SSL Certificates FAQ

SSL is an acronym for “Secure Sockets Layer”. An SSL certificate is a file installed on a web server that allows, among other things:

  • the authentication of the server by the Certification Authority (Gandi/Comodo)
  • secure transmission and validated integrity of data sent between the website's visitor and the server.

When you choose to activate an SSL certificate on your server, you must answer a series of questions to prove the identity of your website and that of your company. Your web server will then create two digital keys (a key pair): one public, and one private.

The private key (the .key file) remains secret. You must not give it to anyone.

The public key is provided in what is called a CSR (Certificate Signing Request), which is a series of characters that contains your public key information. This CSR (.csr file) will be created by you during the process of generating your Gandi certificate. Public keys do not need to be kept secret; in fact, they are designed to be publicly shared.

Gandi (and/or Comodo, depending on the type of certificate you purchase) will, after performing the necessary checks, validate your certificate so that web browsers recognize it and establish an encrypted connection between the service hosted on the server (mail, website, …) and the computer running the web browser.

Who needs it & Why?

  1. Business users, email users, simple users (everybody).
  2. Protect sensitive information such as accounts, emails and credit cards from theft.
  3. Increase your ranking position by making your website trustworthy to search engines like Google.
  4. Make your website more valuable for customers by showing them that your website is secured.

HTTPS is the protocol that supports these security measures. On the Internet, you browse non-secure websites with HTTP and secure websites with the HTTPS protocol, for example:

Non-secure: http://www.gandi.net. | Secure: https://www.gandi.net

Web browsers will recognize certificates and establish an encrypted connection between the website hosted on a server and the users who want to reach gandi.net.

Certificates are renewed every year (certificates for 2 years are also available); free certificates auto-renew.

Standard

These are ideal for securing an administration interface, a members-only space, an intranet, webmail, etc.

Pro

These are ideal for securing E-Commerce websites, or a customer account zone with sensitive data for example. These certificates add a financial warranty to your certification.

Business

These are ideal for securing a large and popular E-Commerce website, or a site that handles highly sensitive data. These certificates offer the highest level of protection currently available in this type of certificate.

The CSR — Certificate Signing Request — is a series of characters that contains your public key information.

When you want to activate an SSL certificate on your server, you must prove the identity of your website and of your company. Your web server will then create two digital keys (a key pair): one public, and one private.

Public keys are designed to be publicly shared. Private keys — the .key file — remain secret. You must not give them to anyone.

The CSR — a .csr file — will be created by you during the process of generating your certificate.

On our “orders in progress” page, you will see something like this:

Step 2: Validation of the rights to the domain (yourdomain) Pending

Enter this in the DNS zone file for the domain: BFFD4FAD76429FCAAB36521CA1D30EF1.www.example.com. 10800 IN CNAME CF1DCB91B7A36AEA62151041ACEFB10779F79693.comodoca.com.

If you copy and paste the line that we give you into your zone file at Gandi, it will not work: you will get the error message OBJECT_DNS_RECORD+CAUSE_BADPARAMETER.

The solution is to remove the domain from the name of the record. For example, this is how the above record would need to look:

BFFD4FAD76429FCAAB36521CA1D30EF1.www 10800 IN CNAME CF1DCB91B7A36AEA62151041ACEFB10779F79693.comodoca.com.

(The www is there only because the address of the example certificate was www.example.com. If the certificate were just for example.com you would have nothing there, and if it were for another subdomain such as admin.example.com it would just be admin, etc.)

The method used to validate the ownership of a domain via DNS records has recently been modified to provide a more secure entry (SHA2).

If it does not work after waiting about 2 hours, then please check that your CNAME record name starts with an underscore “_”.
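The record conversion described above, as an added example that is not part of the original FAQ or of Gandi's tooling: it parses the CNAME line shown on the orders page, strips the domain from the owner name (covering the www, apex and other-subdomain cases), rejects lines that would trigger OBJECT_DNS_RECORD+CAUSE_BADPARAMETER, and checks for the underscore prefix of the newer record format. The sample line and token values are the FAQ's own example values; `to_gandi_record` and `uses_current_format` are names chosen here.

```python
import re

# Sample line exactly as the FAQ shows it on the "orders in progress" page.
SAMPLE_LINE = (
    "BFFD4FAD76429FCAAB36521CA1D30EF1.www.example.com. 10800 IN CNAME "
    "CF1DCB91B7A36AEA62151041ACEFB10779F79693.comodoca.com."
)

# <owner name> <ttl> IN CNAME <target>, whitespace-separated.
_CNAME_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+CNAME\s+(?P<target>\S+)$", re.IGNORECASE
)


def to_gandi_record(line: str, domain: str) -> str:
    """Strip the zone's domain from the owner name so Gandi's editor accepts it.

    `domain` is the registered domain whose zone you are editing (example.com).
    A line whose owner name is not under that domain is rejected: pasting the
    fully qualified name as-is is what triggers OBJECT_DNS_RECORD+CAUSE_BADPARAMETER.
    Case is compared insensitively but preserved in the output.
    """
    match = _CNAME_LINE.match(line.strip())
    if not match:
        raise ValueError("expected '<name> <ttl> IN CNAME <target>'")
    name = match["name"].rstrip(".")
    suffix = "." + domain.strip(".")
    if not name.lower().endswith(suffix.lower()):
        raise ValueError(f"{match['name']} is not a name inside {domain}")
    relative = name[: -len(suffix)]  # TOKEN.www, TOKEN.admin, or just TOKEN (apex)
    if not relative:
        raise ValueError("owner name carries no validation token")
    return f"{relative} {match['ttl']} IN CNAME {match['target']}"


def uses_current_format(relative_name: str) -> bool:
    """The FAQ notes the validation record name now starts with an underscore."""
    return relative_name.split(".")[0].startswith("_")


if __name__ == "__main__":
    rel = to_gandi_record(SAMPLE_LINE, "example.com")
    print(rel)
    print("underscore-prefixed (current format):", uses_current_format(rel))
```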

A Certification Authority (or CA) is responsible for delivering and assigning a certificate linking a domain name (and its subdomains) to an owner. It is also responsible for assigning an expiration date to them and maintaining a list of revoked and expired certificates.

Gandi is a hosted Certification Authority operated by Comodo.

Web browsers have a list of trusted Certification Authorities. When SSL connections are established, the web browser checks that the server's certificate has been provided by a trusted Certification Authority.

Without the intermediate certificate (described below) installed on your server, it may seem like the certificate does not 'work' correctly with Firefox.

Gandi issues its certificates from a certificate that is “intermediate,” or an inheritor of the trust of the root certificate from the certification authority.

This allows us to reduce risk, since all of Gandi's certificates can be revoked and reissued without revoking the root, should the intermediate certificate's trust become compromised. Most commercial certificate vendors use intermediate certificates for this reason.

More information is available at the Root_certificate article on Wikipedia.

You will want to download and install Gandi's intermediate certificate (also called the operational certificate authority) along with your Gandi SSL certificate so that visitors to your site can automatically download it and verify the trust chain. Instructions for doing this are provided along with those for installing your certificate.

A certificate is linked to a specific domain name, not a given IP address of a server which hosts the secure service.

If your service is hosted among several machines, only one certificate is necessary. Just ensure that servers with the right domain name (and/or subdomains) are used with the certificate.

You should use a wildcard, or “Multiple Address” certificate, if you want to secure multiple subdomains.

Certificate errors will appear otherwise.

Yes, you can install it on any server you like, as the certificate is tied to the domain name that you use to generate it rather than to any particular host.

However, in order to be considered valid, the corresponding domain name must resolve, in the DNS, to the host on which it is installed.

Note that in most cases you will need root (or administrator) access to the server on which you want to install the certificate.

In order to protect the end user, you have the possibility (starting with the Pro level offering) of adding additional insurance in the event the security of the certificate is breached.

This insurance will cover financial losses incurred by customers as a result of the breach.

This added service, the availability of which you can display on your site via our certification logo, gives your customers the assurance that the transaction is secure and guaranteed.

Having transactions insured makes your business safer to run, and safer for the customer to use, and thus more valuable.

Each level of SSL certificate has its own requirements:

The Standard SSL Certificate does not require additional identification beyond that provided in your username.

For the Pro SSL Certificate:

  • As an individual, you need a proof of residence and a copy of a passport or legal photo ID.
  • As a company or organization, you need a certified copy of the association's registration from the public agency that manages such registrations in your country.

For the Business SSL Certificate, you need:

Please see this page for detailed instructions.

Validation by DNS record implies that you have access to the DNS zone file for your domain—hosted or not at Gandi—and that you can add a CNAME record to it. You will be asked to add a special CNAME record to your domain's DNS zone file.

Validation by email requires that you have a specific email address available for each domain to be validated. This email address must be admin@yourdomain.com, i.e. the admin user on the domain being validated. You have a limited time to confirm by email, after which the operation will time out.

Validation by file requires that you have access to the web server that hosts the website to which the domain points. You are asked to copy a TXT file that contains a verification key, and to place it at the following location:

http(s)://www.yourdomain.com/.well-known/pki-validation/filename.txt

===== How Long Does Verification Take? =====

For the majority of cases, the verification process takes less than 24 working hours upon reception of the proof of ID, after which the certificate is provided.

Extended validation may, however, take longer, in the event that Comodo requests additional documentation from you.

===== My Verification is Not Being Processed. What do I do? =====

If you did not create an admin@ email account on the domain name you are trying to secure with your SSL certificate, and you have already sent in the CSR, your verification will not be processed. In this case, please create the admin@ email account, and then contact customer support. We will resend the email so your verification can proceed.

===== Do Gandi SSL Certificates Work With All Web Browsers? =====

Gandi's SSL certificates work with the majority of web browsers, starting with the versions shown in the table below:

^ Browser ^ Version ^
| Microsoft Internet Explorer | 5.01+ |
| Mozilla Firefox | 1.0+ |
| Opera | 7.0+ |
| Apple Safari | 1.2+ |
| Google Chrome | 1.0+ |
| AOL | 5+ |
| Netscape Communicator | 4.77+ |
| Camino | 1.0+ |
| Konqueror (KDE) | |
| Mozilla | 0.6+ |

The Green Bar, which is unique to the Business plan, will only be visible on the following web browsers:

^ Browser ^ Version ^
| Microsoft Internet Explorer | 7+ (Vista) |
| Microsoft Internet Explorer | 7+ (XP) |
| Opera | 9.5+ |
| Firefox | 3+ |
| Apple Safari | 3.2+ |
| Google Chrome | 1+ |

===== Do Gandi SSL certificates support Subject Alternative Names (SAN)? =====

Yes, they are called 'multi-domain' certificates, but are only available for Standard and Business (EV) certificates. You must define the main domain in your CSR, and fill in your alternative names via our interface during the order process. https://www.gandi.net/ssl

===== What does the warranty cover? =====

The warranty on the Pro and Business certificates is described in the SSL Contract (pdf) and in the Gandi Certification Practice Statement (pdf). The warranty does not apply to the Standard Certificate.