This article explains the factors that may be the reason that the SSL is not issued yet.
The SSL panel will show the status of your SSL request. You can see the steps which will be taken before your ssl can be issued. "Not applicable for this order" means that those steps are skipped for your selected ssl type.
In case you notice that the issuing of your SSL takes longer then you are used to, please review the topics below.
SSL status is "OPEN" - Did not pass the pre-validation
Domain Validation Pending
Missed Message from the CA
CAA Record is prohibiting the validation
CA stopped doing automatic checks
Contact Handle information incomplete or invalid
-
SSL status is "OPEN" - Did not pass the pre-validation
After creating the SSL order, our system can preform a pre-validation check. This will be done for certain orders, where the business registration database can be reached by API to validate and match your provided details. In case the order did not pass the pre-validation, it stays in the status "OPEN" and is not forwarded yet to Sectigo.
We advise to Edit the order details, before submitting your request to Sectigo for validation. Changing details once the order is submitted to Sectigo is less easy.
You can review the pre-validation results in your ssl panel.
-
Domain Validation PENDING
Domain Validation is one of the most important part of SSL Certificate Process.
Domain validation is required for all SSL certificates: DV, OV and EV.
Sometimes, you can see that on the SSL Panel, the following message is displayed.
Make sure that you have followed all the steps correctly for domain validation.
- Is the email already successfully verified?
- Or was the correct Cname value added in the dns zone?
- Is the file correctly uploaded without a redirect for file based validation?
In case you want to change the validation method, use the buttons in the Action section to change this. More information about how to confirm your domain ownership can be found here.
Before performing domain validation, do checkout our article for pre-validation checks here.
-
You may have missed the message from Certificate Authority (Sectigo)
Sectigo (CA) will validate your SSL request. In case there is an issue with the details, they will inform you via the CHAT window on the detail page of the SSL.
Examples:
- The company is registered with a different name or different address in the company registration database and does not match the used handle.
- During the phone validation, the person who answered was not aware of the order and rejected the validation.
- There is a CAA record in your zone which prohibits the validation.
You can reply to Sectigo, but keep in mind, this is not a realtime chat.
This CHAT is only operational from the moment the SSL request is "pending" and will be closed once the SSL is issued. When the SSL has the status "open" the CHAT can not be used yet.
-
CAA record is prohibiting the validation
During a mandatory check of the CAA record for the (sub)domain it gives a DNS server error. In case a CAA is used in the zone, it must permit Comodo / Sectigo to issue certificates for your domain.
There are 4 options that could solve the issue, before the certificate can be issued.
1: Ensure that the DNS server gives a correct NSEC / NSEC3 signed response that no CAA records exist.
2: Add a CAA record that approves issuance by Comodo / Sectigo;
CAA 0 issue "comodoca.com"
3: Fix the failure in the DNS response.
4: Disable DNSSEC on the domain(s).
-
CA stopped doing AUTOMATIC CHECKS
Sectigo does automated checks with a frequency of 15 minutes for a limited time period from the time when the certificate is REQUESTED.
At some point, Sectigo stops doing these automated checks on a frequent basis and limit the amount of checks they are preforming. This can delay the issuing of an "older" certificate.
In case a validation was stuck and fixed by the requester, inform Sectigo via the CHAT and ask them to continue the validation. This is not a realtime chat but it will trigger Sectigo to check the case manually.
-
Contact Handle information incomplete or invalid
This is the most important part when you request a SSL Certificate, the contact information for the certificate. The order will be created based on the handle which you select during the order creation. Make sure this handle contains is complete and valid. In case of a OV or EV order, the contact person mentioned in this handle will be contacted.
A handle containing:
Firstname: Domain
Lastname: Administration
can therefore not be used for a SSL request as this validation will fail.
We advise to always check the handle which you are going to use if the information and contact person mentioned are still valid. In case the information is outdated, please create a new handle select this one.