Common Questions about SSL Certificates¶
How do I know a website is secured?¶
HTTPS is the protocol that supports these security measures. On the Internet, you browse non-secure websites with HTTP and secure websites with the HTTPS protocol, for example:
Non-secure: http://www.gandi.net. Secure: https://www.gandi.net
Web browsers will recognize certificates and establish an encrypted connection between the website hosted on a server and the visitor.
How long does verification take?¶
For the majority of cases, the verification process takes less than 24 working hours upon receipt of the proof of ID. Extended validation for business certificates may, however, take longer, in the event that Sectigo requests additional documentation from you.
How often should I renew my SSL certificates?¶
You should renew your certificates every year. Some free certificates will automatically renew each year.
What is an intermediate SSL certificate?¶
Without these, it may seem like the certificate does not work correctly with Firefox.
Gandi issues its certificates from a certificate that is “intermediate,” or an inheritor of the trust of the root certificate from the certification authority.
This allows us to reduce risk, since all of Gandi’s certificates can be revoked and reissued without revoking the root should the intermediate certificate’s trust become compromised. Most commercial certificate vendors use intermediate certificates for this reason.
You will want to download and install Gandi’s intermediate certificate (also called the operational certificate authority) along with your Gandi SSL certificate so that visitors to your site can automatically download it and verify the trust chain. Instructions for doing this are provided along with those for installing your certificate.
How many servers can be secured with a certificate?¶
A certificate is linked to a specific domain name, not a given IP address of a server which hosts the secure service.
If your service is hosted among several machines, only one certificate is necessary. Just ensure that servers with the right domain name (and/or subdomains) are used with the certificate.
You should use a full domain or several address certificate if you want to secure multiple subdomains.
Certificate errors will appear otherwise.
Can I use my Gandi SSL certificate on a host at another hosting provider?¶
Yes, you can install it on any server you like, as the certificate is tied to the domain name that you use to generate it rather than to any particular host.
However, in order to be considered valid, the corresponding domain name must resolve, in the DNS, to the host on which it is installed.
Note that in most cases you will need root (or administrator) access to the server on which you want to install the certificate.
What does the SSL certificate’s financial guarantee mean?¶
In order to protect your customers, you have the possibility (starting at the Pro level) of adding additional insurance in the event the security of the certificate is breached.
This insurance will cover financial losses by customer which were caused by the breach.
This added service, which you can inform visitors of using our certification logo, gives your customers the assurance that the transaction is secure and guaranteed.
Having transactions insured makes your business safer to run, and safer for the customer to use, and thus more valuable.
How do I export my SSL certificate and private key as a pfx file?¶
In order to export your certificate, private key, and our intermediate certificate as a pfx file, use the following command:
openssl pkcs12 -export -in my.crt -inkey my.key -certfile my.pem -out my.pfx
You can replace “my” with the correct filename. You can also rename your .pfx file after you export it.
my.crt is the certificate delivered by Gandi
my.key is the private key that was generated along with the CSR
my.pem is the Gandi intermediate certificate (GandiStandardSSLCA2.pem for example)
my.pfx will be the name of your pfx file
Gandi cannot assist in this operation since we do not have (and should not have) your private key.
Where can I find the Root trust CA or Root CA ?¶
Normally, if your system is up to date, you will not have to install the “root certificate” to complete the chain of certification. But if this certificate is missing, or asked for during the install or the use on your website, you can find the various version of root certificates at this address:
https://www.sectigo.com/knowledge-base/detail/Sectigo-Root-Certificates/kA03l000000c4KVCAY