GlobalSign API for SSL Certificates

Transcription

1 GlobalSign API for SSL Certificates Implementation Guide and Definitions Version Version Release Notes Version 4.0 Initial Release Version Changes - Added support for newer GCC2 type orders. Now orders place via the GUI can be modified via the API - Added function to change the approver after ordering - Added query functionality o Return CSR and OrderID used to place original order o To determine upcoming renewals - Added CSR Decoder and error checking function - Allow creation of Cert-Invites - Allow toggling of renewal notices by order Version 4.02 Changes - 06/20/ Fixed documentation typos and errors Version 4.1 Changes - 07/10/ Added Subscriber agreement request Version Changes 03/05/ Added Organization to Authorized Signer field for ExtendedSSL Version 4.2 Changes 03/28/ Added URLVerification methods which can be used for DomainSSL and AlphaSSL orders (Metatag Verification) Section 7.4 Version Changes 06/17/ Typo fixes for Jurisdiction Info & added definitions Version 4.3 Changes 06/25/ Add DNS txt record verification methods which can be used for DomainSSL and AlphaSSL orders Section 7.5 Version Changes 03/11/ Added timezone codes for creating sub reseller accounts - section 16.4 Version Changes 03/14/ Updated Reissue Function for Hash Algorithm SHA section 11.6 Version Changes 06/2/ Replaced ValidateOrderParameters with DecodeCSR in recommended workflow - Added reference to hash algorithm specific product codes in addendum - Added reference to validity period constraints in addendum - Removed mention of obsolete TestOV product code - Updated BaseOptions to include correct GlobalIP syntax Copyright GlobalSign, Inc. All rights reserved. GlobalSign, the GlobalSign logo and OneClickSSL are trademarks and registered trademarks of GlobalSign, Inc. or its affiliates in the United States and other countries. All other trademarks are the property of their respective owners.

2 Contents 1. Outline SSL Product Type Explanations Anti-Phishing Checks Background Web Service Functions Workflow Overview SSL Functions Service/Query Functions Account Functions Delivery of Issued Certificates by API URL s GlobalSign URL Test Account URLs WSDL Files GlobalSign URL Test account URLs Ordering DomainSSL & AlphaSSL Certificates Extract Common Name from the CSR Receive List of Approver Addresses and perform phishing DB check Ordering a DomainSSL or AlphaSSL Certificate Ordering DomainSSL or AlphaSSL Using Metatag Verification Ordering DomainSSL or AlphaSSL Using DNS Verification Ordering OrganizationSSL Certificates OrganizationSSL Certificate Request Ordering the OrganizationSSL Certificate Ordering ExtendedSSL Certificates ExtendedSSL Certificate Request Ordering the ExtendedSSL Certificate General SSL Functions Changing the SubjectAltName in Certificate Change SubjectAltName Create Cert-Invites (CertInviteOrder) Change Approver (ChangeApprover ) Re-Send Approver (Resend ) Modify Existing Order (ModifyOrder) Service & Query API Calls Get Issued Certificate Single Certificate (GetOrderByOrderID) Query API to get Issued Certificate - Multiple Orders (GetOrderByDateRange) Query API to Get Recently Modified Orders (GetModifiedOrders) Query to Determine Upcoming Renewals (GetOrderByExpirationDate) Query API to Get Certificate Orders (GetCertificateOrders) Query API to Reissue Certificates (ReIssue) Check Order Parameters and Phishing Database (ValidateOrderParameters) Turn Renewal Notice On/Off (ToggleRenewalNotice) Account API Functions Retrieve Account Snapshot (GetAccountSnapshot) Create Sub Reseller Account (ResellerApplication) Add Deposits to Sub Reseller Account (AddResellerDeposit) Query Invoices Get Subscriber Agreement Request (GetAgreement) Code Examples: Certificate Order Entry Parameters Product Codes Validity Period Date/Time Formatting Setting Validity Period of the Certificate (by Not before/not after date) GlobalSign API for SSL Certificates v4.3.4 Page 2 of 72

3 15.5 Order Type Base Options Licenses CreditAgency/OrganizationCode KeyLength OptionName Subject Alternative Names (SANs) Entry Metatag & DNS Valid Approver URL / FQDN Common Name Relationships Country Status Explanations Order/Certificate Status ModificationEventName Resend Type TimeZone Codes Success / Error Codes Client Error Codes Server Error Codes Server Error Responses by API Request Type XML Field Definitions GlobalSign API for SSL Certificates v4.3.4 Page 3 of 72

4 1. Outline GlobalSign offers a Simple Object Access Protocol (SOAP) API for its partners and customers to directly order and manage certificates. Through this API, partners can perform functions such as ordering the different products, cancelling and fulfilling orders, and querying for order data. The API supports applications for SSL Certificates placed by partners and by customer using the SSL Managed service platform. Partners may place orders for all certificate product types. 2. SSL Product Type Explanations AlphaSSL: AlphaSSL is a low end domain validated certificate and known to our resellers as AlphaSSL. This product can only be purchased in standard or wildcard options, 1-5 year validity periods. None of the other premium value add options are supported with this product. Note: in the API product code specification AlphaSSL is referenced as DV_LOW. DomainSSL: DomainSSL is a feature rich high value domain validated certificate. When placing a DomainSSL order the applicant must supply a CSR. Certificates requested by supplying a customer generated CSR are returned as standard certificate files. To our partners these two products are known as DomainSSL and DomainSSL. Both of these product codes can be ordered as not only a standard and wildcard option, but also with certain SAN options. For the DomainSSL, there are the following Subject Alternative Names options allowed: Unified Communications support for owa, autodiscover and mail Additional Subdomain support These options can be added through both the DomainSSL product code, in 1-5 year validity periods. Note: the API product code specification DomainSSL is referenced as DV. OrganizationSSL: OrganizationSSL is a feature rich high value organization validated certificate. When placing an OrganizationSSL order the applicant must supply a CSR. Certificates requested by supplying a customer generated CSR are returned as standard Certificate files. To our partners these are known as OrganizationSSL. This product code can be ordered as not only a standard and wildcard option, but also with certain SAN options. For the OrganizationSSL there are the following Subject Alternative Names options allowed: Unified Communications support for owa, autodiscover and mail Additional Subdomain support Internal Hostname support Public IP Address support Additional Fully Qualified Domain Name support These options can be added in 1-5 year validity periods. Note: the API product code specification OrganizationSSL is referenced as OV. Customers with SSL Managed Service accounts may obtain pre-vetted OrganizationSSL certificates by using the SSL Managed Service application calls. GlobalSign API for SSL Certificates v4.3.4 Page 4 of 72

