What is a CSR?
CSR stands for Certificate Signing Request. It is the file you hand to the Certificate Authority (CA) for every SSL/TLS certificate, and it is normally generated on your web server or from your web hosting control panel, together with the private key.
It is created based on the following parameters:
Country Name (C): Use the two-letter country ISO code without punctuation. For example: “US”.
State or Province (ST): Spell out the state or province name completely. Do not abbreviate. For example: “California”.
Locality or City (L): This field is for the City or Town name. For example: “Washington”.
Organization (O): Company or business name needs to be entered here. For example: “XYZ Corporation”.
Organizational Unit (OU): The name of the department or organization unit making the request, such as “Sales” or “Marketing”. Note that public CAs stopped including the OU field in issued certificates in September 2022, so many order forms now ignore it or require it to be left blank.
Common Name (CN): Enter the hostname / domain name for your website, i.e. “www.example.com” or “example.com” or “server2.example.com”. Modern browsers match the site name against the certificate's Subject Alternative Name (SAN) list rather than the CN; the CA fills the SAN list from your order, with the CN as the first entry.
What do I need to keep in mind while generating the CSR?
To secure both the www & non-www versions of domain.com under a Standard SSL certificate, enter the Common Name as www.domain.com; the CA adds the bare domain.com as an additional name.
For Wildcard certificates enter Common Name as *.yourdomain.com
While filling details, only use the English alphabet and numbers 0-9. Ensure no spaces in the Common Name.
If the “&” symbol is included in your Organization / Organisation Unit name, type out “and” instead.
How to generate the CSR?
Consult the official documentation for your web server to learn how to generate a CSR with a 2048-bit (or larger) RSA key. Most documentation can be found online through a simple search.
If you use a web hosting service for your website, check with your web hosting support team on how to generate it from their system. Some common scenarios for generating a CSR on various server platforms are listed here.
Alternately, if your web server / hosting control panel allows you to import an externally generated CSR & private key, you can generate a CSR (with a 2048-bit private key) using a free online tool. Bear in mind that a private key generated on someone else's website has been exposed to that website; generating the key yourself with OpenSSL on a machine you control is the safer choice.
How do I check / decode the CSR generated? What can I do if I noticed something incorrect in my CSR?
You can use an online decoder tool, or OpenSSL on your own machine, to verify the CSR generated. A CSR is signed with the private key, so none of its fields can be edited once it has been created. You will need to generate a new CSR (and, if necessary, a new key) with the correct details.
The CSR cannot be decoded. What does that mean and what should I do?
Make sure you have copied the CSR itself (the block between BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST, with every line intact) and not your self-signed certificate, your previous SSL certificate, or a PKCS#7 / PKCS#12 bundle. A CSR is also rejected when its subject fields contain characters the CA does not allow. In that case you will need to generate a new CSR using only the English alphabet and numbers 0-9. For example, if the “&” symbol is included in your Organization Name, please type out “and” instead.
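As an added example (not from the original page), here is the same procedure on the OpenSSL command line for Linux/macOS: generate the key and CSR non-interactively with the subject fields described above, decode the CSR as an online decoder would, check its self-signature (which fails for a truncated paste or for a certificate pasted by mistake), confirm that the CSR and the key belong together, and report what kind of PEM file a given file actually is. www.example.com and the subject values are placeholders, and the script assumes OpenSSL 1.1.1 or newer (for -addext).

```shell
#!/bin/sh
# Added example (not part of the original page): generate a 2048-bit RSA key
# and CSR with OpenSSL, decode the CSR, check its self-signature, confirm
# that CSR and key belong together, and report what kind of PEM file a
# given file really is. www.example.com and the subject fields are
# placeholders; substitute your own.
set -eu

# gen_csr DIR: writes DIR/www.example.com.key (private, unencrypted) and
# DIR/www.example.com.csr. -nodes skips the passphrase so a web server can
# load the key unattended. OU is omitted because public CAs no longer issue
# it. The SAN extension lists both the www and the bare name (the CA will
# normally set the SANs from your order anyway).
gen_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$1/www.example.com.key" -out "$1/www.example.com.csr" \
    -subj "/C=US/ST=California/L=Washington/O=XYZ Corporation/CN=www.example.com" \
    -addext "subjectAltName=DNS:www.example.com,DNS:example.com" 2>/dev/null
  chmod 600 "$1/www.example.com.key"   # the private key is owner-readable only
}

# csr_decode FILE: what an online decoder shows - subject, key size, SANs.
csr_decode() {
  openssl req -in "$1" -noout -text
}

# csr_subject FILE: the subject in RFC 2253 form, e.g. CN=...,O=...,C=US
csr_subject() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# csr_key_bits FILE: size of the RSA public key embedded in the CSR
csr_key_bits() {
  csr_decode "$1" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# csr_verify FILE: succeeds only if the CSR parses and its self-signature
# checks out; a truncated paste or a certificate pasted by mistake fails here.
csr_verify() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# csr_matches_key CSR KEY: the public key in the CSR must equal the public
# half of the private key, otherwise the issued certificate will not load.
csr_matches_key() {
  a=$(openssl req -in "$1" -noout -pubkey)
  b=$(openssl pkey -in "$2" -pubout)
  [ "$a" = "$b" ]
}

# pem_type FILE: prints the PEM label (CERTIFICATE REQUEST, CERTIFICATE,
# PRIVATE KEY, PKCS7 ...) or "unknown" - the first thing to check when a
# CA's order form says the CSR cannot be decoded.
pem_type() {
  sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1 | grep . || echo unknown
}

# Demo run in a temporary directory.
work=$(mktemp -d)
gen_csr "$work"
echo "type:    $(pem_type "$work/www.example.com.csr")"
echo "subject: $(csr_subject "$work/www.example.com.csr")"
echo "bits:    $(csr_key_bits "$work/www.example.com.csr")"
csr_verify "$work/www.example.com.csr" && echo "self-signature: OK"
csr_matches_key "$work/www.example.com.csr" "$work/www.example.com.key" && echo "key matches CSR"
rm -rf "$work"
```

The key never leaves the machine: only the .csr file is pasted into the order form. csr_matches_key is the check to run before installing an issued certificate on a server whose key you are not sure about, and pem_type tells you immediately whether the file you are about to paste is a request, a certificate or a private key.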
What is a private key used for?
The private key is the server's half of the key pair: during the TLS handshake the server proves it holds the key matching the certificate, which is what lets browsers set up the encrypted connection. It should never be exposed to your SSL provider or outside users, unless specifically requested by your web host for installation. Please note that if the private key is lost or deleted, you will have to generate a new CSR and private key on your server and have the certificate re-issued. Your private key is not provided by the Certificate Authority (CA) or your SSL provider.
What should I do with my private key?
Your private key should always remain private. The only party that should see your private key is your hosting company, and only if they ask for it. Do not delete your private key, as it is required for your certificate to work; keep a backup of it in a secure (preferably encrypted) location, and on the server set file permissions so that only the web server's account can read it.
Where do I request a certificate using the CSR?
You can request a certificate directly from a Certificate Authority (CA) or from one of their reseller partners; resellers are often cheaper for the same certificate.
The process is the same irrespective of which certificate seller (CA or reseller) you get your SSL certificate from.
What is Domain Control Validation (DCV) / Domain Validation (DV)? Why is it necessary?
DCV or DV is the method by which the Certificate Authority (CA) verifies that whoever requests a certificate for a hostname actually controls that domain. The CA is required to perform the DCV/DV check for every new certificate request, certificate re-issue request, and certificate renewal request.
The DCV/DV validation can be done in any ONE of the following ways:
* Email with verification link to the Email Approver
* Adding a custom DNS entry (CNAME or TXT)
* Upload a file with CA-specified content to the website, under the /.well-known/pki-validation/ directory
If I place an order for a Domain Validated SSL Certificate, which document(s) do I need to provide?
You do not need to provide any documentation in order to purchase a Domain Validated (DV) certificate. All you will need to do is confirm that you own the domain you wish to cover, either through a simple email or file or DNS-based validation.
If your domain name uses a WHOIS privacy protection service, we recommend you do NOT use email-based validation, as it will delay the domain validation and certificate issuance process.
I chose Email-based Domain Control Validation but I haven’t received my DCV email yet. What should I do?
There are a few actions you may take in this case:
First, verify which email address you have chosen for the Domain Control Validation email. This may be different from the customer contact email information you provide during the generation process. Check if the email is listed in the Email Approver list for your domain.
Make sure to check the Spam or Junk Mail folder of your email provider.
If you need to change your DCV email, or if your website's domain name uses Domain/WHOIS Privacy Protection services to hide your email address, you can use any ONE of the following five pre-approved alias email addresses, provided it already exists for your domain name:
* admin@yourdomain.com
* administrator@yourdomain.com
* hostmaster@yourdomain.com
* postmaster@yourdomain.com
* webmaster@yourdomain.com
Changes after 25th May 2018 due to GDPR
Some domain registrars such as GoDaddy have restricted access to their domain WHOIS contact info. Due to this, domains registered with these domain registrars can only use one of the five standard approver email addresses listed above for email-based DCV. see: GDPR impact on domain WHOIS info
If the email address does not exist, make sure you create it before selecting the email approver.
My File Authentication file has been uploaded to the wrong directory. What should I do?
Please upload your file to the correct directory (the CA specifies the exact path, normally /.well-known/pki-validation/ under the web root). To make sure the validation is successful, check that the file is viewable at that path on BOTH yourdomain.com AND subdomain.yourdomain.com, and that the web server returns it as plain text rather than redirecting to another page. Check with your certificate seller's customer support if you're unsure.
How long will validation take?
This largely depends on the type of certificate that you purchased and your response times. No matter which type of certificate that you purchase, the Certificate Authority (CA) will be contacting you directly and will only proceed with next steps upon your response.
For Domain Validated (DV) certificates, these can typically be issued in a matter of minutes to one business day.
Email-based DCV is completed as soon as you click the link and enter the verification code from the CA email.
DNS-based DCV is completed once the CA's resolvers see the correct DNS entry (CNAME or TXT, as the case may be). That depends on your DNS provider's propagation time and the record's TTL value; usually it takes minutes, in rare cases 1 to 4 hours.
File-based DCV is completed when the CA detects the file at the correct location and could take up to 4 hours.
Selected orders may be flagged for an additional Brand Validation procedure by the CA. That means that the CA’s managers will review your order as it requires manual check.
Possible reasons for manual review:
* Some countries may be reviewed manually, for example: South Korea, North Korea, Sudan, Afghanistan and some others.
* Your domain name includes a popular brand name, for example: facebook-app.com, sony-shop.net and others.
* Your domain name contains a string that looks like a brand name, for example the domain name “sibmama.com” may be flagged as “sIBMama” because the validation system finds “IBM” in it, so managers must check the order manually.
* Your domain name contains special words such as “pay, online, secure, booking, shop, bank, transfer, money, e-payment, payment, protection” and others; in that case validation will also be manual.
In most cases after the manual review the hold on order processing is removed. Manual review may take up to 24-48 business hours.
I completed the validation requirements, but never received the certificate. What should I do?
Please contact the certificate seller's customer support so they can check if any issue exists.
Possible issues you can check before contacting us are:
* For File-based DCV, the text file may contain extra whitespace or line breaks, the server may redirect the request (for example from http to https) instead of serving the file, or a firewall / geo-blocking rule may be rejecting HTTP/HTTPS requests from the CA's validation servers, which are usually located outside your country.
* For DNS-based DCV, the DNS record may not have been created correctly, or may need more time to propagate globally depending on the initial TTL value. Use the lowest TTL value your DNS provider allows for the quickest validation.
After completing validation, the Certificate Authority (CA) will send the certificate to the email address that was used for Domain Control Validation. If, for whatever reason, the email address does not receive the email, you can download the files from the Order Details page on the certificate seller's website.
If you have difficulty locating the email from the CA check your Spam & Junk Mail folders.
Can I use the email address listed in the domain WHOIS info to complete Domain Control Validation (DCV)?
Yes, you can do this for all Comodo/Sectigo SSL Certificates if your domain's registrar publishes this information publicly. For RapidSSL, Thawte and GeoTrust certificates you need to use one of the 5 pre-approved email addresses. To know which email addresses are authorised to be DCV Approvers for your domain, use this free DCV Email Approver Check tool.
Can I switch my method of Domain Control Validation from Email to File, or vice versa?
This option is dependent on the certificate seller's website. Check with your certificate seller's customer support to know more.
How do I avoid impact on Website SEO?
Moving to https is the right move in Google's eyes: https is a ranking signal, so you get a small boost in search results (SERPs) over similarly ranked http pages.
Having said that, you also need to be careful not to lose your existing ranking during the move. Google has published best practices for migrating to https that you should read before switching.
How do I ensure that the website loads properly after shifting to https?
It is good practice to use relative and, during the transition, protocol-relative URLs for all internal linking.
1. Relative URLs: Let you reference resources on the same host without naming a protocol. Use /images/favicon.ico instead of http://example.com/images/favico...
2. Protocol Relative URLs: Let the browser load a resource over whichever protocol the page itself used. Use //example.com instead of http://example.com or https://example.com. Once the whole site is served over https, explicit https:// links are preferable, so that nothing is ever fetched over plain http.
When linking to your https website from another location, make sure you use the URL with https:// so that the Referer information is not lost (browsers drop the Referer when an https page links to an http URL, and an http link also costs visitors an extra redirect).
Set up 301 redirects from http to https so that search engines are notified that your site’s addresses have changed and so that anyone who has bookmarked a page on your site is automatically redirected to the https address after you flip the switch.
To ensure all http calls to your website from other websites and apps are converted to https calls, you need to force https using URL rewriting. In Apache this is done with mod_rewrite rules in the .htaccess file (or in the virtual host configuration).
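As an added example (not from the original page), an .htaccess fragment for Apache that redirects every plain-http request to the same path on https with a 301. It assumes mod_rewrite is enabled and AllowOverride permits rewrite directives in .htaccess; www.example.com is a placeholder for your own hostname.

```apache
# Added example (not from the original page): send every plain-http request to
# the same path on https with a permanent (301) redirect.
# Assumes mod_rewrite is enabled and AllowOverride permits .htaccess rewrites;
# www.example.com is a placeholder for your own hostname.
RewriteEngine On
# Only act on requests that did not arrive over TLS
RewriteCond %{HTTPS} off
# Redirect to a fixed hostname (not %{HTTP_HOST}, which the client controls)
# and the same path; the query string is carried over automatically.
RewriteRule ^ https://www.example.com%{REQUEST_URI} [R=301,L]
```

If TLS is terminated by a load balancer or CDN in front of Apache, %{HTTPS} is always off and this rule would loop; in that setup test the forwarded protocol instead, with a condition such as RewriteCond %{HTTP:X-Forwarded-Proto} !https. Test the redirect with a browser's developer tools or a command-line HTTP client before relying on it, and remember that a 301 is cached by browsers, so get the target right first.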
Alternately, if your website runs on WordPress, you can also evaluate plugins to force https access from this list.
How do I download my certificate files?
When the certificate is issued, the Certificate Authority (CA) will send an email to the contact listed for the order. That email will contain the certificate files in the format matching the web server platform you provided while placing the certificate request (order).
I have received .CRT files but I need .CER files for installation on my Microsoft Windows server. How do I get .CER certificate files?
Both .CRT and .CER are just file extensions for an X.509 certificate; either one can hold the text (Base-64 / PEM) or the binary (DER) encoding. The files CAs send are usually Base-64, so in most cases you can simply rename the extension from .CRT to .CER and it should work.
However, if the Windows server rejects the file and requires the binary (DER) encoded X.509 .CER format, you can re-save it in that encoding within 2 minutes using the Windows certificate viewer:
1. Double-click the .CRT file to open it in the certificate viewer.
2. Open the Details tab and then click the Copy to File button.
3. Click Next in the Certificate Export Wizard.
4. Choose DER encoded binary X.509 (.CER), then click Next.
5. Choose Browse and type in the file name (for example: website_name), then click Save.
6. Click Next, then Finish. The file is now saved as “website_name.cer” in DER encoding.
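As an added example (not from the original page), the same conversion with OpenSSL, which also works on Linux/macOS and is easy to script over a folder of files: detect from the content whether a .crt/.cer file is text (PEM) or binary (DER), convert between the two, show that a DER file cannot be loaded as PEM (the usual cause of an “unable to load certificate” error), and confirm via the fingerprint that only the container changed. The self-signed test certificate is generated by the script itself so that it runs stand-alone; replace it with the file your CA sent.

```shell
#!/bin/sh
# Added example (not part of the original page): PEM <-> DER handling for
# certificate files whose .crt/.cer extension says nothing about the encoding.
set -eu

# cert_format FILE: prints "pem" if the file has a PEM header, else "der".
cert_format() {
  if grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
    echo pem
  else
    echo der
  fi
}

# cert_loads_as FILE pem|der: does OpenSSL accept the file in that encoding?
# Reading a DER file as PEM (or vice versa) gives "unable to load certificate".
cert_loads_as() {
  openssl x509 -in "$1" -inform "$(echo "$2" | tr a-z A-Z)" -noout 2>/dev/null
}

# cert_convert IN OUT: writes IN in the other encoding (PEM -> DER or DER -> PEM).
cert_convert() {
  if [ "$(cert_format "$1")" = pem ]; then
    openssl x509 -in "$1" -inform PEM -outform DER -out "$2"
  else
    openssl x509 -in "$1" -inform DER -outform PEM -out "$2"
  fi
}

# cert_fingerprint FILE: SHA-256 fingerprint; identical for both encodings,
# which shows that a conversion changed the container, not the certificate.
cert_fingerprint() {
  openssl x509 -in "$1" -inform "$(cert_format "$1" | tr a-z A-Z)" -noout -fingerprint -sha256
}

# make_test_cert DIR: throw-away self-signed certificate DIR/site.crt standing
# in for the one your CA issued (constructed here only so the script runs offline).
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=www.example.com" \
    -keyout "$1/site.key" -out "$1/site.crt" 2>/dev/null
}

work=$(mktemp -d)
make_test_cert "$work"
cert_convert "$work/site.crt" "$work/site.cer"    # PEM (Base-64) -> binary DER
cert_convert "$work/site.cer" "$work/site2.crt"   # and back to PEM
echo "site.crt: $(cert_format "$work/site.crt"), site.cer: $(cert_format "$work/site.cer")"
cert_loads_as "$work/site.cer" pem || echo "site.cer cannot be loaded as PEM (expected)"
cert_fingerprint "$work/site.crt"
cert_fingerprint "$work/site.cer"
rm -rf "$work"
```

The fingerprint is also what to compare against the value shown in your CA's order page to be sure the file you are installing is the certificate that was issued, whatever its extension.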
I have received .CRT files from Comodo CA but I also need .CA-BUNDLE file for installation. How do I get the .CA-BUNDLE certificate file?
You can do this using your favorite text editor in a few steps.
# Root CA Certificate – AddTrustExternalCARoot.crt
# Intermediate CA Certificate 1 – ComodoRSAAddTrustCA.crt
# Intermediate CA Certificate 2 – ComodoRSADomainValidationSecureServerCA.crt
Note: You will not need your SSL certificate for this exercise.
1. Open all 3 files mentioned above in your text editor. (Remember not to include your own domain certificate.)
2. Create a new blank text file.
3. Copy the contents of all 3 files, in reverse order, and paste them one below the other into the new file: first ComodoRSADomainValidationSecureServerCA.crt, then ComodoRSAAddTrustCA.crt, then AddTrustExternalCARoot.crt. The certificate that signed yours comes first and the root last; each block keeps its own BEGIN CERTIFICATE / END CERTIFICATE lines.
4. Save the newly created file as ‘yourDomain.ca-bundle‘.
Note that browsers ignore a root certificate sent by the server, and the AddTrust External CA Root in the example above expired in May 2020, so for a current order use the intermediate certificates the CA ships with your certificate and leave the root out of the bundle.
How to install a SSL certificate?
To install the SSL certificate you will need the private key (the one created together with the CSR) and the certificate files received from the CA.
SSL certificates have to be installed based on the type of access you have to the web server. It is recommended you have a technical expert to help you. It should be someone who knows how to do this using your web server access.
SSL certificates can be setup on most shared hosting & dedicated/cloud servers. Contact your shared hosting / server provider for details of installing externally purchased SSL certificates on their offerings.
Here are some common do-it-yourself SSL installation scenarios for Comodo/Sectigo certificates; for a given platform the procedure is exactly the same for certificates of any brand.
Want someone to install the certificate for you?
Remote installation of the certificate by an expert is available from here.
Alternately, you can try using a freelancer's services from here.
Can I install or use the third-party SSL certificates purchased here on GoDaddy web hosting?
GoDaddy allows third-party SSL certificate installs on some of its products. Visit this link for details. If you need still more info, you should check with GoDaddy Support.
Can I install or use the third-party SSL certificates purchased here on BlueHost web hosting?
BlueHost allows third-party SSL certificate installs on some of its products. Visit this link for details. If you need still more info, you should check with BlueHost Support.
Can I install or use the third-party SSL certificates purchased here on HostGator web hosting?
HostGator allows third-party SSL certificate installs on some of its products. Visit this link for details. If you need still more info, you should check with HostGator Support.
Can I install or use the third-party SSL certificates purchased here on Zencommerce platform?
Zencommerce allows third-party SSL certificate installs on the e-commerce stores hosted with them. Visit this link for details. Check with the Zencommerce support team on the web server details you need to provide before purchasing your certificate. After receiving your certificate files, you will need to send them to the Zencommerce support team to install it for your store.
Can I install or use the third-party SSL certificates purchased here on Amazon AWS cloud hosting?
Amazon AWS allows third-party SSL certificate installation. There are TWO ways to use third-party certificates on AWS:
* Setup the certificate with its private key on the EC2 instance with the web server. In this method you would set it up following the instructions for the web server platform as mentioned above. (see How to install a SSL certificate? above)
* If you need to use the certificate with other AWS services (such as load balancers or CloudFront), you need to import it into AWS Certificate Manager (ACM). (see this support article)
Can I install or use the third-party SSL certificates purchased here on Microsoft Azure cloud hosting?
Microsoft Azure allows third-party SSL certificate installation. To know more read this support article.
How can I install my SSL certificate on more than one server?
First, check your certificate license for server limitations, if any. If in doubt, contact your certificate seller's support team.
There are TWO methods to install your certificate on multiple servers:
1. Import the certificate, private key, and intermediate files on server #2, #3, etc. Every copy of the private key is another place it can be stolen from, so transfer it over an encrypted channel and keep the same tight file permissions on each server.
2. Create a new CSR and key file on server #2, #3, etc. and reissue the active certificate; each server then has its own private key.
I have accidentally deleted my “private key” what can I do now?
First check your backups and see if you can re-install the “private key”. If you don’t know how to re-install the key from your backups, contact your systems administrator.
Failing that, contact your web server software vendor for technical support.
The only alternative course of action available is a re-issuance of the certificate following the re-submitting of a fresh CSR for the same Common Name.
Certificate re-issue can be initiated via the Order Details page on the certificate seller's website.
I have changed my server, or moved to a different provider. How do I move the certificate?
The easiest way is to create a new CSR on the new machine for the same Common Name, and have the certificate re-issued.
Alternately, contact your new web hosting service provider to assist you in this process.
My certificate works in my browser, but my visitors get a Security Alert that says ‘The security certificate was issued by a company you have not chosen to trust…’ What is the problem?
The issue is that your visitors’ browsers are unable to properly identify who issued your certificate.
First, confirm that your visitors are not seeing an incorrect or outdated certificate. Some web servers need to be restarted or reloaded after installing new/updated certificates, and the previously loaded certificate is served until then.
Once you have made sure that your visitors are seeing the correct certificate, the issue is most likely solved by installing the intermediate certificates.
Do I need a dedicated/static IP address to use an SSL certificate?
Not any more. With Server Name Indication (SNI), which every current browser and web server supports, many certificates can share one IP address, and most hosting providers install certificates this way. A dedicated IP address is only needed to support very old clients that do not send SNI (for example Internet Explorer on Windows XP), or if your web host requires one; in that case you may need to purchase one from them.
My browser is not showing the padlock / secure icon, why?
There are several reasons why this could be occurring or a combination of several.
The four most common reasons are:
1. Insecure (mixed) content: the page is served over https but some elements (images, scripts, stylesheets) are still linked with explicit http:// URLs. These links need to be updated in the site's code by your system administrator or developer.
2. Missing or invalid intermediate chain. Your certificate was issued by an intermediate CA certificate; make sure that you install that intermediate (the ca-bundle) alongside your certificate on your server. If you do not have this file please contact your certificate seller's customer support.
3. Your older certificate may have been issued with the SHA-1 hashing algorithm. Browsers no longer trust this algorithm. You will need to reissue with SHA-2 (SHA-256). You can reissue your certificate yourself from your Order Details page. Every reissue requires the domain validation process to be performed again.
4. It is the incorrect certificate. Sometimes your old expired certificate or a certificate provided by your hosting company or a self-signed certificate is installed on your site. You will need to identify the source of the incorrect certificate and contact that party to resolve the issue.
Use this free online tool to know more.
When trying to go to the site over https, it displays the message ‘The page cannot be displayed.’ Why is that?
There are many reasons why this could be happening, some of which are unrelated to your certificate: commonly the web server is not listening on port 443, a firewall blocks that port, or the server refused to start because the certificate and private key do not match (check the web server's error log). So we can't give specific advice, but we recommend clicking on the “Details” button to get more specific information about this error from the browser.
Why does the website say the name on the security certificate does not match the name of the site?
This means that the hostname in the browser's URL and the names in the certificate (the Subject Alternative Names, with the Common Name as a fallback in older clients) are not an EXACT match (for instance, the www. is missing).
Another common reason for this is that the web host's own certificate is incorrectly assigned to your domain name. Or, you purchased a certificate that does not cover the specific subdomain you are looking at (a certificate for www.example.com does not cover shop.example.com unless it is a wildcard or lists that name).
Why does the website say the SSL certificate is ‘Untrusted’?
This is more than likely because the intermediate certificates were never installed. Installing them should resolve this error.
How can I check to see that my SSL certificate works properly and has been installed correctly?
You can use an SSL checker tool to test whether or not your SSL certificate has been installed properly.
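As an added example (not from the original page), the following OpenSSL script builds a throw-away three-level chain (a self-signed root, an intermediate, and a server certificate for www.example.com), assembles the ca-bundle in the order the CA-bundle answer above describes (intermediate first, root last), and then runs offline the same checks an SSL checker or a visitor's browser runs: can the server certificate be chained to a trusted root, and does the name match? It reproduces the “issued by a company you have not chosen to trust” / “Untrusted” failure when the intermediate is missing, and the “name does not match” failure for a hostname the certificate does not cover. All CA names, hostnames and file names are placeholders; the script assumes OpenSSL 1.1.0 or newer.

```shell
#!/bin/sh
# Added example (not part of the original page): build a throw-away chain
# (self-signed root -> intermediate -> server certificate), assemble the
# ca-bundle (intermediates first, root last) and reproduce the checks a
# visitor's browser performs. Example Root CA, Example Intermediate CA and
# www.example.com are placeholders.
set -eu

# issue DIR NAME SUBJECT CA_NAME|self EXTFILE: creates DIR/NAME.key and
# DIR/NAME.pem, either self-signed or signed by DIR/CA_NAME.{key,pem}.
issue() {
  d=$1; n=$2; subj=$3; ca=$4; ext=$5
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$subj" \
    -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  if [ "$ca" = self ]; then
    openssl x509 -req -in "$d/$n.csr" -signkey "$d/$n.key" -days 365 \
      -extfile "$ext" -out "$d/$n.pem" 2>/dev/null
  else
    openssl x509 -req -in "$d/$n.csr" -CA "$d/$ca.pem" -CAkey "$d/$ca.key" \
      -CAcreateserial -days 365 -extfile "$ext" -out "$d/$n.pem" 2>/dev/null
  fi
}

# make_chain DIR: root.pem, intermediate.pem, www.example.com.pem and the bundle.
make_chain() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.com,DNS:example.com\n' > "$d/leaf.ext"
  issue "$d" root "/O=Example Trust/CN=Example Root CA" self "$d/ca.ext"
  issue "$d" intermediate "/O=Example Trust/CN=Example Intermediate CA" root "$d/ca.ext"
  issue "$d" www.example.com "/CN=www.example.com" intermediate "$d/leaf.ext"
  # The ca-bundle: intermediate(s) first, then the root.
  cat "$d/intermediate.pem" "$d/root.pem" > "$d/www.example.com.ca-bundle"
}

# verify_site DIR HOSTNAME BUNDLE|none: what a browser does. The trust store
# holds only the root; the server has to supply the intermediates (the bundle).
verify_site() {
  d=$1; host=$2; bundle=$3
  if [ "$bundle" = none ]; then
    openssl verify -CAfile "$d/root.pem" -verify_hostname "$host" "$d/www.example.com.pem"
  else
    openssl verify -CAfile "$d/root.pem" -untrusted "$d/$bundle" \
      -verify_hostname "$host" "$d/www.example.com.pem"
  fi
}

# issuer_of FILE: who signed this certificate (must equal the next certificate's subject)
issuer_of() {
  openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//'
}

work=$(mktemp -d)
make_chain "$work"
echo "server certificate issued by: $(issuer_of "$work/www.example.com.pem")"
echo "--- with bundle, correct name:"
verify_site "$work" www.example.com www.example.com.ca-bundle || true
echo "--- without the intermediate (the 'untrusted' / 'not chosen to trust' case):"
verify_site "$work" www.example.com none 2>&1 || true
echo "--- wrong hostname (the 'name does not match' case):"
verify_site "$work" shop.example.com www.example.com.ca-bundle 2>&1 || true
rm -rf "$work"
```

Against a live server the equivalent check is openssl s_client -connect host:443 -servername host, whose output shows the chain the server actually sent and the verify result; if it ends with “unable to get local issuer certificate”, the intermediate is missing on the server, exactly as in the second run above.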
How do I install the Site Seal for my SSL certificate?
You can download & setup your respective Site Seal by following the instructions: