These terms apply to each digital certificate (“Certificate”) issued by DigiCert, Inc., a Utah corporation (“DigiCert”) to an entity or person (“Customer”), as identified in the Account or issued Certificates. By accepting an agreement that incorporates these terms (such agreement, together with these terms, collectively, the “Agreement”), the signer is entering Customer into a legally valid and enforceable agreement to obtain a form of digital identity for the Customer. The signer acknowledges that he/she has the authority to obtain the digital equivalent of a company stamp, seal, or officer’s signature to establish the authenticity of Customer’s website, and that Customer is responsible for all uses of the Certificate. By accepting an Agreement on behalf of Customer, the signer represents that he/she (i) is acting as an authorized representative of Customer, (ii) is expressly authorized by Customer to sign the Agreement and approve Certificate requests on Customer’s behalf, and (iii) has or will confirm Customer’s exclusive right to use the domain(s) to be included in any issued Certificates. Customer and DigiCert agree as follows:
- Requests. Customer may request SSL Certificates only for domain names registered to Customer, an affiliate of Customer, or an entity that expressly authorizes DigiCert to allow Customer to obtain and manage Certificates for the domain name. DigiCert may limit the number of domain names that Customer may include in a single Certificate in its sole discretion.
- Verification. After receiving a request for a Certificate through the Account, DigiCert will review the request and attempt to verify the relevant information in accordance with the DigiCert CPS and industry standards. “Account” means a DigiCert system account and API. Verification is subject to DigiCert’s sole discretion, and DigiCert may refuse to issue a Certificate for any reason. DigiCert will notify Customer if a Certificate request is refused but DigiCert is not required to provide a reason for the refusal. “Certificate Practices Statement” or “CPS” means DigiCert’s written statements of the policies and practices used to operate its PKI. DigiCert’s CPS documents are available at https://www.digicert.com/legal-repository.
- Certificate Life Cycle. The lifecycle of an issued Certificate depends on the selection made by Customer when ordering the Certificate, the requirements in the CPS, and the intended use of the Certificate. DigiCert may modify Certificate lifecycles for unissued Certificates as necessary to comply with requirements of (i) the Agreement, (ii) industry standards, (iii) DigiCert’s auditors, or (iv) an Application Software Vendor. Customer agrees to cease using a Certificate and its related Private Key after the Certificate’s expiration date. “Application Software Vendors” means an entity that displays or uses Certificates in connection with a distributed root store in which DigiCert participates or will participate.
- Issuance. If verification is completed to DigiCert’s satisfaction, DigiCert will issue and deliver the requested Certificate to Customer. DigiCert may deliver the Certificate using any reasonable means of delivery. Typically, DigiCert will deliver Certificates via email to an address specified by Customer as an electronic download in the Account or in response to an API call made by Customer. Certificates are issued from a DigiCert root or intermediate Certificate selected by DigiCert. DigiCert may change which root or intermediate certificate is used to issue Certificates at any time and without notice to Customer. Customer will abide by all applicable laws, regulations and industry standards when ordering and using Certificates, including United States export laws. Customer acknowledges that the Certificates are not available in countries restricted by the Office of Foreign Assets Control.
- Certificate License. Effective immediately after delivery and continuing until the Certificate expires or is revoked, Customer may use, for the benefit of the Certificate’s subject, each issued Certificate and corresponding Key Set for the purposes described in the CPS, in accordance with all applicable laws, regulations, industry standards, and with the terms herein. “Key Set” means a set of two or more mathematically related keys, referred to as Private Keys or key shares along with a Public Key, wherein (i) the Public Key can encrypt a message which only the Private Key(s) can decrypt, and (ii) even knowing the Public Key, it is computationally infeasible to discover the Private Key(s). Customer will promptly inform DigiCert if it becomes aware of any misuse of a Certificate, Private Key, or the Account. Customer is responsible for obtaining and maintaining any authorization or license necessary to order, use, and distribute a Certificate to end users and systems, including any license required under United States’ export laws.
- Certificate Transparency. To ensure Certificates function properly throughout their lifecycle, DigiCert may log SSL Certificates with a public certificate transparency database. Because this will become a requirement for Certificate functionality, Customer cannot opt out of this process. Log server information is publicly accessible. Once submitted, information cannot be removed from a log server.
