New Account Setup

Sep 14, 2021

SSL/TLS Certificate Validity Is Now Capped at a Maximum of Two Years


In the CA/Browser Forum, an industry body made up of Certificate Authorities (CAs), web browser vendors and operating system vendors, Ballot 193 was passed to reduce the maximum validity period of SSL/TLS certificates to two years (825 days, to be specific). Prior to this, the maximum validity was three years (39 months) for Domain Validated (DV) and Organization Validated (OV) certificates; Extended Validation (EV) certificates have always been capped at two years (27 months).

As of March 1, 2018, this applies to all CAs and all types of SSL/TLS certificates. The CA/Browser Forum is responsible for setting and maintaining the best practices and requirements that CAs must follow for the certificates they issue. Longer certificate validity periods delay the point at which new guidelines are fully in effect, because certificates issued under the old rules remain valid until they expire.

Reducing the maximum lifetime from three years to two years therefore reduces the number of older, outdated and possibly vulnerable certificates still in circulation that were issued before new guidelines were put in place.


Difference between Alpha SSL and Domain SSL Certificates


Alpha SSL is the most basic certificate; it is also signed with SHA-256 and can be issued in less than 3 minutes. Its options are limited: you can order a Single/Standard SSL or a Wildcard SSL.
Domain SSL is domain validated and fully automated, so you can start protecting your e-commerce site, logins, webmail, blog visitors and more in just a few minutes. You can secure a Single/Standard SSL or a Wildcard SSL; it comes with free Unified Communications SANs (the owa, mail and autodiscover sub-domains) and the option to add SANs for additional sub-domains.

To order an SSL certificate, a CSR is required. The CSR must be generated on the server where you want to install the certificate: generating it also creates the private key on that machine, and that private key is paired with the public key in the certificate we issue. The process for creating a CSR varies slightly from platform to platform; refer to this guide and select your server. Make sure there are no extra spaces in any of the information you provide, as this may cause an error.

Please be informed that the CA/Browser Forum has capped the validity of all SSL/TLS certificates at a maximum of two (2) years. This helps reduce the presence of older, outdated and possibly vulnerable certificates that were issued before new guidelines were put in place.
 

How to order Alpha SSL - How to Order an Alpha SSL Certificate
How to order Domain SSL - How to Order a New SSL Certificate


Securing both www. and non-www domains


For Alpha SSL, the customer must order a certificate with Common Name “www.example.com” and validate the order on “example.com”.
For Domain SSL, the customer has the option to add a UC SAN to cover “www.example.com”.


Using Email Approval for issuance of an Alpha or DV Certificate


When placing an order, Domain Verification is required and you will be offered three options (Approver Email, HTTP Verification and DNS TXT Record). Select the Approver Email option and choose your preferred email address from the list. Once the purchase is successful, an email is sent to the selected address containing a link with a random value for the approver page. Simply click the link; this opens a page where you can Approve or Disapprove the order. An email will then be sent to you confirming that the order has been completed, with the details of your certificate. Please note that the approval link is valid for one-time use only and expires after 30 days.
When an order is placed through one of our partners/resellers, they are responsible for managing your orders and certificates, and you should receive the email from them instead. For any renewal or reissuance requests, please contact your point of purchase.


Change of Approval Email Address


For direct customers, you may simply log in to your GlobalSign account to change the Approver Email. The email address must be registered in WHOIS for it to appear in our pre-listed email addresses. Please see the guide below for the steps on how to change your Approver Email:
Change an Approval Email Address

If you do not know your GlobalSign login credentials, please reach out to our support team. We will conduct a verification call to the number registered in our system before we can provide your credentials. Customers can also send the request to change the approval email directly to the Vetting Team (vetting-apac@globalsign.com, vetting-emea@globalsign.com, vetting-us@globalsign.com).

NOTE: It is not possible to change the approval method of an order once it has been selected during the initial application. We advise customers to cancel and reorder with their preferred validation method.


Resending Approval Email in GCC


For direct customers, you may simply log in to your GlobalSign account to resend the Approver Email.
Please see the guide below for the steps on how to resend your Approver Email: How to Resend the Approval Email in GCC
Some customers are unable to receive approval mails. Support agents can resend the mail, but please first ensure the following:

  • Check the junk mail folder
  • Check firewall settings or any email filtering with your IT team
  • Allow-list GlobalSign's sending IPs:
    • 211.123.204.251
    • 211.0.153.1
    • 211.0.153.2
    • 114.179.250.1
    • 114.179.250.2
       

Domain Validation Methods

As mentioned above, when ordering an Alpha SSL or Domain SSL certificate you choose one of the following domain validation methods:

  • HTTP Based Validation Method - Ideal for customers who can upload a file containing a GlobalSign-provided random string to a specified path under the ".well-known/" directory. Ensure the file containing the Validation Code is reachable on your website over https.
  • DNS Based Validation Method - Ideal for customers who can create a DNS TXT record for the domain containing a GlobalSign-provided random string.
  • Approver Email Method - Ideal for customers who can receive an email sent to one of the predefined domain mailboxes (admin@example.com, administrator@example.com, webmaster@example.com, hostmaster@example.com, or postmaster@example.com) or to one of the domain contacts listed in WHOIS.

For further details, please view the following Support Articles:

  1. Performing Domain Verification Approver Email
  2. Performing Domain Verification HTTP Verification Method
  3. Performing Domain Verification DNS TXT Record

After performing the verification, the email sent to you also includes a link where you can validate the order in the portal. After validation, your certificate should be issued within a few minutes. Make sure the verification was performed correctly to avoid an error at validation. If you still have problems validating the order, please contact a support agent, who can confirm whether the validation was done correctly and request a manual validation.


CAA Checking for SSL Certificate Orders


CAA checking is required, and is carried out to strengthen the PKI ecosystem with a control that restricts which CAs may issue certificates for a particular domain name. Certificate Authorities are obliged to check for DNS CAA records and honor those preferences. If no DNS CAA record is present, any CA may issue a certificate for the domain. If a DNS CAA record is present, only the CAs listed in the record(s) may issue certificates for that hostname. When processing DNS CAA records, GlobalSign processes the issue, issuewild and iodef property tags as specified in RFC 6844. Please note that CAA check responses are cached for a maximum of one (1) hour.
To know more about the errors, their reasons and solutions, you may refer to the guide below:
CAA Checking for SSL Certificates
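The parent-walk and issue/issuewild selection described above, as an added shell example that is not part of the GlobalSign article and not GlobalSign's own checker. It runs offline: caa_records stands in for `dig +short CAA <name>` with constructed zone data (the zones, issuer names and contact address are made up for the example), and caa_allows decides whether a named issuer may issue for a hostname or a wildcard name.

```sh
# Added example: CAA evaluation as described on this page (RFC 6844 walk
# with issue / issuewild selection). Not GlobalSign's code; zone data below
# is constructed for the example.

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Stand-in for `dig +short CAA <name>`: prints the CAA RRset of <name> in
# dig's output format (flags tag "value"), one record per line, or nothing.
caa_records() {
    case "$(lower "$1")" in
        example.com)
            echo '0 issue "globalsign.com"'
            echo '0 issue "letsencrypt.org"'
            echo '0 issuewild "globalsign.com"'
            echo '0 iodef "mailto:security@example.com"' ;;
        locked.example.net)
            echo '0 issue ";"' ;;              # explicitly forbids every CA
        # example.org (and everything under it) publishes no CAA at all
    esac
}

# caa_allows <issuer-domain> <hostname>  -> exit 0 if issuance is permitted.
# The relevant RRset is the first non-empty one found walking from the
# hostname towards the root. No records at any level: unrestricted.
caa_allows() {
    ca=$(lower "$1"); name=$(lower "$2"); wild=0
    case "$name" in \*.*) wild=1; name=${name#"*."} ;; esac

    node=$name; rrset=""
    while [ -n "$node" ]; do
        rrset=$(caa_records "$node")
        [ -n "$rrset" ] && break
        case "$node" in *.*) node=${node#*.} ;; *) node="" ;; esac
    done
    [ -n "$rrset" ] || return 0

    # issuewild governs wildcard requests when present; otherwise issue
    # governs both wildcard and non-wildcard names.
    tag=issue
    if [ "$wild" -eq 1 ] && printf '%s\n' "$rrset" | grep -q ' issuewild '; then
        tag=issuewild
    fi

    # Records exist, so only a listed issuer may proceed: compare the issuer
    # domain before any ";key=value" parameters. A set with no usable tag
    # (only iodef, or issue ";") therefore authorises nobody.
    printf '%s\n' "$rrset" | awk -v tag="$tag" -v ca="$ca" '
        $2 == tag {
            v = $3; gsub(/"/, "", v); sub(/;.*/, "", v); gsub(/[ \t]/, "", v)
            if (v == ca) ok = 1
        }
        END { exit ok ? 0 : 1 }'
}

# Usage: caa_allows globalsign.com www.example.com && echo permitted
```

With the constructed zone, GlobalSign may issue for www.example.com and for *.example.com, Let's Encrypt may issue for www.example.com but not for *.example.com (the issuewild record takes over for wildcards), nobody may issue under locked.example.net, and anything under example.org is unrestricted because no level carries a CAA record.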


Phishing Status


An Alpha SSL or Domain SSL order may sometimes be flagged for additional checks, either because of a keyword in the domain name or because the domain has been reported to the Anti-Phishing Working Group as a potential phishing site. No action is required unless you are contacted by a vetting agent.


Sub-Domain SAN vs FQDN SAN


Whether a SAN counts as a Sub-Domain SAN or an FQDN SAN depends on the Common Name. Start from the Common Name and identify the domain it uses. Any SAN that also ends with that domain is a Sub-Domain SAN; any other SAN is an FQDN SAN. The same rule applies even when the Common Name is itself in the form of a sub-domain.


A Wildcard covers an unlimited number of names in the same "column" as the wildcard. It does not cover different values to the left or right of the wildcard.
For CN *.example.com.SG, break each part of the domain into columns:

[Screenshot 3: the CN split into columns * | example | com | SG; only the first column is covered by the wildcard]

Note: A customer may purchase a Wildcard certificate for *.sub1.domain.com; this secures an unlimited number of names at the next sub-domain level only (xyz.sub1.domain.com). It does not cover sub1.domain.com itself or deeper names such as abc.xyz.sub1.domain.com.
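The SAN classification and wildcard-column rule above, together with the SAN-related order errors listed under Common Errors further down, as an added shell example. It is not part of the GlobalSign article and does not reproduce GlobalSign's order-form logic; all hostnames are illustrative. The caller passes the domain used in the Common Name (the page tells the reader to identify it by eye); the example does not consult the public suffix list to derive it, which is an assumption to keep it self-contained.

```sh
# Added example: SAN classification and wildcard coverage as described on
# this page. Not GlobalSign's code; all names are illustrative.

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# check_san <common-name> <domain-of-cn> <san>
# Prints: subdomain | fqdn | error:<reason>; exits 1 on error.
# Assumption: the caller supplies the domain used in the CN ("example.com"
# for CN "www.example.com"); no public-suffix lookup is done here.
check_san() {
    cn=$(lower "$1"); dom=$(lower "$2"); raw=$3
    # The order form rejects any whitespace, including a trailing space.
    case "$raw" in *[[:space:]]*) echo "error:whitespace"; return 1 ;; esac
    san=$(lower "$raw")
    # The CN is already covered; entering it again as a SAN is an error.
    if [ "$san" = "$cn" ]; then echo "error:san-equals-cn"; return 1; fi
    case "$san" in
        *."$dom") echo subdomain ;;   # ends with the CN's domain
        *)        echo fqdn ;;        # any other name is a multi-domain (FQDN) SAN
    esac
}

# wildcard_covers <wildcard-cn> <hostname>  -> exit 0 if covered.
# "*.sub1.domain.com" covers exactly one label to the left of "sub1.domain.com":
# xyz.sub1.domain.com yes; sub1.domain.com, a.xyz.sub1.domain.com and
# xyz.sub2.domain.com no.
wildcard_covers() {
    wc=$(lower "$1"); name=$(lower "$2")
    case "$wc" in \*.*) ;; *) echo "not a wildcard CN: $1" >&2; return 2 ;; esac
    suffix=${wc#"*."}
    case "$name" in *."$suffix") ;; *) return 1 ;; esac   # differs to the right of the wildcard
    left=${name%."$suffix"}
    case "$left" in ""|*.*) return 1 ;; esac              # zero or more than one label to the left
    return 0
}

# Usage:
#   check_san www.example.com example.com mail.example.com     # -> subdomain
#   wildcard_covers '*.sub1.domain.com' a.xyz.sub1.domain.com  # -> exit 1 (not covered)
```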


Common Errors


Key duplicate error

  • This error appears when a customer is using a private key that has already been used. As mentioned before, a private key and CSR can only be used once; the private key is paired only with the certificate we have issued for it.
  • Ask the customer to generate a new private key and CSR on their server and re-submit the new CSR.
     

The SANs options you have entered do not match the SAN options on the original certificate

  •  The customer is entering the Common Name of the certificate as a SAN; the system rejects it because that name is already secured by the certificate.
  •  The customer has entered the SAN under the wrong type (sub-domain, multi-domain name, internal SAN or IP). They need to choose the SAN type that applies to that name.
  •  The customer has added a space after the SAN, which our system rejects. Ask the customer to check for spaces and try again.
  •  The customer has made a typo. Check the spelling against the original Common Name.

 
Accessing their account

“We have temporarily suspended your GCC account in order to update your security settings and logon credentials. Please contact your GlobalSign account manager to enable activation of your account or our GlobalSign support service”
Most commonly this happens when a customer has not accessed their account for over a year; the account is then locked for inactivity. After confirming with finance that the account has no outstanding financial transactions, the account can be reactivated for continued use.

Approval email - being unsuccessful
As discussed earlier in the approval section, approval emails are valid for one-time use; if the link is pressed again the following message is shown. The approval link is also valid for 30 days only.
“Sorry, the approval challenge has not been successful. Please contact support for assistance”
There are two possible reasons the link has already been used:
a) they declined the approval email and the order was cancelled
b) they approved the order and the certificate has been issued. Only once one of those options has been selected does the approval email link become invalid.

Invalid CSR
Check for extra spaces, or whether the whole content of the request was not included; in either case the CSR is treated as invalid. The pasted block must run from the first line to the last line inclusive:
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
To make sure the CSR is correct, we recommend pasting it into Notepad, enabling the “word wrap” option, and submitting the CSR again. The CSR will also raise an error if the key is smaller than 2048 bits or if its information differs from the requested certificate.

The common name does not match base option
This error occurs when the common name in the CSR differs from the certificate being ordered. For example, it is displayed during the order process for a Wildcard certificate if the common name in the CSR is missing the asterisk (it must be of the form *.domain.com).

Order State Has Already Been Changed

This error message generally appears when your order has timed out. Start the ordering process from scratch, and let us know if the issue persists; if it does, we need to run further checks on your account.
NOTE: This error can also be caused by incorrectly specified SANs. For example, if the CN is "www.domain.co" and you entered "domain.domain2.com" as a sub-domain SAN: that name is actually an FQDN SAN.

Missing private key
As previously mentioned, the private key and the CSR should be generated on the same server where the certificate will later be installed. This ensures that the certificate issued by GlobalSign has its matching private key available at installation. If the private key was compromised or misplaced, it will be necessary to generate a new key and CSR and reissue the certificate.

Duplicate key error
This error generally occurs when the same key is used on the same server for a second certificate. A private key and CSR can only be used once; the private key is paired only with the certificate we have issued for it. In this case we recommend generating a new key and CSR, reissuing, and installing the new certificate on the server.
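The CSR requirements described at the top of this page and the CSR/key errors above (Invalid CSR, The common name does not match base option, Missing private key, Duplicate key error), as an added shell example that is not part of the GlobalSign article and not GlobalSign's tooling. It generates a fresh key and CSR with openssl and runs the checks a customer can do before submitting: the PEM parses and its self-signature verifies, the key is at least 2048 bits, the CN is exactly the one being ordered (asterisk included for a wildcard), and the private key on the server matches the CSR. The subject fields, key size and file names are placeholders.

```sh
# Added example: generate a fresh key + CSR for one order and run the
# pre-submission checks this page describes. Not GlobalSign's tooling;
# the subject, key size and file names are placeholders.

# make_csr <common-name> <key-bits> <key-file> <csr-file>
# A NEW private key for every order: a key/CSR pair is accepted once only,
# and the key must live on the server that will hold the certificate.
make_csr() {
    openssl req -new -newkey "rsa:$2" -nodes -sha256 \
        -keyout "$3" -out "$4" \
        -subj "/C=SG/O=Example Pte Ltd/CN=$1" >/dev/null 2>&1
}

# clean_csr <csr-file>: print the PEM with surrounding whitespace and blank
# lines removed; stray spaces around the BEGIN/END lines make a CSR "invalid".
clean_csr() {
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//' "$1" | sed '/^$/d'
}

# check_csr <csr-file> <key-file> <ordered-cn>  -> exit 0 if all checks pass.
check_csr() {
    csr=$1; key=$2; want=$3; rc=0
    # 1. Parses and carries a valid self-signature (catches truncated pastes).
    if ! openssl req -in "$csr" -noout -verify >/dev/null 2>&1; then
        echo "FAIL: CSR does not parse or its signature is invalid"; return 1
    fi
    # 2. Key size must be at least 2048 bits.
    bits=$(openssl req -in "$csr" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || { echo "FAIL: key is ${bits:-?} bits (< 2048)"; rc=1; }
    # 3. CN in the CSR must be exactly the CN ordered (a wildcard keeps its "*.").
    cn=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$want" ] || { echo "FAIL: CSR CN '$cn' != ordered CN '$want'"; rc=1; }
    # 4. The private key on this server must match the CSR's public key,
    #    otherwise the issued certificate cannot be installed here.
    csr_pub=$(openssl req -in "$csr" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$csr_pub" = "$key_pub" ] \
        || { echo "FAIL: private key '$key' does not match the CSR"; rc=1; }
    return $rc
}

# Usage:
#   make_csr www.example.com 2048 server.key server.csr
#   check_csr server.csr server.key www.example.com && echo "CSR ready to submit"
```

Run check_csr before pasting the CSR into the order form; each failure line maps to one of the errors above, and a mismatch in step 4 means the certificate would come back with no usable private key on that server, which is exactly the situation that forces a reissue.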

Error 524
There are times when the system will not allow orders to be processed and times out.
To resolve this issue, try the following:
Use the browser in Incognito / InPrivate mode, and change "gcc" to "system" in the link, as shown below.
https://gcc.globalsign.com
https://system.globalsign.com


Barred Territories


GlobalSign does not issue certificates to barred or sanctioned countries or territories, nor to websites promoting illicit activities, including websites that promote terrorist organizations.

GlobalSign does NOT issue certificates to the following territories:

  • Democratic People's Republic of Korea (KP)
  • Islamic Republic of Iran (IR)
  • Republic of Cuba (CU)
  • Syrian Arab Republic (SY)
  • Republic of the Sudan (SD)


How to Transfer an SSL Certificate


Switching from a competitor (transferring a certificate) is an option offered during the ordering process. It allows an existing certificate from a competitor to be replaced with a GlobalSign certificate. We add 30 days to the validity period of the new certificate as a bonus for switching.

Requirements:

  1. The customer's current certificate must not be expired.
    1. The "Valid to" date in the certificate must be later than today's date.
  2. The common name of the customer's current SSL certificate must match the common name of the new order.
    1. Check the domain the customer is ordering for in an SSL checker such as https://globalsign.ssllabs.com/
    2. If the common name of the certificate in the results does not match the common name the customer is ordering for, the transfer will not work (even if that name is listed as a SAN of the currently installed certificate).
  3. A copy of the customer's current SSL certificate, either installed and reachable on the website, or in PEM format.
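The two transfer requirements above as an added shell check, not part of the GlobalSign article and not the check GlobalSign runs on its side. fetch_cert saves the certificate a live site presents (it needs network access, so it is not exercised offline); transfer_eligible then applies the rules to a PEM file: the "Valid to" date must still be in the future, and the subject CN must equal the CN being ordered, with a match only in the SAN list deliberately not counting. Hostnames are placeholders.

```sh
# Added example: the "switch from competitor" pre-checks on this page, run
# against a certificate file. Not GlobalSign's code; hostnames are placeholders.

# fetch_cert <host> [port]: print the PEM certificate a live site presents
# (needs network; the same check can be done in a browser at globalsign.ssllabs.com).
fetch_cert() {
    host=$1; port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM
}

# cert_cn <cert.pem>: the Common Name of the certificate's subject.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# transfer_eligible <cert.pem> <ordered-cn>  -> exit 0 if both rules hold:
#   1. the current certificate's "Valid to" date is still in the future;
#   2. its subject CN equals the CN being ordered (a match that exists only
#      in the SAN list does not count).
transfer_eligible() {
    cert=$1; want=$(printf '%s' "$2" | tr 'A-Z' 'a-z'); rc=0
    # -checkend 0 exits non-zero once notAfter is in the past.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: certificate has expired (notAfter $(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2))"
        rc=1
    fi
    have=$(cert_cn "$cert" | tr 'A-Z' 'a-z')
    if [ "$have" != "$want" ]; then
        echo "FAIL: installed CN '$have' does not match ordered CN '$want'"
        rc=1
    fi
    return $rc
}

# Usage:
#   fetch_cert www.example.com > current.pem
#   transfer_eligible current.pem www.example.com && echo "eligible for transfer"
```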


Revocation vs Cancellation


Revocation – This completely invalidates the certificate; its status cannot be reverted and we cannot issue a refund. If the customer needs to revoke a certificate but must also reinstall on another server (for example, the customer believes their private key is compromised and needs a new key pair), we advise reissuing first and revoking the old certificate afterwards.
Cancellation – This option is only available while the order is within the 7-day trial period from the issuance date, and should be coordinated with the account manager.
Please see this guide on how to Cancel or Revoke a certificate.
 


Invoice Management


For direct customers, you may log in to the GlobalSign Portal to manage your invoices. You can View, Download and Request invoices.
Invoices are typically issued and available in your GCC account 8 days after the issuance date of the certificate. If you are unable to access the View / Request Invoices link, please contact your account administrator or billing user and ask them to issue you an invoice. Please see this guide on how to manage your invoices.
For orders placed through one of our partners, please contact your point of purchase to obtain your invoice.


How to become a Partner with GlobalSign


As a GlobalSign Partner, you have access to more than what a typical break-fix support contract provides.
You have a collaborative relationship with a trusted CA leader, which allows us to work together to make our customers successful.
We will work with you to make sure you have all the tools and resources you need to provide the best possible value, and to understand what you and your customers need today for a safer and more secure digital world. To sign up and learn more about the benefits of becoming our partner, please visit the link here.
