1.3.8 SSL certificates and how to activate them

(Image: SSL Security banner)

What is an SSL certificate and why is it needed

When using the Internet, you have probably encountered the following error:

(Screenshot: the “The connection is not secure” error on a site without SSL)

This and similar errors of the “Connection is not secure” type mean that you tried to open the site over the secure HTTPS protocol rather than the unencrypted HTTP version, but no valid SSL certificate is currently connected to that site.

What are HTTPS and SSL? Why do browsers warn against visiting such sites? What does the message “The connection is not secure” actually mean? We explain this below in simple terms.

The fact is that by default your data is transmitted over the Internet in unencrypted form (the HTTP protocol). This means that anyone with access to the network path could potentially intercept and read your sensitive information: logins, passwords, credit card numbers, and so on. This is a serious security risk, especially in a world where online transactions and exchanges of sensitive data are becoming more common.

It was in order to protect the exchange of data between your browser and a remote site that the SSL (Secure Sockets Layer) protocol and its modern successor TLS (Transport Layer Security) were created. They use public key cryptography to encrypt the data sent between client and server, so that an attacker who intercepts the traffic cannot read or alter it.

What role do SSL certificates play in this?

An SSL certificate is, roughly speaking, a digital identity issued to a website by a Certification Authority (CA). It confirms that the server you are talking to is the legitimate holder of that domain name (and, for higher validation levels, identifies the organization behind it). When you visit a site at https://, your browser checks the SSL certificate it presents. If the certificate is valid, chains to a CA the browser trusts and matches the domain, the browser establishes an encrypted connection with the site’s server. If the certificate is invalid, you will see the error you are already familiar with.

Additional: How does SSL/TLS work on a technical level?

When you send a request to an HTTPS-protected website, the server responds with its SSL certificate, which includes a public key to encrypt the data. Your browser then verifies this certificate to ensure that it is genuine and that it was issued by a trusted certificate authority.

After successful verification, your browser creates a secret session key that will be used to encrypt data during the rest of the session. In the classic RSA key exchange this key is encrypted with the server’s public key and sent back to the server; modern TLS versions (TLS 1.3) instead derive the session key with an ephemeral Diffie-Hellman exchange and use the certificate’s key only to sign the handshake, which gives forward secrecy. Either way, the result is the same: both sides end up with a shared secret that no eavesdropper knows.

Now both the client and server have a shared secret key to encrypt and decrypt data during the session. This ensures the confidentiality of the transmitted information.

In addition, SSL/TLS ensures data integrity by attaching an integrity check (a message authentication code, or authenticated encryption in modern cipher suites) to each record, which lets the receiver verify that the data has not been changed in transit.
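To make the certificate checks described above concrete, here is an added example in Go (not code from the original article or from the hosting provider) that builds a throw-away test CA and a server certificate for the constructed name www.example.test, then runs the same three checks a browser performs: is the issuer trusted, is the certificate within its validity period, and does it carry the host name the user typed. Each failing case corresponds to one reason a browser shows “The connection is not secure”. The CA name, host names and dates are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate from tmpl. With parent == nil the certificate is
// self-signed (a root CA); otherwise it is signed with parentKey, the parent's key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := key
	if parent == nil {
		parent = tmpl
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// checkServerCert mirrors what a browser does with the certificate a server
// presents: it must chain to a trusted CA, be within its validity period and
// carry the host name the user typed. It returns a short verdict.
func checkServerCert(leaf *x509.Certificate, trusted *x509.CertPool, host string, now time.Time) string {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:       trusted,
		DNSName:     host,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	var hostErr x509.HostnameError
	var authErr x509.UnknownAuthorityError
	var invErr x509.CertificateInvalidError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &hostErr):
		return "name mismatch"
	case errors.As(err, &authErr):
		return "untrusted issuer"
	case errors.As(err, &invErr) && invErr.Reason == x509.Expired:
		return "expired"
	default:
		return "invalid: " + err.Error()
	}
}

// runScenarios builds a constructed test CA and server certificate and
// reproduces the usual causes of the "connection is not secure" warning.
// It returns scenario name -> verdict.
func runScenarios() (map[string]string, error) {
	now := time.Date(2024, 1, 15, 12, 0, 0, 0, time.UTC) // fixed clock for reproducibility
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	ca, caKey, err := issue(caTmpl, nil, nil)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "www.example.test"},
		DNSNames:     []string{"www.example.test", "example.test"}, // browsers match against SANs
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, _, err := issue(leafTmpl, ca, caKey)
	if err != nil {
		return nil, err
	}
	trusted := x509.NewCertPool() // plays the role of the browser's root store
	trusted.AddCert(ca)
	unknown := x509.NewCertPool() // a browser that has never heard of this CA
	return map[string]string{
		"trusted CA, right name": checkServerCert(leaf, trusted, "www.example.test", now),
		"trusted CA, SAN name":   checkServerCert(leaf, trusted, "example.test", now),
		"trusted CA, wrong name": checkServerCert(leaf, trusted, "shop.example.test", now),
		"CA not in root store":   checkServerCert(leaf, unknown, "www.example.test", now),
		"trusted CA, expired":    checkServerCert(leaf, trusted, "www.example.test", now.Add(100*24*time.Hour)),
	}, nil
}

func main() {
	results, err := runScenarios()
	if err != nil {
		panic(err)
	}
	for scenario, verdict := range results {
		fmt.Printf("%-24s -> %s\n", scenario, verdict)
	}
}
```

The “CA not in root store” case is exactly what a self-signed or improperly installed certificate looks like to a visitor, and “wrong name” is what happens when a certificate ordered for www.yourdomain is used on a different host name; both produce the warning even though encryption itself would work.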

Necessary steps to connect SSL to the site

Unfortunately, simply ordering and paying for SSL is not enough to automatically activate the HTTPS protocol on your website. Below we describe the full sequence of steps needed to connect SSL:

1. Selection, order and payment of the certificate you need. We have detailed step-by-step instructions on this topic. The choice itself can be made on our website.

2. Passing validation. Validation is a mandatory procedure and a condition for issuing an SSL certificate. There are several levels, the basic and most common of which is Domain Validation. All validation types are described later in this article. Only after successful validation will you receive the certificate files by email and be able to proceed to installation and connection.

3. Installation and connection to your site. The certificate files sent to you by email and the private (secret) key you received when ordering must be used together to install the certificate and connect it to the site. We have a separate step-by-step instruction on how to install it on our hosting or on any other service with the ISPManager4 control panel.

The type of validation depends on the certificate itself and is shown in the list of available SSL certificates on our site. There are three main types, each of which is described in detail below.

Important: validation is a mandatory procedure and a security requirement for any type of commercial SSL. It must be repeated each time the certificate is reissued (every year), even if the certificate was ordered and paid for several years in advance.

SSL certificate with domain validation

An SSL certificate with domain validation (DV) has the easiest and fastest validation. The procedure confirms that you control the domain for which you ordered the certificate. Such certificates are available to everyone: enterprises, individual entrepreneurs and individuals.

To activate it, you do not need to provide any documents; you just need to pass verification using one of the following methods:

1. By Email

The easiest and fastest validation method, which is also the default for all new SSLs.

The certification authority sends a letter to one of five permitted email addresses: admin@yourdomain, administrator@yourdomain, hostmaster@yourdomain, webmaster@yourdomain or postmaster@yourdomain. The letter contains a verification code and a link to the page where this code must be entered to pass validation. If none of these mailboxes existed at the time of the order, it does not matter: create one of them and contact our Support Service with a request to resend the validation email to the address you created.

To log in to that mailbox, you can use any convenient mail client, including our built-in webmail. After logging in, you will find an email with the subject line Domain Control Validation for Order #order_number. The letter looks like this:

(Screenshot: the validation letter)

Next, copy the verification code and click the Complete Domain Control Validation button. You will be redirected to the certification authority’s website, where the verification code must be pasted into the form; then click NEXT >:

(Screenshot: entering the verification code on the CA website)

If the entered code is correct, validation will be successful.

2. Verification file

As part of your request to change the validation method, our Help Desk will provide you with a text file and the address where it must be placed. This address is based on your domain, for example: https://yourdomain.com/.well-known/pki-validation/C65DB93022457938F7123ASDF35E11B.txt. The .txt file contains a hash derived from your CSR. The file must be publicly accessible over HTTP/HTTPS at exactly that path so that the certification authority can read it; a login page, a redirect to another host or a 404 will fail the check.

3. CNAME DNS record

As part of your request to change the validation method, our Support Service will provide you with a DNS record of the CNAME type, which you will need to create for your domain. This method usually takes the longest (the record must propagate before the CA can see it), so we recommend it only if you have difficulties with the previous two.

Important: Email confirmation is always set by default for every new order. This means that to change the validation method to an alternative one, you will need to contact our Support Service for further instructions.
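Before asking Support to trigger a re-check, it helps to verify your own setup the way the CA will see it. The following Go program is an added example, not code from the original article or from the hosting provider: it lists the five permitted validation mailboxes for a domain, builds the exact URL for the file method and checks that the file is served with HTTP 200 and the expected content (ignoring line-ending and trailing-whitespace differences that editors add), and checks that a CNAME points at the target the CA asked for (case and trailing dot ignored). The fetch and DNS steps are injectable so the checks can be run against constructed responses; the domain, file name, file content and CNAME values in main are placeholders to be replaced with what Support sends you.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"strings"
)

// Fetcher retrieves a URL and returns the HTTP status code and body.
// httpFetch is the real implementation; constructed fakes are used in checks.
type Fetcher func(url string) (status int, body string, err error)

// Resolver returns the canonical (CNAME) name of a host; net.LookupCNAME fits.
type Resolver func(host string) (string, error)

// httpFetch fetches a URL with the standard library client (follows redirects).
func httpFetch(url string) (int, string, error) {
	resp, err := http.Get(url)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(io.LimitReader(resp.Body, 64*1024)) // the token file is tiny
	return resp.StatusCode, string(b), err
}

// ValidationEmails lists the five mailboxes a CA may send the validation
// letter to for the given domain (the set named in the article).
func ValidationEmails(domain string) []string {
	domain = canon(domain)
	out := make([]string, 0, 5)
	for _, local := range []string{"admin", "administrator", "hostmaster", "webmaster", "postmaster"} {
		out = append(out, local+"@"+domain)
	}
	return out
}

// IsValidationEmail reports whether addr is one of the permitted mailboxes for domain.
func IsValidationEmail(addr, domain string) bool {
	addr = strings.ToLower(strings.TrimSpace(addr))
	for _, e := range ValidationEmails(domain) {
		if e == addr {
			return true
		}
	}
	return false
}

// ValidationFileURL builds the address the CA reads for the file method.
func ValidationFileURL(scheme, domain, filename string) string {
	return scheme + "://" + canon(domain) + "/.well-known/pki-validation/" + filename
}

// CheckValidationFile verifies that the file is publicly readable at the exact
// URL and that its content matches the text the CA provided.
func CheckValidationFile(fetch Fetcher, url, expected string) error {
	status, body, err := fetch(url)
	if err != nil {
		return fmt.Errorf("fetch %s: %w", url, err)
	}
	if status != http.StatusOK {
		return fmt.Errorf("%s returned HTTP %d; the CA needs 200", url, status)
	}
	if normalize(body) != normalize(expected) {
		return errors.New("file content does not match the text provided by the CA")
	}
	return nil
}

// normalize removes line-ending and surrounding-whitespace differences only.
func normalize(s string) string {
	return strings.TrimSpace(strings.ReplaceAll(s, "\r\n", "\n"))
}

// CheckCNAME verifies that host resolves, via CNAME, to the target the CA asked for.
func CheckCNAME(resolve Resolver, host, target string) error {
	got, err := resolve(host)
	if err != nil {
		return fmt.Errorf("lookup %s: %w", host, err)
	}
	if canon(got) != canon(target) {
		return fmt.Errorf("%s points to %q, expected %q", host, got, target)
	}
	return nil
}

// canon lower-cases a DNS name and strips whitespace and the trailing dot.
func canon(name string) string {
	return strings.ToLower(strings.TrimSuffix(strings.TrimSpace(name), "."))
}

func main() {
	domain := "yourdomain.example" // placeholder: the domain you ordered the certificate for
	fmt.Println("permitted validation mailboxes:", ValidationEmails(domain))
	// Placeholders below stand for the file name, file text and CNAME values Support sends you.
	url := ValidationFileURL("https", domain, "PLACEHOLDER-HASH.txt")
	if err := CheckValidationFile(httpFetch, url, "PLACEHOLDER-FILE-CONTENT"); err != nil {
		fmt.Println("file method:", err)
	}
	if err := CheckCNAME(net.LookupCNAME, "placeholder-host."+domain, "placeholder-target.example."); err != nil {
		fmt.Println("CNAME method:", err)
	}
}
```

Running it with the real values fails fast on the most common mistakes: the file saved with an extra blank line is accepted, but a file at the wrong path, behind a redirect to another host, or a CNAME created for the bare domain instead of the host name Support specified, is reported before the CA’s slower re-check.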

What is Brand Validation?

Certification authorities may require manual verification if the order falls under so-called Brand Validation (brand verification). There are several reasons why an order may be held for manual review:

  • Order from the following countries: South Korea, North Korea, Sudan, Afghanistan, Iran or Iraq.
  • The target domain name includes a famous brand, such as sony-shop.net, dellshop.com or facebook.com.ua. The match is a plain substring check, so false positives happen: the domain sibmama.com.ua may be subject to brand verification because of the ibm part of the address, due to its similarity with the world-famous trademark IBM.
  • The domain name has “stop words” associated with cyber crime. For example: pay, online, secure, booking, shop, bank, transfer, money, e-payment, payment, protection, violence, and others.

Fortunately, the need for manual Brand Validation arises very rarely, and the sibmama.com.ua example above is the exception rather than the rule.

SSL certificates with Organization Validation (OV)

(Image: Organization Validation banner)

SSL certificates with organization validation are available for order only to legal entities. The process takes about 2-5 business days if all documents are submitted on time.

The organization verification process includes the following steps:

1. Domain verification. Identical to the domain validation described above.

2. Company verification. To verify the organization, you may need to provide official documents to the certification authority; usually they require the organization’s license, certificate of incorporation or statutory documents. You can send them by fax or by email in PDF/JPG format. The real existence of the organization is verified through open state registers, using the company name or its unique identification number. The company can also be verified through publicly available electronic directories such as Dun & Bradstreet, Hoovers, Companies House GOV.UK, Lursoft.lv, etc.

You can look up the company’s unique Dun & Bradstreet (DUNS) number on the Dun & Bradstreet website by entering the English transliteration of the Ukrainian company name (a transliteration, not a translation).

The company address can be verified using one of the following documents:

  • Charter of the company (indicating the address);
  • State license for entrepreneurial activity (indicating the address);
  • A copy of a recent company bank statement;
  • A copy of the latest telephone bill;
  • A copy of the company’s most recent major utility bill (water, electricity, etc.) or a current lease agreement for the company.

The WHOIS output for the domain must contain the organization’s name, and that name must match the name in the unified state register of legal entities.

3. Verification call. The SSL service provider calls the phone number listed for your organization in the international Dun & Bradstreet database (Kompass.com and Infobell can also be used to validate the phone number and company address) and asks for the person listed as the domain’s administrative contact. This person must know the order number provided by the Certification Center and be able to confirm the order in English.

When issuing an OV certificate, the order is confirmed by telephone as follows: an email is sent to the customer’s technical contact address containing a link to the Comodo provider portal. Follow the link and click the Call Me Now button, after which you will receive a 6-digit code on your contact phone number. Enter the code on the provider portal and click Submit to complete the verification procedure.

Important: the company name and its contact details must match exactly across all documents, information sources, the CSR and the domain’s WHOIS record.

To speed up and simplify certificate issuance, we recommend registering a DUNS number for your company. DUNS is a kind of electronic passport for a legal entity. This is optional and gives no guarantee of SSL issuance, but having a DUNS number simplifies the CA’s verification process.

To change the phone number or company name (if your data does not match the Dun & Bradstreet database), contact that organization’s representative office in Ukraine.

Extended Validation SSL certificates

(Image: Sectigo partner banner)

Extended Validation (EV) SSL certificates undergo the most thorough verification. It takes about 4-7 business days if all documents are completed correctly and on time, so such a certificate must be ordered and reissued in advance.

In fact, the Extended Validation procedure does not differ significantly from the Organization Validation procedure described earlier.

The main difference is the need to fill out and send two forms to the certification authority, which are available at the address provided.

Examples of completed forms: first and second.

After filling them out, send scanned copies to docs@sectigo.com with the certification authority’s order number in the subject line. The order number appears in letters from Sectigo/Comodo; you can also always check it with our Support Service. Sometimes the certification authority asks for the completed forms to be notarized. Other SSL providers (for example GeoTrust or RapidSSL) send all the necessary forms to your domain’s contact email address.

The subsequent validation stages are the same as those already described:

1. Domain check, as described above.

2. Organization check, as described above.

3. Callback, as described above in step 3 of the organization validation section.