
SSL Certificate Service

SSL Certificate Service Product Introduction

Product Documentation

©2013-2019 Cloud. All rights reserved. Page 1 of 19 SSL Certificate Service

Copyright Notice

©2013-2019 Tencent Cloud. All rights reserved.

Copyright in this document is exclusively owned by Tencent Cloud. You must not reproduce, modify, copy or distribute in any way, in whole or in part, the contents of this document without Tencent Cloud's prior written consent.

Trademark Notice

All trademarks associated with Tencent Cloud and its services are owned by Tencent () Company Limited and its affiliated companies. Trademarks of third parties referred to in this document are owned by their respective proprietors.

Service Statement

This document is intended to provide users with general information about Tencent Cloud's products and services only and does not form part of Tencent Cloud's terms and conditions. Tencent Cloud's products or services are subject to change. Specific products and services and the standards applicable to them are exclusively provided for in Tencent Cloud's applicable terms and conditions.


Contents

Product Introduction
  Overview
  Strengths
  Advantages of HTTPS
  Features
  SSL Certificate Brands
  Certificate Type Selection Cases
  SSL Certificate Data Security
  Browser Compatibility Test Report
  Service Level Agreement


Product Introduction

Overview

Last updated:2021-05-07 17:23:51

Overview

SSL certificates are also known as digital certificates. Tencent Cloud works with well-known Certificate Authorities (CAs) to allow users to apply for, manage, and deploy free and paid SSL certificates, which enable HTTPS to verify identities and encrypt data for your websites, apps, and web APIs.

SSL and HTTPS

Deploying an SSL certificate switches a site from Hypertext Transfer Protocol (HTTP) to Hypertext Transfer Protocol over Secure Socket Layer (HTTPS), an encrypted form of HTTP that secures data in transit.

After you purchase an SSL certificate via Tencent Cloud, you can request that the CA sign and issue it through the SSL Certificate Service console. Once the certificate is issued, you can download it and deploy it to the web service on your server. Alternatively, you can deploy it to your Tencent Cloud resources with one click. In this way, your web services or cloud resources can transfer data over HTTPS.

Advantages of HTTPS

| Advantage | Description |
| --- | --- |
| Anti-hijacking/tampering/listening | HTTPS encrypts data transferred between the server and the client for your websites, apps, and web APIs to prevent your data from being hijacked, tampered with, or listened to. |
| Improving rankings in SEO | HTTPS websites are more trusted by search engines. Therefore, your websites can be indexed faster and rank higher. |
| Increasing PV | Users trust HTTPS websites more. Therefore, they will feel more secure visiting your websites, and thus your PV can be increased. |
| Avoiding phishing websites | The green icon on the HTTPS address bar helps users identify phishing websites, protecting user and business interests and enhancing user trust. |

Supported Certificate Types and Brands

Tencent Cloud supports the following encryption standards of certificates:

| Encryption Standard | Certificate Type | Certificate Brand |
| --- | --- | --- |
| International standard | DV, OV, EV, OV Pro, EV Pro | SecureSite, GeoTrust, TrustAsia, GlobalSign, Wotrus |
| Chinese cryptographic standard | DV, OV, EV | DNSPod |

Certificate Type Description

The following table describes the trust levels and use cases of the three certificate types:

| SSL Certificate Type | Trust Level | Use Case |
| --- | --- | --- |
| DV | Average | For general websites. The certificate can be issued if the authenticity is verified. |
| OV | High | For organization websites. The certificate can only be issued if the organization is verified, making it more restrictive and secure. |
| EV | Highest | Usually for banks, securities companies, and other financial institutions. It requires rigorous auditing to ensure the highest security. The address bar turns green after the EV SSL certificate is deployed. |

References

When purchasing a certificate, you can refer to the following documents:

Certificate Type Selection Cases

Certificate Brands


Strengths

Last updated:2020-05-09 14:06:55

Top CAs

Issued by top international CAs, SSL certificates are safe and secure. Certificate authorities (CAs) are network agencies that manage and issue secure credentials and encryption information keys. They are responsible for verifying the validity of public keys in the public key system and the identities of users and enterprises. Because the authority and fairness of CAs are crucial, Tencent Cloud only collaborates with top authoritative CAs to provide safe and secure SSL certificates.

Encrypted data transfer

Encryption secures data transfer between browsers/apps and servers. Encrypting app and webpage communication via HTTPS prevents data from being stolen or tampered with in transit, guarantees data integrity, prevents traffic hijacking and advertisement insertion by ISPs, and effectively resists man-in-the-middle attacks, greatly improving security.

100% Compatible

DigiCert root certificates support all browsers and mobile devices. Compatibility determines whether browsers display web page security prompts correctly when users access sites. Supporting all current major browsers and mobile devices, DigiCert root certificates rank top in browser compatibility.

Improving Search Rankings

HTTPS can help improve search rankings and site credibility. adjusted the algorithm in 2014. According to the platform, "HTTPS-encrypted websites rank higher in search results than HTTP sites." Search engine vendors in Mainland are also stepping up their focus on HTTPS to fuel SEO optimization.


Advantages of HTTPS

Last updated:2020-09-03 11:10:26

Deploying an SSL certificate switches a site from Hypertext Transfer Protocol (HTTP) to Hypertext Transfer Protocol over Secure Socket Layer (HTTPS), an encrypted form of HTTP that secures data in transit.

Preventing traffic hijacking

Applying HTTPS to the whole website eliminates traffic hijacking by ISPs or other intermediaries. This prevents small ads from being inserted into web pages and protects user privacy.

Improving website search ranking

HTTPS can help improve your website’s search ranking, credibility, and brand image.

Avoiding phishing websites

The green icon on the HTTPS address bar helps users identify phishing websites, protecting user and business interests and enhancing user trust.


Features

Last updated:2020-05-11 10:30:23

Certificate Issuance

DV certificates are reviewed and verified automatically by DigiCert for fast issuance.

As a world-leading digital certificate provider, DigiCert offers the best certificate services to its global customers. It has remained a reliable partner with many top businesses around the world, providing trusted SSL, private and managed PKI deployment, and device certificates for the emerging IoT market.

TrustAsia is a brand of TrustAsia Technologies, Inc. in the field of information security. It is a platinum partner of DigiCert. TrustAsia specializes in providing businesses with complete network security services, including digital certificates.

Quick Application

Simplified processes: Tencent Cloud certificate service supports automatic generation of CSR online. The domain name is automatically verified by DNS, and the application is submitted in one step. The verification and issuance process is fully automatic.

Centralized Management

Multi-platform management: upload and manage certificates issued by any agency, with centralized validity monitoring of each certificate.

Private key hosting: for a certificate with CSR generated online and a private key password set, the password is used for encrypted certificate hosting to ensure information security.


SSL Certificate Brands

Last updated:2021-06-30 10:55:40

Certificate Brands and Models

Tencent Cloud provides the following brands of SSL certificates for sale:

| Certificate Brand | Description |
| --- | --- |
| SecureSite | SecureSite is the world's largest information security service provider and most reputable digital certificate issuer. It provides a wide spectrum of content and network security solutions to individuals, businesses, and service providers. 93% of Fortune Global 500 companies choose VeriSign SSL digital certificates. SecureSite acquired VeriSign in August 2010, changed VeriSign's product name and brand logo in April 2012, and since then has been providing the VeriSign verification service. |
| GeoTrust | GeoTrust, the world's second-largest digital certificate authority (CA) and a leader in identity verification and trust certification, provides state-of-the-art technologies that enable organizations and companies of all sizes to deploy SSL digital certificates securely and cost-effectively and to implement a wide range of GeoTrust identity verifications. GeoTrust was founded in 2001, and by 2006, it accounted for 25% of the global market. VeriSign acquired GeoTrust for 125 million USD in May-September 2006, and is now another cost-effective SSL certificate brand under SecureSite. |
| TrustAsia | TrustAsia, a brand under Yashu Information Technology () Co., Ltd in the field of information security, is a SecureSite platinum partner. TrustAsia specializes in providing businesses with complete network security services including digital certificates. TrustAsia SSL certificates are issued using DigiCert root certificates. |
| GlobalSign | Founded in 1996, GlobalSign is a reputable and trusted CA and provider of SSL certificates with more than 20 million SSL certificates issued worldwide. A great number of server providers, domain name registrars, and system service providers in the Chinese market prefer GlobalSign and partner with it for digital certification services. |
| WoTrus | WoTrus, operated by WoTrus CA Limited, is an internationally verified CA that has also obtained the electronic certification service license (issued by the MIIT) of China. It provides third-party digital identity verification for organizations and issues globally trusted digital certificates. |
| DNSPod GM (SM2) | Tencent’s DNSPod adopts the GM standard and is completely China-developed. Supported by well-reputed CAs in China, it is highly convenient and efficient, and meets the regulatory requirements of China. |

Brand Differences

Certificates of different brands differ in how they appear in the browser address bar, in encryption level, and in the level of guaranteed compensation. The most important difference lies in their root certificates. For example, a GeoTrust wildcard certificate is issued using a GeoTrust root certificate, while a SecureSite wildcard certificate is issued using a SecureSite root certificate. DigiCert root certificates are compatible with all browsers on the market and also offer the best support for mobile devices. A TrustAsia wildcard certificate is also issued using a DigiCert root certificate. A GlobalSign wildcard certificate is issued using a GlobalSign root certificate. A DNSPod certificate is issued using a Wotrus root certificate, and a Wotrus wildcard certificate is issued using a Sectigo root certificate.

From a technical point of view, the differences between SecureSite (formerly VeriSign) and GeoTrust are as follows:

Compatibility: SecureSite outperforms GeoTrust. SecureSite is compatible with all browsers on the market as well as many mobile devices.

OCSP response speed: SecureSite outperforms GeoTrust.

CA security: SecureSite outperforms GeoTrust. As an internationally renowned security vendor, SecureSite provides the best CA security in the world.

Data security: in addition to encrypted data transmission, SecureSite certificates provide malware scanning and vulnerability assessment features.

Certificate commercial insurance compensation: SecureSite (up to 1.75 million USD) outperforms GeoTrust (up to 1.5 million USD).


Certificate Type Selection Cases

Last updated:2020-09-01 09:58:06

This topic lists certificate type selection cases for certain industries to help you determine which certificate type to apply for or purchase.

| Industry | Recommended Certificate Type | Case | Industry Requirement |
| --- | --- | --- | --- |
| and banking | EV certificate | | Enterprise identity information must be displayed in the website address bar. Data transmission must be highly secure. |
| Education, government, and | OV wildcard certificate | Ministry of Foreign Affairs of the People's Republic of China; JD.com; Tencent News; Shanghai Gold Exchange; State Grid Corporation of China; Yonyou Network Technology Co. Ltd.; Langchao; Tencent Cloud | New sites will be added in the later stage of the website project. The government or company name does not need to be displayed in the website address bar. |
| Individual | DV certificate | Personal blog | No data transmission. The website displays pure business information or content. |


SSL Certificate Data Security

Last updated:2021-07-19 14:32:01

Uploading certificates

When you upload SSL certificates in the SSL Certificate Service console, HTTPS is used for communication throughout the process, and the OV SSL certificates issued by SecureSite are used for encryption to ensure data communication security.

Hosting certificates

The uploaded certificates are stored in Tencent Cloud’s databases and are encrypted using the Advanced Encryption Standard (AES) in Cipher Block Chaining (CBC) mode. The key is 128 bits long, which would take 210.4 billion years to break even using the most powerful computer currently available. To improve the availability and security of certificate data, Tencent Cloud has deployed three certificate databases across two regions: a primary database, a hot backup database, and a cold backup database. They use private networks, have no externally exposed APIs, and are protected by Secure Tencent Gateway (STGW). There are 6 backend servers for SSL certificates, which are accessed via a load balancer to ensure API stability.

Accessing and reading certificates

Accessing: SSL Certificate Service has integrated resource-level CAM. It’s backed by a well-established access management system that allows you to grant different access to different certificates on a per-sub-account basis to prevent malicious revocation, deletion, etc.

Reading: Certificate reading by other Tencent Cloud services (e.g., Anti-DDoS): SSL Certificate Service is interconnected with Tencent Cloud services including CLB, CDN, WAF, Anti-DDoS, CSS, etc., which can read SSL certificates via private APIs when necessary. The certificate reading process is also protected by STGW. Other Tencent Cloud services are supposed to read the certificates only when necessary. Requests are validated and authenticated to prevent unauthorized and unnecessary access.


Browser Compatibility Test Report

Last updated:2020-12-16 12:21:46

Certificates sold on the Tencent Cloud official website are compatible with mainstream browser versions. See below for the detailed compatibility test report:

| Browser | SecureSite EV | GeoTrust EV | SecureSite OV | GeoTrust OV | TrustAsia G5 DV | GeoTrust DV |
| --- | --- | --- | --- | --- | --- | --- |
| IE6 (SHA2 patched) | Supported | Supported | Supported | Supported | Supported | Supported |
| IE (8+) | Supported | Supported | Supported | Supported | Supported | Supported |
| QQ (9.5.1/9.5.2) | CT error | CT error | CT error | CT error | CT error | CT error |
| QQ (7+) | Supported | Supported | Supported | Supported | Supported | Supported |
| Baidu (6+) | Supported | Supported | Supported | Supported | Supported | Supported |
| Maxthon (4.4+) | Supported | Supported | Supported | Supported | Supported | Supported |
| 360 (8.1) | Supported | Supported | Supported | Supported | Supported | Supported |
| 360 (6+) | Supported | Supported | Supported | Supported | Supported | Supported |
| UC (5+) | Supported | Supported | Supported | Supported | Supported | Supported |
| Sogou (6+) | Supported | Supported | Supported | Supported | Supported | Supported |
| CM (3+) | Supported | Supported | Supported | Supported | Supported | Supported |
| 2345 (7.1+) | Supported | Supported | Supported | Supported | Supported | Supported |
| ChromePlus (2+) | Supported | Supported | Supported | Supported | Supported | Supported |
| TheWorld (3.6+) | Supported | Supported | Supported | Supported | Supported | Supported |
| Opera (34+) | Supported | Supported | Supported | Supported | Supported | Supported |
| Safari (5+) | Supported | Supported | Supported | Supported | Supported | Supported |
| Edge | Supported | Supported | Supported | Supported | Supported | Supported |
| Firefox (25+) | Supported | Supported | Supported | Supported | Supported | Supported |
| Chrome (53/54) | CT error | CT error | CT error | CT error | CT error | CT error |
| Chrome (46+) | Supported | Supported | Supported | Supported | Supported | Supported |

Certificate Transparency (CT) is a policy for to monitor and verify HTTPS certificates. Due to a kernel bug in Chrome 53/54, a CT error occurs for all certificates issued by the SecureSite CA after June 1, 2016. Chrome handled this problem with automatic immediately, and fixed this problem in version 55. This issue doesn’t affect users who can connect to Chrome's server. Since most users in China cannot access Chrome's server, it is recommended to upgrade to version 55+ to solve this problem. QQ Browser versions using the 53/54 kernel are also affected.


Service Level Agreement

Last updated:2019-10-31 17:22:52

In order to use the Tencent Cloud SSL Certificate service (the "Service"), you should read and observe this SSL Certificate Service Level Agreement (this "Agreement", or this "SLA") and the Tencent Cloud Terms of Service. This Agreement contains, among others, the terms and definitions of the Service, Service availability and Service uptime level metrics, compensation plan and release of liabilities. Please carefully read and fully understand each and every provision hereof, and the provisions restricting or releasing certain liabilities, or otherwise related to your material rights and interests, may be in bold font or underlined or otherwise brought to your special attention.

Please do not purchase the Service unless and until you have fully read, and completely understood and accepted all the terms hereof. By clicking "Agree"/ "Next", or by purchasing or using the Service, or by otherwise accepting this Agreement, whether express or implied, you are deemed to have read, and agreed to be bound by, this Agreement. This Agreement shall then have legal effect on both you and Tencent Cloud, constituting a binding legal document on both parties.

1. Terms and Definitions

1.1 The SSL Certificate service provided by Tencent Cloud means an SSL certificate with a fixed valid term issued by a digital certificate authority provided to you by Tencent Cloud.

1.2 Service Month(s): Service Month(s) means the calendar month(s) within the term of the Service purchased by you. For example, if you purchase the Service for a term of three months starting from March 17, there will be four (4) Service Months (the first Service Month from March 17 to March 31, the second from April 1 to April 30, the third from May 1 to May 31, and the fourth from June 1 to June 16). The availability of the Service will be calculated independently for each Service Month.

1.3 Service Downtime: If the digital certificate CRL/OCSP service remains unavailable for 5 minutes or more, such duration will be counted into Service Downtime. Any period less than 5 minutes during which such Service is unavailable does not count towards the Service Downtime.

1.4 Definition of “Unavailable”: The duration of unavailability of the Service due to TrustAsia (certificates provider), server room issue, product functionality issue or improper operation should be counted toward the Service Downtime.


2. Service Availability

2.1 Calculation of Service Availability/ Service Uptime Level

Service Availability = (1 - Service Downtime within the Service period of SSL certificate CRL/OCSP service / total time within the Service period of SSL certificate CRL/OCSP service) × 100%

If we guarantee a Service Availability of 99.99%, then, for example, for June, the Service available period of SSL CRL/OCSP service is 43,195.68 minutes (= 30 (day) × 24 (hour) × 60 (minute) × 99.99%). That is, the Service Downtime is 4.32 minutes (= 43,200 minutes – 43,195.68 minutes).

Explanations:

(1) Duration of Malfunction = the time when the malfunction is resolved – the time when the malfunction starts. The duration of malfunction will be calculated in minutes. Where the duration of malfunction, or an unrounded portion thereof, is less than 1 minute, it will be rounded up to 1 minute. For example, if the duration of malfunction is 11 minutes and 1 second, it will be calculated as 12 minutes.

(2) Only users who have purchased a paid SSL certificate and have incurred fees are eligible for compensation.

2.2 Service Availability/ Service Metrics Standard

The Service Availability of the Service provided by Tencent Cloud will be no less than 99.99%. You are entitled to the compensation as set forth in Section 3 below if the Service Availability fails to meet the aforementioned standard, other than in any circumstance as provided for in the release of liabilities provisions below.

3. Service Compensation

In respect of this Service, if the Service Availability fails to meet the abovementioned standard, you will be entitled to compensations in accordance with the following terms:

3.1 Standards of Compensation

(1) Compensations will be made in the form of voucher by Tencent Cloud, and you should follow the rules for using the voucher (including the valid term; for details, please refer to the rules of vouchers published on Tencent Cloud's official website). You cannot redeem such voucher for cash or request to issue an invoice for such voucher. Such voucher can only be used to purchase the Service by using your Tencent Cloud account. You cannot use the voucher to purchase other services of Tencent Cloud, nor should you give the voucher to a third party for consideration or for free.

(2) If the Service Availability for a Service Month fails to meet the standard, the amount of compensation will be calculated for such month independently, and the aggregate amount shall be no more than the applicable monthly Service fee paid by you for such month (the monthly Service fee referred to herein shall exclude the portion deducted by a voucher or promotional coupon, due to discounted service fee or otherwise deducted).

| Service Availability (Av) for a Service Month | Value of Compensation Voucher |
| --- | --- |
| 99.99% > Av ≥ 99.00% | 10% of the monthly Service fee |
| 99% > Av ≥ 95% | 25% of the monthly Service fee |
| 95% > Av | 100% of the monthly Service fee |
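
The rules in sections 1.2, 1.3, 2.1 and 3.1, worked through in code as an added example (not part of the Tencent Cloud document). The term year and the CRL/OCSP outage windows are constructed sample data; applying the 5-minute threshold to the whole outage and clipping an outage that crosses a month boundary are assumptions, since the SLA text does not address those cases.

```python
from datetime import datetime, timedelta
from fractions import Fraction

MIN_OUTAGE = timedelta(minutes=5)   # section 1.3: shorter outages are not counted
ONE_MINUTE = timedelta(minutes=1)
TARGET = Fraction(9999, 100)        # section 2.2: 99.99%


def service_months(term_start, term_end):
    """Split the term [term_start, term_end) into calendar-month pieces (section 1.2)."""
    pieces, cur = [], term_start
    while cur < term_end:
        first_of_next = datetime(cur.year + cur.month // 12, cur.month % 12 + 1, 1)
        nxt = min(first_of_next, term_end)
        pieces.append((cur, nxt))
        cur = nxt
    return pieces


def downtime_minutes(outages, m_start, m_end):
    """Counted downtime inside one Service Month, in whole minutes.

    Assumptions: the 5-minute threshold applies to the whole outage, and an
    outage crossing a month boundary is clipped to each month before the
    round-up-to-the-minute rule of section 2.1 is applied.
    """
    total = 0
    for o_start, o_end in outages:
        if o_end - o_start < MIN_OUTAGE:
            continue
        overlap = min(o_end, m_end) - max(o_start, m_start)
        if overlap > timedelta(0):
            total += -(-overlap // ONE_MINUTE)   # exact ceiling division
    return total


def availability(down_minutes, m_start, m_end):
    """Service Availability in percent, as an exact fraction (section 2.1)."""
    total_minutes = Fraction((m_end - m_start) // timedelta(seconds=1), 60)
    return (1 - Fraction(down_minutes) / total_minutes) * 100


def voucher_percent(av):
    """Compensation tier from the table in section 3.1 (percent of monthly fee)."""
    if av >= TARGET:
        return 0
    if av >= 99:
        return 10
    if av >= 95:
        return 25
    return 100


def sla_report(term_start, term_end, outages):
    """One row per Service Month: (start date, downtime min, Av %, voucher %)."""
    rows = []
    for m_start, m_end in service_months(term_start, term_end):
        down = downtime_minutes(outages, m_start, m_end)
        av = availability(down, m_start, m_end)
        rows.append((m_start.date().isoformat(), down,
                     round(float(av), 4), voucher_percent(av)))
    return rows


# Constructed sample data: a three-month term from March 17 (the SLA's own
# example; the year is arbitrary) and made-up CRL/OCSP outage windows.
TERM_START, TERM_END = datetime(2021, 3, 17), datetime(2021, 6, 17)
OUTAGES = [
    (datetime(2021, 4, 3, 10, 0, 0), datetime(2021, 4, 3, 10, 4, 30)),   # 4.5 min: ignored
    (datetime(2021, 4, 10, 2, 0, 0), datetime(2021, 4, 10, 2, 11, 1)),   # 11 min 1 s -> 12
    (datetime(2021, 5, 31, 23, 50), datetime(2021, 6, 1, 0, 20)),        # spans two months
    (datetime(2021, 6, 5, 8, 0), datetime(2021, 6, 5, 14, 0)),           # 6-hour outage
]

if __name__ == "__main__":
    for row in sla_report(TERM_START, TERM_END, OUTAGES):
        print(row)
```

Because a counted outage lasts at least 5 minutes and the 99.99% budget for a 30-day month is 4.32 minutes, a single counted outage is enough to put a Service Month below the target.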

3.2 Time Limit for Compensation Application

(1) If the Service Availability for a Service Month fails to meet the abovementioned Service Availability standard, you may apply for compensation through (and only through) the support ticket system under your relevant account after the fifth (5th) business day of the month immediately following such Service Month. Tencent Cloud will verify and ascertain your application upon receipt of such application. If there is any dispute over the calculation of the Service Availability for a Service Month, both parties agree that the back-end record of Tencent Cloud will prevail.

(2) You should apply for such compensation no later than sixty (60) calendar days following the expiry of the applicable Service Month in which the Service Availability fails to meet the standard. If you fail to make any application within such period, or make the application after such period, or make the application by any means other than that agreed herein, it shall be deemed that you have voluntarily waived your right to apply for such compensation and any other rights you may have against Tencent Cloud, in which case Tencent Cloud has the right to reject your application for compensation and not to make any compensation to you.

3.3 Application Materials for Compensation

If you believe that the Service fails to meet the Service Availability standard specified above, you may apply for compensation within the period of time as stipulated under this SLA, and you should at least provide the following information together with your compensation application:

1) a statement of malfunction of the CRL/OCSP service issued by an SSL certificate provider

2) order information of the SSL certificate

4. Release of Liabilities


If the Service is unavailable due to any of the following reasons, the corresponding Service Downtime shall not be counted towards Service unavailability period, and is not eligible for compensation by Tencent Cloud, and Tencent Cloud will not be held liable to you:

4.1 any system maintenance or update with prior notice by Tencent Cloud to users.

4.2 any failure of a user to follow the relevant guidelines in using the Service.

4.3 any malfunction of a user’s network or application.

4.4 any event of force majeure (please refer to the relevant provision in the master contract).

4.5 any Service unavailability or failure of the Service to meet the availability standard due to any reason not attributable to Tencent Cloud.

4.6 any other circumstances in which Tencent Cloud will be exempted or released from its liabilities (for compensation or otherwise) according to relevant laws, regulations, agreements or rules, or any rules or guidelines published by Tencent Cloud separately.

5. Miscellaneous

5.1 The parties hereto acknowledge and agree that, for any losses incurred by you during the course of using the Service due to any breach by Tencent Cloud, the aggregate compensation amount payable by Tencent Cloud shall under no circumstance exceed the total service fees you have paid for the relevant Service which is not performed.

5.2 Tencent Cloud has the right to amend the terms of this Agreement as appropriate or necessary in light of changes in due course. You may review the most updated version of relevant Agreement terms on the official website of Tencent Cloud. If you disagree with such revisions made by Tencent Cloud to this Agreement, you have the right to cease using the Service; by continuing to use the Service, you shall be deemed to have accepted the Agreement as amended.

5.3 As an ancillary agreement to the Tencent Cloud Service Agreement, this Agreement is of the same legal effect as the Tencent Cloud Service Agreement. In respect of any matter not agreed herein, you shall comply with relevant terms under the Tencent Cloud Service Agreement. In case of any conflict or discrepancy between this Agreement and the Tencent Cloud Service Agreement, this Agreement prevails to the extent of such conflict or discrepancy. (End of Document)
