Causes and Handling Methods for Certificate Review Failures

SSL Certificates

Release Notes

Announcements

Price Change to DigiCert SSL Certificates

TrustAsia Root Certificate Update

Domain Validation Policy Update

SSL Certificate Service Console

Multi-Year SSL Certificate and Automatic Review

Notice on Stopping the Issuance of 2-Year SSL Certificates by CAs Starting from September 1, 2020

Announcement on Stop Using the Symantec SSL Certificate Name After 30 April 2020

Notice on Certificate Revocation Due to Private Key Compromises

Notice on Application Limits for DV SSL Certificates

Notice on Adjustment of Free SSL Certificates Policy

Let's Encrypt Root Certificate Expired on September 30, 2021

Product Introduction

Overview

Introduction to Tencent Cloud SSL Certificates

Strengths

Advantages of HTTPS

Browser Compatibility Test Report

Multi-Year SSL Certificate and Automatic Review Overview

SSL Certificate Security

SSL Certificate Data Security

Purchase Guide

Pricing

SSL Certificate Purchase Process

SSL Certificate Selection

SSL Certificates Supporting IP Address Binding

SSL Certificate Brands

Certificate Type Selection Cases

Paid SSL Certificates Renewal

SSL Certificate Renewal Process

Renewal Process for Paid SSL Certificates

Renewal Process for Free DV SSL Certificates

SSL Certificate Refund Process

Getting Started

Certificate Application

Information Submission Process for Paid SSL Certificates

Information Submission Process for Wotrus OV and EV SSL Certificates

Information Submission Process for SSL Certificates of Other Brands

Domain Ownership Validation

Domain Validation Method Selection

Automatic DNS Addition

DNS Validation

File Validation

Automatic DNS Validation

Automatic File Validation

Validation Result Troubleshooting Guide

Operation Guide

Domain Ownership Verification

Uploading Certificates

Secured Seal

CSR Management

Certificate Installation

Installing an SSL Certificate on a Tencent Cloud Service

Installing an SSL Certificate in CDN

Installation of International Standard Certificates

Installing an SSL Certificate on an Nginx Server

Installing an SSL Certificate on an Apache Server (Linux)

Installing an SSL Certificate on an Apache Server (Windows)

Installing an SSL Certificate (JKS Format) on a Tomcat Server (Linux)

Installing an SSL Certificate (JKS Format) on a Tomcat Server

Installing an SSL Certificate (PFX Format) on a Tomcat Server

Installing an SSL Certificate on a GlassFish Server

Installing an SSL Certificate on a JBoss Server

Installing an SSL Certificate on a Jetty Server

Installing an SSL Certificate on an IIS Server

Installing a Certificate on WebLogic Servers

Selecting an Installation Type for an SSL Certificate

Certificate Management

Instructions on SSL Certificate Auto-Renewal

Certificate Hosting

Uploading (Hosting) an SSL Certificate

Reminding Reviewers to Review an SSL Certificate Application

Revoking an SSL Certificate

Deleting an SSL Certificate

Reissuing an SSL Certificate

Ignoring SSL Certificate Notifications

Customizing SSL Certificate Expiration Notifications

API Documentation

Making API Requests

Certificate APIs

CSR APIs

Practical Tutorial

Automatic Solution for Implementing and Issuing Multi-Year Certificates and Binding Resources

Apple ATS Server Configuration

Quickly Applying for a Free SSL Certificate via DNSPod

Enabling Tencent Cloud DDNS and Installing Free Certificates for Synology NAS

Batch Applying for and Downloading Free Certificates Using Python-based API Calls

Profile Management

Adding Organization Profile

Adding Administrator

Adding Domain

Troubleshooting

Domain Validation Failed

Domain Security Review Failed

Website Inaccessible After an SSL Certificate is Deployed

404 Error After the SSL Certificate is Deployed on IIS

“Your Connection is Not Secure” is Displayed After the SSL Certificate is Installed

Message Indicating Parsing Failure Is Displayed When a Certificate Is Uploaded

Automatic DNS Validation Failed for a Domain Hosted with www.west.cn

Host Name Field Cannot Be Edited in IIS Manager When Type Is Set to https

Message Indicating Intermediate Certificates Missing in Chain Is Displayed When a Free SSL Certificate Is Deployed on IIS

FAQs

SSL Certificate Selection

How Do I Choose a Certificate?

What SSL Certificates Support IP Address Binding?

Can I Apply for an SSL Certificate Before Activating Website Services?

CAA Record

SSL Certificate Application

Quota of Free SSL Certificates

How to Fill In the Domains Bound to an SSL Certificate During the Application?

Wildcard SSL Certificates

Why Does the Order Status Not Changed After a Notification Email Is Received from a CA?

Can the TXT Records for Domain Name Resolution Configured in the Certificate Be Deleted?

What Is CSR?

How Do I Make a CSR File?

What Is Private Key Password?

Forgot Your Private Key Password?

Can an SSL Certificate Be Revoked?

