The purpose of this article is to help you troubleshoot any issues that may be preventing us from processing your Volusion SSL certificate order. In many cases, we can approve and install an SSL certificate without further action from you. If your site is new, however, or if it's not currently live on your domain name, you must click a special link in an email that we send to a specific address before we can install the certificate. Please read on for further details.
- Understanding Certificate Issuing Validation Requirements
- Unpublished Email Addresses
When an internet user enters sensitive data on a website -- such as credit card information when making an online purchase -- it must travel from the user's browser to the website's host server. This data is vulnerable in two ways: it can be intercepted during transmission, or it can be transmitted to an impostor. SSL certificates were invented to protect against both vulnerabilities.
The primary purpose of an SSL certificate is to encrypt data during transmission so that, if intercepted, it can't be read. Think of SSL-protected data as a message in a newly-invented language that only the sender (browser) and the recipient (host server) can translate back into a known language. To any third party that happens to be spying in between, it will look like gibberish.
All commercial browsers such as Firefox, Chrome, and Safari keep lists of certificate-issuing authorities, and they trust all certificates issued by those authorities. If data is entered on a secure connection ("https://" rather than "http://"), the browser will make certain that the certificate is still valid (not expired) and was issued by a trusted authority. If both conditions are true, it encrypts the data and sends it to the website's host server. This is a powerful level of protection, but it can be abused if it falls into the wrong hands.
If you give an SSL certificate to a scammer, it can actually make data theft easier by allowing the scammer to forge the identity of an intended data recipient. This is why a certificate-issuing authority can't simply issue a certificate for any requested domain name without verifying the requesting party's identity first. If you successfully purchased a certificate for www.paypal.com, for example, you could create a fake PayPal site and collect user account credentials through the encrypted connection; browsers would automatically allow it before the forgery was discovered and reported. It is of utmost importance, therefore, that certificate-issuing authorities take steps to ensure that they don't issue certificates to scammers.
To do this, they must ensure that the individual requesting a certificate for a particular website actually owns the website in question. The issuer sends an email to an address known to be an authoritative address for the website. In it, there is a special link for the owner to click to validate ownership. There are two kinds of authoritative email addresses: the WHOIS email address, and approved-format domain addresses.
When you register a domain name, you're required to provide contact information, including at least one valid email address. For most domain names, this email address information is published in a public database called WHOIS. There are many websites that allow you to query domain names in the WHOIS database.
If the WHOIS database doesn't contain email address information for a particular domain name, another option for ownership validation is for the certificate issuer to send an email to any of the following addresses:
If your domain name is www.yourvolusiondomain.com, for example, you could create the following address:
In most cases, only the true owner of a domain name can create these addresses and receive emails sent to them.
Any internet user can look up information about any domain name in use in the WHOIS database. Depending on the domain authority in the region of the registration, the listing displays certain information about each domain, which may include:
- the registrar
- the status
- the dates of registration and expiration
- the name servers of the DNS host
- the contact information of the registrant (domain owner)
Some domain authorities do not allow display of a contact email address. This is true of all ".co.uk", ".com.au", and ".ca" domains. In other regions, when you purchase the rights to a domain name, some third-party registrars allow you to pay extra to keep your contact information private. In these cases, your contact information will be replaced by the privatization service's information. You can view how your domain name registration record appears to us by searching for it on a look-up site. If your email address is not published, you may be able to contact your registrar to make it public, or you can create an approved-format email address.
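The check described above can be scripted by a domain owner before ordering. This is an added example, not Volusion's or the certificate issuer's code: it reads the text of a WHOIS record and reports which contact addresses are published and whether an approved-format address will be needed. Assumptions: the local parts are the ones the CA/Browser Forum Baseline Requirements permit (this article's own list is not reproduced here), the privacy-service hints and sample records are constructed, and a leading "www." is dropped from the domain.

```python
import re

# Assumption: the local parts the CA/Browser Forum Baseline Requirements allow
# for constructed validation addresses; the article's own list is not shown.
APPROVED_LOCAL_PARTS = ("admin", "administrator", "webmaster", "hostmaster", "postmaster")
# Suffixes the article names as never publishing a contact email in WHOIS.
NO_EMAIL_SUFFIXES = (".co.uk", ".com.au", ".ca")
# Constructed heuristic: substrings that suggest a privacy service's address.
PRIVACY_HINTS = ("privacy", "proxy", "redacted", "whoisguard")
EMAIL_FIELD = re.compile(
    r"^\s*(?:registrant|admin|tech)[^:\n]*e-?mail\s*:\s*(\S+@\S+)\s*$", re.I | re.M)

# Constructed WHOIS records (not real lookups).
SAMPLE_PUBLIC = """Domain Name: YOURVOLUSIONDOMAIN.COM
Registrant Email: owner@mailhost.example
Admin Email: owner@mailhost.example
Tech Email: dns@mailhost.example
"""
SAMPLE_PRIVATE = """Domain Name: YOURVOLUSIONDOMAIN.COM
Registrant Email: a1b2c3@privacy-service.example
"""

def bare_domain(host):
    """Lower-case the name and drop a leading 'www.' (assumed convention)."""
    host = host.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host

def whois_emails(record):
    """Contact emails in a WHOIS record, de-duplicated, privacy addresses skipped."""
    found = []
    for addr in EMAIL_FIELD.findall(record):
        addr = addr.lower()
        if addr not in found and not any(h in addr for h in PRIVACY_HINTS):
            found.append(addr)
    return found

def validation_candidates(host, record):
    """Addresses an issuer could plausibly use, and whether a mailbox or alias is needed."""
    domain = bare_domain(host)
    published = [] if domain.endswith(NO_EMAIL_SUFFIXES) else whois_emails(record)
    return {
        "domain": domain,
        "whois": published,
        "approved_format": [f"{p}@{domain}" for p in APPROVED_LOCAL_PARTS],
        "needs_approved_format": not published,
    }

if __name__ == "__main__":
    for rec in (SAMPLE_PUBLIC, SAMPLE_PRIVATE):
        print(validation_candidates("www.yourvolusiondomain.com", rec))
```

Paste the output of a WHOIS look-up for your own domain in place of the sample records; if `needs_approved_format` is true, create one of the listed mailboxes or aliases before ordering.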
If you host your email with Volusion, you can create an approved-format address for domain ownership validation in two ways: by creating a new mailbox, or by creating an alias for an existing mailbox. An alias is merely an address that forwards all messages received to an inbox of your choice. For instructions on either procedure, see Email Account Setup. For acceptable address formats, review the Approved-Format Domain Email Addresses section.
If you host your email with a third-party mail provider, the process by which you create a new mailbox or alias will depend on your provider's requirements. For more information, contact your provider directly. For acceptable address formats, review the Approved-Format Domain Email Addresses section.
If your WHOIS email address is published, please be aware that it may not be the same email address as the one associated with the account you used to order the SSL certificate from our website (and which we use to correspond with you about all of your Volusion purchases). If the WHOIS address isn't listed in our customer database, therefore, we may contact you at your Volusion account's primary address and ask you if the WHOIS address is yours and if you can access it. If so, we can send the ownership validation email to it. If not, you may need to log in to your domain registrar's account and edit the Administrative Contact or Technical Contact email address.