SSL Certificate Order and Issuance Problems

Every SSL Certificate order now passes through a series of automated checks before the SSL Certificate is issued. These include Domain Control Validation (DCV), Certification Authority Authorization (CAA) checks, and Multi-Perspective Issuance Corroboration (MPIC) confirmation from several locations around the world. Most orders complete these checks without any problem.

Occasionally an order does not complete as expected. The reason may lie with your own Domain Name System (DNS) configuration, or it may be caused by a temporary problem within the validation systems operated by the Certificate Authority (CA). This page explains how to tell the difference and what to do in each case.

Reasons an SSL Certificate Order May Fail to Process

The number of checks required to issue a publicly trusted SSL Certificate has grown significantly. Each check is a point where a problem can occur, and every one of them must succeed before the SSL Certificate is issued.

Most order failures come from the way a domain is configured rather than from any fault at the Certificate Authority (CA). A frequent cause is a Domain Name System (DNS) server that cannot be reached from every region. Geographic restrictions and firewall rules are common culprits.

This happens because Multi-Perspective Issuance Corroboration (MPIC) requires the Certificate Authority (CA) to confirm each check from several locations at the same time. If the Domain Name System (DNS) cannot be reached from all of them, the check fails even when the records themselves are correct. Learn About Multi-Perspective Validation 🔗

The same is true of Certification Authority Authorization (CAA) records. A Certification Authority Authorization (CAA) lookup is performed for every SSL Certificate request, whether or not any records exist, so the Domain Name System (DNS) must answer that lookup reliably from anywhere in the world. Learn About Certification Authority Authorization (CAA) Records 🔗

Orders That Stall After Successful Checks

A different situation can occur when the checks appear to have passed but the order still does not progress. This is not a configuration problem on your side. It usually points to a temporary fault within the systems operated by the Certificate Authority (CA).

A typical example is an order where Domain Control Validation (DCV) has completed and the tracking system records it as successful. The Certification Authority Authorization (CAA) stage, however, shows as unsuccessful or simply does not move forward.

When you use the retry option, the system may return an unexpected error. It can read along the lines of the order not being in a status where the Certification Authority Authorization (CAA) check needs to be performed. That message is a sign that the order has stalled at the Certificate Authority (CA), not a problem you can fix.

Important : An error stating that the order is not in a status for the Certification Authority Authorization (CAA) check to run usually indicates a stalled order at the Certificate Authority (CA). Please contact Trustico® so the problem can be investigated.

The Certificate Authority (CA) applies an automatic policy that retries the last failed action on its own. In most cases this clears the stall and the order continues, although the retry can take up to 24 hours to run.

The delay is inconvenient, and Trustico® understands that waiting is not ideal. If you would rather not wait, or if the order has not cleared after that period, please get in touch so the matter can be raised directly with the Certificate Authority (CA).

Using the Retry Options in the Tracking System

The Trustico® tracking system gives you direct control over the checks that apply to your order. Where a check has timed out or returned a temporary error, you can ask the Certificate Authority (CA) to run it again from within the tracking system.

Retrying is the right first step for a Domain Name System (DNS) or Certification Authority Authorization (CAA) check that failed because of a brief timeout or a change you have since corrected. Manage Your SSL Certificate Orders 🔗

There is an important distinction to make. If the retry runs successfully but the check still fails, the Domain Control Validation (DCV) record itself is most likely incorrect. That is not a matter for the Certificate Authority (CA) to investigate, because the records simply need to be entered correctly.

To confirm that a record is present and correct, third-party checking tools can help, and Trustico® provides its own set of tools for this purpose. Use Our SSL Certificate Tools 🔗

Tip : Keep your Domain Control Validation (DCV) records and validation files in place until the SSL Certificate has been fully issued. Removing them too early can cause a later check to fail.

If a retry itself produces an error, or the order behaves in a way that does not match any of the situations above, that is the point to ask Trustico® for help.

Accessing the Certificate Authority Portal Directly

The tracking system also includes an option that opens the validation portal operated by the Certificate Authority (CA). Most of the actions you can take there are already available within the Trustico® tracking system, which presents more detail and a wider range of options.

The portal operated by the Certificate Authority (CA) is there as a secondary option for anyone who prefers to work with it directly. It can also be useful for confirming the current status of an order whenever an error message or an outstanding requirement is unclear.

The portal is also where documentation requirements are shown for orders that need identity checks. If you are placing an Organization Validation (OV) or Extended Validation (EV) order and you are unsure what the Certificate Authority (CA) still needs, that information can be reviewed there.

Detailed guidance on what the Certificate Authority (CA) requires for a business-verified order is available on the Trustico® website. Explore the Organization Validation (OV) Guide 🔗

The requirements for the highest level of business validation are covered separately. Explore the Extended Validation (EV) Guide 🔗

Requesting Assistance From Trustico®

When an order shows the signs of a stall at the Certificate Authority (CA), or when a retry produces an error that you cannot resolve, Trustico® is here to help. Send an e-mail or a message through the contact page, describing the order and what you have seen.

Trustico® will then raise the problem with the Certificate Authority (CA) on your behalf and ask for the stalled order to be investigated and put right.

Contact Trustico®

These validation systems are operated by the Certificate Authority (CA) rather than by Trustico® and are outside our direct control. As the number of checks has grown, occasional problems of this kind have appeared while the systems are refined.

Trustico® reports each occurrence to the Certificate Authority (CA) so that the process continues to improve. In the meantime, if anything about your order looks wrong, please raise it with us and we will make sure it is resolved.