What are the differences between RSA and ECC?

What Should I Do If the Console Prompts That "The Certificate Is Bound to Tencent Cloud Resources and Cannot Be Revoked" When I Submit an SSL Certificate Revocation Application?

What’s the Difference Between Certificate Reissue and Reapplication?

Which SSL Certificate Types Are Supported for Mini Programs?

SSL Certificate Management

What Should I Do If the Quick HTTPS Plan Will Expire Soon?

My Profile

How Do I View the Certificate Information?

SSL Certificate Installation

What Should I Do If the Host Name Field Is Uneditable in the IIS Manager?

How Do I Enable Port 443 for a Server?

Why Does the Website Prompt “Connection Is Untrusted"?

How Do I Install OpenSSL?

How Can I Set TLS Versions for SSL Certificates?

How Can I Combine an SSL Certificate Chain?

Can Tencent Cloud SSL Certificates Be Used for WebSocket?

How Do I Enable the IIS Service?

What Should I Do If I Am Prompted That HTTPS Is Not Secure After Reapplying for Deployment upon Expiration of the SSL Certificate?

SSL Certificate Region

Are There Any Region Restrictions on SSL Certificate Installation?

SSL Certificate Review

How Long Will the Certificate Review Takes?

Causes and Handling Methods for Certificate Review Failures

What Should I Do After Submitting the Order for Review for a Purchased Certificate?

How Do I View the Domain Validation Result of a DV SSL Certificate?

SSL Certificate Taking Effect

Is the Original SSL Certificate Still Valid After the Server IP Address Is Changed?

How Do I Check in a Browser Whether an SSL Certificate Has Taken Effect?

What Should I Do If GlobalSign Certificates Are Not Supported in Windows 7?

What Should I Do If the Issue of a Free SSL Certificate Takes Too Long or Failed?

SSL Certificate Billing and Purchase

Are DV Certificates Permanently Free?

SSL Certificate Validity Period

What Should I Do If an SSL Certificate Is About to Expire?

What Is the Impact If an SSL Certificate Is Not Renewed in Time After It Expires?

Viewing of SSL Certificate Expiration Time

Is an SSL Certificate Still Available After I Renew It?

Related Agreement

SSL Service Level Agreement

Glossary

DocumentationSSL CertificatesFAQsSSL Certificate ReviewCauses and Handling Methods for Certificate Review Failures

