This guide explains how to generate a certificate signing request (CSR) for a domain name and all its subdomains with a Web Hosting. This allows you to encrypt the connection to your domain name and all its subdomains via SSL.

Setting up a Wildcard certificate

1. Add a wildcard domain alias with asterisk *

To add a wildcard alias * to your website:

1. Click here to access the management of your product on the Infomaniak Manager (need help?).
2. Click directly on the name assigned to the product concerned:
   
3. Then click on the chevron ‍ to expand the Domains section of this site.
4. Click on the Add a domain button:
   
5. Enter the domain name to add in this format:
   • *.domain.xyz (the asterisk is mandatory, followed by a dot, then the domain name of the website which is domain.xyz in this example)
6. Click on the Confirm button to complete the procedure:
   

2. Install a SSL certificate or update it

Example of updating the existing certificate to include the wildcard sub-domain *:

1. Click here to access the management of your product on the Infomaniak Manager (need help?).
2. Click directly on the name assigned to the relevant product.
3. Click on SSL in the left sidebar.
4. Click on the action menu ⋮ located on the right.
5. Click on Change the certificate:
   
6. Select the same certificate that you already own.
7. Click on the button Next:
   
8. Make sure the recently added subdomain is selected.
9. Click on the Install button at the bottom:
   
10. Wait for the creation or update to complete.

This guide explains how to add or modify one or more CAA type records in the DNS zone (of a domain name) managed on the Manager Infomaniak.

Introduction

• A CAA record allows you to specify a certification authority authorized to issue certificates for a domain.

Add a CAA

Refer to this other guide to manage this type of record in a DNS zone.

Adding CAA to validate an SSL certificate…

… Sectigo

In the case of a SSL certificate validation for Sectigo, follow the generic guide above but enter the following data specifically:

• Select "Issue for Certification Authority".
• Enter the flag: 0.
• Specify sectigo.com:

… Let's Encrypt

In the case of a SSL certificate validation for Let's Encrypt, follow the generic guide above but enter the following data specifically:

• Select "Issue for Certification Authority".
• Enter the flag: 0.
• Specify letsencrypt.org:

The warranty provided with an EV or DV SSL certificate protects your users against any unexpected issues related to a possible validation error by Sectigo, the certification authority that issues SSL certificates and validates your personal data.

The guarantee is therefore claimable if the certification authority does not correctly validate the information contained in the digital certificate and this failure causes the end user to lose money in the context of a fraudulent credit card transaction.

This guide explains how to uninstall an SSL Certificate regardless of its type, initially installed from the Infomaniak Manager. If your certificate is a paid type and you wish to cancel the current offer instead, refer to this other guide.

Remove an SSL Certificate

To uninstall an Infomaniak certificate:

1. Click here to access the management of your product on the Manager Infomaniak (need help?).
2. Click directly on the name assigned to the product in question:
   
3. Click on the action menu ⋮ located to the right of the relevant item.
4. Click on Uninstall:
   
5. Confirm the uninstallation of the certificate.

This guide explains how to add a dynamic trust seal to a secure site with a SSL certificate from Sectigo.

Preamble

• As a host, Infomaniak offers SSL certificates to secure its clients' websites
• Sectigo (formerly known as Comodo) is a recognized SSL certificate provider that offers different levels of security
• The "dynamic trust seal", or "Sectigo Trust Seal" / "Sectigo Trust Logo" is a visual that website owners can display on their pages to indicate to visitors that their connection is secure, a sign of trust that informs users that the transactions and information exchanges carried out on the site are encrypted and protected by an SSL certificate issued by Sectigo.
• By using a Sectigo SSL certificate and displaying the dynamic trust seal, a website at Infomaniak benefits not only from secure data exchange but also from increased user trust, which is essential for e-commerce and personal information protection.

Add a trust seal

Here's how a dynamic trust seal works:

1. Validation: to obtain such a seal, the site owner must first obtain a valid SSL certificate from Sectigo, which requires a validation process; depending on the level of certificate chosen (Domain Validation - DV, Organization Validation - OV or Extended Validation - EV), this validation can be more or less in-depth
2. Installation: once the SSL certificate is obtained and installed on the Infomaniak web server, the website is then able to establish secure HTTPS connections
3. Displaying the seal: Sectigo provides an HTML code or a script that the site owner can then integrate into their website; this code allows the dynamic trust seal from Sectigo to be displayed
4. Update: the seal is often updated in real-time to reflect the current status of the SSL certificate; if the certificate were to expire or be revoked, the seal would reflect this as well, thus warning potential visitors that the site might no longer be secure
    

The trust seal consists of an image and an HTML code. The latter only works if a Sectigo certificate is installed on the site and in this case generates an interactive logo that displays the certificate data.

Save one of the images below

Right-click on the image you want to save, then click on Save image as...

• Small
• Medium
• Large

Upload the image to your site

Send the image to your web server (via FTP or your CMS) and note the URL to access this image for the next step (for example https://domain.xyz/wp-content/uploads/sectigo.png).

Get the code to integrate into your pages

Enter the full address of your image on the page https://www.trustlogo.com/install/index2.html to check if the image is accessible.

Click the Continue button on the same page to get the 2 codes to copy and paste into the header of your web page(s):

Important:

• In the code, CL1 corresponds to a DV SSL certificate; replace CL1 with SC5‍ for an EV type SSL certificate.

This guide explains how to export an SSL certificate from the Infomaniak Manager.

