SSL Certificates FAQ

 

Because GDPR requirements and the resulting move to private WHOIS records hide registrant contact details, one of the following generic e-mail addresses is now used to validate a certificate. The address is formed at the domain you purchased the certificate for (shown here with the placeholder domain.com):

admin@domain.com
administrator@domain.com
hostmaster@domain.com
webmaster@domain.com
postmaster@domain.com

 

SSL Certificates

Regardless of how secure you make your hosting environment, any sensitive information traveling over the web can be intercepted – unless you have a digital certificate.

easyDNS SSL certificates allow you to conduct online business more safely and quickly. An SSL certificate is represented by the “lock” appearing in the corner of your browser. It contains your name, a serial number, expiration dates, a key for encrypting and decrypting information, and the digital signature of the issuing authority, which customers can use to verify that the certificate is real.

We offer GeoTrust, RapidSSL, Symantec, Sectigo [Comodo] and Thawte certificates. GeoTrust is the second largest Certification Authority worldwide. GeoTrust certificates also come with the GeoTrust site seal and are compatible with 99% of all web browsers. This seal is instant and recognisable proof to your customers that your site is safe. It immediately establishes and confirms encrypted, confidential and secure communications, and will help you develop a strong and trusting relationship with your customers.

For help generating a CSR on your server, please visit this GeoTrust page.

NOTE: easyDNS cannot affect the speed of these transactions, or whether the Certificate Authority decides to require additional verification for security purposes.
SAN support is not currently offered on all SSL Certificate types.

What Is A Digital Certificate?

A digital certificate is an electronic “credit card” that establishes your credentials when doing business or other transactions on the Web. The certificate is issued by a certification authority (CA). It contains your name, a serial number, expiration dates, a copy of the certificate holder’s public key (used for encrypting messages and digital signatures), and the digital signature of the certificate-issuing authority so that a recipient can verify that the certificate is real. Digital certificates can be kept in registries so that authenticating users can look up other users’ public keys.

What Is SSL?

SSL (Secure Sockets Layer), together with its successor TLS, is the Web standard for encrypting communications between users and e-commerce sites. Data sent over an SSL connection is protected by encryption, a mechanism that prevents eavesdropping on and tampering with the transmitted data. SSL gives businesses and consumers confidence that private data sent to a Web site, such as credit card numbers, is kept confidential. Web server certificates (also known as secure server certificates or SSL certificates) are required to initialise an SSL session.

Customers know they have an SSL session with a website when their browser displays the little gold padlock and the address bar begins with https:// rather than http://. SSL certificates can be used on web servers for Internet security and on mail servers (IMAP, POP3 and SMTP) to secure mail collection and sending.

Why Do I Need An SSL Certificate?

An SSL certificate is a ‘must-have’ for those who need to reassure their online visitors that they are a legitimate entity and that information passing between the visitor’s browser and the website cannot be intercepted. For any business managing financial transactions or dealing with sensitive customer data, an SSL certificate is a must. It is also essential to know that certain web browsers will flag a website as potentially unsafe when it lacks HTTPS (an installed SSL certificate).

How do I cancel my certificate?

A certificate can be cancelled for a full refund up to 30 days from issuance. To cancel a cert that hasn’t been issued yet, please contact easyDNS support and we’ll work with you to cancel the process.

If the certificate has been issued, then please go to the GeoTrust user portal here and cancel it within that account. This is for GeoTrust, RapidSSL, Symantec and Thawte certificates.

  • Type in the common name (hostname) for your certificate
  • Type in the contact email address where the certificate was received
  • Type in the numbers you see on the screen.

You’ll then be shown your current/past orders for that common name. Click the Request Access button for your current certificate.

GeoTrust will then send an e-mail to the contact e-mail address. In that e-mail, there will be a link which gives you access to the GeoTrust Portal for that certificate.

To cancel an issued Sectigo [Comodo] certificate, please contact easyDNS support to get assistance.

What Is QuickSSL?

QuickSSL is a web server certificate that allows consumers and web sites to conduct safe e-commerce with encrypted SSL connections. QuickSSL can usually be provisioned within an hour or so, but can take up to 2 business days if GeoTrust’s verification processes deem manual intervention necessary. Much of this depends on whether all the information in your domain’s registration record is correct, and how swiftly the contacts for the domain respond to the necessary authorisations.

What Is The Difference Between QuickSSL And QuickSSL Premium?

QuickSSL Premium comes with all the features and benefits of QuickSSL, but also includes the QuickSSL Premium smart seal with a dynamic date/time stamp. The smart seal is dynamically generated by GeoTrust and shows that GeoTrust has authenticated the domain. Visitors to your site can also click on the smart seal to verify that your certificate is still valid with GeoTrust, giving your customers an extra peace of mind.

What Is True BusinessID?

True BusinessID provides a simple way for your customers to view your validated organisation information via a trusted third party. True BusinessID will increase transactions and revenue by giving your customers the confidence and assurance to trust the identity of your web site. Even if you don’t have a web site brand name, True BusinessID will let your customers know you are legitimate.

What Is A Single Root SSL Certificate?

When connecting to a webserver over SSL, the visitor’s browser decides whether or not to trust the website’s SSL certificate based on which Certification Authority has issued the actual SSL certificate. To determine this, the browser looks at its list of trusted issuing authorities – represented by a collection of Trusted Root CA certificates added into the browser by the browser vendor (such as Microsoft and Netscape).

Most SSL certificates are issued by CAs who own and use their own Trusted Root CA certificates, such as those issued by GeoTrust. As GeoTrust is known to browser vendors as a trusted issuing authority, its Trusted Root CA certificate has already been added to all popular browsers, and hence is already trusted. These SSL certificates are known as “single root” SSL certificates. GeoTrust owns the Equifax Secure eBusiness CA-1 root used to issue its certificates.

Some Certification Authorities, like Comodo, do not have a Trusted Root CA certificate present in browsers, therefore they need a “chained root” in order for their certificates to be trusted – essentially a CA with a Trusted Root CA certificate issues a “chained” certificate which “inherits” the browser recognition of the Trusted Root CA. These SSL certificates are known as “chained root” SSL certificates.

Installation of chained root certificates is more complex, and some web servers are not compatible with chained root certificates.

For a Certification Authority to have its own Trusted Root CA certificate already present in browsers is a clear sign that they are long-time, stable and credible organizations who have long term relationships with the browser vendors (such as Microsoft and Netscape) for the inclusion of their Trusted Root CA certificates. For this reason, such CAs are seen as being considerably more credible and stable than chained root certificate providers who do not have a direct relationship with the browser vendors.

You can view the Certification Authorities who have their own root certificates by viewing the list in your browser.

How Does A Server Certificate Work?

The end-user’s browser requests a secure channel (via “https:”) from the server, and then – if the server has a cert – the browser and the server negotiate their highest common encryption strength (e.g., 128-bit) and exchange the corresponding encryption keys (this exchange is normally done using 2048-bit encryption strength). The 256-bit encryption key is then used for this particular instance of SSL, for all exchanges in both directions between the browser and the server. The next https session will have a new session key. The certificate guarantees the security of the connection between the browser and the server. Once data is in the server, it is up to the server admin to make sure the data remains protected.

What Is The Encryption Strength Of GeoTrust Certificates?

All GeoTrust certificates are 256-bit. For each and every session, the server and browser negotiate and choose the highest common encryption strength between them. So if a user with a 40-bit browser hits your SSL-secured site, the resulting connection will automatically become 40-bit strength encryption.

GeoTrust recommends that end-user Subscribers select the 2048-bit encryption strength or the equivalent descriptor option when generating their certificate requests. When the certificate’s key length is 2048 or longer, the SSL session key will be 256 bit. If the certificate key length is 512, the SSL session key will be 40 bit or 56 bit.
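The negotiation described in the two paragraphs above, as an added example (not code from the easyDNS FAQ or from GeoTrust): the server picks the strongest cipher suite both sides support, so a client that only offers weak suites drags the session down to its level. The LEGACY_CATALOG mapping of suite names to key strengths is constructed to mirror the 40/56/128/256-bit figures the FAQ mentions; `live_catalog()` reads the real suite list from the OpenSSL build Python is linked against, where export-grade 40- and 56-bit suites no longer appear.

```python
"""Cipher-strength negotiation between a browser and a server.

Added example, not code from the easyDNS FAQ or from GeoTrust.  The
LEGACY_CATALOG below is constructed for illustration; live_catalog() reads
the genuine suite list via ssl.SSLContext.get_ciphers().
"""
from __future__ import annotations

import ssl

# Constructed catalog: cipher-suite name -> symmetric key strength in bits.
LEGACY_CATALOG = {
    "AES256-GCM-SHA384": 256,
    "AES128-GCM-SHA256": 128,
    "DES-CBC-SHA": 56,      # single DES: obsolete, shown only for the 56-bit case
    "EXP-RC4-MD5": 40,      # export-grade RC4: obsolete, shown only for the 40-bit case
}


def negotiate(server_prefs: list[str], client_offered: list[str],
              catalog: dict[str, int]) -> str | None:
    """Return the strongest suite both sides support.

    Ties are broken by the server's preference order (earlier wins).  None
    means no suite in common, i.e. the handshake fails.
    """
    common = [s for s in server_prefs if s in client_offered and s in catalog]
    if not common:
        return None
    return max(common, key=lambda s: (catalog[s], -server_prefs.index(s)))


def session_strength(server_prefs: list[str], client_offered: list[str],
                     catalog: dict[str, int]) -> int:
    """Key strength (bits) of the negotiated session, or 0 if none."""
    suite = negotiate(server_prefs, client_offered, catalog)
    return catalog[suite] if suite else 0


def weak_suites(catalog: dict[str, int], minimum_bits: int = 128) -> list[str]:
    """Defender's check: suites a server should stop offering."""
    return sorted(s for s, bits in catalog.items() if bits < minimum_bits)


def live_catalog() -> dict[str, int]:
    """The same mapping for the OpenSSL build behind this Python."""
    ctx = ssl.create_default_context()
    return {c["name"]: c["strength_bits"] for c in ctx.get_ciphers()}


if __name__ == "__main__":
    server = list(LEGACY_CATALOG)  # server offers everything, strongest first
    modern_browser = ["AES128-GCM-SHA256", "AES256-GCM-SHA384"]
    forty_bit_browser = ["EXP-RC4-MD5"]
    print("modern browser  ->", session_strength(server, modern_browser, LEGACY_CATALOG), "bit")
    print("40-bit browser  ->", session_strength(server, forty_bit_browser, LEGACY_CATALOG), "bit")
    print("should be disabled on the server:", weak_suites(LEGACY_CATALOG))
    print("weakest suite in this OpenSSL build:", min(live_catalog().values()), "bit")
```

Running `weak_suites()` over `live_catalog()` on a current OpenSSL build is a quick way to confirm that nothing below 128-bit is still on offer, which is the practical fix for the 40-bit scenario the FAQ describes.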

If you are running Windows, see Microsoft’s bulletin Q300398: “You install a 256-bit high encryption certificate onto Internet Information Server (IIS) version 4.0 or 5.0, then browse with a 128-bit enabled Web browser to IIS by using https://. However, the Web browser only makes a 40-bit or 56-bit Secure Sockets Layer (SSL) session with IIS (size 7927 bytes, updated 6/13/2001 12:54:00 PM GMT)”

Can I See Which Certification Authorities Have Their Own Trusted CA Root Present In Browsers?

Yes. Your browser contains a Trusted CA root certificate store. You can access this by opening Internet Explorer, then go to Tools, select Internet Options, select the Content tab, click Certificates, select the Trusted Root Certification Authorities tab. You will then see a dialog box presenting a list of all Certification Authorities who own their own Trusted CA roots (you can examine the root certificate by double clicking it):

GeoTrust owns the Equifax root (Equifax Digital Certificate services became GeoTrust in 2001).

What Intermediate Certificate do I need?

The RapidSSL intermediate certificates at https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=INFO1548 are sorted by the signature hash algorithm (SHA-1 or SHA-2) of the certificate file. If the certificate was issued after December 2015, it is a SHA-2 certificate under a SHA-2 root certificate.

The SSL test at https://www.ssllabs.com/ssltest/index.html will tell you whether the certificate is SHA-1 or SHA-2.

Can I Secure Multiple Subdomains With A Single Certificate?

An SSL certificate is issued to a fully qualified domain name (FQDN). This means that an SSL certificate issued to “secure.mywebsite.com” cannot be used on a different subdomain, such as “www.mywebsite.com”. To get around this restriction we offer True Business Wildcard Certificates. Wildcard Certificates allow you to secure multiple subdomains of the same domain name, saving you time and money, and of course you do not need to manage multiple certificates on the same server.

So with a single certificate issued to *.mywebsite.com you could protect:

  • www.mywebsite.com
  • secure.mywebsite.com
  • etc.mywebsite.com
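The FQDN and wildcard rules above, as an added example that is not part of the easyDNS FAQ or any CA’s code. It implements the matching rule browsers apply to a certificate name (RFC 6125 section 6.4.3 and the CA/Browser Forum Baseline Requirements), which goes slightly beyond the FAQ’s text: a wildcard covers exactly one DNS label, only in the leftmost position, and never the bare domain or a deeper subdomain. The sample hostnames are constructed for illustration.

```python
"""Hostname matching for single-name and wildcard SSL certificates.

Added example, not code from the easyDNS FAQ or from any CA.  The hostnames
used below are constructed for illustration.
"""
from __future__ import annotations


def _labels(name: str) -> list[str]:
    # DNS names are case-insensitive; a trailing dot marks an absolute name.
    return name.lower().rstrip(".").split(".")


def hostname_matches(cert_name: str, hostname: str) -> bool:
    """True if a certificate issued to cert_name secures hostname."""
    cert = _labels(cert_name)
    host = _labels(hostname)
    if "" in cert or "" in host:
        return False                    # empty label, e.g. "a..b"
    if "*" not in cert_name:
        return cert == host             # plain FQDN: exact match only
    # Wildcard rules: a lone "*" as the entire leftmost label, no other "*",
    # and at least two more labels (a cert for "*.com" is never accepted).
    if cert[0] != "*" or "*" in cert_name[1:] or len(cert) < 3:
        return False
    # Exactly one label stands in for the "*": same label count, and every
    # label after the first must be identical.
    return len(host) == len(cert) and host[1:] == cert[1:]


def covered_names(cert_name: str, candidates: list[str]) -> list[str]:
    """Filter a list of hostnames down to those the certificate would secure."""
    return [h for h in candidates if hostname_matches(cert_name, h)]


if __name__ == "__main__":
    candidates = [
        "www.mywebsite.com",
        "secure.mywebsite.com",
        "etc.mywebsite.com",
        "mywebsite.com",          # bare domain: NOT covered by *.mywebsite.com
        "a.b.mywebsite.com",      # two labels deep: NOT covered
        "www.yourdomain.com",     # different domain: NOT covered
    ]
    for name in ("secure.mywebsite.com", "*.mywebsite.com"):
        print(f"{name:22} -> {covered_names(name, candidates)}")
```

The practical consequence for a deployment: a wildcard for `*.mywebsite.com` does not cover `mywebsite.com` itself, so the bare domain needs its own name on the certificate (or a redirect to a covered hostname) if visitors type it without `www`.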

What Is Browser Ubiquity Or Browser Recognition?

Browser ubiquity is the term used in the industry to describe the estimated percentage of Internet users that will inherently trust an SSL certificate. The lower the browser ubiquity, the less people will trust your certificate – clearly, if you are operating a commercial site you require as many people as possible to trust your SSL certificate. As a general rule, any SSL certificate with over 95% browser ubiquity is acceptable for a commercial site.

Ubiquity is, however, not the only consideration in deciding whether one SSL certificate is better than another. Businesses that need to maximize customer confidence buy certificates from well-known, long-established security vendors, such as GeoTrust, which is WebTrust compliant.

What Type Of Servers Does GeoTrust Support?

GeoTrust supports all current releases of commercial and freeware web servers supporting SSL v3. Supported browsers and clients include:

Web Browsers (SSL enabled)

  • Microsoft IE 5.01+
  • Netscape Communicator 4.51+
  • Mozilla Firefox 1.0+
  • Mozilla Suite 1.0+
  • Google Chrome
  • AOL 5+
  • Opera 7+
  • Apple Safari 1.0+
  • Red Hat Linux Konqueror
  • Sony Playstation
  • Microsoft WebTV

Micro Browsers (SSL enabled)

  • Apple iOS
  • Android 2.3+
  • Netfront 3.0+
  • Opera 7.0+
  • Palm / Handspring Blazer 2.0+
  • Microsoft Windows CE 2003
  • Microsoft Internet Explorer Pocket PC 2003
  • Microsoft Internet Explorer Smartphone 2003
  • Blackberry 4.0+
  • AT&T
  • Sony Playstation Portable
  • Sony Netjuke audio
  • Brew
  • NTT DoCoMo
  • Vodafone

Email Clients (S/Mime)

  • Microsoft Outlook 99+
  • Netscape Communicator 4.51+
  • Mozilla Thunderbird 1.0+
  • Qualcomm Eudora 6.2+
  • Lotus Notes
  • Mulberry Email 3.1.6+

Application Clients and Servers

  • Sun J2SE 1.4.2_02
  • Sun J2EE 1.4.2_02
  • IBM WebSphere Micro Environment (WME)
  • IBM WebSphere Custom Environment (WCE)

Server Compatibility of GeoTrust SSL Certificates

GeoTrust supports all current releases of commercial and freeware web servers and mail servers supporting SSL. Supported servers include:

Web Servers

  • Apache + MOD SSL
  • Apache + Raven
  • Apache + Raven 1.5x
  • Apache + SSLeay
  • BEA WebLogic
  • C2Net Stronghold
  • Cobalt RaQ3/RaQ4 “Main Site”
  • Cobalt RaQ3 “Virtual Site”
  • Cobalt RaQ4 “Virtual Site”
  • cPanel / WHM
  • Ensim
  • HSphere
  • IBM HTTP
  • iPlanet Enterprise Server 4.1
  • Lotus Domino Go 4.6.2.6 and higher
  • Lotus Domino 4.6 and higher
  • Microsoft Internet Information Server 4.0
  • Microsoft Internet Information Server 5.0 & 6.0
  • Netscape Enterprise/Fast Track
  • Novell ConsoleOne
  • O’Reilly / Deerfield WebSite Professional 2.X / 3.X
  • Plesk
  • Stronghold 3
  • Tomcat
  • WebSTAR 4
  • WebSTAR V
  • Zeus Web Server v3

Mail Servers

  • CPopper
  • CPPop (cPanel mail server) and other stunnel based mail servers
  • Courier IMAP
  • Exchange 5 / 2000 / 2003 (Outlook Web Access)
  • Ipswitch IMail
  • Postfix

What Validation Process Do SSL Certificates Use?

Companies that issue digital certificates such as GeoTrust provide consumers with confidence that the companies they secure are who they claim to be.

With physical companies, identification documents such as photo IDs and papers of incorporation tell consumers who they are, so that if their products or services are defective, buyers can seek recourse. Online companies rely on digital certificates to promote their legitimacy and to protect their customers’ information. To apply for a digital certificate they must prove to the certificate authority (in this case GeoTrust) that they have the credentials to present themselves online as who they are.

There are different levels of documentation which a corporation will need to provide depending on the type of certificate they wish to purchase – from proof of domain ownership to letters of incorporation.

Customers wishing to purchase QuickSSL certificates need to prove that they are the owner of that domain. This tells online visitors that the URL “owners” are who they claim to be. This form of validation is a quicker, lower cost alternative to the True Business validation model.

Customers wishing to purchase True BusinessID and True Business Wildcard certificates must fax in their articles of incorporation or provide a DUNS number as part of the provisioning process. They will then be assigned a ChoicePoint Unique Identifier (CUI) – equivalent to a DUNS number. The CUI adds a corporate profile to the information embedded in the digital certificate, which can be viewed by your visitors.

What Is A Certification Authority (CA)?

Not just anybody can issue trusted SSL Certificates. If they could, there would be no trust in SSL – and it could no longer be used commercially. Instead, only Certification Authorities, or CAs as they are commonly known, can issue trusted SSL Certificates.

Before deciding on what certificate to purchase, please strongly consider the types of validation methods that are required to secure a certificate.

Domain Validated (DV): Inexpensive and very quick to get issued. For those looking for encryption, this protection is recommended for internal use, personal & hobby sites and small forums that have logins, forms or other non-transactional data. DV certs really shouldn’t be used for commercial purposes. Validation is done only through the domain’s Whois record. Will display a padlock and HTTPS.

Organisation Validated (OV): Affordable protection for small businesses to display trust. Recommended for small to mid-sized business sites where validation of the company is important. Can be used for sites with low-volume eCommerce transactions. Will display a padlock and HTTPS. Validation takes a few days and the organisation is strictly authenticated by the personnel of the Certification Authority [CA] to confirm legitimate business information [using business listings such as Dun & Bradstreet].

Extended Validated (EV): Proven to boost your customer confidence as this is maximum security and trust. Recommended for mid-sized to enterprise sites where visitor confidence is key. A must for trustworthy websites with eCommerce, online banking, and secure customer information. EV Certs are distinguished by the browser displaying the Green Address Bar along with the padlock and HTTPS. Issuance can take a week to go through a rigorous validation process with the Certification Authority [CA].

CAs have generally invested in establishing the technology, support, legal and commercial infrastructures associated with providing SSL certificates. Even though CAs are essentially self-regulated, the nearest thing to a regulatory body is the WebTrust compliance program operated by AICPA/CICA. The majority of CAs comply with the WebTrust principles; however, some CAs do not have WebTrust compliance. Those CAs who are WebTrust compliant display the WebTrust Seal. [Image: Ernst and Young WebTrust seal]

The WebTrust Seal of assurance for Certification Authorities symbolises to potential relying parties [e.g. the end customer] that a qualified practitioner has evaluated the CA’s business practices and controls to determine whether they conform to the AICPA/CICA WebTrust for Certification Authorities Principles and Criteria. An unqualified opinion from the practitioner indicates that such principles are being followed in conformity with the WebTrust for Certification Authorities Criteria. These principles and criteria reflect fundamental standards for the establishment and on-going operation of a Certification Authority organisation or function.

Why Are Static IP Addresses Required For The Certificate To Work?

You need to have a separate IP address for each domain you want to secure. The reason is that a certificate is bound only to a domain name, but the SSL protocol is bound to a static IP address; therefore, any certificate-enabled web site must have its own unique IP address. The IP can be real (routable) or internal (an RFC 1918 non-routable address), but it must be unique on the server.

How Do I Move A Certificate From One ISP To Another ISP?

You may be able to move your certificate from one ISP to another. Per our certificate licensing agreement, you must purchase a new certificate if you plan on continuing to use the certificate in its current location. Otherwise, it largely depends on server compatibility and the willingness of your current ISP to assist you.

Your current ISP will need to export your key pair file from the server hosting your web site. Once you have the complete key pair file, you can provide it to your new ISP to import on their server. If your current ISP will not provide you with the key pair file, you will need to purchase a new certificate to use with your new ISP. If you have to purchase another certificate, please let us know and we will expedite the processing of the new request. In addition, you will not have to resubmit your business documentation as long as nothing has changed.

Please be aware that if the two ISPs are running different server types, you may not be able to import the key pair file due to server compatibility issues. If this happens, a new certificate will have to be purchased.

How Do I Get My Certificate Re-issued?

Sometimes a server has to generate new keys after a certificate is issued, for example after a crash or a security breach. When this occurs, you’ll need to re-issue the SSL certificate. This is done by generating a new CSR (with all the same information) and submitting it to GeoTrust. You can do so here.

Where Can I Get More Information On Validation And Certificate Issuance?

Click here to be brought to GeoTrust’s FAQ.

Can I Call GeoTrust Directly For Technical Support?

easyDNS is your frontline support on certificates. We will be able to escalate problems with the CA [Certificate Authority – GeoTrust, RapidSSL, Comodo, Trustwave and Symantec] to get the assistance you need.

Calls made directly to a CA will receive a response asking the certificate holder to contact their vendor. GeoTrust chat support can be used effectively to have certificate e-mails reissued to the approver e-mail address.

If you need to cancel the certificate, then that must be done by you with the CA directly as we do not have the authority to make that request.

Each CA also offers help pages and videos on certificate management that are very helpful.