Newest KB Articles in SSL

Client Authentication Extended Key Usage (EKU)

Sat, 07 Feb 2026 21:52:05 GMT

Overview

Client Authentication Extended Key Usage (EKU) is a certificate attribute that allows an SSL/TLS certificate to be used for client authentication, most commonly in mutual TLS (mTLS) scenarios.

In mTLS, both sides authenticate each other:

The server presents a server certificate
The client application presents a client certificate containing the Client Authentication EKU

This is commonly used for:

Secure API integrations
Partner gateways
Financial and insurance systems
Zero-trust architectures

What Is Client Authentication EKU?

Extended Key Usage (EKU) defines what a certificate is allowed to be used for.

The Client Authentication EKU is identified as:

1.3.6.1.5.5.7.3.2 (Client Authentication)

A certificate containing this EKU can:

Identify a client application
Be presented during the TLS handshake
Be validated by the remote server as a trusted client

Without this EKU, the certificate cannot be used for mTLS client authentication.

Industry Change: Public SSL Certificates No Longer Support Client Authentication EKU

Due to industry-wide security and browser root program changes, public Certificate Authorities no longer issue SSL/TLS certificates that include Client Authentication EKU.

This affects:

Sectigo
DigiCert
RapidSSL
Other publicly trusted CAs

As a result:

Public website SSL certificates are now Server Authentication only
Client Authentication EKU is no longer available in public SSL certificates
IIS hosting providers cannot install or issue such certificates

This is expected behavior and not a hosting limitation.

Supported Alternative: Private PKI Client Certificates

For mTLS and client authentication, the supported solution is to use a Private PKI client certificate.

Key differences

Public SSL	Private PKI Client Certificate
Website HTTPS	Application identity
Installed in IIS	Loaded by application code
Publicly trusted	Trusted by specific partner
No clientAuth EKU	Includes clientAuth EKU

How to Use a Private PKI Client Certificate on Shared IIS Hosting

On shared IIS servers:

Certificates cannot be installed into the Windows certificate store
IIS does not manage outbound client certificates

Instead, the certificate is used directly by the application.

Recommended Setup

1. Store the certificate securely

Upload the PFX file to a non-public folder such as:

/App_Data/cert.pfx

Ensure:

The file is not web-accessible
The password is stored securely (config file, environment variable, or secret store)

2. Load the certificate in application code

The application loads the certificate only when making outbound HTTPS calls.

Example: .NET / ASP.NET (HttpClient)

using System.Net.Http;
using System.Security.Cryptography.X509Certificates;
var certPath = Server.MapPath("~/App_Data/cert.pfx");
var certPassword = "your-pfx-password";
var clientCert = new X509Certificate2(
    certPath,
    certPassword,
    X509KeyStorageFlags.MachineKeySet
);
var handler = new HttpClientHandler();
handler.ClientCertificates.Add(clientCert);
using var client = new HttpClient(handler);
// Example API call
var response = await client.GetAsync("https://api.partner.com/endpoint");

This:

Sends the client certificate during the TLS handshake
Enables mTLS authentication
Requires no IIS configuration

3. Partner establishes trust

The external system (e.g., API gateway):

Registers the public portion of the certificate
Trusts inbound requests signed by that certificate

Local “Not Trusted” warnings are expected for Private PKI certificates.

What You Do NOT Need to Do

❌ Do not install the certificate as a website SSL
❌ Do not add IIS bindings
❌ Do not replace your public HTTPS certificate
❌ Do not enable IIS client certificate authentication

Summary

Client Authentication EKU enables mTLS client identity
Public SSL certificates no longer support this EKU
This is an industry-wide change
Private PKI client certificates are the correct solution
On shared IIS hosting, the certificate is loaded by application code
IIS configuration is not required

Order or Renew a SSL Certificate

Thu, 16 Aug 2018 20:15:57 GMT

To secure a site with https, there are six steps (detailed below):

1. Activate the SSL add-on

2. Generate a CSR

3. Submit the certificate order

4. Approve the certificate order

5. Install the Web Server Certificate

6. Force https

If you are renewing a certificate, the process will be identical to ordering a new certificate, but starting with step 2, Generate New CSR. The renewal will issue a new SSL certificate that will be installed to replace the existing one, rather than extending the expiration of the existing certificate.

Activate the SSL add-on

The SSL add-on may be enabled for an additional $10 per month. After logging into the DiscountASP Control Panel click the SSL Management link for an overview of the add-on. Then use the "Click Here to go to SSL Add-on Order Page" link to proceed to the activation page.

Finally click the "Activate SSL Addon" button to allow CSR generation.

If the unlimited subdomains add-on was not already enabled, a Unique IP will be provisioned for the site after the SSL add-on is activated. If hosting DNS through DiscountASP, no updates are necessary. But if hosting DNS externally, for example through the domain registrar, the A Record IP will need to be updated. The new IP can be found in the DNS Manager. See the below screenshot for reference.

