Get answers to the most common questions asked around SSL certificates such as CSR generation, SSL certificate installation, SSL certificate renewal, Domain Validation, SSL order process at iWebz.




General SSL FAQs

What is SSL?

SSL, which stands for Secure Sockets Layer, is a cyber-security protocol that digitally encrypts information sent from a browser to a server. SSL certificates are used to protect sensitive information like credit card numbers, usernames, passwords, email addresses, and more. A website with an SSL certificate is identified using a number of trust indicators, like "https" and the padlock icon in the browser bar, a site seal from a reputable Certificate Authority (CA), and a green bar that wraps around the URL on more premium certificates.


What is a Domain Validated (DV) SSL Certificate?

A Domain Validated (DV) SSL certificate is a quick and easy way to secure a domain, as the Certificate Authority (CA) issuing the certificate only requires verification that the recipient actually owns the domain they wish to cover. This verification process can typically be completed in a matter of minutes. However, these certificates offer little in the way of SSL recognition, so they are recommended for websites where visitor trust is not of high importance and information like usernames, passwords, or credit card information is not required.


What is the difference between 128- and 256-bit security?

That is the difference between the key lengths used once an SSL connection has been established in the browser. 256-bit security is indeed a bigger key however that does not necessarily mean it is more secure. Experts and research agrees that 128-bit is equally secure for the foreseeable future. The only reason 256-bit security is needed is if it's specifically required by your industry or company policy. All our certificates have the ability to use either bit-length, which one you use is a matter of server configuration, NOT certificate support.


How can I use 256-bit encryption?

256-bit encryption is a server configuration. This has nothing to do with the certificate itself, it is based on your server configuration. To learn this, you should seek information provided by your webhosting platform or operating system. They will inform you how to set this encryption strength up.


What is the difference between 1024- and 2048-bit key lengths?

These key lengths refer to the strength of the private key. You can think of it as the size of the cypher being used to encode your messages. Obviously, 2048-bit private keys are exponentially more secure than 1024-bit ones and are the new standard across the industry and are required during the generation process.


What is the difference between SHA-1 and SHA-2?

SHA stands for Signature Hashing Algorithm. It's a mathematical hash that proves the authenticity of the certificate. SHA-1 is an older version of the algorithm that is no longer seen as secure by industry experts and major browsers and is not allowed to be used during the generation process any longer by the industry. SHA-2 is the latest version that is widely accepted and viewed as secure by all major browsers and industry experts. The hashing algorithm of your CSR has no relevance to what hashing algorithm is used on the certificate.


What is a Certificate Authority and what is your relationship to them?

A Certificate Authority (CA) is the company that actually issues the SSL certificates. Symantec, Thawte, GeoTrust, RapidSSL, Certum, and Comodo are all CAs, for example. We are a reseller of these CAs, meaning that we are able to offer the exact same certificate that you would get from buying direct, but at much lower prices. Since we buy in bulk, we are able to offer them at the significant discounts that you see.


Which SSL brands are most trusted & secure?

All of the Certificate Authorities (CAs) that we carry are leaders in the industry and trusted across the world. Symantec is the largest CA in the world, and their Norton Trust Seal is the most recognized symbol of trust across the web. Their name definitely adds the most value of any CA in the industry. Additionally, GeoTrust, Thawte, RapidSSL, Certum, and Comodo are all trusted and secure CAs.


Can I see which Certification Authorities have their own Trusted CA root present in browsers?

Yes, the brands that we provide all have their roots included in modern devices and browsers. They all feature 99% or better compatibility, or browser ubiquity.


What is the SSL certificate warranty?

An SSL certificate warranty, also known as relying-party warranty, covers any damages that you may incur as a result of a data breach or hack that was caused due to a flaw in the certificate. The warranties range in value, which means that the higher value certificates come with more extensive warranties.more details


What is browser ubiquity or browser recognition?

Browser ubiquity or browser recognition basically means how many browsers recognize an SSL certificate and properly display the trust indicators. So, the higher the browser ubiquity of an SSL certificate, the more browsers that recognize and accept it.


How do you define Mobile support?

If your website or online store attracts a lot of visitors from mobile operating systems such as Android, Windows Mobile, Blackberry, Symbian OS, Palm OS or iOS(iPhone, iPad), we would advise you to select an SSL certificate with Mobile Support. This is especially true for mobile devices with older browsers or operating systems. While regular web browsers accept both root and intermediate certificates, many mobile browsers will only accept root certificates and will give SSL errors if they encounter an intermediate certificate.

