Can I change the IP address of my domain if I have an SSL certificate on that domain?|
The certificate is not bound to any specific IP address. It is bound to the fully qualified domain name such as www.europeanssl.eu
I have changed my server, or moved to a different provider, how do I move the certificate?|
If you are moving servers or providers, you will need to get the certificate and private key from the old server or provider.
Contact your old server administrator and ask them to provide you with an exported copy of the certificate and private key.
You can then use this to install your SSL certificate onto your new server or send on to your new host.
Please note: If you do not get the Private Key with your certificate from the old server/provider, you will not be able to install the certificate and activate SSL for your site.
Do I need to use IP based hosting or Name based hosting?|
Name based hosting is rarely used in production environments.
IP based hosting should be used due to the way that the SSL protocol works.
What is a certification authority (CA) ?|
A certification authority is an organization that issues digital certificates.
A digital certificate is the cyberspace equivalent of an identity card and is used to assign a particular public key to a person or organization.
This assignment is certified by the certification authority, by providing them with its own digital signature.
The certificates contain "keys" and additional information that is used for authentication and for encryption and decryption of sensitive or confidential information that is distributed over the Internet and other networks.
Additional information, such as the lifespan and references to certificate revocation lists, is also included in the certificate by the CA.
The purpose of a certification institution is to issue and check such digital certificates. The CA is responsible for the provision, allocation and integrity of the certificates it issues.
Thus it is an important part of the public-key infrastructure.
What is a Certificate Signing Request (CSR)? |
A CSR is a text string that is created by your server software. We need this string for the issuance of your SSL certificate.
If you can not generate a CSR on your server, you can use our CSR-Generator.
You can create the necessary CSR in real time with this tool.
Please note: when using the IIS server platform, using an external CSR generator is not possible.
What is Secure Sockets Layer (SSL)?
By using Secure Sockets Layer, data is transferred via HTTP and protected by the server encryption activated by the SSL certificate.
An SSL Certificate consists of a public and a private key. The public key is used to encrypt information and the private for decryption.
When a browser displays a secured domain, server and client are authenticated by an "SSL handshake".
In addition, an encryption method and a unique session key are established. With these, a secure session can be started and the privacy and integrity of messages can be guaranteed.
What is encryption and why are there different levels? |
Encryption is a mathematical operation for encoding and decoding of information.
The number of bits (40 bits, 56 bits, 128 bits, 256 bits) indicates the size of the key. As with a longer password, a longer key allows more possible combinations. 128-bit encryption is one trillion times stronger than 40-bit encryption.
When establishing an encrypted session, the strength depends on the capabilities of the web browser, the SSL certificate, the web server and the operating system of the client.
What is a key pair of a public and private key? |
Encryption is a mathematical operation for encoding and decoding of information.
Each SSL Certificate contains a key pair of a public and a private key.
It consists of a private key for encoding and a public key for decoding. The private key is installed on the server and will under no circumstances be transmitted.
The public key is included in the SSL certificate and is passed on to the web browser.
Do I need an SSL certificate for my site?
You have probably heard of 128-bit encryption, or seen the green address bar of an EV SSL certificate in the address bar of a web page, and asked yourself, "Do I need an SSL certificate on my site?"
Most people are very careful when making online purchases and want to have the assurance that their data is safe. An SSL certificate provides you with two important things:
These are very important advantages. Not all websites need an SSL certificate, but for certain types of websites SSL encryption is a must. To find out if you need an SSL certificate for your website, simply ask yourself these questions:
- Is my website an e-commerce website that collects credit card information?
Most e-commerce sites absolutely need an SSL certificate! As an online retailer, it is your responsibility to ensure that the information collected from your customers is protected.
If a thief gets access to the credit card data, this can be devastating for your customers and your company. Protect yourself and your customers from damage due to misuse by third parties and install an SSL certificate.
- Do I use a third party for payment processing?
If your online store directs your customers to the pages of a third party, such as PayPal, for payment, you do not need an SSL certificate because your website has "no contact" with the credit card information of customers.
This is of course only valid if your shop does not accept the data while the customer is still on your website. PayPal offers both versions for processing the payment.
If the credit card information is collected on your website, the use of an SSL certificate should be mandatory.
- Do I use a login form?
If you give your website visitors the opportunity to register as a user, but you do not encrypt the login page via SSL, an attacker could easily read the credentials of the users in plain text.
This not only allows the attacker to use the user's account, it also opens more doors to them because people unfortunately use the same password for different accounts.
Treat the data of your users responsibly, even if the content on your website is not critical.
Heartbleed bug and EuropeanSSL - How to make your SSL encrypted page safe again.|
As you may know, a vulnerability known as "Heartbleed" was recently discovered in OpenSSL, through which an attacker can theoretically get the private key of SSL certificates.
We recommend a timely examination of the web server.
Please make sure that the OpenSSL version is updated. The replacement of the installed SSL certificates is in any case advisable. The server may not be compromised at the moment; however, the keys of the "old" certificates and other data from the memory could also have been read, so the certificates should be replaced.
Please note that the vulnerability occurs in the web server tool OpenSSL; the EuropeanSSL certificates are of course still completely trustworthy.
You can replace your current SSL certificates free of charge. To do this, follow these steps:
Why does a EuropeanSSL Certificate cost considerably less than the ones from other Certification Authorities?|
EuropeanSSL delivers high quality SSL certificates at lower prices than other CAs because we have developed new infrastructure technologies and processes to significantly reduce validation intervals and customer installation requirements.
Which browsers support the certificates by EuropeanSSL? |
99.3% of Internet users inherently trust EuropeanSSL Certificates – Equivalent to VeriSign and Thawte!
Can I protect various sub-domains with one certificate? |
An SSL certificate is normally issued to a specific host name. This means that an SSL certificate for "secure.yourdomain.de" cannot be used for another host name, e.g. "shop.ihredomain.de".
To overcome this limitation, we offer the EuropeanSSL Wildcard Certificates. This certificate type allows you to protect an unlimited number of subdomains under the same main domain name.
Our Wildcard certificates can also be used on an unlimited number of physical servers. Thus, there are no additional licensing fees when using a wildcard certificate on multiple physical machines.
A wildcard certificate for *.ihredomain.de protects, for example:
Can I test EuropeanSSL certificates before buying? |
You are welcome to test our certificates for 30 days free of charge and without obligation.
Please order the product "EuropeanSSL Trial".
The certificate is not recognized by my mobile device. |
Compatibility with different mobile devices is a common problem in the field of SSL certificates, as there are unfortunately no fixed guidelines specifying which root certificates manufacturers install in the factory settings.
Due to this, we cannot guarantee browser compatibility for mobile devices.
The user can manually download and install the required certificates under https://secure.europeanssl.eu/de/info/terms
The following micro browsers / PDAs support EuropeanSSL Certificates:
The CSR cannot be decoded or is invalid|
The CSR is possibly missing one or more required fields.
The CSR must contain a minimum of the following fields:
Country (2 character code)
Common Name (Fully Qualified Domain Name)
Another possibility is that the CSR contains non-alphanumeric characters in the required fields.
Make sure your CSR begins with 5 dashes and ends with 5 dashes as below:
-----BEGIN NEW CERTIFICATE REQUEST-----
-----END NEW CERTIFICATE REQUEST-----
Also, please check for additional characters that may have been picked up by accident, possibly through cutting and pasting. Below is an example where the additional characters (the '!' and the 'space' underlined and highlighted in red) will cause a CSR decoding error. Normally, a CSR that contains characters such as '?', '@', '#', '$', '%', '^', '&' and '*' will cause issues. The only allowable non-alphanumeric character is the backslash '\'.
Example of a defective CSR:
-----BEGIN NEW CERTIFICATE REQUEST-----
-----END NEW CERTIFICATE REQUEST-----
If the suggestions above do not resolve the issue, please send your CSR to our support team and we will be happy to decode it and help you to identify the problem, or instruct you to generate a new one if necessary.
I only want a trial certificate, why do you validate those applications?|
Your trial certificate is a fully-functional SSL Certificate, with exactly the same browser ubiquity and encryption as our other certificates. This is so that you can fully-test your systems prior to roll-out. As such, the trial certificate must be validated to the same standard as other certificates in our range. This validation process is utilised for every application put to us, whether the applicant is an individual or a multi-national conglomerate.
How do order and validation of domain validated SSL certificates work?
Domain validated SSL certificates are all EuropeanSSL Certificates (Single / Wildcard). EuropeanSSL Premium certificates are not domain validated.
Step 1: Create a CSR (Certificate Signing Request)
The CSR contains important information, such as the host name, and it is usually created directly on your server. If you are unable to generate your CSR, you can use our CSR generator.
Step 2: Order the required certificate
After placing an order on our website you will receive an email which you must confirm by opening a link. The desired certificate is then created and sent to you within minutes.
The following e-mail addresses can be used for validation:
Can I order an SSL Certificate for an IDN domain (domain with Umlaut) as well? |
Yes, please indicate the domain name as an ACE string when generating the CSR, such as xn--zz-viaa.de for the IDN domain zääz.de.
When using our CSR-Generators, the conversion is done automatically.
How do order and validation of Premium SSL certificates work? |
In the first step, the order is validated via e-mail validation. Find details about this process in our FAQ article "How do order and validation of domain validated SSL certificates work?". Once you click on the link mentioned in this email, the validation process proceeds.
1. Validation of documents:
Please send one of the following documents for manual validation of your order to EuropeanSSL:
Please note: The contact details and information mentioned in your driver's licence or Business Registration need to be identical to the data you entered in your order and to the data set up in the WHOIS of the domain name.
In case the data is not identical, additional documents will be necessary, which are:
For the second validation step, we will need the following information:
During telephone validation, the contact person will receive a „EuropeanSSL Callback Request“ e-mail. This e-mail contains a link and the mentioned "email verification code". You can activate the callback for telephone validation with that. This code will be mentioned during the conversation. Enter the code on the aforementioned webpage. Once the telephone validation is done, the order is activated.
Please send all documents, forms and other information by fax, postal service or email to:
c/o EUNETIC GmbH
Fax national: +49 7245 919 585
Fax international: +49 7245 919 585
Which CAA record can I use to authorize EuropeanSSL for my domain?|
In order for us to be authorized to create an SSL certificate for your domain, please use the term "trust-provider.com" in your DNS settings. The entry should then look like this:
domain.tld IN CAA issue "usertrust.com"
domain.tld IN CAA issuewild "usertrust.com"
For more information, see https://en.wikipedia.org/wiki/DNS_Certification_Authority_Authorization
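How the issue and issuewild properties combine for a single-name and a wildcard request can be checked offline. The script below is an added example (not EuropeanSSL's code) that applies the RFC 8659 rules to zone-file lines. It assumes every input line belongs to the record set for the requested name; the flags value 0 in the demo records is the standard zone-file form, and lines without it, as printed above, are accepted as well.

```sh
#!/bin/sh
# Added example, not from the original FAQ. Assumes every line in the input
# belongs to the CAA record set that applies to the certificate name.

# caa_allows FILE CA_IDENTIFIER CERT_NAME: exit 0 if the CA may issue for CERT_NAME.
caa_allows() {
  local wild=0
  case "$3" in '*.'*) wild=1 ;; esac
  awk -v ca="$2" -v wild="$wild" '
    {
      for (i = 1; i <= NF; i++) if (toupper($i) == "CAA") break
      if (i > NF) next                      # not a CAA record
      j = i + 1
      if ($j ~ /^[0-9]+$/) j++              # flags field, optional in this parser
      tag = tolower($j)
      val = $(j + 1)
      if ($0 ~ /"/) { val = $0; sub(/^[^"]*"/, "", val); sub(/".*$/, "", val) }
      sub(/;.*$/, "", val)                  # drop parameters after the issuer name
      gsub(/[ \t"]/, "", val)
      val = tolower(val)
      if (tag == "issue")     { n_issue++; if (val == tolower(ca)) ok_issue = 1 }
      if (tag == "issuewild") { n_wild++;  if (val == tolower(ca)) ok_wild = 1 }
    }
    END {
      # For wildcard names, issuewild records replace the issue records.
      if ((wild + 0) && n_wild) exit(ok_wild ? 0 : 1)
      if (n_issue)              exit(ok_issue ? 0 : 1)
      exit 0                    # no restricting property: CAA does not limit issuance
    }' "$1"
}

# Demo with the two records from this page, written in full zone-file form.
demo=$(mktemp)
cat > "$demo" <<'EOF'
domain.tld. IN CAA 0 issue "usertrust.com"
domain.tld. IN CAA 0 issuewild "usertrust.com"
EOF
for name in www.domain.tld '*.domain.tld'; do
  if caa_allows "$demo" usertrust.com "$name"; then
    echo "$name: issuance permitted"
  else
    echo "$name: issuance blocked by CAA"
  fi
done
rm -f "$demo"
```

An issuewild value of ";" blocks wildcard issuance while leaving single-name issuance under the issue record untouched.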
Do I need to install all the certificates that I received?|
Yes, if you do not install all the received certificates you will receive "not trusted" messages when you go to the secure area of your web site.
Installation example: Apache and mod_ssl/OpenSSL
Extract the ZIP file containing the yourSERVERNAME.crt and yourSERVERNAME.ca files into the folder /etc/ssl/crt/ and place the key file yourSERVERNAME.key in /etc/ssl/key/. Then set the files to read-only for the system user with the command "chmod 400 filename".
Now change the httpd.conf for the corresponding vhost as follows:
Please note that the path of your system may differ.
Installing the Root and Intermediate Certificate on IIS 5.x / 6.x|
To install the Root Certificate:
To install the Intermediate Certificate/Certificates:
Ensure that the Root certificate appears under Trusted Root Certification Authorities.
Ensure that the intermediate certificate / certificates appears under Intermediate Certification Authorities.
Once these are installed you may need to restart the server.
Where can I get the Free Site Seals?|
Site seals are available through the detailed view of your certificate in your customer panel.
Installing your IIS SSL Certificate on Microsoft IIS 5.x / 6.x|
Important: You must now restart the computer to complete the install
How to create a CSR on your own Linux server ?|
Installation of an extended IIS SSL Certificate on Microsoft IIS 5.x / 6.x |
Important: Restart the server to complete the installation of the extended certificate.
I get the error message " cert / key mismatch"|
The reasons for the above error might be:
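To confirm whether a certificate and a private key actually belong together, for instance after receiving an exported copy from an old server, the public key in the certificate can be compared with the one derived from the key file. The script below is an added example (not part of the original FAQ); file names and subjects are constructed, and the demo certificates are self-signed stand-ins for an issued certificate.

```sh
#!/bin/sh
# Added example, not from the original FAQ. File names and subjects are
# constructed; the demo certificates are self-signed stand-ins.

# spki_of KIND FILE: print the public key (PEM) of a cert, key or csr.
spki_of() {
  case "$1" in
    cert) openssl x509 -in "$2" -noout -pubkey ;;
    key)  openssl pkey -in "$2" -pubout ;;
    csr)  openssl req  -in "$2" -noout -pubkey ;;
    *)    return 2 ;;
  esac 2>/dev/null
}

# fingerprint KIND FILE: SHA-256 over the PEM public key. Fails on unreadable
# input so that two broken files can never compare as equal.
fingerprint() {
  local pem
  pem=$(spki_of "$1" "$2") || return 1
  [ -n "$pem" ] || return 1
  printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# same_key KIND_A FILE_A KIND_B FILE_B
# returns 0 = same key pair, 1 = mismatch, 2 = a file could not be read.
same_key() {
  local a b
  a=$(fingerprint "$1" "$2") || { echo "cannot read $1 file $2"; return 2; }
  b=$(fingerprint "$3" "$4") || { echo "cannot read $3 file $4"; return 2; }
  if [ "$a" = "$b" ]; then
    echo "match: $a"
    return 0
  fi
  echo "mismatch: $1=$a $3=$b"
  return 1
}

# new_pair DIR NAME: constructed key plus self-signed certificate for the demo.
new_pair() {
  openssl req -x509 -nodes -newkey rsa:2048 -days 1 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# Demo: the first comparison matches, the second pairs a certificate with the
# wrong key and reports a mismatch.
demo=$(mktemp -d)
new_pair "$demo" old.example.test
new_pair "$demo" new.example.test
same_key cert "$demo/old.example.test.crt" key "$demo/old.example.test.key"
same_key cert "$demo/old.example.test.crt" key "$demo/new.example.test.key"
rm -rf "$demo"
```

The same function accepts a CSR (`same_key csr request.pem key server.key`), which shows whether a key file is the one the request was generated with.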
Why did I receive a .ZIP folder with multiple files? |
After the successful validation of your order you will receive an e-mail with a .ZIP folder as an attachment.
The contained .Cert file is the actual certificate that you install as usual.
The .CA file is the file that contains the root certificate.
Depending on the platform used, the server may need a different file extension. If this is the case, you can simply rename the .CA file extension.
Then install the .CA file in the root certificates and, in case you use IIS, reboot. Then you simply need to check whether EuropeanSSL is set up in the list of installed root certificates.
I get the error message "Unsupported keysize" |
The mentioned error message appears due to an incorrect key length of the CSR you used.
Currently, a CSR may only be used with a key length equal to or higher than 2048 bit. Please create a new CSR and perform the order again.
How do I install my SSL certificate on the Apache web server ?|
How do I install my SSL certificate on IIS 7 (Windows Server 2008)|
Microsoft's server platform, Windows Server 2008, uses Internet Information Services (IIS) 7.0. The new version brings important changes with regard to the management of SSL certificates, especially in terms of setting up the certificates, which has become much easier in this release.
In addition to the known options for ordering SSL certificates, IIS 7 includes the ability to:
This article guides you through ordering a EuropeanSSL certificate and setting it up on IIS 7 / Windows Server 2008.
Creating the Certificate Signing Requests
The first step begins before the actual order, with creating a Certificate Signing Request (CSR). On IIS 7 that is very simple:
Explanation of terms:
Common Name: The host name for which you need a certificate.
Organization: The name of your company. Please enter the exact name, including the company type (GmbH, AG, etc.).
Organizational Unit: The department that manages and sets up the certificate.
City / Locality: Enter the location of the company's headquarters.
State/Province: Enter the state here.
Country/Region: Please enter the country code here.
After entering all information please click on "Next".
You can now use the newly created CSR to order your EuropeanSSL certificate.
Installation of the SSL certificate on IIS 7
To configure your new EuropeanSSL Certificate on IIS 7, first copy the file to your web server.
Note: Please note that use of the CSR generator is generally not possible in connection with the IIS web server, since it only accepts certificates for which the CSR was generated on the server itself.
If the server does not accept the CSR and certificate, please create a new request on the server and send the new CSR unformatted by email to EuropeanSSL.
We are happy to issue your certificate again with the new CSR. This service is free of charge.
Bind the certificate to a website
To set up an intermediate certificate on the IIS 7
The installation of the supplied intermediate certificate is important. If this certificate is not installed, the certificate chain is incomplete and the browser categorizes your certificate as invalid / untrusted.
Now click on "OK", then "Next" and then click "Finish" to complete the installation of the intermediate certificate.
It may be necessary to restart IIS 7. You can easily check whether the installation of the certificate was successful by going to the website with https instead of http.
How do I copy or transfer an SSL certificate from a Windows server to another Windows server?|
Copying an SSL certificate to another server may be necessary if you are running multiple servers and want to use a wildcard certificate. Exporting an SSL certificate is also very important if you change your hosting provider.
At this point we assume that you have your SSL certificate successfully installed on a Windows web server. The following instructions explain in three sections how to copy or transfer the installed certificate to another server.
Please note: This manual explains how to export an SSL certificate using the MMC console. If you use Windows Server 2008 (IIS 7), you can export the certificate directly in the "Server Certificates" area of IIS.
Export the certificate from the Windows MMC console
Import a certificate from the Windows MMC console.
After you have successfully exported your certificate, upload the created .pfx file directly to the new server.
Assign the imported SSL certificate.
After you have successfully imported the .pfx file, it needs to be assigned in IIS.
SSL Installation under Exim 4.x|
Below is a description of how to set up the SSL certificate. This assumes that the certificate and the private key already exist on the server:
Please place the files in the corresponding directories:
/etc/ssl.key/example.com.key
/etc/ssl.crt/example.com.crt
If you have met the above-mentioned basic requirements, you can begin:
How do I generate a CSR under OpenSSL?|
Below is a description of how to generate a Certificate Signing Request (CSR) with OpenSSL.
Call the openssl program from the command prompt:
openssl req -nodes -new -newkey rsa:2048 -out csr.pem
This creates a private key and a corresponding certificate request. The following output now appears on your screen:
# Generating a 2048 bit RSA private key
# ...............................................++++++
# ............................++++++
# writing new private key to 'privkey.pem'
# You are about to be asked to enter information that will be incorporated
# into your certificate request.
# What you are about to enter is what is called a Distinguished Name or a DN.
# There are quite a few fields but you can leave some blank
# For some fields there will be a default value,
# If you enter '.', the field will be left blank.
After that you are asked questions about the registration information.
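The prompts can be skipped by passing the subject on the command line, and the resulting request can be checked locally against the rejection reasons this FAQ lists ("The CSR cannot be decoded or is invalid", "Unsupported keysize"). The script below is an added example, not part of the original FAQ; the subject values, host name and file names are constructed placeholders, and -keyout is set explicitly instead of relying on the default privkey.pem.

```sh
#!/bin/sh
# Added example, not from the original FAQ. Subject values, host names and
# file names are constructed placeholders.

# make_csr BITS SUBJECT DIR: write DIR/privkey.pem and DIR/csr.pem without prompts.
make_csr() {
  openssl req -nodes -new -newkey "rsa:$1" -subj "$2" \
    -keyout "$3/privkey.pem" -out "$3/csr.pem" 2>/dev/null &&
    chmod 400 "$3/privkey.pem"   # the key stays on the server, owner read-only
}

# csr_key_bits CSR: print the public key size in bits.
csr_key_bits() {
  openssl req -in "$1" -noout -text 2>/dev/null |
    sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# csr_subject CSR: print the subject in RFC 2253 form, e.g. "CN=...,O=...,C=DE".
csr_subject() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
    sed 's/^subject= *//'
}

# check_csr CSR: print one line per finding; return 0 only when there are none.
check_csr() {
  local csr="$1" bits subj rc=0
  # Some OpenSSL releases exit 0 on a failed verification, so test the message.
  if ! openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK'; then
    echo "CSR cannot be decoded or its signature is invalid"
    return 1
  fi
  bits=$(csr_key_bits "$csr")
  if [ "${bits:-0}" -lt 2048 ]; then
    echo "unsupported key size: ${bits:-unknown} bit (minimum 2048)"
    rc=1
  fi
  subj=$(csr_subject "$csr")
  if ! printf '%s\n' "$subj" | grep -Eq '(^|,)C=[A-Za-z][A-Za-z](,|$)'; then
    echo "missing Country (2 character code)"
    rc=1
  fi
  if ! printf '%s\n' "$subj" | grep -Eq '(^|,)CN=[^,]'; then
    echo "missing Common Name"
    rc=1
  fi
  return "$rc"
}

# Demo: generate a 2048-bit request for a constructed host name and check it.
demo_dir=$(mktemp -d)
make_csr 2048 "/C=DE/O=Example GmbH/CN=www.example.test" "$demo_dir" &&
  check_csr "$demo_dir/csr.pem" && echo "CSR passes the pre-submission checks"
rm -rf "$demo_dir"
```

A request damaged by copy and paste, such as a stray '!' in the encoded body, fails the first check because openssl can no longer decode it.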
We've installed Windows Server 2003 / Windows XP and get the following error: The integrity of this certificate cannot be guaranteed. The certificate may be corrupted or may have been altered.|
For Windows XP you have to install Service Pack 3. For Windows Server 2003 you have to install two hotfixes which will fix this error. Please refer to the following link to fix this issue: http://blogs.technet.com/b/pki/archive/2010/09/30/sha2-and-windows.aspx.
How to install a certificate on a Java Based Web Servers (Tomcat) using keytool?|
Installing SSL Certificate Chain (Root, Intermediate(s) and the End Entity)
1. Import Root Certificate
-> keytool -import -trustcacerts -alias AddTrustExternalCARoot -file AddTrustExternalCARoot.crt -keystore domain.keystore
2. Import Intermediate(s)
-> keytool -import -trustcacerts -alias intermediate_filename -file intermediate_filename.crt -keystore domain.keystore
Note: Depending on the type of certificate that was purchased, there may be more than one Intermediate certificate in the chain of trust. Please install all intermediates in numerical order until you get to the domain/end entity certificate.
3. Import Entity/Domain certificate
-> keytool -import -trustcacerts -alias mykey -file yourDomainName.crt -keystore domain.keystore
If successful, you should receive the message: Certificate reply was installed in keystore. It should NOT match the output of Step 1 or 2 above.
Note: If an alias was specified upon creation of the CSR then please use that alias instead of mykey.
4. Restart the Web Server Service.
Note: Tomcat will first need an SSL Connector configured before it can accept secure connections. Please ensure this is set BEFORE the server is restarted.
Tomcat SSL Connector
Please read this before proceeding: Java Based (Tomcat) Web Servers (using keytool)
Tomcat will first need a SSL Connector configured before it can accept secure connections.
Note: By default Tomcat will look for your Keystore with the file name .keystore in the CATALINA_HOME directory with the default password 'changeit'.
Commonly found CATALINA_HOME Directories
Unix, Linux or *nix -- /etc/tomcat5.5
Windows -- C:\Program Files\Apache Software Foundation\Tomcat 5.5\
It is possible to change the file name, password, and even location that Tomcat looks for the keystore. If you need to do this, pay special attention to #8 of Option 2 or #5 of Option 1 below.
Option 1 -- Configure the SSL Connector in server.xml:
1. Copy your keystore file (your_domain.key or your_domain.pfx) to the home directory (see the Note above)
2. Open the file Home_Directory/conf/server.xml in a text editor
3. Un-comment the 'SSL Connector' Configuration
4. Make sure that the 'Connector Port' is 443
5. If your keystore filename is something other than the default file name (.keystore) and/or your keystore password is something other than default ('changeit') then you will need to specify the correct keystore filename and/or password in your connector configuration -- ex. keystorePass="newpassword". When you are done your connector should look something like this:
To use a JKS (Java Key Store) file:
To use a PFX/P12 (PKCS#12) file:
6. Save the changes to server.xml
Note: You may need to comment out the following line:
Note2: You may also need to set SSLEnabled="true" on the Connector in order for the SSL connection to work or else an HTTP only connection may be made. However, this is often not required.
7. Restart Tomcat
Please remember all Connector arguments are case sensitive!
Option 2 -- Add an SSL Connector using admintool:
1. Start Tomcat
2. Enter 'http://localhost:8080/admin' in a local browser to start admintool
3. Type a username and password with administrator rights
4. On the left select 'Service' (Java Web Services Developer Pack)
5. Select 'Create New Connector' from the drop-down list on the right
6. Choose 'HTTPS' in the 'Type' field
7. In the 'Port' field, enter '443'. This defines the TCP/IP port number on which Tomcat will listen for secure connections
8. Enter the Keystore Name and Keystore Password if (a.) your keystore is named something other than .keystore, (b.) if .keystore is located in a directory other than the home directory of the machine on which Tomcat is running, or if (c.) the password is something other than the default value of 'changeit'. If you have used the default values, you can leave these fields blank.
9. Select 'Save' to save the new Connector
10. Select 'Commit Changes' to save the new Connector information to the server.xml file so that it is available the next time Tomcat is started