Every SSL Certificate order now passes through a series of automated checks before the SSL Certificate is issued. These include Domain Control Validation (DCV), Certification Authority Authorization (CAA) checks, and Multi-Perspective Issuance Corroboration (MPIC) confirmation from several locations around the world. Most orders complete these checks without any problem.
Occasionally an order does not complete as expected. The reason may lie with your own Domain Name System (DNS) configuration, or it may be caused by a temporary problem within the validation systems operated by the Certificate Authority (CA). This page explains how to tell the difference and what to do in each case.
Reasons an SSL Certificate Order May Fail to Process
The number of checks required to issue a publicly trusted SSL Certificate has grown significantly. Each check is a point where a problem can occur, and every one of them must succeed before the SSL Certificate is issued.
Most order failures come from the way a domain is configured rather than from any fault at the Certificate Authority (CA). A frequent cause is a Domain Name System (DNS) server that cannot be reached from every region. Geographic restrictions and firewall rules are common culprits.
This happens because Multi-Perspective Issuance Corroboration (MPIC) requires the Certificate Authority (CA) to confirm each check from several locations at the same time. If the Domain Name System (DNS) cannot be reached from all of them, the check fails even when the records themselves are correct. Learn About Multi-Perspective Validation 🔗
The same is true of Certification Authority Authorization (CAA) records. A Certification Authority Authorization (CAA) lookup is performed for every SSL Certificate request, whether or not any records exist, so the Domain Name System (DNS) must answer that lookup reliably from anywhere in the world. Learn About Certification Authority Authorization (CAA) Records 🔗
Orders That Stall After Successful Checks
A different situation can occur when the checks appear to have passed but the order still does not progress. This is not a configuration problem on your side. It usually points to a temporary fault within the systems operated by the Certificate Authority (CA).
A typical example is an order where Domain Control Validation (DCV) has completed and the tracking system records it as successful. The Certification Authority Authorization (CAA) stage, however, shows as unsuccessful or simply does not move forward.
When you use the retry option, the system may return an unexpected error. It can read along the lines of the order not being in a status where the Certification Authority Authorization (CAA) check needs to be performed. That message is a sign that the order has stalled at the Certificate Authority (CA), not a problem you can fix.
Important : An error stating that the order is not in a status for the Certification Authority Authorization (CAA) check to run usually indicates a stalled order at the Certificate Authority (CA). Please contact Trustico® so the problem can be investigated.
The Certificate Authority (CA) applies an automatic policy that retries the last failed action on its own. In most cases this clears the stall and the order continues, although the retry can take up to 24 hours to run.
The delay is inconvenient, and Trustico® understands that waiting is not ideal. If you would rather not wait, or if the order has not cleared after that period, please get in touch so the matter can be raised directly with the Certificate Authority (CA).
Using the Retry Options in the Tracking System
The Trustico® tracking system gives you direct control over the checks that apply to your order. Where a check has timed out or returned a temporary error, you can ask the Certificate Authority (CA) to run it again from within the tracking system.
Retrying is the right first step for a Domain Name System (DNS) or Certification Authority Authorization (CAA) check that failed because of a brief timeout or a change you have since corrected. Manage Your SSL Certificate Orders 🔗
There is an important distinction to make. If the retry runs successfully but the check still fails, the Domain Control Validation (DCV) record itself is most likely incorrect. That is not a matter for the Certificate Authority (CA) to investigate, because the records simply need to be entered correctly.
To confirm that a record is present and correct, third-party checking tools can help, and Trustico® provides its own set of tools for this purpose. Use Our SSL Certificate Tools 🔗
Tip : Keep your Domain Control Validation (DCV) records and validation files in place until the SSL Certificate has been fully issued. Removing them too early can cause a later check to fail.
If a retry itself produces an error, or the order behaves in a way that does not match any of the situations above, that is the point to ask Trustico® for help.
Accessing the Certificate Authority Portal Directly
The tracking system also includes an option that opens the validation portal operated by the Certificate Authority (CA). Most of the actions you can take there are already available within the Trustico® tracking system, which presents more detail and a wider range of options.
The portal operated by the Certificate Authority (CA) is there as a secondary option for anyone who prefers to work with it directly. It can also be useful for confirming the current status of an order whenever an error message or an outstanding requirement is unclear.
The portal is also where documentation requirements are shown for orders that need identity checks. If you are placing an Organization Validation (OV) or Extended Validation (EV) order and you are unsure what the Certificate Authority (CA) still needs, that information can be reviewed there.
Detailed guidance on what the Certificate Authority (CA) requires for a business-verified order is available on the Trustico® website. Explore the Organization Validation (OV) Guide 🔗
The requirements for the highest level of business validation are covered separately. Explore the Extended Validation (EV) Guide 🔗
Requesting Assistance From Trustico®
When an order shows the signs of a stall at the Certificate Authority (CA), or when a retry produces an error that you cannot resolve, Trustico® is here to help. Send an e-mail or a message through the contact page, describing the order and what you have seen.
Trustico® will then raise the problem with the Certificate Authority (CA) on your behalf and ask for the stalled order to be investigated and put right.
These validation systems are operated by the Certificate Authority (CA) rather than by Trustico® and are outside our direct control. As the number of checks has grown, occasional problems of this kind have appeared while the systems are refined.
Trustico® reports each occurrence to the Certificate Authority (CA) so that the process continues to improve. In the meantime, if anything about your order looks wrong, please raise it with us and we will make sure it is resolved.