Frequently Asked Questions
All kinds of SSL certificate FAQs with easy to understand answers
As the need & awareness for all types of online security concerns continues to rise, SSL/TLS encryption remains at the forefront. SSL is now a crucial part of any successful online business, but can sometimes get a bit overwhelming. Luckily our group of SSL experts put together a useful list of Q&A to help you understand the ins and outs of the SSL game.
Basics & General Questions
An SSL certificate is a special file on your web server that enables encrypted security for online communications. When a web browser contacts your secured web site, the SSL certificate enables an encrypted connection so that all of the data sent between your web server and the user's browser are encrypted and unreadable to an outsider, should anyone attempt to intercept the communication.
SSL certificates also inspire trust because each SSL certificate contains identification information that authenticates your web server for your customers. When you request an SSL certificate, the issuing Certificate Authority (such as RapidSSL) verifies your organization's certificate information and encodes that information within the SSL certificate. This is known as the authentication process.
Customers know they are on a secure web site when the URL window in their browser displays the little green padlock and the web address begins with https rather than http. SSL certificates can be used on web servers for Internet security and on mail servers such as IMAP, POP3 and SMTP for mail collection / sending security.
The RapidSSL Certificates enable businesses to obtain low cost, single-domain SSL certificates. They are ideal for small business web sites conducting low levels of e-commerce.
The RapidSSL Wildcard certificate can be used to secure an unlimited number of sub-domains at a specific level under one SSL certificate. For example, if generated with Common Name: *.mydomain.com, it will also protect mail.mydomain.com, help.mydomain.com, secure.mydomain.com, etc. The RapidSSL Wildcard allows web sites to conduct secure e-commerce and is ideal for managing multiple sub-domains under one SSL file.
When connecting to a web server over SSL, the visitor's browser decides whether or not to trust the web site's SSL certificate based on which Certification Authority (CA) has issued the actual SSL certificate. To determine this, the browser looks at its list of trusted issuing authorities represented by a collection of Trusted Root CA certificates added into the browser by the browser vendor (such as Microsoft or Firefox).
Most SSL certificates are issued by CAs who own and use their own Trusted Root CA certificates, such as those issued by GeoTrust or RapidSSL. As GeoTrust and RapidSSL are known to browser vendors as trusted issuing authorities, their Trusted Root CA certificates have already been added to all popular browsers and hence are already trusted. These SSL certificates are known as "single-root" SSL certificates. RapidSSL.com, a subsidiary of GeoTrust, owns the Equifax root used to issue its certificates.
Some CAs do not have a Trusted Root CA certificate present in browsers, or do not use the root they own but instead use a "chained root" in order for their SSL certificates to be trusted. Essentially a CA with a Trusted Root CA certificate issues a "chained" certificate which "inherits" the browser recognition of the Trusted Root CA. These SSL certificates are known as "chained-root" SSL certificates.
Chained-root certificates require additional effort to install as the web server must also have the chained root installed. This is not necessary for single-root certificates.
If you have a low-volume web site and you decide that your customer's confidence is not affected at all by the brand behind the SSL certificate, or web traffic is low, then RapidSSL is the perfect answer.
It's all about customer confidence. While RapidSSL certificates offer the latest encryption, only you can really determine whether your customer's confidence will improve significantly if you purchase an established brand like GeoTrust.
As a guide, we define a low-volume, low-transaction site as one that handles a typical customer transaction value of $50 USD and less than 50 transactions per week. Note: The 50 transactions per week is simply a commercial guide and not a technical restriction. Technically the RapidSSL certificate is not restricted from conducting more than 50 transactions. It is still an industry standard 128 / 256 bit SSL certificate. However, it is our opinion that sites conducting more than 50 transactions will require a Professional-Level SSL certificate due to the increased likelihood that customers will expect SSL from a highly credible and established SSL provider with a well known internationally accepted SSL brand.
Free SSL is a FULLY FUNCTIONAL single-root test certificate valid for 30 days. It is the only fully trusted single-root trial certificate available. If you need to test your server, or require an SSL certificate for a short time, then Free SSL is an ideal solution.
Free SSL certificates have the same browser recognition rates as both our RapidSSL and RapidSSL Wildcard, and upgrading to either one of these certificates is easy. You cannot reissue Free SSL certificates, however you can request a new one to replace an expiring one.
RapidSSL certificates are compatible with IE 5.01+, Netscape 4.7+, Mozilla 1+, AOL 5+, Firefox, Safari, Chrome and many newer Windows and Mac-based browsers. They are single-root install certificates, meaning that they are compatible with SSLv2 and SSLv3. However, these are very old, outdated, insecure versions of SSL.
By providing RapidSSL and RapidSSL Wildcard certificates, we are lowering the barrier of entry for companies that need to secure their low-volume and low-value online transactions and data with the lowest cost single-root install certificates available.
RapidSSL certificates are valid for one to three years.
Free SSL certificates are valid for 30 days.
Professional Level Certificates from GeoTrust are available for up to three years.
When your SSL certificate expires, we will email you instructions about renewing your certificate.
The three RapidSSL certificates we offer are all Domain Validated (DV) certificates that are typically issued in a matter of minutes. After placing your order, the faster you respond to the RapidSSL's requirement to demonstrate control of your website domain, the faster your certificate can be issued.
We do not limit the number of RapidSSL or RapidSSL Wildcard certificates that can be ordered. Go ahead and get as many as you need!
We do limit one Free SSL certificate per domain, since Free SSL is intended only as an interim solution to your SSL requirements.
Browser ubiquity is the term used in the industry to describe the estimated percentage of Internet users that will inherently trust an SSL certificate. The lower the browser ubiquity, the fewer people will trust your certificate. Clearly, if you are operating a commercial site you require as many people as possible to trust your SSL certificate. As a general rule, any SSL certificate with over 95% browser ubiquity is acceptable for a commercial site.
However, ubiquity is not the only consideration in deciding whether one SSL certificate is better than another. Companies running high-transaction-volume web sites need to maximize customer confidence. They do this by purchasing certificates from well-known, stable security vendors and primarily use the major players such as GeoTrust and Symantec™ that are all WebTrust compliant.
If you have a low-volume web site and you decide that your customer's confidence is not affected at all by the brand behind the SSL certificate, or the volume of customers that would have an issue is very low, then RapidSSL or RapidSSL Wildcard certificates are ideal.
Yes, your browser contains a Trusted CA root certificate store. You can view them by looking at the certificate tab within your web browser. For example, if you use Internet Explorer, go to Tools, select Internet Options, select the Content tab, click Certificates, then select the Trusted Root Certification Authorities tab. You will then see a dialog box presenting a list of all Certification Authorities who own their own Trusted CA roots (you can examine the root certificate by double-clicking it). Other web browsers offer similar views but may navigate differently than IE.
A RapidSSL Wildcard certificate will secure an unlimited number of subdomains at a specific level under one certificate.
All SSL certificates are issued to what is called a Fully Qualified Domain Name (FQDN). This means that a single-domain SSL certificate issued to the FQDN secure.mysite.com cannot be used to secure other sub-domains such as mail.mysite.com nor can it be used to secure the root domain of mysite.com. But a wildcard SSL certificate that is issued to the FQDN *.mysite.com (the asterisk indicates the wildcard feature) will protect all subdomains of mysite.com. Wildcard certificates allow you to secure unlimited subdomains of one domain, saving you time and money by using just one certificate to secure all subdomains.
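Added example (not part of the original FAQ): the coverage rule above, checked with OpenSSL's own hostname matcher. The function names, the throwaway self-signed certificates and the `mysite.com` hostnames are constructed for illustration.

```shell
#!/bin/sh
# Added example: test which hostnames a certificate name covers, using
# `openssl x509 -checkhost`. The certificates are constructed test data.
# They carry the name only in the Common Name, as in the FAQ's wording;
# OpenSSL falls back to the CN when no subjectAltName is present.

# make_test_cert <common-name> <out-cert.pem>
# Creates a throwaway self-signed certificate whose Common Name is $1.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$2.key" -out "$2" 2>/dev/null
}

# cert_covers <cert.pem> <hostname>
# Returns 0 if the certificate is valid for the hostname, 1 otherwise.
cert_covers() {
    openssl x509 -in "$1" -noout -checkhost "$2" |
        grep -q 'does match certificate'
}

# coverage_report
# Prints one line per (certificate, hostname) pair for a wildcard
# certificate (*.mysite.com) and a single-domain one (secure.mysite.com).
coverage_report() {
    dir=$(mktemp -d) || return 1
    make_test_cert '*.mysite.com'      "$dir/wildcard.pem" || return 1
    make_test_cert 'secure.mysite.com' "$dir/single.pem"   || return 1
    for host in mail.mysite.com secure.mysite.com mysite.com a.b.mysite.com
    do
        for cert in wildcard single; do
            if cert_covers "$dir/$cert.pem" "$host"; then
                result=covered
            else
                result=NOT-covered
            fi
            echo "$cert $host $result"
        done
    done
    rm -rf "$dir"
}

coverage_report
```

The wildcard matches exactly one label, so neither the root domain nor a deeper name such as a.b.mysite.com is covered.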
We offer telephone, live chat, email, and help desk ticket support to our RapidSSL customers 24 hours a day, 7 days a week, 365 days a year.
We value our customers, so we provide a $10,000 warranty on our RapidSSL and RapidSSL Wildcard certificates. A warranty is the protection against any type of misuse of the SSL certificate on the Internet.
Order Process Questions
As the name indicates, the Private Key is meant to remain private and stored server-side. This file is essential during installation and if lost or deleted, you cannot install the corresponding SSL certificate. If this happens, please make a new Private Key, save it on your server or PC, and re-issue your active SSL Certificate.
As an added-value service, your SSL Provider has experts 24/7/365 that can assist with expediting any order or assistance with checking validation statuses on pending certificates. You can contact the appropriate department via Live Chat, Email, or Phone.
Before you process an order, please consult with your Web Hosting Provider on what OS/Panel/Server you currently use. Once you have a better understanding of what platform you are using, our Support Department can provide you with detailed instructions on how to navigate the SSL process.
Yes. Depending on the Certificate Authority, you can change the domain authentication method from Email to File and File to Email. To do this, please contact Support and ask if this is possible for your certificate.
DV certificates are the most basic level of SSL certificate. For a DV certificate to be issued, the certificate applicant must demonstrate to the certificate authority (CA) that they have authorization or control of the domain name contained in the SSL certificate. The certificate applicant can choose to demonstrate domain control using either an email-based or a file-based authentication method.
In addition to determining that the applicant can demonstrate control of the website domain contained in the SSL certificate order, the vendor is required to independently validate certain pieces of information about the applicant's business entity contained in the certificate order, including legal business name and registry number, business locality and phone number. This validation process is most often completed by the vendor using publicly-available third-party websites such as government business registration databases, the Dun & Bradstreet registry, and/or acceptable online telephone directories. If the vendor is unable to validate the information using these online resources, the applicant will be contacted and asked to provide acceptable documentation to the vendor.
EV certificates involve the highest level of SSL certificate validation. To issue EV certificates, the vendor is required to determine domain control, and to independently validate extensive information about the applicant's business entity and the employment status of the certificate applicant. Dun & Bradstreet records and online government databases are typically used. If the applicant's business does not have verifiable online business information, a Professional Opinion Letter (POL) can be submitted to the vendor, which needs to contain all the specified information and be signed by a lawyer or certified public accountant located in the business entity's locality. Among the features of EV certificates is the Green Address Bar within the web browser's URL window, containing the name of the company for easy customer reference and assurance.
Code Signing Certificates have two types of validation: individual and organization. Individual code signing certificates require the certificate applicant to submit a notarized ID form with acceptable forms of governmentally-issued photo identification which must be attested by a lawyer, professional accountant, or public notary. The vendor is often able to validate organization code signing certificate applicants using online business registry databases; otherwise the applicant must submit business registry documentation.
If you chose email as your method to demonstrate control of your website domain, the vendor will send the DCV email to either the registrant email address contained in your domain's WHOIS record, or one of these five authorized domain alias email addresses:
Note: Make sure to check the spam and junk mail folders, too; depending upon your email filter, the vendor DCV email may land in there.
The Common Name cannot be changed in an issued SSL certificate, so you will need to cancel the certificate and re-order another certificate with a new Common Name.
Make sure the file has been copied to the root directory. Remove any re-directs on your root directory address, as the vendor uses an automated ping system to view your authentication file. If you continue to have a problem, contact us using online chat or telephone and we will resolve the issue with you.
The best way is to hop on live chat or call us. We will be able to assist you in rescheduling the phone call.
The vendor is required to call a phone number that they are able to validate using acceptable online sources other than your company website. You will need to update your phone number in the online listing used by the vendor. For example, if your number in yellowpages.com is outdated, you will need to contact yellow pages and have the number updated.
Validation turnaround time depends first upon the type of certificate you purchased – DV, OV, or EV. The Certificate Authority will contact you when they view your order to initiate the validation process, so check your email frequently! If you respond quickly to the emails and promptly follow the instructions provided or supply the documents being requested, the process will go quickly. The typical times for validation are:
- Domain Validation (DV) SSL certificate – 10 minutes to 1 hour
- Organization Validation (OV) SSL certificate – 1 to 3 working days
- Extended Validation (EV) SSL certificate – 1 to 5 working days
Please email the documents directly to the Certificate Authority. They will provide the correct email address to you. Snail mail addresses are also provided.
Don't panic! Please contact us via live chat, open a helpdesk ticket, or call us and we will work to resolve the issue with you and the vendor. In most cases, the order was flagged by an automated system for review, and the security issue can be quickly resolved.
Once the validation process has finished, the Certificate Authority (CA) will email the certificate to the technical contact email address as listed in your order. You can always download the certificate in your storefront account by logging in, clicking on the certificate order ID, and clicking the "Download Certificate" button towards the bottom of the order details page.
Don't panic! Please contact us by live chat, open a helpdesk ticket, or phone and we will work with you.
Don't panic! If you lose your private key, you can re-issue the SSL certificate. You will need to generate a new Certificate Signing Request (CSR) on your server, which will also generate a new private key. Use that new CSR to re-issue your certificate within your storefront account. When the SSL certificate has been re-issued, install it on your server. There is no cost or fee to re-issue an existing, valid SSL certificate.
Technically yes, you could, but we have learned that the easiest solution is to generate a new Certificate Signing Request (CSR) on the new server and re-issue your certificate within your storefront account. There is no cost or fee to re-issue an existing, valid SSL certificate.
CSR Generation Questions
If you would like to obtain an SSL certificate from a certificate authority (CA), you must generate a certificate signing request (CSR). A CSR is an encrypted file that consists of the public key of a key pair, and some additional information. Whenever you generate a CSR, you will be prompted to provide information regarding your company name (or your personal name for a personal web site) and details about the certificate you wish to generate. We strongly recommend that you generate your CSR on the server where the SSL certificate will be installed, because at the same time your CSR is generated, the private key for your SSL certificate is also generated in a separate file.
The CSR is generated using a simple form-filling process that asks for the required details. Consult your systems administrator or your server software documentation.
In this situation you simply create a new CSR for your certificate with the correct information.
Decoding a CSR means checking the contents of the unencrypted CSR code block. Our free CSR decoder can be found at https://www.rapidsslonline.com/ssl-tools/csr-decoder.php Decoding the CSR will show you the CSR contents in a plain-text format.
If you are receiving the "CSR invalid" error, some piece of information within the CSR is not agreeing with the information being provided in the certificate generation process. Sometimes the Common Name (domain name) does not match the domain name being entered in the certificate generating form. Another issue could be the use of disallowed special characters in one of the form fields within the CSR. If the error is within the CSR, then a new CSR containing the corrected information needs to be generated.
Note: for a wildcard certificate, the Common Name (domain name) must begin with an asterisk, e.g. *.mysite.com
The Public and Private key pair is two uniquely related cryptographic keys (basically long random numbers) that make SSL work. The Public Key is what its name suggests - public. It is made available to everyone via a publicly accessible repository or directory. On the other hand, the Private Key must remain confidential to its respective owner and is stored on the server where the SSL certificate is installed. Because the key pair is mathematically related, whatever is encrypted with a Public Key may only be decrypted by its corresponding Private Key, and vice versa.
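Added example (not from the original FAQ): the CSR steps described in this section, typed as OpenSSL commands. It generates a private key and CSR together, decodes the CSR's Common Name, and confirms which private key a CSR or issued certificate belongs to; the file names, subject values and function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: generate a key pair and CSR, decode the CSR, and check that
# a CSR or certificate carries the public half of a given private key.
# Subject values and file names are constructed placeholders.

# new_key_and_csr <dir> <common-name>
# Writes <dir>/server.key (readable by the owner only) and <dir>/server.csr.
new_key_and_csr() {
    ( umask 077 && openssl genrsa -out "$1/server.key" 2048 2>/dev/null ) ||
        return 1
    openssl req -new -key "$1/server.key" -out "$1/server.csr" \
        -subj "/C=US/O=Example Co/CN=$2"
}

# csr_common_name <csr>
# Decodes the CSR and prints the Common Name it requests.
csr_common_name() {
    openssl req -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# pubkey_fingerprint <key|csr|cert> <file>
# Prints a SHA-256 digest of the public key contained in the file.
pubkey_fingerprint() {
    case "$1" in
        key)  pub=$(openssl pkey -in "$2" -pubout) ;;
        csr)  pub=$(openssl req  -in "$2" -noout -pubkey) ;;
        cert) pub=$(openssl x509 -in "$2" -noout -pubkey) ;;
        *)    echo "unknown kind: $1" >&2; return 2 ;;
    esac || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# key_matches <private-key> <csr|cert> <file>
# Returns 0 only if the file was produced from this private key.
key_matches() {
    a=$(pubkey_fingerprint key "$1") &&
    b=$(pubkey_fingerprint "$2" "$3") &&
    [ -n "$a" ] && [ "$a" = "$b" ]
}

demo_csr() {
    dir=$(mktemp -d) || return 1
    new_key_and_csr "$dir" 'www.mysite.com' || return 1
    echo "CSR common name: $(csr_common_name "$dir/server.csr")"
    key_matches "$dir/server.key" csr "$dir/server.csr" &&
        echo "server.csr belongs to server.key"
    # A key created later (for example after the original was lost) cannot
    # be paired with the old CSR or certificate; a re-issue is needed.
    openssl genrsa -out "$dir/other.key" 2048 2>/dev/null
    key_matches "$dir/other.key" csr "$dir/server.csr" ||
        echo "server.csr does NOT belong to other.key"
    rm -rf "$dir"
}

demo_csr
```

The same `key_matches` check with `cert` instead of `csr` tells you before installation whether an issued certificate pairs with the key on the server.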
Certificate Management Questions
To add additional domains, you must reissue your active certificate and enter in the desired domain(s). Also, during this process, you can purchase additional SAN support, edit existing domains, or delete any domain (besides your Common Name) from the list.
If the common name is incorrect, please Cancel & Reorder the certificate and paste in a new CSR with the correct spelling.
In such a case, you must re-issue your active certificate with a new CSR and save the corresponding private key on your server.
Yes, all Certificate Authorities offer technical support with any SSL Certificate placed with their brand. However, it's recommended that you contact the SSL Provider you purchased through. Your SSL Provider will have better lines of communication with the CA and can better assist you with any generation, validation, or installation inquiries.
Of course we can, we are the SSL experts. You have 2 options:
- You can contact our support team and we can answer any questions you may have regarding installation.
- You can purchase our SSL Installation Service for ONLY $29.99 and we will actually perform the install for you. Learn more about our SSL Installation Service offering or simply purchase it here.
After validation is completed, the Certificate Authority (CA) will send the Technical Contact an email containing the SSL & Intermediate Certificates. Or, you can download a copy of these files directly in your user account.
Yes. If you have unlimited or additional server licenses, you can install your single certificate on multiple web servers. If you're not sure if you have additional server licenses, please contact Technical Support.
There are two methods that you can use to install a single certificate on multiple servers:
- You can import your SSL Certificate, Private Key, and Intermediate files into server #2, #3, etc…
- You can create a new CSR and Private Key on server #2, #3 etc… and re-issue your active certificate within your user account. The new SSL will match up with the newly generated Private Key and installation should be a breeze.
The following issue could be related to an incorrect or outdated intermediate certificate. If the wrong certificate chain is established, visitors will not be able to connect to the Certificate Authority's Trusted Root. Once the correct intermediate certificates are installed, the correct trusted chain is established and visitors will not receive a certificate error.
Note: If the correct intermediates are installed, but the security indicators (i.e. Green Address Bar, Padlock, HTTPS, etc.) are not appearing, please review the site's configuration and make sure all content and images are being loaded over HTTPS, not HTTP.
The following sources contain information regarding Intermediate Certificate Installation.
Yes. If you want to use SSL on your domain, you must have your own dedicated or static IP address. If you do not have a dedicated or static IP, please contact your web hosting provider and they'll either assign you an IP or you can pay for an IP on a monthly basis.
There are several reasons why this may occur. The list below contains the most common problems or mistakes that happen with SSL installation:
- The site may have insecure content or images being loaded over HTTP and not HTTPS. To modify this, have your system administrator or web developer edit your site's code.
- Your web server may have an invalid or missing intermediate certificate, which is why a secure connection could not be established with the CA's Trusted Root. To fix this, obtain the correct intermediate file(s) from your CA or SSL Provider and install them on your server(s).
- If your certificate is using SHA1 as the hashing algorithm and the validity period surpasses January 1, 2016, your web browser will not display any trusted security indicators. To fix this, you must re-issue your active certificate, select SHA2 as your hashing algorithm, and upload the new SSL certificate onto your web server.
- The original certificate expired or you're using a self-signed certificate on your web server. To resolve these issues, renew your SSL or implement SSL for the first time and disable the self-signed certificate.
It's hard to pin-point the exact reasoning behind this error. To help locate a solution, click the "Detail" button in the browser and review the provided information.
This error message may appear because there is a possible common name mismatch in the certificate and the URL (i.e. WWW is missing). Also, the installed certificate may not cover the specific sub-domain/domain name you're searching in your browser. For example, you could be searching secure.example-site.com and the site points to a certificate on the server that ONLY covers www.example-site.com.
Your web server may have an invalid or missing intermediate certificate, which is why a secure connection could not be established with the CA's Trusted Root. To fix this, obtain the correct intermediate file(s) from your CA or SSL Provider and install them on your server(s).
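Added example (not part of the original FAQ): the missing-intermediate problem described above and in the earlier answers, reproduced locally with a constructed root, intermediate and server certificate. All names, files and function names are throwaway test data chosen for illustration.

```shell
#!/bin/sh
# Added example (constructed test data): a root -> intermediate -> server
# chain built locally to reproduce the "missing intermediate" error and to
# show that verification succeeds once the intermediate is supplied.

# issue <dir> <name> <CN> <issuer-name|self> <extfile>
# Creates <name>.key and <name>.pem, signed by <issuer-name> or self-signed.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null || return 1
    if [ "$4" = self ]; then
        openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" -sha256 \
            -days 30 -extfile "$5" -out "$1/$2.pem" 2>/dev/null
    else
        openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" \
            -CAcreateserial -sha256 -days 30 -extfile "$5" \
            -out "$1/$2.pem" 2>/dev/null
    fi
}

# build_test_chain <dir>
# root.pem plays the Trusted Root in the browser; intermediate.pem is the
# file the CA sends along with the server certificate.
build_test_chain() {
    printf 'basicConstraints=critical,CA:TRUE\n' > "$1/ca.ext"
    printf 'basicConstraints=CA:FALSE\n'         > "$1/leaf.ext"
    issue "$1" root         'Test Root CA'         self         "$1/ca.ext" &&
    issue "$1" intermediate 'Test Intermediate CA' root         "$1/ca.ext" &&
    issue "$1" server       'www.example-site.com' intermediate "$1/leaf.ext"
}

# verify_output <root.pem> <server.pem> [intermediate.pem]
# Prints what `openssl verify` reports when only <root.pem> is trusted and
# the optional intermediate is offered as an untrusted helper certificate.
verify_output() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>&1
    else
        openssl verify -CAfile "$1" "$2" 2>&1
    fi
}

# chain_verifies <root.pem> <server.pem> [intermediate.pem]
# Returns 0 if a path from the server certificate to the root can be built.
chain_verifies() {
    verify_output "$@" | grep -q ': OK$'
}

demo_chain() {
    dir=$(mktemp -d) || return 1
    build_test_chain "$dir" || { rm -rf "$dir"; return 1; }
    echo "server certificate alone:"
    verify_output "$dir/root.pem" "$dir/server.pem" | sed 's/^/    /'
    echo "server certificate plus intermediate:"
    verify_output "$dir/root.pem" "$dir/server.pem" \
        "$dir/intermediate.pem" | sed 's/^/    /'
    rm -rf "$dir"
}

demo_chain
```

Run against real files, `chain_verifies` takes the CA's root, your issued certificate and the intermediate file from the CA's email, which shows whether the intermediate you hold is the one that links the two.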
Here are a few Intermediate Installation guides:
Renewal Process & Procedure
To successfully renew your SSL, you must purchase another certificate, generate the order, complete validation, and install the updated SSL certificate onto your web server. In essence, you are repeating the exact same process as the original application, however, there are some incentives with renewals (i.e. discounts, additional time, etc...). To give yourself an ample amount of time, we recommend starting the renewal process any time within 90 days of the original expiration date.
As SSL experts, we suggest you create a new CSR and Private Key during the renewal process. This reduces any mismatches or errors during installation. If the original CSR is used and the corresponding Private Key is missing, you'll encounter an error during configuration and have to re-issue the active certificate.
Each renewal order is case-by-case and validation is still dependent on your current business registration details. However, if an OV certificate is renewed within 39 months of the original certificate, the CA can roll over the majority of the previously validated information and proceed with the final verification call. As for EV orders, if the renewal certificate is not generated within 13 months of the original certificate, the CA cannot roll over previously validated information and will require the applicant to re-authenticate the entire order.
With renewal certificates, you must proceed with the generation, validation, and installation steps after completing the checkout process. During the renewal process, please treat the renewal certificate as an entirely separate order since you'll obtain a completely new file to install. If you only purchase the renewal certificate and fail to complete the additional steps, your site will continue to use the original file and display a warning once expiration occurs.
Code Signing Certificate Questions
A code signing certificate is a "digital shrink-wrap" that assures your customers and users that an app or other code set hasn't been altered between the time it was signed by your software publisher and the time they receive it over the Internet. Code signing certificates give the user a sense of trust and confidence in running the app or code on their computer.
Yes. The CSR needs to be generated on a personal computer using Firefox as your default web browser. During this process, the private key will also be created and stored within the Firefox browser which will be important during the downloading process.
Once the validation process is completed, the Certificate Authority (CA) will send you an email with a 'collection' or 'pick-up' link to verify the email address which you used while ordering. Using the same Firefox web browser on the same personal computer used to generate the code signing order, follow the provided link and download the certificate. The Firefox web browser will automatically trigger the existing stored private key and install the code signing certificate. Once the download process is completed, back up the code signing certificate and export the code signing certificate and private key from the browser into a PFX (.p12) file.
Make sure you are using the same Firefox browser on the same personal computer that was used to generate the code signing order.
Using the Firefox browser, follow these steps:
- Click the "Open" menu
- Select "Options"
- Click on "Advanced" or "Encryption"
- Under the certificate tab, select "View Certificates"
- Under Your Certificates, click your code signing certificate name
- Once highlighted, select "back up all" and enter in your passphrase
Platforms are used by developers to sign their applications using specific tools. Since each platform is different, please reference official instructions for your particular platform. The most common platforms are Microsoft, JAVA, Adobe, etc…
- Windows 8
- Any Microsoft format (32 and 64 bit), EXE, OCX, MSI, CAB, DLL, and kernel software
- Adobe AIR applications
- JAVA applets
- Mozilla Object files
- MS Office Macro or VBA (Visual Basic for Applications) files
- Apple Mac software for MacOS 9 and OSX
- Microsoft Silverlight applications or XAF files