Frequently Asked Questions

The Internet Corporation for Assigned Names and Numbers, or ICANN, is a non-profit organization which sets technical and procedural policies for domain name registrars and registries. In order to sell generic Top-Level Domains, like .com, a registrar must be accredited with ICANN. EPAG has been an ICANN Accredited Registrar since 2007.

EPAG supports over 800 Top-Level Domains and Second-Level Domains, ranging from exotic ccTLDs to the newest gTLDs! You can find an up-to-date list on our Domain Pricing page.

If we do not support the domain ending you are looking for, contact our Support Team to see if we can add it to our portfolio!

As a domain registrar accredited with the Internet Corporation for Assigned Names and Numbers (ICANN), EPAG is required to verify the domain name Registrant (owner) for all generic Top-Level Domains (gTLDs). Furthermore, we are required to suspend all other gTLDs under our management, which are connected to that Registrant, if the Registrant does not respond to the verification request within 15 days.

What do you need to do? If you are the Registrant of a gTLD and have made one of below changes to your domain, you should have received an email at the Registrant email address, which allows you to start the Registrant Verification process.

• You changed the company, first name, or last name of the Registrant contact
• You changed the email address of the Registrant contact
• You just registered a new gTLD domain
• You transferred your domain to a new registrar

If you do not complete the Registrant Verification on the 16th day after one of the above changes, ALL gTLDs connected to your name, company, and email address will be placed in Client Hold status. Client Hold status removes the domain’s DNS from the root zone so the domain can no longer be active on the internet.

If you have not received this email or if your domain has already been suspended, please contact your domain name provider immediately.

As a domain registrar accredited with the Internet Corporation for Assigned Names and Numbers (ICANN), EPAG is required to follow the Expired Registration Recovery Policy (ERRP) for all gTLD domains.

The ERRP requires that renewal reminders are sent both 30 days and 7 days before the expiration date of every gTLD domain. If the domain is allowed to expire, an expiration notice must also sent 5 days after the domain is deleted. Due to policy restrictions, these emails cannot be disabled. Detailed information regarding these notices, and the ERRP, is available on the Registrant Information page of our website.

For questions regarding your domain name or hosting, you will need to contact your domain name provider or hosting provider.

EPAG is a domain registrar and cannot assist with hosting issues. However if you do not know who your domain name provider is, or cannot reach them, you can contact the EPAG Support Team and we will forward your request to them.

For questions regarding your domain name, you will need to contact your domain name provider. If you do not know who your domain name provider is, or cannot reach them, you can contact the EPAG Support Team and we will forward your request to them.

ICANN requires that the following emails are sent to the Registrant of every gTLD domain:

• Registrant Verification Emails
• Expired Registration Recovery Policy (ERRP) Emails
• Whois Data Reminder Policy (WDRP) Emails
• Owner Change Confirmation Emails

Please read below for further information about each of these emails.

Registrant Verification Emails

EPAG is required to verify the domain name Registrant (owner) for all generic Top-Level Domains (gTLDs). If the Registrant does not respond to the verification request within 15 days, we are required to suspend all other gTLDs under our management, which are connected to that Registrant.

What do you need to do? If you are the Registrant of a gTLD and made one of below changes to your domain:

• You changed the company, first name, or last name of the Registrant contact,
• You changed the email address of the Registrant contact,
• You just registered a new gTLD domain, or
• You transferred your domain to a new registrar

then you should have received an email at the Registrant email address, which allows you to start the Registrant Verification process. If you do not complete the Registrant Verification process by the 16th day after making one of the above changes, ALL gTLDs connected to your name, company, and email address will be placed in Client Hold status. Client Hold status removes the domain’s DNS from the root zone so the domain can no longer be active on the internet.

If you have not received this email or if your domain has already been suspended, please contact your domain name provider immediately.

Expired Registration Recovery Policy (ERRP) Emails

ICANN’s Expired Registration Recovery Policy (ERRP), requires that Registrants are notified of the expiration date of their gTLD domain and informed of procedures in case they wish to recover the domain after it expires.

You will receive two renewal emails at the Registrant email address in the Whois. The first email will be sent approximately 1 month prior to the expiration of each domain. The second will be sent 1 week prior to the expiration date. These emails will be sent, even if you have indicated to your domain provider that the domain should be renewed.

If your domain is deleted or allowed to expire, you will receive another email containing recovery instructions. This will be sent within five days of the deletion of your domain.

Whois Data Reminder Policy (WDRP) Emails

ICANN requires that an email is sent once a year, which displays the current Whois details (contact information) for a gTLD domain.

As a domain Registrant, you will receive an email once a year which displays the Registrant, admin, and technical contacts of the domain as well as the listed nameservers. If any of the information is inaccurate, it is your responsibility to correct it by contacting your domain provider. If all of the information is correct, no action is required.

