Digital Certificates Service - Technical FAQ

About the interface (Sectigo Certificate Manager):

How do I access the management interface?
Who is the local RA for my institution?
Where can I find more information about the interface?

About certificates:

What certificates are available with Sectigo?
What is a GÉANT wildcard SSL?
Can I request a GÉANT wildcard SSL?
How long will it take to get my certificate?
My server certificate is not issued by a well known Certificate authority (CA). Did I forget something?
What is a PKI?

About CSR and Secure Hash Algorithm (SHA):

How do I access the management interface?

  • Sign your agreement and send it to Belnet (only if you are a new customer).
  • Belnet will validate your service and create your account on the Sectigo interface.
  • Visit the Belnet SCM (Sectigo Certificate Manager) interface and log in with the initial credentials (login + password) that Sectigo sent you.

Who is the local RA for my institution?

For privacy reasons, we cannot provide a list of RAs for each institution. Contact the computing centre or the IT department within your institution.

Where can I find more information about the interface?

Find all the necessary information in this manual written by Belnet: Belnet Sectigo Documentation.

What certificates are available with Sectigo?

There are 4 categories of certificates:

  • SSL Certificates
  • Client Certificates
  • Code Signing Certificates

What are the subcategories of SSL Certificates?

There are seven subcategories:

  • GÉANT OV SSL 
  • GÉANT Wildcard SSL 
  • GÉANT Unified Communications Certificate
  • GÉANT OV Multi-Domain
  • GÉANT EV SSL 
  • GÉANT EV Multi-Domain
  • GÉANT IGTF Multi-Domain 

Why am I getting an error when trying to request a certificate?

When requesting a certificate, I get an error: "You cannot order certificates for the following or additional domains: ....".

This is probably because you have not yet added the wildcard version of your domains (*.mydomain.be) to "Settings -> Domains". Please check our manual for details.

Can we still get an equivalent of Grid Certificates in Sectigo?

Yes, it is called the "GÉANT IGTF Multi-Domain" certificate.

Can I request an EV (Extended Validation) certificate?

Yes, but there is a very strict validation procedure! Please contact Belnet Service Desk first. We will then provide you with the procedure and start the request.

How do I request a code signing certificate?

Your local administrators will receive an email to confirm your request. After their authorisation, you will receive your certificate by email.

What is a GÉANT wildcard SSL?

It's a certificate that contains a * in its CN (Common Name) field, such as *.mydomain.be. This makes it very easy to create a single certificate and install it on all the servers of your domain.

Unfortunately, it is also unsafe, because even if only one server is compromised, the whole wildcard certificate needs to be revoked. So, all other servers will have an invalid certificate too.

Can I request a GÉANT wildcard SSL?

Yes, the system is authorized to issue wildcard certificates. Beware: it should ideally only be used for a subdomain of your principal domain, such as *.myprinters.mydomain.be.

How long will it take to get my certificate?

It depends on the time it takes for the local administrator within your institution to approve your request.

My server certificate is not issued by a well known Certificate authority (CA). Did I forget something?

You probably forgot to download the chain of trust file and install it along with your certificate on your web server.
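The missing-chain problem described above can be reproduced offline. The following is an added example, not Belnet or Sectigo tooling: it assumes the OpenSSL command-line tool, and the CA names, the host name www.example.test and all file names are constructed.

```shell
#!/bin/sh
# Added example: a leaf certificate validates only when the intermediate CA
# certificate is supplied with it. All names and files are constructed.

# new_req NAME CN: write NAME.key and NAME.csr (2048-bit RSA)
new_req() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# build_demo_pki DIR: constructed root -> intermediate -> leaf hierarchy
build_demo_pki() {
    ( cd "$1" || exit 1
      printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
      new_req root  "Constructed Root CA"
      new_req inter "Constructed Intermediate CA"
      new_req leaf  "www.example.test"
      openssl x509 -req -in root.csr -signkey root.key \
          -extfile ca.ext -days 1 -out root.pem 2>/dev/null
      openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key \
          -CAcreateserial -extfile ca.ext -days 1 -out inter.pem 2>/dev/null
      openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key \
          -CAcreateserial -days 1 -out leaf.pem 2>/dev/null )
}

# chain_ok DIR [with_intermediate]: validate leaf.pem with only the root
# trusted, optionally adding the intermediate the server should send.
chain_ok() {
    if [ "$2" = "with_intermediate" ]; then
        openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" \
            "$1/leaf.pem" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
    fi
}

DEMO_DIR=$(mktemp -d)
build_demo_pki "$DEMO_DIR"
chain_ok "$DEMO_DIR" && echo "leaf only: trusted" || echo "leaf only: NOT trusted"
chain_ok "$DEMO_DIR" with_intermediate &&
    echo "leaf + intermediate: trusted" || echo "leaf + intermediate: NOT trusted"
```

A client that trusts only the root behaves like the first call: without the intermediate certificate it cannot build a path to a CA it knows, even though the leaf certificate itself is fine.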

What is a PKI?

PKI (public key infrastructure) is an operational deployment of a public key cryptographic system, using certificates, CAs, RAs, etc. Its purpose is to let different parties verify the digital identities of people or servers. While not mandatory, PKI uses certificates as its basic building block.

What is a CSR?

CSR (certificate signing request) is a document containing all data that need to be signed in order for a certificate (public key and identity) to be issued by a certificate authority.

Are Unicode or ASCII encoded strings valid in CSR?

Yes, both are valid. Simply select the type within the request page (Unicode is set by default, but you may use ASCII if you prefer).

What about key length?

We recommend a key length of at least 2048 bits, since Sectigo refuses keys shorter than 2048 bits.
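A CSR can be checked against this minimum before it is submitted. The following is an added example, not part of the Belnet or Sectigo documentation: it assumes the OpenSSL command-line tool, and the host names and file names are constructed.

```shell
#!/bin/sh
# Added example: create a CSR and check its key length before submission.
# Host names and file names are constructed placeholders.

MIN_BITS=2048   # minimum RSA key length stated in this FAQ

# make_csr BITS CN PREFIX: write PREFIX.key and PREFIX.csr
make_csr() {
    ( umask 077   # keep the private key readable by its owner only
      openssl req -new -newkey "rsa:$1" -nodes -sha256 \
          -subj "/CN=$2" -keyout "$3.key" -out "$3.csr" 2>/dev/null )
}

# csr_key_bits FILE: print the public key size recorded in the CSR
csr_key_bits() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# csr_sig_alg FILE: print the CSR signature algorithm (hash + key type)
csr_sig_alg() {
    openssl req -in "$1" -noout -text 2>/dev/null |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# csr_acceptable FILE: succeed only if the file parses as a CSR and its
# key is at least MIN_BITS long
csr_acceptable() {
    bits=$(csr_key_bits "$1")
    [ -n "$bits" ] && [ "$bits" -ge "$MIN_BITS" ]
}

WORK=$(mktemp -d)
make_csr 2048 "www.example.test" "$WORK/good"
make_csr 1024 "old.example.test" "$WORK/weak"
for f in "$WORK/good.csr" "$WORK/weak.csr"; do
    if csr_acceptable "$f"; then
        verdict="ok to submit"
    else
        verdict="rejected: key shorter than $MIN_BITS bits"
    fi
    echo "$f: $(csr_key_bits "$f") bits, $(csr_sig_alg "$f"): $verdict"
done
```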

What's a PKCS-12 file?

It is a file format that handles a certificate as a whole (including public and private keys) and allows certificates to be transported from one machine to another, for example.

What are SHA-1, SHA-2, SHA-256, SHA-384, etc.?

SHA stands for Secure Hash Algorithm. SHAs are split into several families: currently SHA-1, SHA-2 and SHA-3. All are algorithms that compute a hash of a message, and they differ in the length of that hash in bits:

  • SHA-1 hashes are 160 bits long.
  • SHA-2 hashes are 224, 256, 384 or 512 bits long (hence the associated names SHA-256, SHA-384, etc.).
  • SHA-3 is the future new NIST standard to replace SHA-2 but, while known and documented, is not published as a standard yet, and thus, not considered as an algorithm to be used in production environments.

Copyright © 2020 Belnet.