **Create** endpoint. 
You'll need:\n- A **product code**: look it up first by running **Catalog → List products**.\n\nThe response includes **next-step links** that point at the follow-up actions for that order (domain validation, submit signing request, accept the agreement, download the certificate). Just call them in the returned order.\n\n> **Pre-built request bodies for every SSL variant.** When you open **SSL/TLS Certificates → `POST /ssl-certificates`** in this Swagger UI, the request-body **Examples** dropdown carries one ready-to-paste body per variant: `DV`, `DV Wildcard`, `DV UCC`, `DV Wildcard UCC`, `OV`, `OV Wildcard`, `OV UCC`, `OV Wildcard UCC`. Each example name also shows the exact `X-Product-Code` to send. Pick the variant you need, paste the body, set the matching `X-Product-Code` header, and **Execute**.\n\n**Example: SSL/TLS DV for a US site (`example.com`)** (one of the 8 variants the dropdown ships with):\n\n```bash\n# Substitute {{token}} with the access_token from Step 2 and {{productCode}} with\n# the dv-ssl product code returned by GET /catalog/products.\ncurl -X POST https://sandbox-us-api.certinext.io/api/certinext/v2/ssl-certificates \\\n  -H 'Authorization: Bearer {{token}}' \\\n  -H 'Content-Type: application/json' \\\n  -H 'X-Product-Code: {{productCode}}' \\\n  -d '{\n    \"productVariant\": \"dv\",\n    \"emailNotifications\": \"all\",\n    \"requestor\": {\n      \"name\": \"Jane Doe\",\n      \"email\": \"jane@example.com\",\n      \"phone\": \"+14155551234\",\n      \"designation\": \"IT Administrator\"\n    },\n    \"certificate\": {\n      \"domain\": \"example.com\",\n      \"autoSecureWww\": true\n    },\n    \"organization\": {\n      \"country\": \"US\",\n      \"state\": \"CA\",\n      \"locality\": \"San Francisco\"\n    },\n    \"subscription\": { \"validityYears\": 1, \"autoRenew\": true },\n    \"agreement\": { \"signerName\": \"Jane Doe\", \"signerPlace\": \"San Francisco\", \"accepted\": true }\n  }'\n```\n\nWhen you're ready for live 
US traffic, swap the host for `https://us-api.certinext.io` (the default selection in the Servers dropdown above).\n\n</details>\n\n## Reference\n\n<details>\n<summary><strong>Troubleshooting</strong></summary>\n\n| HTTP | Symptom | What it means |\n|---|---|---|\n| `404` | Not Found from any endpoint | Wrong server picked in the **Servers** dropdown at the top of the page. For US production traffic choose **Production - US**; for first-run testing choose **Sandbox - US**. |\n| `401` | Invalid token | You're sending the wrong value as Bearer. Most often the client secret instead of the minted token. Redo Step 2. |\n| `401` | Token expired | Your token is older than 1 hour. Redo Step 2 to mint a new one. |\n| `401` | Invalid client at sign-in | Your `client_id` or `client_secret` is wrong, or the credential was revoked in the portal. |\n| `401` | Works in Sandbox, fails in Production | Bearer tokens are environment-specific. A token minted against **Sandbox - US** will not work on **Production - US**. Re-mint against the correct server from the Servers dropdown. |\n| `403` | Unauthorized client | The client secret exists but wasn't generated in **OAuth mode**. Go back to **Integrations → APIs** and generate a new credential with the OAuth option selected. |\n| `5xx` | Server error | Transient infrastructure issue on our side. Wait for a definitive response before retrying — duplicate calls are not de-duplicated. |\n\n</details>\n\n<details>\n<summary><strong>Conventions</strong></summary>\n\n- **Retry safety**: this API does not de-duplicate calls. For `create` / `cancel` / `revoke` actions, wait for a definitive response before retrying; do not assume a timeout means the request did not land.\n- **Phone numbers** use international format with country code, e.g. `+14155551234` (US).\n- **IDs** in URLs and responses are opaque strings: copy them verbatim, don't parse or guess them.\n- **Standard ISO formats throughout**: 8601 timestamps (e.g. 
`2026-05-08T13:00:00Z` UTC), 3166 country codes (`US`, `CA`, `GB`), 4217 currency codes (`USD`, `EUR`, `INR`).\n- **Errors** include a plain-English description. Internal support codes (`EMS-918` etc.) are written to audit logs only and are not echoed in the response body.\n\n</details>\n\n<details>\n<summary><strong>Certificate families</strong></summary>\n\n| Family | Domain validation needed? | Identity documents needed? | Subscriber Agreement needed? |\n|---|---|---|---|\n| **SSL / TLS** (public-trust certificates for websites; CA/Browser Forum BR-compliant) | Yes | No | Yes |\n| **Document Signer** (PDF / code signing, commonly used for AATL workflows in US enterprises) | No | Yes | Yes |\n| **Private PKI** (certificates from your own private CA) | No | No | No |\n\n</details>\n\n<details>\n<summary><strong>Environments</strong></summary>\n\n| Server | Use it for |\n|---|---|\n| **Production - US** *(default)* | Live US production traffic. Backed by US-anchored CA roots. |\n| **Sandbox - US** | Recommended for first-run integration testing. Same shape as US production but no billing or live issuance. |\n| QA | Internal QA only. Credentials issued by the QA team. |\n| Demo | Demos and trials. |\n| Production - India | Live India production traffic. |\n| Current host | Local / IDE testing. Points at whatever host is serving this Swagger page. |\n\nSwitch the active environment using the **Servers** dropdown at the top of the page. 
Bearer tokens are minted per-environment and do not cross over.\n\n</details>\n","contact":{"name":"CERTInext Platform Team","email":"support@certinext.io"},"version":"2.0.0"},"servers":[{"url":"https://us-api.certinext.io","description":"Production - US (default for US customers)"},{"url":"https://sandbox-us-api.certinext.io","description":"Sandbox - US (recommended for integration testing)"},{"url":"https://qa-api.certinext.io","description":"QA"},{"url":"https://demo-api.certinext.io","description":"Demo"},{"url":"https://api.certinext.io","description":"Production - India"},{"url":"/WrapperAPI","description":"Current host (local / IDE / on-prem)"}],"security":[{"BearerAuth":[]}],"tags":[{"name":"Authentication","description":"**Start here.** Exchange your `client_id` (account number) and `client_secret` for a 1-hour Bearer access token. Every other endpoint requires this token in the `Authorization` header."},{"name":"Accounts","description":"Verify who you are (`/auth/me`), list the organizations you can issue certificates for, and the billing groups you belong to. Useful as a smoke-test right after authenticating."},{"name":"Catalog","description":"List the certificate products entitled to your account and look up the custom-field requirements for each. The `productCode` you discover here is required by every order-creation endpoint."},{"name":"Domains","description":"Pre-register and validate domains (Domain Control Validation). For SSL/TLS certificates, the domains on your order must be DCV-validated before issuance. You can add domains here in advance or let the order-creation flow add them on the fly."},{"name":"SSL/TLS Certificates","description":"Full lifecycle for public-trust SSL/TLS certificates: DV, OV, EV, wildcard, UCC. Typical flow: **create → DCV → submit CSR → accept agreement → download**. Use `/cancel` to withdraw before issuance and `/revoke` after. 
Issuance from US-anchored roots follows the CA/Browser Forum Baseline Requirements."},{"name":"Document Signer Certificates","description":"Lifecycle for individual / organization document-signing certificates. Typical flow: **create → submit CSR → accept agreement → download**. No DCV step (these aren't tied to a domain). Commonly used for Adobe-trusted PDF signing (AATL) and code-signing workflows in US enterprises."},{"name":"Private PKI Certificates","description":"Lifecycle for certificates issued from your private CA hierarchy. No public DCV, no Subscriber Agreement, no documents. Just **create → submit CSR → download**."},{"name":"Reports","description":"Read-only historical lookups. Pull your orders report or your billing-ledger statement, with date-range and pagination filters. Safe to call as often as you like; no state change."}],"paths":{"/api/certinext/v2/ssl-certificates/{orderId}/csr":{"put":{"tags":["SSL/TLS Certificates"],"summary":"Submit a CSR for the order","description":"Attach a PEM-encoded Certificate Signing Request generated on the subscriber system. Required before the CA can issue the certificate.\n\nSet `attested=true` if the CSR was produced by an attested/HSM-backed key to avoid re-attestation.","operationId":"submitCsr","parameters":[{"name":"orderId","in":"path","description":"Opaque order ID.","required":true,"schema":{"type":"string"},"example":"ord_abc123"}],"requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/CsrSubmitRequest"}}},"required":true},"responses":{"200":{"description":"OK","content":{"application/json":{"schema":{"type":"object"}}}}},"security":[{"BearerAuth":[]}]}},"/api/certinext/v2/signature-certificates/{orderId}/csr":{"put":{"tags":["Document Signer Certificates"],"summary":"Submit a CSR","description":"Attach a PEM-encoded CSR. 
