Frequently Asked Questions About Gandi SSL Certificates

We have collected a number of your questions about this rather technical topic on this page. If you are having trouble working with SSL, you may find the answer to your questions here. If not, remember that as a Gandi customer, you can ask our support department for help at any time.

What is an SSL certificate?

SSL in an acronym for “Secure Sockets Layer”. A SSL certificate is a file that is installed on a web server that allows, among other things:

  • the authentication of the server by the Certification Authority (Gandi).
  • secure transmission and validated integrity of data sent between the website's visitor and the server.

When you choose to activate a SSL certificate on your server, you must answer a series of questions to prove the identity of your website and that of your company. Your web server will then create 2 encrypted digital keys: one public, and one private.

The private key (the .key file) remains secret. You must not give it to anyone.

The public key is provided in what is called a CSR (Certificate Signing Request) which is a series of characters that contain your public key information. This CSR (.csr file) will be created by you during the process of generating your Gandi certificate. Public keys do not need to be kept secret, in fact, they are designed to be publicly shared.

As an authority, Gandi will, after performing the necessary checks, validate your certificate with web browsers, which will thereafter recognize your certificate and establish an encrypted connection between the service hosted on the server (mail, website, …) and the computer running the web browser.

HTTPS is the protocol that supports these security measures. On the Internet, you browse non-secure websites with HTTP and secure websites with the HTTPS protocol, for example:

Gandi non-secure : http://www.gandi.net

Gandi secure : https://www.gandi.net

The use of a SSL certificate on a server requires access to the root account. You cannot install a SSL certificate on a Gandi VPS with the AI mode without first taking root rights.

Why does my DNS validation not work?

On our orders in progress page we say something like this:

Step 2: Validation of the rights to the domain (yourdomain) Pending

Enter this in the DNS zone file for the domain: BFFD4FAD76429FCAAB36521CA1D30EF1.www.example.com. 10800 IN CNAME CF1DCB91B7A36AEA62151041ACEFB10779F79693.comodoca.com.

If you copy and paste the line that we give you in your zone file at Gandi it will not work, as you'll get the error message: OBJECT_DNS_RECORD+CAUSE_BADPARAMETER

The solution is to be sure that you remove the domain from the name of the record. For example, below is how the above record would need to look:

BFFD4FAD76429FCAAB36521CA1D30EF1.www 10800 IN CNAME CF1DCB91B7A36AEA62151041ACEFB10779F79693.comodoca.com.

(the www is just because the address of the example certificate was for www.example.com. If the certificate was just for example.com you would have nothing there, or if it was for another subdomain like admin.example.com it would just be admin, etc.)

What is a Certification Authority?

A Certification Authority (or CA) is responsible for delivering and assigning a certificate linking a domain name (and its subdomains) to an owner. It is also responsible for assigning an expiration date to them and maintaining a list of revoked and expired certificates.

Gandi is a Certification Authority. We also digitally sign each certificate that is given.

Web browsers have a list of trusted Certification Authorities. When SSL connections are establishd, the web browser checks that the server's certificate has been provided by a trusted Certification Authority.

Gandi CA is recognized by over 99% of all web browsers.

What is an intermediate SSL certificate?

Without these, it may seem like the certificate does not 'work' correctly with Firefox.

Gandi issues its certificates from a certificate that is “intermediate,” or an inheritor of the trust of the root certificate from the certification authority.

This allows us to reduce risk, since all of Gandi's certificates can be revoked and reissued without revoking the root, should the intermediate certificate's trust become compromised. Most commercial certificate vendors use intermediate certificates for this reason.

More information is available at the Root_certificate article on Wikipedia.

You will want to download and install Gandi's intermediate certificate (also called the operational certificate authority) along with your Gandi SSL certificate so that visitors to your site can automatically download it and verify the trust chain. Instructions for doing this are provided along with those for installing your certificate.

How many servers can be secured with a certificate?

A certificate is linked to a specific domain name, not a given IP address of a server which hosts the secure service.

If your service is hosted among several machines, only one certificate is necessary. Just ensure that servers with the right domain name (and/or subdomains) are used with the certificate.