Mobile web browsers & operating systems covered under Mobile support are as follows:

Mobile Web Browsers

  • ACCESS NetFront
  • Atomic
  • Dolphin HD
  • Fennec Alpha
  • Internet Explorer (All Windows devices)
  • Opera Mini
  • Opera Mobile
  • Openwave
  • Chrome for Mobile
  • Firefox Mobile
  • RIM BlackBerry
  • Safari (iPhone, iPad, and iPod Touch)
  • SkyFire
  • Sony PlayStation Portable
  • xScope

Mobile operating systems

  • Android
  • BlackBerry OS
  • Brew
  • iOS
  • Meego
  • Palm OS
  • Palm WebOS
  • Windows CE
  • Windows Mobile
  • Windows Phone 7/8
  • Maemo
  • Symbian
  • Sailfish OS


How long are your SSL certificates valid for?

Our SSL certificates can be valid from anywhere to 1-3 years, depending on the certificate you choose to purchase.


Can I use SSL to cover an internal domain?

You can use SSL to cover an internal domain if it is an officially registered domain (a publically available FQDN). If the internal domain is not a delegated and registered domain, the certificate will not be issued.


What is an Intermediate certificate?

An intermediate certificate is a file that helps the web browser identify who issued your SSL certificate. It is not required, but it is HIGHLY recommended that you install it along with your server SSL certificate in order to have full compatibility with all desktop & mobile browsers and mobile devices.


Where do I get my Intermediate certificate?

An intermediate certificate will be emailed to you along with your SSL certificate. You can also download the intermediate certificate from the vendor's website, which is something that can be done if you didn't receive the intermediate via email. This is also sometimes referred to as the "CA Bundle." It is also important to note that some certificates have multiple intermediate certificates.


What if I can only use one certificate file?

If your hosting platform or company tells you that you can only use one certificate file, then you can combine your server certificate text with the intermediate file text.

back to FAQ menu





CSR Generation FAQs


What is a CSR?

CSR stands for Certificate Signing Request and is necessary for all SSL certificates in order to complete the generation process. It is usually generated from your web server / web hosting control panel.

sample csr

It is created based on the following parameters:
Country Name (C): Use the two-letter country ISO code without punctuation. For example: “US” or “IN”.
State or Province (S): Spell out the state or province name completely. Do not abbreviate. For example: “California” or “Maharashtra”.
Locality or City (L): This field is for the City or Town name. For example: “Washington” or “Mumbai”.
Organization (O): Company or business name needs to be entered here. For example: “XYZ Corporation”.
Organizational Unit (OU): This field is the name of the department or organization unit making the request such as “Sales” or “Marketing”.
Common Name (CN): Enter the hostname / domain name for your website i.e. “” or “” or “”.


What do I need to keep in mind while generating the CSR?

  • To secure both www & non-www versions of under a Standard SSL certificate, enter Common Name as
  • For Wildcard certificates enter Common Name as *
  • While filling details for the CSR, only use the English alphabet and numbers 0-9
  • If the “&” symbol is included in your Organization / Organisation Unit name, type out “and” instead.


How do I generate a CSR?

Please consult official documentation for your web server to know how to generate a CSR with a 2048-bit key. Most documentation can be found online through a simple Google search. If you use a web hosting service for your website, check with your web hosting support team on how to generate it from their system. Some common scenarios for generating CSR on various server platforms are listed here.

Alternately, if your web server / hosting control panel allows you to import an externally generated CSR & Private key, you can generate a CSR (with a 2048-bit Private key) using our online free service.


How do I check / decode the CSR generated? What can I do if I noticed something incorrect in my CSR?

You can use an online decoder tool to verify the CSR generated. It is impossible to edit any fields once it has been created. You will need to generate a new CSR with the correct details.


The CSR cannot be decoded. What does that mean and what should I do?

Make sure you have the correct file copied and not your self-signed certificate, your previous SSL, or if it is bundled as a PKCS7 or PKCS12. Or, you could have a pass-phrase that does not have alpha-numeric characters or disallowed characters. If this is the case, you will need to generate a new CSR without the disallowed characters or in the proper form. Please only use the English alphabet and numbers 0-9. For example, if the "&" symbol is included in your Organization Name, please type out "and" instead.


What should I do if I receive a 'CSR invalid' error during the certificate activation process?