Required before the CA can issue the signature certificate.","operationId":"submitCsr_1","parameters":[{"name":"orderId","in":"path","description":"Opaque order ID.","required":true,"schema":{"type":"string"},"example":"ord_abc123"}],"requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/CsrSubmitRequest"}}},"required":true},"responses":{"200":{"description":"OK","content":{"application/json":{"schema":{"type":"object"}}}}},"security":[{"BearerAuth":[]}]}},"/api/certinext/v2/private-pki-certificates/{orderId}/csr":{"put":{"tags":["Private PKI Certificates"],"summary":"Submit a CSR","description":"Attach a PEM-encoded CSR to trigger issuance from the customer CA.","operationId":"submitCsr_2","parameters":[{"name":"orderId","in":"path","description":"Opaque order ID.","required":true,"schema":{"type":"string"},"example":"ord_abc123"}],"requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/CsrSubmitRequest"}}},"required":true},"responses":{"200":{"description":"OK","content":{"application/json":{"schema":{"type":"object"}}}}},"security":[{"BearerAuth":[]}]}},"/oauth/token":{"post":{"tags":["Authentication"],"summary":"Sign in — exchange your client secret for a Bearer token","description":"**Step 1 of every integration.** Exchange your account number and client secret (generated in the CERTInext portal under **Integrations → APIs**, API Type **REST**, in **OAuth** mode) for a short-lived Bearer access token. The token is what every other endpoint actually checks.\n\n### Fields to fill in\n- **`grant_type`** — pick `client_credentials` (use `refresh_token` only when refreshing an existing token).\n- **`client_id`** — your account number from the portal (a 10-digit number).\n- **`client_secret`** — your client secret from the portal (a 32-character string).\n- **`refresh_token`** — leave empty unless you're refreshing a token.\n- **`scope`** — leave empty (reserved for future use).\n- **`Authorization`** — leave empty. 
*(Advanced: you can supply credentials here as a Basic auth header instead of in the form fields below — most users won't need this.)*\n\n### What you get back\nA JSON response containing an **`access_token`** value (the Bearer token you actually use), its `expires_in` lifetime in seconds (3600 = 1 hour), and a `refresh_token` you can use later to mint a new access token without re-sending your client secret.\n\n### Next step\nCopy the `access_token` value from the response, click the **Authorize** button at the top-right of this page, and paste it into the input box. Do **not** type the word `Bearer` — Swagger adds it for you. Once that's done, every endpoint on this page is unlocked for the next hour.","operationId":"oauth2Token","parameters":[{"name":"Authorization","in":"header","description":"RFC 6749 §2.3.1 — preferred way to send credentials. Format: `Basic base64(client_id:client_secret)`. If supplied, `client_id` and `client_secret` form parameters are ignored.","required":false,"schema":{"type":"string"}}],"requestBody":{"content":{"application/x-www-form-urlencoded":{"schema":{"type":"object","properties":{"grant_type":{"type":"string","description":"RFC 6749 grant type. Supported: `client_credentials`, `refresh_token`.","enum":["client_credentials","refresh_token"]},"client_id":{"type":"string","description":"Your account number (the `appCode`). Omit if using HTTP Basic auth."},"client_secret":{"type":"string","description":"Your client secret. Omit if using HTTP Basic auth."},"refresh_token":{"type":"string","description":"Required only when `grant_type=refresh_token`."},"scope":{"type":"string","description":"Optional space-delimited scope list (reserved for future use)."}}}}}},"responses":{"200":{"description":"Token issued. 
Use `access_token` on every v2 call.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/OAuth2TokenResponse"},"example":{"access_token":"cybsqhmJqxHPC2B3GR2YVsbuViKAjBJz753RGkAmYLU","token_type":"Bearer","expires_in":3600,"refresh_token":"f8e6d1..."}}}},"401":{"description":"Your account number or client secret is wrong (or the credential was revoked in the portal). Response `error` field: `invalid_client`.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/OAuth2ErrorResponse"}}}},"400":{"description":"A required field is missing or has an unsupported value. The response `error` field will be one of: `invalid_request`, `unsupported_grant_type`, `invalid_grant`, `invalid_scope`.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/OAuth2ErrorResponse"}}}},"403":{"description":"The client secret exists but was not generated in **OAuth** mode in the portal. Generate a new credential with the OAuth radio button selected. Response `error` field: `unauthorized_client`.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/OAuth2ErrorResponse"}}}}}}},"/api/certinext/v2/ssl-certificates":{"post":{"tags":["SSL/TLS Certificates"],"summary":"Create an SSL/TLS certificate order","description":"**When to call:** at the start of every new certificate issuance.\n\n**What happens:** the order is created in the CA backend. For OV/EV variants it enters organization vetting; for DV it becomes ready for Domain Control Validation. The response includes `orderId`, `status`, `productVariant`, `domain`, `createdAt`, and `resolvedProductCode`. Use `orderId` on every follow-up call (`/dcv`, `/csr`, `/agreement`, track, cancel, revoke, reissue).\n\n**Product code resolution:** the wrapper picks the right product code from your account's catalog based on `productVariant` (`dv`/`ov`/`ev`) and the shape of `certificate.domain` (wildcard if it starts with `*.`) and `certificate.additionalDomains` (UCC if non-empty). 
You do not need to manage numeric product codes on the client side.\n\n**Headers (optional):**\n- `X-Product-Code` — explicit override. Set only when you need to disambiguate between multiple matching products in your catalog (e.g. different emSign CA profiles for the same variant).\n\n**CSR:** the `csr` field accepts either a Base64-encoded CSR string or the complete PEM-formatted CSR (including the `-----BEGIN CERTIFICATE REQUEST-----` / `-----END CERTIFICATE REQUEST-----` header and footer). It is optional here — if omitted, submit it later via `PUT /{id}/csr`.\n\n**Common errors:** `EMS-915` (no matching product entitled to this account), `EMS-916` (requestor info missing), `EMS-917` (certificate info missing), `EMS-918` (additional info missing).","operationId":"create","parameters":[{"name":"X-Product-Code","in":"header","description":"**Optional override.** Normally the wrapper resolves the right product code from your account's catalog based on `productVariant` + whether `certificate.domain` is a wildcard + whether `certificate.additionalDomains` is non-empty. 
