When configuring, reissuing, or renewing your SSL Certificate, if you cannot choose the domain validation method, or you encounter an error message, it means there is a CSR error. Here are the most common CSR errors, and the ways to fix them:
- If you have a Wildcard SSL Certificate (for multiple sub-domains), then the common name in your CSR should start with an asterisk and a dot (*.) as in this example *.website.com. For regular, non-wildcard SSL Certificates, the common name should have one of the following formats: website.com, www.website.com or my.website.com.
- Wrong Key Encryption (e.g. 4096 bit). Please make the Key Encryption 2048 bit.
- Your CSR is password protected. Please disable the password so that the Certificate Authority issuing the SSL Certificate can read the CSR code.
- The CSR code is missing some required fields or information. You can find the complete list of fields on our CSR Generator.
- Your CSR may have other information that is incorrect or not allowed. Please see this FAQ article with details on allowed information and formatting.
To fix your CSR code you need to generate a new one. After that, try configuring or reissuing your SSL Certificate with the new CSR code. If the problem persists, please open a ticket with us and send us your the CSR code. We will decode the CSR and tell you what the problem is, so that you can fix it.
Inside your ~/public directory on your server, you might find the .well-known folder. Well-known URIs are Uniform Resource Identifiers for well-known services or information available consistently across servers at URLs.
Some servers create the .well-known folder automatically, but sometimes, you may have to add it manually. This directory acts as a web-based protocol to fetch site metadata about a host before making a request.
What is the .well-known folder used for?
When ordering an SSL Certificate, you must prove domain ownership as part of DCV. If you choose the HTTP/HTTPS method, you’ll have to create the .well-known directory, the folder where you must upload a TEXT file for the CA to scan and approve your SSL request.
The file should be accessible via a live website link. After you add the validation file, the CA crawler system will scan your website and look for the file. Once it finds it, you should pass domain validation within minutes.
To create the well-known folder, you’ll need access to your server via an SFTP client, a web hosting control panel, or any other appropriate means. Here’s how to create the .well-known folder on the most popular platforms:
How to create the .well-known folder on Linux-based servers?
The instructions below are valid for Ubuntu, Debian, and CentOS servers.
- Go to the root directory of your website
- Create a directory called “.well-known“
- Inside it, create another folder called “pki-validation“
- Upload the TXT file inside the “pki-validation” directory
How to create the .well-known folder in cPanel?
- Log into WHM, or skip this step if you don’t have WHM
- Locate and log into the cPanel account for your domain name
- Click on “File Manager”
- Choose the “Web Root (public_html/www)” option and click “Go.”
- Create a new folder called .well-known
- Inside that folder create another folder called: pki-validation
- Upload your TXT file inside the pki-validation folder
How to Create the .well-known folder in Plesk?
- Use the File Manager option and go to the Files section in the right-side menu.
- You should create the .well-known folder in the default document root folder for your domain, which in Plesk is httpdocs.
- To create the folder, select New, then Create Directory.
- Inside the .well-known folder, create the pki-validation subfolder.
- Use the Upload button to add the validation TXT file into the pki-validation folder.
How to create the .well-known folder in Windows IIS servers?
Windows-based servers do not allow you to place a dot in a folder name, therefore you need to follow these steps:
- Go to the C: drive
- Create a new folder called well-known
- Inside the well-known folder, create another folder named pki-validation.
So far, your folders should look like this: C:well-knownpki-validation
- Upload the TXT file in the pki-validation folder
- Open the IIS Manager on your server
- Do right-click on your website and select Add Virtual Directory
- In the Alias section write .well-known
- In the Psychical Path area enter the path to the well-known folder. For example:
- Press OK to create this alias
How to create a .well-known folder in WordPress?
You can create a .well-known folder in WordPress in three different ways.
- Using a special plugin
- Through your web-hosting panel
- Via an SFTP Client such as FileZilla
We don’t recommend using a plugin as it may cause compatibility and security issues over time. Instead, use our instructions above to create the .well-known folder in cPanel, the most popular hosting panel.
