OpenSRS Trust Manager. May 7, 2013

(1)

OpenSRS Trust Manager

May 7, 2013

(2)

OpenSRS Trust Service

The OpenSRS Trust Service offers SSL Certificates that encrypt

communications between users and SSL (Secure Socket Layer) e-commerce sites. Data sent via an SSL connection is protected by encryption, a

mechanism that prevents eavesdropping and tampering with any transmitted data. SSL provides businesses and consumers with the confidence that

private data sent to a Web site, such as credit card numbers, are kept

confidential. Web server certificates (also known as secure server certificates or SSL Certificates) are required to initialize an SSL session.

Customers know when they have an SSL session with a website when their browser displays the little gold padlock and the address bar begins with a https rather than http. SSL Certificates can be used on Web servers for Internet security and mailservers such as IMAP, POP3, and SMTP for mail collection and sending security.

Business websites must have an SSL Certificate to:

 Validate online businesses by a globally recognized third party  Encrypt sensitive data such as credit card numbers or passwords All Trust Services offered through OpenSRS have the highest encryption levels available, compatible with over 99% of all browsers and include globally recognized certification seals.

The OpenSRS Trust Services offering includes certificates from Comodo, GeoTrust, SiteLock, Symantec, thawte, TRUSTe, and Trustwave.

The terms vary by supplier and product, and range from one to four years.

The Product Suite

The OpenSRS Trust Service includes products from the most trusted and most recognized certificate providers: Comodo, GeoTrust, SiteLock, Symantec, thawte, TRUSTe, and Trustwave.

 Comodo offers a comprehensive range of highly-trusted SSL certificate products designed to meet the needs of every business.  GeoTrust is one of the world's largest SSL certificate providers, with

more than 100,000 customers in over 150 countries. Its product line is extremely popular with small businesses.

 SiteLock offers website security products that meet the needs of small business without requiring CSRs or web server installation scripts. It performs daily malware, network, and spam scans, and

(5)

 Symantec resonates very well with large companies and corporations that want to obtain the highest levels of security possible.

 thawte is a leading provider of domain, business and extended validation SSL certificates. Its brand is particularly strong in Europe, and appeals to European businesses.

 TRUSTe offers a hosted privacy policy service that is available with or without a site seal.

Note: TRUSTe is available to the following countries only: Australia, Austria, Belgium, Bulgaria, Canada, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, New Zealand, Norway, Poland, Portugal, Republic of Ireland, Romania, Singapore, Slovakia, Slovenia, Sweden, Switzerland, The Netherlands, United Kingdom, and United States.

 Trustwave helps companies of all sizes reduce SSL costs while maintaining a high level of trust and security.

Types of SSL certificates

The type of SSL certificate that you choose depends on whether you want to validate a single domain or an entire enterprise, and also the level of

validation that you want to provide.

Domain certificates

SSL Certificates for domains ensure that the domain has been authenticated by a recognized certificate provider. Visitors to the site can click on the seal to verify that the certificate is still valid, giving site visitors extra peace of mind.

The provisioning time for domain certificates is 10 minutes.

Organization certificates

When corporate identity verification is important, an SSL Certificate for the organization assures customers that the website is trustworthy and secure. The provisioning time for organization certificates is two to four business days.

(6)

Wildcard certificates

Wildcard SSL Certificates may be used for situations where several same-domain web sites need to be secured but the hostnames or sub-same-domains vary. You can secure as many sub-domains on one physical box as you like as long as they share the same second level domain name. To do this, the domain/common name in the CSR needs to be "*.mydomain.com". The asterisk is a place holder and enables you to secure different sub-domains that share the same base/second level domain name such as

"mydomain.com" in our example. If you need to secure sub-domains on multiple boxes, you need to purchase separate wildcards for each box. The provisioning time for wildcard certificates is two to four business days.

SAN certificates

Subject Alternative Name (SAN) certificates allow you to specify a list of additional domains or other entities that will be covered by a single SSL certificate. This means that, depending on the product, you may be able to specify multiple top-level domains, subdomains, IP addresses, internal server names, and more. The total number that you can protect with a single

certificate varies by product.

Note: SAN certificates are sold as packages, so if you purchase a SAN

certificate that can secure four additional domains, but you specify only two, you will still be charged the same price. You may be able to add more

domains to a package for an additional charge. For more information on pricing, see http://www.opensrs.com/site/services/trust/pricing.

These multi-domain certificates are more flexible than wildcard certificates because they are not limited to the same domain or the same number of levels.

The provisioning time for SAN certificates is two to four business days.

Product Additional domains allowed Allows server names without any periods Allows Intranet and local names Allows private IP addresses per RFC 1597

True BusinessID SAN 4 to 24 Yes Yes Yes

True BusinessID with

(7)

Product Additional domains allowed Allows server names without any periods Allows Intranet and local names Allows private IP addresses per RFC 1597 QuickSSL Premium SAN 4 (subdomains

only)

Yes Yes Yes

Secure Site SAN 1 to 24 Yes Yes Yes

Secure Site Pro SAN 1 to 24 Yes Yes Yes

Secure Site with EV SAN

1 to 24 No No No

Secure Site Pro with EV

SAN 1 to 24 No No No

SSL Web Server SAN 1 to 4 Yes Yes Yes

SGC SuperCerts SAN 1 to 4 Yes Yes Yes

SSL Web Server with

EV SAN 1 to 4 No No No

Extended Validation (EV) certificates

With Extended Validation, as well as displaying the certificate seal, the address bar is displayed in green, providing customers with an extra level of confidence. The green address bar is a strong visual indication that the site has an Extended Validation Certificate. The Security Status bar displays the organization name and the name of the Certificate Authority (CA).

The provisioning time for EV certificates is five to seven business days.

Site seals

A site seal certifies the owner of the site has been verified and that the site is free of malware.

(8)

SiteLock seals

Every website protected by SiteLock goes under an evaluation which includes:

 Verification of the website owner's contact information.

 Checks for malware, viruses, SQL injections and cross-site scripting vulnerabilities.

 Verifies email addresses and servers haven't been included on spam blacklists.

No CSRs or web server installation scripts are required.

