RESTful API for CERTInext certificate lifecycle management — issue, track, validate, renew, and revoke certificates programmatically.
\nappCode and accessKey environment variables. Both are generated in the CERTInext portal under Integration → REST APIs.tokenDetails.accessToken is auto-captured into After that, run any folder top-to-bottom. The test scripts auto-capture orderId, requestId, etc. so the next request in the flow works without editing.
1. Authentication → Get Bearer Token\n2. SSL/TLS → 1. Create Order → captures orderId\n3. SSL/TLS → 2. Get DCV Challenges → returns HTTP / DNS / email proofs\n4. (publish the challenge on your domain)\n5. SSL/TLS → 3. Verify DCV → CA re-checks\n6. SSL/TLS → 4. Submit CSR\n7. SSL/TLS → 5. Accept Agreement\n8. SSL/TLS → 6. Download Certificate\nOptional alternatives:
\n7. Cancel Order8. Revoke Certificate1. Authentication → Get Bearer Token\n2. Document Signer → 1. Create Order → captures orderId\n3. Document Signer → 2. Upload Documents (pending — use v1 /SubmitDocument)\n4. Document Signer → 3. Submit CSR\n5. Document Signer → 4. Accept Agreement\n6. Document Signer → 5. Download Certificate\n1. Authentication → Get Bearer Token\n2. Private PKI → 1. Create Order → captures orderId\n3. Private PKI → 2. Submit CSR\n4. Private PKI → 3. Download Certificate\nproductCode per family (use in X-Product-Code)Send any request with Send — all boilerplate (auth header, idempotency key, token refresh, state capture) runs automatically.
\n","schema":"https://schema.getpostman.com/json/collection/v2.0.0/collection.json","toc":[{"content":"CERTInext API v2 — Customer REST APIs","slug":"certinext-api-v2-customer-rest-apis"}],"owner":"40123569","collectionId":"ca7fc443-d7a0-4eec-b685-c167bb9d2298","publishedId":"2sBXqJJLFh","public":true,"customColor":{"top-bar":"FFFFFF","right-sidebar":"303030","highlight":"FF6C37"},"publishDate":"2026-04-28T03:13:17.000Z"},"item":[{"name":"Authentication","item":[{"name":"Get Bearer Token","event":[{"listen":"prerequest","script":{"type":"text/javascript","exec":["// Build ts + txn + SHA256(accessKey + ts + txn) → authKey.","// The v1 auth layer (which v2 reuses at the crypto level) expects this hashed form.","const ts = new Date().toISOString().replace(/\\.\\d{3}Z$/, '+00:00');","const txn = 'pm' + Date.now() + Math.floor(Math.random() * 1e6);","const accessKey = pm.environment.get('accessKey');","if (!accessKey || accessKey.startsWith('<')) {"," throw new Error('Set accessKey in the environment (CERTInext portal → Integration → REST APIs).');","}","const hash = CryptoJS.SHA256(accessKey + ts + txn).toString(CryptoJS.enc.Hex);","pm.variables.set('_ts', ts);","pm.variables.set('_txn', txn);","pm.variables.set('_hash', hash);"],"id":"67a650bf-1711-4e31-8716-e1d2755b53ac"}},{"listen":"test","script":{"type":"text/javascript","exec":["pm.test('200 OK', () => pm.response.to.have.status(200));","const body = pm.response.json();","const tok = body && body.tokenDetails ? body.tokenDetails.accessToken : null;","const ref = body && body.tokenDetails ? body.tokenDetails.refreshToken : null;","if (tok) {"," pm.collectionVariables.set('accessToken', tok);"," pm.collectionVariables.set('refreshToken', ref || '');"," pm.test('accessToken captured', () => pm.expect(tok).to.be.a('string').and.not.empty);"," console.log('Bearer token saved to — valid for', body.tokenDetails.expiresIn, 'seconds.');","} else {"," const err = (body && (body.meta || body)) || {};"," pm.test('Token request failed: ' + (err.errorMessage || err.error_description || err.error || JSON.stringify(err)), () => false);","}"],"id":"63bdb361-db3e-4665-8676-c4039d6fa5e4"}}],"id":"9d2a1764-1df6-40b8-95d7-805e76a342b3","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"method":"POST","header":[{"key":"Content-Type","value":"application/json"}],"body":{"mode":"raw","raw":"{\n \"grant_type\": \"client_credentials\",\n \"accountNumber\": \"{{appCode}}\",\n \"authKey\": \"{{_hash}}\",\n \"ver\": \"1.0\",\n \"ts\": \"{{_ts}}\",\n \"txn\": \"{{_txn}}\"\n}","options":{"raw":{"language":"json"}}},"url":"{{v2BaseURL}}/oauth/token","description":"Exchanges your appCode + accessKey for a short-lived Bearer token.
