SSL/TLS certificates

In order to create a Certificate Signing Request (CSR), please have the following information at the ready:

• Common Name (CN) − Fully Qualified Domain Name (FQDN) of the website to be secured
• Organisation Name (O) − applicant (i.e. the organisation that wishes to identify both itself and its web server in future)
• Locality (L) − city (applicant's official place of business)
  State (S) − federal state/canton (applicant's official place of business as recorded in the commercial register (HRA/HRB)
• Country (C) − e.g. DE for Germany (applicants's official place of business)

Note: It is essential that you archive your CSR file and your private key after you have created them.

Once D-TRUST has approved the application, we will send you the certificate by e-mail or we will provide you with a link that you can use to download it. All you need to do now is to install the certificate on your web server.

Note: Our certificates are compatible with all customary platforms that support today's hash algorithms. If you should have questions related to creating a CSR or certificate requests, please refer to the comprehensive and specific documentation provided by the manufacturer of your hardware and software.

If you should experience problems during installation, this may be due to the following reasons:

• Between the time the request was generated and the time the certificate was installed, the certificate request and/or private key was deleted or carried out on a different computer.

• The certificate chain is incomplete on the web server. Please check whether the root certificate (as the root certification authority) and the issuing intermediate certificate (as the intermediate certification authority and/or chain-CA or sub-CA) exist. If one of these certificates does not exist, it will not be possible to import the SSL certificate. This also means that error-free client access to the server will not be possible at a later point in time. You can find our current CA certificates on our certificate download page.

CAA stands for “Certificate Authority Authorization”. This Resource Record determines which CAs (Certificate Authorities) are authorized to issue SSL certificates for the Internet domain administrated by you. 
 
Although the CAA Resource Record is not mandatory, it is designed to protect you since it prevents the unauthorized TLS certificates from being issued for one of your Internet domains. If there is no CAA Resource Record, any CA can issue a TLS certificate for your domain.
 
The specification of the D-TRUST CA in your CAA Resource Record ensures that no unauthorized TLS certificates can be issued for one of your Internet domains.
 
Examples of a CAA Resource Record specifying D-TRUST as the authorized CA:

• All TLS certificate types (including wildcards)
  example.com.        CAA 0 issue “d-trust.net”
• Wildcard TLS certificates only
  example.com.        CAA 0 issuewild “d-trust.net”

 
The first entry applies to all TLS certificate types, the second to wildcard TLS certificates only. If you wish to obtain all TLS certificate types from one CA, the first entry is sufficient. For more in-depth information, please refer to RFC 6844.

Where is the entry made?

You can enter a corresponding CAA record in the DNS configuration of your domain provider (for instance, 1und1, Strato, etc.).
 
NOTE: Please note that D-TRUST GmbH will be unable to issue any TLS certificates to you if your CAA Resource Record contains any CA other than D-TRUST GmbH.