FAQ
- All
- Business Validation
- Certificate Authorities
- Changes
- Code Signing (Sectigo/GoGetSSL)
- Configuration
- CPAC
- CSR Code
- CSR Decoder
- CSR Generation Tutorials
- CSR Generator
- DigiCert
- Domain Validation
- Extended Validation
- General
- Install SSL Certificates
- Installation
- IP Address
- LEI
- Multi Domain
- Payments
- Private Key
- Renewal
- S/MIME
- Types
- Updates
- Wildcard
Unfortunately, there are no Wildcard EV SSL Certificates on the market. The Certificate Authorities refuse to issue EV Wildcard SSL Certificates because of the security reasons, so as they want to have complete control over the subdomains that they issue an EV SSL to. That is why, your only solution is to buy a Multi-Domain EV SSL Certificate that secures multiple domains and subdomains.
In some cases, the CAs may require manual verification if your order fails any internal rules of Brand Validation. It takes around 24-48 hours to pass this manual check, and the CA will either issue or reject an order in such cases.
Here are the most common reasons why certificate authorities decide to do the brand validation for some orders:
- Orders from some countries are reviewed manually more often than others, for example: South Korea, North Korea, Japan;
- Restricted countries – Russia (RU), Belarus (BY) (since 2022), Afghanistan (AF), Crimea (Russia), Cote d’Ivoire (CI), Cuba (CU), Eritrea (ER), Guinea (GN), Iraq (IQ), Iran (IR), Democratic People’s Republic of Korea (KP), Liberia (LR), Myanmar (MM), Rwanda (RW), Sudan (SD), Sierra Leone (SL), South Sudan (SS), Syrian Arab Republic (SY), Venezuela (VE), Zimbabwe (ZW) – SSL are NOT issued for these countries: https://sectigo.com/knowledge-base/detail/Banned-Country-List-1527076085907/kA01N000000zFKI and https://knowledge.digicert.com/solution/Embargoed-Countries-and-Regions.html
- The domain name includes a brand name, such as: facebook-app.com, sony-shop.net, dellshop.com, etc;
- The domain name may have a hidden brand name. For example, your domain is “sibmama.com”, but the automated validation system may read it as “sIBMama” and flag the “IBM” brand. The certificate authority wants to check such orders manually;
- The domain name has “stop words”, such as: pay, online, secure, booking, shop, bank, transfer, money, e-payment, payment, protection, violence, terrorists, and others. These words and many others are set as triggering words inside the validation system, and make the certificate authority review such orders manually;
- Domain name is blacklisted OR has a bad reputation.
What you can do to speed up the process?
Please contact Sectigo and Thawte, RapidSSL, GeoTrust, DigiCert directly via live chat and discuss the situation with the CA’s representative.
Please mention your “Partner Order ID” in your message. You can find your “Partner Order ID” on the details page of your SSL Certificate inside your SSL Dragon account. See the screenshot on the right.
The subdomains that you can secure with one Wildcard SSL Certificate have to be either 1st level sub-domains (e.g.: *.example.com) or 2nd level sub-domains (*.mob.example.com). You cannot secure 1st and 2nd level sub-domains with one regular Wildcard SSL Certificate.
If you want to secure 1st level sub-domains and 2nd level sub-domains, you have to get a Multi-Domain Wildcard SSL Certificate, or 2 separate Wildcard SSL Certificates.
For example, a regular Wildcard SSL Certificate allows you to secure:
- One main domain name (example.com) and all its 1st level sub-domains (*.example.com):
- my.example.com
- test.example.com
- dev.example.com
- mail.example.com
- (etc)
- Or, one sub-domain (mob.example.com) and all 2nd level sub-domains (*.mob.example.com):
- my.mob.example.com
- test.mob.example.com
- dev.mob.example.com
- mail.mob.example.com
- (etc)
In order to secure one domain and all its sub-domains as shown in the first example, you have to include *.example.com as a common name (domain name) when creating a CSR (Certificate Signing Request). If you want to secure 2nd level sub-domains, then you have to enter *.mob.example.com as a common name (domain name) when creating a CSR (Certificate Signing Request).
The multi-domain certificate can be initially activated for the primary domain name.
If you wish to add more domains later, you need to reissue the certificate in your SSLDragon.com account, and add the SAN (additional domain) list in the SAN field, when reissuing.
If you need to add more domains than included by default, then please choose the Add More SANs option in order to pay for and activate the additional SANs.
Yes, you can change the company name that your SSL Certificate is issued to. The procedure involves the reconfiguration and reissue of your SSL Certificate, and there are some additional steps if you have a Business Validation or Extended Validation Certificate.
Domain Validation SSL Certificates
You can reissue your SSL Certificate from your SSL Dragon account by following the next steps:
1) Log into your SSL Dragon account;
2) Go to “SSL Certificates” -> “My SSL Certificates“;
3) You will see the list of products that you bought from SSL Dragon. Click on the SSL Certificate which you would like to reissue;
4) Click on the “Reissue certificate” button on the left side (see the screenshot on the right);
5) Reconfigure your SSL Certificate. As a part of the reconfiguration, please create a new CSR code and enter the new company name, locality (city or town), state or province, and country in it.
6) For Multi-Domain SSL – Don’t forget to include the SAN list in the SANs field;
7) After reconfiguring your SSL Certificate, you will have to pass the Domain Validation again.
For Domain Validation SSL Certificates, your SSL Certificate will be reissued for the new domain name after you pass the domain validation successfully.
Business Validation SSL Certificates
To change the company name in your Business Validation SSL Certificate, you have to go through the same reconfiguration and domain validation process as described under the “Domain Validation” section above. After that, you have to pass the entire Business Validation process again, so as the Certificate Authority needs to verify the legal existence of your new company, and your company’s phone number. You can read how to pass the Business Validation process at this link.
Your BV SSL Certificate will be reissued for the new company name after you pass the Business Validation process again.
Extended Validation SSL Certificates
To change the company name in your Extended Validation SSL Certificate, you have to go through the same reconfiguration and domain validation process as described under the “Domain Validation” section above. After that, you have to pass the entire Extended Validation process again, so as the Certificate Authority needs to verify the legal existence of your new company, and your company’s phone number. You can read how to pass the Extended Validation process at this link.
Your EV SSL Certificate will be reissued for the new company name after you pass the Extended Validation process again.
Yes, you can change the domain name that your SSL Certificate is issued to. The procedure involves the reconfiguration and reissue of your SSL Certificate, and there are some additional steps if you have a Business Validation or Extended Validation Certificate.
Domain Validation SSL Certificates
You can reissue your SSL Certificate from your SSL Dragon account by following the next steps:
1) Log into your SSL Dragon account;
2) Go to “SSL Certificates” -> “My SSL Certificates“;
3) You will see the list of products that you bought from SSL Dragon. Click on the SSL Certificate which you would like to reissue;
4) Click on the “Reissue certificate” button on the left side (see the screenshot on the right);
5) Reconfigure your SSL Certificate. As a part of the reconfiguration, please create a new CSR code and enter the new domain name in it.
6) For Multi-Domain SSL – Don’t forget to include the SAN list in the SANs field;
7) After reconfiguring your SSL Certificate, you will have to pass the Domain Validation again.
For Domain Validation SSL Certificates, your SSL Certificate will be reissued for the new domain name after you pass the domain validation successfully.
Business Validation SSL Certificates
To change the domain name in your Business Validation SSL Certificate, you have to go through the same reconfiguration and domain validation process as described under the “Domain Validation” section above. After that, you have to pass the entire Business Validation process again, so as the Certificate Authority needs to verify the legal existence of your domain name, company, and your company’s phone number. You can read how to pass the Business Validation process at this link.
Your BV SSL Certificate will be reissued for the new domain name after you pass the Business Validation process again.
Extended Validation SSL Certificates
To change the domain name in your Extended Validation SSL Certificate, you have to go through the same reconfiguration and domain validation process as described under the “Domain Validation” section above. After that, you have to pass the entire Extended Validation process again, so as the Certificate Authority needs to verify the legal existence of your domain name, company, and your company’s phone number. You can read how to pass the Extended Validation process at this link.
Your EV SSL Certificate will be reissued for the new domain name after you pass the Extended Validation process again.
Yes, you can decrypt a CSR with OpenSSL. OpenSSL is an open-source software suite that provides library-level support for secure communication and cryptography. You can use OpenSSL commands such as the ‘openssl req’ command to decrypt the CSR file.
Yes, you can read the text of a CSR in the command line. Use the ‘openssl req -text’ command to view the contents of the CSR file. This will display the encoded data in an easy-to-read format so that you can understand what each field stands for and what information is required for the SSL to be verified and accepted.
You can receive a refund ONLY for the additional domains (SANs) that you bought and NOT used.
If you have already activated the SAN (additional domain) for a particular domain name, then you cannot be refunded for that specific domain name.
Unfortunately, domain names that end with .local are not supported from November 1st, 2015. If you request an SSL Certificate for a domain or sub-domain that has .local as an extension, your SSL Certificate will be rejected by the Certificate Authority.
If you want to secure a domain or sub-domain on your localhost, you can create a self-signed SSL Certificate. There is plenty of documentation online on how to do that.
Yes, you can secure an IP address with an SSL Certificate. However, only some specific SSL Certificates will allow you to do that. Here are those SSL Certificates:
– Sectigo InstantSSL Premium
– GoGetSSL Public IP SAN
Please note that the Sectigo InstantSSL Premium is a Business Validation SSL Certificate, which means that you need to have a registered company in order to be issued this SSL certificate.
GeGetSSL Public IP SAN is a Domain Validation SSL Certificate which secures 2 IP addresses by default.
You can secure inexpensively and efficiently multiple domains and/or sub-domains with a Multi-Domain (SAN) SSL Certificate. Depending on the SSL Certificate brand and certificate product, the SAN cert will include a different number of additional domains at the price quoted on the SSL Certificate’s details page (see screenshot on the right).
You can find our full list of Multi-Domain (SAN) SSL Certificates at this link.
You can secure multiple subdomains by purchasing a Wildcard Certificate. This SSL was specifically designed for ensuring the security of your main domain, along with its multiple subdomains. For instance, if your site’s domain is ssldragon.com, then the Wildcard certificate for *.ssldragon.com will secure an unlimited number of your first-level subdomains like mail.ssldragon.com, account.ssldragon.com or login.ssldragon.com.
You can find our full list of Wildcard certificates at this link.
When you buy or configure your Multi-Domain (SAN) SSL Certificate, please note that most Multi-Domain Certificates do not secure the domains with and without “www”. With other words if you want to secure both, example.com and www.example.com under one single Multi-Domain Certificate, that will be considered as two different domain names. The screenshot on the right shows you where you can find the attribute that tells you if your Multi-Domain Certificate secures both “www” and “non-www” under one single domain (SAN), or not.
Anyway, that is not a problem so as you cannot have the same website open both as www.example.com and as example.com. All website owners only choose one of these options and make the other option automatically re-direct to the other. For example, you can choose your website to always open at www.example.com and anybody who enters on example.com is automatically redirected to www.example.com. In this way, you only have to secure one domain, and that is: www.example.com.
Yes, absolutely.
The Multi-Domain (UCC/SAN) SSL Certificate allows you to secure multiple domains or subdomains which are hosted either on one IP address or different IP addresses. This SSL Certificate type was particularly designed to secure multiple websites within one single SSL Certificate as an easy-to-use and cost-effective solution.
As of June 1, 2021, and in compliance with the CA/Browser Forum Code-signing Baseline Requirements, Sectigo will require RSA keys to be a minimum of 3072 bits in size.
When generating keys and CSRs for code-signing certificates, please ensure you choose an RSA key with a 3072- or 4096-bit key size.
Only the size of the keys is to change, the rest of the process remains the same. Existing RSA 2048 bit certificates will continue to work and no changes are needed to them.
Certificates requested with ECC (elliptic curve) keys are unaffected and Sectigo will still sign certificates with keys using the NIST P-256 and P-384 curves.
Source: Sectigo’s Knowledge Base
You have to pass the Business Validation when you buy a new or reissue/renew a BV SSL Certificate.
At the same time, the process of completing the Business Validation is easier the following years, so as the Certificate Authority has more information about your company in their system, based on your previous BV SSL Certificates requests.
Please check the Renew/Reissue BV instructions.
You have to pass the Extended Validation when you buy a new or reissue/renew an EV SSL Certificate.
At the same time, the process of completing the Extended Validation is easier the following years, so as the Certificate Authority has more information about your company in their system, based on your previous EV SSL Certificates requests.
Please check the Renew/Reissue EV instructions.
You can add sub-domains to your server and they will be covered by your Wildcard SSL Certificate automatically. You do not need to re-issue your Wildcard SSL Certificate each and every time when you add sub-domains to it. The newly added sub-domains will be automatically covered by your Wildcard SSL Certificate.
You have to purchase an SSL certificate if your website contains logins or web forms that require personal or credit card information from your customers. The SSL certificate will secure the personal data shared on your website and will make your clients feel safer while performing transactions, knowing that any information shared is within a secure environment and authenticated by a trusted Certificate Authority.
If you have an informative website, we still recommend you to purchase an SSL certificate. By having an HTTPS link, your website will be more trustworthy.