{\n \"meta\": { \"status\": \"1\", \"ts\": \"...\", \"txn\": \"...\" },\n \"tokenDetails\": {\n \"accessToken\": \"<JWT>\",\n \"tokenType\": \"Bearer\",\n \"expiresIn\": 3600,\n \"refreshToken\": \"<opaque>\"\n }\n}\nThe test script captures accessToken into — every downstream request uses it automatically.
→ Pick a product family folder (SSL/TLS, Document Signer, Private PKI) and call its 1. Create Order request.
\n400 EMS-2028 — meta field missing. Check appCode is set in the environment.401 EMS-2037 — access key mismatch. Regenerate in portal if needed.403 EMS-2022 — OAuth2 not enabled on this client. Contact support.Exchanges a refreshToken for a fresh accessToken — no need to re-hash your accessKey from scratch.
When is close to expiry (default TTL is 3600 seconds) but is still valid. Use this to avoid interactive re-auth.
Same shape as Get Bearer Token. The test script replaces both and .
401 EMS-2038 — refresh token expired or revoked. Call Get Bearer Token to re-authenticate.Run Get Bearer Token once at the start of every session. The test script captures the JWT into so every other request can use it via Authorization: Bearer . Tokens expire in 1 hour — either re-run Get Bearer Token or use Refresh Token.
Auto-generated — same key + body replays the original response.
\n"},{"key":"X-Product-Code","value":"{{productCodeSslDv}}","description":"842=DV, 846=OV, 850=EV. Discover via Catalog → List Products.
\n"}],"body":{"mode":"raw","raw":"{\n \"productVariant\": \"dv\",\n \"emailNotifications\": \"all\",\n \"requestor\": {\n \"name\": \"John Smith\",\n \"email\": \"john@example.com\",\n \"phone\": \"+19481081094\",\n \"designation\": \"IT Administrator\"\n },\n \"certificate\": {\n \"domain\": \"example.com\",\n \"autoSecureWww\": true\n },\n \"subscription\": {\n \"validityYears\": 1,\n \"autoRenew\": true,\n \"renewBeforeDays\": 30\n },\n \"agreement\": {\n \"signerName\": \"John Smith\",\n \"signerIp\": \"10.24.108.199\",\n \"signerPlace\": \"New York\",\n \"accepted\": true\n },\n \"remarks\": \"Postman test run\"\n}","options":{"raw":{"language":"json"}}},"url":"{{v2BaseURL}}/api/certinext/v2/ssl-certificates","description":"Creates a new SSL/TLS certificate order.
\nAt the very start of every new SSL issuance.
\nX-Product-Code — which variant (842 DV, 846 OV, 850 EV, etc.)Idempotency-Key — safe retriesproductVariant — dv, ov, or evrequestor — who to contact about this ordercertificate.domain — primary domain; autoSecureWww adds www.<domain> automaticallysubscription.validityYears — 1, 2, or 3agreement.accepted — must be true to place a public-CA order{\n \"orderId\": \"ord_abc123\",\n \"requestId\": \"req_def456\",\n \"status\": \"pending-dcv\",\n \"productVariant\": \"dv\",\n \"domain\": \"example.com\",\n \"_links\": {\n \"self\": { \"href\": \"/api/certinext/v2/ssl-certificates/ord_abc123\" },\n \"dcv\": { \"href\": \"/api/certinext/v2/ssl-certificates/ord_abc123/dcv\" },\n \"csr\": { \"href\": \"/api/certinext/v2/ssl-certificates/ord_abc123/csr\" },\n \"agreement\": { \"href\": \"/api/certinext/v2/ssl-certificates/ord_abc123/agreement\" },\n \"certificate\": { \"href\": \"/api/certinext/v2/ssl-certificates/ord_abc123/certificate\" },\n \"cancel\": { \"href\": \"/api/certinext/v2/ssl-certificates/ord_abc123/cancel\" },\n \"revoke\": { \"href\": \"/api/certinext/v2/ssl-certificates/ord_abc123/revoke\" }\n }\n}\norderId is auto-captured into — next requests use it.
