Knowledgebase : Comodo Certification Authority > Certificates > SSL > SSL Technical FAQs

The private key for a Comodo Code signing certificate is generated by the browser during certificate enrollment. When the submit button is pressed, a key pair of the selected size is generated. The PRIVATE KEY is encrypted and stored in the LOCAL KEY DATABASE. COMODO recommends using INTERNET EXPLORER 8+ on Windows and FIREFOX on Mac for certificate enrollment as it is both easy to apply and convenient for the user. To apply for a Code signing certificate, visit the below URL. https://ww...
The private key for a S/MIME certificate is generated by the browser during certificate enrollment. When the submit button is pressed, a key pair of the selected size is generated. The PRIVATE KEY is encrypted and stored in the LOCAL KEY DATABASE. S/MIME certificates can be applied only using INTERNET EXPLORER and MOZILLA FIREFOX. COMODO recommends using INTERNET EXPLORER 8+ on Windows and FIREFOX on Mac for certificate enrollment as it is both easy to apply and convenient for the user. For ap...
REASON AND SOLUTION: If you want the SSL Padlock on your website to look fully green and perfect, then you will have to follow the security standards set by the browsers your customers most commonly use. As it happens, Internet Explorer, Chrome and Firefox are the most commonly used browsers in the world. Each of these browsers shows a website's padlock, and the warning messages associated with it, in its own way. # CHROME says, "_Your connection to example.com is encrypted with ob...
Comodo delivers high quality, high assurance SSL certificates at lower prices than other CAs because we have developed new infrastructure technologies and processes to significantly reduce validation intervals and customer installation requirements. These advances include: a) IdAuthority, created by Comodo, which is the largest commercial online directory and provides us high levels of efficiency and accuracy in our validation methods so that many SSL certificates can often be issued in ...
We believe it is important to protect the end user. If we fail to properly validate the information contained in a digital certificate, and our failure causes the end-user to lose money in connection with a fraudulent online credit card transaction, then the end-user may have a claim to recovery under our certificate warranty. (see complete Relying Party Warranty and Agreement for complete details) We value the end user. We believe the warranty provides peace of mind of the accuracy of th...
There are a few possible reasons for this: 1) The certificate has a Common Name (CN) of 'domain.com' but you are going to 'www.domain.com'. In order to correct this, you must have a redirect (consult your web server software manual on how to setup the redirect) from the non SSL portion of your site ('www.domain.com') to the SSL portion of your site ('domain.com'). 2) In Apache, it is possible that the 'server name\server alias' setting does not match the Common Name (CN) in the cer...
CSR is possibly missing one or more required fields. The CSR must contain a minimum of the following fields: Organization, Organizational Unit, Locality (City), State/Province, Country (2 character code), Common Name (Fully Qualified Domain Name). Another possibility is that the CSR contains non-alphanumeric characters in the required fields. Make sure your CSR begins with 5 dashes and ends with 5 dashes as below: -----BEGIN NEW CERTIFICATE REQUEST----- -----END NEW CERTIFICATE REQUES...
If you still have the original order number for your purchase you can use the automated password reminder system located here. If you do not have your order number, then please send an email to support@comodo.com. This email must be sent from the administrative email address on the account, and must include the original domain name it was purchased for.
First check your backups and see if you can re-install the "private key". If you don't know how to re-install the key from your backups, then contact your systems administrator. Failing that, contact your web server software vendor for technical support. The only alternative course of action available is a re-issuance of the certificate following the re-submitting of a replacement CSR. To re-submit a CSR please submit a ticket at http://support.comodo.com include the CSR, order number a...
If you are moving servers or providers, you will need to get the certificate and private key from the old server or provider. Contact your old server administrator and ask them to provide you with an exported copy of the certificate and private key. You can then use this to install your SSL certificate onto your new server or send on to your new host. If you do not get the Private Key with your certificate from the old server/provider, you will not be able to install the certificate and ac...
Your trial certificate is a fully-functional SSL Certificate, with exactly the same browser ubiquity and encryption as our other certificates. This is so that you can fully-test your systems prior to roll-out. As such, the trial certificate must be validated to the same standard as other certificates in our range. This validation process is utilised for every application put to us, whether the applicant is an individual or a multi-national conglomerate.
Click here to view a test page secured by InstantSSL, or if you would like to test Instant SSL on your system please feel free to try one of our fully functional Trial SSL Certificates.
As a commercial Certificate Authority, Comodo publish a Certification Practice Statement. This policy document is available here
Your trial certificate is a fully-functional SSL Certificate, with exactly the same browser ubiquity and encryption as our other certificates. This is so that you can fully-test your systems prior to roll-out. As such, the trial certificate must be validated to the same standard as other certificates in our range. This validation process is utilised for every application put to us, whether the applicant is an individual or a multi-national conglomerate. As this is a free service we have to limit...
You can reach us in one of the following ways: Sales sales@comodo.com Telephone: +1.888.266.6361 Telephone: +1.206.203.6361 Support Please register to contact support at http://support.comodo.com Then submit a ticket to support. Telephone: +1.888.266.6361 Telephone: +1.206.203.6361 Please Note: Phone support is not available for free products, except Trial SSL certificates Validation Please register to contact validation at http://support.comodo.com Then submit a ticket ...
We have an online CSR decoder at: https://secure.comodo.net/utilities/decodeCSR.html
After you upgrade to Microsoft Internet Explorer 6.0 Service Pack 2 (SP2) in Microsoft Windows XP SP2, some SSL-secured (128-Bit) Web pages and Web sites may not work correctly. Frequently, this behaviour is caused by security changes in Windows XP SP2. To determine why the pages do not display correctly, use the following methods in the order that they are presented. http://support.microsoft.com/default.aspx?kbid=870700&product=windowsxpsp2
Yes, if you do not install all the certificates that you have from us, then you will receive a "not trusted error message" when you go to the secure area of your web site. Please use the search box on the right for installation instructions that we have for the various SSL Certificates and their server software.
