FAQs

Passing Organization Validation (OV) for a code signing cert issued by Sectigo requires the following:

• Identity Authentication
• Organization Authentication
• Locality Presence
• Telephone Verification
• Final Verification Call

To complete each step, follow our guide on how to validate a Sectigo OV Code Signing certificate.

Copy Link

How to reissue an SSL Certificate? (Except CPAC and Code Signing)

We allow you to reissue your SSL Certificate for various reasons, including Multi-Year SSL Subscriptions.

But also, you need to reissue your SSL if you:

• want to change your domain name,
• want to change your company name,
• want to change your CSR,
• use a new CSR,
• lost your Private Key, etc.

Domain Validation SSL Certificates

You can reissue your SSL Certificate from your SSL Dragon account by following the next steps:

1. Log into your SSL Dragon account;
2. Go to SSL Certificates” -> “My SSL Certificates“;
3. You will see the list of products that you bought from SSL Dragon. Click on the SSL Certificate which you would like/need to reissue;
4. Click on the “Reissue” button in the Actions section;
5. Reconfigure your SSL Certificate – select the Server Type and CSR. As a part of the reconfiguration, your existing CSR code is auto-pasted, in case you need another CSR, please replace it;
6. For Multi-Domain SSL –  The existing SANs are auto-pasted in the SANs field, if you need to change a SAN or add a new one – please update the SAN list;
7. After reconfiguring your SSL Certificate, you will have to pass the Domain Validation again.

For Domain Validation SSL Certificates, your SSL Certificate will be reissued after you pass the domain validation successfully.

Business Validation SSL Certificates

To reissue a Business Validation SSL Certificate, you have to go through the same reconfiguration and domain validation process as described under the “Domain Validation” section above. After that, you have to pass the entire Business Validation process again, so the Certificate Authority needs to recheck the legal existence of your domain name, company, and your company’s phone number. You can read how to pass the Business Validation process at this link.

Your BV SSL Certificate will be reissued after you pass the Business Validation process again.

Extended Validation SSL Certificates

To reissue an Extended Validation SSL Certificate, you have to go through the same reconfiguration and domain validation process as described under the “Domain Validation” section above. After that, you have to pass the entire Extended Validation process again, so the Certificate Authority needs to recheck the legal existence of your domain name, company, and your company’s phone number. You can read how to pass the Extended Validation process at this link.

Your EV SSL Certificate will be reissued after you pass the Extended Validation process again.

Copy Link

The process of renewing your SSL Certificate is almost the same as placing a new order. You may start the renewal within 30 days before the expiration date.

SSL certificate lifetimes are also getting shorter. The maximum validity is now 200 days (since March 15, 2026), will drop to 100 days from March 15, 2027, and to 47 days starting March 15, 2029.

Because of this, renewals will happen more often. Using ACME Certificate-as-a-Service can automate the process, helping you avoid missed renewals and keeping your certificate active without manual work.

Here are the steps on how to renew your Standard (Domain/IP address) SSL Certificate:

1. Click on the “Renew” button on the product page of your expiring SSL Certificate within your SSL Dragon account.
   

   

2. Complete the payment of the newly created invoice for the renewed SSL Certificate.
3. Once the invoice for the renewed SSL Certificate is paid, click on “Back to Client Area” or go to “My SSL Certificates” section inside your SSL Dragon account.
4. Click on the renewed SSL Certificate. Once you are on the SSL Certificate’s details page, scroll down and click on the green button that says “Configure Now”.
5. Under the “Order Type” you should choose “Renewal”. This information will go to the Certificate Authority, and they will know that you had an SSL Certificate and you are renewing it. In this way, your new SSL Certificate will be connected to the old one. All remaining days from the previous SSL Certificate will be added to the new one. (An exception to this rule are – Code Signing and CPAC SSL Certificates – unfortunately, the CA’s SSL Certificate management portal for these SSL certificates is not technically capable to match the old and new SSL Certificates.)
   

   

6. After that, you have to submit a CSR. You can use the old CSR from your previous SSL Certificate, or generate a new CSR. Either way is fine.
7. Fill in the rest of the form information for your renewed SSL Certificate.
8. Then pass the domain validation, or business validation, or extended validation, depending on what applies to your SSL Certificate.
9. When your SSL Certificate is renewed, you need to reinstall the new SSL Certificate on your server. In other words, you need to replace your old/expiring SSL Certificate with the new one which you have just received. The old certificate will NOT get replaced, renewed, or continued automatically.