5 Extended SSL: ExtendedSSL is the product name for GlobalSign's Extended Validation (EV) SSL offering and is issued in strict adherence the published CA/B Forum EV SSL guidelines covering certificate profile format, vetting method and workflow. This product can be ordered as only a standard SSL Certificate with limited Subject Alternative Name support and does not support wildcard applications and globalip option, NOT as a wildcard option. This product can also work with all the SAN options. For the Extended SSL, the following SAN options allowed: Unified Communications support for owa, autodiscover and mail Additional Subdomain support Additional Fully Qualified Domain Name support This product can only be ordered in a 1-2 year validity period. Note: the API product code specification ExtendedSSL is referenced as EV. 3. Anti-Phishing Checks Background All domain validated certificates (DomainSSL and AlphaSSL) are automatically put through the GlobalSign anti-phishing checks. These checks involve a series of automated processes to help identify potential phishing risks. If flagged as high risk the certificate will not be issued until manually reviewed by a GlobalSign vetting agent. If an API based order is flagged for phishing an appropriate alert message is reported and a vetting agent will be assigned to review the order at the first convenience. 4. Web Service Functions Workflow Overview Order processing for SSL Certificates and web identity products is asynchronous. For these types of orders an API client places an order and then later checks the server for the completed order. The functions are broken into several categories SSL Functions: calls to place orders, modify or cancel orders Service & Query Functions: calls searching for complete orders (such as getting issued Certificates), decoding CSRs, validating order parameters Account Functions: calls needed to perform account actions, such as checking balance and modified sub-accounts The general approach for ordering is to place orders using an SSL functions, then periodically request the list of all orders that have changed status during a specified time interval (for example, the last four hours) using the Service/Query function of GetModifiedOrders. This returns a list of all orders and detailed order information for orders that have changed status in the specified time interval. The status of all returned orders can then be updated locally and used as necessary. An alternative to querying for a set of modified orders within a time period is to specifically request the status of a specific order. In this case the ordering flow consists of the following operations: place an order, and then periodically check the status of the specific order (GetOrderByOrderID). Once the order has been completed, the fulfillment information is returned with the GetOrderByOrderID operation. This approach is less efficient, but might be more appropriate when there is a low volume of certificates being managed. 4.1 SSL Functions Function Getting list of approver addresses Getting list of approver addresses and OrderID for DVOrder (DomainSSL and AlphaSSL only) API Request GetApproverList GetDVApproverList GlobalSign API for SSL Certificates v4.3.4 Page 5 of 72

6 Order AlphaSSL or DomainSSL Certificate with Approver validation Order AlphaSSL or DomainSSL Certificate with Metatag validation Order OrganizationSSL Certificate Order ExtendedSSL Certificate Changing certificate order status Resend Approver s for AlphaSSL & DomainSSL orders Place an order using the cert invite functionality Change the address that the approval request is sent to for domain validated products Change the SubjectAltName in certificate. DVOrder URLVerification & URLVerificationForIssue OVOrder EVOrder ModifyOrder Resend CertInviteOrder ChangeApprover ChangeSubjectAltName 4.2 Service/Query Functions Function Searching order information by Order ID Searching modified orders by modified date (from/to) Getting order list Searching orders by order date (from/to) Checking order parameter validity Decoding a CSR ReIssue Certificate Turn on/off Renewal notice Check upcoming expirations API GetOrderByOrderID GetModifiedOrders GetCertificateOrders GetOrderByDateRange ValidateOrderParameters DecodeCSR ReIssue ToggleRenewalNotice GetOrderByExpirationDate 4.3 Account Functions Function To view account balance and recent usage Add deposit to a sub reseller account Query outstanding invoices Create a sub-reseller account API AccountSnapshot AddResellerDeposit QueryInvoices ResellerApplication 4.4 Delivery of Issued Certificates by Issued certificates can be delivered directly to the customer specified in the appropriate 4.1 Order functions. In the DVOrder / OVOrder / EVOrder Request specify the end customer and their address in the <ContactInfo> field. GlobalSign API for SSL Certificates v4.3.4 Page 6 of 72

7 Note: to directly the end customer your account must be configured on a specific template group. Contact your Account Manager or Tech Implementation Contact to arrange. 5. API URL s 5.1 GlobalSign URL The following URL s should be used to access the GlobalSign live API: SSL Functions: Service/Query: Account: Subscriber Agreement: Test Account URLs The following URLs* should be used to access the GlobalSign Test API: SSL Functions: Service/Query: Account: Subscriber Agreement: N/A *Test system accounts are available to API customers upon request 6. WSDL Files 6.1 GlobalSign URL GlobalSign s WSDL files are available from: SSL Functions: Service/Query: Account: Subscriber Agreement: Test account URLs Test account WSDL files are available from: SSL Functions: Service/Query: Account: *Test system accounts are available to API customers upon request GlobalSign API for SSL Certificates v4.3.4 Page 7 of 72

8 7. Ordering DomainSSL & AlphaSSL Certificates Optional - Obtain Common Name from the CSR. (1) DecodeCSR Request DecodeCSR Response Obtain the list of approver addresses, OrderID and check phishing DB using Common Name. (2) GetDVApproverList Request GetDVApproverList Response Order DomainSSL certificate using Order ID and selected approver e- mail address. (3) DVOrder Request DVOrder Response Sending approver (Out of API) Approve (Out of API) 1. Parsing CSR. 2. Getting list of approver s and order ID for DVOrder and check CN against phishing database. 3. Submit order 4. Sending approver 5. Approve or deny order GlobalSign API for SSL Certificates v4.3.4 Page 8 of 72

9 7.1 Extract Common Name from the CSR DecodeCSR Request <DecodeCSR> <Request > <QueryRequestHeader> <AuthToken> <UserName> 30 String <Password> 30 String </AuthToken> </QueryRequestHeader> <CSR> 50 String <ProductType> DV_LOW, DV </Request > </DecodeCSR> DecodeCSR Response <DecodeCSR> <Response> <OrderResponseHeader> <SuccessCode> 2 (<Errors> (<Error> <ErrorCode> 5 (<ErrorField>)? 1000 String <ErrorMessage> 1000 String </Error>)+ </Errors>)? <Timestamp> </OrderResponseHeader> <CSRData> (<CommonName>)? 255 String (<Organization>)? 255 String (<OrganizationUnit>)? 255 String (<Locality>)? 255 String (<State>)? 255 String (<Country>)? 30 String (< Address>)? 255 String (<KeyLength>)? 30 String </CSRData> <CertificatePreview> (<CommonName>)? 255 String (<Organization>)? 255 String (<OrganizationUnit>)? 255 String (<Locality>)? 255 String (<State>)? 255 String (<Country>)? 30 String (< Address>)? 255 String (<KeyLength>)? 30 String </CertificatePreview> </Response> </DecodeCSR> 7.2 Receive List of Approver Addresses and perform phishing DB check The details from the DecodeCSR Response can now be used to continue with the request. The next step involves receiving the list of approver addresses and an OrderID to complete the order of the certificate. GlobalSign API for SSL Certificates v4.3.4 Page 9 of 72