Preamble

• Downloading the certificate generates a file in .zip format.
• The archive contains the .key and .crt files.
• It is recommended to store this certificate and its private key in a secure location, as the latter could allow access to your encrypted data:
  

Export an SSL certificate

To access the management of your certificates:

1. Click here to access the management of your product on the Manager Infomaniak (need help?).
2. Click directly on the name assigned to the relevant product.
3. Click on the action menu ⋮ to the right of the relevant item in the displayed table.
4. Select Export the certificate and follow the instructions to download the archive:
   

This guide explains how to correctly interpret the detailed information provided by Qualys SSL Labs (https://www.ssllabs.com/ssltest/) which can sometimes seem technical or alarming without the appropriate context.

Preamble

• Qualys SSL Labs is a widely used analysis tool to evaluate the SSL/TLS configuration of websites.
• The warnings in their reports are often just technical details with no impact on the site's security or SEO.

Multiple certificates in SSL Labs reports

When SSL Labs analyzes a site, it may display several numbered certificates (certificate #1, certificate #2, etc.). This happens for several reasons:

1. Main certificate (#1): The certificate presented when SNI (Server Name Indication) is used.
   • SNI is a TLS extension that allows a server to host multiple SSL certificates for different domains on the same IP address. When a browser connects, it indicates the domain name it wants to join.
2. Secondary certificate (#2): The certificate presented when SNI is not used or during a direct IP connection.

An indication "No SNI" in certificate #2 is not an error. It simply means that SSL Labs tested what happens when a client connects without providing SNI information. In this case:

• The server provides a fallback certificate (often a generic or preview certificate).
• This situation only concerns very outdated clients that do not support SNI.
• Modern browsers all use SNI and will therefore receive certificate #1.

Certificate chain issues

"Chain issues: Incorrect order, Extra certs, Contains anchor"

These warnings do not necessarily mean that the certificate is defective:

• Incorrect order: The intermediate certificates are not presented in the optimal order.
• Extra certs: Unnecessary additional certificates are included.
• Contains anchor: The root certificate is included in the chain.

The TLS protocol allows the root certificate to be omitted as it is normally already present in the browsers' certificate stores. Including it is not an error, but a redundancy.

“Alternative names mismatch”

For the backup certificate (#2), the "MISMATCH" warning is normal because:

• This certificate is designed for another domain (preview.infomaniak.website).
• It is only presented when SNI is not used.
• The browser receiving this certificate would identify it as not matching the requested domain, but this does not affect normal connections with SNI.

Regarding SEO concerns:

• Google and other search engines use modern browsers that support SNI.
• They receive certificate #1, which is valid for your domain.
• Warnings regarding certificate #2 do not impact SEO.
• Only issues with the primary certificate (#1) could affect SEO.

This configuration is perfectly suited for shared hosting where multiple sites share the same infrastructure, with a preview certificate serving as a fallback solution.

This guide explains how to obtain an SSL certificate of type .p12 2048 bits , useful notably for SAP, Salesforce, etc. from the Infomaniak infrastructure.

Obtain a .p12 certificate

A p.12 certificate is a container that includes the certificate, the intermediate CAs and the key itself.

It is possible to create this type of certificate from what can be downloaded from the Infomaniak Manager:

• Order a certificate for the domain sap.domain.xyz by providing a CSR (which means having the private key with you, named for example server.key)
• Download the generated certificate from the Manager Infomaniak: sap.domain.xyz-15-03-2024.zip
• Unzip the archive

• Run

  openssl pkcs12 -export -out server.p12 -inkey server.key -in sap.domain.xyz.crt -certfile ca_bundle.crt

A server.p12 file will then be obtained.

If the certificate was generated without a CSR, it is the .key file present in the downloaded zip that will serve as the key.

This guide explains how to add two different EV or DV SSL Certificates to the same site.

Preamble

• Since it is not possible to install two SSL certificates on the same site, it is necessary to create two identical sites.

Creation of the second site

Prerequisites

• Remove any potential domain name alias from your site.

To access web hosting to add a site:

1. Click here to access the management of your product on the Infomaniak Manager (need help?).
2. Click directly on the name assigned to the relevant product.
3. Click on the button Add a site:
   
4. Continue without installing any tool.
5. Choose between using a domain name or a subdomain.
6. Specify the domain or subdomain name.
7. Click on Advanced options.
8. Enable (or not) the Let's Encrypt SSL certificate on the future site.
9. Check the box Set location manually.
10. Choose the same location as the main site:
    
11. Choose the same version PHP as the main site:
12. Click on the blue Next button to start creating the site.

Install the SSL certificate

Once the second site is created (any addition/modification may take up to 48 hours to propagate), you will be able to install an SSL certificate (if you chose not to install the certificate at point 8 above).

To access website management:

1. Click here to access the management of your product on the Infomaniak Manager (need help?).
2. Click directly on the name assigned to the relevant product.
3. Click on SSL Certificates in the left sidebar.
4. Click on the blue button Install a SSL certificate and follow the procedure.

This guide is for you if you are having issues with a Sectigo SSL certificate of type DV or EV.

Sectigo Change (June 2025)

Since June 2025, Sectigo uses a new validation infrastructure called MPIC, which performs the necessary checks to issue SSL certificates (including EV and OV) from servers located around the world, and no longer solely from the United States.

A challenge is a method used by the certification authority to verify that the applicant actually controls the domain. This can be done through an HTTP request, a DNS record, or an email. For EV and OV certificates, this challenge is combined with checks on the organization's identity.

With this new method, validation requests can come from any country or internet service provider. If your site or server uses geoblocking rules, a web application firewall (WAF), or a service like Cloudflare with country or ASN access restrictions, these checks may be blocked, causing the validation to fail.

Even though Sectigo mainly discusses OV and EV certificates, this change can also indirectly affect DV certificates, since domain validation always relies on the ability to access the necessary resources.