Set this header explicitly to bypass that resolution — useful when your account has multiple matching products under different emSign CA profiles and you want to force a specific one.","required":false,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SslOrderCreateRequest"},"examples":{"DV — single domain (X-Product-Code: 842)":{"summary":"DV SSL Certificate","description":"DV — single domain (X-Product-Code: 842)","value":{"productVariant":"dv","emailNotifications":"all","requestor":{"name":"John Smith","email":"john@example.com","phone":"+19481081094","designation":"IT Administrator"},"certificate":{"domain":"example.com","autoSecureWww":true},"subscription":{"validityYears":1,"autoRenew":true,"renewBeforeDays":30},"agreement":{"signerName":"John Smith","signerPlace":"New York","accepted":true},"remarks":"DV — single domain","csr":"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"}},"DV Wildcard (X-Product-Code: 843)":{"summary":"DV SSL Wildcard","description":"DV Wildcard (X-Product-Code: 843)","value":{"productVariant":"dv","requestor":{"name":"John Smith","email":"john@example.com","phone":"+19481081094"},"certificate":{"domain":"*.example.com","autoSecureWww":false},"subscription":{"validityYears":1},"agreement":{"signerName":"John Smith","signerPlace":"New York","accepted":true},"remarks":"DV Wildcard — covers every direct subdomain of example.com","csr":"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"}},"DV UCC / multi-SAN (X-Product-Code: 844)":{"summary":"DV SSL UCC","description":"DV UCC / multi-SAN (X-Product-Code: 844)","value":{"productVariant":"dv","requestor":{"name":"John Smith","email":"john@example.com","phone":"+19481081094"},"certificate":{"domain":"example.com","autoSecureWww":true,"additionalDomains":["shop.example.com","portal.example.com","example.net"]},"subscription":{"validityYears":1},"agreement":{"signerName":"John Smith","signerPlace":"New 
York","accepted":true},"remarks":"DV UCC — multi-SAN, primary + 3 additional domains","csr":"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"}},"DV Wildcard UCC (X-Product-Code: 845)":{"summary":"DV SSL Wildcard UCC","description":"DV Wildcard UCC (X-Product-Code: 845)","value":{"productVariant":"dv","requestor":{"name":"John Smith","email":"john@example.com","phone":"+19481081094"},"certificate":{"domain":"*.example.com","autoSecureWww":false,"additionalDomains":["*.example.net","example.com","example.net"]},"subscription":{"validityYears":1},"agreement":{"signerName":"John Smith","signerPlace":"New York","accepted":true},"remarks":"DV Wildcard UCC — wildcard primary plus extra wildcard / apex SANs","csr":"MIICljCCAX4CAQAwUTEYMBYGA1UEAwwPd3d3LmV4YW1wbGUuY29tMQkwBwYDVQQLDAAxCTAHBgNVBAoMADEJMAcGA1UEBwwAMQkwBwYDVQQIDAAxCTAHBgNVBAYTADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALZstzgwy2x1MWGVvNv3N02IZ+JoQjF/pzpv7C3F/E0sCv+kIB47jQfnDyu7XN+9qF6cLfasv2ZVG20azzgfudXLH8RmH+VN+Y0ESv0BTEggdJkH3LQkHNL0Bop5O2fjQANaknowSeD+e35R6Oo0Oc5RNSRlSXEWKsUiu5JvByNUVWJhbyIQaNNR9H/fnfgfSEulRuPJ0r4jVCDIt0V7yBV8Gau3yIyUSJ5P6JcEgQUyEhExGXWQoRn97PU7PswEugUkU5APD9oWDHPaWD0B9OCbbmR04BTY9EbrHm4llIkFY6gPVcCBLjhU2ZsFT9BIg9thNxumn0/DQZT4+yTGxWUCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQAgcN1SFZBeIopqHxVt4F7W3Yll655M6oGlKzCQK9zYwLmhwLqPx1rFSzM1bmlXN6KRwp4Ol0Trkmm6IzwDXDwIhIDjmO/y/wYhADrEFQPs5JABPN+J8lsYulztNk5+J12pY4s1S+aZ8a+Q50Ab4yeze18Fj6bMq5vamNwfxxiHTDvZMiBadio/1vV+2rFXKsdWNKreSLtLg/z3CLe0cqH4dEexo1Lno2WVRG0bvJtVJnch+1u8EXUVwnQuRf9+RdtADbHgzQzV/ctKqj3EY3lfw4wm2/7Eu7BU2BeimvXpKdgqqknyirAnYtfbSVQ/QgAEfg6nurFanHCrj3HDJmIF"}},"OV — single domain (X-Product-Code: 846)":{"summary":"OV SSL Certificate","description":"OV — single domain (X-Product-Code: 846)","value":{"productVariant":"ov","emailNotifications":"all","groupNumber":"3215269294","requestor":{"name":"Jane Doe","email":"jane@example.com","phone":"+14155551234","designation":"PKI 
Manager"},"organization":{"organizationNumber":"2969772","preVetted":true},"certificate":{"domain":"example.com","autoSecureWww":true},"subscription":{"validityYears":1,"autoRenew":true},"agreement":{"signerName":"Jane Doe","signerPlace":"San Francisco","accepted":true},"remarks":"OV — single domain, pre-vetted organization","csr":"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"}},"OV Wildcard (X-Product-Code: 847)":{"summary":"OV SSL Wildcard","description":"OV Wildcard (X-Product-Code: 847)","value":{"productVariant":"ov","groupNumber":"3215269294","requestor":{"name":"Jane Doe","email":"jane@example.com","phone":"+14155551234"},"organization":{"organizationNumber":"2969772","preVetted":true},"certificate":{"domain":"*.example.com","autoSecureWww":false},"subscription":{"validityYears":1},"agreement":{"signerName":"Jane Doe","signerPlace":"San Francisco","accepted":true},"remarks":"OV Wildcard — pre-vetted organization, wildcard primary","csr":"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"}},"OV UCC / multi-SAN (X-Product-Code: 848)":{"summary":"OV SSL UCC","description":"OV UCC / multi-SAN (X-Product-Code: 848)","value":{"productVariant":"ov","groupNumber":"3215269294","requestor":{"name":"Jane Doe","email":"jane@example.com","phone":"+14155551234"},"organization":{"organizationNumber":"2969772","preVetted":true},"certificate":{"domain":"example.com","autoSecureWww":true,"additionalDomains":["shop.example.com","portal.example.com","example.net"]},"subscription":{"validityYears":1},"agreement":{"signerName":"Jane Doe","signerPlace":"San Francisco","accepted":true},"remarks":"OV UCC — pre-vetted organization, multi-SAN","csr":"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"}},"OV Wildcard UCC (X-Product-Code: 849)":{"summary":"OV SSL Wildcard UCC","description":"OV Wildcard UCC (X-Product-Code: 849)","value":{"productVariant":"ov","groupNumber":"3215269294","requestor":{"name":"Jane 
Doe","email":"jane@example.com","phone":"+14155551234"},"organization":{"organizationNumber":"2969772","preVetted":true},"certificate":{"domain":"*.example.com","autoSecureWww":false,"additionalDomains":["*.example.net","example.com","example.net"]},"subscription":{"validityYears":1},"agreement":{"signerName":"Jane Doe","signerPlace":"San Francisco","accepted":true},"remarks":"OV Wildcard UCC — pre-vetted organization, wildcard primary plus mixed SANs","csr":"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"}}}}},"required":true},"responses":{"401":{"description":"Missing or invalid Bearer token.","content":{"application/problem+json":{"schema":{"$ref":"#/components/schemas/ProblemDetail"}}}},"201":{"description":"Order created. `Location` header points at the order resource.","content":{"application/json":{"schema":{"type":"object"}}}},"422":{"description":"Business-rule validation failed (`EMS-xxx` code in `detail`).","content":{"application/problem+json":{"schema":{"$ref":"#/components/schemas/ProblemDetail"}}}},"400":{"description":"Malformed body or missing `X-Product-Code`.","content":{"application/problem+json":{"schema":{"$ref":"#/components/schemas/ProblemDetail"}}}}},"security":[{"BearerAuth":[]}]}},"/api/certinext/v2/ssl-certificates/{orderId}/revoke":{"post":{"tags":["SSL/TLS Certificates"],"summary":"Revoke an issued SSL certificate","description":"Permanently marks an issued certificate as revoked with an RFC 5280 reason code (`keyCompromise`, `affiliationChanged`, `superseded`, `cessationOfOperation`, etc.). 
Revocation is reflected in CRL/OCSP once the CA publishes the next delta.","operationId":"revoke","parameters":[{"name":"orderId","in":"path","description":"Opaque order ID.","required":true,"schema":{"type":"string"},"example":"ord_abc123"}],"requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/RevokeRequest"}}},"required":true},"responses":{"200":{"description":"OK","content":{"application/json":{"schema":{"type":"object"}}}}},"security":[{"BearerAuth":[]}]}},"/api/certinext/v2/ssl-certificates/{orderId}/reissue":{"post":{"tags":["SSL/TLS Certificates"],"summary":"Reissue an SSL/TLS certificate","description":"Reissue an already-issued certificate without creating a new order. Two modes:\n- `rekey` — supply a new CSR; the existing certificate is replaced.\n- `update-sans` — add SAN domains to the existing certificate.\n\nOptionally revoke the previous certificate as part of the reissue by setting `revokePrevious=true` and providing `revokeReason`.","operationId":"reissue","parameters":[{"name":"orderId","in":"path","description":"Opaque order ID returned by create.","required":true,"schema":{"type":"string"},"example":"ord_abc123"}],"requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/ReissueRequest"}}},"required":true},"responses":{"404":{"description":"Order not found under this account.","content":{"application/problem+json":{"schema":{"$ref":"#/components/schemas/ProblemDetail"}}}},"201":{"description":"Reissue request accepted. `Location` points at the order resource.","content":{"application/json":{"schema":{"type":"object"}}}},"422":{"description":"Business-rule validation failed (e.g. 