Alternatively, SSL support is included for the hosting plans at our sister hosting copany, Everleap. If you wish to move to Everleap, migration assistance is available for active DiscountASP site accounts.

Generate the CSR

With the SSL add-on active, the ability to create a CSR will be available in the SSL Management section of the DiscountASP Control Panel (highlighted in red below). The CSR is provided to the certificate authority to issue the SSL certificate. Please note that it is not the SSL certificate itself.

CSR fields

Common Name: The domain name being secured. For example, discountasp.net. Or *.discountasp.net if ordering a Wildcard certificate

Organization: The legal name of your organization - or - use your name.

Organization Unit: The department in the organization handling the SSL certificate.

City / State / Country: City / State / Country where your organization is located.

After filling out the fields, click the Submit CSR Information button and the SSL Manager will update with a link to order the SSL Certificate (highlighted in red).

Submit the certificate order

From the Purchase SSL Certificate page, select the desired certificate type via radio button. Most will select RapidSSL, as it is included with the SSL Add-on.

Approver email contact

After selecting the certificate type, the page will refresh. We will list the all the standard SSL approver email contact addresses that the SSL industry uses for verification. In the order process, you will also have the ability to submit an admin contact email address.

After submitting the SSL certifcate order, you will receive an email to verify and proove you have access to the domain. If you are using the included RapidSSL certificate, you will receive and email from no-reply@rapidssl.com.

If all the information is correct, use the Purchase button to complete the order.

Note regarding CSR regeneration

After submitting a SSL certificate order, do not regenerate the CSR before installing the issued certificate through the DiscountASP Control Panel. If the CSR is regenerated after a certificate is ordered, Support will need to attempt to recover the original CSR and manually install the SSL certificate or the SSL certificate will need to be rekeyed with the new CSR.

Note, if rekeying the certificate, make sure to not revoke / cancel the certificate order. Revoking the certificate would mean it is completely invalid and a new certificate would need to be purchased to replace the original certificate.

Approve the certificate order

Barring any issues with the approver email address, the approver email should be received shortly after the order is submitted. Validate domain ownership with the link provided in the email to receive the SSL certificate at the admin contact email address.

Install the Web Certificate

After approval, an email will be received with a PEM file attached. A PEM file is a text file that can be opened with a text editor like notepad. After opening the file you will see three certificates, but only the first is required. Copy the entire block of text, including the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" notations, as in the below example, and paste into the "Install Your SSL Certificate" field at the bottom of the SSL Manager and click the Install Certificate button to complete the process.

Force https

To avoid a "not secure" message in a browser, a forced https redirect will be necessary. For more information, see the Force https with URL rewrite knowledge base article.

CSR was regenerated / does not match SSL Certificate

Fri, 03 Aug 2018 22:25:56 GMT

To install a SSL certificate, it must match the CSR generated through the DiscountASP Control Panel. If the CSR is accidentally regenerated after placing a SSL certificate order, it will no longer be possible to install the certificate through the SSL Management / SSL Certificates sections. However, it is possible to rekey / reissue the certificate with the newly generated CSR. Then install the reissued certificate through the applicable Control Panel section.

If a RapidSSL certificate was purchased, see the following article for instructions: How to reissue a RapidSSL Certificate

If the SSL certificate was purchased through another certificate authority, generally a quick Google search for reissuing a SSL certificate through the applicable certificate authority will provide a link to the steps.

Alternatively, open a ticket with the DiscountASP Support Department, copy and paste the SSL certificate into the ticket and the CSR will be manually recovered and the SSL certificate installed.

Wrong approver email selected during RapidSSL / Sectigo order process

Fri, 03 Aug 2018 22:12:20 GMT

After selecting a SSL certificate via radial button, a "Select an approver email contact" section will be added with drop-down.

If the drop-down is missed or an email address is accidentally selected where email cannot be retrieved, please open a ticket with the Billing Department to cancel the existing SSL order. Then select a different approver email address on a new order. As the approver email address, unfortunately, cannot be changed once the order has been submitted.

If the email address selected didn't exist but is created afterwards, the approver email can be resent by the Support Department.

Force https with URL rewrite

Thu, 05 Jul 2018 23:06:01 GMT

For most sites, after installing a SSL certificate, https can be forced by adding a URL rewrite rule to the site's web.config file. Though, please note it will not apply to all sites, for example it may not work for those using routing or it may conflict with any existing URL rewrite rules. In the case of a CMS like WordPress or nopCommerce, it is often a setting within the CMS itself. The URL rewrite rule also will not work for ASP.NET Core sites (see below).