- Client Certificates. “Client Certificate” means a Certificate that contains any extendedKeyUsage other than codeSigning, timestamping or serverAuthentication. The Certificate uses are varied and are defined by the Client Certificate profile. Some of the possible uses defined in a Client Certificate profile may include digital signature, email encryption, and cryptographic authentication. If Customer wishes to request Client Certificates, Customer must (i) confirm the identity and affiliation of the requester using appropriate internal documentation as prescribed by the CPS and (ii) confirm that the information provided and representations related to or incorporated in any Client Certificate are true, complete, and accurate in all material respects.
- Key Sets. A “Private Key” means the key that is kept secret by Customer that is used to create digital signatures and/or decrypt electronic records or files that were encrypted with the corresponding Public Key. A “Public Key” means Customer’s publicly‐disclosed key that is contained in Customer’s Certificate and corresponds to the secret Private Key that Customer uses. Customer must (i) generate Key Sets using trustworthy systems, (ii) use Key Sets that are at least the equivalent of RSA 2048 bit keys, and (iii) keep all Private Keys confidential. Customer is solely responsible for any failure to protect its Private Keys. Customer represents that it will only generate and store Key Sets for Adobe Signing Certificates and EV Code Signing Certificates on a FIPS 140‐2 Level 2 device. All other Certificate types may be stored on secure software or hardware systems.
- Management. DigiCert will generally issue, manage, renew, and revoke a Certificate in accordance with any instructions submitted by Customer through the Account and may rely on such instructions as accurate. Customer will provide accurate and complete information when communicating with DigiCert and will notify DigiCert within 5 business days if any information relating to the Account changes. Customer will review and verify the Certificate data prior to using the Certificate for accuracy. Certificates are considered accepted 30 days after the Certificate’s issuance, or earlier upon use of the Certificate when evidence exists that the Customer used the Certificate. Although DigiCert may send a reminder about expiring Certificates, DigiCert is under no obligation to do so and Customer is solely responsible for ensuring Certificates are renewed prior to expiration.
- Security and Use of Key Sets. Customer will securely generate and protect the Key Sets associated with a Certificate and take all steps necessary to prevent the compromise, loss, or unauthorized use of a Private Key associated with a Certificate. Customer will use passwords that are randomly generated with at least 16 characters containing uppercase letters, lowercase letters, numbers, and symbols to transport Private Keys. To minimize internal risk of Private Key compromise, Customer will only allow employees, agents, and contractors to access or use Private Keys if the employee, agent, or contractor has undergone a background check by Customer (to the extent allowed by law) and has training or experience in PKI and other information security fields. Customer will notify DigiCert, request revocation of a Certificate and its associated Private Key, cease using such Certificate and its associated Private Key, and remove the Certificate from all devices where it is installed if (i) any information in the Certificate is or becomes incorrect or inaccurate, (ii) there is any actual or suspected misuse or compromise of the Private Key associated with the Public Key included in the Certificate. For code signing Certificates, Customer will promptly cease using a Certificate and its associated Private Key and promptly request revocation of the Certificate if Customer believes that (a) any information in the Certificate is, or becomes, incorrect or inaccurate, (b) the Private Key associated with the Public Key contained in the Certificate was misused or compromised, or (c) there is evidence that the Certificate was used to sign Suspect Code.
“Suspect Code” means code that contains malicious functionality or serious vulnerabilities, including spyware, malware and other code that installs without the user’s consent and/or resists its own removal, and code that can be exploited in ways not intended by its designers to compromise the trustworthiness of the platforms on which it executes. Customer will respond to DigiCert’s instructions concerning Key Set compromise or Certificate misuse within 7 days. Customer will promptly cease using the Key Set corresponding to a Certificate upon the earlier of (I) revocation of the Certificate and (II) the date when the allowed usage period for the Key Set expires. After revocation, Customer must cease using the Certificate.
- Defective Certificates. Customer’s sole remedy for a defect in a Certificate is to require DigiCert to use commercially reasonable efforts to cure the defect after receiving notice from Customer. DigiCert is not obligated to correct a defect if (i) Customer misused, damaged, or modified the Certificate, (ii) Customer did not promptly report the defect to DigiCert, or (iii) Customer has breached any provision of the Agreement.
- Relying Party Warranty. Customer acknowledges that the Relying Party Warranty is only for the benefit of Relying Parties. Customer does not have rights under the warranty, including any right to enforce the terms of the warranty or make a claim under the warranty. “Relying Party” means an entity other than Customer that acts in reliance on a Certificate or a digital signature. An Application Software Vendor is not a Relying Party when the software distributed by the Application Software Vendor merely displays information regarding a Certificate or facilitates the use of the Certificate or digital signature. “Relying Party Warranty” means a warranty offered to a Relying Party that meets the conditions found in the Relying Party Warranty Agreement posted on DigiCert’s website at /docs/agreements/DigiCert_RPA.pdf.