Site seals are available at: http://www.instantssl.com/ssl-certificate-support/siteseal/ssl-certificate-index.html
There may not be a corresponding 'private key' or 'pending request', or the key that is found is not the one that matches the certificates. In order to correct this we recommend you create a new CSR and send that to support to have the certificate re-issued. Click to find the details on creating a CSR. If you are using an Apache based system, then search your server for files ending .key, as the file might be in a different location than the one you are referencing in the httpd.conf file.
Name based hosting is rarely used in production environments. IP based hosting should be used due to the way that the SSL protocol works.
This error can be caused by the following reasons: 1.) The file doesn't exist in the https directory. This can be verified by trying to get to the file using a regular, unsecure, http call, and seeing that the file is loaded correctly. In order to correct this problem please add the file to the https directory defined in the SSL configuration of the webserver. 2.) Port 443 is blocked by server's firewall or the end-user's firewall. In order to correct this, you must open up port 443 (for ...
In short, this error means that there are elements in your SSL secured pages that are being accessed from a non SSL secured page. A typical example of this is an image that resides in a non-SSL protected directory. For example, a page that is loaded securely (via https), contains an image tag within the source code such as <img src =http://www.yyy.com/image.gif>. In this case the image is being called absolutely using the non-secure (http) protocol and will thus cause this warning....
The certificate is not bound to any specific IP address. It is bound to the fully qualified domain name such as www.comodo.com Unless the IP address is the Common Name on the certificate.
This problem occurs if you assign the same IP address to each host in your config file. SSL does not support name based virtual hosting (host headers are encrypted in SSL), so only the first certificate listed in your config file will be sent.
The Root Certificates and/or Intermediate Certificate(s) may not be installed correctly. This can be checked by clicking on 'View Certificates' when you get the error message and seeing if all three certificates are visible. It may also be that the certificate being used is not for the Fully Qualified Domain Name, check again using 'View Certificates' to see if the domain name on the certificate matches the domain name in the URL that you are going to. Check your Internet Option' and make sure...
Microsoft IIS is configured to require a secure channel. The following steps will allow non-secure (http) connections to your site: Within Microsoft Internet Information Server, right click on your web site. Under Secure Communications, click on Edit. Un-check the box that says 'Require Secure Channel'
If the web server is set to check the Certificate Revocation List, also known as a CRL, and the server is down, this can cause a time-out of the operation. This will not be the certificates, but something related to the browser timing out on the operation. See also: What is a CRL?
Start, run, type mmc. Go into the Console Tab, Add/Remove Snap in. Click on Add, Double Click on Certificates and Click on Add > OK. Choose Computer Account. Choose Local Computer. Open up the Certificates Console Tree. Look for a folder labelled REQUEST, then select Certificates. Highlight the key that you wish to back up. Right click on the file and choose All Tasks, Export. Follow the Certificate Export Wizard. Choose to mark the Private key as exportable. Leave default settings. Choose to sa...
HOW TO MOVE MY SSL CERTIFICATE AND KEY FROM IIS 5.X AND 6.X TO APACHE? EXPORT TO PFX FILE 1) Please start the Microsoft Management Console (MMC) 2) Add the Certificates Snap-in for the Computer account. 3) Under the Personal section of the MMC there should be a folder called "Certificates", open it. 4) Right-click on the SSL certificate you'd like to export. 5) Hover over "All Tasks", from here one should see the option to Export. 6) Go through the wizard, make sure it asks you to expor...
To use ASP to force SSL for specific pages follow the directions.
Please refer to the following URL on Microsoft's Knowledgebase: http://support.microsoft.com/default.aspx?scid=kb;en-us;232136
Please refer to the following URL on Microsoft's Knowledgebase: http://support.microsoft.com/default.aspx?scid=kb;EN-US;232137
Create a new web site in IIS (see Related Items), then go to the 'Properties'--> 'Directory Security' -->'Server Certificate' tab. Use the certificate wizard to create your new Key/CSR file. Backup the private key file by following the instructions: * Start --> Run --> type mmc, select OK. * Go into the Console Tab --> Add/Remove Snap in * Click on Add --> Double Click on Certificates and Click on Add, click OK * Choose Computer Account, then Local Computer * Open up the Cer...
To avoid this error, create a new certificate and verify that there are no special characters in any of the fields in the distinguished name. In particular, do not include a comma in the company name. The following characters are not allowed in any of the CSR fields: [! @ # $ % ^ * ( ) ~ ? > < & / \ , . " ']
There are several possible scenarios. Here are a few: 1) The 'Pending Request Not Found' error appears as if you are attempting to install a certificate that does not match the private key (Pending request) that is currently residing in the Certificate Wizard. Microsoft IIS 5 and 6 only allow you to make one request per site. If you create a new CSR for the same website, your original request will be overwritten. If you have a backup of the private key, you can install the certificate via...
There are a couple of possible reasons: 1. The intermediate Comodo certificate has not been installed, you must use the one that came with the site certificate 2. The wrong intermediate Comodo certificate has been installed, you must use the one that came with the site certificate Please see knowledgebase article for a description of what is an intermediate SSL certificate Please see SSL Installation instructions for the most common web servers
An intermediate certificate is the certificate, or certificates, that go between your site (server) certificate and a root certificate. The intermediate certificate, or certificates, completes the chain to a root certificate trusted by the browser. Using an intermediate certificate means that you must complete an additional step in the installation process to enable your site certificate to be chained to the trusted root, and not show errors in the browser when someone visits your web site. ...
