The CA/Browser Forum, an industry body made up of Certificate Authorities (CAs), web browsers and operating systems, passed Ballot 193 to reduce the maximum validity period for SSL/TLS Certificates to two years (825 days, to be specific). Prior to this, the maximum validity was three years (39 months) for Domain Validated (DV) and Organization Validated (OV) Certificates; Extended Validation (EV) Certificates have always been capped at two years (27 months).
As of March 1, 2018, this affected all CAs and all types of SSL/TLS Certificates. The CA/Browser Forum is responsible for setting and maintaining best practices and requirements for CAs and the certificates they issue. Longer certificate validity periods can delay widespread compliance with new guidelines since changes wouldn’t go fully into effect until all existing (issued before the update) certificates expired.
Decreasing the maximum lifetime of certificates from three years to two years helps reduce the presence of older, outdated and possibly vulnerable certificates that were issued before new guidelines were put in place.
Alpha SSL is the most basic certificate. It also uses the SHA-256 signing algorithm and can be issued in less than 3 minutes. This certificate has limited options: you can order a Single/Standard SSL or a Wildcard SSL.
Domain SSL is domain validated and fully automated, which means you’ll be able to start protecting your e-commerce, logins, webmail, blog visitors and more in just a few minutes. You can secure a Single/Standard SSL or a Wildcard SSL. It comes with free Unified Communications Service (.owa, .mail, .autodiscover) and an option to add multiple sub-domain SANs.
To order an SSL certificate, a CSR is required. The CSR must be generated on the server where you want to install the certificate. This also creates the private key on the same machine, and that key is paired with the public key in the certificate that we will issue. The process of creating a CSR varies slightly from platform to platform; you may refer to this guide and select your server. Make sure there are no extra spaces in any of the information you provide, as this may cause an error.
Please be informed that the CA/Browser Forum has changed the validity of all SSL/TLS Certificates, which is now capped at a maximum of two (2) years. This helps reduce the presence of older, outdated and possibly vulnerable certificates that were issued before new guidelines were put in place.
How to order Alpha SSL - How to Order an Alpha SSL Certificate
How to order Domain SSL - How to Order a New SSL Certificate
For Alpha SSL, the customer must order a certificate with the Common Name “www.example.com” and validate the order on “example.com”.
For Domain SSL, the customer has the option to add a UC SAN to cover “www.example.com”.
When placing an order, Domain Verification is required and you will be provided with options (Approver Email, HTTP Verification and DNS TXT Record). Select the Approver Email option and choose your preferred email address from the list. Once the purchase has been successful, an email containing a link with a random value for the approver page will be sent to your selected email address. Simply click on the link provided; this will open a new page where you can Approve or Disapprove the order. An email will then be sent to you confirming that the order has been completed, with the details of your certificate. Please be informed that the approval link is valid for one-time use only and will expire after 30 days.
When an order is placed through one of our partners/resellers, they are responsible for managing your orders or certificates and you should receive an email from them instead. For any renewals or reissuance requests, please contact your point of purchase.
For direct customers, you may simply log in to your GlobalSign account to change the Approver Email. The email address should be registered in WHOIS for it to show up in our pre-listed email addresses. Please see the guide below for the steps on how to change your Approver Email:
Change an Approval Email Address
If you do not know your GlobalSign Log In Credentials, please reach out to our support team. We will conduct a verification call to the number registered in our system before we can provide your credentials. Customers can also send the request to change the approval email directly to the Vetting Team (firstname.lastname@example.org, email@example.com, firstname.lastname@example.org).
NOTE: It is not possible to change the approval method of an order once it has been selected during the initial application. We simply advise the customers to cancel and reorder with their preferred validation method.
For direct customers, you may simply log in to your GlobalSign account to change the Approver Email.
Please see the guide below for the steps on how to resend your Approver Email: How to Resend the Approval Email in GCC
Some customers are unable to receive approval emails. Support agents can resend them, but please ensure you do the following:
As mentioned above, when ordering an Alpha SSL or Domain SSL certificate
For further details, please view the Support Articles below:
After performing the verification, the email that was sent to you will also include a link where you can validate the order in the portal. After validation, your certificate should be issued in a few minutes. Ensure you have performed the verification correctly to avoid getting an error when validating. If you are still having problems validating the order, please contact a support agent, who can help confirm whether the validation was done correctly, and we can request a manual validation.
CAA Checking is required and carried out to improve the strength of the PKI ecosystem with a control to restrict which CAs can issue certificates for a particular domain name. Certificate Authorities will be obligated to check for DNS CAA records and honor those preferences. If no DNS CAA record is present, any CA is allowed to issue a certificate for the domain. If a DNS CAA record is present, only the CAs listed in the record(s) are allowed to issue certificates for that hostname. Also, when processing DNS CAA records, GlobalSign will process the issue, issuewild, and iodef property tags as specified in RFC 6844. Please note that CAA check responses are cached for a maximum of one (1) hour.
To learn more about the errors, their reasons and solutions, you may refer to the guide below:
CAA Checking for SSL Certificates
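The CAA decision described above, as an added example (not GlobalSign's code): it climbs from the requested name to the closest CAA record set and applies the issue and issuewild tags. DNS lookups, CNAME handling and the one-hour cache are left out; the zone data and CA identifiers are constructed for illustration.

```python
# Constructed zone data: name -> list of (tag, value) CAA properties.
CONSTRUCTED_ZONE = {
    "example.com": [("issue", "ca-one.example"), ("iodef", "mailto:sec@example.com")],
    "shop.example.com": [("issue", "ca-two.example"), ("issuewild", ";")],
    "example.net": [("iodef", "mailto:sec@example.net")],
}


def relevant_caa_set(fqdn, zone):
    """Climb from the name toward the root; the first non-empty CAA set wins."""
    labels = fqdn.lower().rstrip(".").split(".")
    if labels[0] == "*":  # the wildcard label itself is never looked up
        labels = labels[1:]
    for i in range(len(labels)):
        records = zone.get(".".join(labels[i:]))
        if records:
            return records
    return []


def ca_may_issue(fqdn, ca_id, zone):
    """Return True if the CA identified by ca_id may issue for fqdn."""
    records = relevant_caa_set(fqdn, zone)
    issue = [value for tag, value in records if tag == "issue"]
    issuewild = [value for tag, value in records if tag == "issuewild"]
    # For wildcard names, issuewild replaces issue whenever it is present.
    applicable = issuewild if (fqdn.startswith("*.") and issuewild) else issue
    if not applicable:
        # No CAA at all, or only iodef: nothing restricts issuance (RFC 8659).
        return True
    # A value of ";" names no CA at all; parameters after ";" are ignored here.
    allowed = {value.split(";")[0].strip().lower() for value in applicable}
    return ca_id.lower() in allowed
```

Note that a closer record set replaces the parent's entirely: the CA authorized on example.com is refused for shop.example.com in this data.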
Alpha SSL or Domain SSL orders may sometimes be flagged for additional checks, whether due to a keyword in the domain name or because the domain has been reported to the Anti-Phishing Workgroup as a potential phishing site. No action is required unless you are contacted by a vetting agent.
Whether a SAN is going to be a Sub-Domain SAN or FQDN SAN depends on what the common name is. By looking at the common name first, all SAN types can be identified. Look at what domain is used in the common name. Any SAN that also ends with this domain is a Subdomain SAN. Even if the common name is in the format of a sub-domain, the same rules apply.
Wildcards cover unlimited subdomains in the same "column" as the “wildcard”. They don't cover different values to the left or right of the wildcard.
For CN: *.example.com.SG let's break each part of the domain into columns:
Note: The customer may purchase a WC certificate for *.sub1.domain.com. This secures an unlimited number of names at the next sub-domain level (xyz.sub1.domain.com) only.
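The SAN and wildcard rules above, applied to a list of requested hostnames before ordering. This is an added example, not GlobalSign's code; the function names are hypothetical, and the common name's domain is passed in by the caller because finding it for names such as example.com.sg needs public-suffix knowledge.

```python
def wildcard_covers(common_name, hostname):
    """True if hostname differs from a wildcard CN only in the '*' column."""
    pattern = common_name.lower().split(".")
    labels = hostname.lower().split(".")
    if pattern[0] != "*" or len(labels) != len(pattern):
        return False  # not a wildcard CN, or a different number of columns
    return bool(labels[0]) and labels[1:] == pattern[1:]


def classify_san(san, cn_domain):
    """'subdomain' if the SAN ends with the CN's domain, otherwise 'fqdn'."""
    san = san.lower().rstrip(".")
    cn_domain = cn_domain.lower().rstrip(".")
    # Compare on a label boundary so "notexample.com" is not
    # mistaken for a name under "example.com".
    if san == cn_domain or san.endswith("." + cn_domain):
        return "subdomain"
    return "fqdn"


def classify_names(common_name, cn_domain, requested):
    """Map each requested hostname to how the order would have to cover it."""
    result = {}
    for name in requested:
        if name.lower() == common_name.lower() or wildcard_covers(common_name, name):
            result[name] = "covered by CN"
        else:
            result[name] = classify_san(name, cn_domain) + " SAN"
    return result


# Constructed hostnames for illustration.
SAMPLE = classify_names(
    "*.example.com.sg",
    "example.com.sg",
    ["shop.example.com.sg", "a.shop.example.com.sg",
     "example.com.sg", "notexample.com.sg", "www.example.org"],
)
```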
Key duplicate error
The SANs options you have entered do not match the SAN options on the original certificate
Accessing their account
“We have temporarily suspended your GCC account in order to update your security settings and logon credentials. Please contact your GlobalSign account manager to enable activation of your account or our GlobalSign support service”
Most commonly this will happen if a customer does not access their account for over a year; the account can then get locked due to inactivity. After checking with finance that the account has no outstanding financial transactions, the account can be reactivated for continued use.
Approval email - being unsuccessful
As discussed earlier in the approval section, the approval email is valid for one-time use. If they click the link again, they will be presented with the following message. Also, the approval link is valid for up to 30 days only.
“Sorry, the approval challenge has not been successful. Please contact support for assistance”
There are two potential outcomes:
a) they declined the approval email and the order is cancelled
b) they approved the order and the certificate has now been issued. Only once one of those options is selected does the approval email link become invalid.
Check for extra spaces, and make sure the whole content of the request is included, from the BEGIN line to the END line below; otherwise the CSR will be seen as invalid.
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
To make sure that the CSR is correct, we recommend copying and pasting it into Notepad, choosing the option “word wrap” and submitting the CSR once again. The CSR will also produce an error if the key is smaller than 2048 bits, and if its information is different from the requested certificate.
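A pre-submission check for the problems described above (extra spaces, missing BEGIN/END lines, incomplete content), as an added example that is not GlobalSign's validator. It compares the length declared in the outer DER header with the bytes actually pasted; key size and subject fields are not inspected, and the sample is a constructed stand-in rather than a real CSR.

```python
import base64
import binascii

HEADER = "-----BEGIN CERTIFICATE REQUEST-----"
FOOTER = "-----END CERTIFICATE REQUEST-----"


def der_length(der):
    """Return (content length, header length) of the outer DER element."""
    if der[1] < 0x80:
        return der[1], 2
    n = der[1] & 0x7F  # long form: the next n bytes hold the length
    return int.from_bytes(der[2:2 + n], "big"), 2 + n


def precheck_csr(pem_text):
    """Return a list of problems in a pasted CSR; an empty list means intact."""
    problems = []
    raw = pem_text.splitlines()
    if any(line != line.strip() for line in raw):
        problems.append("extra spaces at the start or end of a line")
    lines = [line.strip() for line in raw if line.strip()]
    if not lines or lines[0] != HEADER:
        problems.append("missing BEGIN line")
    if not lines or lines[-1] != FOOTER:
        problems.append("missing END line")
    body = "".join(line for line in lines if not line.startswith("-----"))
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return problems + ["body is not valid base64 (truncated or altered)"]
    # A CSR is one DER SEQUENCE whose header states how many bytes follow.
    if len(der) < 2 or der[0] != 0x30:
        problems.append("body is not a DER SEQUENCE")
    elif sum(der_length(der)) != len(der):
        problems.append("content is incomplete")
    return problems


def constructed_sample():
    """Constructed stand-in, not a real CSR: a SEQUENCE of 300 filler bytes."""
    der = b"\x30\x82" + (300).to_bytes(2, "big") + bytes(300)
    b64 = base64.b64encode(der).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([HEADER, *rows, FOOTER]) + "\n"
```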
The common name does not match base option
This error occurs when the common name defined in the CSR is different from the certificate being ordered. For example, this error will be displayed during the order process of a Wildcard certificate if the common name in the CSR is missing the asterisk (*.domain.com).
Order State Has Already Been Changed
This error message generally appears when your order has timed out. You should start the ordering process from scratch and let us know if the issue persists. If it does, we need to run further checks on your account.
NOTE: This error message can also be caused by wrongly specified (entered) SANs. For example, the CN is "www.domain.co" and you specified "domain.domain2.com" as a sub-domain, when it is actually an FQDN.
Missing private key
As previously mentioned, the private key and the CSR should be generated on the same server where the certificate will later be installed. In this way, one can ensure that the public key in the certificate issued by GlobalSign will have its matching private key during installation. If the private key was compromised or misplaced, then it will be necessary to generate a new CSR and reissue the certificate.
Duplicate key error
This error generally occurs when the same key is being used on the same server for a second certificate. A private key and CSR can only be used once. The private key is only paired with the public key in the certificate that we have issued. In this case we recommend generating a new CSR, reissuing the certificate and resubmitting it to the server.
There are times when the system will not allow orders to be processed and will time out.
To resolve this issue try to:
Use the browser in Incognito / InPrivate mode. Change gcc to system in the link, as displayed below.
Barred/sanctioned countries or territories, or secured websites promoting illicit activities. Additionally, we do not issue certificates to websites that promote activities such as terrorist organizations.
GlobalSign does NOT issue certificates to the following territories:
Switching from a competitor, or transference, is an available option during the ordering process. This allows an existing certificate from a competitor to be switched to a GlobalSign certificate. We offer 30 additional days on the validity period of the certificate as a bonus for switching.
Revocation – This will completely invalidate the certificate; its status cannot be reverted, and we won’t be able to issue a refund. If the customer would just like to revoke a certificate but needs to reinstall onto another server, we advise reissuing first, before revoking the old certificate (i.e., the customer thinks that their private key is compromised and needs a new keypair).
Cancellation – This option is only available while the order is within the 7-day Trial Period from the issuance date, and should be coordinated with the account manager.
Please see this guide on how to Cancel or Revoke a certificate.
For Direct customers, you may log in to the GlobalSign Portal to manage your invoice. You can View, Download and Request Invoices.
Invoices are typically issued and available in your GCC account 8 days after the issuance date of the certificate. If you are unable to access the View / Request Invoices link, please contact your account administrator, or billing user, and request that they issue you an invoice. Please see this guide on how to manage your invoices.
For orders that were placed through one of our partners, please contact your point of purchase to get your invoice.
As a GlobalSign Partner, you have access to more than what is provided in a typical break-fix support contract.
You have a collaborative relationship with a trusted CA leader. This relationship allows us to work together to make our customers successful.
We will work with you to make sure you have all the tools and resources you need to provide the best value possible and understand what you and your customers need today in order to have a safer and more secure digital world. To sign up and learn more about the benefits of becoming our partner, please visit the link here.