→ 2. Get DCV Challenges (for public DV/OV/EV SSL)
\nEMS-915 invalid product codeEMS-916 missing requestor infoEMS-917 missing certificate infoEMS-918 missing additional infoReturns the three DCV methods — HTTP file, DNS TXT, email — with the exact artifact to publish.
\nImmediately after 1. Create Order for public DV/OV/EV SSL.
\ndomain — required. Use the same domain from your create request.{\n \"domains\": [{\n \"domain\": \"example.com\",\n \"methods\": {\n \"http-url\": {\n \"path\": \"/.well-known/pki-validation/emudhra-<token>.txt\",\n \"expectedContent\": \"<random-hex>\"\n },\n \"dns-txt\": {\n \"host\": \"_emudhra-challenge.example.com\",\n \"expectedValue\": \"emudhra-dcv-<random>\"\n },\n \"email\": {\n \"sendTo\": [\"admin@example.com\", \"webmaster@example.com\"]\n }\n }\n }]\n}\n→ Publish the challenge on your server (host the file, create the TXT record, or reply to the email)\n→ Then call 3. Verify DCV
\n","urlObject":{"path":["api","certinext","v2","ssl-certificates","","dcv"],"host":["{{v2BaseURL}}"],"query":[{"description":{"content":"Required. Domain on the order to fetch challenges for.
\n","type":"text/plain"},"key":"domain","value":"example.com"}],"variable":[]}},"response":[],"_postman_id":"acb2c1a1-35cd-4204-9b53-420a450f12b3"},{"name":"3. Verify DCV","id":"ebb9da7f-eff7-4ec7-8638-aa9dd385d437","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"method":"POST","header":[{"key":"Authorization","value":"Bearer "},{"key":"Content-Type","value":"application/json"}],"body":{"mode":"raw","raw":"{\n \"domain\": \"example.com\",\n \"method\": \"http-url\"\n}","options":{"raw":{"language":"json"}}},"url":"{{v2BaseURL}}/api/certinext/v2/ssl-certificates//dcv/verify","description":"Asks the CA to re-check the DCV artifact you just published.
\ndomain — same domain as on the ordermethod — http-url, dns-txt, or email (match what you actually published)204 No Content — DCV passed; order advances to pending-csr422 — CA couldn't find / match the artifact; check the file path or DNS propagation→ 4. Submit CSR
\n","urlObject":{"path":["api","certinext","v2","ssl-certificates","","dcv","verify"],"host":["{{v2BaseURL}}"],"query":[],"variable":[]}},"response":[],"_postman_id":"ebb9da7f-eff7-4ec7-8638-aa9dd385d437"},{"name":"4. Submit CSR","id":"550f5832-7676-4010-8132-b5372ab25c54","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"method":"PUT","header":[{"key":"Authorization","value":"Bearer "},{"key":"Content-Type","value":"application/json"}],"body":{"mode":"raw","raw":"{\n \"csr\": \"-----BEGIN CERTIFICATE REQUEST-----\\nAttaches a PEM-encoded Certificate Signing Request to the order.
\ncsr — full PEM including the BEGIN/END markers. Generate with openssl req -new -newkey rsa:2048 -nodes -keyout key.pem -out csr.pem.attested — true only when the key was produced by an attested/HSM-backed generator.204 No Content — CSR accepted422 — CSR malformed, or order not in a state that accepts a CSR→ 5. Accept Agreement
\n","urlObject":{"path":["api","certinext","v2","ssl-certificates","","csr"],"host":["{{v2BaseURL}}"],"query":[],"variable":[]}},"response":[],"_postman_id":"550f5832-7676-4010-8132-b5372ab25c54"},{"name":"5. Accept Agreement","id":"57242ca2-f319-4c2b-8a8d-b1a579636f8b","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"method":"POST","header":[{"key":"Authorization","value":"Bearer "},{"key":"Content-Type","value":"application/json"}],"body":{"mode":"raw","raw":"{\n \"agreement\": {\n \"signerName\": \"John Smith\",\n \"signerIp\": \"10.24.108.199\",\n \"signerPlace\": \"New York\",\n \"accepted\": true\n }\n}","options":{"raw":{"language":"json"}}},"url":"{{v2BaseURL}}/api/certinext/v2/ssl-certificates//agreement","description":"Records the Subscriber Agreement acceptance.