If you ordered your certificate directly from Comodo then you can sign into your account, select 'SSL Certificates', and then download the certificate as a zip file for the appropriate order. If you ordered via a web host who is a Comodo partner, they will be able to download the certificate zip file for you.
The word subnetwork (usually shortened to subnet) has two related meanings. In the older and more general meaning, it meant one physical network of an internetwork. In the Internet Protocol (IP), a subnetwork is a division of a classful network. The rest of this article is about the second meaning. Subnetting an IP network allows a single large network to be broken down into what appear (logically) to be several smaller ones. It was originally introduced before the introduction of classful ne...
Public key cryptography is a form of cryptography which generally allows users to communicate securely without having prior access to a shared secret key. This is done by using a pair of cryptographic keys, designated as public key and private key, which are related mathematically. In public key cryptography, the private key is kept secret, while the public key may be widely distributed. In a sense, one key "locks" a lock; while the other is required to unlock it. It should not be feasible to...
If the problem is just the password then as long as you have the order number and either account email address or user name this can be automatically reset by visiting www.instantssl.com and clicking on the 'forgotten password' link. This will take you to the automated password reset facility: If you do not have the details required above, please send an email, from the account administrative email address to passwordreminder@comodo.com with as much detail as possible so that we c...
This error means that there is already an order on our system for the required domain. It can also mean that you have not signed into your account before placing the order. If this is the case, please sign in to your account at the top of the same page where this error occurs and try again to place the order. If the problem continues, please submit a ticket
In order to make changes to your Comodo account information we will require the following: 1. A clearly written request either by fax or a ticket submitted via http://support.comodo.com. Example: Please change the account information associated with order [Insert Order Number] to: [Name of organization or individual] [Street address] [City] [State or Province] ...
Yes, the dates are hard-coded into the certificate, so for the site to present the correct certificate the new one must be installed. Click to find Installation instructions
HOW TO CREATE A CSR IN IIS 5.X/6.X WITHOUT REMOVING THE CURRENT CERTIFICATE Currently the RENEW option within IIS 5.x/6.x does not work as intended most of the time, since IIS does not allow your site that is currently running SSL to generate a CERTIFICATE SIGNING REQUEST (CSR) without removing the existing certificate. For most sites this is not a viable option since the SSL portion of your site would be down until the new certificate was put in place. In order to obtain a certificate for yo...
COMODO SECURE SITE SEALS Comodo site seals are an ideal way to help customers feel safe and confident when using your secure online services. To set up your site seal: * Visit https://ssl.comodo.com/site-seal.php * Choose your certificate type from the drop-down menu * Right-click and download the seal design you prefer * Upload the seal graphic to your web server * Add the corresponding html snippet to each page on which you wish to display...
Wildcard certificates are not supported by mobile devices, or Windows Mobile, until Windows Mobile version 6. The browser used in these types of devices is a cut down version of the desktop versions, and support for wildcard certificates was removed prior to version 6. The only option, if using a Windows Mobile version prior to 6, is to purchase certificates with a fully qualified domain name for the domains that require mobile device access. Microsoft information on certificates included w...
To see Microsoft information on certificates included with mobile devices click Windows Mobile 5.0 and Windows Mobile 6
Our SHA-1 Root certificates were included in Java JRE 1.5.0_8 (1.5.0, aka 5.0, Update 8): http://java.sun.com/javase/downloads/index.jsp We are also mentioned in the Release Notes: http://java.sun.com/j2se/1.5.0/ReleaseNotes.html#150_08 (search for "Comodo"). Our SHA-2 Root certificates are now included in Java starting with Java JRE 1.8.0_51-b16 (1.8.0, aka 8.0, update 51). For more information please reference - http://www.oracle.com/tec...
In order to export the Certificate, Private Key and any intermediate certificate as a pfx file, use the command below: openssl pkcs12 -export -in my.crt -inkey my.key -certfile my.bundle -out my.pfx Note: Remember to change the names to match your file names!
To import an openssl based generated private key and certificate into java keystore, follow the instructions below. First you will have to create a new text file, which contains the cert from 'yourdomain.crt' and the private key from 'yourdomain.key'. It must be like this: BEGIN CERTIFICATE lines of text between the Begin and End END CERTIFICATE BEGIN RSA PRIVATE KEY lines of text between the Begin and End END RSA PRIVATE KEY NOTE: DO NOT INCLUDE THE EXTRA TEXT WHICH IS INSERTED BY O...
Below are some commands you might find useful in determining Keystore issues. Deleting a certificate: keytool -delete -alias aliasname; listing all of the keystore certificates: keytool -list -v | more; listing all cacerts certificates: keytool -list -keystore \j2sdk\jre\lib\security\cacerts | more; listing or displaying a certificate: keytool -printcert -v -file anycert.cer | more
A Fully Qualified Domain Name is also called the 'Domain Name' or 'Common Name'. During the creation of a Certificate Signing Request (CSR) you are asked for the 'Domain Name' or 'Common Name'. As an example, if you wish your secure area to be https://secure.comodo.net/paymentpage.html then the 'Domain Name' or 'Common Name' is secure.comodo.net. As you can see, the 'Domain Name' or 'Common Name' does not include the 'https://' or the '/paymentpage.html'. Click to know what the https proto...
