Frequently Asked Questions
If You've Got SSL Questions, We've Got SSL Answers
SSL Renewals has been around for quite some time now, and with our age has come wisdom about the industry. Together our team has formulated more than a hundred answers to the typical questions our customers ask, whether prior to purchase, during validation, or after issuance.
General Information regarding SSL
SSL is an abbreviation of Secure Sockets Layer. It is one of the technologies used to establish a secure, encrypted link between a browser and a web server. It is used to protect confidential data such as credit card numbers, passwords, user IDs and e-mail addresses. There are a number of ways to tell whether a website is secured: the "https" prefix and the padlock icon in the browser's address bar, the site seal that comes with your certificate, and, if the website uses a premium certificate, the green bar wrapped around the URL.
A Domain Validated (DV) Certificate uses the easiest and simplest validation style; these certificates allow you to get your site protected in just minutes. As the name states, the Vendor will verify that you have ownership of the domain that you want to protect. While it does get the job done, we only recommend this option for websites that want to get their site protected quickly and just want a certificate that will get the job done.
An Organization Validated (OV) Certificate is the next step up from a Domain Validated (DV) Certificate. With an Organization Validated Certificate the Certificate Authority (CA) will verify that the certificate is going to be issued to a valid business or organization. The weight carried by an Organization Validated Certificate is heftier than that of a Domain Validated Certificate because visitors will know that the site they're browsing is run by a recognized company in the location where it operates.
An Extended Validation (EV) SSL Certificate is the top dog when compared to both Domain Validated and Organization Validated. With an Extended Validation Certificate the browser will showcase a "Green Bar", which makes the site stand out from competitors and at the same time puts the site in the same family as sites such as PayPal and Twitter. The Extended Validation Certificate carries the most weight due to the vigorous verification process that the business goes through prior to being issued the certificate.
There's only one way to get a green address bar on your website, and for that you'll have to go with the Extended Validation (EV) type of SSL certificate.
To qualify for an EV certificate, it's mandatory that your business is a company officially registered with the government.
Note: Companies registered in the U.K. as a Sole Partnership or Sole Proprietor cannot qualify for any type of EV SSL certificate.
All single domain certificates offered by Sectigo automatically provide coverage for both www and non-www. With multi-domain certificates, you'll need to add a SAN for the www version and a SAN for the non-www version of the domain.
A Wildcard SSL Certificate will provide coverage for your domain (www.yourdomain.com), while at the same time providing coverage for unlimited subdomains such as mail.yourdomain.com, dev.yourdomain.com.
The certificate title says it all: a Multi-Domain (also referred to as SAN) Certificate allows you to extend your coverage across both other domains and subdomains with just one certificate. Depending on your chosen brand you might have a limit on the number of domains/subdomains you can cover; for example, both Symantec and Thawte Multi-Domain Certificates will only allow up to 250 domains in a single certificate.
The main difference between the two is that a Wildcard SSL Certificate provides coverage for one domain name (www.yourdomain.com) and an unlimited number of subdomains of that domain (login.yourdomain.com, dev.yourdomain.com, mail.yourdomain.com). A Multi-Domain (SAN) SSL Certificate gives you the option to cover both multiple domains and subdomains in a single certificate (www.yourdomain.com, www.yourdomain.net, login.yourdomain.com).
To use 256-bit encryption you'll have to edit the configuration of the hosting platform you're using; there's no involvement on the certificate side. To learn more about how to set this, you'll have to get in contact with your hosting provider.
The difference between 1024-bit and 2048-bit is the encoding strength of the Private Key. At the moment 1024-bit is becoming easier to decode, which is why we recommend generating your Private Key at the 2048-bit length.
SHA (Signature Hashing Algorithm) is a type of cryptographic function which acts like a proof of the authenticity of the certificate. SHA-1 and SHA-2 are two different versions, of which SHA-1 is the older one and is outdated. SHA-1 is no longer trusted by the major web browsers or by the experts, whereas SHA-2 is the latest version.
Sole Proprietors who are not from the U.K. can qualify for both OV and EV certificates. Sole Proprietors from the U.K., however, cannot qualify for EV certificates, and for an OV certificate they have to provide some additional documents.
A Certificate Authority (CA) is the issuer of SSL Certificates; GeoTrust, RapidSSL, Thawte and Symantec are all considered to be CAs. SSL Renewals falls into the equation as we're a platinum partner reseller of GeoTrust, RapidSSL, Thawte and Symantec. By being a platinum partner we're able to extend the same offerings as the Vendor, but at a lower cost and with guidance throughout the entire SSL process.
All the Certificate Authorities (CAs) that we carry are leaders of the industry and are trusted world-wide. Symantec is the largest CA in the world and offers the Norton Trust Seal, which is the most recognizable symbol across the web when it comes to trust and security. Both the Norton name and the Symantec name carry the most weight in the industry and are unparalleled by any other CA.
Yes, all of the Certificate Authorities (CAs) that we offer on our site have their root included with 99% of all browsers and mobile devices.
The warranty that is offered with your SSL certificate provides coverage for any damage from a data breach or hack that is caused by a flaw in the certificate. As you move up the chain of validation types (DV, OV, and EV), your protection increases in line with the validation type.
Browser recognition, or ubiquity, is a term that describes how many browsers are able to recognize and trust an SSL certificate. The higher the browser ubiquity of an SSL certificate, the more browsers will be able to accept and recognize it.
It depends on which SSL certificate you choose; usually our certificates come with 1 to 2 years of validity. As per the Certificate Authority / Browser (CA/B) Forum, EV, OV and DV certificates from Comodo are issued for a maximum of 2 years.
All certificates that we sell can be purchased in increments ranging from 1 year up to the maximum of 2 years. However, as per the guidelines set by the Certificate Authority / Browser (CA/B) Forum, an Extended Validation Certificate can only be issued for a maximum of 2 years.
An Intermediate certificate is a file which helps the web browser recognize who has issued the SSL certificate. It's not mandatory to have it, but it's advisable to install it along with your SSL certificate to get full compatibility across more browsers and mobile devices.
Yes, SSL can be used to cover an internal domain, but it has to be an official registered domain (FQDN which is publicly available). The Certificate won't be issued if it's not a registered domain.
If your hosting platform or hosting company says you can only use one certificate file, you can combine your server certificate and the intermediate file into one file.
The difference is in the key lengths which are used after an SSL connection has been made in the browser. Though a 256-bit security key is bigger, it's similar to a 128-bit key when it comes to the level of security. The only reason to use a 256-bit key is if it's mandated by the policy of your company or industry.
All Multi-Domain certificates available on our site support up to 250 additional domains.
Unified Communications (UC) is a new type of SSL certificate designed especially for Microsoft products such as Microsoft Exchange 2007 and Microsoft Office Communications Server 2007. The biggest difference between a UCC SSL certificate and a standard Multi-Domain certificate is that UCC offers security for internal networks as well as external domain names.
It's one of the certificates which offers security for both multiple domains and their related sub-domains.
SSL Order Process
Its name says it all: it should remain confidential. Apart from you, only your hosting company should know your private key, and only if they ask for it. It should not be deleted, as it's required to make your certificate work.
If you need your certificate urgently, you can get in contact with us with the details of your order and your request, and we'll work with you on getting it expedited.
If you don't know which Control Panel/Server you're using, it's advisable to contact your IT department or your web hosting service provider to get this information.
If you want to change the method of Domain Control validation from file-based to email-based, you can do that with any of the SSL certificates we offer.
Validation/authentication of SSL
There's no need to provide any specific documents to purchase your Domain Validated (DV) certificate. All you have to do is provide a confirmation, through an email or a simple file-based authentication, that proves you own the domain for which you want coverage.
To purchase an Organization Validated (OV) certificate you have to provide information regarding your business registration. If online verification by the Certificate Authority (CA) is possible, there won't be any need for additional documents. If the online records are not correct or something is missing, they will ask for government-registered documents, which differ depending on the case. The Vendor will also attempt to find a 3rd party telephone listing related to the domain to complete the telephone verification.
Extended Validation certificates have a stricter verification process than OV certificates. You'll first want to review the process for OV certificate verification. EV certificates require some extra steps, which include verifying physical as well as operational existence; apart from that, a telephone call has to be made directly to the Certificate Authority (CA).
Here you get two different types of validation. You can apply for a certificate as an individual or as an organization. If you are applying under an organization name, check all the OV requirements mentioned in the question above. If you apply as an individual developer, the Certificate Authority (CA) will ask you to complete a simple form to verify your identity. The form has to be notarized by an advocate, CPA or public notary. Additionally, you have to provide a scanned government-issued ID, and additional documents may also be required depending on the CA.
One possible reason you didn't receive your Domain Validation email is that you did not properly verify the Domain Control Validation (DCV) email address. (Note: this email address is different from the contact information given during the registration process.) If you want to change your DCV email address, you can use the email address listed in the Whois registration for the domain, or one of the 5 pre-approved email addresses given below -
Apart from that, do not forget to check the Spam or Junk folder of the provided email address.
I would like to change my certificate's common name. The only way possible to change the common name is to cancel and reorder the certificate again. Please note that you can do this only within the first thirty (30) days of purchase.
It is mandatory to upload the file to the correct directory. To check whether the authorization will succeed, make sure the file is viewable at both locations, i.e., yourdomain.com/file and subdomain.yourdomain.com/file.
To reschedule the verification call, get in contact with us and inform us of your availability so we can contact the Vendor about scheduling the call. Note that all telephone numbers are accepted. The number you provide must be verified by the Certificate Authority (CA), so it is a good idea to confirm the number on which the CA's call will be received.
It's mandatory that you get in contact with us regarding your telephone number so we can ask where the Certificate Authority (CA) found the phone number and then ask for the proper method to update it to the correct number or to create a new listing. Your provider will be able to give you proper guidance on how to make a correct listing.
It depends on the type of certificate you have chosen to buy, and your response time also matters. Whatever type of certificate you choose, the Certificate Authority (CA) will contact you directly, and further steps will be taken according to your response. Domain Validated (DV) certificates can be issued anywhere from within a few minutes to one business day. Organization Validated (OV) certificates take around 1 – 3 business days, and Extended Validation (EV) certificates take anywhere between 1 – 5 business days to be issued.
If for some reason the Vendor isn't able to verify the information entered during the generation process, they'll get in contact with the Administrator contact to request the documents. You can attach the documents directly to that email, or if there are any issues or questions about the documents you can get in touch with us directly and we'll explain the alternatives to you.
On rare occasions you might find that your certificate is marked as "Failed Security Review". This status is set when the Certificate Authority's (CA) systems scan for keywords relating to bigger companies. Often the flag is a false positive and will be reviewed within twenty-four hours.
After the completion of the validation process, you will receive the certificate from the Certificate Authority through email. It's sent to the email address which you gave as the technical contact. If for some reason you did not receive it, you can log in to the client portal and download the certificate from the order detail page.
Of course you can, whether it's DV, EV or OV certificates, it doesn't matter.
If you don't recall your login details you can attempt a password reset request at the following link -> https://sectigostore.com/forgotpassword . If you don't remember the email address you signed up with, please get in contact with us and we'll work on getting your account sorted out.
Not to worry! You can generate a new certificate signing request (CSR), which will also generate a new private key, and perform a reissue of the certificate. To go through the reissue process, log in to your account, go to the order detail page for the certificate, and click the "Re-issue Certificate" button at the bottom.
The easiest way to move a certificate is to generate a new certificate signing request (CSR) on the new machine and to go through the reissue process.
CSR Generation
A Certificate Signing Request (CSR) is required to request an SSL Certificate. The CSR provides information to the Vendor about the requester, such as their location, organization, and the domain they want to protect.
To generate a Certificate Signing Request (CSR) you'll want to figure out what operating system you're using or if you have a control panel.
Once a CSR has been created, it's not possible to edit any of its fields. It's better to generate a new CSR with the correct information.
Make sure that you copied the correct file and not your self-signed certificate, your earlier SSL certificate, or a file bundled as PKCS7 or PKCS12. It's also possible that you have a pass-phrase with non-alphanumeric characters or characters which are invalid. In these scenarios you have to generate a new CSR in the proper way. Use only the English alphabet and the numbers 0 to 9. For example, if your Company Name contains "&", write "and".
If this is the case, then you might not have formatted the common name properly for the type of certificate you have (e.g. *.domain.com should be used for a wildcard SSL certificate), or you might have used invalid characters in some of the fields. The only option you have is to create a new CSR which uses only the English alphabet and the numbers 0 to 9.
Its name says it all. The Private Key should remain confidential and should not be shared with anyone unless your web host asks for it during the installation process, as it's used in the server-side exchange to make a secured connection. If you have lost your private key or it's been deleted, the only choice you are left with is to create a new CSR and private key for your server. The Private Key is not provided by your SSL provider or Certificate Authority (CA).
It's possible that one or more required fields are missing, or the CSR might have non-alphanumeric characters in the mandatory fields.
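The checks described in the answers above (wrong file pasted, private key exposure, invalid characters, badly formatted common name, missing fields) can be run before a CSR is submitted. This is an added example, not code from SSL Renewals or any CA; the allowed character set, the list of required fields and the sample bytes are assumptions made for the illustration.

```python
"""Added example: pre-submission checks for a CSR paste and its subject fields."""
import base64
import binascii
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
KINDS = {
    "CERTIFICATE REQUEST": "csr", "NEW CERTIFICATE REQUEST": "csr",
    "CERTIFICATE": "certificate", "PKCS7": "pkcs7",
    "PRIVATE KEY": "private key", "RSA PRIVATE KEY": "private key",
    "EC PRIVATE KEY": "private key", "ENCRYPTED PRIVATE KEY": "private key",
}
# Assumption: besides letters and digits, the order form accepts space,
# period, comma and hyphen in the organization and locality fields.
FIELD_OK = re.compile(r"[A-Za-z0-9 .,-]+")
HOST_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?")
REQUIRED = ("CN", "O", "L", "ST", "C")  # assumption: fields treated as mandatory
# Constructed stand-in bytes (SEQUENCE { INTEGER 0 }), not a real request.
SAMPLE_DER = bytes.fromhex("3003020100")


def pem(label, der):
    """Wrap bytes in PEM armour (used to build the constructed samples)."""
    body = base64.encodebytes(der).decode().strip()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def classify_paste(text):
    """Return (kind, problem); problem is None when the paste looks like a CSR."""
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        return "unknown", "no PEM block found (binary PKCS12 or truncated paste?)"
    kinds = [KINDS.get(label, "unknown") for label, _ in blocks]
    if "private key" in kinds:
        return "private key", "private key pasted; it must stay on the server"
    if len(blocks) > 1 or kinds[0] != "csr":
        return kinds[0], "expected exactly one CERTIFICATE REQUEST block"
    try:
        der = base64.b64decode("".join(blocks[0][1].split()), validate=True)
    except (binascii.Error, ValueError):
        return "csr", "base64 body is damaged"
    if der[:1] != b"\x30":  # every CSR is a DER SEQUENCE
        return "csr", "body is not a DER SEQUENCE"
    return "csr", None


def check_subject(fields, wildcard_product=False):
    """Return a list of problems in the subject fields chosen for a new CSR."""
    problems = []
    for key in REQUIRED:
        value = fields.get(key, "").strip()
        if not value:
            problems.append(f"{key}: required field is missing")
        elif key != "CN" and not FIELD_OK.fullmatch(value):
            bad = sorted(set(re.sub(r"[A-Za-z0-9 .,-]", "", value)))
            problems.append(f"{key}: invalid characters {bad}")
    cn = fields.get("CN", "").strip()
    if cn:
        if cn.startswith("*.") != wildcard_product:
            problems.append("CN: wildcard orders need *.domain, other orders must not use it")
        host = cn[2:] if cn.startswith("*.") else cn
        if not all(HOST_LABEL.fullmatch(part) for part in host.split(".")):
            problems.append("CN: not a valid host name")
    return problems


if __name__ == "__main__":
    print(classify_paste(pem("CERTIFICATE", SAMPLE_DER)))
    print(check_subject({"CN": "www.yourdomain.com", "O": "Smith & Sons",
                         "L": "London", "ST": "London", "C": "GB"}))
```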
Management of Certificate
By reissuing you can add additional domains to the certificate once it's active.
To solve this problem you'll have to generate a new CSR and reissue your certificate.
You'll want to check if you have any backups of the private key first, but if you're not able to find any you'll want to generate a new certificate signing request and perform a reissue of the certificate.
If the original private key is available to you on the active server, then you can install it to your new server or you can give it to your new web host. If you don't have the private key, then you'll have to generate a new certificate signing request and perform a reissue of the certificate.
Generally, all technical support matters relating to your SSL Certificate will be handled by us if the need arises. If you get in contact with the Certificate Authority, you'll be told to contact us to handle your issues. However, if you're contacting them about the validation of your certificate, they'll be able to assist with that process.
Installation process
When you generated your certificate you entered information for a Technical Contact. The Technical Contact will receive an email containing both the certificate and the certificate authority bundle which will both be needed to install the certificate.
To install the certificate on more than one server, you'll want to gather your private key, the intermediate bundle, and the certificate. Once you have them all together, install the certificate on the new server. If you want documentation on how to install, check our knowledge base.
Yes, it is mandatory to use a static IP address in order to use your SSL certificate. If you don't have one, the only options are to assign one through your web server or, if you have your own web server, to buy one from your web hosting provider, which usually costs around a few dollars a month.
You cannot predict what the exact issue could be, as there are several possible reasons. Here are four of the most common ones -
- Content is not secured, which means some HTML elements on the website are linked using HTTP rather than HTTPS. To fix this you have to update your website's code to switch the links.
- If your certificate was issued via an intermediate file, the intermediate chain may be missing or invalid. Make sure it is installed with your certificate on your server; if you don't have it, refer back to the email you received from the Vendor.
- If your certificate is currently issued as SHA-1, that could also be a problem. Major browsers are beginning to push away from SHA-1 as it's growing more and more insecure each and every day. To fix this you'll need to reissue your certificate in the client portal.
- The last problem could be that you're loading an incorrect certificate on the website. Sometimes an expired certificate or even a default certificate will be loaded, and when you install the certificate it doesn't update on the server. To address this problem, check your configuration, and if you're not able to resolve it get in contact with your hosting provider.
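The first cause in the list above, HTML elements still linked over HTTP, can be found by scanning the page source. This is an added example, not part of the original FAQ; the page URL and the HTML sample are constructed.

```python
"""Added example: find sub-resources an HTTPS page still loads over HTTP."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that make the browser fetch something.
FETCHING = {("script", "src"), ("iframe", "src"), ("link", "href"),
            ("object", "data"), ("embed", "src"), ("img", "src"),
            ("audio", "src"), ("video", "src"), ("source", "src")}
# "Active" content is refused outright on an HTTPS page; the rest
# (images, audio, video) is "passive" and costs the padlock instead.
ACTIVE = {"script", "iframe", "link", "object", "embed"}

PAGE_URL = "https://www.yourdomain.com/index.html"  # constructed
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://www.yourdomain.com/site.css">
<link rel="canonical" href="http://www.yourdomain.com/">
<script src="//cdn.yourdomain.com/app.js"></script>
</head><body>
<img src="http://www.yourdomain.com/logo.png">
<img src="/images/banner.png">
<a href="http://www.yourdomain.com/about">About</a>
</body></html>"""


class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (line, tag, absolute_url, severity)

    def handle_starttag(self, tag, attrs):
        if tag == "link":
            # Only rel="stylesheet" is treated as a fetch here; canonical
            # and similar links are metadata and load nothing.
            rel = (dict(attrs).get("rel") or "").lower().split()
            if "stylesheet" not in rel:
                return
        for name, value in attrs:
            if (tag, name) not in FETCHING or not value:
                continue
            # Resolve relative and protocol-relative ("//host/x") references
            # against the page URL before looking at the scheme.
            absolute = urljoin(self.page_url, value.strip())
            if urlsplit(absolute).scheme == "http":
                severity = "active" if tag in ACTIVE else "passive"
                self.findings.append((self.getpos()[0], tag, absolute, severity))


def find_mixed_content(page_url, html):
    """Return every HTTP sub-resource referenced by the given page source."""
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for line, tag, url, severity in find_mixed_content(PAGE_URL, SAMPLE_HTML):
        print(f"line {line}: <{tag}> loads {url} ({severity} mixed content)")
```

Plain `<a href>` navigation links are ignored on purpose: they do not load anything into the secured page.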
There are several reasons why you'd receive this kind of error message; the majority of them don't relate to the certificate at all, but rather to the server you're using. To diagnose this issue you'll want to run an SSL Labs (https://www.ssllabs.com/) test to see where the issue is coming from and how you need to address it.
This error means that the domain which the browser is attempting to visit is pulling a certificate for another domain name that isn't tied to the one being pulled up. Another reason is that your site could be using the default certificate that's either provided by the host or self-signed by the server. To correct this, make sure that the certificate is installed on the correct domain, the one the certificate was issued to.
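The name check behind this error, which is also what decides the wildcard and multi-domain coverage described earlier in this FAQ, as an added example (not code from the original page or from any browser). The name lists are constructed, and the wildcard certificate is assumed to list the bare domain as a separate name.

```python
"""Added example: which host names a certificate's name list covers."""

# Constructed name lists, modelled on the examples used on this page.
WILDCARD_CERT = ["*.yourdomain.com", "yourdomain.com"]
SAN_CERT = ["www.yourdomain.com", "www.yourdomain.net", "login.yourdomain.com"]


def labels(name):
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def name_matches(pattern, hostname):
    """Match one certificate name against a host name.

    A '*' is honoured only as the entire left-most label and stands for
    exactly one label, so it never spans a dot and never matches the bare
    parent domain.
    """
    p, h = labels(pattern), labels(hostname)
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Refuse over-broad patterns such as "*.com".
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def covering_name(cert_names, hostname):
    """Return the first certificate name that covers hostname, else None."""
    for name in cert_names:
        if name_matches(name, hostname):
            return name
    return None


def mismatch_report(cert_names, hostnames):
    """List the host names that would raise a name-mismatch error."""
    return [h for h in hostnames if covering_name(cert_names, h) is None]


if __name__ == "__main__":
    served = ["yourdomain.com", "www.yourdomain.com", "mail.yourdomain.com",
              "dev.mail.yourdomain.com", "yourdomain.net", "www.yourdomain.net"]
    for title, names in (("wildcard", WILDCARD_CERT), ("multi-domain", SAN_CERT)):
        print(title, "does not cover:", mismatch_report(names, served))
```

A wildcard covers one level of subdomain only, and a multi-domain certificate covers exactly the names listed, which is why the www and non-www versions each need their own SAN.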
You can always use our SSL checker tool to test that your SSL certificate is installed correctly. Here is the link - Click here to verify your SSL installation.
Renewals of SSL
A renewal is nothing but purchasing all over again. The word "renewal" is simply a term used by all providers in the industry. To renew your certificate you have to go through the same process again. Whenever you use the "renewal" option while buying an SSL certificate, be sure that the remaining time is carried forward from the certificate which is about to expire to your new renewal certificate.
We recommend generating a new CSR at the time of renewal for security reasons, however you're capable of using the original CSR if you decide.
It all depends upon the information provided at the time of renewal. The Certificate Authority (CA) can reuse some of the information which was confirmed earlier. If the order is for EV, it's mandatory to have valid documents of more than 13 months for the completion of business validation again. If you go for OV, the CA can make use of the earlier valid data for up to 27 months from the date of the original order. Most importantly, if any of the information regarding your organization changes, you have to provide those documents as well.
When you go through the renewal process, it's similar to how you purchased your certificate the first time; most often people forget that they have to generate the certificate again. If you've already generated the certificate, check that you've completed all the validation steps for it. After the certificate is issued, you'll need to install the new one over the old existing certificate. The reason for having to install it again is that the certificate is hard coded and can't be edited, so you'll have to upload the newest one with the additional time.
All about Code Signing
A code signing certificate is a type of digital signature certificate which verifies that code has not been changed and is not malicious, as it is signed by the author. You can think of it as a kind of "digital shrink-wrap" which assures that the code can be trusted and there's nothing wrong with it, which in turn increases clients' trust and their willingness to download and install it. All the major operating systems, such as Windows, Apple OS X, and Linux, support these certificates and also use them themselves to make sure that malicious code does not get distributed.
To generate a Code Signing certificate you'll want to use Firefox as your browser, and make sure that you do the process on a computer that you'll be able to access again. If you can't get access to the computer later when the certificate is issued, you won't be able to collect the certificate. When generating, you'll be given browser controls to get your certificate generated, and once it's generated your private key will be stored in Firefox's file system.
After all the validation is complete, the CA will issue the certificate and send a 'collection' link, also called a 'pick-up' link, to the provided email address. To download the certificate it's essential to use the same PC which was used to generate the order, with Firefox as the browser. Firefox will then pull out the previously stored private key and install the code signing certificate on its own. It's advisable to export the code signing certificate and private key from the browser into a PFX (.p12) file once the download is complete.
The reason you can't download your code signing certificate is probably that you're not using Firefox as your web browser to generate or export the certificate, or that you're not using the same computer which was used to generate the certificate. Make sure you're on the same computer and using Firefox for all steps of the Code Signing process.
Before going through the following steps, be sure that you are using the Firefox browser, as it tends to be the most compatible browser for both generation and export. Below are the steps to export your code signing certificate and private key in Firefox -
- Click the "Open" menu
- Go to "Options"
- Next, go to "Advanced" or "Encryption".
- Now, select "View Certificates" from the certificate tab.
- After that, click the name of your certificate which is under Your Certificates.
- After it's highlighted, select "back up all" and then enter your passphrase.
Your developers should know how to sign code using their development platform; if they're unfamiliar, they can refer to the official documentation provided by the platform.
Below are some of the platforms that can be signed for -
- Windows 8
- Any Microsoft format (32 and 64 bit), EXE, OCX, MSI, CAB, DLL, and kernel software
- Adobe AIR applications
- JAVA applets
- Mozilla Object files
- MS Office Macro or VBA (Visual Basic for Applications) files
- Apple Mac software for MacOS 9 and OSX
- Microsoft Silverlight applications or XAF files