10 GetDVApproverList Request <GetDVApproverList xmlns=" <Request> <QueryRequestHeader> <AuthToken> <UserName> 30 <Password> 30 </AuthToken> </QueryRequestHeader> <FQDN> 255 String* </Request> </GetDVApproverList> *FQDN is the CommonName from previous response GetDVApproverList Response <GetDVApproverList xmlns=" <Response> <QueryResponseHeader> <SuccessCode> 2 (<Errors> (<Error> <ErrorCode> 5 <ErrorMessage> 1000 String </Error>)+ </Errors>)? <Timestamp> <ReturnCount> 5 </QueryResponseHeader> (<Approvers> (<Approver> <ApproverType> 10 String Domain or Generic <Approver > 255 </Approver>)+ </Approvers>)? <OrderID>? 50 String </Response> </GetDVApproverList> This response will contain a success code, a list of approver contact details for the end user to choose from and an OrderID for continuing with the order. If the success code is -1, the request procedure will stop and the error code will have to be consulted. 7.3 Ordering a DomainSSL or AlphaSSL Certificate The final step in the order process is carried out using the information from GetDVApproverList together with the CSR and the user details of the requestor. DVOrder Request <DVOrder xmlns=" <Request> <OrderRequestHeader> <AuthToken> <UserName> 30 String <Password> 30 String </AuthToken> </OrderRequestHeader> <OrderRequestParameter> <ProductCode> DV, DV_LOW (<BaseOption>)? wildcard <OrderKind> new,renewal,transfer <Licenses> 1-99 (<Options> GlobalSign API for SSL Certificates v4.3.4 Page 10 of 72

11 (<Option> <OptionName> VPC: ValidityPeriodCustomizeOption SAN: SANOption <OptionValue> true,false </Option>)+ <Options>)? <ValidityPeriod> <Months> 4 (<NotBefore>)? 25 (<NotAfter>)? 25 </ValidityPeriod> <CSR> 4000 String (<RenewalTergetOrderID)? 50 String (<TargetCERT>)? 4000 String (<SpecialInstructions>)? 4000 String (<Coupon>)? 50 String (<Campaign>)? 50 String </OrderRequestParameter> (<SubID>)? 50 String <OrderID> 50 String <Approver > 255 String <ContactInfo> <FirstName> 100 String <LastName> 100 String <Phone> 30 String < > 255 String </ContactInfo> <SecondContactInfo> <FirstName> 100 String <LastName> 100 String < > 255 String </SecondContactInfo> (<SANEntries> (<SANEntry> <SANOptionType> 1:UC cert option 2:Subdomain option <SubjectAltName> 4000 String (<ModifyOperation>)? <!- N/A --> </SANEntry>)+ </SANEntries>)? </Request> </DVOrder> DVOrder Response <DVOrder xmlns=" <Response> <OrderResponseHeader> <SuccessCode> 2 (<Errors> (<Error> <ErrorCode> 5 (<ErrorField>)? 1000 String <ErrorMessage> 1000 String </Error>)+ </Errors>)? <Timestamp> </OrderResponseHeader> <OrderID>? 50 String <!- Error empty message --> </Response> </DVOrder> If the response contains a success code of 0, GlobalSign will send out an to the Approval contact. After the contact has given his permission for the certificate to be issued, the certificate will be issued and the certificate sent via to the reseller for forwarding to the end user. GlobalSign API for SSL Certificates v4.3.4 Page 11 of 72

12 7.4 Ordering DomainSSL or AlphaSSL Using Metatag Verification Using the following methods will allow you to order and approve DomainSSL and AlphaSSL Certificates by using a metatag for verification instead of the approver method. After the order is placed, the API response will contain a metatag which needs to be placed in the index of the domain that is being secured. Partner API Server Outside of API: Partner / End user installs MetaTag in the <head> of the index of the domain being secured 1 2 Creates new Order with URLVerification Return Metatag Requests that MetaTags are checked with the URLVerificationForIssue Request 3 Upon Success Returns Certificate 4 Outside of API: GlobalSign crawler verifies metatag URLVerification Order Request <URLVerification xmlns=" <Request> <OrderRequestHeader> <AuthToken> <UserName> 30 String <Password> 30 String </AuthToken> </OrderRequestHeader> <OrderRequestParameter> <ProductCode> DV_HIGH_URL, DV_LOW_URL (<BaseOption>)? wildcard <OrderKind> new,renewal,transfer <Licenses> 1-99 (<Options> (<Option> <OptionName> VPC: ValidityPeriodCustomizeOption SAN: SANOption <OptionValue> true,false </Option>)+ <Options>)? <ValidityPeriod> <Months> 4 (<NotBefore>)? 25 (<NotAfter>)? 25 </ValidityPeriod> <CSR> 4000 String (<RenewalTargetOrderID)? 50 String (<TargetCERT>)? 4000 String (<SpecialInstructions>)? 4000 String GlobalSign API for SSL Certificates v4.3.4 Page 12 of 72

13 (<Coupon>)? 50 String (<Campaign>)? 50 String </OrderRequestParameter> (<SubID>)? 50 String <OrderID> 50 String <ContactInfo> <FirstName> 100 String <LastName> 100 String <Phone> 30 String < > 255 String </ContactInfo> <SecondContactInfo> <FirstName> 100 String <LastName> 100 String < > 255 String </SecondContactInfo> (<SANEntries> (<SANEntry> <SANOptionType> 1:UC cert option 2:Subdomain option <SubjectAltName> 4000 String (<ModifyOperation>)? <!- N/A --> </SANEntry>)+ </SANEntries>)? </Request> </URLVerification> URLVerification Order Response The response contains both the metatag and a list of allowable domains on which we can verify the FQDN with. The metatag needs to be placed on the index of the domain. <URLVerificationResponse xmlns=" <Response> <OrderResponseHeader> <SuccessCode> 2 (<Errors> (<Error> <ErrorCode> 5 (<ErrorField>)? 1000 String <ErrorMessage> 1000 String </Error>)+ </Errors>)? <Timestamp> </OrderResponseHeader> <OrderID>? 50 String <!- Error empty message --> <Metatag>? 50 String <!- Error empty message --> <VerificationURLList> <VerificationURL> 1000 String <VerificationURLList> </Response> </ URLVerificationResponse> URL Verification for Issue Request After placing the metatag on one of the allowable domains, the following request is used to have our crawler verify the metatag. <ns2: URLVerificationForIssue xmlns:ns2=" GlobalSign API for SSL Certificates v4.3.4 Page 13 of 72

