Server Management Tips by SupportPRO

August 31, 2007

SSL FAQs

Filed under: Technical Articles — @ 6:15 am

What is an SSL certificate?

An SSL certificate is a digital certificate that authenticates the identity of a Web site to visiting browsers and encrypts information for the server via Secure Sockets Layer (SSL) technology. Encryption is the process of scrambling data into an undecipherable format — ciphertext —, which can only be returned to a readable format with the proper decryption key.

A certificate serves as an electronic “passport” that establishes an online entity’s credentials when doing business on the Web. When an Internet user attempts to send confidential information to a Web server, the user’s browser will access the server’s digital certificate and establish a secure connection.

How does an SSL certificate work?

An SSL certificate enables safe, easy and convenient Internet shopping. Once an Internet user enters a secure area — by entering credit card information, e-mail address or other personal data, for example — the shopping site’s SSL certificate enables the browser and Web server to build a secure, encrypted connection. The SSL “handshake” process, which establishes the secure session, takes place discreetly behind the scene without interrupting the consumer’s shopping experience. A “padlock” icon in the browser’s status bar and the “https://” prefix in the URL are the only visible indications of a secure session in progress.

By contrast, if a user attempts to submit personal information to an unsecured Web site (i.e., a site that is not protected with a valid SSL certificate), the browser’s built-in security mechanism will trigger a warning to the user, reminding him/her that the site is not secure and that sensitive data might be intercepted by third parties. Faced with such a warning most Internet users likely will look elsewhere to make a purchase.

What is the encryption strength of SSL certificates?

SSL certificates support both industry-standard 128-bit and high-grade 256-bit encryption. The actual encryption strength on a secure connection using a digital certificate is determined by the level of encryption supported by the user’s browser and the server that the Web site resides on. For example, the combination of a Firefox or Internet Explorer 7 browser and an Apache Web server normally enables up to 256-bit AES encryption with our SSL certificates. This means that depending on the Web browser and Web server that combine to establish the secure connection through one of our SSL certificates, the encryption strength of the secure connection may be 40, 56, 128, or 256 bit.

What is SSL?

SSL is the de facto standard for creating a secure, encrypted link between a Web server and a browser. SSL thus ensures safe passage of sensitive information, such as credit card numbers, passwords, user names, etc. SSL is used by e-commerce Web sites as a means to protect online transactions with their customers. Once a secure connection has been established, SSL encrypts information sent from your browser to the Web server. SSL utilizes the public-and-private key encryption system.

How does the customer know that a site is secure?

An “https://” prefix in the URL and a key or padlock icon in the browser’s status bar indicates that a Web site is secure.

Note: When displaying an Extended Validation (EV) SSL-secured Web site, Internet Explorer 7 will change the address bar color from the customary white to a shade of green. Additionally, the browser will display the name of the organization to which the certificate was issued, as well as the issuing certification authority (CA).

An SSL-encrypted session is generally commenced once a visitor signs in to a secure area of a Web site, such as the checkout or account-management area of an online store.

What is browser ubiquity?

The term “browser ubiquity” describes an SSL certificate’s browser compatibility – i.e., the extent to which the Certification Authority’s root certificate is included in the Web browsers on the market. In other words: If the root certificate of the CA is present in the “trusted Root Certificates” store of the browser, then the SSL certificates issued by the CA are compatible with that browser. Thus, a high browser ubiquity means that most existing browsers recognize a certificate, and that secure transactions thus can take place on those browsers. In other words: The more browsers and browser versions supported, the higher the level of browser ubiquity, and hence, the more versatile the certificate is. Most SSL certificate services support all major browsers.

Our root certificate — the Valicert Class 2 Policy Validation Authority — is installed in the following browser versions:

*
o

Internet Explorer 5.01 and higher
o

AOL 5 and higher
o

Netscape 4.7 and higher
o

Opera 7.5 and higher
o

Safari on Mac OS X 10.3.4 and higher
o

Mozilla (all versions)
o

Firefox (all versions)
o

Konqueror (all versions)
o

Palm OS 6.1 and higher (also Treo 650)
o

BlackBerry OS 4.1 and higher
o

Sony Playstation Portable 2.5 and higher
o

Microsoft Windows Mobile 2005 AKU 2 and higher
o

Sun Java Runtime (JRE) 1.4.2_07 and higher and 1.5.0_02 and higher
o

ACCESS NetFront 3.3 and higher
o

Cingular WAP Gateways (any Cingular phone which uses WAP version 1.X for Web browsing)

That equals 99% total browser ubiquity.

