This guide explains the main differences between an EV and DV certificate.

SSL EV Certificates: for companies

The Sectigo SSL EV certificate can only be issued to companies registered in an official registry.

It provides the highest level of trust with your clients and offers unique advantages in addition to including the benefits of a DV certificate:

• name of your company in the navigation bar
• lock in the navigation bar
• dynamic site seal
• domain name validation
• manual verification of your company's details and identity
• warranty up to $1,750,000 for end users
• 7/7 support

The activation of an EV SSL certificate may take up to 24 hours and will require action on your part.

SSL DV Certificates: for companies and individuals

The Sectigo DV certificate is available to individuals and companies. It does not include some of the advantages mentioned above, but it offers additional benefits compared to free Let's Encrypt SSL certificates:

• dynamic site seal
• domain name validation
• guarantee up to $10,000 for end users
• support 24/7

The activation of a DV SSL certificate is immediate.

And what about Let's Encrypt certificates?

A free Let's Encrypt certificate guarantees the same level of encryption as an EV or DV certificate. However, Let's Encrypt certificates do not offer the following benefits:

• manual validation of your company's credentials and authenticity (EV)
• warranty for end users in case of fraud (EV/DV)
• support in case of questions

In summary, Let's Encrypt certificates ensure the encryption of exchanges between your users and your site, but they do not guarantee to internet users that they are on a legitimate site whose identity has been authenticated by a certification authority.

This guide suggests solutions to resolve common issues and frequent errors that may occur when you try to display your website in https after activating an SSL certificate.

The web browser automatically displays the http version of the site when you try to access it via https

It is recommended to perform the following actions:

• Clear the cache of your applications or your site.
• Check that the pages and scripts of the site do not contain redirects to the http version of the site.
• Check that the site's .htaccess file does not contain redirects to the site's http version.
• Set the https address of the site as the default:
  • with WordPress Infomaniak
  • for other cases

The website displays poorly (missing images, unsupported stylesheets, etc.) or displays a warning in the address bar

It is recommended to perform the following actions:

• Clear the cache of your applications or your site.
• Check that the pages and scripts do not point to external resources in http; the site whynopadlock.com can help you identify the unsecured elements of your site.
• Also refer to this other guide on this topic.

"This web page has a redirect loop", "ERR_TOO_MANY_REDIRECTS"

If your web browser displays this error, it is recommended to perform the following actions:

• If the site runs on a web application like WordPress or Joomla, disable the extensions one by one to identify the problematic one.
• Check that the pages and scripts of the site do not contain redirects to the http version of the site.
• Try to disable HSTS.
• If **Prestashop** is used, you need to activate SSL **on all pages**:
  1. Add your SSL domain:
     • Go to Preferences > SEO & URLs.
     • In the "Shop URL" section, enter your site address in the "SSL Domain" field (without the https://, just www.domain.xyz).
  2. Activate SSL:
     • Go to Preferences > General Settings.
     • At the top of the page, click on "Click here to use the HTTPS protocol before activating SSL mode."
     • A new page will open with your site in secure HTTPS version.
  3. Force SSL usage on the entire site:
     • Go back to Preferences > General Settings.
     • Set the "Enable SSL" option to YES.
     • Also set "Force SSL usage for all pages" to YES.

An old SSL certificate is displayed - clear the SSL cache

Web browsers cache SSL certificates to speed up navigation. Normally, this is not a problem. However, when you develop pages for your website or install a new certificate, the SSL state of the browser can hinder you. For example, you might not see the padlock icon in the browser's address bar after installing a new SSL certificate.

The first thing to do in this case is to make sure that the domain is correctly pointing to the server's IP address (A and AAAA records) and if it is still the wrong SSL certificate that is returned, clear the SSL cache:

• Chrome: go to Settings and click on Settings. Click on Show advanced settings. Under Network, click on Change proxy settings. The Internet Properties dialog box appears. Click on the Content tab. Click on Clear SSL state, then click OK. Find other tips in this other guide.
• Firefox: go to History. Click on Clear Recent History then select Active Logins and click on Clear Now.