Please note:

1. If you have a CPAC or Code Signing Certificate from GoGetSSL, Sectigo, Thawte, or DigiCert, then steps 4-5 do not apply to you. You will have to fill in the certificate request form for your CPAC/Code Signing Certificate on the certificate authority’s website further and let us know about the details you field in, as usual. Also, unfortunately, the CA’s SSL Certificate management portal for these SSL certificates is not technically capable to match the old and new SSL Certificates, thus the remaining days from the old SSL Certificate will not be added to the new SSL Certificate.
2. If you are renewing a Business Validation SSL Certificate or an Extended Validation SSL Certificate, you will still have to pass the Business Validation or the Extended Validation again. Anyway, the Business Validation and Extended Validation processes are quicker when renewing an SSL Certificate than when getting it for the first time.
3. If you own a Multi-Domain (SAN/UCC) SSL Certificate for which you have previously purchased & added additional SANs (domains), don’t forget to include all of them in the SANs field when configuring the renewed SSL.
4. If you want to change the validity of the renewed SSL Certificate – e.g. you have a Sectigo PositiveSSL Multi-Domain with 4 SANs (5 Domains) for 2-year SSL, but you what to renew it for 3 years. Then you must order a 3-year SSL of the same type and configuration – a Sectigo PositiveSSL Multi-Domain with 4 SANs (5 Domains) for 3-years – complete the payment, and click on the newly purchased SSL. Then please follow Steps 5-9 from above.

Copy Link

You may start the renewal process for your SSL Certificate within 30 days before its expiration date.

Your new SSL Certificate will be connected with the old one, which means that all the remaining days from the previous SSL Certificate will be added to the new one.

If you have a Domain Validation SSL Certificate, you can renew your SSL Certificate 1-2 weeks prior to your SSL Certificate’s expiration date.

Your SSL Certificate expires on its “Expires” date. Also, you should plan to have the SSL Certificate renewed enough time ahead so that you manage to install it on your website and server before your current SSL Certificate expires.

If you have a Business Validation SSL Certificate or an Extended Validation SSL Certificate, then we recommend renewing your SSL Certificate 3-4 weeks prior to the expiration date, so as you have to pass the Business Validation or Extended Validation again.

The Business Validation or Extended Validation process is quicker when renewing an SSL Certificate than when getting it for the first time.

Keep in mind that certificate lifetimes are getting shorter. The maximum is now 200 days (since March 15, 2026), will drop to 100 days from March 15, 2027, and to 47 days starting March 15, 2029. This means you’ll be renewing certificates much more often than before.

To avoid missing deadlines, you can use ACME Certificate-as-a-Service option. It automates issuance and renewal, so your certificates stay valid and your site remains secure without manual tracking or last-minute fixes.

Copy Link

Certificate revocation is the process of invalidating a code signing certificate before its scheduled expiration date. It’s software industry-standard best practice to revoke any code signing certificate associated with a security breach, as that certificate could potentially contain compromised code.

Sectigo’s Certificate Practices Statement and license agreement require the company to revoke any certificate that to its knowledge may be used for illegal or dishonest activities.

Since the same certificate could be used for both right and wrong purposes, Sectigo relies on credible third parties to provide correct information about Sectigo certificates used for malware.

Sectigo may revoke the code signing certificate in the following instances:

• A cybercriminal steals or alters a valid code signing certificate
• A contractor or employee uses a valid certificate for deceptive purposes without the company’s knowledge.
• The company’s code, website, or software is infected with malware or other cyber attacks.

As a Certificate Authority, Sectigo cannot rely on self-reporting of false positives by code signing certificate owners because they may not know that their certificates or digital goods are compromised.

Source: Sectigo’s Knowledge Base

Copy Link

Currently, SSL certificates of any type CAN NOT be issued to individuals or business entities in the following countries, websites, or the following country-code-top-level domains (TLDs). The following jurisdictions are restricted by US Export restriction laws:

• AF – AF – Afghanistan
• BY – BLR – The Republic of Belarus
• CU – CUB – Cuba
• ER – ERI – Eritrea
• GN – GIN – Guinea
• IR – IRN – Iran, Islamic Republic of
• KP – PRK – Korea, Democratic People’s Republic of
• LR – LBR – Liberia
• RU – RUS – The Russian Federation – as of March 2022
• SS – SSD – South Sudan
• SY – SYR – Syrian Arab Republic
• ZW – ZWE – Zimbabwe.