14 <Request> <OrderRequestHeader> <AuthToken> <UserName> 30 String <Password> 30 String </AuthToken> </OrderRequestHeader> <OrderID> <ApproverURL> 64 String </Request> </ URLVerificationForIssue > URL Verification for Issue Response <UrlVerificationForIssue> <Response> <OrderResponseHeader> <SuccessCode> 2 (<Errors> (<Error> <ErrorCode> 5 (<ErrorField>)? 1000 String <ErrorMessage> 1000 String </Error>)+ </Errors>)? <Timestamp> </OrderResponseHeader> (<UrlVerificationForIssue> (<CertificateInfo> <CertificateStatus> 5 <StartDate> <EndDate> <CommonName> 64 String <SerialNumber> 64 String <SubjectName> 3000 String (<DNSNames>)? 300 String </CertficateInfo>)? (<Fulfillment> (<CACertificates> (<CACertificate> <CACertType> Root, Inter <CACert> 4000 String </CACertificate>)+ </CACertificates>)? (<ServerCertificate> <X509Cert> 4000 String <PKCS7Cert> 4000 String </ServerCertificate>)? </Fulfillment>)? </UrlVerificationForIssue>)? </Response> </UrlVerificationForIssue> 7.5 Ordering DomainSSL or AlphaSSL Using DNS Verification Using the following methods will allow you to order and approve DomainSSL and AlphaSSL Certificates by using a DNS txt record for verification instead of the approver method. After the order is placed, the API response will contain a DNS txt record which needs to be placed in the index of the domain that is being secured. Currently this function is only available via the API (no GUI implementation). The DNSTXT record will resemble: globalsign-domain-verification=ylhvopmzmfgzcazkqdnxxqkgylnwsj_ioc1cqq-nts Please note that the DNS txt record check is case sensitive. Some DNS providers may automatically adjust the case of the txt record. This scenario will cause a failure of the validation. GlobalSign API for SSL Certificates v4.3.4 Page 14 of 72

15 Partner API Server Outside of API: Partner / End user creates DNS txt record for domain being secured 1 2 Creates new Order with DVDNSOrder Return TXT record value Requests that DNS txt record is checked with the DVDNSVerificationForIssue Request 3 Upon Success Returns Certificate 4 Outside of API: GlobalSign crawler verifies DNS txt record DVDNSOrder Request <DVDNSOrder xmlns=" <Request> <OrderRequestHeader> <AuthToken> <UserName> 30 String <Password> 30 String </AuthToken> </OrderRequestHeader> <OrderRequestParameter> <ProductCode> DV_HIGH_DNS, DV_LOW_DNS (<BaseOption>)? wildcard <OrderKind> new,renewal,transfer <Licenses> 1-99 (<Options> (<Option> <OptionName> VPC: ValidityPeriodCustomizeOption SAN: SANOption <OptionValue> true,false </Option>)+ <Options>)? <ValidityPeriod> <Months> 4 (<NotBefore>)? 25 (<NotAfter>)? 25 </ValidityPeriod> <CSR> 4000 String (<RenewalTargetOrderID)? 50 String (<TargetCERT>)? 4000 String (<SpecialInstructions>)? 4000 String (<Coupon>)? 50 String (<Campaign>)? 50 String </OrderRequestParameter> (<SubID>)? 50 String <OrderID> 50 String <ContactInfo> <FirstName> 100 String <LastName> 100 String <Phone> 30 String GlobalSign API for SSL Certificates v4.3.4 Page 15 of 72

16 < > 255 String </ContactInfo> <SecondContactInfo> <FirstName> 100 String <LastName> 100 String < > 255 String </SecondContactInfo> (<SANEntries> (<SANEntry> <SANOptionType> 1:UC cert option 2:Subdomain option <SubjectAltName> 4000 String (<ModifyOperation>)? <!- N/A --> </SANEntry>)+ </SANEntries>)? </Request> </DVDNSOrder> DVDNS Order Response The response contains both the DNSTXT and a list of allowable domains on which we can verify the FQDN with by placing a DNS txt record. The DNSTXT needs to be place on the index of the domain. <DVDNSOrderResponse xmlns=" <Response> <OrderResponseHeader> <SuccessCode> 2 (<Errors> (<Error> <ErrorCode> 5 (<ErrorField>)? 1000 String <ErrorMessage> 1000 String </Error>)+ </Errors>)? <Timestamp> </OrderResponseHeader> <OrderID>? 50 String <!- Error empty message --> <DNSTXT>? 50 String <!- Error empty message --> < VerificationFQDNList> < VerificationFQDN > 1000 String </VerificationFQDNList > </Response> </ DVDNSOrderResponse> DVDNS Order for Issue Request After placing the DNS txt record on one of the allowable domains, the following request is used to have our crawler verify the DNS txt record. <ns2: DVDNSVerificationForIssue xmlns:ns2=" <Request> <OrderRequestHeader> <AuthToken> <UserName> 30 String <Password> 30 String </AuthToken> </OrderRequestHeader> <OrderID> <ApproverFQDN> 64 String </Request> </DVDNSVerificationForIssue> GlobalSign API for SSL Certificates v4.3.4 Page 16 of 72

17 DVDNS Order for Issue Response <DVDNSVerificationForIssueResponse> <Response> <OrderResponseHeader> <SuccessCode> 2 (<Errors> (<Error> <ErrorCode> 5 (<ErrorField>)? 1000 String <ErrorMessage> 1000 String </Error>)+ </Errors>)? <Timestamp> </OrderResponseHeader> (<DVDNSVerificationForIssue> (<CertificateInfo> <CertificateStatus> 5 <StartDate> <EndDate> <CommonName> 64 String <SerialNumber> 64 String <SubjectName> 3000 String (<DNSNames>)? 300 String </CertficateInfo>)? (<Fulfillment> (<CACertificates> (<CACertificate> <CACertType> Root, Inter <CACert> 4000 String </CACertificate>)+ </CACertificates>)? (<ServerCertificate> <X509Cert> 4000 String <PKCS7Cert> 4000 String </ServerCertificate>)? </Fulfillment>)? </DVDNSVerificationForIssue>)? </Response> </DVDNSVerificationForIssueResponse> GlobalSign API for SSL Certificates v4.3.4 Page 17 of 72

18 8. Ordering OrganizationSSL Certificates Obtaining Common Name from the CSR (1) DecodeCSR Request DecodeCSR Response Order OrganizationSSL certificate (2) OVOrder Request OVOrder Response 1. Parsing CSR 2. Submit order 8.1 OrganizationSSL Certificate Request Extracting Common Name from the CSR. DecodeCSR Request <DecodeCSR> <Request > <QueryRequestHeader> <AuthToken> <UserName> 30 String <Password> 30 String </AuthToken> </QueryRequestHeader> <CSR> 50 String <ProductType> OV </Request > </DecodeCSR> DecodeCSR Response <DecodeCSR> <Response> <OrderResponseHeader> <SuccessCode> 2 GlobalSign API for SSL Certificates v4.3.4 Page 18 of 72

