GlobalSign Support Centre: SSL Certificate FAQs
How many servers can I secure with one SSL Certificate?
To help you meet your budget, GlobalSign certificates are provided with licensing for an unlimited number of servers included in the standard price. This allows you to easily secure your primary server, a secondary or backup server and a load balancer without any further costs.
To move your certificate between servers, first install the certificate on the same web server that you generated the CSR from, then export the SSL certificate and its private key to a PFX or PKCS12 file, which can then be imported to another web server.
Can I still use a CSR with a 1024-bit key length?
All orders placed from November 29th 2010 will only be accepted with a CSR key length of 2048 bits or higher. This is to fully comply with the National Institute of Standards and Technology (NIST) recommendations and the mandatory requirements of Microsoft's Root Certificate Program to issue Certificates from a minimum of 2048 bits by January 1, 2011.
How do I use the Wildcard SSL Certificate?
A single Wildcard SSL Certificate can secure multiple Web Sites. Typically a standard secure server SSL Certificate is issued to a single Fully Qualified Domain Name only, which means it can only be used on the exact domain (including sub-domain) to which it has been issued. With the Wildcard SSL option activated you easily get around this restriction by receiving a Wildcard SSL Certificate issued to *.domain.com. The * character replaces a "fixed" sub-domain with a "variable" one.
Can I secure my top-level domain with and without the "www." sub-domain?
SSL Certificates are usually issued to a single Fully Qualified Domain Name (FQDN), so normally customers wanting to secure both https://www.globalsign.com and https://globalsign.com would need two separate SSL Certificates. With GlobalSign SSL Certificates, if you purchase an SSL Certificate to secure www.domain.com it will also secure domain.com.
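The scope of the two cases above (a Wildcard certificate for *.domain.com, and a certificate covering both www.domain.com and domain.com) can be checked with the short matcher below. This is an added example, not GlobalSign code: it applies the usual browser matching rule (RFC 6125), the function names are hypothetical, and the name lists are constructed on the assumption that the wildcard certificate carries only *.domain.com and the www certificate lists both names.

```python
# Added example: which hostnames do a certificate's names cover?
# Rule applied (RFC 6125 style): "*" is accepted only as the whole left-most
# label and stands for exactly one label, so it never spans dots.

def name_matches(cert_name: str, host: str) -> bool:
    """Return True if one certificate name (exact or wildcard) covers host."""
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels) or "" in host_labels:
        return False
    wildcard = cert_labels[0] == "*"
    fixed = cert_labels[1:] if wildcard else cert_labels
    # Reject partial wildcards ("w*.domain.com") and "*" in any other label.
    if any("*" in label for label in fixed):
        return False
    if wildcard:
        # Conservative: require at least "*.domain.tld", never "*.com".
        return len(cert_labels) >= 3 and fixed == host_labels[1:]
    return fixed == host_labels


def covered(cert_names, hosts):
    """Map each host to True/False: is it covered by any name in the cert?"""
    return {h: any(name_matches(n, h) for n in cert_names) for h in hosts}


# Constructed sample data; domain.com is the placeholder used on this page.
HOSTS = ["www.domain.com", "shop.domain.com", "domain.com", "a.shop.domain.com"]
WILDCARD_CERT = ["*.domain.com"]             # assumed: wildcard name only
WWW_CERT = ["www.domain.com", "domain.com"]  # assumed: both names in the cert

if __name__ == "__main__":
    for label, names in (("wildcard", WILDCARD_CERT), ("www + apex", WWW_CERT)):
        for host, ok in covered(names, HOSTS).items():
            print(f"{label:10} {host:20} {'covered' if ok else 'NOT covered'}")
```

A wildcard name on its own covers neither the bare domain nor names two levels down, which is worth checking against the full list of hostnames before choosing between the two certificate types.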
Can I secure my Public IP Address?
Typically an SSL Certificate is issued to a Fully Qualified Domain Name (FQDN) such as www.domain.com. However, some organizations need an SSL Certificate issued to an IP address. This option allows you to specify an IP address as the Common Name in your Certificate Signing Request. The issued certificate can then be used to secure connections directly with the IP address, e.g. https://123.456.78.99.
Notes: Only Public IP Addresses may be used. You must be the owner of the IP Address as per records held at RIPE. Make sure you create a CSR with a common name of your IP address, e.g. 123.456.78.90.
Can I customize my SSL Certificate start and end dates?
Bring all your SSL Certificates into line and have them co-terminating on the same day. This option allows you to set a Start Date and an End Date within the validity period of the certificate. For organizations that wish to dictate a time period, e.g. a week, in which all certificate renewals must take place, specifying an End Date will ensure the Administrators commit to this activity. Furthermore, setting a Start Date allows SSL Certificates for future projects to be applied for, paid for and issued now, but they will not become valid and usable until the chosen Start Date has been reached.
Does GlobalSign provide test server certificates?
Yes, please see http://www.globalsign.com/free-ssl-certificate/free-ssl.htm for free 45 day Trial SSL Certificates.
Does the user need GlobalSign's server root certificate to access information securely on a secure server?
If users don't have the GlobalSign root certificate installed and they go to a server secured through a GlobalSign SSL Certificate, the browser will ask them if they will trust certificates issued by GlobalSign. If they answer yes, the GlobalSign root certificates will be installed automatically. If they answer no, they can still choose to accept the secure session they are about to start but the next time they will receive the exact same question from their browser.
Would the user need his own Personal Certificate to access information securely on a webserver?
The user doesn't necessarily need his own personal certificate to have access to a secure server. However, the secure server can be configured to explicitly ask for the user to select and present a personal certificate (e.g. a PersonalSign certificate) before entering a certain page. This is an extra feature of Secure Socket Layer (SSL) v3. In this way, the SSL server also has an idea of who is accessing the site, and can decide whether or not to let that person access certain information.
Which fields are allowed in a request for an SSL server certificate?
| Field | Requirement |
| --- | --- |
| Common Name | mandatory |
| Country Name | mandatory |
| Organization | mandatory |
| Organizational Unit Name | optional |
| State or Province Name | optional |
| Locality Name | optional |
| Email Address | optional (cannot be used with Windows IIS) |
Do not use blank fields in your CSR. If you do not wish a field to be in your certificate, do not create this field in your CSR.
For example, "Locality= " will result in our system refusing your request.
How do I (as user) verify I have accessed a trusted secure server?
If you access a server secured with a GlobalSign SSL Certificate, you will see a padlock at the bottom of your browser. If you click on it, you will see the details of the server's SSL Certificate.
How can I have 128 bits encryption key length for SSL when using Windows 2000 with IIS 5.0?
Upgrade to the Strong Encryption Pack for Windows 2000. The URL for installing it is:
http://www.microsoft.com/windows2000/downloads/recommended/encryption/default.asp
Which webservers are compatible with GlobalSign's Secure Server Certificates?
GlobalSign issues Secure Server Certificates for any server compatible with the X.509 v3 standard and able to make a request in PKCS#10 format. That includes the majority of all recent servers, in particular:
- Microsoft Internet Information Server v3 or higher
- Netscape Enterprise Server v3 or higher
- Netscape Commerce Server v1 or higher
- Netscape FastTrack Server
- Stronghold Server
- Internet Application Server 1.0
- Netscape Iplanet Web Server 4.1
Note: For Apache Servers, a patch for SSL is needed (http://www.apache-ssl.org/).
Importing and Exporting in Windows
Export:
You have to export the certificate from MMC.
To do this, open MMC (Start > Run > mmc) and open the Certificates snap-in.
Select "local computer account" when prompted.
You will then see Certificates on the left; select the "personal" folder.
Find the certificate for the correct domain, and then right-click it.
Select "all tasks" and then "export".
Ensure you export the certificate WITH the private key. Save the .pfx file to a USB drive so you can import it easily.
Import:
You must now import the certificate onto the new server.
To do this, open MMC (Start > Run > mmc) and open the Certificates snap-in.
Select "local computer account" when prompted.
You will then see on the left, certificates, please select the “personal” folder.
Right-click the "personal" folder and select "all tasks" and then "import".
Find the .pfx file you saved previously and import the certificate and private key into the MMC.
Now open IIS.
Once you have opened IIS, select the domain the certificate is for.
Right-click the domain and select "properties".
Then select the "directory security" tab, and then "server certificates".
Now press "assign certificate".
Find the certificate you have just imported, and select it.

