SSL Basics
What is an SSL?
SSL stands for Secure Sockets Layer, which is an encryption technology. SSL creates an encrypted connection between your web server and your visitors' web browser, allowing private information to be transmitted without the risk of the information being stolen, tampered with or forged.
How do I enable SSL on my website?
To enable SSL on a website, you will need to get an SSL certificate for your domain name and install it on your web server. Once you have installed an SSL Certificate, you can access a site securely using https://yourdomain.com instead of http://yourdomain.com. If SSL is installed correctly, the information transmitted between the web browser and the web server is encrypted and only seen by that particular website.
What is a certificate authority (CA)?
A certificate authority (CA) is a third-party organization that verifies the information or identity of computers on a network and issues digital certificates of authenticity. Certificate authorities differ in their products, prices, and customer satisfaction. Some of the common CAs include Geotrust, Comodo, RapidSSL, Thawte etc. There are also free CAs such as Let's Encrypt.
What is the process of buying an SSL certificate for my domain name?
1. Choose an SSL certificate and place an order
2. Generate a CSR (Certificate Signing Request) on your server and submit the CSR with the order
3. Validate the SSL certificate request by approval email sent to the admin email of the domain name (for domain-validation certs only)
4. The Certificate Authority will issue the certificates once the validation process is complete
What is a CSR (Certificate Signing Request)?
A CSR or Certificate Signing Request is a block of encoded text that is provided to a Certificate Authority when applying for an SSL Certificate. It is usually generated on the server where the certificate will be installed.
How many domain names can I secure?
Single-domain SSL certificates provide security for one single domain name yourdomain.com. It can only be used on one specific website. Example: https://www.yourdomain.com. Wildcard SSL certificates protect unlimited same-level subdomains of a domain yourdomain.com. Example: https://www.yourdomain.com, https://mail.yourdomain.com.
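The "same-level" rule is the part that most often causes name-mismatch errors after installation. The following added example (not part of the original FAQ; the function names and the host list are constructed for illustration) checks which hostnames a set of certificate names actually covers:

```python
def name_covers(cert_name, host):
    """True if one certificate name (exact or wildcard) covers `host`."""
    pattern = cert_name.lower().rstrip(".").split(".")
    labels = host.lower().rstrip(".").split(".")
    if len(pattern) != len(labels):
        return False                      # "*" stands for exactly one label
    if pattern[0] == "*":
        return pattern[1:] == labels[1:]  # wildcard only in the leftmost label
    return pattern == labels


def uncovered_hosts(cert_names, hosts):
    """Hosts that would get a name-mismatch error with this certificate."""
    return [h for h in hosts if not any(name_covers(n, h) for n in cert_names)]


# Constructed inventory of hostnames for yourdomain.com.
HOSTS = [
    "yourdomain.com",
    "www.yourdomain.com",
    "mail.yourdomain.com",
    "api.dev.yourdomain.com",
]

if __name__ == "__main__":
    # A wildcard covers neither the bare domain nor a deeper level.
    print(uncovered_hosts(["*.yourdomain.com"], HOSTS))
    # A single-domain certificate that also lists the www name.
    print(uncovered_hosts(["yourdomain.com", "www.yourdomain.com"], HOSTS))
```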
Why is my SSL certificate only 1 year?
Starting September 1st, 2019, SSL/TLS certificates cannot be issued for longer than 13 months (397 days) in compliance with the industry standard. Any SSL/TLS certificates which claim longer terms require re-issuance every 1 year. Within a month of expiration, the SSL/TLS certificate can be renewed for another 1 year without losing any time on the existing SSL/TLS certificate.
Do you have any online SSL tools to assist with SSL certificate implementation?
We provide various online SSL tools to troubleshoot, test, check, generate, verify, convert as well as manage common SSL issues.
What is browser compatibility?
Browser vendors add root CA certificates into the releases of all the major browsers. Root CA certificates are the certificates issued by the CAs to them for creating a defined relationship between two CAs. When such a browser is used, it relies by default on the list of root CA certificates that the browser vendor considers trustworthy. When an SSL certificate is issued by one of these trusted root CAs, the browser will inherently trust the SSL certificate to carry out a secure online session. The certificates from all major certificate providers listed by us are compatible with 99% of all browsers.
Requesting a Certificate
What types of certificates should I order?
You can choose a certificate based on the brand, the number of certified domains and the validation level. You can see different types of certificates here.
Can I cancel the SSL and get a refund?
If your order is in 'Awaiting CSR' or 'Pending Verification' status where the SSL certificates have yet to be issued, you can request a cancellation and obtain a full refund. If your order is in 'Complete' or 'Processing' status where the Certificate Authorities have issued the certificates, it is no longer eligible for a refund.
CSR (Certificate Signing Request)
What is contained in a CSR?
Name | Definition | Example |
Common Name | The fully qualified domain name (FQDN) of your server. This must match exactly what you type in your web browser. Using a common name of yourdomain.com secures www.yourdomain.com as well. | yourdomain.com; *.yourdomain.com for wildcard SSL. |
Organization | The name of your organization. This should not be abbreviated and should include suffixes such as Inc, Corp, or LLC. But you do not need to be legally registered if you are requesting a domain-validation certificate. | Comodo Group, Inc. |
Organizational Unit | The department of your organization managing the certificate. | IT |
City/Locality | The city where your organization is located. | New York |
State/County/Region | The state/region where your organization is located. This shouldn't be abbreviated. | California; Arizona |
Country | The two-letter ISO code for the country where your organization is located. | US for United States; GB for United Kingdom. |
Email address | An email address used to contact your organization. | webmaster@comodo.com |
Public Key | The public key that is part of the certificate. | Generated automatically during the CSR generation process. |
What does a CSR look like?
A CSR may be represented as a Base64 encoded PKCS#10. The CSR needs to be 2048-bit. This format includes the "-----BEGIN CERTIFICATE REQUEST-----" and "-----END CERTIFICATE REQUEST-----" lines at the beginning and end of the CSR. A PEM format CSR can be opened in a text editor and looks like the following example:
-----BEGIN CERTIFICATE REQUEST-----
/YcG4ouLJr140o26MhwBpoCRpPjAgdYMH60BYfnc4/DILxMVqR9xqK1s98d6Ob/+v
3wHFK+S7BRWrJQXcM8veAexXuk9lHQ+FgGfD0eSYGz0kyP26Qa2pLTwumjt+nBPl
rfJxaLHwTQ/1988G0H35ED0f9Md5fzoKi5evU1wG5WRxdEUPyt3QUXxdQ69i0C+7
-----END CERTIFICATE REQUEST-----
How do I generate a CSR and private key?
The CSR and private key need to be generated on the server that the certificate will be used on. You can find instructions in your server documentation or use the instructions from one of these certificate authorities:
Comodo CSR Generation Instructions
GeoTrust RapidSSL CSR Generation Instructions
Thawte CSR Generation Instructions
DigiCert CSR Generation Instructions
How do I decode a CSR?
You can decode a CSR using our CSR decoder tool.
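Generating and decoding a CSR can also be done locally, so the private key never leaves the server. The following added example is not from the original FAQ or any CA's instructions; it assumes the third-party Python `cryptography` package, and the function names and subject values are constructed for illustration.

```python
import os
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import Encoding, NoEncryption, PrivateFormat
from cryptography.x509.oid import NameOID

# Constructed subject values for the CSR fields listed in the table above.
SUBJECT = [
    (NameOID.COUNTRY_NAME, "US"),
    (NameOID.STATE_OR_PROVINCE_NAME, "New York"),
    (NameOID.LOCALITY_NAME, "New York"),
    (NameOID.ORGANIZATION_NAME, "Example Org, Inc."),
    (NameOID.ORGANIZATIONAL_UNIT_NAME, "IT"),
    (NameOID.COMMON_NAME, "yourdomain.com"),
]

def generate_key_and_csr(subject=SUBJECT, bits=2048):
    """Create a new RSA key pair and a CSR signed with it; return both as PEM."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=bits)
    common_name = dict(subject)[NameOID.COMMON_NAME]
    csr = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(x509.Name([x509.NameAttribute(o, v) for o, v in subject]))
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(common_name)]), critical=False)
        .sign(key, hashes.SHA256())  # signing proves possession of the private key
    )
    key_pem = key.private_bytes(Encoding.PEM, PrivateFormat.PKCS8, NoEncryption())
    return key_pem, csr.public_bytes(Encoding.PEM)

def save_private_key(path, key_pem):
    """Write the key owner-readable only (0600); refuse to overwrite a file."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(key_pem)

def decode_csr(csr_pem):
    """Return the fields worth checking before the CSR is submitted."""
    csr = x509.load_pem_x509_csr(csr_pem)
    san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    return {
        "common_name": csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value,
        "dns_names": san.get_values_for_type(x509.DNSName),
        "key_bits": csr.public_key().key_size,
        "signature_valid": csr.is_signature_valid,
    }
```

Only the CSR PEM is submitted with the order; the key PEM stays on the server and is needed again when the issued certificate is installed.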
My web server type isn't listed in drop down for web server type, what should I select?
You can choose 'Other' from the drop down list. This item is purely for statistical reporting and will not affect certificate generation. You can select anything from the drop down and processing will be the same.
How do I validate the SSL certificate request?
After you submit the CSR for a domain-validation SSL, you'll be presented with a list of email addresses to send the approval email to. The email addresses include *@yourdomain.com email addresses such as admin@yourdomain.com and the admin contact email address listed in your domain name's WHOIS record.
How long does it take to get my certificate?
How long it takes for you to get your certificate depends on the type of certificate you are requesting. If you order a domain-validated certificate the certificate will be issued within a few minutes after you act on the approval email. If you order an organization-validated certificate, you may receive it within an hour to a few days after you submit all the documentation. If you order an extended validation certificate (EV), it may take several days to a few weeks for the validation to take place.
Validation
What is Domain Control Validation (DCV)?
Domain Validation SSL certificates such as Comodo PositiveSSL are the most basic type of SSL/TLS certificate, which only require proof of ownership over the domain(s) that you are requesting on the SSL certificate.
What are the different options to prove domain ownership?
Email Verification, DNS Record Verification and HTTP/HTTPS File Verification are different options to prove domain ownership.
How to perform domain validation through email?
To use this verification method, you will need to have access to any of the pre-approved email addresses listed below or any email address listed on the domain's public WHOIS directory.
admin@yourdomain.com
administrator@yourdomain.com
webmaster@yourdomain.com
hostmaster@yourdomain.com
postmaster@yourdomain.com
How can I perform domain validation through email if I don't have email service for my domain name?
If you don't have email service for your domain name, you can still perform domain validation through email. Instructions for this process are provided in the Control Panel after you place an order for your SSL certificate.
How can I perform domain validation through HTTP/HTTPS file?
To use this verification method you will need to create 2 new sub-folders on your public directory for every domain you are requesting and then place a unique file into the sub-folders. Access to your hosting control panel or your server will be required to make these changes.
How can I perform domain validation through DNS record?
To use this verification method, you will need to create a CNAME record or a TXT record and wait for it to propagate to the internet. If you use our DNS service, this process is automatic or greatly simplified for your convenience.
Installing a Certificate
What is a Private Key?
The Private Key is the most important aspect of your SSL certificate. It provides the ability to authenticate as well as encrypt data using your SSL certificate. The Private Key should be stored securely. The SSL certificate cannot be used without the Private Key so please make sure to not lose it.
What are the different formats for an SSL certificate?
SSL certificates come in various formats depending on the platform on which they are to be installed or used. The most common formats are PEM, PKCS#12 (*.pfx, *.p12) and PKCS#7 (*.p7b, *.p7s). You can use the SSL Converter tool to perform conversion between different formats.
What is an Intermediate certificate?
Any certificate in between your certificate and the root certificate is called a chain or intermediate certificate. These must be installed on the web server with the primary certificate so that users' browsers can link your certificate to a trusted authority.
How do I check if my certificate is installed correctly?
This is a common problem and is likely because you do not have the intermediate certificates installed on the server.
Why do I get a "Certificate not trusted" error message after installing the certificate?
This is a common problem and is likely because you do not have the intermediate certificates installed on the server.
Renew an SSL certificate
How soon can I renew an existing server certificate?
You can renew a certificate up to 30 days in advance of the certificate expiring. Please note that you will not lose any time when you renew.
When are renewal notices sent?
Renewal reminders are sent at 28, 21, 14, 7 days out from expiration.
Do I need to submit a new CSR when renewing the certificate?
Yes. You do need to generate a new CSR on your server and go through the validation process like you did for a new certificate order.
CAA Records
What is a CAA Record?
A CAA record is a type of DNS record that allows domain owners to specify which Certificate Authorities (CAs) are allowed to issue certificates for that domain. By default, every public CA is allowed to issue certificates for any domain name if they are able to validate the requester's ownership of the domain name. If a CA receives an order for a certificate for a domain with a CAA record and that CA isn't listed as an authorized issuer, they are prohibited from issuing the certificate to that domain or any subdomain.
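The check a CA performs can be sketched as follows. This added example is not part of the original FAQ: the DNS data is constructed, ca-one.example and ca-two.example are placeholder CA identifiers, and the wildcard (issuewild) and critical-flag handling go beyond the text above, following the CAA specification (RFC 8659).

```python
# Constructed DNS data: owner name -> CAA records as (flags, tag, value).
ZONE = {
    "yourdomain.com": [
        (0, "issue", "ca-one.example"),
        (0, "issuewild", ";"),  # ";" alone: no CA may issue wildcards
        (0, "iodef", "mailto:security@yourdomain.com"),
    ],
    "shop.yourdomain.com": [(0, "issue", "ca-two.example")],
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_rrset(name, zone):
    """Climb from `name` towards the root; the first CAA set found applies."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def may_issue(ca, name, zone=ZONE):
    """Would the CA identified by `ca` be permitted to issue for `name`?"""
    wildcard = name.startswith("*.")
    rrset = relevant_rrset(name[2:] if wildcard else name, zone)
    if not rrset:
        return True   # no CAA record anywhere: any public CA may issue
    if any(flags & 0x80 and tag.lower() not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False  # unknown property marked critical: refuse to issue
    tags = [tag.lower() for _, tag, _ in rrset]
    wanted = "issuewild" if wildcard and "issuewild" in tags else "issue"
    values = [v for _, tag, v in rrset if tag.lower() == wanted]
    if not values:
        return True   # the set carries no issuer restriction for this request
    issuers = {v.split(";", 1)[0].strip().lower() for v in values}
    return ca.lower() in issuers


if __name__ == "__main__":
    for ca, name in [("ca-one.example", "www.yourdomain.com"),
                     ("ca-two.example", "mail.yourdomain.com"),
                     ("ca-two.example", "shop.yourdomain.com"),
                     ("ca-one.example", "*.yourdomain.com")]:
        print(ca, name, may_issue(ca, name))
```

A subdomain with its own CAA set (shop.yourdomain.com here) replaces the parent's policy rather than adding to it.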
Should I set up a CAA record for my domain name?
Though you are not required to, we recommend setting one up to help defend against mis-issuance.
How can I set up a CAA DNS record?
The CAA Record resource has extensive details regarding CAA DNS records. Step-by-step instructions on adding a CAA record are provided in the Create CAA record tutorial.
Site Seals
What is a Site Seal?
Site Seals are highly identifiable visual indicators that come with SSL certificates to advertise the fact that a website is encrypted.
How many types of Site Seals are there?
There are two different types of Site Seals. There are static site seals and dynamic site seals. Static Seals are little more than small images that are placed on a page and indicate only that the site has been secured. Dynamic Site Seals are clickable, and when clicked on they display information about the company operating the website, and confirm to the visitor that the SSL certificate being used is valid and legitimate.
How can I install the Comodo PositiveSSL Site Seal on my website?
Installing a Site Seal is simple: if you have ever embedded a video or uploaded an image, you already have the technical skills to install a Site Seal. After obtaining your PositiveSSL certificate, you can obtain the code for the Site Seal from the PositiveSSL website and incorporate it into your website's code to display it.