The Uploaded File Does Not Contain a Valid Certificate

Editor's Note: This blog was originally posted in September of 2016. It has been reviewed for clarity and accuracy by GlobalSign Product Manager Sebastian Schulz and updated accordingly.

Sometimes, even PKI veterans struggle with ordering or installing SSL/TLS certificates. This does not suggest a lack of knowledge – rather, those processes can bring up previously unseen errors. Ordering the correct certificate, creating a CSR, downloading it, installing it, and testing it to make sure there are no problems are all areas where one may encounter errors.

We want to help make the process as simple as possible from start to finish. For that reason, we collated our top queries and issues that customers may face during ordering or installation. We hope this blog will help you avoid those pitfalls and streamline your time to completion, but if you have a problem that you cannot solve using this blog you can still check out the GlobalSign Support Knowledge Base or submit a ticket.

Choosing the Right Approval Method

There are three ways to have your domain verified with us: approver email, HTTP verification, and DNS TXT record. And if at some point you grow tired of verifying domains every time you order a certificate, why not give Managed SSL a try?

Note: When ordering an SSL Certificate from our system, approval methods cannot be changed once chosen.

Approver Email

When placing an order, you can choose from the following email addresses to allow us to verify your domain:

  • admin@domain.com
  • administrator@domain.com
  • hostmaster@domain.com
  • postmaster@domain.com
  • webmaster@domain.com

An email will be sent to the selected address and upon receipt of the email you can click a link to verify the domain is yours.

Note: Make sure you choose the right one, or you will have to cancel the order and start a new order.

If you do not have access or cannot set up an email from the above list, you will need to contact Support who will guide you through other possible options for email verification. These are:

  • Updating the WHOIS records with an email address (an example of a website GlobalSign uses to check WHOIS records is networksolutions.com).
  • Creating a page on the website of the domain using instructions from our support team. This will indicate control of the domain and allow the vetting team to send the approval email to any alternative email address.

Note: A dedicated support article guiding you through domain verification by approver email can be found here.

HTTP Verification

Using the HTTP Verification (also called Approver URL- or meta tag-) method, you can insert a random string provided by GlobalSign in the root page of your domain (for example domain.com). The directory chosen for this must be domain.com/well-known/pki-validation/gsdv.txt

Our verification system will be able to detect the meta tag on the page and verify the domain ownership. However, our system cannot verify the domain if it redirects to another page, so make sure to disable all redirects.

Note: A dedicated support article guiding you through domain verification by HTTP verification can be found here.

DNS TXT Record

DNS TXT records entail implementing a code into the DNS TXT of the registered domain. You need to make sure the string exactly matches what you were provided at the end of ordering your certificate or from our vetting team. Also, you need to make sure that the record is publicly accessible. You can use some free online tools to check your DNS TXT records. Alternatively, you can run a command in command prompt to see if there is a TXT entry, for example: nslookup -type=txt domain.com

Note: A dedicated support article guiding you through domain verification by DNS TXT record can be found here.

Private Key Missing

Ordering an SSL/TLS certificate requires the submission of a CSR, and in order to create a CSR a private key has to be created. The private key matching your certificate is usually located in the same directory the CSR was created. If the private key is no longer stored on your machine (lost) then the certificate will need to be reissued with a new CSR and therefore also a newly created private key.

Examples of error messages/situations which would indicate there is no private key:

  • 'Private key missing' error message appears during installation
  • 'Bad tag value' error message appears during installation
  • After importing the certificate into IIS, the certificate disappears from the list when refreshed
  • When going onto your website, the site does not load in https://

No matter how convenient it seems, we want to discourage the use of online tools to generate CSRs. Those will also have your private key, meaning the security of your server may be compromised in the future.

Note: We offer many guides to help you generate private keys and CSRs.

SAN Compatibility

With a subject alternative name or SAN certificate, there are several things to note before ordering:

  • UCC (Unified Communication) SANs can be selected for free. Those cover some direct subdomains of the Common Name (for example, domain.com):
    1. mail.domain.com
    2. owa.domain.com
    3. autodiscover.domain.com
    4. www.domain.com
  • Subdomain SANs are applicable to all host names extending the Common Name by one level. For example:
    • support.domain.com could be a Subdomain SAN for a certificate with the Common Name domain.com
    • advanced.support.domain.com could NOT be covered by a Subdomain SAN in a certificate issued to domain.com, as it is not a direct subdomain of domain.com
  • FQDN (Fully Qualified Domain Name) SANs are applicable to all fully qualified host names, unrelated to the Common Name
    • support-domain.net could be a FQDN SAN in a certificate with the Common Name domain.com
    • support.domain.com would also be a valid FQDN for a certificate with Common Name domain.com, but covering this option with a Subdomain SAN is the smarter choice
    • IP Addresses cannot be covered by FQDN SANs
  • SANs for Public IP Addresses will only work for registered and public Global IP Addresses, otherwise ownership cannot be verified
  • Wildcard SANs work the same way as FQDN SANs but will cover an entire subdomain level, no matter what stands for the asterisk
    • For example, the Wildcard SAN *.domain.com will cover support.domain.com, gcc.domain.com, mail.domain.com – and so on!

For the compatibility of the different SAN types with different products, please see the table below:

[Image: SAN compatibility chart]

It is also possible to remove a SAN after your certificate has been issued.

Invalid CSR

If you are creating a renewal CSR, then you will need to ensure the Common Name matches the one of your original CSR. The new CSR will not be the same since the private key must be different. You may not use the same CSR again, even if it seems convenient.

You can test a CSR by using the decoder in the Managed SSL tab of your GlobalSign account. Should you not have that available, you can safely use online resources to check your CSR; as long as you do not share your private key, you do not have to be concerned for their security. If there are any extra spaces or too many or too few dashes at the beginning/end of the certificate request, it will invalidate the CSR.
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
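
A local pre-submission check for the formatting mistakes described above (extra spaces, wrong number of dashes), so the CSR never has to be pasted into a third-party site. This is an added example, not GlobalSign's decoder; the names lint_csr_armor and sample_csr are hypothetical, and the sample body is constructed placeholder bytes rather than a real CSR.

```python
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE REQUEST-----"
END = "-----END CERTIFICATE REQUEST-----"

def lint_csr_armor(text):
    """Return formatting problems in a pasted PEM CSR; an empty list means clean armor."""
    lines = [l.rstrip("\r") for l in text.split("\n")]   # tolerate CRLF line endings
    if lines and lines[-1] == "":
        lines.pop()                                       # one final newline is normal
    if len(lines) < 3:
        return ["expected a BEGIN line, a base64 body and an END line"]
    problems = []
    for label, want, got in (("BEGIN", BEGIN, lines[0]), ("END", END, lines[-1])):
        if got == want:
            continue
        if got.strip() == want:
            problems.append(f"{label} line has extra spaces")
        elif got.strip("- \t") == want.strip("-"):
            problems.append(f"{label} line needs exactly five dashes on each side")
        else:
            problems.append(f"{label} line is not '{want}'")
    body = lines[1:-1]
    for number, line in enumerate(body, start=2):
        if line != line.strip() or " " in line:
            problems.append(f"line {number}: whitespace in base64 body")
        elif not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", line):
            problems.append(f"line {number}: blank or not base64")
    if not problems:
        try:
            der = base64.b64decode("".join(body), validate=True)
        except ValueError:
            problems.append("body does not decode as base64")
        else:
            if der[:1] != b"\x30":                        # a CSR is a DER SEQUENCE
                problems.append("decoded body is not a DER SEQUENCE")
    return problems

def sample_csr():
    """Constructed stand-in: correct armor around placeholder bytes, not a real CSR."""
    body = base64.b64encode(b"\x30\x0b" + b"placeholder").decode()
    return f"{BEGIN}\n{body}\n{END}\n"

if __name__ == "__main__":
    good = sample_csr()
    print(lint_csr_armor(good))
    print(lint_csr_armor(good.replace("-----BEGIN", "----BEGIN")))
    print(lint_csr_armor(good.replace(END, END + " ")))
```

The check covers only the PEM armor and base64 encoding; it does not parse the subject or verify the CSR's signature.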

The Common Name You Have Entered Does Not Match the Base Option

This error appears when you are ordering a Wildcard SSL Certificate but have not included the asterisk in the Common Name of the CSR (e.g. a CSR with CN domain.com, rather than *.domain.com), or, conversely, when you have entered *.domain.com with the CSR and not selected that you wish to order a Wildcard certificate.

As explained earlier, the [*] represents all sub-domains you can secure with this type of certificate. For example, if you want to secure www.domain.com, mail.domain.com and secure.domain.com, you will need to enter *.domain.com as the Common Name in the CSR.
Note: You cannot create a Wildcard with a sub-domain before the asterisk, e.g. mail.*.domain.com, or double Wildcards, such as *.*.domain.com.

Key Duplicate Error

This error appears when you are using a private key which has already been used. A private key and CSR must only be used ONCE.

You should generate a new private key and CSR on your server and re-submit the new CSR. The reason SSL/TLS certificates have a maximum validity (and this one being cut short repeatedly) is an effort to ensure that keys are exchanged frequently, therefore mitigating the risk of undetected compromise.

Order State Has Already Been Changed

[Image: order state has been changed]

This error message generally appears when your order has timed out. You should start the ordering process from scratch and let us know if the issue persists. If it does, we need to run further checks on your account.

Note: this error message can also be caused by wrongly specified SANs. For example, if the CN is "www.domain.com" and you specified a sub-domain as "domain.domain2.com", which specifies a separate FQDN. Check the information about SANs above for clarification.

The SANs Options You Have Entered Do Not Match the SAN Options on the Original Certificate

This problem can occur for several reasons:

  • You added a space before or after the SAN.
  • There is a typo in the information y'all have provided.
  • You are entering the Common Name (CN) of the certificate as a SAN. Following regulations, we will always add your Common Name as a SAN; this does not need to be specified.
  • You incorrectly enter the SAN as a sub-domain, multi-domain name, internal SAN or IP. You need to choose the correct type of SAN which applies to the SAN. Please also check the above information on different SANs.
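
The mistakes in this list, together with the SAN types from the SAN Compatibility section and the wildcard rules noted earlier, can be checked before an order is submitted. The following is an added example, not GlobalSign's ordering logic: classify_san and review_order are hypothetical names, the rules are a simplified reading of this article, and the host names in the sample order are the article's own examples.

```python
import ipaddress

UCC_LABELS = {"mail", "owa", "autodiscover", "www"}  # free UCC hosts listed in the article

def classify_san(common_name, san):
    """Return the SAN type to select for `san`, or raise ValueError naming the mistake."""
    if san != san.strip():
        raise ValueError("SAN has leading or trailing whitespace")
    cn, name = common_name.lower(), san.lower()
    if name == cn:
        raise ValueError("Common Name is added as a SAN automatically")
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        ip = None                                   # not an IP literal, treat as host name
    if ip is not None:
        if not ip.is_global:
            raise ValueError("only public IP addresses can be verified")
        return "Public IP"
    labels = name.split(".")
    if "" in labels or len(labels) < 2:
        raise ValueError("not a fully qualified host name")
    if "*" in name:
        # Only one asterisk is allowed, and it must be the entire left-most label.
        if labels[0] != "*" or any("*" in label for label in labels[1:]):
            raise ValueError("asterisk must be the only, left-most label")
        return "Wildcard"
    if ".".join(labels[1:]) == cn:                  # exactly one level below the CN
        return "UCC" if labels[0] in UCC_LABELS else "Subdomain"
    return "FQDN"

def review_order(common_name, sans):
    """Map each requested SAN to its type, or to the reason it would be rejected."""
    report = {}
    for san in sans:
        try:
            report[san] = classify_san(common_name, san)
        except ValueError as err:
            report[san] = f"REJECT: {err}"
    return report

if __name__ == "__main__":
    # Constructed sample order for a certificate with Common Name domain.com.
    order = ["mail.domain.com", "support.domain.com", "advanced.support.domain.com",
             "support-domain.net", "*.domain.com", "mail.*.domain.com",
             "*.*.domain.com", " support.domain.com", "domain.com", "10.0.0.5"]
    for san, verdict in review_order("domain.com", order).items():
        print(f"{san!r:32} {verdict}")
```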

Certificate Not Trusted in Web Browser

After installing the certificate, you may still receive untrusted errors in certain browsers. This happens when the intermediate certificate has not been installed or for some reason the GlobalSign Root Certificate is missing from the client connecting to your server. Unless the client has been heavily tampered with, this should not occur – our Root Certificates are embedded in nearly all modern operating systems and applications.

Running a health check on the domain will identify missing intermediate certificates. If the intermediate certificate is missing, use the following link to determine which intermediate is needed based on product type (DomainSSL, OrganisationSSL, ExtendedSSL, AlphaSSL etc).

Find out more about intermediate certificates and why we use them.

'Switch From Competitor' Error Message

[Image: switch from competitor error message]

When choosing the 'switch from competitor' option in our certificate ordering system, you may see the following error message:

The server hosting your existing certificate cannot be reached to confirm its validity. Please obtain a copy of your existing certificate and paste it in the box below. All competitive switches are subject to review by GlobalSign's vetting team against the trusted issuers in the browser trust stores. If your certificate is not issued by a valid root CA Certificate, it will be subject to cancellation and/or revocation.

This error message occurs when your current certificate is no longer valid. You should only choose this option if you are switching before your certificate with another company expires.
This error message could also occur if your current certificate is not installed on the domain. Our system will not be able to detect the validity in this case, so you should untick this option and go through the normal ordering process.

If you have a valid certificate from a competitor that is not installed on the server then you can paste your CSR into the text box using the 'Switch from Competitor' option. See the image below.

Finally, this error message could show when you have installed a certificate on your server but the CN is not the same as the domain name. For example, this can happen with a SAN certificate. In this case, simply untick 'switch from a competitor' and go through the normal ordering process.

If you are switching over to GlobalSign that's great! If you think you should be eligible for 30 days of free validity but you cannot go through with the process, just contact us and a team member will reach out to you.

For more help with general SSL Certificate queries, visit the General SSL page on our support site.

Source: https://www.globalsign.com/en/blog/top-ssl-certificate-errors-and-solutions
