Complete Guide to Replacing Symantec SSL with Comodo SSL for Free

Several months ago, Namecheap launched a Symantec certificate replacement plan, allowing users to replace their Symantec SSL certificates with Comodo SSL certificates for free. The new certificate (Comodo SSL) will expire at the same time as the original certificate (Symantec SSL), and users can choose whether to renew it upon expiration. The reason for launching this plan is likely that Google announced it would gradually reduce trust in Symantec SSL.

Currently, free DV SSL certificates issued by Alibaba Cloud, Tencent Cloud, and West Digital are all issued by Symantec. It seems that free certificates are easily misused, so here is a guide on how to replace Symantec SSL with Comodo SSL.

1. Preparation

• You must have already applied for a Symantec SSL certificate (e.g., free SSL from Alibaba Cloud, Tencent Cloud, or West Digital).
• Register an account at https://www.namecheap.com/.

2. Start the Replacement

1. Visit symantec-replace to test the website where you have already deployed the Symantec SSL certificate. This article uses i.bk.tn as a demonstration. As shown in the screenshot below, if the test passes, click "Activate free SSL" to proceed to the next step.\n

2. The next step requires submitting a CSR file. For reference, see: How to Generate CSR Files Using OpenSSL for SSL Certificate Applications. To simplify the process, this article uses an online generation tool: CSR Online Generator, as shown in the screenshot below.

Online CSR Generation

After generation, you will have two files: the CSR file, which is needed when applying for the certificate, and the KEY file, which is needed when deploying the SSL certificate after successful application. Please save them carefully.

3. Return to Namecheap and submit the CSR file, selecting as shown in the screenshots below.

4. Verify the domain. You can choose either HTTP file verification or DNS verification; select whichever is more convenient. Here, DNS verification is chosen.

5. You also need to fill in company information. Use Pinyin for the required fields (OPTIONAL fields can be left blank). At the bottom, enter the email address where you want to receive the SSL certificate.

6. The final step is domain verification. This step is quite hidden and took me a long time to find. Go to the Domain List, find the domain, click Manage, and then click "Get Record" to view the hostname, and perform the required DNS resolution.

7. Domain verification took about 30 minutes. I don't know if choosing HTTP file verification would be faster. After successful verification, the SSL certificate will be sent to your email. Please check the email instructions and attachments carefully.

3. Additional Notes

After extracting the attachments in the email, you will get two files: i_bk_tn.crt is the certificate file, and i_bk_tn.ca-bundle is the root certificate. These two files need to be merged into one (append the content of i_bk_tn.ca-bundle to the end). The private key file was provided when generating the CSR online. How to deploy the SSL certificate is not elaborated here.

Before Replacement: Symantec SSL

After Replacement: Comodo SSL

4. Summary

Comodo DV SSL is also very cheap if purchased directly. If conditions allow, it is recommended to use a paid SSL certificate. The revocation of the WoTrus root certificate is a warning. Tip: Another small method is to first apply for a free Symantec SSL certificate and then replace it for free with a Comodo SSL certificate. This way, you can use Comodo SSL for free for up to one year.