SSL FAQs
The most important questions about SSL certificates
Here you will find answers to frequently asked questions about SSL certificates. In case we did not answer your question below, please feel free to contact our SSL support team by e-mail.
- What is a CSR and what does it need to contain?
- What is the difference between an administrative and technical contact?
- What has to be considered regarding the e-mail address of the authorizing person?
- How will I receive the SSL certificate after it is issued?
- How will I get the VeriSign Secured Seal or the Thawte Trusted Site Seal?
- Is it possible to renew an SSL certificate - purchased anywhere else - with EPAG?
- When can I start renewing an SSL certificate?
- Is a Wildcard certificate valid for subdomains of a subdomain?
- Is it possible to install the same SSL certificate on more than one server? What is a licence?
- What is a reissue? Is there a cost associated with it?
- What is important for the e-mail addresses for RapidSSL certificates?
- What are the differences between the VeriSign Trust Seal and SSL certificates?
What is a CSR and what does it need to contain?
The abbreviation CSR is short for “Certificate Signing Request”. The CSR is a sequence of text characters that your SSL software generates for the certificate hostname. The Certificate Authority (e.g. Thawte or VeriSign) can generate your certificate only after a CSR has been supplied.
The CSR must contain the following information:
- Country (= C)
- State (= ST)
- Locality (= L)
- Organisational name (= O)
- Organisational unit (= OU)
- Common name (= CN)
Indicating your e-mail address within the CSR is optional.
Important notices for generating the CSR:
- Please do not enter a challenge password or an optional company name when generating the CSR. The Certificate Authority will not accept a CSR with these two additional fields.
- Please make sure that no umlauts (e.g. ä, ö, ü) are used in the CSR.
- Please make sure that you have installed the newest version of OpenSSL when you generate a CSR. Older versions of OpenSSL may generate CSRs with only weak encryption. Those CSRs will not be accepted by the Certificate Authority. This affects mostly Debian or Ubuntu distributions.
Along with the SSL certificate order, the CSR needs to be submitted in a specific format. Please see the following example that shows a valid CSR for “example.com”:
-----BEGIN CERTIFICATE REQUEST-----
MIIBvzCCASgCAQAwfzELMAkGA1UEBhMCREUxDDAKBgNVBAgTA05SVzENMAsGA1UE
BxMEQm9ubjEZMBcGA1UEChMQRXhhbXBsZS5jb20gSW5jLjEUMBIGA1UEAxMLZXhh
bXBsZS5jb20xIjAgBgkqhkiG9w0BCQEWE2V4YW1wbGVAZXhhbXBsZS5jb20wgZ8w
DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMOTp1J6/RJ6n3b7q+VBnzZCScQJGJyr
caLtVUpTxztO94jMRUlHYFzE9qoE17k3E+BwNf/k5Oq3RHvZjn7HkbLPWKDElkNz
TbhrVM1pV1QiSitVHURy9JhdS9V7FKm5loZczkjatnBq+1pKBgh8OPXBdA99V3Ma
BGmWsZ/1x4nxAgMBAAGgADANBgkqhkiG9w0BAQUFAAOBgQBDqhJ2qL3zcY8AIauO
hjiKgHciy/Y9jgNedDGD3uw2G7XUBUcewP7Q82Ra9SccIE5kyVeO1u81UAKjmQfH
1ywUkuSbib01ZFNCeoa+GmMJkEq9UbSl0rkcP8Qrh9gme+3zu8Ag0VsBn0+2GgrE
Q0lolzzvT/k0HuLRiu4QR1Fs+g==
-----END CERTIFICATE REQUEST-----
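The generation rules above, applied with OpenSSL, as an added example that is not EPAG's or the Certificate Authority's own tooling: a config file supplies the six subject fields and has no attributes section, so neither a challenge password nor an optional company name ends up in the CSR, and csr_problems checks the result against the FAQ's list. The subject values, file names and function names are constructed for illustration.

```bash
# Added example: create a CSR that follows the FAQ's rules and check it
# before submitting. All DN values below are constructed samples.
set -eu

make_csr() {  # $1 = directory that receives req.cnf, server.key, server.csr
    cat > "$1/req.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
# No "attributes" line: the CSR then carries neither a challenge password
# nor an optional company name.

[ dn ]
C  = DE
ST = NRW
L  = Bonn
O  = Example.com Inc.
OU = IT
CN = example.com
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$1/req.cnf" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
}

csr_problems() {  # $1 = PEM CSR; prints one line per FAQ rule it breaks
    local subj text f
    subj=$(openssl req -in "$1" -noout -subject -nameopt RFC2253)
    text=$(openssl req -in "$1" -noout -text)
    for f in C ST L O OU CN; do
        printf '%s\n' "$subj" | grep -Eq "[=,]$f=" || echo "missing $f"
    done
    # RFC2253 output escapes non-ASCII bytes as \XX, so an umlaut shows up here.
    if printf '%s\n' "$subj" | grep -Eq '\\[0-9A-Fa-f]{2}'; then
        echo "non-ASCII character in subject"
    fi
    if printf '%s\n' "$text" | grep -Eq 'challengePassword|unstructuredName'; then
        echo "challenge password or optional company name present"
    fi
}

work=$(mktemp -d)
make_csr "$work"
openssl req -in "$work/server.csr" -noout -verify 2>&1   # self-signature check
csr_problems "$work/server.csr"                          # prints nothing when clean
```

The private key stays in server.key on the server; only server.csr is submitted with the order.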
More information on how to generate a CSR on your server is available at www.thawte.com:
Thawte-Help for generating CSR
Information for VeriSign certificates is available at www.verisign.com:
VeriSign-Help for generating CSR
What is the difference between the administrative and technical contact?
The administrative contact is the person who will hold the SSL certificate. This person is also the administrative domain contact in the public Whois database and will usually also be the authorizing person who confirms the SSL certificate order. EPAG will not contact the administrative contact if all contact details have been submitted in due order.
The technical contact is the person who will receive technical information related to the SSL certificate order. The technical contact is also the person who will be contacted first by Thawte or EPAG for questions.
In addition to the technical contact, a contact person for EPAG is required. To specify this contact, simply use the “E-mail address (contact person)” field on the second ordering screen to insert the e-mail address of the person whom EPAG shall contact to process the order and send the invoice. This contact person will not be contacted by the Certificate Authority.
What has to be considered regarding the e-mail address of the authorizing person?
The e-mail address provided for the authorizing person should be active and also visible in the public Whois database. If the e-mail address is for some reason not visible or differs from the one shown in the public Whois record, then you should make sure that one of the following predefined e-mail addresses is active and monitored:
- admin@yourdomain
- administrator@yourdomain
- hostmaster@yourdomain
- root@yourdomain
- webmaster@yourdomain
- postmaster@yourdomain
When choosing one of those predefined e-mail addresses, Thawte, VeriSign or RapidSSL can be sure that the contact person of this domain is authorized. The e-mail required to approve the certificate will be sent to this person for checking and confirming the application.
How will I receive the SSL certificate after it is issued?
After an SSL certificate has been successfully issued by Thawte, VeriSign or RapidSSL, it will be sent via e-mail to the technical contact, and a copy will be sent to the administrative contact. The SSL certificate will be contained within the e-mail in plain text format.
More information about how to install an SSL certificate is available at www.thawte.com:
How to install a Thawte certificate
Help for VeriSign certificates can be found at www.verisign.com:
How to install a VeriSign certificate
How will I get the VeriSign Secured Seal or the Thawte Trusted Site Seal?
After receiving a successfully issued SSL certificate from Thawte, VeriSign or RapidSSL, you can display a so-called Seal in the secure area of your website to indicate to your customers that this website is trustworthy. You may retrieve your Site Seal through the following links:
Please note that you need to renew the Seal after you have renewed your SSL certificate.
Is it possible to renew an SSL certificate - purchased anywhere else - with EPAG?
Yes, it is possible to renew Thawte or VeriSign certificates with EPAG, even if the certificate has originally been purchased through another Thawte or VeriSign partner.
To renew a certificate, we only need the Certificate Signing Request (CSR) of your current certificate. Please note that if a Microsoft product is used, a new CSR might be required for renewing your SSL certificate.
When can I start renewing an SSL certificate?
You may renew a Thawte certificate starting 90 days before it expires. From the day of expiration, it is still possible to renew the SSL certificate within 90 days.
Please be aware that a renewal may take several days, and make sure to initiate the process early enough. In some cases, altered information will again be subject to comprehensive verification.
Is a Wildcard certificate valid for subdomains of a subdomain?
In general, the Wildcard Certificate is valid only for the subdomains of the “main” domain like [server1.example.com] and [server2.example.com]. That implies that subdomains of a subdomain, such as [mail1.server1.example.com], [mail1.server2.example.com] and [mail2.server2.example.com], cannot be included in the certificate.
The thawte SSL Webserver Wildcard certificate is not valid for the actual 2nd level domain [example.com]. Geotrust True BusinessID Wildcard and RapidSSL Wildcard in turn do include validity for the domain itself [example.com] without extra fee.
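The coverage described above can be checked with OpenSSL's -checkhost option; this is an added example, not code from EPAG or the Certificate Authorities. It creates two throwaway self-signed certificates (the file names, function names and the extra example.com entry in the second certificate are assumptions for illustration) and needs OpenSSL 1.1.1 or later for -addext.

```bash
# Added example: check which host names a wildcard certificate covers.
# The certificates are self-signed test material, valid for one day.
set -eu

make_cert() {  # $1 = output prefix, $2 = subjectAltName value
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=wildcard-test" \
        -addext "subjectAltName=$2" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

covers() {  # $1 = certificate, $2 = host name; succeeds if the name matches
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

report() {  # $1 = certificate; prints one line per host name from the FAQ
    local h
    for h in server1.example.com mail1.server1.example.com example.com; do
        if covers "$1" "$h"; then echo "$h: covered"; else echo "$h: NOT covered"; fi
    done
}

work=$(mktemp -d)
make_cert "$work/wild" 'DNS:*.example.com'
make_cert "$work/both" 'DNS:*.example.com,DNS:example.com'
echo "SAN *.example.com only:";             report "$work/wild.crt"
echo "SAN *.example.com plus example.com:"; report "$work/both.crt"
```

The same covers check works on an issued certificate file, which shows before deployment whether the bare domain is included.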
Is it possible to install the same SSL certificate on more than one server? What is a licence?
An SSL certificate may generally be installed on only one physical server. If the subdomains included in a Wildcard Certificate are spread out over different physical servers, you will need additional licences. The licence guarantees that you have the right to install a copy of the Wildcard Certificate on another server.
Additional licenses are available for all SSL certificate types except the Code Signing Certificate. Geotrust certificates may be installed on an unlimited number of servers.
Please contact us directly to find out about pricing for additional licences.
What is a reissue? Is there a cost associated with it?
A reissue is needed if you wish to change information in an existing SSL certificate. For example, you might decide to change the server software and for that reason be unable to use the current SSL certificate any longer. Within the validity period of an SSL certificate, reissues through Thawte and VeriSign are free of charge. RapidSSL does not offer free reissues!
If a reissue is necessary, please tell us the reason and which details you wish to change.
What is important for the e-mail addresses for RapidSSL certificates?
Please make sure when ordering a RapidSSL Certificate to submit only predefined e-mail addresses with the application. Otherwise, certificate provision might fail or experience considerable delays.
- admin@yourdomain
- administrator@yourdomain
- hostmaster@yourdomain
- root@yourdomain
- webmaster@yourdomain
- postmaster@yourdomain
What are the differences between the VeriSign Trust Seal and SSL certificates?
The Trust Seal provides no SSL data encryption, only the check and confirmation of the Trust Seal owner's identity. Additionally, a malware check is performed every 24 hours. Furthermore, websites protected by the Trust Seal are highlighted in the results of the most popular search engines. If you ask for personal data on your website, you will also need an SSL certificate.
Which data do I need for the order of a VeriSign Trust Seal?
- URL of website where you wish to implement the Trust Seal
- common data of the Trust seal owner, administrative and technical contact