GlobalSign API for SSL Certificates


Implementation Guide and Definitions
Version 4.3.5

Version Release Notes

Version 4.3.5 Changes 08/26/2016
- Reorganized sections for readability and flow, added expanded descriptions of the ordering process and ordering options for each of the products.
- Identified new test system URLs
- Identified new location for Random Value (meta-tag) for HTTP Domain Validation, per CA/B Forum Ballot 169
- Removed 4 and 5 year validity period options
- Removed SHA-1 references as SHA-1 has been deprecated
- Replaced list of ModificationEventName responses with new values
- Updated list of error codes and descriptions
- Clarified the definition of Custom Validity Period.
- Added new API field to request specific values for KeyUsage and Extended Key Usage

Version 4.3.4 Changes 06/2/2014
- Replaced ValidateOrderParameters with DecodeCSR in recommended workflow
- Added reference to hash algorithm specific product codes in addendum
- Added reference to validity period constraints in addendum
- Removed mention of obsolete TestOV product code
- Updated BaseOptions to include correct GlobalIP syntax

Version 4.3.3 Changes 03/14/2014
- Updated Reissue Function for Hash Algorithm SHA-256 - section 11.6

Copyright 2011-2016 GlobalSign, Inc. All rights reserved. GlobalSign, the GlobalSign logo and OneClickSSL are trademarks and registered trademarks of GlobalSign, Inc. or its affiliates in the United States and other countries. All other trademarks are the property of their respective owners.

Contents

1. Outline
2. SSL Product Type Explanations
   2.1 AlphaSSL
   2.2 DomainSSL
   2.3 OrganizationSSL
   2.4 Extended SSL
   2.5 Summary of key SSL Product Features
   2.6 Anti-Phishing Checks Background
   2.7 Web Service Functions Workflow Overview
   2.8 SSL Functions
   2.9 Service/Query Functions
   2.10 Account Functions
   2.11 Delivery of Issued Certificates by Email
   2.12 WSDL & API URLs
3. Ordering DomainSSL & AlphaSSL Certificates
   3.1 Ordering a DomainSSL or AlphaSSL Certificate Using email Validation
   3.2 Ordering DomainSSL or AlphaSSL Using HTTP (URL) Verification
   3.3 Ordering DomainSSL or AlphaSSL Using DNS Verification
4. Ordering OrganizationSSL Certificates
   4.1 OrganizationSSL Certificate Request
   4.2 Ordering the OrganizationSSL Certificate
5. Ordering ExtendedSSL Certificates
   5.1 Decode CSR
   5.2 Ordering the ExtendedSSL Certificate
6. General SSL Functions
   6.1 Receive List of Approver Email Addresses and perform phishing DB check
   6.2 Changing the SubjectAltName in Certificate
   6.3 Change SubjectAltName
   6.4 Create Cert-Invites (CertInviteOrder)
   6.5 Change Approver Email (ChangeApproverEmail)
   6.6 Re-Send Approver Email (ResendEmail)
   6.7 Modify Existing Order (ModifyOrder)
7. Service & Query API Calls
   7.1 Decode CSR
   7.2 Get Issued Certificate - Single Certificate (GetOrderByOrderID)
   7.3 Query API to get Issued Certificate - Multiple Orders (GetOrderByDateRange)
   7.4 Query API to Get Recently Modified Orders (GetModifiedOrders)
   7.5 Query to Determine Upcoming Renewals (GetOrderByExpirationDate)
   7.6 Query API to Get Certificate Orders (GetCertificateOrders)
   7.7 Query API to Reissue Certificates (ReIssue)
   7.8 ValidateOrderParameters
   7.9 ToggleRenewalNotice
8. Account API Functions
   8.1 GetAccountSnapshot
   8.2 ResellerApplication
   8.3 AddResellerDeposit
   8.4 Query Invoices
   8.5 GetAgreement
   8.6 Code Examples
9. Certificate Order Entry Parameters
   9.1 Approver FQDN
   9.2 Approver URL
   9.3 Base Options
   9.4 Country
   9.5 CreditAgency/OrganizationCode
   9.6 Custom Validity Period of the Certificate (by Not Before/Not After date)
   9.7 Date/Time Formatting
   9.8 Extensions
   9.9 KeyLength
   9.10 Licenses
   9.11 OptionName
   9.12 Order Type/Order Kind
   9.13 Product Codes
   9.14 Subject Alternative Names (SANs) Entry
   9.15 Validity Period
10. Status Explanations
   10.1 Order/Certificate Status
   10.2 ModificationEventName
   10.3 ResendEmailType
   10.4 Success / Error Codes
11. XML Field Definitions

GlobalSign API for SSL Certificates v4.3.5 Page 2 of 75

1. Outline

GlobalSign offers a Simple Object Access Protocol (SOAP) API for its partners and customers to directly order and manage certificates. Through this API, partners can perform functions such as ordering different products, cancelling and fulfilling orders, and querying for order data. The API supports applications for SSL Certificates placed by partners and by customers using the SSL Managed service platform. Partners may place orders for all certificate product types.

2. SSL Product Type Explanations

2.1 AlphaSSL

AlphaSSL is a low cost domain validated certificate with separate branding from the rest of GlobalSign's SSL product line. This product can only be purchased in standard or wildcard options, 1-3 year validity periods. No value add options such as SANs are supported with this product.

When placing an AlphaSSL order, the applicant must supply a CSR. Certificates requested by supplying a customer generated CSR are returned as standard certificate files.

Note: in the API product code specification AlphaSSL is referenced as DV_LOW.

2.2 DomainSSL

DomainSSL is a domain validated certificate from GlobalSign. DomainSSL supports both standard and wildcard configurations as well as specific SAN options with 1-3 year validity periods. SAN options include:
- Free Unified Communications support for owa, autodiscover, and mail
- Additional sub-domains

When placing a DomainSSL order the applicant may supply a CSR, or use the AutoCSR option. AutoCSR is available to direct customers only and is not available on reseller accounts. Certificates requested by supplying a customer generated CSR are returned as standard certificate files.

Note: in the API product code specification DomainSSL is referenced as DV.

2.3 OrganizationSSL

OrganizationSSL is a high assurance organization validated certificate. OrganizationSSL supports both standard and wildcard configurations as well as specific SAN options with 1-3 year validity periods. SAN options include:
- Free Unified Communications support for owa, autodiscover, and mail
- Additional domains
- Additional sub-domains
- Public IP Addresses

When placing an OrganizationSSL order, the applicant may supply a CSR, or use the AutoCSR option. AutoCSR is available to direct customers only and is not available on reseller accounts. Certificates requested by supplying a customer generated CSR are returned as standard certificate files.

Note: in the API product code specification OrganizationSSL is referenced as OV.

2.4 Extended SSL

ExtendedSSL or Extended Validation (EV) SSL is the highest assurance SSL certificate available. EV SSL supports standard SSL configurations with 1-2 years of validity; no wildcard option is available with this product. The following SAN options are available with ExtendedSSL:
- Free Unified Communications support for owa, autodiscover, and mail
- Additional domains
- Additional sub-domains

Note: in the API product code specification ExtendedSSL is referenced as EV.

2.5 Summary of key SSL Product Features

This is a table with the key features for the suite of SSL products:

Function EV OV DV Alpha Base Options Wildcard N Global IP N N N Private N N N N Validity Period in request (years) Up to 2 Up to 3 Up to 3 Up to 3 Maximum cert validity period (months) 27 39 39 39 Extra renewal Month Order Options (OptionName) SAN Option Renewal Extension Option Validity Period Customize Option Order Kind New Renewal Transfer SAN types: Unified Communications FQDN SubDomain GlobalIP Address Wildcard Internal SAN or Reserved IP address AutoCSR (RSA keys only, ECC is not supported) Extensions Extended Key Usage Key Usage TLS Feature Extension CSR Key Types supported RSA 2048-8192 ECC P-256 ECC P-384 N N N N N N N N N N N N N N N N [1] [1] N Future Future Future Future Post issuance: - Change SANs (Add/Delete) N/A - Cancel in 7 days - Revoke - Reissue Site Seal N N N N N N

[1] Note: AUTOCSR is not available for Partner accounts due to security concerns associated with the partner having access to their customer's private keys. It is available for Retail and Enterprise accounts.

2.6 Anti-Phishing Checks Background

All domain validated certificates (DomainSSL and AlphaSSL) are automatically put through the GlobalSign anti-phishing checks. These checks involve a series of automated processes to help identify potential phishing risks. If flagged as high risk the certificate will not be issued until manually reviewed by a GlobalSign vetting agent. If an API based order is flagged for phishing an appropriate alert message is reported and a vetting agent will be assigned to review the order. All other types of orders have the same anti-phishing checks performed during the manual vetting process.

2.7 Web Service Functions Workflow Overview

Order processing for SSL Certificates and web identity products is asynchronous. For these types of orders an API client places an order and then later checks the server for the completed order. The functions are broken into several categories:
- SSL Functions: calls to place, modify, or cancel orders
- Service & Query Functions: calls searching for complete orders (such as getting issued Certificates), decoding CSRs, validating order parameters
- Account Functions: calls needed to perform account actions, such as checking balance and modified sub-accounts

The general approach for ordering is to place orders using an SSL function, then periodically request the list of all orders that have changed status during a specified time interval (for example, the last four hours) using the Service/Query function of GetModifiedOrders. This returns a list of all orders and detailed order information for orders that have changed status in the specified time interval. The status of all returned orders can then be updated locally and used as necessary.

An alternative to querying for a set of modified orders within a time period is to specifically request the status of a specific order. In this case the ordering flow consists of the following operations: place an order, and then periodically check the status of the specific order (GetOrderByOrderID). Once the order has been completed, the fulfillment information is returned with the GetOrderByOrderID operation. This approach is less efficient, but might be more appropriate when there is a low volume of certificates being managed.

2.8 SSL Functions

| Function | API Request |
|---|---|
| Getting list of approver email addresses | GetApproverList |
| Getting list of approver email addresses and OrderID for DVOrder (DomainSSL and AlphaSSL only) | GetDVApproverList |
| Order AlphaSSL or DomainSSL Certificate with Approver Email validation | DVOrder, DVOrderWithoutCSR |
| Order AlphaSSL or DomainSSL Certificate with Metatag validation | URLVerification & URLVerificationForIssue |
| Order AlphaSSL or DomainSSL Certificate with DNS validation | DVDNS |
| Order OrganizationSSL Certificate | OVOrder, OVOrderWithoutCSR |
| Order ExtendedSSL Certificate | EVOrder |
| Changing certificate order status | ModifyOrder |
| Resend Approver Emails for AlphaSSL & DomainSSL orders | ResendEmail |
| Place an order using the cert invite functionality | CertInviteOrder |
| Change the email address that the approval request is sent to for domain validated products | ChangeApproverEmail |
| Change the SubjectAltName in certificate | ChangeSubjectAltName |

2.9 Service/Query Functions

| Function | API |
|---|---|
| Decoding a CSR | DecodeCSR |
| Searching order information by Order ID | GetOrderByOrderID |
| Searching modified orders by modified date (from/to) | GetModifiedOrders |
| Getting order list | GetCertificateOrders |
| Searching orders by order date (from/to) | GetOrderByDateRange |
| Check upcoming expirations | GetOrderByExpirationDate |
| ReIssue Certificate | ReIssue |
| Turn on/off Renewal notice | ToggleRenewalNotice |
| Checking order parameter validity | ValidateOrderParameters |

2.10 Account Functions

| Function | API |
|---|---|
| To view account balance and recent usage | AccountSnapshot |
| Add deposit to a sub reseller account | AddResellerDeposit |
| Query outstanding invoices | QueryInvoices |
| Create a sub-reseller account | ResellerApplication |

2.11 Delivery of Issued Certificates by Email

Issued certificates can be delivered directly to the customer specified in the appropriate 4.1 Order functions. In the DVOrder / OVOrder / EVOrder Request specify the end customer and their email address in the <ContactInfo> field.

Note: To directly email the end customer your account must be configured on a specific template group. Contact your Account Manager or Tech Implementation Contact to arrange.

2.12 WSDL & API URLs

WSDL URLs:

| System | Feature | URL |
|---|---|---|
| PROD | SSL Functions WSDL | https://system.globalsign.com/kb/ws/v1/serversslservice?wsdl |
| PROD | Service / Query WSDL | https://system.globalsign.com/kb/ws/v1/gasservice?wsdl |
| PROD | Account WSDL | https://system.globalsign.com/kb/ws/v1/accountservice?wsdl |
| PROD | Subscriber Agreement WSDL | https://system.globalsign.com/qb/ws/gasquery?wsdl |
| TEST | SSL Functions WSDL | https://test-gcc.globalsign.com/kb/ws/v1/serversslservice?wsdl |
| TEST | Service / Query WSDL | https://test-gcc.globalsign.com/kb/ws/v1/gasservice?wsdl |
| TEST | Account WSDL | https://test-gcc.globalsign.com/kb/ws/v1/accountservice?wsdl |
| TEST | Subscriber Agreement WSDL | N/A |

API URLs:

| System | Feature | URL |
|---|---|---|
| PROD | SSL Functions | https://system.globalsign.com/kb/ws/v1/serversslservice |
| PROD | Service / Query | https://system.globalsign.com/kb/ws/v1/gasservice |
| PROD | Account | https://system.globalsign.com/kb/ws/v1/accountservice |
| PROD | Subscriber Agreement | https://system.globalsign.com/qb/ws/gasquery |
| TEST | SSL Functions | https://test-gcc.globalsign.com/kb/ws/v1/serversslservice |
| TEST | Service / Query | https://test-gcc.globalsign.com/kb/ws/v1/gasservice |
| TEST | Account | https://test-gcc.globalsign.com/kb/ws/v1/accountservice |
| TEST | Subscriber Agreement | N/A |

*Test system accounts are available to API customers upon request

3. Ordering DomainSSL & AlphaSSL Certificates

DomainSSL and AlphaSSL certificates can be ordered via 3 different validation methods:
- DVOrder: Approved via email
- URLVerification: Approved via meta-tag posted on the website of the domain being validated
- DVDNS: Order approved via placing a value in the DNS entry for the domain being validated

3.1 Ordering a DomainSSL or AlphaSSL Certificate Using email Validation

Workflow:
(1) Optional - Obtain Common Name from the CSR: DecodeCSR Request / DecodeCSR Response
(2) Obtain the list of approver e-mail addresses, OrderID and check phishing DB using Common Name: GetDVApproverList Request / GetDVApproverList Response
(3) Order DomainSSL certificate using Order ID and selected approver e-mail address: DVOrder Request / DVOrder Response
- Sending approver e-mail (Out of API)
- Approve (Out of API)

1. DecodeCSR: This decodes the CSR and returns the values (optional).
2. GetDVApproverList: This returns a list of valid approver email addresses which can be specified in the DVOrder below. If you use one of the following email addresses: admin@, administrator@, hostmaster@, postmaster@, or webmaster@example.com, then this API command is not necessary. If you want to use one of the email addresses from the WHOIS, then it's recommended you call this command to verify the email addresses are available for use. Getting list of approver emails and order ID for DVOrder and check CN against phishing database (when email approval is to be used).
3. DVOrder Request: This creates the Order in the system
4. Sending approver email (outside the API)
5. Approve (or deny) order (outside the API)
6. GetOrderByOrderID, or similar: Pick up the issued certificate

DVOrder Request

    <DVOrder xmlns="http://stub.order.gasapiserver.esp.globalsign.com">
      <Request>
        <OrderRequestHeader>
          <AuthToken>
            <UserName> 30 String
            <Password> 30 String
          </AuthToken>
        </OrderRequestHeader>
        <OrderRequestParameter>
          <ProductCode> DV, DV_LOW
          (<BaseOption>)? wildcard
          <OrderKind> new,renewal,transfer
          <Licenses> 1-99
          (<Options>
            (<Option>
              <OptionName> VPC: ValidityPeriodCustomizeOption
                           SAN: SANOption
              <OptionValue> true,false
            </Option>)+
          </Options>)?
          <ValidityPeriod>
            <Months> 4
            (<NotBefore>)? 25 YYYY-MM-DDTHH:MM:SS.000Z
            (<NotAfter>)? 25 YYYY-MM-DDTHH:MM:SS.000Z
          </ValidityPeriod>
          <CSR> 4000 String
          (<RenewalTargetOrderID>)? 50 String
          (<TargetCERT>)? 4000 String
          (<SpecialInstructions>)? 4000 String
          (<Coupon>)? 50 String
          (<Campaign>)? 50 String
        </OrderRequestParameter>
        (<SubID>)? 50 String
        <OrderID> 50 String
        <ApproverEmail> 255 String
        <ContactInfo>
          <FirstName> 100 String
          <LastName> 100 String
          <Phone> 30 String
          <Email> 255 String
        </ContactInfo>
        <SecondContactInfo>
          <FirstName> 100 String
          <LastName> 100 String
          <Phone> 30 String
          <Email> 255 String
        </SecondContactInfo>
        (<SANEntries>
          (<SANEntry>
            <SANOptionType> 1:UC cert option
                            2:Subdomain option
            <SubjectAltName> 4000 String
            (<ModifyOperation>)? <!-- N/A -->
          </SANEntry>)+
        </SANEntries>)?
      </Request>
    </DVOrder>
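The DVOrder request definition above translates directly into client-side checks. The following is an added example, not code from GlobalSign or from the original guide: it builds a DVOrder body with the documented length and value limits enforced, and masks the password whenever the request is serialized for logs. It assumes a namespace-prefixed root with unqualified children (the form the guide uses for URLVerificationForIssue); SecondContactInfo, options and SAN entries are left out here, and all sample values are constructed.

```python
import copy
import xml.etree.ElementTree as ET

ORDER_NS = "http://stub.order.gasapiserver.esp.globalsign.com"

# Maximum field lengths copied from the DVOrder request definition.
MAX_LEN = {"UserName": 30, "Password": 30, "CSR": 4000, "OrderID": 50,
           "ApproverEmail": 255, "FirstName": 100, "LastName": 100,
           "Phone": 30, "Email": 255}
PRODUCT_CODES = {"DV", "DV_LOW"}
ORDER_KINDS = {"new", "renewal", "transfer"}

# Constructed sample contact, not taken from the guide.
SAMPLE_CONTACT = {"FirstName": "Alex", "LastName": "Example",
                  "Phone": "+1-555-0100", "Email": "alex@example.com"}


def add_field(parent, tag, value):
    """Append <tag>value</tag>, rejecting empty or over-length values."""
    text = str(value)
    if not text:
        raise ValueError(f"{tag} must not be empty")
    limit = MAX_LEN.get(tag)
    if limit is not None and len(text) > limit:
        raise ValueError(f"{tag} is {len(text)} characters, limit is {limit}")
    child = ET.SubElement(parent, tag)
    child.text = text
    return child


def build_dv_order(username, password, product_code, order_kind, months,
                   csr_pem, order_id, approver_email, contact, licenses=1):
    """Build the DVOrder element in the field order the guide lists."""
    if product_code not in PRODUCT_CODES:
        raise ValueError(f"ProductCode must be one of {sorted(PRODUCT_CODES)}")
    if order_kind not in ORDER_KINDS:
        raise ValueError(f"OrderKind must be one of {sorted(ORDER_KINDS)}")
    if not 1 <= int(licenses) <= 99:
        raise ValueError("Licenses must be between 1 and 99")

    root = ET.Element(f"{{{ORDER_NS}}}DVOrder")
    request = ET.SubElement(root, "Request")

    header = ET.SubElement(request, "OrderRequestHeader")
    token = ET.SubElement(header, "AuthToken")
    add_field(token, "UserName", username)
    add_field(token, "Password", password)

    params = ET.SubElement(request, "OrderRequestParameter")
    add_field(params, "ProductCode", product_code)
    add_field(params, "OrderKind", order_kind)
    add_field(params, "Licenses", licenses)
    validity = ET.SubElement(params, "ValidityPeriod")
    add_field(validity, "Months", months)
    add_field(params, "CSR", csr_pem)

    add_field(request, "OrderID", order_id)
    add_field(request, "ApproverEmail", approver_email)
    info = ET.SubElement(request, "ContactInfo")
    for tag in ("FirstName", "LastName", "Phone", "Email"):
        add_field(info, tag, contact[tag])
    return root


def to_xml(root, redact=True):
    """Serialize the request; the Password is masked unless redact=False."""
    tree = root
    if redact:
        tree = copy.deepcopy(root)
        for element in tree.iter("Password"):
            element.text = "********"
    return ET.tostring(tree, encoding="unicode")


if __name__ == "__main__":
    order = build_dv_order(
        "example_user", "constructed-secret", "DV_LOW", "new", 12,
        "-----BEGIN CERTIFICATE REQUEST-----\n(constructed placeholder)\n"
        "-----END CERTIFICATE REQUEST-----",
        "EXAMPLE-ORDER-0001", "admin@example.com", SAMPLE_CONTACT)
    print(to_xml(order))  # safe to log: password is masked
```

Only `to_xml(order, redact=False)` should ever be handed to the HTTPS client; the default form is the one to write to logs.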

DVOrder Response

    <DVOrder xmlns="http://stub.order.gasapiserver.esp.globalsign.com">
      <Response>
        <OrderResponseHeader>
          <SuccessCode> 2
          (<Errors>
            (<Error>
              <ErrorCode> 5
              (<ErrorField>)? 1000 String
              <ErrorMessage> 1000 String
            </Error>)+
          </Errors>)?
          <Timestamp> YYYY-MM-DDTHH:MM:SS.000Z
        </OrderResponseHeader>
        <OrderID>? 50 String <!-- Error empty message -->
      </Response>
    </DVOrder>

If the response contains a success code of 0, GlobalSign will send out an email to the Approval Email contact. After the contact has given permission for the certificate to be issued, the certificate will be issued and sent via email to the reseller for forwarding to the end user.

3.2 Ordering DomainSSL or AlphaSSL Using HTTP (URL) Verification

Using the following methods will allow you to order and approve DomainSSL and AlphaSSL Certificates by using a metatag for verification instead of the approver email method. After the order is placed, the API response will contain a metatag which needs to be placed in the applicable location on the domain that is being secured.

Workflow between Partner and API Server:
1. Partner creates new Order with URLVerification
2. API Server returns Metatag
- Outside of API: Partner / End user installs MetaTag in the <head> of the index of the domain being secured
3. Partner requests that MetaTags are checked with the URLVerificationForIssue Request
- Outside of API: GlobalSign crawler verifies metatag
4. Upon Success, API Server returns Certificate

URLVerification Order Request

    <URLVerification xmlns="http://stub.order.gasapiserver.esp.globalsign.com">
      <Request>
        <OrderRequestHeader>
          <AuthToken>
            <UserName> 30 String
            <Password> 30 String
          </AuthToken>
        </OrderRequestHeader>
        <OrderRequestParameter>
          <ProductCode> DV_HIGH_URL, DV_LOW_URL
          (<BaseOption>)? wildcard
          <OrderKind> new,renewal,transfer
          <Licenses> 1-99
          (<Options>
            (<Option>
              <OptionName> VPC: ValidityPeriodCustomizeOption
                           SAN: SANOption
              <OptionValue> true,false
            </Option>)+
          </Options>)?
          <ValidityPeriod>
            <Months> 4
            (<NotBefore>)? 25 YYYY-MM-DDTHH:MM:SS.000Z
            (<NotAfter>)? 25 YYYY-MM-DDTHH:MM:SS.000Z
          </ValidityPeriod>
          <CSR> 4000 String
          (<RenewalTargetOrderID>)? 50 String
          (<TargetCERT>)? 4000 String
          (<SpecialInstructions>)? 4000 String
          (<Coupon>)? 50 String
          (<Campaign>)? 50 String
        </OrderRequestParameter>
        (<SubID>)? 50 String
        <OrderID> 50 String
        <ContactInfo>
          <FirstName> 100 String
          <LastName> 100 String
          <Phone> 30 String
          <Email> 255 String
        </ContactInfo>
        <SecondContactInfo>
          <FirstName> 100 String
          <LastName> 100 String
          <Email> 255 String
        </SecondContactInfo>
        (<SANEntries>
          (<SANEntry>
            <SANOptionType> 1:UC cert option
                            2:Subdomain option
            <SubjectAltName> 4000 String
            (<ModifyOperation>)? <!-- N/A -->
          </SANEntry>)+
        </SANEntries>)?
      </Request>
    </URLVerification>

URLVerification Order Response

The response contains both the metatag and a list of allowable domains on which we can verify the FQDN. The metatag needs to be placed in the applicable location.

    <URLVerificationResponse xmlns="http://stub.order.gasapiserver.esp.globalsign.com">
      <Response>
        <OrderResponseHeader>
          <SuccessCode> 2
          (<Errors>
            (<Error>
              <ErrorCode> 5
              (<ErrorField>)? 1000 String
              <ErrorMessage> 1000 String
            </Error>)+
          </Errors>)?
          <Timestamp> YYYY-MM-DDTHH:MM:SS.000Z
        </OrderResponseHeader>
        <OrderID>? 50 String <!-- Error empty message -->
        <Metatag>? 50 String <!-- Error empty message -->
        <VerificationURLList>
          <VerificationURL> 1000 String
        </VerificationURLList>
      </Response>
    </URLVerificationResponse>

URLVerification for Issue Request

After placing the Random Value (meta-tag) on one of the allowable domains (see section 9.2), the following request is used to validate the domain. It's important to specify one of the valid URLs in the <ApproverURL> or domain validation will fail. See section 9.2 for the definition of ApproverURL.

    <ns2:URLVerificationForIssue xmlns:ns2="https://system.globalsign.com/bb/ws/">
      <Request>
        <OrderRequestHeader>
          <AuthToken>
            <UserName> 30 String
            <Password> 30 String
          </AuthToken>
        </OrderRequestHeader>
        <OrderID>
        <ApproverURL> 64 String
      </Request>
    </ns2:URLVerificationForIssue>

URL Verification for Issue Response

    <UrlVerificationForIssue>
      <Response>
        <OrderResponseHeader>
          <SuccessCode> 2
          (<Errors>
            (<Error>
              <ErrorCode> 5
              (<ErrorField>)? 1000 String
              <ErrorMessage> 1000 String
            </Error>)+
          </Errors>)?
          <Timestamp> YYYY-MM-DDTHH:MM:SS.000Z
        </OrderResponseHeader>
        (<UrlVerificationForIssue>
          (<CertificateInfo>
            <CertificateStatus> 5
            <StartDate> YYYY-MM-DDTHH:MM:SS.000Z
            <EndDate> YYYY-MM-DDTHH:MM:SS.000Z
            <CommonName> 64 String
            <SerialNumber> 64 String
            <SubjectName> 3000 String
            (<DNSNames>)? 300 String
          </CertificateInfo>)?
          (<Fulfillment>
            (<CACertificates>
              (<CACertificate>
                <CACertType> Root, Inter
                <CACert> 4000 String
              </CACertificate>)+
            </CACertificates>)?
            (<ServerCertificate>
              <X509Cert> 4000 String
              <PKCS7Cert> 4000 String
            </ServerCertificate>)?
          </Fulfillment>)?
        </UrlVerificationForIssue>)?
      </Response>
    </UrlVerificationForIssue>

3.3 Ordering DomainSSL or AlphaSSL Using DNS Verification

Using the following methods will allow you to order and approve DomainSSL and AlphaSSL Certificates by using a DNS txt record for verification instead of the approver email method. After the order is placed, the API response will contain a DNS txt record which needs to be placed in the index of the domain that is being secured. The DNS TXT record will resemble:

    globalsign-domain-verification=lhvopmzmfgzcazkqdnxxqkgylnwsj_ioc1cqq-nts

Please note that the DNS TXT record check is case sensitive. Some DNS providers may automatically adjust the case of the TXT record. This scenario will cause a failure of the validation.

Workflow between Partner and API Server:
1. Partner creates new Order with DVDNSOrder
2. API Server returns TXT record value
- Outside of API: Partner / End user creates DNS txt record for domain being secured
3. Partner requests that DNS txt record is checked with the DVDNSVerificationForIssue Request
- Outside of API: GlobalSign crawler verifies DNS txt record
4. Upon Success, API Server returns Certificate

DVDNSOrder Request

    <DVDNSOrder xmlns="http://stub.order.gasapiserver.esp.globalsign.com">
      <Request>
        <OrderRequestHeader>
          <AuthToken>
            <UserName> 30 String
            <Password> 30 String
          </AuthToken>
        </OrderRequestHeader>
        <OrderRequestParameter>
          <ProductCode> DV_HIGH_DNS, DV_LOW_DNS
          (<BaseOption>)? wildcard
          <OrderKind> new,renewal,transfer
          <Licenses> 1-99
          (<Options>
            (<Option>
              <OptionName> VPC: ValidityPeriodCustomizeOption
                           SAN: SANOption
              <OptionValue> true,false
            </Option>)+
          </Options>)?
          <ValidityPeriod>
            <Months> 4
            (<NotBefore>)? 25 YYYY-MM-DDTHH:MM:SS.000Z
            (<NotAfter>)? 25 YYYY-MM-DDTHH:MM:SS.000Z
          </ValidityPeriod>
          <CSR> 4000 String
          (<RenewalTargetOrderID>)? 50 String
          (<TargetCERT>)? 4000 String
          (<SpecialInstructions>)? 4000 String
          (<Coupon>)? 50 String
          (<Campaign>)? 50 String
        </OrderRequestParameter>
        (<SubID>)? 50 String
        <OrderID> 50 String
        <ContactInfo>
          <FirstName> 100 String
          <LastName> 100 String
          <Phone> 30 String
          <Email> 255 String
        </ContactInfo>
        <SecondContactInfo>
          <FirstName> 100 String
          <LastName> 100 String
          <Email> 255 String
        </SecondContactInfo>
        (<SANEntries>
          (<SANEntry>
            <SANOptionType> 1:UC cert option
                            2:Subdomain option
            <SubjectAltName> 4000 String
            (<ModifyOperation>)? <!-- N/A -->
          </SANEntry>)+
        </SANEntries>)?
      </Request>
    </DVDNSOrder>

DVDNS Order Response

The response contains both the DNS TXT and a list of allowable domains on which we can verify the requested FQDN.

    <DVDNSOrderResponse xmlns="http://stub.order.gasapiserver.esp.globalsign.com">
      <Response>
        <OrderResponseHeader>
          <SuccessCode> 2
          (<Errors>
            (<Error>
              <ErrorCode> 5
              (<ErrorField>)? 1000 String
              <ErrorMessage> 1000 String
            </Error>)+
          </Errors>)?
          <Timestamp> YYYY-MM-DDTHH:MM:SS.000Z
        </OrderResponseHeader>
        <OrderID>? 50 String <!-- Error empty message -->
        <DNSTXT>? 50 String <!-- Error empty message -->
        <VerificationFQDNList>
          <VerificationFQDN> 1000 String
        </VerificationFQDNList>
      </Response>
    </DVDNSOrderResponse>

DVDNS Order for Issue Request

After placing the DNS TXT record on one of the allowable domains, the following request is used to have our validator verify the DNS TXT record. See section 9.1.

    <ns2:DVDNSVerificationForIssue xmlns:ns2="https://system.globalsign.com/bb/ws/">
      <Request>
        <OrderRequestHeader>
          <AuthToken>
            <UserName> 30 String
            <Password> 30 String
          </AuthToken>
        </OrderRequestHeader>
        <OrderID>
        <ApproverFQDN> 64 String
      </Request>
    </ns2:DVDNSVerificationForIssue>

DVDNS Order for Issue Response

    <DVDNSVerificationForIssueResponse>
      <Response>
        <OrderResponseHeader>
          <SuccessCode> 2
          (<Errors>
            (<Error>
              <ErrorCode> 5
              (<ErrorField>)? 1000 String
              <ErrorMessage> 1000 String
            </Error>)+
          </Errors>)?
          <Timestamp> YYYY-MM-DDTHH:MM:SS.000Z
        </OrderResponseHeader>
        (<DVDNSVerificationForIssue>
          (<CertificateInfo>
            <CertificateStatus> 5
            <StartDate> YYYY-MM-DDTHH:MM:SS.000Z
            <EndDate> YYYY-MM-DDTHH:MM:SS.000Z
            <CommonName> 64 String
            <SerialNumber> 64 String
            <SubjectName> 3000 String
            (<DNSNames>)? 300 String
          </CertificateInfo>)?
          (<Fulfillment>
            (<CACertificates>
              (<CACertificate>
                <CACertType> Root, Inter
                <CACert> 4000 String
              </CACertificate>)+
            </CACertificates>)?
            (<ServerCertificate>
              <X509Cert> 4000 String
              <PKCS7Cert> 4000 String
            </ServerCertificate>)?
          </Fulfillment>)?
        </DVDNSVerificationForIssue>)?
      </Response>
    </DVDNSVerificationForIssueResponse>
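A pre-flight check for the DNS method in section 3.3, as an added example that is not part of the original guide: it reads the DNSTXT value and the VerificationFQDN list from a DVDNSOrder response and checks locally gathered TXT data before DVDNSVerificationForIssue is called, reporting the case-only mismatch the guide warns about. The sample response, order ID and TXT value are constructed; treating DNSTXT as the full string to publish and 0 as the success code are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample response; the order ID and TXT value are placeholders.
SAMPLE_RESPONSE = """
<DVDNSOrderResponse xmlns="http://stub.order.gasapiserver.esp.globalsign.com">
  <Response>
    <OrderResponseHeader>
      <SuccessCode>0</SuccessCode>
      <Timestamp>2016-08-26T10:00:00.000Z</Timestamp>
    </OrderResponseHeader>
    <OrderID>EXAMPLE-ORDER-0001</OrderID>
    <DNSTXT>globalsign-domain-verification=ExampleValue_Ab12-Cd34</DNSTXT>
    <VerificationFQDNList>
      <VerificationFQDN>www.example.com</VerificationFQDN>
      <VerificationFQDN>example.com</VerificationFQDN>
    </VerificationFQDNList>
  </Response>
</DVDNSOrderResponse>
"""

QUOTED_CHUNK = re.compile(r'"((?:[^"\\]|\\.)*)"')


def local_name(tag):
    """Drop a '{namespace}' prefix so parsing works with or without one."""
    return tag.rsplit("}", 1)[-1]


def find_all(root, name):
    return [el for el in root.iter() if local_name(el.tag) == name]


def text_of(root, name):
    found = find_all(root, name)
    return (found[0].text or "").strip() if found else ""


def parse_dvdns_order_response(xml_text):
    """Extract the fields needed for the follow-up verification request."""
    root = ET.fromstring(xml_text.strip())
    errors = [{"code": text_of(e, "ErrorCode"),
               "field": text_of(e, "ErrorField"),
               "message": text_of(e, "ErrorMessage")}
              for e in find_all(root, "Error")]
    return {"success_code": text_of(root, "SuccessCode"),
            "errors": errors,
            "order_id": text_of(root, "OrderID"),
            "dns_txt": text_of(root, "DNSTXT"),
            "allowed_fqdns": [(e.text or "").strip()
                              for e in find_all(root, "VerificationFQDN")]}


def normalize_txt(rdata):
    """Join TXT rdata as DNS tools print it ('"abc" "def"') into one string."""
    chunks = QUOTED_CHUNK.findall(rdata)
    return "".join(chunks) if chunks else rdata.strip()


def normalize_fqdn(name):
    # Host names are case insensitive; the TXT value is not.
    return name.strip().rstrip(".").lower()


def check_txt(expected, observed_rdata):
    """Return 'match', 'case-mismatch' or 'missing' for the published value."""
    values = [normalize_txt(r) for r in observed_rdata]
    if expected in values:
        return "match"
    if expected.lower() in (v.lower() for v in values):
        return "case-mismatch"
    return "missing"


def preflight(response, approver_fqdn, observed_rdata):
    """List the reasons a DVDNSVerificationForIssue call would likely fail."""
    problems = []
    if response["success_code"] != "0" or response["errors"]:
        problems.append("order response reports errors or a non-zero code")
    allowed = {normalize_fqdn(f) for f in response["allowed_fqdns"]}
    if normalize_fqdn(approver_fqdn) not in allowed:
        problems.append(f"ApproverFQDN {approver_fqdn!r} is not in VerificationFQDNList")
    state = check_txt(response["dns_txt"], observed_rdata)
    if state == "case-mismatch":
        problems.append("TXT value differs only in letter case; the check is case sensitive")
    elif state == "missing":
        problems.append("TXT value not found on the queried name")
    return problems


if __name__ == "__main__":
    resp = parse_dvdns_order_response(SAMPLE_RESPONSE)
    # Constructed rdata: a provider that lower-cased the record.
    lowered = ['"' + resp["dns_txt"].lower() + '"']
    for line in preflight(resp, "example.com", lowered):
        print("WARN:", line)
```

The `observed_rdata` list is whatever the caller collected from the authoritative name servers for the chosen FQDN, in the quoted form DNS tools print.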

4. Ordering OrganizationSSL Certificates

(1) Obtaining Common Name from the CSR: DecodeCSR Request, DecodeCSR Response
(2) Order OrganizationSSL certificate: OVOrder Request, OVOrder Response

1. Parsing CSR
2. Submit order

4.1 OrganizationSSL Certificate Request

Extracting Common Name from the CSR.

DecodeCSR Request

<DecodeCSR>
  <Request>
    <QueryRequestHeader>
      <AuthToken>
        <UserName>  30 String
        <Password>  30 String
      </AuthToken>
    </QueryRequestHeader>
    <CSR>  50 String
    <ProductType>  OV
  </Request>
</DecodeCSR>

DecodeCSR Response

<DecodeCSR>
  <Response>
    <OrderResponseHeader>
      <SuccessCode>  2

(<Errors> (<Error> <ErrorCode> 5 (<ErrorField>)? 1000 String <ErrorMessage> 1000 String </Error>)+ </Errors>)? <Timestamp> -MM-DDTHH:MM:SS.000Z </OrderResponseHeader> <CSRData> (<CommonName>)? 255 String (<Organization>)? 255 String (<OrganizationUnit>)? 255 String (<Locality>)? 255 String (<State>)? 255 String (<Country>)? 30 String (<EmailAddress>)? 255 String (<KeyLength>)? 30 String </CSRData> <CertificatePreview> (<CommonName>)? 255 String (<Organization>)? 255 String (<OrganizationUnit>)? 255 String (<Locality>)? 255 String (<State>)? 255 String (<Country>)? 30 String (<EmailAddress>)? 255 String (<KeyLength>)? 30 String </CertificatePreview> </Response> </DecodeCSR> 4.2 Ordering the OrganizationSSL Certificate OVOrder Request Note: the Extensions data element is new as of August 2016 <OVOrder xmlns="http://stub.order.gasapiserver.esp.globalsign.com"> <Request> <OrderRequestHeader> <AuthToken> <UserName> 30 String <Password> 30 String </AuthToken> </OrderRequestHeader> <OrderRequestParameter> <ProductCode> OV (<BaseOption>)? wildcard, GIP <OrderKind> new,renewal,transfer <Licenses> 1-99 (<Options> (<Option> <OptionName> VPC: ValidityPeriodCustomizeOption SAN: SANOption <OptionValue> true,false </Option>)+ <Options>)? <ValidityPeriod> <Months> 4 (<NotBefore>)? 25 -MM-DDTHH:MM:SS.000Z (<NotAfter>)? 25 -MM-DDTHH:MM:SS.000Z </ValidityPeriod> <CSR> 4000 String (<RenewalTargetOrderID)? 50 String (<TargetCERT>)? 4000 String GlobalSign API for SSL Certificates v4.3.5 Page 18 of 75

(<SpecialInstructions>)? 4000 String (<Coupon>)? 50 String (<Campaign>)? 50 String </OrderRequestParameter> (<SubID>)? 50 String <OrganizationInfo> <OrganizationName> 255 String (<CreditAgency>)? 1:DUNS, 2:TDB (<OrganizationCode>)? 50 String <OrganizationAddress> <AddressLine1> 100 String (<AddressLine2>)? 100 String (<AddressLine3>)? 100 String <City> 200 String <Region> 255 String <PostalCode> 20 String <Country> 30 String <Phone> 30 String (<Fax>)? 30 String </OrganizationAddress> </OrganizationInfo> <ContactInfo> <FirstName> 100 String <LastName> 100 String <Phone> 30 String <Email> 255 String </ContactInfo> (<SANEntries> (<SANEntry> <SANOptionType> 1:UC cert option 2:Subdomain SAN option 3:GIP SAN option 4:Internal SAN option 7:FQDN SAN option <SubjectAltName> 4000 String (<ModifyOperation>)? ADDITION, UNCHANGED, DELETE </SANEntry>)+ </SANEntries>)? (<Extensions> (<Extension> <Name> See section Error! Reference source not found. <Value> </Extension>)+ </Extensions>)? </Request> </OVOrder> OVOrder Response <OVOrder xmlns="http://stub.order.gasapiserver.esp.globalsign.com"> <Response> <OrderResponseHeader> <SuccessCode> 2 (<Errors> (<Error> <ErrorCode> 5 (<ErrorField>)? 1000 String <ErrorMessage> 1000 String </Error>)+ </Errors>)? <Timestamp> -MM-DDTHH:MM:SS.000Z </OrderResponseHeader> <OrderID>? 50 String <!- Error empty message --> </Response> </OVOrder> GlobalSign API for SSL Certificates v4.3.5 Page 19 of 75

OVOrderWithoutCSR Request

Depending on the GCC account type, customers may request GlobalSign to generate the keys for the certificates instead of supplying a CSR. Partner accounts do not have this enabled because of security concerns about the partner having access to the end users' private keys; however, this is generally permitted for Enterprise and Retail accounts.

Note: The Extension field is a new field as of August 2016.

<OVOrder xmlns="http://stub.order.gasapiserver.esp.globalsign.com">
  <Request>
    <OrderRequestHeader>
      <AuthToken>
        <UserName>  30 String
        <Password>  30 String
      </AuthToken>
    </OrderRequestHeader>
    <OrderRequestWithoutCSR>
      <ProductCode>  OV
      (<BaseOption>)?  wildcard, GIP
      <OrderKind>  new,renewal,transfer
      <Licenses>  1-99
      (<Options>
        (<Option>
          <OptionName>  VPC: ValidityPeriodCustomizeOption
                        SAN: SANOption
          <OptionValue>  true,false
        </Option>)+
      </Options>)?
      <ValidityPeriod>
        <Months>  4
        (<NotBefore>)?  25 YYYY-MM-DDTHH:MM:SS.000Z
        (<NotAfter>)?  25 YYYY-MM-DDTHH:MM:SS.000Z
      </ValidityPeriod>
      <PIN>
      <KeyLength>
      (<RenewalTargetOrderID>)?  50 String
      (<TargetCERT>)?  4000 String
      (<DNSNames>)?
      (<SpecialInstructions>)?  4000 String
      (<Coupon>)?  50 String
      (<Campaign>)?  50 String
    </OrderRequestWithoutCSR>
    (<SubID>)?  50 String
    <OrganizationInfo>
      <OrganizationName>  255 String
      (<CreditAgency>)?  1:DUNS, 2:TDB
      (<OrganizationCode>)?  50 String
      <OrganizationAddress>
        <AddressLine1>  100 String
        (<AddressLine2>)?  100 String
        (<AddressLine3>)?  100 String
        <City>  200 String
        <Region>  255 String
        <PostalCode>  20 String
        <Country>  30 String
        <Phone>  30 String
        (<Fax>)?  30 String
      </OrganizationAddress>
    </OrganizationInfo>
    <ContactInfo>
      <FirstName>  100 String
      <LastName>  100 String
      <Phone>  30 String
      <Email>  255 String
    </ContactInfo>
    (<SANEntries>
      (<SANEntry>

<SANOptionType> 1:UC cert option 2:Subdomain SAN option 3:GIP SAN option 4:Internal SAN option 7:FQDN SAN option <SubjectAltName> 4000 String (<ModifyOperation>)? ADDITION, UNCHANGED, DELETE </SANEntry>)+ </SANEntries>)? (<Extensions> (<Extension> <Name> See Section Error! Reference source not found. <Value> </Extension>)+ </Extensions>)? </Request> </OVOrder> OVOrder Response <OVOrder xmlns="http://stub.order.gasapiserver.esp.globalsign.com"> <Response> <OrderResponseHeader> <SuccessCode> 2 (<Errors> (<Error> <ErrorCode> 5 (<ErrorField>)? 1000 String <ErrorMessage> 1000 String </Error>)+ </Errors>)? <Timestamp> -MM-DDTHH:MM:SS.000Z </OrderResponseHeader> <OrderID>? 50 String <!- Error empty message --> </Response> </OVOrder> GlobalSign API for SSL Certificates v4.3.5 Page 21 of 75

5. Ordering ExtendedSSL Certificates

(1) Obtaining Common Name from the CSR: DecodeCSR Request, DecodeCSR Response
(2) Order ExtendedSSL certificate: EVOrder Request, EVOrder Response

1. Parsing CSR and Phishing check
2. Request an order

5.1 Decode CSR

Extracting Common Name from the CSR.

DecodeCSR Request

<DecodeCSR>
  <Request>
    <QueryRequestHeader>
      <AuthToken>
        <UserName>  30 String
        <Password>  30 String
      </AuthToken>
    </QueryRequestHeader>
    <CSR>  50 String
    <ProductType>  EV
  </Request>
</DecodeCSR>

DecodeCSR Response

<DecodeCSR>
  <Response>
    <OrderResponseHeader>
      <SuccessCode>  2
      (<Errors>
        (<Error>
          <ErrorCode>  5
          (<ErrorField>)?  1000 String

<ErrorMessage> 1000 String </Error>)+ </Errors>)? <Timestamp> -MM-DDTHH:MM:SS.000Z </OrderResponseHeader> <CSRData> (<CommonName>)? 255 String (<Organization>)? 255 String (<OrganizationUnit>)? 255 String (<Locality>)? 255 String (<State>)? 255 String (<Country>)? 30 String (<EmailAddress>)? 255 String (<KeyLength>)? 30 String </CSRData> <CertificatePreview> (<CommonName>)? 255 String (<Organization>)? 255 String (<OrganizationUnit>)? 255 String (<Locality>)? 255 String (<State>)? 255 String (<Country>)? 30 String (<EmailAddress>)? 255 String (<KeyLength>)? 30 String </CertificatePreview> </Response> </DecodeCSR> 5.2 Ordering the ExtendedSSL Certificate EVOrder Request <EVOrder xmlns="http://stub.order.gasapiserver.esp.globalsign.com"> <Request> <OrderRequestHeader> <AuthToken> <UserName> 30 String <Password> 30 String </AuthToken> </OrderRequestHeader> <OrderRequestParameter> <ProductCode> EV (<BaseOption>)? wildcard,globalip <OrderKind> new,renewal,transfer <Licenses> 1-99 (<Options> (<Option> <OptionName> VPC: ValidityPeriodCustomizeOption SAN: SANOption <OptionValue> true,false </Option>)+ <Options>)? <ValidityPeriod> <Months> 4 (<NotBefore>)? 25 -MM-DDTHH:MM:SS.000Z (<NotAfter>)? 25 -MM-DDTHH:MM:SS.000Z </ValidityPeriod> <CSR> 4000 String (<RenewalTargetOrderID)? 50 String (<TargetCERT>)? 4000 String (<SpecialInstructions>)? 4000 String (<Coupon>)? 50 String (<Campaign>)? 50 String </OrderRequestParameter> (<SubID>)? 50 String GlobalSign API for SSL Certificates v4.3.5 Page 23 of 75

<OrganizationInfoEV> (<CreditAgency>)? 1:DUNS, 2:TDB (<OrganizationCode>)? 50 String (<BusinessAssumedName>)? 255 String <BusinessCategoryCode> PO:Private Organization GE:Government Entity BE:BusinessEntity <OrganizationAddress> <AddressLine1> 100 String (<AddressLine2>)? 100 String (<AddressLine3>)? 100 String <City> 200 String <Region> 255 String <PostalCode> 20 String <Country> 30 String ISO 3166-1 <Phone> 30 String (<Fax>)? 30 String </OrganizationAddress> </OrganizationInfoEV> <RequestorInfo> <FirstName> 100 String <LastName> 100 String (<Function>)? 255 String <OrganizationName> 255 String (<OrganizationUnit>)? 100 String <Phone> 30 String <Email> 255 String </RequestorInfo> <ApproverInfo> <FirstName> 100 String <LastName> 100 String (<Function>)? 255 String <OrganizationName> 255 String (<OrganizationUnit>)? 100 String <Phone> 30 String <Email> 255 String </ApproverInfo> <AuthorizedSignerInfo> <OrganizationName> 255 String <FirstName> 100 String <LastName> 100 String (<Function>)? 255 String <Phone> 30 String <Email> 255 String </AuthorizedSignerInfo> <JurisdictionInfo> <JurisdictionCountry> 30 String ISO 3166-1 <StateOrProvince> 255 String <Locality> 200 String <IncorporatingAgencyRegistrationNumber> 100 String </JurisdictionInfo> <ContactInfo> <FirstName> 100 String <LastName> 100 String <Phone> 30 String <Email> 255 String </ContactInfo> (<SANEntries> (<SANEntry> <SANOptionType> 1:UC cert option 2:Subdomain SAN option 3:GIP SAN option 4:Internal SAN option 7:FQDN SAN option <SubjectAltName> 4000 String (<ModifyOperation>)? <!- N/A --> </SANEntry>)+ </SANEntries>)? </Request> </EVOrder> GlobalSign API for SSL Certificates v4.3.5 Page 24 of 75

EVOrder Response

<EVOrder xmlns="http://stub.order.gasapiserver.esp.globalsign.com">
  <Response>
    <OrderResponseHeader>
      <SuccessCode>  2
      (<Errors>
        (<Error>
          <ErrorCode>  5
          (<ErrorField>)?  1000 String
          <ErrorMessage>  1000 String
        </Error>)+
      </Errors>)?
      <Timestamp>  25 YYYY-MM-DDTHH:MM:SS.000Z
    </OrderResponseHeader>
    <OrderID>?  50 String  <!-- Error empty message -->
  </Response>
</EVOrder>

6. General SSL Functions

6.1 Receive List of Approver Email Addresses and perform phishing DB check

The details from the DecodeCSR Response can now be used to continue with the request. The next step involves receiving the list of approver email addresses and an OrderID to complete the order of the certificate. This is only required when the order approval method is set to email validation.

GetDVApproverList Request

<GetDVApproverList xmlns="http://stub.query.gasapiserver.esp.globalsign.com">
  <Request>
    <QueryRequestHeader>
      <AuthToken>
        <UserName>  30
        <Password>  30
      </AuthToken>
    </QueryRequestHeader>
    <FQDN>  255 String*
  </Request>
</GetDVApproverList>

* FQDN is the CommonName from the previous response

GetDVApproverList Response

<GetDVApproverList xmlns="http://stub.query.gasapiserver.esp.globalsign.com">
  <Response>
    <QueryResponseHeader>
      <SuccessCode>  2
      (<Errors>
        (<Error>
          <ErrorCode>  5
          <ErrorMessage>  1000 String
        </Error>)+
      </Errors>)?
      <Timestamp>  YYYY-MM-DDTHH:MM:SS.000Z
      <ReturnCount>  5
    </QueryResponseHeader>
    (<Approvers>
      (<Approver>
        <ApproverType>  10 String  Domain or Generic
        <ApproverEmail>  255
      </Approver>)+
    </Approvers>)?
    <OrderID>?  50 String
  </Response>
</GetDVApproverList>

This response will contain a success code, a list of approver contact details for the end user to choose from, and an OrderID for continuing with the order. If the success code is -1, the request procedure will stop and the error code will have to be consulted.
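The following added example (not code from the GlobalSign guide) parses a GetDVApproverList response laid out as in section 6.1, stops on a success code of -1, enforces the documented field lengths, and accepts only an approver address that the response actually offered. The sample XML, the order ID, the error code and the success code 0 are constructed values; rejecting DTDs and matching addresses case-insensitively are choices of this example.

```python
import xml.etree.ElementTree as ET

# Namespace the page shows on the query API elements.
NS = {"q": "http://stub.query.gasapiserver.esp.globalsign.com"}


class ApiFailure(Exception):
    """SuccessCode was -1; carries the (ErrorCode, ErrorMessage) pairs."""

    def __init__(self, errors):
        self.errors = errors
        super().__init__("; ".join(f"{code}: {msg}" for code, msg in errors))


def _text(parent, name, max_len):
    """Return the stripped text of child <name>, enforcing the documented length."""
    node = parent.find(f"q:{name}", NS)
    value = (node.text or "").strip() if node is not None else ""
    if not value:
        raise ValueError(f"missing <{name}>")
    if len(value) > max_len:
        raise ValueError(f"<{name}> longer than {max_len} characters")
    return value


def parse_approver_list(xml_text):
    """Parse a GetDVApproverList response into (order_id, [(type, email), ...])."""
    if "<!DOCTYPE" in xml_text.upper():
        raise ValueError("DTD not accepted in an API response")
    root = ET.fromstring(xml_text)
    resp = root.find("q:Response", NS)
    header = resp.find("q:QueryResponseHeader", NS) if resp is not None else None
    if header is None:
        raise ValueError("missing <QueryResponseHeader>")
    # Per the page: on -1 the procedure stops and the error code is consulted.
    if _text(header, "SuccessCode", 2) == "-1":
        raise ApiFailure([
            (_text(e, "ErrorCode", 5), _text(e, "ErrorMessage", 1000))
            for e in header.findall("q:Errors/q:Error", NS)
        ])
    approvers = []
    for node in resp.findall("q:Approvers/q:Approver", NS):
        kind = _text(node, "ApproverType", 10)
        if kind.lower() not in ("domain", "generic"):
            raise ValueError(f"unexpected ApproverType {kind!r}")
        approvers.append((kind, _text(node, "ApproverEmail", 255)))
    return _text(resp, "OrderID", 50), approvers


def choose_approver(approvers, requested_email):
    """Accept only an address the response offered; return it exactly as offered."""
    wanted = requested_email.strip().lower()
    for _kind, email in approvers:
        if email.lower() == wanted:
            return email
    raise ValueError("approver email was not offered for this FQDN")


# Constructed sample responses (not captured from the real service).
_HEAD = '<GetDVApproverList xmlns="http://stub.query.gasapiserver.esp.globalsign.com"><Response>'
_TAIL = "</Response></GetDVApproverList>"
SAMPLE_OK = _HEAD + """
  <QueryResponseHeader>
    <SuccessCode>0</SuccessCode>
    <Timestamp>2018-01-01T00:00:00.000Z</Timestamp>
    <ReturnCount>2</ReturnCount>
  </QueryResponseHeader>
  <Approvers>
    <Approver><ApproverType>Generic</ApproverType><ApproverEmail>admin@example.com</ApproverEmail></Approver>
    <Approver><ApproverType>Domain</ApproverType><ApproverEmail>hostmaster@example.com</ApproverEmail></Approver>
  </Approvers>
  <OrderID>CONSTRUCTED-ORDER-0001</OrderID>
""" + _TAIL
SAMPLE_FAIL = _HEAD + """
  <QueryResponseHeader>
    <SuccessCode>-1</SuccessCode>
    <Errors><Error><ErrorCode>-1234</ErrorCode><ErrorMessage>constructed error message</ErrorMessage></Error></Errors>
    <Timestamp>2018-01-01T00:00:00.000Z</Timestamp>
    <ReturnCount>0</ReturnCount>
  </QueryResponseHeader>
""" + _TAIL

if __name__ == "__main__":
    order_id, offered = parse_approver_list(SAMPLE_OK)
    print(order_id, choose_approver(offered, "Admin@Example.com"))
```
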

6.2 Changing the SubjectAltName in Certificate

DomainSSL

(1) Set the Common Name and get approver email list and OrderID: GetDVApproverList Request, GetDVApproverList Response
(2) Order ChangeSubjectAltName using OrderID and selected approver email address: ChangeSubjectAltName Request, ChangeSubjectAltName Response

1. Getting list of approver email and OrderID for ChangeSubjectAltName (with Phishing check)
2. Request a SAN Order
3. Sending approver email
4. Approve or deny order

OrganizationalSSL, Extended SSL

(1) Set SubjectAltName information and order certificate: ChangeSubjectAltName Request, ChangeSubjectAltName Response

6.3 Change SubjectAltName

Use the ChangeSubjectAltName API to change (add or delete) the SubjectAltName(s) of an issued certificate. Set the <SANEntries> parameters to the SubjectAltName(s) as they should be after the change. For DomainSSL, the GetDVApproverList API should be requested beforehand. A new certificate with the requested SubjectAltName(s) will be issued after the vetting is completed and can be retrieved using the Query APIs.

ChangeSubjectAltName Request

<ChangeSubjectAltName xmlns="http://stub.order.gasapiserver.esp.globalsign.com">
  <Request>
    <OrderRequestHeader>
      <AuthToken>
        <UserName>
        <Password>
      </AuthToken>
    </OrderRequestHeader>
    (<OrderID>)?  50 String
    <TargetOrderID>  50 String
    (<ApproverEmail>)?
    (<SANEntries>
      (<SANEntryArray>
        <SANOptionType>  1:UC cert option
                         2:Subdomain SAN option
                         3:GIP SAN option
                         4:Internal SAN option
                         7:FQDN SAN option
        <SubjectAltName>  64 String
      </SANEntryArray>)+
    </SANEntries>)?
    <PIN>?  String
  </Request>
</ChangeSubjectAltName>

ChangeSubjectAltName Response

<ChangeSubjectAltName xmlns="http://stub.order.gasapiserver.esp.globalsign.com">
  <Response>
    <OrderResponseHeader>
      <SuccessCode>
      (<Errors>
        (<Error>
          <ErrorCode>  5
          (<ErrorField>)?  1000 String
          <ErrorMessage>  1000 String
        </Error>)+
      </Errors>)?
      <Timestamp>  YYYY-MM-DDTHH:MM:SS.000Z
    </OrderResponseHeader>
    <OrderID>?  50 String
    (<TargetOrderID>)?  50 String
  </Response>
</ChangeSubjectAltName>

6.4 Create Cert-Invites (CertInviteOrder)

A request which allows the ordering and creation of Cert-Invites.

CertInviteOrder Request

<CertInviteOrder>
  <Request>

<OrderRequestHeader> <AuthToken> <UserName> 30 String <Password> 30 String </AuthToken> </OrderRequestHeader> <OrderRequestParameter> <ProductCode> DV_LOW, DV,OV,EV (<BaseOption>)? Wildcard <OrderKind> new,renewal,transfer (<Options> (<Option> <OptionName> EXP: ExpressOption INS: InsuranceOption GSS: GSSupportOption REX: RenewalExtentionOption VPC: ValidityPeriodCustomizeOption SAN: SANOption true,false <OptionValue> </Option>)+ <Options>)? <ValidityPeriod> <Months> 4 (<NotBefore>)? 25 -MM-DDTHH:MM:SS.000Z (<NotAfter>)? 25 -MM-DDTHH:MM:SS.000Z </ValidityPeriod> (<RenewalTargetOrderID)? 50 String (<Coupon>)? 50 String (<Campaign>)? 50 String </OrderRequestParameter> (<SANEntries> (<SANEntry> <SANOptionType> 1:UC cert option 2:Subdomain SAN option 3:GIP SAN option 4:Internal SAN option 7:FQDN SAN option </SANEntry>)+ </SANEntries>)? <CertInviteExpirationDate> 25 -MM- DDTHH:MM:SS.000Z <RecipientDeliveryOption> true,false <CertInviteRecipientEmail> 255 String </Request> </ CertInviteOrder > CertInviteOrder Response <CertInviteOrder> <Response> <OrderResponseHeader> <SuccessCode> 2 (<Errors> (<Error> <ErrorCode> 5 (<ErrorField>)? 1000 String <ErrorMessage> 1000 String </Error>)+ </Errors>)? <Timestamp> -MM-DDTHH:MM:SS.000Z </OrderResponseHeader> <PIN> 255 String </Response> </CertInviteOrder> GlobalSign API for SSL Certificates v4.3.5 Page 29 of 75

6.5 Change Approver Email (ChangeApproverEmail)

A request which allows the API user to change the approver email for the order. When the request is submitted, a new approval request will be sent to the approver email provided. The user may optionally use a get approver list request before submitting the change approver email request.

ChangeApproverEmail Request

<ChangeApproverEmail>
  <Request>
    <OrderRequestHeader>
      <AuthToken>
        <UserName>  30 String
        <Password>  30 String
      </AuthToken>
    </OrderRequestHeader>
    <OrderID>  50 String
    <ApproverEmail>  255 String
    <FQDN>  255 String
  </Request>
</ChangeApproverEmail>

ChangeApproverEmail Response

<ChangeApproverEmail>
  <Response>
    <OrderResponseHeader>
      <SuccessCode>  2
      (<Errors>
        (<Error>
          <ErrorCode>  5
          (<ErrorField>)?  1000 String
          <ErrorMessage>  1000 String
        </Error>)+
      </Errors>)?
      <Timestamp>  YYYY-MM-DDTHH:MM:SS.000Z
    </OrderResponseHeader>
    <OrderID>?  50 String
  </Response>
</ChangeApproverEmail>

6.6 Re-Send Approver Email (ResendEmail)

If the user did not receive the Approver Email message or has lost it, you can use the ResendEmail API to resend this email.

ResendEmail Request

<ResendEmail xmlns="http://stub.order.gasapiserver.esp.globalsign.com">
  <Request>
    <OrderRequestHeader>
      <AuthToken>
        <UserName>  30
        <Password>  30
      </AuthToken>
    </OrderRequestHeader>
    <OrderID>  50 String
    <ResendEmailType>  20 String  APPROVEREMAIL
  </Request>
</ResendEmail>

ResendEmail Response

<ResendEmail xmlns="http://stub.order.gasapiserver.esp.globalsign.com">
  <Response>
    <OrderResponseHeader>
      <SuccessCode>  2
      (<Errors>
        (<Error>
          <ErrorCode>  5
          (<ErrorField>)?  1000 String
          <ErrorMessage>  1000 String
        </Error>)+
      </Errors>)?
      <Timestamp>  YYYY-MM-DDTHH:MM:SS.000Z
    </OrderResponseHeader>
    <OrderID>?  50 String
  </Response>
</ResendEmail>

6.7 Modify Existing Order (ModifyOrder)

Using the ModifyOrder API you can Approve, Cancel or Revoke a Certificate or Certificate Request by using the OrderID of the Order. It is not currently possible to change the validation method of the order (email, HTTP, DNS), so the original order should be cancelled and a new order created with the updated validation method.

ModifyOrder Request

<ModifyOrder xmlns="http://stub.order.gasapiserver.esp.globalsign.com">
  <Request>
    <OrderRequestHeader>
      <AuthToken>
        <UserName>
        <Password>
      </AuthToken>
    </OrderRequestHeader>
    <OrderID>  50 String
    <ModifyOrderOperation>  APPROVE,CANCEL,REVOKE
  </Request>
</ModifyOrder>

ModifyOrder Response

<ModifyOrder xmlns="http://stub.order.gasapiserver.esp.globalsign.com">
  <Response>
    <OrderResponseHeader>
      <SuccessCode>  2
      (<Errors>
        (<Error>
          <ErrorCode>  5
          (<ErrorField>)?  1000 String
          <ErrorMessage>  1000 String
        </Error>)+
      </Errors>)?
      <Timestamp>  YYYY-MM-DDTHH:MM:SS.000Z
    </OrderResponseHeader>
    <OrderID>?  50 String
  </Response>
</ModifyOrder>

7. Service & Query API Calls

7.1 Decode CSR

DecodeCSR Request

<DecodeCSR>
  <Request>
    <QueryRequestHeader>
      <AuthToken>
        <UserName>  30 String
        <Password>  30 String
      </AuthToken>
    </QueryRequestHeader>
    <CSR>  50 String
    <ProductType>  DV_LOW, DV
  </Request>
</DecodeCSR>

DecodeCSR Response

<DecodeCSR>
  <Response>
    <OrderResponseHeader>
      <SuccessCode>  2
      (<Errors>
        (<Error>
          <ErrorCode>  5
          (<ErrorField>)?  1000 String
          <ErrorMessage>  1000 String
        </Error>)+
      </Errors>)?
      <Timestamp>  YYYY-MM-DDTHH:MM:SS.000Z
    </OrderResponseHeader>
    <CSRData>
      (<CommonName>)?  255 String
      (<Organization>)?  255 String
      (<OrganizationUnit>)?  255 String
      (<Locality>)?  255 String
      (<State>)?  255 String
      (<Country>)?  30 String
      (<EmailAddress>)?  255 String
      (<KeyLength>)?  30 String
    </CSRData>
    <CertificatePreview>
      (<CommonName>)?  255 String
      (<Organization>)?  255 String
      (<OrganizationUnit>)?  255 String
      (<Locality>)?  255 String
      (<State>)?  255 String
      (<Country>)?  30 String
      (<EmailAddress>)?  255 String
      (<KeyLength>)?  30 String
    </CertificatePreview>
  </Response>
</DecodeCSR>

7.2 Get Issued Certificate Single Certificate (GetOrderByOrderID) GetOrderByOrderID Request <GetOrderByOrderID xmlns="http://stub.query.gasapiserver.esp.globalsign.com"> <Request> <QueryRequestHeader> <AuthToken> <UserName> 30 String <Password> 30 String </AuthToken> </QueryRequestHeader> <OrderID> 50 String (<OrderQueryOption> (<OrderStatus>)? <!- N/A --> (<ReturnOrderOption>)? 5 String true, false (<ReturnCertificateInfo>)? 5 String true, false (<ReturnFulfillment>)? 5 String true, false (<ReturnCACerts>)? 5 String ReturnFulfillment true </OrderQueryOption>)? </Request> </GetOrderByOrderID> GetOrderByOrderID Response GetOrderByOrderID xmlns="http://stub.query.gasapiserver.esp.globalsign.com"> <Response> <QueryResponseHeader> <SuccessCode> 2 (<Errors> (<Error> <ErrorCode> 5 <ErrorMessage> 1000 String </Error>)+ </Errors>)? <Timestamp> 25 -MM-DDTHH:MM:SS.000Z <ReturnCount> 5 </QueryResponseHeader> <OrderID>? 50 String (<Pkcs12File>)? 4000 String (<OrderDetail> <OrderInfo> <OrderID> 50 String <ProductCode> 20 String (<BaseOption>)? 20 String <OrderKind> 10 String <Licenses> 3 (<ExpressOption>)? 5 String (<ValidityPeriodCustomizeOption>)? 5 String (<InsuranceOption>)? 5 String (<GSSupportOption>)? 5 String (<RenewalExtentionOption>)? 5 String <DomainName> 255 String <OrderDate> 25 -MM-DDTHH:MM:SS.000Z (<OrderCompleteDate>)? 25 -MM-DDTHH:MM:SS.000Z (<OrderCanceledDate>)? 25 -MM-DDTHH:MM:SS.000Z (<OrderDeactivatedDate>)? 25 -MM- DDTHH:MM:SS.000Z <OrderStatus> 5 1: INITIAL 2: Waiting for phishing check 3: Cancelled - Not Issued 4: Issue completed 5: Cancelled - Issued 6: Waiting for revocation 7: Revoked <Price> 10 <Currency> 10 String <ValidityPeriod> GlobalSign API for SSL Certificates v4.3.5 Page 33 of 75

DDTHH:MM:SS.000Z <Months> 4 (<NotBefore>)? 25 -MM-DDTHH:MM:SS.000Z (<NotAfter>)? 25 -MM-DDTHH:MM:SS.000Z </ValidityPeriod> (<SpecialInstructions>)? 4000 String </OrderInfo> <OrderSubInfo> <CSRSkipOrderFlag> 5 String true,false <DNSOrderFlag> 5 String true,false <TrustedOrderFlag> 5 String true,false (<P12DeleteStatus>)? 5 (<P12DeleteDate>)? 25 -MM-DDTHH:MM:SS.000Z (<VerificationUrl>)? 300 String <SubId> 50 String </OrderSubInfo> (<OrderOption> <ApproverNotifiedDate>? 25 -MM- <ApproverConfirmDate>? 25 -MM-DDTHH:MM:SS.000Z <ApproverEmailAddress>? 255 String <OrganizationInfo> <OrganizationName> 255 String (<CreditAgency>)? 50 String (<OrganizationCode>)? 50 String (<BusinessAssumedName>)? 255 String (<BusinessCategoryCode>)? 20 String <OrganizationAddress> <AddressLine1> 100 String (<AddressLine2>)? 100 String (<AddressLine3>)? 100 String <City> 200 String <Region> 255 String <PostalCode> 20 String <Country> 30 String <Phone> 30 String (<Fax>)? 30 String </OrganizationAddress> </OrganizationInfo> (<RequestorInfo> <FirstName> 100 String <LastName> 100 String <Function> 255 String <OrganizationName> 255 String <OrganizationUnit> 100 String <Phone> 30 String <Email> 255 String </RequestorInfo>)? (<ApproverInfo> <FirstName> 100 String <LastName> 100 String <Function> 255 String <OrganizationName> 255 String (<OrganizationUnit>)? 100 String <Phone> 30 String <Email> 255 String </ApproverInfo>)? (<AuthorizedSignerInfo> <FirstName> 100 String <LastName> 100 String <Function> 255 String <Phone> 30 String <Email> 255 String </AuthorizedSignerInfo>)? (<JurisdictionInfo> < JurisdictionCountry> 30 String <StateOrProvince> 255 String <Locality> 200 String <IncorporatingAgencyRegistrationNumber> 100 String </JurisdictionInfo>)? (<ContactInfo> <FirstName> 100 String GlobalSign API for SSL Certificates v4.3.5 Page 34 of 75

<LastName> 100 String <Phone> 30 String <Email> 255 String </ContactInfo>)? </OrderOption>)? (<CertificateInfo> <CertificateStatus> 5 1: INITIAL 2: Waiting for phishing check 3: Cancelled - Not Issued 4: Issue completed 6: Waiting for revocation 7: Revoked <StartDate> 25 -MM-DDTHH:MM:SS.000Z <EndDate> 25 -MM-DDTHH:MM:SS.000Z <CommonName> 64 String <SerialNumber> 64 String <SubjectName> 3000 String (<DNSNames>)? 300 String </CertificateInfo>)? (<Fulfillment> (<CACertificates> (<CACertificate> <CACertType> 15 String Root,Inter <CACert> 4000 String </CACertificate>)+ </CACertificates>)? (<ServerCertificate> <X509Cert> 4000 String <PKCS7Cert> 4000 String </ServerCertificate>)? </Fulfillment>)? <ModificationEvents> (<ModificationEvent> <ModificationEventName> 50 <ModificationEventTimestamp>25 -MM- DDTHH:MM:SS.000Z </ModificationEvent>)+ </ModificationEvents>? </OrderDetail>)? </Response> </GetOrderByOrderID> 7.3 Query API to get Issued Certificate - Multiple Orders (GetOrderByDateRange) GetOrderByDateRange Request <GetOrderByDateRange xmlns="http://stub.query.gasapiserver.esp.globalsign.com"> <Request> <QueryRequestHeader> <AuthToken> <UserName> 30 <Password> 30 </AuthToken> </QueryRequestHeader> <FromDate> -MM-DDTHH:MM:SS.000Z <ToDate> -MM-DDTHH:MM:SS.000Z (<OrderQueryOption> (<OrderStatus>)? 5 String true, false (<ReturnOrderOption>)? 5 String true, false (<ReturnCertificateInfo>)? 5 String true, false (<ReturnFulfillment>)? 5 String true, false (<ReturnCACerts>)? 5 String </OrderQueryOption>)? </Request> </GetOrderByDataRange> GetOrderByDateRange Response <GetOrderByDateRange xmlns="http://stub.query.gasapiserver.esp.globalsign.com"> GlobalSign API for SSL Certificates v4.3.5 Page 35 of 75