Paid SSL certificates

Wondering how paid SSL certificates are issued, validated, and renewed at Cyberfusion?

This article explains the paid SSL certificate lifecycle.

Validation

Before an SSL certificate is issued, ownership of the domain must be validated. This is called Domain Control Validation (DCV).

Each certificate uses one of two validation methods:

• DNS — automatic.
• Email — requires you to monitor an email address.

DNS

DNS validation is fully automatic. No action is required from you.

DNS validation is only possible when both of these are true:

• The domain is registered with Cyberfusion.
• The domain uses Cyberfusion's nameservers.

If either is not true, email validation is used instead.

Email

When a certificate is requested, the Certificate Authority (CA) sends a validation email to the configured approver email address. You must click the link in the email to validate the certificate.

Approver email

The list of usable email addresses ('approver emails') is limited and determined by the CA. They are typically prefixed with admin@, administrator@, and similar.

To view or change the approver email:

1. On the platform, navigate to the certificate.
2. Click 'Change approver email'.

You see the list of approver emails that the CA accepts for the domain.

Extended Validation

Extended Validation (EV) certificates require additional steps, including phone validation.

EV is not commonly used. Most projects use Domain Validation (DV) certificates, described above.

Renewal

A renewal request is sent 14 days before a certificate's expiration date.

Currently, certificates are renewed every 6 months.

Decreasing maximum lifetime

The maximum certificate lifetime is being progressively shortened by the CA/Browser Forum:

As the maximum lifetime decreases, certificates are renewed more frequently — eventually every few days.