The Full Process of Replacing Symantec SSL with Comodo SSL for Free

Publish: 2017-06-13 | Modify: 2017-06-21

A few months ago, Namecheap launched a Symantec SSL certificate replacement program, which allows users to replace their Symantec SSL certificates with Comodo SSL certificates for free. The new Comodo SSL certificates have the same expiration date as the original Symantec SSL certificates, and users can choose whether to renew them after they expire. The reason for launching this program may be due to Google's announcement to gradually reduce trust in Symantec SSL certificates.

Currently, free DV SSL certificates provided by Alibaba Cloud, Tencent Cloud, and West.cn are issued by Symantec. It seems that free things are easy to be abused. So let's share how to replace Symantec SSL with Comodo SSL.

1. Preparation

  • You have already applied for a Symantec SSL certificate (such as the free SSL from Alibaba Cloud, Tencent Cloud, or West.cn).
  • Register an account at Namecheap.

2. Start the Replacement

  1. Visit symantec-replace to check the website where you have deployed the Symantec SSL certificate. In this article, we will use "i.bk.tn" as an example. As shown in the screenshot below, the check is passed, and click "Activate free SSL" to proceed to the next step.

screenshot

  1. The next step requires submitting the CSR file. You can refer to the article "Using OpenSSL to Generate CSR Files for SSL Certificate Applications" for instructions on how to generate a CSR file. In this article, we will use the online tool CSR Online Generator for simplicity. See the screenshot below.

screenshot

  1. Go back to Namecheap and submit the CSR file, following the screenshot below for selection.

screenshot screenshot

  1. Verify the domain. You can choose either HTTP file verification or DNS verification, whichever is more convenient. In this case, we choose DNS verification.

screenshot

  1. Fill in the company information, etc. You can use Pinyin to fill in the required fields (optional fields can be left blank). At the bottom, fill in the email address to receive the SSL certificate.

screenshot screenshot

  1. The last step is to verify the domain. This step is a bit hidden and took a while to find. In the "Domain List," find the domain, click "Manage," and then click "Get Record" to view the hostname and follow the instructions for resolution.

screenshot

  1. It takes about 30 minutes to verify the domain. I'm not sure if HTTP file verification would be faster. After successful verification, the SSL certificate will be sent to your email. Pay attention to the email instructions and attachments.

screenshot

3. Other Notes

After extracting the attachments from the email, there will be two files: i_bk_tn.crt (certificate file) and i_bk_tn.ca-bundle (root certificate). These two files need to be merged into one (append the content of i_bk_tn.ca-bundle to the end). The private key file was provided when generating the CSR online. The deployment of the SSL certificate is not described here.

screenshot

Before replacing Symantec SSL

screenshot

After replacing Comodo SSL

4. Summary

Comodo DV SSL can be purchased directly at a low price. If conditions permit, it is recommended to use paid SSL certificates. The revocation of WoSign's root certificate serves as a warning. Tip: Another method is to first apply for a free Symantec SSL certificate and then replace it with a free Comodo SSL certificate. This way, you can use the Comodo SSL certificate for up to one year for free.


Comments