This guide explains how to export an SSL certificate from the Infomaniak Manager.
Preamble
- Downloading the certificate generates a file in .zip format.
- The archive contains the .key and .crt files.
- It is recommended to store this certificate and its private key in a secure location, as the latter could allow access to your encrypted data.
Export an SSL certificate
To access the management of your certificates:
- Click here to access the management of your product on the Infomaniak Manager (need help?).
- Click directly on the name assigned to the relevant product.
- Click on the action menu ⋮ to the right of the relevant item in the displayed table.
- Select Export the certificate and follow the instructions to download the archive.
This guide explains how to correctly interpret the detailed information provided by Qualys SSL Labs (https://www.ssllabs.com/ssltest/), which may sometimes seem technical or alarming without appropriate context.
Preamble
- Qualys SSL Labs is an analysis tool widely used to evaluate the SSL/TLS configuration of websites.
- Warnings in its reports are often technical details that do not affect the security or SEO of the site.
Multiple certificates in SSL Labs reports
When SSL Labs analyzes a site, it can display several numbered certificates (certificate #1, certificate #2, etc.). This happens for several reasons:
- Primary certificate (#1): the certificate presented when SNI (Server Name Indication) is used.
- SNI is a TLS extension that allows a server to host multiple SSL certificates for different domains on the same IP address. When a browser connects, it indicates the domain name it wishes to reach.
- Secondary certificate (#2): the certificate presented when SNI is not used or when connecting directly via IP.
An indication "No SNI" in certificate #2 is not an error. It simply means that SSL Labs has tested what happens when a client connects without providing SNI information. In this case:
- The server serves a fallback certificate (often a generic or preview certificate).
- This situation concerns only very obsolete clients that do not support SNI.
- Modern browsers all use SNI and will therefore receive certificate #1.
Certificate chain problems
"Chain issues: Incorrect order, Extra certs, Contains anchor"
These warnings do not necessarily mean that the certificate is defective:
- Incorrect order: Intermediate certificates are not presented in the optimal order.
- Extra certs: Additional certificates that are not required are included.
- Contains anchor: The root certificate is included in the chain.
The TLS protocol allows the root certificate to be omitted, as it is normally already present in the browsers' certificate stores. Including it is not an error, but a redundancy.
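To check a served chain for these three warnings yourself, the following added example (not part of the original guide, and not SSL Labs' own logic) parses the subject=/issuer= lines that `openssl pkcs7 -print_certs -noout` prints for a chain and reports which warnings apply. The sample chain and its names are constructed, and matching an issuer to a subject by name alone is a simplifying assumption.

```python
# Constructed sample: subject=/issuer= pairs in the order a server sent them,
# in the style printed by `openssl pkcs7 -print_certs -noout`.
SAMPLE = """\
subject=CN = www.example.test
issuer=CN = Example Intermediate CA
subject=CN = Example Root CA
issuer=CN = Example Root CA
subject=CN = Example Intermediate CA
issuer=CN = Example Root CA
subject=CN = Unrelated CA
issuer=CN = Other Root CA
"""

def parse_chain(text):
    """Return [(subject, issuer), ...] in served order."""
    certs, subject = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("subject="):
            subject = line[len("subject="):].strip()
        elif line.startswith("issuer=") and subject is not None:
            certs.append((subject, line[len("issuer="):].strip()))
            subject = None
    return certs

def chain_issues(certs):
    """Return the set of chain warnings that apply (names matched as strings)."""
    if not certs:
        raise ValueError("empty chain")
    path = [0]  # indexes of the certificates actually needed, leaf first
    while certs[path[-1]][0] != certs[path[-1]][1]:  # stop at a self-signed root
        issuer = certs[path[-1]][1]
        nxt = next((i for i, (subj, _) in enumerate(certs)
                    if subj == issuer and i not in path), None)
        if nxt is None:  # issuer is not in the served chain
            break
        path.append(nxt)
    issues = set()
    if path != sorted(path):
        issues.add("Incorrect order")
    if len(path) < len(certs):
        issues.add("Extra certs")
    if any(subj == iss for subj, iss in certs[1:]):
        issues.add("Contains anchor")
    return issues

if __name__ == "__main__":
    print(sorted(chain_issues(parse_chain(SAMPLE))))
```

A chain that sends only the leaf followed by its intermediates, in issuing order, returns an empty set.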
"Alternative names mismatch"
For the fallback certificate (#2), the warning "MISMATCH" is normal because:
- This certificate is issued for another domain (preview.infomaniak.website).
- It is presented only when SNI is not used.
- The browser receiving this certificate would identify it as not corresponding to the requested domain, but this does not affect normal connections with SNI.
On SEO concerns:
- Google and other search engines use modern browsers that support SNI.
- They receive certificate #1, which is valid for your domain.
- Warnings concerning certificate #2 have no impact on SEO.
- Only problems with the main certificate (#1) could affect SEO.
This configuration is perfectly suited for shared hosting where several sites share the same infrastructure, with a preview certificate serving as a fallback solution.
This guide explains how to obtain a 2048-bit SSL certificate in .p12 format, useful notably for SAP, Salesforce, etc., from the Infomaniak infrastructure.
Obtain a .p12 certificate
A .p12 certificate is a container that includes the certificate, the intermediate CAs and the private key itself.
It is possible to create this type of certificate from what can be downloaded from the Infomaniak Manager:
- Order a certificate for the domain sap.domain.xyz by providing a CSR (which means having the private key with you, named for example server.key).
- Download the generated certificate from the Infomaniak Manager: sap.domain.xyz-15-03-2024.zip
- Unzip the archive.
- Run:
openssl pkcs12 -export -out server.p12 -inkey server.key -in sap.domain.xyz.crt -certfile ca_bundle.crt
A server.p12 file will then be obtained.
If the certificate was generated without a CSR, it is the .key file present in the downloaded zip that will serve as the key.
This guide explains how to add two different EV or DV SSL Certificates to the same site.
Preamble
- Since it is not possible to install two SSL certificates on the same site, it is necessary to create two identical sites.
Creation of the second site
Prerequisites
- Remove any potential domain name alias from your site.
To access web hosting to add a site:
- Click here to access the management of your product on the Infomaniak Manager (need help?).
- Click directly on the name assigned to the relevant product.
- Click on the Add a site button.
- Continue without installing any tool.
- Choose between using a domain name or a subdomain.
- Specify the domain or subdomain name.
- Click on Advanced options.
- Enable (or not) the Let's Encrypt SSL certificate on the future site.
- Check the box Set location manually.
- Choose the same location as the main site.
- Choose the same PHP version as the main site.
- Click on the blue Next button to start creating the site.
Install the SSL certificate
Once the second site is created (any addition/modification may take up to 48 hours to propagate), you will be able to install an SSL certificate (if you chose not to install the certificate at point 8 above).
To access website management:
- Click here to access the management of your product on the Infomaniak Manager (need help?).
- Click directly on the name assigned to the relevant product.
- Click on SSL Certificates in the left sidebar.
- Click on the blue button Install a SSL certificate and follow the procedure.