If you don’t have cPanel, use an SFTP client. Connect to your server and inside your ~/public folder look for the .well-knwon directory. If it’s not there, right-click on the public folder, choose Create directory, and name the new directory .well-known.
How to create a .well-known folder in AWS?
- Use the bash command to create the .well-known.folder in the AWS EC2 instance:
mkdir -p .well-known/pki-validation
- Put your validation file in the pki-validation subfolder:
How to Create the .well-known in macOS X Server?
Connect to your server via the built-in FTP client or the Command Line Interface.
- Press Command+K
- In the Connect to Server window, enter the address of the FTP server. For example, ftp://ftp.yourdomain.com. Click connect.
- Next, enter your FTP username and password and hit Connect again.
- Find the root directory of your domain.
- Create a directory called .well-known
- Inside the. well-known folder, create another folder called pki-validation.
- Upload the TXT file inside the pki-validation directory
Command Line Interface
You can use SSH and the Secure Copy protocol to upload the TXT file.
Where ‘AC3E5D6I8G12935LSJEIK.txt’ is the validation file name, ‘your_username’ is the username of your server account, ‘hostname.tld’ is your Mac OSX server hostname, and ‘/Library/WebServer/Documents/’ is the default directory of the document root folder.
For all server types, if you did everything correctly, you should be able open the following URL and see the hash code along with “comodoca.com” in any web browser:
In some cases, the CAs may require manual verification if your order fails any internal rules of Brand Validation. It takes around 24-48 hours to pass this manual check, and the CA will either issue or reject an order in such cases.
Here are the most common reasons why certificate authorities decide to do the brand validation for some orders:
- Orders from some countries are reviewed manually more often than others, for example: South Korea, North Korea, Japan;
- Restricted countries – Russia (RU), Belarus (BY) (since 2022), Afghanistan (AF), Crimea (Russia), Cote d’Ivoire (CI), Cuba (CU), Eritrea (ER), Guinea (GN), Iraq (IQ), Iran (IR), Democratic People’s Republic of Korea (KP), Liberia (LR), Myanmar (MM), Rwanda (RW), Sudan (SD), Sierra Leone (SL), South Sudan (SS), Syrian Arab Republic (SY), Venezuela (VE), Zimbabwe (ZW) – SSL are NOT issued for these countries: https://sectigo.com/knowledge-base/detail/Banned-Country-List-1527076085907/kA01N000000zFKI and https://knowledge.digicert.com/solution/Embargoed-Countries-and-Regions.html
- The domain name includes a brand name, such as: facebook-app.com, sony-shop.net, dellshop.com, etc;
- The domain name may have a hidden brand name. For example, your domain is “sibmama.com”, but the automated validation system may read it as “sIBMama” and flag the “IBM” brand. The certificate authority wants to check such orders manually;
- The domain name has “stop words”, such as: pay, online, secure, booking, shop, bank, transfer, money, e-payment, payment, protection, violence, terrorists, and others. These words and many others are set as triggering words inside the validation system, and make the certificate authority review such orders manually;
- Domain name is blacklisted OR has a bad reputation.
What you can do to speed up the process?
Please mention your “Partner Order ID” in your message. You can find your “Partner Order ID” on the details page of your SSL Certificate inside your SSL Dragon account. See the screenshot on the right.
Unfortunately, domain names that end with .local are not supported from November 1st, 2015. If you request an SSL Certificate for a domain or sub-domain that has .local as an extension, your SSL Certificate will be rejected by the Certificate Authority.
If you want to secure a domain or sub-domain on your localhost, you can create a self-signed SSL Certificate. There is plenty of documentation online on how to do that.
Yes, you can secure an IP address with an SSL Certificate. However, only some specific SSL Certificates will allow you to do that. Here are those SSL Certificates:
Please note that the Sectigo InstantSSL Premium is a Business Validation SSL Certificate, which means that you need to have a registered company in order to be issued this SSL certificate.
GeGetSSL Public IP SAN is a Domain Validation SSL Certificate which secures 2 IP addresses by default.