Loss of CSS formatting

If the website displays without CSS styling, analyze the page loading with the browser's Console. There might be mixed content errors related to your .css styles, which you will need to resolve to load them correctly again.

Cloudflare

If you use Cloudflare, refer to this other guide on the subject.

Thank you for choosing Infomaniak to secure your sites with a SSL certificate EV or DV from Sectigo.

Main SSL guides

• Order an EV SSL certificate from Sectigo
• Understand the difference between EV and DV certificates
• Use a Sectigo certificate on an external site (other host)
• Understand the Sectigo warranty for SSL Certificates
• Troubleshoot an SSL/https issue
• Install a free Let's Encrypt SSL certificate on a site
• Install a free wildcard SSL certificate
• Uninstall an SSL certificate
• Update a Let's Encrypt SSL certificate (for example after adding/removing aliases)

Further assistance

• Familiarize yourself with all the FAQs on SSL
• Contact Infomaniak support

This guide helps you understand the error "Your Connection Is Not Private" when you try to access a website, whether you are the site owner or a simple visitor.

Understand the error

The error "Your Connection Is Not Private" sometimes appears in your browser when it has trouble establishing a secure connection with the site you are trying to visit. This usually happens when the website does not have a valid security certificate and does not use the SSL/TLS protocol to protect communication between the site and your web browser.

In fact, this is a security measure aimed at protecting your data. Websites with invalid SSL certificates may have security issues, making them less reliable. They can also expose your personal information to hackers if you enter sensitive data, such as your login credentials or payment information.

If you are a visitor

This may be due to configuration errors, such as an insecure Wi-Fi connection, incorrect date and time on your computer, or even an SSL/HTTPS analysis by your antivirus software.

If you own an Infomaniak website

Have you installed an SSL certificate?

Learn about the different certificates available on the Infomaniak site.

And if you already have an SSL certificate for your site, have you updated it to include any potential site aliases?

Check the SSL certificate expiration date

Certificates are renewed automatically. To check the expiration date:

1. Click here to access the management of your product on the Infomaniak Manager (need help?).
2. Check the column containing the expiration dates:
   

Check the installation

If you think you have activated SSL on your site, check a few points in this other guide.

This guide explains how to install a free SSL certificate from Let's Encrypt on a website hosted by Infomaniak.

Preamble

• Once the certificate is installed, your website will be accessible in http and https …
  • If necessary automatically redirect all your visitors to the secure https site.
• If you want to include an alias domain recently added to your site that already had a certificate, you need to update it.
• For multiple subdomains, refer to this other guide.
• Let's Encrypt limits certificate installation to:
  • 100 subdomains
  • 20 certificates for 7 days per registered domain
  • 5 failed requests per account per host name per hour

Install a free SSL certificate on a site

Prerequisites

• For the installation to be possible, the DNS of the domain name must be correctly configured to point to the site in question.
• If a change has recently been made at this level, some operations may not be functional immediately.

To access the websites to install an SSL certificate:

1. Click here to access the management of your product on the Infomaniak Manager (need help?).
2. Click directly on the name assigned to the product in question:
   
3. Click on Configure under SSL Certificate:
   
4. Click the Install certificate button:
   
5. Choose the free certificate.
6. Click on the Next button:
   
7. Check or select the relevant domains.
8. Click on the Install: button:
   
9. Wait until the certificate is obtained on the site.

This guide explains how to renew a wildcard certificate via DNS challenge using Certbot.

Preamble

• Make sure to protect the configuration files and scripts containing sensitive information such as API tokens.
• Test the manual and automatic renewal process to ensure everything works correctly before the expiration date of the existing certificate.

Generate the wildcard certificate

Prerequisites

1. Click here to access API management on the Manager Infomaniak (need help?).
2. Create an Infomaniak API token with the scope "domain".
3. Save this token for later use.

From a terminal application (command line interface, CLI) on your device, for example cmd on Windows or Terminal (installed by default on macOS), run the Certbot command with the following parameters:

certbot certonly --manual -d *.domain.tld --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

Create the TXT record

Create the TXT record for _acme_challengez.domain.tld manually from the Infomaniak interface.