URL rewrite rule to redirect all requests to https

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Redirect to https" stopProcessing="true">
          <match url=".*" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Permanent" appendQueryString="false" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>

Redirect to https in Core

For Core apps, UseHttpsRedirection middleware can be used to force https by adding app.UseHttpsRedirection(); to the program.cs as in the example below

var builder = WebApplication.CreateBuilder(args);

var app = builder.Build();

  app.UseHttpsRedirection();

More detailed information can be found after the link https://docs.microsoft.com/en-us/aspnet/core/security/enforcing-ssl

Securing domain pointers with a single domain certificate

Because multi-domain certificates can be cost prohibitive or less than straight forward to order, a workaround is using domain forwarding and flexible SSL through cloudflare.com. Flexible SSL means the connection is secure between the client and cloudflare, but is not secure between cloudflare and the site. So it shouldn't, for example, be used to secure a subdirectory pointer. But is sufficient when a domain pointer is only an alternate address for a site. Please note that this will assume some familiarity with cloudflare since it is an external service.

Add the domain pointer as a website in cloudflare and then when viewing the domain Overview, expand SSL, click Overview, then Configure, select the Flexible radial button and then Save.

Now create the domain forwarding rule by expanding Rules then clicking Page Rules.

In the URL field enter the domain pointer

For Then the settings are select "Forwarding URL" and "301 - Permanent Redirect" and enter the primary site domain in the "Enter destination URL" field

Save and Deploy

Web browser security warnings after installing SSL certificate

Wed, 12 Apr 2017 17:44:13 GMT

Some of the most popular web browsers have begun to show an "insecure" warning when visiting pages that are not accessed via HTTPS. The "insecure" warning may also be triggered during an HTTPS connection if any page elements are not accessed via HTTPS, such as images or external scripts.

After you have installed an SSL certificate for your domain there are still some things you may need to do to prevent any "insecure" warnings in your user's web browser. The most common issue we see is when someone installs an SSL certificate but does not properly direct site traffic to use it.

Installing an SSL certificate makes https available, but it does not force your visitors to use HTTPS. To force all incoming connections to use HTTPS you must add an entry to the system.webServer element of your web.config file (you'll have to create the file if you don't already have one) that uses the IIS URL rewrite module to redirect all non-HTTPS traffic to HTTPS:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="Redirect to https" stopProcessing="true">
                    <match url=".*" />
                    <conditions>
                        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
                    </conditions>
                    <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Permanent" appendQueryString="false" />
                </rule>
            </rules>
        </rewrite>
    </system.webServer>
</configuration>

That should take care of forcing all incoming connections to HTTPS. For the sake of consistency you may also want to update your site navigation and internal links to use the HTTPS URL.

If you are still seeing insecure site warnings after implementing the URL rewrite, try:

Updating local image links (and references to images or scripts from outside of your domain) that use an HTTP absolute path URL to use the HTTPS URL.
If you're using a database-driven app like WordPress, you may have to update the HTTP URLs in the database. There are "find and replace" WordPress plugins that can help.

General SSL Certificate information

Wed, 06 Jan 2010 18:59:23 GMT

How do I secure my site with SSL on DiscountASP.NET?

To use SSL certificates with your website, you will need the SSL Add-on which is $10/month. The SSL Add-on includes a unique IP address and a RapidSSL certificate.

If you want to, you can use a different SSL certificate with the SSL Add-on. You can purchase other SSL certificates through DiscountASP.NET (listed below) - OR - you can purchase SSL certificates directly from an SSL provider.

How do I get an SSL Certificate?

You have a few options for obtaining an SSL certificate.

(Option I) DiscountASP.NET provides a RapidSSL Certificate to active accounts with the SSL Add-on. This is not a shared SSL certificate. It is specifically for your domain.

(Option II) You can purchase other SSL certificates through DiscountASP.NET.

SSL Certificate	Our Annual Price	Warranty
RapidSSL	Included with SSL Add-on	$10,000
RapidSSL Wildcard	$209	$10,000
GeoTrust QuickSSL Premium	$129	$500,000
GeoTrust True BusinessID	$179	$1,250,000
GeoTrust True BusinessID with EV	$269	$1,500,000
GeoTrust True BusinessID Wildcard	$499	$1,250,000

(Option III) You can purchase an SSL certificate directly from an SSL provider.

Why is there such a difference in the cost of SSL Certificates?

Though the encryption process is similar, the cost difference is typically due to the level of business verification and SSL verification services. The less expensive SSL certificates will only verify the domain owner via an email exchange. This type of verification is very quick, taking only a matter of minutes, but it lacks a full business verification.

The professional and more expensive solutions not only verify the domain name owner but they also verify the business legitimacy by checking Dun and Bradstreet numbers (dnb.com), incorporation documents, DBA documentation, etc. The more expensive certificates typically also include SSL/business verification seals.

