Specify Certificate Type (w/ ACME & Certbot)

Umm.. again, I have said something that caused confusion. I did not quote enough... The FileMaker product is a database server, and attempting to secure communications with an SSL certificate is the goal. It works just fine if we manually generate the certificate utilizing the Sectigo/InCommon web portal with a CSR, selecting the certificate type needed. We can install that manually generated certificate and all is well.

HOWEVER - the ultimate goal is to automate the certificate renewal process utilizing the various tools such as CertBot or other ACME protocol based tools. We do not want to continue to do this manually.

Well, Certbot was developed by EFF and is supported at their GitHub. We often deal with questions about that here to assist getting Let's Encrypt certs (by ISRG). They are often confused as being from the same org.

That Comodo Elite cert is "business validated", which is probably not supported by the ACME protocol, which is domain validation. But perhaps Sectigo offers a REST interface.

5 Likes

The main things that an ACME client (like Certbot) can send to the server, to influence the properties of the certificates that it requests, that I can think of off the top of my head, are:

  • Putting something in the CSR (like Let's Encrypt does with handling a request for the must_staple extension)
  • Binding to an external account, where the CA has a separate interface for controlling preferences
  • Using separate ACME server directory endpoints
  • Adding some sort of custom HTTP header somewhere in the process (which Certbot probably doesn't handle out-of-the-box)
  • I suppose you could do something really crazy like use the account registration email address to convey other preferences too.

But in terms of which of those a specific CA might use to pick certain options they provide, you'd have to look at that specific CA's documentation.

7 Likes

I really appreciate the thorough answer.. and it has given me some ideas!

1 Like

Yes, the CA offers a REST API, and we have successfully used that.. it just requires lots of internal development to work with it.. whereas Certbot is an out-of-the-box solution and I was hoping that it would support this capability.

And it should be able to be secured with any certificate.

If that fails...
You should be able to proxy those requests [almost everything can be proxied these days].

4 Likes

Yes, they have an ACME endpoint, and before you run me off the cliff, yes, I know ACME and REST are very different, and Certbot cannot do REST. We have been issuing certificates via ACME and Certbot via our CA very successfully.. just trying to choose a specific certificate type. I will be honest, I too am a bit confused as to the difference. But since it is required, this is why I asked.

If you are curious:

1 Like

Can Sectigo offer all those types of certificates using their ACME API? That's probably an important question. It might be as simple as them having multiple ACME API endpoints to "select" a certain type of certificate.

Those certificates in essence are probably nothing different than regular certificates. Probably only their issuer and perhaps some content of the Subject field are different.

It really depends on how their ACME API would "choose" one of the thousands of types they offer if Certbot can be used for that.

6 Likes

"Comodo Elite SSL Certificates" are just Organization Validation (OV) certificates.

OV generally doesn't do well with ACME, as ACME flows are designed for automation, while OV is the complete opposite of automation. Quoting some statements from "Comodo Elite SSL Certificate to secure intranets, extranets and websites":

Validation Levels

Every Elite SSL certificate undergoes a two-factor validation process of the domain name and company details before issuance. This enhances and builds credibility and trust.

Validation Required

Please note: This product requires you to complete Organization Verification, including Telephone Verification. Your organization must be publicly listed on a third-party business directory site (Dun and Bradstreet, Yellow Pages, OpenCorporates, etc.) or you must be prepared to submit a Professional Opinion Letter to verify all required details. Comodo must be able to complete a telephone call with you to complete verification for your certificate. For more information, please review our Organization Validation Knowledgebase article.

Pretty sure Sectigo does not offer ACME for this type of certificate. So no, that won't work with certbot.

7 Likes

I unlisted the duplicate thread.

5 Likes

Maybe they use external account bindings and couple a verification to a certain account? Verify once, issue many? Although I'm not sure what the BR would say about that.

5 Likes

I'm pretty sure this is indeed a thing. I recall users mentioning something like this about Digicert previously. They have different directory endpoints for different types of certs...perhaps even custom generated endpoints per account/organization.

Bottom line though. Specifying a certificate type beyond the private key type/size is not something that ACME directly supports. If there's an answer specific to Sectigo, they'd have to be the ones to provide it.

6 Likes

Well, there is select-your-alternative-root in LE, but it was a hack for the Android root store not updating fiasco, and I'm pretty sure it wouldn't be supported if that hadn't happened.

5 Likes

This suggestion from @mcpherrinm comes to mind:

5 Likes

Nah, that is directly supported in the spec in section 7.4.2. It's only intended for alternate chains, not alternate certs. Though the wording is "SHOULD", so technically open to interpretation.

The server MAY provide one or more link relation header fields [RFC8288] with relation "alternate". Each such field SHOULD express an alternative certificate chain starting with the same end-entity certificate. This can be used to express paths to various trust anchors. Clients can fetch these alternates and use their own heuristics to decide which is optimal.

7 Likes

It's most certainly a thing. My workplace, a university, has a contract with Sectigo that allows us to obtain as many OV validated certificates as we want, as long as the names are within our university domain. External Account Binding makes this possible. There's probably some kind of annual vetting going on in the background to make sure that the university is still a university, but that doesn't matter to the automation.

But I only really use those certs when people insist on it. They're valid for a whole year, which means that the automation isn't exercised often enough to prove that it still works, and you can't combine university and non-university domains into a single cert, and they're big bulky things with all the unnecessary extra crap.

1 Like
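The external account binding mentioned in the list of client-side levers above and in the later Sectigo posts is a concrete ACME mechanism, so here is an added example (not code from the thread, Certbot or Sectigo) of how the binding JWS from RFC 8555 section 7.3.4 is built on the client side and what a CA checks before honouring it. The kid, MAC key, newAccount URL and account JWK are constructed placeholders standing in for what certbot takes as --eab-kid and --eab-hmac-key.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values: not real CA credentials, just stand-ins for the key
# identifier and base64url MAC key a CA hands out for external account binding.
NEW_ACCOUNT_URL = "https://acme.example.invalid/newAccount"
EAB_KID = "constructed-kid-0001"
EAB_MAC_KEY = base64.urlsafe_b64encode(bytes(range(32))).rstrip(b"=").decode()
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}

def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 8555 requires for JWS parts."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_eab(kid: str, mac_key: str, url: str, account_jwk: dict) -> dict:
    """Client side: HS256 JWS over the account's public JWK, keyed with the CA-issued MAC key."""
    protected = b64url(json.dumps({"alg": "HS256", "kid": kid, "url": url}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(account_jwk, separators=(",", ":")).encode())
    mac = hmac.new(b64url_decode(mac_key), f"{protected}.{payload}".encode("ascii"), hashlib.sha256)
    return {"protected": protected, "payload": payload, "signature": b64url(mac.digest())}

def verify_eab(eab: dict, known_mac_keys: dict, expected_url: str, outer_jwk: dict) -> bool:
    """CA side: the checks RFC 8555 section 7.3.4 asks the server to make before binding an account."""
    try:
        header = json.loads(b64url_decode(eab["protected"]))
        signing_input = f"{eab['protected']}.{eab['payload']}".encode("ascii")
        signature = b64url_decode(eab["signature"])
    except (KeyError, ValueError, TypeError):
        return False
    # The EAB header must carry HS256, a kid the CA issued, the newAccount URL and no nonce.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False
    if header.get("url") != expected_url or "nonce" in header:
        return False
    mac_key = known_mac_keys.get(header.get("kid"))
    if mac_key is None:
        return False
    expected = hmac.new(b64url_decode(mac_key), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False
    # The bound JWK must be the very key that signs the outer newAccount request.
    return json.loads(b64url_decode(eab["payload"])) == outer_jwk

def demo() -> bool:
    eab = build_eab(EAB_KID, EAB_MAC_KEY, NEW_ACCOUNT_URL, ACCOUNT_JWK)
    return verify_eab(eab, {EAB_KID: EAB_MAC_KEY}, NEW_ACCOUNT_URL, ACCOUNT_JWK)
```

This is why a CA can tie "verify the organization once, issue many certificates" to an ACME account without any per-request OV step: the MAC key proves the account belongs to the vetted customer, and the CA's own records decide what that account may be issued.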

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.