GeoTrust Web Site Anti-Malware Scan

The GeoTrust Web Site Anti-Malware Scan product offers malware scanning and a trust seal.

This product is not vetted. When the order is processed, GeoTrust sends the customer an email to let them know that their site is being scanned. The email also includes instructions on how to log in to their account on the GeoTrust site.

When the initial malware scan completes, GeoTrust sends another email to the customer to let them know whether their site passed or failed the scan. If the site passed the scan, the email contains a link to the GeoTrust seal

configuration page where the customer can access the seal to display on their website.

GeoTrust continues to scan the website on a regular basis and notifies the customer only if the scan fails. If it fails, the seal is removed from the site, and the customer must correct the issues on their site. GeoTrust will

reinstate the seal after the next successful scan.

A customer can request an on demand scans only if the previous scan failed. Additionally, they cannot request a scan if a scan is already in progress.

Note: For the GeoTrust Web Site Anti-Malware product, all communications

and account management tasks take place between the customer and GeoTrust; OpenSRS and the Reseller are only involved in ordering and renewing the product.

(9)

Certificate

Type Verifies Requirements Includes Term Comodo Certificates

EV SSL Full

Organization. Admin, organization, and signer contacts SSL Certificate & Comodo TrustMark plus green bar 1-2 year

InstantSSL Domain and Organization. Organization contact SSL Certificate & Comodo TrustMark 1-4 years

PremiumSSL Domain and

Organization. Organization contact SSL Certificate & Comodo TrustMark

1-4 years

PremiumSSL

Wildcard Single domain only. Organization contact SSL Certificate & Comodo TrustMark

1-4 years

SSL Single domain. Organization

contact SSL Certificate 1-4 years SSL Wildcard Domain and

subdomains. Organization contact SSL Certificate 1-4 years

GeoTrust SSL Certificates

QuickSSL Domain only. Domain authorized email SSL certificate & seal 1-4 years QuickSSL Premium

Domain only. Domain Authorized E-mail

SSL certificate & True Site Seal

1-4 years QuickSSL

Premium SAN Primary domain plus 4 subdomains.

Domain Authorized

E-mail SSL certificate & True Site Seal 1-4 years True BusinessID Full Organization. Proof of Organization or SSL Certificate & True Site Seal

(10)

Certificate

Type Verifies Requirements Includes Term

True BusinessID SAN Organization plus 4 domains; can add up to 24 domains for additional cost. Proof of Organization or DUNS Number and WHOIS

SSL Certificate &

True Site Seal 1-4 years

True BusinessID Wildcard

Full

Organization. Proof of Organization or DUNS Number and WHOIS

SSL Certificate &

True Site Seal 1-4 years

True BusinessID with EV Domain and Organization plus Extended Validation. Proof of Organization or DUNS Number and WHOIS

SSL Certificate & True Site Seal plus green bar

1-2 years True BusinessID with EV SAN Organization plus 4 domains, including Extended Validation. Can add up to 24 domains for additional cost. Proof of Organization or DUNS Number and WHOIS

SSL Certificate & True Site Seal plus green bar

1-2 years

Web Site Anti-Malware Scan

Domain. Admin, Billing, and

Tech contacts Site Seal 1 year

SiteLock

Basic Business

verification and one-time scan of website.

Web and business

addresses Site seal 1 year

Premium Business

verification and extensive malware scanning.

Web and business addresses

(11)

Certificate

SMB Enterprise Secure Business verification and Enterprise-level protection with constant network scans.

Web and business

addresses Site seal 1 year

Symantec Certificates

SecureSite Full

SSL Certificate &

Secured Seal 1-4 years

SecureSite

SAN Organization plus 1 domain; can add up to 24 domains for additional cost.

Proof of

Organization or DUNS Number and WHOIS

SSL Certificate &

SecureSite

Pro Full Organization. Proof of Organization or DUNS Number and WHOIS

SSL Certificate &

SecureSite

Pro SAN Organization plus 1 domain; can add up to 24 domains for additional cost.

Proof of

SSL Certificate &

SecureSite

with EV Full Organization plus Extended Validation.

Proof of

SSL Certificate & Secured Seal plus green bar

(12)

Certificate

SecureSite

with EV SAN Organization plus 1 domain, including Extended Validation. Can add up to 24 domains for additional cost. Proof of Organization or DUNS Number and WHOIS

1-2 years

SecureSite

Pro with EV Full Organization plus Extended Validation.

Proof of

1-2 years SecureSite Pro with EV SAN Organization plus 1 domain can add up to 24 domains for additional cost. Proof of Organization or DUNS Number and WHOIS

1-2 years

thawte SSL Certificates

SSL123 Domain &

Organization. Domain authorized email SSL Certificate & Trusted Site Seal 1-4 years SGC

SuperCerts Full Organization. Proof of Organization or DUNS Number and WHOIS

SSL Certificate &

Trusted Site Seal 1-4 years

SGC SuperCerts SAN Organization plus 1 domain; can add up to 4 domains for additional cost. Proof of Organization or DUNS Number and WHOIS

SSL Certificate & Trusted Site Seal

1-4 years

SSL

WebServer Certificates

Full

SSL Certificate &

(13)

Certificate

SSL WebServer Certificates with SAN Organization plus 1 domain; can add up to 4 domains for additional cost. Proof of Organization or DUNS Number and WHOIS

SSL Certificate &

Trusted Site Seal 1-3 years

SSL WebServer Certificates with EV Full Organization plus Extended Validation. Proof of Organization or DUNS Number and WHOIS

SSL Certificate & Trusted Site Seal plus green bar

1-2 years SSL WebServer with EV SAN Organization plus 1 domain; can add up to 4 domains for additional cost. Proof of Organization or DUNS Number and WHOIS

SSL Certificate & Trusted Site Seal plus green bar

1-2 years SSL Web Server Certificates Wildcard Full Organization. Proof of Organization or DUNS Number and WHOIS

SSL Certificate & Trusted Site Seal

1-2 years

TRUSTe

Privacy Policy with seal

Single domain. Individual contact Hosted Privacy Policy plus seal

1-3 years Privacy Policy Single domain. Individual contact Hosted Privacy

Policy only

1-3 years

Trustwave Certificates

Domain

Vetted (DV) Single domain only. Admin contact SSL Certificate & Trusted Commerce Site Seal

1-3 years

Premium EV Full

(14)

Certificate

Premium SSL Full

Organization. Admin contact SSL Certificate & Trusted Commerce Site Seal

1-3 years

Premium SSL

Wildcard Full Organization. Admin contact SSL Certificate & Trusted Commerce Site Seal

1-3 years

Free trials

GeoTrust, Symantec, and TRUSTe offer 30 day free trials for the following Trust Service products:

• GeoTrust True BusinessID with EV

• Symantec SecureSite, Secure Site Pro, Secure Site with EV, and Secure Site Pro with EV

• TRUSTe Hosted Privacy Policy (HPP) and Privacy Policy with Seal (TPS)

Note: Free trials are not available for SAN products.

