1. Starting the Order:
- Navigate to the "SSL Certificates" tab.
- Click "⊕ New SSL Certificate".
- SSL certificates can be viewed either by "Brand (CA)" or by "Validation" type.
- Pick the SSL you need and click "Put into cart".
Note: For guidance on selecting the certificate and the appropriate SSL validation type, refer to the end of this article, or contact our sales services. If you're not yet a client, you can use our contact form.
2. Providing Required Data:
a) Additional Data Required:
Click on the "Additional data required" link under the "Complete?" column.
b) CSR (Certificate Signing Request):
Input the CSR into the provided space and then click “Read CSR” to verify the details.
Note: Underscores are not accepted in the Common Name (more information here: LDH & RFC 3492). If this is an absolute requirement, it might be possible (with reservations) to explicitly state the CN as the SAN as well, but using non-LDH names here is not recommended, and there is no guarantee that this will work or that the certificate can be issued by the authority.
c) Approver Email:
The approver email address should match the domain's WHOIS record for the certificate creation. Upon evaluating a CSR, potential email addresses will become apparent. If our system can retrieve an email from the domain's WHOIS automatically, it will display the WHOIS Admin email.
For convenience, the following standard and predefined approver email addresses can be used and should be preferred:
- admin@...
- administrator@...
- hostmaster@...
- webmaster@...
- postmaster@...
The domain part (after @) must match the certificate domain (2nd level), including for subdomains (e.g. @domain.com for sub.domain.com).
Only use a custom address if you’re sure it’s actually exposed in WHOIS.
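The Common Name rule from b) and the approver address rule from c) can be checked locally before the form is filled in. The script below is an added example, not part of the BrandShelter portal or its tooling; the function names and all example.com values are constructed for illustration, and the registered (2nd-level) domain is passed in by the caller rather than derived.

```sh
#!/bin/sh
# Added example: pre-flight checks for the CSR Common Name and approver email.
# Function names and all example.com values are constructed for illustration.

# Print the Common Name stored in a PEM CSR (needs the openssl CLI).
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# Succeed only if every dot-separated label is LDH: ASCII letters, digits and
# hyphens, 1-63 characters, no leading or trailing hyphen. Underscores fail.
# The body runs in a subshell so the IFS/locale/noglob changes stay local.
cn_is_ldh() (
    LC_ALL=C; IFS=.; set -f
    case $1 in ''|.*|*.|*..*) return 1 ;; esac
    for label in $1; do
        [ "${#label}" -le 63 ] || return 1
        case $label in
            -*|*-|*[!A-Za-z0-9-]*) return 1 ;;
        esac
    done
    return 0
)

# Print the five predefined approver addresses for a CN. The registered
# (2nd-level) domain is supplied by the caller; the CN must be that domain
# or a name below it, otherwise nothing is printed and the call fails.
approver_addresses() {
    cn=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    domain=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case $cn in
        "$domain"|*."$domain") ;;
        *) return 1 ;;
    esac
    for local_part in admin administrator hostmaster webmaster postmaster; do
        printf '%s@%s\n' "$local_part" "$domain"
    done
}

# Constructed sample run: one acceptable name, one with an underscore.
for name in shop.example.com my_shop.example.com; do
    if cn_is_ldh "$name"; then
        echo "$name: LDH ok"; approver_addresses "$name" example.com
    else
        echo "$name: rejected (non-LDH character or malformed label)"
    fi
done
```

To check a real request, pass the output of csr_cn yourfile.csr to cn_is_ldh before pasting the CSR into the portal.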
d) Authentication Methods:
You can select any of the following options, but we recommend using DNS validation. If the domain related to your SSL order is currently managed through us and is using BrandShelter DNS, we will automatically create the appropriate host records to speed up the process.
- Email: An approval link is sent to the approver email (currently deprecated by most of the certificate authorities)
- DNS (TXT Record) - to be preferred: specific TXT resource records are needed for each host. These records will be added automatically if the DNS zone is managed by us (only possible if the domain is on our primary NS servers, not possible as a secondary DNS setup).
- File on the web server: A specific file with certain content must be hosted under a particular path on web servers.
NB: Authentication methods may vary depending on the certificate and/or the certificate authority.
e) Contact Information
- Owner contact: to find an eligible "Owner contact" contact for SSL certificate, enter any data associated with the desired contact (see this help page for contact creation)
Important:
An eligible contact for an SSL certificate is a contact which contains all mandatory fields, including the two additional ones below:
- Title --> Mr / Ms
- State / Province --> please do not select "Other", the field must be completed with the right information
If an existing contact does not contain data for the above two fields, it will not be available for selection in the contact list.
Also please note that certain special characters, such as ö and ß, may cause issues. It is recommended to replace them with their "non-special" equivalents (e.g., ö → o, ß → ss) to ensure proper handling.
This contact is mandatory for all types of certificate order.
- Organization Contact and Organization Contact Person: these two types of contacts are only required for OV / EV certificate types.
- "Organization Contact" (O-handle typology) should not indicate First Name and Last Name; leave the fields blank (this will allow you to have an "O-handle" typology, generally preferred but not mandatory; the "P-handle" typology may also be suitable). It must indicate an Organization as well as a valid postal address and a landline telephone number that can be verified in an official directory (Yellow Pages, Kompass, etc).
- "Organization Contact Person" (P-handle typology) must indicate the same organization as the one listed in your "Organization Contact", as well as the Last Name and the First Name of a natural person working within it, with their title and role.
To be noted:
- Generic names such as "Domain Manager" or "Domain Manager" are not allowed as a contact person
- The telephone number indicated must be a direct line, landline or cellular.
-- Important --
- Accepted characters: all contacts associated with SSL certificates must not contain accents, umlauts, or special characters.
- Title: it must be selected when referring to a natural person.
- State: it must be defined with an approved State or Region (the option "Other" is not accepted)
f) Other fields:
The other entries are optional and internal to the portal, for your own management.
3. Save your changes:
Finally, click on "Update SSL Certificate Order" to validate the form.
4. Complete the order:
- Select the certificate.
- Click on “Submit order”. It's over!
5. Verification of your application, validation, and delivery of your certificate:
Your order is now placed, and your certificate request is in progress with the selected certificate authority.
You will receive instructions directly from the certification authorities, and your certificate will be delivered to you by email to the address provided in your customer account and/or you can retrieve your certificate directly from the BrandShelter Portal, in the "SSL Certificates" tab.
- Your certificate will be issued in CRT format.
- Intermediate certificates are sent at the same time as the certificate itself.
- Downloaded certificate files will have the filename extension ".txt", but you can rename the file and/or change its extension to .CRT, .PEM or .CER, for example, without affecting its functionality.
Important: we name the attached certificate files in the delivery email certificate-crt.txt and intermediate-pem.txt to ensure that they are properly received, and to prevent them from being detected as potentially malicious files and blocked. Thus, we no longer use .pem or .crt as file extensions because many virus and malware protection software remove attachments with such extensions. However, we correctly set the MIME type, respectively, to application/x-x509-ca-cert and application/x-pem-file.
The PEM format, in particular, is also used to store private keys and certificate signing requests (CSR):
- A private key in PEM format will have the .key extension and the header and footer
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
- A CSR in PEM format will have the .csr extension and a header and footer
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
Root certificates (ROOT) are an integral part of every web browser and operating system, and can be downloaded publicly. Root certificates are therefore not part of our delivery.
- On Windows, Certificate Manager manages trusted root certificates.
- On Mac, the root certificates are in Keychain Access.
- On Linux, they go under /etc/ssl.
Certificate authorities make their root and intermediate certificates available for download on their websites.
6. More information on SSL Certificates and Useful tools
There are three types of validation:
- Domain Validation (DV) verifies that the requestor has administrative rights to the domain listed in the certificate (corresponds to a standard certificate).
- Organization Validation (OV) includes authenticating the company's identity, verifying the domain name, and verifying that the organization's contact who is applying for the certificate on behalf of the company or organization is an employee of that organization.
- Extended Validation (EV) is the highest level of authentication and requires recognition or an agreement signed by the company.
Understanding SSL Certificates
SSL certificates serve as a protective shield for online data transfers, but not all certificates are created equal. Let's delve into the differences between the commonly used Standard SSL Certificate and the more rigorous Extended Validation Certificate.
Difference Between Standard SSL Certificate and Extended Validation Certificate
- Validation Levels: While both SSL certificate types offer industry-standard encryption, their level of validation differs. Typically, when referring to a "standard SSL", one means a single domain, domain validated (DV) SSL certificate. These certificates are swiftly registered, and affordable, yet might not provide the desired level of trust for business-centric tasks. On the other hand, an Extended Validation (EV) certificate involves a meticulous validation process where the issuing authority verifies multiple facets of your company, ensuring a higher level of trust.
- Pricing Disparity: You might wonder why EV certificates come with a higher price tag compared to standard SSL certificates. The answer lies in the detailed validation process. The extra effort and resources expended by the Certificate Authority to vet and issue an EV certificate naturally translates to a higher cost.
Considerations for Extended Validation Certificates
Before opting for an EV certificate, consider the following:
- Urgency: Need a certificate in a jiffy or at a lower cost? A standard SSL might be your go-to.
- Trust Factor: If instilling maximum trust in your visitors is pivotal, and you wish to showcase serious commitment to security, an EV certificate should be your choice.
- Nature of Your Site: Sites handling e-commerce, finance, healthcare, or any sensitive data should ideally lean towards EV certificates for enhanced credibility and security.
Certificate lifespan:
More information: SSL/TLS Certificate Lifetime Reduction – 47-Day Certificates by 2029
7. More Support and Best Practices
→ What is an SSL certificate?
→ Why do I need an SSL certificate?
→ SSL Certificate Management Best Practices
CSR Generation & Decoder Tools:
- CSR Generator by SSL Dragon
- CSR generator - Open Source (MIT license)
- Coder's tool - CSR generator
- CSR and Certificate Decoder
Convert to .PFX
Sometimes you may want a self-installing package of the certificate (.PFX). For this you need to have the private key in your possession; otherwise it will not be possible.
Here's how to do it:
- Install OpenSSL (https://slproweb.com/products/Win32OpenSSL.html, available also for MacOS, https://www.slingacademy.com/article/how-to-install-upgrade-openssl-with-homebrew/)
- Retrieve your .pem file containing the certificate (.crt) and the intermediate chain. Note that you may be required to create this file yourself in .pem format. To do this, you will need to:
- Open the .crt file (1) with a text editor (Notepad for example)
- Open the file containing the intermediate chain (2) with the same text editor
- Open a blank document (3) with the same text editor
- Paste into (3) the contents of (1) and then (2) (one after the other, with a simple line break)
- Save the document (3) by naming it e.g. "yourcertificatename.pem"
- Place the following in your computer user folder (example: C:\Users\JohnDoe):
- The previously created .pem formatted certificate ("yourcertificatename.pem")
- and the private key.
- In your text editor (Notepad for example), prepare a strong password (mix numbers and letters with at least 15 characters)
- Launch OpenSSL (for Windows, click on the Windows logo at the bottom left, find the OpenSSL folder and launch "Win64 OpenSSL Command Prompt")
- Type the following command:
openssl pkcs12 -export -out yourfilename.pfx -inkey yourprivatekeyname.key -in yourcertificatename.pem
- Once the command is launched, there will be a prompt to enter the password you prepared above: enter it twice (NB: the cursor does not seem to react, but the password is taken into account)
- Tip: it's easier to create your password in a Notepad, copy it, and paste it into the OpenSSL window
- Once the password has been validated twice consecutively, the .PFX will be created (keep this password so you can use your .PFX thereafter).
- Recover your .PFX in the same folder where you deposited the certificate and private key
- It's over!
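The same conversion can be scripted so that the bundle is assembled in the right order, the private key is confirmed to belong to the certificate before export, and the resulting .PFX is read back. This is an added example for a POSIX shell with the openssl CLI (for instance the macOS install mentioned above), not a BrandShelter script; the function names and the PFX_PASS environment variable are assumptions, and the file names are the placeholders used in this article.

```sh
#!/bin/sh
# Added example: build the .pem bundle, confirm the key belongs to the
# certificate, then export and re-read the .pfx. File names are placeholders.
# Usage: export PFX_PASS first, then
#   sh make_pfx.sh certificate-crt.txt intermediate-pem.txt yourprivatekeyname.key yourfilename.pfx

# Succeed only if the certificate and the private key carry the same public key.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# make_pfx CERT INTERMEDIATE KEY OUT: returns 2 on a key mismatch.
make_pfx() {
    cert=$1; chain=$2; key=$3; out=$4
    if ! key_matches_cert "$cert" "$key"; then
        echo "private key does not match the certificate" >&2
        return 2
    fi
    bundle=$(mktemp) || return 1
    # Certificate first, then the intermediate, separated by a line break.
    { cat "$cert"; printf '\n'; cat "$chain"; } > "$bundle"
    # umask keeps the output readable by the current user only; the password
    # comes from the PFX_PASS environment variable instead of the prompt.
    ( umask 077
      openssl pkcs12 -export -out "$out" -inkey "$key" -in "$bundle" \
          -passout env:PFX_PASS )
    rc=$?
    rm -f "$bundle"
    return "$rc"
}

# Count the certificates stored in a .pfx (2 expected: leaf + intermediate).
pfx_cert_count() {
    openssl pkcs12 -in "$1" -passin env:PFX_PASS -nokeys 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

if [ "$#" -eq 4 ]; then
    make_pfx "$@" && echo "certificates in $4: $(pfx_cert_count "$4")"
fi
```

A mismatch at the key check usually means the CSR was generated from a different private key than the one at hand; the export would fail or produce an unusable package in that case.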
Other useful links:
- Create a pkcs12 (.pfx or .p12) from OpenSSL files (.pem, .cer, .crt...) with TBS: https://www.tbs-certificates.co.uk/FAQ/en/288.html
- SECTIGO SSL Converter - Convert the Format of Any SSL Certificate : https://sectigostore.com/ssl-tools/ssl-converter.php
- Convert your P7B Certificate to PFX : https://www.veritech.net/convert-p7b-certificate-pfx/
- Sectigo Validation >> SSL Validation FAQs
- Sectigo Validation >> Organization Validated (OV) Certificates
- Sectigo's Organization Validated (OV) SSL Certificate Explained
- Sectigo Validation >> Extended Validation (EV) Certificates
- Sectigo's Extended Validated (EV) SSL Certificate Explained
- Sectigo WHOIS Email DCV Deprecation