Since a user can click on the SSL Seal and get business verification information along with the SSL verification, they will have extra confidence that the SSL certificate is associated with a professional and legitimate business entity.

The new EV (Extended Validation) certificates turn a portion of the browser address bar green as a visual indication that the web page is secure and the business was verified as legitmate.

Looking for added security? SiteLock scans your website to detect hacking, and SiteLock TrueShield provides a Web Application Firewall to block online threats. Protect your site today.

Selecting the proper bit rate for a certificate

Mon, 20 Jul 2009 21:54:30 GMT

When submitting the info for a CSR in our Control Panel (for an SSL certificate), the bit rate will be 2048. When you go to the certificate provider you may see bit rates of 128 or 256 bit.

Don't let the differences in bit rates confuse you. The important thing to note here is that our stated bit rate of 2048 is the provider (server) bit rate. The certificate authority bit rates of 128 or 256 are the encryption rates for the actual communication channel (the browser communication). Those two values will not match.

Looking for added security? SiteLock scans your website to detect hacking, and SiteLock TrueShield provides a Web Application Firewall to block online threats. Protect your site today.

Activating SSL for your account

Wed, 12 Nov 2008 00:02:33 GMT

See this Knowledge Base article for information on purchasing a discounted SSL certificate through DiscountASP.NET

The following steps are necessary to activate SSL for your account.

Note that the steps are different for a Domain Validated certificate and a certificate that uses Full Organization Validation. These instructions are for Domain Validated certificates.

1 Activate the SSL add-on in the SSL manager.
When the SSL add-on is activated, you will receive two email notices, one verifying the SSL add-on activation, and another verifying the activation of the UniqueIP/Unlimited subdomain add-on. The UniqueIP/Unlimited subdomain add-on is necessary because the use of a personal SSL certificate requires that your account has a unique IP address. The Unique IP add-on is included in the price of the SSL add-on.

2 After you receive the activation notices, go back to the SSL manager and generate a CSR.
A CSR is a public key that we generate on your web server. It is used to validate specific information about the web server and your organization. The CSR is generated based on the Organization Information that you provide in Control Panel. The common name can effect on which type of certificate you can use. See the different types of common names below.

Common Name: example.com
If you wish to secure www.example.com and example.com, the Common Name is: example.com.

Common Name: subdomain.example.com
If you wish to secure a subdomain, such as secure.example.com, the Common Name is: secure.example.com. With this type of common name https://secure.example.com is secure, but https://example.com and https://www.example.com will cause 'Common Name Doesn't Match' warnings.

Common Name: *.example.com
If you wish to secure a wildcard that will work on any subdomain, such as order.example.com, the Common Name is: *.example.com. With this type of common name https://anysubdomain.example.com is secure, but https://example.com will cause 'Common Name Doesn't Match' warnings.

3 Send the CSR to the certificate authority
When your Organization Information is submitted, we will generate a CSR* and display it in the SSL manager, along with the pertinent web server information. If you obtain a certificate through us, we will transmit the CSR to the certificate authority when you click the "Click to purchase" link and complete the order. Simply complete the "admin contact information." The email address you specify in the admin contact information section is where the verification email and the SSL certificate will be sent.

If you are purchasing an SSL certificate directly from a third party SSL certificate authority, copy the CSR from the text box (the CSR begins with -----BEGIN NEW CERTIFICATE REQUEST----- and ends with -----END NEW CERTIFICATE REQUEST-----) and provide the CSR to your SSL certificate authority in whatever manner they require.

4 Wait for the verification email from certificate authority
A Domain Validated certificate will normally require that you click a link in a verification email from the certificate authority to demonstrate that you have access to the domain used in the certificate. Once you do that, the certificate authority will send the SSL certificate to you.

5 Submit and finish!
Copy the SSL certificate received via email and submit it in the SSL manager. Simply copy the code from the email and paste it into the certificate field on the SSL Manager page. The certificate field is below the field containing the CSR. Once your certificate is submitted, we will install it on your account.

Finally, test your web site using HTTPS with different browsers to ensure that the SSL installation is working properly.

Looking for added security? SiteLock scans your website to detect hacking, and SiteLock TrueShield provides a Web Application Firewall to block online threats. Protect your site today.

Exporting an SSL certificate for use on a different server

Tue, 11 Nov 2008 23:24:17 GMT

We can export your certificate and private key if you wish to use it on another server, however, we recommend against doing so.

If we export your certificate and you install it on another server, the private key will then be in the hands of more than one party, and will have been used on more than one server, which is not ideal security practice.

Most SSL providers can "re-key" your certificate in the event of a server move. When they do so, the private key that we used on our server will no longer be valid, which is preferable for your overall security.

Contact your certificate provider for details regarding re-keying. It is usually a simple matter of sending the provider a CSR from your new server.

If you still want us to export your SSL certificate with the private key, please contact support for assistance.