The answer is no. With an SSL certificate the Fully Qualified Domain Name (FQDN) does not include the '/' or anything after it, or the https:// at the beginning. So, as an example, if I wanted my secure area to be https://support.comodo.com/myfolder the FQDN is support.comodo.com. Therefore you could not get a certificate for support.comodo.com/myfolder as /folder is not part of the FQDN. We would recommend getting a second certificate for something like folder.comodo.com. Please note ...
The Java error saying 'The security certificate was issued by a company that is not trusted' is due to the root certificate not being found in the java root certificate store. Below is the type of error that is seen. To resolve this issue update to the latest version of Java. Also see this article which identifies when our roots were first included in Java
It is not possible to provide two domain names for the same Server IP address and get two different SSL certificates (one for each domain name). It is however possible to get a Multi-Domain certificate, which is a single certificate containing more than one domain name, and that certificate is for a single server installation (most commonly used by hosting providers). For more information on this type of certificate please contact our sales team: http://www.instantssl.com/ssl-certificate-corp...
SSL stands for Secure Socket Layer Like TLS (which stands for Transport Layer Security) SSL is a security protocol that operates between a browser and a Web site. It provides confidentiality and data integrity by means of cryptographic techniques and, when used with a third-party-issued certificate it can report trustworthy information to one party about the other party. Typically, this is used to provide the browser and its user with trustworthy information about the Web site. Cryptograph...
A certificate (more properly called a public-key certificate in this context) is an electronic document that is signed by a certification authority asserting the binding between identifying information and a public key that can be used to authenticate the entity to which the identifying information applies. As a minimum, the identifying information includes a domain name, and the browser verifies that the URL displayed in its address bar is in the domain identified by the certificate. The ce...
A certification authority (sometimes referred to as a certificate authority) is a trusted third party that issues certificates. On the Web, certification authorities are typically separate business entities whose public keys are provisioned to the browser by the browser supplier. The certification authority accepts requests for certificates from Web site operators who provide the identifying information that they wish to have included in the certificate. The certification authority verifies...
DNS stands for Domain Name System. It is the part of the Internet that translates a familiar domain name, such as 'example.com' to an IP address. The Internet routes messages to their destinations on the basis of the destination IP address. But, users are more familiar with domain names to identify locations on the Internet. So, a system is needed to translate between these two forms of address: that is the DNS.
Generally, in order to be accepted by a browser supplier, a certification authority must meet standards set either by the AICPA/CICA or by ETSI. The AICPA/CICA standard is called 'WebTrust for CAs' and the ETSI standard is called 'ETSI TS 101456 Policy requirements for certification authorities issuing qualified certificates'. These audit schemes impose requirements on the certification authority’s systems, personnel and procedures. But, they don’t prescribe the methods used by the certific...
A domain validated certificate is one in which the validated identifying information contained in the certificate is limited to the domain in which the Web site is located. If one of these certificates validates correctly, then the browser displays the padlock icon.
An organizationally validated certificate is one in which the validated identifying information includes the domain and information about the business entity that operates the Web site, such as its registered business name. Organizationally validated certificates differ from extended validation certificates in that they are not necessarily issued in compliance with the extended validation guidelines. Furthermore, the organizational identifying information they contain does not receive prominent...
An extended validation (EV) certificate is a certificate issued in conformance with the extended validation guidelines. The organizational identifying information receives prominent display in some browsers.
The extended validation guidelines contain a set of requirements on the operations of certification authorities that issue extended validation certificates. These requirements mostly govern the process of validating the identifying information that is to appear in an extended validation certificate. However, they also establish requirements for several other aspects of a certification authority’s operations, including: insurance coverage, revocation services, cryptographic key parameters, pers...
Because there are no generally accepted standards for verifying the organizational information that is contained in some certificates, uncertainty has arisen in users’ minds over the significance of the padlock icon. This confusion has been compounded by the growing practice of Web site operators to display padlock icons within the site contents. Furthermore, the URLs that commonly appear in browser address bars have become obscure and users can no longer use these to assure themselves that th...
Question: When will we see Web sites protected by extended validation (EV) certificates? Answer: You need to be using Firefox 3, IE 7, Opera 9, Safari 3.2, and Google Chrome 1.x. These are the only browsers as of Dec 2008 that support the EV identifier. Typically this modifies the color of the address bar. If a site uses an EV Certificate and it is valid, it typically changes some part of the Address Bar to a shade of green. Most browsers do support EV, but do not change the address bar. Only...
A Certificate Revocation List (CRL) is a list of certificate serial numbers which have been revoked, are no longer valid, and should not be relied upon by any system user. A CRL is generated periodically, for Comodo that is every 24 hours. The CRL is always issued by the CA which issues the corresponding SSL certificates. All CRLs have a (often short) lifetime in which they are valid and in which they may be consulted by a PKI-enabled application to verify a counterpart's certificate prior it...
Our intermediate and root certificates can be downloaded from the download section of the web site. Click for a direct link to the intermediate and roots for various product types.
The AddTrustExternalCARoot.crt file is a root certificate and is normally not required as it will reside in the client browser. There are very few web servers that need this root certificate installed in order to function, but we provide it in the certificate issuance email just in case it is.
More specifically, the message is: You have asked to be warned about certificates from 'GTE CyberTrust Global Root' Click on Preferences under the Tools menu (or press CTRL+F12). Select the Advanced tab. In the left pane, select Security. Click the Manage Certificates button. Click the Authorities tab. Scroll down to "GTE CyberTrust Global Root" and select it. Click the View button. Ensure the checkbox labeled "Warn me before using this certificate" is unche...