\n204 No Content — recorded; the CA now issues→ Poll Track Order until status=issued, then 6. Download Certificate
Use application/x-pem-file for PEM text, application/pkix-cert for DER bytes.
\n"}],"url":"{{v2BaseURL}}/api/certinext/v2/ssl-certificates//certificate","description":"Returns the issued certificate.
\n{\n \"orderId\": \"ord_abc123\",\n \"serialNumber\": \"0A1B2C3D4E...\",\n \"subject\": \"CN=example.com\",\n \"issuer\": \"CN=CERTInext TLS Intermediate\",\n \"notBefore\": \"2026-04-24T10:00:00Z\",\n \"notAfter\": \"2027-04-24T10:00:00Z\",\n \"certificatePem\": \"-----BEGIN CERTIFICATE-----\\n...\\n-----END CERTIFICATE-----\"\n}\n422 if the order is not yet issued. Poll Track Order first.
Returns the current state of an SSL order.
\npending-dcv → pending-csr → pending-agreement → issued (or cancelled / revoked)
Poll this between lifecycle steps. Use the _links in the response to discover the next allowed operation.
Withdraw an order before it has been issued. Once issued, use Revoke Certificate instead.
\n204 No Content — cancelled422 — order is in a state that cannot be cancelled (e.g. already revoked)The order remains visible via Track Order with status=cancelled.
Only for draft requests (saveAsDraft=true) that returned a requestId but no orderId. If the draft has been promoted to a real order, use Cancel Order with the orderId instead.
Permanently revoke an issued certificate.
\nunspecifiedkeyCompromisecaCompromiseaffiliationChangedsupersededcessationOfOperationprivilegeWithdrawn204 No Content — revocation queued; CRL / OCSP reflect this on next publish.422 — order not yet issued, or already revoked.Public SSL/TLS certificate lifecycle — DV, OV, EV, plus wildcard and UCC variants.
\nTypical flow: Create → Get DCV → Verify DCV → Submit CSR → Accept Agreement → Download Certificate.
\nUse Cancel to withdraw before issuance and Revoke to invalidate an already-issued cert.
\nThe first request (Create Order) captures the into the collection so every subsequent request uses it without editing.
819=NP 1Y, 822=LP 1Y, 825=LE 1Y.
\n"}],"body":{"mode":"raw","raw":"{\n \"subjectType\": \"natural-person\",\n \"emailNotifications\": \"all\",\n \"requestor\": {\n \"name\": \"Jane Doe\",\n \"email\": \"jane@example.com\",\n \"phone\": \"+19481081094\",\n \"designation\": \"Signer\"\n },\n \"subject\": {\n \"givenName\": \"Jane\",\n \"surname\": \"Doe\",\n \"email\": \"jane@example.com\",\n \"countryCode\": \"IN\"\n },\n \"subscription\": { \"validityYears\": 1, \"autoRenew\": false },\n \"agreement\": {\n \"signerName\": \"Jane Doe\",\n \"signerIp\": \"10.24.108.199\",\n \"signerPlace\": \"Bangalore\",\n \"accepted\": true\n }\n}","options":{"raw":{"language":"json"}}},"url":"{{v2BaseURL}}/api/certinext/v2/signature-certificates","description":"Creates a Document Signer order.
\nsubjectType valuesnatural-person — individual signerlegal-person — employee signing on behalf of an orglegal-entity — the org itself→ 2. Upload Documents (currently pending, use v1 /emSignHub-API/SubmitDocument until v2 ships)
Returns the current state. Expected sequence: pending-documents → pending-vetting → pending-csr → pending-agreement → issued.
PAN / Aadhaar / passport scan.
\n","value":null},{"key":"addressProof","type":"file","description":"Utility bill, bank statement, etc.
\n","value":null}]},"url":"{{v2BaseURL}}/api/certinext/v2/signature-certificates//documents","description":"Currently returns 501 Not Implemented. Workaround until v2 multipart forwarder ships: use v1 POST /emSignHub-API/SubmitDocument with the same account credentials.
Attaches a PEM-encoded CSR to the Document Signer order so the CA can issue the certificate against it.
