To install an SSL account, you will need a SSL certificate. A certificate is digitally signed by a certificate authority like Thawte. Depending on the type you choose, the certificate verifies the domain name and/or the identity of the certificate owner. Certificates ordered through Hetzner Online are generally signed by DigiCert, Thawte Inc or Let's Encrypt. In addition, you can also import your own certificates using the SSL Manager.

Basic and Let's Encrypt certificates

In cooperation with our partners for security solutions, DigiCert, we can provide free Basic SSL certificates. In addition, we also offer free Let's Encrypt certificates. We provide Thawte Business certificates for a fee.

Request a basic or Let's Encrypt certificate

You can only request a Basic or Let's Encrypt certificate if you have an active web hosting account or for existing subdomains.

To do this, go to the domain overview for the specific domain that you would like to order the SSL certificate for. Then open the SSL Manager (Settings; Extras; SSL Manager).
Under “SSL certificates”, click on “New certificate” and choose “Basic SSL certificate” or "Let's Encrypt certificate" from the selection that follows.
Now simply select the (sub)domain that you would like the SSL certificate for from the list, and then click on “Request”.

In some situations, you may need to do a manual authentication to complete the certification process. You can choose between using a DNS-based or file-based manual authentication method. You can find more information about this in the SSL guide.

Guide for installing your SSL certificate

Step 1: Log into your customer account on konsoleH. Then select your domain. Now an overview will open in the menu on the left-hand side. Here you can select your SSL account by going to "Settings", then to "SSL Manager", and then "SSL Accounts".

Step 2: To request a free basic certificate, first select it.

Step 3: Click on the key symbol.

Step 4: Now click on "Install" to confirm that you would like to request the certificate for your SSL account. Please note: Authentication for the basic certificate shall be performed via DNSAuth. For this, you will need to enter a specific DNS auth record in the DNS settings of the domain that you want the certificate for. There are two ways to do this:

1. Use the konsoleH name server for your domain. Normally, everything will be done automatically. The certificate should be finished within one to two hours.
1. Use your own name server or a third party name server for your domain. In this case, you need to get the DNS auth record, which you will then set directly on konsoleH. This record will look something like the example below:

domain.de. IN TXT "201601011234561bfs5p5fdum9g8kciot9u3tu4t0e10142zq9wsnutvy2tz844d"

Step 6: Until the auth record is set, the displayed status will remain "Waiting for DNS authentication".

Step 7: By clicking on the status text, you can request to get a new auth token or to cancel your order.

Step 8: The requested new auth token will be displayed.

Step 9: Double check that the correct DNS auth record is set and that the certificate is active. Once the certificate has been successfully issued, you can delete the auth record. If you use your own name server or a third party name server, you will need to do this yourself. If you use konsoleH's name server, this will be done automatically.

How long are the Basic and Let's Encrypt certificates valid for?

The Basic certificates are valid for one year; Let's Encrypt certificates are valid for three months. Shortly before the expiration date, we will automatically request an extension of your certificate for you, as long as you have not canceled your account. There is no additional cost for the extension. However, in some circumstances, you may be asked to re-do the authentication needed for the certificate extension. If this is the case with your certificate, we will inform you via email about how to do this.

What limitations are there to the Basic and Let's Encrypt certificates?

In principle, there are no technical limitations to using Basic and Let's Encrypt certificates. However, there are some situations where a Basic or Let's Encrypt certificate cannot be used for domain names, for example, if there are issues regarding protected trademarks. If your domain is affected by this, you will receive a notice about it when you request the certificate. In cases like this, we recommend that you use a business certificate instead. We at Hetzner Online have absolutely no influence over whether a domain name falls under these restrictions. Furthermore, a Basic or Let's Encrypt certificate does not actually validate your identity online. What actually happens is that only the name of the issuer is shown. For online shops, we recommend that you instead use an address-validated business certificate because it confirms your identity in the certificate. For further information, please see the section below on business certificates.

Business certificates

What different type of business certificates are there?

You can choose from several types of business certificates from Thawte. In general, they differ from each other in the manner of how and what they validate.