Yes, a single SSL server certificate can cover multiple ports for the same domain name. As an example, the certificate for myserver.mydomain.com will work for: https://myserver.mydomain.com; and https://myserver.mydomain.com:8888 A specific port number should not be specified in the CN (Common Name) field. If a port number is included as part of the CN (Common Name) then our system will not accept the Certificate Signing Request (CSR) as valid. The error our system would ...
A .cer file is an extended set of certificates, that is it usually contains more than one certificate. If you try to open a .cer file you will see this error: The file can be opened by changing the extension from .cer to .p7b Once opened the file will look like the example below.
MDCs and Wildcard certificates and single IP addresses Part One : IIS Based on information in the below two articles we have found that if you are using the correct patched server versions IIS6 on windows 2003 server (service pack 1) it is entirely possible to run multiple SSL secured sites http://support.microsoft.com/Default.aspx?id=187504 http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/596b9108-b1a7-494d-885d-f8941b07554c.mspx Below are some extracts from...
Apache based servers Obtaining a Wildcard/MDC Server Certificate (Apache) To generate a private key and a public Certificate Signing Request (CSR) for a webserver, "server", use the following command: openssl req -new -nodes -keyout myserver.key -out server.csr This creates two files. The file myserver.key contains a private key; do not disclose this file to anyone. Carefully protect the private key. In particular, be sure to back up the private key, as there is no means to ...
If the intermediate certificates are not installed then you will see the message when looking at the site certificate: And the certificate path will not be complete to a trusted root certificate. To resolve this you will need to install all of the certificates that were sent.
The email address for the account is displayed in the 'Company Details' section under the idAuthority Option. To locate the company details section follow these steps: 1. Login to your account. 2. Select the idAuthority option 3. Select the Company Details button 4. Locate the 'Admin Contact: Personal Details' section where the email address assigned to the account can be viewed If you require a change to the admin email address please provide the details of the c...
Appropriate Use of SSL Certificates -Or - Why we don't have a certificate for www.instantssl.com SSL Certificates are commonly used to protect the flow of confidential or sensitive information. Most commonly, personal details and credit cards. Their use is, and should be, kept to areas where this is needed such as payment gateways or forms that require personal information to be entered. All of the Comodo sites use one centralised system for payment and information processing. This reside...
'You have a private key that corresponds to this certificate but CryptAcQuireCertificatePrivateKey failed' 1. Set the correct permission for Machinekey folder C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys 2. Add administrator and system Full Control Permissions. 3. Restart IIS
There are two possible causes for this error: 1. No root certificate for Keytool to chain to. Keytool relies on a root certificate in order to install the certificate. 2. Error occurs because the JDK keystore is very particular about the format of the Certificate. This error is related to the format the certificate has been downloaded in. Please make sure you download the (default) PKCS#7 format certificate and import this into your keystore. JDK prefers this format, which cont...
To add another web site on IIS follow the instructions below: 1. To start Internet Information Services, select Administrative Tools, select Internet Information Services 2. Right click on 'Web Sites' and select 'New', then 'Web Site'. 3. Key in a name for the web site. 4. Decide which IP will be used and the port setting. 5. Enter the path to the 'Home Directory', this is the root of your web site content. 6. Set Access Permissions. 7. Select Finished. Y...
Double-click on the yourwebsite.crt file to open it into the certificate display. Select the Details tab, then select the Copy to file button. Press Next on the Certificate Wizard. Select Base-64 encoded X.509 (.CER), then Next. Select Browse (to locate a destination) and type in the filename yourwebsite. Select Next then Finished. You now have the file yourwebsite.cer
Hi, 1. Launch Windows Explorer 2. Locate your Web site's Alias directory. By default, this directory may be found in c:\iPlanet\Servers. 3. Select and copy the relevant .db files for your Web Server. These files will have a naming convention that includes the alias that was defined when creating the key pair. Be sure to copy both the -cert7.db, and the -key3.db files. You have successfully backed up your Web Server's private-key and certificate. In the event of a disaster recovery, ...
Hi, To remove a certificate in Microsoft IIS 5.0, please follow the instructions Start Internet Services Manager Right click on Default Web Site and select Properties Select Directory Security Select Server certificate which starts the wizard Select Remove current certificate The wizard will display details of the current certificate Click Next, then Finished to remove the certificate
A passphrase is a word or phrase that protects private key files. It prevents unauthorized users from encrypting them. Usually it's just the secret encryption/decryption key used for Ciphers. To change the passphrase you simply have to read it with the old pass-phrase and write it again, specifying the new pass-phrase. You can accomplish this with the following commands: $ openssl rsa -des3 -in myserver.key -out server.key.new $ mv server.key.new myserver.key The first time you...
Backing up the private key of the pending request Click the Start Button, select Run, type mmc and select OK Click File and select Add/Remove Snap in Select Add Select Certificates from the Add Standalone Snap-in box and click Add Select Computer Account (NOTE: This step is very important. It must be the computer account and no other account) and click Next Select Local Computer and select Finish Close the Add Standalone Snap-in box, click OK in th...
There is no option to change the algorithm on Webstar 4.5 when creating the CSR. And, no other options can be changed relating to the algorithm under any of the other settings.
The following Comodo certificates are now included within Blackberry release 4.2.1 handheld software and higher: AddTrust External CA Root AAA Certificate Services UTN-USERFirst-Client Authentication and Email UTN-USERFirst-Hardware
SSH is not a product we offer, but we can provide links to external resources. Click to find the details regarding SSH
I receive a wrong certificate when I open any domain via HTTPS. I added the certificate under server settings, assigned this certificate to an IP, set default domain for the IP and restarted Apache. But if I open https://domain.tld I still get a localhost.localdomain (or another) default certificate. Look into /etc/httpd/conf.d/ssl.conf for the line like: <VirtualHost _default_:443> If it exists you have to delete/comment this default SSL virtual host starting from the "<Virtu...