SAN limit exceeded, missing CSR).","content":{"application/problem+json":{"schema":{"$ref":"#/components/schemas/ProblemDetail"}}}}},"security":[{"BearerAuth":[]}]}},"/api/certinext/v2/ssl-certificates/{orderId}/dcv/verify":{"post":{"tags":["SSL/TLS Certificates"],"summary":"Trigger DCV verification for a domain on the order","description":"Call this **after** you have published the challenge artifact (file / DNS record / replied to email). The CA re-checks the artifact; on success the order moves to the next lifecycle state.","operationId":"verifyDcv","parameters":[{"name":"orderId","in":"path","description":"Opaque order ID.","required":true,"schema":{"type":"string"},"example":"ord_abc123"}],"requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SslDcvVerifyRequest"}}},"required":true},"responses":{"200":{"description":"OK","content":{"application/json":{"schema":{"type":"object"}}}}},"security":[{"BearerAuth":[]}]}},"/api/certinext/v2/ssl-certificates/{orderId}/cancel":{"post":{"tags":["SSL/TLS Certificates"],"summary":"Cancel an SSL order","description":"Withdraws an order that has not yet been issued. After issuance, use `/revoke` instead. The order remains visible via `GET /{id}` in `cancelled` status.","operationId":"cancel","parameters":[{"name":"orderId","in":"path","description":"Opaque order ID.","required":true,"schema":{"type":"string"},"example":"ord_abc123"}],"requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/CancelRequest"}}}},"responses":{"200":{"description":"OK","content":{"application/json":{"schema":{"type":"object"}}}}},"security":[{"BearerAuth":[]}]}},"/api/certinext/v2/ssl-certificates/{orderId}/agreement":{"post":{"tags":["SSL/TLS Certificates"],"summary":"Accept the Subscriber Agreement","description":"Records signer identity, timestamp, and IP for the terms-of-use acceptance. 
Required for public SSL issuance; the CA will not release the certificate until this is done.","operationId":"acceptAgreement","parameters":[{"name":"orderId","in":"path","description":"Opaque order ID.","required":true,"schema":{"type":"string"},"example":"ord_abc123"}],"requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/AgreementAcceptRequest"}}},"required":true},"responses":{"200":{"description":"OK","content":{"application/json":{"schema":{"type":"object"}}}}},"security":[{"BearerAuth":[]}]}},"/api/certinext/v2/ssl-certificates/requests/{requestId}/cancel":{"post":{"tags":["SSL/TLS Certificates"],"summary":"Reject a draft request before it becomes an order","description":"Use for `saveAsDraft=true` requests that returned a `requestId` instead of an `orderId`. Once the draft has been promoted to a real order, use `/{orderId}/cancel` instead.","operationId":"rejectRequest","parameters":[{"name":"requestId","in":"path","description":"Opaque draft request ID.","required":true,"schema":{"type":"string"},"example":"req_def456"}],"requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/CancelRequest"}}}},"responses":{"200":{"description":"OK","content":{"application/json":{"schema":{"type":"object"}}}}},"security":[{"BearerAuth":[]}]}},"/api/certinext/v2/signature-certificates":{"post":{"tags":["Document Signer Certificates"],"summary":"Create a Document Signer certificate order","description":"**When to call:** to start issuing a signature certificate for an individual, an employee (legal person), or an organization (legal entity).\n\n**What happens:** the order is created and enters vetting state.\n\n**Product code resolution:** the wrapper picks the right product code from your account's catalog based on `subjectType` (`natural-person` / `legal-person` / `legal-entity`) and `subscription.validityYears`. 
You do not need to manage numeric product codes on the client side.\n\n**Headers (optional):**\n- `X-Product-Code` — explicit override. Set only when you need to disambiguate between multiple matching products in your catalog.","operationId":"create_1","parameters":[{"name":"X-Product-Code","in":"header","description":"**Optional override.** The wrapper resolves the product code from your account's catalog based on `subjectType` + `subscription.validityYears`. Set this header explicitly only to disambiguate between multiple matching products.","required":false,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SignatureOrderCreateRequest"},"examples":{"Natural Person (1-year)":{"description":"Natural Person (1-year)","value":{"subjectType":"natural-person","emailNotifications":"all","requestor":{"name":"Jane Doe","email":"jane@example.com","phone":"+19481081094","designation":"Signer"},"subject":{"givenName":"Jane","surname":"Doe","email":"jane@example.com","countryCode":"IN"},"subscription":{"validityYears":1,"autoRenew":false},"agreement":{"signerName":"Jane Doe","signerPlace":"Bangalore","accepted":true}}}}}},"required":true},"responses":{"422":{"description":"Business-rule validation failed.","content":{"application/problem+json":{"schema":{"$ref":"#/components/schemas/ProblemDetail"}}}},"201":{"description":"Order created. 
`Location` points at the order resource.","content":{"application/json":{"schema":{"type":"object"}}}},"400":{"description":"Malformed body or missing `X-Product-Code`.","content":{"application/problem+json":{"schema":{"$ref":"#/components/schemas/ProblemDetail"}}}}},"security":[{"BearerAuth":[]}]}},"/api/certinext/v2/signature-certificates/{orderId}/revoke":{"post":{"tags":["Document Signer Certificates"],"summary":"Revoke an issued Document Signer certificate","description":"Permanently marks an issued certificate as revoked with an RFC 5280 reason code.","operationId":"revoke_1","parameters":[{"name":"orderId","in":"path","description":"Opaque order ID.","required":true,"schema":{"type":"string"},"example":"ord_abc123"}],"requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/RevokeRequest"}}},"required":true},"responses":{"200":{"description":"OK","content":{"application/json":{"schema":{"type":"object"}}}}},"security":[{"BearerAuth":[]}]}},"/api/certinext/v2/signature-certificates/{orderId}/cancel":{"post":{"tags":["Document Signer Certificates"],"summary":"Cancel a Document Signer order","description":"Withdraws an order that has not yet been issued. 
After issuance, use `/revoke` instead.","operationId":"cancel_1","parameters":[{"name":"orderId","in":"path","description":"Opaque order ID.","required":true,"schema":{"type":"string"},"example":"ord_abc123"}],"requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/CancelRequest"}}}},"responses":{"200":{"description":"OK","content":{"application/json":{"schema":{"type":"object"}}}}},"security":[{"BearerAuth":[]}]}},"/api/certinext/v2/signature-certificates/{orderId}/agreement":{"post":{"tags":["Document Signer Certificates"],"summary":"Accept the Subscriber Agreement","description":"Records signer identity, timestamp, and IP for the terms-of-use acceptance.","operationId":"acceptAgreement_1","parameters":[{"name":"orderId","in":"path","description":"Opaque order ID.","required":true,"schema":{"type":"string"},"example":"ord_abc123"}],"requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/AgreementAcceptRequest"}}},"required":true},"responses":{"200":{"description":"OK","content":{"application/json":{"schema":{"type":"object"}}}}},"security":[{"BearerAuth":[]}]}},"/api/certinext/v2/private-pki-certificates":{"post":{"tags":["Private PKI Certificates"],"summary":"Create a Private PKI certificate order","description":"**When to call:** to issue a certificate from your Private PKI CA (Intranet TLS, IGTF Host).\n\n**Product code resolution:** the wrapper picks the right product code from your catalog based on `variant` (`intranet-ssl` / `igtf-host`). You do not need to manage numeric codes client-side.\n\n**Headers (optional):**\n- `X-Product-Code` — explicit override. Set only to disambiguate when multiple matching products exist.\n\n**No DCV, no agreement** — the CA is under your control.","operationId":"create_2","parameters":[{"name":"X-Product-Code","in":"header","description":"**Optional override.** The wrapper resolves the product code from your catalog based on `variant`. 
