General FAQs
How can I become a reseller at EPAG?
Are you a business that manages at least 100 domains? Then get in touch with our sales team on the Get Started page of our website to open an account.
Do you offer a web portal or API to manage domains?
Both! Resellers can manage domains via our web portal or API. You can find a description of our API and an introduction to our web portal on the Integration page of our website.
- no setup fee
- no fixed monthly fees
- no hidden costs
There is no minimum revenue. Just a prepayment of €100 is required which is credited towards your account balance.
Is there a fixed monthly fee or other additional costs for the reseller program?
No, with a reseller account at EPAG you will only pay for the domains or ssl certificates which you manage. You benefit from our fair pricing and pay:
- no setup fee
- no fixed monthly fees
- no hidden costs
There is no minimum revenue. Just a prepayment of €100 is required which is credited towards your account balance.
What forms of payment do you accept?
We accept payments via bank transfer, direct withdrawal, credit card, and PayPal.
Do you offer access to a testing environment?
Yes, we gladly provide access to the test environment of our registration system. Test access is available both to our web portal and API.
Can I create sub-accounts for my customers which allow them to manage their domains on their own?
Yes, as an EPAG reseller you may create your own sub-accounts in your web admin panel and make those accounts available to your customers. Using those sub-accounts, your customers may:
- create and manage domains on their own behalf
- manage domain contacts
- create their own sub-accounts, if you allow them to do so
This portal can be whitelabled with your company name, logo and color scheme. We will always invoice all domain transactions directly to you; your customers will not receive invoices from us.
Domain FAQs
What is a gTLD?
A gTLD is a generic Top-Level Domain. These domain endings have three or more characters, such as .com, .org, or .info, and are regulated by the Internet Corporation for Assigned Names and Numbers (ICANN).
All TLDs listed in the IANA Root Zone Database as either “generic” or “generic-restricted” are gTLDs.
What is a ccTLD?
A ccTLD, or “country code Top-Level Domain”, is a domain ending that is allocated to a nation or state, such as .de for Germany or .cn for China. These extensions are often regulated by the local government and are frequently more restricted than gTLDs.
All TLDs listed in the IANA Root Zone Database as “country-code” are ccTLDs.
Whois information and tiered access
If you have a legitimate interest to access the tiered registration directory, click here to send an email including your name, legitimate interest for access, and domain name(s) for which access is desired.
What is ICANN?
The Internet Corporation for Assigned Names and Numbers, or ICANN, is a non-profit organization which sets technical and procedural policies for domain name registrars and registries. In order to sell generic Top-Level Domains, like .com, a registrar must be accredited with ICANN. EPAG has been an ICANN Accredited Registrar since 2007.
Which Top-Level Domains does EPAG support?
EPAG supports over 800 Top-Level Domains and Second-Level Domains, ranging from exotic ccTLDs to the newest gTLDs! You can find an up-to-date list on our Domain Pricing page.
If we do not support the domain ending you are looking for, contact our Support Team to see if we can add it to our portfolio!
What is Registrant Verification and do I have to do anything?
As a domain registrar accredited with the Internet Corporation for Assigned Names and Numbers (ICANN), EPAG is required to verify the domain name Registrant (owner) for all generic Top-Level Domains (gTLDs). Furthermore, we are required to suspend all other gTLDs under our management, which are connected to that Registrant, if the Registrant does not respond to the verification request within 15 days.
What do you need to do? If you are the Registrant of a gTLD and have made one of below changes to your domain, you should have received an email at the Registrant email address, which allows you to start the Registrant Verification process.
- You changed the company, first name, or last name of the Registrant contact
- You changed the email address of the Registrant contact
- You just registered a new gTLD domain
- You transferred your domain to a new registrar
If you do not complete the Registrant Verification on the 16th day after one of the above changes, ALL gTLDs connected to your name, company, and email address will be placed in Client Hold status. Client Hold status removes the domain’s DNS from the root zone so the domain can no longer be active on the internet.
If you have not received this email or if your domain has already been suspended, please contact your domain name provider immediately.
Why are Renewal Reminder emails sent and can I turn them off?
As a domain registrar accredited with the Internet Corporation for Assigned Names and Numbers (ICANN), EPAG is required to follow the Expired Registration Recovery Policy (ERRP) for all gTLD domains.