Customers who order the free trial are not charged when they place the order for the product and they can cancel at any time before the 30 days is up without incurring a charge. The full price of the product is displayed in the Control Panel, but the charge is not applied until the end of the 30 day

period. During the free trial period, a CANCEL FREE TRIAL button is displayed on the product page, so that the product order can be cancelled at any time during that period.

If the customer does not cancel the order before the end of the 30 day free trial, they are automatically charged for the term that they selected when they placed the order. There are no notification emails or requests for confirmation. The expiry date is calculated from the date that the paid term begins, not the date that the free trial began. The product status changes to Product - Activated, and a new order is automatically created.

Note: When taking advantage of the free trial period, the term that can be

selected for the Symantec products and for GeoTrust True BusinessID with EV is restricted to one year; TRUSTe products can be ordered for one, two, or three year terms.

(15)

The order process is the same whether you choose the free trial period of not. See “Ordering a Trust Service product”.

Cancelling an order during the free trial period

You can cancel a completed free trial order any time before the end of the 30 day period without incurring a charge.

Note: When you cancel a free trial, you will not be able to re-submit an order

with the same supplier for that domain until 30 days have passed. To cancel an order during the free trial period

1. In the Control Panel, click the TRUST MANAGER tab, and then click

View Trust Services.

2. Click the domain name of the product that you want to cancel. You may see multiple entries for the same domain; be sure to click one that displays Product - Active in the Status column.

3. In the Status section, click CANCEL FREE TRIAL. The order is marked as Declined and the product is marked as Revoked.

For GeoTrust and Symantec, the customer is sent an email containing a link to click to approve the revoke; for TRUSTe, the cancellation is automatic.

The Purchase Process

The following diagram illustrates the steps involved in purchasing SSL Certificates.

(16)

Step 1: User creates order

You can place the order on behalf of your customer either through the Trust Manager or the API. The order can then be saved for later processing or submitted immediately.

ORDER STATE:

 Pending—order was saved

(17)

Step 2: SSL Provider receives and confirms the order

Upon submitting the order, the system sends the information to the SSL vendor.

ORDER STATE: In Progress

Note: For domain vetted certificates, an additional verification email is sent to the domain owner requesting approval. The domain owner is determined during the ordering process, based on the public WHOIS information for the domain.

Step 3: SSL Provider verifies the order

Once a confirmation has been sent, the SSL Provider takes the information provided in the order and verifies it. For organization vetted certificates, there is additional verification of the organization that is applying for the SSL Certificate.

ORDER STATE: In Progress

Step 4: SSL Provider issues the SSL Certificate

If the verification passes, the SSL Provider then, via email, issues the SSL Certificate and accompanying installation instructions to the admin contact specified in the original order.

ORDER STATE: Completed

Step 5: SSL Certificate is received

The admin contact associated with the order receives a copy, by email, of the SSL Certificate.

(18)

Ordering a

Trust

Service product

Depending on the type of Trust Service product that you are ordering, you might not see all of these fields mentioned in these steps.

Note: The address fields that you complete must specify physical addresses; you cannot specify P.O. boxes.

To order a Trust Service SSL Certificate

2. Click an option in each category to choose the supplier and service that you want to purchase.

If you are ordering a domain vetted certificate, in the text field, enter the name of the domain with which you are associating the service. 3. Click CONTINUE TO NEXT STEP.

4. For SiteLock and TRUSTe products, in the Customer section, click the radio button that indicates the type of user account to associate with the Trust service.

If you want to associate your order with an existing account, select the

Existing Customer Account radio button and then select the user from the Account drop-down list.

If the order is for a new customer, select the New Customer Account

radio button, and enter a user name, password, and email address for the new customer in the Username, Password, and Email Address

fields. The username and password allow the domain owner to log in to the Domain Admin end user control panel at

resellername.domainadmin.com to configure and manage their Trust Service product and account. The email address is the address to which the Domain Admin login credentials will be sent.

Important: If you select No Customer Account, the service will work: however, the end user will not be able to access the Domain Admin

control panel. In that case, you can either provision the Trust Service product for your customer or you can provide your own end user interface. If you do not create a username and password when you order the service, you cannot add it later.

5. In the Service Period & Validation Period section, use the drop-down lists to, choose the certification period, validation email, web server,

(19)

and server count for the Trust Service. (Depending on the type of certificate that you are ordering, you may not see all of these fields.)

Certification Period—The number of years for which you want to purchase the product. You can choose between 1 and 5 years, depending on the product type.

Validation Email—The email address of the individual who can approve the order. The Certificate Provider sends the approver email to the address that you specify.

Web Server—Select the type of Web server that will be using the SSL Certificate. Along with the CSR, the Certificate Provider uses this information to generate the SSL Certificate.

Server Count—This feature authorizes you to use the same SSL Certificate on multiple servers. In most cases, you are charged the cost of one SSL Certificate for each server. For example, if you choose 10 from the Server Count drop-down list, you are charged for 10 SSL Certificates.

Note: GeoTrust products include unlimited server licenses. 6. For thawte, Symantec, and most GeoTrust certificates, in the

Organization contact Information section, enter the contact details for the organization.