Set up automatic renewal

Create the renewal configuration file

Create or edit the file /etc/letsencrypt/renewal/domain.tld.conf with the following information:

	[...]	
	[renewalparams]	
	account = xxxxx	
	pref_challs = dns-01,	
	server = https://acme-v02.api.letsencrypt.org/directory	
	authenticator = manual	
	manual_auth_hook = /root/infomaniak-auth.sh	
	key_type = rsa

Create the script infomaniak-auth.sh

Create the file /root/infomaniak-auth.sh with the following content:

	#!/bin/bash	
	INFOMANIAK_API_TOKEN=XXXXXXX	
	certbot certonly \	
	--authenticator dns-infomaniak \	
	--server https://acme-v02.api.letsencrypt.org/directory \	
	--agree-tos \	
	--rsa-key-size 4096 \	
	-d $CERTBOT_DOMAINdsqqds

Replace XXXXXXX with your Infomaniak API Token.

Automatic renewal

Schedule regular execution of certbot renew via a cron job to account for the configuration file and automatically renew your certificate at regular intervals.

0 0 */x * * /usr/bin/certbot renew --quiet --config /etc/letsencrypt/renewal/domain.tld.conf

Replace /x with the desired renewal frequency, for example every 30 days.

This guide explains how…

1. … generate a CSR and private key to request a third-party certificate from a Certification Authority (CA),
2. … import this certificate for your Infomaniak site, using the CRT obtained from the CA.

Preamble

• Although Infomaniak offers all the SSL certificates you might need…
  • free Let's Encrypt certs for personal sites (only possible with sites hosted at Infomaniak),
  • DV certs from Sectigo for professional/private sites that are not registered in the trade register,
  • EV certs from Sectigo for companies registered in the trade register,
• It is also possible to install an SSL certificate obtained elsewhere (intermediate certificate from a certification authority of your choice), custom or self-signed certificates.

1. Generate a CSR (Certificate Signing Request)

A CSR (Certificate Signing Request or Certificate Signing Request) is an encoded file containing the information necessary to request an SSL/TLS certificate.

It must be generated on your side to ensure that the private key remains under your control, using for example OpenSSL.

Adapt and run the following command from a terminal application (command line interface, CLI) on your device:

openssl req -utf8 -nodes -sha256 -newkey rsa:2048 -keyout domain.xyz.key -out domain.xyz.csr -addext "subjectAltName = DNS:domain.xyz, DNS:www.domain.xyz"

Explanations

• newkey rsa:2048: Generates a new 2048-bit RSA key.
• keyout domain.xyz.key: Specifies the file where the private key will be saved.
• out domain.xyz.csr: Specifies the file where the CSR will be saved.
• addext “subjectAltName = ...”: Adds additional domains via the SAN (Subject Alternative Name) extension, necessary to include all desired domains in the certificate (the main domain domain.xyz + any other associated domain or subdomain, such as www.domain.xyz).

After generation, you can check the contents of the CSR with the following command:

openssl req -in domain.xyz.csr -noout -text

This allows you to verify that all domains listed in subjectAltName are correctly included.

Once the CSR is generated, you can send it to the certification authority (CA) to obtain your SSL/TLS certificate.

2. Import the external certificate

Once validated, the CA issues a certificate (domain.xyz.crt) and sometimes an intermediate certificate (ca_bundle.crt). To access SSL certificate management:

1. Click here to access the management of your product on the Infomaniak Manager (need help?).
2. Click directly on the name assigned to the relevant product.
3. Click on SSL Certificates in the left sidebar.
4. Click the blue Install a certificate button:
   
5. Choose the custom certificate.
6. Click on the Next button:
   
7. Import your certificate and private key, either by importing the .crt and .key files or by copy-pasting.
8. Click on Complete:
   

Alternative command to generate a self-signed certificate (optional)

If you want a local certificate for testing purposes only or without going through a CA (not recommended for production), you can use this command:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout domain.xyz.key -out domain.xyz.crt -addext “subjectAltName = DNS:domain.xyz, DNS:www.domain.xyz”

This generates both a self-signed certificate (domain.xyz.crt) and a private key (domain.xyz.key). However, self-signed certificates are not recognized as valid by public browsers or systems. They are only suitable for internal or development environments.

