1. Starting the Order:
- Navigate to the "SSL Certificates" tab.
- Click “⊕ New SSL Certificate”.
- SSL certificates can be viewed by either the ‘Brand’ (CA) or by ‘Validation’ type.
- Pick the SSL you need and click ‘Put into cart’.
Note: For guidance on selecting the certificate and the appropriate SSL validation type, refer to the end of this article, or contact our sales services. If you're not yet a client, you can use our contact form.
2. Providing Necessary Data:
- Click on the “Additional data required” link under the “Complete?” column.
- Input the CSR into the provided space and then click “Read CSR” to verify the details.
- Add an Owner Contact, choose a duration of 1 year, and specify the authentication method. Other inputs are optional. Finally, click “Update Order SSL Certificate”.
3. Approval Email Details:
For the certificate to be created, the approval email address should match the domain's WHOIS record. Once a CSR has been evaluated, the possible email addresses are displayed. If our system can retrieve an email from the domain's WHOIS automatically, it will display the WHOIS Admin email.
For convenience, the following predefined approver email addresses can also be used:
- admin@...
- administrator@...
- hostmaster@...
- webmaster@...
- postmaster@...
Domain Validation Methods:
- Email: An approval link is sent to the approver email.
- DNS (TXT Record) - to be preferred: Specific TXT resource records are needed for each host. These records will be added automatically if the DNS zone is managed by us.
- File on the web server: A specific file with certain content must be hosted under a particular path on web servers.
NB: Authentication methods may vary depending on the certificate and/or the certificate authority.
4. Finalizing the Order:
- Choose the domain name.
- Click “Submit Order”.
5. Adding contacts to the certificate:
- Add a Registrant Contact with a Mr / Ms title (mandatory for all certificates).
- For OV / EV certificates only, you will also need to fill in an Organization Contact (OV/EV), and an Organization Contact Person (OV/EV).
To find a contact, enter any data associated with the desired contact.
→ Help with contact creation
Important:
• Characters: All contacts associated with SSL certificates must not contain accents, umlauts, or special characters.
• State: You must enter a state/province or region (the option "Other" is not accepted).
• Title: You must also include a title (Mr. or Mrs.) when referring to a natural person (Organization Contact Person).
• For OV / EV certificates:
→ Your "Organisation Contact" should not indicate a First Name and Last Name: leave these fields blank (this gives you an O-handle, which is generally preferred but not mandatory; a P-handle may also be suitable).
→ Your "Organization Contact Person" (P-handle typology) must indicate the same organization as the one listed in your "Organization Contact", as well as the Last Name and the First Name of a natural person working within it, with their title and role.
It must indicate an organization as well as a valid postal address and a landline telephone number that can be verified in an official directory (Yellow Pages, Kompass, etc.).
Generic names such as "Domain Manager" are not allowed as a contact person.
The telephone number indicated must be a direct line, landline or cellular.
6. Other fields:
The other entries are optional and internal to the Portal, for your own management.
7. Save your changes:
Finally, click on "Update SSL Certificate Order" to validate the form.
8. Complete the order:
- Select the domain name.
- Click on “Submit order”. It's over!
9. Verification of your application, validation and delivery of your certificate:
Your order is now placed and your certificate request is in progress with the selected certificate authority.
You will receive instructions directly from the certification authorities, and your certificate will be delivered to you by email to the address provided in your customer account and/or you can retrieve your certificate directly from the BrandShelter Portal, in the "SSL Certificates" tab.
Your certificate will be issued in CRT format, but with the file extension .TXT. Intermediate certificates are sent at the same time as the certificate itself. Downloaded certificate files will have the filename extension .TXT, but you can rename the file and/or change its extension to .CRT, .PEM or .CER, for example, without affecting its functionality.
Important: We name the attached certificate files in the delivery email certificate-crt.txt and intermediate-pem.txt to ensure that they are properly received, and to prevent them from being detected as potentially malicious files and blocked. We no longer use .pem or .crt as file extensions because many antivirus and anti-malware products remove attachments with such extensions. However, we correctly set the MIME type, respectively to application/x-x509-ca-cert and application/x-pem-file.
The PEM format, in particular, is also used to store private keys and certificate signing requests (CSR):
- A private key in PEM format will have the .key extension and the header and footer -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY-----.
- A CSR in PEM format will have the .csr extension and the header and footer -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST-----.
Root certificates (ROOT) are an integral part of every web browser and operating system, and can be downloaded publicly. Root certificates are therefore not part of our delivery. On Windows, Certificate Manager manages trusted root certificates. On Mac, the root certificates are in Keychain Access. On Linux, they go under /etc/ssl. Certificate authorities make their root and intermediate certificates available for download on their websites.
------------------------------------------------------------------------------------------------------
There are three types of validation:
- Domain Validation (DV) verifies that the requestor has administrative rights to the domain listed in the certificate (corresponds to a standard certificate).
- Organization Validation (OV) includes authenticating the company's identity, verifying the domain name, and verifying that the organization's contact who is applying for the certificate on behalf of the company or organization is an employee of that organization.
- Extended Validation (EV) is the highest level of authentication and requires recognition or an agreement signed by the company.
Understanding SSL Certificates
SSL certificates serve as a protective shield for online data transfers, but not all certificates are created equal. Let's delve into the differences between the commonly used Standard SSL Certificate and the more rigorous Extended Validation Certificate.
Difference Between Standard SSL Certificate and Extended Validation Certificate
- Validation Levels: While both SSL certificate types offer industry-standard encryption, their level of validation differs. Typically, when referring to a "standard SSL", one means a single domain, domain validated (DV) SSL certificate. These certificates are swiftly registered, and affordable, yet might not provide the desired level of trust for business-centric tasks. On the other hand, an Extended Validation (EV) certificate involves a meticulous validation process where the issuing authority verifies multiple facets of your company, ensuring a higher level of trust.
- Pricing Disparity: You might wonder why EV certificates come with a higher price tag compared to standard SSL certificates. The answer lies in the detailed validation process. The extra effort and resources expended by the Certificate Authority to vet and issue an EV certificate naturally translates to a higher cost.
Considerations for Extended Validation Certificates
Before opting for an EV certificate, consider the following:
- Urgency: Need a certificate in a jiffy or at a lower cost? A standard SSL might be your go-to.
- Trust Factor: If instilling maximum trust in your visitors is pivotal, and you wish to showcase serious commitment to security, an EV certificate should be your choice.
- Nature of Your Site: Sites handling ecommerce, finance, healthcare, or any sensitive data should ideally lean towards EV certificates for enhanced credibility and security.
More Support and Best Practices:
What is an SSL certificate?
Why do I need an SSL certificate?
SSL Certificate Management Best Practices
CSR Generation Tools:
Convert to .PFX
Sometimes you may want a self-installing package of the certificate (.PFX). For this you must have the private key in your possession; otherwise the conversion is not possible.
Here's how to do it:
- Install OpenSSL (https://slproweb.com/products/Win32OpenSSL.html, available also for MacOS, https://www.slingacademy.com/article/how-to-install-upgrade-openssl-with-homebrew/)
- Retrieve your .pem file containing the certificate (.crt) and the intermediate chain. Note that you may need to create this file yourself in .pem format. To do this:
  - Open the .crt file (1) with a text editor (Notepad, for example)
  - Open the file containing the intermediate chain (2) with the same text editor
  - Open a blank document (3) with the same text editor
  - Paste into (3) the contents of (1) and then (2) (one after the other, with a simple line break)
  - Save the document (3), naming it e.g. "yourcertificatename.pem"
- Place the following in your user folder (example: C:\Users\JohnDoe):
  - The previously created .pem formatted certificate ("yourcertificatename.pem")
  - The private key
- On your text editor (Notepad for example), prepare a strong password (mix numbers and letters with at least 15 characters)
- Launch OpenSSL (for Windows, click on the Windows logo at the bottom left, find the OpenSSL folder and launch "Win64 OpenSSL Command Prompt")
- Type the following command:
openssl pkcs12 -export -out yourfilename.pfx -inkey yourprivatekeyname.key -in yourcertificatename.pem
- Once the command is launched, you will be prompted for the password you prepared above: enter it twice (NB: the cursor does not appear to react, but the password is being registered)
- Tip: it's easier to create your password in Notepad, copy it, and paste it into the OpenSSL window
- Once the password has been entered identically twice, the .PFX will be created (keep this password so you can use your .PFX afterwards).
- Retrieve your .PFX from the same folder where you placed the certificate and private key
- It's over!
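The conversion steps above as a POSIX shell script (an added example, not code from the original page or from the portal): it builds the .pem bundle, checks that the private key belongs to the certificate before exporting, and then counts the certificates stored in the resulting .pfx. The function names, the file arguments and the PFX_PASS environment variable (used here instead of the interactive password prompt) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the portal's tooling. File names are placeholders.
# The password is read from the exported environment variable PFX_PASS.

# build_pfx CERT INTERMEDIATE KEY OUT_PFX
# Returns 1 = no password, 2 = unreadable input, 3 = key/certificate mismatch.
build_pfx() {
    cert=$1; chain=$2; key=$3; out=$4
    [ -n "${PFX_PASS:-}" ] || { echo "export PFX_PASS first" >&2; return 1; }

    # Each input must parse as what it is supposed to be.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
        { echo "not a PEM certificate: $cert" >&2; return 2; }
    openssl x509 -in "$chain" -noout >/dev/null 2>&1 ||
        { echo "not a PEM certificate: $chain" >&2; return 2; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
        { echo "not a PEM private key: $key" >&2; return 2; }

    # The public key inside the certificate must be the one derived from
    # the private key; otherwise the .pfx cannot be built from this pair.
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "private key does not match certificate" >&2; return 3; }

    # Certificate first, then the intermediate, separated by a line break.
    bundle=$(mktemp) || return 2
    { cat "$cert"; printf '\n'; cat "$chain"; } > "$bundle"

    # The private key ends up inside the .pfx, so keep the file private.
    ( umask 077
      openssl pkcs12 -export -out "$out" -inkey "$key" -in "$bundle" \
          -passout env:PFX_PASS )
    status=$?
    rm -f "$bundle"
    return "$status"
}

# pfx_cert_count PFX: number of certificates stored in the .pfx
# (expected: 2, the certificate plus one intermediate).
pfx_cert_count() {
    openssl pkcs12 -in "$1" -passin env:PFX_PASS -nokeys 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}
```

With the delivered files, a call would look like `build_pfx certificate-crt.txt intermediate-pem.txt yourprivatekeyname.key yourfilename.pfx`, after which `pfx_cert_count yourfilename.pfx` should print 2.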
Other useful links:
• Create a pkcs12 (.pfx or .p12) from OpenSSL files (.pem , .cer, .crt...) with TBS : https://www.tbs-certificates.co.uk/FAQ/en/288.html
• SECTIGO SSL Converter - Convert the Format of Any SSL Certificate : https://sectigostore.com/ssl-tools/ssl-converter.php
• Convert your P7B Certificate to PFX : https://www.veritech.net/convert-p7b-certificate-pfx/
• Sectigo Validation >> SSL Validation FAQs
• Sectigo Validation >> Organization Validated (OV) Certificates
• Sectigo's Organization Validated (OV) SSL Certificate Explained
• Sectigo Validation >> Extended Validation (EV) Certificates
• Sectigo's Extended Validated (EV) SSL Certificate Explained
• Sectigo WHOIS Email DCV Deprecation