
FAQs

How to install the SSL certificate on a server?

To install the SSL certificate on a server, you must upload the SSL certificate files, including the root and intermediate certificates (usually included in a CA Bundle file), from your device to the server of the website you want to encrypt. As there isn’t a universal process for SSL certificate installation, the quickest way to enable HTTPS on any server is by following our SSL installation guides.


Where do I install the SSL certificate?

You install the SSL certificate on your website’s hosting server. The file directory will vary from system to system, but it’s usually indicated next to the “Upload Certificate” section. Some platforms will automatically upload the certificate in the correct folder, while other clients may support only OpenSSL commands for certificate installation.


How to install the SSL certificate on my website?

To install the SSL certificate on your website, you must get it from a valid CA by submitting the Certificate Signing Request. After the CA validates your application, you will receive the installation files via email. Your next step is to download them to your local computer and then upload the files to the website server. This is a brief explanation of how to enable SSL.


How much does it cost to install an SSL certificate on my website?

The cost of installing an SSL certificate on a website will vary depending on the type of certificate you choose and the Certificate Authority. A certificate costs between $7 and hundreds of dollars per year.

The cost of having someone install an SSL certificate on your website will depend on their specific skills and the complexity of your particular installation. You can find web developers or IT professionals who specialize in SSL certificate installations and negotiate a fee with them based on their experience and project scope. Their costs will range from $20 to a few hundred dollars.


How long does it take to install an SSL certificate?

The amount of time it takes to install an SSL certificate will depend on a few factors such as the web server platform, type of Certificate Authority, and complexity of the installation. Generally speaking, an SSL certificate can be installed in a few minutes if all of the necessary information is available. If additional steps are required, it may take longer to complete the installation.


How hard is it to install an SSL certificate?

Installing an SSL certificate is quite easy and can usually be done in a few simple steps. First, you will need to generate a Certificate Signing Request (CSR) file and submit it to the Certificate Authority. Once the SSL certificate is issued, you will then need to install it on the web server. Depending on the server, the installation process may vary, but the documentation provided by the hosting company or CA should make this straightforward.


How to verify the integrity of the private key pair?

You can verify the integrity of an SSL certificate and private key pair with the OpenSSL command-line utility.

The process consists of four steps:

  1. Verify that the private key has not been altered.
  2. Verify that the modulus of the private key matches the modulus of the SSL certificate
  3. Encrypt with the public key from the certificate and decrypt with the private key
  4. Confirm the integrity of a file signed with the private key

Verify the private key integrity

Run the following command: openssl rsa -in [key-file.key] -check -noout

Here’s an example of a corrupt private key:

private key error

Other errors resulting from an altered/forged key are listed below:

  • RSA key error: p not prime
  • RSA key error: n does not equal p q
  • RSA key error: d e not congruent to 1
  • RSA key error: dmp1 not congruent to d
  • RSA key error: iqmp not inverse of q

If you encounter any of the above errors, your private key has been tampered with and may not work with your public key. Consider creating a new private key and requesting a replacement certificate.

Here’s the output for a private key that passes the integrity check:

RSA key ok

Verify that the modulus of the private key matches the modulus of the SSL certificate

Note: The modulus of the private key and certificate must match exactly.

To view the certificate modulus, run the command:

openssl x509 -noout -modulus -in [certificate-file.cer]

To view the private key modulus, run the command:

openssl rsa -noout -modulus -in [key-file.key]

Encrypt with the public key from the certificate and decrypt with the private key

1. Get the public key from the certificate:

openssl x509 -in [certificate-file.cer] -noout -pubkey > certificatefile.pub.cer

2. Encrypt the content of the test.txt file using the public key

Create a new file called test.txt (you can use Notepad) with the content “message test”. Run the following command to write the encrypted message to the cipher.txt file.

openssl rsautl -encrypt -in test.txt -pubin -inkey certificatefile.pub.cer -out cipher.txt

3. Decrypt from cipher.txt using the private key

Run the following command to decrypt the cipher.txt content.

openssl rsautl -decrypt -in cipher.txt -inkey [key-file.key]

Ensure that you can decrypt your cipher.txt file content to your terminal. The output in the terminal must match the content of the test.txt file.

If the content does not match, the private key has been tampered with and may not work with your public key. Consider creating a new private key and requesting a replacement certificate. Here’s an example of a decrypted message:

message test

4. Confirm the file integrity signed with the private key

Run the following command to sign the test.txt file with your private key and write the signature to test.sig:

openssl dgst -sha256 -sign [key-file.key] -out test.sig test.txt

Now, verify the signed file with the public key you extracted in step 1.

openssl dgst -sha256 -verify certificatefile.pub.cer -signature test.sig test.txt

Make sure that the output from the terminal is exactly like in the example below:

Verified OK

If your private key is tampered with, you will receive the following message:

Verification failure

In this case, you should create a new private key and request a replacement certificate.

Source: Digicert’s Knowledge Base
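
The four steps above combined into one script, as an added example that is not part of the original FAQ or of the DigiCert article. It uses openssl pkeyutl in place of rsautl, which OpenSSL 3.0 deprecates; the function names, file names and the example.test subject are assumptions, and the keys and self-signed certificate are constructed at run time.

```sh
# Added example (not from the FAQ): the four checks as one function.
# Returns 0 if every check passes, otherwise the number of the failing step.
check_pair() {
    key=$1; cert=$2; step=0
    tmp=$(mktemp -d) || return 9
    # Step 1: key self-consistency; match the text, some builds exit 0 on error.
    openssl rsa -in "$key" -check -noout 2>&1 | grep -q 'RSA key ok' || step=1
    # Step 2: key and certificate must carry the same modulus (hashed here).
    if [ "$step" -eq 0 ]; then
        km=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null | openssl sha256)
        cm=$(openssl x509 -in "$cert" -noout -modulus 2>/dev/null | openssl sha256)
        [ "$km" = "$cm" ] || step=2
    fi
    # Step 3: encrypt to the certificate's public key, decrypt with the key.
    if [ "$step" -eq 0 ]; then
        printf 'message test' > "$tmp/test.txt"
        openssl x509 -in "$cert" -noout -pubkey > "$tmp/pub.pem" 2>/dev/null &&
        openssl pkeyutl -encrypt -pubin -inkey "$tmp/pub.pem" \
            -in "$tmp/test.txt" -out "$tmp/cipher.txt" 2>/dev/null &&
        openssl pkeyutl -decrypt -inkey "$key" \
            -in "$tmp/cipher.txt" -out "$tmp/plain.txt" 2>/dev/null &&
        cmp -s "$tmp/test.txt" "$tmp/plain.txt" || step=3
    fi
    # Step 4: sign with the private key, verify with the certificate's key.
    if [ "$step" -eq 0 ]; then
        openssl dgst -sha256 -sign "$key" -out "$tmp/test.sig" "$tmp/test.txt" 2>/dev/null &&
        openssl dgst -sha256 -verify "$tmp/pub.pem" -signature "$tmp/test.sig" \
            "$tmp/test.txt" >/dev/null 2>&1 || step=4
    fi
    rm -rf "$tmp"
    return "$step"
}

# Constructed sample input: two throwaway RSA keys and a self-signed certificate.
make_sample() {
    d=$1
    printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$d/req.cnf"
    openssl genrsa -out "$d/good.key" 2048 2>/dev/null &&
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null &&
    openssl req -new -x509 -config "$d/req.cnf" -key "$d/good.key" \
        -subj '/CN=example.test' -days 1 -out "$d/site.cer" 2>/dev/null
}

demo=$(mktemp -d) && make_sample "$demo" || exit 1
rc=0; check_pair "$demo/good.key" "$demo/site.cer" || rc=$?
echo "matching key: failed step $rc (0 = none)"
rc=0; check_pair "$demo/other.key" "$demo/site.cer" || rc=$?
echo "wrong key: failed step $rc (0 = none)"
rm -rf "$demo"
```

A key that does not belong to the certificate stops at step 2, so steps 3 and 4 only run for a pair whose moduli already match.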


What is the .well-known folder?

Inside your ~/public directory on your server, you might find the .well-known folder. Well-known URIs are Uniform Resource Identifiers that make well-known services or information available at consistent URLs across servers.

Some servers create the .well-known folder automatically, but sometimes you may have to add it manually. The directory gives clients a standard web location from which to fetch site metadata about a host before making a request.

What is the .well-known folder used for?

When ordering an SSL certificate, you must prove domain ownership as part of Domain Control Validation (DCV). If you choose the HTTP/HTTPS method, you’ll have to create the .well-known directory, where you upload a TXT file for the CA to scan before it approves your SSL request.

The file should be accessible via a live website link. After you add the validation file, the CA crawler system will scan your website and look for the file. Once it finds it, you should pass domain validation within minutes.


How to create the .well-known folder?

To create the .well-known folder, you’ll need access to your server via an SFTP client, a web hosting control panel, or any other appropriate means. Here’s how to create the .well-known folder on the most popular platforms:

How to create the .well-known folder on Linux-based servers? 

The instructions below are valid for Ubuntu, Debian, and CentOS servers.

  1. Go to the root directory of your website
  2. Create a directory called “.well-known”
  3. Inside it, create another folder called “pki-validation”
  4. Upload the TXT file inside the “pki-validation” directory

How to create the .well-known folder in cPanel?

  1. Log into WHM, or skip this step if you don’t have WHM
  2. Locate and log into the cPanel account for your domain name
  3. Click on “File Manager”
  4. Choose the “Web Root (public_html/www)” option and click “Go.”
  5. Create a new folder called .well-known
  6. Inside that folder create another folder called: pki-validation
  7. Upload your TXT file inside the pki-validation folder

How to Create the .well-known folder in Plesk?

  1. Use the File Manager option and go to the Files section in the right-side menu.
  2. You should create the .well-known folder in the default document root folder for your domain, which in Plesk is httpdocs.
  3. To create the folder, select New, then Create Directory.
  4. Inside the .well-known folder, create the pki-validation subfolder.
  5. Use the Upload button to add the validation TXT file into the pki-validation folder.

How to create the .well-known folder in Windows IIS servers?

Windows-based servers do not allow you to place a dot at the start of a folder name, so follow these steps:

  1. Go to the C: drive
  2. Create a new folder called well-known
  3. Inside the well-known folder, create another folder named pki-validation.
    So far, your folders should look like this: C:\well-known\pki-validation
  4. Upload the TXT file in the pki-validation folder
  5. Open the IIS Manager on your server
  6. Right-click on your website and select Add Virtual Directory
  7. In the Alias section write .well-known
  8. In the Physical Path area enter the path to the well-known folder. For example:
    C:\well-known
  9. Press OK to create this alias

How to create a .well-known folder in WordPress?

You can create a .well-known folder in WordPress in three different ways.

  1. Using a special plugin
  2. Through your web-hosting panel
  3. Via an SFTP Client such as FileZilla

We don’t recommend using a plugin as it may cause compatibility and security issues over time. Instead, use our instructions above to create the .well-known folder in cPanel, the most popular hosting panel.

If you don’t have cPanel, use an SFTP client. Connect to your server and look for the .well-known directory inside your ~/public folder. If it’s not there, right-click on the public folder, choose Create directory, and name the new directory .well-known.

How to create a .well-known folder in AWS?

  1. Use the following bash command to create the .well-known folder on the AWS EC2 instance:
    mkdir -p .well-known/pki-validation
  2. Put your validation file in the pki-validation subfolder:
    nano .well-known/pki-validation/HashFileName.txt

How to Create the .well-known in macOS X Server?

Connect to your server via the built-in FTP client or the Command Line Interface.

FTP

  1. Press Command+K
  2. In the Connect to Server window, enter the address of the FTP server. For example, ftp://ftp.yourdomain.com. Click connect.
  3. Next, enter your FTP username and password and hit Connect again.
  4. Find the root directory of your domain.
  5. Create a directory called .well-known
  6. Inside the .well-known folder, create another folder called pki-validation.
  7. Upload the TXT file inside the pki-validation directory

Command Line Interface

You can use SSH and the Secure Copy protocol to upload the TXT file.

scp AC3E5D6I8G12935LSJEIK.txt your_username@hostname.tld:/Library/WebServer/Documents/.well-known/pki-validation

Where ‘AC3E5D6I8G12935LSJEIK.txt’ is the validation file name, ‘your_username’ is the username of your server account, ‘hostname.tld’ is your Mac OSX server hostname, and ‘/Library/WebServer/Documents/’ is the default directory of the document root folder.

For all server types, if you did everything correctly, you should be able to open the following URL in any web browser and see the hash code along with “comodoca.com”:

http://mywebsite.com/.well-known/pki-validation/HashFileName.txt


How to check what information my CSR has? Is it possible to look into my CSR?

Yes, you can see what information your CSR includes by using our CSR Decoder tool. It decodes the CSR, reversing the encoding applied when the CSR was generated.
