StartSSL™ - The Swiss Officer's Knife of Digital Certificates & PKI

 
Frequently Asked Questions

 

Registration

1.) Why do I have to provide my personal details?

2.) The certificate is for my company, what shall I do?

3.) My account request is held up for a review, what shall I do?

4.) How do I backup my client certificates?

 

Login

10.) I get an -12227 or ssl_error_handshake_failure_alert error with Firefox when trying to login.

11.) After clicking on Login I get a "Page not found" error with Internet Explorer.

12.) I have already a client certificate but can't login.

13.) How do I enable advanced smart card support?

14.) I've lost my client authentication certificate, what shall I do?

 

Validation

20.) For how long are validations valid?

21.) The wizard says that I should provide a valid email address. But my email address is valid, what shall I do?

22.) The validation email message never arrives, what's wrong?

23.) I can't select my domain name extension. But my domain name exists, what shall I do?

24.) When will "Extended Validation" be supported by StartCom/StartSSL™?

25.) I'm not able to upload my files for the identity validations. What's wrong?

26.) Which payment methods are supported? What if I don't have a credit card?

27.) For what am I paying exactly and how many certificates do I get with Class 2?

28.) I control only a sub domain, how can I validate and create a certificate?

 

Installation (Server)

30.) I messed up, what now?

31.) Why does Firefox present a warning when browsing to my website?

32.) My browser complains about unsecured content.

33.) I created a private key instead of submitting my certificate request (CSR) for IIS server. How can I use my certificate?

34.) Why do I have to provide a password every time I restart Apache?

35.) How can I decrypt the private key?

36.) How to transfer certificates on IIS servers?

37.) I can submit only one CA certificate at the admin panel provided by my host. Which CA certificate should I install?

38.) How can I use the same certificate on multiple servers?

39.) Do I really need a unique IP address?

40.) How can I publish on a ISA server multiple SSL sites using the same IP address and port, with different certificates?

41.) I created a new private key but can't use the key with my certificate (modulus mismatch).

42.) How do I use Google Analytics in secure mode?

43.) How does the wizard create the private key?

44.) Is my private key secure even when generated by the wizard?

45.) Can I hire your support services for installing server certificates?

46.) I deleted the pending request on IIS. How can I process my certificate now?

47.) I cannot export the private key on IIS, because the option is greyed out.

 

Installation (Client)

50.) I messed up, what now?

51.) Can I submit a certificate request (CSR) for client certificates (S/MIME)?

52.) How can I use the client certificate (S/MIME) in my favorite mail client?

 

Object Code Signing

60.) How to get an object code signing certificate?

61.) Does StartCom operate a time stamping server?

 

Revocation

70.) Who can request revocation of a certificate?

71.) What are the circumstances for revocation?

72.) I made a mistake, can I get my certificate revoked?

73.) Why did StartCom revoke my certificate?

74.) What is a weak key and why do I have to create a new certificate?

75.) Why is MD5 hash considered insecure?

 

OpenID

80.) Do I have to use https:// with my OpenID identifier?

81.) Could not discover an OpenID identity server endpoint message when using my StartSSL™ ID. Why is that?

 

Extended Validation

85.) When will Extended Validation certificates show the green address bar?

86.) Does SSL work with Extended Validation even if the browser doesn't support EV?

87.) Do Extended Validation certificates support wildcards?

88.) How long does the process for Extended Validation take?

 

Miscellaneous

90.) Why are Class 1 certificates free?

91.) Can I make a donation?

92.) How else can I contribute?

93.) Can I invest in StartCom?

 

 

Answers

 

1.) Why do I have to provide my personal details?

The Terms and Conditions of StartCom and the StartCom Certification Policy require* subscribers to provide correct and complete personal details during registration. Without fulfilling this requirement, a subscriber (you) is not entitled to an account with StartSSL™. It is up to the subscriber to prove the validity of the submitted details should StartCom request it.

* Since StartCom must enforce adherence to the StartCom Certification Policies by all subscribers, the subscriber must provide his/her personal information.
 

2.) The certificate is for my company, what shall I do?

At the Class 1 (free) level, the only possible relationship between StartCom and the subscriber is with individuals, i.e. natural persons. StartCom has no relationship with the organization a subscriber may represent and acknowledges only the subscriber. All responsibilities according to the StartCom CA Policy are those of the subscriber personally, even if he/she decides to obtain certification as an employee or representative of an organization.
Organizations should perform Class 2 validation; an organization name may only appear in a digital certificate at Class 2 level and higher.
 

3.) My account request is held up for a review, what shall I do?

Sometimes an account request is interrupted right after submitting the form. This means that the request for an account at StartSSL™ is being held for review by our personnel.
In this case please be patient while we review your request and expect our response within the next six hours. You may close the browser window at this stage. Instructions on how to continue will be sent to your email account.
 

4.) How do I backup my client certificates?

Firefox: Select "Preferences|Options" -> "Advanced" -> "Encryption" -> "View Certificates", choose the "Your Certificates" tab and locate your client certificate from the list. The certificate will be listed under StartCom. Select the certificate and click on "Backup", choose a name for this backup file, provide a password and save it at a known location. Now you should either burn this file to a CD ROM or save it on a USB stick or smart card. Thereafter delete this file from your computer.

Internet Explorer: Select from "Tools" -> "Internet Options" -> "Content" -> "Certificates" -> "Personal" and locate your client certificate from the list. Click on "Export" -> "Next" -> "Yes, export the private key" -> "Next" -> "Next". Choose a password for your file and click "Next", choose a name for this backup file and save it at a known location. Now you should either burn this file to a CD ROM or save it on a USB stick or smart card. Thereafter delete this file from your computer.

Opera: Select from "Settings" -> "Preferences" -> "Advanced" -> "Security" -> "Manage Certificates" -> "Personal". Click on "Export" and choose a name for this backup file. Make sure to choose the .p12 for PKCS12 extension, not the default .usr.

Safari (on OS X): Select the private key and the certificate together in your keychain and export as a PKCS12 file.

Google Chrome: Click on the "Options" icon in the upper left. Select "Settings" from the menu. Click on "Advanced Settings" and then, in the HTTPS/SSL section, click on the "Manage certificates..." button. Select the certificate(s) you want to export, click on the "Export..." button and follow the prompts of the Export Certificate Wizard that pops up. Make sure to include the private key as well and export as a .p12 file.
 

10.) I get an -12227 or ssl_error_handshake_failure_alert error with Firefox when trying to login.

The errors ssl_error_handshake_failure_alert and -12227 mean that you don't have a valid client certificate installed in your browser. During the registration process such a client certificate is produced and installed in your browser. If you want to switch to a different browser (or a different computer) you must export (backup) the certificate including the private key and import it into the browser in question. If you can't locate your client certificate under Preferences -> Advanced -> Encryption -> View Certificates -> Your Certificates in Firefox, then the certificate is not installed.
If you access the Internet from different locations and browsers, it is suggested to obtain a smart card or eToken in order to store your certificates and move them around securely.
 

11.) After clicking on [Authenticate] I get a "Page not found" error with Internet Explorer.

Either the client certificate is not installed in the browser you are using or the security settings prevent its use. Make sure that either TLS 1.0 or SSL 3.0 is enabled (but not SSL 2.0).

It may also be that on older systems the StartCom CA root is missing. We suggest updating your system via Windows Update or installing the Update for Root Certificates. You can also import the CA root manually from here or from here.
 

12.) I have already a client certificate but can't login.

Make sure that you are using the same browser you used to register and have the client certificate installed in your browser.
 

13.) How do I enable advanced smart card support?

In order to manage smart cards from the "Tool Box" or to force smart card usage for your digital identity (OpenID) and for authentication to the StartSSL™ Control Panel, you must enable codebase principal support in the Firefox configuration. To do this, type about:config into the address bar and toggle the value of the signed.applets.codebase_principal_support configuration directive to true.
 

14.) I've lost my client authentication certificate, what shall I do?

Make sure that you are using the same computer and browser you used to register. If you are certain that you've lost the client certificate and you can't login anymore, register once again by using a different email address (if the original certificate hasn't expired yet). Contact the CertMaster with your details and we'll try to associate your new client authentication certificate with your original account.
 

20.) For how long are validations valid?

Validations of domain names and email addresses are valid for 30 days. After the 30 days they must be re-validated.
Identity and organization validations are valid for 350 days. After the validation period expires they must be re-validated in exactly the same way as the first time.

The validation period must not be confused with the validity of certificates, which may be between one and three years depending on the verification level.
 

21.) The wizard says that I should provide a valid email address. But my email address is valid, what shall I do?

  • Make sure that the email account really exists. Often administrative accounts such as postmaster@ must be created first.
  • Make sure your DNS zone has an MX record for the mail server, otherwise mail delivery might fail.
  • Check if your mail server implements grey listing. If this is the case you may try again after the temporary waiting period has passed (usually about five minutes).
  • Check if the mail server is responding. If the response time exceeds 20-30 seconds, delivery will fail.
If you already have an account, you may use the Email Checker utility. Login to the StartSSL™ Control Panel, click on the "Tool Box" tab and select "Check Email Account" to locate possible problems for a specific email address.
 

22.) The validation email message never arrives, what's wrong?

Make sure that the server accepts mail from the startcom.org domain. Disable any spam filters on the server; on MS Exchange in particular, disable any smart filtering or white list the startcom.org domain name. Check the spam folder of your email client. If in doubt, check the log files of the mail server.

Important! Experience has shown that email messages which fail to arrive are always the fault of the receiving end. If the wizard confirms having sent the message, i.e. no error occurred, then the message has been delivered to and accepted by your mail server!
 

23.) I can't select my domain name extension. But my domain name exists, what shall I do?

Some domain name registrars don't operate a WHOIS lookup server, but they are in the absolute minority! If your domain name extension isn't in our list, please contact your domain name registrar and request that they provide such a service. Please note that WHOIS lookup servers are a special service and not web pages. Don't send us the URL of a web site but the address of the WHOIS server. We'll be glad to add yours to the list of supported extensions. Currently a whois lookup is required by the StartCom CA policy!
 

24.) When will "Extended Validation" be supported by StartCom/StartSSL™?

Please see item 85.
 

25.) I'm not able to upload my files for the identity validations. What's wrong?

First of all make sure you are only uploading images such as JPG, PNG or GIF. Don't upload any other file types such as PDF, TIFF or DOC. The images should be clear and in high resolution, but must not exceed 1 MB or 800x640 pixels in size.
 

26.) Which payment methods are supported? What if I don't have a credit card?

We accept credit cards from various vendors such as Visa, American Express, Mastercard and Paypal. The payment details can be added to your account by selecting "Tool Box" -> "Add Credit Card". The status of your credit card will show up in the identity section of your StartSSL™ account.

Other payment methods include Paypal and money transfer via Western Union. For the latter please send an email to the Certmaster.
 

27.) For what am I paying exactly and how many certificates do I get with Class 2?

The fees for Class 2 and higher are charged for the verification and not for the certificate(s), i.e. you pay for the validations we perform. Once validated, there is no limit on the number of certificates one can receive (subject to other limitations, such as the uniqueness of the subject line).

Disclaimer: Obviously you are not allowed to create certificates for others. The identity and organization validation confirms only the subscriber. Doing so would violate the StartCom CA policy and all certificates would be revoked immediately upon detection.
 

28.) I control only a sub domain, how can I validate and create a certificate?

Domain name control validations are performed entirely by automatic means at the Class 1 (free) level, and it's not possible to validate a specific domain space or part thereof without controlling the parent domain.

You may perform Class 2 Identity (and Organization) validation and apply for the specific domain space by providing this authorization letter from the domain name owner. These validations are performed manually and are not supported below the Class 2 level.
 

30.) I messed up, what now?

Never delete any files received from StartSSL™ but back them up securely. Never delete the pending request (at IIS). Try to find the answer in the next questions below. Check if the "Tool Box" from the StartSSL™ Control Panel has a tool to solve your problem. If all fails, contact the CertMaster and describe your problem in detail.
 

31.) Why does Firefox present a warning when connecting to my website?

If you receive a warning that the certificate is signed by an "untrusted authority", then the installation of the server certificate isn't complete. You must add the intermediate CA certificate to your installation. This is important, because most browsers will issue an error if this is not done properly. Consult the installation instructions on how to do that. The missing certificate can be obtained from here (choose depending on the class level).
 

32.) My browser complains about unsecured content.

If you received a warning about unsecured content or a crossed-out padlock, then the web page you are viewing embeds unsecured (plain http://) content. This shouldn't happen. The easiest way to fix this is by making all links to images, JavaScript files and other embedded content relative. For example <img src="/images/photo.png"> and not <img src="http://www.domain.com/images/photo.png">.
 

33.) I created a private key instead of submitting my certificate request (CSR) for IIS server. How can I use my certificate?

Login to the StartSSL™ Control Panel and click on the "Tool Box" tab. Select "Create PFX File" and submit the encrypted private key, certificate and your password for the key. Disable any download blocker before continuing. Save the PFX file at a convenient location on your computer. Use the MMC utility to install the certificate at your IIS server. Afterward simply replace the current certificate at the IIS wizard and you are done.
 

34.) Why do I have to provide a password every time I restart Apache?

Because the private key is encrypted by default, the Apache web server asks for the password at every startup. You should decrypt the private key and change the file permissions to chmod 400 as user root. For instructions on how to decrypt the private key see the next question.
 

35.) How can I decrypt the private key?

Decrypt the private key either by using the OpenSSL utility (command: openssl rsa -in ssl.key -out ssl.key) or by logging in to the StartSSL™ Control Panel: click on the "Tool Box" tab, select "Decrypt Private Key", and submit the encrypted private key and password. Save the content of the text box into a file. On the server make sure to change the permissions so that the file is readable only by the super user (chmod 400 as user root).
 

36.) How to transfer certificates on IIS servers?

Click "Start -> Run", type MMC and press Enter. Next click "File -> Add/Remove Snap-in" in the menu, then click "Add" and select "Certificates". Now choose Computer Account, then Local Computer, then click "Next -> Close" and "OK". Locate the server certificate in the "Certificates" container, then choose "All tasks -> Export". Select including the private key and CA certificates. Provide a password and save the file at a convenient location. Now the file may be transferred to the target server and imported in the same fashion using the MMC utility.
 

37.) I can submit only one CA certificate at the admin panel provided by my host. Which CA certificate should I install?

If your server supports only one CA certificate file (no chained CA certificates), then use the intermediate CA certificate. This would typically be the certificate sub.class1.server.ca.pem from here.
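An added example (not StartSSL's or StartCom's own tooling) that illustrates questions 31 and 37: it builds a constructed root, intermediate and server certificate with openssl and shows that a client trusting only the root cannot verify the server certificate until the intermediate is presented alongside it. It assumes the openssl command-line tool is installed; all names (www.example.test, "Constructed Test Root") are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not StartSSL's own tooling. Builds a constructed
# root -> intermediate -> server chain and demonstrates why a server that
# presents only its own certificate is reported as "untrusted": the client
# cannot reach the root without the intermediate. Assumes openssl is installed.

# make_chain DIR: create root.crt, int.crt and leaf.crt (plus keys) under DIR.
make_chain() {
  dir=$1
  # Extensions that mark the intermediate as a CA allowed to sign certificates.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$dir/ca.ext"
  # Self-signed root (req -x509 marks it as a CA with the default config).
  openssl req -new -x509 -newkey rsa:2048 -nodes -keyout "$dir/root.key" \
    -out "$dir/root.crt" -subj "/CN=Constructed Test Root" -days 2 2>/dev/null || return 1
  # Intermediate CA, signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/int.key" \
    -out "$dir/int.csr" -subj "/CN=Constructed Test Intermediate" 2>/dev/null || return 1
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
    -CAcreateserial -days 1 -extfile "$dir/ca.ext" -out "$dir/int.crt" 2>/dev/null || return 1
  # Server (end-entity) certificate, signed by the intermediate only.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/leaf.key" \
    -out "$dir/leaf.csr" -subj "/CN=www.example.test" 2>/dev/null || return 1
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" \
    -CAcreateserial -days 1 -out "$dir/leaf.crt" 2>/dev/null
}

# verify_leaf ROOT LEAF [EXTRA]: act as a browser that trusts only ROOT and
# receives LEAF, optionally with EXTRA (the intermediate, or a chain file) sent
# by the server. Returns 0 only when a path from LEAF to ROOT can be built.
verify_leaf() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# chain_bundle LEAF INTERMEDIATE OUT: the server certificate followed by the
# intermediate, the order a web server should present them in.
chain_bundle() { cat "$1" "$2" > "$3"; }

# demo_chain: run the whole scenario and print one line per check.
demo_chain() {
  dir=$(mktemp -d) || return 1
  make_chain "$dir" || { echo "could not build the constructed chain"; return 1; }
  if verify_leaf "$dir/root.crt" "$dir/leaf.crt"; then
    echo "server certificate alone: verified (unexpected)"; return 1
  fi
  echo "server certificate alone: untrusted (intermediate missing)"
  chain_bundle "$dir/leaf.crt" "$dir/int.crt" "$dir/fullchain.pem"
  verify_leaf "$dir/root.crt" "$dir/leaf.crt" "$dir/fullchain.pem" || return 1
  echo "server certificate + intermediate: verified"
  rm -rf "$dir"
}

demo_chain
```

The same check can be run against a live server by feeding the certificates that `openssl s_client -showcerts` prints to `verify_leaf` in place of the constructed files.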
 

38.) How can I use the same certificate on multiple servers?

For this you need to have your identity validated. Once validated at Class 2 or higher, you can create certificates with multiple domain names. To achieve this, validate all your domain names first, then select the "Certificates Wizard" and "Add More" when selecting the domain names you wish to have included. This is especially useful if you are deploying Exchange, IIS and ISA servers or virtual hosts with only one unique IP (only IIS and the newest Apache support this).
 

39.) Do I really need a unique IP address?

If you have your web site hosted on a virtual hosting environment, then you must request from the hosting company to assign you a dedicated, unique IP address in order to secure your web site. Most hosting companies charge an extra fee for this.
 

40.) How can I publish on ISA multiple SSL sites using the same IP address and port, with different certificates?

You can only use one SSL certificate per listener. If all sites are published using the same domain name, you can use a wildcard certificate, and then use a single IP address and a single listener to publish multiple sites. For example, if you are trying to publish the following sites: OWA, WebSite1, WebSite2 at domain.com, you can acquire a wildcard certificate for the ISA Server computer for *.domain.com. It's also possible to add different domain names in addition to wildcards depending on the achieved validation level. For more information about wildcard certificates see also question #38.
 

41.) I created a new private key but can't use the key with my certificate (modulus mismatch).

Only the private key which was used to generate the certificate request or certificate can be used! The private key and the public key in the certificate must share the same modulus, and one can't simply create a different private key and use that instead. If you don't have the very original private key for your certificate, then the certificate is useless.

Private key files should be treated with the greatest care in every respect and backed up accordingly. There is no way to regain a private key if it is lost!
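An added example (not StartSSL's own tooling) covering questions 34, 35 and 41: it decrypts a passphrase-protected key the way `openssl rsa` does, locks the decrypted file down to mode 400, and compares the modulus of key and certificate, which is the check behind the "modulus mismatch" error. It assumes the openssl command-line tool is installed; the passphrase "secret", the name www.example.test and the unrelated second key are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not StartSSL's own tooling. Decrypts a passphrase-protected
# RSA key so Apache can start unattended, restricts the file to mode 0400,
# and checks that key and certificate share one modulus, which is the test
# behind the "modulus mismatch" error. Assumes openssl is installed.

# decrypt_key ENCRYPTED_KEY PASSPHRASE OUTPUT: write the plaintext key; the
# file is created under a restrictive umask and then made read-only for the owner.
decrypt_key() {
  ( umask 077 && openssl rsa -in "$1" -passin "pass:$2" -out "$3" 2>/dev/null ) || return 1
  chmod 400 "$3"
}

# key_modulus KEYFILE / cert_modulus CERTFILE: print the RSA modulus in hex.
key_modulus()  { openssl rsa  -in "$1" -noout -modulus 2>/dev/null | sed 's/^Modulus=//'; }
cert_modulus() { openssl x509 -in "$1" -noout -modulus 2>/dev/null | sed 's/^Modulus=//'; }

# key_matches_cert KEYFILE CERTFILE: 0 when both moduli are identical and
# non-empty (an unreadable key yields an empty modulus, which must not "match").
key_matches_cert() {
  km=$(key_modulus "$1"); cm=$(cert_modulus "$2")
  [ -n "$km" ] && [ "$km" = "$cm" ]
}

# demo_key_check: constructed data; one matching key and one unrelated key.
demo_key_check() {
  dir=$(mktemp -d) || return 1
  # Encrypted key as delivered by the wizard (constructed here with a known passphrase).
  openssl genrsa -aes256 -passout pass:secret -out "$dir/enc.key" 2048 2>/dev/null || return 1
  decrypt_key "$dir/enc.key" secret "$dir/ssl.key" || return 1
  # Self-signed certificate for that key, standing in for the issued certificate.
  openssl req -new -x509 -key "$dir/ssl.key" -subj "/CN=www.example.test" -days 1 \
    -out "$dir/ssl.crt" 2>/dev/null || return 1
  # A freshly generated key, as in the question: it can never fit the certificate.
  openssl genrsa -out "$dir/other.key" 2048 2>/dev/null || return 1
  key_matches_cert "$dir/ssl.key" "$dir/ssl.crt" && echo "ssl.key: matches ssl.crt"
  key_matches_cert "$dir/other.key" "$dir/ssl.crt" || echo "other.key: modulus mismatch"
  ls -l "$dir/ssl.key" | cut -c1-10   # -r-------- : readable only by the owner
  rm -rf "$dir"
}

demo_key_check
```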
 

42.) How do I use Google Analytics in secure mode?

By using the following JavaScript (adjust tracker value to yours):

  <script type="text/javascript">
    var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
    document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
  </script>
  <script type="text/javascript">
    var pageTracker = _gat._getTracker("YOUR-ID");
    pageTracker._initData();
    pageTracker._trackPageview();
  </script>

Always consider whether it's a good idea to gather statistics via Google Analytics for secure pages, which might be confidential.
 

43.) How does the wizard create the private key?

The StartCom CA uses a hardware based true random number generator (RNG) as a high quality source to seed the entropy pool. The software checks the randomness before creating and delivering the key. The key itself is delivered in encrypted form using the AES-256-CBC algorithm.

Hardware RNGs provide better randomness much faster than so-called software based pseudo random number generators, which are to some extent predictable. In short, good security starts with good random numbers.
 

44.) Is my private key secure even when generated by the wizard?

No copies of generated private keys are kept at any stage. This also means that the private key is non-retrievable, and subscribers should take care to save and back up this key in a secure place. The web server itself is obviously a bad place for that backup; a CD-ROM, USB stick or smart card should be used instead. The key should be saved in encrypted form; private keys generated by the wizard are as secure as the subscriber treats them.

Important: The wizard doesn't force subscribers to use private keys generated by the CA; instead, clicking on Skip at the private key generation step allows you to submit a certificate request (CSR) prepared by yourself. Some server software even requires this, most notably Java based software. The creation of the private key by the wizard is completely optional and at the sole risk of the subscriber.
 

45.) Can I hire your support services for installing server certificates?

Yes. You can hire us for support services, including installing certificates for you. To send a support ticket enter the StartSSL Control Panel and click on the "Tool Box", then "Help" -> "Support Request". Prior to that you may add your credit card details to your account under "Tool Box" -> "Add Credit Card".
 

46.) I deleted the pending request on IIS. How can I process my certificate now?

  1. Click Start, point to Run, type cmd, and then click OK.
  2. Navigate to the directory where Certutil.exe is stored; by default, this is %windir%\system32.
  3. Type the following command at the command prompt: certutil -addstore my certnew.cer
    where certnew.cer is the name of the certificate you received from StartCom. You should see the following message: CertUtil: -addstore command completed successfully.
  4. Navigate to the directory where you stored the certificate you received from StartCom. Open the certificate, right click and then point to Properties.
  5. Click the Details tab and select <All> in the Show drop-down list.
  6. In the Field list, select Thumbprint to display its value in the view pane.
  7. Select the Thumbprint value in the view pane and then click CTRL+C.
  8. Return to the command prompt window and type the following command: certutil -repairstore my "thumbprint"
    where thumbprint is the value of the Thumbprint field. Be sure to type the double quotes as part of the command. If the command is successful, the following message is displayed: "Encryption test passed CertUtil: = repairstore command completed successfully."
  9. Install the server certificate on your Web server.
Note: If the certutil command does not complete successfully, the following error message is displayed: "Certutil: -repairstore command FAILED: 0x80090011 (-2146893807) Certutil: Object was not found." This message indicates that the private key for the certificate does not exist in the certificate store. You cannot install the certificate you received; you must generate a new certificate request, obtain the new certificate, and install that new certificate on your Web server.
 

47.) I cannot export the private key on IIS, because the option is greyed out.

Make sure that you have full admin rights; Windows will not allow it otherwise. You must give yourself access to the MachineKeys folder:
  1. Open Microsoft Windows Explorer.
  2. Locate the "%SystemDrive%\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys" folder (assuming you have a clean install).
  3. There are several files located in this folder. Each file in this folder corresponds to a key container. Try to open each with Notepad.
  4. If you receive an Access Denied error message when you try to open a file, open the properties of the file, and then take ownership of it. Reassign the Administrator account Full access.
  5. Repeat step four for each file in this folder. You should then be able to start the System Attendant service.
If you cannot find the above folder, ensure you can view hidden files and folders.
 

50.) I messed up, what now?

Try to find the answer in the next questions below. Check if the "Tool Box" from the StartSSL™ Control Panel has a tool to solve your problem. If all fails, contact the CertMaster and describe your problem in detail.
 

51.) Can I submit a certificate request (CSR) for client certificates (S/MIME)?

No. The client certificates (S/MIME) are created by using the capabilities of the browser. The private key and certificate request are generated by either using the <KEYGEN> tag (Firefox) or activeX control (Internet Explorer). This is the most convenient way for the majority of users. The installation of the certificate is seamless and doesn't require any special knowledge by the user. For the security minded it's important to note that the private key is generated in the browser and not at the server side!
 

52.) How can I use the client certificate (S/MIME) in my favorite mail client?

First you will have to export (backup) the certificate, including private key, from your browser. Navigate to the certificate store (Firefox: Preferences -> Advanced -> Encryption -> View Certificates -> Your Certificates, Internet Explorer: Internet Options -> Content -> Certificates -> Personal), click "Backup/Export" and save the resulting file.

At your favorite mail client navigate to the certificates store as well and click "Install/Import". Select the previously saved file and provide the password when required. Now you can associate the certificate to the corresponding email account at the account settings in order to sign (and encrypt) your mail messages.

Make sure that the intermediate CA certificate corresponding to your level from here is imported as well with your certificate, otherwise you need to import it manually. For example right click the file sub.class1.client.ca.crt and "Save as...", then import in the same manner but into the authorities store.
 

60.) How to get an object code signing certificate?

Object Code Signing certificates require at least Class 2 identity validation. In order to obtain the certificate a certificate signing request must be prepared beforehand. Thereafter the signing request must be submitted to the StartSSL™ Certificates Wizard.
 

61.) Does StartCom operate a time stamping server?

Yes, the time-stamping server is available at the address http://www.startssl.com/timestamp. The URL should not be accessed through the browser, but with a signing tool. This is an RFC 3161 compliant server, so use the /tr switch with signtool.exe, for example:

signtool.exe sign /v /d <My Project> /f <My PFX file> /p <My PFX Password> /tr "http://www.startssl.com/timestamp" <My EXE File>
 

70.) Who can request revocation of a certificate?

Revocation can be requested by the subscriber of the certificate or by any other entity presenting proof and knowledge of circumstances for revocation.
 

71.) What are the circumstances for revocation?

A certificate will be revoked when the information it contains is suspected to be incorrect or the private key compromised. This includes:
  • The subscriber’s private key is lost or suspected to be compromised
  • The information in the subscriber’s certificate is suspected to be inaccurate
  • The information supplied may be misleading (e.g., paypa1.com, micr0soft.com)
  • The subscriber has failed to comply with the rules of the StartCom CA policy
  • The system to which the certificate has been issued has been retired
  • The subscriber makes a request for revocation
  • The subscriber violated his/her obligations
Revocations may carry a handling fee, see next question.
 

72.) I made a mistake, can I get my certificate revoked?

Revocations carry a handling fee of currently US$ 24.90. Class 1 subscribers may use a different sub domain in order to create additional certificates without the need to revoke a previously created certificate. Alternatively it's possible to upgrade to Class 2 level which allows to create the same set of certificates once again (besides all the other benefits), because different levels are issued by different issuers, making revocation unnecessary.

Extended Validation certificates are exempt from the revocation handling fee.
 

73.) Why did StartCom revoke my certificate?

Certificates which were obtained by providing wrongful or misleading information will be revoked by StartCom whenever such a case has been detected. Knowledge of such circumstances requires StartCom to revoke any of the certificates in the possession of a subscriber. Subscribers may be banned from obtaining additional certificates in the future.
A mail message is always sent to the subscriber notifying of the revocation and the reason for it.
 

74.) What is a weak key and why do I have to create a new certificate?

All private keys, and the certificates created from them, which were generated on a Debian based operating system (including Ubuntu) are compromised due to a bug in the system's OpenSSL random number generator that dates back to September 2006. Web sites which rely on a private key created by an affected system are highly vulnerable, and such keys should be replaced immediately.

If you received an email from StartCom warning you that you are affected, please request revocation from within the StartSSL Control Panel -> "Tool Box" -> "Revocation Request" and create a new certificate. Certificates which were signed by our old CA root should be revoked from here.
Don't use a Debian system without having it updated; this includes the systems of hosting providers using cPanel and Plesk. You can also have your private key created by the StartSSL Certificates Wizard (more information).

StartCom will eventually revoke all affected certificates after a short, roughly one-week period following the warning mail.
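To recognize an affected key yourself rather than waiting for a warning mail, here is an added example (my code, not StartCom's or Debian's) that reads the RSA modulus out of a PEM private key with a minimal DER reader and checks it against a blacklist of the kind Debian's openssl-blacklist package ships. The fingerprint format assumed here is my recollection of that package: the SHA-1 of the line `Modulus=<HEX>` plus newline, exactly as `openssl rsa -noout -modulus` prints it, truncated to its last 20 hex characters; it is marked as an assumption in the code. The sample key and blacklist are constructed toy data so the block runs offline.

```python
"""Check an RSA private key against a Debian-style weak-key blacklist.

Added example, not StartCom's or Debian's code. ASSUMPTION: the blacklist format
mirrors the openssl-blacklist package as I recall it: SHA-1 of the line
"Modulus=<HEX>\n" (as `openssl rsa -noout -modulus` prints it), last 20 hex chars.
"""
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
RSA_OID_DER = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1 (rsaEncryption)

def der_read(buf, off=0):
    """Read one DER TLV at buf[off:]; return (tag, content, offset after it)."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                       # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length

def der_children(seq_body):
    """Return [(tag, content), ...] for the elements inside a SEQUENCE body."""
    items, off = [], 0
    while off < len(seq_body):
        tag, content, off = der_read(seq_body, off)
        items.append((tag, content))
    return items

def rsa_modulus_from_pem(pem_text):
    """Return the RSA modulus of a PKCS#1 or PKCS#8 PEM private key as an int."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM block found")
    label, der = m.group(1), base64.b64decode(m.group(2))   # b64decode skips the line breaks
    tag, body, _ = der_read(der)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    fields = der_children(body)
    if label == "PRIVATE KEY":
        # PKCS#8: SEQUENCE { version, AlgorithmIdentifier, OCTET STRING holding the PKCS#1 key }
        if not fields[1][1].startswith(RSA_OID_DER):
            raise ValueError("PKCS#8 key is not an RSA key")
        tag, body, _ = der_read(fields[2][1])
        fields = der_children(body)
    elif label != "RSA PRIVATE KEY":
        raise ValueError("unsupported PEM label: " + label)
    # PKCS#1 RSAPrivateKey ::= SEQUENCE { version INTEGER, modulus INTEGER, publicExponent, ... }
    return int.from_bytes(fields[1][1], "big")   # a leading 0x00 sign byte decodes harmlessly

def blacklist_fingerprint(modulus):
    """Fingerprint in the assumed openssl-blacklist format (see module docstring).
    Real moduli have the top bit set, so %X reproduces OpenSSL's uppercase hex exactly."""
    line = "Modulus=%X\n" % modulus
    return hashlib.sha1(line.encode("ascii")).hexdigest()[20:]

def is_weak_key(pem_text, blacklist):
    """True if the key's fingerprint is in blacklist (a set of 20-hex-char strings)."""
    return blacklist_fingerprint(rsa_modulus_from_pem(pem_text)) in blacklist

def load_blacklist(path):
    """Load a blacklist file: one fingerprint per line, '#' lines are comments."""
    with open(path) as fh:
        return {ln.strip() for ln in fh if ln.strip() and not ln.startswith("#")}

# ---- constructed sample input: toy-sized numbers, structurally valid, NOT a usable key ----
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def _der_int(v):
    return _der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))  # extra byte keeps sign positive

def _pem(label, der):
    return "-----BEGIN %s-----\n%s-----END %s-----\n" % (label, base64.encodebytes(der).decode("ascii"), label)

SAMPLE_MODULUS = 0xC0FFEE1234567890ABCDEF
_pkcs1 = _der(0x30, b"".join(_der_int(x) for x in [0, SAMPLE_MODULUS, 65537, 1, 1, 1, 1, 1, 1]))
_pkcs8 = _der(0x30, _der_int(0) + _der(0x30, RSA_OID_DER + b"\x05\x00") + _der(0x04, _pkcs1))
SAMPLE_PKCS1_PEM = _pem("RSA PRIVATE KEY", _pkcs1)
SAMPLE_PKCS8_PEM = _pem("PRIVATE KEY", _pkcs8)
SAMPLE_BLACKLIST = {blacklist_fingerprint(SAMPLE_MODULUS)}   # constructed: lists the sample key

if __name__ == "__main__":
    for name, pem in (("PKCS#1", SAMPLE_PKCS1_PEM), ("PKCS#8", SAMPLE_PKCS8_PEM)):
        print(name, "WEAK - regenerate" if is_weak_key(pem, SAMPLE_BLACKLIST) else "not listed")
```

Against a real key, pass the key file's text and a set loaded with `load_blacklist` from the distribution's blacklist file (typically under /usr/share/openssl-blacklist/, one file per key size). A listed fingerprint means the key must be regenerated on a patched system and the old certificate revoked as described above; where the distribution's own openssl-vulnkey tool is installed, prefer it over this reimplementation.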
 

75.) Why is the MD5 hash considered insecure?

A weakness in the MD5 cryptographic hash function allows the construction of different messages with the same MD5 hash; this is known as an MD5 "collision". StartCom therefore disallows MD5 hash signatures for all end-user certificates. SHA1 or better should be used instead.
 

80.) Do I have to use https:// with my OpenID identifier?

You should always use the complete identifier URI, which looks like https://<nickname>.startssl.com. Incomplete identifiers, with https:// omitted or with http:// used wrongly, may or may not work at the web site you want to log in to.
Sites which have been updated to OpenID version 2.0, like the StartCom Forum, usually don't have this requirement: entering the identifier without any prefix is enough, and even submitting startssl.com alone works.
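Why the prefix matters follows from how an OpenID relying party normalizes what the user types. The following added example (my code, not StartCom's and not any OpenID library's) applies the URL-identifier normalization rules of OpenID Authentication 2.0 section 7.2 together with the RFC 3986 section 6 syntax normalization they reference, then compares the result with the claimed identifier. `nick` is a constructed placeholder nickname; XRI identifiers and redirect-following during discovery are left out.

```python
"""Normalize user-typed OpenID identifiers the way an OpenID 2.0 relying party does.

Added example (not StartCom's code or any OpenID library's). Implements the URL
identifier rules of OpenID Authentication 2.0 sec. 7.2 plus the RFC 3986 sec. 6
syntax normalization they reference. XRIs and discovery redirects are out of scope.
"""
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def normalize_openid_identifier(user_input):
    """Return the normalized URL identifier for what the user typed."""
    s = user_input.strip()
    # 7.2: "xri://" or a leading Global Context Symbol means an XRI, not a URL.
    if s.lower().startswith("xri://") or (s and s[0] in "=@+$!("):
        raise ValueError("XRI identifiers are not handled by this example")
    # 7.2: input without an http/https scheme is treated as http, never as https.
    if not s.lower().startswith(("http://", "https://")):
        s = "http://" + s
    parts = urlsplit(s)
    scheme = parts.scheme.lower()                  # RFC 3986 6.2.2.1: case normalization
    host = (parts.hostname or "").lower()          # userinfo is dropped; rare in identifiers
    if parts.port is not None and parts.port != DEFAULT_PORTS[scheme]:
        host = "%s:%d" % (host, parts.port)        # 6.2.3: drop only the default port
    path = parts.path or "/"                       # 6.2.3: an empty path becomes "/"
    # 7.2: the fragment is stripped; passing "" makes urlunsplit omit the "#".
    return urlunsplit((scheme, host, path, parts.query, ""))

def identifiers_match(claimed_identifier, user_input):
    """Does the user's input normalize to the identifier the OpenID provider asserts?"""
    return normalize_openid_identifier(user_input) == normalize_openid_identifier(claimed_identifier)

# Constructed inputs illustrating the FAQ: "nick" is a placeholder nickname.
CLAIMED = "https://nick.startssl.com/"
EXAMPLES = ["https://nick.startssl.com", "HTTPS://Nick.StartSSL.com:443/#me",
            "nick.startssl.com", "http://nick.startssl.com/"]

if __name__ == "__main__":
    for typed in EXAMPLES:
        print("%-36s -> %-30s match=%s" % (typed, normalize_openid_identifier(typed),
                                            identifiers_match(CLAIMED, typed)))
```

A bare `nick.startssl.com` normalizes to `http://nick.startssl.com/`, which differs from the `https://` claimed identifier; whether the login then succeeds depends on the relying party's discovery step rather than on the identifier itself, which is why typing the complete `https://` URI is the dependable choice.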
 

81.) I get a "Could not discover an OpenID identity server endpoint" message when using my StartSSL™ ID. Why is that?

This is typically caused by an outdated CA cert bundle being used by libcurl and happens commonly with the WordPress OpenID plugin. Add the StartCom CA root certificate for your server to the existing default CA cert bundle, or replace the old ca-bundle with this one. The default path of the CA bundle installed with the curl package is usually /usr/local/share/curl/curl-ca-bundle.crt, but it may vary from server to server. On Red Hat based systems it is usually located at /etc/pki/tls/certs/ca-bundle.crt. On Windows this file is usually named curl-ca-bundle.crt.
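The fix above amounts to adding one certificate to a PEM bundle. As an added example (my code, not curl's or StartCom's), the following merges a CA root into a bundle idempotently: certificates are identified by the SHA-256 of their DER bytes, so running it twice does not duplicate the root. The two bundle paths are the ones named on this page; the certificate bodies are constructed placeholders (base64 of arbitrary bytes, not real certificates) so the block runs offline, and the real StartCom root must be taken from StartCom's own download.

```python
"""Add a CA root certificate to a PEM bundle without creating duplicates.

Added example (not StartCom's or curl's code). Certificates are identified by the
SHA-256 of their DER bytes. The sample blocks below are constructed placeholders.
"""
import base64
import hashlib
import os
import re
import shutil

CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
# Default bundle locations named on the page, checked in this order.
BUNDLE_CANDIDATES = ["/etc/pki/tls/certs/ca-bundle.crt",
                     "/usr/local/share/curl/curl-ca-bundle.crt"]

def cert_blocks(pem_text):
    """Return [(sha256_hex_of_der, pem_block), ...] for each certificate in the text."""
    out = []
    for m in CERT_RE.finditer(pem_text):
        der = base64.b64decode(m.group(1))      # line breaks inside the body are skipped
        out.append((hashlib.sha256(der).hexdigest(), m.group(0)))
    return out

def merge_ca_into_bundle(bundle_text, ca_pem):
    """Append the certificates from ca_pem that the bundle lacks.
    Returns (new_bundle_text, number_of_certificates_added)."""
    present = {fp for fp, _ in cert_blocks(bundle_text)}
    additions = []
    for fp, block in cert_blocks(ca_pem):
        if fp not in present:                   # same DER already there -> skip
            additions.append(block)
            present.add(fp)
    if not additions:
        return bundle_text, 0
    sep = "" if not bundle_text or bundle_text.endswith("\n") else "\n"
    return bundle_text + sep + "\n".join(additions) + "\n", len(additions)

def find_bundle(candidates=BUNDLE_CANDIDATES):
    """First existing bundle path, or None (libcurl builds differ, as the FAQ notes)."""
    for path in candidates:
        if os.path.isfile(path):
            return path
    return None

def _fake_pem(payload):
    """Constructed placeholder block; the payload is arbitrary bytes, not a certificate."""
    return ("-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n"
            % base64.encodebytes(payload).decode("ascii"))

EXISTING_BUNDLE = _fake_pem(b"existing root A") + _fake_pem(b"existing root B")
NEW_ROOT_PEM = _fake_pem(b"StartCom root placeholder")

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:                       # usage: merge_ca.py BUNDLE ROOT.pem
        bundle, root = sys.argv[1], sys.argv[2]
        with open(bundle) as f, open(root) as g:
            merged, n = merge_ca_into_bundle(f.read(), g.read())
        shutil.copy2(bundle, bundle + ".bak")   # keep the previous bundle around
        with open(bundle, "w") as f:
            f.write(merged)
        print("added %d certificate(s) to %s" % (n, bundle))
    else:
        merged, n = merge_ca_into_bundle(EXISTING_BUNDLE, NEW_ROOT_PEM)
        print("first run added", n, "- second run added", merge_ca_into_bundle(merged, NEW_ROOT_PEM)[1])
```

On a real server pass the bundle path (or the result of `find_bundle()`) and the StartCom root PEM as arguments; a .bak copy is written before the bundle is rewritten. Replacing the bundle outright, as the FAQ also permits, discards every other root in it, so merging is the safer choice when the same libcurl must keep reaching other sites.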
 

85.) When will Extended Validation certificates show the green address bar?

The green address bar already works with StartSSL™ EV certificates in the most common browsers. Every software vendor has its own timeline and its own way of distributing the update a browser needs in order to recognize StartSSL™ EV certificates. Should your browser not yet show the green address bar, we suggest contacting the browser vendor for more information.
 

86.) Does SSL work with Extended Validation even if the browser doesn't support EV?

Yes, such browsers treat the certificate as a valid SSL certificate, just like a non-EV certificate.
 

87.) Do Extended Validation certificates support wildcards?

No, the EV guidelines prohibit the issuance of wildcard certificates. EV certificates do, however, support multiple domains and sub domains in the SAN DNS extension. A wildcard certificate may be used in addition to an EV certificate to cover other sub domains besides the main web site.
 

88.) How long does the process for Extended Validation take?

The process depends greatly on how complete the documents we need to receive from the subscriber are and how quickly they arrive. Typically the extended validation process takes between 2 and 10 business days.
 

90.) Why are Class 1 certificates free?

The philosophy of StartCom is guided by the principle that our services are charged according to the effort we have to invest. Since Class 1 certificates are domain and/or email validated only, and that process is performed mostly by electronic and automatic means, StartCom does not charge any fees for this type of certification. StartCom started the certification authority a few years ago with the goal of providing free digital certification and adopted a unique business model previously unknown in this industry.
 

91.) Can I make a donation?

Thank you for your interest, but we prefer to see your support through the purchase of one of our products.
 

92.) How else can I contribute?

In various ways:
  • Place the StartSSL™ SiteSeal at your web site (see code snippets from here).
  • Write about StartCom/StartSSL™ in your forum and web log. Tell your friends about us.
  • Use Twitter, Facebook and other social web sites to spread the message.
  • Write a "Howto" for devices and software not covered yet.
  • Volunteer as a translator for our web pages.
  • Have your identity (and organization) validated to a higher level.
  • Become a notary of the StartSSL™ Web-of-Trust network.
  • Join and contribute to our Community Portal.
 

93.) Can I invest in StartCom?

StartCom is a growing startup company and provides diverse products and services, ranging from web hosting, application hosting, enterprise security solutions and web based solutions to security appliances and more. We are active in various Open Source projects, vendor of the StartCom Linux operating systems and operator of the StartCom Certification Authority. StartCom is an official Aladdin® Solution Partner and distributor of Aladdin® products. We are proud to have investors and shareholders from all over the world. For more information contact Eddy Nigg.