19 (<Errors> (<Error> <ErrorCode> 5 (<ErrorField>)? 1000 String <ErrorMessage> 1000 String </Error>)+ </Errors>)? <Timestamp> </OrderResponseHeader> <CSRData> (<CommonName>)? 255 String (<Organization>)? 255 String (<OrganizationUnit>)? 255 String (<Locality>)? 255 String (<State>)? 255 String (<Country>)? 30 String (< Address>)? 255 String (<KeyLength>)? 30 String </CSRData> <CertificatePreview> (<CommonName>)? 255 String (<Organization>)? 255 String (<OrganizationUnit>)? 255 String (<Locality>)? 255 String (<State>)? 255 String (<Country>)? 30 String (< Address>)? 255 String (<KeyLength>)? 30 String </CertificatePreview> </Response> </DecodeCSR> 8.2 Ordering the OrganizationSSL Certificate OVOrder Request <OVOrder xmlns=" <Request> <OrderRequestHeader> <AuthToken> <UserName> 30 String <Password> 30 String </AuthToken> </OrderRequestHeader> <OrderRequestParameter> <ProductCode> OV (<BaseOption>)? wildcard, GIP <OrderKind> new,renewal,transfer <Licenses> 1-99 (<Options> (<Option> <OptionName> VPC: ValidityPeriodCustomizeOption SAN: SANOption <OptionValue> true,false </Option>)+ <Options>)? <ValidityPeriod> <Months> 4 (<NotBefore>)? 25 (<NotAfter>)? 25 </ValidityPeriod> <CSR> 4000 String (<RenewalTergetOrderID)? 50 String (<TargetCERT>)? 4000 String (<SpecialInstructions>)? 4000 String (<Coupon>)? 50 String GlobalSign API for SSL Certificates v4.3.4 Page 19 of 72

20 (<Campaign>)? 50 String </OrderRequestParameter> (<SubID>)? 50 String <OrganizationInfo> <OrganizationName> 255 String (<CreditAgency>)? 1:DUNS, 2:TDB (<OrganizationCode>)? 50 String <OrganizationAddress> <AddressLine1> 100 String (<AddressLine2>)? 100 String (<AddressLine3>)? 100 String <City> 200 String <Region> 255 String <PostalCode> 20 String <Country> 30 String <Phone> 30 String (<Fax>)? 30 String </OrganizationAddress> </OrganizationInfo> <ContactInfo> <FirstName> 100 String <LastName> 100 String <Phone> 30 String < > 255 String </ContactInfo> (<SANEntries> (<SANEntry> <SANOptionType> 1:UC cert option 2:Subdomain SAN option 3:GIP SAN option 4:Internal SAN option 7:FQDN SAN option <SubjectAltName> 4000 String (<ModifyOperation>)? ADDITION, UNCHANGED, DELETE </SANEntry>)+ </SANEntries>)? </Request> </OVOrder> OVOrder Response <OVOrder xmlns=" <Response> <OrderResponseHeader> <SuccessCode> 2 (<Errors> (<Error> <ErrorCode> 5 (<ErrorField>)? 1000 String <ErrorMessage> 1000 String </Error>)+ </Errors>)? <Timestamp> </OrderResponseHeader> <OrderID>? 50 String <!- Error empty message --> </Response> </OVOrder> GlobalSign API for SSL Certificates v4.3.4 Page 20 of 72

21 9. Ordering ExtendedSSL Certificates (1) DecodeCSR Request Obtaining Common Name from the CSR DecodeCSR Response (2) EVOrder Request Order ExtendedSSL certificate EVOrder Response 1. Parsing CSR and Phishing check 2. Request an order 9.1 ExtendedSSL Certificate Request Extracting Common Name from the CSR. DecodeCSR Request <DecodeCSR> <Request > <QueryRequestHeader> <AuthToken> <UserName> 30 String <Password> 30 String </AuthToken> </QueryRequestHeader> <CSR> 50 String <ProductType> EV </Request > </DecodeCSR> DecodeCSR Response <DecodeCSR> <Response> <OrderResponseHeader> <SuccessCode> 2 (<Errors> (<Error> <ErrorCode> 5 (<ErrorField>)? 1000 String GlobalSign API for SSL Certificates v4.3.4 Page 21 of 72

22 <ErrorMessage> 1000 String </Error>)+ </Errors>)? <Timestamp> </OrderResponseHeader> <CSRData> (<CommonName>)? 255 String (<Organization>)? 255 String (<OrganizationUnit>)? 255 String (<Locality>)? 255 String (<State>)? 255 String (<Country>)? 30 String (< Address>)? 255 String (<KeyLength>)? 30 String </CSRData> <CertificatePreview> (<CommonName>)? 255 String (<Organization>)? 255 String (<OrganizationUnit>)? 255 String (<Locality>)? 255 String (<State>)? 255 String (<Country>)? 30 String (< Address>)? 255 String (<KeyLength>)? 30 String </CertificatePreview> </Response> </DecodeCSR> 9.2 Ordering the ExtendedSSL Certificate EVOrder Request <EVOrder xmlns=" <Request> <OrderRequestHeader> <AuthToken> <UserName> 30 String <Password> 30 String </AuthToken> </OrderRequestHeader> <OrderRequestParameter> <ProductCode> EV (<BaseOption>)? wildcard,globalip <OrderKind> new,renewal,transfer <Licenses> 1-99 (<Options> (<Option> <OptionName> VPC: ValidityPeriodCustomizeOption SAN: SANOption <OptionValue> true,false </Option>)+ <Options>)? <ValidityPeriod> <Months> 4 (<NotBefore>)? 25 (<NotAfter>)? 25 </ValidityPeriod> <CSR> 4000 String (<RenewalTergetOrderID)? 50 String (<TargetCERT>)? 4000 String (<SpecialInstructions>)? 4000 String (<Coupon>)? 50 String (<Campaign>)? 50 String </OrderRequestParameter> (<SubID>)? 50 String GlobalSign API for SSL Certificates v4.3.4 Page 22 of 72

