The Private Key You've Selected Does Not Appear to Be Valid.

Editor's Note: This blog was originally posted in September of 2016. It has been reviewed for clarity and accuracy by GlobalSign Product Manager Sebastian Schulz and updated accordingly.

Sometimes, even PKI veterans struggle with ordering or installing SSL/TLS certificates. This does not suggest a lack of knowledge; rather, those processes can bring up previously unseen errors. Ordering the right certificate, creating a CSR, downloading it, installing it, and testing it to make sure there are no problems are all areas where one may come across errors.

We want to help make the process as simple as possible from start to end. For that reason, we collated the top queries and issues that customers may face during ordering or installation. We hope this blog will help you avoid those pitfalls and streamline your time to completion, but if you have a problem that you cannot solve using this blog, you can still check the GlobalSign Support Knowledge Base or submit a ticket.

Choosing the Right Approval Method

There are three ways to have your domain verified with us: approver email, HTTP verification, and DNS TXT record. And if at some point you grow tired of verifying domains every time you order a certificate, why not give Managed SSL a try?

Note: When ordering an SSL Certificate from our system, the approval method cannot be changed once chosen.

Approver Email

When placing an order, you can choose from the following email addresses to allow us to verify your domain:

  • admin@domain.com
  • administrator@domain.com
  • hostmaster@domain.com
  • postmaster@domain.com
  • webmaster@domain.com

An email will be sent to the selected address; upon receipt of the email you can click a link to verify that the domain is yours.

Note: Make sure you choose the correct one, or you will have to cancel the order and start a new order.

If you do not have access to, or cannot set up, an email address from the above list, you will need to contact Support, who will guide you through other possible options for email verification. These are:

  • Updating the WHOIS records with an email address (an example of a website GlobalSign uses to check WHOIS records is networksolutions.com).
  • Creating a page on the website of the domain using instructions from our support team. This will indicate control of the domain and allow the vetting team to send the approval email to ANY alternative email address.

NOTE: A dedicated support article guiding you through domain verification by approver email can be found here.

HTTP Verification

Using the HTTP Verification (also called Approver URL or meta tag) method, you insert a random string provided by GlobalSign in the root page of your domain (for example domain.com). The location used for this must be domain.com/.well-known/pki-validation/gsdv.txt

Our verification system will detect the string (or meta tag) on the page and verify domain ownership. However, our system cannot verify the domain if it redirects to another page, so make sure to disable all redirects.

Note: A dedicated support article guiding you through domain verification by HTTP verification can be found here.

DNS TXT Record

DNS TXT record verification entails adding a code to the DNS TXT records of the registered domain. You need to make sure the string exactly matches what you were provided at the end of ordering your certificate or by our vetting team. Also, you need to make sure that the record is publicly accessible. You can use some free online tools to check your DNS TXT records. Alternatively, you can run a command in the command prompt to see if there is a TXT entry, for example: nslookup -type=txt domain.com

Note: A dedicated support article guiding you through domain verification by DNS TXT record can be found here.
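The two self-service methods above fail for the same mundane reasons: the validation file is served behind a redirect, or the published value is not byte-for-byte identical to the token (stray whitespace, zone-file quotes, changed letter case). The following Go program is an added example, not GlobalSign's own validation code, showing how a site owner can pre-check both before submitting the order. It assumes the file path given above, a constructed placeholder token (`Token`), and constructed web servers created with `httptest` in place of a real host; the DNS records are likewise passed in as a constructed slice rather than fetched, so the program runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// Token is a constructed placeholder for the random string issued with the order.
const Token = "globalsign-domain-verification=EXAMPLE-TOKEN-0123456789"

// ValidationPath is the location the HTTP method reads, as described above.
const ValidationPath = "/.well-known/pki-validation/gsdv.txt"

// FetchToken reads the validation file without following redirects: a redirect
// on this path is reported as a failure, mirroring the CA's behaviour.
func FetchToken(baseURL string) (string, error) {
	client := &http.Client{
		Timeout: 5 * time.Second,
		// Hand the 3xx response back to the caller instead of following it.
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
	resp, err := client.Get(baseURL + ValidationPath)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode >= 300 && resp.StatusCode < 400 {
		return "", fmt.Errorf("redirect to %q: disable redirects on the validation path", resp.Header.Get("Location"))
	}
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("unexpected status %d", resp.StatusCode)
	}
	body, err := io.ReadAll(io.LimitReader(resp.Body, 4096))
	if err != nil {
		return "", err
	}
	return string(body), nil
}

// MatchToken compares a served or published value with the expected token and,
// on a mismatch, says whether it is cosmetic (whitespace, quotes, case) or real.
func MatchToken(got, want string) error {
	if got == want {
		return nil
	}
	cleaned := strings.Trim(strings.TrimSpace(got), `"`)
	if cleaned == want {
		return errors.New("token matches only after stripping whitespace/quotes: remove them")
	}
	if strings.EqualFold(cleaned, want) {
		return errors.New("token differs only in letter case: copy it exactly")
	}
	return fmt.Errorf("token %q does not match expected value", got)
}

// MatchTXT scans the TXT records published for the domain for an exact token.
func MatchTXT(records []string, want string) error {
	if len(records) == 0 {
		return errors.New("no TXT records published")
	}
	for _, r := range records {
		if MatchToken(r, want) == nil {
			return nil
		}
	}
	// No exact match: surface a near-miss first, because that is the easy fix.
	for _, r := range records {
		if err := MatchToken(r, want); !strings.Contains(err.Error(), "does not match") {
			return err
		}
	}
	return errors.New("no TXT record carries the expected token")
}

func main() {
	// Constructed stand-ins for the customer's web server: one correct, one redirecting.
	good := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path == ValidationPath {
			fmt.Fprint(w, Token)
			return
		}
		http.NotFound(w, r)
	}))
	defer good.Close()
	redirecting := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, "http://www.example.invalid"+r.URL.Path, http.StatusMovedPermanently)
	}))
	defer redirecting.Close()
	for _, srv := range []*httptest.Server{good, redirecting} {
		body, err := FetchToken(srv.URL)
		if err != nil {
			fmt.Println("HTTP check failed:", err)
			continue
		}
		fmt.Println("HTTP check:", MatchToken(body, Token))
	}
	// Constructed TXT record sets: a correct one, and one pasted with zone-file quotes.
	fmt.Println("DNS check (exact):", MatchTXT([]string{"v=spf1 -all", Token}, Token))
	fmt.Println("DNS check (quoted):", MatchTXT([]string{`"` + Token + `"`}, Token))
}
```

Against a real host, replace the `httptest` servers with the site's URL and feed `MatchTXT` the output of `net.LookupTXT` (or of the `nslookup` command above); the matching rules stay the same.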

Private Key Missing

Ordering an SSL/TLS certificate requires the submission of a CSR, and in order to create a CSR a private key has to be created. The private key matching your certificate is usually located in the same directory the CSR was created in. If the private key is no longer stored on your machine (lost), then the certificate will need to be reissued with a new CSR and therefore also a newly created private key.

Examples of error messages/situations which would indicate there is no private key:

  • 'Private key missing' error message appears during installation
  • 'Bad tag value' error message appears during installation
  • After importing the certificate into IIS, the certificate disappears from the list when refreshed
  • When going to your website, the site does not load over https://

No matter how convenient it seems, we want to discourage the use of online tools to generate CSRs. Those will also have your private key, meaning the security of your server may be compromised in the future.

Note: We offer many guides to help you generate private keys and CSRs.

SAN Compatibility

With a subject alternative name or SAN certificate, there are several things to note before ordering:

  • UCC (Unified Communication) SANs can be selected for free. Those cover some direct subdomains of the Common Name (for example, domain.com):
    1. mail.domain.com
    2. owa.domain.com
    3. autodiscover.domain.com
    4. www.domain.com
  • Subdomain SANs are applicable to all host names extending the Common Name by one level. For example:
    • support.domain.com could be a Subdomain SAN for a certificate with the Common Name domain.com
    • advanced.support.domain.com could NOT be covered by a Subdomain SAN in a certificate issued to domain.com, as it is not a direct subdomain of domain.com
  • FQDN (Fully Qualified Domain Name) SANs are applicable to all fully qualified host names, unrelated to the Common Name
    • support-domain.net could be an FQDN SAN in a certificate with the Common Name domain.com
    • support.domain.com would also be a valid FQDN SAN for a certificate with Common Name domain.com, but covering this name with a Subdomain SAN is the smarter choice
    • IP addresses cannot be covered by FQDN SANs
  • SANs for Public IP Addresses will only work for registered and public Global IP Addresses; otherwise ownership cannot be verified
  • Wildcard SANs work the same way as FQDN SANs but will cover an entire subdomain level, no matter what stands in for the asterisk
    • For example, the Wildcard SAN *.domain.com will cover support.domain.com, gcc.domain.com, mail.domain.com, and so on

For the compatibility of the different SAN types with different products, please see the table below:

[Image: SAN compatibility chart]

It is also possible to remove a SAN after your certificate has been issued.

Invalid CSR

If you are creating a renewal CSR, then you will need to ensure the Common Name matches the one in your original CSR. The new CSR will not be the same, since the private key must be different. You may not use the same CSR again, even if it seems convenient.

You can test a CSR by using the decoder in the Managed SSL tab of your GlobalSign account. Should you not have that available, you can safely use online resources to check your CSR; as long as you do not share your private key, you do not have to be concerned about their security. If there are any extra spaces, or too many or too few dashes at the beginning/end of the certificate request, it will invalidate the CSR. The request must begin and end with exactly these lines:
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----

The Common Name You Have Entered Does Not Match the Base Option

This error appears when you are ordering a Wildcard SSL Certificate but have not included the asterisk in the Common Name of the CSR (e.g. a CSR with CN domain.com rather than *.domain.com), or, conversely, when you have entered *.domain.com in the CSR and not selected that you wish to order a Wildcard certificate.

As explained earlier, the asterisk [*] represents all sub-domains you can secure with this type of certificate. For example, if you want to secure www.domain.com, mail.domain.com and secure.domain.com, you will need to enter *.domain.com as the Common Name in the CSR.
Note: You cannot create a Wildcard with a sub-domain before the asterisk, e.g. mail.*.domain.com, or double Wildcards, such as *.*.domain.com.

Key Duplicate Error

This error appears when you are using a private key which has already been used. A private key and CSR must only be used ONCE.

You should generate a new private key and CSR on your server and re-submit the new CSR. The reason SSL/TLS certificates have a maximum validity (and this one being cut short repeatedly) is an attempt to ensure that keys are exchanged frequently, therefore mitigating the risk of undetected compromise.
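The Private Key Missing, Invalid CSR and Key Duplicate sections all come down to the relationship between a CSR's PEM framing, its embedded public key and the private key on disk. The Go program below is an added example, not GlobalSign's tooling or the project's own code, that generates a key and CSR with the standard library, then provides three checks a practitioner can run on a request before submitting it: a strict framing check (exact BEGIN/END lines with five dashes, no stray whitespace, valid signature), a check that the private key at hand is the one the CSR was built from, and a key-reuse check between an old and a renewal CSR. The Common Name and SANs are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

const (
	csrHeader = "-----BEGIN CERTIFICATE REQUEST-----"
	csrFooter = "-----END CERTIFICATE REQUEST-----"
)

// NewKeyAndCSR generates a fresh 2048-bit RSA key and a CSR for cn with the given
// SANs, returning the key and the PEM text exactly as it should be pasted.
func NewKeyAndCSR(cn string, sans []string) (*rsa.PrivateKey, string, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, "", err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}, DNSNames: sans}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, "", err
	}
	return key, string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})), nil
}

// ParseStrictCSR accepts only a correctly framed request: exact header and footer
// lines, no leading or trailing whitespace on any line, one PEM block, valid signature.
func ParseStrictCSR(text string) (*x509.CertificateRequest, error) {
	lines := strings.Split(strings.ReplaceAll(text, "\r\n", "\n"), "\n")
	if n := len(lines); n > 0 && lines[n-1] == "" { // tolerate a single final newline
		lines = lines[:n-1]
	}
	if len(lines) < 3 {
		return nil, errors.New("request is too short to be a PEM CSR")
	}
	if lines[0] != csrHeader {
		return nil, fmt.Errorf("first line must be exactly %q, got %q", csrHeader, lines[0])
	}
	if last := lines[len(lines)-1]; last != csrFooter {
		return nil, fmt.Errorf("last line must be exactly %q, got %q", csrFooter, last)
	}
	for i, l := range lines[1 : len(lines)-1] {
		if l == "" || strings.TrimSpace(l) != l {
			return nil, fmt.Errorf("line %d has stray whitespace", i+2)
		}
	}
	block, rest := pem.Decode([]byte(strings.Join(lines, "\n") + "\n"))
	if block == nil || block.Type != "CERTIFICATE REQUEST" || len(bytes.TrimSpace(rest)) != 0 {
		return nil, errors.New("body does not decode to a single CERTIFICATE REQUEST block")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR signature invalid: %w", err)
	}
	return csr, nil
}

// KeyFingerprint identifies a public key so the same key is recognised whether it
// comes from a private key file or from a CSR.
func KeyFingerprint(pub interface{}) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:]), nil
}

// KeyMatchesCSR reports whether the private key is the one the CSR was built from;
// a mismatch is the usual root cause of the "private key missing" family of errors.
func KeyMatchesCSR(key *rsa.PrivateKey, csr *x509.CertificateRequest) (bool, error) {
	a, err := KeyFingerprint(&key.PublicKey)
	if err != nil {
		return false, err
	}
	b, err := KeyFingerprint(csr.PublicKey)
	return a == b, err
}

// ReusesKey reports whether a renewal CSR was built on the same key as the old one,
// which the ordering system rejects with the key duplicate error.
func ReusesKey(oldCSR, newCSR *x509.CertificateRequest) (bool, error) {
	a, err := KeyFingerprint(oldCSR.PublicKey)
	if err != nil {
		return false, err
	}
	b, err := KeyFingerprint(newCSR.PublicKey)
	return a == b, err
}

func main() {
	key, csrPEM, err := NewKeyAndCSR("domain.com", []string{"www.domain.com", "mail.domain.com"})
	if err != nil {
		panic(err)
	}
	csr, err := ParseStrictCSR(csrPEM)
	if err != nil {
		panic(err)
	}
	ok, _ := KeyMatchesCSR(key, csr)
	fmt.Println("CN:", csr.Subject.CommonName, "SANs:", csr.DNSNames, "key matches:", ok)
	_, err = ParseStrictCSR(" " + csrPEM) // a leading space on the header line
	fmt.Println("malformed request:", err)
}
```

For a request produced elsewhere, read the PEM file into `ParseStrictCSR` and load the private key with `x509.ParsePKCS1PrivateKey` or `x509.ParsePKCS8PrivateKey` before calling `KeyMatchesCSR`; the fingerprint comparison is the same check that the "key does not match" installer errors perform.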

Order State Has Already Been Changed

[Screenshot: order state has been changed]

This error message mostly appears when your order has timed out. You should start the ordering process from scratch and let us know if the issue persists. If it does, we need to run further checks on your account.

Note: this error message can also be caused by wrongly specified SANs. For example, if the CN is "www.domain.com" and you specified the sub-domain as "domain.domain2.com", which is a separate FQDN. Check the information about SANs above for a description.

The SAN Options You Have Entered Do Not Match the SAN Options on the Original Certificate

This problem can occur for several reasons:

  • You added a space before or after the SAN.
  • There is a typo in the information you have provided.
  • You are entering the Common Name (CN) of the certificate as a SAN. Following regulations, we will always add your Common Name as a SAN; this does not need to be specified.
  • You incorrectly entered the SAN as a sub-domain, multi-domain name, internal SAN or IP. You need to choose the correct type of SAN which applies to the name. Please also check the above information on different SANs.

Certificate Not Trusted in Web Browser

After installing the certificate, you may still receive untrusted errors in certain browsers. This happens when the intermediate certificate has not been installed or, for some reason, the GlobalSign Root Certificate is missing from the client connecting to your server. Unless the client has been heavily tampered with, this should not occur; our Root Certificates are embedded in virtually all modern operating systems and applications.

Running a health check on the domain will identify missing intermediate certificates. If the intermediate certificate is missing, use the following link to determine which intermediate is needed based on product type (DomainSSL, OrganisationSSL, ExtendedSSL, AlphaSSL etc.).

Find out more about intermediate certificates and why we use them.

'Switch From Competitor' Error Message

[Screenshot: switch from competitor error message]

When choosing the 'switch from competitor' option in our certificate ordering system, you may see the following error message:

The server hosting your existing certificate cannot be reached to confirm its validity. Please obtain a copy of your existing certificate and paste it in the box below. All competitive switches are subject to review by GlobalSign's vetting team against the trusted issuers in the browser trust stores. If your certificate is not issued by a valid root CA Certificate, it will be subject to cancellation and/or revocation.

This error message occurs when your current certificate is no longer valid. You should only choose this option if you are switching before your certificate with another company expires.
This error message could also occur if your current certificate is not installed on the domain. Our system will not be able to detect its validity in this case, so you should untick this option and go through the normal ordering process.

If you have a valid certificate from a competitor that is not installed on the server, then you can paste your CSR into the text box using the 'Switch from Competitor' option. See the image below.

Finally, this error message could show when you have installed a certificate on your server but the CN is not the same as the domain name. For example, this can happen with a SAN certificate. In this case, simply untick 'switch from a competitor' and go through the normal ordering process.

If you are switching over to GlobalSign, that's great! If you think you should be eligible for 30 days of free validity but cannot go through with the process, simply contact us and a team member will reach out to you.

For more help with general SSL Certificate queries, visit the General SSL page on our support site.


Source: https://www.globalsign.com/en/blog/top-ssl-certificate-errors-and-solutions