\ncsr — full PEM with -----BEGIN CERTIFICATE REQUEST----- / -----END CERTIFICATE REQUEST----- markers. Generate with openssl req -new -newkey rsa:2048 -nodes -keyout key.pem -out csr.pem.attested — true only when the key was generated by an attested/HSM-backed module.204 No Content — CSR accepted; order advances to pending-agreement.422 — CSR malformed or order not in a CSR-acceptable state.→ 4. Accept Agreement
\n","urlObject":{"path":["api","certinext","v2","signature-certificates","","csr"],"host":["{{v2BaseURL}}"],"query":[],"variable":[]}},"response":[],"_postman_id":"fc2152c6-5c88-44f0-bd05-fca7ac7a2384"},{"name":"4. Accept Agreement","id":"202e1315-1270-40a1-b1c8-dfefa5ee9c8b","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"method":"POST","header":[{"key":"Authorization","value":"Bearer "},{"key":"Content-Type","value":"application/json"}],"body":{"mode":"raw","raw":"{\n \"agreement\": {\n \"signerName\": \"Jane Doe\",\n \"signerIp\": \"10.24.108.199\",\n \"signerPlace\": \"Bangalore\",\n \"accepted\": true\n }\n}","options":{"raw":{"language":"json"}}},"url":"{{v2BaseURL}}/api/certinext/v2/signature-certificates//agreement","description":"Records the Subscriber Agreement acceptance for the Document Signer order. Required before the CA will issue the certificate.
\n204 No Content — recorded; order advances toward issuance.422 — order not in a state that accepts an agreement yet.→ Poll Track Order until status=issued, then 5. Download Certificate
Withdraw a Document Signer order before issuance. Use Revoke after issuance.
\n","urlObject":{"path":["api","certinext","v2","signature-certificates","","cancel"],"host":["{{v2BaseURL}}"],"query":[],"variable":[]}},"response":[],"_postman_id":"99c19b26-ac06-43d2-8257-60f952d3d591"},{"name":"Revoke Certificate","id":"bae9b905-7c8d-44f5-865b-8db36eedd80a","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"method":"POST","header":[{"key":"Authorization","value":"Bearer "},{"key":"Content-Type","value":"application/json"},{"key":"Idempotency-Key","value":"09882081-d6dd-4456-83c9-b1cdc0ba9fd5"}],"body":{"mode":"raw","raw":"{\n \"reason\": \"keyCompromise\",\n \"note\": \"Private key reported leaked\"\n}","options":{"raw":{"language":"json"}}},"url":"{{v2BaseURL}}/api/certinext/v2/signature-certificates//revoke","description":"Permanently revoke an issued Document Signer certificate. Revoked certs surface in CRL / OCSP on the next publication cycle.
\nunspecified, keyCompromise, affiliationChanged, superseded, cessationOfOperation, privilegeWithdrawn
204 No Content — revocation queued.422 — order not issued yet, or already revoked.Download the issued signature certificate. JSON / PEM / DER via Accept header.
Digital-signature certificates for Natural Person (individuals), Legal Person (employees), and Legal Entity (organizations).
\nTypical flow: Create → Upload Documents → Submit CSR → Accept Agreement → Download Certificate.
\nUnlike SSL there is no DCV step — instead the CA vets uploaded identity documents.
\n","_postman_id":"2e01710c-33b9-4ecd-8dd7-604739dfb839"},{"name":"Private PKI Certificates","item":[{"name":"1. Create Order","event":[{"listen":"test","script":{"type":"text/javascript","exec":["const body = pm.response.json();","if (pm.response.code === 201 && body.orderId) {"," pm.collectionVariables.set('orderId', body.orderId);"," pm.collectionVariables.set('requestId', body.requestId || '');"," pm.test('PKI order created, orderId=' + body.orderId, () => pm.expect(body.orderId).to.be.a('string'));"," console.log('Next: run \"2. Submit CSR\".');","} else {"," pm.test('Create FAILED: ' + (body.detail || body.title || JSON.stringify(body)), () => false);","}"],"id":"6e105734-b5cb-4136-93d5-6de942f72910"}}],"id":"0583dfec-5754-4ba2-ad4f-5269d2fb5879","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"method":"POST","header":[{"key":"Authorization","value":"Bearer "},{"key":"Content-Type","value":"application/json"},{"key":"Idempotency-Key","value":"35967bdb-8089-4e71-b562-be8b32fcef16"},{"key":"X-Product-Code","value":"{{productCodePkiIntranet}}","description":"From your private catalog.
