FAQs

You need a CSR in order to apply for an SSL Certificate. Later, when your SSL Certificate is issued to you, then you will also use the CSR code for the activation of the TLS (Transport Layer Security).

Copy Link

Unfortunately, there are no Wildcard EV SSL Certificates on the market. The Certificate Authorities refuse to issue EV Wildcard SSL Certificates because of the security reasons, so as they want to have complete control over the subdomains that they issue an EV SSL to. That is why, your only solution is to buy a Multi-Domain EV SSL Certificate that secures multiple domains and subdomains.

Copy Link

As of June 1, 2021, and in compliance with the CA/Browser Forum Code-signing Baseline Requirements, Sectigo will require RSA keys to be a minimum of 3072 bits in size.

When generating keys and CSRs for code-signing certificates, please ensure you choose an RSA key with a 3072- or 4096-bit key size.

Only the size of the keys is to change, the rest of the process remains the same. Existing RSA 2048 bit certificates will continue to work and no changes are needed to them.

Certificates requested with ECC (elliptic curve) keys are unaffected and Sectigo will still sign certificates with keys using the NIST P-256 and P-384 curves.

Source: Sectigo’s Knowledge Base

Copy Link

As of June 16, 2021, Sectigo no longer accepts WHOIS-based email addresses for Domain Control Validation (DCV) when the WHOIS requires a human lookup for domain information. Whois is a widely used Internet record listing that identifies who owns a domain and how to get in contact with them.

The change won’t affect emails that can be found on WHOIS via automated lookups. These emails will be presented to you during the certificate request process, or via the ‘GetDCVEmailAddressList’ API. The ‘constructed’ email addresses will still be available.

If the email address you need is not displayed or offered during the DCV process, you will need to use one of the alternative methods for the Domain Control Validation below:

• A pre-determined email address such as-admin@, administrator@, hostmaster@,postmaster@, webmaster@
• HTTP(s) or DNS based Domain Control Validation

Source: Sectigo’s Knowledge Base

Copy Link

Here are the steps that you need to do in order to reissue your Sectigo/Comodo Code Signing certificate:

1) Login at https://secure.trust-provider.com/products/frontpage?area=ssl using the username and password that you used when you configured your Sectigo/Comodo Code Signing certificate initially;
2) Once you are logged in, find the “Replace” button and click on it;
3) You will start the reissue process for your Sectigo/Comodo Code Signing certificate.
4) Follow the steps and instructions that come next, until you complete the Sectigo Code Signing certificate reissue.

Copy Link

Starting June 1, 2023, industry standards mandate storing code signing certificate private keys on FIPS 140 Level 2, Common Criteria EAL 4+ certified hardware. This change enhances security, aligning with EV code signing standards. Certificate Authorities can no longer support browser-based key generation or laptop/server installations. Private keys must be on FIPS 140-2 Level 2 or Common Criteria EAL 4+ certified tokens/HSMs. To sign the code, access the token/HSM and use stored certificate credentials.

In line with the new guidelines, your private key should be on the token shipped by the CA or on your Hardware Security Module.

Copy Link

All DigiCert SSL Certificates require customers to pass the Business Validation or Extended Validation process. On DigiCert SSL Certificates, these two validation processes are identical. As a part of the Business Validation or Extended Validation process, you need to provide information about your company and your company’s phone number.

DUNS number

You need to provide your DUNS number to DigiCert, and your DUNS profile needs to display your phone number. You can check your company’s DUNS number/profile on this website: https://www.dandb.com/. If you see that your DUNS listing does not contain a phone number, then you need to contact Dun & Bradstreet (at https://www.dandb.com/) and ask them to add your phone number to their “business directory and on the report”.

Please note that after asking DNB (Dun & Bradstreet) to add your phone number to your DUNS listing, it will take them a few days to do this update. You should expect to receive an email message from DNB saying that your DUNS profile has been updated successfully. Your phone number will start appearing on your DUNS profile on the https://www.dandb.com/ website only after you get that confirmation message from DNB.

At that point, you should contact DigiCert at +1 (877) 438-8776 and provide them your DigiCert Order ID and your DUNS number. You can find your DigiCert Order ID on your SSL Certificate’s details page inside your SSL Dragon account. See the screenshot on the right.