Set explicitly only to disambiguate between matching products.","required":false,"schema":{"type":"string"}}],"requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/PrivatePkiOrderCreateRequest"},"examples":{"Intranet SSL":{"description":"Intranet SSL","value":{"variant":"intranet-ssl","caProfileId":"internal-web-tier","masterProductId":"pki_master_001","hostname":"intranet.example.local","additionalHosts":["portal.example.local"],"emailNotifications":"all","subscription":{"validityYears":1},"requestor":{"name":"Ops Team","email":"ops@example.com","phone":"+19481081094","designation":"Infra"}}}}}},"required":true},"responses":{"422":{"description":"Business-rule validation failed.","content":{"application/problem+json":{"schema":{"$ref":"#/components/schemas/ProblemDetail"}}}},"201":{"description":"Order created.","content":{"application/json":{"schema":{"type":"object"}}}},"400":{"description":"Malformed body or missing `X-Product-Code`.","content":{"application/problem+json":{"schema":{"$ref":"#/components/schemas/ProblemDetail"}}}}},"security":[{"BearerAuth":[]}]}},"/api/certinext/v2/private-pki-certificates/{orderId}/revoke":{"post":{"tags":["Private PKI Certificates"],"summary":"Revoke an issued Private PKI certificate","description":"Revokes a certificate issued from the customer CA with an RFC 5280 reason.","operationId":"revoke_2","parameters":[{"name":"orderId","in":"path","description":"Opaque order ID.","required":true,"schema":{"type":"string"},"example":"ord_abc123"}],"requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/RevokeRequest"}}},"required":true},"responses":{"200":{"description":"OK","content":{"application/json":{"schema":{"type":"object"}}}}},"security":[{"BearerAuth":[]}]}},"/api/certinext/v2/private-pki-certificates/{orderId}/cancel":{"post":{"tags":["Private PKI Certificates"],"summary":"Cancel a Private PKI order","description":"Withdraws an order before 
issuance.","operationId":"cancel_2","parameters":[{"name":"orderId","in":"path","description":"Opaque order ID.","required":true,"schema":{"type":"string"},"example":"ord_abc123"}],"requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/CancelRequest"}}}},"responses":{"200":{"description":"OK","content":{"application/json":{"schema":{"type":"object"}}}}},"security":[{"BearerAuth":[]}]}},"/api/certinext/v2/domains":{"get":{"tags":["Domains"],"summary":"List domains","description":"Filter / paginate the account's domains. All filter parameters are optional. `sortBy` is restricted to a whitelist (see DomainSortField); unknown values return 400.","operationId":"list","parameters":[{"name":"filter","in":"query","required":true,"schema":{"$ref":"#/components/schemas/DomainListFilter"}}],"responses":{"200":{"description":"OK","content":{"application/json":{"schema":{"type":"object"}}}}},"security":[{"BearerAuth":[]}]},"post":{"tags":["Domains"],"summary":"Add a domain","description":"**When to call:** before placing an order for a domain that is not already verified in the account.\n\n**What you get back:**\n- 201 with the new domain id and DCV instructions on success\n- 409 with `existingDomainId` populated when the same domain is already verified in another organization of this account (account-guard, §4.1)\n- 422 with per-perspective `diagnostics` when CAA pre-check disagrees","operationId":"create_3","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/DomainCreateRequest"},"examples":{"Add example.com via dns-txt":{"description":"Add example.com via dns-txt","value":{"domainName":"example.com","organizationId":"8K9mQ2vR8nP4bL","dcvMethod":"dns-txt","skipCAA":false}}}}},"required":true},"responses":{"201":{"description":"Domain added.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/DomainCreateResponse"}}}},"422":{"description":"CAA / DCV pre-check failed; see 
diagnostics.","content":{"application/problem+json":{"schema":{"$ref":"#/components/schemas/ProblemDetail"}}}},"409":{"description":"Domain already verified in another organization of this account.","content":{"application/problem+json":{"schema":{"$ref":"#/components/schemas/ProblemDetail"}}}},"400":{"description":"Malformed body.","content":{"application/problem+json":{"schema":{"$ref":"#/components/schemas/ProblemDetail"}}}}},"security":[{"BearerAuth":[]}]}},"/api/certinext/v2/domains/{domainId}/deactivate":{"post":{"tags":["Domains"],"summary":"Deactivate a domain","description":"Soft-deactivates the domain (sets `domainStatus=INACTIVE`). Existing certificates remain valid; future orders for this domain are blocked until it is re-added. Hard-delete is not supported through this API — by design, BR §5.4.1 requires audit retention.","operationId":"deactivate","parameters":[{"name":"domainId","in":"path","description":"Opaque domain ID.","required":true,"schema":{"type":"string"},"example":"dom_abc123"}],"responses":{"200":{"description":"OK","content":{"application/json":{"schema":{"type":"object"}}}}},"security":[{"BearerAuth":[]}]}},"/api/certinext/v2/domains/{domainId}/dcv/verify":{"post":{"tags":["Domains"],"summary":"Trigger DCV verification","description":"Runs the per-perspective MPIC verification immediately. On success the domain flips to `VERIFIED` and the response carries the diagnostics block. 
On consensus failure the response is 422 with the same diagnostics block under `ProblemDetail.diagnostics`.","operationId":"verifyDcv_1","parameters":[{"name":"domainId","in":"path","description":"Opaque domain ID.","required":true,"schema":{"type":"string"},"example":"dom_abc123"}],"requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/DcvVerifyRequest"}}}},"responses":{"200":{"description":"OK","content":{"application/json":{"schema":{"type":"object"}}}}},"security":[{"BearerAuth":[]}]}},"/api/certinext/v2/domains/{domainId}/dcv/method":{"patch":{"tags":["Domains"],"summary":"Change the DCV method for a domain","description":"Switches the DCV method and returns the freshly-issued challenge. The previous method's tokens are invalidated; verifying again must use the new method.","operationId":"changeDcvMethod","parameters":[{"name":"domainId","in":"path","description":"Opaque domain ID.","required":true,"schema":{"type":"string"},"example":"dom_abc123"}],"requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/DcvMethodChangeRequest"}}},"required":true},"responses":{"200":{"description":"OK","content":{"application/json":{"schema":{"type":"object"}}}}},"security":[{"BearerAuth":[]}]}},"/api/certinext/v2/ssl-certificates/{orderId}":{"get":{"tags":["SSL/TLS Certificates"],"summary":"Track an SSL order","description":"Returns the current state of the SSL order, plus enrichment blocks:\n- `requestor` — who placed the order (name / email / phone / designation).\n- `csrSubmitted` — has the CSR been POSTed yet.\n- `subscription` — billing entitlement window (`validityYears`, `endDate`, `status`).\n- `subscriberAgreement` — Subscriber Agreement state (`signed`, `signerName`, `signedAt`, `signedPlace`).\n- `revocation` — RFC 5280 revocation details, populated only when `status = revoked`.\n- `interimDvIssued` — OV/EV only; `true` once the interim DV cert has been issued.\n\nPoll this every 30 - 60 seconds while 
the CA processes DCV, vetting, and issuance. `status` transitions: `pending-dcv` -> `pending-csr` -> `pending-agreement` -> `pending-approval` -> `issued` (or `cancelled` / `revoked` / `expired`). Stop polling once `status` reaches a terminal state.","operationId":"track","parameters":[{"name":"orderId","in":"path","description":"Opaque order ID returned by create.","required":true,"schema":{"type":"string"},"example":"ord_abc123"}],"responses":{"404":{"description":"Order not found under this account.","content":{"application/problem+json":{"schema":{"$ref":"#/components/schemas/ProblemDetail"}}}},"200":{"description":"Current order state.","content":{"application/json":{"schema":{"type":"object"}}}}},"security":[{"BearerAuth":[]}]}},"/api/certinext/v2/ssl-certificates/{orderId}/dcv":{"get":{"tags":["SSL/TLS Certificates"],"summary":"Get the DCV challenge for a domain on the order","description":"Returns the challenge artefact (DNS TXT record value for `dns-txt`, or `.well-known` file token + path for `http-url`) for the chosen Domain Control Validation method. Publish the artefact, then call `POST /{id}/dcv/verify` with the same `method` so the CA re-checks it.\n\nBoth query parameters are optional:\n- `domain` defaults to the order's primary domain (the `certificate.domain` you supplied at create time, also returned by `GET /{orderId}`).\n- `method` defaults to `dns-txt` (BR-recommended). Set to `http-url` for HTTP-based validation.","operationId":"getDcv","parameters":[{"name":"orderId","in":"path","description":"Opaque order ID.","required":true,"schema":{"type":"string"},"example":"ord_abc123"},{"name":"domain","in":"query","description":"Domain name to fetch DCV challenges for. Optional — defaults to the order's primary domain.","required":false,"schema":{"type":"string"},"example":"example.com"},{"name":"method","in":"query","description":"DCV method (`dns-txt` / `http-url`). 
Optional — defaults to `dns-txt`.","required":false,"schema":{"type":"string","enum":["dns-txt","http-url"]},"example":"dns-txt"}],"responses":{"200":{"description":"OK","content":{"application/json":{"schema":{"type":"object"}}}}},"security":[{"BearerAuth":[]}]}},"/api/certinext/v2/ssl-certificates/{orderId}/certificate":{"get":{"tags":["SSL/TLS Certificates"],"summary":"Download the issued certificate","description":"Returns the issued certificate in the format requested via the `Accept` header:\n- `application/json` — JSON envelope with PEM + metadata (serial, validity, thumbprint)\n- `application/x-pem-file` — PEM text\n- `application/pkix-cert` — DER bytes\n\nOnly callable after issuance (`status=issued`).","operationId":"downloadCertificate","parameters":[{"name":"orderId","in":"path","description":"Opaque order ID.","required":true,"schema":{"type":"string"},"example":"ord_abc123"},{"name":"Accept","in":"header","description":"Response format: JSON / PEM / DER.","required":false,"schema":{"type":"string","enum":["application/json","application/x-pem-file","application/pkix-cert"]}},{"name":"format","in":"query","description":"Convenience override: `pem`, `der`, or `pkcs7` (alias of der). 
