SSL Basics

SSL stands for Secure Sockets Layer, which is an encryption technology. SSL creates an encrypted connection between your web server and your visitors' web browsers, allowing private information to be transmitted without the risk of it being stolen, tampered with, or forged.

To enable SSL on a website, you will need to get an SSL certificate for your domain name and install it on your web server. Once you have installed an SSL Certificate, you can access a site securely using https://yourdomain.com instead of http://yourdomain.com. If SSL is installed correctly, the information transmitted between the web browser and the web server is encrypted and only seen by that particular website.

A certificate authority (CA) is a third-party organization that verifies the information or identity of computers on a network and issues digital certificates of authenticity. Every certificate authority has different products, prices, and levels of customer satisfaction. Some of the common CAs include GeoTrust, Comodo, RapidSSL, and Thawte. There are also free CAs such as Let's Encrypt.

1. Choose an SSL certificate and place an order
2. Generate a CSR (Certificate Signing Request) on your server and submit the CSR with the order
3. Validate the SSL certificate request by approval email sent to the admin email of the domain name (for domain-validation certs only)
4. The Certificate Authority will issue the certificates once the validation process is complete

A CSR, or Certificate Signing Request, is a block of encoded text that is provided to a Certificate Authority when applying for an SSL Certificate. It is usually generated on the server where the certificate will be installed.

A single-domain SSL certificate provides security for one domain name, such as yourdomain.com. It can only be used on one specific website. Example: https://www.yourdomain.com. A wildcard SSL certificate protects unlimited same-level subdomains of a domain such as yourdomain.com. Example: https://www.yourdomain.com, https://mail.yourdomain.com.
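
The coverage rule described above, as an added example (not code from the original page): a POSIX shell function, with the hypothetical name `cert_covers`, that tests one certificate name against one hostname. It assumes the usual matching rule that `*` stands for exactly one left-most label, so a wildcard covers neither the bare domain nor deeper subdomains.

```shell
#!/bin/sh
# Added example: does a certificate issued for NAME cover HOST?
# cert_covers is a hypothetical helper; it handles exact names and the
# whole-label wildcard form (*.yourdomain.com) only.

cert_covers() {    # $1 = certificate name, $2 = hostname being visited
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')    # DNS names are case-insensitive
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case $name in
        '*.'*)
            parent=${name#'*.'}          # e.g. yourdomain.com
            label=${host%".$parent"}     # what sits in front of the parent domain
            [ "$label" != "$host" ] || return 1   # host is not under the parent
            [ -n "$label" ] || return 1           # empty label
            case $label in
                *.*) return 1 ;;                  # more than one level deep
            esac
            return 0 ;;
        *)
            [ "$name" = "$host" ] ;;              # single-domain: exact match
    esac
}

# Demo with constructed hostnames
for h in www.yourdomain.com mail.yourdomain.com yourdomain.com a.b.yourdomain.com; do
    if cert_covers '*.yourdomain.com' "$h"; then
        echo "covered:     $h"
    else
        echo "not covered: $h"
    fi
done
```

A certificate that lists several names is valid for a host if any one of those names covers it.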

Browser vendors add root CA certificates into the releases of all the major browsers. Root CA certificates are the certificates issued by the CAs to them for creating a defined relationship between two CAs. When such a browser is used, it relies by default on the list of root CA certificates that the browser vendor considers trustworthy. When an SSL certificate is issued by one of these trusted root CAs, the browser will inherently trust it to carry out a secure online session. The certificates from all major certificate providers listed by us are compatible with 99% of all browsers.
Requesting a Certificate

You can choose a certificate based on the brand, the number of certified domains and the validation level. You can see different types of certificates here.

If your order is in 'Awaiting CSR' or 'Pending Verification' status where the SSL certificates have yet to be issued, you can request a cancellation and obtain a full refund. If your order is in 'Complete' or 'Processing' status where the Certificate Authorities have issued the certificates, it is no longer eligible for a refund.

Name | Definition | Example |
Common Name | The fully qualified domain name (FQDN) of your server. This must match exactly what you type in your web browser. Using a common name of yourdomain.com secures www.yourdomain.com as well. | yourdomain.com; *.yourdomain.com for wildcard SSL. |
Organization | The name of your organization. This should not be abbreviated and should include suffixes such as Inc, Corp, or LLC. But you do not need to be legally registered if you are requesting a domain-validation certificate. | Comodo Group, Inc. |
Organizational Unit | The department of your organization managing the certificate. | IT |
City/Locality | The city where your organization is located. | New York |
State/County/Region | The state/region where your organization is located. This shouldn't be abbreviated. | California; Arizona |
Country | The two-letter ISO code for the country where your organization is located. | US for United States; GB for United Kingdom. |
Email address | An email address used to contact your organization. | webmaster@comodo.com |
Public Key | The public key that is part of the certificate. | Generated automatically during the CSR generation process. |

A CSR may be represented as Base64-encoded PKCS#10. The CSR needs to be 2048-bit. This format includes the "-----BEGIN CERTIFICATE REQUEST-----" and "-----END CERTIFICATE REQUEST-----" lines at the beginning and end of the CSR. A PEM-format CSR can be opened in a text editor.

The CSR and private key need to be generated on the server that the certificate will be used on. You can find instructions in your server documentation or use the instructions from one of these certificate authorities:
Comodo CSR Generation Instructions
GeoTrust RapidSSL CSR Generation Instructions
Thawte CSR Generation Instructions
Symantec CSR Generation Instructions
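
One way to generate and check a CSR on the server with the OpenSSL command-line tool, as an added example (not instructions from the original page or from any of the CAs listed). The function names `make_csr` and `check_csr`, the file names, and every subject value are placeholders chosen for illustration.

```shell
#!/bin/sh
# Added example: create a 2048-bit RSA key and a PKCS#10 CSR with OpenSSL,
# then check the CSR before submitting it. Subject values are placeholders.

make_csr() {    # $1 = common name, $2 = output directory
    (
        umask 077    # keep the private key readable by its owner only
        # -nodes leaves the key unencrypted so the web server can load it
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$2/server.key" -out "$2/server.csr" \
            -subj "/C=US/ST=New York/L=New York/O=Example Org Inc/OU=IT/CN=$1" \
            2>/dev/null
    )
}

check_csr() {   # $1 = CSR file, $2 = expected common name; prints "ok" or a reason
    [ "$(head -n 1 "$1")" = "-----BEGIN CERTIFICATE REQUEST-----" ] ||
        { echo "not a PEM CSR"; return 1; }
    # -verify checks the CSR's self-signature against its own public key
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 ||
        { echo "signature does not verify"; return 1; }
    openssl req -in "$1" -noout -text | grep -q "Public-Key: (2048 bit)" ||
        { echo "key is not 2048-bit"; return 1; }
    # Subject layout differs between OpenSSL versions; pull out the CN value only
    cn=$(openssl req -in "$1" -noout -subject |
        sed -n 's/.*CN *= *\([^,/]*\).*/\1/p')
    [ "$cn" = "$2" ] || { echo "common name mismatch"; return 1; }
    echo "ok"
}

# Demo in a throwaway directory
demo_dir=$(mktemp -d)
make_csr "www.yourdomain.com" "$demo_dir" &&
    check_csr "$demo_dir/server.csr" "www.yourdomain.com"
rm -rf "$demo_dir"
```

Only `server.csr` is sent to the CA; `server.key` stays on the server and is needed again when the issued certificate is installed.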

You can decode a CSR using our CSR decoder tool.

You can choose 'Other' from the drop-down list. This item is purely for statistical reporting and will not affect certificate generation. You can select anything from the drop-down list and processing will be the same.

After you submit the CSR for a domain-validation SSL, you'll be presented with a list of email addresses to send the approval email to. The email addresses include *@yourdomain.com email addresses such as admin@yourdomain.com and the admin contact email address listed in your domain name's WHOIS record.

How long it takes for you to get your certificate depends on the type of certificate you are requesting. If you order a domain-validated certificate, it will be issued within a few minutes after you act on the approval email. If you order an organization-validated certificate, you may receive it within an hour to a few days after you submit all the documentation. If you order an extended validation (EV) certificate, it may take several days to a few weeks for the validation to take place.
Installing a Certificate

Any certificate in between your certificate and the root certificate is called a chain or intermediate certificate. These must be installed on the web server with the primary certificate so that users' browsers can link your certificate to a trusted authority.

This is a common problem and is likely because you do not have the intermediate certificates installed on the server.

Renew an SSL certificate

You can renew a certificate up to 30 days in advance of the certificate expiring. Please note that you will not lose any time when you renew.

Renewal reminders are sent 28, 21, 14, and 7 days before expiration.

Yes. You do need to generate a new CSR on your server and go through the validation process like you did for a new certificate order.