Have you got any questions? It is quite likely that someone in our galaxy has already asked them. You are welcome to study our FAQ. If you cannot find an answer to your question there, we strongly suggest you consult the documentation.

Frequently Asked Questions

  1. 1

    How can you tell that a website is secured with a SSL certificate?

    Most of all by:

    • Address containing https:// rather than http://

    • Changing the colour of the address bar of your browser

    • A small padlock icon in the web browser window

  2. 2

    What is the difference between the entities issuing SSL certificates?

    Most of all you should pay attention to whether an entity offering SSL certificates is duly authorised and capable of doing it.

    • The first difference between certification authorities is the compatibility between their certificates and the most popular web browsers. A failure to meet this requirement may have surprising consequences, namely instead of seeming more reliable, the website will actually welcome users with a message that it should not be trusted.

    • Yet another difference is being a holder of the ebTrust SM/TM certificate issued by the American Institute of Certified Public Accountants which guarantees meeting the most stringent security standards set by certification authorities.
    • The third crucial differentiating feature is the country of origin of a given certification authority. This pertains to purchasing a certificate from a representative of a foreign authority which will mean no guarantee of support from the actual vendor.

  3. 3

    I wish to safely enter my data on a website which does not offer a secure connection. How can I do this?

    It is up to the website owner to offer encrypted connections. Users cannot by default choose between an encrypted and open connection. Contact the website administrator.

  4. 4

    How to install a SSL certificate on your website?

    The four basic steps taking you from the level of a vulnerable website up to a website secured with a SSL certificate are as follows:

    • Generating a Certificate Signing Request

    • Purchasing a SSL certificate

    • Validation of the purchaser’s identity by the certification authority

    • Issuing a certificate and installing it on the server along with certificates

  5. 5

    How is SSL encrypted transmission carried out?

    • The user contacts a website, requesting an encrypted connection by entering https:// instead of http://.

    • The server responds automatically by sending its identity certificate to the user.

    • The web browser generates a unique key (sequence of alphanumeric characters) which is to be used to encrypt communication with the website.

    • The user’s web browser encrypts a session key using the public key of the website. In effect only this very specific website will be able to read the data sent by the user.

    • A secure, encrypted transmission has then been established. From this moment onwards all the data sent by either the user or the website will be accessible for them only.

  6. 6

    What kind of data does a SSL certificate contain?

    The SpaceSSL certificate contains:

    • An email address

    • A domain

    • A public key

  7. 7

    What is the difference between various types of SSL certificates?

    The most important differences are:

    • The number of supported subdomains

    • The term of validity

    • Identity validation procedures

Specifications of SpaceSSL certificates

SpaceSSL Domain Validation
Secured address Domain address + website address
Validity terms 1, 2, 3 years
Validation method Domain validation
Encryption 128/256 bit
Guarantee 5000 $
Secured address Domain address and all sub-domains
Validity terms 1, 2, 3 years
Validation method Domain validation
Encryption 128/256 bit
Guarantee 5000 $
Secured address Up to 100 various domain/sub-domain addresses
Validity terms 1, 2, 3 years
Validation method Domain validation
Encryption 128/256 bit
Guarantee 5000 $

How to install SpaceSSL?

1. In order to install an SSL certificate you need the following files:

  • the file containing the server certificate: yourDomainName.crt,
  • the file containing the private key,
  • the file containing the intermediate certificates (intermediate/ca-bundle) relevant to the ordered SSL certificate.
  • Download ca-bundle based on the function of the SHA-2: SpaceSSLChain-SHA2.crt
  • Download ca-bundle based on the function of the SHA-1: SpaceSSLChain-SHA1.crt

2. Place the file on the server which makes your website available, in the relevant directories.

Usual settings:
  • the previously generated ssl.key private key needs to be placed in the /etc/ssl/ssl.key directory.Note:Only Apache can have access permission to this directory.
  • The yourDomainName.crt and ca-bundle files should be moved to /etc/ssl/ssl.crt directory.
Important: The above paths serve only as examples. Your server may have different ones — some modification may be required.

3. Edit the SSL configuration file for the web server with a text editor.

Important: This file location varies depending on the web server configuration. For Apache server:
  • Fedora/CentOS/RHEL: /etc/httpd/conf/httpd.conf
  • Debian and Debian based: /etc/apache2/apache2.conf
Common file names for SSL configuration:
  • httpd-ssl.conf
  • ssl.conf
  • or in the directory: /etc/apache2/sites-enabled/

4. In the VirtualHost configuration of the website to be encrypted, you should add (if there are none) the following entries:

  • SSLEngine on
  • SSLCertificateKeyFile /etc/ssl/ssl.key/server.key
  • SSLCertificateFile /etc/ssl/ssl.crt/yourDomainName.crt
  • SSLCertificateChainFile /etc/ssl/ssl.crt/ (with Apache 1.x SSLCertificateChainFile instead of SSLCACertificateFile should be used)
Important: The above paths serve only as examples. Your server may have different ones — some modification may be required.