A data server provides a wide range of database services such as data storage, data manipulation, data analysis, and archiving. If your website offers Database-as-a-Service (DBaaS) solutions, you will need an SSL certificate to encrypt the sensitive information of your clients. Moreover, since Chrome and Firefox flag websites without SSL encryption as not secure, a valid SSL certificate will ensure that your site is accessible 24/7 from any browser.
No, you do not have to decrypt the CSR file to upload it to a CA. You can simply submit the encoded file directly to the Certificate Authority, as they will be able to decode the information and generate the SSL certificate.
We guarantee a 100% refund only for non-issued LEI codes. If the LEI code is issued and the user cancels it, there will be NO refund. Please note we do not guarantee a refund if the information provided during entity verification is fake and wrong.
You can contact the Certificate Authorities directly when you have any questions related to your SSL Certificates. You can contact them anytime, either by phone or email, or better – by using the Live Chat feature.
Please don’t forget to mention your Partner Order ID, which you can find on the SSL Certificate’s details page inside your SSL Dragon account (see screenshot on the right).
Here is the contact information of all Certificate Authorities we collaborate with:
Sectigo/GoGetSSL
Live Status Checker: https://secure.trust-provider.com/products/ORDERSTATUSCHECKER
Live Chat & Ticket System: https://sectigo.com/support
Phone (USA): +1 (888) 266-6361
Phone (International): +1 (914) SECTIGO (732-8446)
More contact information on Sectigo’s official website
Thawte
Online chat: https://www.thawte.com/chat/chat_sales.html
Phone (USA): +1 (888) 484 2983
Phone (UK): +44 203 450 5486
Phone (Australia & Asia Pacific): +61 3 9914 5641
More contact information on Thawte’s official website
GeoTrust
Online chat: https://www.geotrust.com/support/chat/
Phone (USA): +1 (866) 511-4141
Phone (UK): +44 203 0240907
Phone (Australia): +61 3 9914 5661
More contact information on GeoTrust’s official website
RapidSSL
Online chat: https://www.rapidssl.com/chat/intro.html
Phone (USA): +1 (866) 795-4669
Phone (Europe, UK, Australia): +44 203 024 0906
DigiCert
Phone (USA): +1 (801) 701-9600
More contact information on DigiCert’s official website
There are many different ways to install an SSL Certificate, and they all depend on your SSL Certificate brand, the webserver type, the operating system on your server, and the web hosting panel that you have on your server.
These being said, please check our Installation Articles to get detailed instructions on how to install your SSL Certificate on about 44 different server types, hosting panels, and operating systems.
Also, here are links to documentation on how to install your SSL Certificate on your server, based on the SSL Certificate brand that you have:
– Sectigo
– Thawte/RapidSSL/GeoTrust/DigiCert
– GoGetSSL
We always recommend you get specialized help with your SSL Certificate installation. If you have a web developer or a system engineer, then they would be the right people to help you with your SSL Certificate installation.
To renew your LEI code, log into your LEI account and select the renewal option. Submit the details of the legal entity which needs to be renewed, including the LEI Code. Wait for a renewal confirmation.
Sectigo Personal Authentication Certificate lets you easily sign any valuable and critical personal or company document, therefore ensuring compliance with industry requirements of digitally signed documents. By digitally signing the document, you identify yourself as the authentic document signer and certify its integrity by proving that your document hasn’t been altered since it was signed. In this way, CPAC SSL Certificates help you migrate from ink & paper to digital workflows of contracts, sign-offs, request forms and other important company documents, working in tandem with or replacing the visible signature feature in Microsoft® products such as Microsoft Office Suite, Open Office Suite, VBA Macros and more.
Sectigo Personal Authentication Certificate helps businesses reduce the risks and threats associated with using standard passwords by enabling the two-factor authentication of users. If you need a stronger guarantee that the person logging into your company network or account is your legitimate employee, CPAC SSL Certificates will allow you to secure your sensitive and private customer or corporate data by enabling the industry standard used by banks all over the world – two-factor authentication – seamlessly integrating the certificate as a second authentication element. In this way, you will protect your company access, including remote, from any hackers attempting to steal usernames and passwords.
Sectigo Personal Authentication Certificates provide you the highest level of protection by enabling end-to-end encryption of your email communications. By signing and encrypting your outgoing email messages, you protect them from Man-in-the-Middle attacks, https proxies, or packet-sniffers, therefore your messages can’t be intercepted and decrypted by a malicious third party.
Encrypting Email Messages guarantees their privacy and integrity, while digitally signing the messages authenticates you as being the genuine sender. In this way, you will secure yourself and your business from accidental or fraudulent data exposures, privacy breaches, and other potential security threats associated with business communication.
You need to go to your SSL Dragon account and check the “Expires” field for the SSL Certificates that you have with us. You can do that by following the next steps:
1) Log into your SSL Dragon account at: https://my.ssldragon.com/
2) Go to “SSL Certificates” -> “My SSL Certificates“;
3) You will see the list of SSL Certificates which you bought from us;
4) Click on the necessary SSL Certificate;
5) Find its “Expires” field on the SSL Certificate’s details page.
You may start the renewal process within 30 days before the “Expires” date by clicking on the “Renew” button.
Your new SSL Certificate will be connected with the old one. All remaining days from the previous SSL Certificate will be added to the new one.
The process of renewing your SSL Certificate is almost the same as placing a new order. You may start the renewal within 30 days before the expiration date.
Here are the steps on how to renew your Standard (Domain/IP address) SSL Certificate:
-
Click on the “Renew” button on the product page of your expiring SSL Certificate within your SSL Dragon account.- Complete the payment of the newly created invoice for the renewed SSL Certificate.
- Once the invoice for the renewed SSL Certificate is paid, click on “Back to Client Area” or go to “My SSL Certificates” section inside your SSL Dragon account.
- Click on the renewed SSL Certificate. Once you are on the SSL Certificate’s details page, scroll down and click on the green button that says “Configure Now”.
- Under the “Order Type” you should choose “Renewal”. This information will go to the Certificate Authority, and they will know that you had an SSL Certificate and you are renewing it. In this way, your new SSL Certificate will be connected to the old one. All remaining days from the previous SSL Certificate will be added to the new one. (An exception to this rule are – Code Signing and CPAC SSL Certificates – unfortunately, the CA’s SSL Certificate management portal for these SSL certificates is not technically capable to match the old and new SSL Certificates.)
- After that, you have to submit a CSR. You can use the old CSR from your previous SSL Certificate, or generate a new CSR. Either way is fine.
- Fill in the rest of the form information for your renewed SSL Certificate.
- Then pass the domain validation, or business validation, or extended validation, depending on what applies to your SSL Certificate.
- When your SSL Certificate is renewed, you need to reinstall the new SSL Certificate on your server. In other words, you need to replace your old/expiring SSL Certificate with the new one which you have just received. The old certificate will NOT get replaced, renewed, or continued automatically.
Please note:
- If you have a CPAC or Code Signing Certificate from GoGetSSL, Sectigo, Thawte, or DigiCert, then steps 4-5 do not apply to you. You will have to fill in the certificate request form for your CPAC/Code Signing Certificate on the certificate authority’s website further and let us know about the details you field in, as usual. Also, unfortunately, the CA’s SSL Certificate management portal for these SSL certificates is not technically capable to match the old and new SSL Certificates, thus the remaining days from the old SSL Certificate will not be added to the new SSL Certificate.
- If you are renewing a Business Validation SSL Certificate or an Extended Validation SSL Certificate, you will still have to pass the Business Validation or the Extended Validation again. Anyway, the Business Validation and Extended Validation processes are quicker when renewing an SSL Certificate than when getting it for the first time.
- If you own a Multi-Domain (SAN/UCC) SSL Certificate for which you have previously purchased & added additional SANs (domains), don’t forget to include all of them in the SANs field when configuring the renewed SSL.
- If you want to change the validity of the renewed SSL Certificate – e.g. you have a Sectigo PositiveSSL Multi-Domain with 4 SANs (5 Domains) for 2-year SSL, but you what to renew it for 3 years. Then you must order a 3-year SSL of the same type and configuration – a Sectigo PositiveSSL Multi-Domain with 4 SANs (5 Domains) for 3-years – complete the payment, and click on the newly purchased SSL. Then please follow Steps 5-9 from above.
A Multi-Domain Wildcard SSL Certificate is specifically created to allow users to secure multiple domains and sub-domains using one single SSL Certificate.
NOTE #1: Any Multi-Domain Wildcard SSL Certificate should start with a non-Wildcard domain. This means that anytime you configure and request a Multi-Domain Wildcard SSL Certificate, you need to generate a CSR (Certificate Signing Request) for a single domain (such as: example.com), without any asterisk sign “*”. This is a requirement that comes from the Certificate Authorities. All the additional SANs (2nd, 3rd, 4th domains) can be Wildcard domains.
For example, a Multi-Domain Wildcard SSL Certificate that has 3 SAN (4 domains) by default, allows you to secure the following:
- One main domain and multiple Wildcard domains:
- example.com – included in the CSR (Certificate Signing Request)
- *.example.com
- *.mysite.com
- *.abcxyz.com
- One main domain and multiple Wildcard domains (with both, 1st level and 2nd level sub-domains):
- example.com – included in the CSR (Certificate Signing Request)
- *.example.com
- *.mob.example.com
- *.mysite.com
- Several domains and multiple Wildcard domains (with both, 1st level and 2nd level sub-domains):
- example.com – included in the CSR (Certificate Signing Request)
- *.example.com
- mysite.com
- *.mob.mysite.com
NOTE #2: If you add a SAN item like *.domain.com, you will protect its unlimited sub-domains but not the main domain. For example, if you want to secure secure two domains and all their sub-domains, you have to configure your SSL in the following format:
- domain.com – included in the CSR (Certificate Signing Request)
- *.domain.com
- mysite.com
- *.mysite.com
You can add sub-domains to your server and they will be covered by your Wildcard SSL Certificate automatically. You do not need to re-issue your Wildcard SSL Certificate each and every time when you add sub-domains to it. The newly added sub-domains will be automatically covered by your Wildcard SSL Certificate.
A CSR decoder takes the encoded data from a Certificate Signing Request and translates it into plain text, allowing you to understand what each field means and what the encoded value represents.
An SSL Certificate takes the information that your users provide and encrypts it, so that only a web server can decrypt it and understand it. So as the information on the web is transmitted via HTTP language, your data is not protected, as HTTP itself is not secure. The SSL Certificate takes your information, encrypts it, and passes it securely to the server where the website is hosted, or directly to the payment processor. On the merchant’s server, or on the payment processor’s side, the SSL certificate receives the encrypted HTTP information, decodes it, and safely performs the action you requested (logging you in, processing a payment, etc).
In this way, the SSL Certificate turns your “HTTP” connection into an “HTTPS” (secured HTTP) connection and protects your data. With an SSL Certificate, your information is protected and safe.
Installing an SSL certificate is quite easy and can usually be done in a few simple steps. First, you will need to generate a Certificate Signing Request (CSR) file and submit it to the Certificate Authority. Once the SSL certificate is issued, you will then need to install it on the web server. Depending on the server, the installation process may vary, but the documentation provided by the hosting company or CA should make this straightforward.
The LEI online registration should take a few minutes, provided you have all the required information and documents. Preparing the required data and paperwork varies from company to company.
The CSR generation itself is instant. The only time you’ll spend is filling in the required CSR fields with your contact information.
Estimated LEI registration time varies by country. Applicants from Australia, the US, the UK, and European Union should receive the LEI code less than an hour after applying. For other countries, LEI processing may take between 1 and 36 hours.
The amount of time it takes to install an SSL certificate will depend on a few factors such as the web server platform, type of Certificate Authority, and complexity of the installation. Generally speaking, an SSL certificate can be installed in a few minutes if all of the necessary information is available. If additional steps are required, it may take longer to complete the installation.
The validation time of an SSL depends on the type of certificate you chose to buy.
Domain Validated certificates are issued within 3-5 minutes in 99% of the cases. Only when an SSL Certificate is requested for a domain name that contains a trademark or a brand name, then those SSL Certificates may pass brand validation, and can take up to a business day to be issued.
Business Validated certificates are usually issued within 1-3 business days.
Extended Validated certificates can take between 1-7 business days to be issued. The Certificate Authority does its part of the work very quickly. If all the information is provided to the Certificate Authority quickly and correctly, then the Certificate Authority can issue the EV certificate within 1 business day. We’ve seen situations when the EV Certificate was issued within a few hours. The 1-7 days period depends on how quickly the customer provides the required information to the Certificate Authority, and how quickly the customer responds to the Certificate Authority’s potential requests for additional information.
By doing the Validation process, the Certificate Authority’s is trying to confirm that you are the owner of the domain, and that the company that you are requesting a Business Validation or Extended Validation certificate for is active. That is why it is important that you keep your company’s records (address and phone number) up to date and you promptly respond to the Certificate Authority’s requests.
A Wildcard certificate will secure an unlimited number of subdomains.
LEI application cost starts at just $59 per year. But there’s more! You can save up to 17% when buying a multi-year option.
The cost of installing an SSL certificate on a website will vary depending on the type of certificate you choose and the Certificate Authority. To buy a certificate costs between $7 to hundreds of dollars per year.
The cost of having someone install an SSL certificate on your website will depend on their specific skills and the complexity of your particular installation. You can find web developers or IT professionals who specialize in SSL certificate installations and negotiate a fee with them based on their experience and project scope. Their costs will range from $20 to a few hundred dollars.
You must generate a CSR code every time you apply for a new certificate or are renewing your expiring cert. The CA uses the up-to-date data from your CSR to validate and issue your SSL certificate.
The main differences between Sectigo/GoGetSSL EV Code Signing and a regular code signing certificate from Sectigo/GoGetSSL are the following two major features:
Extended Validation – offers the highest level of trust since Sectigo verifies the publisher’s authenticity rigorously
Two-factor authentication – the main requirement to store the private key on an external hardware token, provided by mail by Sectigo/GoGetSSL in order to avoid any unauthorized access or malicious usage. Since the private key is stored only on this token, this feature drastically reduces the number of people who can access it, therefore protecting the key from being compromised.
A CSR is generated immediately. It will be generated to you as soon as you fill in the CSR Generator form.
A CSR is issued immediately. It will be issued to you as soon as you fill in the SSL CSR Generator from above.
To add your Company Name and TAX/VAT number, you have to login into your SSL Dragon Account and follow these steps:
- Click on the “Hello, *Your Name*” button on the right top side of your account dashboard and select “Edit Account Settings”;
- On the ‘My Details’ page, you will find the ‘Company Name’ and ‘Company TAX/VAT ID’ field;
- Fill in these fields with the necessary information then click on ’Save Changes’.
After you perform the above steps, your SSL Dragon account and all your invoices will be automatically updated with this information.
- Choose the SSL Certificate, then select the period (1, 2, or 3 years) and number of domains (only for Multi-Domain SSL Certificates), and click “Buy Now”;
- You’ll be redirected to your Shopping Cart, where you need to confirm the period and, for Multi-Domain SSL Certificates, the number of additional domains. Review your Order Summary then click “Continue”;
- On the Review & Checkout page, you’ll find the “New Customer” fillable form which you need to complete to create your SSL Dragon account. Afterward, insert your Promotional Code (if you have it), any Additional Information (if necessary), select the desired Payment Method, confirm that you’ve read and accepted our Terms of Service, and click on “Checkout”;
- You’ll be redirected to your Invoice which you need to pay using your selected Payment Method. Once the payment is done, you will see your order number and additional details on your Order Confirmation page. You will find your SSL Certificate in “My Account” at “SSL Certificates” -> “My SSL Certificates“.
Valid only for Sectigo and GoGetSSL Certificates:
Please go through the next steps in order to change the domain validation type for your SSL Certificate:
- Log into your SSL Dragon account;
- Go to “SSL Certificates” -> “My SSL Certificates“;
- You will see the list of products that you bought from SSL Dragon. Click on the SSL Certificate which you would like to change the domain validation type for;
- Click on the “Change DV Method” button which you can find towards the bottom on the page;
- Choose the new domain validation method for your domain(s); You can read more about what each validation type means at this link; (Important: HTTP validation method is no longer available for Wildcard SSL Certificates).
- Click “Submit” to make the new validation method go into effect.
Yes, you can look what information your CSR includes, by doing a process which is opposite to encrypting it. You can use our CSR Decoder tool in order to see what information is included in your CSR. You can do that our CSR Decoder page.
Yes, you can look at what information your CSR includes, by using our CSR Decoder tool. It is doing a process which is opposite to encrypting it.
You can check whether your SSL Certificate requires Domain Validation, Business Validation or Extended Validation by looking at the attributes of your SSL Certificate. Please open the two screenshots on the right in order to see where you can find the information about the validation type of your SSL Certificate.
- Sign in to “My Account” on our SSL Dragon website;
- Once you are logged in, go to the main menu, select “SSL Certificates” -> “My SSL Certificates“;
- You will see the list of SSL Certificates which you bought on our website. Click on the SSL Certificate which you have just ordered, to enter its details page;
- When you are on the details page of the SSL certificate which you bought, go towards the bottom of the page, and click on the green button which says “Configure Now”;
- Fill in the form, by entering your order type, web server type, CSR and your company information;
- The second thing that you will be asked about on this form is the CSR (Certificate Signing Request). Insert your CSR (if you already have one), or use our CSR Generator tool to generate your CSR and your Private Key, based on the information which you will introduce in the CSR form. Copy and paste your CSR code in the text area which asks you for your CSR.
Important: Please make sure to insert the entire CSR code, including the following two lines:
—–BEGIN CERTIFICATE REQUEST—–
(your CSR code)
—–END CERTIFICATE REQUEST—– - Only for Multi-Domain SSL: In the SANs Field, insert your additional domain name list, space-separated, e.g.:
yourdomain.com
yourseconddomain.com
- Once the form is completed in full, click on “Click to Continue”;
- You’ll be redirected to the domain validation page, where you need to choose your Domain Validation Method (email, HTTP/HTTPS, or DNS) then click on “Click to Continue”;
- The configuration of your SSL Certificate is completed now, and your order will be submitted to the Certificate Authority. If you have a Business Validation, Organization Validation, or Extended Validation SSL Certificate, you will find directions to the next steps on this page.
Some servers and hosting companies may require you to submit your SSL Certificate in a different format than the original format in which your SSL Certificate was provided to you. Here are some links with instructions on how to convert an SSL Certificate to different file formats:
CRT to PFX format conversion
1. Get PFX from CRT and txt containing private key for Azure
2. Bind an existing custom SSL certificate to Azure Web Apps
3. Exporting the SSL Certificate as a PFX file from IIS server
4. Convert your certificate to PFX
Convert .CRT to.CER file
It is easy to switch from .CRT format to .CER format. They are basically interchangeable. You can change the SSL Certificate extension/format by going with the steps written below:
- Copy and paste the CRT code which you got from your SSL Certificate’s details page in your SSL Dragon account and use Notepad to create a mywebsite.crt file from it;
- Double click on the mywebsite.crt file to open it and see the certificate being displayed;
- Click on the “Details” button, and then click on the button that says “Copy to File”;
- When you are on the Certificate Wizard, click “Next”;
- Then select Base-64 encoded X.509 (.CER), then click “Next” again;
- Click on “Browse” to choose the location where you want to save the converted file, and enter the desired name for your file (e.g.: mywebsite.cer);
- Finally, click “Save”, and you will have the .CRT to .CER conversion complete;
- You can get the mywebsite.cer file from the folder where you selected to save it to.
To create the well-known folder, you’ll need access to your server via an SFTP client, a web hosting control panel, or any other appropriate means. Here’s how to create the .well-known folder on the most popular platforms:
How to create the .well-known folder on Linux-based servers?
The instructions below are valid for Ubuntu, Debian, and CentOS servers.
- Go to the root directory of your website
- Create a directory called “.well-known“
- Inside it, create another folder called “pki-validation“
- Upload the TXT file inside the “pki-validation” directory
How to create the .well-known folder in cPanel?
- Log into WHM, or skip this step if you don’t have WHM
- Locate and log into the cPanel account for your domain name
- Click on “File Manager”
- Choose the “Web Root (public_html/www)” option and click “Go.”
- Create a new folder called .well-known
- Inside that folder create another folder called: pki-validation
- Upload your TXT file inside the pki-validation folder
How to Create the .well-known folder in Plesk?
- Use the File Manager option and go to the Files section in the right-side menu.
- You should create the .well-known folder in the default document root folder for your domain, which in Plesk is httpdocs.
- To create the folder, select New, then Create Directory.
- Inside the .well-known folder, create the pki-validation subfolder.
- Use the Upload button to add the validation TXT file into the pki-validation folder.
How to create the .well-known folder in Windows IIS servers?
Windows-based servers do not allow you to place a dot in a folder name, therefore you need to follow these steps:
- Go to the C: drive
- Create a new folder called well-known
- Inside the well-known folder, create another folder named pki-validation.
So far, your folders should look like this: C:\well-known\pki-validation - Upload the TXT file in the pki-validation folder
- Open the IIS Manager on your server
- Do right-click on your website and select Add Virtual Directory
- In the Alias section write .well-known
- In the Psychical Path area enter the path to the well-known folder. For example:
C:\well-known - Press OK to create this alias
How to create a .well-known folder in WordPress?
You can create a .well-known folder in WordPress in three different ways.
- Using a special plugin
- Through your web-hosting panel
- Via an SFTP Client such as FileZilla
We don’t recommend using a plugin as it may cause compatibility and security issues over time. Instead, use our instructions above to create the .well-known folder in cPanel, the most popular hosting panel.
If you don’t have cPanel, use an SFTP client. Connect to your server and inside your ~/public folder look for the .well-knwon directory. If it’s not there, right-click on the public folder, choose Create directory, and name the new directory .well-known.
How to create a .well-known folder in AWS?
- Use the bash command to create the .well-known.folder in the AWS EC2 instance:
mkdir -p .well-known/pki-validation - Put your validation file in the pki-validation subfolder:
nano .well-known/pki-validation/HashFileName.txt
How to Create the .well-known in macOS X Server?
Connect to your server via the built-in FTP client or the Command Line Interface.
FTP
- Press Command+K
- In the Connect to Server window, enter the address of the FTP server. For example, ftp://ftp.yourdomain.com. Click connect.
- Next, enter your FTP username and password and hit Connect again.
- Find the root directory of your domain.
- Create a directory called .well-known
- Inside the. well-known folder, create another folder called pki-validation.
- Upload the TXT file inside the pki-validation directory
Command Line Interface
You can use SSH and the Secure Copy protocol to upload the TXT file.
scp AC3E5D6I8G12935LSJEIK.txt
[email protected]:tld://Library/WebServer/Documents/.well-known/pki-validation
Where ‘AC3E5D6I8G12935LSJEIK.txt’ is the validation file name, ‘your_username’ is the username of your server account, ‘hostname.tld’ is your Mac OSX server hostname, and ‘/Library/WebServer/Documents/’ is the default directory of the document root folder.
For all server types, if you did everything correctly, you should be able open the following URL and see the hash code along with “comodoca.com” in any web browser:
http://mywebsite.com/.well-known/pki-validation/HashFileName.txt
To export a S/MIME certificate from firefox follow the instructions below:
- Open the Firefox browser and click the Options Menu button at the top-right corner, then select Settings
- Select Privacy & Security from the menu on the left
- On the Privacy & Security tab, scroll down to the Certificates section, and click View Certificates
- In the Certificate Manager window, select the Your Certificates tab, then select the certificate you wish to back up. Click Backup…
- Your certificate will be exported to a PKCS12 file. To learn more about certificate formats, check our comprehensive SSL formats guide. Please create a name for this file and specify where you want to save it.
- Next, you must create a password to protect your PKCS12 file. Remember this password because you need it if you import the certificate into another browser or mail client.
- Click OK to export your Sectigo Personal Authentication certificate.
Source: Sectigo’s Knowledge Base
To export your certificate from Internet Explorer follow the steps below:
- Open Internet Explorer, then navigate to Tools > Internet Options.
- From the Internet Options window, select the Content tab and then Certificates.
- In the Certificates window, select the Personal tab.
- Select the certificate you wish to export, then click Export…
- In the Certificate Export Wizard, depending on your needs, select one of the following options:
- Yes, export the private key. Pick this option if you want to import the certificate into another browser/email client or mobile device.
- No, do not export the private key. Select this option if you need to export the certificate for other purposes such as archiving your public key.
- For this demonstration we’ll pick the first option – Yes, export the private key.
- After you click Next, from the formats presented, click the Personal Information Exchange radio button and select Include all certificates in the certification path if possible and Enable certificate privacy. Click Next to continue.
- Now, create a password for your certificate. You will need it to import the certificate into another browser/mail client.
- Click Browse and go to the location where the certificate was saved. Click Next.
- Double-check your select settings, and click Finish to complete the Certificate Export process.
Source: Sectigo’s Knowledge Base
The Private Key was generated on your machine when you configured your Sectigo/GoGetSSL Code Signing Certificate initially. The screenshot from the right shows the page where you configured your Sectigo/GoGetSSL Code Signing Certificate initially. As you can see in the screenshot, you were given instructions on how to check and backup your Private Key.
If you lost your Private Key, then you have to reissue your Sectigo/GoGetSSL Code Signing Certificate. You can do that by following the next steps:
1) Login at https://secure.trust-provider.com/products/frontpage?area=ssl using the username and password that you used when you configured your Sectigo/GoGetSSL Code Signing Certificate initially;
2) Once you are logged in, find the “Replace” button and click on it;
3) You will start the reissue process for your Sectigo/GoGetSSL Code Signing SSL.
4) Follow the steps and instructions that come next, until you complete the Sectigo/GoGetSSL Code Signing Certificate reissue.
When you configure or re-configure your Sectigo/GoGetSSL Code Signing SSL Certificate, it is best to use some specific browsers for that. Here is an article that describes which browsers are best to use for configuring a Sectigo/GoGetSSL Code Signing Certificate.
When generating a CSR for a Wildcard SSL certificate, you must add an asterisk (*) in front of the domain name you want to secure. For example, you would enter *.yourdomain.com in the Common Name field.
It’s not recommended to use an existing CSR when applying for a new SSL certificate, as re-using the same key over very long periods may compromise website security.
When you generate a CSR via an external tool such as a CSR generator, you should enter one single domain name or sub-domain. The rest of the domains or sub-domains, known as SANs (2nd, 3rd, 4th domains or sub-domains), should be included in the fields for additional domains. You will find the additional domain fields on the SSL Certificate configuration form.