\n"}],"body":{"mode":"raw","raw":"{\n \"variant\": \"intranet-ssl\",\n \"caProfileId\": \"{{caProfileId}}\",\n \"masterProductId\": \"{{masterProductId}}\",\n \"hostname\": \"intranet.example.local\",\n \"additionalHosts\": [\"portal.example.local\"],\n \"emailNotifications\": \"all\",\n \"subscription\": { \"validityYears\": 1 },\n \"requestor\": {\n \"name\": \"Ops Team\",\n \"email\": \"ops@example.com\",\n \"phone\": \"+19481081094\",\n \"designation\": \"Infra\"\n }\n}","options":{"raw":{"language":"json"}}},"url":"{{v2BaseURL}}/api/certinext/v2/private-pki-certificates","description":"Creates an order against your own PKI CA.
\nvariant — intranet-ssl or igtf-hostcaProfileId — CA template (set in portal)masterProductId — subscription slothostname — primary CNadditionalHosts[] — SANs (DNS names or IPs)→ 2. Submit CSR
\n","urlObject":{"path":["api","certinext","v2","private-pki-certificates"],"host":["{{v2BaseURL}}"],"query":[],"variable":[]}},"response":[],"_postman_id":"0583dfec-5754-4ba2-ad4f-5269d2fb5879"},{"name":"Track Order","id":"f8b84179-c720-4f0e-8fdb-6f17dd05d070","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"method":"GET","header":[{"key":"Authorization","value":"Bearer "}],"url":"{{v2BaseURL}}/api/certinext/v2/private-pki-certificates/","description":"Returns the current state of a Private PKI order.
\npending-csr → issued (or cancelled / revoked). Private PKI orders usually skip long vetting stages because the CA is customer-owned.
Poll this between Submit CSR and Download Certificate to confirm issuance.
\n","urlObject":{"path":["api","certinext","v2","private-pki-certificates",""],"host":["{{v2BaseURL}}"],"query":[],"variable":[]}},"response":[],"_postman_id":"f8b84179-c720-4f0e-8fdb-6f17dd05d070"},{"name":"2. Submit CSR","id":"2d2c863e-4335-43dc-a1ed-f6810ba4473a","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"method":"PUT","header":[{"key":"Authorization","value":"Bearer "},{"key":"Content-Type","value":"application/json"}],"body":{"mode":"raw","raw":"{\n \"csr\": \"-----BEGIN CERTIFICATE REQUEST-----\\nAttach a PEM CSR. The customer CA signs immediately. 204 No Content on success.
Withdraw a Private PKI order before issuance. After issuance, use Revoke Certificate.
\n204 No Content — cancelled; order remains visible via Track Order with status=cancelled.422 — order already issued / revoked / cancelled.Permanently revoke an issued Private PKI certificate.
\nunspecified, keyCompromise, affiliationChanged, superseded, cessationOfOperation, privilegeWithdrawn
204 No Content — revocation recorded on the customer CA.422 — order not issued yet, or already revoked.Download the issued Private PKI cert. JSON / PEM / DER via Accept.
Certificates issued from a customer-owned PKI CA — Intranet SSL and IGTF Host variants.
\nTypical flow: Create → Submit CSR → Download Certificate.
\nNo DCV (CA is yours) and no Subscriber Agreement.
\n","_postman_id":"28ea7a1c-47a4-45e4-8da0-32b253de21c9"},{"name":"Accounts","item":[{"name":"Who am I (from token)","id":"d3bd8ef6-0f0a-4510-bc1e-1e3e915e22aa","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"method":"GET","header":[{"key":"Authorization","value":"Bearer "}],"url":"{{v2BaseURL}}/api/certinext/v2/auth/me","description":"Returns the account context the Bearer token resolves to — appCode, internal accountId, accountUserId, authType.
As a post-login sanity check, or to confirm the token you're about to use is still valid.
\n","urlObject":{"path":["api","certinext","v2","auth","me"],"host":["{{v2BaseURL}}"],"query":[],"variable":[]}},"response":[],"_postman_id":"d3bd8ef6-0f0a-4510-bc1e-1e3e915e22aa"},{"name":"List Groups","id":"45fb8128-2f37-4aea-ae1c-86223e8b9f6f","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"method":"GET","header":[{"key":"Authorization","value":"Bearer "}],"url":"{{v2BaseURL}}/api/certinext/v2/groups","description":"Billing groups accessible to your account. Use a groupNumber from here in order bodies to charge a specific cost centre.
