Skip to main content

SSL certificates

An SSL certificate is used to encrypt your website. It provides a secure connection to your website and your online store. An SSL certificate is required for certain markets and for receiving the Trusted Shops certification. You know you’re using an SSL certificate if your website is accessed via https.

1. Which SSL certificates are available?

SSL certificates are offered by independent certificate providers. plentymarkets offers different types of SSL certificates:

Type Explanation

AlwaysOn 
(DV)

  • cheapest SSL certification model

  • issued by DigiCert

  • Length of validity:

    • 6 months

  • Order it:

    • In the setup menu

  • Renewal:

COMODO 
(DV)

  • globally recognised and trusted certification authority.

  • the certification authority is liable in the event of misuse or loss of data.

  • Length of validity:

    • 1 year

    • for newly ordered certificates, the validity period begins when the certification authority confirms the order.

    • remaining validity cannot be transferred from the previous certificate.

  • Order it:

    • In the setup menu

  • Renewal:

    • not automatically renewed

    • should be renewed at the end of the validity period.

    • A reminder email is sent to the hostmaster address 14 days before the certificate officially expires.

    • It’s also possible to receive email reminders. The LetsMonitor.org  service is a free option.

Sectigo 
(OV/EV)

OV and EV certificates entail a more comprehensive verification process, but they also provide more trust.

  • OV = Organizational Validation

    • The certificate authority verifies the company. In doing so, details such as the company name, location and address are compared with information from the commercial register.

  • EV = Extended Validation

    • Considered to be the most secure and trustworthy solution.

    • The certificate authority completes a validation process specified by CA/Browser Forum .

  • Length of validity:

    • 1 year

  • Order it:

    • With an assistant

  • Renewal:

    • Renewal is not currently possible. The certificate needs to be renewed in the assistant at the end of the validity period.

Breakdown of prices

AlwaysOn
DV
COMODO
DV
Sectigo
OV
Sectigo
EV

Validity period

6 months

1 year

1 year

1 year

Monthly fee

€2

€2

€2

€2

Cost of the SSL certificate

€0

€35.70

€118.80

€348

One-time setup fee

€0

€0

€29

€99

All prices are listed in net.

2. Prerequisites for booking an SSL certificate

2.1. Domain

It’s only possible to order an SSL certificate for a primary domain. In other words, the domain must be listed as a primary domain in the menu Setup » Assistants » Basic setup » Domain assistant.

Tip: Look at your domains with the table view. This will help you recognise which one is the primary domain.

Primary Domain
Figure 1. Domain assistant with the table view

If you want to set up an SSL certificate for a different domain, you will have to set this domain as your main domain first.

It’s not possible to order an SSL certificate if the corresponding domain is defined as external (i.e. it refers to an external IP address).

external domain

2.2. Active autoscaling

A few systems have not been switched to autoscaling  (AS). In most cases, this is because the domain is not hosted by plentymarkets. As such, the domain owner must adjust the DNS settings manually. Another cause might be that the domain was added to a client for the first time. These clients are not automatically switched to autoscaling. The plentymarkets support team needs to manually activate autoscaling.

How can I tell if AS is activated?

Look at the DNS settings in the domain assistant to see whether AS is activated for the particular system.

Checking the autoscaling status:

  1. Open the domain assistant and navigate to the step Current DNS Settings.
    Note: This step only appears if you selected Add a new domain, hosted externally in the step Domain type.

  2. In the column DNS Record Type, check if a CNAME entry exists for the domain.
    → If a CNAME entry exists, autoscaling is active. An SSL certificate can be ordered.
    → If no CNAME entry exists, but rather two A records, autoscaling is not active.

  3. If autoscaling is not active, contact the plentymarkets support via the plentymarkets Forum  and ask them to activate autoscaling. The thread is in German, but the support staff can also speak English.

Example of the DNS settings shown for a system on AS:

current dns settings

2.3. For subdomains: Existing parent domain

If you want to order an SSL certificate for a subdomain, then the parent domain must also exist in the assistant. The relationship between the domain and subdomain must also be entered correctly in the assistant. Check the settings in the assistant.

If the parent domain was deleted from the assistant, then create the parent domain again. If you do not want this parent domain to point to plentymarkets, but rather e.g. to Showare, then save an external A record for the parent domain by creating a system link.

2.4. For external domains: DNS settings

The SSL order is validated on a file level. This means that the domain for which the certificate is to be ordered must be accessible correctly.

  • The DNS settings saved for the external provider must be identical to the DNS settings saved in the assistant.
    → Check the settings in the service area of your domain provider.

  • The domain that the SSL certificate is being ordered for must not have an IPv6 entry (AAAA record).
    → Check the settings in the service area of your domain provider.

  • Any existing CAA records  must allow the certificate to be ordered for the chosen domain.
    → Check the settings in the service area of your domain provider. The necessary CAA record is as follows:

DNS Source DNS Record Type DNS Target

@

CAA

issue digicert.com

2.5. Remove 301 redirects for '/'

Open the domain assistant for the particular domain and make sure there is no 301 redirect for the homepage, as shown in the following example:

/;Target-URL;301;L

/*;Target-URL;301;L

^/*;Target-URL;301;L

2.6. No manually created sub-domain for www.

A manually created sub-domain for www.yourDomain.tld prevents the SSL certificate from being issued, since it would create a duplicate DNS entry for www. If you manually created such a sub-domain, you will need to delete it.

2.7. Check list

Ready to order an SSL certificate? Work through this checklist to make sure that you’ve met all of the requirements.

  • Domain has not been cancelled

  • Domain is a primary domain

  • Domain has been switched to AutoScaling (AS)

  • For sub-domains: there is an existing parent domain

  • The DNS settings match the entries in the domain assistant

  • There is no AAAA record for whichever domain the certificate should be ordered

  • There is no negative CAA record

  • There is no 301 redirect for the homepage

  • There is no manually created sub-domain for www.

3. Ordering an SSL certificate

Once you’ve met all of the requirements, you can order an SSL certificate. plentymarkets orders the SSL certificate on your behalf and bills you for the one-off purchase price and the monthly fee.

Depending on which type of certificate you want to order, you’ll either complete the purchase in the Setup menu or in the assistant.

Only one SSL certificate for the domain

A domain can only have one SSL certificate. If your domain already has an SSL certificate in the Setup menu, and then e.g. you order a new certificate in the assistant, then the new certificate will overwrite the existing one.

3.1. With the assistant

Only OV and EV certificates (Sectigo) are ordered in the assistant. If you want to order a DV certificate (AlwaysOn und COMODO), then you need to do this in the Setup menu.

Why don’t I see the assistant?

OV and EV certificates are very new. They are currently being tested with a small group of select sellers. Do you want to order an OV or EV certificate? Then write to us in the forum! 

3.1.1. Completing the assistant

  1. Go to Setup » Assistants » Basic setup.

  2. Click on the SSL management assistant.
    → If you’ve already configured SSL certificates, then you’ll see them listed here.

  3. Click on an existing SSL certificate to open its settings. Or click on New configuration ().

  4. Complete each step of the assistant. Note Table 1.

  5. Once you’ve placed the order in the assistant, you’ll still need to complete the validation process with Sectigo.

Table 1. Steps of the SSL assistant
Step Explanation

SSL type

Choose the desired SSL certificate.

Contact data

Enter information about your company and about a contact person.

  • Contact person: this person must be authorised to complete the validation process, e.g. CIO or CEO.

  • Company contact: the company data must match the information in the commercial register.

Confirmation

Read a summary of the service options that you chose. By completing the assistant, you confirm that you want to book these paid services.

Summary

This step is purely informative.

3.1.2. Validation process after ordering

Once you’ve placed the order, you’ll receive a confirmation email (SSL Subscriber Agreement) from Sectigo. Follow the instructions in the email to complete the validation process.

Generally speaking, there are two ways to proceed:

  • Follow the link in the email. You will be forwarded to the Sectigo website. There, enter the "verification code" that you received in the email. Follow the rest of the steps on the screen. During the validation process, you will receive a phone call from Sectigo.

  • Download the documents listed in the email (Certificate Request Form & SSL Subscriber Agreement). Print the documents, sign them and send them back to Sectigo. During the validation process, you will receive a phone call from Sectigo.

It can take some time to complete all of the steps. Leave yourself enough time to sign the forms, send them back to Sectigo, receive a phone call from Sectigo and complete the validation process.

Are you authorised to complete the process?

The validation process must be completed by an authorised person, e.g. CIO or CEO. During the process, legally binding documents need to be signed by someone with signatory rights.

3.2. In the setup menu

Only DV certificates (AlwaysOn and COMODO) are ordered in the Setup menu. If you want to order an OV or EV certificate (Sectigo), then you need to do this in the assistant.

Ordering an SSL certificate in the Setup menu:

  1. Go to Setup » Client » Select client » SSL.
    → The domain’s certificates are displayed.

  2. In the row Order new SSL for domain: [domain name], click on the down arrow to the right.
    → The SSL certificates that are available for the domain are displayed.

  3. Check the available SSL certificates.

  4. Click on Order SSL certificate in the line of the SSL certificate that you want to book.
    → The SSL certificate is ordered.
    Note: It can take up to 2 hours for the SSL certificate to be activated.

  5. Delete the browser cache.

  6. Optional: Delete the DNS cache.

    1. Click the shortcut key Windows key + R.

    2. Enter CMD and press Enter.

    3. Enter the command ipconfig /flushdns.
      → The DNS cache is cleared.

When is the order complete?

