Digital Certificates Service - Technical FAQ

About the interface (Sectigo Certificate Manager):

How do I access the management interface?
Who is the local RA for my institution?
How do I perform Domain Control Validation for all (root) domains?
Where can I find more information about the interface?

About certificates:

What certificates are available with Sectigo?
What is a GÉANT wildcard SSL?
Can I request a GÉANT wildcard SSL?
How long will it take to get my certificate?
My server certificate is not issued by a well-known Certificate Authority (CA). Did I forget something?
What is a PKI?

About CSR and Secure Hash Algorithm (SHA):

How do I access the management interface?

  • Sign your agreement and send it to Belnet (only if you are a new customer).
  • Belnet will proceed to your service validation and create your account on the Sectigo interface.
  • Visit the Belnet SCM (Sectigo Certificate Manager) interface and log in with your initial credentials (login + password) that Sectigo sent you. 

Who is the local RA for my institution?

For privacy reasons, we cannot provide a list of RAs for each institution. Contact the computing centre or the IT department within your institution.

How do I perform Domain Control Validation for all (root) domains?

In the Sectigo Certificate Manager (SCM) Administrator's Guide, see chapter §6.4 "Managing and Validating Domains".

Where can I find more information about the interface?

Find all the necessary information in this manual written by Belnet: Belnet Sectigo Documentation.

What certificates are available with Sectigo?

There are 3 categories of certificates:

  • SSL Certificates
  • Client Certificates
  • Code Signing Certificates

What are the subcategories of SSL Certificates?

There are seven subcategories:

  • GÉANT Wildcard SSL 
  • GÉANT Unified Communications Certificate
  • GÉANT OV Multi-Domain
  • GÉANT EV Multi-Domain
  • GÉANT IGTF Multi-Domain 

How to create notifications for SSL certificates that are about to expire?

screen: Create a notification

  • Fill in the form with the desired values
  • You can also modify the default templates:

      - Go to Settings -> Organizations.
      - Select your organisation and click ‘Edit’.
      - The ‘Email Template’ tab lists all available templates.

screen: Edit Organization

  • Select the template you want to modify and click ‘Edit’

screen: edit email template: SSL Expiration

Why am I getting an error when trying to request a certificate?

When requesting a certificate, I get an error: "You cannot order certificates for the following or additional domains: ....".

This is probably because you have not yet added the wildcard version of your domains (* to "Settings -> Domains". Please check our manual for details.

Can we still have Grid Certificates equivalent in Sectigo?

Yes, they are called "GÉANT IGTF Multi-Domain" certificates.

Can I request a Personal/Client Certificate?

Yes, the Sectigo platform allows you to create a Personal/Client Certificate. Download the Personal/Client Certificate manual (last update 24th October 2022) for all details about the procedure.

Can I request an EV (Extended Validation) certificate?

Yes, but there is a very strict validation procedure! Please contact Belnet Service Desk first. We will then provide you with the procedure and start the request.

Are Document Signing Certificates available via Sectigo?

They are not part of the current contract. However, it is possible to order Document Signing Certificates on a preconfigured USB token from Sectigo at reduced prices. More information on this process is available in this GUIDE.

How to request a code signing certificate?

As of May 30th 2023, Sectigo OV code signing certificates will be either:

  • Installed on a Sectigo token and shipped securely to you

  • Available as a download to be installed on your own HSM

The hardware devices (e.g., tokens, HSMs, etc.) must be FIPS-compliant and support externally verifiable key attestation. Please refer to the official Sectigo documentation. Consult the Sectigo_CodeSigningCertificate_AdminGuide_Enterprise guide.

What is a GÉANT wildcard SSL?

It's a certificate that contains a * in its CN (Common Name) field, such as * It's very easy to create only one certificate and to install it on all the servers of your domain.

Unfortunately, it is also unsafe, because even if only one server is compromised, the whole wildcard certificate needs to be revoked. So, all other servers will have an invalid certificate too.

Can I request a GÉANT wildcard SSL?

Yes, the system is authorized to issue wildcard certificates. Beware: it should ideally only be used for a subdomain of your principal domain, such as *
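
To make the scope of a wildcard concrete, the following added example (not part of the Belnet FAQ or of Sectigo's tooling) lists which hosts depend on one wildcard certificate and would need a new certificate if it were revoked. The function names, the example.org domain and the inventory are constructed for illustration; the matching rule is the standard one, where * stands for exactly one left-most DNS label.

```shell
#!/bin/sh
# Added example: which hosts share the fate of one wildcard certificate?
# Matching rule (RFC 6125): "*" stands for exactly one left-most DNS label.

# wildcard_covers PATTERN HOST: returns 0 if a cert for PATTERN is valid for HOST
wildcard_covers() {
    pattern=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$pattern" in
        \*.*) suffix=${pattern#\*} ;;               # e.g. ".lab.example.org"
        *)    [ "$pattern" = "$host" ]; return ;;   # no wildcard: exact match only
    esac
    case "$host" in
        *"$suffix") label=${host%"$suffix"} ;;
        *) return 1 ;;
    esac
    # The wildcard must stand for one non-empty label: no dots, not the apex
    case "$label" in
        ""|*.*) return 1 ;;
    esac
    return 0
}

# blast_radius PATTERN HOST...: print the hosts that lose their certificate
# if the wildcard certificate for PATTERN has to be revoked
blast_radius() {
    bp=$1; shift
    for h in "$@"; do
        if wildcard_covers "$bp" "$h"; then echo "$h"; fi
    done
}

# Constructed inventory (example.org is a placeholder domain)
INVENTORY="www.example.org mail.example.org sso.example.org example.org
node1.lab.example.org node2.lab.example.org db.prod.example.org"

for p in '*.example.org' '*.lab.example.org'; do
    # Word splitting of the inventory is intended here
    echo "$p -> $(blast_radius "$p" $INVENTORY | tr '\n' ' ')"
done
```

The wildcard on the principal domain covers every first-level host, while the one scoped to a subdomain only affects the hosts below that subdomain.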

How long will it take to get my certificate?

It depends on the time it takes for the local administrator within your institution to approve your request.

My server certificate is not issued by a well-known Certificate Authority (CA). Did I forget something?

You probably forgot to download the chain of trust file and install it along with your certificate on your web server.

What is a PKI?

PKI (public key infrastructure) is an operational deployment of a public key cryptographic system, using certificates, CAs, RAs, etc. Its purpose is to let different parties verify the digital identities of people or servers. While not mandatory, PKI uses certificates as its basic building block.

What is a CSR?

CSR (certificate signing request) is a document containing all data that need to be signed in order for a certificate (public key and identity) to be issued by a certificate authority.

Are Unicode or ASCII encoded strings valid in CSR?

Yes, both are valid. Simply select the type within the request page (Unicode is set by default, but you may use ASCII if you prefer).

What about key length?

We recommend a key length of at least 2048 bits, since Sectigo refuses keys shorter than 2048 bits.

What's a PKCS-12 file?

It is a file format that bundles a certificate as a whole (including public and private keys), for example to transport it from one machine to another.

What are SHA-1, SHA-2, SHA-256, SHA-384, etc.?

SHA stands for Secure Hash Algorithm. SHAs are split into several families: currently SHA-1, SHA-2 and SHA-3. Each computes a hash of a message with a fixed length, expressed in bits:

  • SHA-1 hashes are 160 bits long.
  • SHA-2 hashes are 224, 256, 384 or 512 bits long (hence the associated names SHA-256, SHA-384, etc.).
  • SHA-3 is the future new NIST standard to replace SHA-2 but, while known and documented, is not published as a standard yet, and thus, not considered as an algorithm to be used in production environments.
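
The key length and hash answers above can be checked on a CSR before it is submitted. This is an added example, not Belnet's or Sectigo's tooling: make_csr, check_csr, MIN_RSA_BITS and the host.example.org subject are constructed names, and flagging SHA-1/MD5 signatures is this example's own assumption rather than a rule stated in the FAQ.

```shell
#!/bin/sh
# Added example: pre-submission check of a CSR with the openssl CLI.
# Rule from the FAQ: keys shorter than 2048 bits are refused (applied to RSA here).
# Assumption of this example: CSRs signed with SHA-1 or MD5 are flagged too.

MIN_RSA_BITS=2048

# make_csr BITS PREFIX: create PREFIX.key and PREFIX.csr (constructed subject)
make_csr() {
    ( umask 077   # the private key must be readable by its owner only
      openssl req -new -newkey "rsa:$1" -sha256 -nodes \
          -keyout "$2.key" -out "$2.csr" \
          -subj "/CN=host.example.org" >/dev/null 2>&1 )
}

# check_csr FILE: prints a verdict; returns 0 when the CSR passes, 1 otherwise
check_csr() {
    csr_text=$(openssl req -in "$1" -noout -text 2>/dev/null) || {
        echo "FAIL: not a readable PEM CSR"; return 1; }
    key_alg=$(printf '%s\n' "$csr_text" |
        sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    key_bits=$(printf '%s\n' "$csr_text" |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1)
    sig_alg=$(printf '%s\n' "$csr_text" |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)

    if [ "$key_alg" = "rsaEncryption" ] &&
       [ "${key_bits:-0}" -lt "$MIN_RSA_BITS" ]; then
        echo "FAIL: RSA key is ${key_bits:-?} bits, minimum is $MIN_RSA_BITS"
        return 1
    fi
    case "$sig_alg" in
        sha1*|md5*|*SHA1*) echo "FAIL: weak signature hash ($sig_alg)"; return 1 ;;
    esac
    echo "OK: $key_alg $key_bits bits, signed with $sig_alg"
}

# Usage: sh check_csr.sh server.csr
if [ "$#" -gt 0 ]; then check_csr "$1"; fi
```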

Copyright © 2023 Belnet.