If this happens, your common name is not appropriately formatted for your type of certificate (wildcard certificates should use *, for example) or you could also have disallowed characters in other fields. Please create a new CSR that only use the English alphabet and numbers 0-9. For example, if the "&" symbol is included in your Organization Name, please type out "and" instead.


What is a private key used for?

The private key is used on the server-side exchange for creating the secure connection. It should never be exposed to your SSL provider or outside users, unless specifically requested by your web host for installation. Please note if the private key is lost or deleted, you will have to make a new CSR and private key on your server. Your private key is not provided by the Certificate Authority (CA) or your SSL provider.


What should I do with my private key?

Your private key should always remain private. The only person that should see your private key is your hosting company, if they ask for it. However, do not delete your private key, as it is required for your certificate to work.


back to FAQ menu





SSL Validation / Authentication FAQs


What is Domain Control Validation (DCV) / Domain Validation (DV)? Why is it necessary?

DCV or DV is the method by which the Certifying Authority (CA) verifies that you are authorised to request a certificate for that hostname by the domain owner. The DCV/DV check is compulsorily done by the CA for every new certificate purchase/request, certificate re-issue request, or certificate renewal request.

The DCV/DV validation can be done in any ONE of the following ways:

  • Email with verification link to the domain owner from Email Approver list
  • Upload a custom file to a website folder
  • Adding a custom DNS entry (CNAME or TXT).


If I place an order for a Domain Validated SSL Certificate, which document(s) do I need to provide?

You do not need to provide any documentation in order to purchase a Domain Validated (DV) certificate. All you will need to do is confirm that you own the domain you wish to cover, either through a simple email or file or DNS-based validation.

If your website uses Privacy Protection services for your domain name, we recommend you do NOT use Email-based validation as it will delay the domain validation and certificate issue process.


I haven't received my Domain Control Validation email (DCV) yet. What should I do?

There are a few actions you may take in this case:

  • First, verify which email address you have chosen for the Domain Control Validation email. This may be different from the customer contact email information you provide during the generation process. Check if the email is listed in the Email Approver list for your domain.
  • Make sure to check the Spam or Junk Mail folder of your email provider.

If you need to change your DCV email, or if your website’s domain name uses Domain/WHOIS Privacy Protection services to hide your email address, you can use any ONE of the five following pre-approved alias email if you have already created them for your domain name:

Also, make sure to check the Spam or Junk Mail folder of your email provider.


How do I change some information for my Domain Control Validation email (DCV)?

If the common name needs to be changed, the only way to do so is by cancelling and reordering the certificate.


My File Authentication file has been uploaded to the wrong directory. What should I do?

Please upload your file to the correct directory. To make sure the authorization is successful make sure the file is viewable at both and


How long will validation take?

This largely depends on the type of certificate that you purchased and your response times. No matter which type of certificate that you purchase, the Certificate Authority (CA) will be contacting you directly and will only proceed with next steps upon your response. For Domain Validated (DV) certificates, these can typically be issued in a matter of minutes to one business day.

  • Email-based DCV is completed as soon as you click the link and enter the verification code from the CA email.
  • File-based DCV is completed when the CA detects the file at the correct location and could take upto 4 hours.
  • DNS-based DCV is completed when the CA detects the correct DNS entry (CNAME or TXT as the case may be) after it has propagated globally and could take upto 12 hours in rare cases.

Selected orders may be flagged for an additional Brand Validation procedure by the CA. That means that the CA’s managers will review your order as it requires manual check.

Possible reasons for manual review:

  • Some countries may be reviewed manually, for example: South Korea, North Korea, Sudan, Afghanistan and some others.
  • Your domain name include popular Brand name, for example:, and others.
  • Your domain name has similar brand name, for example you have domain name “”, but validation system may flag your order as “sIBMama”, so “IBM” brand was found in your name, so managers must check order manually.
  • Your domain name has special words: “pay, online, secure, booking, shop, bank, transfer, money, e-payment, payment, protection and others”, in that case validation also will be manual.

In most cases after the manual review the hold on order processing is removed. Manual review may take up to 24-48 business hours.


I completed validation, but never received the certificate. What should I do?

After completing validation, the Certificate Authority (CA) will send the certificate to the email address you provided as your technical contact. If you have difficulty locating the email with the Order Details page link after checking your Spam & Junk Mail folders, please submit a ticket so we can resolve your case.


Can I use the email address listed in the Whois to complete Domain Control Verification (DCV)?