7. In the Individual Contact Information sections, enter the details for the Trust Service contacts.

If you are entering a new contact, you must complete all of the fields. To use the same information as an existing contact, choose that

contact from the Make same as drop-down list. If you use this feature, make sure that the fields in the designated section are completed.

Note: For Symantec, thawte, and True BusinessID EV certificates, Title

is a required field.

Important: For Trustwave certificates only, the approver and

certificate emails are always sent to five email addresses: Admin, Administrator, Hostmaster, Postmaster,and Root; therefore, you must ensure that at least one of the following five addresses exists:

 [email protected]  [email protected]

(20)

8. For all except seal type certificates, in the Certificate Settings section, enter the CSR for the Web server that will be using the SSL Certificate and, optionally, any special instructions regarding the order, and then click ADD SERVICE or SAVE AS DRAFT.

Important: For Trustwave only, you need to remove the word NEW

from the BEGIN and END statements of the CSR before you submit the order.

The Certificate Provider uses this information to generate the SSL Certificate. You can find instructions on how to create the CSR on the supplier’s website. Comodo: http://www.comodo.com/csr_autogenerator.php GeoTrust: http://www.geotrust.com/support/generate-csr/ Symantec: https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR235 thawte : https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=AR1108 Trustwave: https://ssl.trustwave.com/support/create-csr.php

Note: All certificates require 2048 bit CSRs; however, Symantec will

accept 1024 bit CSRs for certificates with expiry dates prior to December 31, 2013, except for EV certs, which require 2048, regardless of the term.

SSL Certificate Providers require the domain’s Admin or Technical contact to approve every order for an SSL Certificate. The SSL

Provider sends an email to the Admin or Technical contact, which that contact must approve and return to the Provider. Once the Provider receives the approval, the order is processed.

9. For SAN certificates, in the Additional Domains section, enter the additional domains (other than the primary domain) that you want to include with this SSL certificate. Click ADD DOMAIN to display an additional text field. To delete a domain, click the red X beside the domain name.

The following products allow you to enter intranet and local names and to specify server names without any periods: QuickSSLPremium SAN, Secure Site SAN, Secure Site Pro SAN, SSL Web Server SAN, SGC SuperCerts SAN, and True BusinessID SAN.

Each SAN product allows a certain number of additional domains (either 1 or 4, depending on the product), and in most cases, more

(21)

additional domains you can specify for each certificate type are as follows:

• Quick SSL Premium SAN—4 (subdomains only) • TrueBusiness ID SAN—4 to 24

• TrueBusiness ID EV SAN—4 to 24 • Secure Site EV SAN—1 to 24 • Secure Site Pro EV SAN—1 to 24 • Secure Site Pro SAN—1 to 24 • Secure Site SAN—1 to 24 • SGC Super Certs SAN—1 to 4 • SSL WebServer EV SAN—1 to 4

• SSL WebServer Certificates with SAN—1 to 4

Note: If you want to add more domains to a SAN cert after the order has been processed, you must contact the Trust Service provider. 10. Click ADD SERVICE to submit your order or click SAVE AS DRAFT to

save the order as pending.

Parsing the CSR

In order to reduce the number of orders that get declined as a result of incorrect CSRs, you can parse the CSR while the order is either pending or processing. You can then see the information contained in the CSR, and any errors related to it.

To parse the CSR

Parse CSR.

2. Click an option in each category to choose the supplier and service that you want to purchase.

If the CSR is for a domain vetted certificate, enter the name of the domain with which you are associating the certificate.

3. In the CSR (Certificate Signing Request) field, enter the CSR for the Web server that will be using the Trust Service.

4. Click PARSE CSR.

(22)

Installing the Trust Service Certificate

Once the Trust Service order is processed, the Trust Service provider sends an email with instructions on how to install the Trust Service certificate. You can also refer to the Trust Service provider's website for installation instructions: Comodo: https://support.comodo.com/index.php?_m=knowledgebase&_ a=view&parentcategoryid=95&pcid=1&nav=0,96,1 GeoTrust: https://knowledge.geotrust.com/support/knowledge-base/index? page=content&id=SO15065&actp=LIST&viewlocale=en_US Symantec: https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR212&actp=LIST&viewlocale=en_US thawte: https://search.thawte.com/support/ssl-digital-certificates/index? page=content&id=SO1498&actp=LIST&viewlocale=en_US Trustwave: https://ssl.trustwave.com/support/install-certificate.php

Enabling the Symantec Trust Seal

When you view or order a Symantec SSL Certificate, you will see a section called Trust Seal Settings.

If Trust Seal Enabled displays a checkmark, the service is enabled and you can display the Symantec Trust Seal on your website.

When the Trust Seal is enabled, you can also choose to enable Seal In Search. If you put a checkmark next to Seal In Search Enabled, Symantec certifies that your site is free of malware, and Symantec scans your site on a daily basis to verify that the site remains free of malware.

Whenever anyone who is using the AVG anti-virus solution performs a search that returns your website in the search results, they will see the Symantec seal next to the link for your web site.

The status of Seal in Search is displayed in the following three read-only fields:

 Seal Status: The current state of Search in Seal. The possible values are:

 Off—The Trust Seal order is pending authorization.  Trust Seal—Site has passed the daily malware scan.

(23)

 Malware Scan Status: The result of the Symantec scan. A value is displayed in this field only if Seal Status is Off. The possible values are:

 Date of the latest successful malware scan.  Failed—Scan failed; malware found on site.

 Pending—Malware scan has not yet been run on the site.  Unreachable—Scan not run as site unreachable at DNS level.  Unavailable—Scan not run as server accessible, but site down.  Last Scan Date: The latest date that a Symantec scan was done. A

value is displayed in this field only if Seal Status is Off.

Click UPDATE to save any changes you make to this section or click CANCEL

to ignore the changes and revert to the last saved settings.

Enabling the SiteLock product and seal

SiteLock offers three website security products, depending on the type of website on which it will be installed: Basic, Premium, and SMB Enterprise Secure.

• Basic—Provides simple, affordable protection from hackers, blacklisting by search engines, and many other website hazards.

• Premium—Provides a comprehensive suite of protection and detection tools.

• SMB Enterprise Secure—Offers the highest level of protection for customers who already use SSL, have a shopping cart, databases or are storing customer data on their site.