Users of older browser versions may receive a warning that the root certificate is not trusted. When presented with the warning those can simply install the root certificate. To do so, click “View Certificate.” Then, when the certificate is displayed, click “Install Certificate.” Alternatively, users of older browsers may download and install the root certificate directly from the certificate provider’s repository.

Why is my secure site not displaying the “padlock” icon in the browser’s status bar?

If any site element — an image, for example — is being queried from outside the secure layer, the padlock icon will not be displayed in the user’s browser. To resolve this problem, make sure that all images and other site elements you want on the secure version of your Web site are being pulled from a secure folder located within the secure site.
Certificate Types

What is the difference between an SSL certificate and a Wildcard SSL certificate?

n An SSL certificate secures a single domain name.

n A Wildcard SSL certificate secures multiple sub-domains of a domain name.

When generating a Certificate Signing Request (CSR) for a Wildcard certificate, please add an asterisk (*) on the left side of the Common Name (e.g., “*.yourpersonaldomainname.com” or “www*.yourpersonaldomainname.com”). This will secure all sub-domains of the Common Name.

Note: An SSL certificate only secures the exact fully-qualified domain entered as the Common Name in your certificate signing request. Thus if your certificate secures “www.yourpersonaldomainname.com” it will not secure the domain “yourpersonaldomainname.com.” If you need to secure both domains you must request an SSL certificate for each of them.
Extended Validation (EV) SSL Certificates

What is an Extended Validation SSL Certificate?

An Extended Validation (EV) SSL Certificate is a digital certificate issued in conformance with the extended validation guidelines defined by the CA/Browser Forum.

The introduction of EV SSL Certificates will tighten the security of Internet transactions as certificate requestors will be subject to a thorough, standardized vetting process which all issuing CAs must adhere to.

The EV SSL Certificate standard provides an improved level of authentication of entities that request digital certificates for securing transactions on their Web sites. The latest generation of Internet browsers will display EV SSL-secured Web sites in a way that allows visitors to instantly recognize that the organization that operates the site has been authenticated in accordance with the CA/Browser Forum’s uniform vetting standard.

EV SSL Certificates are particularly useful for companies whose Internet domains are considered at a high risk of being targeted by phishing schemes and other types of Internet fraud. High-risk domains include domains owned by high-profile online financial services, banking sites, auction sites, popular retailers and other sites that conduct Internet transactions likely to be targeted by Internet fraud.

What is the difference between an Extended Validation SSL Certificate and a High Assurance SSL Certificate?

The main difference between Extended Validation (EV) and High Assurance (HA) SSL Certificates is the vetting process that must be completed in order for the Certification Authority (CA) to issue a signed certificate to the requestor. Additionally, Web sites secured with EV SSL Certificates will be displayed differently in the new generation of Web browsers, starting with Internet Explorer 7. New versions of Firefox and Opera browsers will soon follow.

More comprehensive than the HA vetting process, the EV SSL vetting process validates the requestor’s domain control and verifies the requesting entity’s legal existence and identity. The process authenticates the following information pertaining to the certificate-requesting organization:

n Legal Existence: The Certification Authority (CA) must confirm with the Incorporating Agency in the requesting entity’s Jurisdiction of Incorporation that, as of the date the EV Certificate is issued, the organization named in the EV Certificate legally exists as a valid organization or entity in the Jurisdiction of Incorporation.

n Identity: The CA must confirm that, as of the date the EV Certificate is issued, the legal name of the entity named in the EV Certificate matches the name on the official government records of the Incorporating Agency in the requesting entity’s Jurisdiction of Incorporation. (And if an assumed name is also included, that the assumed name is properly registered by the requesting entity in the jurisdiction of its place of business.)

n Registration Number: The CA must obtain the specific unique registration number assigned to applicant by the Incorporating Agency in the requesting entity’s Applicant’s Jurisdiction of Incorporation.

n Registered agent: The CA must obtain the identity and address of the requesting entity’s Registered Agent or Registered Office (as applicable) in the requestor’s Jurisdiction of Incorporation.

n Right to Use Domain Name: The CA must take all steps reasonably necessary to verify that, as of the date the EV Certificate is issued, the entity named in the EV Certificate owns or has the exclusive right to use the domain name listed in the EV Certificate.

n Authorization for EV Certificate: The CA must take all steps reasonably necessary to verify that the entity named in the EV Certificate has authorized the issuance of the EV Certificate.