CSR Generation and Installation instructions can be found at: CSR Generation / Installation: Exchange 2007 [https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/591/19/]
You will need to run the following command with OpenSSL (available from openssl.org): openssl pkcs12 -in mypfxfile.pfx -out outputfile.txt -nodes This will produce a file that contains the Private key and all the certificates contained within the PFX file (please note it is recommended that you select the option to include all the certificates in the certification path when creating the PFX file for use on Apache.) You will then need to copy out the relevant pieces of informati...
-> openssl pkcs12 -export -inkey KEY_FILE_NAME -in CERT_FILE -out SOMETHING.pfx If you would like to combine all certificates (Domain, Root and Intermediates) and the Private Key into a PFX/P12 file -> openssl pkcs12 -export -inkey KEY_FILE_NAME -in CERT_FILE -certfile APACHE_CA_BUNDLE -out SOMETHING.pfx Note: OpenSSL is usually installed in most Linux Distributions already. Source and Binary OpenSSL packages can be found at the OpenSSL homepage
According to Sun to do this you will need to use the “key export” command to export a private key from a java keystore. To get this functionality you will need to install the sun “Java web services developers pack 1.6” which is available for download from sun as well as the latest sun JDK (also available from sun) Source for article http://java.sun.com/webservices/docs/1.6/tutorial/doc/XWS-SecurityIntro6.html#wp528721 Please note that we cannot support or advise on this procedure and yo...
The first reason is that the SSL implementation in some MSIE versions has some subtle bugs related to the HTTP keep-alive facility and the SSL close notify alerts on socket connection close. Additionally the interaction between SSL and HTTP/1.1 features are problematic in some MSIE versions. You can work around these problems by forcing Apache not to use HTTP/1.1, keep-alive connections or send the SSL close notify messages to MSIE clients. This can be done by using the following directive in yo...
The yellow warning triangle in the certificate is an 'indicator' only. It does not indicate any issue with the certificate. Below are the details describing what each symbol indicates: It must be stressed, these are indicators relating to the field, and not an issue with the certificate
For the support team to re-issue a certificate they will need a new CSR. Please make sure this is included with your request for a re-issue. Related Articles CSR Generation
SSL Error 82 Resolution for error 82: The Security certificate (TheNameOfYourCertificateAuthority) is not suitable for use in SSL connections. Reason: Unsuitable Netscape Usage Extension field This issue is resolved in the public release of version 10.100 of the Presentation Server Client for 32-bit Windows or Use version 9.237 of the Presentation Server Client for 32-bit Windows. Click here for the Citrix Article on Error 82
There are a few things to consider if you are having difficulties with the installation of a certificate on Plesk. You will need to take into account what operating system you are using for your server. On an Apache based server it is vitally important that the intermediate and root certificates are uploaded in the correct order. If these are uploaded in the incorrect order, or with any files missing, the installation will fail and you will receive untrusted warnings when visiting the webs...
The secure padlock will not show while any unsecured items are displayed or used. Please make sure you are using the correct setup on your web pages. As an example, if you see this message and select 'Yes' then the page will be secure but will not display the padlock. 1. If you are using frames, make sure you are securing the entire website, and not just a frame page 2. If you are using images unsecured as in the example, make sure you change the reference from http to http...
The certificate is not bound to the IP address, but to the domain name, unless the IP address is being used in the address bar to access the web server. If your hosting provider bought the certificate for you: If you are moving the certificate to another hosting provider you will need to ask your present hosting provider to backup the certificate and private key for you, as you will need to install these on the new hosting machine. Details on backing up the certificate and private key c...
Do you have a tool for creating the CSR and collecting the certificates that are issued? Yes, but it is only available for Java or Apache based systems. The Applet can be found at http://www.comodo.com/csr_autogenerator.html NOTE: This tool only collects the certificates, it does not install them for you NOTE: This tool will not work for orders placed via the Comodo web host account NOTE: You must have java installed for this to work NOTE: If java is installed but dis...
List of 2 letter country codes. There is quite a comprehensive list of 2 letter country codes on Wikipedia.
This file is invalid for use as the following: Security Certificate This is not an error, it simply means you cannot open the file. To view the certificates in the file, change the file extension from .cer to .p7b Now, when you open the file and open the branch on the left of the window you will see 'Certificates'. By clicking on 'Certificates' you will see all the certificates contained in the single .cer format file.
For these instructions to work you will need to have generated your CSR for your certificate and have a pending request waiting on the website. The first step is to follow the instructions in the article below and back up the pending request. Backing up and Restoring the pending request in IIS 5 or 6 Once this is done you can then use the CSR you generated previously to order and install a temporary or trial certificate onto your server. Once you have this tempo...
Intended Audience: Web hosts, web server administrators, technical personnel responsible for generating CSRs and installing SSL certificates on web servers. On May 13th, 2008 the Debian project announced that Luciano Bello found an interesting vulnerability in the OpenSSL package they were distributing. Details can be found here: http://www.debian.org/security/2008/dsa-1571 Please note that this vulnerability does not affect ComodoCA or our PKI infrastructure in any way. The vulner...
If you have successfully installed your certificate and wish to make a backup with the private key, Windows will not allow it if you do not have full admin rights. You must give yourself access to the MachineKeys folder: Open Microsoft Windows Explorer. Locate the "%SystemDrive%\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys" (assuming you have a clean install) folder. There are several files located in this folder. Each file in this fo...
