SSL Certificate FAQ

SSL Basics


FAQ What is an SSL?

SSL stands for Secure Sockets Layer, an encryption technology. SSL creates an encrypted connection between your web server and your visitors' web browsers, allowing private information to be transmitted without the risk of it being stolen, tampered with or forged.

FAQ How do I enable SSL on my website?

To enable SSL on a website, you will need to get an SSL certificate for your domain name and install it on your web server. Once you have installed an SSL Certificate, you can access a site securely using https://yourdomain.com instead of http://yourdomain.com. If SSL is installed correctly, the information transmitted between the web browser and the web server is encrypted and only seen by that particular website.

FAQ What is a certificate authority (CA)?

A certificate authority (CA) is a third-party organization that verifies the information or identity of computers on a network and issues digital certificates of authenticity. Certificate authorities differ in their products, prices, and levels of customer satisfaction. Common CAs include GeoTrust, Comodo, RapidSSL and Thawte. There are also free CAs such as Let's Encrypt.

FAQ What is the process of buying an SSL certificate for my domain name?

1. Choose an SSL certificate and place an order
2. Generate a CSR (Certificate Signing Request) on your server and submit the CSR with the order
3. Validate the SSL certificate request by approval email sent to the admin email of the domain name (for domain-validation certs only)
4. The Certificate Authority will issue the certificates once the validation process is complete

FAQ What is a CSR (Certificate Signing Request)?

A CSR, or Certificate Signing Request, is a block of encoded text that is provided to a Certificate Authority when applying for an SSL certificate. It is usually generated on the server where the certificate will be installed.

FAQ How many domain names can I secure?

A single-domain SSL certificate secures one domain name, such as yourdomain.com, and can only be used on one specific website. Example: https://www.yourdomain.com. A wildcard SSL certificate protects an unlimited number of same-level subdomains of a domain such as yourdomain.com. Example: https://www.yourdomain.com, https://mail.yourdomain.com.

FAQ What is browser compatibility?

Browser vendors add root CA certificates into the releases of all the major browsers. Root CA certificates are the certificates issued by the CAs to them for creating a defined relationship between two CAs. When such a browser is used, it relies by default on the list of root CA certificates that the browser vendor considers trustworthy. When an SSL certificate is issued by one of these trusted root CAs, the browser will inherently trust it to carry out a secure online session. The certificates from all major certificate providers listed by us are compatible with 99% of all browsers.

Requesting a Certificate


FAQ What types of certificates should I order?

You can choose a certificate based on the brand, the number of certified domains and the validation level. You can see different types of certificates here.

FAQ What is contained in a CSR?

| Name | Definition | Example |
| --- | --- | --- |
| Common Name | The fully qualified domain name (FQDN) of your server. This must match exactly what you type in your web browser. Using a common name of yourdomain.com secures www.yourdomain.com as well. | yourdomain.com; *.yourdomain.com for wildcard SSL. |
| Organization | The name of your organization. This should not be abbreviated and should include suffixes such as Inc, Corp, or LLC. You do not need to be legally registered if you are requesting a domain-validation certificate. | Comodo Group, Inc. |
| Organizational Unit | The department of your organization managing the certificate. | IT |
| City/Locality | The city where your organization is located. | New York |
| State/County/Region | The state/region where your organization is located. This shouldn't be abbreviated. | California; Arizona |
| Country | The two-letter ISO code for the country where your organization is located. | US for United States; GB for United Kingdom. |
| Email address | An email address used to contact your organization. | webmaster@comodo.com |
| Public Key | The public key that is part of the certificate. | Generated automatically during the CSR generation process. |


FAQ What does a CSR look like?

A CSR may be represented as a Base64-encoded PKCS#10 request. The CSR needs to use a 2048-bit key. This format includes the "-----BEGIN CERTIFICATE REQUEST-----" and "-----END CERTIFICATE REQUEST-----" lines at the beginning and end of the CSR. A PEM-format CSR can be opened in a text editor and looks like the following example:

-----BEGIN CERTIFICATE REQUEST-----
[...]
/YcG4ouLJr140o26MhwBpoCRpPjAgdYMH60BYfnc4/DILxMVqR9xqK1s98d6Ob/+v
3wHFK+S7BRWrJQXcM8veAexXuk9lHQ+FgGfD0eSYGz0kyP26Qa2pLTwumjt+nBPl
rfJxaLHwTQ/1988G0H35ED0f9Md5fzoKi5evU1wG5WRxdEUPyt3QUXxdQ69i0C+7
-----END CERTIFICATE REQUEST-----

FAQ How do I generate a CSR and private key?

The CSR and private key need to be generated on the server that the certificate will be used on. You can find instructions in your server documentation or use the instructions from one of these certificate authorities:

Comodo CSR Generation Instructions
GeoTrust RapidSSL CSR Generation Instructions
Thawte CSR Generation Instructions
Symantec CSR Generation Instructions

FAQ How do I decode a CSR?

You can decode a CSR using our CSR decoder tool.
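
Generating and decoding a CSR locally, as an added example that is not part of the original FAQ or any CA's instructions: it creates a 2048-bit key and CSR, reads back the fields from the table above, and checks that a private key corresponds to a CSR. It assumes the OpenSSL command-line tool is installed; the subject values and file names are constructed placeholders.

```shell
#!/bin/sh
# Added example: all names and field values below are constructed placeholders.

# Generate a 2048-bit RSA private key and a PKCS#10 CSR in directory $1 for common name $2.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$1/server.key" -out "$1/server.csr" \
    -subj "/C=US/ST=California/L=San Francisco/O=Example Org Inc/OU=IT/CN=$2" 2>/dev/null
  chmod 600 "$1/server.key"   # the key stays on the server; only the CSR is submitted
}

# Print the subject fields the CA will see (RFC 2253 order: CN first, country last).
csr_subject() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Print the size in bits of the public key embedded in the CSR.
csr_key_bits() {
  openssl req -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Print "match" if private key $1 corresponds to the public key inside CSR $2.
key_matches_csr() {
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || true
  csr_pub=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || true
  if [ -n "$key_pub" ] && [ "$key_pub" = "$csr_pub" ]; then
    echo match
  else
    echo mismatch
  fi
}

dir=$(mktemp -d)
make_csr "$dir" yourdomain.com
echo "subject:  $(csr_subject "$dir/server.csr")"
echo "key bits: $(csr_key_bits "$dir/server.csr")"
echo "key/CSR:  $(key_matches_csr "$dir/server.key" "$dir/server.csr")"
```

The same public-key comparison works against an issued certificate, which is a quick way to confirm which private key a certificate belongs to before installing it.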

FAQ My web server type isn't listed in the drop-down for web server type, what should I select?

You can choose 'Other' from the drop-down list. This item is purely for statistical reporting and will not affect certificate generation. You can select anything from the drop-down and processing will be the same.

FAQ How do I validate the SSL certificate request?

After you submit the CSR for a domain-validation SSL, you'll be presented with a list of email addresses to send the approval email to. The email addresses include *@yourdomain.com email addresses such as admin@yourdomain.com and the admin contact email address listed in your domain name's WHOIS record.

FAQ How long does it take to get my certificate?

How long it takes to get your certificate depends on the type of certificate you are requesting. If you order a domain-validated certificate, it will be issued within a few minutes after you act on the approval email. If you order an organization-validated certificate, you may receive it within an hour to a few days after you submit all the documentation. If you order an extended validation (EV) certificate, it may take several days to a few weeks for the validation to take place.

Installing a Certificate


FAQ What is an Intermediate certificate?

Any certificate in between your certificate and the root certificate is called a chain or intermediate certificate. These must be installed on the web server with the primary certificate so that users' browsers can link your certificate to a trusted authority.

FAQ How do I check if my certificate is installed correctly?

This is a common problem and is likely because you do not have the intermediate certificates installed on the server.

FAQ Why do I get a "Certificate not trusted" error message after installing the certificate?

This is a common problem and is likely because you do not have the intermediate certificates installed on the server.
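
Why a missing intermediate produces the "not trusted" error, as an added example that is not part of the original FAQ: it builds a throwaway root, intermediate and leaf certificate locally and validates the leaf with and without the intermediate supplied. It assumes the OpenSSL command-line tool is installed; all CA names and file names are constructed placeholders.

```shell
#!/bin/sh
# Added example: a throwaway three-level chain; every name here is a constructed placeholder.

# Build root -> intermediate -> leaf certificates in directory $1.
build_chain() {
  d=$1
  cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  # Self-signed root: stands in for a root CA shipped in the browser's trust list.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.pem" \
    -subj "/CN=Example Root CA" -config "$d/ca.cnf" -extensions v3_ca -days 1 2>/dev/null
  # Intermediate CA: its CSR is signed by the root and marked as a CA.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/int.key" -out "$d/int.csr" \
    -subj "/CN=Example Intermediate CA" -config "$d/ca.cnf" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -extfile "$d/ca.cnf" -extensions v3_ca -days 1 -out "$d/int.pem" 2>/dev/null
  # Leaf (the site certificate): its CSR is signed by the intermediate, not by the root.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/leaf.key" -out "$d/leaf.csr" \
    -subj "/CN=yourdomain.com" -config "$d/ca.cnf" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
    -days 1 -out "$d/leaf.pem" 2>/dev/null
}

# Validate the leaf in directory $1 with the root as the only trust anchor.
# $2 = "with" supplies the intermediate, as a correctly configured server would.
chain_status() {
  if [ "$2" = with ]; then
    out=$(openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/leaf.pem" 2>&1) || true
  else
    out=$(openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" 2>&1) || true
  fi
  case $out in *": OK"*) echo trusted ;; *) echo untrusted ;; esac
}

dir=$(mktemp -d)
build_chain "$dir"
echo "server sends leaf only:           $(chain_status "$dir" without)"
echo "server sends leaf + intermediate: $(chain_status "$dir" with)"
```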

FAQ What happens if I lose the private key corresponding to my certificate?

The certificate authority that creates the certificate never requires the private key from you, so they can't help you if you lose it. You will need to submit a new CSR to have the certificate reissued, which is free of cost.

FAQ What is reissuing a certificate?

If you lose the current certificate and need to create a new certificate based on a new private key, you can reissue it. In order to reissue the certificate, you will just need to create a new CSR, reissue with the CA, and install the new certificate. The reissue only works on the exact same domain name. If the original certificate was issued for yourdomain1.com, you cannot request a reissue for yourdomain2.com or mail.yourdomain1.com.

Renew an SSL certificate


FAQ How soon can I renew an existing server certificate?

You can renew a certificate up to 90 days in advance of the certificate expiring. Please note that you will not lose any time when you renew.

FAQ When are renewal notices sent?

Renewal reminders are sent at 28, 21, 14 and 7 days out from expiration.

FAQ Do I need to submit a new CSR when renewing the certificate?

Yes. You do need to generate a new CSR on your server and go through the validation process like you did for a new certificate order.