How are EV SSL-secured Web sites displayed in Internet browsers?New versions of leading Internet browsers – starting with Internet Explorer 7 – will allow visitors to instantly recognize that a given page has been authenticated by an EV SSL-issuing CA. When displaying an EV SSL-secured Web site, IE 7 will change the address bar color from the customary white to a shade of green. Additionally, the browser will display the name of the organization to which the certificate was issued, as well as the issuing certification authority (CA).

How do I install an EV SSL Certificate?

An EV SSL Certificate is installed just like any other SSL certificate. The installation procedure is determined by your operating system and Web server software. Click on the link below to review certificate-installation instructions for all supported Web server software.

What type of organization can request an EV SSL Certificate?

Any incorporated or limited liability company which is legally registered in the jurisdiction of its principal place of business and verified with a registered status of “Good Standing,” “Active” or equivalent can apply for an EV SSL Certificate.

What is a certificate requestor?

A certificate requestor is the primary contact person representing the certificate applicant. The certificate requestor must be an individual who is employed by the certificate applicant, or an authorized agent who has express authority to represent the applicant, or a third party (such as an ISP or hosting company) that completes and submits an EV Certificate request on behalf of the applicant.
An EV Certificate request must be submitted by an authorized certificate requestor.

What is a contract signer?

A contract signer is an individual who is authorized to sign legal documents on behalf of the applicant. The contract signer must be an individual who is employed by the certificate applicant, or an authorized agent who has express authority to represent the applicant who has authority on behalf of the applicant to sign Subscriber Agreements on behalf of the applicant.

How do I apply for an EV SSL Certificate?

In order to request an EV SSL Certificate, you must submit a certificate request to the Certification Authority (CA), which authenticates the identity of your business and your domain control before issuing a signed certificate. You will be required to submit pertinent information and documentation regarding your organization in order for the CA to process your certificate request.

The first step toward obtaining an EV SSL Certificate for your Web site is to purchase an EV SSL Certificate credit. Once you have purchased your certificate, you may start the certificate request process by logging in to your account and following the provided instructions.

Which documentation is required in order to apply for an EV SSL Certificate?

Depending on the requesting corporation, a combination of the following documents must be submitted in order to apply for an EV SSL Certificate:

o Required by all:

Signed Certificate Request. Signed by Certificate Requestor, Certificate Approver.

o Required depending on length of time in business and control of the domain listed in certificate request:
Legal Opinion or Accountant Letter

o Required for first certificate requested by a given organization, as well as any subsequent change of authorized signer:

Subscriber Agreement

What is a Verified Legal Opinion?

In order to process an EV SSL Certificate request, the requestor must submit a Verified Legal Opinion or CPA letter.

A legal opinion must come from a lawyer certified by the State Bar Association located in the same jurisdiction as either:

o The organization’s jurisdiction of primary incorporation.

o The jurisdiction indicated by the physical address submitted in the certificate request, provided the physical address can be substantiated by a registration with a government agency.

The Verified Legal Opinion document serves to authenticate (any of) the following information pertaining to the certificate-requesting organization:

o Certificate Approver: Name, Title, Agency and Authorization

o Contract Signer: Name, Title, Agency and Authorization

o Place of Business

o Phone Number

o Operational Experience

o Domain Name Exclusive Right of Use

o Domain Name Exclusive Right of Use Knowledge

What is a Verified Accountant Letter?

In some instances (but not in the context of domain control verification), a Verified Legal Opinion may be replaced with a Verified Accountant Letter.

An accountant letter must come from an accountant who is a certified public accountant, chartered accountant, or equivalent licensed by the accountancy board to practice accounting in the country of the Applicant’s jurisdiction of incorporation or the jurisdiction indicated by the physical address submitted in the certificate request.

The Verified Accountant Letter document serves to authenticate (any of) the following information pertaining to the certificate-requesting organization:

o Certificate Approver: Name, Title, Agency and Authorization

o Contract Signer: Name, Title, Agency and Authorization

o Place of Business • Phone Number

o Operational Experience

What is a Subscriber Agreement?

A Subscriber Agreement is a contract between the Certification Authority (CA) and the certificate owner. In order to issue a signed EV SSL Certificate, the certificate applicant must submit a Subscriber Agreement signed by an authorized contract signer acting on behalf of the certificate applicant.

The Subscriber Agreement must:

o Specifically name the certificate applicant

o Specifically name the contract signer

o Specifically confirm that the applicant has exclusive use of the domain name applicable to the certificate request

o Include a clear and readable signature of the specifically named contract signer.