Every website protected by SiteLock goes under an evaluation which includes:

 Verification of the website owner's contact information.

 Checks for malware, viruses, SQL injections and cross-site scripting vulnerabilities.

 Verification that the email addresses and servers haven't been included on spam blacklists.

(24)

Order statuses

After you place an order for a SiteLock product, you will see two entries in the STATUS column for the same domain - one that says Order Completed

and one that says Product - Active. When you view the Product - Active

entry, you will see a link in the Status section called MANAGE ACCOUNT. This link allows logs you in to the SiteLock website where you can verify the

account information, view site statistics, and manage the account. To enable the SiteLock product

View Trust Services.

2. Click a domain name to view the associated Trust Service. 3. In the Status section, click MANAGE ACCOUNT.

You are automatically logged in to the SiteLock account where you can complete the order and make changes to the account.

4. Follow the steps to complete the order.

Once the process is complete, SiteLock provides you with a Javascript trust seal that you can install on your website.

You can also use the MANAGE ACCOUNT link to log in to SiteLock to manage the account and view alerts about issues that can affect the SiteLock seal.

Domain Admin

OpenSRS supplies an unbranded interface called Domain Admin that allows your customers to manage their accounts. The Domain Admin URL is

resellername.domainadmin.com where resellername is your Reseller name. The customer logs in using the username and password that you specified when you ordered the SiteLock product.

An unbranded email is sent to the customer to let them know their username and password as well as the URL for the Domain Admin end user control panel. The address to which this email is sent is the one that you specified in the Customer section when you placed the order for the Trust Service

product.

Important: To use this feature, the Trust Service order must be associated with a customer account. If you select No Customer Account when you order the Trust Service, the end user will not be able to access the Domain Admin

control panel. In that case, you can either provision the Trust Service product for your customer or you can provide your own end user interface.

(25)

To resend the Domain Admin login credentials to your customer, view the Trust Service, and in the Customer section, click Send user log-in info. If the Status is Product - Active or Product - Renewed, you can change the username. You can also change the email address to which the credentials are sent. If you change the Username field or the Email field, remember to click UPDATE to save your changes before you click Send user log-in info. Unbranded documentation for Domain Admin is available on the OpenSRS documentation page.

Upgrading a SiteLock product

At any time during the term, you can upgrade a SiteLock Basic or Premium SSL certificate to a higher level certificate.

SiteLock Basic can be upgraded to SiteLock Premium or SiteLock SMB Enterprise Secure, and SiteLock Premium can be upgraded to SiteLock SMB Enterprise Secure.

When you upgrade, you will be charged the price for one year at the new level, the product type changes, and the new expiry date is one year from the date of the upgrade.

Note: There is no refund for the original certificate.

Because you are upgrading an existing product, you do not need to specify the domain or the period.

To upgrade a SiteLock product

2. Click the domain name of the SiteLock product that you want to upgrade. You may see multiple entries for the same domain; be sure to click one with the status Product - Active.

3. In the Status section, from the Upgrade drop-down list, select the new product level, and then click UPGRADE.

4. In the Customer section, click the radio button that indicates the type of user account to associate with the Trust service. Although you already chose the Customer type when you first ordered the SiteLock product for this domain, you can change your selection when you

(26)

If you want to specify a new customer, select the New Customer Account radio button, and enter a username, password, and email address for the new customer in the Username, Password, and Email Address fields. The username and password allows the domain owner to log in to the Domain Admin end user control panel at

resellername.domainadmin.com to configure and manage their Trust Service product and account.

Important: If you select No Customer Account, the service will work; however, the end user will not be able to access the Domain Admin

control panel. In that case, you can either provision the Trust Service product for your customer or you can provide your own end user interface. If you do not create a username and password when you order the service, you cannot add it later.

5. In the Individual Contact Information sections, enter or edit the

details for the Trust Service contact. If you are entering a new contact, you must complete all of the fields.

6. Click UPGRADE SERVICE.

Creating the TRUSTe privacy policy and seal

TRUSTe offers a hosted privacy policy service that is available with or without a site seal. Unlike most other Trust products, there is no certificate that you need to install.

After you place an order for a TRUSTe product, the initial status of the order is Order - Awaiting Approval. When you view the order, you will see a link in the Status section called MANAGE ACCOUNT. This link logs you in to the TRUSTe website where you create a privacy policy by answering a number of questions.

To create the TRUSTe privacy policy

2. Click a domain name to view the associated Trust Service. 3. In the Status section, click MANAGE ACCOUNT.

You are automatically logged in to the TRUSTe account. 4. Follow the steps to generate the privacy policy.

Once you complete this process, TRUSTe verifies the domain's website, and then sends a fulfillment email to the domain contact.

(27)

that says Product - Active. View the Product - Active entry, and click the link in the Status section called MANAGE ACCOUNT to log in to TRUSTe.

6. Copy and paste the html code snippet to the website. If the order is for the TRUSTe Privacy Service With Seal product, TRUSTe also provides a trust seal to display on the website.

If the customer purchased the TRUSTe privacy policy without the seal, the policy can be posted as soon as it is generated. TRUSTe scans the website to ensure that it adheres to the policy.

If the customer purchased the TRUSTe privacy policy plus the seal, TRUSTe must approve the policy before the customer can post either the privacy policy or the seal. In addition to running a scan, TRUSTe manually reviews the scan report and notifies the customer if they need to make changes to their policy. The assessment and approval process takes one or two days. At the end of the approval process, the customer can log in to their account and get the javascript for the seal and they can post the privacy policy at the same time.

Domain Admin

OpenSRS supplies an unbranded interface called Domain Admin that allows your customers to manage their accounts. The Domain Admin URL is

resellername.domainadmin.com where resellername is your Reseller name. The customer logs in using the username and password that you specified when you ordered the TRUSTe product.

An unbranded email is sent to the customer to let them know their username and password as well as the URL for the Domain Admin end user control panel. The address to which this email is sent is the one that you specified in the Customer section when you placed the order for the Trust Service

product.

