This page contains technical questions and answers relating to SSL Certificates, Certificate Signing Requests (CSR), installation procedures, troubleshooting and common error messages.
If you have a general question about ordering, payments or choosing the right SSL Certificate, please visit our main Frequently Asked Questions (FAQ) page. Explore Our General FAQ 🔗
If you have a technical question which has not been answered here, you can use the Ask Trustico® Assistant service for immediate help or browse our extensive library of technical articles. Explore Our Blog Articles 🔗
Certificate Signing Request (CSR) Questions
A Certificate Signing Request (CSR) is a fundamental component of the SSL Certificate issuance process. This section answers common questions about generating and managing Certificate Signing Requests (CSR).
Understanding and Generating a Certificate Signing Request (CSR)
A Certificate Signing Request (CSR) is a block of encoded data that is generated by your web server and contains the necessary details about your domain and organization. The Certificate Signing Request (CSR) includes your Public Key which will be incorporated into your SSL Certificate.
For instructions on how to generate a Certificate Signing Request (CSR) on your web server or hosting account, please follow our detailed instructions or the instructions provided by your software provider. Learn About Certificate Signing Requests (CSR) 🔗
Invalid Certificate Signing Request (CSR) Error
A number of common issues can cause the Certificate Signing Request (CSR) to be invalid. When you created the Certificate Signing Request (CSR) you were asked for several pieces of information, so check each of the following.
Check the Common Name (CN) field. You may have specified an IP address such as 178.0.1.23 or a server name such as mywebserver instead of a Fully Qualified Domain Name (FQDN) such as www.mydomain.com or domain name such as mydomain.com. You must specify a Fully Qualified Domain Name (FQDN) or domain name to apply for most SSL Certificates.
Make sure you do not have any illegal characters in any of the fields in the Certificate Signing Request (CSR). Illegal characters include the following : ! @ # $ % ^ ( ) ~ ? > < & / \ , . " '
Check the country field. If you are located in the United Kingdom, specify the country code as "GB", not "UK", when generating the Certificate Signing Request (CSR).
Make sure you have included the header and footer of the Certificate Signing Request (CSR) in the application form. The header and footer will look like the following :
-----BEGIN CERTIFICATE REQUEST-----
encoded data
-----END CERTIFICATE REQUEST-----
Make sure that there are five dashes on each side of the BEGIN and END Certificate request text. There should also be no trailing spaces in the Certificate Signing Request (CSR).
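The checks listed above can be run before a Certificate Signing Request (CSR) is pasted into an application form. The following Python sketch is an added example and is not Trustico® code; the function names and the sample values are constructed for illustration, and it assumes that dots are permitted in the Common Name (CN), since every Fully Qualified Domain Name (FQDN) contains them.

```python
import base64
import ipaddress

HEADER = "-----BEGIN CERTIFICATE REQUEST-----"
FOOTER = "-----END CERTIFICATE REQUEST-----"
# Characters the FAQ lists as illegal in CSR fields.
ILLEGAL = set("!@#$%^()~?><&/\\,.\"'")

# Constructed placeholder: correctly wrapped, but not a real, signed CSR.
BODY = base64.b64encode(b"\x30" + bytes(47)).decode()
SAMPLE_CSR = f"{HEADER}\n{BODY}\n{FOOTER}\n"


def check_armor(pem):
    """Return a list of problems with the header, footer and encoding."""
    problems = []
    lines = pem.splitlines()
    if any(line != line.rstrip() for line in lines):
        problems.append("trailing whitespace")
    stripped = [line.strip() for line in lines if line.strip()]
    if not stripped or stripped[0] != HEADER:
        problems.append("missing or malformed header")
    if not stripped or stripped[-1] != FOOTER:
        problems.append("missing or malformed footer")
    body = "".join(l for l in stripped if not l.startswith("-"))
    try:
        der = base64.b64decode(body, validate=True)
        if not der or der[0] != 0x30:  # a CSR is a DER SEQUENCE
            problems.append("body is not a DER structure")
    except ValueError:
        problems.append("body is not valid base64")
    return problems


def check_subject(subject):
    """Return a list of problems with the values typed into the CSR fields."""
    problems = []
    cn = subject.get("CN", "")
    try:
        ipaddress.ip_address(cn)
        problems.append("CN is an IP address, not a domain name")
    except ValueError:
        if "." not in cn:
            problems.append("CN is a bare server name, not an FQDN")
    if subject.get("C", "").upper() == "UK":
        problems.append('country must be "GB", not "UK"')
    for field, value in subject.items():
        # Assumption: dots are allowed in the CN, since every FQDN has them.
        banned = ILLEGAL - {"."} if field == "CN" else ILLEGAL
        bad = sorted(set(value) & banned)
        if bad:
            problems.append(f"illegal characters in {field}: {''.join(bad)}")
    return problems


if __name__ == "__main__":
    print(check_armor(SAMPLE_CSR))
    print(check_subject({"CN": "178.0.1.23", "C": "UK", "O": "My Company"}))
```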
Changing Your Certificate Signing Request (CSR)
You can change or correct your Certificate Signing Request (CSR) at a number of stages during the ordering process. You will be asked in the final steps to confirm the details provided. Once you have confirmed them, you will no longer be able to change the details or your Certificate Signing Request (CSR).
Once your SSL Certificate has been issued you cannot change the Common Name (CN) such as the domain name of your SSL Certificate. If you need to change the domain name after issuance, you will need to request a reissue of your SSL Certificate with a new Certificate Signing Request (CSR). Learn About SSL Certificate Reissues 🔗
Recommended Key Sizes for Certificate Signing Requests (CSR)
Trustico® recommends using a minimum key size of 2048 bits for RSA keys when generating your Certificate Signing Request (CSR). This is the industry standard minimum and provides strong security for most applications.
Some organizations choose to use 4096 bit keys for additional security, though this can impact server performance slightly. If you are using Elliptic Curve Cryptography (ECC), a 256 bit key provides equivalent security to a 3072 bit RSA key. Learn About Encryption Algorithms 🔗
E-Mail and Validation Questions
Successful SSL Certificate issuance depends on receiving and responding to validation e-mails. This section covers common e-mail related issues during the validation process.
Missing E-Mail Notifications
Please ensure that you have access to the e-mail addresses used in the ordering process. Also, as Trustico® sends unique URLs in the issued e-mails, be sure that your mail server has not separated or quarantined the e-mails as spam.
You may use the tracking area of our website to resend important e-mails. View Our Order Tracking System 🔗
Missing Approver E-Mail
When ordering a Domain Validation (DV) SSL Certificate the Approver E-Mail will be sent to the authorized domain name owner or controller. When you apply for your SSL Certificate, Trustico® will attempt to obtain the authorized domain contacts for your domain name.
You may then choose to have the Approver E-Mail sent to either the authorized domain contact, or alternatively you will be able to choose a generic domain contact such as admin@, administrator@, hostmaster@, postmaster@ or webmaster@ at your domain. Make sure that you have set up the e-mail addresses chosen at this point in the application otherwise the Approver E-Mail will not be delivered. Learn About E-Mail Address Handling 🔗
Alternative Validation Methods
Trustico® offers alternative validation methods for customers who prefer not to use e-mail validation or do not have access to the required e-mail addresses.
File Based Authentication requires you to place a specific file on your web server. Domain Name System (DNS) validation requires you to create a specific DNS record for your domain. Both methods provide the same level of validation as e-mail without requiring access to domain e-mail addresses. Learn About File Based Authentication 🔗
SSL Certificate Installation
Installing your SSL Certificate correctly is essential for proper website security. This section covers installation procedures and common installation scenarios.
Installing Your SSL Certificate
SSL Certificate installation varies depending on your web server software and hosting environment. You will need to refer to the documentation provided by your hosting company or software vendor.
Trustico® has compiled installation guides for common server platforms that may assist with the process. View Our Installation Instructions 🔗
Installation Assistance Options
Trustico® offers a Premium Installation service where our technical team will install your SSL Certificate on your server for you. This service is ideal for customers who are not comfortable with the technical aspects of SSL Certificate installation or who want the assurance that the installation is performed correctly by an expert. Learn About Premium Installation 🔗
Intermediate SSL Certificates and Installation Requirements
To successfully install your SSL Certificate, you may be required to install an Intermediate Certificate Authority (CA) SSL Certificate, also known as a Certificate Authority (CA) Bundle.
Intermediate SSL Certificates form the chain of trust between your SSL Certificate and the Root Certificate Authority (CA) Certificate that is trusted by browsers. Please review your fulfillment e-mail carefully to determine if an Intermediate Certificate Authority (CA) SSL Certificate is required, how to obtain it and correctly import it into your system. Learn About Intermediate SSL Certificates 🔗
Installing an SSL Certificate on Apache
To install an SSL Certificate on Apache web server, you need to configure your Apache configuration file, typically httpd.conf or a virtual host configuration file, with the paths to your SSL Certificate file, Private Key file and Intermediate Certificate Authority (CA) Bundle.
You will need to enable the SSL module and configure the appropriate directives including SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile. After making changes, restart Apache to apply the new configuration. View Our Installation Instructions 🔗
Installing an SSL Certificate on Internet Information Services (IIS)
To install an SSL Certificate on Microsoft Internet Information Services (IIS), you need to complete the pending Certificate request in the IIS Manager. Open the Server Certificates feature, select Complete Certificate Request and browse to your SSL Certificate file.
Once imported, bind the SSL Certificate to your website by editing the site bindings and adding an HTTPS binding on port 443 with your SSL Certificate selected. View Our Installation Instructions 🔗
Installing an SSL Certificate on Nginx
To install an SSL Certificate on Nginx web server, you need to configure your Nginx server block with the paths to your SSL Certificate file and Private Key file. For Nginx, you typically need to combine your SSL Certificate and Intermediate Certificate Authority (CA) Bundle into a single file.
Configure the ssl_certificate and ssl_certificate_key directives in your server block, then restart Nginx to apply the changes. View Our Installation Instructions 🔗
Testing and Verifying Your SSL Certificate
After installing your SSL Certificate, it is important to verify that everything is working correctly. This section covers how to test your SSL Certificate installation.
Testing Your SSL Certificate Installation
After installing your SSL Certificate, you should test your website by visiting it using HTTPS in your web browser. Check that the padlock icon appears and that there are no security warnings.
You can also use online SSL testing tools that will analyze your SSL Certificate configuration and report any issues with the Certificate chain, expiry date, key strength and server configuration.
Checking Your SSL Certificate Expiry Date
You can check your SSL Certificate expiry date by clicking on the padlock icon in your browser when visiting your HTTPS website and viewing the Certificate details. Alternatively, you can use the Trustico® order tracking system to view the expiry date of SSL Certificates purchased from us.
Trustico® also offers an SSL Certificate monitoring service that will automatically alert you before your SSL Certificate expires. Learn About SSL Certificate Monitoring 🔗
Verifying Your SSL Certificate Chain
Your SSL Certificate chain consists of your SSL Certificate, any Intermediate Certificate Authority (CA) SSL Certificates and the Root Certificate Authority (CA) Certificate. You can view the Certificate chain by clicking on the padlock icon in your browser and viewing the Certificate path or hierarchy.
A correctly installed SSL Certificate will show a complete chain from your SSL Certificate up to a trusted Root Certificate Authority (CA). If the chain is incomplete, you may need to install the Intermediate Certificate Authority (CA) Bundle. Learn About Intermediate SSL Certificates 🔗
Common SSL Errors and Solutions
This section covers common SSL Certificate errors and their solutions to help you troubleshoot installation and configuration issues.
Untrusted Certificate Authority Error
Problem : This error message appears when connecting to your website over HTTPS, indicating the browser does not trust your SSL Certificate.
Solution : This usually indicates that the SSL Certificate has not been installed correctly, the Intermediate Certificate Authority (CA) Bundle is missing, or the server requires a physical reboot. First try reinstalling the SSL Certificate including the Intermediate Certificate Authority (CA) Bundle and physically restarting your server. Learn About Intermediate SSL Certificates 🔗
Expired or Not Yet Valid SSL Certificate Error
Problem : This error message appears relating to SSL Certificate validity dates.
Solution : This indicates that the SSL Certificate has expired and needs to be renewed, or the SSL Certificate is not yet valid because it was issued with a future start date. It may also indicate that the time or date is incorrect on the computer being used to visit the website over HTTPS or on the server itself.
Check the system clock on both the client and server. If your SSL Certificate has genuinely expired, you will need to renew it. Learn About SSL Certificate Renewals 🔗
SSL Certificate Name Mismatch Error
Problem : A name mismatch error occurs when connecting to your website, indicating the SSL Certificate was issued for a different domain name.
Solution : An SSL Certificate is issued to a Fully Qualified Domain Name (FQDN). The actual Fully Qualified Domain Name (FQDN) is digitally signed and sealed within the issued SSL Certificate. The SSL Certificate can only be used on this Fully Qualified Domain Name (FQDN) and nothing else, otherwise a name mismatch occurs.
For example, an SSL Certificate issued to www.yourdomain.com can only be used on www.yourdomain.com. It cannot be used on secure.yourdomain.com or even just yourdomain.com without the www prefix.
If you require a single SSL Certificate that can be used on multiple sub domains then you should consider a Wildcard SSL Certificate. If you need to secure both www and non-www versions of your domain, ensure your SSL Certificate includes both as Subject Alternative Names (SAN). Discover Our Wildcard SSL Certificate Options 🔗
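The name matching described above can be checked before deployment by comparing the names in an SSL Certificate against the hostnames a server answers for. This Python sketch is an added example, not Trustico® code; the function names are hypothetical. It goes slightly beyond the text by showing the usual browser rule that a wildcard stands for exactly one left-most label, so it covers neither the bare domain nor nested sub domains.

```python
def matches(pattern, hostname):
    """True if one certificate name (exact or wildcard) covers hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or not all(h):
        return False
    if p[0] == "*":
        # The wildcard replaces one whole left-most label only.
        # Simplification: names such as "*.com" are rejected by label count.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def uncovered(cert_names, hostnames):
    """Return the hostnames that would trigger a name mismatch error."""
    return [
        host for host in hostnames
        if not any(matches(name, host) for name in cert_names)
    ]


if __name__ == "__main__":
    served = ["www.yourdomain.com", "secure.yourdomain.com", "yourdomain.com"]
    # Single-name SSL Certificate: only the exact FQDN is covered.
    print(uncovered(["www.yourdomain.com"], served))
    # Wildcard SSL Certificate: sub domains are covered, the bare domain is not.
    print(uncovered(["*.yourdomain.com"], served))
    # Both names listed as Subject Alternative Names (SAN).
    print(uncovered(["www.yourdomain.com", "yourdomain.com"], served))
```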
Mixed Content Warnings Explained
Problem : A mixed content warning appears on your HTTPS pages, indicating some resources are being loaded over insecure HTTP.
Solution : This error occurs when you are loading resources such as images, scripts, stylesheets or other files over HTTP when your page is being served over HTTPS.
Either change the resource URLs in your HTML code to use HTTPS, use protocol-relative URLs that start with // instead of http:// or https://, or use relative paths. Ensure all external resources you load also support HTTPS.
Resolving SSL Connection Errors
Problem : The browser cannot establish an SSL connection to your website at all.
Solution : Check that your SSL Certificate has been installed for the correct website and that the site is configured to listen on port 443. Ensure your Private Key is not corrupt and has not been accidentally deleted. Verify that port 443 is open on your firewall and router. Check that your Domain Name System (DNS) settings are correctly configured to point to your server.
Private Key Issues
The Private Key is a critical component of your SSL Certificate that must be kept secure. This section covers common Private Key related issues.
Recovering from Lost Private Keys
First check your backups and see if you can find the Private Key. The Private Key should be in the same location where you generated your Certificate Signing Request (CSR). If you are using Internet Information Services (IIS), check the Certificate store.
If you have purchased Issuance Insurance from Trustico® you may have your SSL Certificate re-issued free of charge with a new Certificate Signing Request (CSR) and Private Key, otherwise you may need to purchase a new SSL Certificate. Learn About Issuance Insurance 🔗
Resolving Pending Request Not Found Errors
If you are attempting to install an SSL Certificate that does not match the Private Key, also known as the Pending Request in Internet Information Services (IIS), you will receive this error. Internet Information Services (IIS) only allows you to make one Certificate request per site. If you create a new Certificate Signing Request (CSR) for the same website, your original request and Private Key will be overwritten.
If you have a backup of the Private Key, you can install the SSL Certificate via the Microsoft Management Console (MMC) if you can restore the request to the REQUEST folder. If you have lost your Private Key you may need to complete a new order or use Issuance Insurance if previously purchased. Learn About Issuance Insurance 🔗
Keeping Your Private Key Secure
Your Private Key should be kept confidential and only accessible to authorized personnel. Store the Private Key in a secure location with appropriate file permissions. Never share your Private Key via e-mail or other insecure channels.
Consider using a Hardware Security Module (HSM) for high-security applications. Always maintain secure backups of your Private Key in case of server failure.
Moving and Migrating SSL Certificates
Sometimes you need to move your SSL Certificate to a different server or hosting environment. This section covers SSL Certificate migration.
Moving Your SSL Certificate to a New Server
You will need to export your current SSL Certificate and Private Key from your existing server and import them into the new server. The export format depends on your server software.
For Windows servers, you typically export as a PFX or PKCS#12 file which includes the SSL Certificate, Private Key and Intermediate SSL Certificates. For Linux servers, you may export the SSL Certificate and Private Key as separate PEM files.
SSL Certificate Formats for Different Servers
Different server platforms require SSL Certificates in different formats. Apache and Nginx typically use PEM format files with .crt or .pem extensions. Internet Information Services (IIS) uses PFX or PKCS#12 format files with .pfx extension. Java-based servers may require JKS (Java KeyStore) format.
Trustico® can provide your SSL Certificate in multiple formats or you can use OpenSSL to convert between formats.
IP Address Requirements
Understanding IP address requirements for SSL Certificates helps with server configuration and planning. This section covers common IP address related questions.
Changing Your IP Address and SSL Certificates
An SSL Certificate is issued to a domain name and not an IP address. So long as your web server is hosting the domain name for which your SSL Certificate has been issued, the IP address does not matter. You can change your IP address without needing to replace or reissue your SSL Certificate.
Dedicated IP Address Requirements
Modern web servers and browsers support Server Name Indication (SNI) which allows multiple SSL Certificates to be hosted on a single IP address. SNI is supported by all modern browsers and operating systems. If you only host a single domain then you can use name-based hosting without any issues.
However, if you need to support very old browsers or operating systems that do not support SNI, you may need a dedicated IP address for each SSL Certificate.
Please note that host headers on older versions of Internet Information Services (IIS) may cause SSL errors if you install multiple SSL Certificates for multiple domains on a single IP address without SNI support.
SSL Certificate Reissues
Sometimes you need to reissue your SSL Certificate during its validity period. This section explains when and how to request a reissue.
Common Reasons for SSL Certificate Reissues
Common reasons for reissuing an SSL Certificate include changing your web server and needing to generate a new Certificate Signing Request (CSR), losing your Private Key, discovering that your Private Key has been compromised, needing to add or remove domains from a Multi-Domain SSL Certificate, or changing the encryption algorithm from RSA to Elliptic Curve Cryptography (ECC). Learn About SSL Certificate Reissues 🔗
Requesting an SSL Certificate Reissue
You can request a reissue of your SSL Certificate through the Trustico® order tracking system. You will need to generate a new Certificate Signing Request (CSR) on your server and submit it as part of the reissue request.
You will then need to complete the validation process again for the new SSL Certificate to be issued. Reissues are provided free of charge during your SSL Certificate validity period. View Our Order Tracking System 🔗
HTTPS Redirects and Configuration
Once your SSL Certificate is installed, you should configure your website to use HTTPS by default. This section covers HTTPS redirect configuration.
Redirecting HTTP to HTTPS
After installing your SSL Certificate, you should redirect all HTTP traffic to HTTPS to ensure visitors always use the secure version of your website.
For Apache web server, you can add redirect rules to your .htaccess file or virtual host configuration. For Nginx, add a server block that redirects port 80 traffic to HTTPS. For Internet Information Services (IIS), you can use the URL Rewrite module to create redirect rules.
HTTP Strict Transport Security (HSTS) Explained
HTTP Strict Transport Security (HSTS) is a security feature that tells browsers to only connect to your website using HTTPS, even if the user types HTTP. Once a browser receives the HSTS header from your server, it will automatically use HTTPS for all future connections to your domain.
This helps protect against SSL stripping attacks and accidental insecure connections. You can enable HSTS by adding the Strict-Transport-Security header to your server configuration.
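Once the redirect and the HSTS header are configured, the responses from port 80 and port 443 can be audited together. This Python sketch is an added example, not Trustico® code; the function names and the sample responses are constructed, and each response is assumed to be a (status, headers) pair captured from the server. It flags max-age=0 because that value instructs browsers to discard the policy.

```python
def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into a policy dict."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            policy["max_age"] = int(arg) if arg.isdecimal() else None
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def audit(http_resp, https_resp):
    """Return problems found in the port 80 and port 443 responses."""
    problems = []

    status, headers = http_resp
    headers = {k.lower(): v for k, v in headers.items()}
    location = headers.get("location", "")
    redirected = status in (301, 302, 307, 308)
    if not redirected or not location.lower().startswith("https://"):
        problems.append("port 80 does not redirect to HTTPS")

    # Browsers only honour HSTS received over HTTPS, so check it there.
    status, headers = https_resp
    headers = {k.lower(): v for k, v in headers.items()}
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        problems.append("HTTPS response has no Strict-Transport-Security header")
    else:
        policy = parse_hsts(hsts)
        if policy["max_age"] is None:
            problems.append("HSTS header has no valid max-age")
        elif policy["max_age"] == 0:
            problems.append("max-age=0 tells browsers to drop the HSTS policy")
    return problems


if __name__ == "__main__":
    # Constructed sample responses.
    http_resp = (301, {"Location": "https://www.example.com/"})
    https_resp = (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
    print(audit(http_resp, https_resp))
```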
SSL Certificate Monitoring
Proactive monitoring helps prevent SSL Certificate expiry and identifies configuration issues before they affect your visitors. This section covers SSL Certificate monitoring.
Monitoring Your SSL Certificate
Trustico® offers an SSL Certificate monitoring service that automatically checks your SSL Certificate and alerts you before it expires. The monitoring service also checks for configuration issues such as incomplete Certificate chains, weak encryption settings and other problems that could affect your website security. Learn About SSL Certificate Monitoring 🔗
Key Monitoring Indicators
Key aspects to monitor include your SSL Certificate expiry date to ensure timely renewal, the completeness of your Certificate chain, the strength of your encryption settings, and whether your server is vulnerable to known SSL and Transport Layer Security (TLS) vulnerabilities.
Regular monitoring helps maintain optimal security and prevents unexpected outages due to expired SSL Certificates.
Automated SSL Certificate Management (ACME)
For organizations that manage multiple SSL Certificates or want to automate the SSL Certificate lifecycle, Trustico® offers automated solutions. This section covers SSL Certificate automation options.
ACME Protocol Explained
Automatic Certificate Management Environment (ACME) is a protocol that automates the process of SSL Certificate issuance, renewal and revocation. ACME allows you to automatically obtain and renew SSL Certificates without manual intervention, reducing administrative overhead and the risk of expiry.
Trustico® supports ACME for automated SSL Certificate management. Learn About ACME 🔗
Supported ACME Clients
There are many ACME clients available for different platforms and use cases. Popular ACME clients include Certbot for Linux servers, win-acme for Windows servers, and acme.sh for shell environments.
Trustico® is compatible with standard ACME clients that support the ACME protocol. Learn About ACME Clients 🔗
Certificate as a Service (CaaS) Explained
Certificate as a Service (CaaS) from Trustico® provides a comprehensive solution for automated SSL Certificate management. Certificate as a Service (CaaS) integrates with your existing infrastructure to automatically provision, renew and manage SSL Certificates across your organization.
This is ideal for enterprises managing large numbers of SSL Certificates or those seeking to implement DevOps practices for SSL Certificate management. Learn About Certificate as a Service (CaaS) 🔗
Getting Started with Automated SSL Certificate Management
To get started with automated SSL Certificate management, you will need to obtain External Account Binding (EAB) credentials from Trustico® which link your ACME client to your Trustico® account.
You can then configure your ACME client with these credentials and begin automating your SSL Certificate management. Learn About EAB Credentials 🔗