This guide explains how to export an SSL certificate from the Manager Infomaniak.
Preamble
- Downloading the certificate produces a file in .zip format.
- The archive contains .key and .crt files.
- It is recommended to store this certificate and its private key in a secure place, as it could allow access to your encrypted data.
Export an SSL certificate
To access the management of your certificates:
- Click here to access the management of your product in the Manager Infomaniak (Need help?).
- Click directly on the name assigned to the product concerned.
- Click on the action menu ⋮ to the right of the item concerned in the table that appears.
- Choose Export Certificate and follow the instructions to download the archive.
This guide explains how to correctly interpret the detailed information provided by Qualys SSL Labs (https://www.ssllabs.com/ssltest/), which may sometimes seem technical or alarming without appropriate context.
Preamble
- Qualys SSL Labs is an analysis tool widely used to evaluate the SSL/TLS configuration of websites.
- Warnings in its reports are often only technical details that do not affect the security or SEO of the site.
Multiple certificates in SSL Labs reports
When SSL Labs analyzes a site, it can display several numbered certificates (certificate #1, certificate #2, etc.). This happens for several reasons:
- Principal certificate (#1): the certificate presented when SNI (Server Name Indication) is used.
- SNI is a TLS extension that allows a server to host multiple SSL certificates for different domains on the same IP address. When a browser connects, it indicates the domain name it wishes to reach.
- Secondary certificate (#2): the certificate presented when SNI is not used or when connecting directly via IP.
An indication "No SNI" in certificate #2 is not an error. It simply means that SSL Labs has tested what happens when a client connects without providing SNI information. In this case:
- The server serves a fallback certificate (often a generic or preview certificate).
- This situation concerns only very obsolete clients that do not support SNI.
- Modern browsers all use SNI and will therefore receive certificate #1.
Certificate chain problems
"Chain issues: Incorrect order, Extra certs, Contains anchor"
These warnings do not necessarily mean that the certificate is defective:
- Incorrect order: intermediate certificates are not presented in the optimal order.
- Extra certs: additional certificates that are not required are included.
- Contains anchor: the root certificate is included in the chain.
The TLS protocol allows the root certificate to be omitted, as it is normally already present in the certificate stores of browsers. Including it is not an error, but a redundancy.
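The three findings can be reproduced offline on a saved chain. This is an added example, not part of Infomaniak's guide or of SSL Labs; the function name chain_issues is an assumption, and it compares subject and issuer name hashes only (no signature verification), treating a self-issued certificate at the end of the path as the anchor.

```shell
# chain_issues FILE: FILE is a PEM bundle in the order the server sends it
# (leaf certificate first). Prints the findings, or "none".
chain_issues() {
    dir=$(mktemp -d) || return 2
    # Split the bundle into cert1.pem, cert2.pem, ... in the order sent.
    awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ { n++ }
        n { print > (d "/cert" n ".pem") }' "$1"
    # One line per certificate: position, subject name hash, issuer name hash.
    i=1
    while [ -f "$dir/cert$i.pem" ]; do
        s=$(openssl x509 -in "$dir/cert$i.pem" -noout -subject_hash)
        u=$(openssl x509 -in "$dir/cert$i.pem" -noout -issuer_hash)
        echo "$i $s $u"
        i=$((i + 1))
    done > "$dir/table"
    awk '{ subj[$1] = $2; iss[$1] = $3; n = $1 }
    END {
        if (n == 0) { print "no certificates found"; exit }
        # Walk from the leaf to its issuer, then to that issuer, and so on.
        cur = 1; used[1] = 1; path = 1; ordered = 1; anchor = 0
        while (subj[cur] != iss[cur]) {
            nxt = 0
            for (j = 2; j <= n; j++)
                if (!used[j] && subj[j] == iss[cur]) { nxt = j; break }
            if (!nxt) break
            if (nxt != cur + 1) ordered = 0    # issuer is not the next cert
            used[nxt] = 1; cur = nxt; path++
        }
        # The walk ended on a self-issued certificate: the root was sent.
        if (path > 1 && subj[cur] == iss[cur]) anchor = 1
        out = ""
        if (!ordered) out = out ", Incorrect order"
        if (path < n) out = out ", Extra certs"
        if (anchor)   out = out ", Contains anchor"
        print (out == "" ? "none" : substr(out, 3))
    }' "$dir/table"
    rm -rf "$dir"
}
```

A chain saved from the server (for instance the .crt file followed by the CA bundle) is passed as the only argument.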
"Alternative names mismatch"
For the fallback certificate (#2), the "MISMATCH" warning is normal because:
- This certificate is issued for another domain (preview.infomaniak.website).
- It is presented only when SNI is not used.
- The browser receiving this certificate would identify it as not corresponding to the requested domain, but this does not affect normal connections with SNI.
On SEO concerns:
- Google and other search engines use modern browsers that support SNI.
- They receive certificate #1, which is valid for your domain.
- Warnings concerning certificate #2 have no impact on SEO.
- Only problems with the main certificate (#1) could affect SEO.
This configuration is perfectly suited to shared hosting, where several sites share the same infrastructure, with a preview certificate serving as a fallback solution.
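The two connections SSL Labs makes, with and without SNI, can be repeated with openssl to see which certificate is #1 and which is #2, and to confirm that the "MISMATCH" applies only to #2. This is an added example, not part of Infomaniak's guide; the function names served_cert and sni_compare are assumptions, and it needs OpenSSL 1.1.1 or later for -noservername.

```shell
# served_cert ADDR PORT SNI HOST
# Prints "<sha256 fingerprint> <match|MISMATCH>" for the leaf certificate.
# SNI is the name sent in the ClientHello ("" sends none); HOST is the
# name the certificate is checked against.
served_cert() {
    if [ -n "$3" ]; then sni_opt="-servername $3"; else sni_opt="-noservername"; fi
    # $sni_opt is left unquoted on purpose: it is an option plus its value.
    pem=$(openssl s_client -connect "$1:$2" $sni_opt </dev/null 2>/dev/null |
          openssl x509 2>/dev/null) || return 1
    fp=$(printf '%s\n' "$pem" | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2)
    if printf '%s\n' "$pem" | openssl x509 -noout -checkhost "$4" |
            grep -q "does match"; then
        echo "$fp match"
    else
        echo "$fp MISMATCH"
    fi
}

# sni_compare HOST [PORT] [ADDR]
# ADDR defaults to HOST; set it to test one specific IP address.
# Returns 0 when certificate #1, the one SNI-capable clients receive,
# covers HOST. The result for certificate #2 is printed for information.
sni_compare() {
    host=$1; port=${2:-443}; addr=${3:-$1}
    c1=$(served_cert "$addr" "$port" "$host" "$host") ||
        { echo "no certificate received with SNI" >&2; return 2; }
    c2=$(served_cert "$addr" "$port" "" "$host") ||
        { echo "no certificate received without SNI" >&2; return 2; }
    echo "certificate #1 (SNI):    $c1"
    echo "certificate #2 (no SNI): $c2"
    case $c1 in *" match") return 0 ;; *) return 1 ;; esac
}
```

Run against your own domain as `sni_compare www.example.com`; on the shared hosting described above the second line is expected to show a different fingerprint and MISMATCH.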
This guide explains how to add two different SSL certificates (EV or DV) on the same site.
Preamble
- Since it is not possible to install two SSL certificates on the same site, it is necessary to create two identical sites.
Creation of the second site
Prerequisites
- Remove any domain name aliases from your site.
To access web hosting to add a site:
1. Click here to access the management of your product in the Manager Infomaniak (Need help?).
2. Click directly on the name assigned to the product concerned.
3. Click on the Add Site button.
4. Continue without installing a tool.
5. Choose between using a domain name or a subdomain.
6. Indicate the name of the domain or subdomain.
7. Click on Advanced options.
8. Activate (or not) the Let's Encrypt SSL certificate on the future site.
9. Check the box Set Location manually.
10. Choose the same location as the main site.
11. Choose the same PHP version as the main site.
12. Click the blue Next button to start creating the site.
Install SSL certificate
Once the second site is created (any addition or modification can take up to 48 hours to propagate), you will be able to install an SSL certificate (if you have chosen not to install the certificate in point 8 above).
To access website management:
- Click here to access the management of your product in the Manager Infomaniak (Need help?).
- Click directly on the name assigned to the product concerned.
- Click on SSL certificates in the left side menu.
- Click the blue Install an SSL certificate button and follow the procedure.
This guide explains how to obtain a 2048-bit SSL certificate in .p12 format, useful in particular for SAP, Salesforce, etc., from the Infomaniak infrastructure.
Obtain a .p12 certificate
A .p12 certificate is a container that includes the certificate, the intermediate CAs and the key itself.
It is possible to create this type of certificate yourself from what can be downloaded from the Manager Infomaniak:
- order a certificate for the domain sap.domain.xyz by providing a CSR (which means having the private key with you, named e.g. server.key)
- download the certificate generated in the Manager Infomaniak: sap.domain.xyz-15-03-2024.zip
- uncompress the archive
- execute:
  openssl pkcs12 -export -out server.p12 -inkey server.key -in sap.domain.xyz.crt -certfile ca_bundle.crt
A file server.p12 will then be obtained.
If the certificate was generated without a CSR, the .key file present in the downloaded zip is the one that will serve as the key.
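The same export with two checks around it, as an added example that is not part of Infomaniak's guide: the private key is confirmed to belong to the certificate before the container is built, and the container is written readable by its owner only and then re-opened. The function name build_p12 and the P12_PASS variable are assumptions of this example; the file names in the usage note are the guide's.

```shell
# build_p12 KEY CERT CA_BUNDLE OUT
# Reads the export password from the environment variable P12_PASS, so it
# is not passed as a command-line argument.
# Prints the number of certificates stored in OUT.
build_p12() {
    key=$1; crt=$2; bundle=$3; out=$4
    [ -n "${P12_PASS:-}" ] || { echo "P12_PASS is not set" >&2; return 2; }
    export P12_PASS

    # The private key must belong to the certificate: both must yield the
    # same public key. A mismatch means the wrong .key file was picked.
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
        { echo "cannot read private key $key" >&2; return 2; }
    cpub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) ||
        { echo "cannot read certificate $crt" >&2; return 2; }
    if [ "$kpub" != "$cpub" ]; then
        echo "private key does not match certificate" >&2
        return 1
    fi

    # Same command as in the guide, with a non-interactive password and a
    # umask that makes the container readable by its owner only (0600).
    ( umask 077
      openssl pkcs12 -export -out "$out" -inkey "$key" -in "$crt" \
          -certfile "$bundle" -passout env:P12_PASS ) || return 2

    # Re-open the container to confirm the password and its contents.
    openssl pkcs12 -in "$out" -passin env:P12_PASS -nokeys 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}
```

With the guide's files: `build_p12 server.key sap.domain.xyz.crt ca_bundle.crt server.p12`.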