Important: To use this feature, the Trust Service order must be associated with a customer account. If you select No Customer Account when you order the Trust Service, the end user will not be able to access the Domain Admin

control panel. In that case, you can either provision the Trust Service product for your customer or you can provide your own end user interface.

To resend the Domain Admin login credentials to your customer, view the Trust Service, and in the Customer section, click Send user log-in info.

(28)

sent. If you change the Username field or the Email field, remember to click

UPDATE to save your changes before you click Send user log-in info. Unbranded documentation for Domain Admin is available on the OpenSRS documentation page.

Requesting a Trust Service scan

The site seal reassures visitors to a website that the site is free of malware, viruses, and other security concerns. The Trust Product providers scan the websites on a regular basis to ensure that this remains true. If issues are discovered and are not corrected, the Trust Service provider may remove the seal from the site.

If you have a Symantec or SiteLock seal, or the GeoTrust Web Site Anti-Malware scan product

,

and you have corrected a malware issue on your site, you can click REQUEST ON DEMAND SCAN to have the Trust Service provider rescan your system immediately and reinstate the Trust Seal.

To request an on demand scan

1. In the Control Panel, click the TRUST MANAGER tab, and then click

2. Click a domain name to view the associated Trust Service. 3. In the Seal Settings section, click REQUEST ON DEMAND SCAN.

Cancelling an SSL Certificate

Once the Trust Service order has been requested it can only be cancelled while it is in progress, it cannot be cancelled after it has been completed. The order can be cancelled by:

 Certificate holder—If you decide that you no longer want the SSL Certificate.

 SSL Provider—If they cannot validate the order for whatever reason.  OpenSRS—If you request assistance or if a problem is detected. ORDER STATE: Cancelled

Declining an SSL Certificate

Once the SSL Provider receives the order request, they can decline it for the following reasons:

(29)

 An invalid SSL Certificate approver where the approver does not match the domain for a given CSR.

 A Wildcard SSL Certificate is ordered but the CSR provided is for a non-wildcard product.

ORDER STATE: Declined

Refunding an SSL Certificate

An SSL certificate order can be cancelled and refunded by:

 Certificate holder—If you decide that you no longer want the SSL Certificate.

 SSL Provider—If they determine that the SSL Certificate was not properly issued or if the Certificate was being misused (installed on more than a single server without permission).

You can request a refund within 30 days of the date of fulfillment for Comodo, GeoTrust, Symantec, thawte, and most Trustwave certificates. Please note however that refunds are not available for SiteLock and TRUSTe certificates or for Trustwave EV certificates.

Trust Service orders that have been fulfilled cannot be cancelled through OpenSRS. Instead, you must contact the SSL Provider to cancel the order. For GeoTrust, Symantec, and thawte certificates, you can easily do this through the certificate provider's end user portal.

For Trustwave and Comodo certificates, you should contact [email protected] for assistance.

Upon refunding the certificate, the SSL Provider sends both the Reseller and the end user a confirmation email, the order is placed in the revoked state, and the money for the certificate is returned to your OpenSRS account. Note: Please allow up to 48 hours for refunds to be processed.

ORDER STATE: Revoked

Setting an SSL Certificate to Let Expire

If you do not want to renew a certificate at the end of the certification period, you can set it to expire at the end of its term without notification. If this option is enabled for a Trust Service product, renewal reminder emails will

(30)

To set a Trust Product to let expire

2. Click the domain that you want to set to let expire.

3. In the Status section, click to put a checkmark in the box beside Let expire without notification, and then click UPDATE.

Searching for Trust Service orders

Enter all or part of the domain name or admin email for which you want to search and click . You can use wildcard characters to represent part of the name.

Click a domain name to view information about the Trust Service for that domain.

Refining your search

You can filter the list of Trust Services based on the values in one or more columns. Click the down arrow in a column heading to display the search criteria for that column. Click the down arrow again to hide the search

criteria. As you select or deselect criteria, the results list changes to reflect your choices. You can select criteria in any column that displays the down arrow, and you can filter your results based on more than one column at a time.

If you don’t want to use filtering, you can check the box beside IGNORE FILTERS. The filtering options will still be displayed, but any selections you make will be ignored. To enable filtering again, remove the checkmark from the box.

Filtering by product type

To restrict your search to a particular type of Trust Services product, click the down arrow in the TYPE column, and then click the checkboxes to select or deselect the Trust Service product types that you want in the displayed list. When a box is checked, only orders for that Trust Service product type are displayed in the search results. Click all to select all product types or click

(31)

Filtering by status

To restrict your search to a particular status, click the down arrow in the

STATUS column, and then click the associated checkboxes to select or deselect the statuses that you want in the displayed list. When a box is checked, only the Trust Service orders that have the selected statuses are displayed in the search results. Click all to select all statuses or click none to deselect all statuses. By default, all statuses are selected.

Filtering by date

To restrict your search according to the date that the Trust Services were created or will expire, click the down arrow in the CREATED or EXPIRES

column, and then use the From and To calendars to restrict your search to Trust Services that were created or will expire within the specified date range.

Exporting Trust Service information

You can export details about Trust Service certificates and view the information as a .csv file. If you have a large number of domains and certificates, before using the export tool, you might want to use the search feature to display only those certificates that meet specific criteria. For example, you might want to see all of the certificates that will expire in a certain time range so that you contact those customers about renewing their certificates. For more information, see "Searching for Trust Service orders". To export Trust Service information

1. In the Control Panel, click the Trust Manager tab.

2. Click the checkboxes to put a checkmark next to each of the domains whose information you want to export, or click the checkbox at the top of the page to select all domains.

3. From the drop-down list beside the GO button, choose Export .CSV, and then click GO.

4. In the dialog box that appears choose whether to open or save the file, and then click OK.

(32)

Note: Since approval is required before an order can be processed, you can only request the Approver email for orders that are in progress.

