What is SSL? SSL Certificate Basics
Overview
What is SSL? SSL is an acronym for Secure Sockets Layer, an encryption technology that
was created by Netscape. SSL creates an encrypted connection between your web
server and your visitors' web browser allowing for private information to be
transmitted without the problems of eavesdropping, data tampering, or message
forgery.
To enable SSL on a website, you will need to get an SSL Certificate that identifies you
and install it on the server. The use of an SSL certificate on a website is usually indicated
by a padlock icon in web browsers but it can also be indicated by a green address bar.
Once you have done the SSL install, you can access a site securely by changing the URL
from http:// to https://. When an SSL certificate is installed on a website, you can be
sure that the information you enter (contact or credit card information), is secured and
only seen by the organization that owns the website.
Millions of online businesses use SSL certificates to secure their websites and allow their
customers to place trust in them. In order to use the SSL protocol, a web server requires
the use of an SSL certificate. SSL certificates are provided by Certification Authorities
(CAs).
Why do I need SSL?
If you are transmitting sensitive information on a web site, such as credit card numbers
or personal information, you need to secure it with SSL encryption. It is possible for
every piece of data to be seen by others unless it is secured by an SSL certificate.
Your customers won't trust your web site without an SSL certificate. According to
Gartner Research, nearly 70 percent of online shoppers have terminated an online order
because they did not "trust" the transaction. In those cases, 64 percent indicated that
the presence of a trust mark would have likely prevented the termination. An SSL
certificate and a site seal could stop people from abandoning your website, which
means more money for you.
What is a certificate authority (CA)?
A certificate authority is an entity which issues digital certificates to organizations or
people after validating them. Certification authorities have to keep detailed records of
what has been issued and the information used to issue it, and are audited regularly to
make sure that they are following defined procedures. Every certification authority
provides a Certification Practice Statement (CPS) that defines the procedures that will
be used to verify applications. There are many commercial CAs that charge for their
services (VeriSign, for example). Institutions and governments may have their own CAs,
and there are also free Certificate Authorities.
Every certificate authority has different products, prices, SSL certificate features, and
levels of customer satisfaction. Read our certificate authority reviews to find the best
provider to purchase from.
How do SSL Certificates compare between certificate authorities?
Verisign certificates are better because they cost so much more, right? Not necessarily.
You can get a certificate for $100 that does that exact same thing as a certificate sold
for $800 from another certificate authority. It is the exact same SSL encryption.
Why the difference? Trust is the biggest difference. Since VeriSign has been around for
longer than other certificate authorities, more people trust them so they can charge
more. You are essentially paying for the brand.
What is browser compatibility?
The certificate that you purchase to secure your web site must be digitally signed by
another certificate that is already in the trusted store of your user's web browsers. By
doing this, the web browser will automatically trust your certificate because it is issued
by someone that it already trusts. If it isn't signed by a trusted root certificate, or if links
in the certificate chain are missing, then the web browser will give a warning message
that the web site may not be trusted.
So browser compatibility means that the certificate you buy is signed by a root
certificate that is already trusted by most web browsers that your customers may be
using. Unless otherwise noted, the certificates from all major certificate providers listed
on SSL Shopper are compatible with 99% of all browsers. For more details about a
specific certificate provider, see SSL Certificate Compatibility.
How many domain names can I secure?
Most SSL server certificates will only secure a single domain name or sub-domain. For
example, a certificate could secure www.yourdomain.com or mail.yourdomain.com but
not both. The certificate will still work on a different domain name but the web browser
will give an error anytime it sees that the address in the address bar doesn't match the
domain name (called a common name) in the certificate. If you need to secure multiple
sub-domains on a single domain name, you can buy a wildcard certificate. For a wildcard
certificate, a common name of *.yourdomain.com would secure www.yourdomain.com,
mail.yourdomain.com, secure.yourdomain.com, etc... There are also special certificates
such as Unified Communications (UC) certificates for Microsoft Exchange Server 2007
that can secure several different domain names in one certificate.
What is a site seal?
A site seal is a logo that you can display on your web site that verifies that you have
been validated by a particular certificate provider and are using their SSL certificate to
secure your site. It can be displayed on secure and non-secure pages and is most
appropriate on pages where customers are about to enter their personal information
such as a shopping cart page but they can be displayed on every page to help build trust.
Every certificate authority's site seal is different and some look more professional so you
should consider what the site seal looks like in order to maximize customer trust.
SSL Certificate Features
There are many different types of certificates and many different SSL certificate
features that you may need to understand in order to purchase the right SSL
certificate. The most critical distinction to make is whether you need a high
assurance certificate, a low assurance certificate, or an EV certificate.
What is a high assurance certificate?
A high assurance certificate is the normal type of certificate that is issued. There are
two things that must be verified before you can be issued a high assurance
certificate: ownership of the domain name and valid business registration. Both of
these items are listed on the certificate so visitors can be sure that you are who you
say you are. Because it requires manual validation, high assurance certificates can
take an hour to a few days to be issued.
What is a low assurance/domain-validated certificate?
A low assurance/domain-validated certificate is a certificate that only includes your
domain name in the certificate (not your business or organization name). Certificate
authorities usually can automatically verify that you own the domain name by
checking the WHOIS record. They can be issued instantly and are cheaper but, as
the name implies, they provide less assurance to your customers.
What is an EV (Extended Validation) certificate?
An EV certificate is a new type of certificate that is designed to prevent phishing
attacks. It requires extended validation of your business and authorization to order
the certificate and can take a few days to a few weeks to receive. It provides even
greater assurance to customers than high assurance certificates by making the
address bar turn green. Learn more about EV Certificates and compare the cheapest
ones.
What is a wildcard certificate?
A wildcard certificate can secure an unlimited number of first level sub domains on a
single domain name. For example, you could get a wildcard certificate with
*.yourdomain.com as the common name. This certificate would secure
www.yourdomain.com, mail.yourdomain.com, secure.yourdomain.com,
anything.yourdomain.com, etc... In other words, it will work on any sub-domain that
replaces the wildcard character (*).
What is an SGC Certificate?
SGC SSL Certificates enable older browsers to connect to a site using 128-bit
encryption even if the normal browser encryption rate is 40-bit. They usually cost
significantly more and are only available from certain vendors. However, there are
several strong arguments against using SGC SSL Certificates. Essentially, the
percentage of people using web browsers that would benefit from an SGC certificate
is less than 1% because all browsers released since the year 2000 have been
capable of using strong crypto without needing SGC certificates. In addition, by using
an SGC certificate on your site, you are encouraging your visitors to use old,
insecure browsers which have many more security flaws than newer browsers. Read
Say No To SGC SSL Certificates for more information.
What is a Chain Certificate, Intermediate Certificate, Root Certificate, etc…?
A certificate authority issues certificates in the form of a tree structure. A root
certificate is the top-most certificate of the tree. All certificates below the root
certificate inherit the trustworthiness of the root certificate. Many software
applications, such as web browsers, include certain root certificates that are
automatically deemed trustworthy. Any certificate signed by a trusted root certificate
will also be trusted. In turn, the signed certificate can sign another certificate and it
will also be trusted as long as the browser has all of the certificates in the chain to
link it up to a trusted root certificate.
Any certificate in between your certificate and the root certificate is called a chain or
intermediate certificate. These must be installed to the web server with the primary
certificate for your web site so that users' browsers can link your certificate to a
trusted authority. Most certificate authorities use intermediate certificates for
security purposes and most web servers and devices support them.
What is a warranty?
The warranty that you get when you purchase an SSL certificate ($10,000,
$250,000, etc...) can be misleading. It is not a warranty to the purchaser but rather
to the end users who use a site secured by an SSL certificate. Basically, if you, the
purchaser, turn out to be fraudulent and a user of your web site loses money
because the certificate authority didn't properly validate you, then the certificate
authority will compensate the end user. This practically never happens! It is
therefore not very important how big the warranty is when you buy an SSL
certificate. Certain certificate authorities have slightly different policies on warranties
that you may wish to look into.
What is a Scalable SSL Certificate?
All certificate authorities now issue scalable certificates. Certificates can be used at
low encryption rates (40 bit encryption), normal encryption rates (128 bit
encryption), or even higher encryption rates (usually up to 256 bit encryption)
depending on what the users web browser and the web server support. The term
"scalable SSL Certificate" is just marketing hype.
How To Order An SSL Certificate
Ordering an SSL certificate can be as simple as pie or it can make you want to pull
your hair out. If you prepare to order an SSL certificate by creating a CSR and
preparing your WHOIS record and company validation documents, you can make the
process much easier to deal with. The process of ordering a certificate goes
something like this:
1. Prepare by getting your server set up and getting your WHOIS record updated, etc.
2. Generate the CSR on the server
3. Submit the CSR and other info to the Certification Authority
4. Have your domain and company validated
5. Receive and install the issued certificate
What do I need to have before buying an SSL certificate?
A unique IP address. Because of the way that the SSL protocol was set up, you will
need a separate IP address for each certificate that you want to use.
If you have multiple subdomains on one IP address, you can secure them with a
Wildcard SSL Certificate. If you have multiple different domain names on one IP
address, you can secure them with a UC Certificate. You will need to set up SSL Host
Headers to do this.
A CSR. A certificate signing request or CSR is a piece of text that must be generated
on your web server before ordering the SSL certificate. The certificate authority will
use the information contained in the CSR (Organization name, domain name, public
key, etc...) to create your certificate.
Correct contact information in WHOIS record. When you purchase a certificate
for a particular domain name, the certificate authority needs to ensure that you own
the domain name that you are getting the certificate for and that you are authorized
to order the certificate. This is primarily done by making sure that the WHOIS record
(the ownership and contact information associated with each domain name) matches
the company name and address that is submitted with the certificate order. Some
CAs will call the phone number listed in the WHOIS record and many will send an
email to the address listed there so make sure you have the correct information
listed. You can check the WHOIS record for your domain name here.
Business/Organization validation documents. If you are buying a high assurance
certificate, your business must also be validated. Certificate authorities
often check government databases online to verify that your company is registered
but they may still need you to send in a government registration document if they
can't find your business. Each certificate authority has slightly different requirements
for validation. If you want to check whether your company is correctly listed and
active with your government, try using one of these online searches.
How long does it take to get my certificate?
How quickly you get your certificate depends on what type of certificate you get and
which certificate provider you get it from. If you get a domain-validated only
certificate you will receive it within a few minutes. If you get a normal,
organization-validated certificate, you may receive it within an hour to a few
days after you submit all the documentation. If you get an extended validation
certificate (EV), you may wait several days to a few weeks while the validation
takes place before you get the certificate.
What is a CSR (Certificate Signing Request)?
What is a CSR? A CSR or Certificate Signing request is a block of encrypted text
that is generated on the server that the certificate will be used on. It contains
information that will be included in your certificate such as your organization name,
common name (domain name), locality, and country. It also contains the public key
that will be included in your certificate. A private key is usually created at the same
time that you create the CSR.
A certificate authority will use a CSR to create your SSL certificate, but it does not
need your private key. You need to keep your private key secret. What is a CSR and
private key good for if someone else can potentially read your communications? The
certificate created with a particular CSR will only work with the private key that was
generated with it. So if you lose the private key, the certificate will no longer work.
What is contained in a CSR?
Name: Explanation (Examples)

Common Name: The fully qualified domain name (FQDN) of your server. This must match
exactly what you type in your web browser or you will receive a name mismatch
error. Examples: *.google.com, mail.google.com
Organization: The legal name of your organization. This should not be abbreviated
and should include suffixes such as Inc, Corp, or LLC. Example: Google Inc.
Organizational Unit: The division of your organization handling the certificate.
Examples: Information Technology, IT Department
City/Locality: The city where your organization is located. Example: Mountain View
State/County/Region: The state/region where your organization is located. This
shouldn't be abbreviated. Example: California
Country: The two-letter ISO code for the country where your organization is
located. Examples: US, GB
Email address: An email address used to contact your organization. Example:
webmaster@google.com
Public Key: The public key that will go into the certificate. The public key is
created automatically.
What is a CSR's format?
Most CSRs are created in the Base-64 encoded PEM format. This format includes the
"-----BEGIN CERTIFICATE REQUEST-----" and "-----END CERTIFICATE REQUEST-----" lines at
the beginning and end of the CSR, with the Base-64 text of the request between them. A
PEM format CSR can be opened in a text editor.
How do I generate a CSR and private key?
You need to generate a CSR and private key on the server that the certificate will be
used on. You can find instructions in your server documentation or try the
instructions from one of these certificate authorities:
Comodo CSR Generation Instructions
DigiCert CSR Generation Instructions
GeoTrust CSR Generation Instructions
Thawte CSR Generation Instructions
VeriSign CSR Generation Instructions
If you are familiar with OpenSSL you can use the following command to generate a
CSR and private key:
openssl req -new -keyout server.key -out server.csr
How do I decode a CSR?
You can easily decode your CSR to see what is in it by using our CSR Decoder. In
order to decode a CSR on your own machine using OpenSSL, use the following
command:
openssl req -in server.csr -noout -text
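Both commands above need OpenSSL on the machine. As an added illustration (not from the original page or any CA's tooling), the following Python builds a sample PEM CSR carrying the subject values from the table above, with zero-filled placeholder key and signature, and then decodes it the way the decode command does: strip the armor, Base-64 decode, and walk the DER down to the subject. The decoding half works on the subject of a real CSR as well; the OID names, field order and sample values are taken from the table, everything else is constructed.

```python
import base64
import re

# Subject attribute OIDs for the fields in the "What is contained in a CSR" table.
OID_NAMES = {"2.5.4.3": "Common Name", "2.5.4.6": "Country", "2.5.4.7": "City/Locality",
             "2.5.4.8": "State/County/Region", "2.5.4.10": "Organization",
             "2.5.4.11": "Organizational Unit", "1.2.840.113549.1.9.1": "Email address"}

# Constructed sample subject using the table's example values, in the
# C, ST, L, O, OU, CN, emailAddress order that "openssl req" writes.
SAMPLE_FIELDS = [("2.5.4.6", "US"), ("2.5.4.8", "California"), ("2.5.4.7", "Mountain View"),
                 ("2.5.4.10", "Google Inc."), ("2.5.4.11", "Information Technology"),
                 ("2.5.4.3", "mail.google.com"), ("1.2.840.113549.1.9.1", "webmaster@google.com")]

# --- minimal DER encoder, used only to build the sample CSR inline ---
def der_len(n):                              # short form below 128, long form above
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:                      # base-128, high bit = "more follows"
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def build_sample_csr_pem(fields):
    """PEM CSR whose subject is `fields`. Key and signature are zero placeholders:
    constructed for parsing practice only, not a request a CA would accept."""
    rdns = b"".join(tlv(0x31, tlv(0x30, encode_oid(oid) + tlv(0x0C, v.encode())))
                    for oid, v in fields)
    subject = tlv(0x30, rdns)                # Name ::= SEQUENCE OF RDN (SET)
    rsa = tlv(0x30, encode_oid("1.2.840.113549.1.1.1") + tlv(0x05, b""))
    spki = tlv(0x30, rsa + tlv(0x03, b"\x00" * 17))             # placeholder key
    info = tlv(0x30, tlv(0x02, b"\x00") + subject + spki + tlv(0xA0, b""))
    sig_alg = tlv(0x30, encode_oid("1.2.840.113549.1.1.11") + tlv(0x05, b""))
    der = tlv(0x30, info + sig_alg + tlv(0x03, b"\x00" * 17))   # placeholder sig
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE REQUEST-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE REQUEST-----\n")

# --- decoder: the Subject that "openssl req -in server.csr -noout -text" prints ---
def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content):
    """Split a constructed element's content into (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out

def decode_oid(body):
    parts, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))

def decode_csr_subject(pem):
    """Strip the PEM armor, Base-64 decode, and walk the DER down to the subject;
    returns a list of (field name, value) pairs."""
    m = re.search(r"-----BEGIN CERTIFICATE REQUEST-----(.*?)"
                  r"-----END CERTIFICATE REQUEST-----", pem, re.S)
    if m is None:
        raise ValueError("not a PEM certificate request")
    der = base64.b64decode("".join(m.group(1).split()))
    _, request, _ = read_tlv(der, 0)         # CertificationRequest
    info = children(request)[0][1]           # CertificationRequestInfo
    version, subject = children(info)[0], children(info)[1]
    if version != (0x02, b"\x00"):
        raise ValueError("unsupported CSR version")
    fields = []
    for _, rdn in children(subject[1]):      # SET OF AttributeTypeAndValue
        for _, atv in children(rdn):
            (_, oid_body), (_, value) = children(atv)[:2]
            oid = decode_oid(oid_body)
            fields.append((OID_NAMES.get(oid, oid), value.decode("utf-8")))
    return fields
```

`build_sample_csr_pem(SAMPLE_FIELDS)` returns the PEM text, and `decode_csr_subject` on that text gives back the seven table fields in order.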
How do I know if I did the SSL install correctly?
You can easily see if you did the SSL Certificate installation correctly by entering the
hostname in the following box and clicking "Check SSL". Our SSL Checker will show
you the certificate that is installed and tell you if there are any SSL install problems.
What is an Intermediate certificate and how do I install it?
Any certificate in between your certificate and the root certificate is called a chain or
intermediate certificate. These must be installed to the web server with the primary
certificate for your web site so that users' browsers can link your certificate to a
trusted authority. Most certificate authorities use intermediate certificates for
security purposes and most web servers and devices support them. To find out more
about Intermediate certificates and why most providers require them for SSL
Certificate installation, see Extinction of Unchained SSL Certificates.
How do I install a wildcard certificate?
A wildcard certificate is installed the exact same way that a normal certificate is
installed. The only difference is the * character in the common name field. Nothing
extra is needed to install the certificate on the server.
What is reissuing a certificate?
If you need to create a new certificate based on a new private key, you will need to
reissue it. By reissuing you can install the certificate on a new server without moving
your private key or replace your certificate if your private key is lost or stolen. Most
certificate authorities offer free reissues but some are more flexible than others. In
order to reissue your certificate you will just need to create a new CSR, reissue with
your certificate provider, and install the new certificate.
Do I have to buy a new certificate if my server crashes?
No. Most certificates authorities allow you to reissue the certificate with a new
private key if you lose the current one. Still, it is a very good idea to backup your
certificate and private key.
How do I backup my private key?
Without your private key, your digital certificate is useless. It isn't possible to
recover a private key once it is lost. The certificate authority that creates the
certificate never sees your private key, so they can't help you if you lose it. If you do
lose your private key you can create a new one and reissue the certificate. You can
backup the SSL certificate using our SSL Certificate Import/Export/Move
Instructions.
There are several problems that can occur when ordering, installing and using a
certificate. Here are some common SSL certificate errors and how to fix them.
Why does the website say the SSL certificate is untrusted?
If a browser says that a certificate is untrusted it means that it isn't signed by a
trusted root certificate or that it can't link the certificate to a trusted root certificate.
If your certificate is signed by a major certificate authority then it just means one of
the chain certificates in between yours and the root is not installed on the web
server. You can view the certificate's chain or certification path by viewing the
certificate details in Internet Explorer and clicking on the Certification Path tab.
If you have any problems installing the chain certificates, contact your certificate
authority for specific instructions. For more information, read about certificate not
trusted errors.
Why does the secure part of the website say the name on the security certificate is
invalid or does not match the name of the site?
This error indicates that the common name (domain name) in the SSL certificate
doesn't match the address that is in the address bar of the browser. For example, if
the certificate is for www.paypal.com and you access the site without the "www"
(https://paypal.com), you will get this SSL certificate name error. Learn more about
the name mismatch error.
This page contains both secure and nonsecure items
This is a common error that occurs when some element on a secure web page (one
that is loaded with https:// in the address bar) is not being loaded from a secure
source. This usually occurs with images, frames, and JavaScripts. The simplest way
to fix this is to change all links to images and such to https.
Just open up the offending web page and search for http://. Change the references
to https://:
<img src="https://www.domain.com/image.gif" alt="" />
Alternatively, if the images or scripts are located on the same domain, you can
access them relatively, rather than absolutely:
<img src="image.gif" alt="" />
SSL Certificate Name Mismatch Error
"The security certificate presented by this website was
issued for a different website's address."
The name mismatch error indicates that the common name (domain name) in the
SSL certificate doesn't match the address that is in the address bar of the browser.
For example, if the certificate is for www.paypal.com and you access the site
without the "www" (https://paypal.com), you will get this SSL certificate name
error. If you aren't the website administrator you will want to always access the site
with the full name (usually include the "www." before the domain name) or ask the
website owner to fix the problem.
If you are the website administrator, you will usually want to forward all traffic
without the "www" to an address with the "www" and get an SSL certificate with the
"www" in the common name. That way you will completely avoid the name mismatch
error. Some certificate authorities get around this problem by issuing a certificate
with SANs. So you can get a certificate for paypal.com and include a SAN of
www.paypal.com so you don't get a name mismatch error. Another common reason
for this error is if you are accessing a server using an internal name when the SSL
certificate on it just has the public name on it. In this situation you can get a UC
certificate that has both the external public name and the internal server name in the
certificate. You can verify whether you will get a name mismatch error by using our
SSL Checker.
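As an added example (not from the original page), here is the name check a browser performs before raising this error, in Python, run over the cases discussed in this section and in the wildcard certificate section: a single-name certificate, a wildcard that covers exactly one label, the www versus bare-domain case, a SAN certificate, and a UC certificate carrying an internal name. The hostnames are the page's own except mail.example.com and mailserver.internal, which are constructed placeholders.

```python
def accepted_names(common_name, sans=()):
    """Names the browser checks the address bar against. When the certificate
    carries Subject Alternative Names (SANs), current browsers use those and
    ignore the common name, which is why CAs repeat the common name as a SAN."""
    return list(sans) if sans else [common_name]

def name_matches(pattern, hostname):
    """Case-insensitive exact match, or a wildcard match where '*' is the whole
    leftmost label and stands for exactly one label: '*.yourdomain.com' covers
    www.yourdomain.com but not yourdomain.com or a.b.yourdomain.com."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:      # no 'w*.x.y', no '*.com'
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def check_hostname(hostname, common_name, sans=()):
    """Return (ok, matched_name); ok=False is the browser's name mismatch error."""
    for name in accepted_names(common_name, sans):
        if name_matches(name, hostname):
            return True, name
    return False, None

def explain(hostname, common_name, sans=()):
    ok, name = check_hostname(hostname, common_name, sans)
    if ok:
        return f"{hostname}: OK (matches {name})"
    valid_for = ", ".join(accepted_names(common_name, sans))
    return f"{hostname}: name mismatch error, certificate is only valid for: {valid_for}"

# Constructed cases: (address bar hostname, certificate common name, SANs).
CASES = [
    ("mail.yourdomain.com", "www.yourdomain.com", ()),     # single-name certificate
    ("www.yourdomain.com", "*.yourdomain.com", ()),        # wildcard covers one label
    ("yourdomain.com", "*.yourdomain.com", ()),            # but not the bare domain
    ("dlm.myherbalife.com", "*.dlm.myherbalife.com", ()),  # wildcard one level too deep
    ("dlm.myherbalife.com", "*.myherbalife.com", ()),      # the corrected wildcard
    ("paypal.com", "www.paypal.com", ()),                  # bare domain vs www
    ("paypal.com", "paypal.com", ("paypal.com", "www.paypal.com")),   # SAN certificate
    ("mailserver.internal", "mail.example.com",
     ("mail.example.com", "mailserver.internal")),         # UC certificate, placeholders
]

def run_cases():
    """Outcome of each constructed case: True = accepted, False = mismatch error."""
    return [check_hostname(host, cn, sans)[0] for host, cn, sans in CASES]

if __name__ == "__main__":
    for host, cn, sans in CASES:
        print(explain(host, cn, sans))
```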
Most web browsers make it clear that you shouldn't just continue when you
receive this error. This is because, while most of the time it doesn't, it could
indicate that a phisher is trying to pass a website off as a legitimate site. You
shouldn't have to continue through this error message on legitimate web sites.
This error is often phrased differently depending on the web browser. These are
some common ways the name mismatch error is stated in other browsers:
Different name mismatch errors in different web browsers
Web browser: Error message
Internet Explorer 6: "The name on the security certificate is invalid or does not
match the name of the site"
Internet Explorer 7: "The security certificate presented by this website was issued
for a different website's address."
Firefox 2: "You have attempted to establish a connection with "www.paypal.com".
However, the security certificate presented belongs to
"paypal.com.phishingsite.com". It is possible, though unlikely, that someone may be
trying to intercept your communication with this web site. If you suspect the
certificate shown does not belong to "www.paypal.com", please cancel the connection
and notify the site administrator."
Firefox 3: "www.phishingsite.com uses an invalid security certificate. The
certificate is only valid for: www.paypal.com"
Safari 3: "This certificate is not valid (host name mismatch)"
Posted on November 06, 2008
Robert
Posts: 1
Re: certificate error mismatch : IE 7
Reply #2 on : Sat April 11, 2009, 22:54:36
Hi Mary,
It looks like you have a certificate for *.dlm.myherbalife.com. That is why you get an
error when you access it with dlm.myherbalife.com. You will need to change the
common name in the certificate to *.myherbalife.com to get rid of the error. Talk to
your certificate provider (GeoTrust) about how to do this.
Mary Sylvia.S
Posts: 1
certificate error mismatch : IE 7
Reply #1 on : Sat April 11, 2009, 01:00:12
Internet Explorer 7 "The security certificate presented by this website was issued for
a different website's address."
I'm not getting the SECURITY ALERT screen; previously I used to get it and when I clicked
yes, it would go to the secured page.
Now my problem with the certificate error is: originally the certificate was issued to
"*.myherbalife.com" (Equifax) and now I tried to connect to "dlm.myherbalife.com"
and that is when I get this error.
help me to clear this error.
SSL Certificate Not Trusted Error
"The security certificate presented by this website was
not issued by a trusted certificate authority."
The certificate not trusted error indicates that the SSL certificate is not signed or
approved by a company that the browser trusts. This occurs most often for one of
the following reasons:
- The web site is using a self-signed certificate. Self-signed certificates can be
  generated for free but they don't provide as much trust as a commercial
  certificate. You can tell your browser to trust the self-signed certificate or you
  can buy (or ask the site owner to buy) a trusted SSL certificate from a
  certification authority.
- The web site is using a free SSL Certificate. Free SSL Certificates are issued by
  a couple of free certificate authorities but their Root Certificate must be
  manually imported to each browser to get rid of this error.
- The web site is using a trusted SSL certificate but it is missing a
  chain/intermediate certificate. Most trusted certificates require that you install
  at least one other intermediate/chain certificate on the server to link your
  certificate up to a trusted source.
The last option is a very common one. For example, if PayPal installed their server
certificate for www.paypal.com without installing VeriSign's Class 3 Extended
Validation SSL SGC CA intermediate certificate, a web browser would give the
certificate not trusted error.
Occasionally, certain browsers will give this error when others do not. For example,
Microsoft Internet Explorer can automatically download intermediate certificates the
first time you visit a site that needs one while Firefox cannot. Once a trusted
certificate is installed properly, all browsers will work without getting this
error. You can verify whether the certificate will get a certificate not trusted error by
using our SSL Checker. The SSL checker uses the latest roots included in Mozilla's
Firefox to determine if a certificate is trusted. For specific compatibility of your
certificate, see SSL certificate compatibility.
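As an added illustration (not from the page) of the chain linking described here and in the Chain Certificate section above, this Python reduces each certificate to its subject and issuer names, with no signature checking, and walks from the server certificate up to the root store the way a browser does. It covers the missing intermediate, a browser that downloads the intermediate itself, the intermediate installed on the server, and a self-signed certificate. The intermediate name is the one quoted above; the root and intranet names are placeholders.

```python
from collections import namedtuple

# A certificate reduced to the two names that matter for linking a chain.
Cert = namedtuple("Cert", "subject issuer")

def build_chain(leaf, server_sent, trusted_roots, fetchable=()):
    """Link `leaf` up to a trusted root the way a browser does.

    server_sent   -- certificates the web server delivered along with the leaf
    trusted_roots -- the browser's root store
    fetchable     -- intermediates the browser is able to download on its own
                     (some browsers do this, others do not, hence differing errors)
    Returns ("trusted", path) or ("untrusted", reason, partial_path)."""
    roots = {c.subject: c for c in trusted_roots}
    by_subject = {c.subject: c for c in server_sent}
    downloadable = {c.subject: c for c in fetchable}
    path, current, seen = [leaf], leaf, {leaf.subject}
    while True:
        if current.issuer in roots:                  # linked up to a trusted root
            root = roots[current.issuer]
            return "trusted", path if root.subject == current.subject else path + [root]
        if current.issuer == current.subject:        # self-signed, not in the root store
            return "untrusted", "self-signed certificate is not trusted", path
        nxt = by_subject.get(current.issuer) or downloadable.get(current.issuer)
        if nxt is None:                              # chain/intermediate certificate absent
            return "untrusted", f"missing intermediate: {current.issuer}", path
        if nxt.subject in seen:
            return "untrusted", "certificate loop", path
        seen.add(nxt.subject)
        path.append(nxt)
        current = nxt

# Constructed sample modelled on the PayPal example above: the intermediate name is
# the one the page quotes, the root and intranet names are placeholders.
ROOT = Cert("VeriSign root CA (placeholder name)", "VeriSign root CA (placeholder name)")
INTERMEDIATE = Cert("VeriSign Class 3 Extended Validation SSL SGC CA", ROOT.subject)
LEAF = Cert("www.paypal.com", INTERMEDIATE.subject)
SELF_SIGNED = Cert("intranet.example", "intranet.example")

def scenarios():
    """The situations described above, as (label, result) pairs."""
    return [
        ("only the server certificate installed, browser cannot fetch",
         build_chain(LEAF, [LEAF], [ROOT])),
        ("only the server certificate installed, browser fetches the intermediate",
         build_chain(LEAF, [LEAF], [ROOT], fetchable=[INTERMEDIATE])),
        ("server certificate plus intermediate installed",
         build_chain(LEAF, [LEAF, INTERMEDIATE], [ROOT])),
        ("self-signed certificate", build_chain(SELF_SIGNED, [SELF_SIGNED], [ROOT])),
        ("self-signed certificate after the user chose to trust it",
         build_chain(SELF_SIGNED, [SELF_SIGNED], [ROOT, SELF_SIGNED])),
    ]

if __name__ == "__main__":
    for label, result in scenarios():
        if result[0] == "untrusted":
            print(f"{label}: untrusted ({result[1]})")
        else:
            print(f"{label}: trusted via {' -> '.join(c.subject for c in result[1])}")
```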
How to Fix The Untrusted Error
To fix this error, you will need to install one or more intermediate/chain certificates
onto the web server. If you have any questions about how to do this, contact your
certificate authority or follow their SSL certificate installation instructions listed
below:
Certificate provider    Links to installation instructions
Comodo                  Comodo Certificate Installation Instructions
                        InstantSSL Certificate Installation Instructions
DigiCert                DigiCert Certificate Installation Instructions
Entrust                 Entrust Certificate Installation Instructions
GeoTrust                GeoTrust Certificate Installation Instructions
                        RapidSSL Certificate Installation Instructions
GlobalSign              GlobalSign Certificate Installation Instructions
GoDaddy                 GoDaddy Certificate Installation Instructions
Network Solutions       Network Solutions Certificate Installation Instructions
                        Network Solutions list of Intermediate Certificates
StartCom                StartCom Certificate Installation Instructions
                        StartCom list of Intermediate Certificates
Thawte                  Thawte SSL Web Server Certificate Installation Instructions
                        Thawte SSL123 Certificate Installation Instructions
                        Thawte SGC SuperCert Certificate Installation Instructions
VeriSign                VeriSign Certificate Installation Instructions
                        VeriSign list of Intermediate Certificates
Most web browsers make it clear that you shouldn't just continue when you
receive this error. This is because, while most of the time it doesn't, it could
indicate that a phisher is trying to pass a website off as a legitimate site. You
shouldn't have to continue through this error message on legitimate web sites unless
the web site owner just doesn't want to spend a little money to buy a trusted SSL
certificate. You definitely shouldn't continue through this error on big websites like
your bank.
This error is often phrased differently depending on the web browser. These are
some common ways the certificate not trusted error is stated in other browsers:
Different certificate not trusted errors in different web browsers
Web browser: Error message
Internet Explorer 6: "The security certificate was issued by a company you have not
chosen to trust. View the certificate to determine whether you want to trust the
certifying authority."
Internet Explorer 7: "The security certificate presented by this website was not
issued by a trusted certificate authority."
Firefox 2: "Unable to verify the identity of www.paypal.com as a trusted site.
Possible reasons for this error:
- Your browser does not recognize the Certificate Authority that issued the site's
certificate.
- The site's certificate is incomplete due to a server misconfiguration."
Firefox 3: "The certificate is not trusted because it is self signed." or "The
certificate is not trusted because the issuer certificate is unknown. (Error code:
sec_error_unknown_issuer)"
Safari 3: "Authentication failed because the server certificate is not trusted."
Google Chrome: "The site's security certificate is not trusted!"
Posted on November 06, 2008
John
Posts: 3
Thawte Certificates
Reply #4 on : Tue June 02, 2009, 19:52:30
These truly are a load of crap. - I have just tried to install their trial certificate only
to find that I could not access their tester because trial certificates do not give you
an order number or login details ...and that there is a file, cert, etc. available from
Thawte to fix this is a complete and total myth.
On the plus side, the certificate did install without problem, though, and the details
were available immediately and it was not necessary to wait several hours for them
to be emailed to me.
With the IE problems and lack of tester, though, and proposed 'fix' (mutilating your
httpd.conf and .htaccess files) I would say avoid at all costs and use Digicert or
Comodo.
Robert
Posts: 1
Re: I get this error
Reply #3 on : Wed January 14, 2009, 07:09:44
Sometimes you will get this error on certain web browsers or devices but not on
others. This could be because the SSL provider is using a new Root certificate that
isn't included in the old browsers and devices. The error can usually be fixed by
installing an Intermediate certificate that will link the new Root certificate to an old
trusted certificate. Check with your SSL provider.
Nick
Posts: 3
checker
Reply #2 on : Mon December 01, 2008, 21:12:19
I used the checker tool on this site and it said the SSL was fine.
Nick
Posts: 3
I get this error
Reply #1 on : Mon December 01, 2008, 21:07:35
I started getting this "not trusted" error on one of my sites today. I have not
changed anything about the SSL in months. IE, Firefox, and Google Chrome from my
office location started giving me the error. My home location and other computers on
a different network do not display the error. Any ideas?
Stop the "page contains secure and nonsecure items" warning
Are your SSL web pages plagued by the browser warning "This page contains both secure and nonsecure items. Do you want to display the nonsecure items?"
This is a common error that occurs when some element on a secure web page (one that is loaded with https:// in the address bar) is loaded from an insecure source, that is, over plain http://. It usually involves images, frames, iframes, Flash objects, and JavaScript files. The warning is there for a reason: anything fetched over plain HTTP can be read or replaced by someone on the network path, and a replaced script runs with full access to the "secure" page, so the right fix is to remove the insecure references rather than hide the message. There are a few ways to fix it:
1. Change all URLs to https
Just open up the offending web page and search for http://. Change the references on all images, iframes, Flash objects, and JavaScript files to https://. For example:
<img src="https://www.domain.com/image.gif" alt="" />
This will not work for an element loaded from another site that does not have SSL set up. Also, with this method the browser loads those elements over SSL even when the page itself was loaded over plain http://, which adds TLS overhead on both server and client. On a high-volume site, measure that overhead rather than assume it is negligible.
2. Change all links to // or make them relative
Rather than changing all the links to https://, change them to just //
<img src="//www.domain.com/image.gif" alt="" />
Alternatively, if the images or scripts are located on the same domain, you can
access them relatively, rather than absolutely:
<img src="image.gif" alt="" />
Using this method, the browser will load the image securely if the web page is being loaded securely, and over plain http:// if the page is not. The image must still be served over SSL by the other server. This is likely the best method of getting rid of the pesky "Do you want to display the nonsecure items?" warnings. (If every page on the site is served over SSL, there is no reason not to write https:// outright.)
3. Change the browser settings
It is best to change the code of the page that is giving the error, but if you don't have access to change the code, you can tell your own web browser not to display that message. To do so, follow these steps for Internet Explorer:
1. Go to Tools, Internet Options.
2. Select the "Security" tab and then click on the "Custom Level" button.
3. Scroll down until you see the option "Display mixed content". Select "Enable".
4. Click OK. You will get a "Security Warning" pop-up. Click Yes.
This setting applies to every site you visit, not just the one with the problem: it silences the warning but leaves the insecure elements exactly as exposed as before. Treat it as a workaround for your own browser, not something to recommend to your customers.
One common reason this warning shows up is using the normal Google Analytics tracking code on a secure page. Google provides an SSL version of the tracking code, so enabling Google Analytics on a page using SSL is a simple fix.
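The search-and-replace that methods 1 and 2 describe can be scripted. The shell session below is an added example, not part of the original article: it finds every http:// subresource in an HTML file and applies method 2 to the ones on a host you know serves SSL, leaving a plain <a href> link alone because following a link is navigation, not mixed content. The sample page and the hostnames in it (www.domain.com, partner.example) are constructed for the example; the tag list and the regular expressions are assumptions that cover typical static HTML, not a full HTML parser.

```shell
#!/bin/sh
# Added example, not from the original article: locate the http:// subresources
# that trigger the "secure and nonsecure items" warning and apply method 2
# (protocol-relative URLs) to the ones on a host known to serve SSL.
# The sample page and its hostnames are made up.
set -eu

# Tags whose src/href/data attribute makes the browser fetch something as part of
# the page. A plain <a href="http://..."> is navigation, not mixed content, so it
# is deliberately not in this list.
SUBRESOURCE_TAGS='img|script|iframe|frame|link|embed|object|source|audio|video|input'

# Print every http:// subresource URL in an HTML file, one per line.
find_mixed_content() {
  grep -oiE "<(${SUBRESOURCE_TAGS})[^>]*[[:space:]](src|href|data)=[\"']http://[^\"']*" "$1" |
    sed -E "s/.*=[\"']//"
}

# Rewrite http://HOST/... subresource URLs to //HOST/... so the browser reuses the
# page's own scheme. Only the given host is touched (it is used as a regex, so the
# dots match any character): forcing https:// on a host with no certificate just
# replaces the warning with a broken image.
# usage: fix_mixed_content page.html www.domain.com
fix_mixed_content() {
  sed -i.bak -E \
    "s#(<(${SUBRESOURCE_TAGS})[^>]*[[:space:]](src|href|data)=[\"'])http://$2/#\1//$2/#g" "$1"
  rm -f "$1.bak"
}

# Constructed sample page: one navigation link (not mixed content), two images and
# one script loaded over http://, and one stylesheet that is already protocol-relative.
SAMPLE_PAGE=$(mktemp)
cat > "$SAMPLE_PAGE" <<'EOF'
<html><body>
<a href="http://www.domain.com/about.html">About</a>
<img src="http://www.domain.com/image.gif" alt="" />
<script src="http://www.google-analytics.com/ga.js" type="text/javascript"></script>
<img src="http://partner.example/banner.gif" alt="" />
<link rel="stylesheet" href="//www.domain.com/style.css" />
</body></html>
EOF

FIXED_PAGE=$(mktemp)
trap 'rm -f "$SAMPLE_PAGE" "$FIXED_PAGE"' EXIT
cp "$SAMPLE_PAGE" "$FIXED_PAGE"
fix_mixed_content "$FIXED_PAGE" www.domain.com

echo "before:"; find_mixed_content "$SAMPLE_PAGE"
echo "after:";  find_mixed_content "$FIXED_PAGE"   # what is left needs an SSL-capable host
```

The two URLs that remain after the rewrite are exactly the case method 1 warns about: third-party content on hosts that do not serve SSL, which no amount of editing on your side can fix.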
SSL Details
The devil is in the details. If you want to avoid problems when dealing with SSL, it helps to understand more of what is involved in using it.
What is SSL?
SSL (Secure Sockets Layer), together with its successor TLS (Transport Layer Security), is the standard security technology for encrypting a connection between a web server and a browser. Once established, the connection encrypts all traffic and ensures that data passed between the web server and the browser stays private and cannot be altered in transit without detection. SSL is a standard used by millions of websites to protect their online transactions with their customers. Many kinds of software support SSL, including web browsers (Internet Explorer, Firefox, Safari), file transfer programs (FTPS; note that SFTP runs over SSH, not SSL), and e-mail programs. However, in order to offer an SSL-encrypted connection, a web server requires an SSL certificate.
How does SSL work?
When you prepare your web server to use SSL you will be asked a few questions about your website and your company, including your web site's domain name and your company's name and location. Your web server then creates two cryptographic keys: a private key and a public key. The private key must stay private: anyone who obtains it can impersonate your server, so it never leaves the server and the CA never sees it. The public key does not need to be secret. It is placed, together with the details you entered, into a Certificate Signing Request (CSR): a block of Base64-encoded text that is signed with your private key but not encrypted, so anyone can read it. You submit the CSR to a certificate authority, which validates your details and issues the SSL certificate; you then install the certificate on the web server alongside the private key to enable SSL.
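The key and CSR steps above, as an added example that is not part of the original article. It uses openssl on a POSIX shell (1.1.1 or newer for -addext); the subject fields and host names are made up. The inspection commands make the point that a CSR is readable by anyone and carries its own signature, which is how the CA knows the request came from whoever holds the private key.

```shell
#!/bin/sh
# Added example, not from the original article: create the private key and the CSR,
# then inspect the CSR to see what it contains. Subject fields and host names are
# made up; openssl 1.1.1 or newer is assumed for -addext.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. The private key. It stays on the server with restrictive permissions; the
#    certificate authority never needs it and must never be sent it.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/server.key" 2>/dev/null
chmod 600 "$WORK/server.key"

# 2. The CSR: the public key plus the identity fields, signed with the private key.
#    The host name goes into subjectAltName as well as the CN, because clients match
#    the host name against the SAN.
openssl req -new -key "$WORK/server.key" -out "$WORK/server.csr" \
  -subj "/C=US/ST=State/L=City/O=Example Company/CN=www.example.com" \
  -addext "subjectAltName=DNS:www.example.com,DNS:example.com"

# PEM is Base64 armour, not encryption: anyone holding the file can read every field.
csr_subject() {
  openssl req -in "$WORK/server.csr" -noout -subject
}

csr_san() {
  openssl req -in "$WORK/server.csr" -noout -text | grep -o 'DNS:[^,[:space:]]*'
}

# The CSR carries a signature made with the private key over its own contents.
# -verify checks it; a CSR altered after signing fails here, which is how the CA
# knows the public key and the details really came from the key holder.
csr_signature_valid() {
  openssl req -in "$WORK/server.csr" -noout -verify >/dev/null 2>&1
}

# The public key inside the CSR is derived from server.key: both routes yield the
# same SubjectPublicKeyInfo, so their hashes agree.
csr_matches_key() {
  [ "$(openssl req -in "$WORK/server.csr" -noout -pubkey | openssl sha256)" = \
    "$(openssl pkey -in "$WORK/server.key" -pubout | openssl sha256)" ]
}

csr_subject
csr_san
csr_signature_valid && echo "CSR signature: valid"
csr_matches_key && echo "CSR public key matches server.key"
```

Submit server.csr to the CA and keep server.key where it is; when the certificate comes back, it is installed next to the same key file.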
Special Types of SSL Certificates
The most popular certificates are web server authentication certificates for securing a web site, but there are several other special types of certificates. Knowing which type of SSL certificate you need can help you avoid many problems, such as trying to use a certificate for something it isn't meant to do.
What is a web server authentication certificate?
A web server authentication certificate is the normal type of certificate that is issued
to secure web site traffic or other data connections. All certificates listed in the SSL
Certificate Wizard are web server authentication certificates. Although their primary
use is to secure web servers, they can be used to secure email servers, file transfers,
and other data connections.
What is a Unified Communications (UC) certificate?
A Unified Communications (UC) certificate is a type of certificate that secures Unified Communications products such as Live Communications Server and Exchange Server 2007, or any normal server. It allows you to secure multiple domain names or server names in one certificate by listing them in the Subject Alternative Name (SAN) extension. For example, you could secure www.domain.com, domain.com, mail.domain.com, autodiscover.server.local, etc. all in one certificate. (Publicly trusted CAs have not been permitted to issue certificates for internal names such as server.local since 2015, so names like that now need an internal CA.) Read our Unified Communications SSL Certificates page to learn more.
What is a wildcard certificate?
A wildcard certificate can secure an unlimited number of first-level sub-domains of a single domain name. For example, you could get a wildcard certificate with *.yourdomain.com as the common name. This certificate would secure www.yourdomain.com, mail.yourdomain.com, secure.yourdomain.com, anything.yourdomain.com, etc. In other words, it works on any sub-domain that replaces the wildcard character (*) with a single label. It does not cover yourdomain.com itself or deeper names such as a.b.yourdomain.com; the bare domain can be added as a Subject Alternative Name when the certificate is issued.
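Which host names a UC or wildcard certificate actually covers is decided by the client's name-matching rules, and the descriptions of both certificate types above can be checked against openssl's implementation of those rules. The session below is an added example, not part of the original article; the certificates are throw-away self-signed ones and every host name in them is made up. It also shows a case the text does not mention: once a certificate has a Subject Alternative Name list, the common name is ignored, so a name present only in the CN is not covered.

```shell
#!/bin/sh
# Added example, not from the original article: issue two throw-away self-signed
# certificates and ask openssl which host names each one covers, using the same
# matching rules browsers apply. Host names are made up; openssl 1.1.1+ assumed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# A UC-style certificate: several unrelated names in subjectAltName, plus a wildcard.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=www.domain.com" \
  -addext "subjectAltName=DNS:www.domain.com,DNS:domain.com,DNS:mail.domain.com,DNS:*.yourdomain.com" \
  -keyout "$WORK/uc.key" -out "$WORK/uc.pem" 2>/dev/null

# A certificate that names its host only in the CN, with a SAN that does not
# include it. Once a SAN is present, the CN is not consulted for host matching.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=legacy.domain.com" \
  -addext "subjectAltName=DNS:other.domain.com" \
  -keyout "$WORK/cn.key" -out "$WORK/cn.pem" 2>/dev/null

# Succeed if CERT covers HOST. "x509 -checkhost" prints "Hostname X does match
# certificate" or "... does NOT match certificate"; grep turns that into an exit
# status so the function can be used in conditions.
cert_covers() {   # usage: cert_covers cert.pem host
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"
}

for host in www.domain.com domain.com mail.domain.com ftp.domain.com \
            yourdomain.com anything.yourdomain.com a.b.yourdomain.com; do
  if cert_covers "$WORK/uc.pem" "$host"; then
    echo "uc.pem covers          $host"
  else
    echo "uc.pem does NOT cover  $host"
  fi
done

if cert_covers "$WORK/cn.pem" legacy.domain.com; then
  echo "cn.pem covers legacy.domain.com"
else
  echo "cn.pem does NOT cover legacy.domain.com (CN ignored because a SAN is present)"
fi
```

The wildcard results are the ones that surprise people: *.yourdomain.com covers anything.yourdomain.com but neither yourdomain.com nor a.b.yourdomain.com, exactly as the text above states.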
What is an Extended Validation certificate?
An EV certificate is a type of certificate designed to make phishing harder. It requires extended validation of your business and of your authorization to order the certificate, and can take from a few days to a few weeks to receive. At the time of writing it provided greater assurance to customers than high assurance certificates by turning the browser's address bar green; current browsers no longer give EV certificates any distinct address-bar treatment, so the difference from an organization-validated certificate is now limited to the identity information inside the certificate itself. Learn more about EV Certificates and compare the cheapest ones.
What is a low assurance/domain-validated certificate?
A low assurance/domain-validated certificate is a certificate that only includes your domain name (not your business or organization name). Certificate authorities can usually verify automatically that you control the domain name, for example by e-mailing an address listed in the WHOIS record or by having you publish a challenge value in DNS or on the web site. They can be issued instantly and are cheaper but, as the name implies, they provide less assurance to your customers.
What is a code signing certificate?
A code signing certificate is a certificate that enables you to digitally sign an
executable or script to confirm the software author and guarantee that the code has
not been altered or corrupted since it was signed. Normal web server authentication
certificates can't be used to do this so you need to get a special code signing
certificate. Learn more about code signing.
What is an e-mail certificate?
An e-mail certificate (S/MIME certificate) is used to digitally sign e-mail, which guarantees authorship and that the message was not altered, and to encrypt e-mail so that only the intended recipient can read it. Learn more about email certificates.
What is a root signing certificate?
A root signing certificate is a subordinate (intermediate) CA certificate, chained to a publicly trusted root, that you can use to sign other certificates. With one you essentially become your own certificate authority and can issue certificates that are trusted by all major browsers and clients. Read more about root signing certificates.
How to Move or Copy an SSL Certificate from one
Server to Another
Do you have multiple servers that need to use the same SSL certificate? This is very
common in an environment where a load-balancer is used to share the load of a
website across several different servers. This is also becoming more common as
wildcard certificates and UC SSL certificates increase in popularity because they
enable a single certificate to work on multiple different domains or subdomains using
SSL Host Headers.
What about when you set up a new server or switch hosting companies? How do
you move the current SSL certificate to the new server? What if you need to
move it to a different type of server? The answers to all of those questions are
contained in the following pages. Essentially, you will export SSL certificates from
the server that they are currently installed on, move SSL certificates to the new
server, and then import SSL certificates on the new server.
Keep in mind that many certificate authorities require that you purchase a "server license" for each server that you install an SSL certificate on, even if it uses the same private key. And speaking of private keys, copying the SSL certificate and private key to a second server widens the damage a compromise can do: an attacker who breaks into any one of the servers and takes the key can impersonate all of them and, if RSA key-exchange cipher suites are in use, decrypt recorded traffic to any of them. A separate key and CSR per server, at the cost of a certificate per server, limits that exposure.
We will assume that you have already successfully installed the SSL certificate on
one web server. You will follow these steps to move or copy that working certificate
to a new server:
1. Export the SSL certificate from the server with the private key and any
intermediate certificates.
2. Convert the certificate to a different format if you are putting it on a
different type of server.
3. Import the SSL certificates and private key on the new server and
configure your sites to use them.
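The three steps above, carried out with openssl for the Apache-to-Windows and Windows-to-Apache cases. This is an added example, not part of the original article: a throw-away self-signed "intermediate" and server certificate stand in for the files already installed on the first server, the names are made up, and the checks at the end are the ones worth running before pointing the new server at the imported files.

```shell
#!/bin/sh
# Added example, not from the original article: export a key, certificate and chain
# into a password-protected PKCS#12 (.pfx) file, import it back into PEM files, and
# check that nothing was lost. Throw-away certificates stand in for real ones.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS='export-passphrase'   # protects the PFX while it travels between servers

# Stand-ins for what is already installed on the Apache server: server.key,
# server.crt and the CA's intermediate (chain) certificate.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Intermediate CA" \
  -keyout "$WORK/int.key" -out "$WORK/intermediate.crt" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/intermediate.crt" -CAkey "$WORK/int.key" \
  -CAcreateserial -days 2 -out "$WORK/server.crt" 2>/dev/null

# 1. Export (Apache -> Windows): bundle key, certificate and chain into one
#    password-protected PKCS#12 file, the format IIS imports a private key from.
export_pfx() {
  openssl pkcs12 -export -inkey "$WORK/server.key" -in "$WORK/server.crt" \
    -certfile "$WORK/intermediate.crt" -passout "pass:$PASS" -out "$WORK/server.pfx"
}

# 2./3. Convert and import (Windows -> Apache): split the .pfx back into the PEM
#    files Apache wants. -nodes writes the key unencrypted, so it needs the same
#    restrictive permissions as the original.
import_pfx() {
  openssl pkcs12 -in "$WORK/server.pfx" -passin "pass:$PASS" -nocerts -nodes -out "$WORK/imported.key"
  openssl pkcs12 -in "$WORK/server.pfx" -passin "pass:$PASS" -clcerts -nokeys -out "$WORK/imported.crt"
  openssl pkcs12 -in "$WORK/server.pfx" -passin "pass:$PASS" -cacerts -nokeys -out "$WORK/imported-chain.crt"
  chmod 600 "$WORK/imported.key"
}

# Checks to run before configuring the new server.
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

# The imported certificate is the one we exported, not some other file.
same_certificate() {
  [ "$(fingerprint "$WORK/server.crt")" = "$(fingerprint "$WORK/imported.crt")" ]
}

# The intermediate made the trip too; without it clients see "issuer unknown".
chain_cert_count() {
  grep -c 'BEGIN CERTIFICATE' "$WORK/imported-chain.crt"
}

# A certificate paired with the wrong key will not start the server: the public
# key in the certificate must equal the one derived from the private key.
key_matches_certificate() {
  [ "$(openssl x509 -in "$WORK/imported.crt" -noout -pubkey | openssl sha256)" = \
    "$(openssl pkey -in "$WORK/imported.key" -pubout | openssl sha256)" ]
}

export_pfx
import_pfx
same_certificate && echo "imported certificate is the original: $(fingerprint "$WORK/imported.crt")"
echo "chain certificates in the PFX: $(chain_cert_count)"
key_matches_certificate && echo "imported key matches the certificate"
```

Delete the .pfx once the import is done: it holds the private key, and a passphrase only protects it while it is in transit. For the Tomcat/Java case, keytool -importkeystore -deststoretype PKCS12 turns a Java keystore into the same kind of .pfx, after which the import step is identical.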
Now on to the instructions. What would you like to do?
- Move or copy an SSL certificate from a Windows server to another Windows server
- Move or copy an SSL certificate from a Windows server to an Apache server
- Move or copy an SSL certificate from an Apache server to a Windows server
- Move or copy an SSL certificate from an Apache server to another Apache server
- Move or copy an SSL certificate from a Tomcat/Java server to an Apache server