The order process is only finished when the status in the backend says "Complete". Any messages that include the word "challenge…​" mean that the order is still being processed. Refer to the FAQ if the order status is stuck in "challengeSolved".

4. Renewing an SSL certificate

SSL certificates must be renewed, i.e. reordered, before they expire. Even if you already have an SSL certificate, you will still need to order a new certificate before it expires. You will need to select a certificate provider and duration every time you order an SSL certificate.

Checking the expiration date of an AlwaysOn or COMODO SSL certificate:

  1. Go to Setup » Client » Select client » SSL.
    → You will see a table with the domain’s certificates.

  2. The column Valid until shows you when the certificate expires.

5. Frequently Asked Questions (FAQ)

  1. Which domain should I order the SSL certificate for?

    1. You order the SSL certificate for your main domain, i.e. the domain that is listed as the primary domain in the menu Setup » Assistants » Basic setup » Domain assistant. If you want to set up an SSL certificate for a different domain, you will have to set this domain as your main domain first.

    2. You can continue to have a domain hosted externally and save the DNS settings with this external provider. However, the SSL certificate needs to be saved close to the system. This means that even if the domain is hosted externally, the actual encoding is done directly in the system after the domain forwarding via IP address is carried out. As such, it is not possible to use an external SSL certificate. The SSL certificate needs to be ordered from plentymarkets.

    3. You cannot order SSL certificates for cancelled domains, start-up domains and test domains, i.e. domains with names that contain plenty-testdrive.eu, plentymarkets-x1.com etc.

  2. What will happen if I change the primary domain?

    1. SSL certificates are linked to a domain. This means, for example, that if the main domain is changed, then the current certificate will be deactivated, because there is a new main domain without a certificate. Deactivated doesn’t mean deleted. If you switch the main domain back to whichever domain already had an SSL certificate, then it can be re-activated, assuming that the SSL certificate hasn’t expired.

  3. Can I take the SSL certificate with me if I move my domain?

    1. You cannot take an SSL certificate with you when moving your domain to plentymarkets. Due to technical limitations, it’s only possible to order within our public key infrastructure . This applies to both directions. It’s true when moving from external to plentymarkets or from plentymarkets to external. An SSL certificate that you booked with plentymarkets needs to be saved close to the system. Therefore, you cannot take it with you when moving your domain. It is not possible to export the certificate data (secret private key). It is also not possible to “transfer” an SSL certificate from one domain (ID) to another.

  4. Do I need a hostmaster mailbox?

    1. No, you do not need a hostmaster@yourDomain.tld mailbox to purchase an SSL certificate.

  5. Can wildcard SSL certificates be issued?

    1. No, so-called wildcard SSL certificates cannot be issued in our infrastructure.

  6. How long does it take for the AlwaysOn or COMODO SSL certificate to be activated?

    1. Once you’ve ordered a new certificate, it will need to be published during a regularly scheduled system process. This can take up to 120 minutes.

    2. In rare cases, the certification authority performs a quality control before they activate the SSL certificate. Therefore, check the confirmation message displayed on the screen. Normally, quality control takes up to 24 hours. If the status in the back end is not “Complete” after 24 hours, then contact the support team in the forum and specify which domain is affected.

  7. I ordered my AlwaysOn or COMODO certificate several hours ago, but my website still isn’t classified as secure. What can I do?

    1. Option 1: Once the order has received the status “Complete” in the back end, the local browser cache must be deleted in order to update the certificate.

    2. Option 2: There might be a problem with your domain’s availability and therefore the certificate cannot be issued correctly. You can check whether it’s possible to install LetsEncrypt for your domain on the following page: https://letsdebug.net/ 
      Validation method: HTTP-01. If an error message is displayed there, you can report it to us in the forum so that we can check the situation.

  8. I want to switch from COMODO to AlwaysOn. What should I keep in mind?

    1. If you order AlwaysOn while you already have an active SSL certificate from COMODO (aka RapidSSL), then the COMODO certificate will be replaced by the AlwaysOn certificate. The “old” certificate will not be deleted, but rather deactivated. The plenty-Core team  can re-activate the certificate, assuming it has not expired. The domain might be classified as "not secure" for a maximum of one hour if the AlwaysOn certificate was just ordered, since it needs to be requested, generated and installed after the order is placed. Once the order has received the status “Complete” in the back end, the local browser cache must be deleted in order to update the certificate.

  9. The order status is stuck in “challengeSolved”. How can I fix this problem?

    1. Check whether you’ve met all of the requirements for successfully ordering an SSL certificate. If you’ve met all of the requirements, but the status is still stuck in "challengeSolved", then contact the plenty-Core team in the forum .

To top