Yes, you can do this for all Comodo SSL Certificates listed on our website. For RapidSSL, Thawte and GeoTrust certificates you need to use one of the 5 pre-approved email addresses. To know which email addresses are authorised to be DCV Approvers for your domain use this free DCV Email Approver Check tool.


I have accidentally deleted my "private key" what can I do now?

First check your backups and see if you can re-install the "private key". If you don't know how to re-install the key from your backups, contact your systems administrator. Failing that, contact your web server software vendor for technical support. The only alternative course of action available is a re-issuance of the certificate following the re-submitting of a replacement CSR. This will be charged at the full amount as a new order.


I have changed my server, or moved to a different provider; how do I move the certificate?

The easiest way is to create a new CSR on the new machine and have the certificate re-issued. Alternately, contact your new web hosting service provider to assist you in this process.

back to FAQ menu





SSL Order Processing FAQs


What should I do with my private key?

Your private key should always remain private. The only person that should see your private key is your hosting company, if they ask for it. However, do not delete your private key, as it is required for your certificate to work.


What should I do to expedite the validation of my order?

If you're in a hurry and need your certificate fast, feel free to contact us with the exact order number you need expedited. We have connections with the Certificate Authorities (CAs) directly and can help make sure your urgent order is treated with top priority.


How do I know what my Control Panel/Server OS is?

If you are unsure what your Control Panel/Server OS is, we recommend that you ask your web hosting provider or your IT department.


Can I switch my method of Domain Control Validation from Email to File, or vice versa?

You can switch your method of Domain Control Validation from file-based to email-based for any SSL product that we provide. You can switch from email-based to file-based only for Comodo products. To request change of DCV method you must contact us.

back to FAQ menu





SSL Installation FAQs


How do I download my certificate files?

When the certificate is issued, the Certificate Authority (CA) will send an email to the Technical Contact listed on the order. That email will contain the certificate files.


I have received .CRT files but I need .CER files for installation on my Microsoft Windows server. How do I get .CER certificate files?

Both .CRT and .CER files contain the same text X.509-encoded certificate. So in most cases you can simply rename the extension to .CER and it should work. However, if the server does not accept the file and requires to use binary X.509-encoded .CER file extension, then you could change the encoding within 2 minutes with the following steps:

  • Double-click the .CRT file and open it into the certificate display.
  • Click open the Details tab and then select the Copy to file button.
  • Click Next on the Certificate Wizard.
  • Choose Base-64 encoded X.509 (.CER), then click Next.
  • Choose Browse and type in the filename (for eg: website_name).
  • Click Save. Now the file is converted to .CER and saved as “website_name.cer”

How to install a SSL certificate?

SSL certificates have to be installed based on the type of access you have to the web server. It is recommended you have a technical expert to help you. It should be someone who knows how to do this using your web server access. SSL certificates purchased from us can be setup on most shared hosting & dedicated/cloud servers. Contact your shared hosting / server provider for details of installing externally purchased SSL certificates on their offerings.

Here are some common SSL installation scenarios based on the SSL Certificate brand / Certifying Authority (CA):

Want someone to install the certificate for you?
Remote installation of certificate is available from fiverr®**
**We recommend you check the ratings/reviews before choosing to outsource.


Can I install or use the third-party SSL certificates purchased here on GoDaddy web hosting?

GoDaddy allows third-party SSL certificate installs on some of its products. Visit this link for details. If you need still more info, you should check with GoDaddy Support.


Can I install or use the third-party SSL certificates purchased here on Zencommerce platform?

Zencommerce allows third-party SSL certificate installs on the e-commerce stores hosted with them. Visit this link for details. Check with the Zencommerce support team on the web server details you need to provide before purchasing your certificate. After receiving your certificate files, you will need to send them to the Zencommerce support team to install it for your store.


How can I install my SSL certificate on more than one server?

First, check your certificate license. There are two methods to install your certificate on multiple servers. The first method is to import the certificate, private key, and intermediate files on server #2, #3, etc. Or, create a new CSR and key file on server #2, #3, etc. and reissue the active certificate.


I have accidentally deleted my “private key” what can I do now?

First check your backups and see if you can re-install the “private key”. If you don’t know how to re-install the key from your backups, contact your systems administrator. Failing that, contact your web server software vendor for technical support. The only alternative course of action available is a re-issuance of the certificate following the re-submitting of a fresh CSR for the same Common Name. Certificate re-issue can be initiated via the Order Details page.