If you generate the CSR with OpenSSL, you need to create a new file named req.conf and add more DNS entries. Here’s the command line to request the CSR:
openssl req -new -out request_name.csr -newkey rsa:2048 -nodes -sha256 -keyout request_name.key -config req.conf
LEI number registration is a four-step process:
- Choose the LEI plan that suits your budget
- Complete our intuitive LEI application form
- Submit your LEI form and payment
- Wait for the LEI code to arrive by e-mail.
Follow the steps below to export your CPAC (which was already installed on Keychain into a PKCS12 file).
- Navigate to Applications > Utilities > Keychain Access
- In the Keychains options (on the left), select Login and click My certificates in the Category panel.
- Next, select the certificate you want to export ad click File then Export Items:
- Now, for the File Format, select Personal Information Exchange (.p12). Name it as you wish, and save it in a directory of your choice.
- Next, create a password for the exported file. It will be requested if/when you import the certificate into another browser/mail client or device.
- Click OK. You have successfully exported your Sectigo Personal Authentication certificate.
Once you’ve exported the Email;/Personal Authentication certificate into P12 format, you can import it into a MAC OC using Keychain Access. To complete the process, follow the steps below:
- Go to Applications > Utilities > Keychain Access
- In the Keychains panel on the left, select Login > File > Import Items…
- Now, locate your saved certificate file and click Open.
Note: If prompted to trust certificates issued by your CA automatically, select the Always Trust option to trust and install your certificate.
- You can view the installed certificate by clicking Category > My Certificates in the Keychain Access window.
Source: Sectigo’s Knowledge Base
You can install your Sectigo CPAC Certificate as soon as it has been issued to you.
Here are installation instructions for different browsers, email clients, and mobile devices provided by Sectigo:
Here are several links with instructions on how to install a Sectigo or a GoGetSSL Code Signing Certificate:
To install the SSL certificate on a server, you must upload the SSL certificate files, including the root and intermediate certificates (usually included in a CA Bundle file), from your device to the server of the website you want to encrypt. As there isn’t a universal process for SSL certificate installation, the quickest way to enable HTTPS on any server is by following our SSL installation guides.
To install the SSL certificate on your website, you must get it from a valid CA by submitting the Certificate Signing Request. After the CA validates your application, you will receive the installation files via email. Your next step is to download them on your local computer and then upload the files to the website server. This is a brief explanation of how to enable SSL.
You can check if you have a Business Validation SSL Certificate by looking at the attributes of your SSL Certificate. Please open the two screenshots on the right in order to see where you can find the information about the validation type of your SSL Certificate.
Different SSL Certificate brands have different Business Validation procedures. Please read the section that applies to your SSL Certificate brand below.
DigiCert (including Thawte & GeoTrust)
If you bought a Business Validation SSL Certificate with Thawte, GeoTrust, DigiCert, then the certificate authority will work on validating the legal existence of your organization via local public databases, as a part of the Business Validation process. This may take between 1-3 working days. Please wait until one of the certificate authority representatives contacts you about any additional information that they may need you to provide them.
If you do not hear from the Certificate Authority representatives in the next 5-7 days, then please call +1 (877) 438-8776 to check the status of your SSL Certificate with the Certificate Authority. Please note that Thawte, GeoTrust, DigiCert are all owned by DigiCert, and they all have the same phone number provided above. When you talk to them, you will need to provide the “Partner Order ID”, which you can find on the details page of your SSL Certificate inside your SSL Dragon account. See the screenshot on the right.
Sectigo/GoGetSSL
Please send the necessary forms described below to Sectigo by opening a ticket with Sectigo Validation Center at https://sectigo.com/support. Click on “Submit a ticket”, select Validation Department, and submit your request. Please mention your “Partner Order ID” in your message.
You can find your “Partner Order ID” on the details page of your SSL Certificate inside your SSL Dragon account. See the screenshot on the right.
I. New Orders
STEP 1: Business Validation
To pass Business validation, you may have to provide an official registration document, such as Business License, Article of Incorporation, and or Registration application.
Here are the BV options:
A. No paperwork. Your company’s legal existence will be checked via public government database using your company name and your unique Registration/Identification number OR via verified public 3rd party databases, such as GLEIF, Duns & Bradstreet, Hoovers, Companies House GOV.UK.
B. Paperwork. Your company will be verified using:
- an official registration document, such as Articles of Incorporation, Government Issued Business License, or
- a copy of a recent: company bank statement, company phone bill, or major company utility bill (i.e. power bill, water bill, etc.).
STEP 2: Callback process
The last step is a callback process called Phone Validation. Sectigo will call you and asks to confirm your name and order to validate the official company’s phone number.
Below are the 4 callback options. You don’t have to do all four things from below. Doing just one of them will be enough.
A. Yellow Pages Databases. Sectigo verifies your phone number via public Yellow pages Databases.
B. DUNS. The second way is to provide your DUNS number to Sectigo. You can get your company’s DUNS number from this website: https://www.dandb.com/. If Sectigo gets back to you and says that your DUNS listing does not contain a phone number, then you need to contact Dun & Bradstreet (at https://www.dandb.com/) and ask them to “add your company’s phone number to their business directory and on the report”.
C. Local phone database. If you don’t have a DUNS number, then the other thing you can do is to provide your company’s registration number for Sectigo to check your company with your country’s governmental directories (e.g.: Corporation Division, Companies House, Department of State, etc). Please note that Sectigo will be looking to see your company’s phone number listed there as well. Not all governmental directories have the companies’ phone numbers. If the governmental directory allows you to call them, email them, or use their website to add your phone number, then please go ahead and do that.
D. Legal Opinion. If the above two options (2.1 and 2.2) don’t work for you, then the third and last option to validate your phone number is to ask a CPA (Certified Public Accountant), or a Latin Notary, or an Attorney (Lawyer) to write, sign and send a letter to Sectigo where they confirm your company name, address, and phone number. You can find the sample letters below:
– Sample Accountant Letter
– Sample Legal Opinion Letter
II. Renewal/Reissue Orders
For reissues and renewal order, instead of Step 1 and 2, you must contact Sectigo Validation Center at https://sectigo.com/support. Click on “Submit a ticket”, or choose Live Chat, select Validation Department and submit the following request (please replace [] fields with the corresponding info):
Reason for the ticket: Validation
Order number: [Your Partner Order ID]
Subject: Business Validation
Dear Sectigo!
Please validate order [Partner Order ID] using the company name [Your Company Name], with [Registration/ID number] and [DUNS number].
Sectigo will then contact you for Step 2 or any necessary updates to the Step 1.
A code signing SSL certificate can be issued to an organization or an individual. The Sectigo validation requirements vary depending on who requests the code signing certificate.
Organization Validation Requirements according to Sectigo:
Organization validation verifies the following:
- Operational existence
- Physical existence
- Government-issued photo ID of the requestor
- Business phone number
- Order Authenticity
Operational Existence:
The Certificate Authority (CA) will verify your organization’s legal status and or DBA (doing business as) via your legal registration and other third-party trusted sources such as GLEIF, Duns & Bradstreet, Hoovers, Companies House GOV.UK.
Physical Existence:
The CA will verify your business address using the same procedure and trusted sources as during the operational existence verification.
Government-Issued Photo ID:
A copy of a government-issued photo ID is required to verify the requestor (admin contact) on the order. For the verification, you need to provide two documents:
- A copy of a government-issued photo ID such as a valid driver’s license, passport, national ID, or military ID that includes the name which matches the name on the order.
- A photo of the requestor holding the government-issued photo ID. The photo must clearly show the face and the government photo ID that is readable and can be compared to the copy provided in the document.
Phone Number:
The CA will verify your phone number via trusted third-party databases.
Order Validation
To validate your information, a validation agent will attempt a callback. A person of authority to request the certificate must confirm the order. If the validation agent can’t complete any of these requirements, an email will be sent explaining the issue and offering additional details for a resolution.
Individual Validation Requirements:
Individual Validation differs from organizational validation because you’re not proving business credentials but personal identity. Two options are available for individual validation:
Option 1 documents:
- Prove identity via a government-issued photo ID that includes an address that matches the name and address on the order.
- A photo of you holding the government-issued photo ID. The photo must clearly show your face and the government photo ID that is readable and can be compared to the copy provided in the document.
Option 2 documents:
- A Face to Face document explaining the specific instructions and requiring a notary to attest to and notarize the forms.
- A notarized copy of a valid driver’s license, passport, national ID, or military ID that includes your name and matches the name on the order.
- The Face to Face personal declaration statement
- The Face to Face confirming person statement
Note: The face-to-face verification form should be filled and signed by a Notary authorized to conduct business in your area/country.
How to submit documents
You can submit the documents to Sectigo by using one of the following methods:
- Upload directly to your order
- Use the Validation Manager (Your confirmation email contains a link to your order called the Validation Manager.)
- Upload documents as attached files to a case that you create via a ticket at Sectigo.
You can check if you have an Extended Validation SSL Certificate by looking at the attributes of your SSL Certificate. Please open the two screenshots on the right in order to see where you can find the information about the validation type of your SSL Certificate.
Different SSL Certificate brands have different Extended Validation procedures. Please read the section that applies to your SSL Certificate brand below.
DigiCert (including Thawte & GeoTrust)
The validation team would send you an agreement by email, during the verification process. Then the certificate authority will work on validating the legal existence of your company via local public databases, as a part of the Extended Validation process. This may take between 1-3 working days. Please wait until one of the certificate authority representatives contacts you about any additional information that they may need you to provide them.
If you do not hear from the Certificate Authority representatives in the 5-7 days, then please call +1 (877) 438-8776 to check the status of your SSL Certificate with the Certificate Authority. Please note that Thawte, GeoTrust, DigiCert are all owned by DigiCert, and they all have the same phone number provided above. When you talk to them, you will need to provide the “Partner Order ID”, which you can find on the details page of your SSL Certificate inside your SSL Dragon account. See the screenshot on the right.
Sectigo/GoGetSSL
Please send the necessary forms described below to Sectigo by opening a ticket with Sectigo Validation Center at https://sectigo.com/support. Click on “Submit a ticket”, select Validation Department, and submit your request. Please mention your “Partner Order ID” in your message.
You can find your “Partner Order ID” on the details page of your SSL Certificate inside your SSL Dragon account. See the screenshot on the right.
I. New Orders
STEP 1: Agreement signing
In a few hours after the order is placed, you will receive an email from Sectigo with a click-through link called the “Validation Manager link“.
Please use this click-through link to access the Validation form and sign the agreement using a digital signature and upload it directly to Sectigo.
If you didn’t receive the email with the link and/or can’t sign the agreement digitally, please fill these 2 forms – Certificate Request Form and EV SSL Subscriber Agreement – and send them to Sectigo (see above instructions).
You can also download the Sectigo EV forms from their knowledge-base.
STEP 2: Business Validation
To pass Business validation, you may have to provide an official registration document, such as Business License, Article of Incorporation, and or Registration application.
Here are the BV options:
A. No paperwork. Your company’s legal existence will be checked via public government database using your company name and your unique Registration/Identification number OR via verified public 3rd party databases, such as GLEIF, Duns & Bradstreet, Hoovers, Companies House GOV.UK.
B. Paperwork. Your company will be verified using:
- an official registration document, such as Articles of Incorporation, Government Issued Business License, or
- a copy of a recent: company bank statement, company phone bill, or major company utility bill (i.e. power bill, water bill, etc.).
STEP 3: Callback process
The last step is a callback process called Phone Validation. Sectigo will call you and asks to confirm your name and order to validate the official company’s phone number.
Below are the 4 callback options. You don’t have to do all four things from below. Doing just one of them will be enough.
A. Yellow Pages Databases. Sectigo verifies your phone number via public Yellow pages Databases.
B. DUNS. The second way is to provide your DUNS number to Sectigo. You can get your company’s DUNS number from this website: https://www.dandb.com/. If Sectigo gets back to you and says that your DUNS listing does not contain a phone number, then you need to contact Dun & Bradstreet (at https://www.dandb.com/) and ask them to “add your company’s phone number to their business directory and on the report”.
C. Local phone database. If you don’t have a DUNS number, then the other thing you can do is to provide your company’s registration number for Sectigo to check your company with your country’s governmental directories (e.g.: Corporation Division, Companies House, Department of State, etc). Please note that Sectigo will be looking to see your company’s phone number listed there as well. Not all governmental directories have the companies’ phone numbers. If the governmental directory allows you to call them, email them, or use their website to add your phone number, then please go ahead and do that.
D. Legal Opinion. If the above two options (2.1 and 2.2) don’t work for you, then the third and last option to validate your phone number is to ask a CPA (Certified Public Accountant), or a Latin Notary, or an Attorney (Lawyer) to write, sign and send a letter to Sectigo where they confirm your company name, address and phone number. You can find the sample letters below:
– Sample Accountant Letter
– Sample Legal Opinion Letter
II. Renewal/Reissue Orders
For reissues and renewal order, instead of Step 1 and 2, you must contact Sectigo Validation Center at https://sectigo.com/support. Click on “Submit a ticket”, or choose Live Chat, select Validation Department and submit the following request (please replace [] fields with the corresponding info):
Reason for the ticket: Validation
Order number: [Your Partner Order ID]
Subject: Extended Validation
Dear Sectigo!
Please validate order [Partner Order ID] using the company name [Your Company Name], with [Registration/ID number] and [DUNS number].