Import an intermediate certificate

When adding a custom SSL certificate, it is possible to import the intermediate certificate (by importing the .crt file or pasting the data provided by the certification authority):

This guide details the conditions and procedure to obtain a EV SSL certificate from Sectigo with Infomaniak.

Preamble

• Extended Validation (EV) SSL certificates can only be issued to organizations, companies, and societies legally registered with a recognized government authority (such as a commercial register).
  • The DV certificates from Sectigo and Let's Encrypt are not subject to this constraint.
  • Compare the available SSL certificates
• In case of a DV or EV certificate validation issue, refer to this other guide.

EV Certificate Validation Procedure

Obtaining an EV SSL certificate can take up to 24 hours and requires valid information from the client.

This procedure is repeated every 12 months, regardless of the subscription duration chosen for the EV certificate.

1. Verification of the company's details

The data that will be added to the certificate must first be verified with an independent source:

• the legal or commercial name
• the legal form
• the address
• the postal code
• the region / the canton / the department
• the country / the country code

Attention:

• The company name must exactly match the one registered with the registry or the chamber of commerce; the order can only be processed if the given name is registered and correctly noted.
• Only the registered legal name or the brand name followed by the legal name in parentheses is allowed [example: Commercial Name (Legal Name)]; for entities without a legal name, all commercial names can be used.
• It is forbidden to use a postal address.

Given the above, a new request with correct data in the CSR is sometimes necessary, and Infomaniak may also need your approval to make changes to the information provided during the order.

2. Verification of data in the WHOIS directory

The WHOIS directory displays the information of the owner of a domain name. This data must match the information provided when ordering the EV SSL certificate.

To update the information for a domain in the WHOIS:

• If your domain is managed at Infomaniak, refer to this other guide.
• If your domain is not managed at Infomaniak, contact your host/registrar.

3. Contract & validation for the EV certificate

After ordering an EV certificate, the designated company contact person will receive an email from the certification authority Sectigo with the following documents:

• the certificate application form
• the certificate contract

These documents are pre-filled and the contact person must validate them online using an additional code. This will be provided by a Sectigo telephone robot (the call number will come from the Netherlands, +31 88 775 77 77 in principle) orally to your number registered with the registry or the chamber of commerce.

Each certificate request is validated by phone, including renewals and reissues of multi-domain certificates.

4. Domain verification (for external sites only)

This step verifies that you have control over the domain (if it is external to Infomaniak) for which the certificate is requested. Domains of sites hosted at Infomaniak are automatically validated.

Each (sub-)domain must be approved individually via one of the methods described in this other guide.

This guide details the conditions and procedure for using a Sectigo Infomaniak certificate on a site hosted elsewhere, with a third-party host.

Preamble

• You have the possibility to benefit from the advantageous rates of Infomaniak for your SSL certificates while managing your sites with another host.

Install a Sectigo certificate

Due to the different service providers, the installation of your certificate will not be automatic:

1. Obtain the CSR

Export the CSR configuration file from your host and enter it when ordering your certificate at Infomaniak.

2. Confirm domain ownership

Validate the domains included in the certificate via one of the following methods:

• Enter a validation code received at one of the following email addresses (the complete email address must exist on the domain to be validated, for example “domain.xyz”):
  • admin@domain.xyz
  • administrator@domain.xyz
  • hostmaster@domain.xyz
  • postmaster@domain.xyz
  • webmaster@domain.xyz
• Creation of a unique CNAME record in the domain's DNS.
• Validation txt file to upload via FTP to your site.

This guide details the validity rules for SSL EV and DV certificates (effective as of September 1, 2020).