The ERRP requires that renewal reminders are sent both 30 days and 7 days before the expiration date of every gTLD domain. If the domain is allowed to expire, an expiration notice must also sent 5 days after the domain is deleted. Due to policy restrictions, these emails cannot be disabled. Detailed information regarding these notices, and the ERRP, is available on the Registrant Information page of our website.
My website is down, what do I do?
For questions regarding your domain name or hosting, you will need to contact your domain name provider or hosting provider.
EPAG is a domain registrar and cannot assist with hosting issues. However if you do not know who your domain name provider is, or cannot reach them, you can contact the EPAG Support Team and we will forward your request to them.
I need the AuthCode or login details for my domain name. What do I do?
For questions regarding your domain name, you will need to contact your domain name provider. If you do not know who your domain name provider is, or cannot reach them, you can contact the EPAG Support Team and we will forward your request to them.
What emails will I receive as the Registrant of a gTLD domain?
ICANN requires that the following emails are sent to the Registrant of every gTLD domain:
- Registrant Verification Emails
- Expired Registration Recovery Policy (ERRP) Emails
- Whois Data Reminder Policy (WDRP) Emails
- Owner Change Confirmation Emails
Please read below for further information about each of these emails.
Registrant Verification Emails
EPAG is required to verify the domain name Registrant (owner) for all generic Top-Level Domains (gTLDs). If the Registrant does not respond to the verification request within 15 days, we are required to suspend all other gTLDs under our management, which are connected to that Registrant.
What do you need to do? If you are the Registrant of a gTLD and made one of below changes to your domain:
- You changed the company, first name, or last name of the Registrant contact,
- You changed the email address of the Registrant contact,
- You just registered a new gTLD domain, or
- You transferred your domain to a new registrar
then you should have received an email at the Registrant email address, which allows you to start the Registrant Verification process. If you do not complete the Registrant Verification process by the 16th day after making one of the above changes, ALL gTLDs connected to your name, company, and email address will be placed in Client Hold status. Client Hold status removes the domain’s DNS from the root zone so the domain can no longer be active on the internet.
If you have not received this email or if your domain has already been suspended, please contact your domain name provider immediately.
Expired Registration Recovery Policy (ERRP) Emails
ICANN’s Expired Registration Recovery Policy (ERRP), requires that Registrants are notified of the expiration date of their gTLD domain and informed of procedures in case they wish to recover the domain after it expires.
You will receive two renewal emails at the Registrant email address in the Whois. The first email will be sent approximately 1 month prior to the expiration of each domain. The second will be sent 1 week prior to the expiration date. These emails will be sent, even if you have indicated to your domain provider that the domain should be renewed.
If your domain is deleted or allowed to expire, you will receive another email containing recovery instructions. This will be sent within five days of the deletion of your domain.
Whois Data Reminder Policy (WDRP) Emails
ICANN requires that an email is sent once a year, which displays the current Whois details (contact information) for a gTLD domain.
As a domain Registrant, you will receive an email once a year which displays the Registrant, admin, and technical contacts of the domain as well as the listed nameservers. If any of the information is inaccurate, it is your responsibility to correct it by contacting your domain provider. If all of the information is correct, no action is required.
Owner Change Confirmation Emails
ICANN requires email approvals whenever certain changes are made to the Registrant (owner) of a gTLD domain.
An Ownership Change (OC) is the process of changing the current Registrant (owner) of a gTLD domain to a new Registrant. Whenever a change is made to the Registrant’s first name, last name, organization name or email address, an Owner Change process is started. This process requires that the OC is approved by both the old and new Registrants, or their designated agents, before the change can be processed. By default, domains are locked against registrar transfer for 60 days following each OC process.
If, after an OC process, you will become the new Registrant of a domain, then you may receive an email asking you to confirm that you would like to become the new Registrant of the domain. If you would like to approve the OC, you need to do so within 10 days of receiving this email. If you do not want to approve the OC, you can ignore the email and the request will time out after 10 days.
If you are the current Registrant and would like to make someone else the Registrant of your domain, you may receive an email asking you to confirm this change. After each OC, the domain is locked for 60 days so that it cannot be transferred to another Registrar. However you, as the current Registrant of the domain, have the option to request that this lock is not applied to the domain. In the OC process, you will be asked if you would like to opt-out of the 60-day Registrar Transfer Lock. If you opt out of the transfer lock, the new registrant can transfer the domain to another registrar directly after the OC process. If you do not actively opt-out of the Lock, the domain will be locked for 60 days after the OC completes and the new Registrant will need to wait 60 days before they can move that domain to another registrar.