Which browsers support Extended Validation?

Currently, the following browser versions support the Extended Validation SSL Certificates:

o Internet Explorer 7 on Windows Vista

o Internet Explorer 7 on XP*

* If properly configured: In order for the Internet Explorer 7 running on Windows XP to display the green bar associated with EV SSL-secured Web sites, you must add either our Site Seal or the provided Web beacon (invisible to end users) to your Web site.

How do I get my Extended Validation Certificate to show the green bar in Internet Explorer 7 on XP?

In order for the Internet Explorer 7 running on Windows XP to display the green bar associated with EV SSL-secured Web sites, you must add either our Site Seal or the provided Web beacon (invisible to end users) to your Web site. The Web beacon is integrated into the Site Seal.

Both the Site Seal and the standalone Web beacon force Windows XP to automatically download the updates that are necessary in order to display EV SSL Certificates properly.

How do I install my SSL certificate?

Once your SSL certificate has been signed and issued, authority will send you an e-mail message that allows you to download the signed certificate and our intermediate certificates, which must be downloaded and installed on your Web site.

Note: You must use the provided certificate-download link within 30 days of receiving the certificate-issuance e-mail message. If the download link is allowed to expire, you must request a certificate re-key in order to retrieve your SSL certificate.

The exact installation process for an SSL certificate depends on your type of Web server software. Click on the link below to review certificate-installation instructions for all supported Web server software.

Certificate Requests

How do I generate a Certificate Signing Request (CSR)?

In order to purchase a digital certificate, you must first generate and submit a Certificate Signing Request (CSR) to a Certification Authority (CA). The CSR is generated with your Web server software, which will also create your public/private key pair used for encrypting and decrypting secure transactions.
Please note that if you are applying for a hosting-integrated certificate (i.e., the domain to which you wish to apply the SSL certificate is hosted with your certificate provider then your hosting provider will generate and submit the CSR for you.

How do I obtain a Domain Authorization Letter?

If the certificate authority is unable to verify a certificate-requesting entity’s domain registration ownership and domain control via the Whois database — generally because the information in the Whois database cannot be found or does not match the information in the certificate request —, the requestor must instead provide a Domain Authorization Letter from his/her domain registrar as documentation of domain registration ownership. If certificate authority is able to successfully authenticate the letter, a Registration Authority (RA) associate will manually verify domain control.

In order to obtain a Domain Authorization Letter you must request it from your domain registrar. Consult your registrar for specific instructions.

If the domain in the certificate request is hosted with certificate authority ’s affiliate Domains By Proxy, log in to your Domains By Proxy account and request the Domain Authorization Letter. Domains By Proxy will prepare the letter within 48 hours of the request.

How do I upload required documents for your review?

In some cases, you may need to provide certain documents — e.g., articles of incorporation, personal identification, Domain Authorization Letters, etc. — in order for certificate authority to process your certificate request. You may submit the applicable documentation by faxing or e-mailing it to us for review. However, the easiest and most secure method of providing the document(s) is to upload them to your SSL account.

To do so:

Scan the document(s) and save the files on your computer.
2.

Click on the status message for the certificate request in question.
4.

The ensuing page lists the document(s) you need to submit.
5.

Use the upload function to locate and upload the necessary document(s).
6.

An RA associate will review the document once they are uploaded

Certificate Management

What happens when my certificate expires?

If you allow a certificate to expire, the certificate will be invalid and you will no longer be able to secure transactions on your Web site. Certificate authority will prompt you to renew your SSL certificate in due time. You can renew a certificate for one or two years. Please note that a certificate can be renewed up to 120 days prior to and 30 days following the expiration date. If the certificate is allowed to expire, the visitor’s browser will display a warning upon entering the Web site area that was supposedly protected with your SSL certificate.

How do I renew my certificate?

To renew an expiring SSL certificate, you must purchase a certificate-renewal credit from certificate authority; then log in to your SSL account and follow the provided instructions for requesting a certificate renewal. Certificate authority will prompt you to renew expiring SSL certificates via e-mail. Renewal notices will be sent 30 and 15 days prior to the certificate’s expiration date.

Please note that a certificate can be renewed up to 120 days prior to and 30 days following the expiration date. If the certificate is allowed to expire, the visitor’s browser will display a warning upon entering the Web site area that was supposedly protected with your SSL certificate.