You should use a wildcard, or “Multiple Address” certificate, if you want to secure multiple subdomains.

Certificate errors will appear otherwise.

Can I Use My Gandi SSL Certificate on a host at another hosting provider?

Yes, you can install it on any server you like, as the certificate is tied to the domain name that you use to generate it rather than to any particular host.

However, in order to be considered valid, the corresponding domain name must resolve, in the DNS, to the host on which it is installed.

Note that in most cases you will need root (or administrator) access to the server on which you want to install the certificate.

What Does the SSL Certificate's Financial Guarantee Mean?

In order to protect the end user, you have the possibility (starting with the Pro level offering) of adding additional insurance in the event the security of the certificate is breeched.

This insurance will cover financial losses by customer caused by the breech.

This added service, the availability of which you can display on your site via our certification logo, gives your customers the assurance that the transaction is secure and guaranteed.

Having transactions insured makes your business safer to run, and safer for the customer to use, and thus more valuable.

When do I need to provide documents to validate my certificate?

Each level of SSL certificate has its own requirements:

The Standard SSL Certificate does not require additional identification beyond that provided in your Gandi Handle.

For the Pro SSL Certificate:

  • As an individual, you need a proof of residence and a copy of a passport or legal photo ID.
  • As a company or organization, you need a certified copy of the association's registration from the public agency that manages such registrations in your country.

For the Business SSL Certificate, you need:

Please see this page for detailed instructions.

How Long Does Verification Take?

For the majority of cases, the verification process takes less than 24 working hours upon reception of the proof of ID, after which the certificate is provided.
Extended validation may, however, take longer, in the event that Comodo requests additional documentation from you.

My Verification is Not Being Processed. What do I do?

If you did not create an admin@ email account on the domain name you are trying to secure with your SSL certificate, and you have already sent in the CSR, your verification will not be processed.

In this case, please create the admin@ email account, and then contact customer support. We will resend the email so your verification can proceed.

Do Gandi SSL Certificates Work With All Web Browsers?

Gandi's SSL certificates work with the majority of web browsers, starting with the versions shown in the table below:

Browser Version
Microsoft Internet Explorer 5.01+
Mozilla Firefox 1.0+
Opera 7.0+
Apple Safari 1.2+
Google Chrome 1.0+
AOL 5+
Netscape Communicator 4.77+
Camino 1.0+
Konqueror (KDE)
Mozilla 0.6+

The Green Bar, which is unique to the Business plan, will only be visible on the following web browsers:

Browser Version
Microsoft Internet Explorer 7+ (Vista)
Microsoft Internet Explorer 7+ (XP)
Opera 9.5+
Firefox 3+
Apple Safari 3.2+
Google Chrome 1+

Can I Use My Gandi SSL Certificate With My BaseKit/SiteMaker Simple Hosting Website?

Note: you need to have root access to install the certificate. BaseKit, SiteMaker, and Gandi VPS in AI mode do not support root access. You may install SSL certificates on Simple Hosting instances that are the M pack or greater, however.

You can install the Gandi SSL Certificates on any server that you have root or administrator access to. It does not have to be hosted at Gandi.

Gandi VPS in Expert mode support root access, so you can install Gandi SSL certificates on them.

Do Gandi SSL certificates support Subject Alternative Names (SAN)?

Yes, they are called 'multi-domain' certificates, but are only available for Standard and Business (EV) certificates. You must define the main domain in you CSR, and fill your alternative names via our interface during the order process. https://www.gandi.net/ssl

What Software Do I Select When Validating My SSL Certificate?

When you submit your CSR, you will be asked to indicate the software used to create your CSR:

sslsoftware-en.jpeg

For all CSRs that were created with OpenSSL, you will need to choose the mod Apache/ModSSL from the list. This is often the case with open source software packages, which leverage the OpenSSL framework.

What does the warranty cover?

The warranty on the Pro and Business certificates is described in the SSL Contract (pdf) and in the Gandi Certification Practice Statement (pdf).

The warranty does not apply to the Standard Certificate.

Last modified: 08/11/2016 at 11:34 by Nicolas C. (Gandi)