DigiCert will proceed with the callback verification process to verify your phone number. Once that is completed, your DigiCert SSL Certificate will be issued to you.

Legal letter

If adding your phone number to your DUNS listing takes too long, you can ask DigiCert to tell you what alternatives you have for passing the Business Validation or Extended Validation. DigiCert can send you an email message with information about a legal letter which you can write, then take it to a notary for them to sign it, and then scan and send it back to DigiCert by email. The letter will have your company name, address, and phone number. Once DigiCert receives it, they will do the callback on the number which you provide in the legal letter and will issue your DigiCert SSL Certificate shortly after that. Other certificate authorities have this practice too, so providing a legal letter is a common method for passing the Business Validation and Extended Validation.

Copy Link

If you are still wondering what are the main benefits of each validation type (Domain Validation (DV), Business Validation (BV), and Extended Validation (EV)) and why you should choose one vs. another, then this is the right FAQ for you. Each of these SSL Certificate types was created having in mind a certain customer trust level:

• Basic – Domain Validation SSL Certificates – created for customers who aren’t interested in showing their company name and address in the SSL Certificate – either because they don’t need/want to or simply because they just don’t have a company. They only need to get the SSL Certificate very quickly in order to secure their domain name with HTTPS and have all web and mobile browsers display their website as “Secure”.
• Medium – Business Validation SSL Certificates – designed for clients who want to display their company’s name in their SSL Certificate’s details in order to ensure their customers that their business is real and trustworthy. BV SSL Certificates also allows you to display on your website a site seal provided by the third party Certificate Authority which proves that your SSL Certificate was issued to your company’s name and address.
• Top – Extended Validation SSL Certificates – developed for clients for whom users’ trust is highly important. EV SSL Certificates also provide the site seal which proves that your SSL Certificate was issued to your website, company’s name and address but these certificates have the topmost trust level because they show your customers, prospectors, and visitors that your website is highly secure and that their information is always protected.

Now that you know the main differences between Domain Validation (DV), Business Validation (BV), and Extended Validation (EV) SSL Certificates, it should be much easier for you choose the one that fits you the best.

Copy Link

The SSL renewal requires the purchase of a brand new certificate for your domain and company. To meet the rigorous industry standards, Certificate Authorities must code the expiration date into the certificate. That’s why when an SSL cert expires, it’s no longer valid and needs replacement. It’s impossible to extend the life of an SSL certificate beyond the timeframe set by the CA/Browser Forum. 

The renewal cycle is speeding up. Certificates are capped at 200 days now (as of March 15, 2026), and that limit will shrink to 100 day in 2027 and then 47 days by March, 2029. Managing them manually doesn’t scale, especially across multiple domains.

The solution is ACME-based automation. It takes the entire certificate lifecycle off your hands. Instead of tracking expiration dates, generating CSRs, and reinstalling certificates every few months, everything runs automatically in the background.

Copy Link

To export your certificate from Internet Explorer follow the steps below:

1. Open Internet Explorer, then navigate to Tools > Internet Options.
2. From the Internet Options window, select the Content tab and then Certificates.
3. In the Certificates window, select the Personal tab.
4. Select the certificate you wish to export, then click Export…
   
5. In the Certificate Export Wizard, depending on your needs, select one of the following options:
   1. Yes, export the private key. Pick this option if you want to import the certificate into another browser/email client or mobile device.
   2. No, do not export the private key. Select this option if you need to export the certificate for other purposes such as archiving your public key.
      
6. For this demonstration we’ll pick the first option – Yes, export the private key.
7. After you click Next, from the formats presented, click the Personal Information Exchange radio button and select Include all certificates in the certification path if possible and Enable certificate privacy. Click Next to continue.

   

8. Now, create a password for your certificate. You will need it to import the certificate into another browser/mail client.

   
   

9. Click Browse and go to the location where the certificate was saved. Click Next.

   
   

10. Double-check your select settings, and click Finish to complete the Certificate Export process.

    

Source: Sectigo’s Knowledge Base

Copy Link