Your most common SSL questions answered
Our Customer Experience team gets more than 150 inquiries per day. That's over 750 questions per week! Around 3,000 per month! Roughly 36,000 a year! Multiply that by the number of years we've been in business and…that's a lot of SSL answers! When it comes to SSL, we've seen and heard it all. We are true experts and our team has compiled an extensive list of the most common FAQ they get day-in and day-out. If you want to profit from SSL, these are the questions and answers you need to know to retain customers, encourage renewals, prevent cancellations and to be awesome. Know these and you'll be on your way to growing your SSL business.
General SSL Knowledge
SSL (Secure Sockets Layer) is a cybersecurity protocol that digitally encrypts information sent from a browser to a server. SSL certificates protect information you enter on a site, such as credit card details, usernames, passwords, and more. You can tell a website has an SSL certificate if the address starts with “https” and displays a padlock icon in the browser. Many websites also display a site seal from a reputable Certificate Authority (CA). SSL helps keep online shopping, banking, account logins, and overall internet browsing secure.
A Domain Validated (DV) SSL certificate is a quick and easy way to secure a domain, as the Certificate Authority (CA) issuing the certificate only requires proof of domain ownership. However, these certificates offer little in the way of SSL recognition, so they are recommended for websites where visitor trust is not of high importance, and information such as usernames, passwords, or credit card information is not required. These certificates can be issued in a matter of minutes.
An Organization Validated (OV) SSL certificate requires a business to complete a light vetting process with the Certificate Authority before issuance. OV certificates are a good middle-ground between DV and EV certificates. They are more affordable than EV certificates while offering more trust indicators than DV certificates. Issuance typically takes 2 - 3 business days.
An Extended Validation (EV) SSL certificate is the most premium type of SSL certificate. The organization is required to complete an extended validation process, which is why EV certificates are used by many of the most trusted sites in the world, such as Bank of America, PayPal, Meta, and more. Due to the extensive vetting process, EV certificates typically take 3 – 5 business days to be issued.
The main criteria to qualify for an EV certificate would be that your business is an official company registered with a recognized government authority. Sole proprietors and partnerships registered in the U.K. are not eligible for EV SSL certificates.
All major SSL brands, such as DigiCert, GeoTrust, RapidSSL, Sectigo, Comodo, and Thawte, offer coverage for both www and non-www domains on single-domain certificates. However, multi-domain certificates may require each domain you wish to secure to be added individually and do not automatically cover additional domain versions. Please contact our support team if you need any help selecting the best certificate for your needs!
Wildcard SSL certificates can cover one main domain name (*.domain.com) and an unlimited number of the first-level subdomains under it (examples: www.domain.com, mail.domain.com, login.domain.com, test.domain.com, etc.). The “*” (asterisk/star) character acts as a placeholder for any subdomain under the main domain.
Multi-domain or SAN (Subject Alternative Name) SSL certificates secure multiple domain names with a single certificate, making them a cost-effective alternative to purchasing separate SSLs for each domain. They simplify management by allowing one certificate to cover multiple sites or servers, with just one validation and expiration date to track.
Note: Wildcard domains cannot be added to a Multi-domain Certificate, only to Multi-domain Wildcard certificates.
Wildcard SSL certificates cover one main domain (www.domain.com) and an unlimited number of subdomains (mail.domain.com, login.domain.com, test.domain.com, etc.) without needing to specify the subdomains as the SAN domain. You are required to include an asterisk/star on the domain as the common name (*.domain.com).
Multi-domain (SAN) SSL certificates secure multiple domains under just one certificate. Unlike the Wildcard certificate, each domain or subdomain must be manually added to the SAN list. Most major brands, such as DigiCert and Sectigo, can cover up to 250 domains in one certificate, but the free number of domains that come with a purchased certificate will vary.
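The coverage rules above can be checked mechanically. The following is an added example, not code from this page or from any CA: it applies standard wildcard matching (the `*` stands in for exactly one left-most label) to three constructed name lists. The name lists and host names are sample values, and whether a CA adds the bare domain to a wildcard certificate as an extra name is not modeled.

```python
# Added example: which host names does a certificate's name list cover?
# All certificate names and host names below are constructed sample values.

def labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def name_matches(pattern, hostname):
    """True if one certificate name (exact or wildcard) covers hostname."""
    p, h = labels(pattern), labels(hostname)
    if len(p) != len(h):
        # A wildcard replaces exactly one label, so the label counts must
        # agree: *.domain.com covers neither domain.com nor a.b.domain.com.
        return False
    if p[0] == "*":
        # Honour the wildcard only as the whole left-most label, and only
        # above a registered name (conservative check: rejects "*.com").
        return len(p) > 2 and h[0] != "" and p[1:] == h[1:]
    return p == h


def covered(cert_names, hostnames):
    """Map each host name to the certificate name covering it, or None."""
    return {
        host: next((n for n in cert_names if name_matches(n, host)), None)
        for host in hostnames
    }


# Constructed name lists for the three certificate types discussed above.
WILDCARD_CERT = ["*.domain.com"]
MULTI_DOMAIN_CERT = ["www.domain.com", "domain.com", "shop.example.net"]
MULTI_DOMAIN_WILDCARD_CERT = ["*.domain.com", "domain.com", "www.example.net"]

HOSTS = [
    "www.domain.com",
    "mail.domain.com",
    "domain.com",          # bare domain: not matched by the wildcard itself
    "a.mail.domain.com",   # second-level subdomain: outside the wildcard
    "www.example.net",
]

if __name__ == "__main__":
    for title, names in (
        ("Wildcard", WILDCARD_CERT),
        ("Multi-domain (SAN)", MULTI_DOMAIN_CERT),
        ("Multi-domain wildcard", MULTI_DOMAIN_WILDCARD_CERT),
    ):
        print(title, names)
        for host, hit in covered(names, HOSTS).items():
            print(f"  {host:20} {'covered by ' + hit if hit else 'NOT covered'}")
```

Running the same check against your own list of host names before ordering shows whether a wildcard, a multi-domain, or a multi-domain wildcard certificate is the one that actually covers them.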
Key length refers to the strength of the private key used in encryption. You can think of it as the size of the cipher used to encode your data – larger key sizes generally provide stronger security. A minimum of 2048-bit encryption is required during certificate generation and is the current industry standard.
Note: Code signing certificates require a minimum key size of 3072 bits.
SHA stands for Signature Hashing Algorithm. It's a mathematical hash that proves the authenticity of the certificate. SHA-1 is an older version of the algorithm that industry experts and major browsers no longer consider secure, and the industry no longer allows it during the generation process. SHA-2 is the latest version and is widely accepted and viewed as secure by all major browsers and industry experts. The hashing algorithm of your CSR has no bearing on which hashing algorithm is used on the certificate.
Sole Proprietors outside of the U.K. can qualify for both OV and EV certificates. However, Sole Proprietors located in the United Kingdom or UK Partnerships cannot qualify for EV certificates, but are eligible for OV certificates, with additional documentation required.
A Certificate Authority (CA) is a trusted entity that issues SSL certificates. Companies like DigiCert and Sectigo are examples of CAs that are globally established. We are a recognized reseller of these CAs, which means that we are able to offer the exact certificate you would get from buying them directly, but at much lower prices. We are hooked up to the API of these CAs, which is how we are able to offer the exact same products. Because we buy in bulk, we are able to offer them at the significant discounts that you see. We also offer dedicated SSL support and can help walk you through the entire process, from purchasing to generation to issuance to installation and more.
Yes! All certificate brands and products we offer are included in the trusted “Root Store” or “Trust Store” used by major browsers and operating systems. Our SSL certificates are supported by 99.9% of web browsers (desktop and laptop), as well as iPhones and Android devices. Any brand available on our product list includes a trusted CA root.
An SSL certificate warranty covers any damages that you may incur as a result of a data breach or hack that was caused due to a flaw in the certificate. The warranties range in value, which means that the higher value certificates come with more extensive warranties.
Browser ubiquity or browser recognition basically means how many browsers recognize an SSL certificate and properly display the trust indicators. So, the higher the browser ubiquity of an SSL certificate, the more browsers that recognize and accept it.
As of September 2020, large browsers such as Google and Safari no longer trust SSL certificates with a validity longer than 398 days (1 year + 30-day renewal period). If you have purchased a multi-year certificate, you will need to re-generate it (at no cost to you) to add 1 more year validity.
Please note that the CA/Browser Forum unanimously approved Ballot SC-081v3 to accelerate certificate turnover and reduce risk from compromised keys. All publicly trusted SSL/TLS certificates remain subject to the CA/Browser Forum’s Baseline Requirements which mandate an ever-shorter maximum validity period starting March 15, 2026.
An intermediate certificate is a file that helps the web browser identify who issued your SSL certificate. It is not required, but it is HIGHLY recommended that you install it along with your server SSL certificate in order to have full compatibility with all browsers and mobile devices.
An intermediate certificate will be emailed to you along with your SSL certificate. In case you didn't receive the email with all the certificate files, you can download them from your account. Another option is to download the certificate from the vendor's website. This is also sometimes referred to as the "CA Bundle." It is also important to note that some certificates have multiple intermediate certificates.
Below are the links that you can use to download your intermediate certificate from the vendor websites:
You can use SSL for an internal domain only if it is an officially registered and publicly resolvable Fully Qualified Domain Name (FQDN). Certificates cannot be issued for internal, non-delegated, or unregistered domain names.
If your hosting platform or company tells you that you can only use one certificate file, then you can combine your server certificate with the intermediate file.
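One way to build that single file is shown below as an added example, not a tool from this page: it puts the server certificate first, appends every intermediate, and repairs the usual copy-and-paste damage (Windows line endings, a missing final newline that glues two blocks together). The function names are hypothetical and the certificate bodies are constructed placeholders, not real certificates; refusing private-key blocks is an assumption that suits a file holding certificates only.

```python
# Added example: combine a server certificate and its intermediate(s)
# into one PEM file. Sample certificate bodies are constructed placeholders.
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def pem_blocks(text):
    """Return [(label, base64_body)] for every PEM block found in text."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        compact = "".join(body.split())           # drop CR/LF and spaces
        base64.b64decode(compact, validate=True)  # raises if body is damaged
        blocks.append((label, compact))
    return blocks


def build_bundle(server_pem, intermediate_pems):
    """Return one PEM text: server certificate first, then intermediates."""
    leaf = pem_blocks(server_pem)
    if len(leaf) != 1 or leaf[0][0] != "CERTIFICATE":
        # Also catches a private key pasted into the certificate file.
        raise ValueError("server file must hold exactly one CERTIFICATE block")
    chain = list(leaf)
    for pem in intermediate_pems:
        for label, body in pem_blocks(pem):
            if label != "CERTIFICATE":
                raise ValueError(f"unexpected {label} block in intermediate file")
            chain.append((label, body))
    if len(chain) < 2:
        raise ValueError("no intermediate certificate supplied")
    out = []
    for label, body in chain:
        lines = [body[i:i + 64] for i in range(0, len(body), 64)]
        out.append("\n".join(
            [f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"]) + "\n")
    return "".join(out)


def sample_pem(text, label="CERTIFICATE"):
    """Constructed placeholder block: CRLF line endings, no final newline."""
    body = base64.b64encode(text.encode() * 4).decode()
    return f"-----BEGIN {label}-----\r\n{body}\r\n-----END {label}-----"


SERVER_PEM = sample_pem("constructed server certificate ")
# Two intermediates pasted back to back with no newline between them.
INTERMEDIATE_PEM = (sample_pem("constructed intermediate 1 ")
                    + sample_pem("constructed intermediate 2 "))

if __name__ == "__main__":
    print(build_bundle(SERVER_PEM, [INTERMEDIATE_PEM]))
```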
UC stands for Unified Communications and is a newer type of SSL certificate that is designed and primarily used for securing Microsoft Exchange 2007 and Microsoft Office Communications Server 2007 products. The main difference between a UCC SSL and a standard Multi-Domain certificate is that a UCC can secure both internal network names and external domain names as well.
A Multi-Domain Wildcard SSL certificate combines the features of both Wildcard and Multi-domain certificates. It allows you to include wildcard entries for some domains and single/individual domains for others, all within a single certificate. This hybrid certificate is ideal if you need broad wildcard coverage across multiple domains and want to list specific domains, managing everything under one certificate and renewal cycle.
Order Processing
When you generate your Certificate Signing Request (CSR) to process your SSL certificate, a Private Key is created on your server at the same time. This private key should never be shared publicly, as it functions like a password and is required to install the SSL certificate once it is issued. Be sure to keep track of where the private key is stored on your server or computer. If your hosting provider needs the private key to install the SSL certificate on your behalf, it is safe to share it directly with them.
If you're in a pinch and need your certificate fast, feel free to contact your SSL provider with the exact order you need expedited. They have connections with the Certificate Authorities (CAs) directly and can help make sure your urgent order is treated with top priority.
If you are unsure what your Control Panel/Server OS is, we recommend that you ask your web hosting provider or your IT department.
Yes. You can switch your domain control validation (DCV) method between Email, File-based authentication, and DNS for all SSL products we offer.
Wildcard SSL certificates are the only exception, as they do not support File-based validation. For Wildcard certificates, you may choose either Email or DNS validation.
For DNS validation, DigiCert brands require adding a TXT record, while Sectigo brands require adding a CNAME record.
Validation/Authentication
You do not need to provide any documentation in order to have a Domain Validated (DV) issued certificate. All you need to do is confirm that you have control over the domain you wish to be secured through either one of the domain control validation options such as email, file-based authentication, or adding a DNS record on your domain.
Organization Validated (OV) verification requires checking your business registration. If the Certificate Authority (CA) can verify this information using online government databases, no additional documents will be required. However, if the online filings are not available or inaccurate or not up to date, the CA may request additional official government registration documents, which vary on a case-by-case basis. A Dun & Bradstreet listing can usually satisfy most of the requirements for an OV certificate.
For the full step-by-step guide to Organization Validation, you can check our Knowledge Base article here: https://www.thesslstore.com/knowledgebase/ssl-validation/ov-ssl-validation-made-simple/
EV certificates require a more stringent verification process than OV certificates. To understand the basis of this procedure, please refer to the above question about OV certificate verification. Please note that EV certificates require you to complete a few extra steps, including proving both physical and operational existence as well as completing a simple telephone call with the Certificate Authority (CA) directly.
For the full step-by-step guide to completing Extended Validation, you can check our Knowledge Base article here: https://www.thesslstore.com/knowledgebase/ssl-validation/ev-ssl-validation-made-simple/
First, verify that the email address selected for Domain Control Validation is correct. Please note that this email address may be different from the contact information provided during the certificate generation process. If you need to change your DCV email, you can contact your hosting provider or domain registrant to select one of the below five pre-approved alias email addresses:
Be sure to check your spam or junk mail folder. Due to the CA/B Forum updates, sending domain validation emails to a WHOIS email address is no longer possible, even if the WHOIS record is public.
If the common name/domain name needs to be changed, the only way to complete this action is by cancelling and re-purchasing the certificate.
Please upload your file to the correct directory on your server. To ensure the authorization is successful, make sure the file is publicly accessible at both yourdomain.com/filepath and subdomain.yourdomain.com/filepath.
For the step-by-step guide to completing the File Verification, you can check our Knowledge Base article here: https://www.thesslstore.com/knowledgebase/ssl-validation/how-to-complete-http-https-file-verification/
Please contact your SSL provider and confirm what source the Certificate Authority (CA) pulled the telephone number from and then seek the proper method of updating that number or creating a new listing. Your provider should be able to advise you on how to create an appropriate listing.
This largely depends on the type of certificate that you purchased and your response times. No matter which type of certificate that you purchase, the Certificate Authority (CA) will be contacting you directly and will only proceed with next steps upon your response. For Domain Validated (DV) certificates, these can typically be issued in a matter of minutes to one business day. For Organization Validated (OV) certificates, these tend to take around 2-3 business days to be issued. And for Extended Validation (EV) certificates, these usually take between 3-5 business days to be issued.
After completing validation, the Certificate Authority (CA) will send the certificate to the email address you provided as your technical contact. You can also download the files directly from your account from the order details page.
No. On 14th of December 2024, the CA/B Forum decided to phase out WHOIS-based methods of domain ownership validation after months of discussion. As a result, WHOIS will no longer be an option for validating domains, and any certificate being renewed, reissued, or purchased will have to be validated using the remaining domain validation options (Email, File, or DNS).
If you still have access to the email address used to create your account, you can use the automated password recovery system.
If you no longer have access to that email address, please contact our support team by sending an email from the account’s administrative email address. Include the following information in your message:
The easiest way is to create a new CSR on the new machine and have the certificate re-issued.
CSR Generation
CSR stands for Certificate Signing Request, and it’s a file that you or your server create to apply for an SSL certificate. A CSR contains important information such as your domain name, company name (if applicable), and your public encryption key. This file is sent to a Certificate Authority (CA), which uses the information to verify your request and issue an SSL certificate for your website.
Think of it like filling out an application form for your website's digital ID: once approved, it allows your site to use HTTPS and secure the connection between you and your visitors.
You can refer to our KnowledgeBase for CSR generation guides specific to your server type, operating system, or control panel. If you do not see instructions for your setup, we recommend contacting your hosting provider or system administrator for assistance.
It is impossible to edit any fields once the CSR has been created. You will simply need to generate a new CSR with the correct details.
If this happens, your common name is not appropriately formatted for your type of certificate (wildcard certificates should use *.domain.com, for example) or you could also have disallowed characters in other fields. Please create a new CSR that only uses the English alphabet and numbers 0-9. For example, if the "&" symbol is included in your Organization Name, please type out "and" instead.
This is because it is missing one or more required fields or the CSR contains non-alphanumeric characters in the required fields.
Certificate Management
You can add additional domains to an active certificate by reissuing it.
Once a common name is submitted during the enrollment process, it cannot be edited or changed. Since we have our refund policy in place, you can cancel your order and re-purchase the same certificate to re-do the enrollment process using the correct common name you need.
First, check your backups to see if you can re-install the private key. If you don't know how to re-install the key from your backups, contact your systems administrator. Failing that, contact your web server software vendor for technical support. The only alternative course of action available is a re-issuance of the certificate following the re-submission of a replacement CSR.
If you have the original private key on the active certificate, you can install it on the new server or provide it to your new web host. If you do not have the original private key, you will have to reissue your certificate with a new CSR.
Installation
After completing validation, the Certificate Authority (CA) will send the certificate to the email address you provided as your technical contact. Should you not receive it, you can download the certificate directly from your account. Make sure you are logged in, then follow the steps below:
If you are unsuccessful and you cannot locate the Download Certificate button, please contact support for further assistance.
First, check your certificate license. There are two methods to install your certificate on multiple servers. The first method is to import the certificate, private key, and intermediate files on server #2, #3, etc. Or, create a new CSR and key file on server #2, #3, etc. and reissue the active certificate.
No, you do not need a dedicated or static IP address to use a standard SSL certificate today. While a dedicated IP address was historically required, modern technology, specifically Server Name Indication (SNI), has completely removed this limitation. As long as your web server is running a modern operating system and software, you can install and use an SSL certificate on a shared or dynamic IP address using SNI.
There are many reasons why this could be happening, some of which could be entirely unrelated to your certificate. We cannot give specific advice. We would recommend clicking on the "Details" button to get more specific information about this error from the browser.
This happens when the URL in the browser and the common name registered on the certificate are not an EXACT match. For instance, the “www” is missing on the certificate, or the specific subdomain is not covered on the certificate. For specific reasons, you can contact us so we can check it out for you.
The message “Untrusted” on your SSL certificate means the browser cannot verify the certificate's authenticity, usually because the full chain of trust is broken or incomplete.
Here are the three most common reasons for this:
You can use the SSL checker tool to test whether or not your SSL certificate has been installed properly. The link is: https://www.thesslstore.com/ssltools/ssl-checker.php.
Renewals
You renew your SSL certificate by purchasing a new certificate as usual. “Renewal” is simply an industry term that is used by providers. It does not mean “extending” the validity of your current certificate. If you intend to renew 30 days before the expiration of your certificate, locate the “Renew Certificate” option in your order details to make sure that your remaining time gets rolled over to your new certificate.
We recommend that you generate a new CSR to renew your certificate; however, if generating a new CSR proves to be challenging, you can use the original CSR and it will work. The drawback of using the original CSR is that it will be the exact same private key, so it's a little less secure.
Depending on the details you submitted upon renewing your certificate, the Certificate Authority (CA) may be able to use previously validated information/documents. If any details of your organization change, you may be required to provide additional documents. Either way, your order will still be checked and validated. For specific information regarding your order and its status, it is best to reach out to our support directly.
It’s likely that you have not completed the enrollment process and have not generated your order. Paying for a renewal does not automatically extend your current certificate. Just as when you first purchased with us, the renewal process involves going through the enrollment and validation process again. Once the new certificate is issued, you’ll need to install it again to update the validity of your certificate and keep your website secure.
A Code Signing Certificate is a form of digital security that acts like a digital ID or a tamper-proof seal for software. The certificate creates a unique, encrypted fingerprint (digital signature) for the file. It contains verified information about the software publisher, whether it is a company/business or an individual. Because of that, it can give users confidence that the software they are downloading is safe and legitimate. All major operating systems such as Windows, Apple OS X, and Linux support and rely on code signing to help protect users from malicious software.
The generation process will depend on the certificate delivery method that you choose. As of today, in compliance with the CA/B Forum requirements, there are three (3) options:
You will need to create a Certificate Signing Request (CSR) with Key and Attestation if you decide to use your own HSM or KMS. A CSR is not required when the Certificate Authority provides a pre-configured USB token.
The download process for your Code Signing Certificate depends on where you generated the Certificate Signing Request (CSR). If the private key was generated on your HSM (Hardware Security Module) or cloud-based KMS (Key Management Services), you will use a dedicated manager application to securely fetch and install the certificate. If the certificate is delivered on a provisioned USB token from the Certificate Authority (CA), you will use your browser or a specific utility provided by the CA, which you need to download, and complete the process from there. The CA will send you an email with the necessary link and instructions for your chosen method.
It is not possible anymore to export a Code Signing certificate from your browser in compliance with the latest industry standards. As of June 1, 2023, the CA/Browser Forum mandates that all private keys for both Standard and EV Code Signing Certificates must be generated, stored, and used within a FIPS 140-2 Level 2 (or higher) compliant hardware crypto module (a token, HSM, or cloud key vault).
Platforms are used by developers to sign their applications using specific tools. Since each platform is different, please reference official instructions for your particular platform. The most common platforms are Microsoft, Java, Adobe, etc.
Following the CA/Browser Forum mandates that began in 2023, all code signing certificates such as Standard (OV) and Extended Validation (EV) must be delivered and stored on certified hardware. There are three primary delivery methods available for Code Signing Certificates:
Once the vendor validates your order and the certificate gets issued, you will receive a delivery confirmation email with a tracking number. You can use this information to monitor the shipment and estimated delivery date.
If your token appears to be defective or damaged, first contact the Certificate Authority’s technical support team to determine whether the issue can be resolved.
If the problem persists, please reach out to our support team, and we will assist you with the next steps, including placing a replacement order if necessary.
Subscription Products
Yes, you can cancel your subscription at any time. Simply visit your Order Details page to cancel. Once cancelled, you will not be charged again. Your subscription will remain active until the end of the current paid period.
Yes. Your subscription renews automatically on a monthly or yearly basis, depending on the plan you selected. The renewal charge will be billed to the credit card on file unless you cancel before the renewal date.
We don’t provide refunds for your subscription products. Once cancelled, it will be valid until the end of the current paid period. If you experience any issues with the product, please contact our support team and we will be happy to help.