23 <OrganizationInfoEV> (<CreditAgency>)? 1:DUNS, 2:TDB (<OrganizationCode>)? 50 String (<BusinessAssumedName>)? 255 String <BusinessCategoryCode> PO:Private Organization GE:Government Entity BE:BusinessEntity <OrganizationAddress> <AddressLine1> 100 String (<AddressLine2>)? 100 String (<AddressLine3>)? 100 String <City> 200 String <Region> 255 String <PostalCode> 20 String <Country> 30 String ISO <Phone> 30 String (<Fax>)? 30 String </OrganizationAddress> </OrganizationInfoEV> <RequestorInfo> <FirstName> 100 String <LastName> 100 String (<Function>)? 255 String <OrganizationName> 255 String (<OrganizationUnit>)? 100 String <Phone> 30 String < > 255 String </RequestorInfo> <ApproverInfo> <FirstName> 100 String <LastName> 100 String (<Function>)? 255 String <OrganizationName> 255 String (<OrganizationUnit>)? 100 String <Phone> 30 String < > 255 String </ApproverInfo> <AuthorizedSignerInfo> <OrganizationName> 255 String <FirstName> 100 String <LastName> 100 String (<Function>)? 255 String <Phone> 30 String < > 255 String </AuthorizedSignerInfo> <JurisdictionInfo> <JurisdictionCountry> 30 String ISO <StateOrProvince> 255 String <Locality> 200 String <IncorporatingAgencyRegistrationNumber> 100 String </JurisdictionInfo> <ContactInfo> <FirstName> 100 String <LastName> 100 String <Phone> 30 String < > 255 String </ContactInfo> (<SANEntries> (<SANEntry> <SANOptionType> 1:UC cert option 2:Subdomain SAN option 3:GIP SAN option 4:Internal SAN option 7:FQDN SAN option <SubjectAltName> 4000 String (<ModifyOperation>)? <!- N/A --> </SANEntry>)+ </SANEntries>)? </Request> </EVOrder> GlobalSign API for SSL Certificates v4.3.4 Page 23 of 72

24 EVOrder Response <EVOrder xmlns=" <Response> <OrderResponseHeader> <SuccessCode> 2 (<Errors> (<Error> <ErrorCode> 5 (<ErrorField>)? 1000 String <ErrorMessage> 1000 String </Error>)+ </Errors>)? <Timestamp> 25 </OrderResponseHeader> <OrderID>? 50 String <!- Error empty message --> </Response> </EVOrder> 10. General SSL Functions 10.1 Changing the SubjectAltName in Certificate DomainSSL Set the Common Name and get approver list and OrderId (1) GetDVApproverList Request GetDVApproverList Response Order ChangeSubjectAltName using OrderID and selected approver address (2) ChangeSubjectAltName Request ChangeSubjectAltName Response 1. Getting list of approver and OrderID for ChangeSubjectAltName(with Phishing check) 2. Request an SAN Order 3. Sending approver 4. Approve or deny order OrganizationalSSL, Extended SSL GlobalSign API for SSL Certificates v4.3.4 Page 24 of 72

25 Set SubjectAltName information and order certificate (1) ChangeSubjectAltName Request ChangeSubjectAltName Response 10.2 Change SubjectAltName Use the ChangeSubjectAltName API to change (add or delete) SubjectAltName(s) of issued certificate. <SANEntries> parameters should be set as how SubjectAltName(s) would be after this change. GetDVApproverList API should be requested beforehand for DomainSSL. New certificate with requested SubjectAltName will be issued after the vetting is completed and be able to get using Query APIs. ChangeSubjectAltName Request <ChangeSubjectAltName xmlns=" "> <Request> <OrderRequestHeader> <AuthToken> <UserName> <Password> </AuthToken> </OrderRequestHeader> (<OrderID>)? 50 String <TargetOrderID> 50 String (<Approver >)? (<SANEntries> (<SANEntryArray> <SANOptionType> 1:UC cert option 2:Subdomain SAN option 3:GIP SAN option 4:Internal SAN option 7:FQDN SAN option <SubjectAltName> 64 String </SANEntryArray>)+ </SANEntries>)? <PIN>? String </Request> </ChangeSubjectAltName> ChangeSubjectAltName Response <ChangeSubjectAltName xmlns=" <Response> <OrderResponseHeader> <SuccessCode> (<Errors> (<Error> <ErrorCode> 5 GlobalSign API for SSL Certificates v4.3.4 Page 25 of 72

26 (<ErrorField>)? 1000 String <ErrorMessage> 1000 String </Error>)+ </Errors>)? <Timestamp> </OrderResponseHeader> <OrderID>? 50 String (<TargetOrderID>)? 50 String </Response> </ChangeSubjectAltName> 10.3 Create Cert-Invites (CertInviteOrder) Request which allows the ordering and creation of Cert-Invites. CertInviteOrder Request <CertInviteOrder > <Request> <OrderRequestHeader> <AuthToken> <UserName> 30 String <Password> 30 String </AuthToken> </OrderRequestHeader> <OrderRequestParameter> <ProductCode> DV_LOW, DV,OV,EV (<BaseOption>)? Wildcard <OrderKind> new,renewal,transfer (<Options> (<Option> <OptionName> EXP: ExpressOption INS: InsuranceOption GSS: GSSupportOption REX: RenewalExtentionOption VPC: ValidityPeriodCustomizeOption SAN: SANOption true,false <OptionValue> </Option>)+ <Options>)? <ValidityPeriod> <Months> 4 (<NotBefore>)? 25 (<NotAfter>)? 25 </ValidityPeriod> (<RenewalTergetOrderID)? 50 String (<Coupon>)? 50 String (<Campaign>)? 50 String </OrderRequestParameter> (<SANEntries> (<SANEntry> <SANOptionType> 1:UC cert option 2:Subdomain SAN option 3:GIP SAN option 4:Internal SAN option 7:FQDN SAN option </SANEntry>)+ </SANEntries>)? <CertInviteExpirationDate> 25 YYYY-MM- DDTHH:MM:SS.000Z <RecipientDeliveryOption> true,false <CertInviteRecipient > 255 String </Request> </ CertInviteOrder > GlobalSign API for SSL Certificates v4.3.4 Page 26 of 72

27 CertInviteOrder Response <CertInviteOrder> <Response> <OrderResponseHeader> <SuccessCode> 2 (<Errors> (<Error> <ErrorCode> 5 (<ErrorField>)? 1000 String <ErrorMessage> 1000 String </Error>)+ </Errors>)? <Timestamp> </OrderResponseHeader> <PIN> 255 String </Response> </CertInviteOrder> 10.4 Change Approver (ChangeApprover ) A request which allows the API user to change the approver for the order. When request is submitted a new approval request will be sent to the approver provided. The user may optionally use a get approver list request before submitting the change approver request. ChangeApprover Request <ChangeApprover > <Request> <OrderRequestHeader> <AuthToken> <UserName> 30 String <Password> 30 String </AuthToken> </OrderRequestHeader> <OrderID> 50 String <Approver > 255 String <FQDN> 255 String </Request> </ChangeApprover > ChangeApprover Response <ChangeApprover > <Response> <OrderResponseHeader> <SuccessCode> 2 (<Errors> (<Error> <ErrorCode> 5 (<ErrorField>)? 1000 String <ErrorMessage> 1000 String </Error>)+ </Errors>)? <Timestamp> </OrderResponseHeader> <OrderID>? 50 String </Response> </ChangeApprover > GlobalSign API for SSL Certificates v4.3.4 Page 27 of 72

