Reseller Help: CERT Help
Why should I purchase a digital certificate through OpenSRS instead of a CA?
What is a Certification Authority (CA)?
How long does a QuickSSL take to time out?
Is it legitimate for other companies to send renewal notices to my customers?
What is SSL?
Why do my customers need an SSL certificate?
What should I look for when purchasing a certificate?
What is a single root SSL certificate?
Which CAs have their own Trusted CA root present in browsers?
What validation process do SSL certificates use?
If I renew a certificate early will I lose any validity period?
What is the difference between QuickSSL and QuickSSL Premium?
What is a Wildcard certificate?
What is GeoTrust's certificate refund and replacement policy?
How long are digital certificates valid for?
What is browser ubiquity or browser recognition?
Why is my CSR invalid?
Why is my web server type not listed?
How can I get my Cert order refunded?
How do I renew IIS 5.0 SSL Certificates?
Why am I receiving the error “Unrecognized CA Root Authority” in my web browser?
What is the start date of my Certificate?
How do I install my Site Seal verification?
Q:What is SSL?


A:SSL (Secure Sockets Layer), together with TLS, is the Web standard for encrypting communications between users and e-commerce sites. Data sent via an SSL connection is protected by encryption, a mechanism that prevents eavesdropping on and tampering with any transmitted data. SSL provides businesses and consumers with the confidence that private data sent to a Web site, such as credit card numbers, is kept confidential. Web server certificates (also known as secure server certificates or SSL certificates) are required to initialize an SSL session.

Customers know they have an SSL session with a website when their browser displays the little gold padlock and the address in the address bar begins with https rather than http. SSL certificates can be used on web servers for Internet security and on mail servers (IMAP, POP3 and SMTP) to secure mail collection and sending.

Q:What is a Certification Authority (CA)?


A:Not just anybody can issue trusted SSL Certificates. If they could, then there would be no trust in SSL - and it could no longer be used commercially. Instead, only Certification Authorities, or CAs as they are commonly known, can issue trusted SSL Certificates.

CAs have generally invested in establishing the technology, support, legal and commercial infrastructures associated with providing SSL certificates. Even though CAs are essentially self-regulated, the nearest thing to a regulatory body is the WebTrust compliance program operated by AICPA/CICA. The majority of CAs comply with the WebTrust principles; however, some CAs do not have WebTrust compliance. Those CAs that are WebTrust compliant display a WebTrust Seal.


The WebTrust Seal of assurance for Certification Authorities symbolizes to potential relying parties [e.g. to the end customer] that a qualified practitioner has evaluated the CA's business practices and controls to determine whether they are in conformity with the AICPA/CICA WebTrust for Certification Authorities Principles and Criteria. An unqualified opinion from the practitioner indicates that such principles are being followed in conformity with the WebTrust for Certification Authorities Criteria. These principles and criteria reflect fundamental standards for the establishment and on-going operation of a Certification Authority organization or function.

Q:Why do my customers need an SSL certificate?


A:An SSL certificate is a 'must-have' for hosting customers who need to reassure their online customers that they are a legitimate business and that information passing between their browsers and the website cannot be intercepted. For any business managing financial transactions or dealing with sensitive customer data, an SSL certificate is a must.

Q:Why should I purchase a digital certificate through OpenSRS instead of directly through GeoTrust?


A:OpenSRS Service Providers have the opportunity to work with a single vendor for all their digital certificate needs in addition to being able to resell other value-added Internet services. Through OpenSRS, you can provision, track and manage certificate orders. You can also configure and automate your customer messaging for important events such as renewals. In addition, OpenSRS Service Providers can reap solid, recurring margins through pricing starting at 60% below retail.

Q:What validation process do SSL certificates use?


A:Companies that issue digital certificates, such as GeoTrust, provide consumers with confidence that the companies they secure are who they claim to be.

With physical companies, identification documents like photo IDs and papers of incorporation are used to tell consumers who they are, so that if their products or services are defective, buyers can seek recourse. Online companies rely on digital certificates to promote their legitimacy and to protect their customers' information. To apply for a digital certificate they must prove to the certificate authority (in this case GeoTrust) that they have the credentials to present themselves as who they are online.

There are different levels of documentation which a corporation will need to provide depending on the type of certificate they wish to purchase - from proof of domain ownership to letters of incorporation.

Customers wishing to purchase QuickSSL certificates need to prove that they are the owner of that domain. This tells online visitors that the URL "owners" are who they claim to be. This form of validation is a quicker, lower cost alternative to the True Business validation model.

Customers wishing to purchase True BusinessID and True Business Wildcard certificates must fax in their articles of incorporation or provide a DUNS number as part of the provisioning process. They will then be assigned a ChoicePoint Unique Identifier (CUI) - equivalent to a DUNS number. The CUI adds a corporate profile to the information embedded in the digital certificate which can be viewed by your visitors.

Q:Why is my CSR invalid?



A:To prevent the most common CSR errors, the following fields must NOT BE LEFT BLANK:

    Common Name
    Organization
    Locality
    State
    Country



The challenge password MUST be left blank. (This is different from the encryption password)

The full Common Name of the server’s URL must be specified in the CSR. Example: if the cert is for the URL http://www.mydomain.com, you must enter the Common Name as "www.mydomain.com", not as "mydomain.com".

Make sure the Common Name in the CSR matches the domain you are placing the order for.

The 2-letter country code MUST be the ISO3166 country code. You can check the country codes here http://www.iso.ch/iso/en/prods-services/iso3166ma/02iso-3166-code-lists/list-en1.html#g

No orders will be accepted for countries that are banned by U.S. export rules. Example: Angola, Bosnia, Burma, Cuba, Iran, Iraq, Korea (North), Libya, Montenegro, Serbia, Sudan and Yugoslavia (Republic of)

Paste the entire CSR into the textbox, including the
-----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- header and footer lines.

You can generate a CSR by following the link at
http://www.geotrusteurope.com/sbs/csr/
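
The checks listed above can be run before an order is submitted. The following is an added example, not code from OpenSRS or GeoTrust: it validates the values typed into the CSR generator and the armor of the pasted block. The function names, the sample values and the placeholder CSR body are assumptions constructed for illustration, and the country check covers only the 2-letter format, not membership in the ISO 3166 list.

```python
import base64
import re

# Field names as listed in the FAQ; all five must be filled in.
REQUIRED = ("Common Name", "Organization", "Locality", "State", "Country")

# Five dashes on each side. Some tools write "NEW CERTIFICATE REQUEST"; accepted here.
ARMOR = re.compile(
    r"\A-----BEGIN (NEW )?CERTIFICATE REQUEST-----\n"
    r"([A-Za-z0-9+/=\n]+)\n"
    r"-----END (NEW )?CERTIFICATE REQUEST-----\Z"
)


def check_fields(fields, ordered_domain, challenge_password=""):
    """Return a list of problems with the values typed into the CSR generator."""
    problems = [f"{name} is blank" for name in REQUIRED
                if not fields.get(name, "").strip()]
    if challenge_password:
        problems.append("challenge password must be left blank")
    cn = fields.get("Common Name", "").strip()
    if "/" in cn:
        problems.append("Common Name must be a hostname, not a URL")
    elif cn and cn.lower() != ordered_domain.strip().lower():
        problems.append(f"Common Name {cn} does not match order for {ordered_domain}")
    country = fields.get("Country", "").strip()
    if country and not re.fullmatch(r"[A-Z]{2}", country):
        # Format check only; membership in the ISO 3166 list is not verified here.
        problems.append("Country must be a 2-letter ISO 3166 code")
    return problems


def check_armor(pem_text):
    """Return a list of problems with the pasted CSR block."""
    text = pem_text.strip().replace("\r\n", "\n")
    m = ARMOR.match(text)
    if not m:
        return ["BEGIN/END CERTIFICATE REQUEST lines missing or malformed"]
    if m.group(1) != m.group(3):
        return ["BEGIN and END lines do not agree"]
    try:
        der = base64.b64decode(m.group(2).replace("\n", ""), validate=True)
    except ValueError:
        return ["body is not valid base64"]
    if not der or der[0] != 0x30:
        return ["body is not a DER SEQUENCE, so it cannot be a PKCS#10 request"]
    return []


# Constructed sample: a tiny placeholder DER SEQUENCE, not a real CSR.
SAMPLE_BODY = base64.b64encode(b"\x30\x03\x02\x01\x00").decode()
SAMPLE_PEM = (f"-----BEGIN CERTIFICATE REQUEST-----\n{SAMPLE_BODY}\n"
              "-----END CERTIFICATE REQUEST-----\n")
SAMPLE_FIELDS = {"Common Name": "www.mydomain.com", "Organization": "Example Inc",
                 "Locality": "Toronto", "State": "Ontario", "Country": "CA"}

if __name__ == "__main__":
    print(check_fields(SAMPLE_FIELDS, "www.mydomain.com"))
    print(check_armor(SAMPLE_PEM))
```

A header line that has lost one of its five trailing dashes during copy and paste is reported by `check_armor` as malformed.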

Q:Why am I receiving the error “Unrecognized CA Root Authority” in my web browser?



A:The CA Root used is "Equifax", and the fully supported browser list is here:

http://www.geotrust.com/quickssl/browsers/index.htm

If you run into a browser that does not include the Equifax root by
default, please let us know, and we can work on getting it installed
into a future release of that browser.

Also, if you need to download any of the roots to preinstall, you can
get them here:

http://www.geotrust.com/resources/roots/index.htm



Q:What is the start date of my Certificate?



A:The start date of the Cert itself will become the date that the Cert is
fully issued.

For one of the True Business ID products, which require the Organization
Name to be verified, Geotrust's turn-around time for the
verification/issue process is about 3-4 days from the date you place the
order.

For the QuickSSL products, if the Approver Email address confirms the
request the same day that you place the order, then that Cert will be
issued the same day and the start date of the Cert will also be the day
you placed the order.



Q:Why is my web server type not listed?



A:GeoTrust only uses the "Web Server Type" field for information-gathering and technical support purposes. If your server type is not listed, you can select any one of the web server types, or the "Other" option. It does not affect the issuing of the Certificate itself.

Please be sure to select a server type before processing the order.



Q:How do I install my Site Seal verification?



A:All "TrueBusiness ID" and "QuickSSL Premium" Cert orders from GeoTrust include a Site Seal.
Here are the instructions for how to install that seal. An example of it
is also at the bottom of this page:

http://www.geotrust.com/true_site/install.htm



Q:How can I get my Cert order refunded?



A:Once the Cert has been successfully issued, you need to follow up with GeoTrust directly for any Refunds, Revokes, or Cancellations.

Once GeoTrust has revoked the cert, the funds will be automatically refunded to your Reseller account balance.

If you require a replacement Certificate, you can place a New order via your Reseller Interface. GeoTrust will Revoke/Cancel the original order
once the Replacement cert has been successfully issued.

Once you have the replacement cert, have installed it successfully and there are no further issues with it, let GeoTrust know that you have
the replacement and require the original order revoked.

As per GeoTrust's refund policy, the original order refund must be requested seven days from the original issuance date.

The full refund policy is listed here, and under the Digital Certificate tab in your reseller interface:
https://certs.tucows.com/geotrust_agreements/refund.htm

Geotrust can be reached via the following:
1-866-GEOTRUST
1-678-942-0400
http://smb.attenza.com/frontend/login.aspx?ID=%7b66cf91c1-3286-4930-be96-c00be5aa054a%7d



Q:How do I renew IIS 5.0 SSL Certificates?


A:The renewal request option within IIS 5.0 does not create a request in PKCS10 format. This may be corrected with a future Service Pack. IIS 5.0 does not allow a site that is currently running SSL to generate a certificate signing request (CSR) without removing the existing certificate. For most sites this is not an option, since the site will not be able to run an SSL session while the certificate is being processed. To obtain a certificate for your existing web site you will have to do the following. Please read and print these instructions before submitting your new certificate request.

1. Leave your existing site that currently has the certificate installed alone.

2. Create another virtual site within IIS (this does not have to be a functional site).

3. Enter Properties for the newly created virtual site, then go to the Certificate Wizard to create a new certificate request. The information you enter on this certificate request should match exactly the information on your production certificate, since that is the existing certificate this new CSR will replace. For QuickSSL certificates, you can enter anything you like for the Organizational Unit (OU) as this will be replaced by Geotrust's information when the cert is issued.

Only certs that require manual validation of your Organization, such as True Business IDs, will need the OU information to match the current production certificate.

4. Submit the new certificate order through the OpenSRS system.

5. Wait for the new certificate file to be emailed to you from support@geotrust.com.

6. Install this certificate into your new virtual site: process the pending request by selecting the certificate file GeoTrust sent you. Complete the installation of your new certificate into your virtual web site.

7. Now delete the new virtual site!

8. Go to your Production web site, enter Properties, and select Replace the current certificate - choose the new certificate from the list.

9. Make sure you bind the web site to a unique IP address at Port 443, then Stop and then Start your web site. Your new certificate should be installed.

10. When convenient, go into your MMC console (with Certificate snap-in added) and delete the old certificate.


Q:My customers have received renewal notices from other companies. Is this legitimate?


A:Geotrust competitors may have sent your customers certificate renewal notices and solicitations that specifically relate to the domain owned by your customer. It is important to educate your customers about this possibility and instruct them that they need not respond to such notices. If they do respond to such notices then they will be effectively purchasing a certificate that does not come from you. Our sample renewal message in the Reseller Resource Centre is one example of how you can educate customers about misleading renewal notices: http://rrc.tucows.com/resources/market/saleskits/certs_renewal.doc

Q:What should I look for when purchasing a certificate?


A:There are several factors to consider before purchasing a certificate. Ask yourself the following questions:

* What is the reputation and credibility of the certificate authority (CA)? How long have they been in business? How large is their customer base?
* How ubiquitous is the root? Is it embedded in all of the popular browsers and therefore accessible to the widest audience?
* Is the root owned by the CA, or is it a 'chained root' that "borrows" the browser recognition of a Trusted Root CA?
* What tools are at hand to assist you in managing your certificate? How easy is it to install, renew or revoke (if the certificate is compromised) a certificate?
* Who vets the customer documentation prior to issuing the certificate? Is it the CA or has the responsibility been delegated to someone else?


Q:What is a single root SSL certificate?


A:When connecting to a webserver over SSL, the visitor's browser decides whether or not to trust the website's SSL certificate based on which Certification Authority has issued the actual SSL certificate. To determine this, the browser looks at its list of trusted issuing authorities - represented by a collection of Trusted Root CA certificates added into the browser by the browser vendor (such as Microsoft and Netscape).

Most SSL certificates are issued by CAs who own and use their own Trusted Root CA certificates, such as those issued by GeoTrust. As GeoTrust is known to browser vendors as a trusted issuing authority, its Trusted Root CA certificate has already been added to all popular browsers, and hence is already trusted. These SSL certificates are known as "single root" SSL certificates. GeoTrust owns the Equifax Secure eBusiness CA-1 root used to issue its certificates.

Some Certification Authorities, like Comodo, do not have a Trusted Root CA certificate present in browsers, therefore they need a "chained root" in order for their certificates to be trusted - essentially a CA with a Trusted Root CA certificate issues a "chained" certificate which "inherits" the browser recognition of the Trusted Root CA. These SSL certificates are known as "chained root" SSL certificates.

Installation of chained root certificates is more complex, and some web servers are not compatible with chained root certificates.

For a Certification Authority to have its own Trusted Root CA certificate already present in browsers is a clear sign that it is a long-standing, stable and credible organization with a long-term relationship with the browser vendors (such as Microsoft and Netscape) for the inclusion of its Trusted Root CA certificate. For this reason, such CAs are seen as being considerably more credible and stable than chained root certificate providers who do not have a direct relationship with the browser vendors.

You can view the Certification Authorities who have their own root certificates by viewing the list in your browser.


Q:Can I see which Certification Authorities have their own Trusted CA root present in browsers?


A:Yes. Your browser contains a Trusted CA root certificate store. You can access this by opening Internet Explorer, then going to Tools, selecting Internet Options, selecting the Content tab, clicking Certificates, and selecting the Trusted Root Certification Authorities tab. You will then see a dialog box presenting a list of all Certification Authorities who own their own Trusted CA roots (you can examine a root certificate by double-clicking it).

GeoTrust owns the Equifax root (Equifax Digital Certificate services became GeoTrust in 2001).


Q:If I renew a certificate early will I lose any validity period?


A:No, if a GeoTrust certificate is renewed early, GeoTrust will honor the remaining validity period and add it on to the life of the new certificate issued from GeoTrust (up to 90 days).

Q:What is the difference between QuickSSL and QuickSSL Premium?


A:QuickSSL Premium comes with all the features and benefits of QuickSSL, but also includes the QuickSSL Premium smart seal with dynamic date/time stamp. The smart seal is dynamically generated by GeoTrust and ensures that the domain has been authenticated by GeoTrust. Visitors to your site will also be able to click on the smart seal to verify that your certificate is still valid with GeoTrust, giving your customers an extra peace of mind.

Q:What is a Wildcard certificate?


A:A wildcard certificate may be used for situations where several same-domain web sites need to be secured but the hostnames or sub-domains vary. In accordance with the certificate licensing agreement, you can secure as many sub-domains on one physical box as you would like as long as they share the same second level domain name. In order for you to do this, the domain/common name in the CSR would need to be "*.mydomain.com". The asterisk is a place holder and enables you to secure different sub-domains that share the same base/second level domain name such as "mydomain.com" in our example. If you need to secure sub-domains on multiple boxes, you will need to purchase separate wildcards for each box. Here is an example of sub-domains with the same second level domain:

www.mydomain.com
w1.mydomain.com
secure.mydomain.com
money.mydomain.com
trash.mydomain.com


All of these have the same second level domain "mydomain.com" but different hostnames. One wildcard certificate of the form "*.mydomain.com" could serve all these web sites.

The wildcard is really useful in situations like that above, or when a web hosting service puts customer branding in the host name but all of the sites share the same domain. For example: a Web Hosting Service offers its Fortune 500 clients a convenient shopping cart with their own brand name -
cnn.mydomain.com
pepsi.mydomain.com
fordmotorcompany.mydomain.com
amazon.mydomain.com
fedex.mydomain.com
compusa.mydomain.com
jspennys.mydomain.com
sears.mydomain.com

All of these individualized web sites can be secured with one and the same wildcard of the form: *.mydomain.com

Wildcards can also have more than three fields, such as:

*.*.domain.com
or
*.*.*.*.*.domain.com


If you are running IIS 5.0, you cannot get a multi-asterisk wildcard. You can only get a single asterisk wildcard.
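
How a wildcard name is compared with a hostname can be shown label by label. The following is an added example, not GeoTrust's or any browser's code: each asterisk stands for exactly one label, so "*.mydomain.com" covers the sub-domains listed above but not the bare domain or a deeper name. The function names are assumptions, and the multi-asterisk forms are matched only in the sense this FAQ describes; RFC 6125 tells clients not to match a wildcard outside the left-most label.

```python
def _labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.strip().rstrip(".").lower().split(".")


def wildcard_matches(pattern, hostname):
    """True if hostname is covered by pattern, one '*' label per hostname label."""
    p_labels, h_labels = _labels(pattern), _labels(hostname)
    if len(p_labels) != len(h_labels):
        # '*' never absorbs zero labels or several labels.
        return False
    for p, h in zip(p_labels, h_labels):
        if not h:
            return False          # empty label, e.g. "a..mydomain.com"
        if p != "*" and p != h:
            return False
    return True


def is_leftmost_only(pattern):
    """True for the single-asterisk form that RFC 6125 clients accept."""
    labels = _labels(pattern)
    return labels[0] == "*" and all("*" not in label for label in labels[1:])


def coverage(pattern, hostnames):
    """Map each hostname to whether the pattern covers it."""
    return {h: wildcard_matches(pattern, h) for h in hostnames}


# Hostnames from the FAQ plus two constructed edge cases.
SAMPLE_HOSTS = [
    "www.mydomain.com",
    "secure.mydomain.com",
    "pepsi.mydomain.com",
    "mydomain.com",               # constructed: bare domain, not covered
    "shop.secure.mydomain.com",   # constructed: two labels deep, not covered
]

if __name__ == "__main__":
    for host, ok in coverage("*.mydomain.com", SAMPLE_HOSTS).items():
        print(f"{host:28} {'covered' if ok else 'NOT covered'}")
    print(is_leftmost_only("*.*.domain.com"))
```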

Q:What is GeoTrust's certificate refund and replacement policy?


A:You can replace a certificate for free, for the lifetime of the certificate, provided all core certificate details are the same. Simply search for the certificate order item in RWI2 and click on the 'resend certificate' button at the bottom of the page.

The refund policy for all certificates can be accessed here: https://rrc.tucows.com/wholesale_services/DigitalCertificates/refundpolicy


Q:How long are digital certificates valid for?


A:All certificates are valid for 1 to 3 years.

When your customer's SSL certificate approaches expiry, RWI2 enables you to send an automated message to your customer at set intervals before the expiry date as well as the date of the expiry.

Q:What is browser ubiquity or browser recognition?


A:Browser ubiquity is the term used in the industry to describe the estimated percentage of Internet users that will inherently trust an SSL certificate. The lower the browser ubiquity, the fewer people will trust your certificate - clearly, if you are operating a commercial site you require as many people as possible to trust your SSL certificate. As a general rule, any SSL certificate with over 95% browser ubiquity is acceptable for a commercial site.

Ubiquity is, however, not the only consideration in deciding whether one SSL certificate is better than another. Businesses that need to maximize customer confidence buy certificates from well-known, long-time security vendors such as GeoTrust, which is WebTrust compliant.


Q:Once the approver email is sent out, how long does it take for a QuickSSL to time out if they don't respond?


A:If the Approver Email for a cert is not answered within 5 days, the order will automatically be cancelled and the Reseller will be refunded the full amount.