SSL Certificates FAQ

Can I secure multiple sub domains with a single Certificate?

An SSL certificate is issued to a fully qualified domain name (FQDN). This means that an SSL certificate issued to "secure.RapidSSL.com" cannot be used on different sub domains, such as "www.RapidSSL.com". To get around this restriction we have available RapidSSL Wildcard Certificates. Wildcard Certificates allow you to secure multiple sub domains on the same domain name, thereby saving you time and money, and of course you do not need to manage multiple certificates on the same server.

So with a single certificate issued to *.name-of-site.com you could protect:

  • www.name-of-site.com
  • secure.name-of-site.com
  • etc.name-of-site.com

For more details, see our Wildcard offerings, or view our Professional Level products for single root, highly credible Wildcard solutions.
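An added example (not RapidSSL.com's own code) of how a client decides whether a certificate name covers a hostname, using the rule that "*" stands for exactly one left-most label. The function names and the sample hostnames beyond those listed above are constructed for illustration; note that the bare domain and deeper sub domains are not covered by the wildcard.

```python
# Added illustration: wildcard certificate name matching (left-most label only).
# Function names and sample hostnames are constructed for this example.

def labels(name):
    """Split a DNS name into lower-cased labels, ignoring a trailing root dot."""
    return name.rstrip(".").lower().split(".")


def wildcard_covers(cert_name, hostname):
    """Return True if a certificate issued to cert_name is valid for hostname."""
    pattern, host = labels(cert_name), labels(hostname)
    if "" in pattern or "" in host:
        return False                  # empty label: malformed name
    if any("*" in label for label in pattern[1:]):
        return False                  # wildcard is only accepted in the left-most label
    if "*" not in pattern[0]:
        return pattern == host        # ordinary FQDN certificate: exact match only
    if pattern[0] != "*" or len(pattern) < 3:
        # Simplification: partial wildcards ("w*.x.com") and over-broad
        # names ("*.com") are rejected outright.
        return False
    # "*" replaces exactly one label, so both names need the same label count.
    return len(host) == len(pattern) and host[1:] == pattern[1:]


def coverage(cert_name, hostnames):
    """Map each hostname to whether cert_name covers it."""
    return {h: wildcard_covers(cert_name, h) for h in hostnames}


# Constructed sample hostnames.
SAMPLE_HOSTS = [
    "www.name-of-site.com",       # covered
    "secure.name-of-site.com",    # covered
    "WWW.Name-Of-Site.com",       # covered: DNS names are case-insensitive
    "name-of-site.com",           # not covered: the bare domain has no sub domain label
    "a.b.name-of-site.com",       # not covered: two labels where "*" allows one
    "www.other-site.com",         # not covered: different domain
]

if __name__ == "__main__":
    for host, ok in coverage("*.name-of-site.com", SAMPLE_HOSTS).items():
        print(f"{host:28} {'covered' if ok else 'NOT covered'}")
```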


Can I see which Certification Authorities have their own Trusted CA root present in browsers?

Yes. Your browser contains a Trusted CA root certificate store. You can access this by opening Internet Explorer, then go to Tools, select Internet Options, select the Content tab, click Certificates, and select the Trusted Root Certification Authorities tab. You will then see a dialog box listing all Certification Authorities who own their own Trusted CA roots (you can examine a root certificate by double-clicking it).



GeoTrust owns the Equifax root (Equifax Digital Certificate services became GeoTrust in 2001).

RapidSSL.com's RapidSSL product owns its own root. RapidSSL.com uses a different Equifax root.


What is the Warranty?

We value our customers, so we provide a $10,000 warranty on our RapidSSL and RapidSSL Wildcard certificates. The warranty protects the end user if we mis-issue a certificate.

It is worth noting that other SSL Providers use warranty as a means of adding perceived value to their offerings, and as such will offer the same certificate with higher warranties and then charge more for the certificate! We want to make it clear that warranty has not been collected on any SSL Certificate, ever! The inclusion of a $10,000 warranty on RapidSSL makes RapidSSL.com the lowest cost provider of highly trusted, fully warranted SSL certificates!


Do I need warranty?

The warranty level is the financial protection awarded to end customers against the CA misissuing an SSL Certificate. If a customer relies on the information within a misissued SSL Certificate and suffers financial loss as a direct result of relying on the certificate, the CA will hold insurance to cover claims made by the customer against the CA. Effectively, the warranty is the insurance taken out by the CA to protect itself in the event it makes a mistake. Symantec offers a more advanced insurance policy in that it will also provide insurance against a compromise of a private key or loss of certificate - but such insurance comes at a price.


Do I require a single root or intermediate SSL certificate?

Most SSL certificates are issued by CAs who own and use their own Trusted Root CA certificates, such as those issued by GeoTrust and RapidSSL.com. As GeoTrust and RapidSSL.com are known to browser vendors as trusted issuing authorities, their Trusted Root CA certificates have already been added to all popular browsers, and hence are already trusted. These SSL certificates are known as "single root" SSL certificates. RapidSSL.com, a subsidiary of GeoTrust, owns the Equifax roots used to issue its certificates.

Some Certification Authorities do not have a Trusted Root CA certificate present in browsers, or do not use the root they do own, and use a "chained root" in order for their SSL certificates to be trusted. Essentially, a CA with a Trusted Root CA certificate issues a "chained" certificate which "inherits" the browser recognition of the Trusted Root CA. These SSL certificates are known as "chained root" SSL certificates.

For a Certification Authority to have and use its own Trusted Root CA certificate already present in browsers is a clear sign that it is a long-standing, stable and credible organization with long-term relationships with the browser vendors (such as Microsoft and Netscape) for the inclusion of its Trusted Root CA certificates. For this reason, such CAs are seen as being considerably more credible and stable than chained root certificate providers who do not have a direct relationship with the browser vendors, or do not use their own root certificates to issue SSL certificates.

Installation of chained root certificates is more complex, and some web servers are not compatible with chained root certificates.


How credible and stable is the CA issuing the SSL certificate?

Clearly for any SSL certificate to be taken seriously, it is important to ensure that the CA issuing the SSL certificate is well established and credible. The best way of determining the credibility of a CA is by simply establishing whether the CA in question owns its own trusted root i.e. does the CA own a root that is already present in all popular browsers?

You can examine trusted root ownership by double clicking the padlock seen in the browser during an SSL connection with a webserver. When the SSL Certificate appears, simply click the "Certification Path" tab to see which trusted root CA certificate issued the SSL certificate.

It is also possible to see the trusted roots referenced in a browser e.g. for IE6, go to "Tools", "Internet Options" and select "Content", "Certificates" and then the tab "Trusted Root Certification Authorities".



GeoTrust owns the Equifax root (Equifax Digital Certificate services became GeoTrust in 2001).

RapidSSL.com's RapidSSL and RapidSSL Wildcard products own their own root.

Business stability is also an essential component when selecting any supplier. Whilst we do not examine financial stability of each CA in detail in this white paper, enterprise class accounts are advised to conduct their own due diligence into each CA, as well as examine the root CA certificate ownership.

When selecting a CA, always therefore consider the long term stability of the CA, especially if a longer term enterprise solution is required.

If the CA relies on an intermediate certificate - consider the long-term stability of the CA supplying the intermediate, and obviously the stability of the supplier relationship between the two CAs.

Clearly it is very advisable to ensure the integrity of the CA and to establish which CA is issuing the SSL certificate to be used.


How likely is a misissuance?

It is highly unlikely that a WebTrust compliant CA will misissue a certificate. All WebTrust compliant CAs have passed certification to ensure that procedures and policies are in place that make misissuance improbable. For this reason, many WebTrust compliant CAs do not offer a warranty at all.

Some CAs will offer the warranty as a means of adding perceived value to their SSL certificates.


How long are your SSL certificates valid for?

RapidSSL certificates are valid for 1 to 5 years.
FreeSSL certificates are valid for 30 days.
Our Professional Level Certificates from GeoTrust are available for up to 6 years.

When your SSL certificate expires and you wish to renew with us, we will give you instructions on how to renew with us.


How long does it take to issue my Certificate?

If you need an SSL certificate right away, you have options. If you can wait 3-5 days, you can get certificates from established vendors that use slow traditional validation methods. However, immediate issuance certificates use alternate validation methods. Please review our information on validation to familiarize yourself with standard methods and question your vendors when in doubt.

RapidSSL and FreeSSL are issued immediately.


I cannot remember or have lost my login details.

If you still have the order number, you can use the automated password reminder system. If not, an email must be sent from the administrative email address on the account to support@TheSSLStore.com, including the original domain name the certificate was purchased for, or the original order number.



I have accidentally deleted my "private key" what can I do now?

First check your backups and see if you can re-install the "private key". If you don't know how to re-install the key from your backups, contact your systems administrator. Failing that, contact your web server software vendor for technical support. The only alternative course of action available is a re-issuance of the certificate following the re-submitting of a replacement CSR.


I have changed my server, or moved to a different provider; how do I move the certificate?

The easiest way is to create a new CSR on the new machine and have the certificate re-issued.


Is technical support available from the CA should I need it?

Installing an SSL certificate can sometimes be tricky - you will need to first generate a CSR and then install your issued certificate. For this reason it is essential that the CA provides sufficient and timely support.

All CAs provide some level of support, even if it is only email and web based. Most issues can easily be solved using the expansive online resources and knowledge bases provided by the CA. However, should an issue arise, it is highly recommended that there is access to technical support staff, therefore make sure the CA clearly publishes a technical support telephone number. Also, be aware that some CAs charge extra for telephone support.


Is there a limit to the number of certificates I can order?

We do not limit the number of RapidSSL or RapidSSL Wildcard certificates that can be ordered. Go ahead and get as many as you need!

We limit one FreeSSL certificate to a domain name - FreeSSL is only a test certificate designed to help you test your system and evaluate using RapidSSL.com for your production certificates.


The CSR cannot be decoded?

This is because it is missing one or more required fields or the CSR contains non-alphanumeric characters in the required fields.


What browser recognition is required?

Browser recognition or ubiquity is the term used in the industry to describe the estimated percentage of Internet users that will inherently trust an SSL certificate.

Certification Authorities who own their own roots have what are known as Root CA Certificates. These root CA certificates are added into releases of all the major browsers such as Internet Explorer, Netscape, Opera, etc. by the browser vendor (such as Microsoft). When a browser is used, it automatically relies on a "list" of root CA certificates that the browser vendor has deemed trustworthy. If an SSL certificate is issued by one of the trusted root CAs, then the browser will inherently trust the SSL certificate and the gold padlock will appear transparently during secure sessions.

The browser stores the CA roots that can be trusted; therefore, if a browser encounters a website using an SSL certificate issued by a CA root it does not trust, the browser will display warning messages to the website visitor. The lower the browser ubiquity, the fewer people will trust a certificate - clearly, a commercial site will require as many people as possible to trust an SSL certificate.

The general rule is that any SSL certificate with over 95% browser ubiquity is acceptable for a commercial site.

As with any form of statistics, browser ubiquity is open to interpretation; hence in the Appendix, the table does not place a great deal of validity in presenting browser recognition "percentages", instead it simply concludes whether an SSL Certificate is acceptable for commercial sites.


What budget do I have for my certificate?

Certificates range dramatically in price from one CA to another. The highest prices are 40 times the lowest prices!

This white paper has examined numerous points of consideration in determining which SSL certificate to purchase.

The correct choice of SSL certificate is principally dependent on the application type and on whether there is a need for a well known brand of SSL that has been issued from a highly trusted and credible CA.

There are however significant savings available for websites conducting low volume / low value transactions. Some SSL certificate types are perfect for development environments, whilst other certificate types suit professional requirements. Buyers are therefore urged to carefully consider their choice of CA before purchasing.


What certificate strength is required?

Generally there are two strengths of certificate in existence - 40 bit & 128 bit. 256 bit is now also available but requires a combination of the use of specific browsers (currently Firefox) and a specific web server (currently Apache). All RapidSSL.com and GeoTrust certificates support 256 bit encryption.

The bit size indicates the length of the key used for the encryption during a secure SSL session. Hovering the mouse over the gold padlock will detail the current strength of encryption being used.




What do I need to consider when purchasing an SSL certificate?

The following 10 considerations must be taken into account before deciding which CA and which type of SSL certificate to purchase. Each point will be discussed in more detail on this page.
