SSL Certificates Questions Answers
Do I need warranty?
In actuality, the warranty is insurance that protects the CA should they make a mistake. Symantec™ takes it a step further, for an additional cost, by providing insurance to protect a compromise of a private key or loss of a certificate. The warranty level specifies the financial protection awarded to end user customers against the CA miss-issuing an SSL Certificate. If a customer suffers financial loss as a direct result of relying on information within a miss-issued SSL Certificate, that loss is protected by insurance held by the CA to cover related claims.
Do I require a single root or intermediate SSL certificate?
Most SSL certificates are issued by Certification Authorities (CAs) who own and use their own Trusted Root CA certificates. GeoTrust and RapidSSL.com are well known to browser vendors as a trusted issuing authority so their Trusted Root CA certificates have already been added to all popular browsers establishing immediate trust. These are "single root" SSL certificates. RapidSSL.com is a subsidiary of GeoTrust and owns the Equifax roots used to issue its certificates.
Some CAs don't have a Trusted Root CA certificate present in browsers or don't use the root they own. Instead they gain trust for their SSL certificates by using a "chained root". A "chained root" SSL certificate is issued by a CA with a Trusted Root CA certificate and basically "inherits" the browser recognition of the Trusted Root CA. It's more complicated to install chained root certificates and not all web servers are compatible with them.
CAs who have and use their own Trusted Root CA certificate already present in browsers are known to be stable, credible companies with direct and long-established relationships with all the popular browsers like Microsoft and Netscape.
How credible and stable is the CA issuing the SSL certificate?
One of the fastest and easiest ways for your visitors and customers to know your SSL certificate is credible is if it's automatically recognized by the popular browsers. That means it was issued by a well-established, credible CA who owns its own trusted root. It's important for both you and your customers to identify the issuing CA and validate their integrity. By simply double-clicking the padlock visible in the browser and choosing the 'Certification Path' once the SSL Certificate appears you can identify which trusted root CAL issued the certificate. You can also confirm the issuing CA through your browser toolbar by clicking on 'Tools', 'Internet Options' and choosing 'Content', 'Certificates', then selecting the 'Trusted Root Certification Authorities' tab. Long-term CA stability is particularly important for enterprise solutions. GeoTrust owns the Equifax root (Equifax Digital Certificate services became GeoTrust in 2001). RapidSSL.com's RapidSSL and RapidSSL Wildcard product owns its own root. If the CA relies on an intermediate certificate it's important to know the long-term stability of that CA as well as the strength and stability of their relationship with the original CA.
In addition to owning its own trusted root, a CA's financial stability is also important to know. We recommend enterprise class accounts research the business health of each CA.
How likely is a miss-issuance?
Every WebTrust compliant CA has passed certification to make sure proper procedures and policies are in place that make the chances of a miss-issuance highly unlikely. That's why many WebTrust compliant CAs offer no warranty.
How long are your SSL certificates valid for?
FreeSSL certificates are valid for 30 days. RapidSSL certificates are valid for 1 to 2 years (3 & 4 year bundle certificate). Our Professional Level Certificates from GeoTrust are available for up to 2 years. We will give you instructions on how to renew when your certificate expires.
How long does it take to issue my Certificate?
There are several options. If you need an SSL certificate right away immediate issuance certificates use fast validation methods. RapidSSL and FreeSSL are issued immediately. If you can wait 3-5 days, established vendors use slower traditional validation methods. Be sure to review our validation information to understand what standard methods entail and help you ask the right questions from your vendors.
I forgot or lost my login details.
If you have your original order number you can use the automated password reminder system. Otherwise an email must be sent from the account's administrative email address to Send Support an e-mail that includes the original domain name it was purchased for or the original order number.
What do I do if I accidentally delete my "private key"?
First see if you can re-install the "private key" from your backups. If you need help with the re-install you should contact your systems administrator. Otherwise you can contact your web server software vendor for technical support. The last resort is to re-issue the certificate after re-submitting a replacement CSR.
How do I move the certificate after changing my server or my provider?
The easiest way is to create a new CSR on the new machine and have the certificate re-issued.
Is technical support available from the CA should I need it?
All CAs provide some support but you'll want to know if it includes web-based, email, phone support or some combination. You also want to know if there's an extra fee for phone support as some CAs charge extra. Installing an SSL certificate requires you first generate a CSR and then install your issued certificate. It's sometimes tricky so it's important that the CA provides prompt support. In most cases you can find the help you need in the extensive online knowledge bases offered by CAs but, if not, you want to be able to access their technical staff quickly and easily.
Is there a limit to the number of certificates I can order?
There's no limit on the quantity of RapidSSL or RapidSSL Wildcard certificates you can order. Get as many as you need! There is a limit of one FreeSSL certificate per domain name. FreeSSL is strictly a test certificate so you can evaluate using RapidSSL.com for your production certificates.
The CSR cannot be decoded?
It is either missing one or more required fields or the CSR contains non-alphanumeric characters in the required fields.
What browser recognition is required?
Browser recognition or ubiquity refers to the approximate percentage of Internet users that will inherently trust an SSL certificate. The rule of thumb for a commercial site is an SSL certificate with more than 95% browser ubiquity.
Certification Authorities who own their own roots have Root CA Certificates that are added into releases of all the major browsers such as Internet Explorer, Netscape, Opera, etc by the browser vendor (such as Microsoft). Browsers automatically rely on a list of root CA certificates that the browser vendor has deemed trustworthy. SSL certificates issued by a trusted root CA are inherently trusted by the browser and the gold padlock will appear transparently during secure sessions. When a browser 'sees' a website using an SSL certificate issued by a CA root it does not trust the website visitor will see a warning message. Obviously for maximum reach you want the highest number of online users to trust your SSL certificate. Since browser ubiquity is open to interpretation the table in the Appendix simply identifies whether an SSL Certificate is acceptable for commercial sites.
What budget do I have for my certificate?
Certificate prices can vary dramatically between CAs–some may as much as 40 times higher! The most important factors are typically the specific application and the source, meaning the need for a known brand certificate that has been issued from a highly trusted and credible CA. SSL certificate are designed for specific environments–some are ideal for development while others for government or large enterprises. Still others are perfect for sites handling low-volume, low-value transactions. These are all things to consider before making your choice.
What certificate strength is required?
There are two primary certificate strengths available–40-bit and 128-bit. Today you can also get 256-bit with the use of specific browsers (currently Firefox) and a specific web server (currently Apache). All RapidSSL.com and GeoTrust certificates support 256-bit encryption.
The bit size indicates the length of the key size used for encryption during a secure SSL session. To see the current encryption strength simply hover the mouse over the gold padlock.
What do I need to consider when purchasing a SSL certificate?
Consider these ten factors when choosing a CA and SSL certificate type: