OpenSRS: Reseller Friendly since 1999
 

Trust Service FAQ

Below are some of the most frequently asked questions about Trust Service. If you have additional questions not answered here, you can always ask a question in our forums or contact our support staff, available 24 hours a day, 7 days a week.

SSL Certificates | | Website Security | | Privacy

SSL Certificates Overview

Using SSL Certificates

Selling SSL

SSL Certificates Overview

What is SSL?

SSL is an acronym for "Secure Sockets Layer" and is a method for establishing a secure, encrypted link between two different systems such as a web browser and a web server.

What do SSL Certificates provide?

SSL Certificates provide two important roles for systems that use them:

  1. SSL certificates provide security by encrypting the data between the browser and the web server.

    Data encryption is critical for financial transactions or other situations where websites are requesting sensitive data from visitors. Many web users will not have confidence that their interactions with the website is secure and encrypted, unless they see the lock icon which provides a visual cue that an SSL certificate has been used to protect data.
  2. SSL certificates provide identity verification, through domain and organization validation. Only the verified owner of a domain name may purchase an SSL certificate for that domain. For Organization validated SSL certificates, only verified, approved representatives of the organization are permitted to purchase an SSL certificate for domains in use by the organization.

    Extended Validation (EV) certificates take identity validation even further. Sites with an EV SSL certificate will cause the address bar on the web browser to turn green. Users are able to view information about the website that will help them to confirm that they are dealing with who they believe they are dealing with.

Both applications of SSL Certificates are important for building a trust relationship with end-users that is required before they will pass along personal, or financial information to websites or online service providers.

How does SSL work?

In the case of web browsers surfing secure web sites, SSL communication starts with the web browser requesting the digital certificate from the web server. The certificate contains the hostname of the web server, an expiration date of the certificate, the public key of the web server, and is signed by a Certificate Authority. The web browser can validate all of these pieces of information except for the public key of the web server. If all of the verifiable components pass validation, the web browser will generate its own public key and send it back to the web server. When the web browser's public key is sent back to the web server as a response, it uses the web server's public key, which was contained within the certificate, to encrypt the browser's public key being sent. Now both the web server and web browser will be able to communicate with each using secure, encrypted communications because they have exchanged each of their public keys.

What is a Wildcard certificate?

A wildcard SSL Certificate helps enable SSL encryption on multiple sub-domains using a single certificate as long as the domains are controlled by the same organization and share the same second-level domain name. For example, a Wildcard certificate issued to Company ABC using the Common Name ("*.CompanyABC.com") may be used to secure subdomains like login.companyabc.com, payment.companyabc.com and support.companyabc.com.

What are Site Seals?

Site Seals are static or dynamic images that can be placed on SSL secured websites that allows visitors to tell at a glance that they can trust who they are dealing with, that the online site is validated and that they can transact safely and securely. Each of the three brands of SSL Certificates offer different site seals:

  • Norton Secured seal, powered by VeriSign, is available with all Symantec-branded SSL certificates for installation on pages secured with a Symantec SSL Certificate. Customers not only see the trust mark, they can click the seal and verify the site in real time. More than any other trust mark, 79% of U.S. online shoppers are familiar with the Norton Secured seal.
  • GeoTrust True Site Seal is available with every GeoTrust SSL Certificate and shows web site visitors that their information is protected. The GeoTrust True Site Seal can be added to home pages, buy pages, log-ins or any other page on your authenticated site where visitors need to verify a web site. Depending on the certificate, True Site Seals are either dynamic or static and may contain further information about the identity of the certificate owner.
  • thawte Trusted Site Seal is a dynamic image appearing on websites secured with thawte SSL certificates allowing visitors to tell at a glance that they can trust the site, that the online site is validated and that they can transact safely and securely.

How does an SSL Certificate create trust in visitors to websites?

Security is a concern for many people who use the Internet. People on the Internet also recognize that websites that use digital certificates are ones that are more secure and trustworthy. Digital certificates give users confidence that their data is protected and they have a reduced risk of their information being divulged beyond the organization they are dealing with.


In addition to having a digital certificate, the Certificate Authorities that OpenSRS uses all offer Trust Seals which allow an image seal to be placed on the website itself. The banner links through to a trusted external organization that further validates the trustworthiness of the website.

What are Dynamic vs. Static Site Seals?

A Dynamic Seal is dynamic image displayed on a website that shows the current time and date of when the web page was loaded which indicates that the seal is valid for the domain it is installed on and is current and not expired. When the image is clicked, it will display information from the Certificate Authority about the website's profile which validates the web site's legitimacy. This will give visitors of the website increased confidence in the site's security.

