SSL Certificates are the first line of defense for your website's security, so it is important that they are installed and functioning properly. Even the most seasoned and skilled webmaster can run into problems with SSL Certificates, so do not hesitate to ask your hosting provider for guidance. Using SSL involves ordering the type of certificate that is right for your website, creating a CSR, downloading and installing the certificate, and testing it to ensure there are no issues; each of these steps can trip up an experienced webmaster, so we have created a guide to help you navigate SSL Certificates with ease.
This guide examines the errors users most frequently encounter while choosing the right certificate, downloading it, installing it, and dealing with the issues that follow. We have tried to make it easy to follow and hope that this post will help you troubleshoot these issues efficiently.
Choosing the Precise Approval Method
Your domain needs to be verified, and there are three ways to do this: an approver email, an approver URL, or a DNS TXT record.
Note: When ordering an SSL Certificate, the method of approval cannot be changed once chosen.
1. Approver Email
When placing an order for your SSL Certificate, you need to choose one of the following email addresses to approve and authenticate your domain:
Once you have provided the email address, we will send you a message with a link. Click the link to authenticate and verify your domain.
Note: Be sure to choose the right email address; otherwise you will have to cancel your order and start a new one.
If you are unable to set up one of the email addresses from the list above, contact technical support to be guided through the other options. These include:
- Updating the WHOIS database with an email address.
- Creating a page on the website of the domain you want the SSL Certificate for, following instructions from our support team. This page demonstrates ownership of the domain and allows the vetting team to send the approval email to ANY alternative email address.
2. Approver URL
With this method, you will be given a meta tag to insert on the root page of your domain. The verification system detects the meta tag on that page and confirms ownership of the domain.
Note: The meta tag must be inserted on the root page of the domain. The system cannot verify the domain if the root page redirects to another page on the website.
A DNS TXT record requires adding a verification value to a TXT record in the DNS zone of the domain. You can check whether a TXT record is present on a domain with an online DNS lookup tool, or run the following at a command prompt: nslookup -type=txt www.domain.com.
3. Private Key Missing
A CSR and private key must always be generated on the server on which you will install the SSL Certificate; otherwise the certificate cannot be installed correctly. If the private key is lost and no longer stored on the server, the SSL Certificate will need to be reissued with a new CSR.
If this happens, here are a few error messages and symptoms that indicate there is no private key stored on the server:
- An error message during installation: “Private Key Missing”
- An error message during installation: “Bad tag value”
- The certificate disappears from the list in IIS when the list is refreshed after importing the SSL Certificate.
- Your site does not display https:// when loaded after installation of the SSL Certificate.
4. SAN Compatibility
Subject Alternative Names (SANs) can be added to SSL Certificates subject to the following conditions, which you must be aware of before ordering:
- Domain Validated SSL Certificates secure only sub-domains as SANs, not the Common Name.
- Organization Validated and Extended Validation SSL Certificates secure multi-domain names or FQDNs.
- A certificate can carry up to 100 SANs at a time, and more can be added after issuance.
- Wildcard SSL Certificates secure unlimited sub-domains through the asterisk.
5. Invalid CSR
Your CSR will be invalid if the information in it is not kept up to date. When creating a renewal CSR, it is imperative that the information in it matches the information in the original CSR; the new CSR itself will not be identical, since it is generated with a new private key.
There is also a known problem in the renewal process when you create a CSR with the renewal function in IIS 7: a bug that makes the CSR too long is usually the cause. The best way to avoid this is to create a new certificate request rather than a renewal request.
You can test a CSR with a decoder from one of the websites listed below. The request must begin and end with exactly the following header and footer lines; any additional characters or spaces before the header or after the footer will make the CSR invalid.
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
- Cert Logik
- SSL Shopper
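As an added example (not code from the original post or from the decoders listed), the following Python function performs the boundary checks an online CSR decoder applies before it can parse anything: exact BEGIN/END lines with ASCII hyphens, no stray whitespace before or after them, and a base64 body. The sample CSR is constructed: its body is a minimal DER value, not a real request.

```python
import base64
import re

# Exact PEM boundary lines a CSR must begin and end with (plain ASCII hyphens).
CSR_HEADER = "-----BEGIN CERTIFICATE REQUEST-----"
CSR_FOOTER = "-----END CERTIFICATE REQUEST-----"
_B64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def check_csr_pem(text):
    """Return problems found in a pasted CSR; an empty list means it is well-formed."""
    # Structural checks a CSR decoder applies before parsing: nothing before the
    # header or after the footer, ASCII hyphens, base64 body holding a DER SEQUENCE.
    problems = []
    if text[:1].isspace():
        problems.append("whitespace before the BEGIN line")
    if text.rstrip("\r\n") != text.rstrip():  # a single final newline is fine
        problems.append("whitespace after the END line")
    lines = text.strip().splitlines()
    if not lines or lines[0] != CSR_HEADER:
        # Blog editors and word processors turn '-----' into typographic dashes;
        # the header then looks right but no decoder accepts it.
        if lines and "BEGIN CERTIFICATE REQUEST" in lines[0]:
            problems.append("BEGIN line uses non-ASCII dashes")
        else:
            problems.append("missing or malformed BEGIN line")
    if len(lines) < 2 or lines[-1] != CSR_FOOTER:
        if len(lines) > 1 and "END CERTIFICATE REQUEST" in lines[-1]:
            problems.append("END line uses non-ASCII dashes")
        else:
            problems.append("missing or malformed END line")
    body = lines[1:-1]
    if not body:
        problems.append("empty CSR body")
    elif not all(_B64_LINE.match(ln) for ln in body):
        problems.append("CSR body contains characters that are not base64")
    else:
        try:
            der = base64.b64decode("".join(body), validate=True)
        except ValueError:
            der = b""
        if not der or der[0] != 0x30:  # 0x30 is the ASN.1 SEQUENCE tag opening a request
            problems.append("CSR body does not decode to a DER SEQUENCE")
    return problems


# Constructed stand-in: the body is a minimal DER SEQUENCE, not a real request.
SAMPLE_CSR = "\n".join([CSR_HEADER, "MAMCAQE=", CSR_FOOTER])
```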
6. The Common Name You Have Entered Does Not Match the Base Option
You will receive this error message when you are ordering a Wildcard SSL Certificate but have not included the asterisk in the Common Name, e.g. *.domain.com. You will also receive it if you have included the asterisk in the Common Name but did not order the certificate as a Wildcard.
The asterisk (*) represents all the sub-domains you can secure with this type of SSL Certificate. For example, to secure www.domain.com, mail.domain.com and info.domain.com, enter *.domain.com as the Common Name in the CSR.
Note: You cannot create a Wildcard with a sub-domain before the asterisk, e.g. mail.*.domain.com, or a double Wildcard, such as *.*.domain.com.
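As an added example (not code from the original post), this Python snippet encodes the Common Name rules above and checks which host names a Wildcard CN secures; the rule that the asterisk matches exactly one label is standard browser behaviour (RFC 6125), not something the post states.

```python
import re

# One DNS label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def validate_wildcard_cn(common_name):
    """Check a Wildcard CSR Common Name and return (ok, reason)."""
    # Rules from the section above: the asterisk must be the whole leftmost label
    # ('*.domain.com'); 'mail.*.domain.com' and '*.*.domain.com' are rejected.
    labels = common_name.lower().split(".")
    stars = common_name.count("*")
    if stars == 0:
        return False, "no asterisk: order this as a single-name certificate, not a Wildcard"
    if stars > 1:
        return False, "double Wildcards such as *.*.domain.com cannot be issued"
    if labels[0] != "*":
        return False, "the asterisk must be the entire leftmost label, e.g. *.domain.com"
    if len(labels) < 2 or not all(_LABEL.match(lbl) for lbl in labels[1:]):
        return False, "the part after '*.' is not a valid domain name"
    return True, "ok"


def wildcard_covers(common_name, hostname):
    """Return True if a Wildcard CN such as '*.domain.com' secures hostname."""
    # Assumption beyond the post: browsers match the asterisk against exactly one
    # label (RFC 6125), so *.domain.com covers www.domain.com but neither
    # domain.com itself nor a.b.domain.com.
    ok, _ = validate_wildcard_cn(common_name)
    if not ok:
        return False
    base = common_name.lower().split(".", 1)[1]
    host_labels = hostname.lower().split(".")
    return (len(host_labels) >= 2
            and ".".join(host_labels[1:]) == base
            and _LABEL.match(host_labels[0]) is not None)


def uncovered_hosts(common_name, hostnames):
    """List the host names a Wildcard CN would leave unsecured (e.g. the bare domain)."""
    return [h for h in hostnames if not wildcard_covers(common_name, h)]
```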
7. Key Duplicate Error
You will receive this error message if you submit a private key that has already been used. A private key and its CSR can only be used once.
Therefore you must generate a new private key and CSR on your server and resubmit the new CSR.
8. Order State Has Already Been Changed
You will generally receive this error message when your order has timed out. Simply start the ordering process from the beginning, and if the problem persists, contact technical support.
NOTE: This error message can also be caused by entering a SAN incorrectly, for example, if the CN is “www.domain.com” and you entered “domain.domain2.com” as a sub-domain when it actually identifies a separate FQDN.
9. The SANs Options You Have Entered Does Not Match the SAN Options on the Original Certificate
This issue can occur for a few reasons:
- You accidentally added a space after the SAN, which the system rejects.
- There is a typo or error in the information you entered.
- You entered the Common Name (CN) of the certificate as a SAN, so the system cannot tell that it is already secured by the certificate.
- You entered the SAN under the wrong type (sub-domain, multi-domain name, internal SAN or IP). To correct this, choose the SAN type that actually applies to the name.
10. Certificate Not Trusted in Web Browser
After installing the certificate, you may still receive untrusted-certificate errors in certain browsers. This usually happens when the intermediate certificate has not been installed as well. The missing intermediate could be one of the following, depending on your product: DomainSSL, OrganisationSSL, ExtendedSSL, AlphaSSL, etc.
SSL Certificates are the baseline for ensuring your website is secure for its users. Proper installation is crucial not only to your users' sensitive information and your website's reputation but also to your ranking on Google. If you have been having trouble troubleshooting your certificates, we hope this article helped you iron out the kinks; if not, contact our Technical Support and they will be glad to help.