Please Check Your Client Certificate Settings and Try Again

Editor's Note: This blog post was originally published in September 2016. It has been reviewed for clarity and accuracy by GlobalSign Product Manager Sebastian Schulz and updated accordingly.

Sometimes, even PKI veterans struggle with ordering or installing SSL/TLS certificates. This does not suggest a lack of knowledge; rather, those processes can bring up previously unseen errors. Ordering the right certificate, creating a CSR, downloading it, installing it, and testing it to make sure there are no problems are all areas where one may run into errors.

We want to help make the process as simple as possible from start to finish. For that reason, we collated the top queries and issues that customers may face during ordering or installation. We hope this blog will help you avoid those pitfalls and streamline your time to completion, but if you have a problem that you cannot solve using this blog you can still check the GlobalSign Support Knowledge Base or submit a ticket.

Choosing the Right Approval Method

There are three ways to have your domain verified with us: approver email, HTTP verification, and DNS TXT record. And if at some point you grow tired of verifying domains every time you order a certificate, why not give Managed SSL a try?

Note: When ordering an SSL Certificate from our system, the approval method cannot be changed once chosen.

Approver Email


When placing an order, you can choose from the following email addresses to allow us to verify your domain:

  • admin@domain.com
  • administrator@domain.com
  • hostmaster@domain.com
  • postmaster@domain.com
  • webmaster@domain.com

An email will be sent to the selected address, and upon receipt of the email you can click a link to verify that the domain is yours.

Note: Make sure you choose the right one, or you will have to cancel the order and start a new one.

If you do not have access to, or cannot set up, an email address from the above list, you will need to contact Support, who will guide you through the other possible options for email verification. These are:

  • Updating the WHOIS record with an email address (an example of a website GlobalSign uses to check WHOIS records is networksolutions.com).
  • Creating a page on the website of the domain using instructions from our support team. This demonstrates control of the domain and allows the vetting team to send the approval email to ANY alternative email address.

NOTE: A dedicated support article guiding you through domain verification by approver email can be found here.

HTTP Verification

Using the HTTP Verification method (also called the Approver URL or meta tag method), you place a random string provided by GlobalSign either in a meta tag on the root page of your domain (for example domain.com) or in a text file at a fixed path. The file must be reachable at domain.com/.well-known/pki-validation/gsdv.txt (note the leading dot in .well-known).

Our verification system will detect the meta tag or the file and verify domain ownership. However, our system cannot verify the domain if that URL redirects to another page, so make sure to disable all redirects for it, including an HTTP-to-HTTPS redirect.

Note: A dedicated support article guiding you through domain verification by HTTP verification can be found here.

DNS TXT Record

The DNS TXT record method entails adding a code to a DNS TXT record of the registered domain. You need to make sure the string exactly matches what you were provided at the end of ordering your certificate or by our vetting team. You also need to make sure that the record is publicly resolvable. You can use free online tools to check your DNS TXT records. Alternatively, you can run a command at a command prompt to see whether the TXT entry is present, for example: nslookup -type=txt domain.com
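The HTTP and DNS TXT checks from the two sections above, as an added example that is not part of the GlobalSign article. It assumes the validation file is fetched from http://domain/.well-known/pki-validation/gsdv.txt over plain HTTP without following redirects, uses curl and nslookup, and treats the token as whatever string GlobalSign supplied; the decision logic is kept separate from the network calls so it can be tried on a captured response or a pasted nslookup output.

```shell
#!/bin/sh
# Added example, not from the GlobalSign article: pre-flight checks for the
# HTTP and DNS TXT approval methods. Assumptions: the validation file lives at
# http://<domain>/.well-known/pki-validation/gsdv.txt (the file name the
# article gives) and the CA fetches it without following redirects.

VALIDATION_PATH="/.well-known/pki-validation/gsdv.txt"

# judge_http_response STATUS REDIRECT_URL BODYFILE TOKEN
# Pure decision logic over an already-captured response, so it can be
# exercised offline. Returns 0 when the CA would accept the page.
judge_http_response() {
    status="$1"; redirect="$2"; bodyfile="$3"; token="$4"
    case "$status" in
        3??) echo "FAIL: HTTP $status redirect to '$redirect'; validation does not follow redirects"; return 1 ;;
        200) ;;
        *)   echo "FAIL: HTTP $status instead of 200"; return 1 ;;
    esac
    # File variant: the token must be a whole line, exactly as issued (CRLF tolerated)
    if tr -d '\r' < "$bodyfile" | grep -qxF -- "$token"; then
        echo "OK: token served as a file at $VALIDATION_PATH"; return 0
    fi
    # Meta-tag variant: the token is the content attribute of a tag on the page
    if grep -qF -- "content=\"$token\"" "$bodyfile"; then
        echo "OK: token served as a meta tag"; return 0
    fi
    echo "FAIL: token not present exactly as issued"; return 1
}

# http_validation_check DOMAIN TOKEN : live fetch; curl's -L is deliberately absent
http_validation_check() {
    body=$(mktemp)
    result=$(curl -sS -o "$body" -w '%{http_code} %{redirect_url}' "http://$1$VALIDATION_PATH") \
        || { rm -f "$body"; echo "FAIL: cannot reach http://$1"; return 2; }
    judge_http_response "${result%% *}" "${result#* }" "$body" "$2"; rc=$?
    rm -f "$body"; return $rc
}

# txt_records : read nslookup/dig output on stdin, print one TXT string per line
txt_records() {
    tr -d '\r' | grep -o '"[^"]*"' | sed 's/^"//; s/"$//'
}

# txt_has_token TOKEN : read records on stdin; only an exact match passes
txt_has_token() {
    token="$1"; found=1
    while IFS= read -r rec; do
        if [ "$rec" = "$token" ]; then
            found=0
        elif [ "$(printf '%s' "$rec" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')" = "$token" ]; then
            echo "WARN: record matches only after trimming whitespace: '$rec'"
        fi
    done
    if [ $found -eq 0 ]; then echo "OK: exact TXT record present"; else echo "FAIL: no exact TXT match for '$token'"; fi
    return $found
}

# dns_txt_check DOMAIN TOKEN : live lookup with the same command the article suggests
dns_txt_check() {
    nslookup -type=txt "$1" 2>/dev/null | txt_records | txt_has_token "$2"
}
```

Run `http_validation_check domain.com "<token>"` and `dns_txt_check domain.com "<token>"` before submitting the order; a 301 or 302 from the first, or a WARN about whitespace from the second, is the problem to fix on your side before the CA ever looks.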

Note: A dedicated support article guiding you through domain verification by DNS TXT record can be found here.

Private Key Missing

Ordering an SSL/TLS certificate requires the submission of a CSR, and in order to create a CSR a private key has to be created first. The private key matching your certificate is usually located in the same directory in which the CSR was created. If the private key is no longer stored on your machine (lost), the certificate will need to be reissued with a new CSR, and therefore also with a newly created private key.

Examples of error messages/situations which would indicate there is no private key:

  • 'Private key missing' error message appears during installation
  • 'Bad tag value' error message appears during installation
  • After importing the certificate into IIS, the certificate disappears from the list when refreshed
  • When going to your website, the site does not load over https://
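A practical check for this situation, added here as an example and not part of the GlobalSign article: compare the public key inside the certificate with the public key derived from a candidate private key, and scan the directory where the CSR was generated for the key that belongs to the certificate. It assumes the openssl command-line tool is available; the file and directory names are placeholders.

```shell
#!/bin/sh
# Added example, not from the GlobalSign article. Answers "is this the private
# key for this certificate?" by comparing public keys, and locates the matching
# key in the directory where the CSR was generated. Needs the openssl CLI.
# Usage: keys_match server.crt server.key
#        find_matching_key server.crt /path/where/csr/was/made

keys_match() {
    cert="$1"; key="$2"
    [ -r "$cert" ] || { echo "FAIL: certificate not found: $cert" >&2; return 2; }
    [ -r "$key" ]  || { echo "FAIL: private key not found: $key; reissue with a new CSR" >&2; return 2; }
    # Public key as embedded in the certificate (PEM SubjectPublicKeyInfo)
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
        || { echo "FAIL: cannot parse certificate $cert" >&2; return 2; }
    # Public key derived from the private key; works for RSA and EC keys alike
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
        || { echo "FAIL: cannot parse private key $key" >&2; return 2; }
    if [ "$cert_pub" = "$key_pub" ]; then
        echo "OK: $key belongs to $cert"; return 0
    fi
    echo "MISMATCH: $key is not the key used for $cert" >&2
    return 1
}

# find_matching_key CERT DIR : print the file in DIR whose private key matches CERT
find_matching_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    for f in "$2"/*; do
        [ -f "$f" ] || continue
        # Anything openssl cannot read as a private key (certificates, CSRs) is skipped
        key_pub=$(openssl pkey -in "$f" -pubout 2>/dev/null) || continue
        if [ "$key_pub" = "$cert_pub" ]; then echo "$f"; return 0; fi
    done
    echo "no matching private key in $2: the certificate must be reissued with a new CSR" >&2
    return 1
}
```

If `find_matching_key` comes back empty for the directory where the CSR was made (and for any backup of it), the key is gone; the only fix is a new key, a new CSR and a reissue, as the section above says.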

No matter how convenient it seems, we want to discourage the use of online tools to generate CSRs. Those tools will also hold your private key, meaning the security of your server may be compromised in the future.

Note: We offer many guides to help you generate private keys and CSRs.

SAN Compatibility

With a subject alternative name or SAN certificate, there are several things to note before ordering:

  • UCC (Unified Communications) SANs can be selected for free. Those cover some direct subdomains of the Common Name (for example, domain.com):
    1. mail.domain.com
    2. owa.domain.com
    3. autodiscover.domain.com
    4. www.domain.com
  • Subdomain SANs are applicable to all host names extending the Common Name by one level. For instance:
    • support.domain.com could be a Subdomain SAN for a certificate with the Common Name domain.com
    • advanced.support.domain.com could NOT be covered by a Subdomain SAN in a certificate issued to domain.com, as it is not a direct subdomain of domain.com
  • FQDN (Fully Qualified Domain Name) SANs are applicable to all fully qualified host names, unrelated to the Common Name
    • support-domain.net could be an FQDN SAN in a certificate with the Common Name domain.com
    • support.domain.com would also be a valid FQDN SAN for a certificate with the Common Name domain.com, but covering it with a Subdomain SAN is the smarter choice
    • IP addresses cannot be covered by FQDN SANs
  • SANs for public IP addresses will only work for registered, publicly routable IP addresses; otherwise ownership cannot be verified
  • Wildcard SANs work the same way as FQDN SANs but will cover an entire subdomain level, no matter what stands in for the asterisk
    • For example, the Wildcard SAN *.domain.com will cover support.domain.com, gcc.domain.com, mail.domain.com, and so on

For the compatibility of the different SAN types with different products, please see the table below:

(SAN compatibility chart: image not reproduced in this copy)

It is also possible to remove a SAN after your certificate has been issued.

Invalid CSR

If you are creating a renewal CSR, you will need to ensure the Common Name matches the one in your original CSR. The new CSR will not be identical to the old one, since the private key must be different. You may not use the same CSR again, even if it seems convenient.

You can test a CSR by using the decoder in the Managed SSL tab of your GlobalSign account. Should you not have that available, you can safely use online resources to check your CSR: a CSR carries the public key and no private key material, so as long as you do not share your private key you do not have to be concerned about their security. If there are any extra spaces, or too many or too few dashes at the start/end of the certificate request, it will invalidate the CSR. The framing lines must read exactly:
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----

The Common Name Yous Have Entered Does Not Match the Base Option

This error appears when you are ordering a Wildcard SSL Certificate but have not included the asterisk in the Common Name of the CSR (e.g. a CSR with the CN domain.com rather than *.domain.com). Conversely, it also appears if you have entered *.domain.com in the CSR but have not selected that you wish to order a Wildcard certificate.

As explained earlier, the [*] represents all sub-domains on one level that you can secure with this type of certificate. For example, if you want to secure www.domain.com, mail.domain.com and secure.domain.com, you will need to enter *.domain.com as the Common Name in the CSR.
Note: You cannot create a Wildcard with a sub-domain before the asterisk, e.g. mail.*.domain.com, or double Wildcards, such as *.*.domain.com.

Key Duplicate Error

This error appears when you are using a private key which has already been used. A private key and CSR must only be used ONCE.

You should generate a new private key and CSR on your server and re-submit the new CSR. The reason SSL/TLS certificates have a maximum validity (and that this maximum has been cut short repeatedly) is to ensure that keys are replaced frequently, mitigating the risk of an undetected compromise.
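The checks described in the Invalid CSR, Common Name and Key Duplicate sections above, combined into one lint script. This is an added example, not the GlobalSign decoder or any other GlobalSign tool; it assumes the openssl command-line tool is available, and the file names and domain.com are placeholders.

```shell
#!/bin/sh
# Added example, not from the GlobalSign article: lints a CSR the way the
# order form will judge it. Checks the PEM framing, that the request parses and
# its signature verifies, that the Common Name agrees with the wildcard option,
# and that a renewal CSR does not reuse an old private key. Needs the openssl CLI.
# Usage: csr_lint request.csr [single|wildcard] [previous.key]

csr_lint() {
    csr="$1"; product="${2:-single}"; oldkey="$3"; rc=0
    [ -r "$csr" ] || { echo "FAIL: cannot read $csr"; return 1; }

    # 1. Framing: exact BEGIN/END lines, no stray spaces (CRLF line endings tolerated)
    first=$(tr -d '\r' < "$csr" | sed '/^$/d' | head -n 1)
    last=$(tr -d '\r' < "$csr" | sed '/^$/d' | tail -n 1)
    case "$first" in
        "-----BEGIN CERTIFICATE REQUEST-----"|"-----BEGIN NEW CERTIFICATE REQUEST-----") ;;
        *) echo "FAIL: first line is '$first'"; rc=1 ;;
    esac
    case "$last" in
        "-----END CERTIFICATE REQUEST-----"|"-----END NEW CERTIFICATE REQUEST-----") ;;
        *) echo "FAIL: last line is '$last'"; rc=1 ;;
    esac
    if tr -d '\r' < "$csr" | grep -q '[[:blank:]]$'; then
        echo "FAIL: trailing space or tab inside the CSR"; rc=1
    fi

    # 2. The request must parse and its self-signature must verify
    if ! openssl req -in "$csr" -noout -verify >/dev/null 2>&1; then
        echo "FAIL: CSR does not parse or its signature is invalid"; return 1
    fi

    # 3. Common Name versus the product being ordered
    cn=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    case "$cn" in
        \*.*\**|*?\**) echo "FAIL: CN '$cn' has a double or misplaced wildcard"; cn_kind=invalid; rc=1 ;;
        \*.?*)         cn_kind=wildcard ;;
        *)             cn_kind=single ;;
    esac
    if [ "$cn_kind" != "invalid" ] && [ "$cn_kind" != "$product" ]; then
        echo "FAIL: CN '$cn' is a $cn_kind name but the order is for a $product certificate"; rc=1
    fi

    # 4. A renewal must carry a freshly generated key, or the CA reports 'Key Duplicate'
    if [ -n "$oldkey" ] && [ -r "$oldkey" ]; then
        csr_pub=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)
        old_pub=$(openssl pkey -in "$oldkey" -pubout 2>/dev/null)
        if [ -n "$csr_pub" ] && [ "$csr_pub" = "$old_pub" ]; then
            echo "FAIL: CSR reuses the private key in $oldkey"; rc=1
        fi
    fi

    [ $rc -eq 0 ] && echo "OK: $csr (CN=$cn)"
    return $rc
}

# new_request CN KEY_OUT CSR_OUT : fresh 2048-bit RSA key and CSR for a (re)issue
new_request() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$2" -out "$3" -subj "/CN=$1" >/dev/null 2>&1
}
```

For a renewal, run `new_request domain.com new.key new.csr` and then `csr_lint new.csr single old.key`: the last argument is the key from the expiring certificate, and the lint fails if the new request was accidentally made with it.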

Order State Has Already Been Changed


This error message generally appears when your order has timed out. You should start the ordering process from scratch and let us know if the issue persists. If it does, we need to run further checks on your account.

NOTE: this error message can also be caused by wrongly specified SANs. For example, if the CN is "www.domain.com" and you specified "domain.domain2.com" as a sub-domain SAN, when it is in fact a separate FQDN. Check the information about SANs above for a description of each type.

The SAN Options You Have Entered Do Not Match the SAN Options on the Original Certificate

This problem can occur for several reasons:

  • You added a space before or after the SAN.
  • There is a typo in the information you have provided.
  • You are entering the Common Name (CN) of the certificate as a SAN. Following the regulations, we will always add your Common Name as a SAN; it does not need to be specified.
  • You incorrectly entered the SAN as a sub-domain, multi-domain name, internal SAN or IP. You need to choose the right type of SAN for the name in question. Please also check the information on the different SAN types above.
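The SAN rules from the SAN Compatibility section, and the two error messages above that they explain, written as a classifier. This is an added example, not part of the GlobalSign article or ordering system; it encodes only the rules the article states (the four UCC names, one-level subdomains, FQDNs, wildcards, public IPv4 addresses, and the rejection of whitespace), with domain.com as a placeholder. It also treats a name two or more levels below the Common Name as needing an FQDN SAN, which follows from the Subdomain rule above.

```shell
#!/bin/sh
# Added example, not from the GlobalSign article: classifies a candidate SAN
# against the Common Name using the rules in the SAN Compatibility section, so
# the wrong SAN type (or a stray space) is caught before the order is submitted.
# Usage: classify_san COMMON_NAME SAN
# Prints one of: cn ucc subdomain fqdn wildcard ip invalid (exit 1 for invalid)

classify_san() {
    cn="$1"; san="$2"
    # Whitespace anywhere: a space before or after the SAN is a documented cause of rejection
    case "$san" in
        ""|*[[:space:]]*) echo invalid; return 1 ;;
    esac
    # Wildcards: exactly one asterisk, and only as the left-most label
    case "$san" in
        \*.*\**) echo invalid; return 1 ;;   # *.*.domain.com: double wildcard
        \*.?*)   echo wildcard; return 0 ;;  # *.domain.com
        *\**)    echo invalid; return 1 ;;   # mail.*.domain.com: asterisk not left-most
    esac
    # Public IPv4 address: its own SAN type, never an FQDN SAN (IPv6 not handled here)
    if printf '%s' "$san" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
        echo ip; return 0
    fi
    case "$san" in
        "$cn") echo cn; return 0 ;;          # the CN is added as a SAN automatically; do not list it
        mail."$cn"|owa."$cn"|autodiscover."$cn"|www."$cn") echo ucc; return 0 ;;
        *."$cn")
            # Labels between the SAN and the CN: exactly one level is a Subdomain SAN
            prefix="${san%."$cn"}"
            case "$prefix" in
                *.*) echo fqdn; return 0 ;;      # advanced.support.domain.com
                *)   echo subdomain; return 0 ;; # support.domain.com
            esac ;;
        *.*) echo fqdn; return 0 ;;          # support-domain.net: unrelated host name
        *)   echo invalid; return 1 ;;       # single label, not a public host name
    esac
}
```

Running the classifier over a list of planned SANs before ordering tells you which SAN type to select for each one, and flags the entries (the CN itself, a space, a misplaced asterisk) that produce the "options do not match" and "order state" errors described above.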

Certificate Not Trusted in Web Browser

After installing the certificate, you may still receive untrusted errors in certain browsers. This happens when the intermediate certificate has not been installed on the server, or when for some reason the GlobalSign Root Certificate is missing from the client connecting to your server. Unless the client has been heavily tampered with, the latter should not occur: our root certificates are embedded in almost all modern operating systems and applications.

Running a health check on the domain will identify missing intermediate certificates. If the intermediate certificate is missing, use the intermediate certificate page on our support site to determine which intermediate is needed based on the product type (DomainSSL, OrganisationSSL, ExtendedSSL, AlphaSSL etc.).

Find out more about intermediate certificates and why we use them.
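To see the missing-intermediate failure for yourself, and to check what a server is actually sending, here is an added example that is not part of the GlobalSign article. It builds a throwaway root, intermediate and leaf with the openssl command-line tool; the CA names and domain.com are placeholders, and the keys are disposable test keys.

```shell
#!/bin/sh
# Added example, not from the GlobalSign article. Builds a throwaway
# root -> intermediate -> leaf chain with the openssl CLI and shows that the
# leaf is untrusted when the intermediate is not presented, which is the
# browser error described above. Names, domain.com and keys are placeholders.

# make_demo_pki DIR : writes root.crt, int.crt, leaf.crt (and their keys) under DIR
make_demo_pki() {
    dir="$1"; mkdir -p "$dir"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:domain.com\n' > "$dir/leaf.ext"
    for name in root int leaf; do
        case "$name" in
            root) subj="/CN=Demo Root CA" ;;
            int)  subj="/CN=Demo Intermediate CA" ;;
            *)    subj="/CN=domain.com" ;;
        esac
        openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" -subj "$subj" >/dev/null 2>&1 || return 1
    done
    # The root signs itself; each level below is signed by the level above
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -out "$dir/root.crt" \
        -days 2 -extfile "$dir/ca.ext" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" -CAcreateserial \
        -out "$dir/int.crt" -days 2 -extfile "$dir/ca.ext" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" -CAcreateserial \
        -out "$dir/leaf.crt" -days 2 -extfile "$dir/leaf.ext" >/dev/null 2>&1 || return 1
}

# verify_chain LEAF INTERMEDIATE ROOT : 0 only if LEAF chains to ROOT. Pass an empty
# INTERMEDIATE to see what a client gets when the server omits it.
verify_chain() {
    leaf="$1"; inter="$2"; root="$3"
    if [ -n "$inter" ]; then
        out=$(openssl verify -CAfile "$root" -untrusted "$inter" "$leaf" 2>&1 || true)
    else
        out=$(openssl verify -CAfile "$root" "$leaf" 2>&1 || true)
    fi
    case "$out" in
        *": OK"*) echo "OK: $leaf chains to the trusted root"; return 0 ;;
        *)        echo "FAIL: $out"; return 1 ;;
    esac
}

# count_certs : number of PEM certificates on stdin
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----'; }

# served_chain HOST [PORT] : the certificates a TLS client actually receives. A count
# of 1 means only the leaf is installed and the intermediate is missing on the server.
served_chain() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}
```

`verify_chain leaf.crt "" root.crt` fails with "unable to get local issuer certificate" even though the root is trusted, which is the same position a browser is in when the server sends only the leaf; `verify_chain leaf.crt int.crt root.crt` passes. Against a live host, `served_chain domain.com | count_certs` shows whether the intermediate is actually being sent.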

'Switch From Competitor' Error Message


When choosing the 'switch from competitor' option in our certificate ordering system, you may run into the following error message:

The server hosting your existing certificate cannot be reached to confirm its validity. Please obtain a copy of your existing certificate and paste it in the box below. All competitive switches are subject to review by GlobalSign's vetting team against the trusted issuers in the browser trust stores. If your certificate is not issued by a valid root CA Certificate, it will be subject to cancellation and/or revocation.

This error message occurs when your current certificate is no longer valid. You should only choose this option if you are switching before your certificate with the other company expires.
This error message could also occur if your current certificate is not installed on the domain. Our system will not be able to detect its validity in this case, so you should untick this option and go through the normal ordering process.

If you have a valid certificate from a competitor that is not installed on the server, you can paste that existing certificate into the text box shown with the 'Switch from Competitor' option.

Finally, this error message can show when you have installed a certificate on your server but its CN is not the same as the domain name. For instance, this can happen with a SAN certificate. In this case, simply untick 'switch from a competitor' and go through the normal ordering process.

If you are switching over to GlobalSign, that's great! If you think you should be eligible for 30 days of free validity but cannot complete the process, simply contact us and a team member will reach out to you.

For more help with general SSL Certificate queries, visit the General SSL page on our support site.


Source: https://www.globalsign.com/en/blog/top-ssl-certificate-errors-and-solutions