(33)

Requesting an SSL Certificate reissue

When requesting a reissue, the same contacts and domain name associated with the original SSL Certificate must be used for the new SSL Certificate. To get a reissue on an SSL Certificate, access the SSL certificate provider's site:

Comodo: Contact Comodo Support at [email protected] or https://support.comodo.com/ GeoTrust: http://www.geotrust.com/resources/cert_reissuance/index.asp Symantec: http://www.verisign.com/ssl/current-ssl-customers/revoke-replace- ssl/index.html thawte: http://www.geotrust.com/resources/cert_reissuance/index.asp Trustwave: https://ssl.trustwave.com/ssl-control-center.php You will be asked for three pieces of information:

 Your Server DNS Name—the domain for which the SSL Certificate was issued.

 Email Address—any email address on the original order.

 Digital image—for security measures, you must type the five-digit number displayed on screen.

Once the information is submitted, a confirmation request is sent to the Technical contact on the SSL Certificate order.

Renewing Trust Service Products

Only active Trust Service products are eligible for renewal; once a product has expired, it can no longer be renewed. The renewal option for Trust Service products is displayed 60 days before the expiry date.

Note: You can only renew the Trust Service product as the same type of product. If you want to purchase a different type of product, you must create a new order.

To renew a Trust Service product

1. In the Control Panel, click View Trust Services.

(34)

5. Make any required edits to the saved information, and then click

RENEW SERVICE.

Customer Messaging

The Customer Messaging section is available on the Domain Manager tab, and lists all of the available Trust Services messages. When you see a checkmark in the Active column, it means that the message is enabled and will be sent when it is triggered by the associated action. If you remove the checkmark, the message is disabled and will not sent. If the checkbox is greyed out however, you cannot disable the message and it is always sent. You can click a link in the Message Name column to view and, in some cases, edit the contents of the message.

Editing customer messages

When you click to display a message, it opens in the Editing Message page, which allows you to view and, in some cases, edit the contents of the

message. If there is a checkmark in the Enabled checkbox it means that the message will be sent whenever the associated trigger occurs. If you remove the checkmark, the message is disabled and will not be sent. If the checkbox is greyed out however, you cannot disable the message and it is always sent. You can add or remove text in any of the editable fields. In addition, the Tab Legend section lists all of the variable tags that can be used in the message. To add a tag to an editable message, put your cursor in the location where you want to insert the tag and then click the add tag icon.

(35)

Trust Service SSL order messages

Trust Service - SSL Certificate order Messages are sent when a Trust Service certificate is order or processed. On the Customer Messaging page, click the

Message Name to view and, optionally, edit the message, including any placeholders.

Message Name Explanation Editable _(Y/N)

Message to Reseller when certificate approver rejects the order

Notifies the Reseller that the SSL certificate was rejected by the approver. Y Message to reseller when

vendor revokes the certificate

Notifies the Reseller that the certificate

vendor rejected the order. Y Message to reseller when

vendor cancels the order Notifies the Reseller that the certificate vendor cancelled the order. Y Message to reseller when

vendor completes order

Notifies the Reseller that the order has been completed and the certificate has been sent to the end user contacts. Y Message to Admin Contact

when True Biz ID certificate order is processed

Notifies the admin contact that the request for a True BusinessID certificate is in process.

Y

Message to Admin Contact when True Biz ID with EV certificate order is

processed

Notifies the admin contact that the request for a True BusinessID with EV certificate is in

process. Y

Message to Admin Contact when Domain Vetted certificate order is processed

Notifies the admin contact that the request for a domain vetted certificate is in process. Y

(36)

Message to Admin Contact when Organization Vetted certificate order is

processed

Notifies the admin contact that the request for an organization vetted certificate is in

process. Y

Trust Service SiteLock order messages

Trust Service - SiteLock order messages are sent when a SiteLock Trust Service product is ordered. On the Customer Messaging page, click the

Message Name Message description Editable _(Y/N)

Message to Admin Contact when SiteLock order is processed

Notifies admin contact that the SiteLock order has been processed. Y Message to Reseller when

vendor cancels SiteLock order

Notifies the Reseller that a SiteLock order has been rejected by the vendor. Y Message to Reseller when

vendor completes SiteLock order

Notifies the Reseller that SiteLock has completed the order and sent the certificate

(37)

Trust Service TRUSTe order messages

Trust Service - TRUSTe order messages are sent when a TRUSTe Trust Service product is ordered. On the Customer Messaging page, click the

Message Name Message description Editable _(Y/N)

Message to Reseller when TRUSTe order has been rejected by supplier

Notifies the Reseller that a TRUSTe order has been rejected by the vendor. Y Message to Admin Contact

when TRUSTe order is revoked

Notifies the admin contact that their business does not meet TRUSTe privacy

requirements. Y

Message to Reseller when vendor completes TRUSTe order

Notifies the Reseller that the TRUSTe order is complete and the certificate has been sent

to the admin contact. Y

Message to Reseller when vendor cancels TRUSTe order

Notifies the Reseller that TRUSTe has

cancelled the order. Y

Message to Admin Contact when TRUSTe order is processed

Notifies the admin contact that the order has been processed and they can now log in to TRUSTe to generate their privacy policy. Y Message to Admin Contact

when TRUSTe order is fulfilled

Notifies the admin contact that the order has been processed and they can log in to

TRUSTe to obtain their privacy policy and seal.

Y

Message to Admin Contact when TRUSTe order is on hold

Notifies the admin contact that TRUSTe made revisions to the privacy policy that need to be reviewed and approved. Y

(38)

Trust Service Free Trial order messages

Trust Service - Free Trial order messages are sent when a Trust Service Free Trial is ordered or processed. On the Customer Messaging page, click the

Message to Admin Contact when Free Trial order is processed

Notifies the admin contact that the request for a Trust Service 30 day free trial is in process. Y Message to Reseller

when customer cancels Free Trial order

Notifies the end user that the 30 day free trial

has been cancelled. Y

Message to Admin Contact when Free Trial order is cancelled

Notifies the admin contact that the 30 day free

trial has been cancelled. Y

Trust Service Malware Scan order messages

Trust Service - Malware Scan order messages are sent when a Malware Scan Trust Service product is ordered. On the Customer Messaging page, click the

Message to Admin Contact when Malware Scan order is

processed

Notifies the admin contact that the GeoTrust Malware Scan order has been processed. Y

(39)

Trust Service SSL renewal messages

Trust Service - SSL Certificate renewal messages are sent when a Trust Service certificate is about to expire. On the Customer Messaging page, click the Message Name to view and, optionally, edit the message, including any placeholders.