Microsoft ISA Server and SAN Certificates ISA Server 2006 SP1 includes support for certificates with multiple Subject Alternative Name (SAN) entries in published web servers. Previous to this release this is not correctly supported by ISA servers. Please ensure that you are using ISA Server 2006 with Service Pack 1 installed if you wish to take advantage of Subject Alternative Name (SAN) entries in your certificate.
According to ( http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html ) this error means error :-12263 SSL_ERROR_RX_RECORD_TOO_LONG "SSL received a record that exceeded the maximum permissible length." This generally indicates that the remote peer system has a flawed implementation of SSL, and is violating the SSL specification. If you are using Apache2: In the ports.conf file, make sure it looks like the following: — clip — Listen 80 Listen 443 https — cli...
Files to have on hand: Root and Intermediates. These can be obtained from us through your account. If you don't have access to them you may download them from the Root & Intermediate Certificates section of our Downloads area. If you're unsure which to get or which is which, please visit: Which is Root? Which is Intermediate? Root and Intermediate Certificate installation via MMC 1. Open up the Microsoft Management Console (MMC) Start -> Run -> Type "mmc" (without quotes) an...
Please read this before proceeding: Java Based (Tomcat) Web Servers (using keytool) Tomcat will first need an SSL Connector configured before it can accept secure connections. Note: By default Tomcat will look for your Keystore with the file name .keystore in the CATALINA_HOME directory with the default password 'changeit'. Commonly found CATALINA_HOME Directories Unix, Linux or *nix -- /etc/tomcat5.5 Windows -- C:\Program Files\Apache Software Foundation\Tomcat 5.5\ ...
QUESTION: I get CertEnroll::CX509Enrollment::p_InstallResponse: ASN1 bad tag value met. 0x8009310B on IIS 7 and I am unable to install my certificate. ANSWER: This can be a result of IIS placing the certificate in the wrong certificate store or forgetting where it places the private key; in many cases it gets placed in the OTHER PEOPLE certificate store for the CURRENT USER account. Only certificates that are stored in the PERSONAL Section of the LOCAL COMPUTER store can be used in IIS. ...
In order to disable weak ciphers, please modify your SSL/TLS CONNECTOR container attribute inside SERVER.XML with the following information based on the version of Java that is used on the Server. (Each directive is listed as: Java 7 value / Java 8 value.) sslProtocol: TLSv1, TLSv1.1, TLSv1.2 / Not Used, please remove if specified; useServerCipherSuitesOrder: Not Supported / true; ciphers: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_CBC_...
Disable Client Auth on IIS 5.x and 6.x If Client Authentication is enabled on IIS 5.x and 6.x, you will see the below message when you try to access the site: Please follow the below procedure to disable the Client Authentication on IIS 5.x and 6.x: 1. Open up the IIS console. 2. Right-click on the website that you are using the certificate on and left-click Properties. 3. Click on the Directory Security Tab. 4. Under the Secure Communications section, click on the Edit button. 5. Sel...
Export certificate and private key to PFX (Personal File Exchange) format Certificate Snap-in 1. Open up the Microsoft Management Console (MMC). Start -> Run -> Type "mmc" (without quotes) and Click OK or hit Enter on your keyboard. 2. Open Add/Remove Snap-in Window. File -> Add/Remove Snap-in 3. Add the Certificates Snap-in. Click Add then double-click Certificates 4. Select Computer Account and click Next. Note: This step is very important. It must be t...
If you would like to force the entire site to use SSL: RewriteEngine On RewriteCond %{HTTPS} !=on RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L] Alternatively, you may use an .htaccess file (or place the rule inside a <Directory> block): RewriteRule ^(.*) https://%{SERVER_NAME}/$1 [R,L] Note: The pattern in this method omits the leading slash ( / ). ...
Error code: sec_error_unknown_issuer This Firefox error means that Firefox is unable to chain up to a trusted Certificate Authority based on information provided to Firefox from the web site you're visiting. If you're the owner or maintainer of the site in question please install the Intermediates that came with your certificate. This is required as per the SSL/TLS RFC starting with RFC 2246, which covers TLS 1.0. RFC 2246 states: certificate_list This is a sequence (...
How do I verify that a private key matches a certificate? To verify that a private key matches its certificate you need to compare the modulus of the certificate against the modulus of the private key. Run the command below to view the modulus of the certificate: openssl x509 -noout -modulus -in server.crt | openssl md5 You will receive output something like a77c7953ea5283056a0c9ad75b274b96 Run the command below to view the modulus of the pri...
To obtain a copy of OpenSSL for: * WINDOWS: Windows 2000 or better [http://www.shininglightpro.com/products/Win32OpenSSL.html] * UNIX-LIKE: (LINUX, OS X, ETC.) Many vendors include OpenSSL as a part of a standard distribution/install. If it was not included, either consult your Operating System's package management feature (apt, yum, yast, etc.) or visit the OpenSSL.org website [http://www.openssl.org/] for binaries.
Question: When I am purchasing or replacing my certificate I get the error:    Your RSA key is too small! or This CSR uses an unsupported key size. Answer: For all certificates that Comodo issues (including EV SSL), the RSA key size MUST BE at least 2048-bit as of 20-DEC-2010. To resolve this error please regenerate your CSR with the key size of 2048 and try again. Note: To retain maximum compatibility across all browsers do not use an RSA key size of over 2048 at this...
Question: Why won't OCS 2007 start after we've updated to OCS 2007 R2? Answer: In February/March 2009 Microsoft Released OCS 2007 R2, with it they incorporated a certificate limitation with the Response Group Service where the pool FQDN would have to be the last SAN entry. Microsoft Office Communication Server 2007 R2 Release Notes: Certificate Limitation With Response Group Service Issue: If the certificate assigned to the Office Communications Server 2007 R2 or to the Office Communic...