Wins over Accept when set.","required":false,"schema":{"type":"string","enum":["pem","der","pkcs7"]}}],"responses":{"200":{"description":"OK","content":{"application/json":{"schema":{"type":"object"}},"application/x-pem-file":{"schema":{"type":"object"}},"application/pkix-cert":{"schema":{"type":"object"}}}}},"security":[{"BearerAuth":[]}]}},"/api/certinext/v2/signature-certificates/{orderId}":{"get":{"tags":["Document Signer Certificates"],"summary":"Track a Document Signer order","description":"Returns the current state of the order, plus enrichment blocks:\n- `requestor` — who placed the order (name / email / phone / designation).\n- `csrSubmitted` — has the CSR been POSTed yet.\n- `subscription` — billing entitlement window.\n- `subscriberAgreement` — Subscriber Agreement state.\n- `revocation` — populated only when `status = revoked`.\n\nPoll while documents are vetted and the certificate is issued. `status` typically walks `pending-documents` -> `pending-csr` -> `pending-agreement` -> `pending-approval` -> `issued`. 
Legal Entity certs may also pass through `pending-organization-verification`.","operationId":"track_1","parameters":[{"name":"orderId","in":"path","description":"Opaque order ID.","required":true,"schema":{"type":"string"},"example":"ord_abc123"}],"responses":{"200":{"description":"OK","content":{"application/json":{"schema":{"type":"object"}}}}},"security":[{"BearerAuth":[]}]}},"/api/certinext/v2/signature-certificates/{orderId}/certificate":{"get":{"tags":["Document Signer Certificates"],"summary":"Download the issued certificate","description":"JSON / PEM / DER via `Accept` header negotiation.","operationId":"downloadCertificate_1","parameters":[{"name":"orderId","in":"path","description":"Opaque order ID.","required":true,"schema":{"type":"string"},"example":"ord_abc123"},{"name":"Accept","in":"header","required":false,"schema":{"type":"string","default":"application/json"}}],"responses":{"200":{"description":"OK","content":{"application/json":{"schema":{"type":"object"}},"application/x-pem-file":{"schema":{"type":"object"}},"application/pkix-cert":{"schema":{"type":"object"}}}}},"security":[{"BearerAuth":[]}]}},"/api/certinext/v2/reports/orders":{"get":{"tags":["Reports"],"summary":"Orders report","description":"Filterable, paginated list of orders for the authenticated account. Supports date-range, status, and group filters. Returns `{ orders: [...], page, pageSize, totalResults, totalPages }`.","operationId":"orders","parameters":[{"name":"groupNumber","in":"query","description":"Optional group filter.","required":false,"schema":{"type":"string"},"example":"GRP-001"},{"name":"status","in":"query","description":"Filter by order status. Allowed values: `pending-dcv`, `pending-organization-verification`, `pending-csr`, `pending-documents`, `pending-agreement`, `pending-approval`, `issued`, `revoked`, `cancelled`, `rejected`, `expired`. 
Unknown values return 422 with the allowed list.","required":false,"schema":{"type":"string","enum":["pending-dcv","pending-organization-verification","pending-csr","pending-documents","pending-agreement","pending-approval","issued","revoked","cancelled","rejected","expired"]},"example":"issued"},{"name":"from","in":"query","description":"Start date (inclusive). Format: YYYY-MM-DD.","required":false,"schema":{"type":"string"},"example":"2026-01-01"},{"name":"to","in":"query","description":"End date (inclusive). Format: YYYY-MM-DD; the wrapper expands a date-only value to end-of-day before forwarding.","required":false,"schema":{"type":"string"},"example":"2026-12-31"},{"name":"page","in":"query","description":"Page number, 1-based.","required":false,"schema":{"type":"integer","format":"int32","default":1},"example":1},{"name":"size","in":"query","description":"Page size (max 100).","required":false,"schema":{"type":"integer","format":"int32","default":50},"example":50}],"responses":{"200":{"description":"OK","content":{"application/json":{"schema":{"type":"object"}}}}},"security":[{"BearerAuth":[]}]}},"/api/certinext/v2/reports/ledger":{"get":{"tags":["Reports"],"summary":"Ledger statement","description":"Billing and balance movements for the authenticated account — paginated. 
Page is 1-based, matching /reports/orders.","operationId":"ledger","parameters":[{"name":"groupNumber","in":"query","description":"Optional group filter.","required":false,"schema":{"type":"string"},"example":"GRP-001"},{"name":"page","in":"query","description":"Page number, 1-based.","required":false,"schema":{"type":"integer","format":"int32","default":1},"example":1},{"name":"size","in":"query","description":"Page size (max 100).","required":false,"schema":{"type":"integer","format":"int32","default":50},"example":50}],"responses":{"200":{"description":"OK","content":{"application/json":{"schema":{"type":"object"}}}}},"security":[{"BearerAuth":[]}]}},"/api/certinext/v2/private-pki-certificates/{orderId}":{"get":{"tags":["Private PKI Certificates"],"summary":"Track a Private PKI order","description":"Returns the current state of the order, plus enrichment blocks:\n- `requestor` — who placed the order (name / email / phone / designation).\n- `csrSubmitted` — has the CSR been POSTed yet.\n- `subscription` — billing entitlement window.\n- `subscriberAgreement` — Subscriber Agreement state (when the product requires it).\n- `revocation` — populated only when `status = revoked`.\n\nPrivate PKI orders skip DCV; typical walk is `pending-csr` -> `pending-approval` -> `issued`.","operationId":"track_2","parameters":[{"name":"orderId","in":"path","description":"Opaque order ID.","required":true,"schema":{"type":"string"},"example":"ord_abc123"}],"responses":{"200":{"description":"OK","content":{"application/json":{"schema":{"type":"object"}}}}},"security":[{"BearerAuth":[]}]}},"/api/certinext/v2/private-pki-certificates/{orderId}/certificate":{"get":{"tags":["Private PKI Certificates"],"summary":"Download the issued Private PKI certificate","description":"JSON / PEM / DER via `Accept` header negotiation.","operationId":"downloadCertificate_2","parameters":[{"name":"orderId","in":"path","description":"Opaque order 
ID.","required":true,"schema":{"type":"string"},"example":"ord_abc123"},{"name":"Accept","in":"header","required":false,"schema":{"type":"string","default":"application/json"}}],"responses":{"200":{"description":"OK","content":{"application/json":{"schema":{"type":"object"}},"application/x-pem-file":{"schema":{"type":"object"}},"application/pkix-cert":{"schema":{"type":"object"}}}}},"security":[{"BearerAuth":[]}]}},"/api/certinext/v2/organizations":{"get":{"tags":["Accounts"],"summary":"List pre-vetted organizations","description":"Pre-vetted organizations may be referenced in OV/EV certificate orders without re-verification. Optionally scope to a specific group.","operationId":"listOrganizations","parameters":[{"name":"groupNumber","in":"query","description":"Optional group filter.","required":false,"schema":{"type":"string"},"example":"GRP-001"}],"responses":{"200":{"description":"OK","content":{"application/json":{"schema":{"type":"object"}}}}},"security":[{"BearerAuth":[]}]}},"/api/certinext/v2/organizations/{orgNumber}":{"get":{"tags":["Accounts"],"summary":"Get a single organization","description":"Returns organization name, address, representatives, linked domains, and agreement status.","operationId":"getOrganization","parameters":[{"name":"orgNumber","in":"path","description":"Organization number.","required":true,"schema":{"type":"string"},"example":2368754851}],"responses":{"200":{"description":"OK","content":{"application/json":{"schema":{"type":"object"}}}}},"security":[{"BearerAuth":[]}]}},"/api/certinext/v2/groups":{"get":{"tags":["Accounts"],"summary":"List billing groups","description":"Every order can be charged to a specific billing group. 