Owner Change Confirmation Emails

ICANN requires email approvals whenever certain changes are made to the Registrant (owner) of a gTLD domain.

An Ownership Change (OC) is the process of changing the current Registrant (owner) of a gTLD domain to a new Registrant. Whenever a change is made to the Registrant’s first name, last name, organization name or email address, an Owner Change process is started. This process requires that the OC is approved by both the old and new Registrants, or their designated agents, before the change can be processed. By default, domains are locked against registrar transfer for 60 days following each OC process.

If, after an OC process, you will become the new Registrant of a domain, then you may receive an email asking you to confirm that you would like to become the new Registrant of the domain. If you would like to approve the OC, you need to do so within 10 days of receiving this email. If you do not want to approve the OC, you can ignore the email and the request will time out after 10 days.

If you are the current Registrant and would like to make someone else the Registrant of your domain, you may receive an email asking you to confirm this change. After each OC, the domain is locked for 60 days so that it cannot be transferred to another Registrar. However you, as the current Registrant of the domain, have the option to request that this lock is not applied to the domain. In the OC process, you will be asked if you would like to opt-out of the 60-day Registrar Transfer Lock. If you opt out of the transfer lock, the new registrant can transfer the domain to another registrar directly after the OC process. If you do not actively opt-out of the Lock, the domain will be locked for 60 days after the OC completes and the new Registrant will need to wait 60 days before they can move that domain to another registrar.

After an Owner Change completes successfully, you will receive an email confirming the change.

The abbreviation CSR is short for “Certificate Signing Request”. The CSR is a sequence of text characters which will be generated by your SSL software for the certificate hostname. Only after a CSR has been supplied, the Certificate Authority (e. g. Thawte or Symantec) will be able to generate your certificate.

The CSR must contain the following information:

• Country (= C)
• State (= ST)
• Locality (= L)
• Organisational name (= O)
• Organisational unit (= OU)
• Common name (= CN)

Indicating your email address within the CSR is optional.

Important notices for generating the CSR:

• Please do not enter a challenge password or an optional company name when generating the CSR. The Certificate Authority will not accept a CSR with these two additional fields.
• Please make sure that no umlauts (e.g. ä, ö, ü) were used in the CSR.
• Please make sure that you have installed the newest version of OpenSSL when you generate a CSR. When using older versions of OpenSSL, it might be possible that CSRs are generated with only light decryption. Those CSRs will not be accepted by the Certificate Authority. This affects mostly Debian or Ubuntu distributions.

Along with the SSL certificate order, the CSR needs to be submitted in a specific format. Please see the following example that shows a valid CSR for “example.com”:

-----BEGIN CERTIFICATE REQUEST-----
 MIIBvzCCASgCAQAwfzELMAkGA1UEBhMCREUxDDAKBgNVBAgTA05SVzENMAsGA1UE
 BxMEQm9ubjEZMBcGA1UEChMQRXhhbXBsZS5jb20gSW5jLjEUMBIGA1UEAxMLZXhh
 bXBsZS5jb20xIjAgBgkqhkiG9w0BCQEWE2V4YW1wbGVAZXhhbXBsZS5jb20wgZ8w
 DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMOTp1J6/RJ6n3b7q+VBnzZCScQJGJyr
 caLtVUpTxztO94jMRUlHYFzE9qoE17k3E+BwNf/k5Oq3RHvZjn7HkbLPWKDElkNz
 TbhrVM1pV1QiSitVHURy9JhdS9V7FKm5loZczkjatnBq+1pKBgh8OPXBdA99V3Ma
 BGmWsZ/1x4nxAgMBAAGgADANBgkqhkiG9w0BAQUFAAOBgQBDqhJ2qL3zcY8AIauO
 hjiKgHciy/Y9jgNedDGD3uw2G7XUBUcewP7Q82Ra9SccIE5kyVeO1u81UAKjmQfH
 1ywUkuSbib01ZFNCeoa+GmMJkEq9UbSl0rkcP8Qrh9gme+3zu8Ag0VsBn0+2GgrE
 Q0lolzzvT/k0HuLRiu4QR1Fs+g==
 -----END CERTIFICATE REQUEST-----

The private key requires a minimum length of 2048 bits.

More information on how to generate a CSR on your server is available on the Thawte and Symentec websites:

Thawte – Help for generating CSR

Symantec – Help for generating CSR

Geotrust – Generate CSR

There are a few causes for this error; here are some things you can check to resolve this:

• Check that the CSR is formatted correctly and does not contain special characters (e.g. &, %, $, §). You can reference the sample CSR further below.
• If you are trying to renew a Certificate, the CSR generated during the renewal process may be too large. Instead of renewing the certificate request, try creating a new certificate request. This will not prompt you to fill out the CSR field.
• Ensure that a domain name (www.domain.com) is listed in the Common Name field and not an IP Address, Name Server, or Wild Card (*) domain.