After an Owner Change completes successfully, you will receive an email confirming the change.
SSL FAQs
What is a CSR and what does it need to contain?
The abbreviation CSR is short for “Certificate Signing Request”. The CSR is a sequence of text characters which will be generated by your SSL software for the certificate hostname. Only after a CSR has been supplied, the Certificate Authority (e. g. Thawte or Symantec) will be able to generate your certificate.
The CSR must contain the following information:
- Country (= C)
- State (= ST)
- Locality (= L)
- Organisational name (= O)
- Organisational unit (= OU)
- Common name (= CN)
Indicating your email address within the CSR is optional.
Important notices for generating the CSR:
- Please do not enter a challenge password or an optional company name when generating the CSR. The Certificate Authority will not accept a CSR with these two additional fields.
- Please make sure that no umlauts (e.g. ä, ö, ü) were used in the CSR.
- Please make sure that you have installed the newest version of OpenSSL when you generate a CSR. When using older versions of OpenSSL, it might be possible that CSRs are generated with only light decryption. Those CSRs will not be accepted by the Certificate Authority. This affects mostly Debian or Ubuntu distributions.
Along with the SSL certificate order, the CSR needs to be submitted in a specific format. Please see the following example that shows a valid CSR for “example.com”:
-----BEGIN CERTIFICATE REQUEST----- MIIBvzCCASgCAQAwfzELMAkGA1UEBhMCREUxDDAKBgNVBAgTA05SVzENMAsGA1UE BxMEQm9ubjEZMBcGA1UEChMQRXhhbXBsZS5jb20gSW5jLjEUMBIGA1UEAxMLZXhh bXBsZS5jb20xIjAgBgkqhkiG9w0BCQEWE2V4YW1wbGVAZXhhbXBsZS5jb20wgZ8w DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMOTp1J6/RJ6n3b7q+VBnzZCScQJGJyr caLtVUpTxztO94jMRUlHYFzE9qoE17k3E+BwNf/k5Oq3RHvZjn7HkbLPWKDElkNz TbhrVM1pV1QiSitVHURy9JhdS9V7FKm5loZczkjatnBq+1pKBgh8OPXBdA99V3Ma BGmWsZ/1x4nxAgMBAAGgADANBgkqhkiG9w0BAQUFAAOBgQBDqhJ2qL3zcY8AIauO hjiKgHciy/Y9jgNedDGD3uw2G7XUBUcewP7Q82Ra9SccIE5kyVeO1u81UAKjmQfH 1ywUkuSbib01ZFNCeoa+GmMJkEq9UbSl0rkcP8Qrh9gme+3zu8Ag0VsBn0+2GgrE Q0lolzzvT/k0HuLRiu4QR1Fs+g== -----END CERTIFICATE REQUEST-----
The private key requires a minimum length of 2048 bits.
More information on how to generate a CSR on your server is available on the Thawte and Symentec websites:
Thawte – Help for generating CSR
Why is my CSR invalid?
There are a few causes for this error; here are some things you can check to resolve this:
- Check that the CSR is formatted correctly and does not contain special characters (e.g. &, %, $, §). You can reference the sample CSR further below.
- If you are trying to renew a Certificate, the CSR generated during the renewal process may be too large. Instead of renewing the certificate request, try creating a new certificate request. This will not prompt you to fill out the CSR field.
- Ensure that a domain name (www.domain.com) is listed in the Common Name field and not an IP Address, Name Server, or Wild Card (*) domain.