A Static Seal is simply an static graphic image that can be placed on the website to indicate where the digital certificate was obtained from, however there is no click-through validation of the website and the image does not show the current time and date.

What is a Root Certificate Authority?

A Root Certificate Authority is the highest level of digital certificate within the trust relationship of certificates. Web browsers, and other applications which use digital certificates, have a limited set of Root Certificates from organizations that have been recognized as Root Certificate Authorities. All certificates they create will include a link back to their Root Certificate so web browsers will understand that the certificate is valid and can be trusted.

Most applications that use digital certificates, such s web browsers, will have a list of the official Certificate Authorities so they are aware they are legitimate and trusted. Certificate Authorities who are not in this list will cause the application to display warnings that the Certificate Authority is unknown, and may also suggest there are security issues associated with unknown Certificate Authorities.

What is a public/private key pair?

Public and Private keys are a pair of unique codes used to encrypt data sent another computer. When a computer wishes to speak securely with another computer, it sends its Public Key to the other computer. This Public Key can be used by the second computer to encrypt information sent back to the first computer.

Using SSL Certificates Back to top

What are practical applications for SSL Certificates?

The perception of SSL Certificates is that they are primarily used to secure the transmission of financial information in ecommerce. But with identity theft on the rise and more and more businesses opening up their networks via the Internet, protecting all types of personally identifiable information (social security numbers, login information, etc.) and key business information is important. SSL Certificates can be used to secure the following:

  • Web servers
  • Mail servers
  • Web forums
  • Blogging platforms
  • Control panels
  • Corporate intra- and extranets
  • Wikis
  • VPNs
  • Customer portals
  • and more!

How can certificates be used to secure additional services other than web servers?

Digital certificates are a method to encrypt communications between two programs, and although they are most commonly used for secure web surfing they can be used for an unlimited number of communications including:

  • Email
  • Instant messaging or other communications protocols
  • FTP servers

What are the Validation methods performed?

There are three methods of validation performed:

  1. Domain-validated certificates: Only the verified owner of the domain name can purchase an SSL certificate for the domain. Validation is done via email sent to the domain owner. Domain validated SSL certificates can be issued very quickly - often in minutes.
  2. Organization-validated certificates: When corporate identity validation is important, an SSL Certificate for the organization assures customers that the website is trustworthy and secure. Only verified representatives of the organization may purchase these certificates and business licences or other proof is required. The Certificate Authority will verify through phone call to ensure that the certificate request is legitimate.
  3. Extended Validation (EV) certificates: With Extended Validation, as well as displaying the certificate seal, the address bar is displayed in green, providing customers with an extra level of confidence. The green address bar is a strong visual indication that the site has an Extended Validation Certificate. The Security Status bar displays the organization name and the name of the Certificate Authority (CA).

    In order to be approved for an Extended Validation certificate, the certificate authority will actively check the Organization and the individual applying for the certificate. This is to verify that the Organization is positively the Organization they claim to be, and the individual requesting the certificate is someone who is authorized to request a digital certificate. Extended Validation may take as long as one week to complete.

What benefit is there to purchasing a digital certificate with higher assurance?

All certificates ensure that the information transmitted is encrypted and secure, but Extended Validation certificates have additional validation of the organization requesting the certificate. This is indicated in web browsers by turning the address bar green, as well as displaying the organization name contained within the certificate. Users visiting a web site with this level of validation will have a higher amount of confidence in conducting transactions with that site.

How many domain names does a certificate secure?

Certificates will only secure one domain name, and depending on the type of cert you obtain, it will be valid for only one hostname beneath that domain name. (ie: only www.example.com and not subdomain.example.com)

Wildcard certificates are valid for an unlimited amount of hostnames beneath a single domain name. With Wildcard certificates, the computers using mail.example.com, smtp.example.com, www.example.com as well as any other host based on example.com domain will all be able to use the same certificate.

What does the green address bar indicate? How does this provide value to those who purchase digital certificates from me?

Web sites using an Extended Validation certificate will cause web browsers to change the address bar to a green colour and also display the name of the Organization the certificate was issued to. Certificate Authorities will only grant Extended Validation certificates to organizations after the Certificate Authority verifies that the genuine organization is requesting the certificate.

The green address bar gives assurance to visitors of the web site that they are definitely visiting a web site run by the organization they should be dealing with, rather than a fraudulent site posing as that organization.

What are the security and flexibility aspects of digital certificates sold by OpenSRS?