Pre-vetted organizations available for OV/EV SSL. Reference an organizationNumber in order bodies to skip re-vetting.
Optional — filter to a group.
\n","type":"text/plain"},"key":"groupNumber","value":""}],"variable":[]}},"response":[],"_postman_id":"46ff8a12-ec9e-435d-b276-4eff0eb64639"},{"name":"Get Organization","id":"7e49fb0f-ab56-4a72-bf52-9c97f6d01840","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"method":"GET","header":[{"key":"Authorization","value":"Bearer "}],"url":"{{v2BaseURL}}/api/certinext/v2/organizations/{{organizationNumber}}","description":"Full details for a single organization: address, representatives, linked domains, agreement status.
\n","urlObject":{"path":["api","certinext","v2","organizations","{{organizationNumber}}"],"host":["{{v2BaseURL}}"],"query":[],"variable":[]}},"response":[],"_postman_id":"7e49fb0f-ab56-4a72-bf52-9c97f6d01840"},{"name":"List Domains","id":"147dcd5f-6ca9-437b-b526-fae90fd5fc25","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"method":"GET","header":[{"key":"Authorization","value":"Bearer "}],"url":"{{v2BaseURL}}/api/certinext/v2/domains","description":"Domains already pre-validated under your account — DCV does not need to be repeated for these.
\n","urlObject":{"path":["api","certinext","v2","domains"],"host":["{{v2BaseURL}}"],"query":[],"variable":[]}},"response":[],"_postman_id":"147dcd5f-6ca9-437b-b526-fae90fd5fc25"}],"id":"4375aa7d-fa38-4fa4-959d-5cc4da1a4584","description":"Cross-cutting reads — identity, billing groups, pre-vetted organizations, and registered domains. Call these before placing orders to discover your entitlements.
\n","_postman_id":"4375aa7d-fa38-4fa4-959d-5cc4da1a4584"},{"name":"Catalog","item":[{"name":"List Products","id":"89f1055c-be02-4d8d-9592-3c12bb8410ca","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"method":"GET","header":[{"key":"Authorization","value":"Bearer "}],"url":"{{v2BaseURL}}/api/certinext/v2/catalog/products","description":"Returns every SSL / Document Signer / Private PKI product your account can order. Each entry has a stable productCode + productType + variant metadata.
Optional — scope to a billing group.
\n","type":"text/plain"},"key":"groupNumber","value":""}],"variable":[]}},"response":[],"_postman_id":"89f1055c-be02-4d8d-9592-3c12bb8410ca"},{"name":"Get Custom Fields for Product","id":"3f5c1802-c105-48f9-b237-a90ed81b6d3c","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"method":"GET","header":[{"key":"Authorization","value":"Bearer "}],"url":"{{v2BaseURL}}/api/certinext/v2/catalog/products/{{productCodeSslDv}}/custom-fields","description":"Returns mandatory + optional customFields for the given product. Include these in the customFields[] array on order creation.
Optional — scope to an organization.
\n","type":"text/plain"},"key":"organizationNumber","value":"{{organizationNumber}}"}],"variable":[]}},"response":[],"_postman_id":"3f5c1802-c105-48f9-b237-a90ed81b6d3c"}],"id":"74deaa60-90de-4ab2-a01a-63c504f609fa","description":"Products you are entitled to order + their custom-field definitions. Call List Products once per integration build and cache the productCode values — they are the source of truth for the X-Product-Code header.
Paginated, filterable order history. Note: currently returns 501 Not Implemented. Use v1 POST /emSignHub-API/GetOrderReport meanwhile.
ssl | signature | private-pki
\n","type":"text/plain"},"key":"productType","value":"ssl"},{"disabled":true,"description":{"content":"Filter by order status.
\n","type":"text/plain"},"key":"status","value":"issued"},{"disabled":true,"description":{"content":"Start date (RFC 3339).
\n","type":"text/plain"},"key":"from","value":"2026-01-01T00:00:00Z"},{"disabled":true,"description":{"content":"End date (RFC 3339).