Sectigo will then contact you for Step 3 or any updates of Step 1 or 2 described above.
You can check if you have an Organization Validation SSL Certificate by looking at the attributes of your SSL Certificate. Business Validation equals to Organization Validation. This being said, wherever you see “Business Validation” it also means “Organization Validation”. Please open the two screenshots on the right in order to see where you can find the information about the validation type of your SSL Certificate.
Different SSL Certificate brands have different Organization Validation procedures. Please read the section that applies to your SSL Certificate brand below.
DigiCert (including Thawte & GeoTrust)
If you bought an Organization Validation SSL Certificate with Thawte, GeoTrust, DigiCert, then the certificate authority will work on validating the legal existence of your organization via local public databases, as a part of the Organization Validation process. This may take between 1-3 working days. Please wait until one of the certificate authority representatives contacts you about any additional information that they may need you to provide them.
If you do not hear from the Certificate Authority representatives in the next 5-7 days, then please call +1 (877) 438-8776 to check the status of your SSL Certificate with the Certificate Authority. Please note that Thawte, GeoTrust, DigiCert are all owned by DigiCert, and they all have the same phone number provided above. When you talk to them, you will need to provide the “Partner Order ID”, which you can find on the details page of your SSL Certificate inside your SSL Dragon account. See the screenshot on the right.
Sectigo/GoGetSSL
Please send the necessary forms described below to Sectigo by opening a ticket with Sectigo Validation Center at https://sectigo.com/support. Click on “Submit a ticket”, select Validation Department, and submit your request. Please mention your “Partner Order ID” in your message.
You can find your “Partner Order ID” on the details page of your SSL Certificate inside your SSL Dragon account. See the screenshot on the right.
I. New Orders
STEP 1: Organization Validation
To pass Organization validation, you may have to provide an official registration document, such as Business License, Article of Incorporation, and or Registration application.
Here are the BV options:
A. No paperwork. Your company’s legal existence will be checked via public government database using your company name and your unique Registration/Identification number OR via verified public 3rd party databases, such as GLEIF, Duns & Bradstreet, Hoovers, Companies House GOV.UK.
B. Paperwork. Your company will be verified using:
- an official registration document, such as Articles of Incorporation, Government Issued Business License, or
- a copy of a recent: company bank statement, company phone bill, or major company utility bill (i.e. power bill, water bill, etc.).
STEP 2: Callback process
The last step is a callback process called Phone Validation. Sectigo will call you and asks to confirm your name and order to validate the official company’s phone number.
Below are the 4 callback options. You don’t have to do all four things from below. Doing just one of them will be enough.
A. Yellow Pages Databases. Sectigo verifies your phone number via public Yellow pages Databases.
B. DUNS. The second way is to provide your DUNS number to Sectigo. You can get your company’s DUNS number from this website: https://www.dandb.com/. If Sectigo gets back to you and says that your DUNS listing does not contain a phone number, then you need to contact Dun & Bradstreet (at https://www.dandb.com/) and ask them to “add your company’s phone number to their business directory and on the report”.
C. Local phone database. If you don’t have a DUNS number, then the other thing you can do is to provide your company’s registration number for Sectigo to check your company with your country’s governmental directories (e.g.: Corporation Division, Companies House, Department of State, etc). Please note that Sectigo will be looking to see your company’s phone number listed there as well. Not all governmental directories have the companies’ phone numbers. If the governmental directory allows you to call them, email them, or use their website to add your phone number, then please go ahead and do that.
D. Legal Opinion. If the above two options (2.1 and 2.2) don’t work for you, then the third and last option to validate your phone number is to ask a CPA (Certified Public Accountant), or a Latin Notary, or an Attorney (Lawyer) to write, sign and send a letter to Sectigo where they confirm your company name, address, and phone number. You can find the sample letters below:
– Sample Accountant Letter
– Sample Legal Opinion Letter
II. Renewal/Reissue Orders
For reissues and renewal order, instead of Step 1 and 2, you must contact Sectigo Validation Center at https://sectigo.com/support. Click on “Submit a ticket”, or choose Live Chat, select Validation Department and submit the following request (please replace [] fields with the corresponding info):
Reason for the ticket: Validation
Order number: [Your Partner Order ID]
Subject: Organization Validation
Dear Sectigo!
Please validate order [Partner Order ID] using the company name [Your Company Name], with [Registration/ID number] and [DUNS number].
Sectigo will then contact you for Step 2 or any necessary updates to the Step 1.
Here are the steps that you need to do in order to pass OV (Organization Validation) for your S/MIME Class 2 email SSL Certificate:
Open a ticket with us and let us know the following info:
A. Your Company Info:
- Legal Company Name
- Organization Phone Number – This should be a number that can be verified against an online third-party address listing (e.g. Google business). DigiCert will call your verified organization phone number to confirm your organization for your SSL.
- Company Address – Address, City, State, Country, Zip Code
B. Your Company Contact Info:
- First Name
- Last Name
- Phone Number
C. The Email address, First Name, and Last Name the SSL will be issued for.
All DigiCert SSL Certificates require customers to pass the Business Validation or Extended Validation process. On DigiCert SSL Certificates, these two validation processes are identical. As a part of the Business Validation or Extended Validation process, you need to provide information about your company and your company’s phone number.
DUNS number
You need to provide your DUNS number to DigiCert, and your DUNS profile needs to display your phone number. You can check your company’s DUNS number/profile on this website: https://www.dandb.com/. If you see that your DUNS listing does not contain a phone number, then you need to contact
Please note that after asking DNB (Dun & Bradstreet) to add your phone number to your DUNS listing, it will take them a few days to do this update. You should expect to
At that point, you should contact DigiCert at +1 (877) 438-8776 and provide them your DigiCert Order ID and your DUNS number. You can find your DigiCert Order ID on your SSL Certificate’s details page inside your SSL Dragon account. See the screenshot on the right.
DigiCert will proceed with the callback verification process to verify your phone number. Once that is completed, your DigiCert SSL Certificate will be issued to you.
Legal letter
If adding your phone number to your DUNS listing takes too long, you can ask DigiCert to tell you what alternatives you have for passing the Business Validation or Extended Validation. DigiCert can send you an email message with information about a legal letter which you can write, then take it to a notary for them to sign it, and then scan and send it back to DigiCert by email. The letter will have your company name, address, and phone number. Once DigiCert receives it, they will do the callback on the number which you provide in the legal letter and will issue your DigiCert SSL Certificate shortly after that. Other certificate authorities have this practice too, so providing a legal letter is a common method for passing the Business Validation and Extended Validation.
When requesting an SSL Certificate you have to prove that you own or you have management rights over the domain or sub-domain that you are requesting an SSL Certificate for.
Important! As of June 16, 2021, Sectigo no longer accepts WHOIS-based email addresses for Domain Control Validation (DCV).
STEP 1: Domain Validation (DV)
A. EMAIL
If you have an SSL Certificate issued by Sectigo, GoGetSSL, GeoTrust, Thawte, DigiCert, and RapidSSL, then you can complete the domain validation is by responding to an automated domain validation message sent to your email address. You will be given a list of emails to choose from, and the automated domain validation message will be sent to the email address that you choose.
Always check your email address (including your Spam folder) so as you should receive an email message from the Certificate Authority with instructions on how to validate (prove the ownership of) your domain name. The email message will ask you to copy a unique code and paste it on a specific link provided in the same email message.
Important: Only 5 e-mail addresses are allowed for domain validation: admin@, administrator@, hostmaster@, webmaster@, and postmaster@.
In some cases, the Certificate Authority may allow your administrative e-mail from WHOIS, too, but ONLY IF the Private registration is disabled.
B. HTTP / HTTPS method
This method is Not Available for Wildcard SSL Certificates.
The HTTP validation consists of uploading a TXT validation file to a pre-defined location on your website. You have to make sure that you can access this file and link from any web browser. Once you proceed with this domain validation method, the CA will run a scan of your website and will look particularly for this file at the given link. Your SSL Certificate will pass the domain validation within a few minutes after the CA’s crawler system finds the TXT file on your website.
The HTTPS validation method is the same validation method as described above. You should choose the HTTPS option if you already have an SSL Certificate installed on your website.
C. DNS method
You can also add a pre-defined domain record to your domain registrar (the website where you registered your domain name). Make sure that your firewall doesn’t block the CA’s validation robot.
Sectigo and GoGetSSL require CNAME DNS type, which looks like:
_b2013ea8353c9760c0221c49dc3e8ca7.yourwebsite.com CNAME
165b83449f4fdf83021de4e6f6ee795a.4ae75dbefe3r7bb8a1878616d8b5ae4.5r4r46855d28f6903.comodoca.com
while DigiCert (Thawte, GeoTrust, RapidSSL) require TXT DNS type, which looks like:
yourwebsite.com TXT “w34f54t4t45t354eer98rn4jf4449nfrf”
or
dnsauth.yourwebsite.com TXT “w34f54t4t45t354eer98rn4jf4449nfrf”
Please note that newly added DNS records take between 10-48 minutes to propagate. This means that you will have to wait up to 48 hours to pass the domain validation if you go with this method. That is why we recommend the Email, HTTP, and HTTPS methods better because they would allow you to pass the domain validation instantly.
STEP 2: CAA Check
As of 8th September 2017, all Certificate Authorities (CAs) are obliged to respect your CAA policy, as a security measure.
The CAA record should allow the CA to issue the SSL for your domain name, otherwise, the order would be set as Pending until you update the record.
By default, if no CAA record found, any CA may issue SSL for your domain name. Otherwise, you should update your CAA record.
Here is how to do it:
– https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA01N000000zFMO
– https://docs.digicert.com/manage-certificates/dns-caa-resource-record-check/
Here is how to test the record:
– https://toolbox.googleapps.com/apps/dig/#CAA/
– https://caatest.co.uk/scan.org.ua
Optional (Rare) – Brand Validation (Manual Check)
In some cases, the CAs may require manual verification if your order fails any internal rules of Brand Validation.
It takes around 24-48 hours to pass this manual check, and the CA will either issue or reject an order in such cases.
Here are the reasons why your order is under Brand Validation.
How to change the domain validation method?
If you chose one of these domain validation methods described above, and you see that your domain doesn’t get validated, then you can always change your domain validation method. Please go to this link to learn how to do that.
Certain SSL Certificates allow you to secure an IP address, only if it is a public IP address. The validation process for IP addresses is similar to validating a domain name, but it has its particularities. That is why we encourage you to follow the guidelines below.
GoGetSSL
STEP 1. First of all, you have to configure your SSL Certificate by filling in the configuration form inside your SSL Dragon account.
Important! When configuring your certificate, you will be asked to generate a CSR with NO Common Name. Here is how to do it.
STEP 2. Mention your IP address / IP addresses in the SANs field.
If you have just 1 IP address, just insert it in the SANs field, with no extra spaces or characters, e.g.:
123.34.34.234
If you have 2 or more IP addresses (if you purchased additional SANs), insert your IP address list in the SANs field, with each IP address space-separated, e.g.:
123.34.34.234
124.34.24.234
Important! This step is mandatory. Since the CSR has no IP address included in its fields, it’s important to mention your IP address / IP addresses in the SANs field. Otherwise, if you leave the SANs field blank, the SSL Certificate won’t be further configured and you’ll see an error message.
NOTE: if you need to secure an IP address and a domain name, GoGetSSL PublicIP SAN allows you to do that, but it needs manual configuration. Please open a ticket with us, send us the CSR (with No Common Name), the IP address, and the domain name. We’ll configure the SSL manually and provide you the instructions for further validation.
STEP 3. Once your certificate is configured, you have to prove the ownership or right to use that IP address. To do that, you have to pass the HTTP/HTTPS validation for your SSL Certificate. Email or DNS validation are not available for IP validation. To pass the HTTP/HTTPS validation, you have to create a .TXT file that contains the validation code provided on the “Content” field on the details page of your SSL Certificate page. The “Content” that you have to add to the .TXT file looks similar to this:
38622319C755B5952FA4CD590655F05000C4951C2EF07BFFCB2BBA23623BE9D6
COMODOCA.COM
t0520161001553133275
Then you have to upload the TXT file at a location on your server that looks like this:
http://127.0.0.1/.well-known/pki-validation/B34037F1D9BFE9F5936AFEA9798174AB.txt
127.0.0.1 should be replaced by the IP address that you are trying to validate. You can read the information on how to create the .well-known folder at this link: https://www.ssldragon.com/faq-category/domain-validation/#collapse-13950
Make sure that you can access this file and link from any web browser. Inform us when you uploaded the attached TXT file on your server so that we could run a scan of your website and look particularly for this file at this given link.
If you follow these steps exactly, you will get your IP address validated successfully.
NOTE: If you have a router to secure instead of a server, there is no way to upload the TXT file on your router. The solution to getting the IP addresses validated is to reroute the IP address to a server, put the TXT file on that server, pass the IP validation, and then reroute the IP address back to the router.
Sectigo
STEP 1. First of all, you have to configure your SSL Certificate by filling in the configuration form inside your SSL Dragon account. When configuring your certificate, you will be asked to generate a CSR or enter an existing CSR.
Please make sure you include your IP address as a “common name” (domain/IP that you want to secure) in your CSR.
