SSL Certificates

FAQ

Product Introduction

FAQ Product Introduction

Copyright Notice

©2013-2017 Tencent Cloud. All rights reserved.

Copyright in this document is exclusively owned by Tencent Cloud. You must not reproduce, modify, copy or distribute in any way, in whole or in part, the contents of this document without Tencent Cloud's prior written consent.

Trademark Notice

All trademarks associated with Tencent Cloud and its services are owned by Tencent Cloud Computing (Beijing) Company Limited and its affiliated companies. Trademarks of third parties referred to in this document are owned by their respective proprietors.

Service Statement

This document is intended to provide users with general information about Tencent Cloud's products and services only and does not form part of Tencent Cloud's terms and conditions. Tencent Cloud's products or services are subject to change. Specific products and services and the standards applicable to them are exclusively provided for in Tencent Cloud's applicable terms and conditions.

©2013-2017 Tencent Cloud. All rights reserved. Page 2 of 17


Contents

Documentation Legal Notice ...... 2
FAQ ...... 4
Can the Certificate Be Revoked? ...... 4
Why Would Security Review Fail? ...... 5
The Site Prompts "Connection Is Untrusted"? ...... 6
What's OpenSSL? ...... 7
What's SSL Certificate? ...... 10
What's Private Key? ...... 11
What's CSR? ...... 12
Is DV Certificate Permanently Free? ...... 14
Chrome Browser Prompts "Your Connection Is Not Private Key Connection"? ...... 15
Forgot Your Private Key Password? ...... 17



FAQ

Can the Certificate Be Revoked?

Currently, only offline certificate revocation is supported. Please submit a ticket to contact Tencent Cloud engineers for certificate revocation. For more information on the revocation process for domain validation (DV) certificates, see DV Certificate Revocation.



Why Would Security Review Fail?

If the following prompt appears when applying for a Domain Validation (DV) SSL certificate, the domain name has failed the security verification, and a DV SSL certificate cannot be issued for it through the rapid review process of Symantec CA. Please purchase a paid certificate instead.

The specific reasons for a failed security verification:

According to the anti-phishing mechanism of CAs, sensitive words contained in a domain name, such as "bank" and "pay", can cause the security verification to fail. The specific sensitive words are defined by the CAs. Some less commonly used root domain names may also fail verification. For example, root domain names with the .pw suffix, such as www.qq.pw and www.qcloud.pw, will fail verification.

Because DV SSL certificates are issued quickly through automatic authentication without manual intervention, the verification standards are stricter and the list of sensitive words is more extensive.



The Site Prompts "Connection Is Untrusted"?

After the SSL certificate is deployed, the accessed site prompts "Connection is not secure". Has the certificate deployment failed?

A: The certificate has been deployed successfully. The problem occurs because the browser considers a site unsafe if it is served over HTTPS but its pages contain unencrypted HTTP content (mixed content). In this case, the page code needs to be modified.

For frontend modification, here are the references:

1. Reference resources with relative paths.
2. When referencing an absolute path, use // (a protocol-relative URL) to reference resources. For example, //img.qcloud.com/example.png is loaded with the protocol of the current page, and the browser completes the URL automatically.
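The following is an added example, not part of the original FAQ: a small shell check that finds HTTP sub-resources in an HTML page (the mixed content behind the prompt above) and rewrites them to the protocol-relative form the FAQ recommends. The sample page and the host names in it are constructed.

```shell
#!/bin/sh
# Added example, not part of the Tencent Cloud FAQ: find HTTP sub-resources
# (the "mixed content" behind the "Connection is not secure" prompt) in an
# HTML page and rewrite them to the protocol-relative "//" form the FAQ
# recommends. The sample page and host names are constructed.

# Constructed sample page: two insecure sub-resources, one already
# protocol-relative, one https, and a plain hyperlink (links are not
# sub-resources and do not trigger the warning).
make_sample_page() {
  cat > "$1" <<'EOF'
<html><head>
<link rel="stylesheet" href="http://img.qcloud.com/example.css">
<script src="https://img.qcloud.com/app.js"></script>
</head><body>
<img src="http://img.qcloud.com/example.png">
<img src="//img.qcloud.com/relative.png">
<a href="http://www.qcloud.com/">link</a>
</body></html>
EOF
}

# Count sub-resource references loaded over http://: src= on embedding tags
# and href= on <link> tags. Prints the number of findings.
count_mixed_content() {
  grep -Eoi '<(img|script|iframe|video|audio|source|embed)[^>]* src="http://|<link[^>]* href="http://' "$1" \
    | wc -l | tr -d ' '
}

# Rewrite those references to "//host/path" so the browser loads them with
# the protocol of the current page; hyperlinks are left unchanged. Output to $2.
rewrite_protocol_relative() {
  sed -E 's#(<link[^>]* href=")http://#\1//#g; s#( src=")http://#\1//#g' "$1" > "$2"
}
```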



What's OpenSSL?

OpenSSL is a well-known open source cryptography toolkit for secure communications. It contains cryptographic algorithms, commonly used key and password handling, and certificate packaging features.

1. OpenSSL Official Website

Official download address.

2. Installation Method on Windows

An installation package for Windows is not provided on the OpenSSL official website. You can choose a build provided by another open source platform, for example: http://slproweb.com/products/Win32OpenSSL.html. Taking this tool as an example, the installation steps and usage are as follows:

2.1 Download a 32-bit or 64-bit version, for example, Win64OpenSSL_Light-1_0_2h.exe.

2.2 Set environment variables. If the tool is installed in C:\OpenSSL-Win64, add C:\OpenSSL-Win64\bin; to Path.

2.3 Open the command line program cmd (run as an administrator), enter the directory where 2_www.domain.com.key and 1_www.domain.com_cert.crt are stored, and run the command below:

openssl pkcs12 -export -out www.domain.com.pfx -inkey 2_www.domain.com.key -in 1_www.domain.com_cert.crt



For example, if the key and crt files are stored in D:\, the command runs as follows:

Note: An export password is not required, so press Enter directly without entering one.

2.4 www.domain.com.pfx is generated in D:\. You can then complete the certificate installation in IIS Manager.
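The following is an added example, not part of the original FAQ: the export from step 2.3 run end to end with OpenSSL against a constructed self-signed key and certificate, followed by a check that the bundle carries the matching key pair before it is imported into IIS. File names follow the FAQ; the empty export password follows step 2.3.

```shell
#!/bin/sh
# Added example, not part of the Tencent Cloud FAQ: the PFX export from step
# 2.3 run end to end with OpenSSL, against a constructed self-signed key and
# certificate, with a check of the bundle before it is imported into IIS.
# File names follow the FAQ; the empty export password follows step 2.3.

# Throwaway key and self-signed certificate standing in for the
# 2_www.domain.com.key / 1_www.domain.com_cert.crt pair from the console.
make_test_material() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=www.domain.com" \
    -keyout "$1/2_www.domain.com.key" -out "$1/1_www.domain.com_cert.crt" >/dev/null 2>&1
}

# The FAQ's export command. The FAQ presses Enter at the password prompt;
# -passout pass: gives that same empty password without the prompt.
export_pfx() {
  openssl pkcs12 -export -out "$1/www.domain.com.pfx" \
    -inkey "$1/2_www.domain.com.key" -in "$1/1_www.domain.com_cert.crt" -passout pass:
}

# Open the bundle again and confirm that the certificate inside it carries the
# public key belonging to the private key, i.e. the pair IIS will install matches.
# Prints OK when the check passes.
verify_pfx() {
  pfx_pub=$(openssl pkcs12 -in "$1/www.domain.com.pfx" -nokeys -passin pass: 2>/dev/null \
    | openssl x509 -noout -pubkey)
  key_pub=$(openssl pkey -in "$1/2_www.domain.com.key" -pubout)
  [ -n "$pfx_pub" ] && [ "$pfx_pub" = "$key_pub" ] && echo OK
}
```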



What's SSL Certificate?

Secure Sockets Layer (SSL) is a security protocol designed to ensure the security and data integrity of Internet communications. Based on the SSL protocol, an SSL certificate installed on the server enables encrypted data transfer.

Certificate authorities (CAs) are third-party authorities that verify the validity of public keys. They are responsible for specifying the policies and procedures used to verify users' identities, for signing SSL certificates, and for ensuring the identity of a certificate holder and ownership of a public key. CAs issue SSL certificates to each user based on the user's public key. An SSL certificate certifies that the individual or business listed in the certificate lawfully owns the public key listed in the certificate. The CA's digital signature prevents the certificate from being forged or tampered with.

An SSL certificate is, in effect, a CA's verification of a public key. It contains the information of the certificate-signing authority, the information of the public key's holder, the public key itself, the authority's signature, and the expiration date.



What's Private Key?

SSL certificates are developed based on public-key cryptography, which encrypts information with digital keys so that the information can only be read by intended recipients after decryption.

A key pair consists of a public key and a private key. The public key may be publicly distributed by a user, while the private key is kept by the user. Information that is encrypted with the public key can be decrypted only with the corresponding private key, and vice versa.

An SSL certificate is, in effect, a CA's verification of a public key. It contains the information of the certificate-signing authority, the information of the public key's holder, the public key itself, the authority's signature, and the expiration date.



What's CSR?

CSR is short for Certificate Signing Request. To obtain an SSL certificate, you need to generate a CSR file first and submit it to a certificate authority (CA). The CSR includes a public key and a distinguished name. A CSR is typically generated on the web server, and a public/private key pair for encryption and decryption is created at the same time.

Relevant organization information is required to create a CSR. The web server creates a distinguished name based on the information provided to identify the certificate. The organization information contains the following contents:

Country/Region Code: The code of the country/region where your organization is legally registered, as the two-letter code defined by the International Organization for Standardization (ISO).

Province/City/Autonomous Region: The province/city/autonomous region where your organization is located.

City/Region: The city/region where your organization is registered or located.

Organization: The legally registered name of your business.

Department of Organization: This field is used to differentiate departments within an organization, such as "Engineering Department" or "Human Resources".

Generic Name: The name entered in the generic name (common name) field of the CSR must be the fully qualified domain name (FQDN) of the website for which you want to use the certificate, for example www.domainnamegoeshere.

However, Tencent Cloud generates the CSR online to simplify the application process. For a domain validation (DV) certificate application, you only need to submit a generic name; you do not need to generate and submit a CSR file yourself.



Is DV Certificate Permanently Free?

First, regardless of whether the SSL certificate is a free DV certificate or a paid OV certificate, CAs set a validity period for security reasons. A valid website cannot be guaranteed never to become a phishing site, so CAs conduct regular reviews and do not issue permanently valid certificates.

Second, if the private key of a website is lost, you can apply for certificate revocation. The CA then adds the revoked certificate to the certificate revocation list (CRL). Whenever an HTTPS website is accessed, the browser retrieves the CRL from the CA to determine whether to trust the certificate. Permanently valid certificates would make the CRL grow without bound and increase the request traffic of browsers. Therefore, specifying a validity period for a certificate is the sounder approach.

Tencent Cloud currently provides a free DV certificate, TrustAsia DV SSL CA - G5, with a validity period of one year. The certificate can be re-applied for three months before expiration. DV certificates are issued within one working day, so you have sufficient time to switch the certificate for the site.
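The following is an added example, not part of the original FAQ, covering the "What's SSL Certificate?", "What's Private Key?", "What's CSR?" and validity-period sections above: a key pair and a CSR with the distinguished-name fields listed by the FAQ are created with OpenSSL, a constructed test CA (standing in for a real CA) signs the CSR for one year, and the issued certificate is checked the way a relying party would, including that a certificate from an impostor CA is rejected. All names, values and file paths are constructed.

```shell
#!/bin/sh
# Added example, not part of the Tencent Cloud FAQ: the life cycle the FAQ
# describes, run with OpenSSL in a scratch directory. A key pair is created,
# a CSR carrying the distinguished-name fields the FAQ lists is built, a
# constructed test CA (standing in for a real CA) signs it for one year, and
# the issued certificate is checked. All names and values are constructed.

# 1. Key pair + CSR. Only the public key and the DN leave the applicant;
#    server.key stays private.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1/server.key" -out "$1/server.csr" \
    -subj "/C=CN/ST=Guangdong/L=Shenzhen/O=Example Ltd/OU=Engineering Department/CN=www.example.com" \
    >/dev/null 2>&1
}

# Read the FQDN back from the CSR's distinguished name.
csr_common_name() {
  openssl req -in "$1/server.csr" -noout -subject -nameopt RFC2253 | sed -E 's/.*CN=([^,]*).*/\1/'
}

# 2. A throwaway CA signs the CSR with a bounded validity period (365 days).
sign_with_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Test CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" >/dev/null 2>&1
  openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 365 -out "$1/server.crt" >/dev/null 2>&1
}

# 3. What a relying party checks: the chain verifies to the CA, the public key
#    in the certificate is the applicant's, and the certificate is not within
#    90 days of expiry (the FAQ's re-application window).
verify_issued() {
  openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1 || return 1
  [ "$(openssl x509 -in "$1/server.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$1/server.key" -pubout)" ] || return 1
  openssl x509 -in "$1/server.crt" -noout -checkend $((90 * 86400)) >/dev/null
}

# A certificate for the same CSR signed by an impostor CA is rejected when
# checked against the real CA: the signature does not verify.
forged_is_rejected() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Impostor CA" \
    -keyout "$1/bad.key" -out "$1/bad.crt" >/dev/null 2>&1
  openssl x509 -req -in "$1/server.csr" -CA "$1/bad.crt" -CAkey "$1/bad.key" \
    -CAcreateserial -days 365 -out "$1/forged.crt" >/dev/null 2>&1
  ! openssl verify -CAfile "$1/ca.crt" "$1/forged.crt" >/dev/null 2>&1
}
```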



Chrome Browser Prompts "Your Connection Is Not Private Key Connection"?

Since November 2016, we have received feedback from some users about the prompt "Your connection is not private key connection" (error NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED) when accessing HTTPS sites.

See the details below:

This CT error is confirmed to be a bug in the Chrome kernel in versions 53 and 54, which causes incompatibility with SSL certificates issued by Symantec CA. The CT error occurs with all certificates issued by Symantec CA after June 1, 2016. Chrome initially handled this problem through an automatic update, and fixed it in version 55.



Users who can connect to Chrome's server are not affected by this issue, but most users in China cannot access Chrome's server. It is recommended to upgrade to version 55 or above to solve this problem.

Details can be found in the following:

Symantec's official statement.

Chrome's official announcement.

In addition, this problem exists in QQ Browser versions using the Chrome 53 kernel, but has been fixed in newer versions. Users of out-of-date QQ Browser versions are also recommended to upgrade to the latest version. Details can be found in QQ Browser's official announcement.



Forgot Your Private Key Password?

Tencent Cloud does not store the private key password of your certificate. Please make sure you remember it.

If you forget the private key password, please submit a ticket and select Other problems to ask Tencent Cloud engineers to delete the certificate; then re-apply for a certificate for the domain name.