Depending on your choice of Web server software, you may or may not need to generate a new Certificate Signing Request (CSR) for the renewed certificate. If you are using Linux-based server software, you may use your existing CSR for the certificate renewal (you can also generate and submit a new one, if so desired). If you are running Microsoft IIS 4.x, 5.x, or 6.x on your Web server; it is strongly recommended that you generate and submit a new CSR before attempting to renew your SSL certificate.
Note: If any of the information in your CSR (including company name or address information) has changed, you must generate and submit a new CSR before your certificate can be renewed).

Once your renewed SSL certificate has been signed and issued, certificate authority will send you an e-mail message that includes a link that allows you to download the signed certificate and our intermediate certificate, both of which must be downloaded and installed on your Web site.

If more than 13 months have elapsed since the last time certificate authority authenticated your or your company as part of the certificate-issuance process, you must submit your personal/company information again as certificate authority will need to authenticate the information again before a renewed certificate can be issued. If you or your company were successfully authenticated less than 13 months ago, certificate authority will not need to re-verify your information in order to renew your certificate.

What does it mean to reissue a certificate?

Reissuing a certificate means to reproduce an existing certificate. Certificates are generally reissued if the certificate holder has lost his/her certificate.

What does it mean to re-key a certificate?

Re-keying is the process of replacing an existing SSL certificate. To re-key (i.e., “replace”) an SSL certificate, click the “Re-Key” link in the certificate-management menu; then generate and submit a new Certificate Signing Request (CSR). Finally, select your Web server type from the drop-down menu.

The original certificate is automatically disabled (i.e., revoked) when the new one is issued. You should re-key (i.e., replace) an SSL certificate if you know of or suspect that the certificate has been compromised or contains incorrect information. Consider re-keying your certificate if any of the following situations occur:

Loss of your private key,
*

Compromise of your private key,
*

Certificate does not work properly.

Note that the Distinguished Name (DN) in the replacement SSL certificate must be identical to the Distinguished Name in the SSL certificate that is being re-keyed. In other words: The Common Name, Organization Name, Locality, State/Province, and Country — as entered in the Certificate Signing Request (CSR) — must be the same in both of the certificates. Certificate holders can have their certificates re-keyed at no expense.

You can only request a re-key within 30 days of initial issuance of certificate. A maximum of two re-key requests is permitted within the 30-day period.
Intermediate Certificates

What is an intermediate certificate?

In order to enhance the security of the Root certificate (Valicert Class 2 Policy Validation Authority) certificate authority will create an intermediate certificate from which SSL certificates are signed and issued. An intermediate certificate is a subordinate certificate issued by the trusted root specifically to issue end-entity server certificates. The result is a certificate chain that begins at the trusted root CA, through the intermediate and ending with the SSL certificate issued to you. Such certificates are called chained root certificates.

Creating certificates directly from the CA Root Certificate increases the risk of CA Root Certificate compromise, and if the CA Root Certificate is compromised, the entire trust infrastructure built by the SSL provider will fail. The usage of intermediate certificates for issuing SSL certificates to end entities, therefore, provides an added level of security. You must install the intermediate certificate in your Web server along with your issued SSL certificate.

How do I install an intermediate certificate?

Once your SSL certificate has been signed and issued, certificate authority will send you an e-mail message that includes a link that allows you to download the signed certificate and our two intermediate certificate, all of which must be downloaded and installed on your Web site.
Note: You must use the provided certificate-download link within 30 days of receiving the certificate-issuance e-mail message. If the download link is allowed to expire, you must request a certificate re-key in order to retrieve your renewed SSL certificate.

The exact installation process for the SSL and intermediate certificates depends on your type of Web server software. Click on the link below to review certificate-installation instructions for all supported Web server software.

Our intermediate certificates are also available from the certificate authority’s repository.

What happens if I don’t install the intermediate certificates?

Failure to properly install the intermediate certificates along with the issued SSL certificate means that the trusted-chain certificate cannot be established. This means that when visitors attempt to access your supposedly secure site they will be presented with a “Security Alert” that indicates that “The security certificate was issued by a company you have not chosen to trust…” Faced with such a warning, potential customers most likely will take their business elsewhere.

Downloading and installing the intermediate certificates on your Web server will immediately fix this problem. .
Root Certificate Installation — Mobile Devices

How do I install the root certificate on a Windows Mobile 5.0 device?

Certificate authority’s root certificate is installed on all mobile devices that run Windows Mobile 5.0 AKU 2 or a later incarnation of the operating system. However, devices that run older versions of Windows Mobile 5.0 do not have the root installed.