Validity period of SSL certificates

Following a meeting of the CA/B Forum, which brings together major web players (Safari, Google Chrome, Mozilla Firefox, etc. - learn more), it was decided to set the maximum validity period for SSL certificates to 397 days. This change aims, among other things, to limit the risk of certificate hacking and to increase the level of security of the certificates. It is not excluded that the maximum validity period of a certificate may be further shortened in the coming years. Some players like Apple, Google or even Sectigo are pushing in this direction.

SSL DV Certificates from Sectigo

Sectigo SSL DV certificates with a duration of more than 1 year are automatically renewed by Infomaniak (certificate reissued during the month preceding its expiration date).

It is necessary to reinstall the certificate on your site if it is not managed by Infomaniak.

SSL EV Certificates from Sectigo

The SSL EV certificates from Sectigo will need to be validated each year, regardless of the chosen subscription duration.

It is necessary to reinstall the certificate on your site if it is not managed by Infomaniak.

This guide explains how to generate a certificate signing request (CSR) for a domain name and all its subdomains with a Web Hosting. This allows you to encrypt the connection to your domain name and all its subdomains via SSL.

Setting up a Wildcard certificate

1. Add a wildcard domain alias with asterisk *

To add a wildcard alias * to your website:

1. Click here to access the management of your product on the Infomaniak Manager (need help?).
2. Click directly on the name assigned to the product concerned:
   
3. Then click on the chevron ‍ to expand the Domains section of this site.
4. Click on the Add a domain button:
   
5. Enter the domain name to add in this format:
   • *.domain.xyz (the asterisk is mandatory, followed by a dot, then the domain name of the website which is domain.xyz in this example)
6. Click on the Confirm button to complete the procedure:
   

2. Install a SSL certificate or update it

Example of updating the existing certificate to include the wildcard sub-domain *:

1. Click here to access the management of your product on the Infomaniak Manager (need help?).
2. Click directly on the name assigned to the relevant product.
3. Click on SSL in the left sidebar.
4. Click on the action menu ⋮ located on the right.
5. Click on Change the certificate:
   
6. Select the same certificate that you already own.
7. Click on the button Next:
   
8. Make sure the recently added subdomain is selected.
9. Click on the Install button at the bottom:
   
10. Wait for the creation or update to complete.

This guide explains how to add or modify one or more CAA type records in the DNS zone (of a domain name) managed on the Manager Infomaniak.

Introduction

• A CAA record allows you to specify a certification authority authorized to issue certificates for a domain.

Add a CAA

Refer to this other guide to manage this type of record in a DNS zone.

Adding CAA to validate an SSL certificate…

… Sectigo

In the case of a SSL certificate validation for Sectigo, follow the generic guide above but enter the following data specifically:

• Select "Issue for Certification Authority".
• Enter the flag: 0.
• Specify sectigo.com:

… Let's Encrypt

In the case of a SSL certificate validation for Let's Encrypt, follow the generic guide above but enter the following data specifically:

• Select "Issue for Certification Authority".
• Enter the flag: 0.
• Specify letsencrypt.org:

The warranty provided with an EV or DV SSL certificate protects your users against any unexpected issues related to a possible validation error by Sectigo, the certification authority that issues SSL certificates and validates your personal data.

The guarantee is therefore claimable if the certification authority does not correctly validate the information contained in the digital certificate and this failure causes the end user to lose money in the context of a fraudulent credit card transaction.

This guide explains how to uninstall an SSL Certificate regardless of its type, initially installed from the Infomaniak Manager. If your certificate is a paid type and you wish to cancel the current offer instead, refer to this other guide.

Remove an SSL Certificate

To uninstall an Infomaniak certificate:

1. Click here to access the management of your product on the Manager Infomaniak (need help?).
2. Click directly on the name assigned to the product in question:
   
3. Click on the action menu ⋮ located to the right of the relevant item.
4. Click on Uninstall:
   
5. Confirm the uninstallation of the certificate.

This guide explains how to add a dynamic trust seal to a secure site with a SSL certificate from Sectigo.