Domain-validated certificate: the domain or the ownership of the domain is verified. This can be done using various methods, such as DNS, email, or file-based authentication. The certificate is only issued to your domain.
Address-validated certificate: In this type of certificate, in addition to confirming the ownership of the domain, it also includes an identity check. This identity check is usually performed by confirming your business's certificates of registration and by calling you, the certificate owner. This type of certificate also contains your company's name and headquarters.
Extended validation (EV): If you have this certificate, the URL address will be highlighted in green and it will clearly display your identity.

In addition, there are certificates that are either valid for one or for several (sub) domain names, for example, your-domain.de and www-yourdomain.de) and wildcard certificates, which can be valid for all subdomains at once (*.your-domain.de).

Ordering a business certificate

Go to the domain overview for the specific domain that you would like to order the SSL certificate for. Then open the SSL Manager by going to "Settings", "Extras", and "SSL Manager".
On this page, you will see a list of all the available business certificates. The list will also include external certificates that were imported. In the certificate overview, select “New certificate” and then select “Business SSL certificate”. This will then open the setup assistant for Thawte Business certificates.
Select the type of certificate you would like to have.
Address-validated and domain-validated certificates can be used for several domains because they are actually subject alternative name (SAN) certificates. Enter the number of domains you would like to secure in the field "Number of domain names".
Then, enter the address information for the certificate owner and desired manner of validation.
In the last step, you will receive a full overview including a price quotation. You can complete the ordering process by clicking on the button that reads, "Order with the obligation to pay."
Your order will be automatically forwarded to Thawte. Depending on the method of validation you choose, you will receive additional information about the final steps.
When the certificate is complete, you will receive information via email. You will find your certificate highlighted in green in the certificate list on your account on konsoleH.

What different types of authentication methods are available?

There are three different types of methods for domain-validated certificates:

DNS authentication: With this option, the authentication is performed via an entry in your domain's zone file. This process can be performed automatically if your domain uses konsoleH's name servers. If the process cannot be automated, at the end of your ordering process, you will receive a DNS entry in the form of domain.de. IN TXT "201601011234561bfs5p5fdum9g8kciot9u3tu4t0e10142zq9wsnutvy2tz844d" You should enter this entry as a TXT record without changing it. (A-records will not be accepted.)

Please note: Changes to the DNS are often subject to a certain amount of latency. If you use a name server from a third party, please check in advance whether the third party supports the entry of such DNS auth records.

File-based authentication: In this method, authentication is performed via a file on your web space. At the end of the ordering process, you will be shown a file name as well as the necessary content of that file. Please save that file in the document root directory of the relevant (sub)domain. Depending on your server configuration, the file may be automatically generated. Do not be alarmed, therefore, if the file suddenly appears in your web space.

Please note: Depending on your server configuration, such as if you use "mod-rewrite" or other forwarding settings, it may not be possible to access the file externally. Please check your browser in advance to see whether you can access the file via http://ihre-domain.de/.well-known/pki-validation/fileauth.txt

Approve email: With this method, you will be sent an "approve email" at a specific email address within your (sub)domain. This email will contain confirmation link for your order. Normally, you can choose between the mail accounts "webmaster", "admin", "administrator", "hostmaster", and "postmaster". If you choose this method, please be sure to select an email account that actually exists or set up a forwarding address to an existing email account.

The method that you choose is entirely up to you. konsoleH will automatically select the easiest and most automated method for your personal setup (name server, web space, etc.). However, you may change this selection at any time during the ordering process. Once the ordering process is complete, however, you may no longer change the method.

How to extend a business certificate

Approximately 4 weeks before the termination of your Thawte SSL business certificate, you will receive an email from us to remind you that your certificate will soon become invalid.

The process for extending a certificate that is about to run out is not very much different from the normal ordering process for a new certificate.