Use this to discover the `groupNumber` values available to your account.","operationId":"listGroups","responses":{"200":{"description":"OK","content":{"application/json":{"schema":{"type":"object"}}}}},"security":[{"BearerAuth":[]}]}},"/api/certinext/v2/domains/{domainId}":{"get":{"tags":["Domains"],"summary":"Get a domain","description":"Returns the full domain row including current DCV instructions and lifecycle dates.","operationId":"view","parameters":[{"name":"domainId","in":"path","description":"Opaque domain ID.","required":true,"schema":{"type":"string"},"example":"dom_abc123"}],"responses":{"200":{"description":"OK","content":{"application/json":{"schema":{"type":"object"}}}}},"security":[{"BearerAuth":[]}]}},"/api/certinext/v2/domains/{domainId}/dcv":{"get":{"tags":["Domains"],"summary":"Get DCV instructions for the current method","description":"Returns the DNS TXT record value (for `dns-txt`) or the .well-known file token + path (for `http-url`) appropriate for the domain's current DCV method.","operationId":"getDcv_1","parameters":[{"name":"domainId","in":"path","description":"Opaque domain ID.","required":true,"schema":{"type":"string"},"example":"dom_abc123"}],"responses":{"200":{"description":"OK","content":{"application/json":{"schema":{"type":"object"}}}}},"security":[{"BearerAuth":[]}]}},"/api/certinext/v2/domains/{domainId}/dcv/attempts":{"get":{"tags":["Domains"],"summary":"Paginated DCV attempt history","operationId":"getDcvAttemptHistory","parameters":[{"name":"domainId","in":"path","description":"Opaque domain ID.","required":true,"schema":{"type":"string"},"example":"dom_abc123"},{"name":"offset","in":"query","description":"Page offset (0-based).","required":false,"schema":{"type":"integer","format":"int32","default":0},"example":0},{"name":"limit","in":"query","description":"Page size (max 
50).","required":false,"schema":{"type":"integer","format":"int32","default":20},"example":20}],"responses":{"200":{"description":"OK","content":{"application/json":{"schema":{"type":"object"}}}}},"security":[{"BearerAuth":[]}]}},"/api/certinext/v2/domains/{domainId}/dcv/attempts/{attemptId}":{"get":{"tags":["Domains"],"summary":"Get a specific DCV attempt by ID","operationId":"getDcvAttemptDetails","parameters":[{"name":"domainId","in":"path","description":"Opaque domain ID.","required":true,"schema":{"type":"string"},"example":"dom_abc123"},{"name":"attemptId","in":"path","description":"Attempt ID (logs_dcvrecords.ID).","required":true,"schema":{"type":"string"},"example":12345}],"responses":{"200":{"description":"OK","content":{"application/json":{"schema":{"type":"object"}}}}},"security":[{"BearerAuth":[]}]}},"/api/certinext/v2/domains/{domainId}/dcv/attempts/last":{"get":{"tags":["Domains"],"summary":"Get the most recent DCV attempt","description":"Returns the diagnostics block for the most recent DCV attempt — per-perspective results, DNSSEC chain, failure class, and recommended next steps.","operationId":"getLastDcvAttempt","parameters":[{"name":"domainId","in":"path","description":"Opaque domain ID.","required":true,"schema":{"type":"string"},"example":"dom_abc123"}],"responses":{"200":{"description":"OK","content":{"application/json":{"schema":{"type":"object"}}}}},"security":[{"BearerAuth":[]}]}},"/api/certinext/v2/catalog/products":{"get":{"tags":["Catalog"],"summary":"List entitled products","description":"Returns every product (SSL, S/MIME, Document Signer, Private PKI) your account can order. 
Each entry exposes a stable `productCode` + `productType` + variant metadata — cache these client-side instead of hard-coding regional numeric codes.","operationId":"listProducts","parameters":[{"name":"groupNumber","in":"query","description":"Optional group filter.","required":false,"schema":{"type":"string"},"example":"GRP-001"}],"responses":{"200":{"description":"OK","content":{"application/json":{"schema":{"type":"object"}}}}},"security":[{"BearerAuth":[]}]}},"/api/certinext/v2/catalog/products/{productCode}/custom-fields":{"get":{"tags":["Catalog"],"summary":"Custom-field definitions for a product","description":"Some products require organization-specific custom fields (e.g. cost-center tags). Call this to discover field IDs, labels, validation rules, and which are mandatory before composing the order body.","operationId":"listCustomFields","parameters":[{"name":"productCode","in":"path","description":"Product code from `GET /catalog/products`.","required":true,"schema":{"type":"string"},"example":842}],"responses":{"200":{"description":"OK","content":{"application/json":{"schema":{"type":"object"}}}}},"security":[{"BearerAuth":[]}]}},"/api/certinext/v2/auth/me":{"get":{"tags":["Accounts"],"summary":"Current authenticated identity","description":"Returns the `accountNumber` and `authType` bound to the Bearer token. 
Useful as a health-check after obtaining a token.","operationId":"me","responses":{"200":{"description":"OK","content":{"application/json":{"schema":{"type":"object"}}}}},"security":[{"BearerAuth":[]}]}}},"components":{"schemas":{"CsrSubmitRequest":{"type":"object","properties":{"csr":{"type":"string"},"attested":{"type":"boolean"}},"required":["csr"]},"OAuth2TokenResponse":{"type":"object","properties":{"access_token":{"type":"string"},"token_type":{"type":"string"},"expires_in":{"type":"integer","format":"int64"},"refresh_token":{"type":"string"},"scope":{"type":"string"}}},"OAuth2ErrorResponse":{"type":"object","properties":{"error":{"type":"string"},"error_description":{"type":"string"},"error_uri":{"type":"string"}}},"Agreement":{"type":"object","properties":{"signerName":{"type":"string","maxLength":100,"minLength":0},"signerPlace":{"type":"string","maxLength":100,"minLength":0},"accepted":{"type":"boolean"}},"required":["signerName","signerPlace"]},"Contact":{"type":"object","properties":{"name":{"type":"string","maxLength":100,"minLength":0},"email":{"type":"string","maxLength":254,"minLength":0},"phone":{"type":"string","pattern":"^\\+[1-9]\\d{1,14}$"},"designation":{"type":"string","maxLength":100,"minLength":0}}},"CustomField":{"type":"object","properties":{"fieldId":{"type":"string"},"value":{"type":"string"}},"required":["fieldId","value"]},"Requestor":{"type":"object","properties":{"name":{"type":"string","maxLength":100,"minLength":0},"email":{"type":"string","maxLength":254,"minLength":0},"phone":{"type":"string","pattern":"^\\+[1-9]\\d{1,14}$"},"designation":{"type":"string","maxLength":100,"minLength":0}},"required":["email","name"]},"SslCertificateInfo":{"type":"object","properties":{"domain":{"type":"string","pattern":"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\\.[A-Za-z]{2,}$|^\\*(?:\\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+\\.[A-Za-z]{2,}$"},"additionalDomains":{"type":"array","items":{"type":"string"}},"autoSecureWww":{"type":
"boolean"}},"required":["domain"]},"SslOrderCreateRequest":{"type":"object","properties":{"productVariant":{"type":"string","enum":["dv","ov","ev"]},"saveAsDraft":{"type":"boolean"},"requestId":{"type":"string","maxLength":64,"minLength":0},"emailNotifications":{"type":"string","enum":["consent-only","all"]},"groupNumber":{"type":"string","maxLength":64,"minLength":0},"requestor":{"$ref":"#/components/schemas/Requestor"},"delegation":{"$ref":"#/components/schemas/Contact"},"organization":{"$ref":"#/components/schemas/SslOrganizationRef"},"certificate":{"$ref":"#/components/schemas/SslCertificateInfo"},"subscription":{"$ref":"#/components/schemas/Subscription"},"agreement":{"$ref":"#/components/schemas/Agreement"},"csr":{"type":"string"},"remarks":{"type":"string","maxLength":500,"minLength":0},"tags":{"type":"array","items":{"type":"string","maxLength":100,"minLength":0}},"customFields":{"type":"array","items":{"$ref":"#/components/schemas/CustomField"}},"recipientEmails":{"type":"array","items":{"type":"string","maxLength":254,"minLength":0}},"technicalPointOfContact":{"$ref":"#/components/schemas/Contact"}},"required":["certificate","productVariant","requestor"]},"SslOrganizationRef":{"type":"object","properties":{"organizationNumber":{"type":"string","maxLength":64,"minLength":0},"preVetted":{"type":"boolean"},"preVettingToken":{"type":"string","maxLength":64,"minLength":0}}},"Subscription":{"type":"object","properties":{"validityYears":{"type":"integer","format":"int32","maximum":3,"minimum":1},"autoRenew":{"type":"boolean"},"renewBeforeDays":{"type":"integer","format":"int32","maximum":365,"minimum":0}}},"FieldError":{"type":"object","properties":{"field":{"type":"string"},"message":{"type":"string"}}},"ProblemDetail":{"type":"object","properties":{"type":{"type":"string"},"title":{"type":"string"},"status":{"type":"integer","format":"int32"},"detail":{"type":"string"},"instance":{"type":"string"},"errors":{"type":"array","items":{"$ref":"#/components/schemas/F