Preamble

• As a host, Infomaniak offers SSL certificates to secure its clients' websites
• Sectigo (formerly known as Comodo) is a recognized SSL certificate provider that offers different levels of security
• The "dynamic trust seal", or "Sectigo Trust Seal" / "Sectigo Trust Logo" is a visual that website owners can display on their pages to indicate to visitors that their connection is secure, a sign of trust that informs users that the transactions and information exchanges carried out on the site are encrypted and protected by an SSL certificate issued by Sectigo.
• By using a Sectigo SSL certificate and displaying the dynamic trust seal, a website at Infomaniak benefits not only from secure data exchange but also from increased user trust, which is essential for e-commerce and personal information protection.

Add a trust seal

Here's how a dynamic trust seal works:

1. Validation: to obtain such a seal, the site owner must first obtain a valid SSL certificate from Sectigo, which requires a validation process; depending on the level of certificate chosen (Domain Validation - DV, Organization Validation - OV or Extended Validation - EV), this validation can be more or less in-depth
2. Installation: once the SSL certificate is obtained and installed on the Infomaniak web server, the website is then able to establish secure HTTPS connections
3. Displaying the seal: Sectigo provides an HTML code or a script that the site owner can then integrate into their website; this code allows the dynamic trust seal from Sectigo to be displayed
4. Update: the seal is often updated in real-time to reflect the current status of the SSL certificate; if the certificate were to expire or be revoked, the seal would reflect this as well, thus warning potential visitors that the site might no longer be secure
    

The trust seal consists of an image and an HTML code. The latter only works if a Sectigo certificate is installed on the site and in this case generates an interactive logo that displays the certificate data.

Save one of the images below

Right-click on the image you want to save, then click on Save image as...

• Small
• Medium
• Large

Upload the image to your site

Send the image to your web server (via FTP or your CMS) and note the URL to access this image for the next step (for example https://domain.xyz/wp-content/uploads/sectigo.png).

Get the code to integrate into your pages

Enter the full address of your image on the page https://www.trustlogo.com/install/index2.html to check if the image is accessible.

Click the Continue button on the same page to get the 2 codes to copy and paste into the header of your web page(s):

Important:

• In the code, CL1 corresponds to a DV SSL certificate; replace CL1 with SC5‍ for an EV type SSL certificate.

This guide explains how to export an SSL certificate from the Infomaniak Manager.

Preamble

• Downloading the certificate generates a file in .zip format.
• The archive contains the .key and .crt files.
• It is recommended to store this certificate and its private key in a secure location, as the latter could allow access to your encrypted data:
  

Export an SSL certificate

To access the management of your certificates:

1. Click here to access the management of your product on the Manager Infomaniak (need help?).
2. Click directly on the name assigned to the relevant product.
3. Click on the action menu ⋮ to the right of the relevant item in the displayed table.
4. Select Export the certificate and follow the instructions to download the archive:
   

This guide explains how to correctly interpret the detailed information provided by Qualys SSL Labs (https://www.ssllabs.com/ssltest/) which can sometimes seem technical or alarming without the appropriate context.

Preamble

• Qualys SSL Labs is a widely used analysis tool to evaluate the SSL/TLS configuration of websites.
• The warnings in their reports are often just technical details with no impact on the site's security or SEO.

Multiple certificates in SSL Labs reports

When SSL Labs analyzes a site, it may display several numbered certificates (certificate #1, certificate #2, etc.). This happens for several reasons:

1. Main certificate (#1): The certificate presented when SNI (Server Name Indication) is used.
   • SNI is a TLS extension that allows a server to host multiple SSL certificates for different domains on the same IP address. When a browser connects, it indicates the domain name it wants to join.
2. Secondary certificate (#2): The certificate presented when SNI is not used or during a direct IP connection.

An indication "No SNI" in certificate #2 is not an error. It simply means that SSL Labs tested what happens when a client connects without providing SNI information. In this case:

• The server provides a fallback certificate (often a generic or preview certificate).
• This situation only concerns very outdated clients that do not support SNI.
• Modern browsers all use SNI and will therefore receive certificate #1.