Reseller Daily Upcoming Renewal Reminder

Daily report to Reseller that lists certificates that are expiring in 60, 30, and 10 days as well as those that expired within the last 30 days, and those were renewed the previous day.

Y

Renewal reminder email 60

days before expiry date Notifies admin contact that their certificate will expire in 60 days. Y Renewal reminder email 30

days before expiry date Notifies admin contact that their certificate will expire in 30 days. Y Renewal reminder email 10

days before expiry date Notifies admin contact that their certificate will expire in 10 days. Y Renewal reminder email at

expiry date Notifies admin contact on the day that their certificate is expiring. Y Renewal reminder email 10

days after expiry date

Notifies admin contact that their certificate has expired and reminds them to renew it. Y

(40)

Trust Service Malware Scan renewal messages

Trust Service - Malware Scan renewal messages are sent when a Malware Scan Trust Service product is about to expire. On the Customer Messaging

page, click the Message Name to view and, optionally, edit the message, including any placeholders.

Message to Admin Contact when Malware Scan order is expiring in 60 days

Notifies admin contact that their GeoTrust Malware Scan service will expire in 60

days. Y

Message to Admin Contact when Malware Scan is expiring in 30 days

days. Y

Message to Admin Contact when Malware Scan order is expiring in 10 days

days. Y

Message to Admin Contact when Malware Scan order at expiry date

Notifies admin contact on the day that their GeoTrust Malware Scan service is

expiring. Y

Message to Admin Contact when Malware Scan order is 10 days after expiry

Notifies admin contact that their GeoTrust Malware Scan service has expired and reminds them to renew it.

(41)

Trust Service SiteLock renewal messages

Trust Service - SiteLock renewal messages are sent when a SiteLock Trust Service certificate is about to expire. On the Customer Messaging page, click the Message Name to view and, optionally, edit the message, including any placeholders.

Message to Admin Contact when SiteLock order is expiring in 60 days

Notifies admin contact that their SiteLock seal expires in 60 days. Y Message to Admin Contact

when SiteLock order is expiring in 30 days

Notifies admin contact that their SiteLock seal expires in 30 days. Y Message to Admin Contact

when SiteLock order is expiring in 10 days

Notifies admin contact that their SiteLock seal will expire in 10 days. Y Message to Admin Contact

when SiteLock order is at expiry date

Notifies admin contact on the day that their SiteLock seal is expiring. Y Message to Admin Contact

when SiteLock order is expired 10 days ago

Notifies admin contact that their SiteLock seal has been expired for 10 days. Y

Trust Service TRUSTe renewal messages

Trust Service - TRUSTe renewal messages are sent when a TRUSTe Trust Service certificate is about to expire. On the Customer Messaging page, click the Message Name to view and, optionally, edit the message, including any placeholders.

(42)

expiring in 60 days

Message to Admin Contact when TRUSTe order is expiring in 30 days

Notifies admin contact that their TRUSTe privacy policy expires in 30 days. Y Message to Admin Contact

when TRUSTe order is expiring in 10 days

Notifies admin contact that their TRUSTe privacy policy will expire in 10 days. Y Message to Admin Contact

when TRUSTe order at expiry date

Notifies admin contact on the day that their TRUSTe privacy policy is expiring. Y Message to Admin Contact

when TRUSTe order is 10 days after expiry

Notifies admin contact that their TRUSTe privacy policy has been expired for 10 days. Y

(43)

Revisions

May 7, 2013

• Added information about the period during which you can request a refund for a Trust Service certificate.

September 20, 2012

• Added the following SAN certificates:

• GeoTrust Quick—SSL Premium SAN, TrueBusiness ID EV SAN, and TrueBusiness ID SAN

• Symantec—Secure Site EV SAN, Secure Site Pro EV SAN, Secure Site Pro SAN, and Secure Site SAN

• Thawte—SGC Super Certs SAN, SSL Web Server EV SAN, and SSL Web Server Certificate with SAN

• Incremented version to 4.0.8.

April 26, 2012

• In order to reduce the number of orders that get declined as a result of incorrect CSRs, you can now use the Parse CSR feature in the Trust Manager to parse the CSR while the order is either pending or

processing.

April 17, 2012

• VeriSign seals and products are have been re-named to Symantec seals and products. In addition, the maximum term for Symantec products is now four years instead of five. The expiry dates for any existing certificates are unaffected by the change to the maximum term.

• The maximum registration period for Trust Service products is now four years.

February 16, 2012

• You can export details about Trust Service certificates and view the information as a .csv file.

(44)

November 15, 2011

• Free 30 day trials are available for the following Trust Service products:

• GeoTrust—True BusinessID with EV

• TRUSTe—Hosted Privacy Policy (HPP) and Privacy Policy with Seal (TPS)

• VeriSign—SecureSite, Secure Site Pro, Secure Site with EV, and Secure Site Pro with EV

October 20, 2011

• Added the following Trust Service product: GeoTrust Web Site Anti-Malware Scan.

• You can now specify the email address to which the Domain Admin credentials are sent for SiteLock and TRUSTe products.

October 6, 2011

• Added the following Trust Service products: • Comodo SSL

• Comodo SSL Wildcard

• At any time during the current term, you can now upgrade SiteLock SSL certificates to a higher level SiteLock certificate.

September 13, 2011

 Added the following Trust Service products:  SiteLock Basic

 SiteLock Premium

 SiteLock SMB Enterprise Secure  TRUSTe HPP (Hosted Privacy Policy)

 TRUSTe TPS (TRUSTe Privacy Policy with seal)  Incremented version to 3.9.

March 15, 2011

 Added the following Trust Service products:  Comodo EV (Extended Validation) SSL

(45)

 Comodo Premium SSL Wildcard

 Trustwave DV (Domain Vetted) SSL Certificate  Trustwave Premium EV (Extended Validation) SSL  Trustwave Premium SSL

 Trustwave Premium SSL Wildcard  Incremented version to 3.7.

OpenSRS Trust Manager. May 7, 2013