Sample CSR:

-----BEGIN CERTIFICATE REQUEST-----
 MIIBvzCCASgCAQAwfzELMAkGA1UEBhMCREUxDDAKBgNVBAgTA05SVzENMAsGA1UE
 BxMEQm9ubjEZMBcGA1UEChMQRXhhbXBsZS5jb20gSW5jLjEUMBIGA1UEAxMLZXhh
 bXBsZS5jb20xIjAgBgkqhkiG9w0BCQEWE2V4YW1wbGVAZXhhbXBsZS5jb20wgZ8w
 DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMOTp1J6/RJ6n3b7q+VBnzZCScQJGJyr
 caLtVUpTxztO94jMRUlHYFzE9qoE17k3E+BwNf/k5Oq3RHvZjn7HkbLPWKDElkNz
 TbhrVM1pV1QiSitVHURy9JhdS9V7FKm5loZczkjatnBq+1pKBgh8OPXBdA99V3Ma
 BGmWsZ/1x4nxAgMBAAGgADANBgkqhkiG9w0BAQUFAAOBgQBDqhJ2qL3zcY8AIauO
 hjiKgHciy/Y9jgNedDGD3uw2G7XUBUcewP7Q82Ra9SccIE5kyVeO1u81UAKjmQfH
 1ywUkuSbib01ZFNCeoa+GmMJkEq9UbSl0rkcP8Qrh9gme+3zu8Ag0VsBn0+2GgrE
 Q0lolzzvT/k0HuLRiu4QR1Fs+g==
 -----END CERTIFICATE REQUEST-----

The administrative contact is the person who will hold the SSL certificate. This person is as well the administrative domain contact in the public Whois database and will usually also be the authorizing person who confirms the SSL certificate order. EPAG will not contact the administrative contact if all contact details have been submitted in due order.

The technical contact is the person who will receive technical information related to the SSL certificate order. The technical contact is as well the person who will be contacted at first by Thawte or EPAG for questions.

In addition to the technical contact, a contact person for EPAG is required. To specify this contact, simply use the “E-mail address (contact person)” field on the second ordering screen to insert the e-mail address of the person which EPAG shall contact to process the order and send the invoice. This contact person will not be contacted by the Certificate Authority.

To reissue a certificate, please contact certs@epag.de and provide a new CSR. Please also indicate why a reissue is required.

You may renew a certificate starting 90 days before it expires. You can still renew the SSL certificate up to 90 days after it expires. We will send a renewal reminder 30 days before the certificate expires.

Please start the renewal process well in advance of the expiration date is the renewal may take several days. Updated information may be subject to comprehensive verification.

To renew a certificate, you can duplicate your previous order. We only need a new CSR for the renewal order. All other data from the previous order can be re-used.

Yes, it is possible to renew Thawte or Symantec certificates with EPAG, even if the certificate has originally been purchased through another Thawte or Symantec partner.

There are a number of reasons why a domain validated certificate would not complete immediately:

• Orders are randomly for additional checks by the issuing authority.
• The contact name provided is too short or is uncommon.
• The organization or website indicates a financial institution.

The e-mail address provided for the authorizing person should be active and also visible in the public Whois database. If the e-mail address is for some reason not visible or different to the one shown in the public Whois record, then you should make sure that one of the following predefined e-mail addresses are active and monitored:

• admin@yourdomain
• administrator@yourdomain
• hostmaster@yourdomain
• webmaster@yourdomain
• postmaster@yourdomain

When choosing one of those predefined e-mail addresses, Thawte, Symantec or RapidSSL can be sure that the contact person of this domain is authorized. The e-mail required to approve the certificate will be sent to this person for checking and confirming the application.

For Domain Validated certificates, the Whois data and email address are checked against the contact data provided in the SSL Certificate order. The email address provided for the Authorizing Person must be active and visible in the Whois. If the email address in the SSL Certificate order is not listed in the Whois, then one of the following, predefined email addresses must be listed and active.

• admin@yourdomain
• administrator@yourdomain
• hostmaster@yourdomain
• webmaster@yourdomain
• postmaster@yourdomain

For an Organization Validated certificate, the identity of the company and domain registrant is validated in a thorough authentication process.

You can expect the following verification checks:

• Confirmation of the existence of the company (Company Register)
• Verification of the domain (Whois)
• Verification call

For EV Certificates, the following is validated in addition to the above:

• Validation of the company’s postal address
• Email to Corporate Contact (CC): The CC must be employed by the company and authorized to order the certificate. The email sent to the CC will contain an „Acknowledgement of Agreement“, which the CC must sign and return to the Certificate Authority