There are a number of reasons digital certificates sold by OpenSRS are a great choice, including:

  • Certificates sold through OpenSRS are compatible with all current web browsers (mobile or desktop) and web servers they will be used with. Their use is not limited to just web servers as they can be used to secure communications with other protocols such as SMTP, IMAP, POP and many more.
  • There are a variety of certificates at different prices to suit your particular needs and budget.
  • Certificate purchasing is supported by our excellent OpenSRS Support and Sales staff.
  • OpenSRS uses Certificate Authorities who are leaders in the digital certificate industry.

How does a Wildcard SSL Certificate Work?

Most types of digital certificates will only secure a computer under a single hostname (ie: www.example.com), but Wildcard certificates will secure an unlimited number of different hostnames beneath a single domain name. (ie: subdomain.example.com) If you have a large number of servers under a domain name with a variety of hostnames, or you need the flexibility of not being confined to a single hostname, a Wildcard certificate is an excellent option for flexibility, management. It eliminates the need for multiple individual certificate orders for multiple hostnames.

Selling SSL

How much do certificates cost?

Each type of certificate has a different cost associated with it depending on the level of validation, the site seal provided with the certificate and any additional features included like malware scanning. Please see our pricing page to see the current costs for each certificate.

Why should I consider selling SSL certificates to my customers?

There are several reasons people who run websites that exchange sensitive or confidential information over the Internet should use a digital certificate.

Certificates ensure that information exchanged between your customers' servers and their users will be securely transmitted over the Internet.

A portion of your customers' users, or potential customers, will not engage in transactions with them if they recognize that a certificate does not secure the communication. Many end-users will need to see their web browser address bar turn green or a lock icon appear before they will provide information to, or complete a transaction with a website or online business.

What are the various ways I can sell certificates?

OpenSRS provides two separate ways to sell certificates:

  1. Web Interface - Information needed to generate the certificate can be entered into a web page and submitted to the Certificate Authority. The resulting certificate will be emailed to the customer when approved.
  2. API - Certificate orders can be placed through an XML-based API directly to our servers. This allows you to create orders through web pages on your website, and the orders will be submitted to our system immediately. Errors with the order are also communicated back through the API, which will help in having your customers correct and finalize their orders.

Can I get a certificate if I'm an Individual and not an Organization?

Some certificates are available to individuals or groups that are not officially an Organization, however some of the higher certificates involve organization validation by the Certificate Authority in order to complete the sale. With those certificates you must be an organization that is registered and is able to be verified.

Why would I purchase digital certificates through OpenSRS rather than directly from a Certificate Authority?

Using OpenSRS to sell digital certificates has a number of advantages including:

  • Access to multiple Certificate Authorities.
  • Better prices for digital certificates due to high volume of orders to our suppliers.
  • Offer a diverse number of digital certificates at different prices allowing the best option for your customer's needs.

SiteLock Website Security Overview

SiteLock Website Security Overview

What is SiteLock and what does it do?

SiteLock is a service that performs daily scans of a website to identify vulnerabilities and protect against threats like viruses, cross-site scripting, SQL injection and even email blacklisting.

The SiteLock™ Trust Seal provides customer confidence and increases your sales and conversions.

What types of problems does SiteLock scan for?

SiteLock performs a Deep 360 Scan that encompasses:

  • Reputation monitoring: ensures the reputation of the website is intact and communication to visitors and customers is uninterrupted.
  • Malware blacklist: monitors search engine and proprietary malware lists to make sure the site is not blocked by search engines and browsers.
  • Spam blacklist: ensures that e-mails reach customers' inbox (not their Spam folder), SiteLock verifies e-mail addresses, domains, and email servers against lists used by popular email tools to identify spam.
  • SSL Verification: ensures users do not see a certificate warning or error when visiting your site.
  • Network security: validates the security of the network by making sure there is no opportunity for hackers to access the server.
  • Drive-by-downloads: scans the website to ensure visitors are not being infected with viruses often placed on websites by hackers.
  • Customer data protection (SQL & XSS): performs forward- and backward-looking scans to make sure current and future visitor/customer data on the site is secure.
  • Application security: verifies that any 3rd-party applications installed on your website are secure and up-to-date.
  • Business Verification: certifies the validity of the business and provides a certification badge to display to website visitors to let them know the business or website is legitimate.
  • Domain ownership: ensures that the domain owner is in control of the website domain.
  • Postal Address: verifies that the site owner can receive and respond to postal mail, such as customer payments or inquiries.
  • Phone Verification: ensures that there is a phone number where customers can report issues or request additional products or services.

How is SiteLock billed?

SiteLock is a subscription service billed for in advance and available in one-year terms.

How does SiteLock notify customers when it finds an issue?

