Frequently Asked Questions
General Questions
What is a Web Server Certificate?
How does a Web Server Certificate work?
What is the encryption strength of our Web Server Certificates?
What is SSL?
How does the customer know that a site is secure?
What is browser ubiquity?
Why do visitors receive a security alert when accessing my secure site?
What if I lose my password?
Does a Web Server Certificate secure both "www.domainnamegoeshere.com" and "domainnamegoeshere.com"?
Why is my secure site not displaying the padlock icon in the browser's status bar?
Which countries are currently supported for certificate issuance?
Certificate Types
What is the difference between a High Assurance and a Turbo SSL Web Server Certificate?
What is the difference between a Web Server SSL Certificate and a Wild Card Web Server SSL Certificate?
Certificate Issuance
How long does it take to issue an SSL certificate?
What information do you validate, and why?
What happens if validation fails?
How do I install my SSL certificate?
Certificate Requests
How do I generate a Certificate Signing Request (CSR)?
How do I monitor the progress of my certificate request?
How do I obtain a Domain Registration Letter?
Certificate Management
What happens when my certificate expires?
How do I renew my certificate?
What does it mean to revoke a certificate?
What does it mean to reissue a certificate?
What does it mean to re-key a certificate?
Intermediate Certificates
What is an intermediate certificate?
How do I install an intermediate certificate?
What happens if I don't install the intermediate certificate?


General Questions
What is a Web Server Certificate?
A Web Server SSL Certificate is a digital certificate that authenticates the identity of a Web site to visiting browsers and encrypts information sent to the server via Secure Sockets Layer (SSL) technology. Encryption is the process of scrambling data into an undecipherable format (ciphertext), which can only be returned to a readable format with the proper decryption key. All of our Web Server Certificates support both industry-standard 128-bit encryption and high-grade 256-bit encryption.

A certificate serves as an electronic "passport" that establishes an online entity's credentials when doing business on the Web. When an Internet user attempts to send confidential information to a Web server, the user's browser will access the server's digital certificate and establish a secure connection.

A Web Server SSL Certificate contains the following information:
  • The certificate holder's name,
  • The certificate's serial number and expiration date,
  • A copy of the certificate holder's public key,
  • The digital signature of the certificate-issuing authority.
How does a Web Server Certificate work?

A Web Server SSL Certificate secures safe, easy and convenient Internet shopping. Once an Internet user enters a secure area — by entering credit card information, e-mail address or other personal data, for example — the shopping site's Web Server SSL Certificate enables the browser and Web server to build a secure, encrypted connection. The SSL "handshake" process, which establishes the secure session, takes place discreetly behind the scene without interrupting the consumer's shopping experience. A "padlock" icon in the browser's status bar and the "https://" prefix in the URL are the only visible indications of a secure session in progress.

By contrast, if a user attempts to submit personal information to an unsecured Web site (i.e., a site that is not protected with a valid SSL certificate), the browser's built-in security mechanism will trigger a warning to the user, reminding him/her that the site is not secure and that sensitive data might be intercepted by third parties. Faced with such a warning most Internet users likely will look elsewhere to make a purchase.

What is the encryption strength of our Web Server Certificates?
All of our Web Server Certificates support both industry-standard 128-bit and high-grade 256-bit encryption.

The actual encryption strength on a secure connection using a digital certificate is determined by the level of encryption supported by the user's browser and the server that the Web site resides on. For example, the combination of a Firefox browser and an Apache Web server normally enables up to 256-bit AES encryption with our SSL certificates. This means that depending on the Web browser and Web server that combine to establish the secure connection through one of our SSL certificates, the encryption strength of the secure connection may be 40, 56, 128, or 256 bit.

What is SSL?
SSL is the de facto standard for creating a secure, encrypted link between a Web server and a browser. SSL thus ensures safe passage of sensitive information, such as credit card numbers, passwords, user names, etc. SSL is used by e-commerce Web sites as a means to protect online transactions with their customers. Once a secure connection has been established, SSL encrypts information sent from your browser to the Web server. SSL utilizes the public-and-private key encryption system.

How does the customer know that a site is secure?
An "https://" prefix in the URL and a key or padlock icon in the browser's status bar indicate that a Web site is secure.

An SSL-encrypted session is generally commenced once a visitor signs in to a secure area of a Web site, such as the checkout or account-management area of an online store.

What is browser ubiquity?
The term "browser ubiquity" describes an SSL certificate's browser compatibility – i.e., the extent to which the Certification Authority's root certificate is included in the Web browsers on the market. In other words: If the root certificate of the CA is present in the "trusted Root Certificates" store of the browser, then the SSL certificates issued by the CA are compatible with that browser. Thus, a high browser ubiquity means that most existing browsers recognize a certificate, and that secure transactions thus can take place on those browsers. In other words: The more browsers and browser versions supported, the higher the level of browser ubiquity, and hence, the more versatile the certificate is. Most SSL certificate services support all major browsers.

Our root certificate — the Valicert Class 2 Policy Validation Authority — is installed in the following browser versions:

  • Internet Explorer 5.01 and higher
  • AOL 5 and higher
  • Netscape 4.7 and higher
  • Opera 7.5 and higher
  • Safari on Mac OS X 10.3.4 and higher
  • Mozilla (all versions)
  • Firefox (all versions)
  • Konqueror (all versions)
  • Palm OS 6.1 and higher (also Treo 650)
  • Sony Playstation Portable 2.5 and higher
  • Microsoft Windows Mobile 2005 and higher
  • BlackBerry OS 4.1 and higher
  • Sun Java Runtime (JRE) 1.4.2_07 and higher and 1.5.0_02 and higher
  • ACCESS NetFront 3.3 and higher
  • Cingular WAP Gateways (any Cingular phone which uses WAP version 1.X for Web browsing)

That equals 99% total browser ubiquity.

Users of older browser versions may receive a warning that the root certificate is not trusted. When presented with the warning, those users can simply install the root certificate. To do so, click "View Certificate." Then, when the certificate is displayed, click "Install Certificate." Alternatively, users of older browsers may download and install the root certificate directly from our repository.


Why do visitors receive a security alert when accessing my secure site?
The "Security Alert" (see illustration below) is generally triggered when a Web Server Certificate is invalid or if the Web site owner has failed to properly install the intermediate certificate.


Does a Web Server Certificate secure both "www.domainnamegoeshere.com" and "domainnamegoeshere.com"?
No, a Web server certificate only secures the exact fully qualified domain entered as the Common Name in your certificate signing request. Thus if your certificate secures "www.domainnamegoeshere.com" it will not secure the domain "domainnamegoeshere.com." If a user types in "domainnamegoeshere.com" (without the "www") he/she will receive a warning about the validity of the certificate.

If you need to secure both domains, you must request a Web server certificate for each of them. Alternatively, you can contact your domain registrar and request that your DNS records are set up so that typing in "domainnamegoeshere.com" automatically resolves to "www.domainnamegoeshere.com."


What if I lose my password?
We cannot retrieve a lost password. If you forgot your SSL account password, you may create a new one instead.

To do so, please go to the login screen and enter your User ID and the e-mail address you used when you set up the account; then create a temporary security code. Do not forget your security code, as you will need it to reset the password.

Once you have entered the requested information you will receive an e-mail message that contains a link to the page that allows you to reset your password. Note that you must click the link and reset the password within 30 minutes.

Why is my secure site not displaying the padlock icon in the browser's status bar?
If any site element — an image, for example — is being queried from outside the secure layer, the padlock icon will not be displayed in the user's browser. To resolve this problem, make sure that all images and other site elements you want on the secure version of your Web site are being pulled from a secure folder located within the secure site.
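
One way to find the elements that suppress the padlock, as an added Python example that is not part of the original FAQ: it lists every sub-resource a page served over https:// would fetch over plain http://. The page URL, host names and HTML are constructed samples built on the FAQ's placeholder domain.

```python
"""Added example: list sub-resources an HTTPS page loads over plain HTTP."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> attribute that makes the browser fetch a sub-resource.
FETCHING_ATTRS = {
    "img": "src", "script": "src", "iframe": "src", "embed": "src",
    "audio": "src", "video": "src", "source": "src", "object": "data",
}


class InsecureResourceFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []  # (tag, absolute URL) pairs

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = FETCHING_ATTRS.get(tag)
        # Style sheets are fetched through <link rel="stylesheet" href=...>.
        if tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower():
            attr = "href"
        value = attrs.get(attr) if attr else None
        if not value:
            return
        # Resolve relative and protocol-relative references against the page.
        absolute = urljoin(self.page_url, value.strip())
        if urlparse(absolute).scheme == "http":
            self.insecure.append((tag, absolute))


def find_insecure_resources(page_url, html):
    """Return the (tag, url) pairs that would be loaded without SSL."""
    finder = InsecureResourceFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.insecure


# Constructed sample page (not taken from any real site).
SAMPLE_PAGE_URL = "https://www.domainnamegoeshere.com/checkout/"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="http://www.domainnamegoeshere.com/js/cart.js"></script>
</head><body>
<img src="images/logo.png">
<img src="http://images.domainnamegoeshere.com/banner.gif">
<img src="//cdn.domainnamegoeshere.com/badge.png">
<a href="http://www.domainnamegoeshere.com/help">Help</a>
</body></html>
"""

if __name__ == "__main__":
    for tag, url in find_insecure_resources(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"<{tag}> loaded without SSL: {url}")
```

Ordinary links (`<a href>`) are not reported, because following a link does not load content into the secure page.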

Which countries are currently supported for certificate issuance?
Our Web Server Certificates can be issued to individuals and companies worldwide, but with the following restrictions:

High Assurance Web Server Certificates currently cannot be issued to requestors in the following countries:

  • Afghanistan
  • Belarus
  • Burundi
  • Congo, Democratic Republic of the (formerly Zaire)
  • Congo, Republic of the
  • Côte d'Ivoire
  • Cuba
  • Cyprus
  • Haiti
  • India
  • Indonesia
  • Iran
  • Iraq
  • Israel
  • Liberia
  • Libya
  • Myanmar
  • North Korea
  • Pakistan
  • People's Republic of China
  • Russia
  • Rwanda
  • Sierra Leone
  • Somalia
  • Sudan
  • Syria
  • Tanzania
  • Uganda
  • Vietnam
  • Yemen
  • Zimbabwe

Medium Assurance Web Server Certificates (aka "Turbo SSL certificates") currently cannot be issued for Web sites with the following country-code top-level domains:

  • .af — Afghanistan
  • .cu — Cuba
  • .ir — Iran
  • .ly — Libya
  • .kp — North Korea
  • .rw — Rwanda
  • .sd — Sudan
  • .sy — Syria

Certificate Types
What is the difference between a High Assurance and a Turbo SSL Web Server Certificate?
This Certification Authority (CA) is offering two types of Web Server SSL Certificates: High Assurance Web Server Certificates and Turbo SSL Web Server Certificates. The main difference between the certificate types lies in validation level and issuance speed. Your choice of certificate type should depend on the size and type of your business, your budget and whether or not you prefer (close-to) instant certificate issuance to a more thorough validation process. See below for a comparison between our Web Server Certificates.

Certificate Comparison

High Assurance Certificate — Corporate
  • Authentication Process: Domain control verification, corporate identity, fraud screening
  • Issuance Speed: 2-5 business days
  • Name in Certificate "O" Field: Company name
  • Encryption Level*: Up to 256 bit

High Assurance Certificate — Small Business/Sole Proprietor
  • Authentication Process: Domain control verification, individual identity, fraud screening
  • Issuance Speed: 2-5 business days
  • Name in Certificate "O" Field: Requestor name
  • Encryption Level*: Up to 256 bit

Turbo SSL Certificate
  • Authentication Process: Domain control verification, fraud screening
  • Issuance Speed: Immediate
  • Name in Certificate "O" Field: Web site's common name
  • Encryption Level*: Up to 256 bit

* The actual encryption strength on a secure connection using a digital certificate is determined by the level of encryption supported by the user's browser and the server that the Web site resides on. For example, the combination of a Firefox browser and an Apache Web server normally enables up to 256-bit AES encryption with certificates. This means that, depending on the Web browser and Web server that combine to establish the secure connection through an SSL certificate, the encryption strength of the secure connection may be 40, 56, 128, or 256 bit.

What is the difference between a Web Server SSL Certificate and a Wild Card Web Server SSL Certificate?
— A Web Server SSL Certificate secures a single domain name.
— A Wild Card SSL Web Server Certificate secures multiple sub-domains of a domain name.

When generating a Certificate Signing Request (CSR) for a Wild Card certificate, please add an asterisk (*) on the left side of the Common Name (e.g., "*.domainnamegoeshere.com" or "www*.domainnamegoeshere.com"). This will secure all subdomains of the Common Name.

Note: A Web server certificate only secures the exact fully qualified domain entered as the Common Name in your certificate signing request. Thus if your certificate secures "www.domainnamegoeshere.com" it will not secure the domain "domainnamegoeshere.com." If you need to secure both domains you must request a Web server certificate for each of them.
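
The coverage rules from this answer and from the earlier "www" versus bare-domain answer, as an added Python example that is not this CA's code. It assumes the common convention that a wildcard stands in for one left-most label only, and the host names are constructed from the FAQ's placeholder domain.

```python
"""Added example: which host names a certificate's Common Name covers."""


def _label_matches(pattern, label):
    """Match one DNS label against a pattern holding at most one '*'."""
    if "*" not in pattern:
        return pattern == label
    if pattern.count("*") > 1:
        return False
    prefix, suffix = pattern.split("*")
    # The '*' never spans a dot: it can only stand in for part of this label.
    return (len(label) >= len(prefix) + len(suffix)
            and label.startswith(prefix)
            and label.endswith(suffix))


def covers(common_name, host):
    """True if a certificate issued for common_name is valid for host."""
    cn = common_name.lower().rstrip(".").split(".")
    hn = host.lower().rstrip(".").split(".")
    # The label counts must be equal, so "*.domain" never matches the bare
    # domain or a name nested two levels down.
    if len(cn) != len(hn) or "" in hn:
        return False
    # A wildcard is honoured in the left-most label only.
    if any("*" in label for label in cn[1:]):
        return False
    return _label_matches(cn[0], hn[0]) and cn[1:] == hn[1:]


def coverage_report(common_name, hosts):
    """Map each host to whether the certificate would be accepted for it."""
    return {host: covers(common_name, host) for host in hosts}


# Constructed host names built from the page's placeholder domain.
HOSTS = [
    "www.domainnamegoeshere.com",
    "domainnamegoeshere.com",
    "shop.domainnamegoeshere.com",
    "a.shop.domainnamegoeshere.com",
]

if __name__ == "__main__":
    for cn in ("www.domainnamegoeshere.com", "*.domainnamegoeshere.com"):
        print(cn)
        for host, ok in coverage_report(cn, HOSTS).items():
            print(f"  {'covered' if ok else 'WARNING'}  {host}")
```

Under that convention the wildcard certificate covers neither the bare domain nor names nested more than one level deep, so those still need their own certificates.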

Certificate Issuance
How long does it take to issue an SSL certificate?
High Assurance Web Server Certificates
If all required documentation is provided and we successfully authenticate the submitted information, a High Assurance Web Server Certificate generally can be issued within 2-5 hours of CSR submission.


Turbo SSL Web Server Certificates
If all required documentation is provided and we successfully authenticate the submitted information, a Turbo SSL Web Server Certificate can be issued within minutes of CSR submission.

What information do you validate, and why?
High Assurance Web Server Certificate — Corporate Authentication Process
Before issuing an SSL certificate, we will authenticate that:
  • The certificate is being issued to an organization that is currently registered with a government authority.
  • The requesting entity controls the domain in the request.
  • The individual requesting the certificate is associated with the organization named in the certificate.
Note: Submitted information must successfully pass a fraud screening procedure before a Web Server Certificate can be issued.

Note that if the submitted documentation is written in a language other than English, an English translation must be submitted along with a copy of the original document(s).


High Assurance Web Server Certificate — Small Business/Sole Proprietor Authentication Process
Before issuing an SSL certificate, we will authenticate that:
  • The individual who requested the certificate is who he/she claims to be.
  • The individual requesting the certificate controls the domain in the request.
  • The individual named in the certificate is the individual who requested the certificate.
Note: Submitted information must successfully pass a fraud screening procedure before a Web Server Certificate can be issued.

Note that if the submitted documentation is written in a language other than English, an English translation must be submitted along with a copy of the original document(s).

Turbo SSL Web Server Certificate
Before issuing an SSL certificate, we will authenticate that:
  • The requesting entity controls the domain in the request.
Note: Submitted information must successfully pass a fraud screening procedure before a Web Server Certificate can be issued.

Our authentication process ensures the highest level of trust. Only through thorough validation of submitted data can the online customer rest assured that online businesses that display SSL certificates indeed are to be trusted.

What happens if validation fails?
If we are unable to authenticate the submitted information, the certificate request will be denied. In some cases, the requestor may be able to fix the problem by providing additional documentation to enable authentication. We will notify you if additional documentation is needed.

Note: If, when processing a High Assurance Web Server Certificate Request, we are unable to authenticate the existence/identity of the requesting entity, the requestor will have the option of aborting the validation process and instead having us issue a Turbo SSL Web Server Certificate, which relies on validation of domain control only. If the requestor declines this option, the certificate request will be denied.

How do I install my SSL certificate?
To install your certificate, you will need the original private key, which was created when you first generated your CSR. If you cannot find this key, or it cannot be accessed, you cannot use the certificate and you will have to get a new one. Click here for certificate-installation instructions for supported Web server software.

Certificate Requests
How do I generate a Certificate Signing Request (CSR)?
In order to purchase a digital certificate, you must first generate and submit a Certificate Signing Request (CSR) to a Certification Authority (CA). The CSR is generated with your Web server software, which will also create your public/private key pair used for encrypting and decrypting secure transactions. Click here for CSR-generation instructions for all supported server software.

Please note that if you are applying for a hosting-integrated certificate (i.e., the domain to which you wish to apply the SSL certificate is hosted with your certificate provider), then your hosting provider will generate and submit the CSR for you.

How do I monitor the progress of my certificate request?
You can monitor the status and progress of your certificate request in the certificate-management section of our SSL Web site.

How do I obtain a Domain Registration Letter?
If we are unable to verify a certificate-requesting entity's domain registration ownership and domain control via the Whois database (generally because the information in the Whois database cannot be found or does not match the information in the certificate request), the requestor must instead provide a Domain Authorization Letter from his/her domain registrar as documentation of domain registration ownership. If we successfully authenticate the letter, a Registration Authority (RA) associate will manually verify domain control.

In order to obtain a Domain Authorization Letter you must request it from your domain registrar. Consult your registrar for specific instructions.

If the domain in the certificate request is hosted with our Domains By Proxy affiliate, log in to your Domains By Proxy account and request the Domain Authorization Letter. Domains By Proxy will prepare the letter within 48 hours of the request.

Once you have obtained the Domain Authorization Letter, please fax or scan-and-e-mail it to us as proof of domain registration ownership. An RA associate will review the letter upon receipt.

Certificate Management
What happens when my certificate expires?
If you allow a certificate to expire, the certificate will be invalid and you will no longer be able to secure transactions on your Web site. We will prompt you to renew your SSL certificate in due time. You can renew a certificate for one or two years. Please note that a certificate can be renewed up to 120 days prior to and 30 days following the expiration date. If the certificate is allowed to expire, the visitor's browser will display a warning upon entering the Web site area that was supposedly protected with your SSL certificate.

How do I renew my certificate?
To renew an expiring SSL certificate, you must purchase a certificate-renewal credit from us; then log in to your SSL account and follow the provided instructions for requesting a certificate renewal. We will prompt you to renew expiring SSL certificates via e-mail. Renewal notices will be sent 30 and 15 days prior to the certificate's expiration date.

Please note that a certificate can be renewed up to 120 days prior to and 30 days following the expiration date. If the certificate is allowed to expire, the visitor's browser will display a warning upon entering the Web site area that was supposedly protected with your SSL certificate.

Depending on your choice of Web server software, you may or may not need to generate a new Certificate Signing Request (CSR) for the renewed certificate. If you are using Linux-based server software, you may use your existing CSR for the certificate renewal (you can also generate and submit a new one, if so desired). If you are running Microsoft IIS 4.x, 5.x, or 6.x on your Web server, it is strongly recommended that you generate and submit a new CSR before attempting to renew your SSL certificate.

Note: If any of the information in your CSR (including company name or address information) has changed, you must generate and submit a new CSR before your certificate can be renewed.

Once the renewed certificate has been signed and issued, we will e-mail it to you, along with our intermediate certificate and certificate-installation instructions for all supported Web servers.

If more than 13 months have elapsed since the last time we authenticated you or your company as part of the certificate-issuance process, you must submit your personal/company information again, as we will need to authenticate the information again before a renewed certificate can be issued. If you or your company were successfully authenticated less than 13 months ago, we will not need to re-verify your information in order to renew your certificate.


What does it mean to revoke a certificate?
A certificate holder may request that his/her certificate is revoked – i.e., deleted. A revoked certificate is instantly rendered invalid. Generally, a certificate should only be revoked if the security of the holder's private key has been compromised.

Consider revoking your certificate if any of the following situations occur:
  • Loss of your private key,
  • Your private key is compromised,
  • The certificate contains incorrect information.
A revoked certificate cannot be re-keyed, reissued or renewed.

What does it mean to reissue a certificate?
Reissuing a certificate means to reproduce an existing certificate. Certificates are generally reissued if the certificate holder has lost his/her certificate.

What does it mean to re-key a certificate?
Re-keying is the process of replacing an existing SSL certificate. Specifically, re-keying entails:
  1. Deleting/revoking an existing SSL certificate,
  2. Creating a new public/private key pair,
  3. Issuing a new SSL certificate.

The original certificate is automatically deactivated when the new one is issued.

Consider re-keying an SSL certificate if any of the following situations occur:

  • Loss of your private key,
  • Compromise of your private key,
  • Certificate does not work properly.

Note that the Distinguished Name (DN) in the replacement SSL certificate must be identical to the Distinguished Name in the SSL Certificate that is being re-keyed. In other words: The Common Name, Organization Name, Locality, State/Province, and Country — as entered in the Certificate Signing Request (CSR) — must be the same in both of the certificates. Certificate holders can have their certificates re-keyed at no expense.

You can only request a re-key within 30 days of initial issuance of the certificate. A maximum of two re-key requests is permitted within the 30-day period.

Intermediate Certificates
What is an intermediate certificate?
In order to enhance the security of the Root certificate (Valicert Class 2 Policy Validation Authority), we have created an intermediate certificate from which SSL certificates are signed and issued. An intermediate certificate is a subordinate certificate issued by the trusted root specifically to issue end-entity server certificates. The result is a trust chain that begins at the trusted root CA, passes through the intermediate and ends with the SSL certificate issued to you. Such certificates are called chained root certificates.

Creating certificates directly from the CA Root Certificate increases the risk of CA Root Certificate compromise, and if the CA Root Certificate is compromised, the entire trust infrastructure built by the SSL provider will fail. The usage of intermediate certificates for issuing SSL certificates to end entities, therefore, provides an added level of security. You must install the intermediate certificate in your Web server along with your issued SSL certificate.

Using intermediate certificates does not cause installation, performance or compatibility issues.

How do I install an intermediate certificate?
Once your Web Server Certificate has been issued, you will receive an e-mail message containing the issued certificate, along with our intermediate certificate and certificate-installation instructions for all supported Web servers. The certificates and installation instructions will be attached to the message in .ZIP format. Please download and unzip the attachment before proceeding to the installation process. The specific procedure through which the intermediate certificate is installed depends on the type of server software you are using. Please refer to the attached installation instructions for the specific installation process for your certificate, including the intermediate certificate.

Our intermediate certificate is also available from the repository.

What happens if I don't install the intermediate certificate?
Failure to properly install our intermediate certificate along with the issued Web Server Certificate means that the chain of trust cannot be established. This means that when visitors attempt to access your supposedly secure site, they will be presented with a "Security Alert" that indicates that "The security certificate was issued by a company you have not chosen to trust…" Faced with such a warning, potential customers most likely will take their business elsewhere.

Downloading and installing the intermediate certificate on your Web server will immediately fix this problem. The intermediate certificate is attached to the e-mail message you'll receive upon certificate issuance. It is also available from the repository.
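
Why the alert appears, as an added Python example that is not this CA's software: a visitor's browser holds only the root, so it can link your certificate to that root only if the server also sends the intermediate. The model follows issuer and subject names only (real validation also checks signatures, validity dates and revocation); the intermediate's name is a placeholder, and the root name is the one given on this page.

```python
"""Added example: why a missing intermediate breaks the chain of trust."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool = False


def build_path(leaf, sent_by_server, trusted_roots, max_depth=8):
    """Return (path, missing_issuer).

    path lists the subjects from the leaf up to a trusted root, or is None
    when no chain can be built; missing_issuer then names the certificate
    the server should have sent.
    """
    roots = {c.subject for c in trusted_roots}
    # Only CA certificates may act as issuers of other certificates.
    extras = {c.subject: c for c in sent_by_server if c.is_ca}
    path, current = [leaf.subject], leaf
    for _ in range(max_depth):
        if current.issuer in roots:
            return path + [current.issuer], None
        parent = extras.get(current.issuer)
        if parent is None or parent.subject in path:  # gap or loop
            return None, current.issuer
        path.append(parent.subject)
        current = parent
    return None, current.issuer


# Constructed sample. The intermediate's name is a placeholder, not the
# CA's real intermediate; the site name is the page's placeholder domain.
ROOT = Cert("Valicert Class 2 Policy Validation Authority",
            "Valicert Class 2 Policy Validation Authority", is_ca=True)
INTERMEDIATE = Cert("Example Intermediate CA (placeholder)",
                    ROOT.subject, is_ca=True)
LEAF = Cert("www.domainnamegoeshere.com", INTERMEDIATE.subject)

if __name__ == "__main__":
    for label, sent in (("leaf only", [LEAF]),
                        ("leaf + intermediate", [LEAF, INTERMEDIATE])):
        path, missing = build_path(LEAF, sent, [ROOT])
        if path:
            print(f"{label}: trusted via {' -> '.join(path)}")
        else:
            print(f"{label}: Security Alert, server did not send '{missing}'")
```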