Select the domain that you would like to order the SSL certificate for and go to the menu on the left-hand side. Then open the SSL Manager (go to "Settings", "Extras", and "SSL Manager").
To the right of the certificate, click on the clock icon.
Double check that the address information and method of validation are correct on the following pages.
In the last step, you will receive a full overview including a price quotation. You can complete the ordering process by clicking on the button that reads, "Order with the obligation to pay."
Your order will be automatically forwarded to Thawte. Depending on the method of validation you choose, you will receive additional information about the final steps.
When the certificate is complete, you will receive information via email. You will find your certificate in the certificate list on your account on konsoleH. There will be a green square next to it once it is complete.

How to request a reissue

At any time during the duration of your certificate, you may request to have your certificate reissued to you. This may be advisable if:

you would like to change the subdomain (!) of your certificate (for example, from sub1.domain.de to sub2.domain.de).
your certificate was issued using an outdated digital signature algorithm (DSA) or was signed using an outdated one (such as SHA1).
your private key and/or the entire certificate becomes compromised.

Important note: A reissue will not affect the duration of the certificate in any way. It cannot be used to extend the certificate and should not be confused with the "Extend" menu tab.

Log into your account on konsoleH.
Choose the domain that you would like the SSL certificate to be reissued for and go to the menu on the left-hand side. Then open the SSL Manager (go to "Settings", "Extras", and "SSL Manager").
On the right-hand side of the certificate, click on the pencil icon.
By clicking on "Send request", your request for a reissue will automatically be sent to Thawte.
Once the certificate has been validated, you will receive an email to notify you that it is complete.

Note: In some situations, it may be necessary to manually re-do the authentication for the certificate.

Certificates from third parties and self-signed certificates

Please note: If you would like to use the certificate of a third party, it is not necessary to generate a respective CSR via konsoleH. Instead, for security reasons, we recommend that you generate the certificate's data on your server or local computer and that you forward just the CSR to the certificate authority. If you would like to create the CSR, you can continue to read below to learn more, or see: https://www.digicert.com/kb/csr-creation.htm

How to import an existing certificate

Please note: A certificate that has been imported cannot be changed again regardless of the respective intermediate certificates.

Therefore, please import certificates from third parties only once they have been totally completed.

You must have the certificate key, the private key, and all intermediate certificates in PEM format in order to be able to import an external certificate. In addition, the private key may not be encrypted with a password.

Log into your account on the customer administration interface konsoleH.
Choose the domain that you would like to import the SSL certificate for and go to the menu on the left-hand side. Then open the SSL Manager (go to "Settings", "Extras", and "SSL Manager").
Click on “New certificate” and then on “Import certificate”.
Copy-paste the certificate key into the field "Certificate".
Copy-paste the private key into the field "Key".
Enter all intermediate certificates (root and intermediate) in block format below each other in the field "CA".
Click on "Import certificate".
When the certificate is complete, you will receive information via email. You will find your certificate in the certificate list on your account on konsoleH. There will be a green square next to it once it is complete.

Note: To order an SSL certificate, you need a Certificate Request Key (CSR). On a Linux server, you can create one of these simply by entering the following command:

openssl req -new -nodes -newkey rsa:2048 -keyout www_meinedomain_de.key -out www_meinedomain_de.csr

This command will also create a private key.

How to activate an extended or reissued certificate (Thawte business certificate or external certificate

You need to activate and upload an extended or reissued certificate to the web server.

Under the domain overview, select the proper account. Then open the SSL Manager (go to "Settings", "Extras", and "SSL Manager").
You will then see a listing of the (sub)domains. To the right of each (sub)domain, you can see a list of certificates. Select the new certificate here.
Then click on the symbol with the two rotating arrows next to the certificate. By doing this, the extended or reissued certificate will be uploaded to the web server permanently and will immediately be used to call up https pages.

Downloading a finished certificate (Thawte business certificate or external)

Log into your account on the customer administration interface konsoleH.
Select the domain and go to the menu on the left-hand side. Then open the SSL Manager (go to "Settings", "Extras", and "SSL Manager").
Under “SSL certificates,” you will see a list of all the business certificates you already have as well as any certificates that you have imported.
At the very right of the line for the individual certificate, click on the download icon.
The certificate and all its keys will be downloaded as a .zip file and will be saved on the local PC so that you may access it.

SSL certificates