To check if the certificate authority root is installed on your device, please visit the root store on your device:

Open the “Settings” menu.
*

Select “System.”
*

Select “Certificates.”
*

Verify that the “http://www.valicert.com” is listed in the root store.
*

If the root is included, your device is running Windows Mobile 5 AKU 2 or later. No further action is required.
*

If the root is not included, follow the instructions below to import and install it.

To install the root certificate on your Windows Mobile 5 device:

Download the root certificate to your PC in DER format with a .cer file extension (i.e., valicert_class2_root.cer”). The root can be downloaded from the certificate authority repository.
*

Copy the downloaded root certificate to your device using ActiveSync.
*

On your mobile device, locate the imported file using File Explorer and click on it.
*

The device will display the following prompt: “You are about to install valicert_class2_root.cer certificate issued by http://www.valicert.com/. Do you want to continue?” (If you saved the root under a different name, that file name will show up in the prompt.)
*

Accept the prompt to install the root certificate on your device.

6-in-1 SSL Certificates

What is a 6-in-1 SSL Certificate?

A 6-in-1 SSL Certificate is an SSL certificate that can be used to secure the requestor’s main Web site (e.g., yourpersonaldomainname.com) and up to six top-level domain variations that point to the same IP address as the main site - e.g., yourpersonaldomainname.net, yourpersonaldomainname.org, yourpersonaldomainname.info, yourpersonaldomainname.biz, yourpersonaldomainname.us.

Because an SSL certificate only works properly with the domain for which it is issued, pointing a domain to an IP used by another SSL-secured site normally will cause a certificate security error. The 6-in-1 SSL Certificate solves this problem for customers who have multiple domain names aliased to a single hosting account (i.e. DNS records for multiple TLDs point to the same account). A SSL 6-in-1 Certificate thus eliminates security warning errors that may scare off potential customers and other visitors to a supposedly secure Web site.

6-in-1 SSL Certificates are available as Turbo SSL and High Assurance SSL certificates. Note that domain-control validation must be completed for each of the domains supported by the certificate.

How do I indicate which TLDs to apply the certificate to?

When, as part of the certificate request process, you generate the Certificate Signing Request (CSR), enter as the common name the domain you consider your primary domain. In most cases, this would be the “.com” TLD (www.yourpersonaldomainname.com). However, you may enter any of your TLDs as the primary common name. You can then choose which of the other TLD variations of your domain you wish to include in the certificate.

How do I request a 6-in-1 SSL Certificate?

To request a 6-in-1 SSL Certificate, you must generate and submit a Certificate Signing Request (CSR) the same way you would for a regular SSL certificate request. In the CSR, enter as your common name the domain that is home to your primary Web site. A list of six possible 6-in-1top-level domains (TLDs) is presented. Available TLDs are “.com,” “.org,” “.biz,” “.info,” “.net,” and “.us.” From the list, you can uncheck any TLD(s) that you do not want applied to the certificate.

Once you have selected the applicable TLDs and submitted your certificate request, Whois database lookups are performed for the selected domains and domain verification e-mail messages will be sent to the domain administrators. The administrator(s) must respond to each of the domain verification messages. If two or more of the domains have identical contact e-mail addresses, a single e-mail message that includes all of those domains is sent to the administrator for approval. TLDs that fail to pass the domain-control verification step will be removed from the certificate before its issuance.

How do I install my 6-in-1 SSL Certificate?

The installation procedure for a 6-in-1 SSL Certificate is identical to that of a regular SSL certificate:
Once your SSL certificate has been signed and issued, certificate authority will send you an e-mail message that includes a link that allows you to download the signed certificate and our intermediate certificate, both of which must be downloaded and installed on your Web site.

The certificate will be installed on the hosting machine for the primary domain name. All other applicable TLD variations are included in the certificate code and will be recognized when/if those other domain names are being visited.

Who can purchase a 6-in-1 SSL Certificate?

6-in-1 SSL Certificates are available exclusively to users that have registered multiple TLD variations of a single domain — i.e., yourpersonaldomainname.com, yourpersonaldomainname.net, yourpersonaldomainname.org, yourpersonaldomainname.info, yourpersonaldomainname.biz, yourpersonaldomainname.us. A 6-in-1 SSL Certificate is a single SSL certificate, Turbo SSL or High Assurance SSL, that enables secure, SSL-encrypted transactions on up to six such TLDs.

Installing Your SSL Certificate

Once your SSL certificate has been signed and issued, certificate authority will send you an e-mail message that allows you to download the signed certificate and our intermediate certificates, all of which must be installed on your Web site.