STEP 2. Once your certificate is configured, you have to prove the ownership or right to use that IP address. To do that, you have to pass the HTTP/HTTPS validation for your SSL Certificate. Email or DNS validation are not available for IP validation. To pass the HTTP/HTTPS validation, you have to create a .TXT file that contains the validation code provided on the “Content” field on the details page of your SSL Certificate page. The “Content” that you have to add to the .TXT file looks similar to this:
38622319C755B5952FA4CD590655F05000C4951C2EF07BFFCB2BBA23623BE9D6
COMODOCA.COM
t0520161001553133275
Then you have to upload the TXT file at a location on your server that looks like this:
http://127.0.0.1/.well-known/pki-validation/B34037F1D9BFE9F5936AFEA9798174AB.txt
127.0.0.1 should be replaced by the IP address that you are trying to validate. You can read the information on how to create the .well-known folder at this link: https://www.ssldragon.com/blog/faq_category/domain-validation/#collapse-13950
Make sure that you can access this file and link from any web browser. Inform us when you uploaded the attached TXT file on your server so that we could run a scan of your website and look particularly for this file at this given link.
If you follow these steps exactly, you will get your IP address validated successfully.
NOTE: If you have a router to secure instead of a server, there is no way to upload the TXT file on your router. The solution to getting the IP addresses validated is to reroute the IP address to a server, put the TXT file on that server, pass the IP validation, and then reroute the IP address back to the router.
STEP 3. The last step towards getting the SSL Certificate for your IP address is to pass the Business Validation. You can find detailed instructions on how to do that at this link: https://www.ssldragon.com/contacts/faq/#collapse-3176
Sectigo/GoGetSSL Code Signing Certificates can be configured for a Business or for an Individual. If you configured your certificate as an individual, then you can go directly to the middle of this article, to the section called “Validation for Individuals”, where you will find detailed information about how to pass the validation as an individual. If you configured your certificate as company, then please continue reading.
Business Validation
Please send the necessary forms described below to Sectigo/GoGetSSL by opening a ticket with Sectigo/GoGetSSL Validation Center at https://sectigo.com/support. Click on “Submit a ticket”, select Validation Department and submit your request. Please mention your “Partner Order ID” in your message.
You can find your “Partner Order ID” on the details page of your SSL Certificate inside your SSL Dragon account. See screenshot on the right.
I. New Orders
STEP 1: Business Validation
To pass Business validation, you may have to provide an official registration document, such as Business License, Article of Incorporation, and or Registration application.
Here are the BV options:
A. No paperwork. Your company’s legal existence will be checked via public government database using your company name and your unique Registration/Identification number OR via verified public 3rd party databases, such as GLEIF, Duns & Bradstreet, Hoovers, Companies House GOV.UK.
B. Paperwork. Your company will be verified using:
- an official registration document, such as Articles of Incorporation, Government Issued Business License, or
- a copy of a recent: company bank statement, company phone bill, or major company utility bill (i.e. power bill, water bill, etc.).
STEP 2: Callback process
The last step is a callback process called Phone Validation. Sectigo/GoGetSSL will call you and asks to confirm your name and order to validate the official company phone number.
Below are the 4 callback options. You don’t have to do all four things from below. Doing just one of them will be enough.
A. Yellow Pages Databases. Sectigo verifies your phone number via public Yellow pages Databases.
B. DUNS. The second way is to provide your DUNS number to Sectigo/GoGetSSL. You can get your company’s DUNS number from this website: https://www.dandb.com/. If Sectigo/GoGetSSL gets back to you and says that your DUNS listing does not contain a phone number, then you need to contact Dun & Bradstreet (at https://www.dandb.com/) and ask them to “add your company’s phone number to their business directory and on the report”.
C. Local phone database. If you don’t have a DUNS number, then the other thing you can do is to provide your company’s registration number for Sectigo/GoGetSSL to check your company with your country’s governmental directories (e.g.: Corporation Division, Companies House, Department of State, etc). Please note that Sectigo/GoGetSSL will be looking to see your company’s phone number listed there as well. Not all governmental directories have the companies’ phone numbers. If the governmental directory allows you to call them, email them, or use their website to add your phone number, then please go ahead and do that.
D. Legal Opinion. If the above two options (2.1 and 2.2) don’t work for you, then the third and last option to validate your phone number is to ask a CPA (Certified Public Accountant), or a Latin Notary, or an Attorney (Lawyer) to write, sign and send a letter to Sectigo/GoGetSSL where they confirm your company name, address and phone number. You can find the sample letters below:
– Sample Accountant Letter
– Sample Legal Opinion Letter
II. Renewal/Reissue Orders
For reissues and renewal order, instead of Step 1 and 2, you must contact Sectigo/GoGetSSL Validation Center at https://sectigo.com/support. Click on “Submit a ticket”, or choose Live Chat, select Validation Department and submit the following request (please replace [] fields with the corresponding info):
Reason for the ticket: Validation
Order number: [Your Partner Order ID]
Subject: Business Validation
Dear Sectigo!
Please validate order [Partner Order ID] using the company name [Your Company Name], with [Registration/ID number] and [DUNS number].
Sectigo will then contact you for Step 2 or any necessary updates to the Step 1.
Validation for Individuals
There are a few things that you need to do to pass the Individual Validation for your Sectigo/GoGetSSL Code Signing Certificate.
STEP 1: (Optional) The first thing that you need to do is to provide your individual DUNS number to Sectigo/GoGetSSL. You can get your individual DUNS number from this website: https://www.dandb.com/. Make sure that your DUNS listing contains your full name, address and phone number. If it doesn’t, then you need to contact Dun & Bradstreet (at https://www.dandb.com/) and ask them to “add your full name, address and mobile phone number to their business directory and on the report”.
Duns and Bradstreet is an international company and they have a database with individuals and companies from all countries (USA, Canada, United Kingdom, Australia, New Zealand, South Africa, Germany, Israel, etc). So, they work with international customers, too.
STEP 2: You need to provide the following documents to Sectigo/GoGetSSL:
a) Government-issued photo ID (driver’s license or passport);
b) One financial institution document (a bank statement or credit card statement less than six months old);
c) One non-financial document (gas bill, water bill, power bill).
STEP 3: You need to get attested by a legal authority by filling out the face-to-face verification form. You can download the form at this link. The face-to-face verification letter should be signed by a Notary, Latin Notary, registered Attorney, Certified Public Accountant (CPA), or a Justice Of The Peace. The legal authority should have accreditation and a license number that is available online.
If you decide to go with a Legal Attorney, he or she must be registered with the BAR, and the BAR should have the Attorney’s full name and license number. You can find an attorney in your country by looking into these worldwide legal directories: http://www.hg.org/legal.html
STEP 4: You need to provide all this information to Sectigo/GoGetSSL Validation Department by contacting Sectigo/GoGetSSL at https://sectigo.com/support. Click on “Submit a ticket”, select Validation Department and submit your request. Please include your Sectigo/GoGetSSL Order ID in the subject and in the body of the message that you send to Sectigo/GoGetSSL so that they know which order you are writing them about. You can find your Sectigo/GoGetSSL Order ID on your SSL Certificate’s details page inside your SSL Dragon account. See the screenshot on the right.
If you don’t see your Sectigo/GoGetSSL Order ID, then please open a ticket with us, or email us and let us know the name of the company or the name of the individual that you included in the SSL configuration form, so that we could provide you your Sectigo/GoGetSSL Order ID.
If your Credit / Debit Card payment via our default payment processor (Stripe) fails, you can always pay using a Credit/ Debit Card via PayPal. Here is how to do that:
Please go to “My Invoices” page inside your SSL Dragon account to see the unpaid invoice for your order: https://my.ssldragon.com/clientarea.php?action=invoices- Click on your unpaid invoice to open it;
- Select PayPal as a payment method and click the orange “PayPal Checkout” button on the top right of the screen;
- When you are on the PayPal payment page, you can click on the “Pay with Debit or Credit Card” button (see screenshot on the right).
To read a CSR file, you can use an SSL Certificate decoder. The decoder will take the encoded data from the CSR file and translate it into plain text so that you can understand what each field represents. Additionally, with the decoded information you can determine the exact information necessary for the SSL to be verified and accepted.
Here are the steps that you need to do in order to reissue your Sectigo CPAC Certificate:
1) Login at https://secure.trust-provider.com/products/frontpage?area=ssl using the username and password that you used when you configured your Sectigo CPAC initially;
2) Once you are logged in, find the “Replace” button and click on it;
3) You will start the reissue process for your Sectigo CPAC SSL.
4) Follow the steps and instructions that come next, until you complete the Sectigo CPAC Certificate reissue.
Here are the steps that you need to do in order to reissue your Sectigo/GoGetSSL Code Signing Certificate:
1) Login at https://secure.trust-provider.com/products/frontpage?area=ssl using the username and password that you used when you configured your Sectigo/GoGetSSL Code Signing Certificate initially;
2) Once you are logged in, find the “Replace” button and click on it;
3) You will start the reissue process for your Sectigo/GoGetSSL Code Signing SSL.
4) Follow the steps and instructions that come next, until you complete the Sectigo/GoGetSSL Code Signing Certificate reissue.
How to reissue an SSL Certificate? (Except CPAC and Code Signing)
We allow you to reissue your SSL Certificate for various reasons, including Multi-Year SSL Subscriptions.
But also, you need to reissue your SSL if you:
- want to change your domain name,
- want to change your company name,
- want to change your CSR,
- use a new CSR,
- lost your Private Key, etc.
Domain Validation SSL Certificates
You can reissue your SSL Certificate from your SSL Dragon account by following the next steps:
- Log into your SSL Dragon account;
- Go to SSL Certificates” -> “My SSL Certificates“;
- You will see the list of products that you bought from SSL Dragon. Click on the SSL Certificate which you would like/need to reissue;
- Click on the “Reissue” button in the Actions section;
- Reconfigure your SSL Certificate – select the Server Type and CSR. As a part of the reconfiguration, your existing CSR code is auto-pasted, in case you need another CSR, please replace it;
- For Multi-Domain SSL – The existing SANs are auto-pasted in the SANs field, if you need to change a SAN or add a new one – please update the SAN list;
- After reconfiguring your SSL Certificate, you will have to pass the Domain Validation again.
For Domain Validation SSL Certificates, your SSL Certificate will be reissued after you pass the domain validation successfully.
Business Validation SSL Certificates
To reissue a Business Validation SSL Certificate, you have to go through the same reconfiguration and domain validation process as described under the “Domain Validation” section above. After that, you have to pass the entire Business Validation process again, so the Certificate Authority needs to recheck the legal existence of your domain name, company, and your company’s phone number. You can read how to pass the Business Validation process at this link.
Your BV SSL Certificate will be reissued after you pass the Business Validation process again.
Extended Validation SSL Certificates
To reissue an Extended Validation SSL Certificate, you have to go through the same reconfiguration and domain validation process as described under the “Domain Validation” section above. After that, you have to pass the entire Extended Validation process again, so the Certificate Authority needs to recheck the legal existence of your domain name, company, and your company’s phone number. You can read how to pass the Extended Validation process at this link.
Your EV SSL Certificate will be reissued after you pass the Extended Validation process again.
When you configure your Sectigo/GoGetSSL Code Signing Certificate as an individual, you need to enter your first and last name in the “Company Name” field. This will tell Sectigo/GoGetSSL that you are requesting a Code Signing Certificate for an individual instead of a company.
If your router has a public IP address, you can still validate that IP address.
HTTP/HTTPS validation is the only method available for IP address validation. The HTTP/HTTPS validation method consists of adding a TXT file on your IP address and having Sectigo scan that IP address and validate it. There is no way to upload a TXT file on your router. The solution to get the IP address validated is to reroute the IP address to a server, put the TXT file on that server, pass the IP validation, and then reroute the IP addresses back to the router.
You can read more information on what the TXT file should include and where to upload it in the following FAQ item: https://www.ssldragon.com/contacts/faq/#collapse-14363
You can verify the integrity of an SSL certificate and private key pair with the OpenSSL utility and its command lines.
The process consists of four steps:
- Verify that the private key has not been altered.
- Verify the modulus value matching with Private Key and SSL certificate pair
- Successfully perform encryption with the public key from certificate and decryption with the private key
- Confirm the integrity of the file, which is signed with the private key
Verify the private key integrity
Run the following command: openssl rsa -in [key-file.key] -check -noout
Here’s an example of a corrupt private key:
Other errors resulting from an altered/forged key are listed below:
- RSA key error: p not prime
- RSA key error: n does not equal p q
- RSA key error: d e not congruent to 1
- RSA key error: dmp1 not congruent to d
- RSA key error: iqmp not inverse of q
If you encountered any of the above errors, your private key has been tampered with and may not work with your public key. Consider creating a new private key and requesting a replacement certificate.
Here’s an example of the private key which meets the integrity:
Verify the modulus value matching with Private Key and SSL certificate pair
Note: The modulus of the private key and certificate must match exactly.
To view the certificate Modulus run the command:
openssl x509 -noout -modulus -in [certificate-file.cer]
To view the private key Modulus run the command:
openssl rsa -noout -modulus -in [key-file.key]
Encrypt with the public key from and decrypt with the private key
1. Get the public key from certificate:
openssl x509 -in [certificate-file.cer] -noout -pubkey > certificatefile.pub.cer
2. Encrypt test.txt file content using public key
Create a new file called test.txt file (you can use Notepad) with the content “message test”. Perform the following command to create an encrypted message to cipher.txt file.
openssl rsautl -encrypt -in test.txt -pubin -inkey certificatefile.pub.cer -out cipher.txt
3. Decrypt from cipher.txt using the private key
Perform the following command to decrypt cipher.txt content.
openssl rsautl -decrypt -in cipher.txt -inkey [key-file.key]
Ensure that you can decrypt your cipher.txt file content to your terminal. The output from the terminal must match the content on the test.txt file.