Valid only for Sectigo and GoGetSSL Certificates:
Please go through the next steps in order to change the domain validation type for your SSL Certificate:
- Log into your SSL Dragon account;
- Go to “SSL Certificates” -> “My SSL Certificates“;
- You will see the list of products that you bought from SSL Dragon. Click on the SSL Certificate which you would like to change the domain validation type for;
- Click on the “Change DV Method” button which you can find towards the bottom on the page;
- Choose the new domain validation method for your domain(s); You can read more about what each validation type means at this link; (Important: HTTP validation method is no longer available for Wildcard SSL Certificates).
- Click “Submit” to make the new validation method go into effect.
When you buy a multi-domain SSL Certificate and you include several domain names and/or sub-domains in it, the Certificate Authorities require you to pass the domain validation for each and every domain name and/or sub-domain that you included in your multi-domain SSL Certificate, and only after that, the multi-domain SSL Certificate will be issued to you.
POSSIBLE PROBLEM: Sometimes the email addresses, or your HTTP options, or the DNS records that you choose for your multi-domain certificate do not get set correctly when they reach the Certificate Authority. You will know that when you see that you only got one single domain validation message to your email address instead of getting several domain validation messages, or your multi-domain SSL Certificate’s status still shows as “Awaiting Validation (Full)” even though you passed the domain validation for one of the domains.
HOW TO FIX: There is an easy way to fix that, and that requires getting in contact with the Certificate Authority’s Validation Department. When you contact them, please provide them your “Partner Order ID” (see screenshot on the right), and then tell them about the domain validation method that you chose to go with: HTTP, DNS, or Email. If you chose to pass the domains validation by email, then double-check with the Validation Department representatives what email addresses are set in their system, and ask them to send you the domain validation messages to your desired email addresses.
Please call Sectigo Validation Department at +1 (888) 266-6361 or https://sectigo.com/support for the above-stated reasons. When you talk to them, you will need to provide them your “Partner Order ID”.
Thawte, GeoTrust, DigiCert
Please call Thawte, GeoTrust, DigiCert Validation Department at +1 (877) 438-8776 for the above-stated reasons. Please note that Thawte, GeoTrust, DigiCert are all owned by DigiCert, and they all have the same phone number provided above. When you talk to them, you will need to provide the “Partner Order ID”.
The validation time of an SSL depends on the type of certificate you chose to buy.
Domain Validated certificates are issued within 3-5 minutes in 99% of the cases. Only when an SSL Certificate is requested for a domain name that contains a trademark or a brand name, then those SSL Certificates may pass brand validation, and can take up to a business day to be issued.
Business Validated certificates are usually issued within 1-3 business days.
Extended Validated certificates can take between 1-7 business days to be issued. The Certificate Authority does its part of the work very quickly. If all the information is provided to the Certificate Authority quickly and correctly, then the Certificate Authority can issue the EV certificate within 1 business day. We’ve seen situations when the EV Certificate was issued within a few hours. The 1-7 days period depends on how quickly the customer provides the required information to the Certificate Authority, and how quickly the customer responds to the Certificate Authority’s potential requests for additional information.
By doing the Validation process, the Certificate Authority’s is trying to confirm that you are the owner of the domain, and that the company that you are requesting a Business Validation or Extended Validation certificate for is active. That is why it is important that you keep your company’s records (address and phone number) up to date and you promptly respond to the Certificate Authority’s requests.
If your router has a public IP address, you can still validate that IP address.
HTTP/HTTPS validation is the only method available for IP address validation. The HTTP/HTTPS validation method consists of adding a TXT file on your IP address and having Sectigo scan that IP address and validate it. There is no way to upload a TXT file on your router. The solution to get the IP address validated is to reroute the IP address to a server, put the TXT file on that server, pass the IP validation, and then reroute the IP addresses back to the router.
You can read more information on what the TXT file should include and where to upload it in the following FAQ item: https://www.ssldragon.com/faq/pass-validation-public-ip-address-ssl-certificate/