General Questions
A Web Server SSL Certificate is a digital certificate
that authenticates the identity of a Web site to visiting
browsers and encrypts information for the server via Secure
Sockets Layer (SSL) technology. Encryption is the process of
scrambling data into an undecipherable format (ciphertext),
which can only be returned to a readable format with the
proper decryption key. All of our Web Server Certificates use
128-bit encryption. A certificate serves as an
electronic "passport" that establishes an online entity's
credentials when doing business on the Web. When an Internet
user attempts to send confidential information to a Web
server, the user's browser will access the server's digital
certificate and establish a secure connection. A Web
Server SSL Certificate contains the following information:
- The certificate holder's name,
- The certificate's serial number and expiration date,
- Copy of the certificate holder's public key,
- The digital signature of the certificate-issuing authority.
A Web Server SSL Certificate ensures safe, easy and
convenient Internet shopping. Once an Internet user enters a
secure area (by entering credit card information, e-mail
address or other personal data, for example), the shopping
site's Web Server SSL Certificate enables the browser and Web
server to build a secure, encrypted connection. The SSL
"handshake" process, which establishes the secure session,
takes place discreetly behind the scenes without interrupting
the consumer's shopping experience. A "padlock" icon in the
browser's status bar and the "https://" prefix in the URL are
the only visible indications of a secure session in progress.
By contrast, if a user attempts to submit personal
information to an unsecured Web site (i.e., a site that is not
protected with a valid SSL certificate), the browser's
built-in security mechanism will trigger a warning to the
user, reminding him/her that the site is not secure and that
sensitive data might be intercepted by third parties. Faced
with such a warning, most Internet users will likely look
elsewhere to make a purchase.
All of our Web Server Certificates provide 128-bit
encryption.
SSL is the de facto standard for creating a secure,
encrypted link between a Web server and a browser. SSL thus
ensures safe passage of sensitive information, such as credit
card numbers, passwords, user names, etc. SSL is used by
e-commerce Web sites as a means to protect online transactions
with their customers. Once a secure connection has been
established, SSL encrypts information sent from your browser
to the Web server. SSL utilizes the public-and-private key
encryption system.
An "https://" prefix in the URL and a key or padlock icon
in the browser's status bar indicate that a Web site is
secure.
An SSL-encrypted session is generally
commenced once a visitor signs in to a secure area of a Web
site, such as the checkout or account-management area of an
online store.
What is browser ubiquity?
The term "browser ubiquity" describes an SSL
certificate's browser compatibility, i.e., the extent to
which the Certification Authority's root certificate is
included in the Web browsers on the market. In other words: If
the root certificate of the CA is present in the "trusted Root
Certificates" store of the browser, then the SSL certificates
issued by the CA are compatible with that browser. Thus, a
high browser ubiquity means that most existing browsers
recognize a certificate, and that secure transactions thus can
take place on those browsers. In other words: The more
browsers and browser versions supported, the higher the level
of browser ubiquity, and hence, the more versatile the
certificate is. Most SSL certificate services support all
major browsers.
Our root certificate, the Valicert Class 2 Policy
Validation Authority, is installed in the following browser
versions:
- Internet Explorer 5.01 and higher
- AOL 5 and higher
- Netscape 4.7 and higher
- Opera 7.5 and higher
- Safari on Mac OS X 10.3.4 or higher
- Mozilla (all versions)
- Firefox (all versions)
- Konqueror (all versions)
That equals 99% total browser ubiquity.
Users of older browser versions may receive a warning that
the root certificate is not trusted. When presented with the
warning, those users can simply install the root certificate. To do
so, click "View Certificate." Then, when the certificate is
displayed, click "Install Certificate." Alternatively, users
of older browsers may download and install the root
certificate directly from our repository.
The "Security Alert" (see illustration below) is
generally triggered when a Web Server Certificate is invalid
or if the Web site owner has failed to properly install the
intermediate certificate.
No, a Web server certificate only secures the exact fully
qualified domain entered as the Common Name in your
certificate signing request. Thus if your certificate secures
"www.domainnamegoeshere.com" it will not secure the
domain "domainnamegoeshere.com." If a user types in
"domainnamegoeshere.com" (without the "www") he/she will
receive a warning about the validity of the certificate.
If you need to secure both domains you must request a Web
server certificate for each of them. Alternatively, you can
contact your domain registrar and request that your DNS
records be set up so that typing in "domainnamegoeshere.com"
automatically resolves to
"www.domainnamegoeshere.com."
We cannot retrieve a lost password. If you forgot your
SSL account password, you may create a new one instead.
To do so, please go to the login screen and enter your User
ID and the e-mail address you used when you set up the
account; then create a temporary security code. Do not forget
your security code, as you will need it to reset the password.
Once you have entered the requested information you will
receive an e-mail message that contains a link to the page
that allows you to reset your password. Note that you must
click the link and reset the password within 30 minutes.
If any site element (an image, for example) is being
queried from outside the secure layer, the padlock icon will
not be displayed in the user's browser. To resolve this
problem, make sure that all images and other site elements you
want on the secure version of your Web site are being pulled
from a secure folder located within the secure site.
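An added example (not part of the original FAQ): a small scanner that lists the subresources an https page would load over plain http, which is the condition described above that suppresses the padlock. The page URL and HTML are constructed sample input, and the set of tags checked is an assumption covering the common cases.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch a subresource (assumed common set).
FETCH_ATTRS = {"img": "src", "script": "src", "iframe": "src", "embed": "src",
               "audio": "src", "video": "src", "source": "src", "object": "data"}


class SubresourceCollector(HTMLParser):
    """Collects (tag, absolute URL) for everything the page loads while rendering."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.base = page_url      # changes if the page carries <base href=...>
        self.found = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            self.base = urljoin(self.page_url, attrs["href"])
            return
        if tag == "link":
            # Only stylesheets are fetched and applied; other rel values are skipped.
            rels = (attrs.get("rel") or "").lower().split()
            ref = attrs.get("href") if "stylesheet" in rels else None
        else:
            ref = attrs.get(FETCH_ATTRS.get(tag, ""))
        if ref:
            # Relative and scheme-relative references inherit the page's scheme.
            self.found.append((tag, urljoin(self.base, ref.strip())))


def insecure_subresources(page_url, html):
    """Return (tag, url) for each subresource an https page loads over http."""
    if urlsplit(page_url).scheme != "https":
        return []                 # the padlock question only arises on an https page
    collector = SubresourceCollector(page_url)
    collector.feed(html)
    collector.close()
    return [(tag, url) for tag, url in collector.found
            if urlsplit(url).scheme == "http"]


# Constructed sample input, not taken from a real site.
SAMPLE_PAGE_URL = "https://www.domainnamegoeshere.com/checkout/index.html"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/css/shop.css">
<script src="//cdn.example.net/cart.js"></script>
</head><body>
<img src="http://www.domainnamegoeshere.com/images/logo.gif">
<img src="images/visa.gif">
<a href="http://www.domainnamegoeshere.com/">Home</a>
<iframe src="http://ads.example.net/banner.html"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, url in insecure_subresources(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"<{tag}> loads {url}")
```

Ordinary links (`<a href>`) are not reported because following a link does not load content into the secure page.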
Our Web Server Certificates can be issued to individuals and
companies worldwide, but with the following restrictions:
High Assurance Web Server Certificates currently cannot be
issued to requestors in the following countries:
- Afghanistan
- Belarus
- Burundi
- Congo, Democratic Republic of the (formerly Zaire)
- Congo, Republic of the
- Côte d'Ivoire
- Cuba
- Cyprus
- Haiti
- India
- Indonesia
- Iran
- Iraq
- Israel
- Liberia
- Libya
- Myanmar
- North Korea
- Pakistan
- People's Republic of China
- Russia
- Rwanda
- Sierra Leone
- Somalia
- Sudan
- Syria
- Tanzania
- Uganda
- Vietnam
- Yemen
- Zimbabwe
Medium Assurance Web Server Certificates (aka "Turbo SSL
certificates") currently cannot be issued for Web sites with
the following country-code top-level domains:
- .af (Afghanistan)
- .cu (Cuba)
- .ir (Iran)
- .ly (Libya)
- .kp (North Korea)
- .rw (Rwanda)
- .sd (Sudan)
- .sy (Syria)
Certificate Types
This Certification Authority (CA) is offering two types
of Web Server SSL Certificates: High Assurance Web Server
Certificates and Turbo SSL Web Server Certificates. The main
difference between the certificate types lies in validation
level and issuance speed. Your choice of certificate type
should depend on the size and type of your business, your
budget and whether or not you prefer (close-to) instant
certificate issuance to a more thorough validation process.
See below for a comparison between our Web Server
Certificates.
Certificate Comparison
| | High Assurance Certificate Corporate | High Assurance Certificate Small Business/Sole Proprietor | Turbo SSL Certificate |
| --- | --- | --- | --- |
| Authentication Process | Domain control verification, corporate identity, fraud screening | Domain control verification, individual identity, fraud screening | Domain control verification, fraud screening |
| Issuance Speed | 2-5 business days | 2-5 business days | Immediate |
| Name in Certificate "O" Field | Company name | Requestor name | Web site's common name |
| Encryption Level | 128 bit | 128 bit | 128 bit |
A Web Server SSL Certificate secures a single domain
name. A Wild Card SSL Web Server Certificate secures
multiple sub-domains of a domain name.
When generating a Certificate Signing Request (CSR) for a Wild Card
certificate, please add an asterisk (*) on the left side of
the Common Name (e.g., "*.domainnamegoes.com" or
"www*.domainnamegoeshere.com"). This will secure all
subdomains of the Common Name.
Note: A Web server
certificate only secures the exact fully qualified domain
entered as the Common Name in your certificate signing
request. Thus if your certificate secures
"www.domainnamegoeshere.com" it will not secure the
domain "domainnamegoeshere.com." If you need to secure both
domains you must request a Web server certificate for each of
them.
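The matching rule behind this note and the earlier "www" answer, as an added example that is not part of the original FAQ: a certificate name covers a host only when every label lines up, and an asterisk stands in for part or all of the left-most label only. The function names are hypothetical, and the sketch compares against the Common Name as this page describes; current browsers run the comparison against the certificate's subjectAltName entries instead.

```python
def labels(name):
    """Lower-case a DNS name, drop a trailing dot, and split it into labels."""
    return name.rstrip(".").lower().split(".")


def label_matches(pattern, label):
    """Compare one label; a single '*' stands for any run of characters in it."""
    if "*" not in pattern:
        return pattern == label
    if pattern.count("*") != 1:
        return False
    # Partial-label patterns such as www* follow this page; many current
    # clients accept only a bare '*' as the whole left-most label.
    prefix, suffix = pattern.split("*")
    return (len(label) >= len(prefix) + len(suffix)
            and label.startswith(prefix) and label.endswith(suffix))


def name_matches(cert_name, hostname):
    """True if a certificate issued for cert_name covers hostname."""
    cert, host = labels(cert_name), labels(hostname)
    # Same number of labels on both sides: a wildcard never covers zero labels
    # (the bare domain) or two labels (a sub-subdomain).
    if len(cert) != len(host) or "" in host:
        return False
    # The asterisk is honoured in the left-most label only.
    if any("*" in label for label in cert[1:]):
        return False
    return label_matches(cert[0], host[0]) and cert[1:] == host[1:]


def uncovered(cert_name, hostnames):
    """Hostnames from the list that would trigger a name-mismatch warning."""
    return [h for h in hostnames if not name_matches(cert_name, h)]


if __name__ == "__main__":
    # Constructed host list for the page's example domain.
    hosts = ["domainnamegoeshere.com", "www.domainnamegoeshere.com",
             "shop.domainnamegoeshere.com", "a.shop.domainnamegoeshere.com"]
    for cn in ("www.domainnamegoeshere.com", "*.domainnamegoeshere.com"):
        print(cn, "does not cover:", uncovered(cn, hosts))
```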
Certificate Issuance
High Assurance Web Server Certificates
If all required documentation is provided and we
successfully authenticate the submitted information, a High
Assurance Web Server Certificate generally can be issued
within 2-5 hours of CSR submission.
Turbo SSL Web Server Certificates
If all required documentation is provided and we
successfully authenticate the submitted information, a Turbo
SSL Web Server Certificate can be issued within minutes of CSR
submission.
High Assurance Web Server Certificate
Corporate Authentication Process
Before issuing an SSL certificate, we will authenticate
that:
- The certificate is being issued to an organization that is
  currently registered with a government authority.
- The requesting entity controls the domain in the request.
- The individual requesting the certificate is associated with
  the organization named in the certificate.
Note: Submitted information must successfully pass a
fraud screening procedure before a Web Server Certificate can
be issued.
Note that if the submitted documentation is written in a
language other than English, an English translation must be
submitted along with a copy of the original
document(s).
High Assurance Web Server Certificate
Small Business/Sole Proprietor Authentication Process
Before issuing an SSL certificate, we will authenticate
that:
- The individual who requested the certificate is who he/she
  claims to be.
- The individual requesting the certificate controls the domain
  in the request.
- The individual named in the certificate is the individual who
  requested the certificate.
Note: Submitted information must successfully pass a
fraud screening procedure before a Web Server Certificate can
be issued.
Note that if the submitted documentation is written in a
language other than English, an English translation must be
submitted along with a copy of the original document(s).
Turbo SSL Web Server Certificate
Before issuing an SSL certificate, we will authenticate
that:
- The requesting entity controls the domain in the request.
Note: Submitted information must successfully pass a
fraud screening procedure before a Web Server Certificate can
be issued.
Our authentication process ensures the
highest level of trust. Only through thorough validation of
submitted data can the online customer rest assured that
online businesses that display SSL certificates indeed are to
be trusted.
If we are unable to authenticate the submitted
information, the certificate request will be denied. In some
cases, the requestor may be able to fix the problem by
providing additional documentation to enable authentication.
We will notify you if additional documentation is needed.
Note: If, when processing a High Assurance Web Server
Certificate Request, we are unable to authenticate the
existence/identity of the requesting entity, the requestor
will have the option of aborting the validation process and
instead having us issue a Turbo SSL Web Server Certificate,
which relies on validation of domain control only. If the
requestor declines this option, the certificate request will
be denied.
To install your certificate, you will need the original
private key, which was created when you first generated your
CSR. If you cannot find this key, or it cannot be accessed,
you cannot use the certificate and you will have to get a new
one. Click here for
certificate-installation instructions for supported Web server
software.
Certificate Requests
In order to purchase a digital certificate, you must
first generate and submit a Certificate Signing Request (CSR)
to a Certification Authority (CA). The CSR is generated with
your Web server software, which will also create your
public/private key pair used for encrypting and decrypting
secure transactions. Click here for CSR-generation
instructions for all supported server software.
Please note that if you are applying for a hosting-integrated
certificate (i.e., the domain to which you wish to apply the
SSL certificate is hosted with your certificate provider), then
your hosting provider will generate and submit the CSR for
you.
You can monitor the status and progress of your
certificate request in the certificate-management section of
our SSL Web site.
If we are unable to verify a certificate-requesting
entity's domain registration ownership and domain control via
the Whois database (generally because the information in the
Whois database cannot be found or does not match the
information in the certificate request), the requestor must
instead provide a Domain Authorization Letter from his/her
domain registrar as documentation of domain registration
ownership. If we successfully authenticate the letter, a
Registration Authority (RA) associate will manually verify
domain control.
In order to obtain a Domain
Authorization Letter you must request it from your domain
registrar. Consult your registrar for specific instructions.
If the domain in the certificate request is hosted
with our Domains By Proxy affiliate, log in to your Domains By
Proxy account and request the Domain Authorization Letter.
Domains By Proxy will prepare the letter within 48 hours of
the request.
Once you have obtained the Domain
Authorization Letter, please fax or scan-and-e-mail it to us
as proof of domain registration ownership. An RA associate
will review the letter upon receipt.
Certificate Management
If you allow a certificate to expire, the certificate
will be invalid and you will no longer be able to secure
transactions on your Web site. We will prompt you to renew
your SSL certificate in due time. You can renew a certificate
for one or two years. Please note that a certificate can be
renewed up to 120 days prior to and 30 days following the
expiration date. If the certificate is allowed to expire, the
visitor's browser will display a warning upon entering the Web
site area that was supposedly protected with your SSL
certificate.
To renew an expiring SSL certificate, you must purchase a
certificate-renewal credit from us; then log in to your SSL
account and follow the provided instructions for requesting a
certificate renewal. We will prompt you to renew expiring SSL
certificates via e-mail. Renewal notices will be sent 30 and
15 days prior to the certificate's expiration date.
Please note that a certificate can be renewed up to 120
days prior to and 30 days following the expiration date. If
the certificate is allowed to expire, the visitor's browser
will display a warning upon entering the Web site area that
was supposedly protected with your SSL certificate.
Depending on your choice of Web server software, you may or
may not need to generate a new Certificate Signing Request
(CSR) for the renewed certificate. If you are using
Linux-based server software, you may use your existing CSR for
the certificate renewal (you can also generate and submit a
new one, if so desired). If you are running Microsoft IIS 4.x,
5.x, or 6.x on your Web server, it is strongly recommended
that you generate and submit a new CSR before attempting to
renew your SSL certificate.
Note: If any of the
information in your CSR (including company name or address
information) has changed, you must generate and submit a new
CSR before your certificate can be renewed.
Once the renewed certificate has been signed and issued, we
will e-mail it to you, along with our intermediate certificate
and certificate-installation instructions for all supported
Web servers.
If more than 13 months have elapsed since the last time we
authenticated you or your company as part of the
certificate-issuance process, you must submit your
personal/company information again as we will need to
authenticate the information again before a renewed
certificate can be issued. If you or your company were
successfully authenticated less than 13 months ago, we will
not need to re-verify your information in order to renew your
certificate.
A certificate holder may request that his/her certificate
be revoked, i.e., deleted. A revoked certificate is instantly
rendered invalid. Generally, a certificate should only be
revoked if the security of the holder's private key has been
compromised.
Consider revoking your certificate if any
of the following situations occur:
- Loss of your private key,
- Your private key is compromised,
- The certificate contains incorrect information.
A revoked certificate cannot be re-keyed, reissued or
renewed.
Reissuing a certificate means to reproduce an existing
certificate. Certificates are generally reissued if the
certificate holder has lost his/her certificate.
Re-keying is the process of replacing an existing SSL
certificate. Specifically, re-keying entails:
- Deleting/revoking an existing SSL certificate,
- Creating a new public/private key pair,
- Issuing a new SSL certificate.
The original certificate is automatically deactivated when
the new one is issued.
Consider re-keying an SSL
certificate if any of the following situations occur:
- Loss of your private key,
- Compromise of your private key,
- Certificate does not work properly.
Note that the Distinguished Name (DN) in the replacement
SSL certificate must be identical to the Distinguished Name in
the SSL Certificate that is being re-keyed. In other words:
The Common Name, Organization Name,
Locality, State/Province, and Country
as entered in the Certificate Signing Request (CSR)
must be the same in both of the certificates. Certificate
holders can have their certificates re-keyed at no
expense.
You can only request a re-key within 30 days
of initial issuance of certificate. A maximum of two re-key
requests is permitted within the 30-day period.
Intermediate Certificates
In order to enhance the security of the Root certificate
(Valicert Class 2 Policy Validation Authority), we have
created an intermediate certificate from which SSL
certificates are signed and issued. An intermediate
certificate is a subordinate certificate issued by the trusted
root specifically to issue end-entity server certificates. The
result is a trust chain that begins at the trusted root CA,
passes through the intermediate and ends with the SSL
certificate issued to you. Such certificates are called
chained root certificates.
Creating certificates
directly from the CA Root Certificate increases the risk of CA
Root Certificate compromise, and if the CA Root Certificate is
compromised, the entire trust infrastructure built by the SSL
provider will fail. The usage of intermediate certificates for
issuing SSL certificates to end entities, therefore, provides
an added level of security. You must install the intermediate
certificate in your Web server along with your issued SSL
certificate.
Using intermediate certificates does not
cause installation, performance or compatibility
issues.
Once your Web Server Certificate has been issued, you
will receive an e-mail message containing the issued
certificate, along with our intermediate certificate and
certificate-installation instructions for all supported Web
servers. The certificates and installation instructions will
be attached to the message in .ZIP format. Please download and
unzip the attachment before proceeding to the installation
process. The specific procedure through which the intermediate
certificate is installed depends on the type of server
software you are using. Please refer to the attached
installation instructions for the specific installation process
for your certificate, including the intermediate certificate.
Our intermediate certificate is also available from
the repository.
Failure to properly install our intermediate certificate
along with the issued Web Server Certificate means that the
trusted-chain certificate cannot be established. This means
that when visitors attempt to access your supposedly secure
site they will be presented with a "Security Alert" that
indicates that "The security certificate was issued by a
company you have not chosen to trust." Faced with such a
warning, potential customers most likely will take their
business elsewhere.
Downloading and installing the
intermediate certificate on your Web server will immediately
fix this problem. The intermediate certificate is attached to
the e-mail message you'll receive upon certificate issuance.
It is also available from the repository.
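An added example (not part of the original FAQ) that models the chain walk described above by issuer and subject name only, with no signature checking, to show why a server that omits the intermediate produces the "not trusted" alert and which certificate is missing. The intermediate's name and the `Cert` and `build_chain` names are hypothetical; only the root name comes from this page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool = False


def build_chain(leaf, sent_by_server, trusted_roots, max_depth=8):
    """Walk issuer links upward from the leaf.

    Returns (chain_subjects, problem); problem is None when the walk ends
    at a root the browser already trusts.
    """
    pool = {c.subject: c for c in sent_by_server}
    roots = {c.subject for c in trusted_roots}
    chain, current = [leaf.subject], leaf
    while len(chain) <= max_depth:
        if current.issuer in roots:
            return chain + [current.issuer], None
        # The browser can only climb further using what the server sent.
        parent = pool.get(current.issuer)
        if parent is None:
            return chain, "issuer not available: " + current.issuer
        if not parent.is_ca or parent.subject in chain:
            return chain, "not a usable CA certificate: " + parent.subject
        chain.append(parent.subject)
        current = parent
    return chain, "chain too long"


# Constructed sample certificates; the intermediate's name is a placeholder.
ROOT = Cert("Valicert Class 2 Policy Validation Authority",
            "Valicert Class 2 Policy Validation Authority", is_ca=True)
INTERMEDIATE = Cert("Example Intermediate CA (placeholder)", ROOT.subject, is_ca=True)
LEAF = Cert("www.domainnamegoeshere.com", INTERMEDIATE.subject)

if __name__ == "__main__":
    cases = {
        "intermediate installed": ([LEAF, INTERMEDIATE], [ROOT]),
        "intermediate missing": ([LEAF], [ROOT]),
        "root not in browser store": ([LEAF, INTERMEDIATE], []),
    }
    for label, (sent, store) in cases.items():
        chain, problem = build_chain(LEAF, sent, store)
        print(f"{label}: {' -> '.join(chain)} | {problem or 'trusted'}")
```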