How to find the thumbprint/serial number of a certificate? Please be aware this article assumes you have access to: the CRT file, the certificate via IIS, Internet Explorer (IE), Microsoft Management Console (MMC), Firefox or OpenSSL. Option #1: Windows (MMC, IE, IIS) Open Certificate to the General Tab IIS 5.x & 6.x: Right-Click website -> Left-Click Properties -> Directory Security -> View Certificate MMC (Microsoft Management Console):File -> Add/Remove Snap-in -> Certificates ->...
QUESTION: How do I move a certificate from IIS / PFX (.p12 file) to a JKS (Java KeyStore)? ANSWER: Run the following command: keytool -importkeystore -srckeystore _PFX_P12_FILE_NAME_ -srcstoretype PKCS12 -srcstorepass _PFX_P12_FILE_ -srcalias _SOURCE_ALIAS_ -destkeystore _KEYSTORE_FILE_ -deststoretype JKS -deststorepass _PASSWORD_ -destalias _ALIAS_NAME_ NOTE: To find the srcalias, list the contents of the PFX/P12 file: keytool -v -list -storetype PKCS12 -keystore _PFX_P12_FILE_ > _FILENA...
Although not really related to certificate installation and outside the scope of certificate support, instructions on how to use 256 bit SSL in IIS 6.0 can be found here: http://blogs.msdn.com/asiatech/archive/2009/11/11/how-to-use-256-bit-ssl-in-iis-6-0.aspx
To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority. To turn off Automatic Root Certificates Update: 1. Click Start, and then click Run. 2. Type gpedit.msc, and then click OK. 3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue. 4. Double-click Administrative Templates, double-click System, double-click Internet...
Question: After I have imported a Comodo certificate through the Exchange Management Console (EMC), I am unable to assign it any services due to the error message of: "The certificate status could not be determined because the revocation check failed." Answer: This can be caused by any number of different reasons: Lack of network connectivity or Internet Outage Network or proxy misconfiguration: See MS KB ID 979694 Intentional blocking of Internet connection from the server. ...
Question: Does Comodo provide a way for me to check to see if my SSL certificate is installed correctly? Answer: Yes, we have our SSL Analyzer to offer. On this page you simply need to enter the FQDN of the website you want us to analyze (check). (e.g. secure.comodo.com, www.comodo.com, secure.YOURDOMAIN.COM, example.com) Some Frequently Asked Questions on reading the output of the SSL Analyzer What validation level is the certificate I have installed on my site? Look for Validat...
SSL ADVISORY: HEARTBLEED VULNERABILITY OVERVIEW * All customers are advised to patch systems to run the latest version of OpenSSL. * Vulnerability lies with OpenSSL, not with Comodo certificates or Comodo CA keys. * Certificates on affected systems need to be replaced, free of charge, with immediate effect. * Customers can order a certificate reissue via our web-interface, management portal or the APIs. In the light of the recently discovered vulnerability known as 'Heartbleed', Comod...
Here is the list of support for SHA-2 (or) SHA-256 hash algorithm. WEB-BROWSERS : Chrome - Version 26 and above Mozilla Firefox - Version 1.5 and above Internet Explorer - Version 6.0 and above (must have Windows XP Service Pack 3 installed or above). Java based applications and products - Version 1.4.2 and above Konqueror - Version 3.5.6 and above Netscape - Version 7.1 and above OpenSSL based applications and products - Version 0.9.8 and above Opera - Version 9.0 and above ...
This article explains the process of converting a Java Keystore file, into a PKCS12 file which is a .pfx or .p12 . Requirements - A Java Keystore containing the root, intermediate, and your domain/end entity certificate which was imported by following these instructions. [https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/638/37/certificate-installation-java-based-web-servers-tomcat-using-keytool] In order to convert the Java Keystore file into a .pfx or .p12 file, you ...
Comodo Certificate Manager – SSL End User Guide SSL Certificates Enrollment, Collection, Installation and Renewal Guide Version 5.7
CAUSE: This error occurs if the server administrator does not have permissions to the local security policy on Microsoft Windows 2008 server. SOLUTION: Although the error occurs during installation, the certificate might still install successfully. Check the bindings to see if the new certificate is available to be assigned. If the SSL certificate is not available in the bindings list then proceed with the below instructions to set the appropriate permissions. To bind the certificate ...
1. First off, you need to ensure that you have root access. Otherwise, please contact the webhosting/server administrator. 2. Log in to the server via SSH. 3. Run the following command, replacing domain_name with your domain name, such as comodo.com: # openssl pkcs12 -export -out /backup/domain_name.pfx -inkey /etc/ssl/private/domain_name.key -in /etc/ssl/certs/domain_name.crt
HOW DO I MAKE MY OWN BUNDLE FILE FROM CRT FILES? ANSWER: You may do this using your favorite text editor or by using the command line. Example: # Root CA Certificate - AddTrustExternalCARoot.crt # Intermediate CA Certificate 1 - ComodoRSAAddTrustCA.crt OR ComodoECCAddTrustCA.crt # Intermediate CA Certificate 2 - ComodoRSADomain/Organization/ExtendedvalidationSecureServerCA.crt OR ComodoRSAECCDomain/Organization/ExtendedvalidationSecureServerCA.crt # Intermediate CA Certificate 3 - ComodoSHA25...
How to install an SSL Certificate onto a DigitalOcean Droplet using (Ubuntu/Apache) Third party reference please click here [http://brettdewoody.com/how-to-setup-ssl-certs-with-digitalocean-and-comodo/]