We have collected a number of your questions about this rather technical topic on this page. If you are having trouble working with SSL, you may find the answer to your questions here. If not, remember that as a Gandi customer, you can ask our support department for help at any time.
SSL is an acronym for “Secure Sockets Layer”. An SSL certificate is a file installed on a web server that allows, among other things:
When you choose to activate an SSL certificate on your server, you must answer a series of questions to prove the identity of your website and that of your company. Your web server then generates a pair of cryptographic keys: one public, and one private.
The private key (the .key file) remains secret. You must not give it to anyone.
The public key is provided in what is called a CSR (Certificate Signing Request), an encoded block of text that contains your public key information. You create this CSR (.csr file) yourself during the process of generating your Gandi certificate. Public keys do not need to be kept secret; in fact, they are designed to be shared publicly.
As a certification authority, Gandi will, after performing the necessary checks, sign your certificate. Web browsers will thereafter recognize your certificate and establish an encrypted connection between the service hosted on the server (mail, website, …) and the computer running the web browser.
HTTPS is the protocol that supports these security measures. On the Internet, you browse non-secure websites with HTTP and secure websites with the HTTPS protocol, for example:
Gandi non-secure: http://www.gandi.net
Gandi secure: https://www.gandi.net
On our orders in progress page we say something like this:
Enter this in the DNS zone file for the domain: BFFD4FAD76429FCAAB36521CA1D30EF1.www.example.com. 10800 IN CNAME CF1DCB91B7A36AEA62151041ACEFB10779F79693.comodoca.com.
If you copy and paste that line into your zone file at Gandi exactly as given, it will not work: you will get the error message OBJECT_DNS_RECORD+CAUSE_BADPARAMETER.
The solution is to remove the domain from the name of the record, because names in the zone file are relative to the domain itself. For example, this is how the above record would need to look:
BFFD4FAD76429FCAAB36521CA1D30EF1.www 10800 IN CNAME CF1DCB91B7A36AEA62151041ACEFB10779F79693.comodoca.com.
(The www appears only because the example certificate was for www.example.com. If the certificate were for example.com itself there would be nothing after the hash label; if it were for another subdomain such as admin.example.com it would be admin, and so on.)
A Certification Authority (or CA) is responsible for issuing certificates that link a domain name (and its subdomains) to an owner. It is also responsible for assigning each certificate an expiration date and for maintaining a list of revoked and expired certificates.
Gandi is a hosted Certification Authority operated by Comodo.
Web browsers have a list of trusted Certification Authorities. When SSL connections are established, the web browser checks that the server's certificate has been provided by a trusted Certification Authority.
Without the intermediate certificate installed on your server, it may seem like the certificate does not 'work' correctly with Firefox.
Gandi issues its certificates from an “intermediate” certificate, which inherits the trust of the certification authority's root certificate.
This reduces risk: should the intermediate certificate be compromised, all of Gandi's certificates can be revoked and reissued without revoking the root. Most commercial certificate vendors use intermediate certificates for this reason.
More information is available at the Root_certificate article on Wikipedia.
You will want to download and install Gandi's intermediate certificate (also called the operational certificate authority) along with your Gandi SSL certificate, so that your server sends it to visitors' browsers and they can verify the trust chain. Instructions for doing this are provided along with those for installing your certificate.
A certificate is linked to a specific domain name, not a given IP address of a server which hosts the secure service.
If your service is hosted across several machines, only one certificate is necessary. Just ensure that the certificate is only used on servers reached through the domain name (and/or subdomains) it was issued for.
You should use a wildcard, or “Multiple Address” certificate, if you want to secure multiple subdomains.
Certificate errors will appear otherwise.
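How a browser decides whether a certificate's names cover the host being visited, as an added example (not Gandi's code): it shows why a certificate for www.example.com produces an error on admin.example.com, how a wildcard certificate covers subdomains but not the bare domain, and how a multi-domain certificate lists several names. It implements a simplified form of the RFC 6125 matching rule and assumes plain DNS names only (no IP addresses or internationalized names).

```python
# Added example (not Gandi's code): simplified RFC 6125 hostname matching.
# Assumption: plain DNS names only, no IP addresses or IDNA handling.
from typing import Iterable


def name_matches(cert_name: str, hostname: str) -> bool:
    """True if the certificate name CERT_NAME covers HOSTNAME.

    - labels are compared case-insensitively; a trailing dot is ignored;
    - a wildcard is accepted only as the whole leftmost label ("*.example.com")
      and only when at least two labels follow it ("*.com" is rejected);
    - "*" matches exactly one label, so "*.example.com" covers admin.example.com
      but neither example.com itself nor a.b.example.com.
    """
    c = cert_name.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(c) != len(h) or "" in c or "" in h:
        return False
    if c[0] == "*":
        return len(c) >= 3 and c[1:] == h[1:]
    if any("*" in label for label in c):
        return False  # partial wildcards such as w*.example.com are not accepted
    return c == h


def certificate_covers(cert_names: Iterable[str], hostname: str) -> bool:
    """A certificate covers HOSTNAME if any of its names matches it. For a
    multi-domain certificate the names are the main domain plus every
    alternative name; for a single-host certificate there is just one."""
    return any(name_matches(n, hostname) for n in cert_names)


if __name__ == "__main__":
    # Constructed names: a single-host certificate, a wildcard and a multi-domain one.
    single = ["www.example.com"]
    wildcard = ["*.example.com"]
    multi = ["example.com", "www.example.com", "mail.example.com"]
    for names, host in [(single, "www.example.com"), (single, "admin.example.com"),
                        (wildcard, "admin.example.com"), (wildcard, "example.com"),
                        (multi, "mail.example.com"), (multi, "shop.example.com")]:
        verdict = "ok" if certificate_covers(names, host) else "certificate error"
        print(f"{host:22} with {names}: {verdict}")
```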
Yes, you can install it on any server you like, as the certificate is tied to the domain name that you use to generate it rather than to any particular host.
However, in order to be considered valid, the corresponding domain name must resolve, in the DNS, to the host on which it is installed.
Note that in most cases you will need root (or administrator) access to the server on which you want to install the certificate.
In order to protect the end user, you have the option (starting with the Pro level offering) of adding insurance in the event that the security of the certificate is breached.
This insurance covers financial losses incurred by your customers as a result of the breach.
This added service, the availability of which you can display on your site via our certification logo, gives your customers the assurance that the transaction is secure and guaranteed.
Having transactions insured makes your business safer to run, and safer for the customer to use, and thus more valuable.
Each level of SSL certificate has its own requirements:
The Standard SSL Certificate does not require additional identification beyond that provided in your Gandi Handle.
For the Pro SSL Certificate:
For the Business SSL Certificate, you need:
For the majority of cases, the verification process takes less than 24 working hours upon reception of the proof of ID, after which the certificate is provided.
Extended validation may, however, take longer, in the event that Comodo requests additional documentation from you.
If you did not create an admin@ email account on the domain name you are trying to secure with your SSL certificate, and you have already sent in the CSR, your verification will not be processed.
In this case, please create the admin@ email account, and then contact customer support. We will resend the email so your verification can proceed.
Gandi's SSL certificates work with the majority of web browsers, starting with the versions shown in the table below:
| Browser | Version |
|---|---|
| Microsoft Internet Explorer | 5.01+ |
| Mozilla Firefox | 1.0+ |
| Opera | 7.0+ |
| Apple Safari | 1.2+ |
| Google Chrome | 1.0+ |
| AOL | 5+ |
| Netscape Communicator | 4.77+ |
| Camino | 1.0+ |
| Konqueror (KDE) | |
| Mozilla | 0.6+ |
The Green Bar, which is unique to the Business plan, will only be visible on the following web browsers:
| Browser | Version |
|---|---|
| Microsoft Internet Explorer | 7+ (Vista) |
| Microsoft Internet Explorer | 7+ (XP) |
| Opera | 9.5+ |
| Firefox | 3+ |
| Apple Safari | 3.2+ |
| Google Chrome | 1+ |
Note: you need to have root access to install the certificate. BaseKit, SiteMaker, and Gandi VPS in AI mode do not support root access. You may install SSL certificates on Simple Hosting instances that are the M pack or greater, however.
You can install the Gandi SSL Certificates on any server that you have root or administrator access to. It does not have to be hosted at Gandi.
Gandi VPS instances in Expert mode support root access, so you can install Gandi SSL certificates on them.
Yes, they are called 'multi-domain' certificates, but they are only available for Standard and Business (EV) certificates. You must define the main domain in your CSR and enter your alternative names via our interface during the order process: https://www.gandi.net/ssl
When you submit your CSR, you will be asked to indicate the software used to create your CSR:
For all CSRs that were created with OpenSSL, choose Apache/ModSSL from the list. This is usually the right choice for open source software packages, which are built on the OpenSSL library.
The warranty on the Pro and Business certificates is described in the SSL Contract (pdf) and in the Gandi Certification Practice Statement (pdf).
The warranty does not apply to the Standard Certificate.