SiteLock will inform the site owner by email, and with an alert in the SiteLock Dashboard. The report will provide complete information about the issue that is found along with help to remove it.

What happens if SiteLock finds a vulnerability? Will the SiteLock seal tell visitors that a website has failed?

Site visitors will not be alerted to any problem. The SiteLock seal will simply continue to display the date of the last good scan of the website site. If the site owner fails to rectify the problem, within a few days SiteLock will remove the seal from the site and replace it with a single pixel transparent image. At no point will SiteLock display any indication to visitors that a website has failed a scan.

Does SiteLock work with any hosting company, server and software?

Yes.

Will SiteLock impact website performance?

No. SiteLock scans won't impact the performance of a website. The SiteLock seal has no impact on load times.

How do I install the SiteLock seal?

Users simply include the JavaScript snippet that SiteLock provides in the footer area of their site or template.

Where do my customers manage their SiteLock service?

They can manage SiteLock either through the white-label DomainAdmin.com interface that OpenSRS provides, or you can build the SiteLock dashboard interface into your own control panel.

Can a SiteLock service subscription be upgraded?

Yes. Customers can upgrade from SiteLock Basic to SiteLock Premium or SiteLock SMB Enterprise, or from SiteLock Premium to SiteLock SMB Enterprise. Downgrades are not possible. When a subscription is upgraded, the expiry date for the subscription is reset to one year from when the order is submitted.

GeoTrust Web Site Anti-Malware Scan Overview

GeoTrust Web Site Anti-Malware Scan Overview

What is GeoTrust Web Site Anti-Malware Scan and what does it do?

GeoTrust Web Site Anti-Malware Scan is a service that scans websites to detect malware and other threats that may have been installed on the site.

The GeoTrust Web Site Anti-Malware Scan Seal displayed on the web site indicates to visitors that the site is free from malware and provides customer confidence and increases sales and conversions.

What types of problems does GeoTrust Web Site Anti-Malware Scan detect?

GeoTrust Web Site Anti-Malware Scan detects known malware and malicious scripts. Through it's advanced detection system, it can also identify new threats that may not be widely known.

How is GeoTrust Web Site Anti-Malware Scan billed?

GeoTrust Web Site Anti-Malware Scan is billed on a yearly basis, in advance.

How does GeoTrust Web Site Anti-Malware Scan notify customers when it finds an issue?

GeoTrust Web Site Anti-Malware Scan will notify your customers by email that it has detected a problem. The customer will be instructed to log into the GeoTrust Web Site Anti-Malware portal to get further details and information to help them remove the malware from their web site.

What happens if GeoTrust Web Site Anti-Malware Scan finds a vulnerability? Will the GeoTrust Web Site Anti-Malware Scan seal tell visitors that a website has failed?

In the event that malware is detected, the GeoTrust Web Site Anti-Malware Scan Seal will simply disappear from the affected web site. There is no indication given that the site has failed a scan, and there is no "failed" version of the seal.

Does GeoTrust Web Site Anti-Malware Scan work with any hosting company, server and software?

GeoTrust Web Site Anti-Malware Scan works with any hosting company, and server. It will scan for malware regardless of the content management system or programming language being used.

How is the GeoTrust Web Site Anti-Malware Scan Seal installed?

After the initial scan is completed, customers will receive an email with login details to the GeoTrust Web Site Anti-Malware portal where they are able to get the javascript code snippit to install the seal on their website. The seal works in a similar fashion to other embeddable widgets and seals.

Where do my customers manage their GeoTrust Web Site Anti-Malware Scan service?

GeoTrust Web Site Anti-Malware Scan customers manage the service through a portal provided by GeoTrust. There is no management portal provided by OpenSRS and login credentials and emails are handled completely by GeoTrust.

Is a GeoTrust SSL certificate required? Can the service be used on sites secured by SSL certificates from other providers?

GeoTrust Web Site Anti-Malware Scan does not require an SSL certificate to be installed. If the web site is also secured with an SSL certificate, it doesn't matter who the SSL provider is.

TRUSTe Privacy Policy Overview

Selling and Using TRUSTe Privacy Policy

TRUSTe Privacy Policy Overview

Who is TRUSTe?

TRUSTe, founded in 1997, is the leading online privacy solutions provider. The company offers a broad suite of privacy services to help businesses build trust and increase engagement across all of their online channels including websites, mobile applications, advertising, cloud services, business analytics and email marketing.

Over 4,000 web properties including those from top companies like Apple, AT&T, Disney, eBay, Facebook, HP, Microsoft, Nationwide and Yelp rely on TRUSTe to ensure compliance with evolving and complex privacy requirements.