The specific installation procedure is determined by your choice of Web server software. Installation instructions are available for the Web servers listed below.

Installing SSL Certificate - cPanel WebHost Manager

Once your SSL certificate has been signed and issued, certificate authority send you an e-mail message that allows you to download the signed certificate and our root certificate bundle (certificate authority _bundle.crt), both of which must be installed on your Web site.

Note: You must use the provided certificate-download link within three days of receiving the certificate-issuance e-mail message. If the download link is allowed to expire, you must request a certificate re-key in order to retrieve your signed SSL certificate.

Follow the instructions below to install your SSL certificate and the certificate bundle on your Web server.

Installing SSL Certificate and Certificate Bundle

Before you install your issued SSL certificate you must install our certificate bundle (certificate authority_bundle.crt) on your Web server. (You may also download the certificate bundle from the repository. The bundle is located in the Root Bundle section.)

Open the WebHost Manager and click Install an SSL Certificate in the SSL/TLS menu.
You will see a screen with three boxes on it. Your issued certificate, RSA private key and certificate bundle must be pasted into boxes 1, 2, and 3, respectively.
2.

In the first box, paste in the contents of your issued SSL certificate. If the certificate file is on your server, you may use the Fetch button to copy it from the file.
3.

In the second box, paste in your private key which was generated when you created the CSR.
4.

In the third box, paste in the certificate authority certificate bundle (certificate authority _bundle.crt).
5.

At the top of the page click Do it.

Installing SSL Certificate – Plesk

Once your SSL certificate has been signed and issued, certificate authority will send you an e-mail message that allows you to download the signed certificate and our root certificate bundle (certificate authority_bundle.crt), both of which must be installed on your Web site.

Follow the instructions below to install your SSL certificate and the certificate bundle on your Web server.

Installing SSL Certificate and Certificate Bundle (certificate authority_bundle.crt)

From the left-hand menu, select Domains.
3.

Click on the domain name that the certificate is issued for.
4.

Click on the Certificates menu item.
5.

Click the Browse and locate your signed SSL certificate.
6.

Select the certificate file; then click Send File.
7.

Navigate to the location of the saved site certificate you received from us. Select it, then select Send File - this will upload and install the certificate against the corresponding private key.
8.

On the displayed list, click on the name of the certificate.
9.

Open the certificate bundle (certificate authority_bundle.crt) in a text editor and copy and paste its contents into the box labeled CA Certificate.
10.

Click the Send Text button.
11.

Click Up Level; then choose Setup.
12.

At the top of the page, change the SSL Certificate drop-down menu to the certificate you have just installed.
13.

Click the Server item from the left-hand menu.
14.

Click on the Service Management menu item.
15.

Stop and Start the Apache process.

Note: Simply restarting Apache will not work. You must stop the service; then start it again to complete the installation.
Installing SSL Certificate – Apache

Once your SSL certificate has been signed and issued, certificate authority will send you an e-mail message that allows you to download the signed certificate and our intermediate certificate bundle, both of which must be installed on your Web site.

Follow the instructions below to download and install the SSL certificate on your Web server.

Note: Before you install your issued SSL certificate you must install our intermediate certificate bundle (certificate authority_intermediate_bundle.crt) on your Web server. You may also download the intermediate certificate bundle from the repository.

Installing SSL Certificate and the Intermediate Certificate

Copy your SSL certificate file and the intermediate bundle file to your Apache server. You should already have a key file on the server from when you generated your certificate request.
2.

Edit your Apache configuration to reference these files. The exact configuration file you will edit will depend on your version of Apache, your OS platform, and/or the method used to install Apache. In Apache 1.3, you will most likely edit the main httpd.conf file. In Apache 2.x, you will most likely edit the ssl.conf file.
3.

Locate the following directives. If one or more of them are currently commented out, uncomment them by removing the ‘#’ character from the beginning of the line. Set the values of these directives to the absolute path and filename of the appropriate file:
*

SSLCertificateFile /path/to/your/certificate/file
*

SSLCertificateKeyFile /path/to/your/key/file
*

SSLCertificateChainFile /path/to/intermediate/bundle/file
4.

Save your configuration file and restart Apache.

Restarting Your Web Server

The procedure to restart Apache will depend heavily on your OS platform. On Unix-like platforms (Linux, Solaris, HP-UX, etc.) you will typically run a script to stop and restart the httpd daemon. On Windows, you will typically stop and restart the Apache service in the Services administrative console.