If the content does not match, the private key has been tampered with and may not work with your public key. Consider creating a new private key and requesting a replacement certificate. Here’s an example of a decrypted message:
4. Confirm the file integrity signed with the private key
Run the following command to sign the test.sig and test.txt file with your private key:
openssl dgst -sha256 -sign [key-file.key] -out test.sig test.txt
Now, verify the signed files with your public key extracted from step 1.
openssl dgst -sha256 -verify certificatefile.pub.cer -signature test.sig test.txt
Make sure that the output from the terminal is exactly like in the example below:
If your private key is tampered with, you will receive the following message:
In this case, you should create a new private key and request a replacement certificate.
Some Certificate Authorities (especially Sectigo and DigiCert) may ask you to update or add your phone number to your company’s DUNS listing, as a part of your Business or Extended Validation process.
After you have contacted Dun & Bradstreet and added your phone number to your company’s DUNS listing, it may take between 5 and 40 days for Dun & Bradstreet to make your DUNS listing update available to the public. When you talk to Dun & Bradstreet over the phone, they may tell you that they added or updated your phone number. However, they only initiated process. Your phone number will appear on the Dun & Bradstreet website (https://www.dandb.com/) in about 5 to 40 days after that.
You will know that your DUNS listing has been truly updated, only when you get an email message from Dun & Bradstreet saying that your DUNS profile has been updated successfully. Your phone number will start appearing on your DUNS listing only after you get this email from them. Also, Certificates Authorities (such as Sectigo and DigiCert) can verify your phone number based on your DUNS listing only when your phone number is publicly available. That’s why you or we should contact the Certificate Authority requesting them to check your DUNS listing only after you get that confirmation by email.
In the past, we asked the Validation Department representatives from Sectigo and DigiCert to contact Dun & Bradstreet directly, and check our customer’s phone number with Dun & Bradstreet. We did that after our customers told us that they added or updated their phone number on their DUNS listing. Each time, Sectigo and DigiCert were told by the Dun & Bradstreet representatives that our customers’ DUNS listing update is “in progress” and “has not been completed yet”, and were advised to get back to Dun & Bradstreet when the customers receive an email message from Dun & Bradstreet which confirms them that their DUNS listing was updated.
If 5-40 days is too much to wait, we recommend you to go with other methods of validating your company and phone numbers, such as providing a legal letter written by a notary, an attorney, or a certified public accountant. This method will allow you to pass the Business or Extended Validation within 1-2 days.
When configuring, reissuing, or renewing your SSL Certificate, if you cannot choose the domain validation method, or you encounter an error message, it means there is a CSR error. Here are the most common CSR errors, and the ways to fix them:
- If you have a Wildcard SSL Certificate (for multiple sub-domains), then the common name in your CSR should start with an asterisk and a dot (*.) as in this example *.website.com. For regular, non-wildcard SSL Certificates, the common name should have one of the following formats: website.com, www.website.com or my.website.com.
- Wrong Key Encryption (e.g. 4096 bit). Please make the Key Encryption 2048 bit.
- Your CSR is password protected. Please disable the password so that the Certificate Authority issuing the SSL Certificate can read the CSR code.
- The CSR code is missing some required fields or information. You can find the complete list of fields on our CSR Generator.
- Your CSR may have other information that is incorrect or not allowed. Please see this FAQ article with details on allowed information and formatting.
To fix your CSR code you need to generate a new one. After that, try configuring or reissuing your SSL Certificate with the new CSR code. If the problem persists, please open a ticket with us and send us your the CSR code. We will decode the CSR and tell you what the problem is, so that you can fix it.
When configuring your SSL Certificate, you are asked to choose your webserver type.
If you don’t know which server type you have, simply choose “Other” and your SSL Certificate will work on any server type for sure. For certificate authorities, the webserver type question is more a statistics question than an attribute which your SSL Certificate will be configured by. Certificate authorities needs to know what are the most used server types in order to build their certificates compatible with all these server types.
Once you got your CSR code and Private Key, you can enter your CSR when ordering an SSL Certificate. Here is where you need to enter your CSR code:
- Sign in to “My Account” on our SSL Dragon website;
- Once you are logged in, go to the main menu, select “SSL Certificates” -> “My SSL Certificates“;
- You will see the list of SSL Certificates which you bought on our website. Click on the SSL Certificate which you have just ordered, to enter its details page;
- When you are on the details page of the SSL certificate which you bought, go towards the bottom of the page, and click on the green button which says “Configure Now”;
- Fill in the 2 or 3 steps form, by entering your personal and your company information. The second thing that you will be asked about on this form is the CSR. Copy and paste your CSR code in the text area which asks you for your CSR;
- Once the 2 or 3 steps form is completed in full, your SSL Certificate order will be submitted to the Certificate Authority;
- A message will come on the email address which you selected on Step 2. You need to go to your email address, and confirm that you are the owner of the domain name which you asked for an SSL Certificate for;
- Once these are done successfully, you will receive your SSL Certificate in anything between 5 minutes (for a Domain Validation SSL Certificate) and 7-10 days (for an Extended Validation SSL Certificate).
- One of the most common reasons why a website which has an SSL Certificate installed continues to show as insecure, is that your website continues to pull content, images or videos from unsecured HTTP links. You need to change all the links that you are pulling content from to HTTPS links, and your website will start showing as secure immediately.
- The second most common reason why a website may show insecure although you installed an SSL Certificate on it is that your server is outdated and/or doesn’t support the latest TLS settings requirements.
- The third most common reason why a website may show as insecure although you installed an SSL Certificate on it, is that you and other visitors continue to open your website through an unsecured HTTP link. You should put a redirect in the server configuration file or in the site’s htaccess file, so that whoever enters your website by typing “www.mywebiste.com” should be automatically redirected to https://www.mywebsite.com. With other words, you should put a redirect that sends all users to your secured site. Here are some articles on how to do this.
- You also might be missing the CA-bundle/Intermediate/Root SSL Certificates.
- Another problem might be the incorrect SSL installation.
All 5 reasons and any other can be revealed by checking how well was your SSL installed using these tools: SSL Server Test and Why No Padlock?
They will offer you a free report on your SSL Certificate installation along with detailed information on how to fix any vulnerabilities.
Also, we recommend you to read our article called: How to move your website from HTTP to HTTPS easily and with no pain. The article goes even further and comes with many more recommendations on what to check and do to have your website open from an HTTPS link correctly.
Certificate revocation is the process of invalidating a code signing certificate before its scheduled expiration date. It’s software industry-standard best practice to revoke any code signing certificate associated with a security breach, as that certificate could potentially contain compromised code.
Sectigo’s Certificate Practices Statement and license agreement require the company to revoke any certificate that to its knowledge may be used for illegal or dishonest activities.
Since the same certificate could be used for both right and wrong purposes, Sectigo relies on credible third parties to provide correct information about Sectigo certificates used for malware.
Sectigo may revoke the code signing certificate in the following instances:
- A cybercriminal steals or alters a valid code signing certificate
- A contractor or employee uses a valid certificate for deceptive purposes without the company’s knowledge.
- The company’s code, website, or software is infected with malware or other cyber attacks.
As a Certificate Authority, Sectigo cannot rely on self-reporting of false positives by code signing certificate owners because they may not know that their certificates or digital goods are compromised.
Source: Sectigo’s Knowledge Base
As of June 16, 2021, Sectigo no longer accepts WHOIS-based email addresses for Domain Control Validation (DCV) when the WHOIS requires a human lookup for domain information. Whois is a widely used Internet record listing that identifies who owns a domain and how to get in contact with them.
The change won’t affect emails that can be found on WHOIS via automated lookups. These emails will be presented to you during the certificate request process, or via the ‘GetDCVEmailAddressList’ API. The ‘constructed’ email addresses will still be available.
If the email address you need is not displayed or offered during the DCV process, you will need to use one of the alternative methods for the Domain Control Validation below:
- A pre-determined email address such as-admin@, administrator@, hostmaster@,postmaster@, webmaster@
- HTTP(s) or DNS based Domain Control Validation
Source: Sectigo’s Knowledge Base
Currently, SSL certificates of any type CAN NOT be issued to individuals or business entities in the following countries, websites, or the following country-code-top-level domains (TLDs). The following jurisdictions are restricted by US Export restriction laws:
- AF – AF – Afghanistan
- BY – BLR – The Republic of Belarus
- CU – CUB – Cuba
- ER – ERI – Eritrea
- GN – GIN – Guinea
- IR – IRN – Iran, Islamic Republic of
- KP – PRK – Korea, Democratic People’s Republic of
- LR – LBR – Liberia
- RU – RUS – The Russian Federation – as of March 2022
- SS – SSD – South Sudan
- SY – SYR – Syrian Arab Republic
- ZW – ZWE – Zimbabwe.
Source: Sectigo’s Knowledge Base
When dealing with SSL certificates, you’ll come across different certificate extensions. A file extension is a designation at the end of a file. For example, a certificate named “yourdomain.crt” has a certificate extension of “.crt” The”*” we put in front means that the name before the period could be anything. It’s only what is after the period that matters for identification of extension type.
Below is a list of certificate extensions:
*.CSR – Certificate Signing Request – a block of encoded text with your contact data you must generate and submit to the CA during the SSL ordering process.
*CER or *CRT – Base64-encoded X.509 Certificate – stores a single certificate. This format does not support the storage of private keys.
*.PFX or *.P12 – Personal Information Exchange Format – stores private and public keys and all certificates in the path. Used to export a certificate and retain full private key functionality.
*.DER – DER-encoded binary X.509 Certificate – stores a single certificate. This format does not support the storage of private keys.
*.P7B or *.P7R or *.SPC – Cryptographic Message Syntax Standard – storage of all certificates in the path and does not store private keys.
*PEM – Privacy-Enhanced Mail – concatenated (combined) certificate containers frequently used in certificate installations when multiple certificates that form a complete chain are being imported as a single file.
*.CRL – Certificate Revocation List – designates a certificate that has been revoked.
Learn more about certificate formats and conversion tools with our detailed guide.
You can order a Sectigo Personal Authentication Certificate (SPAC) for any valid email address. Below are the validation requirements for each type of Personal Authentication Certificate:
SPAC Basic
Validation requires a challenge-response from you, which is sent to the email address you provide. Once you have followed the instructions in the challenge email, the certificate is issued.
SPAC Pro
To obtain a SPAC Pro certificate, you need to complete the following steps:
- Provide a government-issued photo ID such as; a driver’s license, passport, national ID card, or military ID. The name on the government-issued photo ID must match the name of the certificate. You must provide a legible and readable copy of the photo ID.
- Verify your email address by responding to a challenge sent to the email address listed on the certificate.
After you complete the instructions in the challenge email, the certificate is issued.
SPAC Enterprise
Validation for an Enterprise requires the following:
- Business Identity verification using a QIIS, QGIS, or QTIS document (the definitions of these acronyms are at the end of this FAQ).
- Authenticating the identity of the applicant (listed as the admin contact on the order). The name on the government-issued photo ID (driver’s license, passport, national ID card, or military ID) must match the name of the admin contact. Sectigo requires applicants to provide a legible and readable copy of the photo ID.
- Physical address verification via QIIS QGIS or QTIS document.
- Order authentication via a callback process using the business telephone number included in a QIIS, QGIS, or QTIS document.
Once the above steps are completed, the certificate is issued.
Definitions:
QIIS stands for Qualified Independent Information Source – an up-to-date public database that provides reliable and accurate information for which it is consulted. Examples of QIIS are local phone directories or third-party commercial credit services such as Dun and Brandsheet.
QTIS (Qualified Tax Information Source) is a governmental database that contains tax information relating to Private Organizations, Business Entities, or Individuals. Employer Identification Number (EIN) is considered a QTIS.
QGIS stands for Qualified Government Information Source – a database maintained by a Government Entity that contains legal business registration, corporate filing, trademarks, and patents.
Source: Sectigo’s Knowledge Base
To generate the CSR on your server, you need access to your control panel or secure shell terminal. You can also create the CSR externally via a CSR generator tool directly from your browser.
What are Multi-Year SSL Subscription Plans?
Starting with August 19th, 2020, the maximum duration of publicly-trusted SSL/TLS certificates issued by all Certificate Authorities (CAs) has been set to a maximum of 13 months.
However, in order to make your SSL Management process time-saving and cost-effective, the CAs and SSL Dragon are offering you the 2 Year and 3 Year SSL Subscription Plans.
This means that you can still buy a 2 or 3 year SSL Certificate and continue to benefit from multi-year discounting, while still remaining compliant with the CAB Forum SSL requirements.
How the Multi-Year SSL works?
Due to security reasons, your SSL certificate is initially issued with a maximum 1-year validity.
30 days before the expiration of your certificate, SSL Dragon, on behalf of the CA, will notify you and ask you to reissue your SSL, in order to get the additional (replacement) 1-year certificate, according to your Subscription Plan.
This FAQ explains to you how to reissue your SSL Certificate, step by step.