Based upon the comprehensive privacy model of “Truth in Privacy,” which is laid on a foundation of transparency, choice and accountability regarding the collection and use of personal information, TRUSTe’s privacy seal is recognized and trusted by millions of consumers as a sign of responsible privacy practices.

What does TRUSTe Privacy Policy service do?

The TRUSTe Privacy Policy service provides a wizard-based system that helps users create a valid, understandable privacy policy that properly reflects the practices used in collecting and sharing information about visitors and/or customers.

TRUSTe Privacy Policy with Seal includes an initial scan and certification, along with a seal that displays when TRUSTe certifies a web site's Privacy Policy. TRUSTe performs additional periodic scans to help preserve consistency between the privacy policy and practices.

What's the difference between TRUSTe Privacy Policy and TRUSTe Privacy Policy with Seal?

The Privacy Policy with Seal includes both a verification scan to ensure accuracy and completeness in the privacy policy, as well as a Certified Privacy seal that can be displayed on the website. The TRUSTe Privacy service doesn't include a verification scan and therefore, doesn't provide the ability to display the Certified Privacy seal. The Privacy Policy wizard is the same in both cases.

In which countries can the TRUSTe Privacy Policy be used or sold?

TRUSTe Privacy Policy is available to customers in the following countries:

  • Australia
  • Austria
  • Belgium
  • Bulgaria
  • Canada
  • Cyprus
  • Czech Republic
  • Denmark
  • Estonia
  • Finland
  • France
  • Germany
  • Greece
  • Hungry
  • Iceland
  • Italy
  • Latvia
  • Liechtenstein
  • Lithuania
  • Luxembourg
  • Malta
  • New Zealand
  • Norway
  • Poland
  • Portugal
  • Republic of Ireland
  • Romania
  • Singapore
  • Slovakia
  • Slovenia
  • Sweden
  • Switzerland
  • The Netherlands
  • United Kingdom
  • United States

Selling TRUSTe Privacy Policy

Why wouldn't my customers just write their own privacy policy?

Consumer confidence in how their privacy is protected is key to online business. When TRUSTe certifies a Web site, customers get over a decade of expertise in the issues that matter most in online privacy.

Does TRUSTe check to see if the Privacy Policy is correct?

Yes, in the case of the TRUSTe Privacy Policy with Seal. TRUSTe performs a series of checks (both automated and manual) to ensure that the privacy policy is accurate. TRUSTe will often suggest changes to the generated Privacy Policy based on what it finds during these verification checks. It may take up to two days to complete this verification.

For TRUSTe Privacy Policy (without seal), it's up to the user to input correct information during the creation of the policy. TRUSTe's wizard provides an easy-to-use wizard that helps ensure that the generated policy is accurate. In this case, the policy is provided immediately.

Why does the verification take up to two days?

TRUSTe performs a series of automated and manual scans and checks to ensure that the privacy policy is accurate. This process can take as long as a couple of days, but ensures that the TRUSTe Policy is accurate, and allows the display of the TRUSTe Certified Privacy.

How does the Seal or link to the Privacy Policy get added to a website?

For the TRUSTe Privacy Policy (without seal), TRUSTe provides HTML code that links to the privacy policy (hosted by TRUSTe). For users of the TRUSTe Privacy Policy with Seal, TRUSTe provides a JavaScript code snippet that displays the TRUSTe Certified Privacy seal which includes a link to information about the user's company and to the hosted privacy policy.

What happens if changes are required to the Privacy Policy?

No problem. Usrs can simply log in and make any required changes. This can be done at any time, and users can make as many changes as required over the length of the TRUSTe subscription.

Who takes responsibility for creating and maintaining the TRUSTe Privacy Policy?

TRUSTe provides Program Requirements that outline user responsibilities. Those requirements can be found at http://www.truste.com/privacy-program-requirements/index.html

Where do my customers manage their TRUSTe service?

They can manage TRUSTe either through the white-label DomainAdmin.com interface that OpenSRS provides, or you can build the TRUSTe dashboard interface into your own control panel.

Become a Reseller

Sign Up Now
Join the Forums

Do you have something to share? Need help implementing the OpenSRS API? Have a question that isn't covered by our documentation? Just starting out and want to learn from somebody who's been there, and done that?

Interact with other Resellers and OpenSRS staff in the OpenSRS Forums.

Go to forums 
API Toolkits Make it Easy

Choose the web-based control panel, our easy to deploy and configure fully-hosted Storefront or integrate completely with the powerful OpenSRS API. Get started selling with OpenSRS your way.

Learn More