I have changed my server, or moved to a different provider. How do I move the certificate?

The easiest way is to create a new CSR on the new machine for the same Common Name, and have the certificate re-issued. Alternately, contact your new web hosting service provider to assist you in this process.


My certificate works in my browser, but my visitors get a Security Alert that says 'The security certificate was issued by a company you have not chosen to trust...' What is the problem?

The issue is that your visitors' browsers are unable to properly identify who issued your certificate. First, confirm that your visitors are not seeing an incorrect or outdated certificate. Once you have made sure that your visitors are seeing the correct certificate, the issue is most likely solved by installing the intermediate certificates.


Do I need a dedicated/static IP address to use an SSL certificate?

Yes, you must have a static IP address for an SSL certificate. If you do not have one, you may be able to assign one via your webserver or you may need to purchase one from your web host if you own/operate your webserver (usually only a few dollars a month).


My browser is not showing the green padlock/green bar, why?

There are several reasons why this could be occurring or a combination of several. The four most common reasons are:

  • Insecure content, which means there are HTML elements on your site being explicitly linked by http. This would need to be updated via your system administrator.
  • Missing or invalid intermediate chain. Your certificate is issued from an intermediate file. Make sure that you install this alongside your certificate on your server. If you do not have this file please contact your SSL provider.
  • Your certificate is issued with the SHA-1 hashing algorithm. Browsers no longer trust this algorithm. You will need to reissue with SHA-2.
  • It is the incorrect certificate. Sometimes your old expired certificate or a certificate provided by your hosting company or a self-signed certificate is installed on your site. You will need to identify the source of the incorrect certificate and contact that party to resolve the issue.


When trying to go to the site over https, it displays the message 'The page cannot be displayed.' Why is that?

There are actually many reasons why this could be happening, some of which could be entirely unrelated to your certificate. So, unfortunately, we can't give specific advice. But, we would recommend clicking on the "Details" button to get more specific information about this error from the browser.


Why does the website say the name on the security certificate does not match the name of the site?

This means that URL in the browser and the common name in the certificate are not an EXACT match (for instance, the www. is missing). Another common reason for this is the web host's certificate is incorrectly assigned to your domain name. Or, you purchased a certificate that does not cover the specific subdomain you are looking at.


Why does the website say the SSL certificate is 'Untrusted'?

This is more than likely because the intermediate certificates were never installed. Installing them should resolve this error.


How can I check to see that my SSL certificate works properly and has been installed correctly?

You can use our SSL checker tool to test whether or not your SSL certificate has been installed properly.


How do I install the Site Seal for my SSL certificate?

You can download & setup your respective Site Seal by following the instructions:

back to FAQ menu





SSL Renewal FAQs


How can I renew my SSL certificate?

A renewal is basically the same as buying a brand new certificate, "renewal" is simply an industry term that is used by all providers. So, you can go through the exact same purchasing process to renew your certificate. However, if you have access to a "renewal" option when purchasing your SSL certificate, be sure and use that so you get the remaining time rolled over from your expiring certificate to your new renewal certificate.


Do I need to create a new CSR to renew my certificate?

We recommend that you generate a new CSR to renew your certificate; however, if generating a new CSR proves to be challenging, you can use the original CSR and it will work. The drawback of using the original CSR is that it will be the exact same private key, so it's a little less secure.


I paid for my renewal, but why is my site not secure? Why does my website still display the old certificate?

Think of SSL like a ticket – when the old one expires you must toss it out and get a new one. When you have received the new certificate files, you need to install the new certificate files to secure your website. For your website to display the new certificate make sure that the new certificate files have replaced the old expiring certificate files. Also make sure any certificate-related settings on the web server are updated. 

If the new certificate is installed, then the issue is with the configuration. Common solutions to this problem are to restart your webserver (http server), also to uninstall/delete the incorrect/old certificate(s).

back to FAQ menu






My web developer found this website for their low rates and suggested I try them out since I was trying to keep my startup costs low. Got my cert at a

Great rates people!! My software development company manages servers for many client projects. Tried this website for the low rates mentioned and now

As an online service startup we needed to secure our APIs across multiple servers. This website helped us get the SSL certificates we needed with very

This website helped me save a lot of money while buying the wildcard SSL certificate I was looking for. I will be buying from here again.

Read More


We uses cookies to remember and process the items in your shopping cart as well as to compile aggregate data about site traffic and interactions so that we can continue improving your experience on our site.