ExtendedSSL Certificate: Frequently Asked Questions (FAQs)

Why should I buy a GlobalSign ExtendedSSL certificate?
Because the CABForum guidelines are designed to ensure that GlobalSign's vetting of the ExtendedSSL applicant is of the highest level, the ExtendedSSL certificate gives the end user peace of mind and the knowledge that the web site they are visiting is who it claims to be. The owner of the web site therefore has the opportunity to increase revenues through online sales, and the end user has a more relaxed online experience.


Does the GlobalSign ExtendedSSL certificate show the green address bar?
The GlobalSign ExtendedSSL certificate will turn the browser address bar green in Internet Explorer 7, Firefox 3 and Opera 8.


Does the ExtendedSSL certificate use a different Intermediate certificate?
The GlobalSign Intermediate certificate uses its own Intermediate certificate called the ExtendedSSL Validation CA and a Cross certificate, which can be found here: ExtendedSSL Intermediate and Cross certificate.


Can I get free Reissues of my ExtendedSSL certificate?
If your ExtendedSSL certificate cannot be installed and was issued less than 7 days ago, we will issue you a new certificate at no extra cost. However, you must begin the certificate request from the beginning, because the CABForum guidelines state that we must vet each certificate request, even if the request is a reissue of a previously issued certificate.


Can I use a 1024 bit Public key inside my CSR?
Yes, you can use a 1024 bit Public key in your CSR, but we recommend you use a more secure key size of 2048 bit. Please note we cannot accept a key size of 512 bit.


Can I use AutoCSR with ExtendedSSL?
ExtendedSSL certificates do not support AutoCSR; your CSR must be generated on the web server you intend to install the certificate on.


Do ExtendedSSL certificates support the Wildcard option?
ExtendedSSL certificates do not support Wildcard certificates, but work with Subject Alternative Names (SANs), which do support extra fully-qualified domain names and sub-domain names.


What period of time can I request an ExtendedSSL certificate for?
ExtendedSSL certificates can be issued for either 1 year or 2 years, with a 2 year certificate being not only better value for money, but also omitting the need to request a new certificate when you renew in a year's time.


What is the vetting process?
The Extended Validation vetting process establishes the legitimacy of an organization within a specific jurisdiction of incorporation. It also clearly identifies the organization's principal place of business through a rigorous and stringent set of well-defined validation processes. The process encompasses authentication of the organization's domain ownership rights as well as contractually binding the organization to a subscriber agreement which benefits relying parties and strengthens the security of the Internet as a whole.


How many servers can I secure with one SSL Certificate?
To help you meet your budget, GlobalSign certificates are provided with 3 for 1 server licenses included in the standard price. This allows you to easily secure your primary server, a secondary or backup server and a load balancer without any further costs. Additional licenses can be purchased in blocks of 3 for the industry's most competitive server licensing rates.

To move your certificate between servers, you first need to install the certificate on the same web server that you generated the CSR on, and then export the SSL certificate and its private key to a PFX or PKCS12 file, which can then be imported on another web server.
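The export step above, done with the OpenSSL command line, as an added example that is not GlobalSign's own procedure. The function names, file names and the `PFX_PASS` environment variable are assumptions. Because the PFX file carries the private key, the example writes it with owner-only permissions, protects it with a passphrase, and checks that the key inside really belongs to the certificate before the file is moved to another server.

```bash
#!/usr/bin/env bash
# Added example. Function names, file names and PFX_PASS are assumptions.

# export_pfx KEY CERT PFX
# Bundles the private key and its certificate into a passphrase-protected PKCS#12 file.
# The passphrase is read from the exported environment variable PFX_PASS so that
# it does not appear on the command line.
export_pfx() {
    local key="$1" cert="$2" pfx="$3"
    ( umask 077    # the bundle contains the private key: owner-only permissions
      openssl pkcs12 -export -inkey "$key" -in "$cert" \
          -out "$pfx" -passout env:PFX_PASS )
}

# pfx_matches_cert PFX CERT
# Returns 0 only if the private key inside the PFX corresponds to the public key
# in CERT. Run it on the target server before importing the bundle.
pfx_matches_cert() {
    local pfx="$1" cert="$2" from_key from_cert
    from_key=$(openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -nocerts -nodes 2>/dev/null |
               openssl pkey -pubout 2>/dev/null)
    from_cert=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    [ -n "$from_cert" ] && [ "$from_key" = "$from_cert" ]
}
```

Delete the PFX file from any intermediate location once the import on the second server has succeeded.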


Can I use the Wildcard option with ExtendedSSL?
The Wildcard option is not available with the ExtendedSSL certificate.


Can I secure my top-level domain with and without the 'www.' sub-domain?
SSL Certificates are usually issued to a single Fully Qualified Domain Name (FQDN), so normally customers wanting to secure both https://www.globalsign.com and https://globalsign.com would need two separate SSL Certificates. GlobalSign issues professional level SSL Certificates that automatically secure both www.domain.com and just domain.com in a single SSL Certificate without any additional charges, IP address purchase or server configuration.


Can I secure my Public IP Address?
Typically an SSL Certificate is issued to a Fully Qualified Domain Name (FQDN) such as www.domain.com. However, some organizations need an SSL Certificate issued to an IP address. This option allows you to specify an IP address as the Common Name in your Certificate Signing Request. The issued certificate can then be used to secure connections directly with the IP address, e.g. https://123.456.78.99.

Notes: Only Public IP Addresses may be used. You must be the owner of the IP Address as per records held at RIPE. Make sure you create a CSR with a common name of your IP address, e.g. 123.456.78.90.


Can I customize my SSL Certificate start and end dates?
Bring all your SSL Certificates into line and have them co-terminating on the same day. This option allows you to set a Start Date and an End Date within the validity period of the certificate. For organizations that wish to dictate a time period, e.g. a week, in which all certificate renewals must take place, specifying an End Date will ensure the Administrators commit to this activity. Furthermore, setting a Start Date allows SSL Certificates for future projects to be applied for, paid for and issued now, but they will not become valid and usable until the chosen Start Date has been reached.


Does GlobalSign provide test server certificates?
Yes, please see http://www.globalsign.com/free-ssl-certificate/free-ssl.htm for free 45 day Trial SSL Certificates.


Does the user need GlobalSign's server root certificate to access information securely on a secure server?
If users don't have the GlobalSign root certificate installed and they go to a server secured through a GlobalSign SSL Certificate, the browser will ask them if they will trust certificates issued by GlobalSign. If they answer yes, the GlobalSign root certificates will be installed automatically. If they answer no, they can still choose to accept the secure session they are about to start but the next time they will receive the exact same question from their browser.


Would the user need his own Personal Certificate to access information securely on a webserver?
The user doesn't necessarily need his own personal certificate to have access to a secure server. However, the secure server can be configured to explicitly ask for the user to select and present a personal certificate (e.g. a PersonalSign certificate) before entering a certain page. This is an extra feature of Secure Sockets Layer (SSL) v3. In this way, the SSL server also has an idea of who is accessing the site, and can decide whether or not to let that person access certain information.


Which fields are allowed in a request for a SSL server certificate?

common name = mandatory
country name = mandatory
organization = mandatory
organizational unit name = optional
state or province name = optional
locality name = optional
email address = optional (cannot be used with Windows IIS)

Note: Do not use blank fields in your CSR. If you do not wish a field to be in your certificate, do not create this field in your CSR.
E.g. "Locality= " will result in our system refusing your request.


How do I (as user) verify I have accessed a trusted secure server?
If you access a server secured with a GlobalSign SSL Certificate, you will see a padlock at the bottom of your browser. If you click on it, you will see the details of the server's SSL Certificate.


How can I have 128-bit encryption key length for SSL when using Windows 2000 with IIS 5.0?
Upgrade to the Strong Encryption Pack for Windows 2000. It can be installed from:
http://www.microsoft.com/windows2000/downloads/recommended/encryption/default.asp


Which webservers are compatible with GlobalSign's Secure Server Certificates?
GlobalSign issues Secure Server Certificates for any server compatible with the X.509 v3 standard and able to make a request in PKCS#10 format. That includes the majority of all recent servers, in particular:

  • Microsoft Internet Information Server (IIS) v3 or higher
  • Netscape Enterprise Server v3 or higher
  • Netscape Commerce Server v1 or higher
  • Netscape FastTrack Server
  • Stronghold Server
  • Internet Application Server 1.0
  • Netscape Iplanet Web Server 4.1

NOTE: For Apache Servers, a patch for SSL is needed (http://www.apache-ssl.org/).


Why does my 512-bit private key not work?
The private key sizes for SSL must be either 1024 or 2048 bits, for compatibility with certain web browsers. A key size of 2048 bits is recommended because the larger key size makes the certificate more secure; however, a key size of 1024 bits is still compatible with versions of Netscape Navigator and Microsoft Internet Explorer, and with other browsers that use RSA's BSAFE cryptography toolkit.
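The CSR field rules ("Which fields are allowed...") and the key-size limits from the answers above can be checked before a request is submitted. The following is an added example using the OpenSSL command line, not GlobalSign tooling; the function names and subject values are assumptions, and it treats any key below 1024 bits as refused.

```bash
#!/usr/bin/env bash
# Added example, not GlobalSign tooling. Function names and subject values are assumptions.

# make_csr KEY_OUT CSR_OUT SUBJECT [BITS]
# Creates an RSA key pair and a PKCS#10 request; run it on the server that will hold the key.
make_csr() {
    local key="$1" csr="$2" subj="$3" bits="${4:-2048}"
    # A field that is present but empty (e.g. "/L= ") gets the request refused,
    # so stop here instead of submitting it. Unwanted optional fields are left out.
    if printf '%s' "$subj" | grep -Eq '=[[:space:]]*(/|$)'; then
        echo "blank field in subject: $subj" >&2
        return 1
    fi
    ( umask 077    # the private key file must not be readable by other users
      openssl req -new -newkey "rsa:$bits" -nodes \
          -keyout "$key" -out "$csr" -subj "$subj" 2>/dev/null )
}

# csr_key_bits CSR: prints the public key size recorded in the request.
csr_key_bits() {
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# check_csr CSR: returns 0 only if the mandatory fields are present and the key is large enough.
check_csr() {
    local csr="$1" subject bits f
    subject=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253) || return 1
    for f in CN O C; do    # common name, organization, country name
        printf '%s\n' "$subject" | grep -Eq "[=,]$f=[^,]" ||
            { echo "missing mandatory field: $f" >&2; return 1; }
    done
    bits=$(csr_key_bits "$csr")
    [ "${bits:-0}" -ge 1024 ] || { echo "key too small: ${bits:-?} bit" >&2; return 1; }
    [ "$bits" -ge 2048 ] || echo "warning: $bits bit is accepted, 2048 is recommended" >&2
}
```

A typical call is `make_csr server.key server.csr "/C=BE/O=Example Ltd/CN=www.example.com" && check_csr server.csr`, where the subject is a constructed sample.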