StartCom, the Start of eCommerce.

Frequently Asked Questions

 

Registration

1.) Why do I have to provide my personal details?

2.) The certificate is for my company, what shall I do?

3.) My account request is held up for a review, what shall I do?

4.) How do I backup my client certificates?

 

Login

10.) I get an -12227 or ssl_error_handshake_failure_alert error with Firefox when trying to log in.

11.) After clicking on Login I get a "Page not found" error with Internet Explorer.

12.) I already have a client certificate but can't log in.

13.) How do I enable advanced smart card support?

14.) I've lost my client authentication certificate, what shall I do?

 

Production

15.) What’s the difference between StartSSL and StartAPI?

16.) What’s the difference between StartSSL and StartPKI?

 

Validation

20.) For how long are validations valid?

21.) The wizard says that I should provide a valid email address. But my email address is valid, what shall I do?

22.) The validation email message never arrives, what's wrong?

23.) I can't select my domain name extension. But my domain name exists, what shall I do?

24.) When will "Extended Validation" be supported by StartCom/StartSSL™?

25.) I'm not able to upload my files for the identity validations. What's wrong?

26.) Which payment methods are supported? What if I don't have a credit card?

27.) For what am I paying exactly and how many certificates do I get with Class 2?

28.) I control only a sub domain, how can I validate and create a certificate?

29.) What’s the difference between “Validation Validity” and “Certificate Validity”?

 

Installation (Server)

30.) I messed up, what now?

31.) Why does Firefox present a warning when browsing to my website?

32.) My browser complains about unsecured content.

33.) I created a private key instead of submitting my certificate request (CSR) for IIS server. How can I use my certificate?

34.) Why do I have to provide a password every time I restart Apache?

35.) How can I decrypt the private key?

36.) How to transfer certificates on IIS servers?

37.) I can submit only one CA certificate at the admin panel provided by my host. Which CA certificate should I install?

38.) How can I use the same certificate on multiple servers?

39.) Do I really need a unique IP address?

40.) How can I publish on an ISA server multiple SSL sites using the same IP address and port, with different certificates?

41.) I created a new private key but can't use the key with my certificate (modulus mismatch).

42.) How do I use Google Analytics in secure mode?

43.) How does the wizard create the private key?

44.) Is my private key secure even when generated by the wizard?

45.) Can I hire your support services for installing server certificates?

46.) I deleted the pending request on IIS. How can I process my certificate now?

47.) I cannot export the private key on IIS, because the option is greyed out.

 

Installation (Client)

50.) I messed up, what now?

51.) Can I submit a certificate request (CSR) for client certificates (S/MIME)?

52.) How can I use the client certificate (S/MIME) in my favorite mail client?

53.) How to use S/MIME Client Certificates with Microsoft Outlook for Windows?

 

Object Code Signing

60.) How to get an object code signing certificate?

61.) Does StartCom operate a time stamping server?

 

Revocation

70.) Who can request revocation of a certificate?

71.) What are the circumstances for revocation?

72.) I made a mistake, can I get my certificate revoked?

73.) Why did StartCom revoke my certificate?

74.) What is a weak key and why do I have to create a new certificate?

75.) Why is MD5 hash considered insecure?

 

OpenID

80.) Do I have to use https:// with my OpenID identifier?

81.) I get a "Could not discover an OpenID identity server endpoint" message when using my StartSSL™ ID. Why is that?

 

Extended Validation

85.) When will Extended Validation certificates show the green address bar?

86.) Does SSL work with Extended Validation even if the browser doesn't support EV?

87.) Do Extended Validation certificates support wildcards?

88.) How long does the process for Extended Validation take?

 

Miscellaneous

90.) Why are Class 1 certificates free?

 

 

Answers

1.) Why do I have to provide my personal details?

The Terms and Conditions of StartCom and the StartCom Certification Policy require* subscribers to provide correct and complete personal details during registration. Without fulfilling this requirement, a subscriber (you) is not entitled to an account with StartSSL™. It is up to the subscriber to prove the validity of the submitted details should StartCom request it.

* Since StartCom must enforce adherence to the StartCom Certification Policies by all subscribers, the subscriber must provide his/her personal information.

2.) The certificate is for my company, what shall I do?

In the Class 1 settings (free), the only possible relationship between StartCom and the subscriber is with individuals, i.e. natural persons. All responsibilities according to the StartCom CA Policy are that of the subscriber personally, even in case he/she decides to obtain certification as an employee or representative of an organization.
Organizations should perform Class 3 validation and an organization name may only appear in a digital certificate at Class 3 level.

3.) My account request is held up for a review, what shall I do?

Sometimes an account request is interrupted right after the form is submitted. This means that the request for an account at StartSSL™ is being held for review by our personnel.
In this case please be patient while we review your request and wait for our response within the next six hours. You may close the browser window at this stage. Instructions on how to continue will be sent to your email account.

4.) How do I backup my client certificates?

Firefox: Select “Open menu” -> “Options” -> “Advanced” -> “Certificates” -> “View Certificates” and locate your client certificate from the list. The certificate will be listed under StartCom. Select the certificate and click on "Backup", choose a name for this backup file, provide a password and save it at a known location. Now you should either burn this file to a CD ROM or save it on a USB stick or smart card. Thereafter delete this file from your computer.

Internet Explorer: Select from "Tools" -> "Internet Options" -> "Content" -> "Certificates" -> "Personal" and locate your client certificate from the list. Click on "Export" -> "Next" -> "Yes, export the private key" -> "Next" -> "Next". Choose a password for your file and click "Next", choose a name for this backup file and save it at a known location. Now you should either burn this file to a CD ROM or save it on a USB stick or smart card. Thereafter delete this file from your computer.

Opera: Select “Menu” -> "Settings" -> "Privacy and Security" -> "Manage Certificates" -> "Personal" and locate your client certificate in the list. Click on "Export" -> "Next" -> "Yes, export the private key" -> "Next" -> "Next". Choose a password for your file and click "Next", choose a name for this backup file and save it at a known location. Now you should either burn this file to a CD ROM or save it on a USB stick or smart card. Thereafter delete this file from your computer.

Safari (on OS X): Select the private key and the certificate together in your keychain and export them as a PKCS12 file.

Google Chrome: Click on “Customize and control Google Chrome”. Select "Settings" from the menu. Click on "Advanced Settings" and then, in the HTTPS/SSL section, click on the "Manage certificates..." button. Select the certificate(s) you want to export, click on the "Export..." button and follow the prompts of the Export Certificate Wizard that pops up. Make sure to include the private key as well and export it as a .p12 file.

10.) I get an -12227 or ssl_error_handshake_failure_alert error with Firefox when trying to log in.

The errors ssl_error_handshake_failure_alert and -12227 mean that you don't have a valid client certificate installed in your browser. During the registration process such a client certificate is produced and installed in your browser. If you want to switch to a different browser (or a different computer) you must export (back up) the certificate including the private key and import it into the browser in question. If you can't locate your client certificate under Preferences -> Advanced -> Encryption -> View Certificates -> Your Certificates in Firefox, then the certificate is not installed.
If you access the Internet from different locations and browsers, it is suggested to obtain a smart card or eToken in order to store and move your certificates around securely.

11.) After clicking on [Authenticate] I get a "Page not found" error with Internet Explorer.

Either the client certificate is not installed into the browser you are using or the security settings prevent it. Make sure that either TLS 1.0 or SSL 3.0 is enabled (but not SSL 2.0).

It may also be that on older systems the StartCom CA root is missing. We suggest updating your system via Windows Update or installing the Update for Root Certificates. You can also import the CA root manually from here or from here.

12.) I already have a client certificate but can't log in.

Make sure that you are using the same browser you used to register and that the client certificate is installed in that browser.

13.) How do I enable advanced smart card support?

In order to manage smart cards from the "Tool Box" or force smart card usage for your digital identity (OpenID) and authentication to the StartSSL™ Control Panel you must enable codebase principal support in the Firefox config. To do this, type into the address bar about:config and toggle the value of the signed.applets.codebase_principal_support configuration directive to true.

14.) I've lost my client authentication certificate, what shall I do?

Make sure that you are using the same computer and browser you used to register. If you are certain that you've lost the client certificate and you can't log in anymore, get a new certificate at https://www.startssl.com/ReissueNewCertificate.

15.) What’s the difference between StartSSL and StartAPI?

StartSSL is the web interface through which subscribers apply for identity validation and for certificates: you log into your account to complete personal or organizational identity validation, perform domain control validation, submit the certificate request and retrieve the issued certificate. All of this is done manually.
StartAPI is an API for subscribers who are able to programmatically post certificate requests to the system and receive the certificate instantly and automatically. To keep things simple, identity validation and domain validation are still completed manually in your StartSSL account; afterwards the API can be used to obtain certificates. All certificates issued through the API are listed in your StartSSL account exactly like those ordered there.
StartSSL and StartAPI share the same account identity information, domain validation information, email validation information, certificate types and certificate cost structure.

16.) What’s the difference between StartSSL and StartPKI?

All certificates issued through StartSSL are signed by a StartCom-named intermediate CA. If you set up your own named intermediate CA, certificates of this type are issued by your named intermediate CA instead; this is the only difference.
For SSL certificates, StartSSL has four intermediate CAs, one each for DV SSL, IV SSL, OV SSL and EV SSL. StartPKI has only one intermediate CA per organization, which is used to issue DV SSL, OV SSL and EV SSL certificates; the type is distinguished by the certificate subject information and the policy OID.
StartSSL and StartPKI share the same account identity information, domain validation information, email validation information, certificate types and certificate cost structure.
There is no setup fee for StartSSL, but StartPKI carries a one-time setup fee and an annual maintenance fee.

20.) For how long are validations valid?

Validations are valid for 1 year. After the validation period expires they must be re-validated exactly the same way as the first time.

The validation period must not be confused with the validity of the certificates, which may be between one and three years depending on the verification level.

21.) The wizard says that I should provide a valid email address. But my email address is valid, what shall I do?

  • Make sure that the email account really exists. Often administrative accounts such as postmaster@ must be created first.
  • Make sure your DNS zone has an MX record for the mail server, otherwise mail delivery might fail.
  • Check if your mail server implements grey listing. If this is the case you may try again after the temporary waiting period has passed (usually about five minutes).
  • Check if the mail server is responding. If the response time exceeds 20-30 seconds, delivery will fail.

22.) The validation email message never arrives, what's wrong?

Make sure that the server accepts mail from the startssl.com domain. Disable any spam filters on the server; especially on MS Exchange, disable any smart filtering or white-list the startcom.org domain name. Check the spam folder in your email client. If in doubt, check the log files of the mail server.

Important! Experience has shown that when email messages fail to arrive, the fault is always at the receiving end. If the wizard confirms that it has sent the message, i.e. no error occurred, then the message has been delivered to and accepted by your mail server!

23.) I can't select my domain name extension. But my domain name exists, what shall I do?

Some domain name registrars don't operate a WHOIS lookup server, but they are in the absolute minority! If your domain name extension isn't in our list, please contact your domain name registrar and request that they provide such a service. Please note that WHOIS lookup servers are a special service and not web pages. Don't send us the URL of a web site but the address of the WHOIS server. We'll be glad to add yours to the list of supported extensions. Currently a WHOIS lookup is required by the StartCom CA policy!

24.) When will "Extended Validation" be supported by StartCom/StartSSL™?

Please see item 85.

25.) I'm not able to upload my files for the identity validations. What's wrong?

First of all, make sure you are only uploading images such as JPG, PNG or GIF. Don't upload any other file types such as PDF, TIFF or DOC. The images should be clear and in high resolution, but not exceed 1 MB and not be bigger than 800x640 pixels in size.

26.) Which payment methods are supported? What if I don't have a credit card?

Supported payment methods: we accept credit cards from various vendors such as Visa, American Express and Mastercard, as well as PayPal and wire transfer.

27.) For what am I paying exactly and how many certificates do I get with Class 2?

The fees for Class 2 and higher are applied to the verification and not to the certificate(s), i.e. you pay for the validations we perform. Once validated, there is no limit placed on the number of certificates one can receive (subject to other limitations such as uniqueness of the subject line, for example).

Disclaimer: Obviously you are not allowed to create certificates for others. The identity and organization validation confirms only the subscriber. Doing so would violate the StartCom CA policy and all certificates would be revoked immediately upon detection.

28.) I control only a sub domain, how can I validate and create a certificate?

Domain name control validation is performed entirely by automatic means in the Class 1 (free) settings, and it's not possible to validate a specific domain space or part thereof without controlling the parent domain.

You may perform Class 2 Identity (and Organization) validation and apply for the specific domain space by providing this authorization letter from the domain name owner. These validations are performed manually and are not supported below the Class 2 level.

29.) What’s the difference between “Validation Validity” and “Certificate Validity”?

The validation validity for Class 2, Class 3 and Class 4 validation is one year. The certificate validity is one year for Class 1 certificates, two years for Class 2 certificates, three years for Class 3 certificates and two years for Class 4 certificates.
Subscribers must complete the validation before they can obtain a certificate, so the validation expiration date is earlier than the certificate expiration date. Make sure to renew your validation annually before it expires, so that you can apply for certificates without interruption.
The system sends a validation expiration reminder email to the subscriber on the expiration day and on the day before it, and sends certificate expiration reminder emails 30 days, 15 days and 7 days before, and on the day of, the certificate's expiration.

30.) I messed up, what now?

Never delete any files received from StartSSL™; back them up securely instead. Never delete the pending request (on IIS). Try to find the answer in the questions below. Check if the "Tool Box" in the StartSSL™ Control Panel has a tool to solve your problem. If all else fails, Contact us and describe your problem in detail.

31.) Why does Firefox present a warning when connecting to my website?

If you receive a warning that the certificate is signed by an "untrusted authority", then the installation of the server certificate isn't complete. You must add the intermediate CA certificate to your installation. This is important, because most browsers will issue an error if this is not done properly. Consult the installation instructions on how to do that. The missing certificate can be obtained from here (choose depending on the class level).
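As an added example (not StartCom's or StartSSL's own tooling), the POSIX shell script below builds a constructed root -> intermediate -> server chain with the openssl command line and shows that verification of the server certificate fails unless the intermediate is supplied, which is exactly the "untrusted authority" situation described above; it also writes the server-certificate-plus-intermediate file that question 37 calls a _bundle.crt. The CA names and www.example.com are made up, and openssl must be installed.

```shell
#!/bin/sh
# Added example, not code from StartCom/StartSSL. Needs the openssl CLI.
# A constructed three-tier PKI (all names made up) reproduces the browser
# warning: without the intermediate, the server certificate cannot be
# chained to the trusted root.
set -eu
work=$(mktemp -d)

# Extension files: CA certificates must carry basicConstraints CA:TRUE,
# otherwise OpenSSL refuses to accept them as issuers of anything.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$work/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.com\n' \
    > "$work/leaf.ext"

# mkcsr NAME SUBJECT: fresh RSA key and CSR (unencrypted; throwaway demo material)
mkcsr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$work/$1.key" \
        -out "$work/$1.csr" -subj "$2" 2>/dev/null
}

mkcsr root "/CN=Demo Root CA"
mkcsr intermediate "/CN=Demo Class 1 Server CA"
mkcsr www "/CN=www.example.com"

# The root signs itself and the intermediate; the intermediate signs the server cert.
openssl x509 -req -in "$work/root.csr" -signkey "$work/root.key" -days 30 \
    -extfile "$work/ca.ext" -out "$work/root.crt" 2>/dev/null
openssl x509 -req -in "$work/intermediate.csr" -CA "$work/root.crt" \
    -CAkey "$work/root.key" -CAcreateserial -days 30 \
    -extfile "$work/ca.ext" -out "$work/intermediate.crt" 2>/dev/null
openssl x509 -req -in "$work/www.csr" -CA "$work/intermediate.crt" \
    -CAkey "$work/intermediate.key" -CAcreateserial -days 30 \
    -extfile "$work/leaf.ext" -out "$work/www.crt" 2>/dev/null

# verify_leaf ROOT LEAF [INTERMEDIATES]: exit 0 when LEAF chains up to ROOT.
# ROOT plays the browser's trust store; INTERMEDIATES plays the extra
# certificates a correctly configured server sends in the TLS handshake.
verify_leaf() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# Server configured with only its own certificate: the chain cannot be built,
# which is what the browser reports as an untrusted authority.
if ! verify_leaf "$work/root.crt" "$work/www.crt"; then
    echo "www.crt alone: no path to the trusted root (browser warns)"
fi

# Server configured with the intermediate as well: the chain closes.
if verify_leaf "$work/root.crt" "$work/www.crt" "$work/intermediate.crt"; then
    echo "www.crt + intermediate.crt: OK"
fi

# Many servers want the chain as one file: own certificate first, then the
# intermediate. This is the layout of a *_bundle.crt file.
cat "$work/www.crt" "$work/intermediate.crt" > "$work/www_bundle.crt"
```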

32.) My browser complains about unsecured content.

If you received a warning about unsecured content or a crossed-out padlock, then the web page you are viewing includes unsecured content. This shouldn't happen. The easiest way to fix this is to make all links to images, scripts and other embedded content relative. For example <img src="/images/photo.png"> and not <img src="http://www.domain.com/images/photo.png">.

33.) I created a private key instead of submitting my certificate request (CSR) for IIS server. How can I use my certificate?

Log in to the StartSSL™ Control Panel and click on the "Tool Box" tab. Select "Create PFX File" and submit the encrypted private key, the certificate and your password for the key. Disable any download blocker before continuing. Save the PFX file at a convenient location on your computer. Use the MMC utility to install the certificate on your IIS server. Afterwards simply replace the current certificate in the IIS wizard and you are done.

34.) Why do I have to provide a password every time I restart Apache?

Because the private key is encrypted by default, the Apache web server asks for the password at every startup. You should decrypt the private key and change the file permissions so that only root can read it (chmod 400 as user root). For instructions on how to decrypt the private key see the next question.

35.) How can I decrypt the private key?

Decrypt the private key either with the OpenSSL utility (command: openssl rsa -in ssl.key -out ssl.key) or by logging in to the StartSSL™ Control Panel: click on the "Tool Box" tab, select "Decrypt Private Key", and submit the encrypted private key and password. Save the content of the text box into a file. On the server make sure to change the permissions so that the file is readable only by the super user (chmod 400 as user root).

36.) How to transfer certificates on IIS servers?

Click "Start -> Run" and type MMC, then click Enter. Next click "File -> Add/Remove Snap-in" in the menu, afterwards click "Add" and select "Certificates". Now choose Computer Account then Local Computer then click "Next -> Close" and "OK". Locate the server certificate and left-click the "Certificates" container, then choose "All tasks -> Export". Select including private key and CA certificates. Provide a password and save the file at a convenient location. Now the file may be transferred to the target server and imported in the same fashion using the MMC utility.

37.) I can submit only one CA certificate at the admin panel provided by my host. Which CA certificate should I install?

If your server supports only one CA certificate file (no chained CA certificates), then use the _bundle.crt in the Nginx Server.zip.

38.) How can I use the same certificate on multiple servers?

For this you need to have your identity validated. Once validated at Class 2 or higher you can create certificates with multiple domain names. To achieve this, validate all your domain names first, then select the "Certificates Wizard" and "Add More" when selecting the domain names you wish to have included. This is especially useful if you are deploying Exchange, IIS and ISA servers or virtual hosts with only one unique IP (only IIS and the newest Apache support this).

39.) Do I really need a unique IP address?

If you have your web site hosted on a virtual hosting environment, then you must request from the hosting company to assign you a dedicated, unique IP address in order to secure your web site. Most hosting companies charge an extra fee for this.

40.) How can I publish on ISA multiple SSL sites using the same IP address and port, with different certificates?

You can only use one SSL certificate per listener. If all sites are published using the same domain name, you can use a wildcard certificate, and then use a single IP address and a single listener to publish multiple sites. For example, if you are trying to publish the following sites: OWA, WebSite1, WebSite2 at domain.com, you can acquire a wildcard certificate for the ISA Server computer for *.domain.com. It's also possible to add different domain names in addition to wildcards depending on the achieved validation level. For more information about wildcard certificates see also question #38.

41.) I created a new private key but can't use the key with my certificate (modulus mismatch).

Only the private key which was used to generate the certificate request or certificate can be used! The private key and the public key in the certificate must share the same modulus, and one can't simply create a different private key and use that instead. If you don't have the very original private key for your certificate, then the certificate is useless.

Private key files should be treated with the greatest care in every respect and backed up accordingly. There is no way to regain a private key if it is lost!
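As an added example (not StartSSL's own tooling), the shell functions below do what questions 34, 35 and 41 describe in a checkable way: decrypt a passphrase-protected key into a separate file that only root can read, and compare the key's modulus with the certificate's so that a "modulus mismatch" is caught before the web server is restarted. The key, certificate and passphrase are constructed inside the script; openssl must be installed.

```shell
#!/bin/sh
# Added example, not code from StartCom/StartSSL. Needs the openssl CLI.
set -eu

# decrypt_key ENCRYPTED_KEY PASSPHRASE OUT_FILE
# Writes the unencrypted key to OUT_FILE, created with mode 0400 (the FAQ's
# "chmod 400"). Writing to a new file keeps the encrypted original as a backup.
# In real use omit -passin and let openssl prompt, so the passphrase does not
# end up in the process list or the shell history.
decrypt_key() {
    ( umask 077 && openssl rsa -in "$1" -passin "pass:$2" -out "$3" 2>/dev/null )
    chmod 400 "$3"
}

# key_matches_cert KEY CERT: exit 0 when the RSA modulus in KEY equals the
# modulus of the public key in CERT, i.e. the pair belongs together.
key_matches_cert() {
    kmod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    cmod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ]
}

# --- constructed demo material (stands in for the key and certificate from the wizard) ---
work=$(mktemp -d)
# encrypted key plus a self-signed certificate made from it
openssl req -x509 -newkey rsa:2048 -keyout "$work/ssl.key.enc" -out "$work/ssl.crt" \
    -days 30 -subj "/CN=www.example.com" -passout pass:demo-passphrase 2>/dev/null
# an unrelated key: the "I created a new private key" mistake from question 41
openssl genrsa -out "$work/other.key" 2048 2>/dev/null

decrypt_key "$work/ssl.key.enc" demo-passphrase "$work/ssl.key"

if key_matches_cert "$work/ssl.key" "$work/ssl.crt"; then
    echo "ssl.key belongs to ssl.crt: safe to point the web server at it"
fi
if ! key_matches_cert "$work/other.key" "$work/ssl.crt"; then
    echo "other.key does not belong to ssl.crt: modulus mismatch, the server would refuse to start"
fi
```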

42.) How do I use Google Analytics in secure mode?

By using the following JavaScript (adjust tracker value to yours):

  <script type="text/javascript">
    // Load ga.js from the https host when the page itself is served over
    // https, so the tracker does not introduce unsecured (mixed) content.
    var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
    document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
  </script>
  <script type="text/javascript">
    // Replace YOUR-ID with your own tracker ID.
    var pageTracker = _gat._getTracker("YOUR-ID");
    pageTracker._initData();
    pageTracker._trackPageview();
  </script>

Always consider whether it's a good idea to gather statistics via Google Analytics for secure pages which might be confidential.

43.) How does the wizard create the private key?

The StartCom CA uses a hardware based true random number generator (RNG) as a high quality source to seed the entropy pool. The software checks the randomness before creating and delivering the key. The key itself is delivered in encrypted form using the AES-256-CBC algorithm.

Hardware RNGs provide better randomness much faster than so-called software based pseudo random number generators, which are to some extent predictable. In short, good security starts with good random numbers.

44.) Is my private key secure even when generated by the wizard?

No copies of generated private keys are kept at any stage. This also means that the private key is non-retrievable, and subscribers should take care to save and back up this key in a secure place. Obviously the web server itself is a bad place for that; a CD-ROM, USB stick or smart card should be used instead. The key should be saved in encrypted form; private keys generated by the wizard are as secure as the subscriber treats them.

Important: Some server software even requires this, most notably Java based software. The creation of the private key by the wizard is completely optional and at the sole risk of the subscriber.

45.) Can I hire your support services for installing server certificates?

Yes. You can hire us for support services, including installing certificates for you. To send a support ticket enter the StartSSL Control Panel and click on the "Tool Box", then “Help Items” > “leave message”.

46.) I deleted the pending request on IIS. How can I process my certificate now?

  1. Click Start, point to Run, type cmd, and then click OK.
  2. Navigate to the directory where Certutil.exe is stored; by default, this is %windir%\system32.
  3. Type the following command at the command prompt: certutil -addstore my certnew.cer
     where certnew.cer is the name of the certificate you received from StartCom. You should see the following message: CertUtil: -addstore command completed successfully.
  4. Navigate to the directory where you stored the certificate you received from StartCom. Open the certificate, right-click and then point to Properties.
  5. Click the Details tab and select <All> in the Show drop-down list.
  6. In the Field list, select Thumbprint to display its value in the view pane.
  7. Select the Thumbprint value in the view pane and then press CTRL+C.
  8. Return to the command prompt window and type the following command: certutil -repairstore my "thumbprint"
     where thumbprint is the value of the Thumbprint field. Be sure to type the double quotes as part of the command. If the command is successful, the following message is displayed: "Encryption test passed CertUtil: -repairstore command completed successfully."
  9. Install the server certificate on your Web server.
Note: If the certutil command does not complete successfully, the following error message is displayed: "Certutil: -repairstore command FAILED: 0x80090011 (-2146893807) Certutil: Object was not found." This message indicates that the private key for the certificate does not exist in the certificate store. You cannot install the certificate you received; you must generate a new certificate request, obtain the new certificate, and install that new certificate on your Web server.

47.) I cannot export the private key on IIS, because the option is greyed out.

Make sure that you have full admin rights; Windows will not allow it otherwise. You must give yourself access to the MachineKeys folder:
  1. Open Microsoft Windows Explorer.
  2. Locate the "%SystemDrive%\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys" folder (assuming you have a clean install).
  3. There are several files located in this folder. Each file in this folder corresponds to a key container. Try to open each with Notepad.
  4. If you receive an Access Denied error message when you try to open a file, open the properties of the file, and then take ownership of it. Reassign the Administrator account Full access.
  5. Repeat step four for each file in this folder. You should then be able to start the System Attendant service.
If you cannot find the above folder, ensure that you can view hidden files and folders.

50.) I messed up, what now?

Try to find the answer in the questions below. Check if the "Tool Box" in the StartSSL™ Control Panel has a tool to solve your problem. If all else fails, Contact us and describe your problem in detail.

51.) Can I submit a certificate request (CSR) for client certificates (S/MIME)?

Yes. In “Certificate wizard” select the option “Generated by Myself”.

52.) How can I use the client certificate (S/MIME) in my favorite mail client?

First you will have to export (back up) the certificate, including the private key, from your browser; see FAQ question 4. In your favorite mail client navigate to the certificate store as well and click "Install/Import". Select the previously saved file and provide the password when required. Now you can associate the certificate with the corresponding email account in the account settings in order to sign (and encrypt) your mail messages.
Make sure that the intermediate CA certificate corresponding to your level from here is imported together with your certificate; otherwise you need to import it manually. For example, right-click the file sub.class1.client.ca.crt and "Save as...", then import it in the same manner but into the authorities' store.

53.) How to use S/MIME Client Certificates with Microsoft Outlook for Windows?

Importing the certificate

To use an S/MIME Client Certificate, you must first import it to your local computer:
  1. On the computer to which you're importing the certificate, locate your certificate file, right-click the file, and click Install PFX.
  2. When the Certificate Import Wizard starts, click Next.
  3. On the "File to Import" page, click Next.
  4. Enter the password or PIN that you used to secure the private key, and click Next.
     UITS recommends that you select Mark this key as exportable. This will allow you to back up or transport your keys at a later time.
  5. On the "Certificate Store" page, leave the default option Automatically select the certificate store based on the type of certificate. Click Next.
  6. Click Finish. To complete importing your certificate, click OK.
  Note: If you have Symantec Encryption Desktop installed, you may not have the option to import the certificate by right-clicking the file and using the instructions above. Instead:
  1. Open Outlook. From the File tab, choose Options, then Trust Center, and then Trust Center Settings.
  2. Click Email Security, and then Import/Export.
  3. Click Browse.... Locate your certificate file and click Open.
  4. Enter the password or PIN you used to secure the private key, and click OK. Click OK to finish importing the certificate.

Configuring Outlook 2016, 2013, and 2010


To configure Microsoft Outlook with an S/MIME Client Certificate:
  1. Open Outlook. From the File tab, choose Options, then Trust Center, and then Trust Center Settings.
  2. Click Email Security.
  3. Click Settings.....
  4. Next to the "Security Settings Name" text box, enter a name; this will simply be a label for your security settings, e.g., "My S/MIME Settings (username@iu.edu)".
  5. Next to "Signing Certificate", click Choose.... Select your certificate and click OK.
  6. Next to "Encryption Certificate", click Choose.... Select your certificate and click OK.
      InfoNote: Outlook will not let you import your S/MIME settings if you have not imported your security certificate (see Importing the certificate above).
  7. To digitally sign all your messages, check Add digital signature to outgoing messages, and click OK.
  8. Click Publish to GAL to put your public certificate in the Global Address List. This will allow others at IU to access your public key so that they can send encrypted messages to you.
      InfoNote: You may not see the "Publish to GAL" button if you have multiple Exchange accounts added to your Outlook profile. If the button is missing, create another Outlook profile containing the single Exchange account for which you’re publishing the certificate, and then retry these instructions.
  9. Click OK twice.
You should now have the option to digitally sign (and encrypt) email messages:
  1. In Outlook, click New Email to compose a new message.
  2. Click the Options tab, and you will see:
         ◦Sign: This option digitally signs the message so others can be sure it came from you.
         ◦Encrypt: This option encrypts the message content and attachments.
         Important: Email clients that cannot use S/MIME client certificates will not be able to read encrypted email. Such clients include OWA in Chrome, Firefox, and Safari; recipients who use one of these will be unable to read encrypted messages. Digitally signed (but unencrypted) email, by contrast, can be read by any mail client; a client without S/MIME support simply cannot verify the signature.

60.) How do I get an object code signing certificate?

Object code signing certificates require at least Class 2 identity validation. Prepare a certificate signing request (CSR) with your signing tool beforehand, keeping the private key on the machine that will sign, then submit the CSR to the StartSSL™ Certificates Wizard.

61.) Does StartCom operate a time stamping server?

Yes, the time-stamping server is available at the address http://tsa.startssl.com/rfc3161. The URL is not meant to be opened in a browser: an RFC 3161 time stamping authority expects a DER-encoded TimeStampReq sent by HTTP POST with the content type application/timestamp-query, which is what a signing tool does for you. Because the server is RFC 3161 compliant, use the /tr switch (not the older /t Authenticode switch) with signtool.exe. The values in angle brackets are placeholders for your own description, PKCS#12 file, its password and the file to sign:

signtool.exe sign /v /d "<description>" /f <certificate.pfx> /p <password> /tr "http://tsa.startssl.com/rfc3161" <file-to-sign.exe>

Newer Windows SDK versions of signtool.exe additionally accept /td sha256 to request a SHA-256 time stamp digest. Verify the result with signtool.exe verify /pa /v <file-to-sign.exe>, which prints the time stamp and its signer.
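What signtool sends to the URL above is a small DER structure, not a page request. The following added example (not StartCom's tool and not part of the original FAQ) builds and decodes an RFC 3161 TimeStampReq with only the Python standard library, so it runs offline and never contacts a server. It assumes SHA-256 as the imprint algorithm and omits the optional reqPolicy and extensions fields; the parser expects exactly the layout the builder emits.

```python
"""Build and decode an RFC 3161 TimeStampReq, the message a signing tool POSTs
to a time stamping authority.  Added example, standard library only; it does
not talk to any server.  Assumed: SHA-256 imprint, no reqPolicy/extensions."""
import hashlib
import os

# OID 2.16.840.1.101.3.4.2.1 (id-sha256), DER content bytes without tag/length
SHA256_OID = bytes.fromhex("608648016503040201")


def _der_len(n: int) -> bytes:
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def _der_integer(value: int) -> bytes:
    """Non-negative INTEGER; DER needs a leading 0x00 if the top bit is set."""
    if value < 0:
        raise ValueError("only non-negative integers are used here")
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return _tlv(0x02, body)


def build_timestamp_request(data: bytes, nonce=None) -> bytes:
    """TimeStampReq ::= SEQUENCE { version INTEGER(1), messageImprint,
    nonce INTEGER, certReq BOOLEAN TRUE }.  Only the digest of the data leaves
    the machine; the signed file itself is never sent to the TSA."""
    if nonce is None:
        nonce = int.from_bytes(os.urandom(8), "big")  # fresh per request; the TSA echoes it back
    digest = hashlib.sha256(data).digest()
    # AlgorithmIdentifier ::= SEQUENCE { OID sha256, NULL }
    algorithm = _tlv(0x30, _tlv(0x06, SHA256_OID) + _tlv(0x05, b""))
    message_imprint = _tlv(0x30, algorithm + _tlv(0x04, digest))
    body = _der_integer(1) + message_imprint + _der_integer(nonce) + _tlv(0x01, b"\xff")
    return _tlv(0x30, body)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after the element) for the TLV at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_timestamp_request(req: bytes) -> dict:
    """Decode the fields a TSA looks at; raises ValueError on a malformed request.
    Assumes the field layout produced by build_timestamp_request above."""
    tag, seq, end = _read_tlv(req, 0)
    if tag != 0x30 or end != len(req):
        raise ValueError("not a single DER SEQUENCE")
    tag, version, pos = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("version must be INTEGER")
    tag, imprint, pos = _read_tlv(seq, pos)
    if tag != 0x30:
        raise ValueError("messageImprint must be SEQUENCE")
    _, algorithm, ipos = _read_tlv(imprint, 0)
    oid_tag, oid, _ = _read_tlv(algorithm, 0)
    tag, digest, _ = _read_tlv(imprint, ipos)
    if oid_tag != 0x06 or tag != 0x04:
        raise ValueError("malformed messageImprint")
    tag, nonce, pos = _read_tlv(seq, pos)
    if tag != 0x02:
        raise ValueError("nonce must be INTEGER")
    tag, cert_req, pos = _read_tlv(seq, pos)
    return {
        "version": int.from_bytes(version, "big"),
        "sha256": oid == SHA256_OID,
        "digest": digest,
        "nonce": int.from_bytes(nonce, "big"),
        "cert_req": tag == 0x01 and cert_req == b"\xff",
    }


if __name__ == "__main__":
    # Constructed sample input; a real tool hashes the signed file's content.
    req = build_timestamp_request(b"abc", nonce=0x1234)
    print(req.hex())
    print(parse_timestamp_request(req))
```

A signing tool POSTs the returned bytes with Content-Type application/timestamp-query and gets back an application/timestamp-reply; before trusting the reply it must check that the TSTInfo inside carries the same messageImprint and the same nonce as the request, otherwise a replayed or unrelated token could be attached to the signature.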

70.) Who can request revocation of a certificate?

Revocation can be requested by the subscriber of the certificate or by any other entity presenting proof and knowledge of circumstances for revocation.

71.) What are the circumstances for revocation?

A certificate will be revoked when the information it contains is suspected to be incorrect or the private key compromised. This includes:
  • The subscriber’s private key is lost or suspected to be compromised
  • The information in the subscriber’s certificate is suspected to be inaccurate
  • The information supplied may be misleading (e.g., paypa1.com, micr0soft.com)
  • The subscriber has failed to comply with the rules of the StartCom CA policy
  • The system to which the certificate has been issued has been retired
  • The subscriber makes a request for revocation
  • The subscriber violated his/her obligations
Revocations may carry a handling fee, see next question.

72.) I made a mistake, can I get my certificate revoked?

Revocations carry a handling fee of currently US$ 9.90. Class 1 subscribers may use a different sub domain in order to create additional certificates without the need to revoke a previously created certificate. Alternatively it is possible to upgrade to Class 2 level, which allows you to create the same set of certificates once again (besides all the other benefits): certificates of different levels are issued by different intermediate CAs, so the existing Class 1 certificate does not have to be revoked first.

Extended Validation certificates are exempt from the revocation handling fee.

73.) Why did StartCom revoke my certificate?

Certificates which were obtained by providing wrongful or misleading information will be revoked by StartCom whenever such a case has been detected. Knowledge of such circumstances requires StartCom to revoke any of the certificates in the possession of a subscriber. Subscribers may be banned from obtaining additional certificates in the future.
A mail message is always sent to the subscriber notifying of the revocation and the reason for it.

74.) What is a weak key and why do I have to create a new certificate?

All private keys, and the certificates issued for them, that were created with the OpenSSL package shipped by Debian-based operating systems (including Ubuntu) between September 2006 and May 2008 are compromised (CVE-2008-0166): a change to the package left the process ID as the only input to the random number generator, so only a small, enumerable set of keys could ever be produced. Web sites relying on a private key created on an affected system are highly vulnerable, and the key and certificate should be replaced immediately.

If you received an email from StartCom warning you about being affected, please request revocation from within the StartSSL Control Panel -> "Tool Box" -> "Revocation Request" and create a new certificate. Certificates which were signed by our old CA root should be revoked from here.
Don't generate keys on a Debian system that has not been updated - which includes systems of hosting providers using cPanel and Plesk. Updated Debian and Ubuntu systems ship the openssl-blacklist package, whose openssl-vulnkey tool checks an existing key or certificate against the list of known weak keys. You can also create your private key with the StartSSL Certificates Wizard (more information).

StartCom will eventually revoke all affected certificates after a short grace period, about a week after sending the warning mail.
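The reason these keys are "compromised" without anyone having stolen them is that the seed space was tiny. The following added illustration (not OpenSSL's or StartCom's code) models the crippled generator with a PRNG seeded only by the process ID, then does what an attacker did in 2008: precompute every possible key for that seed space and look a victim's key up by fingerprint. The real generator also varied by architecture and key size, so the true tables were a few times larger per key type, but still small enough to publish; the blocklist used by openssl-vulnkey is such a fingerprint table.

```python
"""Why Debian-generated keys (CVE-2008-0166) are enumerable.  Added
illustration, not OpenSSL or StartCom code: random.Random(pid) stands in for
a generator whose only entropy input is the process ID."""
import hashlib
import random

PID_MAX = 32768  # default Linux pid_max at the time: the whole seed space


def broken_keygen(pid: int, nbytes: int = 32) -> bytes:
    """Model of the crippled generator: key material depends on the PID only,
    so two processes with the same PID produce the same key."""
    return random.Random(pid).getrandbits(nbytes * 8).to_bytes(nbytes, "big")


def fingerprint(key: bytes) -> str:
    """Fingerprint under which a key is indexed (SHA-1 of the key bytes here;
    openssl-blacklist fingerprints the RSA modulus instead)."""
    return hashlib.sha1(key).hexdigest()


def build_weak_key_table(nbytes: int = 32) -> dict:
    """Attacker precomputation: one entry per possible seed.  Once built, any
    key from an affected system is recognised (and its seed recovered) in one
    dictionary lookup; a list of these fingerprints is a blocklist."""
    return {fingerprint(broken_keygen(pid, nbytes)): pid
            for pid in range(1, PID_MAX)}


def find_seed(table: dict, key: bytes):
    """Return the PID that produced the key, or None if the key is not weak."""
    return table.get(fingerprint(key))


if __name__ == "__main__":
    table = build_weak_key_table()
    victim = broken_keygen(4242)          # constructed sample: a key generated on an affected host
    print("weak key, seed recovered:", find_seed(table, victim))
    print("non-weak key:", find_seed(table, b"\x00" * 32))
```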

75.) Why is MD5 hash considered insecure?

A weakness in the MD5 cryptographic hash function allows the construction of different messages with the same MD5 hash. This is known as an MD5 "collision". Because a CA signs only the hash of a certificate, an attacker who can predict the contents of a certificate the CA is about to sign could craft a second certificate, with different content, that shares that signature; in 2008 researchers used exactly this to obtain a rogue intermediate CA certificate from a CA that still signed with MD5. StartCom disallows the use of MD5 hash signatures for all end-user certificates. At the time of writing SHA1 or better should be used instead; SHA-1 signatures have since been deprecated by browsers as well, so SHA-256 is the current minimum.

80.) Do I have to use https:// with my OpenID identifier?

You should always use the complete identifier URI, which looks like https://<nickname>.startssl.com. Providing an incomplete identifier, by omitting https:// or wrongly using http://, at the web site you want to log in to may or may not work.
Sites which have been updated to OpenID version 2.0, like the StartCom Forum, usually don't have this requirement: it is enough to enter the identifier without any prefix, and even submitting startssl.com alone works.

81.) Could not discover an OpenID identity server endpoint message when using my StartSSL™ ID. Why is that?

This is typically due to an outdated CA cert bundle being used by libcurl, and it happens commonly with the WordPress OpenID plugin: discovery fetches the https:// identifier, the StartCom root is not in the bundle, and libcurl rejects the connection (curl -v against the identifier URL shows the underlying error, "unable to get local issuer certificate"). Add the StartCom CA root certificate to the existing default CA cert bundle on your server, or replace the old ca-bundle with this one. The default path of the CA bundle installed with the curl package is usually /usr/local/share/curl/curl-ca-bundle.crt, but may vary from server to server. On Red Hat based systems it is usually located at /etc/pki/tls/certs/ca-bundle.crt. On Windows this file is usually named curl-ca-bundle.crt.

85.) When will Extended Validation certificates show the green address bar?

Support of the green address bar with StartSSL™ EV certificates works with the most common browsers today. Every software vendor has its own time-line and way to update and distribute the changes required for the browser to recognize StartSSL™ EV certificates. Should your browser not yet show the green address bar, we suggest contacting the browser vendor for more information.

86.) Does SSL work with Extended Validation even if the browser doesn't support EV?

Yes, the browsers will treat the certificate as a valid SSL certificate like a non-EV certificate.

87.) Do Extended Validation certificates support wildcards?

No, the EV guidelines prohibit the issuance of wildcard certificates. EV certificates do however support multiple domains and sub domains in the SAN DNS extension. A wildcard certificate may be used in addition to an EV certificate to cover other sub domains besides the main web site.

88.) How long does the process for Extended Validation take?

The process depends greatly on the completeness and speed of the documents we need to receive from the subscriber. Typically the extended validation process takes between 2 - 10 business days.

90.) Why are Class 1 certificates free?

The philosophy of StartCom is guided by the principle that our services are charged according to the effort we have to invest. Since Class 1 certificates are domain and/or email validated only, and the process is performed mostly by electronic and automatic means, StartCom doesn't apply any fees for this type of certification. StartCom started the certification authority a few years ago with the goal of providing free digital certification and adopted a unique business model previously unknown in this industry.