Can I secure multiple subdomains with a single Certificate?
An SSL certificate is issued to a fully qualified domain name (FQDN). This means
that an SSL certificate issued to "secure.RapidSSL.com" cannot be used on different
subdomains, such as "www.RapidSSL.com". To get around this restriction, we offer
RapidSSL Wildcard Certificates. Wildcard Certificates allow you to secure multiple
subdomains on the same domain name, saving you time and money, and you do not
need to manage multiple certificates on the same server.
So with a single certificate issued to *.yourdomain.com you could protect:
For more details on our Wildcard offerings, please click here
products for single root, highly credible Wildcard
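The matching rule behind the two cases above, as an added example that is not part of the original FAQ: a certificate issued to one FQDN covers only that name, while a wildcard name stands in for exactly one label in the left-most position. The function names and sample hostnames are assumptions made for illustration.

```python
# Added example (not RapidSSL code): which hostnames one certificate name covers.
# Matching follows the common left-most-label rule (RFC 6125 style).

def cert_name_covers(cert_name: str, hostname: str) -> bool:
    """Return True if a certificate issued to cert_name is valid for hostname."""
    c = cert_name.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    # Empty labels ("a..com") are never valid, and a wildcard stands in for
    # exactly one label, so both names must have the same number of labels.
    if "" in h or len(c) != len(h):
        return False
    if "*" not in cert_name:
        # Ordinary FQDN certificate: exact (case-insensitive) match only.
        return c == h
    # Accept the wildcard only as the whole left-most label, and require at
    # least two fixed labels after it so "*.com" is rejected. A production
    # validator would also consult the public suffix list (not done here).
    if c[0] != "*" or any("*" in label for label in c[1:]) or len(c) < 3:
        return False
    return c[1:] == h[1:]

# Constructed sample hostnames for the page's *.yourdomain.com certificate.
SAMPLE_HOSTS = [
    "www.yourdomain.com",
    "secure.yourdomain.com",
    "yourdomain.com",            # bare domain: one label short
    "a.b.yourdomain.com",        # nested subdomain: one label too many
    "www.otherdomain.com",
]

def coverage(cert_name: str, hostnames: list[str]) -> dict[str, bool]:
    """Map each hostname to whether cert_name covers it."""
    return {host: cert_name_covers(cert_name, host) for host in hostnames}

if __name__ == "__main__":
    for host, ok in coverage("*.yourdomain.com", SAMPLE_HOSTS).items():
        print(f"{'covered    ' if ok else 'NOT covered'}  {host}")
```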
Can I see which Certification Authorities have their
own Trusted CA root present in browsers?
Yes. Your browser contains a Trusted CA root certificate store. You can access this
by opening Internet Explorer, going to Tools, selecting Internet Options, selecting
the Content tab, clicking Certificates, and selecting the Trusted Root Certification
Authorities tab. You will then see a dialog box presenting a list of all Certification Authorities
who own their own Trusted CA roots (you can examine the root certificate by double
GeoTrust owns the Equifax root (Equifax Digital Certificate services became GeoTrust
RapidSSL.com's RapidSSL product owns its own root. RapidSSL.com uses a different
What is the Warranty?
We value our customers, so we provide a $10,000 warranty on our RapidSSL and RapidSSL
Wildcard certificates. The warranty protects the end user if we mis-issue a certificate.
It is worth noting that other SSL Providers use warranty as a means of adding perceived
value to their offerings, and as such will offer the same certificate with higher warranties
and then charge more for the certificate! We want to make it clear that warranty
has not been collected on any SSL Certificate, ever! The inclusion of a $10,000
warranty on RapidSSL makes RapidSSL.com the lowest cost provider of highly trusted,
fully warranted SSL certificates!
Do I need warranty?
The warranty level is the financial protection awarded to end customers against
the CA misissuing an SSL Certificate. If a customer relies on the information within
a misissued SSL Certificate and suffers financial loss as a direct result of relying
on the certificate, the CA will hold insurance to cover claims made by the customer
against the CA. Effectively, the warranty is the insurance taken out by the CA to
protect itself in the event it makes a mistake. Verisign offers a more advanced
insurance policy in that it will also provide insurance against a compromise of
a private key or loss of certificate - but such insurance comes at a price.
Do I require a single root or intermediate SSL certificate?
Most SSL certificates are issued by CAs who own and use their own Trusted Root CA
certificates, such as those issued by GeoTrust and RapidSSL.com. As GeoTrust and
RapidSSL.com are known to browser vendors as trusted issuing authorities, their Trusted
Root CA certificates have already been added to all popular browsers, and hence are
already trusted. These SSL certificates are known as "single root" SSL certificates.
RapidSSL.com, a subsidiary of GeoTrust, owns the Equifax roots used to issue its
Some Certification Authorities do not have a Trusted Root CA certificate present
in browsers, or do not use the root they do own, and use a "chained root" in order
for their SSL certificates to be trusted. Essentially a CA with a Trusted Root CA
certificate issues a "chained" certificate which "inherits" the browser recognition
of the Trusted Root CA. These SSL certificates are known as "chained root" SSL certificates.
For a Certification Authority to have and use its own Trusted Root CA certificate
already present in browsers is a clear sign that they are long-time, stable and
credible organizations who have long term relationships with the browser vendors
(such as Microsoft and Netscape) for the inclusion of their Trusted Root CA certificates.
For this reason, such CAs are seen as being considerably more credible and stable
than chained root certificate providers who do not have a direct relationship with
the browser vendors, or do not use their own root certificates to issue SSL certificates.
Installation of chained root certificates is more complex, and some web servers
are not compatible with chained root certificates.
How credible and stable is the CA issuing the SSL certificate?
Clearly for any SSL certificate to be taken seriously, it is important to ensure
that the CA issuing the SSL certificate is well established and credible. The best
way of determining the credibility of a CA is by simply establishing whether the
CA in question owns its own trusted root, i.e. does the CA own a root that is already
present in all popular browsers?
You can examine trusted root ownership by double clicking the padlock seen in the
browser during an SSL connection with a webserver. When the SSL Certificate appears,
simply click the "Certification Path" tab to see which trusted root CA certificate
issued the SSL certificate.
It is also possible to see the trusted roots referenced in a browser e.g. for IE6,
go to "Tools", "Internet Options" and select "Content", "Certificates" and then
the tab "Trusted Root Certification Authorities".
GeoTrust owns the Equifax root (Equifax Digital Certificate services became GeoTrust
RapidSSL.com's RapidSSL and RapidSSL Wildcard products own their own root.
Business stability is also an essential component when selecting any supplier. Whilst
we do not examine financial stability of each CA in detail in this white paper,
enterprise class accounts are advised to conduct their own due diligence into each
CA, as well as examine the root CA certificate ownership.
When selecting a CA, therefore, always consider the long term stability of the CA,
especially if a longer term enterprise solution is required.
If the CA relies on an intermediate certificate - consider the long-term stability
of the CA supplying the intermediate, and obviously the stability of the supplier
relationship between the two CAs.
Clearly it is very advisable to ensure the integrity of the CA and to establish
which CA is issuing the SSL certificate to be used.
How likely is a misissuance?
It is highly unlikely that a WebTrust compliant CA will misissue a certificate.
All WebTrust compliant CAs have passed certification to ensure that procedures and
policies are in place that make misissuance improbable. For this reason, many WebTrust
compliant CAs do not offer a warranty at all.
Some CAs will offer the warranty as a means of adding perceived value to their SSL
How long are your SSL certificates valid for?
RapidSSL certificates are valid for 1 to 5 years.
FreeSSL certificates are valid for 30 days.
Our Professional Level Certificates from GeoTrust are available for up to 6 years.
When your SSL certificate expires and you wish to renew with us, we will give you
instructions on how to renew with us.
How long does it take to issue my Certificate?
If you need an SSL certificate right away, you have options. If you can wait 3-5
days, you can get certificates from established vendors that use slow traditional
validation methods. However, immediate issuance certificates use alternate validation
methods. Please review our information on validation to familiarize yourself with
standard methods and question your vendors when in doubt.
RapidSSL and FreeSSL are issued immediately.
I cannot remember or have lost my login details.
If you still have the order number, you can use the automated password reminder
system; if not, an email must be sent from the administrative email address
on the account to support (at) sslrenewals (dot) com,
including the original domain name it was purchased for, or the original order
I have accidentally deleted my "private key"; what
can I do now?
First check your backups and see if you can re-install the "private key". If you
don't know how to re-install the key from your backups, contact your systems administrator.
Failing that, contact your web server software vendor for technical support. The
only alternative course of action available is a re-issuance of the certificate
following the re-submitting of a replacement CSR.
I have changed my server, or moved to a different
provider; how do I move the certificate?
The easiest way is to create a new CSR on the new machine and have the certificate
Is technical support available from the CA should
I need it?
Installing an SSL certificate can sometimes be tricky - you will need to first generate
a CSR and then install your issued certificate. For this reason it is essential
that the CA provides sufficient and timely support.
All CAs provide some level of support, even if it is only email and web based. Most
issues can easily be solved using the expansive online resources and knowledge bases
provided by the CA. However, should an issue arise, it is highly recommended that
there is access to technical support staff; therefore, make sure the CA clearly publishes
a technical support telephone number. Also, be aware that some CAs charge extra
for telephone support.
Is there a limit to the number of certificates I
We do not limit the number of RapidSSL or RapidSSL Wildcard certificates that can
be ordered. Go ahead and get as many as you need!
We limit one FreeSSL certificate to a domain name - FreeSSL is only a test certificate
designed to help you test your system and evaluate using RapidSSL.com for your production
The CSR cannot be decoded?
This is because it is missing one or more required fields or the CSR contains non-alphanumeric
characters in the required fields.
What browser recognition is required?
Browser recognition or ubiquity is the term used in the industry to describe the
estimated percentage of Internet users that will inherently trust an SSL certificate.
Certification Authorities who own their own roots have what are known as Root CA
Certificates. These root CA certificates are added into releases of all the major
browsers such as Internet Explorer, Netscape, Opera, etc., by the browser vendor (such
as Microsoft). When a browser is used, it automatically relies on a "list" of root
CA certificates that the browser vendor has deemed trustworthy. If an SSL certificate
is issued by one of the trusted root CAs, then the browser will inherently trust
the SSL certificate and the gold padlock will appear transparently during secure
The browser stores the CA roots that can be trusted; therefore, if a browser encounters
a website using an SSL certificate issued by a CA root it does not trust, the browser
will display warning messages to the website visitor. The lower the browser ubiquity,
the fewer people will trust a certificate - clearly, a commercial site will require
as many people as possible to trust an SSL certificate.
The general rule is that any SSL certificate with over 95% browser ubiquity is acceptable
for a commercial site.
As with any form of statistics, browser ubiquity is open to interpretation; hence,
in the Appendix, the table does not place a great deal of validity in presenting
browser recognition "percentages". Instead, it simply concludes whether an SSL Certificate
is acceptable for commercial sites.
What budget do I have for my certificate?
Certificates range dramatically in price from one CA to another. The highest prices
are 40 times the lowest prices!
This white paper has examined numerous points of consideration in determining which
SSL certificate to purchase.
The correct choice of SSL certificate is principally dependent on the application
type and on whether there is a need for a well known brand of SSL that has been
issued from a highly trusted and credible CA.
There are however significant savings available for websites conducting low volume
/ low value transactions. Some SSL certificate types are perfect for development
environments, whilst other certificate types suit professional requirements. Buyers
are therefore urged to carefully consider their choice of CA before purchasing.
What certificate strength is required?
Generally there are two strengths of certificate in existence - 40 bit & 128 bit.
256 bit is now also available but requires a combination of the use of specific
browsers (currently Firefox) and a specific web server (currently Apache). All RapidSSL.com
and GeoTrust certificates support 256 bit encryption.
The bit size indicates the length of the key used for the encryption during
a secure SSL session. Hovering the mouse over the gold padlock will detail the current
strength of encryption being used:
What do I need to consider when purchasing a SSL
The following 10 considerations must be taken into account before deciding which
CA and which type of SSL certificate to purchase. Each point will be discussed in
more detail on this page.