Certificate chain issues

"Chain issues: Incorrect order, Extra certs, Contains anchor"

These warnings do not necessarily mean that the certificate is defective:

• Incorrect order: The intermediate certificates are not presented in the optimal order.
• Extra certs: Unnecessary additional certificates are included.
• Contains anchor: The root certificate is included in the chain.

The TLS protocol allows the root certificate to be omitted as it is normally already present in the browsers' certificate stores. Including it is not an error, but a redundancy.

“Alternative names mismatch”

For the backup certificate (#2), the "MISMATCH" warning is normal because:

• This certificate is designed for another domain (preview.infomaniak.website).
• It is only presented when SNI is not used.
• The browser receiving this certificate would identify it as not matching the requested domain, but this does not affect normal connections with SNI.

Regarding SEO concerns:

• Google and other search engines use modern browsers that support SNI.
• They receive certificate #1, which is valid for your domain.
• Warnings regarding certificate #2 do not impact SEO.
• Only issues with the primary certificate (#1) could affect SEO.

This configuration is perfectly suited for shared hosting where multiple sites share the same infrastructure, with a preview certificate serving as a fallback solution.

This guide explains how to obtain an SSL certificate of type .p12 2048 bits , useful notably for SAP, Salesforce, etc. from the Infomaniak infrastructure.

Obtain a .p12 certificate

A p.12 certificate is a container that includes the certificate, the intermediate CAs and the key itself.

It is possible to create this type of certificate from what can be downloaded from the Infomaniak Manager:

• Order a certificate for the domain sap.domain.xyz by providing a CSR (which means having the private key with you, named for example server.key)
• Download the generated certificate from the Manager Infomaniak: sap.domain.xyz-15-03-2024.zip
• Unzip the archive

• Run

  openssl pkcs12 -export -out server.p12 -inkey server.key -in sap.domain.xyz.crt -certfile ca_bundle.crt

A server.p12 file will then be obtained.

If the certificate was generated without a CSR, it is the .key file present in the downloaded zip that will serve as the key.

This guide explains how to add two different EV or DV SSL Certificates to the same site.

Preamble

• Since it is not possible to install two SSL certificates on the same site, it is necessary to create two identical sites.

Creation of the second site

Prerequisites

• Remove any potential domain name alias from your site.

To access web hosting to add a site:

1. Click here to access the management of your product on the Infomaniak Manager (need help?).
2. Click directly on the name assigned to the relevant product.
3. Click on the button Add a site:
   
4. Continue without installing any tool.
5. Choose between using a domain name or a subdomain.
6. Specify the domain or subdomain name.
7. Click on Advanced options.
8. Enable (or not) the Let's Encrypt SSL certificate on the future site.
9. Check the box Set location manually.
10. Choose the same location as the main site:
    
11. Choose the same version PHP as the main site:
12. Click on the blue Next button to start creating the site.

Install the SSL certificate

Once the second site is created (any addition/modification may take up to 48 hours to propagate), you will be able to install an SSL certificate (if you chose not to install the certificate at point 8 above).

To access website management:

1. Click here to access the management of your product on the Infomaniak Manager (need help?).
2. Click directly on the name assigned to the relevant product.
3. Click on SSL Certificates in the left sidebar.
4. Click on the blue button Install a SSL certificate and follow the procedure.

This guide is for you if you are having issues with a Sectigo SSL certificate of type DV or EV.

Sectigo Change (June 2025)

Since June 2025, Sectigo uses a new validation infrastructure called MPIC, which performs the necessary checks to issue SSL certificates (including EV and OV) from servers located around the world, and no longer solely from the United States.

A challenge is a method used by the certification authority to verify that the applicant actually controls the domain. This can be done through an HTTP request, a DNS record, or an email. For EV and OV certificates, this challenge is combined with checks on the organization's identity.

With this new method, validation requests can come from any country or internet service provider. If your site or server uses geoblocking rules, a web application firewall (WAF), or a service like Cloudflare with country or ASN access restrictions, these checks may be blocked, causing the validation to fail.

Even though Sectigo mainly discusses OV and EV certificates, this change can also indirectly affect DV certificates, since domain validation always relies on the ability to access the necessary resources.