Installing SSL Certificate - Microsoft Internet Information Services ( IIS )

Once your SSL certificate has been signed and issued, certificate authority will send you an e-mail message that allows you to download the signed certificate and our intermediate certificate bundle (certificate authority_iis_intermediates.p7b), both of which must be installed on your Web site.

NOTE: For Windows NT 4.0, you must have at least Service Pack 4.0 or higher or Microsoft Internet Explorer 5.0.

Installing SSL Certificate and the Intermediate Certificate Bundle (certificate authority_iis_intermediates.p7b)

Before you install your issued SSL certificate you must download and install our intermediate certificate bundle (certificate authority_iis_intermediates.p7b)on your Web server. You may also download the bundle from the repository.

Once you have downloaded and saved the certificate bundle, please follow the instructions below to install it.

Installing Intermediate Certificate Bundle (certificate authority_iis_intermediates.p7b):

Select Run from the start menu; then type mmc to start the Microsoft Management Console (MMC).
2.

In the Management Console, select File; then “Add/Remove Snap In.”
3.

In the Add/Remove Snap-In dialog, select Add.
4.

In the Add Standalone Snap-in dialog, choose Certificates; then click the Add button.
5.

Choose Computer Account; then click Next and Finish.
6.

Close the Add Standalone Snap-in dialog and click OK on the Add/Remove Snap-in dialog to return to the main MMC window.
7.

If necessary, click the + icon to expand the Certificates folder so that the Intermediate Certification Authorities folder is visible.
8.

Right-click on Intermediate Certification Authorities and choose All Tasks; then click Import.
9.

Follow the wizard prompts to complete the installation procedure.
10.

Click Browse to locate the certificate file (certificate authority_iis_intermediates.p7b).
11.

Choose Place all certificates in the following store; then use the Browse function to locate Intermediate Certification Authorities. Click Next.
12.

Click Finish.

Installing SSL Certificate

Select the Internet Information Service console within the Administrative Tools menu.
2.

Select the Web site (host) for which the certificate was made.
3.

Right mouse-click and select Properties.
4.

Select the Directory Security tab.
5.

Select the Server Certificate option.
6.

The Welcome to the Web Server Certificate Wizard windows opens. Click OK.
7.

Select Process the pending request and install the certificate. Click Next.
8.

Enter the location for the certificate file at the Process a Pending Request window. The file extension may be .txt or .crt instead of .cer (search for files of type all files).
9.

When the correct certificate file is selected, click Next.
10.

Verify the Certificate Summary to make sure all information is accurate. Click Next.
11.

Select Finish.

NOTE: If the certificate authority root certificate is currently installed on your machine you will need to disable it from the Trusted Root Certification Authorities folder. Please follow the instructions below to do this:

Select Run from the start menu; then type mmc to start the Microsoft Management Console (MMC).
2.

In the Management Console, select File; then “Add/Remove Snap In.”
3.

In the Add/Remove Snap-In dialog, select Add.
4.

In the Add Standalone Snap-in dialog, choose Certificates; then click the Add button.
5.

Choose Computer Account; then click Next and Finish.
6.

Close the Add Standalone Snap-in dialog and click OK on the Add/Remove Snap-in dialog to return to the main MMC window.
7.

If necessary, click the + icon to expand the Certificates folder so that the Trusted Root Certification Authorities folder is visible..
8.

Expand the Trusted Root Certification Authorities folder.
9.

Double-click the Certificates folder to show a list of all certificates.
10.

Find the certificate authority Class 2 Certification Authority certificate.
11.

Right-click on the certificate and select Properties.
12.

Select the radio button next to Disable all purposes for this certificate.
13.

Click OK.

<!– @page { size: 8.27in 11.69in; margin: 0.79in } P { margin-bottom: 0.08in } –>

Article Authored by Anoop.K.Baby

Author, Anoop, is a Sr.Systems Engineer(Team Lead) with SupportPRO. Deric specializes in Windows and Linux servers. SupportPRO offers 24X7 technical support services to Web hosting companies and service providers.

No Comments »

No comments yet.

RSS feed for comments on this post. TrackBack URL

August 31, 2007

SSL FAQs

No Comments »

Leave a comment

Blogroll

Other Products

Recent Posts

Past articles

Calendar

August 2007
S	M	T	W	T	F	S
« May				Nov »
			1	2	3	4
5	6	7	8	9	10	11
12	13	14	15	16	17	18
19	20	21	22	23	24	25
26	27	28	29	30	31