
Unfortunately, there are no Wildcard EV SSL Certificates on the market. The Certificate Authorities refuse to issue EV Wildcard SSL Certificates for security reasons, because they want to have complete control over the subdomains that they issue an EV SSL Certificate to. That is why your only solution is to buy a Multi-Domain EV SSL Certificate that secures multiple domains and subdomains.

 

In some cases, the CAs may require manual verification if your order fails any internal rules of Brand Validation. It takes around 24-48 hours to pass this manual check, and the CA will either issue or reject an order in such cases.

Here are the most common reasons why certificate authorities decide to do the brand validation for some orders:

  1. Orders from some countries are reviewed manually more often than others, for example: South Korea, North Korea, Japan;
  2. Restricted countries: Russia (RU), Belarus (BY) (since 2022), Afghanistan (AF), Crimea (Russia), Cote d’Ivoire (CI), Cuba (CU), Eritrea (ER), Guinea (GN), Iraq (IQ), Iran (IR), Democratic People’s Republic of Korea (KP), Liberia (LR), Myanmar (MM), Rwanda (RW), Sudan (SD), Sierra Leone (SL), South Sudan (SS), Syrian Arab Republic (SY), Venezuela (VE), Zimbabwe (ZW). SSL Certificates are NOT issued for these countries; see https://sectigo.com/knowledge-base/detail/Banned-Country-List-1527076085907/kA01N000000zFKI and https://knowledge.digicert.com/solution/Embargoed-Countries-and-Regions.html
  3. The domain name includes a brand name, such as: facebook-app.com, sony-shop.net, dellshop.com, etc;
  4. The domain name may have a hidden brand name. For example, your domain is “sibmama.com”, but the automated validation system may read it as “sIBMama” and flag the “IBM” brand. The certificate authority wants to check such orders manually;
  5. The domain name has “stop words”, such as: pay, online, secure, booking, shop, bank, transfer, money, e-payment, payment, protection, violence, terrorists, and others. These words and many others are set as triggering words inside the validation system, and make the certificate authority review such orders manually;
  6. Domain name is blacklisted OR has a bad reputation.

What can you do to speed up the process?

Please contact the CA (Sectigo, Thawte, RapidSSL, GeoTrust, or DigiCert) directly via live chat and discuss the situation with the CA’s representative.

Please mention your “Partner Order ID” in your message.  You can find your “Partner Order ID” on the details page of your SSL Certificate inside your SSL Dragon account. See the screenshot on the right.

The subdomains that you can secure with one Wildcard SSL Certificate have to be either 1st level sub-domains (e.g.: *.example.com) or 2nd level sub-domains (*.mob.example.com). You cannot secure 1st and 2nd level sub-domains with one regular Wildcard SSL Certificate.

If you want to secure 1st level sub-domains and 2nd level sub-domains, you have to get a Multi-Domain Wildcard SSL Certificate, or 2 separate Wildcard SSL Certificates.

For example, a regular Wildcard SSL Certificate allows you to secure:

  1. One main domain name (example.com) and all its 1st level sub-domains (*.example.com):
    1. my.example.com
    2. test.example.com
    3. dev.example.com
    4. mail.example.com
    5. (etc)
  2. Or, one sub-domain (mob.example.com) and all 2nd level sub-domains (*.mob.example.com):
    1. my.mob.example.com
    2. test.mob.example.com
    3. dev.mob.example.com
    4. mail.mob.example.com
    5. (etc)

In order to secure one domain and all its sub-domains as shown in the first example, you have to include *.example.com as a common name (domain name) when creating a CSR (Certificate Signing Request). If you want to secure 2nd level sub-domains, then you have to enter *.mob.example.com as a common name (domain name) when creating a CSR (Certificate Signing Request).

The multi-domain certificate can be initially activated for the primary domain name.

If you wish to add more domains later, you need to reissue the certificate in your SSLDragon.com account, and add the SAN (additional domain) list in the SAN field, when reissuing.
If you need to add more domains than included by default, then please choose the Add More SANs option in order to pay for and activate the additional SANs.

Yes, you can change the company name that your SSL Certificate is issued to. The procedure involves the reconfiguration and reissue of your SSL Certificate, and there are some additional steps if you have a Business Validation or Extended Validation Certificate.

Domain Validation SSL Certificates

You can reissue your SSL Certificate from your SSL Dragon account by following the next steps:
1) Log into your SSL Dragon account;
2) Go to “SSL Certificates” -> “My SSL Certificates”;
3) You will see the list of products that you bought from SSL Dragon. Click on the SSL Certificate which you would like to reissue;
4) Click on the “Reissue certificate” button on the left side (see the screenshot on the right);
5) Reconfigure your SSL Certificate. As a part of the reconfiguration, please create a new CSR code and enter the new company name, locality (city or town), state or province, and country in it.
6) For Multi-Domain SSL – Don’t forget to include the SAN list in the SANs field;
7) After reconfiguring your SSL Certificate, you will have to pass the Domain Validation again.

For Domain Validation SSL Certificates, your SSL Certificate will be reissued for the new domain name after you pass the domain validation successfully.

Business Validation SSL Certificates

To change the company name in your Business Validation SSL Certificate, you have to go through the same reconfiguration and domain validation process as described under the “Domain Validation” section above. After that, you have to pass the entire Business Validation process again, because the Certificate Authority needs to verify the legal existence of your new company, and your company’s phone number. You can read how to pass the Business Validation process at this link.

Your BV SSL Certificate will be reissued for the new company name after you pass the Business Validation process again.

Extended Validation SSL Certificates

To change the company name in your Extended Validation SSL Certificate, you have to go through the same reconfiguration and domain validation process as described under the “Domain Validation” section above. After that, you have to pass the entire Extended Validation process again, because the Certificate Authority needs to verify the legal existence of your new company, and your company’s phone number. You can read how to pass the Extended Validation process at this link.

Your EV SSL Certificate will be reissued for the new company name after you pass the Extended Validation process again.

Yes, you can change the domain name that your SSL Certificate is issued to. The procedure involves the reconfiguration and reissue of your SSL Certificate, and there are some additional steps if you have a Business Validation or Extended Validation Certificate.

Domain Validation SSL Certificates

You can reissue your SSL Certificate from your SSL Dragon account by following the next steps:
1) Log into your SSL Dragon account;
2) Go to “SSL Certificates” -> “My SSL Certificates”;
3) You will see the list of products that you bought from SSL Dragon. Click on the SSL Certificate which you would like to reissue;
4) Click on the “Reissue certificate” button on the left side (see the screenshot on the right);
5) Reconfigure your SSL Certificate. As a part of the reconfiguration, please create a new CSR code and enter the new domain name in it.
6) For Multi-Domain SSL – Don’t forget to include the SAN list in the SANs field;
7) After reconfiguring your SSL Certificate, you will have to pass the Domain Validation again.

For Domain Validation SSL Certificates, your SSL Certificate will be reissued for the new domain name after you pass the domain validation successfully.

Business Validation SSL Certificates

To change the domain name in your Business Validation SSL Certificate, you have to go through the same reconfiguration and domain validation process as described under the “Domain Validation” section above. After that, you have to pass the entire Business Validation process again, because the Certificate Authority needs to verify the legal existence of your domain name, company, and your company’s phone number. You can read how to pass the Business Validation process at this link.

Your BV SSL Certificate will be reissued for the new domain name after you pass the Business Validation process again.

Extended Validation SSL Certificates

To change the domain name in your Extended Validation SSL Certificate, you have to go through the same reconfiguration and domain validation process as described under the “Domain Validation” section above. After that, you have to pass the entire Extended Validation process again, because the Certificate Authority needs to verify the legal existence of your domain name, company, and your company’s phone number. You can read how to pass the Extended Validation process at this link.

Your EV SSL Certificate will be reissued for the new domain name after you pass the Extended Validation process again.

You can receive a refund ONLY for the additional domains (SANs) that you bought and NOT used.

If you have already activated the SAN (additional domain) for a particular domain name, then you cannot be refunded for that specific domain name.

Unfortunately, domain names that end with .local are not supported from November 1st, 2015. If you request an SSL Certificate for a domain or sub-domain that has .local as an extension, your SSL Certificate will be rejected by the Certificate Authority.

If you want to secure a domain or sub-domain on your localhost, you can create a self-signed SSL Certificate. There is plenty of documentation online on how to do that.

Yes, you can secure an IP address with an SSL Certificate. However, only some specific SSL Certificates will allow you to do that. Here are those SSL Certificates:

– Sectigo InstantSSL Premium
– GoGetSSL Public IP SAN

Please note that the Sectigo InstantSSL Premium is a Business Validation SSL Certificate, which means that you need to have a registered company in order to be issued this SSL certificate.

GoGetSSL Public IP SAN is a Domain Validation SSL Certificate which secures 2 IP addresses by default.

You can inexpensively and efficiently secure multiple domains and/or sub-domains with a Multi-Domain (SAN) SSL Certificate. Depending on the SSL Certificate brand and certificate product, the SAN cert will include a different number of additional domains at the price quoted on the SSL Certificate’s details page (see screenshot on the right).

You can find our full list of Multi-Domain (SAN) SSL Certificates at this link.

You can secure multiple subdomains by purchasing a Wildcard Certificate. This SSL was specifically designed for ensuring the security of your main domain, along with its multiple subdomains. For instance, if your site’s domain is ssldragon.com, then the Wildcard certificate for *.ssldragon.com will secure an unlimited number of your first-level subdomains like mail.ssldragon.com, account.ssldragon.com or login.ssldragon.com.

You can find our full list of Wildcard certificates at this link.

When you buy or configure your Multi-Domain (SAN) SSL Certificate, please note that most Multi-Domain Certificates do not secure the domains with and without “www”. In other words, if you want to secure both example.com and www.example.com under one single Multi-Domain Certificate, they will be considered two different domain names. The screenshot on the right shows you where you can find the attribute that tells you if your Multi-Domain Certificate secures both “www” and “non-www” under one single domain (SAN), or not.

Anyway, that is not a problem, because you cannot have the same website open both as www.example.com and as example.com. All website owners choose only one of these options and make the other automatically redirect to it. For example, you can choose your website to always open at www.example.com, and anybody who enters example.com is automatically redirected to www.example.com. In this way, you only have to secure one domain, and that is: www.example.com.

Yes, absolutely.

The Multi-Domain (UCC/SAN) SSL Certificate allows you to secure multiple domains or subdomains which are hosted either on one IP address or different IP addresses. This SSL Certificate type was particularly designed to secure multiple websites within one single SSL Certificate as an easy-to-use and cost-effective solution. 

As of June 1, 2021, and in compliance with the CA/Browser Forum Code-signing Baseline Requirements, Sectigo will require RSA keys to be a minimum of 3072 bits in size.

When generating keys and CSRs for code-signing certificates, please ensure you choose an RSA key with a 3072- or 4096-bit key size.

Only the size of the keys is to change, the rest of the process remains the same. Existing RSA 2048 bit certificates will continue to work and no changes are needed to them.

Certificates requested with ECC (elliptic curve) keys are unaffected and Sectigo will still sign certificates with keys using the NIST P-256 and P-384 curves.

Source: Sectigo’s Knowledge Base

You have to pass the Business Validation when you buy a new or reissue/renew a BV SSL Certificate.

At the same time, the process of completing the Business Validation is easier in the following years, because the Certificate Authority has more information about your company in their system, based on your previous BV SSL Certificate requests.
Please check the Renew/Reissue BV instructions.

You have to pass the Extended Validation when you buy a new or reissue/renew an EV SSL Certificate.

At the same time, the process of completing the Extended Validation is easier in the following years, because the Certificate Authority has more information about your company in their system, based on your previous EV SSL Certificate requests.
Please check the Renew/Reissue EV instructions.

You can add sub-domains to your server and they will be covered by your Wildcard SSL Certificate automatically. You do not need to re-issue your Wildcard SSL Certificate each and every time when you add sub-domains to it. The newly added sub-domains will be automatically covered by your Wildcard SSL Certificate.

You have to purchase an SSL certificate if your website contains logins or web forms that require personal or credit card information from your customers. The SSL certificate will secure the personal data shared on your website and will make your clients feel safer while performing transactions, knowing that any information shared is within a secure environment and authenticated by a trusted Certificate Authority.

If you have an informative website, we still recommend you to purchase an SSL certificate. By having an HTTPS link, your website will be more trustworthy.

A data server provides a wide range of database services such as data storage, data manipulation, data analysis, and archiving. If your website offers Database-as-a-Service (DBaaS) solutions, you will need an SSL certificate to encrypt the sensitive information of your clients. Moreover, since Chrome and Firefox flag websites without SSL encryption as not secure, a valid SSL certificate will ensure that your site is accessible 24/7 from any browser.

You can contact the Certificate Authorities directly when you have any questions related to your SSL Certificates. You can contact them anytime, either by phone or email, or better – by using the Live Chat feature.

Please don’t forget to mention your Partner Order ID, which you can find on the SSL Certificate’s details page inside your SSL Dragon account (see screenshot on the right).

Here is the contact information of all Certificate Authorities we collaborate with:

Sectigo/GoGetSSL

Live Status Checker: https://secure.trust-provider.com/products/ORDERSTATUSCHECKER

Live Chat & Ticket System: https://sectigo.com/support

Phone (USA): +1 (888) 266-6361
Phone (International): +1 (914) SECTIGO (732-8446)

More contact information on Sectigo’s official website

Thawte

Online chat: https://www.thawte.com/chat/chat_sales.html

Phone (USA): +1 (888) 484 2983
Phone (UK): +44 203 450 5486
Phone (Australia & Asia Pacific): +61 3 9914 5641

More contact information on Thawte’s official website

GeoTrust

Online chat: https://www.geotrust.com/support/chat/

Phone (USA): +1 (866) 511-4141
Phone (UK): +44 203 0240907
Phone (Australia): +61 3 9914 5661

More contact information on GeoTrust’s official website

RapidSSL

Online chat: https://www.rapidssl.com/chat/intro.html

Phone (USA): +1 (866) 795-4669
Phone (Europe, UK, Australia): +44 203 024 0906

DigiCert

Phone (USA): +1 (801) 701-9600
More contact information on DigiCert’s official website

There are many different ways to install an SSL Certificate, and they all depend on your SSL Certificate brand, the webserver type, the operating system on your server, and the web hosting panel that you have on your server.

That being said, please check our Installation Articles to get detailed instructions on how to install your SSL Certificate on about 44 different server types, hosting panels, and operating systems.

Also, here are links to documentation on how to install your SSL Certificate on your server, based on the SSL Certificate brand that you have:
Sectigo
Thawte/RapidSSL/GeoTrust/DigiCert
GoGetSSL

We always recommend you get specialized help with your SSL Certificate installation. If you have a web developer or a system engineer, then they would be the right people to help you with your SSL Certificate installation.

Sectigo Personal Authentication Certificate lets you easily sign any valuable and critical personal or company document, therefore ensuring compliance with industry requirements of digitally signed documents. By digitally signing the document, you identify yourself as the authentic document signer and certify its integrity by proving that your document hasn’t been altered since it was signed. In this way, CPAC SSL Certificates help you migrate from ink & paper to digital workflows of contracts, sign-offs, request forms and other important company documents, working in tandem with or replacing the visible signature feature in Microsoft® products such as Microsoft Office Suite, Open Office Suite, VBA Macros and more.


 Sectigo Personal Authentication Certificate helps businesses reduce the risks and threats associated with using standard passwords by enabling the two-factor authentication of users. If you need a stronger guarantee that the person logging into your company network or account is your legitimate employee, CPAC SSL Certificates will allow you to secure your sensitive and private customer or corporate data by enabling the industry standard used by banks all over the world – two-factor authentication – seamlessly integrating the certificate as a second authentication element. In this way, you will protect your company access, including remote, from any hackers attempting to steal usernames and passwords. 

Sectigo Personal Authentication Certificates provide you the highest level of protection by enabling end-to-end encryption of your email communications. By signing and encrypting your outgoing email messages, you protect them from Man-in-the-Middle attacks, https proxies, or packet-sniffers, therefore your messages can’t be intercepted and decrypted by a malicious third party.

Encrypting Email Messages guarantees their privacy and integrity, while digitally signing the messages authenticates you as being the genuine sender. In this way, you will secure yourself and your business from accidental or fraudulent data exposures, privacy breaches, and other potential security threats associated with business communication. 


You need to go to your SSL Dragon account and check the “Expires” field for the SSL Certificates that you have with us. You can do that by following the next steps:

1) Log into your SSL Dragon account at: https://my.ssldragon.com/
2) Go to “SSL Certificates” -> “My SSL Certificates”;
3) You will see the list of SSL Certificates which you bought from us;
4) Click on the necessary SSL Certificate;
5) Find its “Expires” field on the SSL Certificate’s details page.

You may start the renewal process within 30 days before the “Expires” date by clicking on the “Renew” button.

Your new SSL Certificate will be connected with the old one. All remaining days from the previous SSL Certificate will be added to the new one.

The process of renewing your SSL Certificate is almost the same as placing a new order. You may start the renewal within 30 days before the expiration date.

Here are the steps on how to renew your Standard (Domain/IP address) SSL Certificate:

    1. Click on the “Renew” button on the product page of your expiring SSL Certificate within your SSL Dragon account.
    2. Complete the payment of the newly created invoice for the renewed SSL Certificate.
    3. Once the invoice for the renewed SSL Certificate is paid, click on “Back to Client Area” or go to “My SSL Certificates” section inside your SSL Dragon account.
    4. Click on the renewed SSL Certificate. Once you are on the SSL Certificate’s details page, scroll down and click on the green button that says “Configure Now”.
    5. Under the “Order Type” you should choose “Renewal”. This information will go to the Certificate Authority, and they will know that you had an SSL Certificate and you are renewing it. In this way, your new SSL Certificate will be connected to the old one. All remaining days from the previous SSL Certificate will be added to the new one. (The exceptions to this rule are Code Signing and CPAC SSL Certificates: unfortunately, the CA’s SSL Certificate management portal for these SSL certificates is not technically capable of matching the old and new SSL Certificates.)
    6. After that, you have to submit a CSR. You can use the old CSR from your previous SSL Certificate, or generate a new CSR. Either way is fine.
    7. Fill in the rest of the form information for your renewed SSL Certificate.
    8. Then pass the domain validation, or business validation, or extended validation, depending on what applies to your SSL Certificate.
    9. When your SSL Certificate is renewed, you need to reinstall the new SSL Certificate on your server. In other words, you need to replace your old/expiring SSL Certificate with the new one which you have just received. The old certificate will NOT get replaced, renewed, or continued automatically.

Please note:

  1. If you have a CPAC or Code Signing Certificate from GoGetSSL, Sectigo, Thawte, or DigiCert, then steps 4-5 do not apply to you. You will have to fill in the certificate request form for your CPAC/Code Signing Certificate on the certificate authority’s website and let us know about the details you filled in, as usual. Also, unfortunately, the CA’s SSL Certificate management portal for these SSL certificates is not technically capable of matching the old and new SSL Certificates, thus the remaining days from the old SSL Certificate will not be added to the new SSL Certificate.
  2. If you are renewing a Business Validation SSL Certificate or an Extended Validation SSL Certificate, you will still have to pass the Business Validation or the Extended Validation again. Anyway, the Business Validation and Extended Validation processes are quicker when renewing an SSL Certificate than when getting it for the first time.
  3. If you own a Multi-Domain (SAN/UCC) SSL Certificate for which you have previously purchased & added additional SANs (domains), don’t forget to include all of them in the SANs field when configuring the renewed SSL.
  4. If you want to change the validity of the renewed SSL Certificate, for example you have a Sectigo PositiveSSL Multi-Domain with 4 SANs (5 Domains) for 2 years but you want to renew it for 3 years, then you must order a 3-year SSL of the same type and configuration (a Sectigo PositiveSSL Multi-Domain with 4 SANs (5 Domains) for 3 years), complete the payment, and click on the newly purchased SSL. Then please follow Steps 5-9 from above.


A Multi-Domain Wildcard SSL Certificate is specifically created to allow users to secure multiple domains and sub-domains using one single SSL Certificate.

NOTE #1: Any Multi-Domain Wildcard SSL Certificate should start with a non-Wildcard domain. This means that anytime you configure and request a Multi-Domain Wildcard SSL Certificate, you need to generate a CSR (Certificate Signing Request) for a single domain (such as: example.com), without any asterisk sign “*”. This is a requirement that comes from the Certificate Authorities. All the additional SANs (2nd, 3rd, 4th domains) can be Wildcard domains.

For example, a Multi-Domain Wildcard SSL Certificate that has 3 SAN (4 domains) by default, allows you to secure the following:

  1. One main domain and multiple Wildcard domains:
    1. example.com – included in the CSR (Certificate Signing Request)
    2. *.example.com
    3. *.mysite.com
    4. *.abcxyz.com
  2. One main domain and multiple Wildcard domains (with both, 1st level and 2nd level sub-domains):
    1. example.com – included in the CSR (Certificate Signing Request)
    2. *.example.com
    3. *.mob.example.com
    4. *.mysite.com
  3. Several domains and multiple Wildcard domains (with both, 1st level and 2nd level sub-domains):
    1. example.com – included in the CSR (Certificate Signing Request)
    2. *.example.com
    3. mysite.com
    4. *.mob.mysite.com

NOTE #2: If you add a SAN item like *.domain.com, you will protect its unlimited sub-domains but not the main domain. For example, if you want to secure two domains and all their sub-domains, you have to configure your SSL in the following format:

  1. domain.com – included in the CSR (Certificate Signing Request)
  2. *.domain.com
  3. mysite.com
  4. *.mysite.com
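
The coverage rules described above for regular Wildcard certificates, and in NOTE #1 and NOTE #2 for Multi-Domain Wildcard certificates, can be checked before an order is configured. The Python sketch below is an added example, not SSL Dragon's or any Certificate Authority's code; all function names are hypothetical, and `suggest_san` assumes a two-label registrable domain such as example.com.

```python
# Added example: which hostnames does a certificate's name list cover?
# Function names are hypothetical; hostnames are the page's own examples.

def labels(name):
    """Lower-case a DNS name and split it into labels."""
    return name.lower().rstrip(".").split(".")


def san_matches(san, hostname):
    """True if one certificate name covers hostname.

    A '*' counts only as the entire leftmost label and stands for exactly
    one label, so *.example.com covers my.example.com but neither
    example.com nor my.mob.example.com.
    """
    s, h = labels(san), labels(hostname)
    if len(s) != len(h):
        return False
    if s[0] == "*":
        return s[1:] == h[1:]
    return s == h


def coverage(cert_names, hostnames):
    """Map each hostname to the first certificate name covering it, or None."""
    return {
        host: next((n for n in cert_names if san_matches(n, host)), None)
        for host in hostnames
    }


def suggest_san(hostname):
    """Name to add for an uncovered host.

    Assumption: the registrable domain has two labels (example.com);
    this is wrong for suffixes such as co.uk.
    """
    parts = labels(hostname)
    if len(parts) <= 2:
        return ".".join(parts)
    return "*." + ".".join(parts[1:])


def order_problems(common_name, extra_sans, wanted_hosts):
    """Check a Multi-Domain Wildcard order against NOTE #1 and NOTE #2."""
    problems = []
    if "*" in common_name:
        problems.append(
            f"CSR common name {common_name} must not be a wildcard (NOTE #1)"
        )
    names = [common_name, *extra_sans]
    for host, covered_by in coverage(names, wanted_hosts).items():
        if covered_by is None:
            problems.append(f"{host} is not covered; add {suggest_san(host)}")
    return problems


if __name__ == "__main__":
    # Regular Wildcard certificate: main domain plus 1st-level sub-domains.
    regular = ["example.com", "*.example.com"]
    hosts = ["example.com", "my.example.com", "my.mob.example.com"]
    for host, name in coverage(regular, hosts).items():
        print(f"{host:22} -> {name}")

    # NOTE #2 layout: both bare domains and their sub-domains are covered.
    print(order_problems(
        "domain.com", ["*.domain.com", "mysite.com", "*.mysite.com"],
        ["domain.com", "shop.domain.com", "mysite.com", "mail.mysite.com"],
    ))

    # Wildcard-only SAN for mysite.com leaves the bare domain uncovered.
    print(order_problems(
        "example.com", ["*.example.com", "*.mysite.com", "*.abcxyz.com"],
        ["example.com", "shop.mysite.com", "mysite.com"],
    ))
```
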

You can add sub-domains to your server and they will be covered by your Wildcard SSL Certificate automatically. You do not need to re-issue your Wildcard SSL Certificate each and every time when you add sub-domains to it. The newly added sub-domains will be automatically covered by your Wildcard SSL Certificate.

 

An SSL Certificate takes the information that your users provide and encrypts it, so that only the web server can decrypt and understand it. Because information on the web is transmitted over HTTP, your data is not protected, as HTTP itself is not secure. The SSL Certificate takes your information, encrypts it, and passes it securely to the server where the website is hosted, or directly to the payment processor. On the merchant’s server, or on the payment processor’s side, the SSL certificate receives the encrypted HTTP information, decodes it, and safely performs the action you requested (logging you in, processing a payment, etc.).

In this way, the SSL Certificate turns your “HTTP” connection into an “HTTPS” (secured HTTP) connection and protects your data. With an SSL Certificate, your information is protected and safe.

The validation time of an SSL depends on the type of certificate you chose to buy.

Domain Validated certificates are issued within 3-5 minutes in 99% of the cases. Only when an SSL Certificate is requested for a domain name that contains a trademark or a brand name may it have to go through brand validation, in which case it can take up to a business day to be issued.

Business Validated certificates are usually issued within 1-3 business days.

Extended Validated certificates can take between 1-7 business days to be issued. The Certificate Authority does its part of the work very quickly. If all the information is provided to the Certificate Authority quickly and correctly, then the Certificate Authority can issue the EV certificate within 1 business day. We’ve seen situations when the EV Certificate was issued within a few hours. The 1-7 days period depends on how quickly the customer provides the required information to the Certificate Authority, and how quickly the customer responds to the Certificate Authority’s potential requests for additional information.

Through the Validation process, the Certificate Authority is trying to confirm that you are the owner of the domain, and that the company that you are requesting a Business Validation or Extended Validation certificate for is active. That is why it is important that you keep your company’s records (address and phone number) up to date and that you promptly respond to the Certificate Authority’s requests.

A Wildcard certificate will secure an unlimited number of subdomains.

The main differences between Sectigo/GoGetSSL EV Code Signing and a regular code signing certificate from Sectigo/GoGetSSL are the following two major features:

Extended Validation – offers the highest level of trust since Sectigo verifies the publisher’s authenticity rigorously

Two-factor authentication – the main requirement is to store the private key on an external hardware token, which Sectigo/GoGetSSL provides by mail, in order to avoid any unauthorized access or malicious usage. Since the private key is stored only on this token, this feature drastically reduces the number of people who can access it, therefore protecting the key from being compromised.

A CSR is generated immediately. It will be generated for you as soon as you fill in the CSR Generator form.

To add your Company Name and TAX/VAT number, you have to log into your SSL Dragon Account and follow these steps:

  1. Click on the “Hello, *Your Name*” button on the right top side of your account dashboard and select “Edit Account Settings”;
  2. On the ‘My Details’ page, you will find the ‘Company Name’ and ‘Company TAX/VAT ID’ field;
  3. Fill in these fields with the necessary information then click on ’Save Changes’. 

After you perform the above steps, your SSL Dragon account and all your invoices will be automatically updated with this information.


How to buy an SSL Certificate

  1. Choose the SSL Certificate, then select the period (1, 2, or 3 years) and number of domains (only for Multi-Domain SSL Certificates), and click “Buy Now”;
  2. You’ll be redirected to your Shopping Cart, where you need to confirm the period and, for Multi-Domain SSL Certificates, the number of additional domains. Review your Order Summary then click “Continue”;
  3. On the Review & Checkout page, you’ll find the “New Customer” fillable form which you need to complete to create your SSL Dragon account. Afterward, insert your Promotional Code (if you have it), any Additional Information (if necessary), select the desired Payment Method,  confirm that you’ve read and accepted our Terms of Service, and click on “Checkout”;
  4. You’ll be redirected to your Invoice which you need to pay using your selected Payment Method. Once the payment is done, you will see your order number and additional details on your Order Confirmation page. You will find your SSL Certificate in “My Account” at “SSL Certificates” -> “My SSL Certificates”.

Valid only for Sectigo and GoGetSSL Certificates:

Please go through the next steps in order to change the domain validation type for your SSL Certificate:

  1. Log into your SSL Dragon account;
  2. Go to “SSL Certificates” -> “My SSL Certificates”;
  3. You will see the list of products that you bought from SSL Dragon. Click on the SSL Certificate which you would like to change the domain validation type for;
  4. Click on the “Change DV Method” button which you can find towards the bottom on the page;
  5. Choose the new domain validation method for your domain(s); You can read more about what each validation type means at this link; (Important: HTTP validation method is no longer available for Wildcard SSL Certificates).
  6. Click “Submit” to make the new validation method go into effect.

Yes, you can see what information your CSR includes by decoding it, which reverses the encoding applied when the CSR was generated. Use the CSR Decoder tool on our CSR Decoder page to see what information is included in your CSR.

You can check whether your SSL Certificate requires Domain Validation, Business Validation or Extended Validation by looking at the attributes of your SSL Certificate. Please open the two screenshots on the right in order to see where you can find the information about the validation type of your SSL Certificate.

 

  1. Sign in to “My Account” on our SSL Dragon website;
  2. Once you are logged in, go to the main menu, select “SSL Certificates” -> “My SSL Certificates”;
  3. You will see the list of SSL Certificates which you bought on our website. Click on the SSL Certificate which you have just ordered, to enter its details page;
  4. When you are on the details page of the SSL certificate which you bought, go towards the bottom of the page, and click on the green button which says “Configure Now”;
  5. Fill in the form, by entering your order type, web server type, CSR and your company information;
  6. The second thing that you will be asked about on this form is the CSR (Certificate Signing Request). Insert your CSR (if you already have one), or use our CSR Generator tool to generate your CSR and your Private Key, based on the information which you enter in the CSR form. Copy and paste your CSR code into the text area which asks you for your CSR.

    Important: Please make sure to insert the entire CSR code, including the following two lines:
    -----BEGIN CERTIFICATE REQUEST-----
    (your CSR code)
    -----END CERTIFICATE REQUEST-----
  7. Only for Multi-Domain SSL: In the SANs Field, insert your additional domain name list, space-separated, e.g.:
    yourdomain.com
    yourseconddomain.com
  8. Once the form is completed in full, click on “Click to Continue”;
  9. You’ll be redirected to the domain validation page, where you need to choose your Domain Validation Method (email, HTTP/HTTPS, or DNS) then click on “Click to Continue”;
  10. The configuration of your SSL Certificate is completed now, and your order will be submitted to the Certificate Authority. If you have a Business Validation, Organization Validation, or Extended Validation SSL Certificate, you will find directions to the next steps on this page.
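
The checks from the two answers above (seeing what a CSR contains, and pasting it with both armor lines intact) can also be run locally with OpenSSL. The script below is an added example, not SSL Dragon's tooling; the file names, organization and domains in it are constructed sample values.

```shell
#!/bin/sh
# Added example: inspect a CSR offline before pasting it into an order form.
# Needs the openssl command-line tool (1.1.1 or newer for -addext).

# Create a throwaway key and CSR so there is something to inspect.
# The organization and domain names are constructed sample values.
make_sample_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$1/sample.key" -out "$1/sample.csr" \
        -subj "/C=US/O=Example Org/CN=yourdomain.com" \
        -addext "subjectAltName=DNS:yourdomain.com,DNS:yourseconddomain.com" \
        2>/dev/null
}

# Succeed only if both armor lines are present, each with five ASCII
# hyphens per side (word processors tend to turn them into long dashes).
csr_has_armor() {
    grep -qxF -e '-----BEGIN CERTIFICATE REQUEST-----' "$1" &&
    grep -qxF -e '-----END CERTIFICATE REQUEST-----' "$1"
}

# Check the CSR's self-signature. The output text is checked rather than
# relying on the exit status alone.
csr_signature_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# Print the subject in RFC 2253 form (CN=...,O=...,C=...).
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253
}

# Print each DNS name from the subjectAltName extension, one per line.
csr_sans() {
    openssl req -in "$1" -noout -text | tr ',' '\n' |
        sed -n 's/^[[:space:]]*DNS://p'
}

# Succeed only if the private key file holds the key the CSR was made from.
csr_matches_key() {
    [ "$(openssl req -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout)" ]
}

# csr_report <csr-file> [private-key-file]: run every check and print a summary.
csr_report() {
    csr_has_armor "$1" ||
        { echo "armor lines missing or altered" >&2; return 1; }
    csr_signature_ok "$1" ||
        { echo "CSR signature does not verify" >&2; return 1; }
    csr_subject "$1"
    csr_sans "$1" | sed 's/^/SAN: /'
    if [ -n "${2:-}" ]; then
        csr_matches_key "$1" "$2" ||
            { echo "private key does NOT match this CSR" >&2; return 1; }
        echo "private key: matches"
    fi
}
```

Source the file and run `csr_report your.csr your.key`; the private key stays on your machine and only the CSR is pasted into the form.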

Some servers and hosting companies may require you to submit your SSL Certificate in a different format than the original format in which your SSL Certificate was provided to you. Here are some links with instructions on how to convert an SSL Certificate to different file formats:

  1. SSL convertor – various formats
  2. Guide to convert SSL into various formats

CRT to PFX format conversion

1. Get PFX from CRT and txt containing private key for Azure
2. Bind an existing custom SSL certificate to Azure Web Apps
3. Exporting the SSL Certificate as a PFX file from IIS server
4. Convert your certificate to PFX

Convert .CRT to .CER file

It is easy to switch from .CRT format to .CER format. They are basically interchangeable. You can change the SSL Certificate extension/format by following the steps below:

  1. Copy and paste the CRT code which you got from your SSL Certificate’s details page in your SSL Dragon account and use Notepad to create a mywebsite.crt file from it;
  2. Double click on the mywebsite.crt file to open it and see the certificate being displayed;
  3. Click on the “Details” button, and then click on the button that says “Copy to File”;
  4. When you are on the Certificate Wizard, click “Next”;
  5. Then select Base-64 encoded X.509 (.CER), then click “Next” again;
  6. Click on “Browse” to choose the location where you want to save the converted file, and enter the desired name for your file (e.g.: mywebsite.cer);
  7. Finally, click “Save”, and you will have the .CRT to .CER conversion complete;
  8. You can get the mywebsite.cer file from the folder where you selected to save it to.
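
The CRT to CER and CRT to PFX conversions described above can also be done from a command line with OpenSSL. This is an added example, not taken from the linked guides; the file names follow the mywebsite.crt naming used above, and the sample certificate and the PFX_PASS variable name are constructed for illustration.

```shell
#!/bin/sh
# Added example: convert an issued certificate between common formats with
# the openssl command-line tool. File names and sample values are constructed.

# Create a throwaway self-signed certificate and key to convert.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1/mywebsite.key" -out "$1/mywebsite.crt" \
        -subj "/CN=mywebsite.com" 2>/dev/null
}

# SHA-256 fingerprint of a certificate file.
# The second argument is the input encoding: PEM (default) or DER.
cert_fingerprint() {
    openssl x509 -in "$1" -inform "${2:-PEM}" -noout -fingerprint -sha256
}

# Base-64 .crt -> Base-64 .cer: the same PEM content under another extension.
# Passing it through openssl also rejects files that are not certificates.
crt_to_cer_pem() {
    openssl x509 -in "$1" -outform PEM -out "$2"
}

# Base-64 .crt -> binary DER .cer, for software that wants the binary form.
crt_to_cer_der() {
    openssl x509 -in "$1" -outform DER -out "$2"
}

# Succeed only if the private key belongs to the certificate.
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout)" ]
}

# .crt + private key -> password-protected .pfx (PKCS#12).
# The password is read from the PFX_PASS environment variable so that it
# does not appear on the command line. Add "-certfile <bundle>" to the
# export command to include the CA's intermediate certificates.
crt_key_to_pfx() {
    cert_matches_key "$1" "$2" ||
        { echo "private key does not match certificate" >&2; return 1; }
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" \
        -passout env:PFX_PASS &&
        chmod 600 "$3"   # the bundle contains the private key
}

# Subject of the certificate stored inside a .pfx file.
pfx_subject() {
    openssl pkcs12 -in "$1" -passin env:PFX_PASS -nokeys 2>/dev/null |
        openssl x509 -noout -subject -nameopt RFC2253
}
```

The fingerprint is the same before and after each conversion, which is a quick way to confirm that only the encoding changed.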

To confirm you are the owner of the domain name using the HTTP method, you’ll have to upload a TXT file to a location on your website and server that looks like this:

http://mywebsite.com/.well-known/pki-validation/HashFileName.txt

We will provide instructions on how to create the .well-known folder for various server types:

Linux based servers (Ubuntu, Debian, CentOS)

  1. Go to the root directory of your website
  2. Create a directory called “.well-known”
  3. Inside it, create another folder called “pki-validation”
  4. Upload the TXT file inside the “pki-validation” directory

cPanel

  1. Log into WHM, or skip this step if you don’t have WHM
  2. Locate and log into the cPanel account for your domain name
  3. Click on “File Manager”
  4. Choose the “Web Root (public_html/www)” option and click “Go.”
  5. Create a new folder called .well-known
  6. Inside that folder create another folder called: pki-validation
  7. Upload your TXT file inside the pki-validation folder

IIS

Windows based servers do not allow you to place a dot in a folder name, therefore you need to follow these steps:

  1. Go to the C: drive
  2. Create a new folder called well-known
  3. Inside the well-known folder, create another folder named pki-validation
    So far, your folders should look like this: C:\well-known\pki-validation
  4. Upload the TXT file in the pki-validation folder
  5. Open the IIS Manager on your server
  6. Right-click your website and select Add Virtual Directory
  7. In the Alias section write .well-known
  8. In the Physical Path area enter the path to the well-known folder. For example:
    C:\well-known
  9. Press OK to create this alias

For all server types, if you did everything correctly, you should be able to open the following URL and see the hash code along with “comodoca.com” in any web browser:

http://mywebsite.com/.well-known/pki-validation/HashFileName.txt
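
For the Linux case, the folder steps and the final browser check can be scripted. This is an added example, not SSL Dragon's or the CA's tooling; the function names and the web root path are assumptions, and the "comodoca.com" marker is the string mentioned above.

```shell
#!/bin/sh
# Added example: put a CA-supplied validation file under a web root and
# check it before the CA fetches it. Paths and file names are assumptions.

DCV_SUBDIR=".well-known/pki-validation"

# place_dcv_file <web-root> <txt-file>
place_dcv_file() {
    webroot=$1; src=$2; name=$(basename "$src")
    [ -d "$webroot" ] || { echo "web root not found: $webroot" >&2; return 1; }
    [ -s "$src" ] || { echo "missing or empty file: $src" >&2; return 1; }
    case $name in
        *.txt) ;;
        *) echo "expected a .txt file: $name" >&2; return 1 ;;
    esac
    mkdir -p "$webroot/$DCV_SUBDIR" || return 1
    # Copy the file unmodified; the CA checks the content it gets back.
    cp "$src" "$webroot/$DCV_SUBDIR/$name" || return 1
    # The web server's user must be able to enter both directories and
    # read the file, so grant read/search permission to "other".
    chmod 755 "$webroot/.well-known" "$webroot/$DCV_SUBDIR" || return 1
    chmod 644 "$webroot/$DCV_SUBDIR/$name"
}

# dcv_url_path <txt-file>: the path requested on your domain.
dcv_url_path() {
    printf '/%s/%s\n' "$DCV_SUBDIR" "$(basename "$1")"
}

# check_dcv_file <web-root> <txt-file> [marker]
# Offline preflight: the deployed copy exists, is identical to the original,
# is world-readable, and contains the marker text (default: comodoca.com).
check_dcv_file() {
    dst="$1/$DCV_SUBDIR/$(basename "$2")"
    marker=${3:-comodoca.com}
    [ -f "$dst" ] || { echo "not deployed: $dst" >&2; return 1; }
    cmp -s "$2" "$dst" ||
        { echo "deployed content differs from original" >&2; return 1; }
    [ -n "$(find "$dst" -perm -004)" ] ||
        { echo "file is not world-readable" >&2; return 1; }
    grep -qF -- "$marker" "$dst" ||
        { echo "marker '$marker' not found" >&2; return 1; }
}

# check_dcv_live <domain> <txt-file>: fetch the URL over plain HTTP and
# compare the response with the local file. Needs curl and network access.
check_dcv_live() {
    curl -fsS "http://$1$(dcv_url_path "$2")" | cmp -s - "$2"
}
```

Example use: `place_dcv_file /var/www/html HashFileName.txt && check_dcv_file /var/www/html HashFileName.txt`, then `check_dcv_live mywebsite.com HashFileName.txt` from another machine.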

 

To export an S/MIME certificate from Firefox, follow the instructions below:

  1. Open the Firefox browser and click the Options Menu button at the top-right corner, then select Settings
  2. Select Privacy & Security from the menu on the left
  3. On the Privacy & Security tab, scroll down to the Certificates section, and click View Certificates
  4. In the Certificate Manager window, select the Your Certificates tab, then select the certificate you wish to back up. Click Backup
  5. Your certificate will be exported to a PKCS12 file. To learn more about certificate formats, check our comprehensive SSL formats guide. Please create a name for this file and specify where you want to save it.
  6. Next, you must create a password to protect your PKCS12 file. Remember this password because you need it if you import the certificate into another browser or mail client.
  7. Click OK to export your Sectigo Personal Authentication certificate.

Source: Sectigo’s Knowledge Base

To export your certificate from Internet Explorer follow the steps below:

  1. Open Internet Explorer, then navigate to Tools > Internet Options.
  2. From the Internet Options window, select the Content tab and then Certificates.
  3. In the Certificates window, select the Personal tab.
  4. Select the certificate you wish to export, then click Export…
  5. In the Certificate Export Wizard, depending on your needs, select one of the following options:
    1. Yes, export the private key. Pick this option if you want to import the certificate into another browser/email client or mobile device.
    2. No, do not export the private key. Select this option if you need to export the certificate for other purposes such as archiving your public key.
  6. For this demonstration we’ll pick the first option – Yes, export the private key.
  7. After you click Next, from the formats presented, click the Personal Information Exchange radio button and select Include all certificates in the certification path if possible and Enable certificate privacy. Click Next to continue.
  8. Now, create a password for your certificate. You will need it to import the certificate into another browser/mail client.
  9. Click Browse and go to the location where the certificate was saved. Click Next.
  10. Double-check your selected settings, and click Finish to complete the Certificate Export process.

Source: Sectigo’s Knowledge Base

The Private Key was generated on your machine when you configured your Sectigo/GoGetSSL Code Signing Certificate initially. The screenshot on the right shows the page where you configured your Sectigo/GoGetSSL Code Signing Certificate initially. As you can see in the screenshot, you were given instructions on how to check and back up your Private Key.

If you lost your Private Key, then you have to reissue your Sectigo/GoGetSSL Code Signing Certificate. You can do that by following the next steps:

1) Log in at https://secure.trust-provider.com/products/frontpage?area=ssl using the username and password that you used when you configured your Sectigo/GoGetSSL Code Signing Certificate initially;
2) Once you are logged in, find the “Replace” button and click on it;
3) You will start the reissue process for your Sectigo/GoGetSSL Code Signing SSL.
4) Follow the steps and instructions that come next, until you complete the Sectigo/GoGetSSL Code Signing Certificate reissue.

When you configure or re-configure your Sectigo/GoGetSSL Code Signing SSL Certificate, it is best to use some specific browsers for that. Here is an article that describes which browsers are best to use for configuring a Sectigo/GoGetSSL Code Signing Certificate.

Follow the steps below to export your CPAC (which was already installed on Keychain) into a PKCS12 file.

  1. Navigate to Applications > Utilities > Keychain Access
  2. In the Keychains options (on the left), select Login and click My certificates in the Category panel.
  3. Next, select the certificate you want to export and click File then Export Items.
  4. Now, for the File Format, select Personal Information Exchange (.p12). Name it as you wish, and save it in a directory of your choice.
  5. Next, create a password for the exported file. It will be requested if/when you import the certificate into another browser/mail client or device.
  6. Click OK. You have successfully exported your Sectigo Personal Authentication certificate.

Once you’ve exported the Email/Personal Authentication certificate into P12 format, you can import it into Mac OS using Keychain Access. To complete the process, follow the steps below:

  1. Go to Applications > Utilities > Keychain Access
  2. In the Keychains panel on the left, select Login > File > Import Items…
  3. Now, locate your saved certificate file and click Open.

    Note: If prompted to trust certificates issued by your CA automatically, select the Always Trust option to trust and install your certificate.

  4. You can view the installed certificate by clicking Category > My Certificates in the Keychain Access window.

Source: Sectigo’s Knowledge Base

You can install your Sectigo CPAC Certificate as soon as it has been issued to you.

Here are installation instructions for different browsers, email clients, and mobile devices provided by Sectigo:

Here are several links with instructions on how to install a Sectigo or a GoGetSSL Code Signing Certificate:

You can check if you have a Business Validation SSL Certificate by looking at the attributes of your SSL Certificate. Please open the two screenshots on the right in order to see where you can find the information about the validation type of your SSL Certificate.

Different SSL Certificate brands have different Business Validation procedures. Please read the section that applies to your SSL Certificate brand below.

DigiCert (including Thawte & GeoTrust)

If you bought a Business Validation SSL Certificate with Thawte, GeoTrust, DigiCert, then the certificate authority will work on validating the legal existence of your organization via local public databases, as a part of the Business Validation process. This may take between 1-3 working days. Please wait until one of the certificate authority representatives contacts you about any additional information that they may need you to provide them.

If you do not hear from the Certificate Authority representatives in the next 5-7 days, then please call +1 (520) 477-3152 (Ext 2) to check the status of your SSL Certificate with the Certificate Authority. Please note that Thawte, GeoTrust, and DigiCert are all owned by DigiCert, and they all have the same phone number provided above. When you talk to them, you will need to provide the “Partner Order ID”, which you can find on the details page of your SSL Certificate inside your SSL Dragon account. See the screenshot on the right.

Sectigo/GoGetSSL

Please send the necessary forms described below to Sectigo by opening a ticket with Sectigo Validation Center at https://sectigo.com/support. Click on “Submit a ticket”, select Validation Department, and submit your request. Please mention your “Partner Order ID” in your message.

You can find your “Partner Order ID” on the details page of your SSL Certificate inside your SSL Dragon account. See the screenshot on the right.

I. New Orders

STEP 1: Business Validation
To pass Business validation, you may have to provide an official registration document, such as a Business License, Articles of Incorporation, and/or Registration application.
Here are the BV options:

A. No paperwork. Your company’s legal existence will be checked via a public government database using your company name and your unique Registration/Identification number OR via verified public 3rd party databases, such as GLEIF, Dun & Bradstreet, Hoovers, Companies House GOV.UK.

B. Paperwork. Your company will be verified using:

  • an official registration document, such as Articles of Incorporation, Government Issued Business License, or
  • a copy of a recent: company bank statement, company phone bill, or major company utility bill  (i.e. power bill, water bill, etc.).

STEP 2: Callback process
The last step is a callback process called Phone Validation. Sectigo will call you and ask you to confirm your name and order, to validate the company’s official phone number.
Below are the 4 callback options. You don’t have to do all four things from below. Doing just one of them will be enough.

A. Yellow Pages Databases. Sectigo verifies your phone number via public Yellow pages Databases.

B. DUNS. The second way is to provide your DUNS number to Sectigo. You can get your company’s DUNS number from this website: https://www.dandb.com/. If Sectigo gets back to you and says that your DUNS listing does not contain a phone number, then you need to contact Dun & Bradstreet (at https://www.dandb.com/) and ask them to “add your company’s phone number to their business directory and on the report”.

C. Local phone database. If you don’t have a DUNS number, then the other thing you can do is to provide your company’s registration number for Sectigo to check your company with your country’s governmental directories (e.g.: Corporation Division, Companies House, Department of State, etc). Please note that Sectigo will be looking to see your company’s phone number listed there as well. Not all governmental directories have the companies’ phone numbers. If the governmental directory allows you to call them, email them, or use their website to add your phone number, then please go ahead and do that.

D. Legal Opinion. If the above two options (2.1 and 2.2) don’t work for you, then the third and last option to validate your phone number is to ask a CPA (Certified Public Accountant), or a Latin Notary, or an Attorney (Lawyer) to write, sign and send a letter to Sectigo where they confirm your company name, address, and phone number. You can find the sample letters below:

– Sample Accountant Letter
– Sample Legal Opinion Letter


II. Renewal/Reissue Orders

For reissue and renewal orders, instead of Steps 1 and 2, you must contact Sectigo Validation Center at https://sectigo.com/support. Click on “Submit a ticket”, or choose Live Chat, select Validation Department and submit the following request (please replace [] fields with the corresponding info):

Reason for the ticket: Validation
Order number: [Your Partner Order ID]
Subject: Business Validation 

Dear Sectigo!
Please validate order [Partner Order ID] using the company name [Your Company Name], with [Registration/ID number] and [DUNS number].

Sectigo will then contact you for Step 2 or any necessary updates to Step 1.

 

A code signing SSL certificate can be issued to an organization or an individual. The Sectigo validation requirements vary depending on who requests the code signing certificate.

Organization Validation Requirements according to Sectigo:

Organization validation verifies the following:

  • Operational existence
  • Physical existence
  • Government-issued photo ID of the requestor
  • Business phone number
  • Order Authenticity

Operational Existence:

The Certificate Authority (CA) will verify your organization’s legal status and/or DBA (doing business as) via your legal registration and other third-party trusted sources such as GLEIF, Dun & Bradstreet, Hoovers, Companies House GOV.UK.

Physical Existence:

The CA will verify your business address using the same procedure and trusted sources as during the operational existence verification.

Government-Issued Photo ID:

A copy of a government-issued photo ID is required to verify the requestor (admin contact) on the order. For the verification, you need to provide two documents:

  • A copy of a government-issued photo ID such as a valid driver’s license, passport, national ID, or military ID that includes the name which matches the name on the order.
  • A photo of the requestor holding the government-issued photo ID. The photo must clearly show the face and the government photo ID that is readable and can be compared to the copy provided in the document.

Phone Number:

The CA will verify your phone number via trusted third-party databases. 

Order Validation

To validate your information, a validation agent will attempt a callback. A person of authority to request the certificate must confirm the order. If the validation agent can’t complete any of these requirements, an email will be sent explaining the issue and offering additional details for a resolution.

Individual Validation Requirements:

Individual Validation differs from organizational validation because you’re not proving business credentials but personal identity. Two options are available for individual validation:

Option 1 documents:

  • Prove identity via a government-issued photo ID that includes an address that matches the name and address on the order.
  • A photo of you holding the government-issued photo ID. The photo must clearly show your face and the government photo ID that is readable and can be compared to the copy provided in the document.

Option 2 documents:

  • A Face to Face document explaining the specific instructions and requiring a notary to attest to and notarize the forms.
  • A notarized copy of a valid driver’s license, passport, national ID, or military ID that includes your name and matches the name on the order.
  • The Face to Face personal declaration statement
  • The Face to Face confirming person statement

Note: The face-to-face verification form should be filled and signed by a Notary authorized to conduct business in your area/country. 

How to submit documents

You can submit the documents to Sectigo by using one of the following methods:

  • Upload directly to your order
  • Use the Validation Manager (Your confirmation email contains a link to your order called the Validation Manager.)
  • Upload documents as attached files to a case that you create via a ticket at Sectigo.

You can check if you have an Extended Validation SSL Certificate by looking at the attributes of your SSL Certificate. Please open the two screenshots on the right in order to see where you can find the information about the validation type of your SSL Certificate.

Different SSL Certificate brands have different Extended Validation procedures. Please read the section that applies to your SSL Certificate brand below.

DigiCert (including Thawte & GeoTrust)

The validation team will send you an agreement by email during the verification process. Then the certificate authority will work on validating the legal existence of your company via local public databases, as a part of the Extended Validation process. This may take between 1-3 working days. Please wait until one of the certificate authority representatives contacts you about any additional information that they may need you to provide them.

If you do not hear from the Certificate Authority representatives in the next 5-7 days, then please call +1 (520) 477-3152 (Ext 2) to check the status of your SSL Certificate with the Certificate Authority. Please note that Thawte, GeoTrust, and DigiCert are all owned by DigiCert, and they all have the same phone number provided above. When you talk to them, you will need to provide the “Partner Order ID”, which you can find on the details page of your SSL Certificate inside your SSL Dragon account. See the screenshot on the right.

Sectigo/GoGetSSL

Please send the necessary forms described below to Sectigo by opening a ticket with Sectigo Validation Center at https://sectigo.com/support. Click on “Submit a ticket”, select Validation Department, and submit your request. Please mention your “Partner Order ID” in your message.

You can find your “Partner Order ID” on the details page of your SSL Certificate inside your SSL Dragon account. See the screenshot on the right.

I. New Orders

STEP 1: Agreement signing
A few hours after the order is placed, you will receive an email from Sectigo with a click-through link called the “Validation Manager link”.
Please use this click-through link to access the Validation form, sign the agreement using a digital signature, and upload it directly to Sectigo.

If you didn’t receive the email with the link and/or can’t sign the agreement digitally, please fill in these 2 forms – Certificate Request Form and EV SSL Subscriber Agreement – and send them to Sectigo (see above instructions).

You can also download the Sectigo EV forms from their knowledge-base.

STEP 2: Business Validation
To pass Business validation, you may have to provide an official registration document, such as a Business License, Articles of Incorporation, and/or Registration application.
Here are the BV options:

A. No paperwork. Your company’s legal existence will be checked via a public government database using your company name and your unique Registration/Identification number OR via verified public 3rd party databases, such as GLEIF, Dun & Bradstreet, Hoovers, Companies House GOV.UK.

B. Paperwork. Your company will be verified using:

  • an official registration document, such as Articles of Incorporation, Government Issued Business License, or
  • a copy of a recent: company bank statement, company phone bill, or major company utility bill  (i.e. power bill, water bill, etc.).

STEP 3: Callback process
The last step is a callback process called Phone Validation. Sectigo will call you and ask you to confirm your name and order, to validate the company’s official phone number.
Below are the 4 callback options. You don’t have to do all four things from below. Doing just one of them will be enough.

A. Yellow Pages Databases. Sectigo verifies your phone number via public Yellow pages Databases.

B. DUNS. The second way is to provide your DUNS number to Sectigo. You can get your company’s DUNS number from this website: https://www.dandb.com/. If Sectigo gets back to you and says that your DUNS listing does not contain a phone number, then you need to contact Dun & Bradstreet (at https://www.dandb.com/) and ask them to “add your company’s phone number to their business directory and on the report”.

C. Local phone database. If you don’t have a DUNS number, then the other thing you can do is to provide your company’s registration number for Sectigo to check your company with your country’s governmental directories (e.g.: Corporation Division, Companies House, Department of State, etc). Please note that Sectigo will be looking to see your company’s phone number listed there as well. Not all governmental directories have the companies’ phone numbers. If the governmental directory allows you to call them, email them, or use their website to add your phone number, then please go ahead and do that.

D. Legal Opinion. If the above two options (2.1 and 2.2) don’t work for you, then the third and last option to validate your phone number is to ask a CPA (Certified Public Accountant), or a Latin Notary, or an Attorney (Lawyer) to write, sign and send a letter to Sectigo where they confirm your company name, address and phone number. You can find the sample letters below:

– Sample Accountant Letter
– Sample Legal Opinion Letter


II. Renewal/Reissue Orders

For reissue and renewal orders, instead of Steps 1 and 2, you must contact Sectigo Validation Center at https://sectigo.com/support. Click on “Submit a ticket”, or choose Live Chat, select Validation Department and submit the following request (please replace [] fields with the corresponding info):

Reason for the ticket: Validation
Order number: [Your Partner Order ID]
Subject: Extended Validation 

Dear Sectigo!
Please validate order [Partner Order ID] using the company name [Your Company Name], with [Registration/ID number] and [DUNS number].

Sectigo will then contact you for Step 3 or any updates of Step 1 or 2 described above.

 

You can check if you have an Organization Validation SSL Certificate by looking at the attributes of your SSL Certificate. Business Validation is the same as Organization Validation, so wherever you see “Business Validation” it also means “Organization Validation”. Please open the two screenshots on the right in order to see where you can find the information about the validation type of your SSL Certificate.

Different SSL Certificate brands have different Organization Validation procedures. Please read the section that applies to your SSL Certificate brand below.

DigiCert (including Thawte & GeoTrust)

If you bought an Organization Validation SSL Certificate with Thawte, GeoTrust, DigiCert, then the certificate authority will work on validating the legal existence of your organization via local public databases, as a part of the Organization Validation process. This may take between 1-3 working days. Please wait until one of the certificate authority representatives contacts you about any additional information that they may need you to provide them.

If you do not hear from the Certificate Authority representatives in the next 5-7 days, then please call +1 (520) 477-3152 (Ext 2) to check the status of your SSL Certificate with the Certificate Authority. Please note that Thawte, GeoTrust, and DigiCert are all owned by DigiCert, and they all have the same phone number provided above. When you talk to them, you will need to provide the “Partner Order ID”, which you can find on the details page of your SSL Certificate inside your SSL Dragon account. See the screenshot on the right.

Sectigo/GoGetSSL

Please send the necessary forms described below to Sectigo by opening a ticket with Sectigo Validation Center at https://sectigo.com/support. Click on “Submit a ticket”, select Validation Department, and submit your request. Please mention your “Partner Order ID” in your message.

You can find your “Partner Order ID” on the details page of your SSL Certificate inside your SSL Dragon account. See the screenshot on the right.

I. New Orders

STEP 1: Organization Validation
To pass Organization validation, you may have to provide an official registration document, such as a Business License, Articles of Incorporation, and/or Registration application.
Here are the BV options:

A. No paperwork. Your company’s legal existence will be checked via a public government database using your company name and your unique Registration/Identification number OR via verified public 3rd party databases, such as GLEIF, Dun & Bradstreet, Hoovers, Companies House GOV.UK.

B. Paperwork. Your company will be verified using:

  • an official registration document, such as Articles of Incorporation, Government Issued Business License, or
  • a copy of a recent: company bank statement, company phone bill, or major company utility bill  (i.e. power bill, water bill, etc.).

STEP 2: Callback process
The last step is a callback process called Phone Validation. Sectigo will call you and ask you to confirm your name and order, to validate the company’s official phone number.
Below are the 4 callback options. You don’t have to do all four things from below. Doing just one of them will be enough.

A. Yellow Pages Databases. Sectigo verifies your phone number via public Yellow pages Databases.

B. DUNS. The second way is to provide your DUNS number to Sectigo. You can get your company’s DUNS number from this website: https://www.dandb.com/. If Sectigo gets back to you and says that your DUNS listing does not contain a phone number, then you need to contact Dun & Bradstreet (at https://www.dandb.com/) and ask them to “add your company’s phone number to their business directory and on the report”.

C. Local phone database. If you don’t have a DUNS number, then the other thing you can do is to provide your company’s registration number for Sectigo to check your company with your country’s governmental directories (e.g.: Corporation Division, Companies House, Department of State, etc). Please note that Sectigo will be looking to see your company’s phone number listed there as well. Not all governmental directories have the companies’ phone numbers. If the governmental directory allows you to call them, email them, or use their website to add your phone number, then please go ahead and do that.

D. Legal Opinion. If the above two options (2.1 and 2.2) don’t work for you, then the third and last option to validate your phone number is to ask a CPA (Certified Public Accountant), or a Latin Notary, or an Attorney (Lawyer) to write, sign and send a letter to Sectigo where they confirm your company name, address, and phone number. You can find the sample letters below:

– Sample Accountant Letter
– Sample Legal Opinion Letter


II. Renewal/Reissue Orders

For reissue and renewal orders, instead of Steps 1 and 2, you must contact Sectigo Validation Center at https://sectigo.com/support. Click on “Submit a ticket”, or choose Live Chat, select Validation Department and submit the following request (please replace [] fields with the corresponding info):

Reason for the ticket: Validation
Order number: [Your Partner Order ID]
Subject: Organization Validation 

Dear Sectigo!
Please validate order [Partner Order ID] using the company name [Your Company Name], with [Registration/ID number] and [DUNS number].

Sectigo will then contact you for Step 2 or any necessary updates to Step 1.

 

Here are the steps that you need to do in order to pass OV (Organization Validation) for your S/MIME Class 2 email SSL Certificate:

Open a ticket with us and let us know the following info:

A. Your Company Info:

  • Legal Company Name
  • Organization Phone Number – This should be a number that can be verified against an online third-party address listing (e.g. Google business). DigiCert will call your verified organization phone number to confirm your organization for your SSL.
  • Company Address – Address, City, State, Country, Zip Code

B. Your Company Contact Info:

  • First Name
  • Last Name
  • Email
  • Phone Number

C. The Email address, First Name, and Last Name the SSL will be issued for.

All DigiCert SSL Certificates require customers to pass the Business Validation or Extended Validation process. On DigiCert SSL Certificates, these two validation processes are identical. As a part of the Business Validation or Extended Validation process, you need to provide information about your company and your company’s phone number.

DUNS number

You need to provide your DUNS number to DigiCert, and your DUNS profile needs to display your phone number. You can check your company’s DUNS number/profile on this website: https://www.dandb.com/. If you see that your DUNS listing does not contain a phone number, then you need to contact Dun & Bradstreet (at https://www.dandb.com/) and ask them to add your phone number to their “business directory and on the report”.

Please note that after asking DNB (Dun & Bradstreet) to add your phone number to your DUNS listing, it will take them a few days to do this update. You should expect to receive an email message from DNB saying that your DUNS profile has been updated successfully. Your phone number will start appearing on your DUNS profile on the https://www.dandb.com/ website only after you get that confirmation message from DNB.

At that point, you should contact DigiCert at +1 (877) 438-8776 (select option #1 and then option #2), and provide them your DigiCert Order ID and your DUNS number. You can find your DigiCert Order ID on your SSL Certificate’s details page inside your SSL Dragon account. See the screenshot on the right.

DigiCert will proceed with the callback verification process to verify your phone number. Once that is completed, your DigiCert SSL Certificate will be issued to you.

Legal letter

If adding your phone number to your DUNS listing takes too long, you can ask DigiCert to tell you what alternatives you have for passing the Business Validation or Extended Validation. DigiCert can send you an email message with information about a legal letter which you can write, then take it to a notary for them to sign it, and then scan and send it back to DigiCert by email. The letter will have your company name, address, and phone number. Once DigiCert receives it, they will do the callback on the number which you provide in the legal letter and will issue your DigiCert SSL Certificate shortly after that. Other certificate authorities have this practice too, so providing a legal letter is a common method for passing the Business Validation and Extended Validation.

When requesting an SSL Certificate you have to prove that you own or you have management rights over the domain or sub-domain that you are requesting an SSL Certificate for.

Important! As of June 16, 2021, Sectigo no longer accepts WHOIS-based email addresses for Domain Control Validation (DCV).

STEP 1: Domain Validation (DV)

A. EMAIL

If you have an SSL Certificate issued by Sectigo, GoGetSSL, GeoTrust, Thawte, DigiCert, or RapidSSL, then you can complete the domain validation by responding to an automated domain validation message sent to your email address. You will be given a list of emails to choose from, and the automated domain validation message will be sent to the email address that you choose.

Always check your email inbox (including your Spam folder), as you should receive an email message from the Certificate Authority with instructions on how to validate (prove the ownership of) your domain name. The email message will ask you to copy a unique code and paste it on a specific link provided in the same email message.

Important: Only 5 e-mail addresses are allowed for domain validation: admin@, administrator@, hostmaster@, postmaster@, and webmaster@ your domain name.
In some cases, the Certificate Authority may allow your administrative e-mail from WHOIS, too, but ONLY IF the Private registration is disabled.

B. HTTP / HTTPS method

This method is Not Available for Wildcard SSL Certificates.

The HTTP validation consists of uploading a TXT validation file to a pre-defined location on your website. You have to make sure that you can access this file and link from any web browser. Once you proceed with this domain validation method, the CA will run a scan of your website and will look particularly for this file at the given link. Your SSL Certificate will pass the domain validation within a few minutes after the CA’s crawler system finds the TXT file on your website.

The HTTPS validation method is the same validation method as described above. You should choose the HTTPS option if you already have an SSL Certificate installed on your website.

C. DNS method

You can also add a pre-defined domain record to your domain registrar (the website where you registered your domain name). Make sure that your firewall doesn’t block the CA’s validation robot.

Sectigo and GoGetSSL require CNAME DNS type, which looks like:

_b2013ea8353c9760c0221c49dc3e8ca7.yourwebsite.com CNAME
165b83449f4fdf83021de4e6f6ee795a.4ae75dbefe3r7bb8a1878616d8b5ae4.5r4r46855d28f6903.comodoca.com

while DigiCert (Thawte, GeoTrust, RapidSSL) require TXT DNS type, which looks like:

yourwebsite.com TXT “w34f54t4t45t354eer98rn4jf4449nfrf”

or

dnsauth.yourwebsite.com TXT “w34f54t4t45t354eer98rn4jf4449nfrf”

Please note that newly added DNS records take between 10-48 minutes to propagate. This means that you will have to wait up to 48 hours to pass the domain validation if you go with this method. That is why we recommend the Email, HTTP, and HTTPS methods instead: they allow you to pass the domain validation instantly.

STEP 2: CAA Check

As of 8th September 2017, all Certificate Authorities (CAs) are obliged to respect your CAA policy, as a security measure.

The CAA record should allow the CA to issue the SSL Certificate for your domain name. Otherwise, the order will be set as Pending until you update the record.

By default, if no CAA record is found, any CA may issue an SSL Certificate for your domain name. Otherwise, you should update your CAA record.

Here is how to do it:
– https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA01N000000zFMO
– https://docs.digicert.com/manage-certificates/dns-caa-resource-record-check/

Here is how to test the record:
– https://toolbox.googleapps.com/apps/dig/#CAA/
– https://caatest.co.uk/scan.org.ua
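
How a CA reads a CAA record set, as an added example that is not part of the original article or of any CA's tooling. The records are constructed and written the way "dig +short CAA yourwebsite.com" prints them; sectigo.com and digicert.com are used as issuer names here, so check the CA pages linked above for the exact value your CA expects. It assumes the records passed in are already the ones that apply to the name (the lookup that climbs to parent domains is left out).

```shell
#!/bin/sh
# Added example: decide whether a CAA record set lets a given CA issue.
# Input format (constructed): one record per line, "<flags> <tag> <value>".

# caa_permits <ca-domain> <single|wildcard> <records>
# Returns 0 if the CA may issue, 1 if the CAA policy blocks it.
caa_permits() {
    printf '%s\n' "$3" | awk -v ca="$1" -v kind="$2" '
        BEGIN { ca = tolower(ca) }
        NF >= 3 {
            tag = tolower($2)
            # Value = everything after flags and tag, quotes removed.
            val = $0
            sub(/^[ \t]*[0-9]+[ \t]+[^ \t]+[ \t]+/, "", val)
            gsub(/"/, "", val)
            sub(/;.*/, "", val)        # drop parameters that follow ";"
            gsub(/[ \t]/, "", val)
            val = tolower(val)
            if (tag == "issue") {
                n_issue++
                if (val == ca) ok_issue = 1
            } else if (tag == "issuewild") {
                n_wild++
                if (val == ca) ok_wild = 1
            } else if (tag != "iodef" && ($1 + 0) >= 128) {
                # Critical flag on a tag this checker does not understand:
                # the CA must refuse to issue.
                critical_unknown = 1
            }
        }
        END {
            if (critical_unknown) exit 1
            # For a wildcard name, issuewild replaces issue when present.
            if (kind == "wildcard" && n_wild > 0) exit (ok_wild ? 0 : 1)
            if (n_issue > 0) exit (ok_issue ? 0 : 1)
            exit 0    # no issue/issuewild record: any CA may issue
        }'
}

# Constructed sample policy: two CAs allowed, wildcards forbidden for everyone.
RECORDS='0 issue "sectigo.com"
0 issue "digicert.com; account=230123"
0 issuewild ";"
0 iodef "mailto:security@example.test"'

for ca in sectigo.com digicert.com letsencrypt.org; do
    for kind in single wildcard; do
        if caa_permits "$ca" "$kind" "$RECORDS"; then
            echo "$ca ($kind): may issue"
        else
            echo "$ca ($kind): blocked, order would stay Pending"
        fi
    done
done
```

An empty record set passes for every CA, which is the default described above; a single issuewild ";" line is enough to keep a Wildcard order pending even when the same CA is listed under issue.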

Optional (Rare) – Brand Validation (Manual Check)

In some cases, the CAs may require manual verification if your order fails any internal rules of Brand Validation.

It takes around 24-48 hours to pass this manual check, and the CA will either issue or reject an order in such cases.

Here are the reasons why your order is under Brand Validation.


How to change the domain validation method?

If you chose one of these domain validation methods described above, and you see that your domain doesn’t get validated, then you can always change your domain validation method. Please go to this link to learn how to do that.

Certain SSL Certificates allow you to secure an IP address, only if it is a public IP address. The validation process for IP addresses is similar to validating a domain name, but it has its particularities. That is why we encourage you to follow the guidelines below.

GoGetSSL

STEP 1 First of all, you have to configure your SSL Certificate by filling in the configuration form inside your SSL Dragon account.

Important! When configuring your certificate, you will be asked to generate a CSR with NO Common Name. Here is how to do it.

STEP 2 Mention your IP address / IP addresses in the SANs field.

If you have just 1 IP address, just insert it in the SANs field, with no extra spaces or characters, e.g.:

123.34.34.234

If you have 2 or more IP addresses (if you purchased additional SANs), insert your IP address list in the SANs field, with each IP address space-separated, e.g.:

123.34.34.234
124.34.24.234

Important! This step is mandatory. Since the CSR has no IP address included in its fields, it’s important to mention your IP address / IP addresses in the SANs field. Otherwise, if you leave the SANs field blank, the SSL Certificate won’t be further configured and you’ll see an error message.

NOTE: if you need to secure an IP address and a domain name, GoGetSSL PublicIP SAN allows you to do that, but it needs manual configuration. Please open a ticket with us, send us the CSR (with No Common Name), the IP address, and the domain name. We’ll configure the SSL manually and provide you the instructions for further validation.

STEP 3 Once your certificate is configured, you have to prove the ownership or right to use that IP address. To do that, you have to pass the HTTP/HTTPS validation for your SSL Certificate. Email or DNS validation are not available for IP validation. To pass the HTTP/HTTPS validation, you have to create a .TXT file that contains the validation code provided on the “Content” field on the details page of your SSL Certificate page. The “Content” that you have to add to the .TXT file looks similar to this:

38622319C755B5952FA4CD590655F05000C4951C2EF07BFFCB2BBA23623BE9D6
COMODOCA.COM
t0520161001553133275

Then you have to upload the TXT file at a location on your server that looks like this:
http://127.0.0.1/.well-known/pki-validation/B34037F1D9BFE9F5936AFEA9798174AB.txt

127.0.0.1 should be replaced by the IP address that you are trying to validate. You can read the information on how to create the .well-known folder at this link: https://www.ssldragon.com/faq-category/domain-validation/#collapse-13950

Make sure that you can access this file and link from any web browser. Inform us once you have uploaded the attached TXT file to your server so that we can run a scan of your website and look particularly for this file at this given link.

If you follow these steps exactly, you will get your IP address validated successfully.

NOTE: If you have a router to secure instead of a server, there is no way to upload the TXT file on your router. The solution to getting the IP addresses validated is to reroute the IP address to a server, put the TXT file on that server, pass the IP validation, and then reroute the IP address back to the router.

Sectigo

STEP 1 First of all, you have to configure your SSL Certificate by filling in the configuration form inside your SSL Dragon account. When configuring your certificate, you will be asked to generate a CSR or enter an existing CSR.

Please make sure you include your IP address as a “common name” (domain/IP that you want to secure) in your CSR.

STEP 2 Once your certificate is configured, you have to prove the ownership or right to use that IP address. To do that, you have to pass the HTTP/HTTPS validation for your SSL Certificate. Email or DNS validation are not available for IP validation. To pass the HTTP/HTTPS validation, you have to create a .TXT file that contains the validation code provided on the “Content” field on the details page of your SSL Certificate page. The “Content” that you have to add to the .TXT file looks similar to this:

38622319C755B5952FA4CD590655F05000C4951C2EF07BFFCB2BBA23623BE9D6
COMODOCA.COM
t0520161001553133275

Then you have to upload the TXT file at a location on your server that looks like this:
http://127.0.0.1/.well-known/pki-validation/B34037F1D9BFE9F5936AFEA9798174AB.txt

127.0.0.1 should be replaced by the IP address that you are trying to validate. You can read the information on how to create the .well-known folder at this link: https://www.ssldragon.com/blog/faq_category/domain-validation/#collapse-13950

Make sure that you can access this file and link from any web browser. Inform us once you have uploaded the attached TXT file to your server so that we can run a scan of your website and look particularly for this file at this given link.

If you follow these steps exactly, you will get your IP address validated successfully.

NOTE: If you have a router to secure instead of a server, there is no way to upload the TXT file on your router. The solution to getting the IP addresses validated is to reroute the IP address to a server, put the TXT file on that server, pass the IP validation, and then reroute the IP address back to the router.

STEP 3 The last step towards getting the SSL Certificate for your IP address is to pass the Business Validation. You can find detailed instructions on how to do that at this link: https://www.ssldragon.com/contacts/faq/#collapse-3176

Sectigo/GoGetSSL Code Signing Certificates can be configured for a Business or for an Individual. If you configured your certificate as an individual, then you can go directly to the middle of this article, to the section called “Validation for Individuals”, where you will find detailed information about how to pass the validation as an individual. If you configured your certificate as a company, then please continue reading.

Business Validation

Please send the necessary forms described below to Sectigo/GoGetSSL by opening a ticket with Sectigo/GoGetSSL Validation Center at https://sectigo.com/support. Click on “Submit a ticket”, select Validation Department and submit your request. Please mention your “Partner Order ID” in your message.

You can find your “Partner Order ID” on the details page of your SSL Certificate inside your SSL Dragon account. See screenshot on the right.

I. New Orders

STEP 1: Business Validation
To pass Business Validation, you may have to provide an official registration document, such as a Business License, Article of Incorporation, and/or Registration application.
Here are the BV options:

A. No paperwork. Your company’s legal existence will be checked via public government database using your company name and your unique Registration/Identification number OR via verified public 3rd party databases, such as GLEIF, Duns & Bradstreet, Hoovers, Companies House GOV.UK.

B. Paperwork. Your company will be verified using:

  • an official registration document, such as Articles of Incorporation, Government Issued Business License, or
  • a copy of a recent: company bank statement, company phone bill, or major company utility bill  (i.e. power bill, water bill, etc.).

STEP 2: Callback process
The last step is a callback process called Phone Validation. Sectigo/GoGetSSL will call you and ask you to confirm your name and order, in order to validate the official company phone number.
Below are the 4 callback options. You don’t have to do all four things from below. Doing just one of them will be enough.

A. Yellow Pages Databases. Sectigo verifies your phone number via public Yellow pages Databases.

B. DUNS. The second way is to provide your DUNS number to Sectigo/GoGetSSL. You can get your company’s DUNS number from this website: https://www.dandb.com/. If Sectigo/GoGetSSL gets back to you and says that your DUNS listing does not contain a phone number, then you need to contact Dun & Bradstreet (at https://www.dandb.com/) and ask them to “add your company’s phone number to their business directory and on the report”.

C. Local phone database. If you don’t have a DUNS number, then the other thing you can do is to provide your company’s registration number for Sectigo/GoGetSSL to check your company with your country’s governmental directories (e.g.: Corporation Division, Companies House, Department of State, etc). Please note that Sectigo/GoGetSSL will be looking to see your company’s phone number listed there as well. Not all governmental directories have the companies’ phone numbers. If the governmental directory allows you to call them, email them, or use their website to add your phone number, then please go ahead and do that.

D. Legal Opinion. If the above two options (2.1 and 2.2) don’t work for you, then the third and last option to validate your phone number is to ask a CPA (Certified Public Accountant), or a Latin Notary, or an Attorney (Lawyer) to write, sign and send a letter to Sectigo/GoGetSSL where they confirm your company name, address and phone number. You can find the sample letters below:

– Sample Accountant Letter
– Sample Legal Opinion Letter


II. Renewal/Reissue Orders

For reissue and renewal orders, instead of Steps 1 and 2, you must contact the Sectigo/GoGetSSL Validation Center at https://sectigo.com/support. Click on “Submit a ticket”, or choose Live Chat, select Validation Department and submit the following request (please replace the [] fields with the corresponding info):

Reason for the ticket: Validation
Order number: [Your Partner Order ID]
Subject: Business Validation 

Dear Sectigo!
Please validate order [Partner Order ID] using the company name [Your Company Name], with [Registration/ID number] and [DUNS number].

Sectigo will then contact you for Step 2 or any necessary updates to Step 1.

Validation for Individuals

There are a few things that you need to do to pass the Individual Validation for your Sectigo/GoGetSSL Code Signing Certificate.

STEP 1: (Optional) The first thing that you need to do is to provide your individual DUNS number to Sectigo/GoGetSSL. You can get your individual DUNS number from this website: https://www.dandb.com/. Make sure that your DUNS listing contains your full name, address and phone number. If it doesn’t, then you need to contact Dun & Bradstreet (at https://www.dandb.com/) and ask them to “add your full name, address and mobile phone number to their business directory and on the report”.

Dun & Bradstreet is an international company, and they have a database with individuals and companies from all countries (USA, Canada, United Kingdom, Australia, New Zealand, South Africa, Germany, Israel, etc). So, they work with international customers, too.

STEP 2: You need to provide the following documents to Sectigo/GoGetSSL:

a) Government-issued photo ID (driver’s license or passport);
b) One financial institution document (a bank statement or credit card statement less than six months old);
c) One non-financial document (gas bill, water bill, power bill).

STEP 3: You need to get attested by a legal authority by filling out the face-to-face verification form. You can download the form at this link. The face-to-face verification letter should be signed by a Notary, Latin Notary, registered Attorney, Certified Public Accountant (CPA), or a Justice Of The Peace. The legal authority should have accreditation and a license number that is available online.

If you decide to go with a Legal Attorney, he or she must be registered with the BAR, and the BAR should have the Attorney’s full name and license number. You can find an attorney in your country by looking into these worldwide legal directories: http://www.hg.org/legal.html

STEP 4: You need to provide all this information to Sectigo/GoGetSSL Validation Department by contacting Sectigo/GoGetSSL at https://sectigo.com/support. Click on “Submit a ticket”, select Validation Department and submit your request. Please include your Sectigo/GoGetSSL Order ID in the subject and in the body of the message that you send to Sectigo/GoGetSSL so that they know which order you are writing them about. You can find your Sectigo/GoGetSSL Order ID on your SSL Certificate’s details page inside your SSL Dragon account. See the screenshot on the right.

If you don’t see your Sectigo/GoGetSSL Order ID, then please open a ticket with us, or email us and let us know the name of the company or the name of the individual that you included in the SSL configuration form, so that we could provide you your Sectigo/GoGetSSL Order ID.


If your Credit / Debit Card payment via our default payment processor (Stripe) fails, you can always pay using a Credit/ Debit Card via PayPal. Here is how to do that:

  1. Please go to “My Invoices” page inside your SSL Dragon account to see the unpaid invoice for your order: https://my.ssldragon.com/clientarea.php?action=invoices
  2. Click on your unpaid invoice to open it;
  3. Select PayPal as a payment method and click the orange “PayPal Checkout” button on the top right of the screen;
  4. When you are on the PayPal payment page, you can click on the “Pay with Debit or Credit Card” button (see screenshot on the right).

 

Here are the steps that you need to do in order to reissue your Sectigo CPAC Certificate:

1) Login at https://secure.trust-provider.com/products/frontpage?area=ssl using the username and password that you used when you configured your Sectigo CPAC initially;
2) Once you are logged in, find the “Replace” button and click on it;
3) You will start the reissue process for your Sectigo CPAC SSL.
4) Follow the steps and instructions that come next, until you complete the Sectigo CPAC Certificate reissue.

Here are the steps that you need to do in order to reissue your Sectigo/GoGetSSL Code Signing Certificate:

1) Login at https://secure.trust-provider.com/products/frontpage?area=ssl using the username and password that you used when you configured your Sectigo/GoGetSSL Code Signing Certificate initially;
2) Once you are logged in, find the “Replace” button and click on it;
3) You will start the reissue process for your Sectigo/GoGetSSL Code Signing SSL.
4) Follow the steps and instructions that come next, until you complete the Sectigo/GoGetSSL Code Signing Certificate reissue.

How to reissue an SSL Certificate? (Except CPAC and Code Signing)

We allow you to reissue your SSL Certificate for various reasons, including Multi-Year SSL Subscriptions.

You also need to reissue your SSL Certificate if you:

  • want to change your domain name,
  • want to change your company name,
  • want to change your CSR,
  • use a new CSR,
  • lost your Private Key, etc.

Domain Validation SSL Certificates

You can reissue your SSL Certificate from your SSL Dragon account by following the next steps:

  1. Log into your SSL Dragon account;
  2. Go to “SSL Certificates” -> “My SSL Certificates”;
  3. You will see the list of products that you bought from SSL Dragon. Click on the SSL Certificate which you would like/need to reissue;
  4. Click on the “Reissue” button in the Actions section;
  5. Reconfigure your SSL Certificate – select the Server Type and CSR. As a part of the reconfiguration, your existing CSR code is auto-pasted. If you need another CSR, please replace it;
  6. For Multi-Domain SSL – the existing SANs are auto-pasted in the SANs field. If you need to change a SAN or add a new one, please update the SAN list;
  7. After reconfiguring your SSL Certificate, you will have to pass the Domain Validation again.

For Domain Validation SSL Certificates, your SSL Certificate will be reissued after you pass the domain validation successfully.

Business Validation SSL Certificates

To reissue a Business Validation SSL Certificate, you have to go through the same reconfiguration and domain validation process as described under the “Domain Validation” section above. After that, you have to pass the entire Business Validation process again, so the Certificate Authority needs to recheck the legal existence of your domain name, company, and your company’s phone number. You can read how to pass the Business Validation process at this link.

Your BV SSL Certificate will be reissued after you pass the Business Validation process again.

Extended Validation SSL Certificates

To reissue an Extended Validation SSL Certificate, you have to go through the same reconfiguration and domain validation process as described under the “Domain Validation” section above. After that, you have to pass the entire Extended Validation process again, so the Certificate Authority needs to recheck the legal existence of your domain name, company, and your company’s phone number. You can read how to pass the Extended Validation process at this link.

Your EV SSL Certificate will be reissued after you pass the Extended Validation process again.

When you configure your Sectigo/GoGetSSL Code Signing Certificate as an individual, you need to enter your first and last name in the “Company Name” field. This will tell Sectigo/GoGetSSL that you are requesting a Code Signing Certificate for an individual instead of a company.

If your router has a public IP address, you can still validate that IP address.

HTTP/HTTPS validation is the only method available for IP address validation. The HTTP/HTTPS validation method consists of adding a TXT file on your IP address and having Sectigo scan that IP address and validate it. There is no way to upload a TXT file on your router. The solution to get the IP address validated is to reroute the IP address to a server, put the TXT file on that server, pass the IP validation, and then reroute the IP addresses back to the router.

You can read more information on what the TXT file should include and where to upload it in the following FAQ item: https://www.ssldragon.com/contacts/faq/#collapse-14363

 

You can verify the integrity of an SSL certificate and private key pair with the OpenSSL utility and its command lines. 

The process consists of four steps:

  1. Verify that the private key has not been altered.
  2. Verify that the modulus values of the private key and the SSL certificate match.
  3. Successfully perform encryption with the public key from the certificate and decryption with the private key.
  4. Confirm the integrity of a file that is signed with the private key.

Verify the private key integrity

Run the following command: openssl rsa -in [key-file.key] -check -noout

Here’s an example of a corrupt private key:

private key error

Other errors resulting from an altered/forged key are listed below:

  • RSA key error: p not prime
  • RSA key error: n does not equal p q
  • RSA key error: d e not congruent to 1
  • RSA key error: dmp1 not congruent to d
  • RSA key error: iqmp not inverse of q

If you encountered any of the above errors, your private key has been tampered with and may not work with your public key. Consider creating a new private key and requesting a replacement certificate.

Here’s an example of a private key that passes the integrity check:

rsa key ok

Verify that the modulus values of the private key and the SSL certificate match

Note: The modulus of the private key and certificate must match exactly.

To view the certificate Modulus run the command:

openssl x509 -noout -modulus -in [certificate-file.cer]

To view the private key Modulus run the command:

openssl rsa -noout -modulus -in [key-file.key]

Encrypt with the public key from the certificate and decrypt with the private key

1. Get the public key from the certificate:

openssl x509 -in [certificate-file.cer] -noout -pubkey > certificatefile.pub.cer

2. Encrypt test.txt file content using public key

Create a new file called test.txt (you can use Notepad) with the content “message test”. Run the following command to write the encrypted message to the cipher.txt file.

openssl rsautl -encrypt -in test.txt -pubin -inkey certificatefile.pub.cer -out cipher.txt

3. Decrypt from cipher.txt using the private key
Perform the following command to decrypt cipher.txt content.

openssl rsautl -decrypt -in cipher.txt -inkey [key-file.key]

Ensure that you can decrypt your cipher.txt file content to your terminal. The output from the terminal must match the content on the test.txt file.

If the content does not match, the private key has been tampered with and may not work with your public key. Consider creating a new private key and requesting a replacement certificate. Here’s an example of a decrypted message:

message test

4. Confirm the file integrity signed with the private key

Run the following command to sign the test.txt file with your private key and write the signature to test.sig:

openssl dgst -sha256 -sign [key-file.key] -out test.sig test.txt

Now, verify the signed file with your public key extracted in step 1.

openssl dgst -sha256 -verify certificatefile.pub.cer -signature test.sig test.txt

Make sure that the output from the terminal is exactly like in the example below:

verified ok

If your private key is tampered with, you will receive the following message:

verification failure

In this case, you should create a new private key and request a replacement certificate.

Source: Digicert’s Knowledge Base
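
The four checks above combined into one script, as an added example that is not part of the original article or of DigiCert's knowledge base. It generates its own throwaway RSA keys and a self-signed certificate (the file names and the example.test subject are constructed), and it uses openssl pkeyutl in place of rsautl, which OpenSSL 3.x marks as deprecated. The checks apply to RSA keys only.

```shell
#!/bin/sh
# Added example: the article's four checks as functions, run on throwaway keys.
# File names and the example.test subject are constructed for the demo.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed fixtures: a key with its self-signed certificate, plus a second,
# unrelated key that plays the part of a private key that does not belong.
make_fixtures() {
    openssl genrsa -out "$WORK/good.key" 2048 2>/dev/null
    openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$WORK/good.key" -subj "/CN=example.test" \
        -days 1 -out "$WORK/cert.cer" 2>/dev/null
    printf 'message test' > "$WORK/test.txt"
}

# Step 1: internal consistency of the RSA key (primes, exponents, CRT values).
key_is_consistent() {                       # $1 = private key
    openssl rsa -in "$1" -check -noout >/dev/null 2>&1
}

# Step 2: the certificate and the key must carry the same modulus.
modulus_matches() {                         # $1 = certificate, $2 = private key
    cert_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 2
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 2
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

extract_pubkey() {                          # $1 = certificate
    openssl x509 -in "$1" -noout -pubkey > "$WORK/pub.pem" 2>/dev/null
}

# Step 3: encrypt with the certificate's public key, decrypt with the private
# key, and compare the result byte for byte with the original message.
roundtrip_ok() {                            # $1 = certificate, $2 = private key
    extract_pubkey "$1" || return 2
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/pub.pem" \
        -in "$WORK/test.txt" -out "$WORK/cipher.bin" 2>/dev/null || return 2
    openssl pkeyutl -decrypt -inkey "$2" \
        -in "$WORK/cipher.bin" -out "$WORK/plain.out" 2>/dev/null || return 1
    cmp -s "$WORK/test.txt" "$WORK/plain.out"
}

# Step 4: sign with the private key, verify with the certificate's public key.
signature_ok() {                            # $1 = certificate, $2 = private key
    extract_pubkey "$1" || return 2
    openssl dgst -sha256 -sign "$2" -out "$WORK/test.sig" "$WORK/test.txt" \
        2>/dev/null || return 2
    openssl dgst -sha256 -verify "$WORK/pub.pem" -signature "$WORK/test.sig" \
        "$WORK/test.txt" >/dev/null 2>&1
}

# Run all four steps in order and stop at the first one that fails.
check_pair() {                              # $1 = certificate, $2 = private key
    key_is_consistent "$2"    || { echo "FAIL step 1: key is inconsistent"; return 1; }
    modulus_matches "$1" "$2" || { echo "FAIL step 2: modulus mismatch"; return 1; }
    roundtrip_ok "$1" "$2"    || { echo "FAIL step 3: decryption mismatch"; return 1; }
    signature_ok "$1" "$2"    || { echo "FAIL step 4: signature not verified"; return 1; }
    echo "OK: private key and certificate belong together"
}

make_fixtures
echo "matching key:";  check_pair "$WORK/cert.cer" "$WORK/good.key"
echo "unrelated key:"; check_pair "$WORK/cert.cer" "$WORK/other.key" || true
```

The unrelated key passes step 1 on its own, because it is a valid RSA key; it is steps 2 to 4 that show it does not belong to the certificate.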

Some Certificate Authorities (especially Sectigo and DigiCert) may ask you to update or add your phone number to your company’s DUNS listing, as a part of your Business or Extended Validation process.

After you have contacted Dun & Bradstreet and added your phone number to your company’s DUNS listing, it may take between 5 and 40 days for Dun & Bradstreet to make your DUNS listing update available to the public. When you talk to Dun & Bradstreet over the phone, they may tell you that they added or updated your phone number. However, they have only initiated the process. Your phone number will appear on the Dun & Bradstreet website (https://www.dandb.com/) in about 5 to 40 days after that.

You will know that your DUNS listing has been truly updated only when you get an email message from Dun & Bradstreet saying that your DUNS profile has been updated successfully. Your phone number will start appearing on your DUNS listing only after you get this email from them. Also, Certificate Authorities (such as Sectigo and DigiCert) can verify your phone number based on your DUNS listing only when your phone number is publicly available. That’s why you or we should contact the Certificate Authority requesting them to check your DUNS listing only after you get that confirmation by email.

In the past, we asked the Validation Department representatives from Sectigo and DigiCert to contact Dun & Bradstreet directly, and check our customer’s phone number with Dun & Bradstreet. We did that after our customers told us that they added or updated their phone number on their DUNS listing. Each time, the Dun & Bradstreet representatives told Sectigo and DigiCert that our customers’ DUNS listing update was “in progress” and “has not been completed yet”, and advised them to get back to Dun & Bradstreet once the customers had received an email message from Dun & Bradstreet confirming that their DUNS listing was updated.

If 5-40 days is too long to wait, we recommend that you go with other methods of validating your company and phone numbers, such as providing a legal letter written by a notary, an attorney, or a certified public accountant. This method will allow you to pass the Business or Extended Validation within 1-2 days.

When configuring your SSL Certificate, you are asked to choose your webserver type.

If you don’t know which server type you have, simply choose “Other” and your SSL Certificate will work on any server type. For certificate authorities, the webserver type question is more a statistics question than an attribute by which your SSL Certificate will be configured. Certificate authorities need to know which server types are the most used in order to build their certificates to be compatible with all these server types.

Once you have your CSR code and Private Key, you can enter your CSR when ordering an SSL Certificate. Here is where you need to enter your CSR code:

  1. Sign in to “My Account” on our SSL Dragon website;
  2. Once you are logged in, go to the main menu, select “SSL Certificates” -> “My SSL Certificates”;
  3. You will see the list of SSL Certificates which you bought on our website. Click on the SSL Certificate which you have just ordered, to enter its details page;
  4. When you are on the details page of the SSL certificate which you bought, go towards the bottom of the page, and click on the green button which says “Configure Now”;
  5. Fill in the 2 or 3 steps form, by entering your personal and your company information. The second thing that you will be asked about on this form is the CSR. Copy and paste your CSR code in the text area which asks you for your CSR;
  6. Once the 2 or 3 steps form is completed in full, your SSL Certificate order will be submitted to the Certificate Authority;
  7. A message will be sent to the email address which you selected in Step 2. Open that message and confirm that you are the owner of the domain name for which you requested the SSL Certificate;
  8. Once these are done successfully, you will receive your SSL Certificate in anything between 5 minutes (for a Domain Validation SSL Certificate) and 7-10 days (for an Extended Validation SSL Certificate).
  1. One of the most common reasons why a website which has an SSL Certificate installed continues to show as insecure is that the website continues to pull content, images or videos from unsecured HTTP links. You need to change all the links that you are pulling content from to HTTPS links, and your website will start showing as secure immediately.
  2. The second most common reason why a website may show as insecure although you installed an SSL Certificate on it is that your server is outdated and/or doesn’t support the latest TLS settings requirements.
  3. The third most common reason why a website may show as insecure although you installed an SSL Certificate on it is that you and other visitors continue to open your website through an unsecured HTTP link. You should put a redirect in the server configuration file or in the site’s htaccess file, so that whoever enters your website by typing “www.mywebsite.com” is automatically redirected to https://www.mywebsite.com. In other words, you should put a redirect in place that sends all users to your secured site. Here are some articles on how to do this.
  4. You also might be missing the CA-bundle/Intermediate/Root SSL Certificates.
  5. Another problem might be an incorrect SSL installation.

All 5 reasons, and any others, can be revealed by checking how well your SSL was installed, using these tools: SSL Server Test and Why No Padlock?

They will offer you a free report on your SSL Certificate installation along with detailed information on how to fix any vulnerabilities.

Also, we recommend reading our article called: How to move your website from HTTP to HTTPS easily and with no pain. The article goes even further and comes with many more recommendations on what to check and do to have your website open from an HTTPS link correctly.
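An added example (not part of the original FAQ): a Python scanner for the first cause in the list above, reporting every tag in a page that still loads or submits over a plain http:// link. The sample page and its host names are constructed for illustration.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs that make the browser fetch or submit something.
# "active"  = scripts, frames, stylesheets, plugins
# "passive" = images and media
# "form"    = a form that posts visitor input to an http:// address
RULES = {
    ("script", "src"): "active",
    ("iframe", "src"): "active",
    ("link", "href"): "active",      # only counted for rel="stylesheet"
    ("object", "data"): "active",
    ("img", "src"): "passive",
    ("audio", "src"): "passive",
    ("video", "src"): "passive",
    ("source", "src"): "passive",
    ("form", "action"): "form",
}


class MixedContentScanner(HTMLParser):
    """Collects (line, kind, tag, url) for every http:// subresource."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        rel = (attrs.get("rel") or "").lower().split()
        for (rule_tag, attr), kind in RULES.items():
            if rule_tag != tag:
                continue
            if tag == "link" and "stylesheet" not in rel:
                continue  # canonical/alternate links are not loaded as content
            url = (attrs.get(attr) or "").strip()
            if url.lower().startswith("http://"):
                line, _col = self.getpos()
                self.findings.append((line, kind, tag, url))


def scan(html_text):
    """Return the list of insecure references found in html_text."""
    scanner = MixedContentScanner()
    scanner.feed(html_text)
    scanner.close()
    return scanner.findings


# Constructed sample page (hypothetical hosts).
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="canonical" href="http://www.mywebsite.com/">
<script src="https://cdn.example.com/app.js"></script>
</head><body>
<img src="http://images.example.com/logo.png">
<a href="http://other.example.com/">a plain link, not a subresource</a>
<form action="http://www.mywebsite.com/login" method="post"></form>
<img src="//cdn.example.com/ok.png">
</body></html>"""

if __name__ == "__main__":
    for line, kind, tag, url in scan(SAMPLE_PAGE):
        print(f"line {line}: {kind:7} <{tag}> {url}")
```

Plain `<a href>` links and protocol-relative `//` URLs are deliberately not reported: the first is navigation, and the second inherits the page's own scheme.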

Certificate revocation is the process of invalidating a code signing certificate before its scheduled expiration date. It’s software industry-standard best practice to revoke any code signing certificate associated with a security breach, as that certificate could potentially contain compromised code.

Sectigo’s Certificate Practices Statement and license agreement require the company to revoke any certificate that to its knowledge may be used for illegal or dishonest activities.

Since the same certificate could be used for both right and wrong purposes, Sectigo relies on credible third parties to provide correct information about Sectigo certificates used for malware.

Sectigo may revoke the code signing certificate in the following instances:

  • A cybercriminal steals or alters a valid code signing certificate
  • A contractor or employee uses a valid certificate for deceptive purposes without the company’s knowledge.
  • The company’s code, website, or software is infected with malware or other cyber attacks.

As a Certificate Authority, Sectigo cannot rely on self-reporting of false positives by code signing certificate owners because they may not know that their certificates or digital goods are compromised.

Source: Sectigo’s Knowledge Base

As of June 16, 2021, Sectigo no longer accepts WHOIS-based email addresses for Domain Control Validation (DCV) when the WHOIS requires a human lookup for domain information. WHOIS is a widely used Internet record listing that identifies who owns a domain and how to get in contact with them.

The change won’t affect emails that can be found on WHOIS via automated lookups. These emails will be presented to you during the certificate request process, or via the ‘GetDCVEmailAddressList’ API. The ‘constructed’ email addresses will still be available.

If the email address you need is not displayed or offered during the DCV process, you will need to use one of the alternative methods for the Domain Control Validation below:

Source: Sectigo’s Knowledge Base

Currently, SSL certificates of any type CAN NOT be issued to individuals or business entities in the following countries, websites, or the following country-code-top-level domains (TLDs). The following jurisdictions are restricted by US Export restriction laws:

  • AF – AFG – Afghanistan
  • BY – BLR – The Republic of Belarus
  • CU – CUB – Cuba
  • ER – ERI – Eritrea
  • GN – GIN – Guinea
  • IR – IRN – Iran, Islamic Republic of
  • KP – PRK – Korea, Democratic People’s Republic of
  • LR – LBR – Liberia
  • RU – RUS – The Russian Federation – as of March 2022
  • SS – SSD – South Sudan
  • SY – SYR – Syrian Arab Republic
  • ZW – ZWE – Zimbabwe.

Source: Sectigo’s Knowledge Base

When dealing with SSL certificates, you’ll come across different certificate extensions. A file extension is a designation at the end of a file. For example, a certificate named “yourdomain.crt” has a certificate extension of “.crt”. The “*” we put in front means that the name before the period could be anything. It’s only what is after the period that matters for identification of extension type.

Below is a list of certificate extensions:

*.CSR – Certificate Signing Request – a block of encoded text with your contact data you must generate and submit to the CA during the SSL ordering process.

*.CER or *.CRT – Base64-encoded X.509 Certificate – stores a single certificate. This format does not support the storage of private keys.

*.PFX or *.P12 – Personal Information Exchange Format – stores private and public keys and all certificates in the path. Used to export a certificate and retain full private key functionality.

*.DER – DER-encoded binary X.509 Certificate – stores a single certificate. This format does not support the storage of private keys.

*.P7B or *.P7R or *.SPC – Cryptographic Message Syntax Standard – stores all certificates in the path and does not store private keys.

*.PEM – Privacy-Enhanced Mail – concatenated (combined) certificate containers frequently used in certificate installations when multiple certificates that form a complete chain are being imported as a single file.

*.CRL – Certificate Revocation List – designates a certificate that has been revoked.

Learn more about certificate formats and conversion tools with our detailed guide.
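An added example, not from the original FAQ or from any CA: because the extension is only a naming convention, this Python code classifies a file by its content (PEM label or leading DER bytes) and flags anything that carries a private key before the file is shared. The sample inputs are constructed placeholder bytes, not real certificates or keys, and the DER checks are heuristics on the first bytes only.

```python
import base64
import re

# A PEM object: BEGIN line, base64 body, matching END line.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

PEM_KINDS = {
    "CERTIFICATE REQUEST": "CSR",
    "NEW CERTIFICATE REQUEST": "CSR",
    "CERTIFICATE": "X.509 certificate",
    "PKCS7": "PKCS#7 certificate bundle",
    "X509 CRL": "certificate revocation list",
}


def der_sequence_body(data):
    """Return the content of a single DER SEQUENCE spanning all of data,
    or None if data is not shaped like one."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                       # short length form
        header, length = 2, first
    else:                                  # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return None
        header, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    if header + length != len(data):
        return None
    return data[header:]


def classify(data):
    """Describe what a certificate-related file really contains."""
    blocks = PEM_BLOCK.findall(data)
    if blocks:
        kinds = []
        for label, _body in blocks:
            label = label.decode("ascii")
            if label.endswith("PRIVATE KEY"):   # RSA/EC/ENCRYPTED/plain PKCS#8
                kinds.append("private key")
            else:
                kinds.append(PEM_KINDS.get(label, "unknown (" + label + ")"))
        return {"encoding": "PEM", "objects": kinds,
                "private_key": "private key" in kinds}

    body = der_sequence_body(data)
    if body is None:
        return {"encoding": "unknown", "objects": [], "private_key": False}
    if body[:3] == b"\x02\x01\x03":        # PFX starts with INTEGER version 3
        # A .pfx/.p12 store normally exists to carry the private key.
        return {"encoding": "DER", "objects": ["PKCS#12 store"],
                "private_key": True}
    if body[:3] == b"\x02\x01\x00":        # PKCS#1 / PKCS#8 key: INTEGER version 0
        return {"encoding": "DER", "objects": ["private key"],
                "private_key": True}
    if body[:1] == b"\x30":                # nested SEQUENCE comes first
        return {"encoding": "DER", "objects": ["certificate, CSR or CRL"],
                "private_key": False}
    return {"encoding": "DER", "objects": ["unknown structure"],
            "private_key": False}


def make_pem(label, der=b"\x30\x03\x02\x01\x00"):
    """Build a constructed PEM object with placeholder content."""
    b64 = base64.b64encode(der).decode("ascii")
    text = "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, b64, label)
    return text.encode("ascii")


# Constructed samples (placeholder bytes only).
SAMPLE_FULLCHAIN = make_pem("CERTIFICATE") + make_pem("CERTIFICATE")
SAMPLE_COMBINED = make_pem("PRIVATE KEY") + make_pem("CERTIFICATE")
SAMPLE_PFX = bytes([0x30, 0x05, 0x02, 0x01, 0x03, 0x30, 0x00])
SAMPLE_DER_CERT = bytes([0x30, 0x04, 0x30, 0x02, 0x05, 0x00])

if __name__ == "__main__":
    for name, blob in [("fullchain.pem", SAMPLE_FULLCHAIN),
                       ("site.crt", SAMPLE_COMBINED),
                       ("site.pfx", SAMPLE_PFX),
                       ("site.der", SAMPLE_DER_CERT)]:
        print(name, classify(blob))
```

The `site.crt` sample shows the case worth checking for: a file with a certificate extension that also holds the private key.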

You can order a Sectigo Personal Authentication Certificate (SPAC) for any valid email address. Below are the validation requirements for each type of Personal Authentication Certificate:

SPAC Basic

Validation requires a challenge-response from you, which is sent to the email address you provide. Once you have followed the instructions in the challenge email, the certificate is issued.

SPAC Pro

To obtain a SPAC Pro certificate, you need to complete the following steps:

  • Provide a government-issued photo ID such as a driver’s license, passport, national ID card, or military ID. The name on the government-issued photo ID must match the name on the certificate. You must provide a legible and readable copy of the photo ID.
  • Verify your email address by responding to a challenge sent to the email address listed on the certificate.

After you complete the instructions in the challenge email, the certificate is issued.

SPAC Enterprise

Validation for an Enterprise requires the following:

  • Business Identity verification using a QIIS, QGIS, or QTIS document (the definitions of these acronyms are at the end of this FAQ).
  • Authenticating the identity of the applicant (listed as the admin contact on the order). The name on the government-issued photo ID (driver’s license, passport, national ID card, or military ID) must match the name of the admin contact. Sectigo requires applicants to provide a legible and readable copy of the photo ID.
  • Physical address verification via a QIIS, QGIS, or QTIS document.
  • Order authentication via a callback process using the business telephone number included in a QIIS, QGIS, or QTIS document.

Once the above steps are completed, the certificate is issued.

Definitions:

QIIS stands for Qualified Independent Information Source – an up-to-date public database that provides reliable and accurate information for which it is consulted. Examples of QIIS are local phone directories or third-party commercial credit services such as Dun & Bradstreet.

QTIS (Qualified Tax Information Source) is a governmental database that contains tax information relating to Private Organizations, Business Entities, or Individuals. Employer Identification Number (EIN) is considered a QTIS.

QGIS stands for Qualified Government Information Source – a database maintained by a Government Entity that contains legal business registration, corporate filing, trademarks, and patents.

Source: Sectigo’s Knowledge Base

What are Multi-Year SSL Subscription Plans?

Starting August 19th, 2020, the validity of publicly-trusted SSL/TLS certificates issued by all Certificate Authorities (CAs) has been limited to a maximum of 13 months.

However, in order to make your SSL Management process time-saving and cost-effective, the CAs and SSL Dragon are offering you the 2 Year and 3 Year SSL Subscription Plans.

This means that you can still buy a 2 or 3 year SSL Certificate and continue to benefit from multi-year discounting, while still remaining compliant with the CAB Forum SSL requirements.

How does the Multi-Year SSL work?

Due to security reasons, your SSL certificate is initially issued with a maximum 1-year validity.

30 days before the expiration of your certificate, SSL Dragon, on behalf of the CA, will notify you and ask you to reissue your SSL, in order to get the additional (replacement) 1-year certificate, according to your Subscription Plan.

This FAQ explains to you how to reissue your SSL Certificate, step by step.

You will need to validate & install the replacement SSL:

a. If you have a Domain Validation SSL Certificate, a short verification of your domain name will be required via Email, HTTP, or DNS in order to issue the 1-yr replacement SSL.

b. If you have a Business or Extended SSL Certificate – an additional Business Validation/Extended Validation recheck and callback process will also be required.

You can still reissue your certificate at any time and as many times as you like during your Multi-Year SSL Subscription Plan.

On your SSL Certificate’s page within the SSL Dragon account, you will find all the details regarding your Subscription Plan:

  • Valid From – Shows the date when your SSL was issued and became active
  • Expires – Shows the date when your SSL expires and needs to be reissued (not Renewed).
  • Subscription Starts – The date when the first SSL was issued and the subscription period activated
  • Subscription Ends – The date when the subscription ends and SSL needs to be Renewed (not Reissued)
  • Next Reissue – Shows the number of days left on your SSL. The Certificate should be reissued 30 days prior to this date.

You can find detailed documentation about the SSL Certificates’ best installation practices at SSL Labs.

If you are still wondering what the main benefits of each validation type (Domain Validation (DV), Business Validation (BV), and Extended Validation (EV)) are and why you should choose one over another, then this is the right FAQ for you. Each of these SSL Certificate types was created with a certain customer trust level in mind:

  • Basic: Domain Validation SSL Certificates – created for customers who aren’t interested in showing their company name and address in the SSL Certificate – either because they don’t need/want to or simply because they just don’t have a company. They only need to get the SSL Certificate very quickly in order to secure their domain name with HTTPS and have all web and mobile browsers display their website as “Secure”.
  • Medium: Business Validation SSL Certificates – designed for clients who want to display their company’s name in their SSL Certificate’s details in order to assure their customers that their business is real and trustworthy. BV SSL Certificates also allow you to display on your website a site seal provided by the third party Certificate Authority which proves that your SSL Certificate was issued to your company’s name and address.
  • Top: Extended Validation SSL Certificates – developed for clients for whom users’ trust is highly important. EV SSL Certificates also provide the site seal which proves that your SSL Certificate was issued to your website, company’s name and address, but these certificates have the topmost trust level because they show your customers, prospects, and visitors that your website is highly secure and that their information is always protected.

Now that you know the main differences between Domain Validation (DV), Business Validation (BV), and Extended Validation (EV) SSL Certificates, it should be much easier for you to choose the one that fits you best.

A Multi-Domain (SAN) SSL Certificate is specifically created to allow users to secure multiple domains and/or multiple sub-domains with one single SSL Certificate. Depending on the SSL Certificate product and brand, the certificate will include a different number of additional domains (called SANs) at the price quoted on the SSL Certificate’s details page (see screenshot on the right).

For example, a Multi-Domain (SAN) SSL Certificate that has 4 domains by default allows you to secure:

  • Four different domains:
    1. mysite.com
    2. example.com
    3. abcxyz.com
    4. demo123.com
  • Four different subdomains:
    1. my.example.com
    2. mail.example.com
    3. test.mysite.com
    4. account.mysite.com
  • Four different domains and subdomains:
    1. example.com
    2. my.example.com
    3. abcxyz.com
    4. mail.demo123.com

NOTE: Here is how you should configure your Multi-Domain SSL Certificate on our website: When you generate a CSR (Certificate Signing Request), please include one single domain name or sub-domain in it, such as: www.example.com. The rest of the domains or sub-domains, which are called SANs (2nd, 3rd, 4th domains or sub-domains) should be included in the fields for additional domains. You will see the fields for additional domains on the SSL Certificate configuration form, right under the text area for the CSR (see screenshot on the right).

Sectigo Personal Authentication Certificates were designed for individuals and businesses who are looking at implementing the best web security practices, such as email & document encryption and user two-factor authentication. However, each CPAC SSL Certificate was designed to fit a particular need. Just like DV, BV, and EV SSL Certificates, CPAC SSL Certificates come with different validation requirements which enable certain certificate fields:

  • CPAC Basic – requires Domain Control and displays only your email in the SSL Certificate
  • CPAC Pro – requires Domain Control and Identity Verification in order to display your email, First and Last Name in the SSL Certificate
  • CPAC Enterprise – requires Domain Control, Identity Verification, and Organization Validation in order to display your email, First and Last Name, as well as Company Name and Address in the SSL Certificate.

Based on your actual needs, you can now decide which Sectigo Personal Authentication Certificate is the best option for you and gives your business activity enhanced web security.

For more info about validation requirements for each type of certificate, check this FAQ section.

In order to buy a Domain Validated certificate, you do not need to provide any documentation. You will have to confirm the domain ownership through a simple email, DNS record, or file-based authentication (except wildcard SSL certificates). Following completion of one of these elements, the DV certificate will be signed and released to you.

Your current SSL Certificate will expire as soon as the “Expires” date for your SSL Certificate passes. If you keep your old, expired SSL Certificate on your website, all web and mobile browsers will show your website as insecure, warn users that your website has a major security problem, and will not let visitors enter your website unless they explicitly accept to enter it at their own risk. You can see an example of these security alerts that visitors will see on your website if you keep an expired SSL Certificate.

The solution to prevent that is to renew your SSL Certificate, and install the newly renewed SSL Certificate on your website. In that case your website will continue to show as secure.

The other, less preferable solution is to uninstall the SSL Certificate from your website. In that case, visitors will be able to see your website. They will not be stopped from viewing your website as shown in the screenshot above. However, since your website will not have an SSL Certificate at all, visitors will see the “Not secure” message in the browser’s URL bar next to the name of the website.

Whether you accidentally or purposefully enter some incorrect information during the CSR generation process, the CSR and the Private Key will still be issued to you immediately. However, once you use the CSR code to apply for an SSL Certificate, you may or may not be issued an SSL Certificate. It is solely at the Certificate Authority’s discretion to approve or decline your SSL Certificate issuance if you entered incorrect information about you and your company.

If you found out that the CSR is wrong and you already configured the SSL, please open a ticket with us and provide the correct CSR.

If you realized that you entered incorrect information in the CSR while generating it, you simply have to put aside, ignore or delete your existing CSR and Private Key. After that, you should generate a new CSR code (which will automatically generate a new Private Key too), using correct information about yourself and your company. Use the newer CSR when applying for an SSL Certificate, and then your newer Private Key when installing your SSL Certificate on your website and server.

The CSR must contain the following mandatory encrypted information: your Country, State, City/Town, Name of the company, Department from your company, and the Domain name or IP address that you want the SSL Certificate to be issued for.

It may also contain this optional information: the email address where your CSR code and the Private Key will be sent to once they are both generated.

To avoid any errors, please make sure that:

  1. You DO NOT enter “http://” or “https://” along with your domain name as a common name when generating the CSR. Please enter only “www.domain.com” or “domain.com” as a common name. Also, make sure you don’t have any extra spaces before or after your domain name.
  2. When generating the CSR code you were given a CSR code and a Private Key. Make sure that you only enter the CSR code in the SSL Configuration form. DO NOT enter the Private Key, but save it and keep it in a safe location on your computer or email, because you will need it when installing the SSL Certificate on your website/server.
  3. The CSR that you enter in the SSL Configuration form should include the following two lines: “-----BEGIN CERTIFICATE REQUEST-----” header and “-----END CERTIFICATE REQUEST-----” footer.
  4. For Wildcard SSL Certificates – When generating the CSR code for a Wildcard SSL Certificate, you have to include an asterisk and dot (*.) before your domain name. In other words, you should fill in *.yourdomain.com as a common name in your CSR.
  5. For Multi-Domain Wildcard SSL Certificates – Any Multi-Domain Wildcard SSL Certificate should start with a non-Wildcard domain. This means that you need to generate the CSR for a single domain – example.com – without any asterisk sign “*.”. Please read more in this FAQ.
  6. Your CSR is not configured for the following countries – Russia (RU), Belarus (BY) (since 2022), Afghanistan (AF), Crimea (Russia), Cote d’Ivoire (CI), Cuba (CU), Eritrea (ER), Guinea (GN), Iraq (IQ), Iran (IR), Democratic People’s Republic of Korea (KP), Liberia (LR), Myanmar (MM), Rwanda (RW), Sudan (SD), Sierra Leone (SL), South Sudan (SS), Syrian Arab Republic (SY), Venezuela (VE), Zimbabwe (ZW) – It’s prohibited to issue SSLs for these countries: https://sectigo.com/knowledge-base/detail/Banned-Country-List-1527076085907/kA01N000000zFKI and https://knowledge.digicert.com/solution/Embargoed-Countries-and-Regions.html
  7. For IP Address SSL Certificates – For Sectigo InstantSSL Premium, the common name should be your IP address. For GoGetSSL Public IP SAN SSL Certificate, you will be asked to generate a CSR with NO Common Name. Here is how to do it.
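An added example (not SSL Dragon's or any CA's own validation code): a Python pre-flight check for points 1 to 5 of the list above, run on the common name before generating the CSR and on the text about to be pasted into the configuration form. The product labels "single", "wildcard" and "multi-domain-wildcard" are hypothetical names used only in this example, and the sample CSR body is constructed placeholder bytes.

```python
import base64
import ipaddress
import re

CSR_RE = re.compile(
    r"\A\s*-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----\s*(.+?)\s*"
    r"-----END (?:NEW )?CERTIFICATE REQUEST-----\s*\Z", re.S)
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$", re.I)
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)


def check_common_name(cn, product="single"):
    """Return a list of problems with a common name (empty list = OK)."""
    problems = []
    if cn != cn.strip():
        problems.append("extra space before or after the name")
    name = cn.strip()
    if SCHEME_RE.match(name):
        problems.append("remove the http:// or https:// prefix")
        name = name.split("://", 1)[1]
    if "/" in name:
        problems.append("remove the path; only the host name belongs here")
        name = name.split("/", 1)[0]
    try:
        ipaddress.ip_address(name)
        return problems            # IP common names are product-specific (point 7)
    except ValueError:
        pass
    labels = name.split(".")
    wildcard = labels[0] == "*"
    if product == "wildcard" and not wildcard:
        problems.append("wildcard order: common name must start with *.")
    if product != "wildcard" and wildcard:
        problems.append("common name must not start with *. for this product")
    host_labels = labels[1:] if wildcard else labels
    if len(host_labels) < 2 or not all(LABEL_RE.match(l) for l in host_labels):
        problems.append("not a valid domain name")
    return problems


def check_csr_paste(text):
    """Return a list of problems with the text pasted into the CSR field."""
    if "PRIVATE KEY" in text:
        return ["private key pasted: keep it on the server, submit only the CSR"]
    if "\u2014" in text or "\u2013" in text:
        # Rich-text editors turn ----- into long dashes and break the PEM armor.
        return ["typographic dashes found: copy the CSR as plain text"]
    match = CSR_RE.match(text)
    if not match:
        return ["missing BEGIN/END CERTIFICATE REQUEST lines"]
    try:
        der = base64.b64decode("".join(match.group(1).split()), validate=True)
    except ValueError:
        return ["CSR body is not valid base64 (truncated or edited?)"]
    if der[:1] != b"\x30":
        return ["CSR body does not decode to a DER structure"]
    return []


# Constructed sample: correct armor around placeholder DER bytes.
SAMPLE_CSR = (
    "-----BEGIN CERTIFICATE REQUEST-----\n"
    + base64.b64encode(b"\x30\x03\x02\x01\x00").decode("ascii")
    + "\n-----END CERTIFICATE REQUEST-----\n"
)

if __name__ == "__main__":
    print(check_common_name(" https://domain.com/about.html"))
    print(check_common_name("*.yourdomain.com", "wildcard"))
    print(check_csr_paste(SAMPLE_CSR))
```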

The Business Validation (BV), also called Organization Validation (OV), SSL certificate is recommended if you have an e-commerce website that is a registered business. Besides the domain validation performed through e-mail, you will have to provide company documentation to receive business authentication. During this authentication process, the Certificate Authority (CA) will verify if your business is carried out by a legitimate, good faith company operating at the provided location. Since the validation is done manually and involves paperwork, you will receive your Business Validation SSL certificate within 1-3 business days.

After receiving Business Validation, the “https” and padlock icon will be displayed on your website’s address bar. These signs will make customers more willing to entrust you with their personal and financial information. Yet, if your website’s purpose is to perform large sales, offer specific products/services or execute financial transactions, you should consider buying our Extended Validation (EV) certificate.

The CodeSigning certificate was specifically developed to increase the trustworthiness of your software products. This type of certificate protects your digital downloadable goods, like scripts or code, by signing them and guaranteeing their authenticity and integrity. It raises your customers’ trust by assuring them that your content is safe and that it belongs to your company. Moreover, the Authenticode Technology guarantees that if the code is damaged after being signed, the digital signature will break and alert the client that the software is no longer credible.

CodeSigning certificates are Business Validation (BV) and Personal Validation SSL certificates. The Business Validation SSLs require Certificate Authority’s (CA’s) authentication through providing your company’s documents, along with performing domain validation by email. The Personal Validation requires personal identification verification of the owner. The entire validation process may take up to 2 or 3 business days to issue your CodeSigning certificate that will serve as a third party guarantee for the authenticity of your digital goods.

You can find our full list of CodeSigning certificates at this link.

“CSR” stands for “Certificate Signing Request”. The CSR code represents an encrypted text message which a person or a company sends to the Certificate Authority through SSL Dragon as a part of applying for an SSL Certificate. The CSR code contains information about you and your company, which will be included in the SSL Certificate that will be issued to you.

The Domain Validation (DV) SSL certificate is the most affordable choice for increasing the security of your blog, personal or small business website. Since there is no required paperwork, the process of acquiring the Domain Validation certificate is very quick and easy: you will have to prove that you are the domain owner just by responding to an automatic e-mail message. After a couple of minutes, you will receive the issued SSL certificate which can be installed immediately. Sites with Domain Validation certification can be identified by the padlock that is displayed by most web browsers.

This type of SSL certificate is recommended if you need to prove that your site is secured by having a secured connection. The Domain Validation certificates don’t display the legal entity, as the identity of the website owner is not checked while issuing them. So, if you have an e-commerce website or a site that collects users’ personal data, you should consider buying our Business Validation (BV) or Extended Validation (EV) certificates, which will make your site more trustworthy.

A fully qualified domain name (FQDN), sometimes also referred to as an ‘Absolute Domain Name’, the ‘Domain Name’, or ‘Common Name’ is a domain name that specifies its exact location in the tree hierarchy of the Domain Name System (DNS).

You must specify the FQDN when filling in the Certificate Signing Request form. For example, if you wish to secure https://yoursite.com/about.html, the ‘Domain Name’ or ‘Common Name’ is yoursite.com.

As you can see, the FQDN doesn’t include the protocol name (https://) nor the subpages or subcategories (about.html).

Please note, when requesting a Wildcard SSL certificate, you must add an asterisk before your Domain Name. For instance, *.yourdomain.com.

Source: Sectigo’s Knowledge Base

The Subject Alternative Name (SAN) SSL certificate, also called the Unified Communication Certificate (UCC) or the Multi-Domain SSL certificate, was developed specifically to secure all your domains and subdomains with one single SSL certificate. This type of certificate secures both your internal and external domains/subdomains and is fully compatible with your Microsoft Exchange products and Microsoft Office Communications Server.

UCC/SAN SSL certificates are not just easy to manage but are also the most cost-effective option. These certificates give you the opportunity to secure your main domain, for example, ssldragon.com, together with many other totally distinct domains, like ssldragon.net, ssldragonsslcertificates.com and its subdomains mail.ssldragon.com and account.ssldragon.com – all with 1 single certificate. Besides, unlike Wildcard SSL certificates, UCC/SAN certificates are available in all three validation methods: Domain Validation (DV), Business Validation (BV) and Extended Validation (EV).

You can find our full list of Multi Domain (UCC/SAN) SSL Certificates at this link.

Scalable certificates offer a range of encryption bit lengths. By default, DigiCert digital certificates are 2048-bit encryption strength. However, some older web browsers only support an encryption length of 256-bit, 128-bit, and 40 bits. Rather than force those customers to upgrade their browsers, the DigiCert certificate scales down, offering the customer the maximum strength they can support.

A site seal is a security icon graphic showing the name of the issuing Authority of the SSL. The site seal on your website is a proof that your business has been verified by the Certificate Authority.

You will be issued a static or dynamic site seal, depending on the SSL certificate that you buy for your website. A dynamic site seal will usually display a live time and date stamp and/or your company name. Visitors can click on the site seal to display additional verification information.

By displaying the site seal in a prominent place on your website, you will make your clients feel safer while performing transactions, knowing that any information shared is within a secure environment and authenticated by a trusted Certificate Authority.

The Wildcard SSL certificate was specifically designed for ensuring the security of your main domain, along with its multiple subdomains. For instance, if your site’s domain is ssldragon.com, then the Wildcard certificate for “*.ssldragon.com” will secure an unlimited number of your first-level subdomains like mail.ssldragon.com, account.ssldragon.com or login.ssldragon.com. By buying this SSL certificate, you don’t need to purchase other certificates for each subdomain. The Wildcard SSL certificate comes in two options: Domain Validation (DV) and Business Validation (BV).

Besides being a convenient way of securing your site, Wildcard SSL certificates are very easy to manage because the domains will have the same renewal date. This is why you should consider getting Wildcard certificates if you own a complex website, with different subdomains, IP addresses or server storage options. Yet, if you have level 2 subdomains (like test.account.ssldragon.com) or you need an Extended Validation (EV) SSL Certificate, you may have to buy a separate SSL certificate for each domain/subdomain or a UCC/SAN SSL certificate for all of them.
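An added example (not from the original FAQ): a Python coverage check that takes the names listed in a certificate and a host inventory and reports which hosts the certificate does not cover, using the standard TLS matching rule that "*" stands for exactly one leftmost label. The sample name lists are constructed, and the wildcard sample assumes the certificate lists the bare domain next to the wildcard name.

```python
def san_matches(san, host):
    """True if a certificate name covers host.

    '*' is accepted only as the whole leftmost label and matches exactly
    one label, so *.ssldragon.com covers mail.ssldragon.com but neither
    ssldragon.com nor test.account.ssldragon.com.
    """
    san_labels = san.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if "*" in san_labels[1:] or len(san_labels) != len(host_labels):
        return False
    if san_labels[0] == "*":
        return bool(host_labels[0]) and san_labels[1:] == host_labels[1:]
    return san_labels == host_labels


def coverage_report(san_list, hosts):
    """Map every host to the name that covers it, or to the reason it is not covered."""
    report = {}
    for host in hosts:
        hit = next((s for s in san_list if san_matches(s, host)), None)
        if hit is not None:
            report[host] = "covered by " + hit
            continue
        # Most common miss: the host sits deeper than the wildcard reaches.
        deeper = [s for s in san_list
                  if s.startswith("*.") and host.lower().endswith(s[1:].lower())]
        if deeper:
            report[host] = "NOT covered: more than one label below " + deeper[0]
        else:
            report[host] = "NOT covered: no matching name"
    return report


# Constructed name lists, using the host names from the text above.
SAMPLE_WILDCARD_CERT = ["*.ssldragon.com", "ssldragon.com"]
SAMPLE_SAN_CERT = ["ssldragon.com", "ssldragon.net",
                   "mail.ssldragon.com", "test.account.ssldragon.com"]
SAMPLE_HOSTS = ["ssldragon.com", "mail.ssldragon.com",
                "test.account.ssldragon.com", "ssldragon.net"]

if __name__ == "__main__":
    for title, names in [("wildcard", SAMPLE_WILDCARD_CERT),
                         ("multi-domain", SAMPLE_SAN_CERT)]:
        print(title)
        for host, verdict in coverage_report(names, SAMPLE_HOSTS).items():
            print("  %-28s %s" % (host, verdict))
```

Running the same inventory against both lists shows the trade-off described above: the wildcard certificate picks up new first-level subdomains automatically, while the multi-domain certificate covers the level 2 subdomain and the second domain only because each is listed by name.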

The Extended Validation (EV) SSL Certificate is the best choice if you want to build customer relationships based on security and trust. This certificate is issued only after the Certificate Authority (CA) performed an extensive verification of your company and its owner, confirming that your business is trustworthy. The validation process can take a few business days. But if you keep your company’s records up to date, the Extended Validation SSL certificate will be issued quickly, confirming that your company owns the website.

This type of SSL certificate significantly enhances the trust level of your website. Extended Validation certificates are highly effective in providing protection against phishing attacks because they make your clients feel safer while performing transactions and this fact will definitely boost your conversions. This is why Extended Validation certificates are considered the most reputable SSL Certificates for your website.

An SSL certificate warranty is insurance which covers any damage that you may incur as a result of a data breach or hack that was caused due to a flaw in the certificate. The SSL warranties range in value from $5,000 to $1,500,000. This means that the higher value certificates come with more extensive warranties.

“SSL Certificate” stands for “Secure Sockets Layer Certificate”. This protocol was created to protect data travelling between two machines through data encryption.

All the information from the Internet is basically transferred from one location to another in the form of HTTP language (Hyper Text Transfer Protocol). But HTTP by itself is unprotected and susceptible to Internet tricksters and thieves. That’s why SSL Certificates were developed to protect the information traveling on the Internet.

You may know about the SSL Certificates by some common things you see in your browser: the padlock, the “HTTPS” on the browser tab (when HTTP is being protected by SSL it inherits the letter “S”).

These are all indications that the website you are using has SSL encryption and its information is secure against cyber attacks.

The reissue of an SSL certificate means its replacement with a new SSL. The reissued SSL certificate will only be valid until the expiration of the original certificate.

You will need to request the reissue of your SSL certificate in any one of the following situations:

  • You have lost the private key for the certificate;
  • You have changed your web server/hosting provider;
  • You have changed your contact information and you need to update it on your certificate;
  • You feel that your private key is compromised.

The reissue of your SSL certificate is free of charge.

Encryption strength is the size of the keys used to perform the encryption of data during an SSL session. The longer keys provide stronger encryption and make it difficult for computers to break the code.

All our SSL certificates support up to 256-bit encryption, as it is strongly recommended by the industry experts.

SHA – standing for Secure Hash Algorithm – is a hash algorithm used by certification authorities to sign certificates and CRLs (Certificate Revocation Lists).

SHA-1 is an older version of the algorithm that is no longer considered to be secure by major browsers and industry experts. SHA-1 is no longer allowed to be used during the generation process by the industry.

SHA-2 is the latest version that is widely accepted and considered to be secure by all major industry experts and browsers. The hash functions used in SHA-2 are significantly stronger and not subject to the same vulnerabilities as SHA-1.

A Wildcard SSL Certificate is specifically created to allow users to secure one single domain name and all its sub-domains. In other words, you can secure one single domain name and an unlimited number of sub-domains belonging to that domain name with one single Wildcard SSL Certificate.

You can add sub-domains to your server and they will be covered by your Wildcard SSL Certificate automatically. You do not need to re-issue your Wildcard SSL Certificate each and every time when you add sub-domains to it. The newly added sub-domains will be automatically covered by your Wildcard SSL Certificate.

NOTE: The subdomains that you can secure with one Wildcard SSL Certificate have to be either 1st level sub-domains (e.g.: *.example.com) or 2nd level sub-domains (*.mob.example.com). You cannot secure 1st and 2nd level sub-domains with one regular Wildcard SSL Certificate.  If you want to secure 1st level sub-domains and 2nd level sub-domains, you have to get a Multi-Domain Wildcard SSL Certificate or 2 separate Wildcard SSL Certificates.

For example, a regular Wildcard SSL Certificate allows you to secure:

  1. One main domain name (example.com) and all its 1st level subdomains (*.example.com):
    1. my.example.com
    2. test.example.com
    3. dev.example.com
    4. mail.example.com
    5. (etc)
  2. Or, one subdomain (mob.example.com) and all 2nd level sub-domains (*.mob.example.com):
    1. my.mob.example.com
    2. test.mob.example.com
    3. dev.mob.example.com
    4. mail.mob.example.com
    5. (etc)

In order to secure one domain and all its sub-domains as shown in the first example, you have to include *.example.com as a common name (domain name) when creating a CSR (Certificate Signing Request). If you want to secure 2nd level sub-domains, then you have to enter *.mob.example.com as a common name (domain name) when creating a CSR (Certificate Signing Request).
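The coverage rule above, as an added Python example (not SSL Dragon's or any CA's code): a wildcard stands for exactly one label, so `*.example.com` and `*.mob.example.com` cover different hostnames. The function names and sample hostnames are constructed, and listing the bare domain next to the wildcard name is an assumption about how the certificate is issued.

```python
# Added example: which hostnames a wildcard certificate name covers.
# All function names and sample hostnames are constructed for illustration.

def labels_of(name):
    """Lower-case a DNS name, drop a trailing dot, split into labels."""
    return name.lower().rstrip(".").split(".")


def name_matches(cert_name, hostname):
    """True if one certificate name covers hostname.

    "*" is accepted only as the whole left-most label and stands for
    exactly one label, never for several and never for none.
    """
    p, h = labels_of(cert_name), labels_of(hostname)
    if len(p) != len(h) or "" in h or any("*" in lab for lab in h):
        return False
    if any("*" in lab for lab in p[1:]):
        return False  # a wildcard below the left-most label is rejected
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in p[0]:
        return False  # partial labels such as "w*" are not handled here
    return p == h


def coverage(cert_names, hostnames):
    """Map each hostname to the first certificate name covering it, or None."""
    return {h: next((n for n in cert_names if name_matches(n, h)), None)
            for h in hostnames}


def wildcards_needed(base_domain, hostnames):
    """Names to request so that every hostname under base_domain is covered."""
    base = ".".join(labels_of(base_domain))
    needed = set()
    for host in hostnames:
        host = ".".join(labels_of(host))
        if host == base:
            needed.add(base)
        elif host.endswith("." + base):
            needed.add("*." + host.split(".", 1)[1])
        else:
            raise ValueError(f"{host} is not under {base}")
    return sorted(needed)


# Constructed sample: hostnames in the style of the lists above.
HOSTS = ["example.com", "my.example.com", "mob.example.com",
         "my.mob.example.com", "test.mob.example.com"]

# Assumption: the CA also lists the bare domain next to the wildcard name.
FIRST_LEVEL_CERT = ["*.example.com", "example.com"]
SECOND_LEVEL_CERT = ["*.mob.example.com", "mob.example.com"]

if __name__ == "__main__":
    for title, names in (("1st level", FIRST_LEVEL_CERT),
                         ("2nd level", SECOND_LEVEL_CERT)):
        print(title, names)
        for host, hit in coverage(names, HOSTS).items():
            print(f"  {host:24} {'covered by ' + hit if hit else 'NOT covered'}")
    print("names needed for all:", wildcards_needed("example.com", HOSTS))
```

Running it shows that no single wildcard name covers both `my.example.com` and `my.mob.example.com`, which is why two wildcard names are needed.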

The validity of an SSL certificate varies between 1 and 3 years, depending on the certificate you choose to buy. The Extended Validated SSL certificates are valid for 1 or 2 years. The Domain and Business Validated SSL certificates offered by Sectigo and GoGetSSL can be issued for up to 3 years, and those offered by RapidSSL, DigiCert, GeoTrust and Thawte for 2 years.

You can save between 7% and 15% when purchasing an SSL certificate for 2 or 3 years ahead.

You may start the renewal process for your SSL Certificate within 30 days before its expiration date.

Your new SSL Certificate will be connected with the old one, which means that all the remaining days from the previous SSL Certificate will be added to the new one.

If you have a Domain Validation SSL Certificate, you can renew your SSL Certificate 1-2 weeks prior to your SSL Certificate’s expiration date.

Your SSL Certificate expires on its “Expires” date. Also, you should plan to have the SSL Certificate renewed enough time ahead so that you manage to install it on your website and server before your current SSL Certificate expires.

If you have a Business Validation SSL Certificate or an Extended Validation SSL Certificate, then we recommend renewing your SSL Certificate 3-4 weeks prior to the expiration date, because you have to pass the Business Validation or Extended Validation again.

The Business Validation or Extended Validation process is quicker when renewing an SSL Certificate than when getting it for the first time.

Anyway, it is always good to do this as early as possible, in order to assure the continuity of your website being secured by an SSL Certificate.

Two great tools to check how well your SSL Certificate is installed are:
1) SSL Server Test
2) Why No Padlock?

You only have to paste your https URL to get a free report and an A++ to F grade on your SSL Certificate installation. These tools will tell you what the vulnerabilities of your SSL Certificate installation are, and will offer you detailed information on how to fix them.

We also recommend reading our article: How to move your website from HTTP to HTTPS easily and with no pain.

You can download the SSL Certificate directly from the SSL Certificate page within your SSL Dragon account.

Simply use the Download Intermediate/Chain and Download Certificate buttons.

Or you can use the Send Certificate button, too.

We provide you the SSL Certificate in the exact same format in which we get it from the Certificate Authority.

Also, you can use any text editing tool such as Notepad and create the actual files that you need:

Go to your SSL Dragon account, then to your SSL Certificate details page, where you will find the 3 large pieces of code that your SSL Certificate is made of:

  1. The CSR code is the one which you generated along with your Private Key, and which you used to configure your SSL Certificate. If you need this code as a file, you can copy and paste this code in Notepad, and then save it as a .csr format file.
  2. The CRT code which is your actual SSL Certificate code. Save this one as a .crt format file.
  3. The CA Bundle code has the root and intermediate certificates in it. Save this one as a .ca-bundle format file.

You won’t be able to find your Private Key inside your SSL Dragon account, because we don’t have it, and we don’t store it. Private Keys are private, and it is only you who should have it. If you cannot find your Private Key, we recommend reading this article, as it may help you to find it or generate a new one.

If you generated your CSR code on the CSR Generator on our website, then the CSR and the Private Key were both shown to you when you generated your CSR. They were also sent to your email address that you included in the CSR form that you filled in on our website. The message that was sent to your email address came from [email protected] and it had the following subject: “Your CSR code and your Private Key”.

If you generated your CSR on your server, then your CSR code and your Private Key were both provided to you by your server. You had to copy both on your computer or email, and store them in a safe place. In some cases, some servers may show the CSR code and the Private Key, and at the same time store both these pieces of code for you on the server. In other cases, the server only provides you the CSR code and keeps the Private Key hidden on the server.

Also, your CSR code will be displayed to you again when your SSL Certificate is issued. Once the SSL Certificate is issued and shown in your SSL Dragon account, it will also show you the CSR code that you used to configure your SSL Certificate.

This is one of the most frequent questions that we get. Unfortunately we cannot send you the Private Key, because it is private, and we do not store it anywhere in our system and database. The Private Key is always confidential, and it is only you as the SSL Certificate owner who should have it. If we were to have or store your Private Key, this would compromise the “security” of your SSL Certificate.

If you generated your CSR code on the CSR Generator on our website, then the CSR and the Private Key were both shown to you when you generated your CSR code. They were also sent to your email address that you included in your CSR. The message that was sent to your email address came from [email protected] and has the following subject: “Your CSR code and your Private Key”.

If you generated your CSR on your server, then your CSR code and your Private Key were both provided to you by your server. You had to copy both on your computer or email, and store them in a safe place. In some cases, some servers may show the CSR code and the Private Key, and at the same time store both these pieces of code for you on the server. In other cases, the server only provides you the CSR code and keeps the Private Key hidden on the server.

This being said, please look for the Private Key in your email address or on the server. If you cannot find it, then please generate a new CSR code on your server, or on the CSR Generator on our website. The CSR code will come with a Private Key. Once you generate a new CSR code and Private Key, then please go to the SSL Certificate details page inside your SSL Dragon account, and click on the “Reissue certificate” button from the left side bar on the page. You will have to pass the domain validation again, and once you do that, the SSL Certificate will be re-issued to you based on the new CSR code that you entered. Also, the re-issued SSL Certificate will pair with the Private Key which came along with the new CSR code.

If you cannot find the “Reissue certificate” button on the SSL Certificate details page inside your SSL Dragon account, then please send us the new CSR code via a Support Ticket inside your SSL Dragon account, or directly at [email protected] and we will re-generate the SSL Certificate for you, using the new CSR code. Please do not send us the Private Key, since only you should be the one to have it. Store it in a safe place in your email or computer.
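The three pieces of code described earlier (CSR, CRT, CA bundle) and the request above to send only the CSR can be checked before anything is saved or pasted into a ticket. This is an added Python example, not SSL Dragon's code: the function names are hypothetical, the sample blocks are constructed filler rather than real certificates, and only the PEM armor and base64 are validated, not the contents.

```python
# Added example: classify pasted PEM text and refuse to pass on a private key.
import base64
import binascii
import re

PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)
CSR_LABELS = ("CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST")


def pem_blocks(text):
    """Return [(label, decoded_bytes)] for each complete PEM block in text."""
    blocks = []
    for match in PEM_RE.finditer(text):
        label, body = match.group(1), "".join(match.group(2).split())
        try:
            decoded = base64.b64decode(body, validate=True)
        except binascii.Error as exc:
            # Typical after a bad copy and paste: truncated or altered body.
            raise ValueError(f"damaged {label} block: {exc}") from exc
        blocks.append((label, decoded))
    return blocks


def classify(text):
    """Return '.csr', '.crt', '.ca-bundle' or 'private-key' for pasted text."""
    labels = [label for label, _ in pem_blocks(text)]
    if not labels:
        raise ValueError("no complete PEM block found")
    if any(label.endswith("PRIVATE KEY") for label in labels):
        return "private-key"
    if len(labels) == 1 and labels[0] in CSR_LABELS:
        return ".csr"
    if labels == ["CERTIFICATE"]:
        return ".crt"  # a one-certificate bundle looks the same by label alone
    if set(labels) == {"CERTIFICATE"}:
        return ".ca-bundle"
    raise ValueError(f"unexpected mix of blocks: {labels}")


def safe_to_send(text):
    """True only if text is exactly one CSR and carries no private key."""
    if "PRIVATE KEY-----" in text:  # also catches a key whose END line is cut
        return False
    try:
        return classify(text) == ".csr"
    except ValueError:
        return False


def make_pem(label, payload):
    """Build a constructed PEM block; the payload is filler, not real DER."""
    body = base64.encodebytes(payload).decode().strip()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed samples standing in for the pieces shown in the account page.
CSR = make_pem("CERTIFICATE REQUEST", b"constructed csr " * 12)
CRT = make_pem("CERTIFICATE", b"constructed leaf " * 12)
BUNDLE = (make_pem("CERTIFICATE", b"constructed intermediate " * 12)
          + make_pem("CERTIFICATE", b"constructed root " * 12))
KEY = make_pem("PRIVATE KEY", b"constructed key " * 12)

if __name__ == "__main__":
    for name, text in (("csr", CSR), ("crt", CRT), ("bundle", BUNDLE),
                       ("csr+key", CSR + KEY)):
        print(f"{name:8} -> {classify(text):12} safe_to_send={safe_to_send(text)}")
```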

You can get the SSL Certificate from your SSL Dragon account by following the next steps:
1) Log into your SSL Dragon account;
2) Go to SSL Certificates;
3) Then go to My SSL Certificates;
4) You will see the list of products which you bought from us. Click on the SSL Certificate which you bought;
5) When you are on the SSL Certificate page, scroll down, and you will see the codes that the SSL Certificate is made of.

The 3 large pieces of codes that you will see are:
1) The CSR code is the one that you generated along with your Private Key, and which you used to configure your SSL Certificate. If you need this code as a file, you can copy and paste this code in Notepad, and then save it as a .csr format file.
2) The CRT code which is your actual SSL Certificate code. Save this one as a .crt format file.
3) The CA Bundle code has the root and intermediate certificates in it. Save this one as a .ca-bundle format file.

You won’t be able to find your Private Key inside your SSL Dragon account, because we don’t have it, and we don’t store it. Private Keys are private, and it is only you who should have it. If you cannot find your Private Key, we recommend reading this article, as it may help you to find it or generate a new one.

If you go to your SSL Dragon account, then to your SSL Certificate details page, you will find the 3 large pieces of codes that your SSL Certificate is made of:

1) The CSR code is the one that you generated along with your Private Key, and which you used to configure your SSL Certificate.
2) The CRT code which is your actual SSL Certificate code.
3) The CA Bundle code contains the root and intermediate certificates in it. 

Also, listed below you will find all the Sectigo Root and Intermediate CA certificates and the bundle files required to complete the SSL certificate installation across various servers and email clients.

DV ECC Files

DV RSA files

  • Sectigo RSA DV CA – TXT file
  • USERTrust RSA CA – TXT file
  • RSA DV Bundle – TXT file
  • RSA DV Bundle with SHA-1 – TXT file (includes SHA-1 AddTrust External Root CA required for legacy platforms and Zimbra)

OV ECC files

OV RSA files

  • Sectigo RSA OV CA – TXT file
  • USERTrust RSA CA – TXT file
  • RSA OV Bundle – TXT file
  • RSA OV Bundle with SHA-1 – TXT file (includes SHA-1 AddTrust External Root CA required for legacy platforms and Zimbra)

EV ECC files

EV RSA files

  • Sectigo RSA EV CA – TXT file
  • USERTrust RSA CA – TXT file
  • RSA EV Bundle – TXT file
  • RSA EV Bundle with SHA-1 – TXT file (includes SHA-1 AddTrust External Root CA required for legacy platforms and Zimbra)

Code Signing – Intermediate

Standard

  • Sectigo RSA Code Signing CA – TXT file

EV Code Signing

  • Sectigo RSA Extended Validation Code Signing CA – TXT file

For Code Signing Certificates, issued on or after June 1, 2021

Standard

  • Sectigo Public Code Signing CA R36 – TXT file
  • SectigoPublicCodeSigningRootR46_AAA [ Cross Signed ] – TXT file

EV Code Signing

  • Sectigo Public Code Signing CA EV R36 – TXT file
  • SectigoPublicCodeSigningRootR46_AAA [ Cross Signed ] – TXT file

Secure Email 

  • Sectigo RSA Client Authentication and Secure Email CA – TXT file

Note: A few legacy systems that no longer receive updates from their vendor may not trust Sectigo SHA-2 Certificates. To enable them to trust the SHA-2 Certificates, Sectigo recommends including the Cross Signed Certificate in the Server Certificate chain.

Source: Sectigo’s Knowledge Base

After installing an SSL Certificate on your website, you can also let your visitors and customers know that your website is secure by adding a site seal somewhere on a prominent place on your website. You can choose to place the site seal in the footer of your website, or on the checkout page where customers have to enter their credit card information, or in both these places.

Site seals are of two types: static and dynamic. All Domain Validation SSL Certificates come with a static site seal, which is basically an image. All Business Validation and Extended Validation SSL Certificates come with a dynamic site seal that can be hovered or clicked on, and they will show the name of your company, will confirm that your website was issued a legitimate SSL Certificate, and will prove that your website belongs to your company.


Site Seals for RapidSSL SSL Certificates 

If you purchased an SSL issued by RapidSSL, you can get your site seal at the following link:
https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=SO14424


Site Seals for GeoTrust SSL Certificates 

If you purchased an SSL issued by GeoTrust, you can get your site seal at the following link:
https://www.geotrust.com/support/seal/agreement/installation-instructions/


Site Seals for Thawte SSL Certificates 

If you purchased an SSL issued by Thawte, you can get your site seal at the following link:
https://www.thawte.com/ssl/secured-seal/installation-agreement/


Site Seals for DigiCert SSL Certificates 

If you purchased an SSL issued by DigiCert, you can get your site seal at the following link:
https://www.digicert.com/site-seal-conversion-rate-benefits.htm


Sectigo Site Seals 

If you purchased a Sectigo SSL, you can download the dynamic site seal at the following link: https://sectigo.com/trust-seal


GoGetSSL Site Seals 

If you purchased a GoGetSSL SSL, you can download the dynamic site seal at the following link: https://www.gogetssl.com/wiki/installation/gogetssl-site-seal-installation/

During the certificate enrollment, the browser generates your private key. After you submit the CSR (Certificate Signing Request), the browser creates a key pair and stores it in the local key database.

You can apply for a S/MIME certificate only using the following browsers:

  • Internet Explorer on Windows
  • Firefox ESR version 68 and earlier on Mac. Newer versions (from 69 onwards) don’t offer keygen support.

Note: Safari on Mac no longer supports key generation. 

Source: Sectigo’s Knowledge Base

When you configure your Sectigo/GoGetSSL Code Signing SSL Certificate, it is best to use some specific browsers for that. Here is an article that describes which browsers are best to use for configuring a Sectigo/GoGetSSL Code Signing Certificate.

When you configure your Sectigo/GoGetSSL Code Signing Certificate, make sure that “Advanced Private Key Options” is visible to you in the same way it is shown in the screenshot on the right. Internet Explorer is always a good option to configure your Sectigo/GoGetSSL Code Signing Certificate.

For Mac Users, please see the following 2 resources:

Attention: The export instructions for Mac may produce a certificate that does not include the Root/Intermediate crt files. Please download the Root/Intermediate crt files and include them in the command for the Code Signing SSL.

BV SSL Certificates issued by GeoTrust, Thawte, and DigiCert have a quicker and easier Business Validation process compared to those issued by Sectigo.

With GeoTrust, Thawte, and DigiCert, the Certificate Authority does most of the company validation process all by itself, and in rare cases requires the customers to provide additional information and legal letters signed by a notary, certified public accountant, or an attorney.

On the other side, Sectigo relies a lot on the customer to provide all the information about his/her company, as well as updating the company’s DUNS listing (on the Dun & Bradstreet website) and providing legal letters signed by a notary, a certified public accountant, or an attorney.

You can read what the Business Validation process with these different brands consists of at this link.

EV SSL Certificates issued by GeoTrust, Thawte, and DigiCert have a quicker and easier Extended Validation process compared to those issued by Sectigo.

With GeoTrust, Thawte, and DigiCert, the Certificate Authority does most of the company validation process all by itself, and in rare cases requires the customers to provide additional information and legal letters signed by a notary, certified public accountant, or an attorney.

On the other side, Sectigo relies a lot on the customer to provide all the information about his/her company, as well as updating the company’s DUNS listing (on the Dun & Bradstreet website) and providing legal letters signed by a notary, a certified public accountant, or an attorney.

You can read what the Extended Validation process with these different brands consists of at this link.

This article will help you determine which multi-domain SSL Certificate you should get. We have categorized the multi-domain SSL Certificates in 4 groups, and we would recommend you to read about each group and then choose a multi-domain SSL Certificate from the group that meets your preferences best:

  1. Domain validated multi-domain certificates. There are two certificates in this category: PositiveSSL Multi-Domain and SSL UCC DV. These certificates will secure your websites by making them open from a permanent HTTPS link, will display a padlock icon next to the URL bar, and will make your website show as “Secure” in all web and mobile browsers. These multi-domain certificates are the quickest and easiest to get, because you only have to prove the domain ownership.
  2. Business validated multi-domain certificates & Extended validated multi-domain certificates. You need to have a registered company to be eligible for a business validated SSL Certificate. Besides the HTTPS link and the padlock icon near your website’s URL, the people who visit your website will be able to see your company name when they search whom the SSL Certificate was issued to, and they will also see your company name and address when they roll over or click on the dynamic site seal which comes with your SSL Certificate and which you can add to your website. This type of certificate is issued within 1-7 days.
  3. Multi-domain Wildcard certificates. These certificates allow you to secure one main domain and multiple wildcard domains using one single SSL Certificate. You can get a PositiveSSL Multi-Domain Wildcard SSL if you want a domain validated SSL, or a Multi-Domain Wildcard SSL if you prefer a business validated certificate. You can learn more about how multi-domain wildcard certificates work at this link.

There are SSL Certificates of three validation types:

1) Domain Validation SSL Certificates – are the least expensive SSL Certificates. They are the easiest to get, and are issued within 3-5 minutes.

2) Business Validation SSL Certificates require you to have a registered company. When users click on the padlock icon for your certificate, they will see your company name. Also, Business Validation Certificates come with a dynamic site seal, similar to the Sectigo site seal that we have in the footer of our website. They are issued within 1-3 business days.

3) Extended Validation SSL Certificates – just like the Business Validation certificates, the Extended Validation SSL Certificates require you to have a registered company, and when users click on the padlock icon for your certificate, they will see your company name. They also come with a dynamic site seal similar to the one from the footer of our website. They are issued within 1-5 business days.

Also, based on how many domains or sub-domains you want to secure, you can look at One Domain SSL Certificates which will secure only one single domain name or sub-domain, Multi-Domain (SAN) SSL Certificates which secure several domains and/or sub-domains at a time, and the Wildcard SSL Certificates which secure one domain and all its sub-domains under one certificate. Finally, don’t forget about the Code Signing SSL Certificates which will sign, secure and protect your software from being infected with malware and then distributed online.

Please note that all these SSL Certificates types come with the same exact security level and encryption strength.

All our SSL certificates are issued by global leaders in Internet Security: DigiCert, GeoTrust, Thawte, Sectigo, RapidSSL.

Any business that is officially registered with a government authority can qualify for an Extended Validated SSL Certificate. This certificate is issued only after the Certificate Authority (CA) performed an extensive verification of your company and its owner, confirming that your business is trustworthy.

The validation process is completed by the SSL provider, also called Certificate Authority (CA). The CA will contact you during the validation process to confirm that you are indeed the owner of the domain.

The certificate you p