5. Additional configuration:

  • SSLProtocol alla. in Apache 2.4 enabling SSLv3 and TLSv1 protocols and optionally TLSv1.1 and TLSv1.2 (in OpenSSL 1.0.1 and higher).b. in Apache 2.2. a SSLProtocol All -SSLv2. directive should be used. The -SSLv2 parameter disables the obsolete SSLv2 protocol support.
  • SSLHonorCipherOrder On - server enforcement of the ciphers use order
  • SSLCipherSuiteECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS - setting priority for the strong ciphers while at the same time disabling the weak and obsolete ones.

6. Save changes to the configuration file

7. Restart the server with the following commands:

  • Debian or Ubuntu distributions: /etc/init.d/apache2 restart
  • Red Hat/Fedora/CentOS distributions: apachectl restart
  • other commands: /usr/sbin/httpsd restart or /etc/init.d/apache restart

Installation of intermediate certificates on an IIS 7 server

Intermediate authority certificates are very important for the SSL certificate to work correctly. They should be installed on the web server, so that the web browser can verify the SSL certificate issuer in the correct manner. Note: Actions described in this manual should be performed only if there are no certificates installed on the Windows 2008/2012 server system.

Installation of Intermediate certificates

For a SpaceSSL certificate or its MultiDomain/Wildcard option, the following intermediate certificate should be downloaded and installed on the server: SSL certificates based on the function of the SHA-2:
  • CA public key: Certum Global Services CA SHA-2: PEMDER
  • CA public key – SpaceSSL: CER | CRT | DER | PEM
  • Cross certificate (Certum Trusted Network CA and Certum CA): DER | PEM
SSL certificates based on the function of the SHA-1:
  • CA public key: Root CA public key – Certum CA: CER
  • CA public key – SpaceSSL: CER | CRT | DER | PEM

Installation of intermediate certificates on a server – step by step

From the Certificates (Local Computer) tree expand the Intermediate Certification Authorities branch. Select the Certificates item, right-click and from the menu select All Tasks -> Import... 01
  1. In the Certificate Import Wizard click Next. 02
  2. Select the file with an intermediate certificate and click Next. 04
  3. Select a target location where the certificate will be stored. Select Place all certificates in the following store. The Certificate store: box should indicate Intermediate Certification Authorities. 05
  4. Select the file with an intermediate certificate and click Next. 03
  5. If you want to install intermediate certificates for certificates of other types, repeat the above steps (from points 2 to 6).
  6. Restart the IIS service.
Note: In some cases changes in the IIS configuration may not be visible after the service restart. If this is the case, you should restart the Windows operating system.

Installation of an SSL certificate on a Microsoft IIS 7 server

Server certificate installation
  1. On receipt of an email with the SSL certificate for the server, copy it into any text editor and save the file with the .cer extension (e.g.www_my_domin.cer).
  2. In order to "close" previously generated CSR requests on the IIS and upload the SSL certificate received, go to the Internet Information Services (IIS) Manager, and from the left menu select your server name. From the centre panel click the Server Certificates icon, then from the Actions right-hand panel select Complete Certificate Request. 01
  3. Select the file that contains the server certificate issued. In the Friendly name: box enter a friendly name for the certificate, which will help you to identify it, e.g. Confirm it with the OK button. 02
  4. The issued server certificate will be displayed in the Server Certificates centre panel. 03
Linking the certificate to a website
  1. Click on the website name (Default Web Site), then from the Actions menu select Bindings... 04
  2. In the Site Bindings window which will be displayed click Add... button. 05
  3. In the Add Site Bindings window from the Type: dropdown list select https, then from the SSL certificate: dropdown list select the certificate which you will use for your website. The list displayed includes certificates with their own private keys. 06
  4. With the changes confirmed, the Site Bindings window should look like this: 07
MMC console configuration
  1. Launch the MMC (Microsoft Management Console) console. From the File menu select Add/Remove Snap-in... 08
  2. Then, from the list of available snap-ins, select Certificates and click on the Add > button. 09
  3. Select Computer account and click on Next>. 10
  4. Select Local computer and click on Finish. 11

Certification Policy

The Certification Policy lays down the rights and obligations of the issuer and the user of the SpaceSSL certificate.