ieldError"}},"existingDomainId":{"type":"string"},"diagnostics":{"type":"object","additionalProperties":{"type":"object"},"properties":{"empty":{"type":"boolean"}}},"tokenExpired":{"type":"boolean"}}},"RevokeRequest":{"type":"object","properties":{"reason":{"type":"string","enum":["unspecified","key-compromise","ca-compromise","affiliation-changed","superseded","cessation-of-operation","certificate-hold","remove-from-crl","privilege-withdrawn","aa-compromise"]},"note":{"type":"string","maxLength":500,"minLength":0}},"required":["reason"]},"ReissueRequest":{"type":"object","properties":{"mode":{"type":"string","enum":["rekey","update-sans"]},"reason":{"type":"string","maxLength":500,"minLength":0},"csr":{"type":"string"},"additionalDomains":{"type":"array","items":{"type":"string"}},"revokePrevious":{"type":"boolean"},"revokeReason":{"type":"string","enum":["unspecified","key-compromise","ca-compromise","affiliation-changed","superseded","cessation-of-operation","certificate-hold","remove-from-crl","privilege-withdrawn","aa-compromise"]},"revokeAllPriorReissues":{"type":"boolean"}},"required":["mode","reason"]},"SslDcvVerifyRequest":{"type":"object","properties":{"domain":{"type":"string"},"method":{"type":"string","enum":["dns-txt","http-url"]}},"required":["domain","method"]},"CancelRequest":{"type":"object","properties":{"reason":{"type":"string","maxLength":500,"minLength":0}}},"AgreementAcceptRequest":{"type":"object","properties":{"agreement":{"$ref":"#/components/schemas/Agreement"}},"required":["agreement"]},"SignatureOrderCreateRequest":{"type":"object","properties":{"subjectType":{"type":"string","enum":["natural-person","legal-person","legal-entity"]},"saveAsDraft":{"type":"boolean"},"requestId":{"type":"string","maxLength":64,"minLength":0},"emailNotifications":{"type":"string","enum":["consent-only","all"]},"groupNumber":{"type":"string","maxLength":64,"minLength":0},"requestor":{"$ref":"#/components/schemas/Requestor"},"delegation":{"$ref":"#/components
/schemas/Contact"},"subject":{"$ref":"#/components/schemas/SignatureSubject"},"subscription":{"$ref":"#/components/schemas/Subscription"},"agreement":{"$ref":"#/components/schemas/Agreement"},"csr":{"type":"string"},"remarks":{"type":"string","maxLength":500,"minLength":0},"tags":{"type":"array","items":{"type":"string","maxLength":100,"minLength":0}},"customFields":{"type":"array","items":{"$ref":"#/components/schemas/CustomField"}},"recipientEmails":{"type":"array","items":{"type":"string","maxLength":254,"minLength":0}},"technicalPointOfContact":{"$ref":"#/components/schemas/Contact"}},"required":["requestor","subject","subjectType"]},"SignatureSubject":{"type":"object","properties":{"firstName":{"type":"string","maxLength":100,"minLength":0},"lastName":{"type":"string","maxLength":100,"minLength":0},"email":{"type":"string","maxLength":254,"minLength":0},"phone":{"type":"string","pattern":"^\\+[1-9]\\d{1,14}$"},"designation":{"type":"string","maxLength":100,"minLength":0},"organizationName":{"type":"string","maxLength":100,"minLength":0},"organizationUnit":{"type":"string","maxLength":100,"minLength":0},"organizationIdentificationNumber":{"type":"string","maxLength":100,"minLength":0},"businessCategory":{"type":"string","maxLength":100,"minLength":0},"identityDocumentType":{"type":"string","maxLength":100,"minLength":0},"identificationNumber":{"type":"string","maxLength":100,"minLength":0},"streetAddress1":{"type":"string","maxLength":200,"minLength":0},"streetAddress2":{"type":"string","maxLength":200,"minLength":0},"locality":{"type":"string","maxLength":100,"minLength":0},"state":{"type":"string","maxLength":100,"minLength":0},"postalCode":{"type":"string","maxLength":20,"minLength":0},"countryCode":{"type":"string","pattern":"^[A-Z]{2}$"}},"required":["email"]},"PrivatePkiOrderCreateRequest":{"type":"object","properties":{"variant":{"type":"string","enum":["intranet-ssl","igtf-host"]},"caProfileId":{"type":"string","maxLength":64,"minLength":0},"masterProduc
tId":{"type":"string","maxLength":64,"minLength":0},"saveAsDraft":{"type":"boolean"},"requestId":{"type":"string","maxLength":64,"minLength":0},"emailNotifications":{"type":"string","enum":["consent-only","all"]},"groupNumber":{"type":"string","maxLength":64,"minLength":0},"requestor":{"$ref":"#/components/schemas/Requestor"},"hostname":{"type":"string","maxLength":253,"minLength":0},"additionalHosts":{"type":"array","items":{"type":"string","maxLength":253,"minLength":0}},"subscription":{"$ref":"#/components/schemas/Subscription"},"csr":{"type":"string"},"remarks":{"type":"string","maxLength":500,"minLength":0},"tags":{"type":"array","items":{"type":"string","maxLength":100,"minLength":0}},"customFields":{"type":"array","items":{"$ref":"#/components/schemas/CustomField"}},"technicalPointOfContact":{"$ref":"#/components/schemas/Contact"}},"required":["hostname","requestor","variant"]},"DomainCreateRequest":{"type":"object","properties":{"domainName":{"type":"string","description":"Fully-qualified domain name. Wildcards (e.g. *.example.com) are accepted.","example":"example.com","pattern":"^(\\*\\.)?([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\\.)+[A-Za-z]{2,}$"},"organizationId":{"type":"string","description":"Opaque V2 organization ID (the organization that will own the domain).","example":"8K9mQ2vR8nP4bL"},"dcvMethod":{"type":"string","description":"DCV method to use for verification.","enum":["dns-txt","http-url"],"example":"dns-txt"},"skipCAA":{"type":"boolean","description":"Skip CAA pre-check (used by Sectigo / federated import paths). 
Default false.","example":false}},"required":["dcvMethod","domainName","organizationId"]},"DcvDetails":{"type":"object","properties":{"method":{"type":"string","description":"Active DCV method.","enum":["dns-txt","http-url"]},"fileToken":{"type":"string","description":"Token to drop in the .well-known file (http-url only)."},"fileName":{"type":"string","description":"File path/name to host (http-url only).","example":".well-known/pki-validation/CHALLENGE.txt"},"txtToken":{"type":"string","description":"TXT record value to publish (dns-txt only)."},"tokenExpiry":{"type":"string","format":"date-time","description":"Token expiry in UTC. After this, /verify will reject and a new token must be generated."},"instructions":{"type":"string","description":"Free-form human-readable instruction text from the catalog."}}},"DomainCreateResponse":{"type":"object","properties":{"domainId":{"type":"string","description":"Opaque V2 domain ID. Use it for /domains/{id}/* operations."},"domainName":{"type":"string","description":"Domain name as stored.","example":"example.com"},"organizationId":{"type":"string","description":"Owning organization ID (opaque)."},"status":{"type":"string","description":"Lifecycle status. ACTIVE on a fresh insert.","enum":["ACTIVE","INACTIVE","EXPIRED"]},"dcvStatus":{"type":"string","description":"Current DCV state. PENDING for fresh inserts; VERIFIED if a CAA pre-check + ADN auto-verify succeeded synchronously.","enum":["PENDING","VERIFIED","REJECTED"]},"dcv":{"$ref":"#/components/schemas/DcvDetails","description":"DCV instructions for the chosen method - TXT value for `dns-txt`, file token + path for `http-url`."},"autoVerify":{"type":"string","description":"Async auto-verify hint. 
`scheduled` -> poll the resource; `noEligibleAncestor` -> manual verify required; `ineligible` -> method is HTTP/wildcard.","enum":["scheduled","noEligibleAncestor","ineligible"]},"createdAt":{"type":"string","format":"date-time"}}},"DcvVerifyRequest":{"type":"object"},"DcvMethodChangeRequest":{"type":"object","properties":{"dcvMethod":{"type":"string","description":"New DCV method.","enum":["dns-txt","http-url"]}},"required":["dcvMethod"]},"DomainListFilter":{"type":"object","properties":{"search":{"type":"string"},"domainStatus":{"type":"array","items":{"type":"string","enum":["ACTIVE","INACTIVE","EXPIRED"]}},"dcvStatus":{"type":"array","items":{"type":"string","enum":["PENDING","VERIFIED","REJECTED"]}},"dcvMethod":{"type":"array","items":{"type":"string","enum":["dns-txt","http-url"]}},"organizationId":{"type":"string"},"groupNumber":{"type":"string"},"fromDate":{"type":"string","format":"date"},"toDate":{"type":"string","format":"date"},"includePending":{"type":"boolean"},"limit":{"type":"integer","format":"int32"},"offset":{"type":"integer","format":"int32"},"sortBy":{"type":"string"},"sortDir":{"type":"string"}}}},"securitySchemes":{"BearerAuth":{"type":"http","description":"Short-lived Bearer access token (valid for 1 hour) obtained by signing in via **Authentication → POST /oauth/token**. Paste only the `access_token` value from the response. Do **not** include the word `Bearer` (Swagger adds it automatically). Do **not** paste your client secret here. That is the long-lived secret used to obtain the token, not the token itself.","scheme":"bearer"}}}}