Sometimes, you may face cases where the certificate application gets rejected and, as a result, the certificate cannot be issued. In this article we will explain what should be done if your certificate got rejected and how the certificate rejection can be avoided.
The certificate can be rejected in two ways:
- by a Certificate Authority;
- by the certificate approver via the domain control validation email.
Let us review both in detail and find out what to do if the certificate got rejected.
Certificates rejected by a Certificate Authority
Sometimes, the COMODO Certificate Authority (now Sectigo) rejects orders after submission. You may activate the certificate, complete domain control validation, but the certificate never arrives, and it appears that COMODO (now Sectigo) rejected it.
The reason is that brand validation failed for the order.
Brand Validation is the process where a submitted SSL order is set for a manual review by the CA Validation team who needs to check some additional details regarding it. The most frequent reasons for brand validation are the following:
- The domain name or company provided in the CSR code includes some famous brand names, like Twitter, YouTube, Google, Amazon, etc. COMODO (now Sectigo) should check whether the website the certificate is going to be issued for is in any way related to the brand. Still, in most cases, such orders are rejected.
- The certificate Common Name contains or resembles a famous brand name connected to financial transactions, for instance, PayPal. Such websites are to undergo a thorough check since such domains might be used for phishing purposes.
- The domain submitted for the certificate includes the name of a country banned by the Certificate Authority. For example, if your domain contains “iran” in it, even if your website has nothing to do with Iran, the certificate will most likely be rejected by the COMODO CA (now Sectigo CA).
- The domain name contains some keywords related to e-commerce, financial or governmental institutions (for instance, “commerce”, “money”, “bank”) that trigger the automatic filters on the CA side to flag the order for additional checks. In this case, the Certificate Authority may need to check whether the certificate is really intended for the proper institution (bank), and may even need to perform a callback with a full-time employee of this institution.
- The Common Name contains the domain for which the Certificate Authority cannot issue the certificate due to an agreement with some other company. For example, COMODO (now Sectigo) cannot issue a certificate for subdomains of the cloudapp.net domain since it is reserved for the Microsoft Azure cloud service.
- The order was caught by COMODO (now Sectigo) automatic validation filters due to some other patterns in the common name that are considered related to phishing sites. For instance, COMODO rejects the certificates for the domain names starting with “com-” (like com-example.com), as creating a particular subdomain for it might be used for phishing purposes (e.g., paypal.com-example.com).
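A pre-submission check for the triggers listed above, as an added example that is not code from the Certificate Authority or from this article's author. The term lists contain only the examples named in this article and are assumptions for illustration; the CA's real filter lists are not published.

```python
# Added example: check a certificate Common Name against the review triggers
# described in this article before submitting the CSR.
# Assumption: the lists below hold only the examples the article names.
BRANDS = ("twitter", "youtube", "google", "amazon", "paypal")
COUNTRY_TERMS = ("iran",)
KEYWORDS = ("commerce", "money", "bank")
RESERVED_PARENTS = ("cloudapp.net",)


def review_triggers(common_name):
    """Return the reasons a Common Name may be flagged for manual review."""
    name = common_name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]  # a wildcard prefix is not part of the registered name
    labels = name.split(".")
    reasons = []
    # Substring matching is deliberate: the article notes that a name is
    # flagged even when the term is only embedded in an unrelated word.
    for term in BRANDS:
        if term in name:
            reasons.append("brand name: " + term)
    for term in COUNTRY_TERMS:
        if term in name:
            reasons.append("banned country term: " + term)
    for term in KEYWORDS:
        if term in name:
            reasons.append("sensitive keyword: " + term)
    # Only subdomains of a reserved parent are affected, not other names.
    for parent in RESERVED_PARENTS:
        if name.endswith("." + parent):
            reasons.append("subdomain of reserved domain: " + parent)
    # A label starting with "com-" allows look-alike hosts such as
    # paypal.com-example.com, so it is checked per label.
    if any(label.startswith("com-") for label in labels):
        reasons.append("label starts with 'com-'")
    return reasons


if __name__ == "__main__":
    # Constructed sample names, not taken from real orders.
    for cn in ("example.org", "miranda.example", "*.riverbank.example",
               "myshop.cloudapp.net", "paypal.com-example.com"):
        print(cn, "->", review_triggers(cn) or "no known trigger")
```

An empty result only means that none of the article's examples matched; the CA may still flag the order for other reasons.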
As a rule, if the certificate is set for review, after pasting the validation code into the corresponding field from the link you received in the approver email, you will see the message that the domain ownership has been successfully approved; however, the Certificate Authority needs to conduct some additional checks regarding the order. Unfortunately, there will be no such message during any step of the certificate issuance if you selected “Upload a file” as a validation method.
Unfortunately, COMODO CA (now Sectigo CA) rarely contacts end users about the orders that are stuck for review. Brand Validation orders are reviewed by the COMODO validation team, and it is they who decide whether to reject or approve a request.
Certificates set for brand validation are monitored by our team on a daily basis, and we are keeping in touch with the COMODO (now Sectigo) validation team, asking them to expedite the issuance of the certificates flagged for manual review.
What to do if the CA rejected the certificate?
Since the certificate has not been issued yet, the refund is applicable for it provided that the order is within the refund grace period (the order was placed with us less than 90 days ago). Our support team monitors such rejected certificates every day and if we spot one, we will contact you via the email associated with your account. If a COMODO (now Sectigo) certificate gets rejected, we are refunding the order to account funds so that you can repurchase a new certificate and retry activation with the new details or for a new common name.
If you know that your certificate is rejected or simply wonder why the certificate status is not changing or why the certificate is not sent to you after it was approved, do not hesitate to submit a ticket with us here or click on a blue bubble icon in the lower right corner of the page to start a Live Chat conversation with one of our agents. Our support team will be glad to give you any advice or assist with the refund.
There can be, however, more extraordinary situations. For instance, the certificate reissue was rejected by the Certificate Authority, though the original certificate application was processed smoothly. That can happen because, during reissue, the details in the CSR or contact information were changed to those that are not suitable for the Certificate Authority, and that set the certificate for brand validation. Or, a Certificate Authority may implement some new policy regarding some brand-related domains or countries, which may affect the successful completion of the reissue.
In this case, please contact our support team via a ticket. We will surely try finding an appropriate solution for you.
If your Domain Validation certificate was rejected due to the presence of brand names in the domain name or company information, you can consider purchasing an Organization or Extended Validation SSL. Though these certificates require paperwork and have a stricter process of verification, COMODO (now Sectigo) will be able to establish whether or not there is any relation to the brand in question.
Certificates rejected by the approver
Before issuing a certificate for any domain, Certificate Authorities should verify that the certificate applicant has domain ownership rights and controls the domain. One of the possible ways to complete DCV is by receiving an email to the approver email boxes chosen during the certificate activation.
In the DCV email, there are two options available for customers: either approve the certificate issuance or reject it. Both options are present in the email from COMODO (now Sectigo).
Note: We strongly recommend that you do not reject your certificates via domain control validation emails as it will make the order not usable anymore. If you have any uncertainties or need to change some information, please contact our support team for advice. We will find the best and fastest solution for you.
If the certificate was rejected via the DCV email after the certificate activation, please contact our support team so that we can advise you on the case. The course of actions that can be applied is the same as for the application rejected by the Certificate Authority.
Provided that the certificate is within the refund grace period, we will be able to issue a refund for the certificate to your account funds.
We are also doing our best to monitor COMODO (now Sectigo) certificates that were rejected via DCV and send out corresponding notifications.
Note: The actions described above are applicable only if the certificate was rejected after the original activation (not a reissue) and the certificate does not have any parent certificate IDs.
If a certificate is rejected by the Certificate Approver during reissue for the same common name, it does not mean that the whole order gets rejected. The previous certificate(s) from this order remain(s) valid. However, you will not be able to make a reissue of this certificate anymore.
Meanwhile, if during the certificate reissue the certificate common name was changed and this reissue was rejected in the DCV email, the original certificate will be revoked as soon as you submit the reissue request.
Additionally, general refund rules apply for this certificate. If the reissue was rejected within 15 days after the original certificate was issued and within 90 days after it was purchased, we can issue the refund for it. Unfortunately, there is little our support team can do in this case. Please choose wisely whether you want to reject your certificate via Domain Control Validation.
Even if the certificate reissue was rejected, please contact our support team so that we can find some reasonable solution for you. Our support team is available 24/7.