gTLD SSL Requirements

Table of Contents

1. Authentication and available certificates
2. Minumum SSL requirements
3. Production server SSL requirements
4. How to generate an SSL certificate
5. Rolling SSL certificate procedure

Authentication and Available Certificates

The server requires dual SSL authentication, thus a certificate is required (X509).
The certificate can be either self signed or verified by a Certification Authority.

Please see the links below for OT&E and Production Server Certificates if required.

1. gTLD OT&E Certificate

2. Launch OT&E Certificate

3. Production Server's Certificate (.AFRICA, .JOBURG, .DURBAN, .CAPETOWN)

The intermediary certificate is NOT included in the certificate bundle above.

Minimum SSL Requirements

The certificate must be in X509 certificate format. Please do not submit a private key or a combination of private/public key.
The X509 certificate may be signed by a Certification Authority or the certificate can be self signed. An example of a certificate can be seen by downloading the file below:

Example X509 Signed Certificate

If the certificate that was provided has been loaded and installed on our end but there are still some SSL problems when connecting to our server, please log a ticket here and include the results of the following command:

openssl x509 -noout -in CERT_FILE -fingerprint -md5
where "CERT_FILE" is the certificate that you are using to connect.

Production Server SSL Requirements

Minimum SSL Requirements
The minimum requirements include:
1. A key strength/length of 1024 bits
2. A key with a maximum of 5 years of usage from creation, with a minimum of 1 year of usage

Recommended SSL Requirements
The recommended requirements include:
1. A key strength/length of 2048 bits
2. A key with a maximum of 1 year of usage from creation

How to Generate an SSL Certificate

The following is an example of how to generate an SSL Certificate.
The example assumes the use of a UNIX computer with command line access and openssl installed. 

Run the following in the command line:
1. openssl genrsa -out epp.key 1024
2. openssl req -new -x509 -key epp.key -out epp.crt -days 1095
3. cat epp.key epp.crt > epp.pem
The 1st command creates your private key.
The 2nd command creates the public certificate that you will upload to our portal.
The 3rd command creates the .pem file that the EPP example files make use of.
Once the key has been generated and you have been prompted by our system, upload the created epp.crt file. The epp.crt file is your public certificate.

DO NOT send us the .key or .pem file. Uploading either of these files will reveal your private key, rendering the use of SSL keys null. If either of the files are provided, a new key will have to be generated.
To create an SSL Certificate using a Windows computer, please install openssl from here
Run the following commands in the command line:

1. openssl  genrsa -out epp.key 1024
2. openssl req -new -x509 -key epp.key -out epp.crt -days 1095
3. type epp.key > epp.pem
4. type epp.crt >> epp.pem 

Once the key has been generated and you have been prompted by our system, upload the created C:\OpenSSL-Win32\bin\epp.crt file.

Rolling SSL Certificate Procedure

To rollover the current SSL Certificate, navigate to the Registrar Panel, then click on the namespace you would like to manage under the INTEGRATIONS heading.

Select the integration that you want to update the SSL Certificate for. Use the options availabel to you in the "SSL Certificate" section of the main content page.


For all Live accounts you will see the active SSL Certificate loaded for the namespace. Subject, Validity, MD5 and SHA1 information is displayed.


Browse to your local SSL Certificate file for upload. Click submit and your cert will be uploaded and checked for validity. Only .txt , .crt, .pem, .cer and .cert files are permitted for upload. No Private Keys will be accepted!

If valid then the SHA1, MD5 and validity dates are displayed. Click Next to continue.

If successful, you will see the following message displayed "SSL Certificate successfully added".



Last update: 04-06-2020 12:47:24