- Representations. For each requested Certificate, Customer represents to DigiCert that:
a. Customer has the right to use or is the lawful owner of (i) any domain name(s) specified in the Certificate and (ii) any common name or organization name specified in the Certificate,
b. the individual accepting the Agreement is expressly authorized by Customer to enter into an Agreement on behalf of Customer,
c. Customer will use the Certificate only for authorized and legal purposes, including not using the Certificate to sign Suspect Code and to use the Certificate and Private Key solely in compliance with all applicable laws and solely in accordance with the Certificate purpose, the CPS, any applicable certificate policy, and the Agreement,
d. Customer has read, understands, and agrees to the CPS, and
e. the organization included in the Certificate and the registered domain name holder is aware of and approves of each Certificate request.
- Restrictions. Customer will only use a TLS/SSL Certificate on the servers accessible at the domain names listed in the issued Certificate. Additionally, Customer will not:
a. modify, sublicense, or create a derivative work of any Certificate (except as required to use the Certificate for its intended purpose) or Private Key,
b. upload or distribute any files or software that may damage the operation of another’s computer,
c. make representations about or use a Certificate except as allowed in the CPS,
d. impersonate or misrepresent Customer’s affiliation with any entity,
e. use the Certificate or any related software (such as the Account) in a manner that could reasonably result in a civil or criminal action being taken against Customer or DigiCert,
f. use the Certificate or any related software to breach the confidence of a third party or to send or receive unsolicited bulk correspondence,
g. use code signing Certificates to sign Suspect Code,
h. apply for a code signing Certificate if the Public Key in the Certificate is or will be used with a non-code signing Certificate,
i. interfere with the proper functioning of the DigiCert website or with any transactions conducted through the DigiCert website,
j. attempt to use a Certificate to issue other Certificates, or
k. intentionally create a Private Key that is substantially similar to a DigiCert or third party Private Key.
- Certificate Revocation. DigiCert may revoke a Certificate without notice for the reasons stated in the CPS, including if DigiCert reasonably believes that:
a. Customer requested revocation of the Certificate or did not authorize the issuance of the Certificate,
b. Customer has breached the Agreement or an obligation it has under the CPS,
c. any provision of an agreement with Customer containing a representation or obligation related to the issuance, use, management, or revocation of the Certificate terminates or is held invalid,
d. Customer is added to a government prohibited person or entity list or is operating from a prohibited destination under the laws of the United States,
e. the Certificate contains inaccurate or misleading information,
f. the Certificate was used without authorization, outside of its intended purpose or used to sign Suspect Code,
g. the Private Key associated with the Certificate was disclosed or compromised,
h. the Certificate was (i) misused, (ii) used or issued contrary to law, the CPS, or industry standards, or (iii) used, directly or indirectly, for illegal or fraudulent purposes, such as phishing attacks, fraud, or the distribution of malware or other illegal or fraudulent purposes,
i. industry standards or DigiCert’s CPS require Certificate revocation, or revocation is necessary to protect the rights, confidential information, operations, or reputation of DigiCert or a third party.
- Sharing of Information. Customer acknowledges and accepts that if (i) the Certificate or Customer is identified as a source of Suspect Code, (ii) the authority to request the Certificate cannot be verified, or (iii) the Certificate is revoked for reasons other than Customer request (e.g. as a result of private key compromise, discovery of malware, etc.), DigiCert is authorized to share information about Customer, the signed application, the Certificate, and the surrounding circumstances with other certification authorities or industry groups, including the CA/Browser Forum.
- Industry Standards. Both parties will comply with all industry and privacy standards that apply to the Certificates. If a law or industry standard changes and that change affects the Certificates or other services provided under the Agreement, then DigiCert may amend the Agreement to the extent necessary to comply with the change.
- Equipment. Customer is responsible, at Customer’s expense, for (i) all computers, telecommunication equipment, software, access to the Internet, and communications networks (if any) required to use the Certificates and related DigiCert software or services, and (ii) Customer’s conduct and its website maintenance, operation, development, and content.
- Certificate Beneficiaries. Relying Parties and Application Software Vendors are express third party beneficiaries of Customer’s obligations and representations related to the use or issuance of a Certificate. The Relying Parties and Application Software Vendors are not express third party beneficiaries with respect to any DigiCert software.
Last updated January 30, 2017