Certification Practice Statement

Certification Practice Statement version 3.5 (1.40 MB) Download

Certificates and CA public keys

When downloading public keys from CAs, you should remember to install them in your web browser or dedicated software. The tables below present the public keys of the Root Certification Authority and of intermediary authorities (4 classes corresponding to 4 reliability levels of Certum CA).

Public Key for SSL certificates based on SHA-2 hash algorithm:  
The crucial CA public keys: Root CA public key – Certum Trusted Network CA 
CA public keys - Certum Global Services CA SHA-2: PEM | DER 
CA public key – SpaceSSL: CER | CRT | DER | PEM | Repository  
Cross certificate (Certum Trusted Network CA and Certum CA): DER | PEM  
Public Key for SSL certificates based on SHA-1 hash algorithm:  
The crucial CA public keys: Root CA public key – Certum CA 
CA public keys - Certum Global Services CA SHA-1: CRT  
CA public key – SpaceSSL: CER | CRT | DER | PEM | Repository  

Required documents

The verification process and the documents required when purchasing: The SpaceSSL certificates with their available MultiDomain and Wildcard option are issued automatically upon confirmation by the Subscriber of his/her authority over the certified domain. Select ONE out of FOUR available verification methods:

  • e-mail address verification by clicking on the verification link sent by SpaceSSL to the e-mail in the domain (i.e.:,,,, or,

  • verification of domain access by uploading to the server a "html" file, whose name will be given to you by SpaceSSL or,

  • verification of domain access by placing part of the text sent by SpaceSSL on your website (in thesection of the header ) or,

  • verification of the domain access by creating an appropriate TXT record in DNS, the content of which you will receive from SpaceSSL.


For each of the above-mentioned methods you will receive a message from SpaceSSL containing all data needed to perform verification and a special activation link that must be used after applying the required changes in the certified domain. The domain will be automatically verified, of which you will be informed in a special message.


Please note!

If the verification of the domain is successful, SpaceSSL will not require the Subscribers to present any additional documents. However, if for any legitimate reasons the Subscriber will not be able to perform the automatic verification of the domain then the SpaceSSL team will examine the application on the basis of the following documents:

  • ID card (identity card, passport, permanent residence card, driving license) of a person filing a certification application - the copy should contain current date and a note "I certify that this is a true copy of the original document" and the signature of the document holder,

  • power of attorney – granted to the person filing the certification application - only in the event that this person is not the document holder,

  • bill paid for the domain or a statement by the domain owner about the exclusive right vested in the Subscriber to use the domain name - only in the case where the domain is not registered in the WHOIS database or the information contained therein shows that the Subscriber is not the domain owner.


The copies of the above mentioned documents should be delivered to the Certification Authority within 7 days using one of the following methods:

  • via e-mail in a form of a scan to:



In appropriate cases the SpaceSSL Team may ask for additional documents necessary for correct verification to be provided.

Certificate Revocation Lists (CRL)

These lists contain the name of a certification authority that issued them and the date of the present and next publication as well as certificates serial numbers, dates and revocation (or suspension) reasons. These lists are published at specified intervals or anytime one of the issued certificates is suspended or revoked.
SHA-2 hash algorithm: Download CRL List (SHA-2) | Repository CRL SpaceSSL CA
SHA-1 hash algorithm: Download CRL List (SHA-1) | Repository CRL SpaceSSL CA

Supported browsers and email applications

Web browsers
icon Microsoft Internet Explorer (IE) 5+
icon Mozilla Firefox 0.9+
icon Google Chrome 1.01+
icon Opera 9.5+
icon Safari 3.x+
icon AOL 5+
icon Netscape Communicator 4.51+
icon Camino
icon Konqueror (KDE)
icon SeaMonkey
Operating systems
icon Microsoft Windows
icon Aplle MacOS X (10.5.8+)
icon Linux (OpenSSL v0.9.5+)
E-mail clients
icon Microsoft Outlook 2003, 2007, 2010
icon Mozilla Thunderbird 1.0+
icon Apple Mail
icon Microsoft Outlook Express
icon Windows Live Hotmail
icon The Bat 1.62+
icon Microsoft Office (Word, Excel, Powerpoint, Access, InfoPath)
icon Mozilla Suite v.1.7.3+
icon Microsoft Authenticodes & Visual Basic Applications (VBA)
icon Java SE 6 Update 13 and 5.0 Update 18
Mobile platforms
icon iOS 3.x+
icon Google Android 1.5+
icon Windows Phone 8
icon Opera Mini 3.10+


Have you got any questions or need explanations? Or maybe you are not sure if SpaceSSL is for you? Contact us.

Leave your contact data and a dedicated team of specialists will answer all your questions.