\n","type":"text/plain"},"key":"to","value":"2026-04-24T23:59:59Z"},{"key":"page","value":"0"},{"key":"size","value":"50"}],"variable":[]}},"response":[],"_postman_id":"8707e240-f277-4780-9fd7-1041e6de33d6"},{"name":"Ledger Statement","id":"062d05e0-0a98-4309-a74b-0a13edeeb203","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"method":"GET","header":[{"key":"Authorization","value":"Bearer "}],"url":"{{v2BaseURL}}/api/certinext/v2/reports/ledger?page=0&size=50","description":"Debit / credit ledger movements for the account, with pagination. Pair with groupNumber to isolate a cost centre.
Optional — filter to a billing group.
\n","type":"text/plain"},"key":"groupNumber","value":""},{"key":"page","value":"0"},{"key":"size","value":"50"}],"variable":[]}},"response":[],"_postman_id":"062d05e0-0a98-4309-a74b-0a13edeeb203"}],"id":"9b659a27-344e-4920-9f48-aea74a95714b","description":"Operational + financial reports.
\n","_postman_id":"9b659a27-344e-4920-9f48-aea74a95714b"},{"name":"Reference","item":[{"name":"Error Codes","id":"2b03b4a9-2b51-4fce-8765-2feb17cdd04d","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"method":"GET","header":[],"url":"about:reference/error-codes","description":"Every error response follows RFC 7807 and carries an EMS-xxxx code in detail. Use this table to diagnose failures quickly.
/oauth/token)POST /{product}-certificates){\n \"type\": \"https://api.certinext.io/errors/<slug>\",\n \"title\": \"Human-readable title\",\n \"status\": 422,\n \"detail\": \"[EMS-918] Additional information cannot be empty\",\n \"instance\": \"/api/certinext/v2/ssl-certificates\",\n \"errors\": [\n { \"field\": \"certificate.domain\", \"message\": \"must not be blank\" }\n ]\n}\nThe numeric productCode goes in the X-Product-Code header on every order-create request. The canonical source is Catalog → List Products — these values match most environments but are authoritative only in the catalog response.
Private PKI product codes vary per customer catalog. Query Catalog → List Products with your token; the entries with productType=private-pki will list the codes available to your account.
The environment files expose these as {{productCodeSslDv}}, {{productCodeDocSignerNp1Y}}, etc. — the requests in the lifecycle folders already reference them so you don't have to edit headers.
All countryCode fields in request bodies use ISO 3166-1 alpha-2 (two-letter uppercase). Common values:
The full ISO 3166-1 alpha-2 list: https://www.iso.org/obp/ui/#search
\n","urlObject":{"port":"reference","path":["country-codes"],"host":["about"],"query":[],"variable":[]}},"response":[],"_postman_id":"9fe4fe24-be69-4ea1-b6dd-fb4563092261"},{"name":"Migration Guide — v1 → v2","id":"576d3717-081a-4fff-ab1b-e536f94e455a","protocolProfileBehavior":{"disableBodyPruning":true},"request":{"method":"GET","header":[],"url":"about:reference/migration-v1-to-v2","description":"/emSignHub-API/*) to v2 (/api/certinext/v2/*)The v1 endpoints remain live — v2 is additive. Every v1 response now carries Deprecation: true and Link: rel=\"successor-version\" headers pointing at its v2 equivalent.
meta envelope. Requests carry business fields at the top level. Successful responses return the resource directly, not wrapped.true/false (v1 used \"0\"/\"1\"). Enums are lowercase-hyphenated (dv, natural-person, intranet-ssl). Product code is a header (X-Product-Code), not a body field.+919481081094) — no more isdCode/mobileNumber split.application/problem+json with type, title, status, detail, instance, code, errors[].?page=0&size=50.Every unsafe POST accepts an Idempotency-Key header. Re-sending the same key with the same body returns the original response. Different body with the same key returns 409 Conflict with code=idempotency_conflict.
POST /oauth/token call at session start.meta envelope out of every request body./emSignHub-API/<Verb> to /api/certinext/v2/<resource>/<id>/<sub>.\"0\"/\"1\" booleans to true/false and numeric product codes to the X-Product-Code header.meta.errorCode / meta.errorMessage.Idempotency-Key per logical retry._links map in responses to drive the next lifecycle step.Read-only reference material. The requests in this folder are not real HTTP calls — they're stubs that exist to anchor the detailed tables in their descriptions. Open any item to see the reference content.
\n","_postman_id":"671fcd9f-adaa-4fcf-97fb-090593339a35"}],"variable":[{"key":"accessToken","value":""},{"key":"refreshToken","value":""},{"key":"orderId","value":""},{"key":"requestId","value":""}]}