28 10.5 Re-Send Approver (Resend ) If the user did not receive or lost his Approver message you can use the Resend API to resend this . Resend Request <Resend xmlns=" <Request> <OrderRequestHeader> <AuthToken> <UserName> 30 <Password> 30 </AuthToken> </OrderRequestHeader> <OrderID> 50 String <Resend Type> 20 String APPROVER </Request> </Resend > Resend Response <Resend xmlns=" <Response> <OrderResponseHeader> <SuccessCode> 2 (<Errors> (<Error> <ErrorCode> 5 (<ErrorField>)? 1000 String <ErrorMessage> 1000 String </Error>)+ </Errors>)? <Timestamp> </OrderResponseHeader> <OrderID>? 50 String </Response> </Resend > 10.6 Modify Existing Order (ModifyOrder) Using the ModifyOrder API you can Approve, Cancel or Revoke a Certificate or Certificate Request by using the OrderID of the Order. ModifyOrder Request <ModifyOrder xmlns=" <Request > <OrderRequestHeader> <AuthToken> <UserName> <Password> </AuthToken> </OrderRequestHeader> <OrderID> 50 String <ModifyOrderOperation> APPROVE,CANCEL,REVOKE </Request > </ModifyOrder> GlobalSign API for SSL Certificates v4.3.4 Page 28 of 72

29 ModifyOrder Response <ModifyOrder xmlns=" <Response> <OrderResponseHeader> <SuccessCode> 2 (<Errors> (<Error> <ErrorCode> 5 (<ErrorField>)? 1000 String <ErrorMessage> 1000 String </Error>)+ </Errors>)? <Timestamp> </OrderResponseHeader> <OrderID>? 50 String </Response> </ModifyOrder> 11. Service & Query API Calls 11.1 Get Issued Certificate Single Certificate (GetOrderByOrderID) GetOrderByOrderID Request <GetOrderByOrderID xmlns=" <Request> <QueryRequestHeader> <AuthToken> <UserName> 30 String <Password> 30 String </AuthToken> </QueryRequestHeader> <OrderID> 50 String (<OrderQueryOption> (<OrderStatus>)? <!- N/A --> (<ReturnOrderOption>)? 5 String true, false (<ReturnCertificateInfo>)? 5 String true, false (<ReturnFulfillment>)? 5 String true, false (<ReturnCACerts>)? 5 String ReturnFulfillment true </OrderQueryOption>)? </Request> </GetOrderByOrderID> GetOrderByOrderID Response GetOrderByOrderID xmlns=" <Response> <QueryResponseHeader> <SuccessCode> 2 (<Errors> (<Error> <ErrorCode> 5 <ErrorMessage> 1000 String </Error>)+ </Errors>)? <Timestamp> 25 <ReturnCount> 5 </QueryResponseHeader> <OrderID>? 50 String (<Pkcs12File>)? 4000 String GlobalSign API for SSL Certificates v4.3.4 Page 29 of 72

30 (<OrderDetail> <OrderInfo> <OrderID> 50 String <ProductCode> 20 String (<BaseOption>)? 20 String <OrderKind> 10 String <Licenses> 3 (<ExpressOption>)? 5 String (<ValidityPeriodCustomizeOption>)? 5 String (<InsuranceOption>)? 5 String (<GSSupportOption>)? 5 String (<RenewalExtentionOption>)? 5 String <DomainName> 255 String <OrderDate> 25 (<OrderCompleteDate>)? 25 (<OrderCanceledDate>)? 25 (<OrderDeactivatedDate>)? 25 YYYY-MM- DDTHH:MM:SS.000Z <OrderStatus> 5 1: INITIAL 2: Waiting for phishing check 3: Cancelled - Not Issued 4: Issue completed 5: Cancelled - Issued 6: Waiting for revocation 7: Revoked <Price> 10 <Currency> 10 String <ValidityPeriod> <Months> 4 (<NotBefore>)? 25 (<NotAfter>)? 25 </ValidityPeriod> (<SpecialInstructions>)? 4000 String </OrderInfo> <OrderSubInfo> <CSRSkipOrderFlag> 5 String true,false <DNSOrderFlag> 5 String true,false <TrustedOrderFlag> 5 String true,false (<P12DeleteStatus>)? 5 (<P12DeleteDate>)? 25 (<VerificationUrl>)? 300 String <SubId> 50 String </OrderSubInfo> (<OrderOption> <ApproverNotifiedDate>? 25 YYYY-MM- DDTHH:MM:SS.000Z <ApproverConfirmDate>? 25 <Approver Address>? 255 String <OrganizationInfo> <OrganizationName> 255 String (<CreditAgency>)? 50 String (<OrganizationCode>)? 50 String (<BusinessAssumedName>)? 255 String (<BusinessCategoryCode>)? 20 String <OrganizationAddress> <AddressLine1> 100 String (<AddressLine2>)? 100 String (<AddressLine3>)? 100 String <City> 200 String <Region> 255 String <PostalCode> 20 String <Country> 30 String <Phone> 30 String (<Fax>)? 30 String </OrganizationAddress> </OrganizationInfo> (<RequestorInfo> <FirstName> 100 String <LastName> 100 String <Function> 255 String <OrganizationName> 255 String GlobalSign API for SSL Certificates v4.3.4 Page 30 of 72

31 <OrganizationUnit> 100 String <Phone> 30 String < > 255 String </RequestorInfo>)? (<ApproverInfo> <FirstName> 100 String <LastName> 100 String <Function> 255 String <OrganizationName> 255 String (<OrganizationUnit>)? 100 String <Phone> 30 String < > 255 String </ApproverInfo>)? (<AuthorizedSignerInfo> <FirstName> 100 String <LastName> 100 String <Function> 255 String <Phone> 30 String < > 255 String </AuthorizedSignerInfo>)? (<JurisdictionInfo> < JurisdictionCountry> 30 String <StateOrProvince> 255 String <Locality> 200 String <IncorporatingAgencyRegistrationNumber> 100 String </JurisdictionInfo>)? (<ContactInfo> <FirstName> 100 String <LastName> 100 String <Phone> 30 String < > 255 String </ContactInfo>)? </OrderOption>)? (<CertificateInfo> <CertificateStatus> 5 1: INITIAL 2: Waiting for phishing check 3: Cancelled - Not Issued 4: Issue completed 6: Waiting for revocation 7: Revoked <StartDate> 25 <EndDate> 25 <CommonName> 64 String <SerialNumber> 64 String <SubjectName> 3000 String (<DNSNames>)? 300 String </CertificateInfo>)? (<Fulfillment> (<CACertificates> (<CACertificate> <CACertType> 15 String Root,Inter <CACert> 4000 String </CACertificate>)+ </CACertificates>)? (<ServerCertificate> <X509Cert> 4000 String <PKCS7Cert> 4000 String </ServerCertificate>)? </Fulfillment>)? <ModificationEvents> (<ModificationEvent> <ModificationEventName> 5 <ModificationEventTimestamp>25 YYYY-MM- DDTHH:MM:SS.000Z </ModificationEvent>)+ </ModificationEvents>? </OrderDetail>)? </Response> </GetOrderByOrderID> GlobalSign API for SSL Certificates v4.3.4 Page 31 of 72