You will need to validate & install the replacement SSL:
a. If you have a Domain Validation SSL Certificate, a short verification of your domain name will be required via Email, HTTP, or DNS in order to issue the 1-yr replacement SSL.
b. If you have a Business or Extended SSL Certificate – an additional Business Validation/Extended Validation recheck and callback process will also be required.
You can still reissue your certificate at any time and as many times as you like during your Multi-Year SSL Subscription Plan.
On your SSL Certificate’s page within the SSL Dragon account, you will find all the details regarding your Subscription Plan:
- Valid From – Shows the date when your SSL was issued and became active
- Expires – Shows the date when your SSL expires and needs to be reissued (not Renewed).
- Subscription Starts – The date when the first SSL was issued and the subscription period activated
- Subscription Ends – The date when the subscription ends and SSL needs to be Renewed (not Reissued)
- Next Reissue – shows the number of days left of your SSL. The Certificate should be reissued 30-days prior to this date.
You can find detailed documentation about the SSL Certificates’ best installation practices at SSL Labs.
If you are still wondering what are the main benefits of each validation type (Domain Validation (DV), Business Validation (BV), and Extended Validation (EV)) and why you should choose one vs. another, then this is the right FAQ for you. Each of these SSL Certificate types was created having in mind a certain customer trust level:
- Basic – Domain Validation SSL Certificates – created for customers who aren’t interested in showing their company name and address in the SSL Certificate – either because they don’t need/want to or simply because they just don’t have a company. They only need to get the SSL Certificate very quickly in order to secure their domain name with HTTPS and have all web and mobile browsers display their website as “Secure”.
- Medium – Business Validation SSL Certificates – designed for clients who want to display their company’s name in their SSL Certificate’s details in order to ensure their customers that their business is real and trustworthy. BV SSL Certificates also allows you to display on your website a site seal provided by the third party Certificate Authority which proves that your SSL Certificate was issued to your company’s name and address.
- Top – Extended Validation SSL Certificates – developed for clients for whom users’ trust is highly important. EV SSL Certificates also provide the site seal which proves that your SSL Certificate was issued to your website, company’s name and address but these certificates have the topmost trust level because they show your customers, prospectors, and visitors that your website is highly secure and that their information is always protected.
Now that you know the main differences between Domain Validation (DV), Business Validation (BV), and Extended Validation (EV) SSL Certificates, it should be much easier for you choose the one that fits you the best.
Here are the LEI number registration requirements:
- Entity’s Legal name.
- Registered address.
- Address of headquarters.
- Registration number and governing authority.
- Entity type.
- Parent company relationship information.
A Multi-Domain (SAN) SSL Certificate is specifically created to allow users to secure multiple domains and/or multiple sub-domains with one single SSL Certificate. Depending on the SSL Certificate product and brand, the certificate will include a different number of additional domains (called SANs) at the price quoted on the SSL Certificate’s details page (see screenshot on the right).
For example, a Multi-Domain (SAN) SSL Certificate that has 4 domains by default allows you to secure:
- Four different domains:
- mysite.com
- example.com
- abcxyz.com
- demo123.com
- Four different subdomains:
- my.example.com
- mail.example.com
- test.mysite.com
- account.mysite.com
- Four different domains and subdomains:
- example.com
- my.example.com
- abcxyz.com
- mail.demo123.com
NOTE: Here is how you should configure your Multi-Domain SSL Certificate on our website: When you generate a CSR (Certificate Signing Request), please include one single domain name or sub-domain in it, such as: www.example.com. The rest of the domains or sub-domains, which are called SANs (2nd, 3rd, 4th domains or sub-domains) should be included in the fields for additional domains. You will see the fields for additional domains on the SSL Certificate configuration form, right under the text area for the CSR (see screenshot on the right).
Sectigo Personal Authentication Certificates were designed for individuals and businesses who are looking at implementing the best web security practices, such as email & document encryption and user two-factor authentication. However, each CPAC SSL Certificate was designed to fit a particular need. Just like DV, BV, and EV SSL Certificates, CPAC SSL Certificates come with different validation requirements which enable certain certificate fields:
- CPAC Basic – requires Domain Control and displays only your email in the SSL Certificate
- CPAC Pro – requires Domain Control and Identity Verification in order to display your email, First and Last Name in the SSL Certificate
- CPAC Enterprise – requires Domain Control, Identity Verification, and Organization Validation in order to display your email, First and Last Name, as well as Company Name and Address in the SSL Certificate.
Based on your actual needs, you can now decide which Sectigo Personal Authentication Certificate is the best option for you, providing you an enhanced web security of your business activity.
For more info about validation requirements for each type of certificate, check this FAQ section.
In order to buy a Domain Validated certificate, you do not need to provide any documentation. You will have to confirm the domain ownership through a simple email, DNS record, or file-based authentication (except wildcard SSL certificates). Following completion of one of these elements, the DV certificate will be signed and released to you.
Your current SSL Certificate will expire as soon as the “Expires” date for your SSL Certificate passes. If you keep your old and expired SSL Certificate on your website, then all the web and mobile browsers will show your website as insecure and will prompt users that your website has a major security problem, and will not let visitors enter your website unless visitors explicitly accept to enter your website on their own risk. You can see an example of these security alerts that visitors will see on your website if you keep an expired SSL Certificate.
The solution to prevent that is to renew your SSL Certificate, and install the newly renewed SSL Certificate on your website. In that case your website will continue to show as secure.
The other, less preferable solution, is to uninstall the SSL Certificate from your website. In that case, visitors will be able to see your website. They will not be stopped from viewing your website as shown in the screenshot from above. However, so as your website will not have an SSL Certificate in general, then visitors will see the “Not secure” message in the browser’s URL bar next to the name of the website.
You must renew your LEI code annually to keep the LEI status ACTIVE. Failure to do so will display your LEI as LAPSED in the Global Lei Index. An expired LEI may incur non-compliance fines and block financial transactions.
The system or platform on which you generate the CSR will create two text files. The file with the .csr extension will contain your CSR code, while the file with the .key extension will include your private key.
Whether you accidentally or purposefully enter some incorrect information while using the CSR generation tool, the CSR and the Private Key will still be issued to you immediately. However, once you use the CSR code to apply for an SSL Certificate, you may or may not be issued an SSL Certificate. It is solely at the Certificate Authority’s discretion to approve or decline your SSL Certificate issuance if you entered incorrect information about you and your company.
If you realize that you entered incorrect information while generating the CSR, you simply have to put aside, ignore or delete your existing CSR and Private Key. After that, you should generate a new CSR code (which will automatically generate a new Private Key too), using correct information about yourself and your company. Use the newer CSR when applying for an SSL Certificate, and then your newer Private Key when installing your SSL Certificate on your website and server.
In order to prevent the situation when you lose your CSR code and Private Key, we automatically send them to the email which you provided when using the SSL CSR Generator from above. Please check your email, and look for a message from SSL Dragon ([email protected]).
However, if you lost or cannot find the email message from us, and you did not save a copy of your CSR code and Private Key, then you will not be able to apply for an SSL Certificate, and you will not be able to install your SSL Certificate on your website and server. But, that is easy to solve by generating a new CSR code and a new Private Key by using the SSL CSR Generator from above.
Whether you accidentally or purposefully enter some incorrect information during the CSR generation process, the CSR and the Private Key will still be issued to you immediately. However, once you use the CSR code to apply for an SSL Certificate, you may or may not be issued an SSL Certificate. It is solely at the Certificate Authority’s discretion to approve or decline your SSL Certificate issuance if you entered incorrect information about you and your company.
If you found out that the CSR is wrong and you already configured the SSL, please open a ticket with us and provide the correct CSR.
If you realized that you entered incorrect information in the CSR while generating it, you simply have to put aside, ignore or delete your existing CSR and Private Key. After that, you should generate a new CSR code (which will automatically generate a new Private Key too), using correct information about yourself and your company. Use the newer CSR when applying for an SSL Certificate, and then your newer Private Key when installing your SSL Certificate on your website and server.
The CSR contains the following encrypted information: your country, state, city/town, name of the organization, department from your organization, the domain name that you want the SSL Certificate to be issued for, and the email address where your CSR code and the Private Key will be sent to once they are both generated.
The CSR must contain the following mandatory encrypted information: your Country, State, City/Town, Name of the company, Department from your company, and the Domain name or IP address that you want the SSL Certificate to be issued for.
It may also contain this optional information: the email address where your CSR code and the Private Key will be sent to once they are both generated.
To avoid any errors, please make sure that:
- You DO NOT enter “http://” or “https://” along with your domain name as a common name when generating the CSR. Please enter only “www.domain.com” or “domain.com” as a common name. Also, make sure you don’t have any extra spaces before or after your domain name.
- When generating the CSR code you were given a CSR code and a Private Key. Make sure that you only enter the CSR code in the SSL Configuration form. DO NOT enter the Private Key, but save it and keep it in a safe location on your computer or email, because you will need it when installing the SSL Certificate on your website/server.
- The CSR that you enter in the SSL Configuration form should include the following two lines: “—–BEGIN CERTIFICATE REQUEST—–” header and “—–END CERTIFICATE REQUEST—–” footer.
- For Wildcard SSL Certificates – When generating the CSR code for a Wildcard SSL Certificate, you have to include an asterisk and dot (*.) before your domain name. In other words, you should fill in *.yourdomain.com as a common name in your CSR.
- For Multi-Domain Wildcard SSL Certificates – Any Multi-Domain Wildcard SSL Certificate should start with a non-Wildcard domain. This means that you need to generate the CSR for a single domain – example.com – without any asterisk sign “*.”. Please read more in this FAQ.
- For IP Address SSL Certificates – For Sectigo InstantSSL Premium, the common name should be your IP address. For GoGetSSL Public IP SAN SSL Certificate, you will be asked to generate a CSR with NO Common Name. Here is how to do it.
- Your CSR is not configured for the following countries:
- AF – AF – Afghanistan
- BY – BLR – The Republic of Belarus
- CU – CUB – Cuba
- ER – ERI – Eritrea
- GN – GIN – Guinea
- IR – IRN – Iran, Islamic Republic of
- KP – PRK – Korea, Democratic People’s Republic of
- LR – LBR – Liberia
- RU – RUS – The Russian Federation
- SS – SSD – South Sudan
- SY – SYR – Syrian Arab Republic
- ZW – ZWE – Zimbabwe
You can see an up-to-date list of prohibited countries for Sectigo and DigiCert at the links below:
https://sectigo.com/knowledge-base/detail/Banned-Country-List-1527076085907/kA01N000000zFKI and https://knowledge.digicert.com/solution/Embargoed-Countries-and-Regions.html
You must provide the following information:
- Country Name
- State or Province Name
- Locality Name
- Organization Name
- Common Name (the FQDN -Fully Qualified Domain Name you want to secure)
It is the information that you filled in your SSL Certificate request: your country, state, city/town, name of the organization, department of your organization, the domain name that you want the SSL Certificate to be issued for, and your email address where your CSR code and the Private Key are sent to once they are both generated.
The Business Validation (BV), also called Organization Validation (OV), SSL certificate is recommended if you have an e-commerce website that is a registered business. Besides the domain validation performed through e-mail, you will have to provide company documentation to receive business authentication. During this authentication process, the Certificate Authority (CA) will verify if your business is carried out by a legitimate, good faith company operating at the provided location. Since the validation is done manually and involves paperwork, you will receive your Business Validation SSL certificate within 1-3 business days.
After receiving Business Validation, the “https” and padlock icon will be displayed on your website’s address bar. These signs will make customers more willing to entrust you with their personal and financial information. Yet, if your website’s purpose is to perform large sales, offer specific products/services or execute financial transactions, you should consider buying our Extended Validation (EV) certificate.
The CodeSigning certificate was specifically developed for increasing the trustworthiness of your software products. This type of certificate protects your digital downloadable goods, like scripts or codes, by signing them and guaranteeing their authenticity and integrity. This certification brings a greater level of your customers’ trust, by ensuring them that your content is safe and it belongs to your company. Moreover, the Authenticode Technology guarantees that if the code will be damaged after being signed, the digital signature will break and alert the client that the software is no longer credible.
CodeSigning certificates are Business Validation (BV) and Personal Validation SSL certificates. The Business Validation SSLs require Certificate Authority’s (CA’s) authentication through providing your company’s documents, along with performing domain validation by email. The Personal Validation requires personal identification verification of the owner. The entire validation process may take up to 2 or 3 business days to issue your CodeSigning certificate that will serve as a third party guarantee for the authenticity of your digital goods.
You can find our full list of CodeSigning certificates at this link.
A CSR decoder is a type of software tool that is used to decode a Certificate Signing Request’s encoded data into plain text. The decoded data reveals what each field in the certificate represents, allowing you to understand what information is required for the SSL to be verified and accepted.
CSR stands for “Certificate Signing Request”. The CSR code represents an encrypted text message which a person or a company sends to the Certificate Authority as a part of applying for an SSL Certificate. The CSR code contains information about you and your company, which will be included in the SSL Certificate that will be issued to you.
“CSR” stands for “Certificate Signing Request”. The CSR code represents an encrypted text message which a person or a company sends to the Certificate Authority through SSL Dragon as a part of applying for an SSL Certificate. The CSR code contains information about you and your company, which will be included in the SSL Certificate that will be issued to you.
A CSR or Certificate Signing