Last updated: 2024-02-20, edited by 888u
No matter how experienced we are, we will always encounter errors of one kind or another during the process of purchasing or installing SSL certificates. So what are the common mistakes in SSL certificate installation? What are the causes and solutions for these errors? The editor has summarized seven common errors and solutions for SSL certificates for you, let’s take a look!
Error 1: Domain name verification failed
Solution: Please confirm that you are using the correct domain name verification method and completing the verification correctly.
(Choose the correct domain name verification method)
- To use email verification, first make sure you are using the website administrator's email address, that is, choose any of the following prefixes: admin@domain name, administrator@domain name, webmaster@domain name, hostmaster@domain name, postmaster@domain name. Please do not use the applicant's personal email address, otherwise the order cannot be submitted and the domain name cannot be verified.
- To use DNS verification, please add the specified content to the domain name resolution, ensure that the DNS record value matches the content provided in the order information, and ensure that this record can be publicly accessed.
- To use file verification, please create the specified path under the root of the domain name and place the verification content there. Please confirm that the added path and the placed content match the content provided in the order information, and ensure that the path link is publicly accessible.
Note: According to the latest CA/B Forum policy change notice on SSL certificate domain name verification, starting from December 1, 2021, wildcard certificates no longer support file verification.
Error 2: Private key lost
Solution: Reissue the certificate. If you find that the private key is lost and you are sure that it can no longer be found on the computer, please reissue the certificate as soon as possible to avoid the risk of data leakage caused by the loss of the private key.
If you apply for an SSL certificate on the Ruicheng Information Platform, there will be no charge for re-signing the SSL certificate within the validity period of the certificate.
Note: When re-signing, please be sure to generate a new .csr file and .key file and keep them properly.
Error 3: Invalid CSR
Workaround: Regenerate the CSR. When generating a CSR to reissue a certificate, please ensure that the domain name is consistent with the domain name in the original CSR. One CSR matches only one private key. Please do not reuse the same CSR.
The information in the CSR can be decoded using tools. You can use Ruicheng Information's free decoding tool, the CSR file online verification tool, to check whether the information filled in the CSR is correct.
In addition, extra spaces or dashes before or after the CSR text will also make the CSR invalid.
Error 4: Common name mismatch
Solution: When submitting a wildcard certificate order, please confirm that the domain name is in the format *.domain.com. The * cannot be omitted, otherwise you will receive an error message: Invalid domain name format. When applying for a non-wildcard certificate, if you fill in the format *.domain.com, you will also receive an error: Invalid domain name format; please fill in the non-wildcard domain name directly as domain.com.
(Invalid domain name format prompt)
As mentioned before, * represents all subdomains you can protect with this type of certificate. For example, if you want to protect www.racent.com, ssltrus.racent.com, and portal.racent.com, enter *.racent.com as the common name in the CSR.
Note: You cannot put a subdomain in front of the asterisk wildcard, such as mail.*.domain.com, or use a double wildcard, such as *.*.domain.com.
Error 5: Public key and private key do not match
Solution: Regenerate the CSR file and private key and save them safely. When applying for a certificate, you may have generated the private key and CSR files multiple times, or the provided CSR and private key were not generated at the same time, which will result in a mismatch between the public and private keys. In this case, you need to regenerate the CSR file and private key, and then submit the application to the service provider to re-issue the SSL certificate to replace the previous certificate before it can be used.
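One way to catch Errors 3 and 5 before submitting an order, as an added example that is not part of the original article: it checks a CSR's PEM boundary lines and self-signature, then compares the public key in the CSR with the one derived from the private key. The file names and the `csr_ok`, `pubkey_fp` and `same_keypair` helpers are constructed for illustration; only standard `openssl` subcommands are used.

```sh
#!/bin/sh
# Added example: check a CSR before submitting it (Errors 3 and 5).
# File names are constructed; only standard openssl subcommands are used.

# Error 3: the PEM boundary lines must match exactly (no stray spaces,
# dashes or CR characters) and the CSR's self-signature must verify.
csr_ok() {
  first=$(head -n 1 "$1"); last=$(tail -n 1 "$1")
  [ "$first" = '-----BEGIN CERTIFICATE REQUEST-----' ] &&
  [ "$last" = '-----END CERTIFICATE REQUEST-----' ] &&
  openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# SHA-256 of the public key held in a PEM private key, CSR or certificate.
pubkey_fp() {
  if grep -q 'CERTIFICATE REQUEST-----' "$1"; then
    pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 2
  elif grep -q 'BEGIN CERTIFICATE-----' "$1"; then
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  else
    pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
  fi
  printf '%s\n' "$pub" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Error 5: two files belong together only if they carry the same public key.
same_keypair() {
  fp_a=$(pubkey_fp "$1") && fp_b=$(pubkey_fp "$2") && [ "$fp_a" = "$fp_b" ]
}

# Constructed demo: one key with its CSR, one unrelated key, one damaged CSR.
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
( umask 077   # private keys readable by their owner only
  for k in site other; do
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$work/$k.key"
  done ) 2>/dev/null
openssl req -new -key "$work/site.key" -subj '/CN=example.com' -out "$work/site.csr"
{ printf ' '; cat "$work/site.csr"; } > "$work/padded.csr"   # stray leading space

csr_ok "$work/site.csr"   && echo "site.csr: boundaries and signature OK"
csr_ok "$work/padded.csr" || echo "padded.csr: rejected"
same_keypair "$work/site.key"  "$work/site.csr" && echo "site.key matches site.csr"
same_keypair "$work/other.key" "$work/site.csr" || echo "other.key does not match site.csr"
```

`pubkey_fp` also accepts an issued certificate, so the same comparison works for checking a delivered certificate against the key on the server before installing it.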
Error 6: SAN options do not match
Solution: Confirm whether the entered SAN is consistent with the SAN included in the certificate. There are many possible reasons for this error. You may have:
- Typed an extra space before or after the SAN.
- Misspelled the SAN.
- Filled in the common name of the certificate as a SAN.
- Incorrectly filled in the SAN as a subdomain name, multiple domain names, internal SAN or IP address.
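The name rules from Errors 4 and 6 written as a pre-submission check, as an added example and not the validation any CA or ordering platform actually runs. The `check_name` and `check_sans` functions and the `wildcard` / `single` product labels are hypothetical, and rejecting bare IP addresses as names is an assumption of this sketch.

```sh
#!/bin/sh
# Added example: pre-flight check of names typed into a certificate order.
# "wildcard" / "single" are hypothetical labels for the product type.

# check_name PRODUCT NAME: prints "ok" or the reason; returns 0 only for "ok".
check_name() {
  product=$1 name=$2
  label='[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?'
  tld='[A-Za-z]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?'   # letter first: rejects bare IPs
  if [ "$(printf '%s' "$name" | tr -d '[:space:]')" != "$name" ]; then
    echo "whitespace in name"; return 1
  fi
  case $name in
    \*.*\**) echo "double wildcard"; return 1 ;;
    ?*\**)   echo "asterisk must be the leftmost label"; return 1 ;;
  esac
  case $name in
    \*.*) [ "$product" = wildcard ] ||
            { echo "wildcard name on a non-wildcard order"; return 1; }
          rest=${name#\*.} ;;
    *)    [ "$product" = single ] ||
            { echo "wildcard order needs the *.domain.com form"; return 1; }
          rest=$name ;;
  esac
  printf '%s\n' "$rest" | grep -Eq "^($label\.)+$tld\$" ||
    { echo "invalid domain name format"; return 1; }
  echo ok
}

# check_sans CN SAN...: list SAN entries that repeat the CN or fail check_name.
check_sans() {
  cn=$1; shift; bad=0
  for san in "$@"; do
    if [ "$san" = "$cn" ]; then
      echo "'$san': repeats the common name"; bad=1; continue
    fi
    case $san in \*.*) kind=wildcard ;; *) kind=single ;; esac
    msg=$(check_name "$kind" "$san") || { echo "'$san': $msg"; bad=1; }
  done
  return "$bad"
}

# Constructed entries, including the two forms the Error 4 note rules out.
for n in '*.domain.com' 'mail.*.domain.com' '*.*.domain.com' 'domain.com'; do
  printf '%-20s %s\n' "$n" "$(check_name wildcard "$n")"
done
check_sans 'domain.com' 'www.domain.com' ' shop.domain.com' 'domain.com' || true
```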
Error 7: The certificate is not trusted by the browser
After the certificate installation is complete, a warning that the certificate is not trusted may appear.
Solution:
First, confirm that the installed SSL certificate is a globally trusted SSL certificate and is compatible with the browser you are using. Then check whether the intermediate certificate has not been installed or the root certificate is missing. If the intermediate certificate is missing, you can contact your certificate service provider to check and determine which intermediate certificate you need.
Secondly, please check whether your website's pages contain resources loaded over HTTP. If so, please replace them with HTTPS resources.
Conclusion
In addition, you also need to pay attention to recording the expiration time of your SSL certificate. To prevent business interruption caused by the expiration of the SSL certificate, please make sure to update and replace the certificate before it expires. If you have other questions, please consult Ruicheng Information’s online customer service. We have a professional team to help you solve technical problems.