Discussions / FAQs
Change or Add a password for PFX using OpenSSL
Generally, PFX files are generated without a password. When importing and being asked for a password this can normally be left blank. Some systems insist that a password is entered.
Therefore we recommend regenerating the PFX file with a password. This can be done using OpenSSL
First convert the PFX file to PEM.
```text
openssl pkcs12 -in cert.pfx -out cert.pem -nodes
```
Then convert the PEM file back to PFX and specify a password
```
openssl pkcs12 -export -out cert.pfx -in cert.pem
Enter Export Passord:
Verifying - Enter Export Password:
```
Posted by Andy Gambles about 2 months ago
How do I download my intermediate certificate?
Once the order is complete there is the option to download the certificate from the order management page within your account. Within the Certificates section of the order management page is the option to select [Show CA Certs]. Clicking this will reveal the intermediate and root certificates linked to your certificate.
[Download Certificate Docs](https://docs.servertastic.com/docs/https-orders#download-certificate)
Posted by Andy Gambles 7 months ago
Why was my order cancelled before it was issued?
There are a few reasons why the order may be cancelled before it was issued.
**Not Validated within 90 days**
If the order has not been validated within 90 days of placing the order then it will automatically be cancelled.
**Approver Rejected**
An email approver was sent to approve the certificate issuance. The email recipient has rejected the issuance and so the order has been cancelled.
**Cancelled by User**
The order was cancelled by the user either via the order management page or the API
**How to restart your order or request a refund**
Please refer to the following guidance on how to restart yoru order or request a refund
[Restart Order / Request Refund](https://docs.servertastic.com/docs/cancel-https-order#restart-order)
Orders purchased using points automatically receive a credit for orders cancelled.
Posted by Andy Gambles over 1 year ago
Can I get an EV SSL Wildcard Certificate?
Due to strict validation requirements set down by all Certificate Authorities wildcard EV certificates are not available from any provider.
You can obtain [EV Multi-Domain SSL certificates](https://www.servertastic.com/ssl-multi-domain).
Posted by Andy Gambles about 2 years ago
I need a certificate with CA=True or KeyUsage=CertSign
The above key constraints mean that the certificate is allowed to issue signed certificates. It is not possible to purchase a publicly trusted certificate with these constraints from any Certificate Authority.
If such a certificate were issued it would be possible to sign an end-entity certificate for any domain and it automatically be trusted by browsers.
This creates a significant security risk as the owner of such a certificate could simply just issue a certificate for google.com or paypal.com and inspect all traffic between the user and the server.
The main reason for requiring such a certificate is to install on a firewall type device that performs deep packet inspection. This is essentially performing a Man-in-the-Middle attack on the end user using the firewall by breaking end-to-end encryption for that user.
The only option is to create a self-signed certificate with these key constraints and then add it as a trusted certificate on all the end user devices connecting through the firewall either via a group policy or asking the end users to install the certificate.
Posted by Andy Gambles about 2 years ago
Why is my certificate is only valid for 1 year but I purchased for multiple years?
Due to changes implemented by the CA Browser Forum certificates can only have a maximum validity period of 397 days to be trusted by browsers.
You can reissue your certificate multiple times during the life of your certificate plan to obtain the full validity.
For more information please see our guide on [Multi-Year HTTPS Certificates](https://docs.servertastic.com/docs/multi-year-https-certificates)
Posted by Andy Gambles over 2 years ago
Convert Private Key to RSA format
Some hosting systems require the Private key to be in RSA format rather than PEM. You can easily convert these files using OpenSSL.
Your private key file will usually start with
`-----BEGIN PRIVATE KEY-----`
an RSA private key will start with
`-----BEGIN RSA PRIVATE KEY-----`
To convert your key simply run the following OpenSSL command
`openssl rsa -in domain.key -out domain-rsa.key`
Posted by Andy Gambles over 2 years ago
How do I convert a PEM to PFX?
You can achieve this using OpenSSL (Mac OSX includes OpenSSL within Terminal.app) or our converter tool.
You should have the following files (Filenames are just for reference)
- Your generated CSR (cert.csr)
- Your Private Key File (key.pem)
- Your SSL certificate provided by the CA (cert.cer)
- The Intermediate Certificate provided by the CA (CA.cer)
**Servertastic Certificate Converter**
You can also use the [Servertastic Certificate Converter](https://tools.servertastic.com/certificate-converter)
**OpenSSL Commands**
Using OpenSSL run the following command
`openssl pkcs12 -export -in cert.cer -inkey key.pem -out certificate.pfx -certfile CA.cer`
This should output a certificate.pfx file.
Posted by Andy Gambles over 2 years ago
CSR does not contain a wildcard domain as expected
Posted by Andy Gambles over 2 years ago
SSL Certificate does not work on Parallels Panel (Plesk)?
Once you have installed the certificate in Parallels Panel you need to then assign it to a web site. While managing your domain click
`Websites & Domains > Show Advanced Operations > Website Scripting and Security`
Tick the box `Enable SSL support` then from the drop down select the correct SSL certificate.
Posted by Andy Gambles over 2 years ago