Sample CSR:
-----BEGIN CERTIFICATE REQUEST----- MIIBvzCCASgCAQAwfzELMAkGA1UEBhMCREUxDDAKBgNVBAgTA05SVzENMAsGA1UE BxMEQm9ubjEZMBcGA1UEChMQRXhhbXBsZS5jb20gSW5jLjEUMBIGA1UEAxMLZXhh bXBsZS5jb20xIjAgBgkqhkiG9w0BCQEWE2V4YW1wbGVAZXhhbXBsZS5jb20wgZ8w DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMOTp1J6/RJ6n3b7q+VBnzZCScQJGJyr caLtVUpTxztO94jMRUlHYFzE9qoE17k3E+BwNf/k5Oq3RHvZjn7HkbLPWKDElkNz TbhrVM1pV1QiSitVHURy9JhdS9V7FKm5loZczkjatnBq+1pKBgh8OPXBdA99V3Ma BGmWsZ/1x4nxAgMBAAGgADANBgkqhkiG9w0BAQUFAAOBgQBDqhJ2qL3zcY8AIauO hjiKgHciy/Y9jgNedDGD3uw2G7XUBUcewP7Q82Ra9SccIE5kyVeO1u81UAKjmQfH 1ywUkuSbib01ZFNCeoa+GmMJkEq9UbSl0rkcP8Qrh9gme+3zu8Ag0VsBn0+2GgrE Q0lolzzvT/k0HuLRiu4QR1Fs+g== -----END CERTIFICATE REQUEST-----
What is the difference between the administrative and technical contact?
The administrative contact is the person who will hold the SSL certificate. This person is as well the administrative domain contact in the public Whois database and will usually also be the authorizing person who confirms the SSL certificate order. EPAG will not contact the administrative contact if all contact details have been submitted in due order.
The technical contact is the person who will receive technical information related to the SSL certificate order. The technical contact is as well the person who will be contacted at first by Thawte or EPAG for questions.
In addition to the technical contact, a contact person for EPAG is required. To specify this contact, simply use the “E-mail address (contact person)” field on the second ordering screen to insert the e-mail address of the person which EPAG shall contact to process the order and send the invoice. This contact person will not be contacted by the Certificate Authority.
How do I reissue a SSL certificate?
To reissue a certificate, please contact certs@epag.de and provide a new CSR. Please also indicate why a reissue is required.
When can I start renewing a SSL certificate?
You may renew a certificate starting 90 days before it expires. You can still renew the SSL certificate up to 90 days after it expires. We will send a renewal reminder 30 days before the certificate expires.
Please start the renewal process well in advance of the expiration date is the renewal may take several days. Updated information may be subject to comprehensive verification.
How do I renew a SSL certificate?
To renew a certificate, you can duplicate your previous order. We only need a new CSR for the renewal order. All other data from the previous order can be re-used.
Can I renew a SSL certificate with EPAG that I purchased somewhere else?
Yes, it is possible to renew Thawte or Symantec certificates with EPAG, even if the certificate has originally been purchased through another Thawte or Symantec partner.
Why do some domain validated certificates not complete immediately?
There are a number of reasons why a domain validated certificate would not complete immediately:
- Orders are randomly for additional checks by the issuing authority.
- The contact name provided is too short or is uncommon.
- The organization or website indicates a financial institution.
What should I consider regarding the authorizing person’s e-mail address?
The e-mail address provided for the authorizing person should be active and also visible in the public Whois database. If the e-mail address is for some reason not visible or different to the one shown in the public Whois record, then you should make sure that one of the following predefined e-mail addresses are active and monitored:
- admin@yourdomain
- administrator@yourdomain
- hostmaster@yourdomain
- webmaster@yourdomain
- postmaster@yourdomain
When choosing one of those predefined e-mail addresses, Thawte, Symantec or RapidSSL can be sure that the contact person of this domain is authorized. The e-mail required to approve the certificate will be sent to this person for checking and confirming the application.
What are the validation criteria for domain validated certificates?
For Domain Validated certificates, the Whois data and email address are checked against the contact data provided in the SSL Certificate order. The email address provided for the Authorizing Person must be active and visible in the Whois. If the email address in the SSL Certificate order is not listed in the Whois, then one of the following, predefined email addresses must be listed and active.
- admin@yourdomain
- administrator@yourdomain
- hostmaster@yourdomain
- webmaster@yourdomain
- postmaster@yourdomain
What are the validation criteria for EV certificates?
For an Organization Validated certificate, the identity of the company and domain registrant is validated in a thorough authentication process.
You can expect the following verification checks:
- Confirmation of the existence of the company (Company Register)
- Verification of the domain (Whois)
- Verification call
For EV Certificates, the following is validated in addition to the above:
- Validation of the company’s postal address
- Email to Corporate Contact (CC): The CC must be employed by the company and authorized to order the certificate. The email sent to the CC will contain an „Acknowledgement of Agreement“, which the CC must sign and return to the Certificate Authority