Most Popular Questions

Frequently asked questions covering SSL Certificate order processing problems, stalled issuance, retry options, the Certificate Authority portal, and requesting assistance from Trustico®

Reasons an SSL Certificate Order May Fail to Process

Issuing an SSL Certificate now involves several automated checks, and each one is a point where a problem can occur. Most failures come from the way a domain is configured, such as a Domain Name System (DNS) server that cannot be reached from every region because of geographic restrictions or firewall rules. A smaller number are caused by temporary faults within the systems operated by the Certificate Authority (CA).

Orders That Stall After Successful Validation Checks

Sometimes the checks appear to pass but the order still does not progress, which is not a configuration problem on your side. A common pattern is Domain Control Validation (DCV) completing and showing as successful while the Certification Authority Authorization (CAA) stage stalls or shows as unsuccessful. This usually points to a temporary fault at the Certificate Authority (CA).

Understanding a Stalled Certification Authority Authorization (CAA) Check

An error stating that the order is not in a status where the Certification Authority Authorization (CAA) check needs to run is a sign that the order has stalled at the Certificate Authority (CA). It is not something you can correct through your own configuration. Please contact Trustico® so the stalled order can be investigated.

Automatic Retry Policy at the Certificate Authority

The Certificate Authority (CA) applies a policy that automatically retries the last failed action on its own. In most cases this clears a stalled order without any further action, although the retry can take up to 24 hours to run. If you would rather not wait, or the order has not cleared after that period, please get in touch.

Using the Retry Options in the Tracking System

The Trustico® tracking system lets you ask the Certificate Authority (CA) to run a check again when it has timed out or returned a temporary error. Retrying is the right first step for a Domain Name System (DNS) or Certification Authority Authorization (CAA) check that failed briefly or that you have since corrected. If the retry itself produces an error, that is the point to ask Trustico® for help.

Retry Succeeds but the Check Still Fails

If a retry runs successfully but the check still fails, the Domain Control Validation (DCV) record itself is most likely incorrect. That is not a matter for the Certificate Authority (CA) to investigate, because the records simply need to be entered correctly. Third-party tools and the tools provided by Trustico® can help you confirm that a record is present and correct.

Accessing the Certificate Authority Portal Directly

The tracking system includes an option that opens the validation portal operated by the Certificate Authority (CA). Most of those actions are already available within the Trustico® tracking system, which presents more detail and more options, so the portal is a secondary choice. It is useful for checking order status directly and for reviewing outstanding documentation requirements.

Documentation Requirements for Organization Validation (OV) and Extended Validation (EV) Orders

When an Organization Validation (OV) or Extended Validation (EV) order needs identity checks, the required documentation can be reviewed in the portal operated by the Certificate Authority (CA). Detailed guidance is also available on the Trustico® website. Checking the requirements directly is the fastest way to confirm what is still outstanding.

Requesting Assistance From Trustico®

If an order shows the signs of a stall, or a retry produces an error you cannot resolve, send an e-mail or a message through the contact page describing the order and what you have seen. Trustico® will then raise the problem with the Certificate Authority (CA) on your behalf and follow it through until it is put right.

Ask Trustico® Assistant

For Instant Answers - Start Here When You Have a Question or Need Help

SSL Certificates and Front-of-Site Services Like Cloudflare

SSL Certificates and Front-of-Site Services Lik...

Learn how front-of-site services like Cloudflare affect which SSL Certificate visitors see and how to apply your purchased SSL Certificate to them.

SSL Certificates and Front-of-Site Services Lik...

Learn how front-of-site services like Cloudflare affect which SSL Certificate visitors see and how to apply your purchased SSL Certificate to them.

Understanding X9 Certificates and the Public Trust Model

Understanding X9 Certificates and the Public Tr...

Learn what X9 Certificates are, how X9 PKI differs from public browser trust, and why they are not a substitute for a publicly trusted SSL Certificate.

Understanding X9 Certificates and the Public Tr...

Learn what X9 Certificates are, how X9 PKI differs from public browser trust, and why they are not a substitute for a publicly trusted SSL Certificate.

Why Your SSL Certificate Type and Brand Matter by Industry

Why Your SSL Certificate Type and Brand Matter ...

Why the type and brand of SSL Certificate matter across regulated industries, who examines your validation standing, and what is at stake when they do.

Why Your SSL Certificate Type and Brand Matter ...

Why the type and brand of SSL Certificate matter across regulated industries, who examines your validation standing, and what is at stake when they do.

Revocation Status Errors on a Valid SSL Certificate

Revocation Status Errors on a Valid SSL Certifi...

A revocation status error such as RevocationStatusUnknown can appear on a valid SSL Certificate. Learn how to confirm it is not revoked and what to do next.

Revocation Status Errors on a Valid SSL Certifi...

A revocation status error such as RevocationStatusUnknown can appear on a valid SSL Certificate. Learn how to confirm it is not revoked and what to do next.

Website Security Checks : Essential Steps to Protect Your Business Online

Website Security Checks : Essential Steps to Pr...

Keep your website secure with the SSL Certificate checks that matter most, from expiry and chain coverage to validation levels, issuance controls, and automation.

Website Security Checks : Essential Steps to Pr...

Keep your website secure with the SSL Certificate checks that matter most, from expiry and chain coverage to validation levels, issuance controls, and automation.

Installing an S/MIME E-Mail Certificate in Mozilla Thunderbird

Installing an S/MIME E-Mail Certificate in Mozi...

Import a PKCS12 E-Mail Certificate into Mozilla Thunderbird, assign it for signing and encryption, and exchange secured messages with any recipient.

Installing an S/MIME E-Mail Certificate in Mozi...

Import a PKCS12 E-Mail Certificate into Mozilla Thunderbird, assign it for signing and encryption, and exchange secured messages with any recipient.

1 / 6