Causes and Handling Methods for Certificate Review Failures

Download PDF

Last updated: 2024-03-06 18:03:04

Causes and Handling Methods for Certificate Review Failures

Last updated: 2024-03-06 18:03:04

Download PDF

Causes and Handling Methods for Certificate Review Failures
This document describes the possible causes of and solutions for certificate review failures.
Verification file configuration error
Note: 
We recommend running the curl -k -v or wget -S command to verify whether the file URL is valid for both HTTPS and HTTP.
Causes:
If you chose file verification as the method for domain verification when submitting your SSL certificate order for review, the domain may fail the verification due to the following possible causes:
HTTPS access is enabled for some pages of the site. However, the verification file is deployed only under the HTTP service path, not under the HTTPS service path. As a result, the verification file will not be found when requested through HTTPS.
When the verification file is accessed, the site returns an error code.
CDN is enabled, but the verification file is not synchronized to CDN servers outside the Chinese mainland.
Solutions:
Deploy the verification file under the HTTP and HTTPS service paths, and confirm that it can be accessed through HTTPS. Alternatively, temporarily disable HTTPS for all of the website pages.
Confirm that the correct verification file content can be directly accessed through the verification file URL specified by the CA, instead of through redirection or other methods.
Note: 
Check whether the browser address has changed to determine whether you have been redirected.
Synchronize the verification file to CDN servers outside the Chinese mainland, or temporarily disable CDN acceleration outside the Chinese mainland.
Note: 
If modification operations cannot be performed on the CDN servers, we recommend using DNS verification for domain verification instead.
DNS configuration error
Causes
If you choose DNS verification as the method for domain verification when submitting your SSL certificate order for review, the review may fail due to the following possible causes:
The DNS resolution record value is configured incorrectly.
For non-existent host records, the domain name resolution services of certain service providers provide query return values that are not as expected. As a result, the CA determines that the return values are incorrect.
The DNS resolution record has timed out. After you submit your certificate order for review, you will have 3 calendar days to add the DNS resolution records, otherwise the review will fail.
The dynamic domain name resolution service is enabled. However, the corresponding TXT resolution record value has not been synchronized to the DNS servers outside the Chinese mainland in time.
Solutions
Configure the correct DNS host records and record values.
Ignore the error prompts related to domain name resolution configuration, configure DNS resolution records as required, and complete the domain verification.
Resubmit the certificate order for review and add the DNS resolution records within 3 calendar days.
Confirm that the dynamic resolution service works properly and ensure that it can resolve newly added TXT resolution records properly outside the Chinese mainland.
Note: 
If you change an existing TXT record value, the time when the changed value takes effect is determined by the TTL value. However, if you add a new TXT record value, the new value takes effect in seconds. Therefore, we recommend completing the domain verification by adding a TXT record value and deleting the TXT resolution record after the domain name passes verification.
Empty or invalid company phone number
For OV and EV SSL certificates, if you leave the company phone number field empty or set it to an invalid phone number when submitting the certificate order for review, the review will fail.
Causes
For OV and EV SSL certificates, the company phone number field is required. If it is left empty or set to an invalid value, you need to reset it.
Solutions
Enter the correct company phone number by which you can be contacted for verification by the CA.
CSR file already used in other orders
Causes
To ensure certificate key security, CSR information that has been used in earlier orders cannot be reused in new orders.
Solutions
If you have used a CSR file in a successfully submitted order before, generate a new CSR file for each subsequent order. This ensures that each SSL certificate has a unique key pair, ensuring the security of your SSL certificates.
Incorrect format of the domain name bound with the certificate
Causes
A valid domain name can be up to 64 characters in length and contain only letters, digits, and hyphens (-).
Solutions
Check that the domain name information in the CSR file and order is correct.
Empty or incorrect primary domain name
Causes
The Common Name field is empty or not correctly set when the CSR file is created.
Note: 
The Common Name field must be set to one of the bound domain names.
Solutions
We recommend using the online CSR file generation feature provided by the system.
Domain name security review failure
When you apply for an SSL certificate, you may receive a review failure message.
The message content is similar to the following:
The domain did not pass the CA security verification. Domain certificate application failed. Please purchase an OV or EV certificate. You can also try to apply for a certificate using another domain.
Causes
Due to CA's anti-phishing mechanism, sensitive words contained in domain names, such as "bank" and "pay", can cause security review failure. Some less commonly used root domain names may also result in review failure. For example, root domain names suffixed with .pw, such as www.qq.pw and www.qcloud.pw, will not pass the review.
The following are sensitive words that may cause domain names to fail the security review. They are only examples, and the specific sensitive words are defined by CA.
Private/Public IP
Host name
live (excluding the .live top-level domain name)
bank
banc
alpha
test
example
credit
pw (excluding the .pw top-level domain name)
apple
ebay
trust
root
amazon
android
visa
google
discover
financial
wordpress
pal
hp
lv
free
scp
﻿
﻿
Solutions
We recommend changing the host name in the domain name and trying to submit the order again. If the problem persists after you change the host name several times, we recommend that you choose a paid certificate product or use a different primary domain name to apply for a certificate.
Note: 
Because DV SSL certificates are quickly issued through automatic authentication without manual intervention, we use stringent sensitive words filters to set the verification standard.

Was this page helpful?

You can also Contact Sales or Submit a Ticket for help.

Yes

Private/Public IP	Host name	live (excluding the .live top-level domain name)	bank
banc	alpha	test	example
credit	pw (excluding the .pw top-level domain name)	apple	ebay
trust	root	amazon	android
visa	google	discover	financial
wordpress	pal	hp	lv
free	scp

tencent cloud

New User Offers

Next-Generation CDN：EdgeOne

Elasticsearch Service free trial

Free Tier

Tencent Cloud Startup Program

Special Offers

Lighthouse Special Offers

Cloud Object Storage Special Offers

Featured Products

New Products

Education

Tencent Cloud Online Education Solutions

Gaming

Gaming Solution

Game Media Solutions

E-commerce

E-commerce retail solutions

Audio & Video

Audio/Video Solution

LVB Recording Solution

Interactive Classroom Solution

Interactive Live Streaming Solution

Audio Chat Social Networking Solution

Financial Services

Financial Services Solution

Compute

Cloud Virtual Machine

Auto Scaling

Batch Compute

CVM Dedicated Host

Database

TencentDB for MySQL

TencentDB for Redis®

TencentDB for CTSDB

TDSQL for MySQL

Data Transfer Service

TencentDB for MongoDB

TencentDB for PostgreSQL

TencentDB for SQL Server

Video Service

Cloud Streaming Services

Video on Demand

Media Processing Service

Cloud Application Rendering

Cloud Contact Center

Game Multimedia Engine

Chat

Real-time Communication

Tencent Effect SDK

AI and Machine Learning

Image Creation Large Model

Face Fusion

eKYC

Optical Character Recognition

Video Creation Large Model

Industry Applications

Tencent HealthCare Omics Platform

Container and Middleware

TDMQ for CKafka

Serverless Cloud Function

Tencent Kubernetes Engine

Tencent Kubernetes Engine for Serverless

Networking

Cloud Load Balancer

Virtual Private Cloud

Direct Connect

Cloud Connect Network

NAT Gateway

VPN Connection

Bandwidth Package

Anycast Internet Acceleration

Elastic Network Interface

Flow Logs

Global Application Acceleration Platform

Security

Captcha

Cloud Workload Protection Platform

Data Security Governance Center

Key Management Service