32 11.2 Query API to get Issued Certificate - Multiple Orders (GetOrderByDateRange) GetOrderByDateRange Request <GetOrderByDateRange xmlns=" <Request> <QueryRequestHeader> <AuthToken> <UserName> 30 <Password> 30 </AuthToken> </QueryRequestHeader> <FromDate> <ToDate> (<OrderQueryOption> (<OrderStatus>)? 5 String true, false (<ReturnOrderOption>)? 5 String true, false (<ReturnCertificateInfo>)? 5 String true, false (<ReturnFulfillment>)? 5 String true, false (<ReturnCACerts>)? 5 String </OrderQueryOption>)? </Request> </GetOrderByDataRange> GetOrderByDateRange Response <GetOrderByDateRange xmlns=" <Response> <QueryResponseHeader> <SuccessCode> 2 (<Errors> (<Error> <ErrorCode> 5 <ErrorMessage> 1000 String </Error>)+ </Errors>)? <Timestamp> 25 <ReturnCount> 5 </QueryResponseHeader> <FromDate>? 25 <ToDate>? 25 (<OrderDetails> (<OrderDetail> <OrderInfo> <OrderID> 50 String <ProductCode> 20 String (<BaseOption>)? 20 String <OrderKind> 10 String <Licenses> 3 (<ExpressOption>)? 5 String (<ValidityPeriodCustomizeOption>)?5 String (<InsuranceOption>)? 5 String (<GSSupportOption>)? 5 String (<RenewalExtentionOption>)?5 String <DomainName> 255 String <OrderDate> 25 (<OrderCompleteDate>)? 25 (<OrderCanceledDate>)? 25 (<OrderDeactivatedDate>)? 25 YYYY-MM- DDTHH:MM:SS.000Z <OrderStatus> 5 1: INITIAL 2: Waiting for phishing check 3: Cancelled - Not Issued 4: Issue completed 5: Cancelled - Issued 6: Waiting for revocation 7: Revoked <Price> 10 <Currency> 10 String <ValidityPeriod> <Months> 4 GlobalSign API for SSL Certificates v4.3.4 Page 32 of 72

33 DDTHH:MM:SS.000Z (<NotBefore>)? 25 (<NotAfter>)? 25 </ValidityPeriod> (<SpecialInstructions>)? 4000 String </OrderInfo> <OrderSubInfo> <CSRSkipOrderFlag> 5 String true,false <DNSOrderFlag> 5 String true,false <TrustedOrderFlag> 5 String true,false (<P12DeleteStatus>)? 5 (<P12DeleteDate>)? 25 (<VerificationUrl>)? 300 String <SubId> 50 String </OrderSubInfo> (<OrderOption> <ApproverNotifiedDate>? 25 YYYY-MM- <ApproverConfirmDate>? 25 <Approver Address>? 255 String <OrganizationInfo> <OrganizationName> 255 String (<CreditAgency>)? 50 String (<OrganizationCode>)? 50 String (<BusinessAssumedName>)? 255 String (<BusinessCategoryCode>)? 20 String <OrganizationAddress> (<AddressLine1>)? 100 String (<AddressLine2>)? 100 String (<AddressLine3>)? 100 String <City> 200 String <Region> 255 String (<PostalCode>)? 20 String <Country> 30 String <Phone> 30 String (<Fax>)? 30 String </OrganizationAddress> </OrganizationInfo> (<RequestorInfo> <FirstName> 100 String <LastName> 100 String <Function> 255 String <OrganizationName> 255 String <OrganizationUnit> 100 String <Phone> 30 String < > 255 String </RequestorInfo>)? (<ApproverInfo> <FirstName> 100 String <LastName> 100 String <Function> 255 String <OrganizationName> 255 String (<OrganizationUnit>)? 100 String <Phone> 30 String < > 255 String </ApproverInfo>)? (<AuthorizedSignerInfo> <FirstName> 100 String <LastName> 100 String <Function> 255 String <Phone> 30 String < > 255 String </AuthorizedSignerInfo>)? (<JurisdictionInfo> < JurisdictionCountry> 30 String <StateOrProvince> 255 String <Locality> 200 String <IncorporatingAgencyRegistrationNumber>100 String </JurisdictionInfo>)? (<ContactInfo> <FirstName> 100 String <LastName> 100 String GlobalSign API for SSL Certificates v4.3.4 Page 33 of 72

34 <Phone> 30 String < > 255 String </ContactInfo>)? </OrderOption>)? (<CertificateInfo> <CertificateStatus> 5 1: INITIAL 2: Waiting for phishing check 3: Cancelled - Not Issued 4: Issue completed 6: Waiting for revocation 7: Revoked <StartDate> 25 <EndDate> 25 <CommonName> 64 String <SerialNumber> 64 String <SubjectName> 3000 String (<DNSNames>)? 300 String </CertificateInfo>)? (<Fulfillment> (<CACertificates> (<CACertificate> <CACertType> 15 String Root,Inter <CACert> 4000 String </CACertificate>)+ </CACertificates>)? (<ServerCertificate> <X509Cert> 4000 String <PKCS7Cert> 4000 String </ServerCertificate>)? </Fulfillment>)? <ModificationEvents> (<ModificationEvent> <ModificationEventName> 5 <ModificationEventTimestamp>25 YYYY-MM- DDTHH:MM:SS.000Z </ModificationEvent>)+ </ModificationEvents>? </OrderDetail>)+ </OrderDetails>)? </Response> </GetOrderByDataRange> 11.3 Query API to Get Recently Modified Orders (GetModifiedOrders) As mentioned above the GetModifiedOrders API will return a list of orders modified within a specified time frame. GetModifiedOrders Request <GetModifiedOrders xmlns=" <Request> <QueryRequestHeader> <AuthToken> <UserName> <Password> </AuthToken> </QueryRequestHeader> <FromDate> <ToDate> (<OrderQueryOption> (<OrderStatus>)? 5 1: INITIAL 2: Waiting for phishing check 3: Cancelled - Not Issued 4: Issue completed 5: Cancelled - Issued 6: Waiting for revocation 7: Revoked (<ReturnOrderOption>)? true,false GlobalSign API for SSL Certificates v4.3.4 Page 34 of 72