Frequently Asked Questions
The most asked SSL certificate questions, answered.
SSL/TLS encryption is a business lifeline, but that doesn’t make it any less of a process that eats into your workday. That’s why our SSL experts put together a list of Q&A that’s in sequence with the SSL process. It’s easier to find your questions, faster to get a solution. Whether you’re just starting out or have been doing this for a while, you’ll find the answers you need right here.
Basics & General Questions
An SSL certificate is a file on your web server that encrypts online communications. When a browser connects to your secure site, the SSL certificate establishes an encrypted link, ensuring that data exchanged between your server and the browser is unreadable by outsiders.
SSL certificates build trust by verifying your website’s identity. They authenticate your web server for customers by providing identification information.
When you request an SSL certificate, the issuing Certificate Authority (such as RapidSSL) verifies your organization’s details and encodes them into the certificate. This authentication process assures customers they’re on a secure website when they see a green padlock and “HTTPS” (rather than HTTP with unsecure browser warnings) in the URL. SSL certificates can be used on web servers for Internet security and on mail servers such as IMAP, POP3 and SMTP for mail collection / sending security.
RapidSSL Certificates offer low-cost single-domain SSL options, ideal for small businesses that need affordable security for websites with low levels of e-commerce.
See a RapidSSL Certificate in action - click here for a Secured by RapidSSL test page.
The RapidSSL Wildcard certificate can be used to secure an unlimited number of sub-domains at a specific level under one SSL certificate. For example, if generated with Common Name: *.mydomain.com, it will also protect mail.mydomain.com, help.mydomain.com, secure.mydomain.com, etc. The RapidSSL Wildcard allows web sites to conduct secure e-commerce and is ideal for managing multiple sub-domains under one SSL file.
The Rapid Wildcard Certificate secures unlimited subdomains under one SSL. For example, if generated with Common Name: “*.mydomain.com,” it also protects “mail.mydomain.com” and “help.mydomain.com.” It’s ideal for e-commerce and managing multiple subdomains with a single SSL.
When connecting to a web server over SSL, the visitor’s browser checks whether to trust the website’s SSL certificate by verifying the issuing certificate authority against its list of trusted CAs, provided by the browser vendor like Microsoft or Firefox.
SSL certificates from CAs like DigiCert or RapidSSL are trusted because they use their own root CA certificates, which are already recognized by popular browsers. These are known as “single-root” SSL certificates, with RapidSSL as a subsidiary of its root CA.
Some CAs without a trusted root in browsers use a chained root for SSL certificates. A trusted root CA issues a chain certificate, which “inherits” browser recognition. These are called chained root SSL certificates and require extra installation steps, as the web server must also install the chained root. This isn’t needed for single-root certificates.
If your website has low traffic and brand recognition isn’t crucial to your customer confidence, RapidSSL is a great choice. While RapidSSL offers strong encryption, only you can decide if investing in a premium brand like DigiCert would significantly boost customer trust.
We define a low-volume site as one handling transactions under $50 USD and less than 50 transactions weekly. This is just a guideline, not a technical limit, as RapidSSL can handle more. However, for sites with over 50 transactions per week, we recommend a professional-level SSL certificate from a well-known, trusted brand, as customers may expect higher credibility.
A free SSL is a fully functional single-root trial certificate valid for 30 days and is the only trusted option for testing. It offers the same browser recognition as RapidSSL and Rapid Wildcard. While you can’t reissue an expiring free SSL, you can request a new one.
RapidSSL certificates are compatible with IE 11.0+, Firefox 129.0.1+, Safari, Chrome, and many newer Windows and Mac-based browsers.
We offer RapidSSL and RapidSSL Wildcard certificates with the goal of lowering the cost for companies needing to secure low-volume, low-value online transactions. These are the most affordable single-root SSL certificates available.
RapidSSL certificates are valid for one to six years.
Free SSL certificates are valid for 30 days.
Professional Level Certificates from DigiCert are available for up to six years.
When your SSL certificate expires, we will email you instructions about renewing your certificate.
The three RapidSSL certificates we offer are all Domain Validated (DV) certificates and are typically issued within minutes. The quicker you respond to demonstrate domain control, the faster your certificate can be issued.
There’s no limit on the number of RapidSSL or Rapid Wildcard certificates you can order. However, only one free certificate per domain is allowed, as it’s meant for temporary use.
Browser ubiquity refers to the percentage of internet users who inherently trust an SSL certificate. The lower the browser ubiquity, the fewer people will trust your certificate. For commercial sites, it’s important to have as many users as possible trust your SSL certificate. Generally, a browser ubiquity of over 95% is acceptable for such sites.
Ubiquity isn’t the only factor in choosing a certificate. High-transaction websites often boost customer confidence by using certificates from well-known, stable security vendors like DigiCert that are WebTrust compliant.
If you have a low-volume website that isn’t affected by the brand (or only a few customers might have issues), RapidSSL or RapidSSL Wildcard certificates are ideal.
Yes, your browser contains a Trusted CA root certificate store. You can view them by looking at the certificate tab within your web browser. For example, if you use Internet Explorer, go to Tools, select Internet Options, select the Content tab, click Certificates, then select the Trusted Root Certification Authorities tab. You will then see a dialog box presenting a list of all Certification Authorities who own their own Trusted CA roots (you can examine the root certificate by double-clicking it). Other web browsers offer similar views but may navigate differently than IE.
A RapidSSL Wildcard certificate will secure an unlimited number of subdomains at a specific level under one certificate.
All SSL certificates are issued to a Fully Qualified Domain Name (FQDN). This means that a single-domain SSL certificate issued to the FQDN secure.mysite.com cannot be used to secure other sub-domains such as mail.mysite.com nor can it be used to secure the root domain of mysite.com. However, a wildcard SSL certificate that is issued to the FQDN *.mysite.com (the asterisk indicates the wildcard feature) will protect all subdomains of mysite.com. Wildcard certificates can secure unlimited subdomains of one domain, saving you time and money by using just one certificate to secure all subdomains.
You can contact us via telephone, live chat, email, and help desk ticket support. Expert help is available and ready for RapidSSL customers 24 hours a day, 7 days a week, 365 days a year.
We value our customers, so we offer a $10,000 warranty on our RapidSSL and RapidSSL Wildcard certificates to protect against misuse. For higher coverage, professional level certificates from brands like DigiCert come with a warranty up to $2,000,000 on select products.
Order Process Questions
The private key should remain secure and stored server-side. SSL installation relies on your private key, and if lost, you must generate a new one, save it, and re-issue your SSL certificate.
Your SSL Provider offers 24/7/365 expert support for expediting orders and checking the status of pending certificates. Contact them via live chat, email, or phone.
Before ordering, consult your web hosting provider about your OS, panel, or server. Once you know your platform, our support team can guide you through the SSL process.
Yes. Depending on the Certificate Authority, you can change the domain authentication method between Email to File and File to Email. Contact support to see if this is possible for your certificate.
Validation Questions
DV certificates are the most basic SSL type, requiring applicants to prove domain control to the Certificate Authority. This can be done through email-based or file-based authentication.
In addition to verifying domain control, the vendor must validate the applicant’s business information, including legal name, registry number, locality, and phone number. This is usually done through public databases like government business registries or Dun & Bradstreet. If online validation fails, the applicant will be asked for additional documentation.
EV certificates require the highest level of SSL certificate validation. The vendor verifies domain control and extensive business details, often using Dun & Bradstreet or government databases. If online verification isn’t possible, a professional opinion letter signed by a lawyer or Certified Public Accountant (CPA) in the business’s locality can be submitted.
Code Signing Certificates have two validation types: individual and organization. Individual applicants must submit a notarized ID form with a valid government-issued photo ID, verified by a lawyer, accountant, or notary. For organizations, vendors usually validate through online business registries; otherwise, applicants must provide business registry documents.
If you choose email as your method to demonstrate control of your website domain, the vendor will send the DCV email to the address in your domain’s WHOIS record, or to one of these five authorized domain alias email addresses:
Note: Make sure to check the spam and junk mail folders, too; depending upon your email filter, the vendor DCV email may land in there.
The Common Name cannot be changed in an issued SSL certificate, so you will need to cancel the certificate and re-order another certificate with a new Common Name.
Double-check that the file is in the root directory and remove any redirects, as the vendor’s automated system checks this file. If issues persist, contact us via live chat or phone for assistance.
The best way is to hop on live chat or call us. We can help you reschedule the phone call.
The vendor must call a phone number verified through online sources other than your company website. Ensure your phone number is up to date on these listings, such as Yellow Pages.
Validation time depends on your certificate type: DV, OV, or EV. The certificate authority will contact you to start the process, so check your email frequently. When you respond promptly, the process goes faster. Typical times for validation are:
- Domain Validation (DV) SSL certificate – 10 minutes to 1 hour
- Organization Validation (OV) SSL certificate – 1 to 3 working days
- Extended Validation (EV) SSL certificate – 1 to 5 working days
Please email the documents directly to the Certificate Authority using the correct address they provide. Snail mail addresses will also be given.
Don't panic. Contact us via live chat, helpdesk ticket, or phone, and we’ll work with you and the vendor to resolve the issue. Most cases involve automated flagging that can be quickly fixed.
After validation, the Certificate Authority will email the certificate to the technical contact listed in your order. You can also download it from your storefront account by logging in, selecting the order ID, and clicking the “download certificate” button at the bottom of the details page.
Please contact us by live chat, open a helpdesk ticket, or phone and we will work with you.
If you lose your private key, you can re-issue the SSL certificate. You will need to generate a new Certificate Signing Request (CSR) on your server, which will also generate a new private key. Use that new CSR to re-issue your certificate within your storefront account. Install the new certificate on your server after reissuing.
Technically yes, you could, but it’s easier to generate a new Certificate Signing Request (CSR) on the new server and re-issue your certificate within your storefront account. Reissuing an existing, valid SSL is free.
CSR Generation Questions
To obtain an SSL certificate, generate a certificate signing request (CSR), which includes your public key and details about your company or personal website. It’s best to generate the CSR on the server where the certificate will be installed, as it will also create the private key in a separate file.
Generate the CSR by filling out a simple form with required details. Consult your systems administrator or your server software documentation for guidance.
In this situation you simply create a new CSR for your certificate with the correct information.
Decoding a CSR means checking the contents of the unencrypted CSR code block. Our free CSR decoder can be found at https://www.rapidsslonline.com/ssl-tools/csr-decoder.php. Decoding the CSR will show you the CSR contents in a plain-text format.
If you receive a CSR invalid error, the CSR information may not match the certificate generation details. Check if the Common Name (domain name) matches the domain name being entered. Make sure no special characters are used in the form fields. If errors persist, generate a new CSR with the correct information.
Note: For a wildcard certificate, the Common Name (domain name) must begin with an asterisk, e.g. *.mysite.com
The Public and Private key pair consists of two related cryptographic keys. The public key is available to everyone, while the private key must remain confidential and is stored on the server with the SSL certificate. Data encrypted with the public key can only be decrypted by its corresponding private key, and vice versa.
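The CSR answers above (generate the CSR and key on the server, decode the CSR, check the Common Name) worked through with the OpenSSL command line. This is an added example, not part of the original FAQ or a RapidSSL tool; the file names, the `Example Org` subject and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page). Names, paths and subject
# values are constructed; requires the OpenSSL command-line tool.

# Create a new 2048-bit RSA private key and a CSR for Common Name $2 in
# directory $1. Run this on the server that will hold the certificate.
make_csr() {
    ( umask 077    # key file readable by its owner only
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$1/server.key" -out "$1/server.csr" \
          -subj "/C=US/O=Example Org/CN=$2" 2>/dev/null )
}

# "Decode" a CSR: print the Common Name from its plain-text subject.
csr_common_name() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Succeed only if the CSR's public key belongs to the given private key.
csr_matches_key() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

# Pre-submission check: the CN equals the name being ordered ($3) and the
# CSR ($1) pairs with the private key ($2) that stays on the server.
check_csr() {
    cn=$(csr_common_name "$1")
    if [ "$cn" != "$3" ]; then
        echo "CN mismatch: CSR has '$cn', order is for '$3'"
        return 1
    fi
    if ! csr_matches_key "$1" "$2"; then
        echo "CSR and private key do not match"
        return 1
    fi
    echo "CSR OK for $cn"
}

# Demo on throwaway files: a wildcard CSR, its decoded header, two checks.
demo_dir=$(mktemp -d)
make_csr "$demo_dir" '*.mysite.com'
openssl req -in "$demo_dir/server.csr" -noout -text | sed -n '1,6p'
check_csr "$demo_dir/server.csr" "$demo_dir/server.key" '*.mysite.com'
check_csr "$demo_dir/server.csr" "$demo_dir/server.key" 'mysite.com' || true
rm -rf "$demo_dir"
```

The key-match check is also the quickest way to confirm, before a re-issue or renewal, that the private key still on the server is the one the CSR was built from.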
Certificate Management Questions
To add additional domains, you must reissue your active certificate and enter in the desired domain(s). Also, during this process, you can purchase additional SAN support, edit existing domains, or delete any domain (besides your Common Name) from the list.
If the common name is incorrect, please Cancel & Reorder the certificate and paste in a new CSR with the correct spelling.
You must re-issue your active certificate with a new CSR and save the corresponding private key on your server.
Yes, all Certificate Authorities offer technical support, but it’s best to contact your SSL provider directly. They have better communication with the CA and can better assist you with generation, validation, or installation issues.
Installation Help
Definitely. We know SSL inside and out. Here are your two options:
- You can contact our support team, and we can answer any questions you may have regarding installation.
- You can purchase our SSL Installation Service for ONLY $89.99 and we will perform the install for you. Learn more about our SSL Installation Service offering or simply purchase it here.
After validation is completed, the Certificate Authority (CA) will send the Technical Contact an email containing the SSL & Intermediate Certificates. Or you can download a copy of these files directly in your user account.
Yes. If you have unlimited or additional server licenses, you can install your single certificate on multiple web servers. If you're not sure if you have additional server licenses, please contact Technical Support.
There are two methods that you can use to install a single certificate on multiple servers:
- You can import your SSL Certificate, Private Key, and Intermediate files into server #2, #3, etc.
- You can create a new CSR and Private Key on server #2, #3, etc., and re-issue your active certificate within your user account. The new SSL will match up with the newly generated Private Key and installation should be a breeze.
The issue might be an incorrect or outdated intermediate certificate. If the wrong certificate chain is used, visitors won’t connect to the trusted root. Installing the correct intermediate certificates will fix the problem and prevent errors.
Note: If the correct intermediates are installed, but the security indicators (i.e. Green Address Bar, Padlock, HTTPS, etc.) are not appearing, please review the site's configuration and make sure all content/images are being loaded over HTTPS; not HTTP.
The following sources contain information regarding Intermediate Certificate Installation.
- https://www.digicert.com/kb/digicert-root-certificates.htm
- https://knowledge.digicert.com/general-information/digicert-g5-root-and-intermediate-ca-certificate-update
- https://docs.digicert.com/en/digicert-one/ca-manager/download-and-export-intermediate-ca-certificates/download-an-intermediate-ca-certificate.html
Yes. If you want to use SSL on your domain, you must have your own dedicated or static IP address for SSL on your domain. If you don’t have one, contact your web hosting provider to get or pay for an IP.
It's hard to pin-point the exact reasoning behind this error. To help locate a solution, click the "Detail" button in the browser and review the provided information.
This error message occurs due to a common name mismatch between the certificate and URL (i.e. WWW is missing), or if the installed certificate doesn’t cover the specific sub-domain/domain, like searching for secure.example-site.com while the certificate only covers www.example-site.com.
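The name-coverage rules behind this mismatch error, and behind the wildcard answers earlier in the FAQ, checked with OpenSSL's own hostname matching. This is an added example, not part of the original FAQ; the certificates are throwaway self-signed stand-ins for CA-issued ones, and the function and file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page); requires the OpenSSL CLI.
# The certificates are throwaway self-signed stand-ins for CA-issued ones.

# Write a self-signed certificate for Common Name $2 to $1 (key to $1.key).
# Assumption: no subjectAltName is set, so OpenSSL's host check falls back
# to the Common Name, which is the field the FAQ text talks about.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1.key" -out "$1" -subj "/CN=$2" 2>/dev/null
}

# Succeed if certificate file $1 is valid for hostname $2.
cert_covers() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>&1 |
        grep -q 'does match certificate'
}

# Print one coverage line per hostname for certificate file $1.
report() {
    cert=$1; shift
    for host in "$@"; do
        if cert_covers "$cert" "$host"; then
            echo "covered      $host"
        else
            echo "NOT covered  $host"
        fi
    done
}

# Demo with the names used in the FAQ answers.
work=$(mktemp -d)
make_test_cert "$work/wild.pem" '*.mysite.com'
make_test_cert "$work/www.pem" 'www.example-site.com'

echo 'Certificate for *.mysite.com:'
# One level of subdomain is covered; the bare domain and deeper levels are not.
report "$work/wild.pem" mail.mysite.com help.mysite.com \
    mysite.com a.mail.mysite.com

echo 'Certificate for www.example-site.com:'
# A single-name certificate covers exactly that name.
report "$work/www.pem" www.example-site.com \
    secure.example-site.com example-site.com
rm -rf "$work"
```

Running `cert_covers` against the installed certificate for every hostname the site is served on shows which names would trigger the mismatch warning before visitors see it.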
Your web server may have an invalid or missing intermediate certificate, which is why a secure connection could not be established with the CA’s trusted root. To fix this, obtain the correct intermediate file(s) from your CA or SSL Provider and install them on your server(s).
Here are a few Intermediate Installation guides:
Luckily, there are plenty of third-party SSL tools that allow you to check your SSL Certificate installation. We recommend using: https://www.sslshopper.com/ssl-checker.html
Renewal Process & Procedure
To renew your SSL, purchase a new certificate, generate an order, complete validation, and install the updated SSL on your server. This process is like the original application. You may even come across some incentives and discounts for renewing. To give yourself enough time, we recommend renewing it 30 days from the original expiration date.
We recommend generating a new CSR and private key during renewal to avoid mismatches or errors. If the original CSR and private key are missing, you may encounter errors and need to reissue the certificate.
Renewal orders vary by case. For OV certificates renewed within 39 months (about 3 and a half years), the CA can use most of the previously validated information and proceed with a final verification call. For EV certificates, if renewal isn’t completed within 13 months, the CA requires full reauthentication.
After purchasing a renewal certificate, you must complete the generation, validation, and installation steps. Treat the renewal as a new order; without completing these steps, your site will use the old certificate and display a warning when it expires.
Code Signing Certificate Questions
A code signing certificate verifies that your app or code hasn’t been altered since it was signed, giving users confidence and trust when running it on their computers.
Yes. The CSR needs to be generated on a personal computer using Firefox as your default web browser. During this process, the private key will also be created and stored within the Firefox browser which will be important during the downloading process.
After validation, the Certificate Authority (CA) will email you a link to verify the email address you used for the order. Using the same Firefox browser and computer used for the order, follow the link to download the certificate. Firefox will install the certificate and private key automatically. After downloading, back up the certificate and export it as a PFX (.p12) file.
Make sure you are using the same Firefox browser on the same personal computer that was used to generate the code signing order.
Using the Firefox browser, follow these steps:
- Click the "Open" menu
- Select "Options"
- Click on "Advanced" or "Encryption"
- Under the certificate tab, select "View Certificates"
- Under Your Certificates, click your code signing certificate name
- Once highlighted, select "back up all" and enter in your passphrase
Platforms are used by developers to sign their applications using specific tools. Since each platform is different, refer to the official instructions for your platform. Common platforms include Microsoft, JAVA, Adobe, etc.
- Windows
- Any Microsoft format (32 and 64 bit), EXE, OCX, MSI, CAB, DLL, and kernel software
- Adobe AIR applications
- JAVA applets
- Mozilla Object files
- MS Office Macro or VBA (Visual Basic for Applications) files
- Apple Mac software
- Microsoft Silverlight applications or XAF files
Why Choose Us?
As an SSL Pioneer, there have been 400,000+ site owners that love our convenient selection of the world’s most popular solutions, streamlined support, awesome experts and unlimited resources & tools to get the job done right at an EXTREMELY AFFORDABLE RATE!
Our certs are supported on 99.9% of web browsers, iPhones & mobile devices