Source: Sectigo’s Knowledge Base

Copy Link

When dealing with SSL certificates, you’ll come across different certificate extensions. A file extension is a designation at the end of a file. For example, a certificate named “yourdomain.crt” has a certificate extension of “.crt” The”*” we put in front means that the name before the period could be anything. It’s only what is after the period that matters for identification of extension type. 

Below is a list of certificate extensions:

*.CSR – Certificate Signing Request – a block of encoded text with your contact data you must generate and submit to the CA during the SSL ordering process.

*CER or *CRT – Base64-encoded X.509 Certificate – stores a single certificate. This format does not support the storage of private keys.

*.PFX or *.P12 – Personal Information Exchange Format – stores private and public keys and all certificates in the path. Used to export a certificate and retain full private key functionality.

*.DER – DER-encoded binary X.509 Certificate – stores a single certificate. This format does not support the storage of private keys.

*.P7B or *.P7R or *.SPC – Cryptographic Message Syntax Standard – storage of all certificates in the path and does not store private keys.

*PEM – Privacy-Enhanced Mail – concatenated (combined) certificate containers frequently used in certificate installations when multiple certificates that form a complete chain are being imported as a single file.

*.CRL – Certificate Revocation List – designates a certificate that has been revoked.

Learn more about certificate formats and conversion tools with our detailed guide.

Copy Link

There are SSL Certificates of three validation types:

(1) Domain Validation SSL Certificates – are the least expensive SSL Certificates. They are the easiest to get, and are issued within 3-5 minutes.

(2) Business Validation SSL Certificates require you to have a registered company. When users click on the padlock icon for your certificate, they will see your company name. Also, Business Validation Certificates come with a dynamic site seal, similar to the Sectigo site seal that we have in the footer of our website. They are issued within 1-3 business days.

(3) Extended Validation SSL Certificates – just like the Business Validation certificates, the Extended Validation SSL Certificates require you to have a registered company, and when users click on the padlock icon for your certificate, they will see your company name. They also come with a dynamic site seal similar to the one from the footer of our website. They are issued within 1-5 business days.

Also, based on how many domains or sub-domains you want to secure, you can look at One Domain SSL Certificates which will secure only one single domain name or sub-domain, Multi-Domain (SAN) SSL Certificates which secure several domains and/or sub-domains at a time, and the Wildcard SSL Certificates which secure one domain and all its sub-domains under one certificate. Finally, don’t forget about the Code Signing SSL Certificates which will sign, secure and protect your software from being infected with malware and then distributed online.

Please note that all these SSL Certificates types come with the same exact security level and encryption strength.

Copy Link

You can find detailed documentation about the SSL Certificates’ best installation practices at SSL Labs.

Copy Link

What are Multi-Year SSL Subscription Plans?

Right now, certificates can run up to 200 days (since March 15, 2026). The SSL validity will change to 100 days from March 15, 2027, and then to just 47 days starting March 15, 2029.

However, in order to make your SSL Management process time-saving and cost-effective, the CAs and SSL Dragon are offering you the 2 Year and 3 Year SSL Subscription Plans.

This means that you can still buy a 2 or 3 year SSL Certificate and continue to benefit from multi-year discounting, while still remaining compliant with the CAB Forum SSL requirements.

How the Multi-Year SSL works?

Due to security reasons, your SSL certificate is initially issued with a maximum 200-day validity.

30 days before the expiration of your certificate, SSL Dragon, on behalf of the CA, will notify you and ask you to reissue your SSL, in order to get the additional (replacement) 1-year certificate, according to your Subscription Plan.

This FAQ explains to you how to reissue your SSL Certificate, step by step.

You will need to validate & install the replacement SSL:

a. If you have a Domain Validation SSL Certificate, a short verification of your domain name will be required via Email, HTTP, or DNS in order to issue the 1-yr replacement SSL.

b. If you have a Business or Extended SSL Certificate – an additional Business Validation/Extended Validation recheck and callback process will also be required.

You can still reissue your certificate at any time and as many times as you like during your Multi-Year SSL Subscription Plan.

On your SSL Certificate’s page within the SSL Dragon account, you will find all the details regarding your Subscription Plan:

• Valid From – Shows the date when your SSL was issued and became active
• Expires – Shows the date when your SSL expires and needs to be reissued (not Renewed).
• Subscription Starts – The date when the first SSL was issued and the subscription period activated
• Subscription Ends – The date when the subscription ends and SSL needs to be Renewed (not Reissued)
• Next Reissue – shows the number of days left of your SSL. The Certificate should be reissued 30-days prior to this date.

Copy Link